Professional Documents
Culture Documents
Navpreet Singh
Principal Computer Engineer
Computer Centre, Indian Institute of Technology Kanpur, India
navi@iitk.ac.in
ABSTRACT
These days most of the Organizational Networks are facing a critical problem. Lately
there has been a lot of increase in Malwares such as worms, adwares, spywares etc.,
which get installed on the users PC and generate Network and Internet traffic without the
user’s knowledge i.e. in the background. As a result, the overall utilization of the
network, specially the Internet link, gets drastically minimized due to this unwanted
traffic.
This tool monitors the network traffic and identifies all the (active) computers on the
network which are infected with any kind of Malware. It provides the IP Address, MAC
Address and type of infection for the identified hosts. There may be some hosts for which
may it not be able to provide information on the type of infection, but it is able to identify
them.
3. Malicious Threats in Packets in a Thus if any machine on the network uses all
the above prefixes with a single domain
Network
name to guess the name of an SMTP server
then that machine is concluded to be
There are untold billions of packets flying
infected by the mydoom worm.
around the networks today. A great many of
them are of malicious intent [2]. Following
The domain name along with the prefix is the %WinDir%\system32 directory and then
present in the UDP datagram. execute it.
Target of Infection: Unpatched systems SYN FIN is probably the best known
vulnerable to LSASS exploit – MS04-011. illegal combination. SYN is used to start
a connection, while FIN is used to end
Detection Techniques: It starts an FTP an existing connection. It is nonsensical
server on TCP port 5554. This server is used to perform both actions at the same time.
to spread the worm to other hosts. Many scanning tools use SYN FIN
packets, because many intrusion
detection systems did not catch these in
the past, although most do so now. You
can safely assume that any SYN FIN Many of the tools used by attackers to scan
packets you see are malicious. and probe our networks are based on the use
of abnormal TCP packets. A large
SYN FIN PSH, SYN FIN RST, SYN percentage of alerts detected by intrusion
FIN RST PSH, and other variants on detection systems involve these types of
SYN FIN also exist. These packets may packets, so it is critical to be able to identify
be used by attackers who are aware that them. Our tool alerts on all abnormal TCP
intrusion detection systems may be packets.
looking for packets with just the SYN
and FIN bits set, not additional bits set. Detection Techniques: Our tool analyses all
Again, these are clearly malicious. the TCP packets for any of the above
mentioned suspicions and lists source of
Packets should never contain just a FIN these packets
flag. FIN packets are frequently used for
port scans, network mapping and other
stealth activities. 3.3 SSH Dictionary Attack
Some packets have absolutely no flags Also known as a dictionary attack, which
set at all; these are referred to as "null" uses a list of known passwords, a program
packets. It is illegal to have a packet will connect to a remote SSH server and
with no flags set. attempt to login using common user
name/password combinations. The system
Besides the six flag bits, TCP packets have administrators will notice large number of
two additional bits which are reserved for failed SSH login attempts in their log files.
future use. These are commonly referred to It is quite obvious that this is the work of an
as the "reserved bits". Any packet which has automated program as the user names used
either or both of the reserved bits activated are attempted in alphabetical order. The
is almost certainly crafted. time-stamps are also a dead give away, with
connections only a few seconds apart. Such
There are several other characteristics of scripts are generally used by hackers for
TCP traffic where abnormalities may be illegal intrusion.
seen:
A dangerous addition to these attacks is the
Packets should never have a source or attempts to break into “root” accounts.
destination port set to 0.
Thus if any Linux machine attempts too
The acknowledgment number should many ssh attacks on any other machine then
never be set to 0 when the ACK flag is that machine is definitely suspicious.
set.
Detection Techniques: If any linux machine
A SYN only packet, which should only connects normally to ssh port (port 22) of
occur when a new connection is being another machine then the number of tcp
initiated, should not contain any data. packets transmitted, starting from the time
when the connection is established till it is
Packets should not use a destination closed (SYN till FIN) remains almost fixed.
address that is a broadcast address, But if a machine is attempting a ssh
usually ending in .0 or .255 (.0 was an dictionary attack on another then it
older style of broadcast). Broadcasts are
normally not performed using TCP.
continuously sends tcp SYN requests on port but the tool is able too identify machines
22. Thus this machine is infected. which are possibly infected.
Improving the dictionary of worm Lately there has been a lot of increase in
signatures: This would help us ensure Malware which get installed on the users’
that there are less number of misses and PC and connect to Internet without the users
false alarms. knowledge i.e. in the background. This tool
Making the tool work as a Prevention helps Network Administrator to identify
Tool also: Specific ports on switches to such computers and take necessary action.
which infected machines which are
reportedly generating large number of Currently the tool is a basic tool which is
malicious or suspicious packets are very useful in identifying worms like sasser,
connected can be blocked, thus mytob, mydoom, blaster etc., adwares, ssh
removing the infected machines from the dictionary attacks, and suspicious packets
network. The MAC address of the including port scans. Still there are many
machines identified as infected or infected machines in the network which it is
suspicious can also be blocked, so that not able to identify with certainty. There are
the infection doesn't spread in the possibilities of misses and false alarms in
network and also save the network case of identifying machines which are
bandwidth. infected with unidentified Malware.
Reducing the time taken for complete
analysis: Improvements can be done in The tool can be enhanced to work as a
the script like inserting certain new realtime Malware Infection Detection
functions or using some different System (MIDS), towards which we are
algorithms or employing some new logic working.
that can bring down the analysis time.
Parallel programming can be one
possible solution to make the code run 7. References
faster.
Strengthening the Hardware: Using [1]http://www.tcpdump.org/tcpdump_man.h
more sophisticated hardware based on tml
newer technologies to run this tool can
[2]http://www.cromwell-
intl.com/security/security-netaudit.html
[3]http://www.doshelp.com/Ports/Trojan_Po
rts.htm
[4]http://securityresponse.symantec.com/avc
enter/venc/data/detecting.traffic.due.to.rpc.w
orms.html
[5]http://www.securityfocus.com/infocus/12
23
[6]http://sarc.com/avcenter/security_risks/ad
ware/
[7]http://www.spywaredetector.us/spywarew
eremove6.htm
[8]http://www.trojanguide.com/spywarelist.
html