A client of mine had a network that was constantly under malicious attack.
When the client was connected to the Internet, the corporate network routers
and switches lit up like a Christmas tree. When the Internet connection was
unplugged, network utilization hovered around its normal 2 to 3 percent. Hackers
were sending millions of packets across the network, but the client didn't know
how. The client had plugged a network sniffer into the network to capture malicious
packets, but in a few minutes, it was overwhelmed by hundreds of thousands of
packets—mostly of unauthorized traffic. How could we find out how the
hackers were breaking into the network and what they were doing? Enter the virus
trap.
Sometimes preventing viruses, worms, and Trojan horses from attacking your
computers isn't enough—you want to capture the malicious program and learn
everything you can from it. Studying the mechanics of what the bug is attempting
to do will help you provide a better defense. Even for network administrators
without advanced diagnostic skills, a virus trap can provide early detection
of network intrusions. Here are some methods you can use to trap malware and
examples of how they've been used in the past.
What Is a Virus Trap?
In lay terms, a virus trap is a program—often a honeypot program—designed
to detect, slow down, or capture a specific piece or type of malware for further
study. A honey-pot is a nonproduction computer asset created to track unauthorized
exploitation. A virus trap honeypot is a special-function honeypot built specifically
to detect and capture automated malware. It isn't as concerned as a regular
honeypot is with attacks originating from dedicated attackers, which are a small
percentage of overall attacks anyway. In order to track manual hackers, a more
functional and complicated honeypot is needed.
When malware is attacking, we're concerned about two things:
- What vulnerability is the malware looking for to be successful?
- What will the malware do once it has gained the initial access by using
the found vulnerability?
The first question seeks to find out how the pest is planning to attack network computers; the answer will reveal the steps the administrator needs to take to make sure the malware won't be successful (or at least to minimize the damage). The second question speaks to the malware's true motive. Is the malware just breaking in to break in, or does it want to damage data, steal files, send spam, or locate free hard drive space for storing malicious files and unlicensed digital media? A virus trap can help answer these questions.
Here are some situations in which you might want to set a virus trap:
- A new worldwide worm has been announced on the antivirus lists. You think
your network infrastructure is secured against the attack, but you want an
early-warning system if something gets inside your perimeter. Or a worldwide
worm has been announced, and computers on your network are showing signs similar
to reported infection symptoms.
- Something malicious keeps banging against your perimeter firewall, and you
want to capture it to find out what's trying to break in or out.
- Hackers or malware is successfully breaking into your network and servers
and you want to find out how.
Virus Trap Types and Uses
There are four major types of virus traps: port listeners, tarpits, honeypots,
and virtual machines.
Port listeners. A port listener is any program capable of opening
an IP port and capturing information entering that port. Port listeners are
the simplest of programs. They don't have to emulate a service, pretend to be
a server, or respond in any way. They only capture what's sent to them. The
downside of port listeners is that you can't use them to monitor stateful TCP
traffic, which always requires a reply to establish a successful communication
session. However, sometimes listening is all you want to do.
For example, the SQL Slammer worm used a single 376-byte UDP packet to carry
out its malicious deeds. To capture it, all you needed was a simple port listener
listening on UDP port 1434. The most common port listener in use today is Netcat,
a free utility that you can download from http://www vulnwatch.org/netcat.
You can use Netcat for all sorts of things, including establishing one or more
listening ports. To capture the Slammer worm, you could execute the following
Netcat command:
nc -vv -l -p 1434 > port1434.log
The -vv switch tells Netcat to be verbose and report connection attempts to the screen, -l tells Netcat to listen for inbound connections on the port indicated by the -p switch, and collected data is saved to a text file called port1434.log. (If you try this command, press Ctrl+C to end the Netcat session, or type
nc -h
for the Netcat Help screen.)
Figure 1 shows an example of the SQL Slammer
worm captured in a Netcat port listener. It isn't pretty or even understandable
unless you're a programmer, because it's captured executable code that's part
of a buffer overflow. Still, the text that follows the command
type port1434.txt
is the SQL Slammer worm. If you didn't recognize the worm and you searched
on the Internet for the few text strings you see, the results would indicate
that the executable code you captured belongs to SQL Slammer. You could then
test and verify that all your SQL Server systems are patched against the worm.
To see the full source code details of SQL Slammer, visit http://www.eeye.com/html/research/flash/sapphire.txt. If the attacks continue from the same source IP address,
you can even attempt to contact the host or implement other computer defenses.
Tarpits. Tarpits aren't used to capture and display malicious
code as much as to slow down quickly spreading malware. Developed by Michael
Robinton, LaBrea (http://labrea.source forge.net) was the first and is still
the most popular tarpit. It responds to any request for a nonexistent IP address.
After allowing time for any legitimate host to answer, LaBrea answers connection
attempts in such a way as to waste as much of the malware's time as possible—by maximizing TCP/IP retransmits and wait periods. LaBrea slows down malware
and hackers and identifies their origination IP address, as Figure
2 shows. Although LaBrea's functionality is intentionally limited, it's
a huge success at what it does. Many real-life worms and lab tests have corroborated
its ability to slow down Internet worms, just as its author hoped.