Jeff Kabachinski

Jeff Kabachinski, MS-T, BS-ETE, MCNE

Last month, we covered the progression of hacking into the realm of big business and organized crime. In today’s environment, traditional security will no longer suffice. Most organizations put their defense systems on the perimeter or border of the enterprise network—with not much attention elsewhere. Called the M&M (as in candy) method, once you can get past the tough outer shell, all the soft sweet stuff and big payoff is in the inside.

Last month, we covered that intrusion detection systems (IDS) and intrusion detection and prevention systems (IDPS) are network applications used to detect intruders. IDS troll the network looking for security breaches. It continually polls routers, gateways, and servers for their logs and management reports looking for data that does not line up with that network’s baseline. It also keeps an eye on traffic and traffic patterns for the unusual or known patterns of intrusion. As a reactive system, it simply alerts the network administration that something fishy is going on. IDPS can also be proactive by sequestering suspect traffic, for example, while it alerts the administration. The IDPS will also notify the appropriate network devices to block suspect Transmission Control Protocol (TCP) ports and list the systems that are trying to use them. Since TCP ports are 2-byte addresses, there are 65,000 possible addresses. The Internet Assigned Numbers Authority (IANA) has assigned about 50,000 of them, which still leaves plenty of open ports that anyone can use to set up a communication connection.

While hackers do not have to follow convention and use any port, they are less likely to conflict with legitimate use and risk detection. IDS and IDPS will scan TCP ports looking for ports left hanging open but idle, as well as atypical ports being used. You can scan the TCP ports on your computer to see what is being used. Check the sidebar to see how! At the end of an event, the detection systems can send a report of all the details that happened before, during, and after an attack to further learn its Modus Operandi (MO).

APT=Advanced Persistent Threat

An APT usually starts with building a portfolio on key employees. The hacker will look for their listing in LinkedIn or Facebook, or other social media du jour. They’ll get a handle on their families, where they live, and what kinds of hobbies or likes and dislikes they have. From this information, hackers craft a spear phishing e-mail message. Phishing is the low-tech hacker talking to people trying to figure out their network login info. Spear phishing is targeted with content relative to the recipient. In one case, just two e-mails were sent to a select group of employees with the subject line that said, “2011 Recruitment Plan.” The e-mail was crafted well enough to trick one of the employees to retrieve it from the junk mail folder and open the attached Excel file. It was a spreadsheet titled “2011 Recruitment plan.xls.”

Unfortunately, the spreadsheet contained a zero-day exploit that installed a back door through an Adobe Flash weakness (that Adobe has since taken care of). The term zero-day simply means that the exploit or malicious executable stays hidden until the time it is ready to complete its mission, like the Trojan horse. Then again, it was not really an Excel spreadsheet after all, now was it? It contained a remote administration tool (RAT) that allows a remote user to take control of a system as if he is sitting in front of it. If you have ever turned over control of your PC to remote IT support, then you have seen a legal RAT (the software, not the IT support person) in action.

APT RATs are malicious and hide themselves from security software. There are a number of variants to keep up the masquerade (see the sidebar). RSA, the security division of information storage giant EMC Corp, was compromised by a spear phishing attack (via spoof e-mails) that used a zero-day Adobe Flash vulnerability and a Poison Ivy RAT variant. “Poison Ivy” is just the name of this particular variant.

RSA’s products are intended to prevent unauthorized access to customers’ computer systems by adding an extra layer of protection. RSA’s customers include banks and other large companies like Lockheed Martin and Canon. Like the saying goes—if these guys can get hacked in this way and not even realize it until damage has been done, yipes for the rest of us!

In the RSA case of last spring, the RAT was used in reverse communication mode. In other words, the remote computer (your computer) became the host for the RSA client to log in and take over operations. They do this for a number of reasons.

Since outgoing connections from your network are assumed to be less threatening, your IDS doesn’t pay too close attention to you asking to download a file from the Internet. Doing it this way allows the software tool to be downloaded without being blocked by any firewall or suspicious router.

In addition, since it all started from within your network, it will not be necessary for the remote administrator to know your IP address to send the software tool. So, we are not asking for anything that would throw up a red flag. Rather than receiving commands from a control server, tools such as Poison Ivy turn the tables, pulling commands from an external server making them more difficult to detect. Poison Ivy has been used in numerous other attacks, including the Operation Aurora attack against Google in late 2009.

Long-Term Information Gathering

APTs are long-term hacks. It involves the criminal obtaining initial access to your network via the wetware layer (network users). Employee portfolios are fleshed out with collected data used to create login attempts. Once a successful login is obtained, they can infiltrate the network and stay logged on for a long time collecting information about other users and the system. They can build up a pile of user credentials, capture documents, e-mail, and data files. Then they will encrypt and compress all this information and send it out to their server for analysis. These are criminals that do this for a living. They will see what they can get from the data before selling it to someone else. If they remain undetected, they will keep going, penetrating deeper and deeper into your network, all the time gathering more sensitive information.

Many Trojans now have these kinds of RAT capabilities that allow an individual to control the victim’s computer. They harbor a file called “the server” and run it on the victim’s PC. The server file can be sent via e-mail, P2P file sharing software, or in Internet downloads. They are usually disguised as a legitimate program or file. Some server files will pop up a fake error message when opened, to make it seem like nothing happened. There are even other server files that will shut down your antivirus and firewall software.

As in a typical APT, after penetrating RSA’s network, the attackers went after credentials for employees with access to higher-value information. The attackers take their time, watching what you are doing via “digital shoulder surfing” to determine your role and access levels. They collect all manner of information as users log on and off. File directories and paths are logged to paint a picture of the system layout, allowing the attacker to get closer and closer to sensitive data. If they come up empty, they simply move on to the next employee and track information for their portfolio—er, I mean, dossier. After a suitable amount of information has been collected, the attacker aggregates the information and moves it to internal staging servers that were previously set up. There, the data gets compressed and encrypted for extraction. The attackers set up FTP channels to move the data quickly to the external staging servers, probably at a hosting provider or third party. After the information has been exfiltrated in this way, the attackers cover their tracks by erasing all the bits, bytes, files, and various detritus left behind by their operations.

“One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and end point defenses,” said Uri Rivner, head of new technologies, consumer identity protection, at RSA in an April 1, 2011, RSA blog.

To safeguard our organizations, and ourselves, we will also need to react with a new defense doctrine. As important as the annual flu shot, maybe we can start our APT immunization with annual Spear Phishing Awareness training!

Jeff Kabachinski, MS-T, BS-ETE, MCNE, has more than 20 years of experience as an organizational development and training professional. He is the director of technical development for Aramark Clinical Technical Services in Charlotte, NC. For more information, contact .

Using Netstat

Take a look at what is going on with your Transmission Control Protocol (TCP) ports by using netstat. Netstat is a built-in command line utility that displays protocol statistics and current TCP/IP connections. At a time when everything is running normally, take a snapshot of the activity with netstat. When you suspect that your computer slowdown might be caused by intruders hogging CPU time, take another snapshot and compare.

To get to a DOS-like command line, select “Run” from the right-side menu that appears when clicking the MS Windows Start button, usually found at the lower left hand of the screen—it is the round Windows logo.

  • After selecting “Run,” type CMD in the “open” box and a DOS-like window appears.
  • To get started and see the selection of switches you can use to get various views of the active ports, type: netstat /?
  • To see the status of all active ports, type: netstat /a
  • By using the /o switch, netstat will add the owning process ID (PID) to the list—type netstat /o

For a list of PIDs and their process names, use the Task Manager. First open Task Manager by typing Control+Shift+Escape simultaneously.

  • Go to the processes tab and select “Columns.”
  • Select PID from the list (should be at the top of the list), and click “OK.”
  • Click on the PID header to put the list in order by PID.
  • Under Description on the right side, you will see who that PID is. This will get you started.

Remember to type “Exit” to close the command line window when you are finished.

There is a wealth of information on the Internet, so you should not have any trouble learning all the grim details of using netstat and the PID list. Happy hunting!

Typical RAT Software and Trojans
  • Back Orifice
  • Bifrost
  • Bandook RAT
  • BlackShades RAT
  • Cerberus RAT
  • Cybergate
  • Darkcomet-RAT
  • Poison Ivy
  • SubSeven (Sub7)
  • NetCAR
  • Netop Remote Control
  • Netop OnDemand
  • Netop Mobile & Embedded
  • Y3K Remote Administration Tool
  • Optix Pro
  • LANfiltrator