DOCSLIB.ORG

Implementation of a Distributed Intrusion Detection and Reaction System

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Implementation of a Distributed Intrusion Detection and Reaction System Mestrado em Engenharia Inform´atica Disserta¸c~ao Relat´orioFinal Implementation of a distributed intrusion detection and reaction system Jo~aoPedro dos Santos Soares [email protected] Orientador: Prof. Dr. Jorge Granjal Co-Orientador: Eng. Ricardo Ruivo Data: 1 de Setembro de 2016 1 Mestrado em Engenharia Inform´atica Disserta¸c~ao Relat´orioFinal Implementation of a distributed intrusion detection and reaction system Jo~aoPedro dos Santos Soares [email protected] Orientador: Prof. Dr. Jorge Granjal Co-Orientador: Eng. Ricardo Ruivo J´uriArguente: Prof. Dr. M´arioRela J´uriVogal: Prof. Dr. Paulo Sim~oes Data: 1 de Setembro de 2016 3 Abstract Security was not always an important aspect in terms of networking and hosts. Nowa- days, it is absolutely mandatory. Security measures must make an effort to evolve at the same rate, or even at a higher rate, than threats, which is proving to be the most difficult of tasks. In this report we will detail the process of the implementation of a real distributed intrusion detection and reaction system, that will be responsible for securing a core set of networks already in production, comprising of thousands of servers, users and their respec- tive confidential information. Keywords: intrusion detection, intrusion prevention, host, network, security, threat, vul- nerability, hacking 5 Acknowledgments As we step into the most important project of my student life, there's a couple of people to whom I am extremely grateful, without them, this project and my life in general wouldn't be the same. I want to start by thanking my supervisor: Professor Jorge Granjal, who I quickly grew to admire for his dedication to this project. I can't stress enough the importance of the presence of a supervisor in the development of a thesis project, from the beginning until the very end, and this was certainly the case. Even on holidays, Professor Jorge Granjal attended to every meeting and made sure I received the appropriate feedback and counseling every time. Along with Professor Jorge Granjal, comes Engineer Ricardo Ruivo, my co-supervisor and work colleague, who more than that, became my friend and mentor at work. When I started working at SIC (Servi¸code Inform´aticae Comunica¸c~oes),there was no better way I could be welcomed if not with Ricardo's good mood and professionalism. He taught me a great deal of what I know now, and is one of the main reasons I wish to continue to work at SIC in the following year. His abilities and skills at work still amaze me to this day. I must also thank my family, that even if not directly involved with this project, supported me for as long as I can remember, not ever doubting my abilities and always encouraging me to go further and to work harder. All this while providing me with all the resources and freedom that I wanted and/or needed. I'm eternally grateful and lucky to have been born surrounded by my wonderful parents and sister. I also want to thank all my close friends that contributed to my resilience throughout the year, by providing me with incredibly fun, and also sometimes crazy moments. In this group of friends I want to give a special thanks to Maxi (Jo~aoLouren¸co),who played a great part in helping me build my current personality, by constantly sharing his optimistic view with me, which was one of the major reasons that kept me going, and made me pursue the master's degree. Last but not least, I want to thank the newest addition to my life: Rita, my girlfriend, who I've known for almost a year, but only a few months ago have I started to look at her the way I already should have in the beginning. Her presence alone inspired me and encouraged me to work, and helped me surpass my sporadic laziness. It impresses me how far we've come and what we've achieved in only a couple of months, we are definitely not normal, and hopefully we stay that way for more years to come. 7 List of Figures 1 Gantt Chart for the first semester. 18 2 Gantt Chart for the second semester. 19 3 New Gantt Chart for the second semester. 20 4 Switched network versus a hubbed network. 25 5 The association (and dissociation) process of a client to a wireless access point. 28 6 Using an intermediary to communicate between wireless clients. 29 7 TCP's three-way handshake . 35 8 A normal TCP data exchange . 37 9 TCP sequence number being brute-forces . 38 10 Wireshark logs of a DNS query . 40 11 Amplification attack in practice . 41 12 A minimalist diagram of the department's network infrastructure. 63 13 Top vulnerabilities when aggregating both inbound and outbound traffic. 65 14 Top vulnerabilities exploited in attacks to the department's network. 66 15 Top targeted machines in attacks to the department's network. 66 16 Top origin countries in attacks to the department's network. 67 17 Top vulnerabilities exploited in attacks originated at the department's network (Outlier). 68 18 Top machines launching attacks originated at the department's network (Out- lier). 68 19 Top vulnerabilities exploited in attacks originated at the department's network. 69 20 Top machines launching attacks originated at the department's network. 70 21 Top targeted countries in attacks originated at the department's network. 71 22 Logical architecture diagram. 80 23 Physical architecture diagram. 83 24 Interaction between the components of our architecture. 85 25 Network diagram of the current architecture implementation . 95 26 Puppet manifest hierarchy . 97 27 Log flow diagram . 102 28 Top vulnerabilities detected by the NIDS . 104 29 Reader and crawler interaction . 105 30 Testing setup diagram. 110 9 List of Tables 1 Comparison of traffic capture techniques. 49 2 Comparison of detection strategies. 56 3 Comparison of intrusion detection/prevention systems. 61 4 Server specifications. 64 5 Availability scenario . 76 6 Modifiability scenario 1 - Updates . 76 7 Modifiability scenario 2 - Network topology changes . 76 8 Performance scenario . 77 9 Testability scenario . 77 10 Usability scenario . 78 11 Scalability scenario . 78 12 Architecture validation tests. 116 13 Reaction times of the three IDS applications. 134 14 Phase 1 results . 135 15 Phase 2 results . 136 16 Phase 3 results . 137 17 Statistics producing test. 138 18 Phase 1 results . 139 19 Phase 2 results . 139 20 Phase 3 results . 140 21 HIDS Availability test results. 140 22 Phase 1 results . 142 23 Phase 2 results . 142 24 Phase 3 results . 143 25 Detailed HIDS scalability testing. 144 26 Misuse-based detection validation. 145 27 Detailed SQL injection test results. 146 28 Detailed cross-site scripting test results. 146 29 Detailed NTP amplification attack test results. 146 30 Anomaly-based detection validation. 147 31 Detailed FTP bruteforcing test results. 147 32 Detailed TCP Syn Flood test results - Phase 1. 148 33 Detailed TCP Syn Flood test results - Phase 2. 148 34 Detailed HTTP directory scan test results. 148 35 Detailed Port scanning test results. 148 36 Detailed system availability threatening test. 149 37 Detailed OSSEC integrity checking testing. 149 38 Detailed OSSEC rootkit detection testing. 149 11 Index 1 Introduction 17 1.1 Contextualization . 17 1.2 Objectives . 17 1.3 Life cycle and Planning . 18 1.4 Report structure . 20 2 State of the Art 23 2.1 Threats and vulnerabilities . 23 2.1.1 Physical Layer . 23 2.1.2 Link Access Layer . 24 2.1.3 Network Layer . 31 2.1.4 Transport Layer . 34 2.1.5 Application Layer . 39 2.2 Detecting intrusions: Technologies and strategies . 44 2.2.1 Techniques for achieving network visibility . 44 2.2.2 Detection strategies . 49 2.2.3 Comparison of detection strategies . 56 2.2.4 Types of intrusion detection systems . 56 2.3 Preventing intrusions: Technologies and strategies . 57 2.3.1 Network intrusion prevention . 57 2.3.2 Host intrusion prevention . 57 2.4 Exploring intrusion detection/prevention systems . 58 2.4.1 Free & open-source products . 58 2.4.2 Commercial products . 60 2.4.3 Comparison of intrusion detection/prevention systems . 61 3 Preliminary Work 63 3.1 Traffic capture and analysis strategy . 64 3.1.1 Capturing the network traffic . 64 3.1.2 Analyzing network traffic . 65 3.2 Preliminary analysis results and conclusion . 65 3.2.1 Attacks against the DEI's network . 66 3.2.2 Attacks originated at the DEI's network . 67 4 System Architecture 73 4.1 Functional Requirements . 73 4.1.1 Detecting . 73 4.1.2 Reacting . 74 4.1.3 Alerting and Logging . ..
Load more

Recommended publications
  • A Comparative Analysis of Open- Source Intrusion Detection Systems
    TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Computer Science Chair of Network Software A COMPARATIVE ANALYSIS OF OPEN- SOURCE INTRUSION DETECTION SYSTEMS Master’s Thesis ITI70LT Student: Mauno Pihelgas Student code: 106497IVCMM Advisor: Risto Vaarandi, Ph.D Tallinn 2012 Declaration I hereby declare that I am the sole author of this thesis. The work is original and has not been submitted for any degree or diploma at any other University. I further declare that the material obtained from other sources has been duly acknowledged in the thesis. ……………………………………. ……………………………… (date) (signature) 2 3 List of Acronyms and Abbreviations BSD license A class of extremely simple and very liberal licenses for computer software. Acronym BSD is short for Berkley Source Distribution. [1] CERT Computer Emergency Response Team. CPU Central Processing Unit. DoS Denial of Service. GNU A recursive acronym for GNU's Not Unix. [2] GNU GPL GNU General Public License. The most widely used license for free software. [2] GNU GRUB A multi-boot boot loader responsible for loading and transferring control to the operating system kernel. GPU Graphics processing unit. A processing unit on a graphics cards. HDD Hard Disk Drive. ICMP Internet Control Message Protocol. One of the core protocols of the Internet Protocol suite. IDS Intrusion Detection System. IPS Intrusion Protection System. md5sum A program used to calculate and verify 128-bit MD5 hashes. NIC Network Interface Card. NIDS Network-based Intrusion Detection System. Nmap Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. [3] PCAP A libpcap library file format that is the primary capture format for many networking tools.
    [Show full text]
  • Cyber Security Assessment Tools and Methodologies for the Evaluation of Secure Network Design at Nuclear Power Plants
    Cyber Security Assessment Tools and Methodologies for the Evaluation of Secure Network Design at Nuclear Power Plants A Letter Report to the U.S. NRC January 27, 2012 Prepared by: Cynthia K. Veitch, Susan Wade, and John T. Michalski Sandia National Laboratories P.O. Box 5800 Albuquerque, New Mexico 87185 Prepared for: Paul Rebstock, NRC Program Manager U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Division of Engineering Digital Instrumentation & Control Branch Washington, DC 20555-0001 U.S. NRC Job Code: JCN N6116 Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000. Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation. NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors.
    [Show full text]
  • (Ids) Snort Dan Suricata Berbasis Aturan/Rules Standar Pengembang
    PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN SURICATA BERBASIS ATURAN/RULES STANDAR PENGEMBANG SKRIPSI Diajukan untuk Memenuhi Salah Satu Syarat Memperoleh Gelar Sarjana Komputer Program Studi Teknik Informatika Oleh : Benedictus Yoga Pradana 095314040 HALAMAN JUDUL PROGRAM STUDI TEKNIK INFORMATIKA JURUSAN TEKNIK INFORMATIKA FAKULTAS SAINS DAN TEKNOLOGI UNIVERSITAS SANATA DHARMA YOGYAKARTA 2016 i PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI COMPARING DETECTION CAPABILITY OF SNORT AND SURICATA INTRUSION DETECTION SYSTEM (IDS) BASED ON DEVELOPER’S STANDARD RULES A Thesis Presented as Partial Fulfillment ofThe Requirements to Obtain Sarjana Komputer Degree in Informatics Engineering By : Benedictus Yoga Pradana 095314040 INFORMATICS ENGINEERING STUDY PROGRAM INFORMATICS ENGINEERING DEPARTMENT FACULTY OF SCIENCE AND TECHNOLOGY SANATA DHARMAUNIVERSITY YOGYAKARTA 2016 ii PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI HALAMAN PERSETUJUAN SKRIPSI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN SURICATA BERBASIS ATURAN/RULES STANDAR PENGEMBANG Oleh: Benedictus Yoga Pradana NIM: 095314040 Telah disetujui Oleh: Pembimbing Iwan Binanto, S.Si., M.Cs. Pada tanggal: iii PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI ALAMAN PENGESAHAN SKRIPSI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN
    [Show full text]
  • Darknoc: Dashboard for Honeypot Management
    DarkNOC: Dashboard for Honeypot Management Bertrand Sobesto, Michel Cukier Matti Hiltunen, Dave Kormann, Gregg Vesonder Clark School of Engineering AT&T Labs Research University of Maryland 180 Park Ave. College Park, MD, USA Florham Park, NJ, USA fbsobesto, [email protected] fhiltunen, davek, [email protected] Robin Berthier Coordinated Science Laboratory Information Trust Institute University of Illinois Urbana-Champaign, IL, USA [email protected] Abstract been used to conduct various studies of attackers [1, 9] and analysis of cyber crimes such as unsollicited elec- Protecting computer and information systems from secu- tronic mails, phishing [10], identity theft and denial of rity attacks is becoming an increasingly important task service. The computer security community has used hon- for system administrators. Honeypots are a technol- eypots to analyze different techniques deployed by the ogy often used to detect attacks and collect information attackers to reach their objectives. Attackers’ arsenal about techniques and targets (e.g., services, ports, oper- includes distributed denial of service [24], botnets [2], ating systems) of attacks. However, managing a large worms [11] or SPAM [15]. However few studies focus and complex network of honeypots becomes a challenge on the usage of honeypots data to help network adminis- given the amount of data collected as well as the risk that trators to better protect their production networks. Hon- the honeypots may become infected and start attacking eypot deployment is challenging and the architecture of other machines. In this paper, we present DarkNOC, a such networks is complex. For example, distributed hon- management and monitoring tool for complex honeynets eynets require secure tunnels and different levels of pro- consisting of different types of honeypots as well as other tection must be in place to ensure a total containment of data collection devices.
    [Show full text]
  • Intrusion Detection System and Intrusion Prevention System with Snort Provided by Security Onion
    Bezborodov Sergey Intrusion Detection System and Intrusion Prevention System with Snort provided by Security Onion. Bachelor’s Thesis Information Technology May 2016 DESCRIPTION Date of the bachelor's thesis 06.05.2016 Author(s) Degree programme and option Bezborodov Sergey Information Technology Name of the bachelor's thesis Intrusion Detection Systems and Intrusion Prevention System with Snort provided by Security Onion. Abstract In this thesis I wanted to get familiar with Snort IDS/IPS. I used the Security Onion distribution with a lot of security tools, but I concentrated on Snort. Also I needed to evaluate Security Onion environment and check what features it provides for processing with Snort. During the work I needed to figure out the pros and cons of using Security Onion with Snort as a security system for network. I compared it with alternatives and briefly describe it. As result I installed Security Onion, work with the environment, configured different features, created and modified rules and so on. I think this thesis will be helpful for people who want to use IDS/IPS for their network, it should help them to choose IDS/IPS vendor, make Security Onion and Snort installation, make comparison with another one and just get familiar with the network security tools. Also, this thesis can be a part of big research of network security tools, because now is impossible to find such detailed guides and literatures about any IDS/IPS tools. It is a good idea to combine many researches about it and make a good library. This thesis can be used for further development of Snort and Security Onion as it only on the development phase now, it will provide base for new researching with new versions.
    [Show full text]
  • Part I ATTACK VECTORS
    Attack Simulation and Threat Modeling Olu Akindeinde February 8, 2010 Copyright © 2009 Olu Akindeinde Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in Appendix B entitled "GNU Free Documentation License". 2 ATTACK SIMULATION AND THREAT MODELING i PREFACE “The purpose of computing is insight not numbers” I wrote this book as a direct consequence of Security Analysis and Data Visualization1. A lot of ground rules were laid there - we simply follow up here. Attack Simulation and Threat Modeling explores the abundant resources available in advanced security data collection, processing and mining. It is often the case that the essential value inherent in any data collection method is only as good as the processing and mining technique used. Therefore, this book attempts to give insight into a number of alternative security and attack analysis methods that leverage techniques adopted from such subject areas as statistics, AI, data mining, graphics design, pattern recognition and to some extent psychology and economics. As security design and implementation become major components of the overall enterprise architecture and data collection tools improve and evolve, the ability to collect data will no doubt increase dramatically. This then brings us to the value of the data which is often only as useful as what the analysis can shape it into. Whilst the security process itself is key, the collection, processing and mining techniques used to analyze the data are even more important.
    [Show full text]
  • Toolsmith Suricata
    toolsmith ISSA Journal | August 2010 Suricata: An Introduction By Russ McRee – ISSA member, Puget Sound (Seattle), USA Chapter mentations.2 I’ll include a bit more on the HTP Library cour- Prerequisites tesy of Ivan below. *nix operating system (Windows binaries Matt Jonkman, the OISF president and board member, of- pending) fered a features table that helps further exemplify Suricata’s capabilities. s I prepare this month’s column for your reading Existing IDS/IPS Engines Suricata pleasure, I also contemplate how to pack every- Features (Open and Commercial) (by the OISF) A thing I want to share with you at the ISSA Interna- Multi-Threaded Processing No Yes tional Conference (September 15-17, 2010 in Atlanta) into a Complete IPv6 Support Some Complete 50-minute session. That challenge is not unlike how I might IP Reputation Cisco Only Yes (soon) share everything I want you to know about Suricata in 1500 +/- words; pretty tough, but I’ll give it a shot. Automated Protocol Detection No Yes GPU Acceleration No Yes Suricata is the primary offering from the Open Information Multi-Platform Native Hard- No Yes Security Foundation (OISF), a non-profit foundation orga- ware Acceleration Support nized to build a next generation IDS/IPS engine, with funded Global Variables/Flowbits No Yes (soon) support from the Department of Homeland Security’s Direc- torate for Science and Technology HOST program (Home- Full Windows Support Some Yes land Open Security Technology) and the Navy’s Space and Inline Windows Support No Yes Naval Warfare Systems Command (SPAWAR). GeoIP Lookups No Yes (soon) To that end, Suricata is an open source, next generation in- Advanced HTTP Parsing No Yes trusion detection and prevention engine.
    [Show full text]
  • Suricata: Caso Di Studio Di Intrusion Detection and Prevention System
    Università degli Studi di Camerino SCUOLA DI SCIENZE E TECNOLOGIE Corso di Laurea in Informatica (Classe L-31) Suricata: caso di studio di Intrusion Detection and Prevention System Laureando Relatore Mirco Pazzaglia Prof. Fausto Marcantoni Matricola 081190 A.A. 2011/2012 «Learn the rules so you know how to break them properly.» Dalai Lama «The quieter you become, the more you can hear.» Ram Dass Ringraziamenti «Ringrazio tutti e tutto, niente e nessuno» I miei più sentiti ringraziamenti vanno a tutti coloro che hanno fatto e fanno parte della mia vita. Ringrazio la mia famiglia per il supporto e l'aiuto che mi ha fornito, e che da sempre mi segue in ogni mio passo verso il futuro. Ringrazio Noemi, mia sorella, che da sempre crede in me e mi sprona a dare il meglio dandomi la fiducia di cui ho bisogno. Non posso mancare di ringraziare tutti i miei amici, da coloro che mi seguono dalla mia infanzia a quelli che si sono aggiunti nel corso degli eventi della mia vita. Compagni d'ogni momento, dal più triste al più felice, hanno tutti contribuito ad arricchire il mio essere e sono loro infinitamente grato per le esperienze che abbiamo condiviso. Un ringraziamento anche ai miei colleghi di studio con i quali c'è sempre stato aiuto e supporto reciproco. Nello specifico vorrei ringraziare i miei due, oltre che amici, colleghi Moschettieri Giacomo e Giacomo con i quali ho condiviso i momenti migliori di questo percorso universitario, siano stati di studio, di svago o di brainstorming. Ringrazio il corpo docenti del corso di laurea in Informatica dell'Università di Camerino e nello specifico il Prof.
    [Show full text]
  • Tiago Filipe Mesquita Da Cunha Deteção De Falsos Alertas De Intrusão Em Redes De Computadores
    Tiago Filipe Mesquita da Cunha Deteção de Falsos Alertas de Intrusão em Redes de Computadores Dissertação de Mestrado Mestrado Integrado em Engenharia Eletrónica Industrial e Computadores Trabalho efetuado sob a orientação do Professor Doutor Henrique Santos Professor Doutor Sérgio Lopes janeiro de 2019 DIREITOS DE AUTOR E CONDIÇÕES DE UTILIZAÇÃO DO TRABALHO POR TERCEIROS Este é um trabalho académico que pode ser utilizado por terceiros desde que respeitadas as regras e boas práticas internacionalmente aceites, no que concerne aos direitos de autor e direitos conexos. Assim, o presente trabalho pode ser utilizado nos termos previstos na licença abaixo indicada. Caso o utilizador necessite de permissão para poder fazer um uso do trabalho em condições não previstas no licenciamento indicado, deverá contactar o autor, através do RepositóriUM da Universidade do Minho. Licença concedida aos utilizadores deste trabalho Atribuição-NãoComercial-CompartilhaIgual CC BY-NC-SA https://creativecommons.org/licenses/by-nc-sa/4.0/ ii AGRADECIMENTOS Este trabalho de dissertação representa o término de uma importante etapa de formação na minha vida, com as mais variadas aprendizagens, tanto a nível pessoal como académico. Para tal, devo e quero expressar, neste pequeno texto, a minha gratidão a todos os intervenientes, que direta ou indiretamente contribuíram para este caminho efetuado. Em primeiro lugar, agradeço aos meus pais, pela oportunidade que me foi concedida de continuar a formação académica e enveredar no ensino superior, assim como pelo acompanhamento, paciência e apoio. De igual modo, um especial agradecimento à minha namorada, pelo carinho, conforto e incentivo, nestas e noutras circunstâncias de maior pressão, que tanto ajudaram a enfrentar as adversidades.
    [Show full text]
  • Analysis of a Suspect Program: Linux
    Chapter 10 Analysis of a Suspect Program: Linux Solutions in this chapter: ■ Analysis Goals ■ Guidelines for Examining a Malicious Executable Program ■ Establishing the Environment Baseline ■ Pre-Execution Preparation: System and Network Monitoring ■ Defeating Obfuscation: Removing the Specimen from its Armor ■ Exploring and Verifying Attack Functionality ■ Assessing Additional Functionality and Scope of Threat ■ Other Considerations ˛ Summary 575 576 Chapter 10 • Analysis of a Suspect Program: Linux Introduction In Chapter 8 we conducted a preliminary analysis of a suspicious file, sysfile, in the case study “James and the Flickering Green Light.” Through the file profiling methodology, tools and techniques discussed in the chapter, we gained substantial insight into the dependencies, symbols and strings associated with the file, and in turn, a predictive assessment as to program’s nature and functionality. In particular, the information we collected from sysfile thus far has revealed that it is an ELF executable file that has not been obfuscated with packing or encryption, and is identified by numerous anti-virus engines as being a backdoor or DDoS agent. Further, the file dependencies discovered in sysfile suggest network capability. Lastly, symbol files referenced a file, kaiten.c, which we learned through research is code relating to known IRC bot program with denial of service capabilities. Building on this information, in this chapter, we will further explore nature, purpose and function- ality of sysfile by conducting a dynamic and static analysis of the binary. Recall that dynamic or behavioral analysis involves executing the code and monitoring its behavior, interaction and effect on the host system, whereas, static analysis is process of analyzing executable binary code without actually executing the file.
    [Show full text]