AOH :: ISN-2849.HTM

Researcher: Hacker Sophistication Outpacing Forensics

Researcher: Hacker Sophistication Outpacing Forensics
Researcher: Hacker Sophistication Outpacing Forensics 

By Kevin McLaughlin
Aug 9, 2006

In the never-ending cat-and-mouse game between hackers and those charged 
with stopping them, it's pretty clear who's winning--and it's not the cat.

Speaking at the Black Hat conference in Las Vegas last week, Kevin Mandia, 
president of Mandiant, an Alexandria, Va.-based security consultancy, said 
attackers are using increasingly sophisticated methods to evade detection 
and make life difficult for security incident response teams.

The sophistication of hackers' tools is outpacing that of investigators' 
forensic tools, and one of the consequences is that incident response 
teams charged with investigating attacks on networks are taking between 5 
and 8 days to find malicious code, Mandia said.

"Malware analysis can be time consuming, and most firms don't want to 
spend the money to fully analyze the malicious code, which could cause 
further damage [to the network]," said Mandia.

And because it can take days to find malicious code, Mandia said rumors of 
a kernel level rootkits always arise within the company that's being 
analyzed. Rootkits are software tools designed to hide running processes, 
files or system data and enable attackers to maintain control over a 
system without the user's knowledge. A kernel level rootkit takes this 
cloak of invisibility a step further by adding or modifying part of the 
kernel code.

Although Windows security breaches make up the majority of security 
incidents, the kernel level rootkits Mandia has come across thus far have 
been Linux-based. "We're not seeing any kernel level rootkits [for 
Windows], but the user space stuff is working well enough that it doesn't 
matter," he said.

Mandia said the main reason hackers aren't running kernel level rootkits 
is because they can make systems unstable, which could blow their cover. 
"The number one way people detect network compromise is when their system 
crashes," said Mandia.

Other common indicators that a PC's security has been breached include the 
inability to execute a 'save as' command; continual termination of 
antivirus software; and Windows Task Manager closing immediately when a 
user executes a 'ctrl-alt-delete' command, according to Mandia.

One of the worst things users can do if they think their systems have been 
compromised by a hacker is to shut off their PCs, because doing so 
prevents an investigator from analyzing the contents of the machine's RAM, 
which often contains useful forensic evidence, Mandia said.

In one attack on a corporate network, Mandia reviewed the RAM on a 
compromised machine and found an attack in progress on 11 other machines 
in the network, he said. Another advantage from analyzing RAM is being 
able to see a full list of commands a hacker has run, even if the hacker 
used an encrypted channel to carry out the attack, Mandia added.

One emerging tactic Mandia said he is seeing more frequently is hackers 
using Rogue Active Server Pages (ASP) as the front page for a compromised 
Web server. A user who accessed a bogus ASP page would essentially be 
giving attackers an open door into their PC, enabling them to remote view, 
copy, or delete files, Mandia said. "These pages are very sophisticated -- 
it's like having an executable on a machine," he said.

Profit-motivated attackers usually operate by hacking a victim's PC and 
installing a keystroke logger or by getting their victims to fall for 
phishing scams. Mandia says these attacks are tough to stop because the 
attackers tend to work quickly and leave little evidence behind.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2015 CodeGods