SE Labs

Posts tagged 'monitoring'

Network security appliances vs. Word and PowerShell

Over the last few months we have seen a surge in attacks using apparently innocent documents that install malware covertly on victims’ systems.

Unless you are running specialist monitoring tools, or very effective security software, you probably won’t see any symptoms of the attack.

The goals of these attacks are varied. In some cases they provide remote access to hackers. In others so-called cryptocurrency mining software is installed. These programs (ab)use your systems’ processing power in an attempt to generate cryptocurrencies such as Monero. The attackers get rich off your power bill.

While there are variations in how the attacks work, the typical path to compromise involves opening the document, which could be in Microsoft Word format, after which an exploit runs a PowerShell script. This, in turn, downloads and installs the malware.

In this report we investigate how effectively some very popular network security products are at handling these and other threats.

As usual, we have also thrown in some particularly devious targeted attacks that appear to be completely legitimate applications but that provide us with remote access to unprotected targets. When we gain this access we try to hack the target in the same way a real attacker would. This gives the security products the best chance of detecting and potentially blocking the bad behaviour.

The good news is that all of these products were able to detect many (if not all) of the threats. Some were able to block most, although complete protection is not guaranteed. As always, a layered approach to protection is best. For advice on which endpoint software to choose see our Endpoint Protection test results on our website.

Latest report (PDF) now online.

What’s the difference between SE Labs and a cyber-criminal?

nsa-jan-2018-2776476

As we prepared this network security appliance report for publication we were also getting ready to present at BT’s internal security conference Snoopcon.

We had been asked to talk about security products and how they might not do what you assume they will.

Reports like this (PDF) provide an interesting insight into how security products actually work. Marketing messages will inevitably claim world-beating levels of effectiveness, while basic tests might well support these selling points. But when you actually hack target systems through security appliances you sometimes get a very different picture.

Some vendors will support the view that testing using a full attack chain (from a malicious URL pushing an exploit, which in turn delivers a payload that finally provides us with remote access to the system) is the right way to test. Others may point out that the threats we are using don’t exactly exist in the real world of criminality because we created them in the lab and are not using them to break into systems worldwide.

We think that is a weak argument. If we can obtain access to certain popular, inexpensive tools online and create threats then these (or variants extremely close to them) are just as likely to exist in the ‘real world’ of the bad guys as in a legitimate, independent test lab. Not only that, but we don’t keep creating new threats until we break in, which is what the criminals (and penetration testers) do. We create a set and, without bias, expose all of the tested products to these threats.

But in some ways we have evolved from being anti-malware testers to being penetration testers, because we don’t just scan malware, execute scripts or visit URLs. Once we gain access to a target we perform the same tasks as a criminal would do: escalating privileges, stealing password hashes and installing keyloggers. The only difference between us and the bad guys is that we’re hacking our own systems and helping the security vendors plug the gaps.

Latest report (PDF) now online.

Network appliances vs. targeted attacks

apt-2533097

There have been so many publicised data breaches in 2017 that we didn’t even have enough space in our latest report to provide a basic summary. In many cases a business network was breached. Business networks comprise endpoints (usually Windows PCs), servers, Point of Sale computers and a range of other devices.

Latest reports now online.

In this report (PDF) we explore the effectiveness of network appliances designed to detect and block attacks against endpoint systems.

One approach to compromising a business is to hack an endpoint (PC) and then to use it as a platform from which to launch further attacks into the network. For example, rather than going straight for a company’s main servers why not trick a user into infecting his/ her computer with malware? We can then scan and infect the entire network, stealing information, causing damage and generally behaving in ways contrary to the business’ best interests.

There is some really good endpoint software available, as we see in our regular Endpoint Protection tests, but nothing is perfect and any extra layers of security are welcome. If one layer fails, others exist to mitigate the threat. In this report we explore the effectiveness of network appliances designed to detect and protect against attacks against endpoint systems.

The systems we have tested here are popular appliances designed to sit between your endpoints and the internet router. They are designed to detect, and often protect against, threats coming in from the internet or passing through the local network. Their role is to stop threats before they reach the endpoints. If they fail to stop a threat, they might learn that an attack has happened and generate an alert, while subsequently blocking future, similar attacks.

There are no guarantees that technology will always protect you from attackers, but our results show that adding layers of security is an effective way to improve your prospects when facing general and more targeted attacks.

Next-generation firewalls: latest report

2017q1-2088039

Using layers of security is a well-known concept designed to reduce the chances of an attacker succeeding in breaching a network. If one layer fails, others exist to mitigate the threat.

Latest reports now online.

In this report (PDF) we explore the effectiveness of network appliances designed to detect and block attacks against endpoint systems.

The systems we have tested here are popular appliances designed to sit between your endpoints and the internet router. They are designed to detect, and often protect against, threats coming in from the internet or passing through the local network.

Their role is to stop threats before they reach the endpoints. If they fail to stop a threat, they might learn that an attack has happened and generate an alert, while subsequently blocking future, similar attacks.

In some cases an appliance will take information it considers suspicious and send it to a cloud-based service for further analysis. In this way it might allow a threat through the first time, explore it more deeply using the cloud service and send back information to the appliance so that it will block  that same (or similar) attack in future.

It’s a little like an immune system.

As immune systems adapt to protect against known threats, so threats adapt in an arms race to defeat protection mechanisms. This report includes our first public set of network security appliance results.

Future reports will keep you updated as to how well the industry competes with the bad guys in the real world.

Back from the Dead

email-1932571Forgotten web sites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for web sites and nothing else.

Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

The friendly, well written message was a refreshing change from the usual approach, which most often demands immediate, unthinking action. The sender, however, could only call me “J” as he didn’t have my forename. There was a protected file attached, but the sender had supplied the password. It was a contract, he said, and he looked forward to hearing back from me.

The headers said the email came from a French telecoms company. Was someone on a spending spree with my money? My PayPal and bank accounts showed no withdrawals.

Curious about the payload, I spun up a suitably isolated Windows 10 victim system, and detonated the attachment. It had the cheek to complain about having no route to the outside world. I tried again, this time with an open internet connection. A randomly-named process quickly opened and closed, while the file reported a corruption. Maybe the victim system had the wrong version of Windows installed, or the wrong vulnerabilities exposed. Maybe my IP address was in the wrong territory. Maybe (and this is more likely) the file spotted the monitoring software watching its every move, and aborted its run with a suitably misleading message.

Disappointed, after deleting the victim system I wondered which site out of hundreds could have been compromised. I’ll probably never know, but it does reveal a deeper worry about life online.

Over the years, we all sign up for plenty of sites about which we subsequently forget, and usually with whichever email address is most convenient. It’s surely only a matter of time before old, forgotten sites get hacked and return to haunt us with something more focused than malicious commodity spam – especially if we’ve been silly enough to provide a full or real name and address. Because of this, it pays to set up dedicated accounts for registrations, or use temporary addresses from places such as Guerrilla Mail.

Monitor Unknown Connections with Currports

currports2b-2bprocess2bdetail-7373569
Uncover dodgy connections and malicious activity with this handy, free utility.

If you’ve ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know of any malicious connections. Written and maintained by Nir Sofer, Currports gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer. Unlike Process Monitor, which is part of the excellent Windows Sysinternals suite, Currports isn’t a massive firehose of events that needs taming to be of any use.

You can download Currports from its homepage. The link is near the bottom. If you run a 64-bit architecture, be sure to download the 64-bit version. You can run Currports from anywhere including the desktop. It will create a configuration file called cports.cfg in whichever folder you run it from (including the desktop).

Setting Up
Run Currports and expand the display. By default, the listing is unsorted and doesn’t automatically update, but we can change that. Press Alt + 1 to set an update time of one second, Alt + 2 for two seconds and so on.

Scroll across the display to see the information offered on each connection. Each time you press CTRL+Plus (on the keypad) the columns will auto-resize themselves.

If you double click on a line, a pop-up appears giving details of the process. This basically summarises the data in each of the columns. You can highlight a piece of information, then copy and paste it into other documents etc.

If you grab a column header with the mouse, you can pull it to wherever you want. I advise pulling “Process Created On” to the very left of the display because this acts as a handy time index to events. You can also go to View -> Choose Columns and re-order them, or switch off those you don’t require. If you find it difficult to follow lines across the screen, you can also mark every other line in light grey, and add gridlines from this menu.

There’s another useful column way over to the right of the display. It’s the Remote IP Country column. This will give you the country each remote IP address is assigned to, but it doesn’t display anything until we download the legacy GeoLite City Database. Download the Binary/xz version of the file and place it in the same directory as the same folder as Currports. Re-run Currports, move the Remote IP Country column to a place where you can see it, and you should see the column start to populate as connections are made. If not, you probably downloaded the wrong database. It’s the Binary/xz format you need. You don’t have to unpack it; just place it in the same directory as Currports.

To test the setup, open the Edge browser to generate lots of connections. Sure enough, the screen fills with new connections to different IP addresses as it accesses news, adverts and lots of other guff from multiple countries. The names of servers are resolved into host names where possible, as are city and country names if you downloaded the GeoLite City Database.

Setting Options
Currports has a range of useful options. Most control what’s displayed. Particularly useful is Mark Ports of Unidentified Applications, which is set by default. Any suspicious ports are coloured pink. Suspicious in this context means no icon, no version information, and so on.

To save you from having to sit and actively monitor Currports waiting for an infection to make its move, you can set the Beep on New Ports option. This can become quite noisy on a busy system, but if you just need to know if a suspect process on a specially prepared victim system is making outside connections without you having to stare at the screen for hours, this is the option for you.

You can also log activity by selecting File -> Log Changes. This begins writing to cports.log, which is a plain text file. It logs new connections and connections that close. The log file is written to the same folder from which you started Currports.

You can also filter Currports’ on-screen output. The format of a filter varies slightly depending on what you filter.

For example, to remove all instances of svchost.exe from the display, enter the following line:

exclude:process:svchost.exe

To only show HTTP and HTTPS traffic and exclude all other connected processes:

include:remote:tcp:80
include:remote:tcp:443

You can use local, remote or both to define which end of the connection you’re interested in.  Similarly, the allowed protocols are TCP, UDP and TCPUDP (both).

The include directive means that everything else is excluded, so you’ll need to build up the output using multiple include lines.

Nice Touches
The icon bar gives you quick access to some useful functionality. For example, select a process, hit the red cross, and its connections will drop. This isn’t recommended in normal use, but if you want to see if a piece of malware automatically re-establishes its connection it’s what you need.

Select one or more processes and hit the floppy disk icon. This allows you to save all the data from those lines as a text file.

Drag and drop the target icon onto an application and it should highlight the processes for you. On a fresh installation of Windows 10 Home this didn’t work, but your mileage may vary.

You can set and toggle the display filter with the next two icons. This second option is very useful in cases where you need to clear down the display to just the processes that interest you, then open it back up to all processes. 

currports2b-2bhtml2boutput-7200668

The next two icons deal with copying the details for one or more processes into the paste buffer for inclusion in another document, and viewing a process’ properties (double clicking also displays the properties).

Searching for strings is accomplished with the binoculars icon, which allows you to specify case sensitivity.

Finally, you can export the entire display into HTML format, which is then opened in your default browser.

All pretty interesting stuff, but what can you do with Currports other than satisfy your curiosity?

Using Currports
Currports comes into its own as part of the behavioural analysis of potential malware. If you’ve downloaded a piece of older, unsupported application, it’s immensely useful to see if it’s leaking information or calling home.

Depending on the type of infection, several things may happen. A botnet client will try to contact its command server for instructions, a payload and a target list. Ransomware might also call home for an encryption key, but much of it also explores your network looking for other machines with unprotected shares to hold hostage. If it does so, you’ll see multiple connection attempts to lots of other addresses on the subnet.

It’s not unusual for some forms of malware to open connections to the site router while attempting to find vulnerabilities to exploit. It’s easier to attack your router from the inside of the network than from the (supposedly) hardened public side. If it can install a fake certificate or subvert DNS caching, it can redirect traffic to attack servers.

Many drive-by infections need somewhere to download and run their payloads. They can’t use the system directories, so tend to use your temporary directory. In a similar vein, much of today’s malware likes to masquerade as legitimate system processes, such as svchost.exe. A Svchost with a process path leading to your temporary directory instead of WINDOWSSystem32 is clearly not legitimate, for example. Anything out of the ordinary (Excel making connections to Romania?) should be investigated.

There are also times where all hell seems to let loose, but which are completely benign. Windows Update, for example. For this reason, it’s useful to install Windows in a VM, download and set Currports running, and just get a feel for what happens during various major operating system events. Also, install an antivirus product and watch the connections fly as it updates itself.

So, there we have it: a simple, useful utility to give you a clear 1,000-foot view of the connections being made. I may have missed one or two options, but if you have any interesting uses for Currports, please feel free to post them in the comments.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press