with the spam.. - FTP Directory Listing by pengxuebo

VIEWS: 1 PAGES: 64

									Total Discovery Log Analysis
                    Training

         James T. Bennett, 9/17/07
     RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                        Overview

     TD Log Concepts
1.    Source, Destination, and Direction
2.    Rule Precedence

     Rule Glossary
1.    Rule purpose
2.    Rule trigger criteria
3.    Additional rule info

     Threat Mitigation Policy
1.    F4 Project
2.    Threat Mitigation Policies

     TD Expert System
1.    Getting Started
2.    Charts & Graphs
3.    Log Data & Pre-analysis
4.    Expert System CSV
5.    Future of the Expert System




                                     Trend Micro Incorporated – FOR INTERNAL USE ONLY
     RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                        Overview

     Threat Log Analysis
1.    Start with the Spam
2.    VSAPI & NVP Pattern Matches
3.    Suspicious Packed Files
4.    Web Request from a Malware User-agent
5.    IRC Based Rules
6.    Discovering Gateways

     Research
1.    Research Resources


     Putting the Report Together
1.    Disclaimer




                                     Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line
                                                                                   TD Log Concepts


Source, Destination, and Direction

   Before describing the rules in Total Discovery, and before going into details on how to
    effectively analyze a site’s logs, the concepts of source, destination, and direction must be
    explained.
   Every log will have a source IP, port, and MAC and a destination IP, port, and MAC. The
    source is where the network packet originated and the destination is where the packet was
    sent to.
   When TDA is deployed at a site, the ranges of the network’s internal IP addresses must be
    specified in the console. This is critical for the accuracy and effectiveness of the rules and
    determines the direction of a log.
   If a log’s source IP address is within the internal IP ranges mentioned above, the direction is
    internal. This means that the packet originated from within the site’s network. Otherwise,
    the log’s direction is external, and the packet came from outside the network.
   Direction plays a major role in log analysis and should never be overlooked. More details will
    be given as the rules and log analysis are explained.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line
                                                                                   TD Log Concepts


Rule Precedence

   Other than VSAPI and NVP (Network Virus Pattern) pattern matches, all rules in Total
    Discovery have a confidence level of either HIGH, MEDIUM, or LOW.
   There are some rules that overlap in some ways, and logically one packet could generate
    more than one log. However, rule precedence usually will only allow one log per packet,
    unless there are two rules triggered with the same confidence level.
   Here is the rule precedence hierarchy: VSAPI > NVP > HIGH > MEDIUM > LOW
   Example: one packet contains a VSAPI pattern match, and also has behavior that matches a
    HIGH confidence rule. In this case, the VSAPI pattern match would be logged and the HIGH
    confidence rule would be discarded.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

SMTP Open-Relay access attempt

   An open mail relay is an SMTP server configured to allow anyone on the Internet to send
    email through it. This is commonly abused by spammers and it is recommended to disable
    it to avoid an email server being blacklisted.

   This rule is triggered when an internal host sends an SMTP email where neither the
    domain of the sender nor the recipient exists in Total Discovery's registered domains.
    Email aliases are considered trusted for this rule.

   It is important to note that this rule’s name can be misleading. It is more often triggered
    by spambots or false positives than actual open-relay attempts.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Peer to Peer

   Peer-to-peer networks are typically used for connecting hosts via largely ad hoc
    connections. Such networks are used commonly for sharing files, particularly media and
    software. Often, these files are copyright protected and illegal to be sharing in this
    manner. Also, files shared on P2P networks will sometimes contain viruses and/or
    malware.

   This rule is triggered when one of the following P2P applications establishes a connection
    with another node: Bittorent, Blubster, Direct_Connect, eDonkey2000, eDonkey_eMule,
    Gnucleus LAN, Limewire, Bearshare, Shareaza, iMesh, Kazaa, Kuro, MLDonkey, Morpheus,
    OpenNap, SoulSeek, WinMX




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Pattern Matches

   Total Discovery supports VSAPI and NVP (Network Virus Pattern) patterns.

   When a log does not have a description, it is usually a pattern detection and you can find
    the pattern name in the “DetectionName” field of the log.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Malicious URL access attempt

   This rule is triggered when a host attempts to access a URL whose URI matches one in our
    database of known malicious URIs. These URIs are commonly contacted by malicious
    downloader applications, adware, and malware that contacts scripts used to test HTTP
    proxies.
 Example:
http://www.somesite.com/baddir/file.php?blah
http://www.anothersite.com/baddir/file.php?blahblah
http://www.onemoresite.com/baddir/file.php?blahblahblah

In this example, we could create a bad URI of “/baddir/file.php”




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Suspicious file extension for an executable file

   This rule is triggered when a host attempts to download a file that is determined to be an
    executable and has an extension of .com, .bat, .pif, or .cmd. These file extensions are
    commonly used to disguise malware. This rule can also be triggered when an executable
    file has more than one extension, such as "image.gif.exe".




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Suspicious archive file

   This rule is triggered when a file contained in an archive attachment in an SMTP or POP3
    email has an extension of .com, .bat, .pif, or .cmd. These file extensions are commonly
    used to disguise malware. This rule can also be triggered when an executable file has
    more than one extension, such as "image.gif.exe".




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Suspicious packed file

   Trend's IntelliTrap detection technology heuristically identifies variants of known malware
    by detecting the use of the popular compression application that hackers use to create
    them.

   This rule is most commonly triggered when a host attempts to download a file that is
    detected by Intellitrap.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

IRC protocol detected

   The Internet Relay Chat (IRC) protocol is commonly used by malicious bots for
    communications.

   This rule is triggered when the IRC protocol is detected on an incoming or outgoing
    connection. This does not necessarily signify the presence of a bot and could simply be
    legitimate chatting on the IRC protocol.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

IRC protocol uses non-standard port

   The Internet Relay Chat (IRC) protocol typically uses a port in the range of 6665-6669. It
    is common for malicious IRC bots to use non-standard ports for their communication.

   This rule is triggered when an incoming or outgoing connection is detected using the IRC
    protocol on a port outside of this range. There is still a chance this is legitimate IRC
    traffic, but more likely it is a bot communication.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

CrossSite Scripting (XSS) detected

   This rule covers a specific type of XSS vulnerability that allows a user to inject script code
    onto a web page. This vulnerability commonly exists in web forms or web applications
    which do not validate user input properly.
   This rule is triggered when the HTTP request contains a script tag “<script>” in the URL
   Example: http://anysite.com/script.cgi?var=<script>alert(‘yo’)</script>&var2=something
   This rule also checks for encoding, so the above example would also work if the
    characters were encoded.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Default Account Usage

   Many services and applications come with a privileged default account which the user is
    expected to change the password for once installed. Not changing the default password
    for these default accounts poses a risk of unauthorized use.
   This rule is triggered when someone attempts to login to the default account for SQL or a
    Cisco switch present in the network.
   SQL using “sa” account with a blank password
   Cisco using “cisco” account with the password “cisco”




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

DNS query of a known IRC C&C

   The Internet Relay Chat (IRC) protocol is commonly used by malicious bots for
    communications.
   C&C stands for Command & Control. C&C servers are used by bot masters to control
    botnets. Typically, a bot will contact these servers to receive instructions and updates, in
    this case using the IRC protocol.
   This rule is triggered when a DNS query is made for a domain that is present in our
    database of known IRC C&C servers. This happens when a bot wishes to “phone home”
    for instructions from its master.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Email contains a packed executable in an archive file
  attachment

   Trend's IntelliTrap detection technology heuristically identifies variants of known malware
    by detecting the use of the popular compression application that hackers use to create
    them.
   This rule is triggered when an email attachment is an archive that contains a file detected
    by IntelliTrap.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Email contains a suspicious link to a possible phishing site

   It is common for a phishing email to contain a hard-coded IP address to the phishing site.
    Legitimate emails from your bank or ecommerce service would not contain such links.
   This rule is triggered when the domain of the sender’s email address matches our list of
    commonly phished domains (eg. Citibank, PayPal, eBay, etc.) and the message contains a
    hard-coded IP address.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Email sent through a non-trusted SMTP server

   This rule is triggered when an internal host sends SMTP email to an external SMTP server
    that is not present in Total Discovery's registered services. This could signify information
    leakage, but is also quite common in notification systems. It is recommended to
    investigate the legitimacy of the email being sent.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Email subject matches malware-used subject and contains an
  executable file attachment

   This rule is triggered when an SMTP or POP3 email has a subject commonly used by email
    worms and contains an executable attachment.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

IRC session established with a known IRC C&C

   The Internet Relay Chat (IRC) protocol is commonly used by malicious bots for
    communications.
   C&C stands for Command & Control. C&C servers are used by bot masters to control
    botnets. Typically, a bot will contact these servers to receive instructions and updates, in
    this case using the IRC protocol.
   This rule is triggered when a host connects with an IRC server present in our database of
    known IRC C&C servers.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Host DNS IAXFR/IXFR request from a non-trusted source

   The data contained in an entire DNS zone is sensitive. A hacker with this data could
    easily plan an attack on your network.
   This rule is triggered when any machine not listed in TDA’s trusted DNS services requests
    a DNS zone transfer (attempts to download all your DNS information).
   For this rule, the possible attacker is the destination IP address.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

IRC session on a non-standard port DCC sends an executable
   file

   The Internet Relay Chat (IRC) protocol typically uses a port in the range of 6665-6669. It
    is common for malicious IRC bots to use non-standard ports for their communication.
   DCC (Direct Client to Client) is used by IRC to transfer files. IRC based worms use social
    engineering tactics to send itself to other IRC users.
   This rule is triggered when a DCC request is made to send an executable file in an IRC
    session on a non-standard port.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

(Multiple/Too many) logon failed
   Numerous failed authentication attempts are a good indication of a malicious user or process
    trying to gain network access by performing password guessing. This is typically done using a
    so-called ‘dictionary attack’, where a list of words often used as passwords is simply tried on
    a given account. An alternative type of attack is the so called ‘brute-force’ attack. Here, a
    massive amount of passwords are automatically generated and tried. During a brute force
    attack, theoretically all combinations are tried, making it a very lengthy operation and thus,
    generating many more failed logins than the dictionary attack.
   This rule is triggered when a certain threshold of failed login attempts is reached. Below are
    the details of these thresholds per protocol.
   For the SMB protocol, the possible attacker is the destination IP address.
   Also for the SMB protocol, there are chances for false positives due to technical reason. You
    should consult the customer if you have suspicions.

                                             Multiple logon failed    Too many logon failed
                             Protocol         (threshold trigger)       (threshold trigger)
                                FTP                   =4x                      =20x
                               POP3                   =4x                      =20x
                           *Cisco Telnet              =3x                      =6x
                              **SMB                  =12x                      =18x

                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Oracle HTTP Exploit detected

   This rule detects attempts to exploit Oracle web service vulnerabilities.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Packed executable file dropped on an SMB administrative share

   Trend's IntelliTrap detection technology heuristically identifies variants of known malware
    by detecting the use of the popular compression application that hackers use to create
    them.
   The Administrative Shares are the default network shares created by all Windows NT-
    based operating systems. These default shares share every hard drive partition in the
    system. These shares will allow anyone who can authenticate as any member of the local
    Administrators group access to the root directory of every hard drive on the system.
   Network worms commonly spread by copying themselves to network shares. Advanced
    network worms will use password attacks to take advantage of administrative network
    shares in order to propagate itself to other hosts joined to the network.
   This rule is triggered when an IntelliTrap detected file is copied to an administrative
    share (C$, D$, Admin$).




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Possible Buffer-Overflow attempt detected

   A buffer overflow is a condition where a process attempts to store data in a buffer that is
    more than what it the buffer is intended to hold. This causes valid data such as those used
    to store variables or program flow data to be overwritten which may cause a process to
    crash or produce undesirable results.

   Buffer-Overflows can be triggered by malformed inputs that can be specifically crafted to
    execute arbitrary code; codes that can be used to download a malicious file from the
    internet, or open a port to execute remote commands.

   This rule is triggered when an RPC (Remote Process Call) message is detected to contain a
    sequence of instructions generally found in buffer-overflow code.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Possible NOP-sled detected

   NOP (opcode 0x90) is an Intel x86 instruction which stands for “no-operation”. When the
    CPU encounters such an instruction, it does nothing but move on to the next instruction.
    A sequence of NOP instructions (also known as NOP-sled) have been used in buffer
    overflow codes where the memory address to execute cannot be determined accurately.
    The padding of NOP’s help to slide the execution path to the malicious code.

   This rule is triggered when an RPC (Remote Process Call) message is detected to contain a
    sequence of NOP (no-operation) instructions and thus could be an indication of a buffer
    overflow attack.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Possible Downloader

   This rule is triggered when the HTTP content downloaded was declared to be of another
    type in the response headers, like that of a Shockwave Flash, JPEG, GIF, or Office
    document type but is actually a Windows executable file. An executable file normally
    would be declared to be of “application” type.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Rule Glossary

Rogue service detected

   Rogue services are security risks in a corporate network as they are generally
    mismanaged, often lacking compliance with the existing security policies.

   The lack of security patches of these services makes them vulnerable to compromise. The
    lack of proper configurations like authentication can be a cause of information leak.

   In some cases, rogue services may be a result of a malware infection; malware infects a
    system and acts as an SMTP Open-relay allowing unsolicited emails such as spams to be
    relayed from one domain to another or act like an SMTP server or client to spam emails.

   This rule detects SMTP and DNS services that are not registered in TDA’s registered
    services. It is usually best to confirm with the customer on these detections.
   Domain controllers, by default, have a DNS service active which needs to be registered in
    Total Discovery. Failure to do so will result in this rule being unnecessarily triggered.



                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                          F4 Project


                                                                               TDA           TDMS




                NVWE                               NVWE                            NVWE




Fantastic 4 aka ‘F4 Project’ is the project code name that integrates four existing products to
    deliver network behavior monitoring, network containment and damage clean-up:
          Total Discovery Appliance (TDA)
          Total Discovery Mitigation Engine (TDME)
          Total Discovery Mitigation Server (TDMS)
          Network Virus Wall


                                Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       F4 Project

F4 Components:
   TDA (Total Discovery Appliance)
          deployed offline at the core switch to monitor for suspicious network behavior
          detect known threats by network content inspection technology (NCIT) along with all the major
           protocols scanned by VSAPI.
          detect unknown threats by network content correlation technology (NCCT).
   TDME (Total Discovery Mitigation Engine)
          branched from DCE
          an engine to proactively eliminate malicious code from the infected system upon detection
          incorporates “forensic cleanup” to clean up
   TDMS (Total Discovery Mitigation Server)
          a server to receive the commands from TDA and then deploy agent to do forensic cleanup or damage
           assessment.
          can also trigger NVW to quarantine the infected client.
   NVW (Network Virus Wall)
          quarantine the infected client
          can quarantine or release the quarantine per TDMS instruction
          refers to NVWE2500 and NVWE 1200 model.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                             Threat Mitigation Policy

Important notes:
   The term “mitigable” means a threat is both cleanable and blockable.
   Mitigation parameters are defined in the Network Content Correlation Pattern (NCCP).
   NCCP maps each rule with the mitigation parameters:
       Cleanable (yes or no)
       Direction to clean (inbound, outbound, both)
       Protocol to clean (HTTP, IRC, SMTP, etc.)
       Clean priority (High, Medium-High, Medium, Medium-Low, Low) – clean task
          deployment priority is configurable in the TDMS console
       Clean target (source ip, destination ip)
       DCE pattern name to use if the target is the source (usually the attacker)
       DCE pattern name to use if the target is the destination (usually the victim)
   Along with the mitigation task, TDA will also provide tips on: source ip/port, destination
    ip/port, filename, dcecrc, smb pid, dcs pattern name, etc.
   If threat is mitigable, mitigation task is sent and processed by TDMS
   TDMS has options to enable/disable policy and apply exceptions before deploying TDME.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
         RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line
                                                                  Threat Mitigation Policies

Policy
                  Threat Type                                                  Risk Mitigation
  ID
         Known external attacks             Internal computer downloading Malware/Spyware via HTTP protocol
  1
         (VSAPI)
         Known external attacks             Internal computer downloading Malware via FTP protocol
  2
         (VSAPI)
         Known internal detections          Internal computer propagating Malware via SMB (network share) protocol
  3
         (VSAPI)
         Known internal detections          Internal computer propagating Malware via SMTP protocol
  4
         (VSAPI)
         Known internal detections          Internal computer propagating Malware via IM protocols
  5
         (VSAPI)
         Known internal detections          Internal computer attacking the network with network viruses
  6
         (VSAPI2/NVP)




                                         Trend Micro Incorporated – FOR INTERNAL USE ONLY
         RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line
                                                                  Threat Mitigation Policies

Policy
                  Threat Type                                                  Risk Mitigation
  ID
         Potential external attacks
  7                                         Internal computer downloading potential threats via HTTP protocol
         (Rule 23, 66)
         Potential internal detections      Internal computer propagating potential threats via SMB (network share)
  8
         (Rule 8)                           protocol
         Potential internal detections
  9                                         Internal computer propagating potential threats via SMTP protocol
         (Rule 9, 12, 13, 55, 72)
         Potential internal detections
 10                                         Internal computer attacking the network with potential network viruses/exploits
         (Rule 67, 68)
         Potential Internal Detection
 11                                         Internal computer infected by BOT
         (Rule 7, 26)
         Potential Internal Detection
 12                                         Internal computer compromised by Exploit or infected by Backdoor
         (Rule 17)
         Potential Internal Detection
 13                                         Internal computer infected by potential Downloader
         (Rule 88)




                                         Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line
                                                 Total Discovery Expert System


Getting Started – Generate the report data

   The Expert System can be accessed at
    http://10.2.168.252/expertsystem/TD_Log_Analysis.php

   First, choose which site you will be reporting on from the select box.

   Then, use the dropdown menus to choose the date range of logs you will be reporting
    on and click the Submit button.

   If you do not see the site you wish to report on in the select box, or if there are any
    problems with the expert system or the data it generates, please contact
    james_bennett@trendmicro.com with the issue.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

The Charts and Graphs

   The first series give overall detection statistics for the date range. Figure 1-a is a pie
    chart that illustrates the percentage of internal and external detections. Chart 1-b
    displays the counts for all of the rules triggered for both directions.

   The second and third series give internal and external detection statistics for the date
    range respectively. Figures 2-a and 3-a are bar graphs that illustrate the counts of
    detections per protocol. Figures 2-b and 3-b are bar graphs that illustrate the counts of
    detections per confidence level. Confidence levels are assigned on a per rule basis.
    PATTERN is a VSAPI or NVW pattern detection. Charts 2-c and 3-c give detection statistics
    broken down by protocol, confidence level, and risk type ordered by their confidence
    level. Charts 2-d and 3-d give detection statistics broken down by protocol, confidence
    level, and rule description ordered by confidence level.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Log Data and Pre-Analysis

   After the charts and graphs, the Expert System presents you with 2 items regarding pre-
    analysis: Overview and Host Information.

   The Overview section will group together internal IP addresses that have a similar pre-
    analysis for your convenience. Each IP is a link that you can click on to display the all of
    the logs related to that IP. It is recommended that you right click on the link and choose
    to open in a new window so that you do not lose your place on the main page and have to
    scroll down again.

   The Host Information section organizes and groups all of the logs by the internal IP
    address and displays any pre-analysis for each host if available. Just as in the Overview
    section, each IP is a link you can follow to view all of the logs for that particular host.
    NOTE: just because there is no pre-analysis for a host does not mean that there is no
    threat. Each host’s logs should be investigated.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Pre-analysis
   applies log correlation
   involves adding pre-defined SQL queries on TDA events to provide
    automated analysis
   adds intelligence to recognize a series of patterned threat behavior or
    rule-out false positives




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Pre-analysis Rules supported:
   Threat Detection
      Bot Infected
      Possible Bot Activity
      Possible IRC Bot
      Bruteforce attack on FTP admin account;
      Spamming Worm Infected Emails
      SMTP Open Relay or SpamBot
      Infected Internal Machine Performing Attacks
      Spyware Infected
      Possible Malware
      Access to exploited site
      Possible P2P
      Possible Access to malicious URL
      External Network Virus Attack

                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Pre-analysis Rules supported:
   False Positive Detection
      False Positive (Email through Non-Trusted SMTP)
      False Positive (Open-relay)




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Bot infected machine
   rule 26 (session established with known IRC C&C server)

Bot activity
 rule 7 (Bot command detected)
Note:
 dstip is the infected host
 srcip is the IRC C&C server recommended to be blocked

Possible IRC Bot
   rule 18 (DNS query of known C&C)
   direction is internal




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Brute-force attack on FTP admin account.
   {
        rule 21 (multiple logon failed)
        protocol is FTP
        event count >= 5
             or
        rule 15 (too many logon failed)
    }
   username ‘Administrator’

Spamming worm infected emails
   direction is internal
   protocol is SMTP
   description is ‘Pattern Detection’
   event count >=5



                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

SMTP Open-Relay Server or Spambot
   rule 29 (SMTP open-relay) average event count/day > 20
   unique sender count > 5
   unique recipient count > 5


Infected Internal Machine Performing Attacks
   protocol is ‘virus_pattern_udp’ or ‘virus_pattern_tcp’
   srcip is internal




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Spyware infected Machine
   rule 70 (web request from spyware user-agent)
   direction is internal

Possible malware
  protocol is http
  external attack
  {
      rule 32 (suspicious file extension "com" for exe)
         or
      rule 47 (suspicious packed)
    }
Note: dstip is possible infected machine



                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Access to exploited site
 rule 75 (ANI exploit)
 protocol is http
 external attack
Note:
 High Confidence Level if domaintools.com returns a reverse ip of
   more than x sites hosted and/or blacklist status says "currently listed"


Possible P2P
   protocolgroup is P2P
   internal detection




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Possible Access to malicious URL
   rule 56 (web request to malware user-agent)
   direction is internal


External Network Virus Attack
   protocol is ‘virus_pattern_udp’ or ‘virus_pattern_tcp’
   srcip is external




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

False Positive (Email sent through a non-trusted SMTP server)
 rule 52 (Email sent through a non-trusted SMTP server)
   unique sender <= 2


False Positive (SMTP Open-Relay)
 rule 29 (SMTP Open-Relay)
   unique sender <= 2




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

The Expert System CSV File

   Right click and choose ‘Save Target As’ to save the csv file to your computer, then open it
    in Excel to view.
   One of the Expert System’s most useful features is how it organizes and presents TD log
    data to you. It organizes the logs by internal IP address, and shows you only the data you
    want to see for each log, ordering the logs by log time. What you see is a timeline of
    events for each host on the customer’s network, making it much easier to recognize when
    a threat is present.
   Each row in the csv contains the following data: the name of the site, the log time, the
    rule id# (for debugging purposes), the direction, the protocol, the source IP address, the
    source port, the destination IP address, the destination port, the rule description, and a
    series of “special” fields.
   A row of asterisks (*) is used to separate each internal host for easier reading.
   The special fields are for rule specific data. For example, an email based rule would have
    the sender, recipient, subject, and possibly URL data while an IRC based rule would
    possibly have the chat room name, nickname, and bot command issued. For pattern
    detections, there will be no rule description and instead you will see the detection name
    in the special field. These fields were all previously explained in the Rule Glossary
    section per each rule.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                              Total Discovery Expert System

Future of the Expert System

   Generate more of the report automatically, and perhaps generate a complete preliminary
    report.
   Automated research. Determine suspiciousness of IP address/URL/file.
   Web based reports and reporting functions.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line
                                                                            Threat Log Analysis


Start with the spam..

   For most sites you will encounter, SMTP based rules will be the most popular. Scroll through
    the csv file and look at the SMTP rules for each host.
   First look at the number of emails for each host. Most spam comes in large numbers, so look
    more closely at the hosts which have a lot of SMTP logs.
   Look at the subject and URL. These can tell a lot about the nature of an email. First think
    about the name of the site you are analyzing and the nature of its business. Do the subjects
    of the emails fit with the environment? Of course, there are always personal emails at every
    site you will analyze. You need to become familiar with typical spamming and social
    engineering tactics. These become easy to spot with some practice. Unfortunately, TD only
    holds the first 32 characters of an email subject. But, this is usually enough to make a good
    judgement.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                             Threat Log Analysis

Start with the spam.. (continued)

   To familiarize yourself with some common spam subjects, review the following “in the wild” subjects.
    Worm (attempts to lure victim to run attachment or click link that leads to exploit):
    ecards (lures victim with promise of an ecard or egreeting):
    funny postcard             holiday e-card               movie-quality card             funny ecard
    greeting card              musical card                 birthday ecard animated postcard
    love e-card

    interesting pics/videos (lures victim with promise of scandalous pictures or video):
    Hey man, check out these pics I                          My friend took these pics of me,
    Oh man this girl is a freak, lol                         Don't tell my husband I gave you
    Honey, i miss you. let me show y                         Oh man I found these pictures of
    I bet your wife wont do this for                         My EX-boyfriend took these of me
    OMG, what are you thinking                               LMAO, your crazy man


    current events (lures victim using upcoming holiday, event, or current news):
    The Big Labor Day Weekend                              A Labor Day E-Card
    A Labor Day Greeting                                   Your Friend Sends A Labor Day Gr




                                     Trend Micro Incorporated – FOR INTERNAL USE ONLY
   RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                         Threat Log Analysis

Start with the spam.. (continued)
   Anti-malware:
   Worm Detected!               Trojan Detected! Virus Activity Detected!

   Most recently noted NFL related subjects:
   Do you have your NFL Game List?                Free NFL Game Tracker                Are you ready for some football?

   Currently, worm emails are using links to hardcoded IP addresses (often home users’ compromised PCs). The URLs will either link to the
   root directory of the IP (http://x.x.x.x/), or to some script (http://x.x.x.x/folder/in.php). Worms will otherwise include the binary as an
   attachment cleverly named to fool the recipient into thinking it is something else. If VSAPI has a pattern for the file, it will show up in the
   logs as a pattern match.

   Phishing(attempts to trick user into sending login info for banking and ecommerce sites):
   PayPal : Please confirm your Pay              IMPORTANT: Alert from eBay
   This is your official notificati              NorthFork Bank: Secure Confirmat
   NorthFork Bank: Secure Update Pr              NorthFork eCash Management Servi

   http://82.241.245.37/chaseonline.chase.com/index.htm
   http://70.88.210.45:81/ebay.com/index.html
   http://nfbconnect.northforkbank.com.pid24adhsaduFZGZBBB.com/confirm/cashman/banking/Confirm.asp
   http://0xce.0x4a.0x2e.0xcd/MembersLogin/index.htm
   http://0x574a115a/bancoposte
   http://3664571179/a.php

   There are many different banking and online payment services that are spoofed for phishing scams. The key is recognizing a “phishy”
   subject and even more importantly, a “phishy” URL. You can see the name of the banking institution or website in the URL, but it is not
   actually ever in the domain. The Northfork Bank comes close and could fool some, but notice how it is actually a subdomain? Also notice
   the notation of some of the IP addresses, they use decimal and hexadecimal in various formats.




                                          Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                         Threat Log Analysis

Start with the spam.. (continued)

   There are many other types and varieties of spam and they will continue to evolve.
   Other things to pay attention to besides the subject and URL in an email is the
    sender/recipient. For internal detections, look at the senders. Are there multiple senders
    coming from one IP address? Do the domains of the senders belong to the site? For
    external detections, are you seeing similar subjects being sent to many different
    recipients?
   The direction is important because it can hint to us that a machine in the network may
    actually be infected with a spamming bot. If the direction is internal, the threat is more
    severe because this means that the source IP for these logs is infected and actively
    spamming.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                         Threat Log Analysis

Reporting on Spam

   The most important spam related events to report on are internal detections. The
    customer is always concerned with spam originating from their network. This can cause
    their servers to be put on spam block lists. (refer to TD_report_SILGAN_20070822.doc)
   Every network receives spam, and most will already have spam protection in place. This
    makes reporting on external spam detections less of a priority, though it is a good
    practice to inform the customer of the possible threat, including the nature of the spam,
    the risks involved, and how to educate the end users on the network. If you are to
    include this analysis in your report, it should be towards the end after any higher priority
    events. (refer to TD_Report_ColoState_08012007.doc)




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                         Threat Log Analysis

VSAPI & NVP Pattern Matches

   Perhaps the easiest events to report on, the highest confidence detections of course are pattern
    detections. TD uses VSAPI and NVP patterns to detect malicious files and attacks on the network.
   It is common for multiple hosts on the network to be affected by the same pattern or group of patterns
    around the same time span, so look for all the hosts affected by the pattern(s) and group them together
    into one item on the report. The item should contain the IP addresses of the hosts affected, the log time
    of the detections (for multiple detections, use the latest date), the pattern names, and if the patterns
    are for NVP, the source IP addresses from where the attacks came.
   You should try to find a Trend Virus Encyclopedia entry for each pattern name and link to the entry from
    the pattern name in the report: http://www.trendmicro.com/vinfo/virusencyclo/default.asp
   It is also common to see the ‘Suspicious Packed File’ rule detection surrounding VSAPI pattern detections
    over HTTP. These files are other components of the malware or other malware in a payload and can be
    referred to as suspicious when reporting the incident.
   Much like with the spam related rules, the NVP detections that are internal are a higher priority than the
    external detections. Internal NVP detections tell us that an internal host is attacking other machines on
    the internet and is probably infected. You can determine if the pattern is an NVP pattern by looking at
    the protocol or risk type of the log.
    (refer to TD_report_SILGAN_20070808.doc & TD_report_JSUN_20070822.doc)




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                         Threat Log Analysis

Suspicious Packed Files

   A “Suspicious packed file” detection is an Intellitrap Generic_PAK detection. It is a
    generic detection of a file which has been packed by an application popularly used by
    malware authors. These detections can possibly be false positives, and alone are not
    enough to report on. However, these detections are great hints and with a little more
    research you can have enough confidence to report on an infection that otherwise would
    have been missed.
   Are there any other rules triggered around the same time on this host? As mentioned in
    the previous slide, it is common to see this rule alongside with pattern detections. This is
    an obvious infection taking place and should be reported. Other possibilities include
    seeing this rule after a “Malicious URL access attempt” detection, or “IRC protocol uses
    non-standard port”. Or maybe following the rule, you see “Web request from a malware
    user-agent”. All of these hint towards the file being malicious, and together, the
    combination of these rules gives you enough confidence to report that an infection has
    occurred.
   Another way to investigate if the file is malicious or not is by researching the source IP
    address where the file came from. More information on researching will be covered in
    the upcoming Research section.



                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                         Threat Log Analysis

Web request from a malware user-agent

   The chance for false positives on this rule are small, but possible. When analyzing these
    logs, research the URL and IP it is contacting to determine that it is indeed malicious.
    Often times the files will be .txt, .ini, or some kind of script like .php, .cgi, .pl. Try to
    investigate what kind of data is being sent and/or received to help raise or lower your
    suspicions. Please report possible false positives to
    ed_malibiran@premium.trendmicro.com and james_bennett@trendmicro.com
   The direction of these detections should mostly always be internal. If you find an
    external detection of this rule, there is a slight chance that some host on the network has
    been compromised and is hosting malicious files. Otherwise, this is likely a false positive.
    (refer to TD_report_JSUN_20070808.doc)




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                         Threat Log Analysis

IRC Based Rules

   There are a collection of different rules for the IRC protocol with varying confidence
    levels.
   Pay attention to the frequency of IRC logs for a host. If you see many IRC logs that are
    only seconds apart, this is a good indication of malware activity.
   Try using an IRC client or telnet to connect to the IRC server yourself. See if it looks like
    a legitimate chat server or possibly a C&C server. If the rule states it is on a non-standard
    port, be sure to use the proper port when connecting. Usually this will be src port for
    external and dst port for internal, unless the IRC server is actually the internal host.
   Also, perform research of the external IP address to help make a better determination of
    possible suspicious activity. More information on research will be provided in the next
    section.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                         Threat Log Analysis

Gateway Discovery

   Some customers may have gateway devices installed in their network for various reasons,
    including security and this can cause confusion when analyzing the logs.
   If you see large amounts of logs for many different rules and pattern detections on one
    host, there is a chance it may be a gateway device. You should consult the customer to
    confirm this.
   If you see a log from an external address to an internal address, then see a similar log
    from that internal address to another internal address, this is also a good sign of a
    gateway device. The reverse of this is true as well, a log from an internal address to
    another internal address, then another log from that internal address to an external
    address.
   Example: a VSAPI pattern match was detected from an external address to an internal
    address. Another detection for that same VSAPI pattern match was detected with the
    same timestamp (or maybe 1 or 2 seconds later) from that internal address to another
    internal address.




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Research

Research Resources
   A good way to better confirm the suspicious activities indicated by many types of logs is
    to do some research of the external IP address. There are many tools on the internet, and
    Trend’s intranet to help aid in your research
   Google:
    Other search engines will work as well, though Google’s extensive database, search
    features, and security risk warnings returned with your search results make it the most
    useful for log analysis. Simply perform a search of the IP address, domain name, or URL
    in question and look at the results returned. Look for antivirus, tech support, or other
    security sites in the results. Also look for words like “block this”, “blacklist”, etc. Click
    on some of these links and read to find more information about what the IP may have
    been involved with in the past.
   Domaintools.com:
    This is a great site for finding domain and whois info based on an IP address or domain
    name. It will also tell you if the domain/IP is on any popular blacklists. Watch out for
    the following names in the whois info: Russian Business Network, Intercage, ESTDOMAINS
   http://reclassify.wrs.trendmicro.com/submit-files/wrsonlinequery.asp



                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                                                       Research

Research Resources
   Another way to better confirm the suspicious activities indicated by some types of logs is
    to do some analysis of the questionable files involved.

   To learn how to extract a file from the TDA console, read the slides from
    Beta_Training_TDA_CAV.ppt
   Zip the file and password protect it with the password ‘virus’, then email it to
    vtest@av.trendmicro.com . In a few minutes, you will receive an email response with the
    PAFI scan results of our scanners and our top competitor’s scanners.
   Send the file to CWSandbox for automatic behavior logging:
    https://168.61.10.39/sub/submit.php
    User: trend
    Pw: 6otn3tdat4




                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY
    RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line

                                                   Putting the Report Together

DISCLAIMERS:
 This report format is subject to change and can be considered a “work in progress”.
 I do not possess the greatest ability with Microsoft Office products =)

   Open the Word doc, TD_report_template.doc
   Copy the charts and graphs from the Expert System results and paste them into their
    corresponding locations in the report template.
   Review the charts, graphs, and the logs. Then add some brief commentary about the logs
    for the most popular protocol for each direction. In section 4, replace the 3 dots (…) with
    your commentary on the logs for the most popular protocol for internal detections. In
    section 5, do the same for external detections. Use some of the previous reports as a
    guideline if needed.
   If you have reported on this site previously, include your last report’s analysis in section 6
    as a reference for the customer.
   Using the tips given in the Threat Log Analysis slides, and using the previous reports for
    examples, fill in section 2 with your host level analysis.
   Change the page numbers in the table of contents to accurately reflect the report.



                                    Trend Micro Incorporated – FOR INTERNAL USE ONLY

								
To top