1. What are two items to consider when creating a malware analysis environment? Could malware detect and react differently if a potential malware analysis tool/environment is detected? Give two possible examples.
UMUC (2013). Network Forensics, Cybercrime Investigation and Digital Forensics. Retrieved from http://tychousa5.umuc.edu/CSEC650/1202/csec650_07/assets/csec650_07.pdf

2. Give an example of an incident where it was discovered that a RAT was found in a corporate network. Identify one method a forensic investigator may use to identify a potential RAT program.
UMUC (2013). Network Forensics, Cybercrime Investigation and Digital Forensics. Retrieved from http://tychousa5.umuc.edu/CSEC650/1202/csec650_07/assets/csec650_07.pdf
Rubric (printed 3/21/13 11:10 AM, page 1 of 1)
https://learn.vccs.edu/webapps/blackboard/execute/manageRubrics?dispatch=view&context=course&rubricId=_6365_1&course_id=_297188_1

Paper Rubric
Used to grade papers in the course.

Levels of Achievement (Criteria and Explanation)

Thesis/Introduction (10 Points): The assignment has a clear thesis which addresses all parts of the topic.
Analysis (30 Points): Development of each of the introduction's thesis points; focused treatment of the essay question. Analysis is detailed, understandable and accurate.
Evidence (30 Points): Citation of specific historical events/developments to support analysis. Reference to footnoted and/or cited sources.
Grammar/Organization (20 Points): Proper paragraph organization for the essay with correct style usage.
Conclusion (10 Points): Short summation of paper.
UMUC Cybercrime Investigation and Digital Forensics
CSEC650
© UMUC 2011 Page 1 of 29
Contents
Topic 1: Scenario (page 2)
  Scenario: Network Investigation at NAI (page 2)
Topic 2: Module Introduction (page 4)
Topic 3: Network Forensics: An Overview (page 5)
  What is Network Forensics? (page 5)
  Why We Need Network Forensics (page 6)
Topic 4: Challenges in Network Forensics (page 8)
  The Complexities of Network Forensics (page 8)
  The Key to Network Forensic Investigations (page 9)
  Case Study: Birth of the Earth (page 11)
Topic 5: Botnets (page 14)
  Botnets as a Network Forensic Antagonist (page 14)
  Types of Botnets (page 16)
  Challenges and Protection (page 17)
  Activity: Annihilating the Internet (page 19)
Topic 6: Performing Live Acquisitions (page 24)
  Performing Live Acquisitions of Data (page 24)
  Techniques to Improve Live Acquisitions of Data (page 25)
Topic 7: Intrusion Detection and Monitoring (page 26)
  Relevance to Network Forensics (page 26)
Topic 8: Summary (page 27)
Glossary (page 28)
Topic 1: Scenario
Scenario: Network Investigation at NAI

Network Forensics
CSEC650—Module 7

Network Investigation at NAI

Steve Freeman, a senior network engineer at National Aerospace Industries (NAI), notices some unusual activity on the company's Wide Area Network (WAN). Steve knows that network forensics can help solve cases of data leakage and network intrusions by performing an in-depth and accurate analysis of the network.

He asks a network forensic investigator to conduct a forensic investigation on the company's network. Steve is hoping that the network forensic investigator can help determine the cause of the unusual activity.

Scenario

Scene 1
Steve Freeman is the senior network engineer at NAI. He notices unusual activity on NAI's WAN, which serves about 1,200 users.

Scene 2
Steve: Our company's network-management system has set off an alarm. There have been repeated unsuccessful log-ins, and they're all from Chief Financial Officer David Thompson's account.
Steve: I wonder if the simultaneous occurrence of the unusual activity on the WAN and this alarm is a coincidence. I'd better review the alarm.

Scene 3
Steve: There have been 24 attempted log-ins within a five-hour period, from 1 a.m. to 6 a.m. on July 2.
Steve: This could be a serious security incident. I'll run this by Judy Maines, our chief forensic investigator.

Scene 4
A transcript of the conversation between Steve and Judy is reproduced below.
Steve: Hi, Judy. Do you have a moment?
Judy: Sure, Steve.
Steve: I noticed some unusual activity on our WAN. There were 24 unsuccessful attempts to log in to the CFO's account. I found this suspicious, so I'm hoping you can look into the matter.
Judy: It definitely sounds suspicious to me. I'll take a look.
Judy: Before I do that, I'll see if I can arrange a conference call with Mr. Thompson.
Steve: Good idea. Let me know what happens.

Scene 5
Judy contacts Mr. Thompson's secretary, who tells her that Mr. Thompson is in Florida on a family vacation. Given the potentially serious nature of this situation, Judy contacts him on his cell phone.

Scene 6
A transcript of the conversation between Judy and Mr. Thompson is reproduced below.
Judy: Hello, Mr. Thompson. I'm sorry to call while you're on vacation. There were several unsuccessful log-in attempts from your account. Have you had any log-in issues?
Mr. Thompson: No, I haven't logged in to my account for a week. What do you plan to do now?
Judy: We're looking into it. I'll let you know what we find.

Scene 7
Judy: I'm really concerned now. Is a hacker trying to get into the network? Could the hacker already be inside, or is this just a glitch?

Scene 8
Judy: I'm going to conduct a rigorous network forensic review. I'd also better get our incident response team involved.
Topic 2: Module Introduction

Network forensics is much more complicated than deadbox or file system forensics because large networks have multiple entry and exit points. Conducting a forensic investigation on a network is more difficult than analyzing a single computer because of the complexities of network architectures.

This module focuses on network forensics, its associated concepts, and the challenges related to network forensics. The first topic is a general overview of network forensics, including the main approaches to it and the considerations a forensic examiner must take into account. The second topic explores a series of challenges that are intrinsic to the special aspects of network forensics. The third topic presents the analysis of a major threat to network forensic analysis—botnet technology.

The fourth topic deals with the issues related to planning and completing a live acquisition of network forensic captures. The final topic covers important aspects of how to use network logs to support a forensic investigation. The module concludes with a presentation of the important aspects of network intrusion detection and monitoring.
Topic 3: Network Forensics: An Overview
What is Network Forensics?

The original purpose of the Internet was to share and disseminate information among physically separated parties by interconnecting networks. The early forms of networks required hardwired cabling and Network Interface Cards (NICs). Today, networks range from very small Personal Area Networks (PANs) to the vast Internet, and each network level uses various protocols to ensure a smooth and secure flow of information. With various protocols available for use at the network level, it is important to have a solid understanding of how networks operate before moving on to forensics.

Most networks use TCP/IP to transmit and receive data from the Internet in a commonly structured format. In order to transmit data, whole files are broken down into multiple small data packets, each carrying source and destination addresses. As with an envelope being delivered from one place to another, a number of technological processes and human actions exist to ensure accurate, timely, and secure delivery.

In computer networks, routers perform the main phases of delivering data to client devices. Network forensics, therefore, involves acquiring/capturing, preserving, and analyzing relatively large amounts of data. Ideally, a highly competent digital forensic examiner will have an in-depth knowledge of the routers' performance, as well as security vulnerabilities and sources of evidence.
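The paragraphs above describe packets that carry source and destination addresses and routers that forward them. As an added example, not part of the UMUC module, the Python below decodes the two headers an examiner most often reads from a capture, IPv4 and TCP, directly from raw bytes with struct. The sample packet is constructed inside the code (invented documentation addresses 10.0.0.5 and 192.0.2.10, invented ports, checksums left at zero), so the block runs offline; on a real capture the same parse_ipv4/parse_tcp functions would be fed the bytes that follow the Ethernet header of each frame.

```python
import struct
from ipaddress import IPv4Address


def build_sample_packet() -> bytes:
    """Constructed sample (not a real capture): 20-byte IPv4 header + 20-byte TCP SYN header."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,    # version 4, IHL 5 (20 bytes)
        0,       # type of service
        40,      # total length: 20 (IP) + 20 (TCP), no payload
        0x1234,  # identification
        0x4000,  # flags: DF set, fragment offset 0
        64,      # TTL
        6,       # protocol: TCP
        0,       # header checksum (left zero in this constructed sample)
        IPv4Address("10.0.0.5").packed,     # invented source
        IPv4Address("192.0.2.10").packed,   # invented destination
    )
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        51000,   # source port (invented)
        22,      # destination port
        1,       # sequence number
        0,       # acknowledgement number
        5 << 4,  # data offset 5 (20 bytes), reserved bits 0
        0x02,    # flags: SYN
        65535,   # window
        0,       # checksum (left zero)
        0,       # urgent pointer
    )
    return ip_header + tcp_header


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header; raise on truncated or non-IPv4 input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    end = total_len if total_len <= len(packet) else len(packet)
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "payload": packet[ihl:end],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed TCP header and name the flag bits that are set."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, offset_res, flags,
     window, _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (offset_res >> 4) * 4
    names = [n for bit, n in ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                              (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")) if flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": names, "window": window, "payload": segment[data_offset:]}


def summarize(packet: bytes) -> str:
    """One-line summary of the kind a capture tool prints for each packet."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != 6:
        return f'{ip["src"]} -> {ip["dst"]} proto {ip["protocol"]}'
    tcp = parse_tcp(ip["payload"])
    return (f'{ip["src"]}:{tcp["sport"]} -> {ip["dst"]}:{tcp["dport"]} '
            f'[{",".join(tcp["flags"])}] ttl={ip["ttl"]}')


if __name__ == "__main__":
    print(summarize(build_sample_packet()))
```

The fragment fields are decoded even though the sample sets none of them, because reassembling fragmented packets is one of the first things an examiner has to handle when "whole files broken into small packets" are reconstructed from a capture.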
Topic 3: Network Forensics: An Overview
Why We Need Network Forensics

The Need for Network Forensics
An important question to ask about network forensics concerns its value to an organization. Network forensics is useful in capturing an attack fingerprint and performing post-attack analysis for security exploits. Using network forensics, a forensic examiner can analyze historical network traffic. Such analyses help examiners investigate security attacks. Network forensics helps to reconstruct the sequence of events that occurred during the breach to get the complete picture.

Cybersecurity attacks have become common these days. A Distributed Denial of Service (DDoS) attack on Bitbucket.org—a Web-based code-hosting service that relies on Amazon's Elastic Compute Cloud (EC2)—and a DDoS attack on Facebook and Twitter in August 2011 are headline examples (WildPackets, n.d., p. 3).

In addition, IT professionals commonly use network forensics to do these things (WildPackets, p. 3):
- Enhance network performance.
- Improve the organization's intrusion-detection technologies.
- Identify any rogue devices that reside on the network.
- Prevent computer malware and network hacks.

Reference: WildPackets. (n.d.). Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf

The Benefits of Network Forensics

Monitoring User Activity
Monitoring user activity is an important aspect of workplace productivity as well as cybersecurity. For instance, social networking sites are known to create a significant decrease in worker productivity. As a result, many organizations have implemented policies that prohibit or minimize such activities (WildPackets, p. 3).

In addition, organizations have policies prohibiting non-work-related activities—such as online gaming and movie watching—that use network resources. Finally, network forensics can monitor these types of activities and provide management with the evidence required to take disciplinary action against employees who violate an organization's policies (WildPackets, p. 4).

Reference: WildPackets. (n.d.). Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf

Identifying the Source of Data Leaks
Network monitoring helps to supervise the flow of data and to detect data leaks. If a data leak occurs in a monitored network, network monitoring can reveal vital information, such as what and how much data has been leaked (WildPackets, p. 4).

In addition, a digital forensic investigator can identify the root of the problem, determine whether the leak was intentional or accidental, and trace who or what caused the leak. It is important to secure data because the tangible and intangible costs of a data leak can run into millions of dollars.

Reference: WildPackets. (n.d.). Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf

Analyzing Business Transactions
Audit trails are an extremely useful source of network forensic information. This is true for all key business transactions and is even more important for systems and protocols that transmit data in plain text, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, and Structured Query Language (SQL) (WildPackets, p. 4).

Network administrators are the owners of audit logs, so they bear accountability for maintaining and archiving these logs, some of which may be initiated by the organization's customers. If there are problems with certain business transactions, network forensic techniques often can be used to resolve them.

Reference: WildPackets. (n.d.). Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf

Identifying the Source of Intermittent Network Performance Issues
A practical application of network forensics is the identification of network performance issues in an organization's LAN or WAN through retrospective analysis. Network forensic tools are more scientific and reliable than traditional troubleshooting tools, and a timeline analysis can provide the information required to plot and analyze all detailed and significant network events (WildPackets, p. 4).

Through network forensics, a forensic investigator can answer questions about how the network performed in a given time period by examining every packet that was transmitted across the network. Common examples of network traffic include FTP traffic, Web browsing, e-mail messages, and instant messages.

Reference: WildPackets. (n.d.). Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf
Topic 4: Challenges in Network Forensics
The Complexities of Network Forensics

In contemporary enterprises, it is important to think about the range of devices that send and receive data within a company's network. In addition to traditional computers, many other devices are in use today—laptops, netbooks, mobile devices, and Small-Scale Digital Devices (SSDDs), such as the iPad and the Galaxy tablet.

Although most networks are under the control and security of the company, other networks, such as the cellular network, satellite network, and Internet Service Providers (ISPs), are external and outside the company's control. These external networks may have valuable network forensic artifacts, such as network event logs, system logs, or information from individual servers. Log files are perhaps the most important sources of network data because they contain information about devices, Internet activities, services, and the active state of network data, which can prove to be valuable network forensic information.
Topic 4: Challenges in Network Forensics
The Key to Network Forensic Investigations

To investigate why the system raised an alarm, Judy, NAI's chief forensic investigator, decides to call a meeting with Steve and two other members of her team—Calpurnia and Jean. In this meeting, Judy hopes to discuss the merits of analyzing network logs because she intends to conduct a log review of NAI's network to trace the cause of the alarm.

A transcript of the discussion among Judy and her team is reproduced here.

Judy: Thank you all for taking the time to attend this discussion.
Judy: I'm hoping we can conduct a log review of NAI's network, and I'd like to hear your thoughts about the merits of conducting such a review.
Calpurnia: I think it's a good idea. At the very least, the network logs can provide information about the evidence trail of network events.
Jean: I agree. The ability to analyze network logs is a big advantage for us.
Steve: It'll be a big help if we can verify the entry points, personnel involved, and systems used to access the network.
Judy: Yes, our organization had the foresight to make decisions about how the information is logged and retained.
Jean: Judy, network log files can be extremely large. I suggest we establish accurate network log analysis processes, data-retention policies, and toolkits to analyze this information.
Calpurnia: We can start with the event logs, which provide date-time stamps that can be essential in developing a timeline analysis for our investigation.
Steve: There are a number of third-party software applications that will allow us to establish filters of these network logs.
Jean: That should reduce the amount of data in the logs.
Judy: Going forward, I'll see if we can assign the information security officer's staff to review these logs as part of their daily responsibilities and to back up the information regularly.
Jean: Sounds good. How about using freeware tools to handle the complex and data-intensive aspects of network log analysis?
Calpurnia: Sure. Many freeware tools provide filtering and data-reduction capabilities. We can use them to improve our efficiency!
Judy: We'll go ahead with reviewing the network logs. Let's get to work and keep each other informed of any developments.
Topic 4: Challenges in Network Forensics
Case Study: Birth of the Earth

Background
New England–based Birth of the Earth is a leading manufacturer of outdoor clothing and footwear. The company uses a WAN to connect more than 850 users across its corporate offices, call center, and manufacturing plant. Last week, the company's digital forensic investigator, Joe Schumer, received a call from the networking group in the Information Systems department, reporting an active network intrusion at the company.

Methodology
As an experienced digital forensic investigator, Joe used the Investigations Triad methodology to conduct his investigation. The Investigations Triad method involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.

Reference: Caballero, A., & Fidge, S. Network Forensics: SIEM, the Investigations Triad, and SANS Top-20 Vulnerabilities. Retrieved from http://megabyteconcepts.com/Documents/ASC_Network_Forensics.pdf

Vulnerabilities
Vulnerabilities in IT systems are frequently unknown or are not immediately detected. Network forensic tools can help identify vulnerabilities and provide detailed information to the appropriate administrator, whose responsibility it is to fix vulnerabilities.

Intrusion Response
Intrusion response can create a particularly challenging situation for digital forensic investigators. One of the fundamental questions debated in such investigations is whether to shut the network down immediately or observe the intruder's behavior to gather more evidence. The obvious risk of having the intruder on the network for an extended period is that he or she can further damage the network. Conversely, tracking the intruder's actions can help acquire sufficient evidence to pursue a strong legal case.

Investigations
Investigations can revolve around an employee, a small group of employees, and/or outsiders. Most investigations begin with an analysis of all available logs and short interviews of key personnel, followed by the use of commercial or open-source tools to acquire evidence. Finally, the digital forensic investigator examines and analyzes the evidence.
Try This!
Choose all the correct answers.

Question 1: How did the networking group at Birth of the Earth detect the intrusion in their network?
a. They analyzed the network logs.
b. They identified data leakage.
c. They replaced computer hardware.
d. They fixed the CEO's laptop.
Correct Answers: Options a and b
Feedback: Analyzing network logs and identifying data leakage can help identify network intrusions.

Question 2: Select the network(s) that network forensic tools and investigative techniques can be useful with.
a. Local Area Network (LAN)
b. Personal Area Network (PAN)
c. Wireless network
d. Wide Area Network (WAN)
Correct Answers: Options a, b, c, and d
Feedback: Network forensic tools are useful with all types of computer networks.

Question 3: Which term refers to a type of record that should be kept for all business transactions and is often useful to digital forensic investigators?
a. General journal
b. Audit trail
c. Purchase requisition
d. Inventory listing
Correct Answer: Option b
Feedback: Audit trails document the flow of business transactions on a step-by-step basis.

Question 4: What type of process is a network forensic investigation?
a. Proactive
b. Experimental
c. Reactive
d. Educational
Correct Answer: Option c
Feedback: Most network forensic investigations are reactive in nature because they respond to an internal investigation, network intrusion, or criminal investigation.

Question 5: Network forensic tools are used to conduct digital investigations. Select another situation in which network forensic tools can be used.
a. Training users about cybersecurity awareness
b. Diagnosing network performance issues
c. Testing antivirus signatures
d. Evaluating IT personnel performance
Correct Answer: Option b
Feedback: Network forensic tools can be very useful in helping network administrators and engineers diagnose network performance problems.
Topic 5: Botnets
Botnets as a Network Forensic Antagonist

Introduction
Botnets, or robot networks, are one of the most serious and insidious threats facing the computing community today. Since their emergence in the late 1990s, botnet attacks have increased in severity, frequency, scale, scope, and sophistication. With botnets demonstrating robust and advanced capabilities, the lack of standardized and effective investigative procedures for battling them poses huge challenges for forensic engineers.

Bot
A bot is an autonomous application that is often malicious in nature, such as a piece of code that allows an attacker to commandeer a computer without the owner's knowledge. Bots turn the victim's computer into a robot or "zombie" that the attacker can control remotely.

Botnet
A botnet is a collection of computers infected by bots. A botnet is formed by running bot software, which is usually installed via drive-by downloads that exploit Web browser vulnerabilities, ActiveX controls, plug-ins, or any other applications that a computer requires to browse the Internet. Bots can control viruses, worms, Trojan horses, or backdoors under a common command-and-control infrastructure.

Botnet Attacks
Botnet attacks can have serious consequences, such as financial loss, including regulatory noncompliance fines and litigation fees associated with the theft of sensitive second- and third-party data or intellectual property leakage; damage to reputation; and the time and costs associated with preventing, detecting, and resolving attacks of fraud, DDoS, and spam (EdgeWave, 2011).

Reference: EdgeWave. (n.d.). iPrism Technology. ThreatDefender.com. Retrieved from http://www.threatdefender.com/Web-Filter-Technology.asp

How Botnets Work
A bot herder or botmaster controls botnets remotely, usually through Internet Relay Chat (IRC), which is a form of real-time communication over the Internet, or peer-to-peer (P2P) networking communications. Often the command and control takes place via a server known as the command-and-control server (C&C), over a network, or through a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network. A bot typically runs hidden and uses a covert channel standard, such as Instant Messaging (IM), to communicate with its C&C server.

The Botnet Life Cycle
The life cycle of a botnet typically includes four phases: spread, infect, command and control (C&C), and attack.
Spread
In the spread phase, the bots propagate to form many botnets and infect systems through varied means, such as spam and downloads of malicious code. The goal of this phase is to infect a system. The bot herder attempts either to trick the user into installing malicious code or to exploit vulnerabilities in the user's system.

Infect
Once malicious code is installed on a user's computer, the malicious code uses various techniques to infect the system and to hide its presence. These well-established techniques range from polymorphism (the code changes with every new instantiation), to rootkitting (the stealthy installation of malicious software), to actively targeting the protective measures (for example, the antivirus software, the intrusion detection or intrusion protection system [IDS/IPS], and the firewall).

Command and Control
Botnet C&C servers use a number of protocols, such as IRC, P2P, and HTTP, to communicate with and control the bots. Social networking sites are prime targets for botnet C&C servers.

Attack
The final phase of the life cycle, the attack, involves the distribution of spam that is carrying the infection, targeted DDoS, and/or fraudulent activities. When the attack is successful, the size of the botnet can increase exponentially.
Topic 5: Botnets
Types of Botnets

Attackers have different motives for using botnets. The most common incentives, however, are financial gain and destruction.

Fraud
Fraud can take many forms and can be committed through many media, including "snail mail," wire, and telephone. Fraud is also committed over the Internet in various forms. For example, identity theft is one of the fastest-growing crimes on the Internet, and it is commonly initiated by bogus e-mail messages generated and sent by bots via spam. Bots can also harvest personal information through multiple fake Web sites by masquerading as popular auction Web sites, online money-transfer sites, or banks.

Spamming
Bots can send spam through a compromised computer via a generic proxy protocol for TCP/IP-based networking applications. Some bots can also implement a special function to harvest e-mail addresses and other personal information.

Distributed Denial of Service Attacks
Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks on computer systems or networks. A DDoS attack causes a loss of service to users, including the loss of network connectivity and services, by consuming the bandwidth of the victim network or by overloading the computational resources of the victim system.

Sniffing Traffic
Bots can use packet sniffers to watch for and retrieve sensitive clear-text data, such as usernames and passwords, passing by a compromised computer.

Keylogging
Attackers use keylogging to retrieve encrypted sensitive data that sniffers cannot decrypt. By monitoring each keystroke a user types on his or her keyboard, an attacker can obtain a variety of user-specific information.

Spreading New Malicious Code
Because all bots implement mechanisms to download and execute a file via HTTP or FTP, botnets usually spread new bots. They can also spread e-mail viruses, Trojans, worms, and other malicious code.
Topic 5: Botnets
Challenges and Protection

Challenges of Handling Botnets
The expertise of investigators who handle botnets varies from organization to organization. Some organizations use advanced techniques, and others may have insufficient knowledge and tools to handle any type of botnet analysis. These differences reiterate the need for standardization, coordination, and corroboration of competencies among digital investigators and jurisdictions.

The need to improve the speed and quality of botnet investigations requires the development of a systematic approach and investigative toolset to handle botnets. This means that forensic investigators should examine botnets at both the local level and the network level.

Botnets are constantly evolving. For example, they have moved from a centralized C&C structure to a distributed one, thereby increasing the complexity of network- and local-level investigations. The botnet infection and the control mechanism on infected hosts are generally quite similar, straightforward, and stable in nature. Therefore, relevant digital traces from a local machine can be collected to supplement any subsequent network-level investigation (Law, Chow, Lai, & Tse, 2009, p. 162).

Reference: Law, F. Y. W., Chow, K. P., Lai, P. K. Y., & Tse, H. K. S. (2009). A Host-Based Approach to BotNet Investigation? Center for Information Security & Cryptography. Retrieved from http://www.cs.hku.hk/cisc/forensics/papers/09_05.pdf

Polymorphism
Polymorphism is a condition in which bots change with every instantiation so that they always appear to be new.

Rootkitting
Rootkitting is the stealthy installation of software called a rootkit, which is activated each time a user boots up the system. Rootkits are difficult to detect because they are activated before the system's operating system has completely booted.

Periodic Communications
A botnet communicates with its controller only periodically. Therefore, the low volume of communication makes it more difficult to analyze.
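The low-volume, periodic check-in described under Periodic Communications is hard to spot by volume, but its regularity is itself a signal. As an added example (not part of the UMUC module), the Python below runs over constructed flow records of the kind a NetFlow or firewall log would yield, invented addresses included, and scores each (source, destination, port) pair by how evenly spaced and how uniformly sized its connections are: a coefficient of variation near zero on inter-arrival time and on bytes is what a scheduled check-in looks like, while ordinary browsing to the same server is bursty. The thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real data): (epoch seconds, src, dst, dst_port, bytes).
# 10.20.1.40 contacts 203.0.113.9 roughly every 600 s with ~300-byte flows;
# 10.20.1.15 browses 198.51.100.20 in irregular bursts of varying size.
SAMPLE_FLOWS = [
    (1000, "10.20.1.40", "203.0.113.9", 443, 310),
    (1600, "10.20.1.40", "203.0.113.9", 443, 305),
    (2201, "10.20.1.40", "203.0.113.9", 443, 312),
    (2799, "10.20.1.40", "203.0.113.9", 443, 308),
    (3400, "10.20.1.40", "203.0.113.9", 443, 311),
    (4002, "10.20.1.40", "203.0.113.9", 443, 309),
    (1005, "10.20.1.15", "198.51.100.20", 443, 15400),
    (1012, "10.20.1.15", "198.51.100.20", 443, 83200),
    (1900, "10.20.1.15", "198.51.100.20", 443, 2400),
    (4100, "10.20.1.15", "198.51.100.20", 443, 51000),
    (4101, "10.20.1.15", "198.51.100.20", 443, 900),
    (7000, "10.20.1.15", "198.51.100.20", 443, 30000),
]


def beacon_scores(flows, min_flows: int = 5) -> dict:
    """Per (src, dst, port): flow count, mean gap, and coefficient of variation
    of inter-arrival times and of flow sizes. Pairs with too few flows are skipped."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    results = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        gap_cv = pstdev(gaps) / mean(gaps)      # ~0 means evenly spaced
        size_cv = pstdev(sizes) / mean(sizes)   # ~0 means same-sized flows
        results[pair] = {
            "flows": len(recs),
            "mean_gap_s": round(mean(gaps), 1),
            "gap_cv": round(gap_cv, 3),
            "size_cv": round(size_cv, 3),
        }
    return results


def suspected_beacons(flows, gap_cv_max: float = 0.1, size_cv_max: float = 0.2,
                      min_flows: int = 5) -> list:
    """Pairs whose timing and size regularity both fall under the assumed thresholds."""
    return sorted(pair for pair, s in beacon_scores(flows, min_flows).items()
                  if s["gap_cv"] <= gap_cv_max and s["size_cv"] <= size_cv_max)


if __name__ == "__main__":
    for pair, s in beacon_scores(SAMPLE_FLOWS).items():
        print(pair, s)
    print("suspected:", suspected_beacons(SAMPLE_FLOWS))
```

A hit from this scoring is a lead for the host-level collection the Law et al. reference recommends, not a verdict on its own: legitimate software updaters and monitoring agents beacon too, so the flagged destination is checked against known-good services before the host is pulled for examination.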
Retaliatory Denial of Service
Live investigations involving retaliatory DoS attacks can cause botmasters to expand their attack and cause even more damage. Retaliatory DoS attacks are risky and generally should be avoided unless the digital forensic examiners feel there is value in pursuing them.

Distributed Denial of Service
A botnet can cause packet flooding from numerous external IP addresses against an organization's network. Packet flooding can exceed a server's capacity and overwhelm or crash the system.
UMUC Cybercrime Investigation and Digital Forensics
CSEC650
© UMUC 2011 Page 18 of 29
Fast Flux
Botnets use a Domain Name Server (DNS) technique called fast flux to hide phishing and malicious code delivery sites behind an ever-changing network of compromised hosts acting as proxies. Fast flux makes bot networks more resistant to discovery and countermeasures through a combination of peer-to-peer networking, distributed command and control, Web-based load balancing, and proxy redirection.
Encrypted Channels and Code
The use of code-hardening techniques increases complexity for reverse engineering. Code obfuscation, encryption, and encoding further hide the true nature of the malicious code.
Botnet Protection
The most common approach to protecting networks against botnets is to use several firewalls and a layered security approach. Such protection may include full-fledged security systems covering all levels of the network, from individual computers to the servers, LANs, and external connectivity to the Web.
Other methods to protect networks include installing intrusion detection systems and protection at the gateway to e-mail servers, and disabling unused ports used by FTP applications and IRC, which are the applications most commonly used to communicate with the bot herder. Isolating infected computers from the network immediately after an attack is detected, and educating users via training and security awareness, are also protection mechanisms.
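The periodic, low-volume controller check-ins described under Periodic Communications are exactly what an intrusion detection system at the gateway can look for. The following Python script is an added example, not code from the UMUC module: it parses a handful of constructed connection-log records (timestamp, source, destination, destination port, bytes), groups them by source/destination/port, and flags pairs whose connection intervals are nearly constant, which is the signature of a bot beaconing to its controller. The log format, the host addresses, the use of the IRC port 6667 as a hint and the jitter threshold are all assumptions made for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection-log records (not from the module): one connection per line,
# formatted as "<ISO timestamp> <src ip> <dst ip> <dst port> <bytes>".
# 10.0.0.5 checks in with the same external host every ~5 minutes on the IRC
# port (6667); 10.0.0.9 is ordinary, irregular web browsing.
SAMPLE_LOG = """\
2011-03-01T10:00:00 10.0.0.5 198.51.100.7 6667 120
2011-03-01T10:01:13 10.0.0.9 203.0.113.20 80 5400
2011-03-01T10:02:47 10.0.0.9 203.0.113.20 80 12000
2011-03-01T10:05:01 10.0.0.5 198.51.100.7 6667 118
2011-03-01T10:09:05 10.0.0.9 203.0.113.20 80 3300
2011-03-01T10:10:00 10.0.0.5 198.51.100.7 6667 121
2011-03-01T10:14:59 10.0.0.5 198.51.100.7 6667 119
2011-03-01T10:20:00 10.0.0.5 198.51.100.7 6667 120
2011-03-01T10:30:41 10.0.0.9 203.0.113.20 80 9800
"""

# Ports the module names as the usual bot-herder channels (assumed well-known values).
SUSPECT_PORTS = {6667: "IRC", 21: "FTP"}


def parse_log(text):
    """Turn the raw log text into (timestamp, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def find_beacons(records, min_connections=4, max_jitter=0.10):
    """Flag (src, dst, port) pairs whose inter-connection gaps are nearly constant.

    The coefficient of variation of the gaps (std / mean) is close to 0 for a
    timer-driven check-in and large for human-driven traffic. Returns a list of
    (src, dst, port, mean_gap_seconds, service_hint) tuples.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_pair[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons.append((src, dst, port, round(mean_gap, 1), SUSPECT_PORTS.get(port, "other")))
    return beacons


if __name__ == "__main__":
    for src, dst, port, gap, hint in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {src} -> {dst}:{port} ({hint}) every {gap}s; isolate and inspect")
```

A flagged pair is a candidate for the isolation step described above and for deeper inspection, not proof of infection: scheduled legitimate jobs (time synchronization, update checks) also beacon, so the destination and port should be cross-checked before a host is pulled off the network.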
Topic 5: Botnets
Activity: Annihilating the Internet
It's time to end the electronic age and save the world from its wired and impersonal existence. Let's cut some wires, spread infection, and herald destruction—but in good faith. You are the chosen one! You are hereby crowned Botmaster.
Phase I: Organizing Your Botnet Technology
You are now Botmaster, and it is your responsibility to begin annihilating the Internet! You have a budget of $1,500 to fund your dastardly deeds. Your first step will be to establish a command-and-control structure, which will allow you to gain the largest amount of information possible. As everyone knows, information is money!
Get started!
Welcome to the malware factory!
Carry out all necessary steps to acquire the tools you will need in your toolbox.
Step 1: Select the malware you want to create for annihilation. Keep in mind your budget and your goal of producing an appropriate impact!
a. Virus: $100 Low Impact
b. Worm: $250 Low Impact
c. Trojan Horse: $400 Low Impact
d. Rootkit: $750 High Impact
Step 2: Select the distribution mechanism for your malware.
a. Through a rogue distribution of a popular software program: $200
b. Via a downloadable game: $250
c. Through a Web browser: $175
d. As an e-mail attachment: $125
Step 3: How about customizing your malware to make it unique? Select a tool from the options below.
a. Code Monster: $200
The Code Monster will allow you to develop and customize your malware code. You can choose to combine your malware with existing programs to develop superlatively malicious software.
b. Web Map: $250
Use the Web Map to keep track of your work. You can configure the Web Map to notify you when your malware infects new computers, to track the activities of other hackers, and to identify new targets to attack. Your targets can include private- and public-sector computers and Web sites. The Web Map comes equipped with various resources, such as the results of passive scans of networks.
c. Malware-Gro Toolkit: $275
Use the Malware-Gro Toolkit to determine the size of your botnet. You can even begin small and then grow, depending on your interest and the amount of damage and chaos you want to create. The Malware-Gro Toolkit has built-in tools to destroy huge sections of cyberspace.
Step 4: Time to create the program to launch the attack!
Phase II: Selecting Your Victim
You have created your malware. Now it's time to select your first victim! Read the victims' profiles and the chat transcripts below. Then select a victim to launch the attack.
Zombie 1: Rob Flower
Rob is an elderly man who lives in a retirement community. He uses the Internet to communicate with his children, who live abroad.
Zombie 2: Gareth Owen
Gareth is a young IT professional. He has recently been hired as a software developer.
Zombie 3: Martha Booth
Martha teaches at a university in the United Kingdom. She teaches economics and uses the Internet to keep up with current economic news and developments.
Zombie 4: Michael Thomas
Michael is a college student. He uses the Internet to stay connected with his friends and to learn about new technology. An avid blogger, he usually blogs about music, travel, and changing technological trends.
A transcript of the chat between the Botmaster and Martha/Gareth is below.
Botmaster: Hello! I am Botham. I work as a travel agent. Are you interested in traveling to exotic destinations?
Martha/Gareth: I do not talk to strangers, Botham. I hope you don't mind.
A transcript of the chat between the Botmaster and Rob/Michael is below.
Botmaster: Hello! I am Botham. I work for a travel agent. Are you interested in traveling to exotic locations?
Rob/Michael: Yes, I am.
Botmaster: Great! I love traveling too, and was hoping to meet people on the Internet who share my interests.
Rob/Michael: Hmm.
Botmaster: So…do you travel budget or luxury?
Rob/Michael: Budget. I'd love to go on a luxury vacation.
Botmaster: In that case, here's a trade secret! You must check out this Website we use. It has special weekly offers on five-star resorts.
Rob/Michael: Really? Can you send me the link?
Botmaster: Sure. Here it is: www.travelabroad.com. I know you will enjoy it. I use it all the time.
Rob/Michael: Thank you for your suggestion. Nice to meet you in cyberspace!
Botmaster: You too. I hope your next trip is really fun.
Feedback if you selected Rob or Michael as your victim:
Congratulations! You have infected the victim's computer with your malware.
Feedback if you selected Gareth or Martha as your victim:
Operation failed! The chat transcript indicates that this person will not be an ideal victim. Select another victim.
Phase III: Retaliation by the Infected Zombie
You will now step into the shoes of the victim. Look at the incident from the victim's perspective.
The victim's train of thought is reproduced below.
Victim: I cannot believe it. I have all kinds of unauthorized charges on my credit cards, and someone has dipped into my checking account, too.
Victim: Could I have been the victim of a botnet attack? I remember reading about how victims of botnet attacks lose their personal identity and financial security.
Victim: I'm sure I didn't share my bank or credit card details with anyone.
Victim: Hmm … the withdrawals from my account began a couple of days after I visited that travel Website.
Victim: The site was really useful, and I booked my next vacation almost for free. However, they say there's no such thing as a free lunch. Is it possible my computer is infected with some type of malware?
Victim: I'm angry at myself for not being more careful. I never thought I was a gullible person, but I'm going to have to be more careful.
Victim: I would love to track that person down while I try to clean up this mess I've gotten myself into. I'd better start by educating myself before I do any more chatting online!
Learn More
Test your knowledge of botnets by answering the following questions.
Question 1: Select the best methods to protect a system from botnet attacks.
a. Disable unused ports.
b. Establish several firewall layers.
c. Install an intrusion detection system.
Correct Answers: Options a, b, and c
Feedback: All of these methods help protect your computer system from botnet attacks.
Question 2: The botnet life cycle involves four key steps. Select the steps in correct order of occurrence.
a. Command and control, spread, attack, and infect
b. Attack, spread, infect, and command and control
c. Spread, infect, command and control, and attack
d. Infect, command and control, spread, and attack
Correct Answer: Option c
Feedback: The proper sequence of steps in the botnet life cycle is: spread, infect, command and control, and attack.
Question 3: Which of the following malicious goals can botnets accomplish?
a. Spamming
b. Fraud
c. Antivirus protection
d. DDoS attacks
Correct Answers: Options a, b, and d
Feedback: Spamming, fraud, and DDoS attacks are common malicious goals of botnets.
Question 4: What challenges do digital forensic investigators face in detecting botnets?
a. Polymorphism
b. Fast flux
c. Covert channel communications
d. Rootkitting
Correct Answers: Options a, b, c, and d
Feedback: Polymorphism, fast flux, covert channel communication, and rootkitting are all challenges for digital forensic investigators in detecting botnets.
Question 5: What are common terms for the individual who controls a botnet?
a. Network engineer
b. Botmaster
c. Bot herder
d. Script kiddie
Correct Answers: Options b and c
Feedback: Botmaster and bot herder are the most common terms for a person who controls a botnet.
Question 6: Select a tool that one can use to track down a botmaster.
a. Traceroute
b. Wireshark
c. Pingplotter
d. Whatsup
Correct Answers: Options a, b, c, and d
Feedback: All of these tools provide the ability to trace traffic from one's computer back to the sending computer.
Topic 6: Performing Live Acquisitions
Performing Live Acquisitions of Data
Network forensic projects involving live acquisition of data are widespread. Conducting a live acquisition of data is helpful in large companies, where taking a network offline to collect forensic information can have an enormous impact on the company's production. It is important, then, that cybersecurity professionals understand the precautions needed to perform a live acquisition of network data.
Coordination
It is essential to coordinate the authorization and acquisition approach with the organization's network engineering group. This will minimize the potential adverse effects of working with live data, such as data corruption and system crashes. Coordination with other IT professionals is essential with any digital investigation, and even more so with live acquisition because the risks involved are exponentially higher than with other forensic procedures like deadbox analysis or reviewing a smartphone for forensic information.
Timing
Timing is another crucial aspect of acquiring live network data. Event logs, e-mail messages, and data files are the most important forensic information needed in an investigation. It is essential to ensure that all legal procedures and precautions are taken to use the data. Permissions can be obtained from internal legal counsel and law enforcement officials.
Topic 6: Performing Live Acquisitions
Techniques to Improve Live Acquisitions of Data
Digital forensic researchers have identified several methods to improve the live acquisition of network data. Judy conducts a presentation to teach her team members techniques for improving the live acquisition of data.
Recommendation 1: Position the collector as close as possible to the source of information.
The physical and the logical distance of the source of information must be considered. The collector should be as close as possible to the evidence source, both physically and logically. Proximity helps minimize latency and the potential loss of evidence, and it supports the authenticity of the evidence.
Recommendation 2: Perform write blocking of the evidence.
Perform write blocking of data to maintain the integrity of the evidence. Write blocking can be done with one-way Ethernet cables or by using a read-only FTP client device. In addition, write blocking should be performed in front of a witness, and both the procedures and the results should be documented. The documented data will serve as verification of the data's integrity.
Recommendation 3: Define workable boundaries to collect relevant data.
Define workable boundaries so that the investigator collects relevant data. Due to the nature of high-speed networks, data travels faster than it can be fully captured in a live environment. Coordinating with an organization's IT staff to develop filters and other technical controls is helpful.
Recommendation 4: Ensure that documentation requirements are met.
Nickell (2006) makes seven specific recommendations for documentation:
1. Diligence on the forensic investigator's part
2. Adherence to accepted methods and procedures
3. Precise data showing what was collected or, in some cases, not collected
4. Start and end timestamps
5. Additional technical information, such as lower-level protocol information or headers
6. Notation of any errors or lost or corrupted data
7. Other meta information, such as the investigator's name, case ID, and case/evidence descriptions
Reference: Nickell, B. (2006). "Improving Evidence Acquisition from Network Sources," Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 3, No. 2.
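One way to satisfy Recommendations 2 and 4 together is to produce, at the end of every capture, a machine-readable acquisition record that carries the start and end timestamps, the capture filter that was applied (so the record states what was and was not collected), the investigator, the witness, the case ID and evidence description, any errors, and a cryptographic hash of the captured bytes so that their integrity can be re-verified later. The Python below is an added example, not part of Nickell's paper or of the UMUC module; the capture bytes, the investigator and witness names, the case ID, the collector location and the filter string are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a captured pcap file: the first four bytes mimic a
# pcap magic number, the rest is arbitrary filler (not real evidence).
SAMPLE_CAPTURE = b"\xd4\xc3\xb2\xa1" + b"constructed capture payload " * 8


def sha256_hex(data: bytes) -> str:
    """Hash the captured bytes so their integrity can be re-checked later."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(capture: bytes, *, investigator: str, witness: str, case_id: str,
                   description: str, collector_location: str, capture_filter: str,
                   start: datetime, end: datetime, errors=()) -> dict:
    """Assemble the documentation record for one live acquisition.

    The fields follow the seven documentation recommendations listed above:
    who collected, by what method and filter (what was and was not collected),
    start/end timestamps, errors or lost data, and case metadata.
    """
    if end < start:
        raise ValueError("end timestamp precedes start timestamp")
    return {
        "case_id": case_id,
        "investigator": investigator,
        "witness": witness,                        # write blocking done in front of a witness
        "evidence_description": description,
        "collector_location": collector_location,  # physical/logical position of the collector
        "capture_filter": capture_filter,          # states what was (and was not) collected
        "method": "read-only capture interface (write-blocked)",
        "start_utc": start.astimezone(timezone.utc).isoformat(),
        "end_utc": end.astimezone(timezone.utc).isoformat(),
        "bytes_collected": len(capture),
        "sha256": sha256_hex(capture),
        "errors": list(errors),                    # lost or corrupted data is noted, never hidden
    }


def verify_manifest(capture: bytes, manifest: dict) -> bool:
    """Return True only if the capture still matches the recorded size and hash."""
    return (len(capture) == manifest["bytes_collected"]
            and sha256_hex(capture) == manifest["sha256"])


def manifest_json(manifest: dict) -> str:
    """Serialize with sorted keys so the record itself can be hashed or signed."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def example_manifest() -> dict:
    """Build a manifest for the constructed sample capture (all metadata is placeholder)."""
    start = datetime(2011, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    end = datetime(2011, 3, 1, 10, 30, 0, tzinfo=timezone.utc)
    return build_manifest(
        SAMPLE_CAPTURE,
        investigator="J. Doe (placeholder)",
        witness="A. Roe (placeholder)",
        case_id="CASE-0000 (placeholder)",
        description="Mirror-port capture of the segment holding the suspect host (placeholder)",
        collector_location="mirror port on the switch nearest the source host (placeholder)",
        capture_filter="host 10.0.0.5 and not port 22",
        start=start, end=end,
        errors=["2 packets reported dropped by the capture interface (constructed)"],
    )


if __name__ == "__main__":
    record = example_manifest()
    print(manifest_json(record))
    print("integrity verified:", verify_manifest(SAMPLE_CAPTURE, record))
```

The record is written once at the end of the acquisition and stored beside the capture; anyone who later re-hashes the capture and compares it with the manifest can confirm that the evidence was not altered after collection, which is the verification Recommendation 2 asks the documentation to provide.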
Topic 7: Intrusion Detection and Monitoring
Relevance to Network Forensics
A very important and challenging aspect of forensic investigations involves intrusion detection. It is important to determine when to monitor a network, and how much monitoring to do, before taking aggressive action in a digital forensic investigation. There are no steadfast rules about how to monitor a network intrusion and when to bring down your network to stop the intrusion from penetrating deeper into your network.
One of the core challenges forensic investigators face is balancing the need to have sufficient evidence against the intruder with the need to stop the intrusion. The more evidence you gather, the stronger your legal case will be. On the other hand, the longer you allow the intruder access to your network in order to gather evidence, the higher the risks to your network. With practical experience comes greater knowledge in dealing with these important considerations.
Popular commercial tools like Ethereal, NetIntercept, and others act as aids to the forensic investigation.
Topic 8: Summary
We have come to the end of Module 7. The key concepts covered in this module are listed below.
Network forensics is useful in capturing an attack fingerprint, performing post-attack analysis for security exploits, and analyzing historical network traffic.
Network forensics can help monitor user activity, identify the source of data leaks, analyze business transactions, and identify the source of intermittent network performance issues.
Log files are an important source of network data because they contain information about devices, Internet activities, services, and the active state of network data that can be valuable network forensic information.
The Investigations Triad methodology is an investigative technique that involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.
A bot is an autonomous application that is often malicious. A computer attacked by a bot is known as a robot or a zombie. A collection of computers infected by bots is known as a botnet.
The life cycle of a botnet typically includes four phases: spread, infection, command and control (C&C), and attack.
Some challenges encountered while dealing with botnets include polymorphism, rootkitting, periodic communications, retaliation, denial of service, distributed denial of service, fast flux, and encrypted channels and code.
The most common methods of protecting networks against botnets are using several firewalls and a layered security approach, installing intrusion detection systems and protection at the gateway to e-mail servers, disabling unused ports, and isolating infected computers.
Conducting a live acquisition of data is helpful in collecting forensic information. It should be done in coordination with the organization's IT department.
Glossary
Audit Log: An audit log is a list of all system-based activities, including the user ID, time of activity, workstation ID, and other information.
Audit Trail: An audit trail is the ability to trace system activities to their original source of input, entry, transfer, or termination on the system.
Backdoor: A backdoor is a remote access point for software; it allows remote connectivity. Though originally intended for debugging purposes, backdoors are currently used for remote command-and-control actions.
Bot: A bot is a computer program that is used to rapidly carry out a large number of automated and repetitive tasks on the Internet, usually in a cybersecurity attack.
Bot herder: A bot herder, also known as a botmaster, controls botnets remotely and tricks a victim into installing malicious code on a computer.
Botnets: A botnet is a group of robots, or compromised computers, running automatically. Often, the victims whose computers are part of the botnet are unaware of the invasion.
Command-and-Control: A command-and-control system provides for command and control of system components, such as other computers.
Deadbox Forensics: Deadbox forensics is an expression that refers to forensic analysis of laptops and PCs that are not actively connected to a live network.
Denial of Service: Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks use "zombie" servers to flood a target site with large volumes of traffic. This flood of traffic consumes all of the target site's network or system resources and denies access to legitimate users.
Distributed Denial of Service: In a distributed denial of service attack (DDoS attack), a computer's resources are made unavailable to its user when several compromised systems flood it with useless data.
Fast Flux: Fast flux is a Domain Name Server (DNS) technique used to hide phishing and malicious code delivery sites behind compromised hosts that act as proxies.
File System Forensics: File system forensics is the forensic analysis of an individual computer's file system and operating system components.
FTP: File Transfer Protocol (FTP) is an application protocol that uses the TCP/IP protocol (or the Internet) to transfer files between computers.
HTTP: Hypertext Transfer Protocol (HTTP) transmits Web pages to clients.
Internet Relay Chat: Internet Relay Chat (IRC) is a form of communicating over the Internet using private messages, chats, or group discussions.
Intrusion Response: Intrusion response is the response by an individual cyberforensic investigator or incident response team to a network-based intrusion.
Investigations Triad Method: The Investigations Triad method involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.
Network Forensics: Network forensics is a forensic process involving multiple devices on a computer network.
Personal Area Networks: A Personal Area Network (PAN) enables communication between computers, TVs, MP3 players, personal digital assistants (PDAs), and smartphones that are within a few feet of each other.
Pingplotter: Pingplotter allows the user to trace the path of packets across the Internet.
Polymorphism: Polymorphism is a condition in which bots change with every instantiation, so they always appear to be new.
Rogue Network Forensics: Rogue network forensics is used to describe the practice of using network forensic techniques to perform malicious activities.
Rootkitting: Rootkitting is the stealthy installation of software called a rootkit, which is activated each time a user boots up a system.
Small-Scale Digital Devices: Small-scale digital devices are devices that are analogous to embedded systems.
Structured Query Language: Structured Query Language (SQL) is a data-manipulation language that is the de facto standard used to manage actual data in relational database management systems.
Telnet: Telnet enables remote use and supervision of systems. Network administrators monitor and control systems remotely using Telnet.
Traceroute: Traceroute traces the path of packets across an IP network. An intruder uses traceroute to map routers for known destinations around the targeted system.
Whatsup: Whatsup is network-monitoring software.
Wireshark: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Write Blocking: Write blocking is a forensic technique used to avoid altering the state of the source computer, in order to create a forensically sound image of that computer.
Zombie: A zombie is a computer that is remotely controlled by a bot herder or botmaster in a botnet.

Briefly define, listcontrast, identify the significance of, or .docx
Briefly define, listcontrast, identify the significance of, or .docxBriefly define, listcontrast, identify the significance of, or .docx
Briefly define, listcontrast, identify the significance of, or .docxjackiewalcutt
 

More from jackiewalcutt (20)

briefly summarize how the Electoral College works. Explain some of t.docx
briefly summarize how the Electoral College works. Explain some of t.docxbriefly summarize how the Electoral College works. Explain some of t.docx
briefly summarize how the Electoral College works. Explain some of t.docx
 
Briefly summarize and analyze two primary sources, identifying their.docx
Briefly summarize and analyze two primary sources, identifying their.docxBriefly summarize and analyze two primary sources, identifying their.docx
Briefly summarize and analyze two primary sources, identifying their.docx
 
Briefly respond to the following questions. Use facts and examples t.docx
Briefly respond to the following questions. Use facts and examples t.docxBriefly respond to the following questions. Use facts and examples t.docx
Briefly respond to the following questions. Use facts and examples t.docx
 
Briefly in your own words describe the distinction between explicit .docx
Briefly in your own words describe the distinction between explicit .docxBriefly in your own words describe the distinction between explicit .docx
Briefly in your own words describe the distinction between explicit .docx
 
Briefly explain   Victoria Australia Covid19 update and impact.docx
Briefly explain   Victoria Australia Covid19 update and impact.docxBriefly explain   Victoria Australia Covid19 update and impact.docx
Briefly explain   Victoria Australia Covid19 update and impact.docx
 
Briefly introduce the détente policies of the early 1970s, and des.docx
Briefly introduce the détente policies of the early 1970s, and des.docxBriefly introduce the détente policies of the early 1970s, and des.docx
Briefly introduce the détente policies of the early 1970s, and des.docx
 
Briefly explain the role of information systems in an organization.docx
Briefly explain the role of information systems in an organization.docxBriefly explain the role of information systems in an organization.docx
Briefly explain the role of information systems in an organization.docx
 
briefly describe, in 2-3 pages, the problemissue and the proble.docx
briefly describe, in 2-3 pages, the problemissue and the proble.docxbriefly describe, in 2-3 pages, the problemissue and the proble.docx
briefly describe, in 2-3 pages, the problemissue and the proble.docx
 
Briefly explain the mission of the OSH Act. What is the rationale be.docx
Briefly explain the mission of the OSH Act. What is the rationale be.docxBriefly explain the mission of the OSH Act. What is the rationale be.docx
Briefly explain the mission of the OSH Act. What is the rationale be.docx
 
Briefly discuss the various organizational approaches to managing .docx
Briefly discuss the various organizational approaches to managing .docxBriefly discuss the various organizational approaches to managing .docx
Briefly discuss the various organizational approaches to managing .docx
 
Briefly explain the identified security issues during Risk Assessmen.docx
Briefly explain the identified security issues during Risk Assessmen.docxBriefly explain the identified security issues during Risk Assessmen.docx
Briefly explain the identified security issues during Risk Assessmen.docx
 
Briefly discuss some KSAs for Fighting Cybercrime and submit in a wo.docx
Briefly discuss some KSAs for Fighting Cybercrime and submit in a wo.docxBriefly discuss some KSAs for Fighting Cybercrime and submit in a wo.docx
Briefly discuss some KSAs for Fighting Cybercrime and submit in a wo.docx
 
Briefly describe what a monopoly is and give an example using the ch.docx
Briefly describe what a monopoly is and give an example using the ch.docxBriefly describe what a monopoly is and give an example using the ch.docx
Briefly describe what a monopoly is and give an example using the ch.docx
 
Briefly describe the spread of industry throughout Europe and into.docx
Briefly describe the spread of industry throughout Europe and into.docxBriefly describe the spread of industry throughout Europe and into.docx
Briefly describe the spread of industry throughout Europe and into.docx
 
Briefly describe the path of food through the digestive system and e.docx
Briefly describe the path of food through the digestive system and e.docxBriefly describe the path of food through the digestive system and e.docx
Briefly describe the path of food through the digestive system and e.docx
 
Briefly describe the different parenting styles discussed in this we.docx
Briefly describe the different parenting styles discussed in this we.docxBriefly describe the different parenting styles discussed in this we.docx
Briefly describe the different parenting styles discussed in this we.docx
 
Briefly describe how the BIOS boots or starts the computer and.docx
Briefly describe how the BIOS boots or starts the computer and.docxBriefly describe how the BIOS boots or starts the computer and.docx
Briefly describe how the BIOS boots or starts the computer and.docx
 
Briefly describe how to deploy a Continuous Improvement effort.W.docx
Briefly describe how to deploy a Continuous Improvement effort.W.docxBriefly describe how to deploy a Continuous Improvement effort.W.docx
Briefly describe how to deploy a Continuous Improvement effort.W.docx
 
briefly define democracy and evaluate in detail THREE of.docx
briefly define democracy and evaluate in detail THREE of.docxbriefly define democracy and evaluate in detail THREE of.docx
briefly define democracy and evaluate in detail THREE of.docx
 
Briefly define, listcontrast, identify the significance of, or .docx
Briefly define, listcontrast, identify the significance of, or .docxBriefly define, listcontrast, identify the significance of, or .docx
Briefly define, listcontrast, identify the significance of, or .docx
 

Recently uploaded

Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 

Recently uploaded (20)

Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 

1. What are two items to consider when creating a malware analysis.docx

  • 3. Description Rubric Detail View Associated Items https://learn.vccs.edu/webapps/blackboard/execute/manageRubri cs?dispatch=view&context=course&rubricId=_6365_1&course_i d=_297188_1# https://learn.vccs.edu/webapps/blackboard/execute/manageRubri cs?dispatch=view&context=course&rubricId=_6365_1&course_i d=_297188_1# javascript:associationListToggle(%20); UMUC Cybercrime Investigation and Digital Forensics CSEC650 © UMUC 2011 Page 1 of 29 Contents Topic 1: Scenario ............................................................................................... .............................. 2 Scenario: Network Investigation at NAI ....................................................................................... 2 Topic 2: Module Introduction ............................................................................................... ............ 4 Topic 3: Network Forensics: An Overview ...................................................................................... 5
  • 4. What is Network Forensics? ............................................................................................... ......... 5 Why We Need Network Forensics ............................................................................................... 6 Topic 4: Challenges in Network Forensics ...................................................................................... 8 The Complexities of Network Forensics ...................................................................................... 8 The Key to Network Forensic Investigations ............................................................................... 9 Case Study: Birth of the Earth ............................................................................................... .... 11 Topic 5: Botnets ............................................................................................... .............................. 14 Botnets as a Network Forensic Antagonist ................................................................................ 14 Types of Botnets ............................................................................................... ......................... 16 Challenges and Protection ............................................................................................... .......... 17 Activity: Annihilating the Internet ............................................................................................... . 19 Topic 6: Performing Live Acquisitions ........................................................................................... 24 Performing Live Acquisitions of Data
  • 5. ......................................................................................... 24 Techniques to Improve Live Acquisitions of Data ...................................................................... 25 Topic 7: Intrusion Detection and Monitoring .................................................................................. 26 Relevance to Network Forensics ............................................................................................... 26 Topic 8: Summary................................................................................. ......................................... 27 Glossary ............................................................................................... .......................................... 28 UMUC Cybercrime Investigation and Digital Forensics CSEC650 © UMUC 2011 Page 2 of 29 Topic 1: Scenario Scenario: Network Investigation at NAI Network Forensics CSEC650—Module 7 Network Investigation at NAI
  • 6. Steve Freeman, a senior network engineer at National Aerospace Industries (NAI), notices some unusual activity on the company's Wide Area Network (WAN). Steve knows that network forensics can help solve cases of data leakage and network intrusions by performing an in-depth and accurate analysis of the network. He asks a network forensic investigator to conduct a forensic investigation on the company's network. Steve is hoping that the network forensic investigator can help determine the cause of the unusual activity. Scenario Scene 1 Steve Freeman is the senior network engineer at NAI. He notices unusual activity on NAI's WAN, which serves about 1,200 users. Scene 2 Steve: Our company's network-management system has set off an alarm. There have been repeated unsuccessful log-ins, and they're all from Chief Financial Officer David Thompson's account. Steve: I wonder if the simultaneous occurrence of the unusual activity on the WAN and this alarm is a coincidence. I'd better review the alarm. Scene 3 Steve: There have been 24 attempted log-ins within a five-hour period, from 1 a.m. to 6
  • 7. a.m. on July 2. Steve: This could be a serious security incident. I'll run this by Judy Maines, our chief forensic investigator. Scene 4 A transcript of the conversation between Steve and Judy is reproduced below. Steve: Hi, Judy. Do you have a moment? Judy: Sure, Steve. Steve: I noticed some unusual activity on our WAN. There were 24 unsuccessful attempts to log in to the CFO's account. I found this suspicious, so I'm hoping you can look into the matter. Judy: It definitely sounds suspicious to me. I'll take a look. UMUC Cybercrime Investigation and Digital Forensics CSEC650 © UMUC 2011 Page 3 of 29 Judy: Before I do that, I'll see if I can arrange a conference call with Mr. Thompson. Steve: Good idea. Let me know what happens.
  • 8. Scene 5 Judy contacts Mr. Thompson's secretary, who tells her that Mr. Thompson is in Florida on a family vacation. Given the potentially serious nature of this situation, Judy contacts him on his cell phone. Scene 6 A transcript of the conversation between Judy and Mr. Thompson is reproduced below. Judy: Hello, Mr. Thompson. I'm sorry to call while you're on vacation. There were several unsuccessful log-in attempts from your account. Have you had any log-in issues? Mr. Thompson: No, I haven't logged in to my account for a week. What do you plan to do now? Judy: We're looking into it. I'll let you know what we find. Scene 7 Judy: I'm really concerned now. Is a hacker trying to get into the network? Could the hacker already be inside, or is this just a glitch? Scene 8 Judy: I'm going to conduct a rigorous network forensic review. I'd also better get our incident response team involved.
  • 9. UMUC Cybercrime Investigation and Digital Forensics CSEC650 © UMUC 2011 Page 4 of 29 Topic 2: Module Introduction Network forensics is much more complicated than deadbox or file system forensics because large networks have multiple entry and exit points. Conducting a forensic investigation on a network is more difficult than analyzing a single computer because of the complexities of network architectures. This module focuses on network forensics, its associated concepts, and the challenges related to network forensics. The first topic is a general overview of network forensics, including the main approaches to it and the considerations a forensic examiner must take into account. The second topic explores a series of challenges that are intrinsic to the special aspects of network forensics. The third topic presents the analysis of a major threat to network forensic analysis—botnet technology.
  • 10. The fourth topic deals with the issues related to planning and completing a live acquisition of network forensic captures. The final topic covers important aspects of how to use network logs to support a forensic investigation. The module concludes with a presentation of the important aspects of network intrusion detection and monitoring. UMUC Cybercrime Investigation and Digital Forensics CSEC650 © UMUC 2011 Page 5 of 29 Topic 3: Network Forensics: An Overview What is Network Forensics? The original purpose of the Internet was to share and disseminate information among physically separated parties by interconnecting networks. The early forms of networks required hardwired cabling and Network Interface Cards (NICs). Today, networks range from very small Personal Area Networks (PANs) to the vast Internet, and each network level uses various protocols to ensure a smooth and secure flow of information. With various protocols available for use at the network level, it is important to have a solid understanding of how networks operate before moving on to forensics.
  • 11. Most networks use TCP/IP to transmit and receive data from the Internet in a commonly structured format. In order to transmit data, whole files are broken down into multiple small data packets with source and destination addresses. As with an envelope being delivered from one destination to another, a number of technological processes and human actions exist to ensure accurate, timely, and secure delivery. In computer networks, routers perform the main phases of delivering data to client devices. Network forensics, therefore, involves acquiring/capturing, preserving, and analyzing relatively large amounts of data. Ideally, a highly competent digital forensic examiner will have an in-depth knowledge of the routers' performance, as well as security vulnerabilities and sources of evidence. UMUC Cybercrime Investigation and Digital Forensics CSEC650 © UMUC 2011 Page 6 of 29 Topic 3: Network Forensics: An Overview Why We Need Network Forensics
  • 12. The Need for Network Forensics An important question to ask about network forensics concerns its value to an organization. Network forensics is useful in capturing an attack fingerprint and performing post attack analysis for security exploits. Using network forensics, a forensic examiner can analyze historical network traffic. Such analyses help examiners investigate security attacks. Network forensics helps to reconstruct the sequence of events that occurred during the breach to get the complete picture. Cybersecurity attacks have become common these days. A Distributed Denial of Service (DDoS) attack on Bitbucket.org—a Web-based code-hosting service that relies on Amazon's Elastic Compute Cloud (EC2)1—and a DDoS attack on Facebook and Twitter in August 2011 are headline examples (WildPackets, n.d., p. 3). In addition, IT professionals commonly use network forensics to do these things (WildPackets, p. 3): Enhance network performance. Improve the organization's intrusion-detection technologies. Identify any rogue devices that reside on the network. Prevent computer malware and network hacks. Reference: "WildPackets." Network Forensics 101: Finding the Needle in the Haystack. Retrieved from
  • 13. https://mypeek.wildpackets.com/elements/whitepapers/Network _forensics101.pdf The Benefits of Network Forensics Monitoring User Activity Monitoring user activity is an important aspect of workplace productivity as well as cybersecurity. For instance, social networking sites are known to create a significant decrease in worker productivity. As a result, many organizations have implemented policies that prohibit or minimize such activities (WildPackets, p. 3). In addition, organizations have policies prohibiting non-work- related activities—such as online gaming and movie watching—that use network resources. Finally, rogue network forensics can monitor these types of activities and provide management with the evidence required to take disciplinary action against employees who violate an organization's policies (WildPackets, p. 4). Reference: "WildPackets." Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network _forensics101.pdf Identifying the Source of Data Leaks Network monitoring helps to supervise the flow of data and to
detect data leaks. If a data leak occurs in a monitored network, network monitoring can reveal vital information, such as what and how much data has been leaked (WildPackets, p. 4). In addition, a digital forensic investigator can identify the root of the problem, determine whether the leak was intentional or accidental, and trace who or what caused the leak. It is important to secure data because the tangible and intangible costs of a data leak can run into millions of dollars.

UMUC Cybercrime Investigation and Digital Forensics CSEC650 © UMUC 2011 Page 7 of 29

Reference: WildPackets. Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf

Analyzing Business Transactions

Audit trails are an extremely useful source of network forensic information. This is true for all key business transactions and is even more important for systems and protocols that transmit data in plain text, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, and Structured Query Language (SQL) (WildPackets, p. 4). Network administrators own the audit logs, so they are accountable for maintaining and archiving them; some of these logs may be initiated by the organization's customers. If there are problems with certain business transactions, network forensic techniques can often be used to resolve them.

Identifying the Source of Intermittent Network Performance Issues

A practical application of network forensics is the identification of network performance issues in an organization's LAN or WAN through retrospective analysis. Network forensic tools are more scientific and reliable than traditional troubleshooting tools, and a timeline analysis can provide the information required to plot and analyze all detailed and significant network events (WildPackets, p. 4). Through network forensics, a forensic investigator can answer questions about how the network performed in a given time period by examining every packet that was transmitted across the network. Common examples of network traffic include FTP traffic, Web browsing, e-mail messages, and instant messages.

Topic 4: Challenges in Network Forensics

The Complexities of Network Forensics

In contemporary enterprises, it is important to think about the range of devices that send and receive data within a company's network. In addition to traditional computers, many other devices are in use today—laptops, netbooks, mobile devices, and Small-Scale Digital Devices (SSDDs), such as the iPad and the Galaxy tablet.
Although most networks are under the control and security of the company, other networks, such as the cellular network, the satellite network, and Internet Service Providers (ISPs), are external and outside the company's control. These external networks may hold valuable network forensic artifacts, such as network event logs, system logs, or information from individual servers. Log files are perhaps the most important sources of network data because they contain information about devices, Internet activities, services, and the active state of network data, all of which can prove to be valuable network forensic information.

The Key to Network Forensic Investigations

To investigate why the system raised an alarm, Judy, NAI's chief forensic investigator, decides to call a meeting with Steve and two other members of her team—Calpurnia and Jean. In this meeting, Judy hopes to discuss the merits of analyzing network logs because she intends to conduct a log review of NAI's network to trace the cause of the alarm. A transcript of the discussion among Judy and her team is reproduced here.

Judy: Thank you all for taking the time to attend this discussion.
Judy: I'm hoping we can conduct a log review of NAI's network, and I'd like to hear your thoughts about the merits of conducting such a review.
Calpurnia: I think it's a good idea. At the very least, the network logs can provide information about the evidence trail of network events.
Jean: I agree. The ability to analyze network logs is a big advantage for us.
Steve: It'll be a big help if we can verify the entry points, personnel involved, and systems used to access the network.
Judy: Yes, our organization had the foresight to make decisions about how the information is logged and retained.
Jean: Judy, network log files can be extremely large. I suggest we establish accurate network log analysis processes, data-retention policies, and toolkits to analyze this information.
Calpurnia: We can start with the event logs, which provide date-time stamps that can be essential in developing a timeline analysis for our investigation.
Steve: There are a number of third-party software applications that will allow us to establish filters for these network logs.
Jean: That should reduce the amount of data in the logs.
Judy: Going forward, I'll see if we can assign the information security officer's staff to review these logs as part of their daily responsibilities and to back up the information regularly.
Jean: Sounds good. How about using freeware tools to handle the complex and data-intensive aspects of network log analysis?
Calpurnia: Sure. Many freeware tools provide filtering and data-reduction capabilities. We can use them to improve our efficiency!
Judy: We'll go ahead with reviewing the network logs. Let's get to work and keep each other informed of any developments.

Case Study: Birth of the Earth

Background

New England–based Birth of the Earth is a leading manufacturer of outdoor clothing and footwear. The company uses a WAN to connect more than 850 users across its corporate offices, call center, and manufacturing plant. Last week, the company's digital forensic investigator, Joe Schumer, received a call from the networking group in the Information Systems department, reporting an active network intrusion at the company.

Methodology

As an experienced digital forensic investigator, Joe used the Investigations Triad methodology to conduct his investigation. The Investigations Triad method involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.

Reference: Caballero, A., & Fidge, S. Network Forensics: SIEM, the Investigations Triad, and SANS Top-20 Vulnerabilities. Retrieved from http://megabyteconcepts.com/Documents/ASC_Network_Forensics.pdf

Vulnerabilities

Vulnerabilities in IT systems are frequently unknown or are not immediately detected. Network forensic tools can help identify vulnerabilities and provide detailed information to the appropriate administrator, whose responsibility it is to fix them.

Intrusion Response

Intrusion response can create a particularly challenging situation for digital forensic investigators. One of the fundamental questions debated in such investigations is whether to shut the network down immediately or to observe the intruder's behavior to gather more evidence. The obvious risk of leaving the intruder on the network for an extended period is that he or she can do further damage. Conversely, tracking the intruder's actions can help acquire sufficient evidence to pursue a strong legal case.

Investigations

Investigations can revolve around an employee, a small group of employees, and/or outsiders. Most investigations begin with an analysis of all available logs and short interviews of key personnel, followed by the use of commercial or open-source tools to acquire evidence. Finally, the digital forensic investigator examines and analyzes the evidence.

Try This! Choose all the correct answers.

Question 1: How did the networking group at Birth of the Earth detect the intrusion in their network?
a. They analyzed the network logs.
b. They identified data leakage.
c. They replaced computer hardware.
d. They fixed the CEO's laptop.
Correct Answers: Options a and b
Feedback: Analyzing network logs and identifying data leakage can help identify network intrusions.
Question 2: Select the network(s) with which network forensic tools and investigative techniques can be useful.
a. Local Area Network (LAN)
b. Personal Area Network (PAN)
c. Wireless network
d. Wide Area Network (WAN)
Correct Answers: Options a, b, c, and d
Feedback: Network forensic tools are useful with all types of computer networks.

Question 3: Which term refers to a type of record that should be kept for all business transactions and is often useful to digital forensic investigators?
a. General journal
b. Audit trail
c. Purchase requisition
d. Inventory listing
Correct Answer: Option b
Feedback: Audit trails document the flow of business transactions on a step-by-step basis.

Question 4: What type of process is a network forensic investigation?
a. Proactive
b. Experimental
c. Reactive
d. Educational
Correct Answer: Option c
Feedback: Most network forensic investigations are reactive in nature because they respond to an internal investigation, a network intrusion, or a criminal investigation.

Question 5: Network forensic tools are used to conduct digital investigations. Select another situation in which network forensic tools can be used.
a. Training users about cybersecurity awareness
b. Diagnosing network performance issues
c. Testing antivirus signatures
d. Evaluating IT personnel performance
Correct Answer: Option b
Feedback: Network forensic tools can be very useful in helping network administrators and engineers diagnose network performance problems.
Topic 5: Botnets

Botnets as a Network Forensic Antagonist

Introduction

Botnets, or robot networks, are one of the most serious and insidious threats facing the computing community today. Since their emergence in the late 1990s, botnet attacks have increased in severity, frequency, scale, scope, and sophistication. With botnets demonstrating robust and advanced capabilities, the lack of standardized and effective investigative procedures for battling them poses huge challenges for forensic engineers.

Bot

A bot is an autonomous application that is often malicious in nature, such as a piece of code that allows an attacker to commandeer a computer without the owner's knowledge. Bots turn the victim's computer into a robot or "zombie" that the attacker can control remotely.
Botnet

A botnet is a collection of computers infected by bots. A botnet is formed by running software, which is usually installed via drive-by downloads that exploit Web browser vulnerabilities, ActiveX controls, plug-ins, or any other applications that a computer requires to browse the Internet. Bots can control viruses, worms, Trojan horses, or backdoors under a common command-and-control infrastructure.

Botnet Attacks

Botnet attacks can have serious consequences, such as financial loss, including regulatory noncompliance fines and litigation fees associated with the theft of sensitive second- and third-party data or intellectual property leakage; damage to reputation; and the time and costs associated with preventing, detecting, and resolving fraud, DDoS, and spam attacks (EdgeWave, 2011).

Reference: EdgeWave (n.d.). iPrism Technology. ThreatDefender.com. Retrieved from http://www.threatdefender.com/Web-Filter-Technology.asp

How Botnets Work

A bot herder or botmaster controls botnets remotely, usually through Internet Relay Chat (IRC), which is a form of real-time communication over the Internet, or through peer-to-peer (P2P) networking communications. Often, command and control takes place via a dedicated command-and-control (C&C) server over a network, or through a unique encryption scheme that provides stealth and protects against detection of, or intrusion into, the botnet. A bot typically runs hidden and uses a covert channel standard, such as Instant Messaging (IM), to communicate with its C&C server.

The Botnet Life Cycle

The life cycle of a botnet typically includes four phases: spread, infect, command and control (C&C), and attack.

Spread

In the spread phase, the bots propagate to form many botnets and infect systems through varied means, such as spam and downloads of malicious code. The goal of this phase is to infect a system. The bot herder attempts either to trick the user into installing malicious code or to exploit vulnerabilities in the user's system.

Infect

Once malicious code is installed on a user's computer, it uses various techniques to infect the system and to hide its presence. These well-established techniques range from polymorphism (the code changes with every new instantiation), to rootkitting (the stealthy installation of malicious software), to actively targeting the protective measures (for example, the antivirus software, the intrusion detection or intrusion protection system [IDS/IPS], and the firewall).

Command and Control

Botnet C&C servers use a number of protocols, such as IRC, P2P, and HTTP, to communicate with and control the bots. Social networking sites are prime targets for botnet C&C servers.

Attack

The final phase of the life cycle, the attack, involves the distribution of spam that carries the infection, targeted DDoS, and/or fraudulent activities. When the attack is successful, the size of the botnet can increase exponentially.

Types of Botnets
Attackers have different motives for using botnets. The most common incentives, however, are financial gain and destruction.

Fraud

Fraud can take many forms and can be committed through many media, including "snail mail," wire, and telephone. Fraud is also committed over the Internet in various forms. For example, identity theft is one of the fastest-growing crimes on the Internet; it is commonly initiated by bogus e-mail messages generated and sent by bots via spam. Bots can also harvest personal information through multiple fake Web sites that masquerade as popular auction Web sites, online money-transfer sites, or banks.

Spamming

Bots can send spam from a compromised computer via a generic proxy protocol for TCP/IP-based networking applications. Some bots can also implement a special function to harvest e-mail addresses and other personal information.

Distributed Denial of Service Attacks

Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks on computer systems or networks. A DDoS attack causes a loss of service to users, including the loss of network connectivity and services, by consuming the bandwidth of the victim network or by overloading the computational resources of the victim system.

Sniffing Traffic

Bots can use packet sniffers to watch for and retrieve sensitive clear-text data, such as usernames and passwords, passing by a compromised computer.

Keylogging

Attackers use keylogging to retrieve encrypted sensitive data that sniffers cannot decrypt. By monitoring each keystroke a user types on his or her keyboard, an attacker can obtain a variety of user-specific information.

Spreading New Malicious Code

Because all bots implement mechanisms to download and execute a file via HTTP or FTP, botnets are commonly used to spread new bots. They can also spread e-mail viruses, Trojans, worms, and other malicious code.

Challenges and Protection

Challenges of Handling Botnets

The expertise of investigators who handle botnets varies from organization to organization. Some organizations use advanced techniques, and others may have insufficient knowledge and tools to handle any type of botnet analysis. These differences reiterate the need for standardization, coordination, and corroboration of competencies among digital investigators and jurisdictions. The need to improve the speed and quality of botnet investigations requires the development of a systematic approach and investigative toolset to handle botnets. This means that forensic investigators should examine botnets at both the local level and the network level.

Botnets are constantly evolving. For example, they have moved from a centralized C&C structure to a distributed one, thereby increasing the complexity of network- and local-level investigations. The botnet infection and the control mechanism on infected hosts are generally quite similar, straightforward, and stable in nature. Therefore, relevant digital traces from a local machine can be collected to supplement any subsequent network-level investigation (Law, Chow, Lai, & Tse, 2009, p. 162).

Reference: Law, F. Y. W., Chow, K. P., Lai, P. K. Y., & Tse, H. K. S. (2009). A Host-Based Approach to BotNet Investigation? Center for Information Security & Cryptography. Retrieved from http://www.cs.hku.hk/cisc/forensics/papers/09_05.pdf

Polymorphism

Polymorphism is a condition in which bots change with every instantiation so that they always appear to be new.

Rootkitting

Rootkitting is the stealthy installation of software called a rootkit, which is activated each time a user boots up the system. Rootkits are difficult to detect because they are activated before the system's operating system has completely booted.

Periodic Communications

A botnet communicates with its controller only periodically. The resulting low volume of communication makes it more difficult to analyze.

Retaliatory Denial of Service

Live investigations involving retaliatory DoS attacks can cause botmasters to expand their attack and cause even more damage. Retaliatory DoS attacks are risky and generally should be avoided unless the digital forensic examiners feel there is value in pursuing them.

Distributed Denial of Service

A botnet can cause packet flooding from numerous external IP addresses against an organization's network. Packet flooding can exceed a server's capacity and overwhelm or crash the system.

Fast Flux

Botnets use a Domain Name Server (DNS) technique called fast flux to hide phishing and malicious code delivery sites behind an ever-changing network of compromised hosts acting as proxies. Fast flux makes bot networks more resistant to discovery and countermeasures through a combination of peer-to-peer networking, distributed command and control, Web-based load balancing, and proxy redirection.

Encrypted Channels and Code

The use of code-hardening techniques increases the complexity of reverse engineering. Code obfuscation, encryption, and encoding further hide the true nature of the malicious code.

Botnet Protection

The most common approach to protecting networks against botnets is to use several firewalls and a layered security approach. Such protection may include full-fledged security systems covering all levels of the network, from individual computers to the servers, LANs, and external connectivity to the Web. Other methods to protect networks include installing intrusion detection systems and protection at the gateway to e-mail servers, and disabling unused ports, such as those used by FTP applications and IRC, which are the applications most commonly used for communication with the bot herder. Isolating infected computers from the network immediately after an attack is detected, and educating users through training and security awareness, are also protection mechanisms.
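Two of the challenges above, periodic low-volume C&C check-ins and fast flux, leave patterns in ordinary flow and DNS logs that an investigator can test for. The following Python is an added example, not part of the UMUC module; the flow records, DNS answers, hostnames, address ranges and thresholds are all constructed for illustration.

```python
"""Heuristics for two botnet challenges named in this module: periodic
low-volume C&C check-ins and fast-flux DNS. Added example; every record
below is constructed, not captured traffic."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple, Tuple


class Flow(NamedTuple):
    ts: int         # epoch seconds of the first packet
    src: str
    dst: str
    dst_port: int
    bytes_out: int  # bytes sent by src in this flow


class DnsAnswer(NamedTuple):
    ts: int
    qname: str
    ttl: int
    addrs: Tuple[str, ...]  # A records returned in one response


def find_beacons(flows, min_events=6, max_cv=0.2, max_bytes=2000):
    """Flag (src, dst, port) groups whose inter-arrival times are nearly
    constant (low coefficient of variation) and whose payloads stay small:
    the profile of a bot that contacts its controller only periodically."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dst_port)].append(f)
    beacons = []
    for (src, dst, port), fs in groups.items():
        if len(fs) < min_events:
            continue
        times = sorted(f.ts for f in fs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv and max(f.bytes_out for f in fs) <= max_bytes:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "interval_s": round(avg), "events": len(fs)})
    return beacons


def fast_flux_score(answers, ttl_threshold=300, min_ips=8, min_nets=4):
    """Per queried name: distinct IPs across all responses, distinct /16
    networks (a rough stand-in for hosting diversity), how many responses
    introduced never-before-seen addresses (churn), and whether every TTL
    was short. Short TTLs plus high diversity plus churn marks a suspect."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    results = {}
    for name, resp in by_name.items():
        resp.sort(key=lambda r: r.ts)
        seen, nets, churn = set(), set(), 0
        for r in resp:
            new = set(r.addrs) - seen
            if new and seen:  # a later response brought addresses not seen before
                churn += 1
            seen |= set(r.addrs)
            nets |= {".".join(ip.split(".")[:2]) for ip in r.addrs}
        low_ttl = all(r.ttl <= ttl_threshold for r in resp)
        results[name] = {
            "distinct_ips": len(seen), "distinct_nets": len(nets), "churn": churn,
            "low_ttl": low_ttl,
            "suspect": (low_ttl and len(seen) >= min_ips and len(nets) >= min_nets
                        and churn >= len(resp) // 2),
        }
    return results


def sample_flows():
    """Constructed: one host checking in every ~600 s with ~300 bytes, and one
    host browsing at irregular intervals with large transfers."""
    base = 1_700_000_000
    bot = [Flow(base + i * 600 + j, "10.0.0.23", "203.0.113.9", 6667, 280 + 10 * (i % 3))
           for i, j in enumerate([0, 4, -3, 6, -5, 2, 0, 3])]
    browsing = [Flow(base + t, "10.0.0.5", "198.51.100.80", 443, b)
                for t, b in [(12, 51000), (40, 8200), (900, 120000), (905, 3100),
                             (3800, 44000), (3820, 2600), (7000, 88000)]]
    return bot + browsing


def sample_dns():
    """Constructed: a name whose short-TTL answers rotate through many networks
    (documentation/test address ranges) and a stable name with two fixed addresses."""
    base = 1_700_000_000
    flux = [
        DnsAnswer(base, "deals.example", 120, ("198.51.100.7", "203.0.113.40", "192.0.2.77", "198.51.100.91")),
        DnsAnswer(base + 130, "deals.example", 120, ("203.0.113.40", "192.0.2.12", "198.18.5.9", "100.64.3.3")),
        DnsAnswer(base + 260, "deals.example", 120, ("192.0.2.12", "198.18.77.2", "100.64.9.1", "203.0.113.200")),
        DnsAnswer(base + 390, "deals.example", 120, ("198.18.77.2", "192.0.2.200", "100.64.3.3", "198.51.100.7")),
    ]
    stable = [DnsAnswer(base + 3600 * k, "www.example", 3600, ("192.0.2.10", "192.0.2.11"))
              for k in range(4)]
    return flux + stable
```

Both heuristics produce leads, not proof: legitimate software updaters also beacon on a schedule, and content delivery networks also answer with short TTLs, so each hit still needs the host-level traces the module describes.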
Activity: Annihilating the Internet

It's time to end the electronic age and save the world from its wired and impersonal existence. Let's cut some wires, spread infection, and herald destruction—but in good faith. You are the chosen one! You are hereby crowned Botmaster.

Phase I: Organizing Your Botnet Technology

You are now Botmaster, and it is your responsibility to begin annihilating the Internet! You have a budget of $1,500 to fund your dastardly deeds. Your first step will be to establish a command-and-control structure, which will allow you to gain the largest amount of information possible. As everyone knows, information is money! Get started!

Welcome to the malware factory! Carry out all necessary steps to acquire the tools you will need in your toolbox.

Step 1: Select the malware you want to create for annihilation. Keep in mind your budget and your goal of producing an appropriate impact!
a. Virus: $100 (Low Impact)
b. Worm: $250 (Low Impact)
c. Trojan Horse: $400 (Low Impact)
d. Rootkit: $750 (High Impact)

Step 2: Select the distribution mechanism for your malware.
a. Through a rogue distribution of a popular software program: $200
b. Via a downloadable game: $250
c. Through a Web browser: $175
d. As an e-mail attachment: $125

Step 3: How about customizing your malware to make it unique? Select a tool from the options below.
a. Code Monster: $200. The Code Monster will allow you to develop and customize your malware code. You can choose to combine your malware with existing programs to develop superlatively malicious software.
b. Web Map: $250. Use the Web Map to keep track of your work. You can configure the Web Map to notify you when your malware infects new computers, to track the activities of other hackers, and to identify new targets to attack. Your targets can include private- and public-sector computers and Web sites. The Web Map comes equipped with various resources, such as the results of passive scans of networks.
c. Malware-Gro Toolkit: $275. Use the Malware-Gro Toolkit to determine the size of your botnet. You can even begin small and then grow, depending on your interest and the amount of damage and chaos you want to create. The Malware-Gro Toolkit has built-in tools to destroy huge sections of cyberspace.

Step 4: Time to create the program to launch the attack!

Phase II: Selecting Your Victim

You have created your malware. Now it's time to select your first victim! Read the victims' profiles and the chat transcripts below. Then select a victim to launch the attack.

Zombie 1: Rob Flower. Rob is an elderly man who lives in a retirement community. He uses the Internet to communicate with his children, who live abroad.
Zombie 2: Gareth Owen. Gareth is a young IT professional. He has recently been hired as a software developer.
Zombie 3: Martha Booth. Martha teaches at a university in the United Kingdom. She teaches economics and uses the Internet to keep up with current economic news and developments.
Zombie 4: Michael Thomas. Michael is a college student. He uses the Internet to stay connected with his friends and to learn about new technology. An avid blogger, he usually blogs about music, travel, and changing technological trends.

A transcript of the chat between the Botmaster and Martha/Gareth is below.

Botmaster: Hello! I am Botham. I work as a travel agent. Are you interested in traveling to exotic destinations?
Martha/Gareth: I do not talk to strangers, Botham. I hope you don't mind.

A transcript of the chat between the Botmaster and Rob/Michael is below.

Botmaster: Hello! I am Botham. I work for a travel agent. Are you interested in traveling to exotic locations?
Rob/Michael: Yes, I am.
Botmaster: Great! I love traveling too, and was hoping to meet people on the Internet who share my interests.
Rob/Michael: Hmm.
Botmaster: So…do you travel budget or luxury?
Rob/Michael: Budget. I'd love to go on a luxury vacation.
Botmaster: In that case, here's a trade secret! You must check out this Website we use. It has special weekly offers on five-star resorts.
Rob/Michael: Really? Can you send me the link?
Botmaster: Sure. Here it is: www.travelabroad.com. I know you will enjoy it. I use it all the time.
Rob/Michael: Thank you for your suggestion. Nice to meet you in cyberspace!
Botmaster: You too. I hope your next trip is really fun.

Feedback if you selected Rob or Michael as your victim: Congratulations! You have infected the victim's computer with your malware.

Feedback if you selected Gareth or Martha as your victim: Operation failed! The chat transcript indicates that this person will not be an ideal victim. Select another victim.

Phase III: Retaliation by the Infected Zombie

You will now step into the shoes of the victim. Look at the incident from the victim's perspective. The victim's train of thought is reproduced below.

Victim: I cannot believe it. I have all kinds of unauthorized charges on my credit cards, and someone has dipped into my checking account, too.
Victim: Could I have been the victim of a botnet attack? I remember reading about how victims of botnet attacks lose their personal identity and financial security.
Victim: I'm sure I didn't share my bank or credit card details with anyone.
Victim: Hmm … the withdrawals from my account began a couple of days after I visited that travel Website.
Victim: The site was really useful, and I booked my next vacation almost for free. However, they say there's no such thing as a free lunch. Is it possible my computer is infected with some type of malware?
Victim: I'm angry at myself for not being more careful. I never thought I was a gullible person, but I'm going to have to be more careful.
Victim: I would love to track that person down while I try to clean up this mess I've gotten myself into. I'd better start by educating myself before I do any more chatting online!

Learn More

Test your knowledge of botnets by answering the following questions.

Question 1: Select the best methods to protect a system from botnet attacks.
a. Disable unused ports.
b. Establish several firewall layers.
c. Install an intrusion detection system.
Correct Answers: Options a, b, and c
Feedback: All of these methods help protect your computer system from botnet attacks.

Question 2: The botnet life cycle involves four key steps. Select the steps in correct order of occurrence.
a. Command and control, spread, attack, and infect
b. Attack, spread, infect, and command and control
c. Spread, infect, command and control, and attack
d. Infect, command and control, spread, and attack
Correct Answer: Option c
Feedback: The proper sequence of steps in the botnet life cycle is spread, infect, command and control, and attack.

Question 3: Which of the following malicious goals can botnets accomplish?
a. Spamming
b. Fraud
c. Antivirus protection
d. DDoS attacks
Correct Answers: Options a, b, and d
Feedback: Spamming, fraud, and DDoS attacks are common malicious goals of botnets.

Question 4: What challenges do digital forensic investigators face in detecting botnets?
a. Polymorphism
b. Fast flux
c. Covert channel communications
d. Rootkitting
Correct Answers: Options a, b, c, and d
Feedback: Polymorphism, fast flux, covert channel communication, and rootkitting are all challenges for digital forensic investigators in detecting botnets.
Question 5: What are common terms for the individual who controls a botnet?
a. Network engineer
b. Botmaster
c. Bot herder
d. Script kiddie
Correct Answers: Options b and c
Feedback: Botmaster and bot herder are the most common terms for a person who controls a botnet.

Question 6: Select a tool that one can use to track down a botmaster.
a. Traceroute
b. Wireshark
c. PingPlotter
d. WhatsUp
Correct Answers: Options a, b, c, and d
Feedback: All of these tools provide the ability to trace traffic from one's computer back to the sending computer.

Topic 6: Performing Live Acquisitions

Performing Live Acquisitions of Data

Network forensic projects involving live acquisition of data are widespread. Conducting a live acquisition of data is helpful in large companies, where taking a network offline to collect forensic information can have an enormous impact on the company's production. It is important, then, that cybersecurity professionals understand the precautions needed to perform a live acquisition of network data.

Coordination

It is essential to coordinate the authorization and acquisition approach with the organization's network engineering group. This will minimize the potential adverse effects of working with live data, such as data corruption and system crashes. Coordination with other IT professionals is essential in any digital investigation, and even more so in live acquisition, because the risks involved are exponentially higher than with other forensic procedures such as deadbox analysis or reviewing a smartphone for forensic information.

Timing

Timing is another crucial aspect of acquiring live network data. Event logs, e-mail messages, and data files are the most important forensic information needed in an investigation. It is essential to ensure that all legal procedures and precautions are taken before the data is used. Permissions can be obtained from internal legal counsel and law enforcement officials.

Techniques to Improve Live Acquisitions of Data

Digital forensic researchers have identified several methods to improve the live acquisition of network data. Judy conducts a presentation to teach her team members techniques for improving the live acquisition of data.

Recommendation 1: Position the collector as close as possible to the source of information.

Both the physical and the logical distance from the source of information must be considered. The collector should be as close as possible to the evidence source, both physically and logically. Proximity helps minimize latency and the potential loss of evidence, and it helps preserve the authenticity of the evidence.

Recommendation 2: Perform write blocking of the evidence.

Perform write blocking of data to maintain the integrity of the evidence. Write blocking can be done with one-way Ethernet cables or by using a read-only FTP client device. In addition, write blocking should be performed in front of a witness, and both the procedures and the results should be documented. The documented data will serve as verification of the data's integrity.

Recommendation 3: Define workable boundaries to collect relevant data.

Define workable boundaries so that the investigator collects only relevant data. Because of the nature of high-speed networks, data travels faster than it can be fully captured in a live environment. Coordinating with an organization's IT staff to develop filters and other technical controls is helpful.

Recommendation 4: Ensure that documentation requirements are met.

Nikkel (2006) makes seven specific recommendations for documentation:
1. Diligence on the forensic investigator's part
2. Adherence to accepted methods and procedures
3. Precise data showing what was collected or, in some cases, not collected
4. Start and end timestamps
5. Additional technical information, such as lower-level protocol information or headers
6. Notation of any errors or lost or corrupted data
7. Other meta information, such as the investigator's name, case ID, and case/evidence descriptions

Reference: Nikkel, B. (2006). Improving Evidence Acquisition from Network Sources. Digital Investigation: The International Journal of Digital Forensics and Incident Response, 3(2).
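The seven documentation items above, together with the integrity verification that Recommendation 2 asks for, can be captured in a single acquisition record that is sealed with a hash of the capture file once the collection ends. The Python below is an added example, not part of the UMUC module or of any tool it names; the field names, the investigator and case placeholders, and the sample capture bytes (a bare pcap global header) are constructed.

```python
"""Acquisition record for a live network capture, covering the seven
documentation items listed above, sealed with a SHA-256 of the capture file so
the write-blocked evidence can be re-verified later. Added example; field
names and the sample capture bytes are constructed."""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass
class AcquisitionRecord:
    investigator: str            # item 7: meta information
    case_id: str                 # item 7
    evidence_description: str    # item 7
    procedure: str               # item 2: accepted method followed
    collected: str               # item 3: what was captured
    not_collected: str           # item 3: what was deliberately excluded
    start_utc: str               # item 4: ISO 8601, e.g. 2011-03-01T10:15:00Z
    end_utc: str                 # item 4
    interface: str               # item 5: lower-level technical detail
    capture_filter: str          # item 5: BPF filter applied at the collector
    snaplen: int                 # item 5: bytes kept per packet
    packets_captured: int        # item 6: completeness of the capture
    packets_dropped: int         # item 6
    errors: List[str] = field(default_factory=list)  # item 6
    sha256: Optional[str] = None  # integrity seal, set by finalize_record


def _parse_utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def finalize_record(rec: AcquisitionRecord, capture: bytes) -> AcquisitionRecord:
    """Item 1 (diligence): refuse an incomplete or inconsistent record, note any
    drops among the errors, then seal the record with the capture's hash."""
    if _parse_utc(rec.end_utc) < _parse_utc(rec.start_utc):
        raise ValueError("end timestamp precedes start timestamp")
    for name in ("investigator", "case_id", "evidence_description",
                 "procedure", "collected", "interface"):
        if not getattr(rec, name).strip():
            raise ValueError(f"missing documentation field: {name}")
    if rec.packets_dropped and not any("dropped" in e for e in rec.errors):
        rec.errors.append(f"{rec.packets_dropped} packets dropped by the capture engine")
    rec.sha256 = hashlib.sha256(capture).hexdigest()
    return rec


def verify_integrity(rec: AcquisitionRecord, capture: bytes) -> bool:
    """Recompute the hash of the evidence file and compare it with the seal."""
    return rec.sha256 is not None and hashlib.sha256(capture).hexdigest() == rec.sha256


def to_json(rec: AcquisitionRecord) -> str:
    """Serialize the sealed record for the case file."""
    return json.dumps(asdict(rec), indent=2, sort_keys=True)


# Constructed stand-in for a capture file: a 24-byte pcap global header
# (little-endian magic, version 2.4, snaplen 65535, link type Ethernet).
SAMPLE_CAPTURE = bytes.fromhex("d4c3b2a1" "02000400" "00000000" "00000000"
                               "ffff0000" "01000000")


def sample_record() -> AcquisitionRecord:
    """Constructed record; investigator and case values are placeholders."""
    return AcquisitionRecord(
        investigator="INVESTIGATOR-PLACEHOLDER",
        case_id="CASE-PLACEHOLDER",
        evidence_description="Mirror of call-center VLAN uplink traffic",
        procedure="Passive capture via SPAN port into a write-blocked collector",
        collected="All frames on the uplink matching the capture filter",
        not_collected="VoIP media (UDP 16384-32767) excluded by agreement with IT",
        start_utc="2011-03-01T10:15:00Z",
        end_utc="2011-03-01T11:45:30Z",
        interface="eth1",
        capture_filter="not (udp portrange 16384-32767)",
        snaplen=65535,
        packets_captured=1_284_311,
        packets_dropped=12,
    )
```

The seal only proves that the file has not changed since the record was finalized, so the hash should be computed in front of the same witness who observed the write blocking and recorded alongside the procedure.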
Topic 7: Intrusion Detection and Monitoring

Relevance to Network Forensics

A very important and challenging aspect of forensic investigations involves intrusion detection. It is important to determine when to monitor a network, and how much monitoring to do, before taking aggressive action in a digital forensic investigation. There are no hard-and-fast rules about how to monitor a network intrusion and when to bring down your network to stop the intrusion from penetrating deeper. One of the core challenges forensic investigators face is balancing the need to have sufficient evidence against the intruder with the need to stop the intrusion. The more evidence you gather, the stronger your legal case will be. On the other hand, the longer you allow the intruder access to your network in order to gather evidence, the higher the risks to your network. With practical experience comes greater knowledge in dealing with these important considerations. Popular commercial tools like Ethereal, NetIntercept, and others act as aids to the forensic investigation.

Topic 8: Summary

We have come to the end of Module 7. The key concepts covered in this module are listed below.

Network forensics is useful in capturing an attack fingerprint, performing post-attack analysis of security exploits, and analyzing historical network traffic.

Network forensics can help monitor user activity, identify the source of data leaks, analyze business transactions, and identify the source of intermittent network performance issues.
  • 50. - Log files are an important source of network data because they contain information about devices, Internet activities, services, and the active state of network data, all of which can be valuable network forensic information.
    - The Investigations Triad methodology is an investigative technique that involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.
    - A bot is an autonomous application that is often malicious. A computer attacked by a bot is known as a robot or a zombie. A collection of computers infected by bots is known as a botnet.
    - The life cycle of a botnet typically includes four phases: spread, infection, command and control (C&C), and attack.
    - Some challenges encountered while dealing with botnets include polymorphism, rootkitting, periodic communications, retaliation, denial of service, distributed denial of service, fast flux, and encrypted channels and code.
    - The most common methods of protecting networks against botnets are using several firewalls and a layered security approach, installing intrusion detection systems and protection at the gateway to e-mail servers, disabling unused ports, and isolating infected computers.
  • 51. - Conducting a live acquisition of data is helpful in collecting forensic information. It should be done in coordination with the organization's IT department.

    Glossary

    Audit Log: An audit log is a list of all system-based activities, including the user ID, time of activity, workstation ID, and other information.
    Audit Trail: An audit trail is the ability to trace system activities to their original source of input, entry, transfer, or termination on the system.
    Backdoor: A backdoor is a remote access point for software; it allows remote connectivity. Though originally intended for debugging purposes, backdoors are currently used for remote command-and-control actions.
  • 52. Bot: A bot is a computer program that is used to rapidly carry out a large number of automated and repetitive tasks on the Internet, usually in a cybersecurity attack.
    Bot herder: A bot herder, also known as a botmaster, controls botnets remotely and tricks a victim into installing malicious code on a computer.
    Botnets: A botnet is a group of robots, or compromised computers, running automatically. Often, the victims whose computers are part of the botnet are unaware of the invasion.
    Command-and-Control: A command-and-control system provides for command and control of system components, such as other computers.
    Deadbox Forensics: Deadbox forensics is an expression that refers to forensic analysis of laptops and PCs that are not actively connected to a live network.
    Denial of Service: Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks use "zombie" servers to flood a target site with large volumes of traffic. This flood of traffic consumes all of the target site's network or system resources and denies access to legitimate users.
  • 53. Distributed Denial of Service: In a distributed denial of service attack (DDoS attack), a computer's resources are made unavailable to its user when several compromised systems flood it with useless data.
    Fast Flux: Fast flux is a Domain Name Server (DNS) technique used to hide phishing and malicious code delivery sites behind compromised hosts that act as proxies.
    File System Forensics: File system forensics is the forensic analysis of an individual computer's file system and operating system components.
    FTP: File Transfer Protocol (FTP) is an application protocol that uses the TCP/IP protocol (or the Internet) to transfer files between computers.
    HTTP: Hypertext Transfer Protocol (HTTP) transmits Web pages to clients.
    Internet Relay Chat: Internet Relay Chat (IRC) is a form of communicating over the Internet using private messages, chats, or group discussions.
  • 54. Intrusion Response: Intrusion response is the response by an individual cyberforensic investigator or incident response team to a network-based intrusion.
    Investigations Triad Method: The Investigations Triad method involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.
    Network Forensics: Network forensics is a forensic process involving multiple devices on a computer network.
    Personal Area Networks: A Personal Area Network (PAN) enables communication between computers, TVs, MP3 players, personal digital assistants (PDAs), and smartphones that are within a few feet of each other.
    Pingplotter: Pingplotter allows the user to trace the path of packets across the Internet.
    Polymorphism: Polymorphism is a condition in which bots change with every instantiation, so they always appear to be new.
  • 55. Rogue Network Forensics: Rogue network forensics describes the practice of using network forensic techniques to perform malicious activities.
    Rootkitting: Rootkitting is the stealthy installation of software called a rootkit, which is activated each time a user boots up a system.
    Small-Scale Digital Devices: Small-scale digital devices are devices that are analogous to embedded systems.
    Structured Query Language: Structured Query Language (SQL) is a data-manipulation language that is the de facto standard used to manage actual data in relational database management systems.
    Telnet: Telnet enables remote use and supervision of systems. Network administrators monitor and control systems remotely using Telnet.
    Traceroute: Traceroute traces the path of packets across an IP network. An intruder uses traceroute to map routers for known destinations around the targeted system.
  • 56. Whatsup: Whatsup is network-monitoring software.
    Wireshark: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
    Write Blocking: Write blocking is a forensic technique used to avoid altering the state of the source computer, in order to create a forensically sound image of that computer.
    Zombie: A zombie is a computer that is remotely controlled by a bot herder or botmaster in a botnet.
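Two of the botnet challenges listed in the summary, periodic command-and-control communications and fast flux, can be spotted from ordinary flow and DNS logs. The detection logic below is an added example, not part of the UMUC module; the flow records, passive-DNS records, IP ranges, domain names and thresholds are all constructed or assumed, and a real deployment would tune the thresholds against its own baseline.

```python
"""Flag beaconing (periodic C&C traffic) and fast-flux DNS from log records.

Added example, not from the UMUC module. All records below are constructed
sample data using documentation address ranges and .test domains; the
thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# --- Beaconing: an infected host contacting its C&C address at fixed intervals.
# Each record: (timestamp_seconds, src_ip, dst_ip). Constructed sample.
FLOWS = [
    # 10.0.0.5 -> 203.0.113.7 roughly every 60 s (small jitter added)
    *[(1000 + 60 * i + (i % 3), "10.0.0.5", "203.0.113.7") for i in range(12)],
    # the same host visiting a web server at irregular times
    (1003, "10.0.0.5", "198.51.100.10"), (1090, "10.0.0.5", "198.51.100.10"),
    (1330, "10.0.0.5", "198.51.100.10"), (1345, "10.0.0.5", "198.51.100.10"),
    (1601, "10.0.0.5", "198.51.100.10"),
]


def beacon_candidates(flows, min_connections=8, max_cv=0.2):
    """Return (src, dst, mean_interval, cv) for pairs whose inter-arrival
    times are nearly constant. cv = stdev / mean of the gaps; a low cv means
    the host keeps calling home on a schedule rather than on user activity."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:      # too few samples to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu == 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append((src, dst, round(mu, 1), round(cv, 3)))
    return hits


# --- Fast flux: a domain whose A records rotate rapidly behind short TTLs.
# Each record: (domain, ttl_seconds, resolved_ip). Constructed passive-DNS sample.
DNS = [
    ("updates.example-cdn.test", 300, "198.51.100.20"),
    ("updates.example-cdn.test", 300, "198.51.100.21"),
    ("updates.example-cdn.test", 300, "198.51.100.20"),
    *[("login.badflux.test", 120, f"192.0.2.{n}") for n in range(1, 13)],
    *[("login.badflux.test", 120, f"203.0.113.{n}") for n in range(1, 9)],
]


def fast_flux_candidates(records, max_ttl=300, min_unique_ips=10, min_networks=2):
    """Return (domain, unique_ips, unique_networks) for domains that combine a
    short TTL with many distinct answers spread over several networks.
    The /24 prefix is used as a rough proxy for network diversity."""
    per_domain = defaultdict(lambda: {"ips": set(), "ttls": []})
    for domain, ttl, ip in records:
        per_domain[domain]["ips"].add(ip)
        per_domain[domain]["ttls"].append(ttl)
    out = []
    for domain, d in per_domain.items():
        nets = {ip.rsplit(".", 1)[0] for ip in d["ips"]}
        if (max(d["ttls"]) <= max_ttl
                and len(d["ips"]) >= min_unique_ips
                and len(nets) >= min_networks):
            out.append((domain, len(d["ips"]), len(nets)))
    return out


if __name__ == "__main__":
    print("beacons:", beacon_candidates(FLOWS))
    print("fast flux:", fast_flux_candidates(DNS))
```

Both checks are heuristics, which is why the lists are named candidates: a content delivery network also uses short TTLs and many addresses, and software update checks also run on a timer, so each hit is a lead for the investigator to confirm against packet content and the hosts' other activity, not a verdict.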