
ADVANCED PERSISTENT THREAT DETECTOR

REPORT – 2

Submitted By
Shyam Prakash RS
17MZ08
I Year M.E. CSE
ADVANCED PERSISTENT THREAT

An advanced persistent threat (APT) is a growing danger to all computer systems, and is more dangerous than ordinary malware and viruses because of its behaviour and its ability to remain undetected by antivirus software.

Identifying its presence on any internet-enabled computer is therefore essential and should be done as soon as possible. The proposed tool has a simple user interface with which the user can check for the presence of an APT by browsing to any URL and checking for redirections to malicious or anonymous sites.

Steps :

1. The outgoing network traffic of the system to be checked is captured and exported with Wireshark. Wireshark is a free and open source packet analyser: a data capturing program that understands the structure of different networking protocols.

2. The captured packets are exported into plain text files (*.txt format).

3. A sample of the exported capture data, on which the application works to identify the threat-affected personal computer, is shown below.

No.  Time      Source                   Destination  Protocol  Length  Info
1    0.000000  fe80::1015:ea7:8492:61d  ff02::1:2    DHCPv6    157     Solicit XID: 0xf801fc CID: 00010001219607d49840bb06579a

Frame 1: 157 bytes on wire (1256 bits), 157 bytes captured (1256 bits) on interface 0
Ethernet II, Src: 0a:00:27:00:00:09 (0a:00:27:00:00:09), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02)
Internet Protocol Version 6, Src: fe80::1015:ea7:8492:61d, Dst: ff02::1:2
User Datagram Protocol, Src Port: 546, Dst Port: 547
DHCPv6

4. The fields Src and Dst denote the source and destination of the network traffic. Using the Dst field, the actual redirection that occurs on the system in response to the user's request can be identified by its IP address.

5. When the redirection is unintentional and goes to a malicious site, the user is identified as using an affected personal computer.

6. The URL corresponding to the destination IP address is identified and logged.

7. When the user generates the test report, the user is warned about the malicious redirections and the URLs are listed.

8. The attacker may add new URLs for redirection to serve his/her purpose. Therefore, the list of malicious URLs must be kept up to date; this is done by providing regular product updates.

9. The user can run a test or perform an update only after logging in to the application, to prevent misuse and the generation of false reports.
Login Screen

Wireshark Packet Capture Screen


Exporting Captured Data to Plain Text

Application Home Screen


Difficulties Faced:

1. Packet data can be captured only manually, as invoking Wireshark from NetBeans or any other Java IDE is infeasible.

2. With the export in text format, every line of the character stream has to be searched to locate the destination field that identifies a malicious destination URL.

Solved by using Apache Commons IO FileUtils:

import java.io.File;
import java.nio.charset.StandardCharsets;
import org.apache.commons.io.FileUtils;

// Read the whole Wireshark text export into memory (readFileToString takes a File and a charset).
String text = FileUtils.readFileToString(new File("hello.txt"), StandardCharsets.UTF_8);

// Print the part of the export from the first "Dst" (capitalised as in the export above)
// up to the last "U" in the file.
System.out.println(text.substring(text.indexOf("Dst"), text.lastIndexOf("U")));

The above call extracts the substring starting from the word Dst, which introduces the destination IP address. Note that indexOf returns -1 when the marker is absent, which makes substring throw, so the result should be checked before it is used.
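As an added example (not the report's own code), a more robust way to locate the destination for steps 4 to 7 above than searching for the first "Dst": the class below parses the "Internet Protocol Version ..., Src: ..., Dst: ..." line of every frame in the text export and matches each destination against a blocklist. The sample export and the blocklist entry are constructed for the example; the report does not list any actual malicious addresses.

```java
import java.util.*;
import java.util.regex.*;

/** Parses a Wireshark "packet details" text export and flags destinations
 *  found in a blocklist. Added example, not code from the report. */
public class DstExtractor {

    // Matches the IP-layer line of each frame. Anchoring on "Internet Protocol"
    // skips the Ethernet line, which also carries a "Dst:" (a MAC address).
    private static final Pattern IP_LINE = Pattern.compile(
        "^Internet Protocol Version [46], Src: ([^,\\s]+), Dst: (\\S+)",
        Pattern.MULTILINE);

    /** Returns every destination address in the export, one per frame, in order. */
    public static List<String> destinations(String export) {
        List<String> out = new ArrayList<>();
        Matcher m = IP_LINE.matcher(export);
        while (m.find()) {
            out.add(m.group(2));
        }
        return out;
    }

    /** Returns the destinations that appear in the blocklist, without duplicates. */
    public static Set<String> flagged(String export, Set<String> blocklist) {
        Set<String> hits = new LinkedHashSet<>();
        for (String dst : destinations(export)) {
            if (blocklist.contains(dst)) {
                hits.add(dst);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample in the same layout as the report's capture: two frames.
        String export =
            "Ethernet II, Src: 0a:00:27:00:00:09 (0a:00:27:00:00:09), Dst:\n" +
            "IPv6mcast_01:00:02 (33:33:00:01:00:02)\n" +
            "Internet Protocol Version 6, Src: fe80::1015:ea7:8492:61d, Dst: ff02::1:2\n" +
            "User Datagram Protocol, Src Port: 546, Dst Port: 547\n" +
            "Internet Protocol Version 4, Src: 192.0.2.10, Dst: 198.51.100.7\n";
        // Constructed blocklist using a documentation-range address (hypothetical).
        Set<String> blocklist = Set.of("198.51.100.7");
        System.out.println("Destinations: " + destinations(export));
        System.out.println("Flagged: " + flagged(export, blocklist));
    }
}
```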

Sample Code for Login Applet

[MyApplet.java]
import java.awt.*;
import java.net.*;

public class MyApplet extends java.applet.Applet {

    public String username = "";
    public String password = "";

    public void init() {
        if (!login()) {
            // Login failed or was cancelled: send the browser to the access-denied page.
            try {
                getAppletContext().showDocument(
                    new URL(getCodeBase() + "accessdenied.html"), "_top");
            } catch (Exception e) {
                e.printStackTrace();
            }
        } else {
            // here the username and password are OK
        }
    }

    public boolean login() {
        boolean userValid = false;
        // MyLogin is a modal dialog, so the constructor returns only after OK or Cancel.
        MyLogin login = new MyLogin(new Frame(""));
        requestFocus();
        if (login.id) {
            username = login.userid.getText();
            password = login.password.getText();
            userValid = validateUser(username, password);
            System.out.println("The password for " + username
                + " is " + (userValid ? "valid" : "invalid"));
        } else {
            System.out.println("Cancel was pressed.");
        }
        login.dispose();
        return userValid;
    }

    // Sample check only: the credentials are hard-coded for this demonstration.
    private boolean validateUser(String usr, String pwd) {
        return (usr.equals("user1") && pwd.equals("pwd"));
    }
}
[MyLogin.java]
import java.awt.*;
import java.awt.event.*;

public class MyLogin extends Dialog implements ActionListener {

    boolean id = false;          // true when Login was pressed, false on Cancel
    Button ok, can;
    TextField userid;
    TextField password;

    MyLogin(Frame frame) {
        // Dialog has no no-arg constructor; modal so setVisible(true) blocks until closed.
        super(frame, "Login", true);
        setLayout(new FlowLayout());
        userid = new TextField(15);
        password = new TextField(15);
        password.setEchoChar('*');
        add(new Label("UserID :"));
        add(userid);
        add(new Label("Password :"));
        add(password);
        addOKCancelPanel();
        createFrame();
        pack();
        setVisible(true);
    }

    void addOKCancelPanel() {
        Panel p = new Panel();
        p.setLayout(new FlowLayout());
        createButtons(p);
        add(p);
    }

    void createButtons(Panel p) {
        p.add(ok = new Button("Login"));
        ok.addActionListener(this);
        p.add(can = new Button("Cancel"));
        can.addActionListener(this);
    }

    void createFrame() {
        Dimension d = getToolkit().getScreenSize();
        setLocation(d.width / 4, d.height / 3);
    }

    public void actionPerformed(ActionEvent ae) {
        if (ae.getSource() == ok) {
            id = true;
            setVisible(false);
        } else if (ae.getSource() == can) {
            id = false;
            setVisible(false);
        }
    }
}

Main Screen Sample Code:

package me.cse.psgtech.sdllab;

public class DNS extends javax.swing.JApplet {

    /* Initialise the applet: select the Nimbus look and feel, then build the UI on the event thread. */
    public void init() {
        try {
            for (javax.swing.UIManager.LookAndFeelInfo info :
                    javax.swing.UIManager.getInstalledLookAndFeels()) {
                if ("Nimbus".equals(info.getName())) {
                    javax.swing.UIManager.setLookAndFeel(info.getClassName());
                    break;
                }
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        /* Create and display the applet */
        try {
            java.awt.EventQueue.invokeAndWait(new Runnable() {
                public void run() {
                    initComponents();
                }
            });
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

private void initComponents() {

jPanel1 = new javax.swing.JPanel();


jLabel1 = new javax.swing.JLabel();
jLabel2 = new javax.swing.JLabel();
jButton1 = new javax.swing.JButton();
jButton2 = new javax.swing.JButton();
jButton3 = new javax.swing.JButton();
jTextField1 = new javax.swing.JTextField();
jScrollPane1 = new javax.swing.JScrollPane();
jTextPane1 = new javax.swing.JTextPane();
jButton4 = new javax.swing.JButton();

jLabel1.setFont(new java.awt.Font("Times New Roman", 0, 24)); // NOI18N


jLabel1.setHorizontalAlignment(javax.swing.SwingConstants.CENTER);
jLabel1.setText("APT Detector");

jLabel2.setFont(new java.awt.Font("Times New Roman", 0, 24)); // NOI18N


jLabel2.setText("Status");

jButton1.setFont(new java.awt.Font("Times New Roman", 0, 18)); // NOI18N


jButton1.setText("Re-Analyze");
jButton1.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
jButton1ActionPerformed(evt);
}
});
//similarly for button 2,3,4

javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);


jPanel1.setLayout(jPanel1Layout);
jPanel1Layout.setHorizontalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(javax.swing.GroupLayout.Alignment.TRAILING, jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addComponent(jLabel1, javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
.addGroup(jPanel1Layout.createSequentialGroup()
.addGap(28, 28, 28)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addComponent(jButton1)
.addGap(58, 58, 58)
.addComponent(jButton4))
.addGroup(jPanel1Layout.createSequentialGroup()
.addGap(12, 12, 12)

.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(jLabel2, javax.swing.GroupLayout.PREFERRED_SIZE, 105,
javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 188,
javax.swing.GroupLayout.PREFERRED_SIZE))))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED, 14,
Short.MAX_VALUE)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(javax.swing.GroupLayout.Alignment.TRAILING,
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING, false)
.addGroup(jPanel1Layout.createSequentialGroup()
.addGap(33, 33, 33)
.addComponent(jButton2, javax.swing.GroupLayout.PREFERRED_SIZE, 116,
javax.swing.GroupLayout.PREFERRED_SIZE)
.addGap(29, 29, 29))
.addGroup(jPanel1Layout.createSequentialGroup()
.addComponent(jButton3, javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addContainerGap()))
.addGroup(javax.swing.GroupLayout.Alignment.TRAILING,
jPanel1Layout.createSequentialGroup()
.addComponent(jScrollPane1, javax.swing.GroupLayout.PREFERRED_SIZE, 168,
javax.swing.GroupLayout.PREFERRED_SIZE)
.addContainerGap())))
);
jPanel1Layout.setVerticalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addComponent(jLabel1, javax.swing.GroupLayout.PREFERRED_SIZE, 37,
javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING,
false)
.addComponent(jTextField1)
.addComponent(jButton3, javax.swing.GroupLayout.DEFAULT_SIZE, 52,
Short.MAX_VALUE))
.addGap(36, 36, 36)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(jLabel2, javax.swing.GroupLayout.PREFERRED_SIZE, 39,
javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jScrollPane1, javax.swing.GroupLayout.PREFERRED_SIZE, 47,
javax.swing.GroupLayout.PREFERRED_SIZE))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED, 118,
Short.MAX_VALUE)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jButton1)
.addComponent(jButton2)
.addComponent(jButton4))
.addGap(21, 21, 21))
);

javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());


getContentPane().setLayout(layout);
layout.setHorizontalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addContainerGap()
.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addContainerGap())
);
layout.setVerticalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addContainerGap()
.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addContainerGap())
);
}// </editor-fold>

private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
    // TODO add your handling code here:
}

private void jButton2ActionPerformed(java.awt.event.ActionEvent evt) {
    // TODO add your handling code here:
}

private void jTextField1ActionPerformed(java.awt.event.ActionEvent evt) {
    // TODO add your handling code here:
}

private void jButton4ActionPerformed(java.awt.event.ActionEvent evt) {
    // TODO add your handling code here:
}
private javax.swing.JButton jButton1;
private javax.swing.JButton jButton2;
private javax.swing.JButton jButton3;
private javax.swing.JButton jButton4;
private javax.swing.JLabel jLabel1;
private javax.swing.JLabel jLabel2;
private javax.swing.JPanel jPanel1;
private javax.swing.JScrollPane jScrollPane1;
private javax.swing.JTextField jTextField1;
private javax.swing.JTextPane jTextPane1;
// End of variables declaration
}
