
MN623

Lecture 04 - Attacking network devices, Anomaly Detection for enterprise security & Advanced malware analysis

Acknowledgements:
The contents are compiled from
S. Halder, S. Ozdemir (2018). Hands-On Machine Learning for Cybersecurity: Safeguard your system by making your machines intelligent using the Python ecosystem. Packt Publishing.
Monnappa K A (2018). Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware. Packt Publishing.
Andrew Whitaker, Daniel P. Newman (2006). Penetration Testing and Network Defense. Cisco Press.
Recall of Spoofing and Session Hijacking in Week 3 Lecture
• Reconnaissance and open source intelligence tools
• Phishing/Spoofing concepts
• ARP, IP and DNS spoofing, advanced spoofing framework
• Session hijacking and TCP/IP hijacking
• How attackers can capture and analyze traffic by placing a packet sniffer, with a real-time example incorporating WIL to learn varied tools.

April 2020 Compiled by Dr Ajay Shiv Sharma 2


Topics to be covered in Week4

• Techniques to attack a number of networked devices,
– including firewalls, intrusion detection systems (IDSs), routers, and switches
• Anomaly Detection for enterprise security
• Six phases of a network attack
• Malware analysis concepts and Advanced Malware Analysis
• Focus on Static Malware Analysis incorporating WIL to learn varied tools.



Attacking the Network Devices
• Network administrators have to be concerned
with a lot more than just protecting their servers.
• They also need to put safeguards in place to
protect a number of networked devices,
– including firewalls, intrusion detection systems (IDSs),
routers, and switches.



Bypassing Firewalls
• The first step is determining which ports are allowed through a firewall
and which ports are filtered.
• Two popular methods of ascertaining the configuration of
a firewall are as follows:
– ACK scan
– Firewalking



Tunneling Methods to Bypass
Firewalls
• Loki ICMP tunneling
– use Loki ICMP tunneling to execute commands of your choosing
by tunneling them inside the payload of ICMP echo packets.
• ACK tunneling
– AckCmd is a backdoor application that allows you to get a
remote shell on a Windows computer.
• HTTP tunneling
– HTTPTunnel is a client/server application. The client application
is called htc and the server is hts.



Evading Intrusion Detection Systems
• Signature-based IDS devices are easier to circumvent
than anomaly-based ones.
• Two methods of bypassing IDS devices are as follows:
– Encryption
– Exploit mutation



Testing Routers for Vulnerabilities
Test against the following services and features on the target
routers:
• Cisco Discovery Protocol (CDP)
• HTTP service
• Passwords
• Routing protocols



Modifying Routing Tables
• When performing a penetration test on a network,
– you should test to see if you can inject a bogus entry into the
routing table of the corporation.
• This can be as easy as plugging in a router on the network
and configuring it to inject routes, or using a utility such as
– Boson RIP Route Generator (http://www.boson.com).



Testing Switches for Vulnerabilities
• Following are some of the methods for testing switches:
– VLAN hopping
– Spanning Tree attacks
– MAC table flooding
– ARP attacks
– VTP attacks



Network Anomaly Detection for Enterprise
• Network anomalies are unlike regular network
infections by viruses.
• Network anomalies are detected by identifying
non-conforming patterns in the network data.



Stages of a network attack

Phase 1 – Reconnaissance
Phase 2 – Initial compromise
Phase 3 – Command and control
Phase 4 – Lateral movement
Phase 5 – Target attainment
Phase 6 – Exfiltration, corruption, and disruption



Dealing with lateral
movement
• Lateral movement is not limited to a single victim within a network;
– it enables the malware infestation to spread across the servers and domain controllers,
– hence compromising the network in its entirety.
• Lateral movement moves across the network to gain privileges within the network
and grant various accesses to the command and control servers.



How network intrusion
spreads

Fig. 1 C2 Server Intrusion



WIL - Using Windows event logs
to detect network anomalies

Fig. 2 Windows Active Directory logs
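Added example (not part of the lecture or the cited books): the lateral movement slide describes one account hopping across servers and domain controllers, and this slide points at Windows event logs as the place to see it. The script below turns that idea into a detection: it keeps only successful network logons (Event ID 4624, logon type 3), groups them per account, and raises an alert when one account reaches at least four distinct hosts inside a ten-minute window. The events, hostnames, accounts and addresses are constructed; the window and threshold are assumptions to be tuned against a real baseline.

```python
"""Flag accounts whose network logons fan out to many hosts in a short window (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log events flattened to dicts (hostnames, accounts and
# addresses are hypothetical). Event ID 4624 is a successful logon; logon type 3
# is a network logon, the kind produced when an account connects to a remote host.
EVENTS = [
    {"time": "2020-04-01T09:00:05", "event_id": 4624, "logon_type": 3, "account": "alice",      "src_ip": "10.0.0.21", "host": "FS01"},
    {"time": "2020-04-01T09:02:40", "event_id": 4624, "logon_type": 2, "account": "bob",        "src_ip": "10.0.0.35", "host": "WS-05"},
    {"time": "2020-04-01T09:05:10", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.0.0.15", "host": "FS01"},
    {"time": "2020-04-01T09:06:02", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.0.0.15", "host": "FS02"},
    {"time": "2020-04-01T09:07:30", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.0.0.15", "host": "DC01"},
    {"time": "2020-04-01T09:08:11", "event_id": 4625, "logon_type": 3, "account": "svc_backup", "src_ip": "10.0.0.15", "host": "WS-09"},
    {"time": "2020-04-01T09:08:50", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.0.0.15", "host": "WS-17"},
    {"time": "2020-04-01T09:09:45", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.0.0.15", "host": "WS-22"},
    {"time": "2020-04-01T09:30:12", "event_id": 4624, "logon_type": 3, "account": "alice",      "src_ip": "10.0.0.21", "host": "MAIL01"},
    {"time": "2020-04-01T10:00:00", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.0.0.15", "host": "FS01"},
]


def network_logons(events):
    """Keep only successful network logons; interactive logons and failures are ignored."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3]


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=4):
    """Return one alert per account that reached >= min_hosts distinct hosts within `window`."""
    by_account = defaultdict(list)
    for e in network_logons(events):
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for account, logons in by_account.items():
        logons.sort()  # chronological order so each logon can open a window
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": account,
                               "window_start": start.isoformat(),
                               "hosts": sorted(hosts)})
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(EVENTS):
        print(f"{alert['account']} reached {len(alert['hosts'])} hosts from {alert['window_start']}: {alert['hosts']}")
```

On this constructed data only svc_backup trips the rule; alice's two logons half an hour apart never share a window, bob's interactive logon is not counted at all, and the failed 4625 event is dropped before grouping. In production the same logic runs over exported 4624 events, and service accounts with a legitimately wide footprint need their own baseline rather than the global threshold.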



WIL - How the object access
events works

Fig. 3 Concept of Handles



WIL – A sample Active Directory
(AD) Log

Fig. 4 A sample AD Log



WIL - Apache Flume Kudu Sink

Fig. 5 Apache Flume Kudu Sink



Detecting anomalies in a
network with k-means
• In various network attacks, the malware floods the network with traffic.
• K-means is a suitable algorithm for such cases, as network traffic usually has a pattern.
• Also, network threats do not have labeled data; every attack is different from the other.
• Hence, using unsupervised approaches is the best bet here.



K-means modeling, evaluation,
normalizing, verification
• First, build the K-means model.
• Then evaluate the goodness of the model
– using the sum of squared errors method.
• Normalize the features.
• Compare: perform k-means clustering twice, once with normalization and once without.
• Use one-hot encoding.
• Manual verification.



WIL – Hands on - Network
intrusion data
• Use the KDD Cup 1999 data for this use case.
• The data is approximately 708 MB in size and
contains 4.9 million network connections.
• The data contains 38 features in total.
• The features are categorized into both categorical
and numerical data.
– The data collections also come with labels that help
determine the purity of the clusters once the clustering
algorithm has been applied.
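Added example (not from the lecture or the cited books) covering the k-means procedure on the previous slide and the KDD Cup style data on this one. It uses only the Python standard library: ten constructed connection records with four KDD Cup 1999 feature names (src_bytes, count, serror_rate, same_srv_rate) plus a protocol column that is one-hot encoded, a k-means implementation with deterministic farthest-first seeding, the sum of squared errors (SSE) for model evaluation, and cluster purity computed from the labels only after clustering. Running it with and without min-max normalization shows why the slide asks for the comparison: unnormalized, the src_bytes column dwarfs everything else and the flood records are lost inside the normal cluster. The records, values and the label name are constructed, not taken from the real data set.

```python
"""k-means on KDD-style connection records, with and without normalization (added example)."""
from collections import Counter

# Constructed records in the style of KDD Cup 1999 features; the label is used only to
# measure purity after clustering. The four flood records mimic a SYN flood: no payload,
# hundreds of connections to the host (count) and every connection a SYN error.
RECORDS = [
    {"protocol": "tcp", "src_bytes": 200,   "count": 5,   "serror_rate": 0.0, "same_srv_rate": 1.00, "label": "normal"},
    {"protocol": "tcp", "src_bytes": 3000,  "count": 8,   "serror_rate": 0.0, "same_srv_rate": 1.00, "label": "normal"},
    {"protocol": "udp", "src_bytes": 150,   "count": 3,   "serror_rate": 0.0, "same_srv_rate": 1.00, "label": "normal"},
    {"protocol": "tcp", "src_bytes": 50000, "count": 10,  "serror_rate": 0.0, "same_srv_rate": 1.00, "label": "normal"},
    {"protocol": "udp", "src_bytes": 120,   "count": 4,   "serror_rate": 0.0, "same_srv_rate": 1.00, "label": "normal"},
    {"protocol": "tcp", "src_bytes": 800,   "count": 6,   "serror_rate": 0.0, "same_srv_rate": 1.00, "label": "normal"},
    {"protocol": "tcp", "src_bytes": 0,     "count": 480, "serror_rate": 1.0, "same_srv_rate": 0.05, "label": "flood"},
    {"protocol": "tcp", "src_bytes": 0,     "count": 500, "serror_rate": 1.0, "same_srv_rate": 0.05, "label": "flood"},
    {"protocol": "tcp", "src_bytes": 0,     "count": 470, "serror_rate": 1.0, "same_srv_rate": 0.05, "label": "flood"},
    {"protocol": "tcp", "src_bytes": 0,     "count": 510, "serror_rate": 1.0, "same_srv_rate": 0.05, "label": "flood"},
]
NUMERIC = ["src_bytes", "count", "serror_rate", "same_srv_rate"]
PROTOCOLS = ["tcp", "udp", "icmp"]


def one_hot(record):
    """Categorical protocol column -> three 0/1 columns."""
    return [1.0 if record["protocol"] == p else 0.0 for p in PROTOCOLS]


def to_vectors(records, normalize):
    numeric = [[float(r[f]) for f in NUMERIC] for r in records]
    if normalize:
        # min-max scale each numeric column into [0, 1] so it is comparable with the one-hot columns
        lo = [min(col) for col in zip(*numeric)]
        hi = [max(col) for col in zip(*numeric)]
        numeric = [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)] for row in numeric]
    return [row + one_hot(r) for row, r in zip(numeric, records)]


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors, k, max_iter=100):
    """Lloyd's algorithm with farthest-first seeding (deterministic, so runs are reproducible)."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        centroids.append(max(vectors, key=lambda v: min(dist2(v, c) for c in centroids)))
    assignment = None
    for _ in range(max_iter):
        new_assignment = [min(range(k), key=lambda i: dist2(v, centroids[i])) for v in vectors]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for i in range(k):
            members = [v for v, a in zip(vectors, assignment) if a == i]
            if members:
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return centroids, assignment


def sse(vectors, centroids, assignment):
    """Sum of squared errors: the model-evaluation metric named on the slide."""
    return sum(dist2(v, centroids[a]) for v, a in zip(vectors, assignment))


def purity(records, assignment):
    """Manual verification against the labels: fraction of records in their cluster's majority label."""
    total = 0
    for cluster in set(assignment):
        labels = Counter(r["label"] for r, a in zip(records, assignment) if a == cluster)
        total += labels.most_common(1)[0][1]
    return total / len(records)


def run(normalize, k=2):
    vecs = to_vectors(RECORDS, normalize)
    centroids, assignment = kmeans(vecs, k)
    return {"purity": purity(RECORDS, assignment), "sse": sse(vecs, centroids, assignment), "assignment": assignment}


if __name__ == "__main__":
    for normalize in (False, True):
        result = run(normalize)
        print(f"normalize={normalize}: purity={result['purity']:.2f} sse={result['sse']:.3f} clusters={result['assignment']}")
```

Without normalization the single 50 000-byte download becomes its own cluster and the four flood records sit with the normal traffic (purity 0.6); with normalization the floods form a clean cluster (purity 1.0). The SSE of the two-cluster model is lower than that of a one-cluster model on the same vectors, which is the elbow-style comparison the slide refers to.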



Introduction to Malware
Analysis
• What malware means and its role in the
cyber-attacks
• Malware analysis and its significance in digital
forensics
• Different types of malware analysis
• Various sources to obtain malware samples



What Is Malware?

• Malware is code that performs malicious actions;
– it can take the form of an executable, script, code, or any other software.
• Attackers use malware to steal sensitive
information, spy on the infected system, or take
control of the system.
– Malware is a broad term that refers to different
types of malicious programs such as trojans,
viruses, worms, and rootkits.



Malware Categories

• Virus or Worm
• Trojan
• Backdoor / Remote Access Trojan (RAT)
• Adware
• Botnet
• Information stealer
• Ransomware
• Rootkit
• Downloader or dropper



Malicious actions

• Disrupting computer operations
• Stealing sensitive information, including personal,
business, and financial data
• Unauthorized access to the victim's system
• Spying on the victims
• Sending spam emails
• Engaging in distributed denial-of-service (DDoS) attacks
• Locking up the files on the computer and holding them
for ransom



What Is Malware Analysis?

• Malware analysis is the study of malware's behavior.
• The objective is to understand the working of malware
and how to detect and eliminate it.
• It involves analyzing the suspect binary in a safe environment to
identify its characteristics and functionalities so that better defenses can be built
– to protect an organization's network.



Why Malware Analysis?

• To extract information from the malware sample,
– which can help in responding to a malware incident.
• The goal of malware analysis is to determine the capability
of malware, detect it, and contain it.
• Determining identifiable patterns that can be used to cure
and prevent future infections.
What is done after Malware
Analysis?
• Threat intelligence teams very often use the indicators
determined from a malware analysis
– to classify the attack and attribute it to known threats.
• Malware analysis can help you get
information about who could be behind
the attack
– competitor, state-sponsored attack
group, and so on
Advanced Malware Analysis

• Static analysis
• Dynamic analysis (Behavioral Analysis)
• Code analysis
• Memory analysis (Memory forensics)
– Integrating different analysis techniques
can reveal a wealth of contextual
information,
– which will prove to be valuable in your
malware investigation.
Static Analysis

• Static analysis is the technique of analyzing the suspect file
without executing it.
• It is an initial analysis method that involves extracting useful information
– from the suspect binary to make an informed decision on
• how to classify or analyze it and
• where to focus your subsequent analysis efforts.
Static Analysis Steps

• Identifying the malware's target architecture
• Fingerprinting the malware
• Scanning the suspect binary with anti-virus
engines
• Extracting strings, functions, and metadata
associated with the file
• Identifying the obfuscation techniques used to
thwart analysis
• Classifying and comparing the malware samples



Determining the File Type

• During your analysis, determining the file type of a suspect
binary will help you identify
• the malware's target operating system (Windows, Linux, and so on)
and architecture (32-bit or 64-bit platforms),
• how to classify or analyze it, and
• where to focus your subsequent analysis efforts.



Identifying File Type Using
Manual Method

Fig. 6 HxD hex editor

On Linux systems, to look for the file signature, the xxd command can
be used, which generates a hex dump of the file as shown here:
$ xxd -g 1 log.exe | more



Identifying File Type Using Tools

• On Linux systems, use the file utility.
$ file mini
mini: PE32 executable (GUI) Intel 80386, for MS Windows
$ file notepad.exe
notepad.exe: PE32+ executable (GUI) x86-64, for MS Windows
• On Windows, use CFF Explorer, part of Explorer Suite.



Fingerprinting the Malware

• Fingerprinting involves generating the cryptographic hash values
– for the suspect binary based on its file content.
• Cryptographic hashing algorithms such as MD5, SHA1 or SHA256
are considered the de facto standard
– for generating file hashes for the malware specimens.
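Added example (not from the lecture or the cited books) that ties together the three preceding slides: the manual signature check done with a hex editor or xxd, the file utility's type identification, and fingerprinting. It reads the leading magic bytes (MZ for DOS/PE, 0x7f ELF for Linux), follows e_lfanew to the PE signature and reports the COFF Machine field, which is what tells a 32-bit Intel 80386 build from an x86-64 one; it also produces an xxd -g 1 style hex dump and the MD5/SHA-1/SHA-256 digests with hashlib. The sample input is a constructed 88-byte buffer with a DOS header and a PE signature, not a real executable.

```python
"""Identify a suspect file's type from its magic bytes and fingerprint it (added example)."""
import hashlib
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
PE_MACHINES = {
    0x14C: "Intel 80386 (32-bit)",
    0x8664: "x86-64 (64-bit)",
    0x1C0: "ARM (32-bit)",
    0xAA64: "ARM64 (64-bit)",
}


def identify(data):
    """Return a short file-type description derived from the leading signature bytes."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE header
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 6:
                machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
                return "PE executable, " + PE_MACHINES.get(machine, f"unknown machine 0x{machine:04x}")
        return "MS-DOS executable (no PE header)"
    if data[:4] == b"\x7fELF":
        # EI_CLASS byte: 1 = 32-bit, 2 = 64-bit
        return "ELF " + {b"\x01": "32-bit", b"\x02": "64-bit"}.get(data[4:5], "unknown class")
    return "unknown"


def fingerprint(data):
    """MD5, SHA-1 and SHA-256 hex digests of the file content."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hexdump(data, width=16):
    """Lines in the style of `xxd -g 1`: offset, one byte per group, printable view."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{width * 3 - 1}}  {printable}")
    return lines


def build_minimal_pe(machine):
    """Constructed test input: a DOS header whose e_lfanew points at a PE signature and COFF header.
    It is not a runnable executable, only enough header for the signature checks above."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    coff = b"PE\x00\x00" + machine.to_bytes(2, "little") + b"\x00" * 18
    return bytes(dos) + coff


if __name__ == "__main__":
    sample = build_minimal_pe(0x14C)
    print(identify(sample))
    print("\n".join(hexdump(sample)))
    for algo, digest in fingerprint(sample).items():
        print(f"{algo}: {digest}")
```

The file utility goes further (PE32 versus PE32+ comes from the optional header's Magic field, and GUI versus console from the subsystem), but the Machine field already answers the architecture question the slide asks. The digests are what you search for in vendor databases and sample repositories before doing any deeper work.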



Multiple Anti-Virus Scanning
• Scanning the suspect binary
– with multiple anti-virus scanners helps in determining
• whether malicious code signatures exist for the suspect file.
• The signature name for a particular file can provide
– additional information about the file and its capabilities.
• By visiting the respective antivirus vendor websites or
searching for the signature in search engines,
– you can yield further details about the suspect file.
• Such information can help in your subsequent investigation
– and can reduce the analysis time.
Extracting Strings
• Extracting strings can give clues about the program
functionality and indicators associated with a suspect
binary.
– For example, if a malware creates a file, the filename is stored
as a string in the binary.
– Or, if a malware resolves a domain name controlled by the
attacker, then the domain name is stored as a string.
• Strings extracted from the binary can contain
– references to filenames, URLs, domain names, IP
addresses, attack commands, registry keys, and so on.
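Added example (not from the lecture or the cited books) of the string extraction this slide describes. Malware strings in Windows binaries come in two encodings, plain ASCII and UTF-16LE ("wide" strings, what the strings utility finds with -el), so the extractor searches for both, then sorts the results into the indicator kinds named on the slide: URLs, IP addresses, registry keys, file paths and module names. The sample buffer is constructed and uses reserved example values (example.com, the TEST-NET-3 address 203.0.113.7); the indicator patterns are simple regular expressions chosen for this example.

```python
"""Extract ASCII and wide strings from a binary blob and sort them into indicator types (added example)."""
import re
from collections import defaultdict

# Constructed sample: a DOS header fragment, a few ASCII strings, binary noise, then two
# UTF-16LE strings, mimicking what a small Windows binary might contain.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00"
    + b"CreateFileA\x00"
    + b"C:\\Users\\Public\\update.log\x00"
    + b"\x01\x02\x03\x04"
    + b"http://example.com/check\x00"
    + b"203.0.113.7\x00\x00\x00"
    + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + "svchost.exe".encode("utf-16le") + b"\x00\x00"
)

# Indicator categories from the slide; the regexes are deliberately simple.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry_key": re.compile(r"^(?:HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+)\\", re.I),
    "windows_path": re.compile(r"^[A-Za-z]:\\|^%[A-Za-z]+%\\"),
    "module": re.compile(r"\.(?:dll|exe|sys)$", re.I),
}


def extract_strings(data, min_len=4):
    """Runs of >= min_len printable characters, first ASCII then UTF-16LE (each char followed by 0x00)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def classify(strings):
    """Group strings by the indicator type they look like; unmatched strings are left out."""
    hits = defaultdict(list)
    for s in strings:
        for kind, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(s):
                hits[kind].append(s)
    return dict(hits)


if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    print("strings:", strings)
    for kind, values in classify(strings).items():
        print(f"{kind}: {values}")
```

The wide-string search is the part most often forgotten: a run key written as UTF-16LE is invisible to an ASCII-only scan, which is exactly why the registry key above would be missed by a naive strings run. Obfuscated or packed samples yield few useful strings at all, which is itself a finding and leads into the next slide.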



Determining File Obfuscation

• Often malware authors obfuscate or armor their malware binary.
• Obfuscation is used by malware authors to protect
– the inner workings of the malware from security
researchers, malware analysts, and reverse
engineers.
• Malware authors often use programs such
– as Packers and Cryptors to obfuscate their file to
evade detection from security products such as
anti-virus and to thwart analysis.
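Added example (not from the lecture or the cited books) of a standard static check for the packing and encryption this slide describes. Packed or encrypted code looks like random data, so its Shannon entropy approaches 8 bits per byte, whereas ordinary compiled code and text sit well below that; packers also leave characteristic section names. The function below scores each section on both signals. The sections are constructed (a repeated opcode-like pattern, repeated text, and seeded pseudo-random bytes standing in for a packed section); the 7.0 threshold and the section-name list are assumptions drawn from common practice.

```python
"""Flag likely packed or encrypted sections by entropy and by section name (added example)."""
import math
import random
from collections import Counter

# Section names left behind by well-known packers (assumed list for this example)
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1"}


def shannon_entropy(data):
    """Bits per byte, 0.0 for a constant buffer up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_sections(sections, threshold=7.0):
    """sections: list of (name, raw_bytes). Returns one finding per section with the reasons it was flagged."""
    findings = []
    for name, raw in sections:
        entropy = shannon_entropy(raw)
        reasons = []
        if entropy >= threshold:
            reasons.append(f"entropy {entropy:.2f} >= {threshold}")
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append("packer section name")
        findings.append({"section": name, "entropy": round(entropy, 2),
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


def constructed_sections():
    """Constructed stand-ins: low-entropy code-like bytes, repeated text, and a pseudo-random 'packed' section."""
    rng = random.Random(20200401)  # fixed seed so the result is reproducible
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return [
        (".text", b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 512),
        (".rdata", b"This program cannot be run in DOS mode.\r\n" * 64),
        ("UPX1", packed),
    ]


SAMPLE_SECTIONS = constructed_sections()

if __name__ == "__main__":
    for finding in assess_sections(SAMPLE_SECTIONS):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{finding['section']:<8} entropy={finding['entropy']:.2f} {flag} {finding['reasons']}")
```

High entropy alone is not proof of packing: legitimate binaries carry compressed resources and certificates, so treat the score as a prompt to look at the import table and section sizes rather than as a verdict. A section named UPX1 with near-8.0 entropy, as in the constructed case, is the textbook combination.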
Inspecting PE Header
Information
• When an executable is compiled, it includes a
header (PE header), which describes its
structure.
• When the binary is executed, the operating
system loader reads the information from the
PE header and then loads the binary content
from the file into the memory.
• Examining the PE header yields a wealth of
information about the binary, and its
functionalities.
WIL - Inspecting Exports

Fig. 7 Inspecting the exported functions



Comparing And Classifying The
Malware
• To know whether the malware sample belongs to a particular malware family,
• compare the suspect binary with previously analyzed samples
– or the samples stored in a public or private repository;
– this can give an understanding of the malware family, its characteristics,
and the similarity with the previously analyzed samples.



WIL - Classifying Malware Using
YARA
• YARA (http://virustotal.github.io/yara/) is a
powerful malware identification and
classification tool.
• Malware researchers can create YARA rules
based on textual or binary information
contained within the malware specimen.
• These YARA rules consist of a set of strings
and a Boolean expression, which determines
its logic.



WIL - Malware Sources
• Hybrid Analysis: https://www.hybrid-analysis.com/
• KernelMode.info:
http://www.kernelmode.info/forum/viewforum.php?f=16
• VirusBay: https://beta.virusbay.io/
• Contagio malware dump: http://contagiodump.blogspot.com/
• AVCaesar: https://avcaesar.malware.lu/
• Malwr: https://malwr.com/
• VirusShare: https://virusshare.com/
• theZoo: http://thezoo.morirt.com/
• You can find links to various other malware sources in Lenny
Zeltser's blog post https://zeltser.com/malware-sample-sources



Summary

• Techniques learnt to attack a number of networked devices,
– including firewalls, intrusion detection systems (IDSs), routers, and switches
• Anomaly Detection for enterprise security
• Six phases of a network attack
• Malware analysis concepts and Advanced Malware Analysis
• Focus on Static Malware Analysis incorporating WIL to learn varied tools.



Lecture 4 Questions

1) Explore attacking dynamic routing protocols.
2) Differentiate between signature-based and anomaly-based
detection techniques for enterprise security.
3) Analyze the network intrusion data provided in Slide 21.
4) Evaluate dynamic analysis (behavioral analysis), code analysis
and memory analysis (memory forensics) in regards to
Advanced Malware Analysis.
5) How can integrating different malware analysis techniques reveal
a wealth of contextual information?
