A Tool For Investigating Suspicious Activity

Dealing with malware-infected computer systems can be time-consuming. If the compromised system has sensitive information, then often digital forensics will be employed to see whether the data was or could have been accessed by the malware. With the hit-or-miss performance of antivirus solutions and craftiness of malware authors, determining whether a computer system is infected is getting harder.

As a result of the above conundrum, I've been looking for some way to get more details about systems that generate suspicious activity (like DNS requests for known malicious domains published here and here). In the past, I've used the TRUMAN sandnet from Joe Stewart, but was recently looking for a slightly more robust solution that I could use outside the normal sandnet scenario.

Basically, I want to poison DNS so that known malicious domains point to the IP of my choosing. Instead of just knowing that a suspect computer has tried resolving the IP of a bad domain, I want the suspect system to now communicate to the server I choose, and continue with the action it would have taken if it were communicating with the real (bad) domain.

After trying out a honeypot-specific tool, I found INetSim, the "Internet Services Simulation Suite." Bingo: I found what I wanted. It acts almost identically to the Metasploit Framework setup I described in "Using Evil Wifi to Educate Users, IT Admins." INetSim emulates numerous services including HTTP, SMTP, POP3, DNS, FTP, TFTP, and more. The DNS service can be configured to return any IP you tell it to for any DNS request that comes in.

So, if "badguy.com" is requested, it can return the address of the INetSim server. This is where the good stuff happens. The HTTP server can respond to any request with a successful HTTP status code and serve up a file that matches the requested file extension. If a request comes in for a JPG, a JPG is sent back. If a text file is requested, a .TXT file is sent back. This is all configurable, so you can add all the extensions and fake files you want.

From a security and forensic standpoint, the logs from INetSim can help fill in some of the puzzle pieces as to whether a computer is compromised or not. For example, if you're blocking all malicious domains and a lookup takes place for a bad domain, you don't know whether it's because the user visited a website hosting a redirect or because something was trying to load a malicious piece of JavaScript from the bad domain. However, if you're pointing all malicious domains to INetSim, you can now see the actual request being made, which can help determine if it's just a redirect or malware phoning home.
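As an added example (not the article's or INetSim's own code), the triage script below groups sinkhole log lines by client and flags the two patterns the paragraph above contrasts: a single fetch right after the lookup, consistent with a redirect, versus POSTed data or a regular beacon, consistent with malware phoning home. The log lines are constructed in the style of INetSim's service.log; the exact log format, the client addresses and the domain badguy.example are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of INetSim's service.log (exact format is an assumption);
# 10.0.0.5 / 10.0.0.9 are suspect hosts and badguy.example is the sinkholed domain.
SAMPLE_LOG = """\
[2009-03-08 10:00:01] [2301] [dns 53/udp 10.0.0.5:49152] recv: Name query for 'badguy.example'
[2009-03-08 10:00:02] [2302] [http 80/tcp 10.0.0.5:49153] stat: 1 method=GET url=http://badguy.example/gate.php?id=ab12 sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=
[2009-03-08 10:05:02] [2303] [http 80/tcp 10.0.0.5:49160] stat: 1 method=GET url=http://badguy.example/gate.php?id=ab12 sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=
[2009-03-08 10:10:02] [2304] [http 80/tcp 10.0.0.5:49171] stat: 1 method=POST url=http://badguy.example/gate.php?id=ab12 sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/abc123
[2009-03-08 10:03:40] [2305] [dns 53/udp 10.0.0.9:50001] recv: Name query for 'badguy.example'
[2009-03-08 10:03:41] [2306] [http 80/tcp 10.0.0.9:50002] stat: 1 method=GET url=http://badguy.example/ads/banner.js sent=/var/lib/inetsim/http/fakefiles/sample.js postdata=
"""
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\d+\] \[(?P<svc>\w+) \S+ (?P<client>[\d.]+):\d+\] (?P<msg>.*)$")
STAT = re.compile(r"method=(?P<method>\S+) url=(?P<url>\S+) sent=\S* postdata=(?P<post>\S*)")


def parse_log(text):
    """Group DNS queries and completed HTTP requests ('stat' lines) by client IP."""
    clients = defaultdict(lambda: {"dns": [], "http": []})
    for m in filter(None, map(LINE.match, text.splitlines())):
        rec = clients[m["client"]]
        if m["svc"] == "dns" and "Name query for" in m["msg"]:
            rec["dns"].append(m["msg"].split("'")[1])
        elif m["svc"] == "http" and (s := STAT.search(m["msg"])):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            rec["http"].append((ts, s["method"], s["url"], bool(s["post"])))
    return clients


def indicators(http_events, max_jitter=30):
    """Phone-home hints: a request that carried a body, or the same URL fetched 3+ times
    at a near-constant interval. A lone fetch right after the lookup fits a plain redirect."""
    found = set()
    if any(post for *_, post in http_events):
        found.add("post-data")
    by_url = defaultdict(list)
    for ts, _, url, _ in http_events:
        by_url[url].append(ts)
    for times in by_url.values():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter:
            found.add("beaconing")
    return sorted(found)


if __name__ == "__main__":
    for ip, rec in parse_log(SAMPLE_LOG).items():
        print(ip, rec["dns"], [(m, u) for _, m, u, _ in rec["http"]], indicators(rec["http"]))
```

The heuristics are deliberately simple; the real value is that the sinkhole log records the full URL and any POST body, which a plain DNS block list never shows.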

Keep in mind, though, that this is just another bit of information to help you while investigating an event of interest. It may or may not be definitive, but I'm the kind that welcomes as much information as possible when making a determination.

I put together some additional technical details on using INetSim on Ubuntu over on my personal blog if you want more info.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.