Detecting Malware
Problem
My company is overrun by malware. How can we track users who have malware and where it's installed?
Solution
There is no easy way to detect all malware, but several methods can help you identify its traffic and the hosts that generate it:
- Track all DNS queries from your network and look for known spyware domains, such as gator.com or doubleclick.net. The following rule logs every DNS query (A, PTR, and any other type) from hosts on your network to your DNS servers. Query names and types are carried in binary inside the packet, so do not try to match the strings "A" or "PTR" as text; log the queries and search the log for the domains you care about. If you allow your users to query external DNS servers, change $DNS_SERVERS to any.
log udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"DNS query"; logto:dnsqueries.log; sid:10501; rev:1;)
- Record the web browsers in use on the network. Each browser identifies itself to web servers with a User-Agent header. If you look in your web server logs, you will probably see Microsoft Internet Explorer (MSIE) for the vast majority of connections, so log all user agents, set aside the most common one, and examine the rest. The following rule logs every client request that carries a User-Agent header:
log tcp $HOME_NET any -> any $HTTP_PORTS (msg:"HTTP USER AGENT LOG"; flow:to_server,established; content:"User-Agent|3A|"; nocase; logto:useragents.log; classtype:misc-activity; sid:10502; rev:1;)
- Certain pieces of spyware, such as Gator, make it easy to determine some important information, such as:
- When an installation occurs. Gator is installed over the Web through ActiveX components or through a simple request such as "GET gatorinst.exe" that the user clicks and installs. For example, the following rule detects a Gator install over HTTP:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Gator Spyware Download"; flow:to_server,established; uricontent:"/gatorcme/"; nocase; classtype:bad-unknown; sid:10556; rev:1;)
- When the software is in use. Gator announces its own name in the User-Agent header, so the following rule detects Gator once it is installed:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Gator browser in use"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Gator"; nocase; classtype:bad-unknown; sid:10557; rev:1;)
- When it phones home. Once installed, spyware communicates with its vendor's networks. The following rule comes from the Snort-sigs mailing list and detects general Gator traffic on the network by matching the Host header of its update requests. I've modified the original signature to use the flow keyword instead of the old flags keyword.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Gator client usage"; flow:to_server,established; content:"Host|3A| updateserver.gator.com"; nocase; classtype:bad-unknown; sid:10558; rev:1;)
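The rules above can be exercised without a Snort sensor. The following Python script is an added example, not code from the Snort Cookbook or from the Snort project; it re-implements the matching logic of the DNS rule (sid 10501), the three Gator rules (sids 10556 through 10558) and the user-agent triage in plain Python and runs them against constructed packets, so you can see exactly what each signature keys on. The domains, user agents and requests in it are made up for the test; the DNS parser handles only the uncompressed question names that a query packet carries, and the spyware domain list is the one from the recipe text.

```python
# Added example (not from the Snort Cookbook): the DNS and Gator checks above,
# mirrored in Python and run over constructed packets. No Snort install is needed.
import struct
from collections import Counter

SPYWARE_DOMAINS = ("gator.com", "doubleclick.net")   # domains named in the recipe
QTYPE_NAMES = {1: "A", 12: "PTR"}                     # the two query types the recipe mentions


def build_dns_query(name, qtype=1):
    """Construct a minimal DNS query (ID 0x1234, RD set, one question) for testing."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    # Names travel as length-prefixed labels, not dotted text. This is why a Snort
    # content match for a domain is written as "|05|gator|03|com|00|", not "gator.com".
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_question(packet):
    """Return (name, qtype_name) for the first question of a DNS query packet."""
    offset, labels = 12, []            # the question section follows the 12-byte header
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[offset + 1:offset + 5])
    return ".".join(labels), QTYPE_NAMES.get(qtype, str(qtype))


def dns_query_is_spyware(packet):
    """The search you run over dnsqueries.log: is the query name under a known spyware domain?"""
    name = parse_dns_question(packet)[0].lower()
    return any(name == d or name.endswith("." + d) for d in SPYWARE_DOMAINS)


def parse_http_request(raw):
    """Split a client request into (uri, headers); header names are lower-cased for matching."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    uri = request_line.split(" ")[1]
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return uri, headers


def gator_rule_hits(raw):
    """Apply the three Gator signatures to one client request; return the msg of each rule that fires."""
    uri, headers = parse_http_request(raw)
    hits = []
    if "/gatorcme/" in uri.lower():                                  # sid 10556: uricontent, nocase
        hits.append("Gator Spyware Download")
    if "gator" in headers.get("user-agent", "").lower():             # sid 10557: Gator in User-Agent
        hits.append("Gator browser in use")
    if headers.get("host", "").lower() == "updateserver.gator.com":  # sid 10558: Host header
        hits.append("Gator client usage")
    return hits


def uncommon_user_agents(raws):
    """The useragents.log triage: drop the single most common browser and report everything else."""
    counts = Counter(parse_http_request(r)[1].get("user-agent", "") for r in raws)
    most_common = counts.most_common(1)[0][0]
    return {ua: n for ua, n in counts.items() if ua != most_common}


# Constructed sample traffic for the demonstration, not captured data.
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_REQUESTS = [
    f"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: {MSIE}\r\n\r\n".encode(),
    f"GET /news HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: {MSIE}\r\n\r\n".encode(),
    f"GET /gatorcme/gatorinst.exe HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: {MSIE}\r\n\r\n".encode(),
    b"GET /update HTTP/1.1\r\nHost: updateserver.gator.com\r\nUser-Agent: Gator/4.1\r\n\r\n",
]

if __name__ == "__main__":
    for pkt in (build_dns_query("updateserver.gator.com"), build_dns_query("www.example.com", qtype=12)):
        print(parse_dns_question(pkt), "spyware" if dns_query_is_spyware(pkt) else "clean")
    for req in SAMPLE_REQUESTS:
        print(gator_rule_hits(req))
    print(uncommon_user_agents(SAMPLE_REQUESTS))
```

The Host and User-Agent checks are case-insensitive, as the nocase modifier makes them in the rules; the download check matches only the request URI, which is what uricontent inspects. Note that the User-Agent triage is only a filter for human review: anything that is not the dominant browser is reported, and a legitimate but rare browser shows up alongside the spyware.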
Discussion
Gator is only one piece of malware that might be running across your network. The key to detecting and identifying malware is the same as for any other kind of traffic: find some feature that the traffic always carries, such as a string, a header value, or a sequence of hex bytes, then narrow it down until you have a match you can repeat with as few false positives as possible. The other key is to watch your web traffic very closely. User-Agent (browser identification) strings are a great way to search the logs for strange connections leaving your network. Another suggestion is to use Snort's other tools to find hosts that generate more traffic than normal, or that are simply talkative. A talkative host is usually an indication of a problem, unless it is a server.
Another suggestion is to use the malware ruleset from http://www.bleedingsnort.com. This entire ruleset targets malware on a network. These rules, though you use them at your own risk, may help you figure out just how much of your total network traffic is generated by malware, adware, and spyware. Finally, detecting this type of traffic is really a job for your web proxy server and your DNS server. When you use blocks or denies at those points to hamper this type of traffic, you'll have a more secure network and visibly better performance.
See Also
http://www.squidguard.org for ideas about blocking malware at the web proxy
http://www.bleedingsnort.com for malware rules