Malicious traffic research

Lord777
This article explains how to analyze and detect malicious network interaction on a local network. The information is provided for educational review. We will cover the main tools for analyzing network traffic and look at sources of sample captures for practice.

Network Interaction Analysis
For the purposes of this article, we will consider malicious traffic generated by malicious software on a local network. What makes such network interaction "harmful"? Any data that malware transmits over the network serves the "correct" operation of that malware and can affect one of the properties of the information stored and processed in the system, namely its integrity, availability, or confidentiality.

What does malicious software generate on the network in most cases?
  • a report on the system infection;
  • credentials collected on the system;
  • commands received from the control (management) server;
  • downloaded malware update modules;
  • network traffic used for DDoS attacks.

To detect malicious network interaction, you need to:
  1. Be able to record fragments of network interaction;
  2. Know the basic patterns of malware transmission of data over the network and how to hide information in network interaction.
The first point is simple to solve with Wireshark or sniffers such as tcpdump. For novice analysts, the second point is solved only by analyzing a large number of traffic fragments. Where can such fragments be found?

Ready-made captures of malicious network interaction can be found simply by Googling "malicious pcap". A good selection is here. At first, it is better to use this traffic to understand exactly how malicious software can transmit information over the network. The same resource also has a section with recorded network interactions created specifically for learning how to explore traffic. Let's try to analyze a recorded traffic capture of malicious software.

NOTE: Never run any files or commands found in the recorded network interaction on your work machine — analyze this data in a VM.

The selected capture file represents the network activity of the Trickbot malware. Since we don't know how the network is built or where the capture was recorded, we'll first find out which machines interact on the network at all:
There are 24 machines in total, which is quite a lot. Let's try to find out what protocols are used there:
From the list, you can see that the machines run Windows inside an infrastructure built on Windows AD. Let's look for malicious network interactions. Typically, the study begins by looking at the amount of data transferred in each conversation between network machines:
Interaction with an IP address that starts with 149.28 looks interesting. Let's create a filter:
Code:
```
ip.addr==172.16.1.101 && tcp.port==65483 &&
ip.addr==149.28.140.9 && tcp.port==80
```

As a result, we see the following picture:
It looks like a document was opened on the machine, and that document loads a template file for the MS Office document. Next comes an obfuscated VBA script:
It is obvious that the recorded interaction includes the stage at which the OS was infected with malware. If you apply a filter like this:
Code:
```
tls
```

We find that the malware's network interaction is also encrypted. What can be done? There are no encryption keys, so you won't be able to read the information inside the packets.
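The triage steps above (list the endpoints, check the protocol mix, rank conversations by volume, then build a display filter for the suspicious pair) as an added example, not code from the original post: a minimal pure-Python pcap walker over a constructed capture. The hosts, ports and payloads are assumptions that mirror the filter in the post, not the Trickbot capture itself.

```python
import socket
import struct
from collections import Counter, defaultdict

PORT_PROTO = {80: "HTTP", 443: "TLS", 88: "Kerberos", 389: "LDAP", 445: "SMB"}

def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around a payload (checksums left zero; not needed for triage)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload           # EtherType 0x0800 = IPv4

def build_pcap(frames):
    """Classic pcap: 24-byte global header (link type 1 = Ethernet) then per-frame records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def triage(pcap):
    """Endpoints, protocol counts and bytes per conversation, like Wireshark's Statistics menus."""
    endpoints, protos, convs = set(), Counter(), defaultdict(int)
    off = 24                                                          # skip the global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]              # captured length of this frame
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:             # IPv4 carrying TCP only
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + (frame[14] & 0x0F) * 4)
        endpoints.update((src, dst))
        protos[PORT_PROTO.get(min(sport, dport), "TCP")] += 1        # crude port-based guess
        convs[tuple(sorted([(src, sport), (dst, dport)]))] += incl    # direction-agnostic key
    return endpoints, protos, dict(convs)
def display_filter(conv):
    (a, ap), (b, bp) = conv                                           # same shape as the filter in the post
    return f"ip.addr=={a} && tcp.port=={ap} && ip.addr=={b} && tcp.port=={bp}"
# Constructed sample (assumption, not the Trickbot capture): a little AD chatter plus
# one outbound HTTP session to 149.28.140.9 that pulls a large Office "template".
SAMPLE = build_pcap([
    (1, tcp_frame("172.16.1.101", "172.16.1.1", 49200, 88, b"kerberos")),
    (2, tcp_frame("172.16.1.101", "172.16.1.1", 49201, 445, b"smb")),
    (3, tcp_frame("172.16.1.101", "149.28.140.9", 65483, 80, b"GET /template HTTP/1.1\r\n\r\n")),
    (4, tcp_frame("149.28.140.9", "172.16.1.101", 80, 65483, b"HTTP/1.1 200 OK\r\n\r\n" + b"A" * 4000)),
])
def busiest_conversation(pcap=SAMPLE):
    """The conversation that moved the most bytes is the first one to pull a filter for."""
    convs = triage(pcap)[2]
    return max(convs, key=convs.get)
```

Run against a real capture by passing `open("file.pcap", "rb").read()` to `triage`; only classic pcap with Ethernet framing is handled, not pcapng.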

Network Interaction Analysis: today and in the future

Traffic encryption undermines any network analysis skills. The current standard for encryption at the application layer of the OSI model is HTTP over TLS. This is often "Game Over" for any analysis if the encryption keys are not available. What can be done in this case?

This question has been asked for quite a long time. Common approaches have been found that, together with the context of the network interaction (host software, machine roles in the local network), can detect malicious network interaction even without decrypting it.

A curious project can be found here. The project uses neural networks as a tool for analyzing encrypted traffic; these are what make it possible to classify encrypted interactions.

Classification is based on the following data:
  • the fields transmitted in the TLS ClientHello message;
  • the lengths of the transmitted data;
  • the time intervals between data transmissions.
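The three feature groups just listed, as an added example rather than code from the project linked in the post: a ClientHello parser plus a per-flow feature vector over a constructed TLS flow. The cipher suites, server name, record sizes and timings are assumptions, not values from any real capture.

```python
import struct

def build_client_hello(ciphers, sni):
    """Constructed TLS 1.2 ClientHello record (assumption: minimal fields, fixed random)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"                      # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    host = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    body += struct.pack("!H", len(sni_ext)) + sni_ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 = handshake

def parse_client_hello(record):
    """Pull the ClientHello fields that serve as classification features."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                                            # past record + handshake headers
    version = struct.unpack_from("!H", record, p)[0]; p += 34        # version + 32-byte random
    p += 1 + record[p]                                               # session id
    n = struct.unpack_from("!H", record, p)[0]; p += 2
    ciphers = list(struct.unpack_from(f"!{n // 2}H", record, p)); p += n
    p += 1 + record[p]                                               # compression methods
    ext_len = struct.unpack_from("!H", record, p)[0]; p += 2
    exts, sni, end = [], None, p + ext_len
    while p < end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        exts.append(etype)
        if etype == 0:                                               # server_name: list len, type, name len, name
            sni = record[p + 5:p + elen].decode()
        p += elen
    return {"version": version, "ciphers": ciphers, "extensions": exts, "sni": sni}

def flow_features(records):
    """Feature vector for a list of (timestamp, raw TLS record): hello fields, lengths, gaps."""
    hello = parse_client_hello(records[0][1])
    lengths = [len(r) for _, r in records]
    gaps = [round(t2 - t1, 3) for (t1, _), (t2, _) in zip(records, records[1:])]
    return {**hello, "lengths": lengths, "gaps": gaps}

# Constructed sample flow (not from the post's capture): a ClientHello followed by three
# equally sized application-data records sent at a regular 30-second interval.
HELLO = build_client_hello([0xC02F, 0xC030, 0x009C], "example.invalid")
FLOW = [(0.0, HELLO)] + [(0.5 + 30.0 * i, b"\x17\x03\x03\x00\x40" + b"\x00" * 64) for i in range(3)]
```

The resulting dictionary is the kind of input such a classifier consumes; ciphers and extensions are compared as ordered lists because their order is part of the client's fingerprint.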

Conclusion
Modern virus writers most often build various network data-transmission functions into the malware they develop. Among the transmitted information you can find a lot of confidential data: from user account details to bank account passwords. Such a leak on the network can lead to irreversible consequences for companies as well as for ordinary home users. A network administrator should be able to detect such connections on the network: to do this, you need to be aware of the "current" malware and the content of the traffic it most often generates.