Network security: Cisco NetFlow watching for strange behavior on your network

Posted in NetFlow, Scrutinizer, Security on March 20th, 2009 by mike@plixer.com

After reviewing the SANS Top-20 2007 Security Risks, I started asking myself and the rest of our security team how the behavior analysis features of Flow Analytics accurately detect such Internet threats. This is especially important because these concerns are constantly changing, which makes it difficult to stay on top of topics such as the latest on Conficker.

Back to security basics
We decided to go back and answer the question “What is computer security?”. We pretty much agreed that it is the unauthorized use – even if only attempted – of any computer. We then asked “How do we assist companies in this area?”. We all agreed that our solution detects problems that have already gotten past traditional security practices such as antivirus software on desktops, firewalls and intrusion detection systems.

Who is watching for strange behaviors?
I think everyone would agree that infected machines will make it onto the network. Our goal is to detect, flag and even stop host behaviors that could cause problems locally or for other hosts on the network.

Related read: Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer

Michael Patterson
Founder and CEO

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer

Posted in NetFlow, Network Problem Resolution, Scrutinizer, Security on March 19th, 2009 by James

Good morning world. At the beginning of the week I was helping a customer who found he had been attacked by the Downadup/Conficker Worm. This worm pounded his network! The customer explained to me that the worm came in with a brute force attack, which infected his computers that were not updated. He then saw the traffic on his network almost triple. The Downadup/Conficker Worm generated 250 domain names per day that scanned his network, infected his computers, and tried to go to the Internet. Because of the way this customer had set up his network, the worm was not able to pass through his Proxy to the Internet.

The customer looked at his Flow Analytics and saw that he was having Excessive SYN Violations. SYN Violations indicate a denial-of-service attack. Because the worm was not able to get through the Proxy, it created a denial of service. This customer was able to click on the SYN Violations in Flow Analytics and pick off which computers were infected and patch them up.

The customer was able to patch up his servers and his computers in a timely manner with the help of Flow Analytics; traffic has slowed down and his network is back to normal.

Downadup Worm Caught with Flow Analytics

Posted in General, Scrutinizer, WebNM on January 18th, 2009 by mike@plixer.com

Overview
With several million machines now infected, identifying the Downadup worm on your network is a little easier than you might think with NetFlow.  We suggest leveraging it for more than just viewing top talkers.

While this worm is designed to change itself to elude identification by AV software, it does not change its behavior on the network.

How does it work?
The Downadup worm takes advantage of a security hole in the RPC service on Windows machines. This hole has been patched and the patch can be obtained here. The patch was not rolled out via the normal Windows Update and has left tens of millions of PCs at risk.

It Phones Home
Once infected, the machine goes out to one of 4 sites to get its true external IP address. Once it has that, it has the ability to communicate with C&C (command and control) servers.

It Spreads the Disease
The first priority of the worm is to try to infect other hosts. It will scan your entire subnet for other hosts. The scan occurs on TCP Port 445 (RPC).

How is this identified?
If you are using NetFlow or sFlow, Scrutinizer with Flow Analytics can catch this using its SYN scan algorithm. Once you have been alerted, you can drill into the flow view to see the addresses that have been scanned and isolate the infected hosts from the network.

Monitor for the Call
The Flow Analytics Internet Threats algorithm will notify you if a machine on your network is communicating with a known C&C server.  You can also run reports in Scrutinizer to see who has accessed one of the four known addresses that provide an IP address.  Call us and we’ll get Flow Analytics installed on your server.
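To make the two behaviors above concrete (the TCP 445 subnet sweep from "It Spreads the Disease" and the external-IP lookup from "It Phones Home" / "Monitor for the Call"), here is an added example of the kind of heuristic a flow collector can run over exported flow records. It is not Scrutinizer or Flow Analytics code; the Flow record layout, the sample flows, the detection thresholds and the watchlist address (a TEST-NET-3 placeholder standing in for the four lookup sites the post does not name) are all constructed for this example.

```python
"""Flag Downadup-style behaviour in flow records: a host sending SYN-only TCP
flows to many distinct neighbours on port 445 (a SYN scan), and hosts that
contact an external-IP lookup service on a watchlist (the "phone home").
Added example, not Plixer code; the flow records and watchlist are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as carried in a NetFlow v5/v9 tcp_flags field, which is the
# cumulative OR of the flags seen on every packet of the flow.
TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10
PROTO_TCP = 6


@dataclass(frozen=True)
class Flow:
    """Minimal flow record: one direction of one conversation (assumed layout)."""
    src: str
    dst: str
    dport: int
    proto: int
    tcp_flags: int
    packets: int


# Constructed sample: 10.0.0.7 probes 30 neighbours on 445 with single-packet
# SYN-only flows, 10.0.0.5 holds a normal SMB session with a file server, and
# 10.0.0.7 also queries a hypothetical IP-lookup service. 203.0.113.10 is a
# TEST-NET-3 placeholder, not one of the four real addresses the post mentions.
IP_LOOKUP_WATCHLIST = {"203.0.113.10"}
SAMPLE_FLOWS = [Flow("10.0.0.7", f"10.0.0.{i}", 445, PROTO_TCP, TCP_SYN, 1)
                for i in range(10, 40)]
SAMPLE_FLOWS += [
    Flow("10.0.0.5", "10.0.0.50", 445, PROTO_TCP, TCP_SYN | TCP_ACK | TCP_PSH, 420),
    Flow("10.0.0.7", "203.0.113.10", 80, PROTO_TCP, TCP_SYN | TCP_ACK | TCP_PSH, 12),
]


def syn_scan_suspects(flows, port=445, threshold=20):
    """Return {src: distinct targets} for sources whose SYN-only, tiny TCP flows
    to `port` reached at least `threshold` distinct destinations.

    A completed session carries ACK in its cumulative flags and many packets,
    so it never counts; a sweep of unanswered SYNs does. The threshold is an
    arbitrary starting point and should be tuned to the subnet size."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto != PROTO_TCP or f.dport != port:
            continue
        syn_only = bool(f.tcp_flags & TCP_SYN) and not (f.tcp_flags & TCP_ACK)
        if syn_only and f.packets <= 2:
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def phone_home_suspects(flows, watchlist):
    """Return the sorted sources that talked to any destination on the watchlist."""
    return sorted({f.src for f in flows if f.dst in watchlist})


if __name__ == "__main__":
    print("SYN scan suspects:", syn_scan_suspects(SAMPLE_FLOWS))
    print("Phone-home suspects:", phone_home_suspects(SAMPLE_FLOWS, IP_LOOKUP_WATCHLIST))
```

Both checks key off what the post says does not change from sample to sample, the network behavior: many short SYN-only flows to one port across a subnet, and a connection to a fixed set of lookup addresses. The same host turning up in both lists is the pattern described above, and the destination set in `syn_scan_suspects` is exactly the list of scanned addresses you would drill into from the alert.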

Michael Patterson
Founder and CEO
