NetFlow Detective – The case of the missing notes

Posted in General, NetFlow, Netflow Detective, Scrutinizer on May 18th, 2009 by jimmyd

It was a cold afternoon here in the city, colder than your normal spring afternoon. Things had been hectic here in the office lately, but I had a feeling that things were going to get much, much busier.

A tall man walked through the door.

“Are you the Cisco NetFlow detective?” he asked.

“Yes, I am. What can I do for you?”

“I’m in trouble, big trouble!” he said.

“What kind of trouble?” I knew that he was in trouble from the second I saw him; it’s the kind of trouble that haunts a man, the kind that brings him to a guy like me.

“Jimmy, I’m getting logs from the IDS and firewalls notifying me of an intrusion attempt. They are trying to communicate to a local IP, but I don’t know who that local IP is or who else they were talking to.”

“What’s even worse is that our school district was awarded a technology grant that makes us a beacon school for technology. These hacks are getting out to the news and my job is on the line. The school board is calling for an investigation into my actions. I don’t know what else I can do!”

“Don’t worry Joe, I’ve seen this before and I can help you out. Let’s look at your network. What do you have behind that firewall?”

“We have multiple Cisco routers and three Catalyst switches,” said Joe.

“Good news Joe, they support Cisco NetFlow. This will be easy.”

Joe looked confused. “What’s Cisco NetFlow?”

“NetFlow is a protocol developed by Cisco to help you manage your network traffic. It gives you a record of each conversation. It can tell you who is talking on your network, who they are talking to and what they are saying. We’ll use Scrutinizer to help us manage and report on it. It will find out where the issue is.”

After a few minutes Jimmy D and Joe had set up Scrutinizer and were successfully sending flows from all the switches and routers.

“Now we need to let it gather some data. Let’s get together in the morning.”

The Next Day:

“First, let’s take a look at the firewall logs.”

As we browsed through the list, something caught my attention. It appeared the attacks were coming from a 66.122.5.200 address. We then created a custom report in Scrutinizer to reveal who was attempting to communicate with this address. We already knew that the internal machine wasn’t getting to the IP in question, but we still wanted to know who was trying to communicate with it. It could be a virus or worse.

We first resolved the outside IP of 66.122.5.200 and it returned the host www.hackedquiznotes.tv. We then created a custom report that generated all conversations to and from that IP. On a hunch, I decided to report on the router that served the student level of the campus.

We ran the report and found the issue.

“Look, from here we can see that this workstation is trying to communicate with that IP. We can also see that they were using port 6609. Let’s go down to that lab and look at that machine.”
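Here is how the custom report used in the investigation above could be reproduced outside Scrutinizer: an added Python example (not Plixer’s or Cisco’s code) that decodes a constructed NetFlow v5 export datagram and lists every host and port that exchanged traffic with 66.122.5.200. The datagram, the internal addresses and the byte counts are all made up for the example.

```python
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode a NetFlow v5 export datagram into a list of flow dicts."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                      "flags": f[12], "proto": f[13]})
    return flows

def conversations_with(flows, ip):
    """Custom report: every local host that talked to or from `ip`, keyed by
    (local host, port on the remote side), with flow and byte totals."""
    report = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        if f["src"] == ip:
            key = (f["dst"], f["sport"])     # reply traffic from the remote host
        elif f["dst"] == ip:
            key = (f["src"], f["dport"])     # local host reaching out to the remote host
        else:
            continue
        report[key]["flows"] += 1
        report[key]["bytes"] += f["bytes"]
    return dict(report)

def make_record(src, dst, sport, dport, octets, flags=0x02, proto=6):
    """Build one constructed v5 record (next hop, interfaces and timestamps are dummies)."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                          1, 2, 1, octets, 0, 0, sport, dport, 0, flags, proto,
                          0, 0, 0, 24, 24, 0)

# Constructed datagram: a lab workstation (10.20.1.50) repeatedly reaching the
# external host on TCP 6609, plus unrelated DNS traffic and one RST/ACK reply flow.
SAMPLE = V5_HEADER.pack(5, 4, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    make_record("10.20.1.50", "66.122.5.200", 49152, 6609, 1400),
    make_record("10.20.1.50", "66.122.5.200", 49153, 6609, 2048),
    make_record("10.20.1.7", "10.20.0.1", 49200, 53, 80, proto=17),
    make_record("66.122.5.200", "10.20.1.50", 6609, 49152, 60, flags=0x14),
])
```

Calling `conversations_with(parse_v5(SAMPLE), "66.122.5.200")` yields a single entry for 10.20.1.50 on port 6609, the same picture the Scrutinizer report gave.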

Soon Jimmy D and Joe were in the computer lab face-to-face with a student.

“Ben, this is Detective Jimmy D and he is looking at some issues with our network,” said Joe.

“Excuse me for a moment Ben, I need to check something on that computer.” Joe and I sat down at the computer while Ben stood over by the door.

“Haven’t I seen him before?” I asked.

“You might have seen Ben in the paper. He and his father helped break ground on the new CBA Network Management building. CBA Network is one of the companies asking the school district to outsource their network solutions to them. They are trying to cut costs.”

I started typing and the pieces started to come together… The picture wasn’t good.

“Joe, it looks like Ben added an app that monitors certain folders for any activity. Once activity is detected it uploads that file to a remote site. In this case, it is www.hackedquiznotes.tv, via port 6609.”

“That’s not right. Ben wouldn’t have access like that…”

Joe quickly sat down at the computer and checked on the user name that was running that service. The user’s name was abcnm, and it had been created two weeks ago by Jon, the Jr. Admin.

Joe turned to me and had a horrible look on his face.

“What’s wrong, Joe?” I said.

“I can’t believe it,” said Joe. “Two weeks ago Jon, my Jr. Admin, was passed up for the Admin position. He was very upset that I had gotten the job. He wanted it, and wanted it bad.”

“Why do you think he did this?” asked Joe.

Joe quickly turned to Ben and asked, “What do you have to say about this?”

All of a sudden a look of anger came over Ben’s face. The kind of anger you see when the senior quarterback misses the last touchdown in the last second of his last game ever.

“Arggg, I would have gotten away with it, if it wasn’t for him!” yelled Ben. “My dad was going to buy me a new car if he won this contract. So I made sure Jon would take over your job in the new building. The district would have gotten rid of you by then!”

“Ahh, I see,” said Joe. “Well, I think that you need to speak with Vice Principal Flanagan. I’ll bet he will want to contact the District and your father!”

“Thank you Jimmy D. You have saved my position!”

“Not a problem Joe, that is my job.”

Although quite a bit of this story is fictional, it is based on a real-life call. Some of the names have been changed to protect the innocent.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

New resource shows how to test for Conficker vulnerabilities

Posted in General on April 21st, 2009 by jimmyd

Over the weekend I spent quite a bit of time watching some of the awesome IT security videos that are offered on The Academy Pro web site. I couldn’t believe all the valuable step-by-step information that this site offers. Believe it or not, I had a goal. I needed to learn more about “Conficker”.

We have already covered how to detect “Conficker” traffic via Scrutinizer’s Flow Analytics application in my buddy Milton’s blog back in March. In the NetworkWorld article titled “Downadup/Conflicker worm: When will the next shoe fall?”, Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks, is quoted as saying, “It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs”. So how can we prevent this from happening?

My goal was to conduct a security audit for such a vulnerability. That is where TheAcademyPro comes in. The TheAcademyPro web site was created by Peter Giannoulis, a well-known information security consultant and author. Check out this awesome interview with Peter on Hak5. They just started a series on how to conduct vulnerability scans for Conficker:

Conficker vulnerabilities with Core Impact – Posted on April 20th, 2009

“Everybody’s had to deal with Conficker over the last little while, but many don’t realize exactly how easy it is to exploit a system using the targeted vulnerability. Let’s begin the week by manually exploiting Conficker vulnerabilities with Core Impact 8 modules.”

Now I have a bit more information and might be able to conduct a security audit soon. I will keep you posted.


Stop network worms using RST/ACK Destination algorithm with Flow Analytics, NetFlow Analyzer

Posted in General on April 10th, 2009 by miltong

A couple of weeks ago I wrote a blog entitled Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer which used the SYN Violation algorithm to detect its presence. Another algorithm that will help prevent worms on your network is the RST/ACK Destination algorithm.

The RST/ACK Destination algorithm looks for excessive connection denials (RST/ACK replies) that come back from the destination host. This is very handy for detecting small things such as network misconfigurations, and big things such as worms or port scans across the network.

Since worm attacks are designed to spread throughout networks and copy themselves to other nodes, it’s important to monitor the connection requests within your network. Some worms, such as the ExploreZip worm, are designed to alter system config files. Others exploit vulnerabilities in an effort to establish backdoors into your network. Once the network is compromised, the infected machines, known as zombies, join up with machines from other infected networks to form botnets, and those botnets function as a channel to inject Trojans and other viruses into your network and others.

Detection is made easier when using the RST/ACK Destination algorithm. With the help of Flow Analytics and gadgets like this, you have the visibility you need to detect malicious behavior before it causes damage.

Milton


How to spot IP address violations using Flow Analytics, NetFlow Analyzer

Posted in General, NetFlow, Network Problem Resolution, Network Traffic Analysis, Scrutinizer on April 2nd, 2009 by miltong

Last month, I wrote a blog featuring the value of Flow Analytics entitled: Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer. Flow Analytics is a great tool that provides you with many useful algorithms. Today, I’ll focus on one of them: the IP Address Violation algorithm.

(Screenshot: IP Address Violations gadget)

The IP Address Violation algorithm allows you to define the permissible subnets/CIDR ranges across your network (e.g. 10.1.0.0/16). It can alert you, via exported syslog messages, if there is traffic generated from an IP address that is not part of an allowed subnet defined within the gadget. For example, this gadget would come in handy if someone installed a Linksys wireless router on your network that started to hand out DHCP addresses, or even a laptop with a static IP.

Here are some instructions on how to configure approved subnets for your network.

First find the Flow Analytics Overview gadget in your MyView window, then click on the plus sign where it says IP Address Violations.

In the drop-down row, click on the icon with the little people in it. (Guess we don’t have an official name for that icon.) A window will pop up called Allowed Permissible Subnets; this is where you place the subnet and CIDR you want to allow on your network.
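As an added illustration of the two Flow Analytics checks described in this post and in the RST/ACK Destination post above (example code, not Plixer’s implementation), the following Python applies both rules to a constructed set of flow records. The threshold of three denials, the rule that a denial is charged to the host receiving the RST/ACK, and the 10.1.0.0/16 allowed subnet are assumptions made for the example.

```python
import ipaddress
from collections import Counter

TCP, SYN, RST, ACK = 6, 0x02, 0x04, 0x10

# Constructed flow records: (src, dst, proto, tcp_flags, dport).  Host 10.1.4.22
# sweeps port 445 and collects RST/ACKs, the way a worm hunting for victims does;
# 192.168.1.101 is a client that got its address from a rogue Linksys router.
FLOWS = [
    ("10.1.4.22", "10.1.9.5", TCP, SYN, 445),
    ("10.1.9.5", "10.1.4.22", TCP, RST | ACK, 445),
    ("10.1.4.22", "10.1.9.6", TCP, SYN, 445),
    ("10.1.9.6", "10.1.4.22", TCP, RST | ACK, 445),
    ("10.1.4.22", "10.1.9.7", TCP, SYN, 445),
    ("10.1.9.7", "10.1.4.22", TCP, RST | ACK, 445),
    ("10.1.4.22", "10.1.9.8", TCP, SYN, 445),
    ("10.1.9.8", "10.1.4.22", TCP, RST | ACK, 445),
    ("10.1.2.10", "10.1.9.5", TCP, SYN | ACK, 80),    # ordinary web traffic
    ("10.1.9.5", "10.1.2.10", TCP, RST | ACK, 80),    # one stray reset: below threshold
    ("192.168.1.101", "10.1.9.5", TCP, SYN, 80),      # address outside the allowed subnet
    ("192.168.1.101", "10.1.9.6", TCP, SYN, 80),
]

def rst_ack_destinations(flows, threshold=3):
    """RST/ACK Destination check: count TCP flows carrying RST+ACK and charge each
    one to the host that *receives* the denial (the host doing the probing).
    Hosts at or above `threshold` denials are reported.  Threshold and attribution
    rule are this example's assumptions, not Plixer's documented defaults."""
    denied = Counter()
    for src, dst, proto, flags, _ in flows:
        if proto == TCP and (flags & (RST | ACK)) == (RST | ACK):
            denied[dst] += 1
    return {host: n for host, n in denied.items() if n >= threshold}

def ip_address_violations(flows, allowed_cidrs):
    """IP Address Violation check: flag every source address that is not inside one
    of the allowed subnets.  Returns one syslog-style line per offending address."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    offenders = Counter()
    for src, _, _, _, _ in flows:
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in allowed):
            offenders[src] += 1
    return ["IP_ADDRESS_VIOLATION src=%s flows=%d" % (ip, n)
            for ip, n in sorted(offenders.items())]
```

In practice the violation check is applied to flows exported from your internal interfaces, so that legitimate Internet sources are not reported.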

If you have any questions, please do not hesitate to call Tech Support at 207-324-8805 Ext:4

Milton


Upgrade Scrutinizer from version 5.0.x or 5.5.0 to version 6.0.4

Posted in General, Scrutinizer on January 8th, 2009 by miltong

For those of you who are still running Scrutinizer v5.0.x or v5.5.0 and are looking to upgrade to the latest version, here’s a brief walkthrough on how to do so:

1. Make a complete backup of the Scrutinizer directory and the Scrutinizer database.

2. Go to the Scrutinizer Available Updates page.
a. Select Upgrade Scrutinizer
b. Select the v5.0.2/5.5 to v5.5.1 Update [Download Update] from the Version Upgrade Section.

3. Run the update executable over your current Scrutinizer installation.

4. When the v5.5.1 update is completed, download the v5.5.1/6.0 to v6.0.4 Update.

5. Run the update executable over the Scrutinizer v5.5.1 installation.

6. When you finish upgrading, you will need a new license key for v6.0.4.

Feel free to contact Plixer Technical Support at 207-324-8805 Ext:4, and we’ll be happy to generate one for you.

Milton
