Joseph Granneman

Upcoming Events

Where the Cloud Touches Down: Simplifying Data Center Infrastructure Management

Thursday, July 25, 2013
10:00 AM PT/1:00 PM ET

In most data centers, DCIM rests on a shaky foundation of manual record keeping and scattered documentation. OpManager replaces data center documentation with a single repository for data, QRCodes for asset tracking, accurate 3D mapping of asset locations, and a configuration management database (CMDB). In this webcast, sponsored by ManageEngine, you will see how a real-world datacenter mapping stored in racktables gets imported into OpManager, which then provides a 3D visualization of where assets actually are. You'll also see how the QR Code generator helps you make the link between real assets and the monitoring world, and how the layered CMDB provides a single point of view for all your configuration data.

Register Now!

A Network Computing Webinar:
SDN First Steps

Thursday, August 8, 2013
11:00 AM PT / 2:00 PM ET

This webinar will help attendees understand the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging. It will also help users decide whether SDN makes sense in their environment, and outline the first steps IT can take for testing SDN technologies.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

See more from this blogger

Using Open Source Tools For Malware Detection

I started my technology career in the late '80s, working as a bench tech at a small computer repair shop. The first major malware infection I remember was a virus called Stoned, which spread when users shared floppy. It was hidden in the master boot record, but was not terribly difficult to find and repair. A computer infected by Stoned simply displayed the message, “Your computer is now stoned, Legalise (sic) Marijuana.”

Times have certainly changed. Malware has evolved into a multimillion-dollar criminal enterprise, sophisticated to the point that it's difficult to detect and even more difficult to remove. Today's malware is excellent at evading antivirus by using rootkits and obfuscation. It lurks in memory, often attached to a system process or device driver, and can siphon out personal and company secrets that are sold to the highest bidder.

How can a small business stand up to this kind of sophisticated malware? The good news is that there are great open source tools available that allow anyone to find, study and eliminate these threats. It just takes a little time and effort to turn some spare hardware into a commercial grade malware detection system.

To give you an idea, I'll describe how I used open source tools to hunt down a particularly malevolent strain of the Zeus Trojan, which primarily targets financial accounts. Zeus captures keystrokes on financial websites to steal credentials, which it forwards to criminals. The source code was leaked in 2011, and modern strains of Zeus rely on peer-peer communication; this makes finding the command and control servers for the Zeus botnet very difficult.

pfSense and Snort

Zeus entered the network in late June, either via a phishing email or a user visiting a compromised website. It used a zero-day flaw in the Java runtime, then bypassed an up-to-date antivirus system and hid itself via a rootkit in the system recycle bin. The nightly antivirus scans ran without a hitch, so there was no hint of the criminal activity that was taking place on the infected machine.

My company had just implemented a new firewall using the open source pfSense. This easy-to-use firewall based on FreeBSD is a great security solution for a limited budget. It will run on fairly low-end hardware and is very simple to install. Don't let the price fool you--it offers features that are competitive with almost any commercial offering.

[Security researchers were busy demonstrating new vulnerabilities and exploits at the recent Black Hat USA Conference. See what was on the firing line in "9 Technologies Security Researchers Will Break At Black Hat."]

One of the best features of pfSense is that it can run the open-source Snort intrusion detection system. Snort is one of the most useful tools available for discovering malware running on the network. Here's why: Malware can easily bypass antivirus programs unless a specific signature exists to detect the threat; after bypassing antivirus protection, the malware is almost impossible to find once it has used a rootkit to avoid future detection. However, all malware needs to communicate out across the Internet to download instructions and upload payloads of ill-gotten information; this is where Snort catches it.

I configured pfSense with the open source Snort feed, which is 30 days behind the registered rules but still works well enough for SMB networks. I also added the emerging threats rules subscription because it is full of malware signatures that are contributed by the community almost in real time. Instead of configuring Snort to listen on the external network interface, I configured it to listen only on the LAN network interface to intercept traffic destined for the Internet. This allowed it to see the source addresses of infected machines running on the LAN.

Global Config (redacted)
(click image for larger view)

pfSense and Snort are so well-integrated that the system can block traffic based on the source or destination IP address the triggered the alert. This worked well when dealing with Zeus because the infected PC could not communicate to the rest of the Zeus botnet, blocking any possible information leak until the PC could be pulled from service.

Blocked (redacted)
(click image for larger view)

The infected PC was identified through the Snort alerts, but there was an interesting surprise: It had another virus--ZeroAccess, which is used as a “click-jacker.” A click-jacker is used to generate fraudulent clicks on ads that are per-click based. Although not as dangerous as Zeus, it is still a type of criminal activity that uses company assets. pfSense contains a diagnostic packet capture that is adept at capturing malware that uses recurring traffic patterns. For example, ZeroAccess communicates to the rest of the botnet using UDP ports 16464 and 49154. pfSense was able to capture this traffic by defining filters on these specific ports.

Next Page: Open Source Forensics Tools

Page:  1 | 2  | Next Page »

Related Reading

More Insights

Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

Network Computing: April 2013

TechWeb Careers