Logs vs Bots and Malware Today

December EventSource Newsletter
By Dr. Anton Chuvakin, Security Warrior Consulting

Despite the fact that security industry has been fighting malicious software – viruses, worms, spyware, bots and other malware since the late 1980s, malware still represents one of the key threat factors for organizations today. While silly viruses of the 1990s and noisy worms (Blaster, Slammer, etc.) of the early 2000’s have been replaced by commercial bots and so-called “advanced persistent threats,” the malware fight rages on.

In this month’s newsletter article, we take a look at using log data to understand and fight malicious software in your organization.

The first question we have to address is why are we even talking about using logs in this context when we have had dedicated “anti-virus” security software for nearly 30 years? One of the dirty secrets of the security industry is that the effectiveness of traditional anti-virus software has been dropping over the last few years. The estimates place anti-virus software effectiveness at 30 percent to 50 percent at best – which means that 50 percent to 70 percent of malicious software present on today’s computers is not detected automatically by leading anti-virus tools. Even such widely disputed estimates are hotly debated, as there is no single consistent methodology for testing antivirus software. Whatever the estimates, heavily customized malware will almost always be missed, and therefore needs to be detected using other means. Such malware has become much more common now that criminals have found a lucrative business in stealing bank credentials, card numbers, and other valuable information from consumers and businesses alike.

As a result, other technologies have to step in to help antivirus tools in their mission: stopping the spread of malicious software. Log data provides information about system and network activities that can be used to look for machines behaving “under the influence” of malicious software.

Logs to Fight Malware

So, how can we use logs to fight malicious software?

Let’s start with firewall logs. They can help reveal connectivity patterns from the network to the outside world, serving as proof that one system connected (in case of a successful connection message) or tried to connect (in case of a failed or blocked connection log messages) to another system. This is very useful to establish the path of the malware within your organization’s infrastructure – from the initial infection to the subsequent spreading of that infection.

Along the same lines, firewall logs and network flow data can serve as proof of a lack of connectivity: firewall blocking connections not followed by a successful attempt prove that the malware was unable to connect outside to its “headquarters” and sensitive data was most likely not stolen after being acquired by the malware. These logs are vital, and provide very useful information while assessing the cost and impact of a malware incident – assuming your firewall logs are being collected by your log management tool.

Logs can also help you detect malware initiated scans – combining multiple hits on the firewall into a single pattern – a scan – gives us the information about malware spread and reconnaissance activities. SIEM tools can create alerts upon seeing such a pattern in logs. Typically, if you see a scan by an internal system that hits (or tries to hit) a large number of external systems, you have an infected system inside your perimeter. On the other hand, spyware sometimes has its own log signatures, such as multiple attempts to connect to a small set of systems over port 80 or a high TCP port. In fact, one can match firewall logs to known “blacklists” of malware sites —please refer to the SANS Internet Storm Center and other sources for such lists.

Which Logs Are Best?

So, what types of logs are most useful for detecting and fighting malicious software?

As mentioned above, firewall logs are incredibly useful for malicious software tracking – but only as long as outbound connections (successful and blocked) are recorded in logs.

Since modern IDS and IPS devices have signatures for network malware detection including worms, viruses, and spyware, their logs are useful for learning the impact to infected systems, as well as the number and nature of infection attempts in your environment.

Even looking at the logs from your anti-virus can be incredibly helpful to detect situations when an anti-virus tools detects the “evil presence” but fails to clean it automatically. A characteristic log message is generated by most major antivirus vendor tools in such circumstances. This log may be your sole indication that the system is infected.

These logs are useful for detecting the occurrences where the malware tries to damage an antivirus tool or interfere with its update mechanism, thereby preventing the up-to-date virus signatures from being delivered. Whenever an anti-virus software process dies, a log is created by the system, and reviewing such log records can serve as early indication of a possible incident, as well as provide key evidence further in the investigation.

Additionally, modern anti-virus software will log when an update is applied, and indicate if an update fails, leaving the system unprotected, AND when an update succeeds. As a result, the log will serve as evidence as to the state of your protection. If the machine still has malware despite having updated anti-virus signatures, it means that the malware specimen is probably too new for the AV tool to catch.

Web proxy logs can be used for detection of file uploads and other outbound information transfers via the web, initiated by data-stealing malware. Looking for methods and content-type in combination with either known suspicious URLs or user-agent (i.e. web client type) can often reveal spyware infections that are actively collecting data and channeling it out of your environment. Admittedly, a well-written spyware can certainly fake the user-agent field, but it can be useful to add to our query above. Proxy logs may indicate a pattern of activity where a machine shows a set of connections and data uploads in rapid sequence with attempts to many systems suggesting malware may be the cause.

Operating system logs are also useful for malware tracking since modern operating systems will require software updates and process terminations – and both can be performed by malicious software. Even simply logging the application launches with process names allows us to match those names against known lists of malware applications, sometimes with surprising and scary results.

Quick Case Study

In one recent example, in a recent case a regular desktop was seen scanning all over the internal network. This was discovered by analyzing the firewall logs and uncovering a spike in volume after this scanning started en masse. The desktop was quickly cut from the network soon after this discovery, and an incident was declared. When the system was investigated, an impressive array of malware was discovered – along with a dead anti-virus software, killed by the malware. Logs also helped to answer the question “Did it infect anybody else?!” For this purpose, the same logs from firewalls revealed that no other system manifested such scanning apart from the investigated one. So, it was determined that the scanning campaign didn’t lead to infections of other systems.

Conclusions

To conclude, nowadays, anti-virus solutions are MUCH more likely to miss the malware, compared to a few years ago. Logs present a critical piece of information for detecting and investigating infections. Automatically collecting, baselining, and analyzing logs will sometimes result in faster detections then only using anti-virus tools. By using a log management tool to collect and analyze firewall, IDS/IPS, server and web proxy logs you can quickly find evidence of malware activities across systems and networks.