GETTING NETWORKING INFORMATION

Many types of malware will attempt to exfiltrate data and/or use some form of interprocess communication (IPC). These activities usually involve some sort of networking. Volatility allows you to get various types of networking information, in order to help you locate malware.

The Linux ifconfig command lists network interfaces along with their MAC and IP addresses. The Volatility linux_ifconfig command provides a list of network interfaces with their IP address, MAC address, and whether or not promiscuous mode is enabled. As a reminder, an interface normally accepts only frames addressed to its own MAC address (plus broadcast frames and any multicast groups it has joined) and silently discards the rest. An interface in promiscuous mode passes every frame it sees up to the operating system, which is what packet sniffers rely on; a promiscuous interface that no legitimate monitoring tool accounts for deserves a closer look. The results of running this command against the PFE subject system are shown in Figure 8.19. Nothing unusual is seen here.

FIGURE 8.19

Results of running the Volatility linux_ifconfig command against the PFE subject system.

Once the network interfaces are known, you should look at open ports on the subject machine. On Linux systems the netstat command is one of many tools that will report this type of information. The Volatility linux_netstat command provides similar information from the memory image. Readers are likely familiar with TCP and UDP sockets. Some may not be familiar with UNIX sockets, which are also reported by netstat. A UNIX socket is used for interprocess communication on the same machine and is addressed by a filesystem path (or an abstract name) rather than by an IP address and port. If you look at a typical Linux system it will have a lot of these sockets in use. Don’t overlook these sockets in your investigation, as they could be used for IPC between malware components or as a way to interact with legitimate system processes.

Because the linux_netstat command returns so much information, you might want to combine it with grep to separate the various socket types. Results from running the linux_netstat command with the output piped to grep TCP are shown in Figure 8.20. The highlighted line shows a rootkit shell listening on port 7777. We can also see Secure Shell (SSH) and File Transfer Protocol (FTP) servers running on this machine. There are dangers associated with running an FTP server. One of these is the fact that logins are sent in plaintext, which allows credentials to be easily intercepted. Online password guessing against the FTP server is also much quicker than against SSH, since each FTP login attempt is a cheap plaintext exchange rather than a full SSH key exchange. This FTP server could easily have been the source of this breach.

FIGURE 8.20

TCP sockets on the PFE subject system.

The results from running linux_netstat against the PFE subject system and piping them to grep UDP are shown in Figure 8.21. Partial results of running this command and piping output to grep UNIX are shown in Figure 8.22. Not surprisingly, a large number of UNIX sockets are being used by operating system and X Window System components. Nothing out of the ordinary is seen here.

FIGURE 8.21

UDP sockets on the PFE subject system.

FIGURE 8.22

Partial listing of UNIX sockets on the PFE subject system.
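As an added example (not code from the book or from the Volatility project), the following Python script parses text in the shape of Volatility 2's linux_netstat rendering and applies the two triage checks suggested above: it compares listening TCP and bound UDP sockets against an assumed site baseline of expected port-to-process pairs, and it flags named UNIX sockets that live in world-writable scratch directories, which is one place malware components might hide their IPC endpoints. The sample lines, the baseline, the process names and the /tmp/.ctl socket are all constructed for illustration and are not from the PFE subject system; the column layout is only approximated from Volatility 2's output, and the regular expressions do not depend on column widths.

```python
import re

# Constructed sample, laid out like the text rendering of Volatility 2's
# linux_netstat: "proto laddr:lport raddr:rport state name/pid" for TCP/UDP
# and "UNIX inode name/pid path" for UNIX sockets. Column widths are only
# approximated and the regexes below do not depend on them. None of these
# lines, process names or paths come from the PFE subject system.
SAMPLE_NETSTAT = """\
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/1086
TCP      ::              :   22 ::              :    0 LISTEN                       sshd/1086
TCP      0.0.0.0         :   21 0.0.0.0         :    0 LISTEN                     vsftpd/1120
TCP      0.0.0.0         : 7777 0.0.0.0         :    0 LISTEN                         sh/2214
TCP      192.168.56.101  :   22 192.168.56.1    :51234 ESTABLISHED                  sshd/2301
UDP      0.0.0.0         :   68 0.0.0.0         :    0                           dhclient/912
UNIX 15338              dbus-daemon/821   /var/run/dbus/system_bus_socket
UNIX 16104                     Xorg/1003  /tmp/.X11-unix/X0
UNIX 17790                       sh/2214  /tmp/.ctl
"""

INET_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+)\s*:\s*(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s*:\s*(?P<rport>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"      # UDP rows carry no state column
    r"(?P<name>\S+)/(?P<pid>\d+)\s*$"
)
UNIX_RE = re.compile(
    r"^UNIX\s+(?P<inode>\d+)\s+(?P<name>\S+)/(?P<pid>\d+)\s*(?P<path>\S*)\s*$"
)

# Assumed (hypothetical) site baseline: which process names may hold a
# listening or bound socket on each port on this particular host.
BASELINE_LISTENERS = {
    22: {"sshd"},
    21: {"vsftpd"},
    68: {"dhclient"},
}

# Well-known UNIX sockets that legitimately live under /tmp.
LEGIT_TMP_SOCKET_PREFIXES = ("/tmp/.X11-unix/", "/tmp/.ICE-unix/")


def parse_netstat(text):
    """Split linux_netstat text into TCP, UDP and UNIX socket records."""
    sockets = {"TCP": [], "UDP": [], "UNIX": []}
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("lport", "rport", "pid"):
                rec[key] = int(rec[key])
            rec["state"] = rec["state"] or ""
            sockets[rec["proto"]].append(rec)
            continue
        m = UNIX_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["inode"] = int(rec["inode"])
            rec["pid"] = int(rec["pid"])
            sockets["UNIX"].append(rec)
    return sockets


def find_suspicious_listeners(sockets, baseline=BASELINE_LISTENERS):
    """Return (port, proto, name, pid, reason) for listeners outside the baseline."""
    findings = []
    for proto in ("TCP", "UDP"):
        for s in sockets[proto]:
            # A TCP socket is a listener when in LISTEN; a UDP socket is
            # bound and unconnected when its remote port is 0.
            listening = s["state"] == "LISTEN" if proto == "TCP" else s["rport"] == 0
            if not listening:
                continue
            allowed = baseline.get(s["lport"])
            if allowed is None:
                findings.append((s["lport"], proto, s["name"], s["pid"],
                                 "port not in baseline"))
            elif s["name"] not in allowed:
                findings.append((s["lport"], proto, s["name"], s["pid"],
                                 "unexpected process on baseline port"))
    return findings


def find_unusual_unix_sockets(sockets):
    """Return (name, pid, path) for named UNIX sockets in scratch directories,
    ignoring the well-known X11/ICE sockets."""
    findings = []
    for s in sockets["UNIX"]:
        path = s["path"]
        if not path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
            continue
        if path.startswith(LEGIT_TMP_SOCKET_PREFIXES):
            continue
        findings.append((s["name"], s["pid"], path))
    return findings


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for proto in ("TCP", "UDP", "UNIX"):
        print(f"{proto}: {len(socks[proto])} sockets")
    for finding in find_suspicious_listeners(socks):
        print("LISTENER:", finding)
    for finding in find_unusual_unix_sockets(socks):
        print("UNIX SOCKET:", finding)
```

Against a real image you would save the plugin output (for example `vol.py -f image.lime --profile=<profile> linux_netstat > netstat.txt`) and pass the file contents to parse_netstat. A port that is missing from the baseline is a lead, not a verdict: the baseline has to reflect the documented role of the host, and the rootkit shell on port 7777 stands out here only because nothing in that baseline explains it.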

Linux provides an extensive framework, known as netfilter, for filtering and rewriting network packets. Netfilter exposes hooks at fixed points in the packet path (pre-routing, local input, forward, local output, and post-routing) where kernel code, including a rootkit, can register functions that inspect, alter, or drop packets. A complete discussion of netfilter is well beyond the scope of this book. The Volatility linux_netfilter command will list the netfilter hooks that are present along with the address of each hook function. Running this command against the PFE subject system revealed a pre-routing hook with an address similar to that of the system call hooks created by the Xing Yi Quan rootkit, which is exactly the kind of correlation to look for: a hook function that lives outside the kernel's own code, or alongside other hooks already attributed to the rootkit.

The Address Resolution Protocol (ARP) is used to translate IP addresses to MAC (hardware) addresses. Some attacks work by altering the ARP table and/or by abusing the protocol itself, as in ARP spoofing, where a host answers for an IP address (typically the gateway) that is not its own in order to intercept traffic. Volatility provides the linux_arp command for printing ARP tables. The results of running this command against the PFE subject system are shown in Figure 8.23.

There appears to be nothing amiss here.

FIGURE 8.23

The ARP Table from the PFE subject system.
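As an added example (not from the book or the Volatility project), the following Python script parses text in the shape of Volatility 2's linux_arp output and applies the checks that correspond to the attacks mentioned above: it reports any MAC address that answers for more than one IP on the same interface, and it compares the gateway's entry against a documented MAC address supplied by the investigator. The sample entries, addresses and interface names are constructed for illustration and are not from the PFE subject system; the layout is only approximated from Volatility 2, and the regular expression does not depend on the spacing.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Volatility 2's linux_arp text output
# ("[ip] at mac on device"); the spacing is approximated and the regex does
# not depend on it. Addresses are illustrative, not from the PFE subject
# system. 10.0.2.20 claiming the same MAC as the gateway 10.0.2.2 is the
# constructed indicator of interest.
SAMPLE_ARP = """\
[10.0.2.2                                  ] at 52:54:00:12:35:02 on eth0
[10.0.2.3                                  ] at 52:54:00:12:35:03 on eth0
[10.0.2.20                                 ] at 52:54:00:12:35:02 on eth0
[10.0.2.21                                 ] at 00:00:00:00:00:00 on eth0
[192.168.56.1                              ] at 0a:00:27:00:00:00 on eth1
"""

ARP_RE = re.compile(
    r"^\[(?P<ip>\S+)\s*\]\s+at\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+on\s+(?P<dev>\S+)\s*$"
)
# An all-zero hardware address means the neighbour entry never resolved.
INCOMPLETE_MAC = "00:00:00:00:00:00"


def parse_arp(text):
    """Return a list of (ip, mac, device) tuples with MACs in lower case."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["dev"]))
    return entries


def find_shared_macs(entries):
    """MACs answering for more than one IP on one interface: {(dev, mac): [ips]}."""
    by_mac = defaultdict(list)
    for ip, mac, dev in entries:
        if mac == INCOMPLETE_MAC:
            continue
        by_mac[(dev, mac)].append(ip)
    return {key: ips for key, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_matches(entries, dev, gateway_ip, documented_mac):
    """Compare the gateway's ARP entry with the MAC the investigator has on
    record (an assumed input). Returns True/False, or None when the table
    holds no entry for the gateway at all."""
    for ip, mac, d in entries:
        if d == dev and ip == gateway_ip:
            return mac == documented_mac.lower()
    return None


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    for (dev, mac), ips in find_shared_macs(table).items():
        print(f"{mac} on {dev} answers for {', '.join(ips)}")
    print("gateway MAC as documented:",
          gateway_mac_matches(table, "eth0", "10.0.2.2", "52:54:00:12:35:02"))
```

A shared MAC is not proof of spoofing: a router that holds several addresses, a VRRP virtual MAC, or proxy ARP will produce the same pattern legitimately, so confirm the finding against the network documentation before drawing conclusions. The gateway check needs a documented MAC from outside the image, since a memory capture taken after a spoofing attack started would show only the attacker's answer.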

Processes holding raw packet sockets, which the Volatility documentation describes as promiscuous sockets, can be listed with the linux_list_raw command. Packet sniffers such as tcpdump use this kind of socket, as do DHCP clients, which must send and receive before the interface has an IP address. Running this command against the PFE subject system showed only the two Dynamic Host Configuration Protocol (DHCP) clients. There are two because each network interface using DHCP has its own client process. In other words, this revealed nothing abnormal.
