Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which made it seem that it was typed in at the keyboard of the server. Finding the vulnerable software, however, made it apparent that the exploit was the way in which this command appeared.
Coincidentally, the authors investigated another incident the following week with a similar attack vector. At that time, a state agency's ISP advised the sysadmin that a large volume of Internet Relay Chat (IRC) traffic was being generated by their server. This traffic was being sent to a host in Japan using TCP port 6669. Numerous other ports were also found to be open on
Examination of event logs showed a number of interesting events starting three months earlier. The server, which had essentially run non-stop for months at a time, performed a sudden restart right after the execution of a Windows Media Player (WMP) event. This same pattern was seen periodically over the next few months, until the report of the IRC traffic. Upon further examination, we stumbled across a file named i— in the system32 directory. This file was almost identical to the previous attack, except that the name of the downloaded file was different and, of course, the IP address was different, this one resolving to a system in Buenos Aires, Argentina. The IP address of the host that ostensibly placed the command on the system was from the Miami, Florida area. Continued examination showed that the system had been infected with many types of malware, including Backdoor.Usirf, Backdoor.Hackdefender, W32.Dropper, and W32.IRCBot.D.
This compromised system was running services over Windows 2000 Professional. It also had an older version of WMP that happened to have a known vulnerability that allows attackers to escalate their privileges on the target host. In this case, it is believed that WMP provided the first attack vector, whereby the same single command as seen the previous week was used to upload a backdoor rootkit; this seems to be a relatively common mechanism for inserting nefarious code on a foreign host. The installed malware can, of course, take any number of actions, and that is how the additional malware was uploaded.
The difference between the two compromises and their investigative results was the logging efforts by the two companies. The first site relied solely on the Windows Event Viewer and the second site used a more robust Web log. Ironically, despite inferior logging capabilities, the first site noticed a problem with their server within days of the attack, whereas the second site's initial breach was not noticed for several months, until the increase in IRC traffic was reported. Nevertheless, the second site's logs provided an incredible amount of information in piecing together the attack and helping with the investigation, whereas there was little network information from the first site due to limitations with the Windows
Although both sites had sensitive personal information, no evidence was found to suggest that the sites were specially targeted for that information or even that the information was downloaded. Instead, both target hosts look like they were the victims of an automated attack because they were accessible and vulnerable, and were then used to troll for other vulnerable sites.
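The two indicators that surfaced in the second incident (a restart shortly after a Windows Media Player event, and outbound traffic to an IRC port) can be checked mechanically from exported logs. The following is an added example, not code from the paper or its authors; the log and flow records, their pipe- and space-delimited layouts, the 60-second window and the IP addresses are all constructed for illustration.

```python
"""Flag the two signals from the second incident in exported logs:
 1. a restart within a short window after a WMP event
 2. outbound flows from the server to IRC ports (6660-6669, 7000)
"""
from datetime import datetime, timedelta

# Constructed event-log export, simplified to "timestamp|source|message".
EVENT_LOG = [
    "2004-03-02 01:12:07|WMP|Media file opened",
    "2004-03-02 01:12:31|EventLog|The system restarted unexpectedly",
    "2004-03-15 22:40:02|WMP|Media file opened",
    "2004-03-15 22:40:19|EventLog|The system restarted unexpectedly",
    "2004-04-01 09:00:00|EventLog|Scheduled maintenance restart",
]

# Constructed flow records: "date time src dst dport" (documentation IPs).
FLOWS = [
    "2004-05-20 03:00:01 10.0.0.5 203.0.113.9 6669",
    "2004-05-20 03:00:02 10.0.0.5 203.0.113.9 80",
    "2004-05-20 03:00:03 10.0.0.5 198.51.100.7 443",
]

IRC_PORTS = set(range(6660, 6670)) | {7000}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def restarts_after_wmp(lines, window_seconds=60):
    """Return timestamps of restarts that follow a WMP event within the window."""
    hits, last_wmp = [], None
    for line in lines:
        ts, source, msg = line.split("|", 2)
        when = parse_ts(ts)
        if source == "WMP":
            last_wmp = when
        elif "restart" in msg.lower() and last_wmp is not None \
                and when - last_wmp <= timedelta(seconds=window_seconds):
            hits.append(ts)
    return hits


def irc_destinations(flows, server_ip):
    """Return (dst, port) pairs for flows from server_ip to an IRC port."""
    found = []
    for rec in flows:
        _date, _time, src, dst, port = rec.split()
        if src == server_ip and int(port) in IRC_PORTS:
            found.append((dst, int(port)))
    return found
```

The scheduled restart in the sample is correctly not reported because no WMP event precedes it within the window.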
Legal Aspects and Tool Reliability
Because of the newness of network forensic activity, network examiners are often left to use existing and emerging tools that have not yet faced the challenge of being proven valid in court. In some respects, the presentation phase of a digital investigation is the most critical; regardless of what has been found, it is worthless if the information cannot be convincingly conveyed to a judge and jury.
The test for admissibility of scientific evidence in U.S. federal courts (and about a dozen state courts) is called the "Daubert test," named for the landmark case, Daubert v. Merrell Dow Pharmaceuticals [5, 6]. According to Daubert, a judge has to determine the admissibility of evidence using the following four guidelines:
• Testing: Can—and has—the procedure been tested?
• Error Rate: Is there a known error rate of the procedure?
• Publication: Has the procedure been published and subject to peer review?
• Acceptance: Is the procedure generally accepted in the relevant scientific community?