Networks Security


Category: Science and Technology

Date Submitted: 04/22/2013 02:13 PM


Security often involves synthesizing tidbits of information from many disparate sources in order to form an accurate picture of what has happened. My team once responded to a report that desktop computers at a biomedical corporation were crashing, with their hard drives erased, apparently, by a virus that circumvented the company’s anti-virus protections. While examining an affected PC, we noticed that a few processes were still running—thanks to the fact that the operating system generally won’t allow the deletion of files that are in use. Among these processes were several instances of svchost.exe. Closer examination revealed that one of these had the same name as the legitimate Windows executable, but was in fact an impostor: a saboteur was at work.

Using a disassembler, we determined that, every minute, the Trojan checked a folder on a server for the presence of a command file, whose contents it would execute. We built a program to monitor that directory and archive copies of any files that appeared; our program also recorded the user account that put the file there, and the name of the system from which this was done.
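The directory-monitoring program described above is a general forensic technique: poll the drop folder, preserve an untouched copy of every file that appears, and log who created it so the evidence survives even after the Trojan consumes and deletes the command file. The following Python script is an added illustration, not the author's program. It assumes the command folder is reachable as a local or mounted path, uses simple polling rather than filesystem notifications, and records the file's owner as the creating account (which only works if the server's filesystem preserves that information). The name of the originating system, which the author's program also captured, would come from the file server's session or audit logs and is not attempted here; the sample command file is constructed for the demo.

```python
"""Watch a directory for new files, archive each one with its hash, and log the owner."""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def file_owner(path: Path) -> str:
    """Best-effort owning account. Path.owner() works on POSIX (and Windows on 3.13+);
    fall back to the numeric uid when no name can be resolved."""
    try:
        return path.owner()
    except (NotImplementedError, KeyError, OSError):
        return f"uid:{path.stat().st_uid}"


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_once(watch_dir: Path, archive_dir: Path, seen: set) -> list:
    """One polling pass: archive every not-yet-seen file and return its manifest records."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    records = []
    for entry in sorted(watch_dir.iterdir()):
        if not entry.is_file() or entry.name in seen:
            continue
        seen.add(entry.name)
        digest = sha256_of(entry)
        stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
        copy_path = archive_dir / f"{stamp}_{digest[:12]}_{entry.name}"
        shutil.copy2(entry, copy_path)  # copy2 keeps the original mtime for the timeline
        st = entry.stat()
        record = {
            "name": entry.name,
            "sha256": digest,
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "owner": file_owner(entry),        # the account that placed the file
            "archived_as": copy_path.name,
        }
        records.append(record)
        # Append-only manifest: one JSON object per archived file.
        with (archive_dir / "manifest.jsonl").open("a", encoding="utf-8") as log:
            log.write(json.dumps(record) + "\n")
    return records


def watch(watch_dir: Path, archive_dir: Path, interval: float = 5.0, passes=None) -> set:
    """Poll forever (or for `passes` rounds), printing a line for each new file."""
    seen = set()
    done = 0
    while passes is None or done < passes:
        for rec in scan_once(watch_dir, archive_dir, seen):
            print(f"new file {rec['name']} owner={rec['owner']} sha256={rec['sha256'][:16]}")
        done += 1
        if passes is None or done < passes:
            time.sleep(interval)
    return seen


def demo():
    """Self-contained run against a constructed temporary directory (no real incident data)."""
    root = Path(tempfile.mkdtemp(prefix="cmdwatch_"))
    watch_dir, archive_dir = root / "commands", root / "archive"
    watch_dir.mkdir()
    seen = set()
    first = scan_once(watch_dir, archive_dir, seen)    # empty folder: nothing archived
    (watch_dir / "cmd.txt").write_text("echo constructed sample command\n")
    second = scan_once(watch_dir, archive_dir, seen)   # one new file: one record
    third = scan_once(watch_dir, archive_dir, seen)    # same file again: nothing new
    manifest = (archive_dir / "manifest.jsonl").read_text(encoding="utf-8").splitlines()
    shutil.rmtree(root)
    return first, second, third, manifest


if __name__ == "__main__":
    for rec in demo()[1]:
        print(json.dumps(rec, indent=2))
```

Run it against a real folder with `watch(Path("/path/to/commands"), Path("/path/to/archive"))`; the archive copy and the manifest together give the sequence of commands the attacker issued, with a hash for each, even after the Trojan has removed the originals.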

The account had domain administrator privileges, and this led us to examine the domain’s login scripts, where we found the code that installed the Trojan on users’ workstations. We wrote a second program to record the MAC address of the system when it registered its name with the DHCP server, and inspect the ARP tables from the network’s switches in order to find the physical port to which it was connected. Then, with a building wiring diagram, we were able to track the culprit to a specific cubicle.

Finding the source of this problem involved knowledge about network infrastructure, operating systems, administration techniques, programming, and reverse-engineering. This is an extreme example, to be sure, but real-world security problems seldom confine themselves to a single technical area of specialization.