The role of proxies and protocols in malware investigations, according to ESET
A lot of people associate online anonymity with Tor, but the issue runs much deeper than that and does not relate only to privacy while browsing. In this post, we will go over some key concepts to keep in mind when analysing malware, because when we talk about anonymity we need to understand the role played by proxy servers and by certain protocols used for communication in such cases.
It is important to be aware of these concepts, because when someone is trying to establish an anonymous connection, these are the fundamental tools employed.
What is a proxy and what types of proxies exist?
A proxy is nothing more than a system placed to act as an intermediary in communications. Depending on the type of proxy used, it may be possible to identify the information sent by the user, and that information may be recorded on some piece of equipment along the way.
Proxies can be used for a variety of purposes: managing bandwidth, applying restrictions on a network (for example on downloading applications or on access to websites), or blocking access to certain sites, to name just a few.
Basically, a proxy is situated between the client equipment and the destination equipment. The types seen most frequently are:
· Transparent proxy: does not modify requests or responses beyond requesting authentication and identification; in other words, the fields should not be modified. When the client uses a transparent proxy, all requests sent to the destination server come from the IP address of the proxy server. However, it adds a line in the header to indicate the original IP address from which the query came (i.e. the user’s IP address).
· Highly anonymous proxy: designed to ensure complete privacy for the user, as it does not reveal their IP address or any other type of information. This is the most highly sought-after type, due to the high level of anonymity it offers.
· Anonymous proxy: does not reveal the user’s IP address to the server that queries are being made to. Although the request may contain the header X-Forwarded-For, where an IP address is shown, this can be the proxy’s IP rather than the client’s.
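To make the three categories above concrete from the receiving server's side, here is an added example (not code from the ESET article) that classifies a request by what its proxy headers reveal. The peer addresses and header sets are constructed sample data; the header names are the common Via and X-Forwarded-For.

```python
# Added example: server-side classification of a request by its proxy headers,
# following the three proxy types described above. Sample inputs are constructed.
import ipaddress

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False

def classify_proxy(peer_ip: str, headers: dict) -> dict:
    """Return what a server can learn about a request that arrived from peer_ip.

    'transparent':     a proxy header carries a client IP different from the peer.
    'anonymous':       proxy headers are present but only repeat the proxy's own IP
                       (or carry no usable address), so the client IP stays hidden.
    'direct_or_elite': no proxy headers at all; the client either connected directly
                       or went through a highly anonymous proxy, and the server
                       cannot tell the two apart.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xff = h.get("x-forwarded-for", "")
    via = h.get("via", "")
    forwarded = [p.strip() for p in xff.split(",") if p.strip()]
    client_ips = [p for p in forwarded if _is_ip(p) and p != peer_ip]
    if client_ips:
        return {"type": "transparent", "client_ip": client_ips[0], "proxy_ip": peer_ip}
    if xff or via:
        return {"type": "anonymous", "client_ip": None, "proxy_ip": peer_ip}
    return {"type": "direct_or_elite", "client_ip": None, "proxy_ip": None}

# Constructed sample requests (documentation-range addresses), one per proxy type.
SAMPLE_REQUESTS = {
    "transparent": ("203.0.113.7", {"X-Forwarded-For": "198.51.100.23", "Via": "1.1 proxy-a"}),
    "anonymous":   ("203.0.113.7", {"X-Forwarded-For": "203.0.113.7", "Via": "1.1 proxy-b"}),
    "elite":       ("203.0.113.7", {"User-Agent": "Mozilla/5.0"}),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLE_REQUESTS.items():
        print(name, "->", classify_proxy(peer, hdrs))
```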
Now that the differences between these types of proxies are clear, we need to look at what type of activity is going to be carried out, in order to know which proxy type is best suited to the needs of the investigation.
Protocols used in the anonymisation process
Protocols are sets of rules that enable communication between entities (client and service) in order to exchange information. The ones most frequently seen here are HTTP, SOCKS4, and SOCKS5.
These are described in turn below:
· HTTP: HTTP proxies (named as such because they filter connections in this protocol) were designed to receive queries and redirect them to the requested resource. They are generally used for unencrypted connections, although they support SSL and FTP.
· SOCKS4: this protocol was designed for managing traffic between the client and the server via an intermediary (the proxy server). SOCKS4 only supports TCP communications and has no authentication methods. The extension that followed it, named SOCKS4A, differed in that it incorporated support for resolving names through DNS on the proxy side.
· SOCKS5: the subsequent and latest version of the above protocol, which incorporates support for both TCP and UDP communications, as well as support for authentication from the client to the proxy.
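The differences listed above are visible in the very first bytes a SOCKS client sends. The following is an added example, not code from the article, that decodes that opening message for SOCKS4, SOCKS4A and SOCKS5 (field layouts follow the public protocol specifications; the sample byte strings are constructed).

```python
# Added example: decode the first message of a SOCKS session to show what each
# version carries. Sample messages are constructed; layouts follow the SOCKS4/4A
# notes and RFC 1928 for SOCKS5.
import struct

SOCKS5_METHODS = {0x00: "no authentication", 0x02: "username/password"}

def parse_socks_first_message(data: bytes) -> dict:
    """Identify the SOCKS version and what the opening message exposes."""
    if not data:
        raise ValueError("empty message")
    version = data[0]
    if version == 4:
        # VN, CD, DSTPORT, DSTIP, USERID NUL [, HOSTNAME NUL for SOCKS4A]
        command, port = data[1], struct.unpack("!H", data[2:4])[0]
        raw_ip = data[4:8]
        rest = data[8:].split(b"\x00")
        info = {"version": "SOCKS4", "command": "CONNECT" if command == 1 else "BIND",
                "port": port, "userid": rest[0].decode("ascii", "replace"),
                "auth": None, "udp": False}   # SOCKS4: no authentication, TCP only
        # SOCKS4A: a DSTIP of the form 0.0.0.x (x != 0) defers DNS to the proxy and
        # appends the hostname after the user id.
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
            info["version"] = "SOCKS4A"
            info["dst"] = rest[1].decode("ascii", "replace")
        else:
            info["dst"] = ".".join(str(b) for b in raw_ip)
        return info
    if version == 5:
        # VER, NMETHODS, METHODS: the client first offers authentication methods;
        # the connect request (with its address) only follows after negotiation.
        n = data[1]
        methods = list(data[2:2 + n])
        return {"version": "SOCKS5",
                "auth": [SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in methods],
                "udp": True}   # SOCKS5 adds UDP ASSOCIATE alongside TCP
    raise ValueError(f"unsupported SOCKS version byte {version}")

# Constructed sample messages.
SAMPLE_SOCKS4 = b"\x04\x01" + struct.pack("!H", 80) + bytes([10, 0, 0, 5]) + b"analyst\x00"
SAMPLE_SOCKS4A = b"\x04\x01" + struct.pack("!H", 443) + b"\x00\x00\x00\x01" + b"\x00" + b"example.com\x00"
SAMPLE_SOCKS5 = b"\x05\x02\x00\x02"   # offers "no auth" and "username/password"

if __name__ == "__main__":
    for sample in (SAMPLE_SOCKS4, SAMPLE_SOCKS4A, SAMPLE_SOCKS5):
        print(parse_socks_first_message(sample))
```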
How does anonymity help with investigations?
It is important to know what type of information you are sending when you connect to and interact with a piece of equipment directly.
Let’s suppose you are carrying out a security audit with the relevant authorities in order to dismantle a network of cybercriminals. You will need to run a lot of processes that interact with the equipment they are using to carry out their attacks. With anonymity, the investigator can change the identity they present (i.e. their IP address) constantly, without exposing their real identity.
If your actions were discovered by the cybercriminals, they might find out that you were trying to make connections from a network belonging to a branch of the authorities, thanks to the availability of records and public information, including that held by address registration organisations.
It is also useful if the investigator has set up a tool to automatically download samples of malicious code from websites. If you do not wish to leave any type of record anywhere (whether for reasons of confidentiality, for personal reasons, or because the situation requires it), having tools with this ability will be of great use to you as an investigator.
Let’s consider the example of investigating a botnet: after identifying the address where the botmaster’s control panel is located, if you try to access it to check whether it is active, there are two potential outcomes:
· In the case of direct interaction, the attacker may receive an alert in their log and suspect that someone—other than a bot—is attempting to connect to the server. When they notice that this activity is coming from a particular IP address, they might try to block it and thus deny access to their control panel, so that the investigator gets a negative response when they try to access it, meaning they cannot continue their investigation.
· In the case of having anonymity, the outcome could be very similar, but with the advantage of being able to change the network identity (the investigator’s IP address), which is the point of all the above. In this case, you need to make sure to use a highly anonymous proxy so as not to leave any kind of trail. If the attacker blocks the (anonymous) IP address, in reality they would be blocking the address of the proxy server. Furthermore, you are protecting your digital identity, thereby preventing any type of attack in response.
The main thing is to keep in mind the differences between HTTP, SOCKS4, and SOCKS5. In many investigations, including security audits and malware analyses, it is best to leave nothing to chance. Therefore, it is necessary to consider what type of activity you are going to carry out, what type of anonymity you will need, and what type of connection you are going to use (for better security, SOCKS5 is recommended).
Beyond the concept of anonymity, there are various other issues to keep in mind depending on the requirements of the situation. While Tor is a free network for privacy-oriented browsing, there are other tools such as Privoxy and ProxyChains, to name just two, which also help in maintaining privacy while using your tools.
In the day-to-day running of an investigation, you have to constantly evaluate what type of activity you need to carry out, and whether or not it requires anonymity. If it does, you need to analyse what level is needed, and, of course, the more secure the connection, the better your conditions will be.
As investigators, it is essential to understand how things work and not to limit ourselves to one particular tool. This enables you to develop your own customised tools, and will help you in analysing malware.
By Ignacio Pérez, ESET