Educause Security Discussion mailing list archives

Re: Proxy stealing journal access


From: Tim Doty <tdoty () MST EDU>
Date: Tue, 7 Oct 2014 08:35:51 -0500

Malware worth anything can hide from a casual investigation of the live system. You might get lucky and it may not be removing itself from the process list, or concealing its network activity, etc., though I haven't run across partial coverage in malware in several years.

First, if you have netflow then consult it. If you see network traffic logged there, then it is happening, no matter what the local box is telling you. For example, if local port 9064 connected to one or more remote IPs using various (and thus, by implication, ephemeral) ports, then the local system is running some sort of service.

Second, if it is really important to you to track down what it is then hire someone with experience. The sooner the better, especially if you are concerned about it being APT. That said, APT is probably monitoring this list, it being open to the world, and will adjust accordingly. (Think I'm kidding? Someone I trust related a story about an APT intrusion where they used PeopleSoft activity to gauge response. Utilizing a public resource is just blackhat 101.)

Third, it may not be running any more. Some malware -- the opportunistic kind -- will happily disappear in order to remain invisible. It might be running in memory (leveraging a web browser or something else), it might have a clean up routine for system shutdown.

That said, if netflow says it's there then your best bet is to do a memory dump and analyze that. I favor Volatility, but Redline is another possibility and there are others. Whatever tool you use, there is some skill associated with it. I've been using Volatility for a few months now and, while I can appreciate its power, I know that I've still got a lot to learn.

Tim Doty

On 10/06/2014 09:27 PM, Andrew Daviel wrote:
We have an institutional subscription to a number of scientific
journals, where our IPv4 address block is whitelisted so we can do
searches without logging in per-user.

Recently we had a complaint from SAE about unusual activity on our
account. Their logs show downloads of some papers all from January 1994,
from one of our laptops and also from an address from China Mobile.
At the time in question, our network logs show a connection from the
China Mobile address to the laptop - apparently a Web proxy on port 9064.

So it looks like there is something on our laptop that allows a remote
user to download journal papers using our subscription.

When I look on the laptop, I can't find it. The laptop was rebooted, but
I had expected something like Squid to start up again. There seem to be
no common ports open. I'd half expected something simple installed by a
user - VNC or logmein - but I don't see that.

It's an older machine running XP with a few "possibly harmless" adwares,
a couple of which I've cleared out.

Has anyone seen anything like this ?

I read things in the media about industrial espionage from China, so I'm
half thinking "APT", but on the other hand it may be a wild goose chase.

I'm running malwarebytes, which has turned up a few "potentially
unwanted programs" but nothing really obvious. My usual Linux technique
of looking for changed files is stymied because the users installed a
lot of legitimate programs right around the same time - LabView etc.
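Tim's netflow heuristic above (a fixed local port talking to many remote ephemeral ports is the server side of the conversation, whatever the host's process list claims) can be scripted over a flow export. The script below is an added illustration, not code from either poster; the flow records are constructed in nfdump-style CSV, with 192.0.2.0/24 standing in for the institution's whitelisted block and 203.0.113.27 / 198.51.100.9 as placeholder remote addresses.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed NetFlow export (nfdump-style CSV), not real data from the thread.
# Flows are unidirectional, so both halves of each 9064 conversation appear.
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,bytes
2014-09-28 14:02:11,TCP,203.0.113.27,51422,192.0.2.15,9064,1840
2014-09-28 14:02:11,TCP,192.0.2.15,9064,203.0.113.27,51422,90412
2014-09-28 14:05:40,TCP,203.0.113.27,51430,192.0.2.15,9064,1620
2014-09-28 14:05:41,TCP,192.0.2.15,9064,203.0.113.27,51430,73311
2014-09-28 14:06:02,TCP,198.51.100.9,40211,192.0.2.15,9064,1530
2014-09-28 14:06:03,TCP,192.0.2.15,49731,198.51.100.80,443,5120
2014-09-28 14:06:20,TCP,192.0.2.15,49732,198.51.100.80,443,4410
"""


def find_services(flow_csv, local_net, min_peers=2):
    """Return {(local_ip, local_port): stats} for local ports that converse
    with several distinct remote ip:port pairs. Ordinary client traffic uses
    a fresh local ephemeral port per connection, so it never reaches the
    threshold; a listening service reuses one local port for every peer."""
    net = ipaddress.ip_network(local_net)
    peers = defaultdict(set)   # local endpoint -> set of remote endpoints
    nbytes = defaultdict(int)  # local endpoint -> bytes in either direction
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
        if src in net and dst not in net:
            local, remote = (row["src"], int(row["sport"])), (row["dst"], int(row["dport"]))
        elif dst in net and src not in net:
            local, remote = (row["dst"], int(row["dport"])), (row["src"], int(row["sport"]))
        else:
            continue  # internal-only or external-only flow: not our concern here
        peers[local].add(remote)
        nbytes[local] += int(row["bytes"])
    result = {}
    for local, remotes in peers.items():
        if len(remotes) >= min_peers:
            result[local] = {
                "remote_ips": len({ip for ip, _ in remotes}),
                "remote_ports": len({port for _, port in remotes}),
                "bytes": nbytes[local],
            }
    return result


if __name__ == "__main__":
    for (ip, port), info in sorted(find_services(SAMPLE_FLOWS, "192.0.2.0/24").items()):
        print(f"{ip}:{port} looks like a service: {info}")
```

On the sample, only 192.0.2.15:9064 is reported (two remote IPs, three remote ports); the laptop's own HTTPS connections on ports 49731 and 49732 each have a single peer and stay silent.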


