Real-time exploits tracking with Anti-Exploit

The security industry managed to develop a comprehensive set of computer forensics tools, both free and commercial, that could help IT professionals to track down the tools used to attack their networks. Even though the advanced features they utilize, their limitations eventually tend to leave IT experts without a determined answer.

Computer forensics tools were designed to investigate and find digital evidence after a computer incident has occurred. However, in most incidents it’s uncommon for hackers to leave any traces that might lead to their tools or their existence.

This is a review of the first on-access Anti-Exploit scanner. Anti-Exploit can help IT professionals to discover local attackers before they manage to execute malicious programs.

The Anti-Exploit exploit scanner utilizes kernel features to identify suspicious files when they are created or used. Anti-Exploit tags suspicious file by checking its md5 value (will be changed to signature-based) and comparing it against a database of well-known malicious tools such as exploits, rootkits, etc.

Anti-Exploit does not require any special modules for installation and on most systems it will be installed smoothly. The only additional package required is Dazuko Linux kernel module, which provides an interface for file system access control. Anti-Exploit comes with a configuration file, enables one to modify settings such as proxy information (for updates), email alerts and more. It must be edited prior executing the final installation step.

Upon running Anti-Exploit for the first time, we need to update its exploits database:

# aexpl –u etc/aexpl.conf

Once Anti-Exploit is up-to-date, we can start monitoring the system for suspicious file activity:

# aexpl –c etc/aexpl.conf

To make sure the program started successfully, we check the log file:

# tail /var/log/aexplWed

Sep 14 07:36:45 2005  AntiExploit started.

Wed Sep 14 07:36:45 2005  Worker thread woken up

Now that Anti-Exploit is running, we are going to have a test. For the purpose of the test, we assume that the system has been compromised and the hacker is now trying to obtain root on the system:

# wget http://hades/pen-test/userroot.sh

# tail –f /var/log/aexpl

[…]

Wed Sep 14 07:55:47 2005 

Found suspious file:/root/userrooter.sh uid(0) gid(0)

In addition to adding the event to its log file, Anti-Exploit will also send an email alert containing the same information.

Anti-Exploit itself (beta version) does not give an enhanced security environment to corporate networks. However, integration with other third-party tools could create an extensive monitoring environment and decrease the number of hacking attacks.

For example: access-prevention to files which have been identified as suspicious or execution of the suspicious file in a virtual environment in order to learn the attacker was planning to do.