<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Detect Rootkit using Comparison of network packets to logged pc communications. in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36415#M2776</link>
    <description>&lt;P&gt;I don't seem to be able to follow your idea...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;First, you can assign multiple IP addresses to a single network card; many operating systems just don't allow it through a GUI interface. It's not something that is commonly done, so I would guess they limited it to just the one to simplify things for the average user.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you monitor the packets coming off of a machine, anything going over HTTPS would not be readable by Wireshark, I believe. I think normally the detection happens based on the IP address the packets are going to, and at times when normally unused ports are suddenly used.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have an interest in the gap between when a hack happens and when it is successfully detected.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sat, 13 Jun 2020 15:07:46 GMT</pubDate>
    <dc:creator>JKWiniger</dc:creator>
    <dc:date>2020-06-13T15:07:46Z</dc:date>
    <item>
      <title>Detect Rootkit using Comparison of network packets to logged pc communications.</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36412#M2774</link>
      <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have an idea for a tool to detect rootkits. Might not be possible. Might have already been done.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. Record packets sent from the suspect computer using Wireshark. (All NICs... as I understand it, there can be only one connection (IP address) to the network per network interface card, and this cannot be changed by a rootkit.)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. Log all packets sent by the suspect computer using the computer's logging utilities.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;3. Compare the two records of network communication to see if the computer is hiding its activities.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I might not know the technical aspects of this, so if this is trivial please let me know politely and I'll leave it be.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 13 Jun 2020 13:25:29 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36412#M2774</guid>
      <dc:creator>Marcipicus</dc:creator>
      <dc:date>2020-06-13T13:25:29Z</dc:date>
    </item>
    <item>
      <title>Re: Detect Rootkit using Comparison of network packets to logged pc communications.</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36414#M2775</link>
      <description>&lt;P&gt;"Network Intrusion Detection System" and "Network Intrusion Prevention System" are the names for products that do this.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The biggest in difficulty with monitoring for malware is that you are searching for a very small needle in a very large haystack and the bad actors work very hard to make their needles look like straw.&amp;nbsp; As a result, it works best to rely upon commercial IDS/IPS providers that specialize in keeping their "signatures" up-to-date.&amp;nbsp; Anymore, these are generally inbuilt into enterprise-grade network firewalls.&amp;nbsp; It is also why you should rely on well-reputed EPP (Endpoint Protection Platform) and EDR (Endpoint Detection and Response) platforms rather than trying to roll-your-own.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Gartner does have market analysis and magic quadrants for most all the technologies mentioned above.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 13 Jun 2020 15:02:36 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36414#M2775</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2020-06-13T15:02:36Z</dc:date>
    </item>
    <item>
      <title>Re: Detect Rootkit using Comparison of network packets to logged pc communications.</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36415#M2776</link>
      <description>&lt;P&gt;I don't seem to be able to follow your idea...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;First, you can assign multiple IP addresses to a single network card; many operating systems just don't allow it through a GUI interface. It's not something that is commonly done, so I would guess they limited it to just the one to simplify things for the average user.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you monitor the packets coming off of a machine, anything going over HTTPS would not be readable by Wireshark, I believe. I think normally the detection happens based on the IP address the packets are going to, and at times when normally unused ports are suddenly used.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have an interest in the gap between when a hack happens and when it is successfully detected.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 13 Jun 2020 15:07:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36415#M2776</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-06-13T15:07:46Z</dc:date>
    </item>
    <item>
      <title>Re: Detect Rootkit using Comparison of network packets to logged pc communications.</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36423#M2778</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1351384063"&gt;@Marcipicus&lt;/a&gt;,&amp;nbsp;what would be the benefit of such an approach? There are already EPS / EDR solutions for end-points &amp;amp; IDS / IDP solutions for network traffic --- these may either be signature-based / behavior-based, or use a combination of the two.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Should malicious activity be detected by an EPS / EDR, I could suspect that the end-point is compromised; should the EPS / EDR detect nothing, but traffic anomalies get picked up by the network IDS / IPS, I can also suspect this if it's traced back to an end-point.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How is what you suggested offering an advantage over this?&lt;/P&gt;</description>
      <pubDate>Sat, 13 Jun 2020 23:45:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Detect-Rootkit-using-Comparison-of-network-packets-to-logged-pc/m-p/36423#M2778</guid>
      <dc:creator>Shannon</dc:creator>
      <dc:date>2020-06-13T23:45:18Z</dc:date>
    </item>
  </channel>
</rss>