Free file sharing services such as LimeWire, FrostWire and uTorrent are, in most of their uses, illegal (note: there are legal uses, but this post focuses on file sharing of pirated content). The cost of music, software and other applications keeps rising to make up for revenue lost to piracy spread through file sharing. As prices go up to recover that lost revenue, more people join file sharing networks. It’s a vicious cycle. There is, however, a more important reason than ethics, law and cost not to get involved with file sharing services. As my mother used to say, “nothing is free in this world”. Most of the pirated goods you believe you are getting for free actually come at a very high price to your system and your privacy.
Nuclear RAT rootkit
There are many malicious applications hackers use to gain access to a system. The worst form is a rootkit. Rootkits gain full control of a system without the victim’s knowledge and are typically very hard to detect and remove. Many popular rootkits include covert-channel communication tools to hide their phone-home attempts from modern security tools. The rootkit example above is called Nuclear RAT (a Remote Access Tool found at nuclearwintercrew.com). The image shows the RAT server GUI that manages connections from rootkits placed on victim systems. Its spying options include viewing the victim’s screen, logging keystrokes, controlling the mouse, opening a remote shell and so on (see images). There are also options to hide the RAT, such as Melt Server (which deletes the executable) and Stealth Shell Folders, so you won’t see it running. Once it is installed, an attacker owns your system.
How secure is your home or corporate network? Many administrators believe they are protected behind layers of security solutions such as firewalls, IPS/IDS appliances, endpoint security products, content filters, SIEMs, etc. Regardless of your investment in security technology there will always be risk, and it increases dramatically as soon as people are included in the equation. One way to verify your risk level is to become the hunter rather than the hunted by scanning all traffic on your network for malicious behavior. You may be surprised to find an unpatched server leaking sensitive information through hidden ports, or bots hidden on your personal computer phoning home in the middle of the night!
There are vendors and consultants that offer scanning services, which are usually extremely pricey but worth every penny. Still, some of us don’t have the budget, or want to test a home network and can’t justify purchasing enterprise-level technology for one or two computers. For those use cases, there are open source tools available for performing packet captures. One of the most widely used is Wireshark. Wireshark provides detailed information about network traffic down to the packet level. Unfortunately, many administrators don’t understand the information displayed by protocol analyzers such as Wireshark. For some people it’s like staring at the Matrix code, where only trained security analysts are capable of seeing the blonde, the brunette and the redhead. NetWitness offers a free threat analysis tool called NetWitness Investigator that quickly translates a large packet capture session into readable data. For example, Investigator may reveal that your home network is sending large amounts of data to other countries, which is a pretty good indicator that you have a problem.
Using Wireshark:
Choose the interface you want to capture on (Ethernet, wireless, etc.)
Tune the capture options as you see fit, or leave them at their defaults, and click Start.
You should see packets flowing on the screen. If not, you have not selected a live interface.
One way to see which interfaces are seeing data is to click Capture, then Capture Interfaces; the packet counters show which interfaces are receiving traffic.
Once you’re done, save your capture and move on to NetWitness.
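The saved capture is an ordinary file, so it can be inspected outside the GUI as well. The following is an added example (my own code, not part of the original post and not from the Wireshark or NetWitness projects) that reads the classic libpcap format Wireshark can save to, decodes the Ethernet/IPv4/TCP/UDP headers, and totals the bytes your local network sends to each outside destination and port. The capture it parses is constructed inline from a handful of hand-built frames so it runs offline; the addresses and the `192.168.1.` local prefix are assumptions for the sample.

```python
import socket
import struct
from collections import Counter
from typing import Iterator, List, NamedTuple, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


class Packet(NamedTuple):
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int          # IPv4 total length, i.e. header + payload on the wire


def parse_frame(ts: float, frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> TCP/UDP ports; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto_num = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto_num not in (6, 17) or len(frame) < l4 + 4:   # only TCP (6) / UDP (17)
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return Packet(ts, "tcp" if proto_num == 6 else "udp", src, sport, dst, dport, total_len)


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Walk a libpcap (not pcapng) file and yield every decodable TCP/UDP packet."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng saves need a different reader)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                                 # end of the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = parse_frame(sec + usec / 1e6, data[off:off + incl_len])
        off += incl_len
        if pkt:
            yield pkt


def outbound_destinations(data: bytes, local_prefix: str) -> List[Tuple[Tuple[str, str, int], int]]:
    """Bytes sent from the local network to each (proto, dst, dport), largest first."""
    totals: Counter = Counter()
    for p in read_pcap(data):
        if p.src.startswith(local_prefix) and not p.dst.startswith(local_prefix):
            totals[(p.proto, p.dst, p.dport)] += p.length
    return totals.most_common()


# --- constructed sample capture (hand-built frames, not a real recording) --------
def build_frame(src, sport, dst, dport, proto, payload_len):
    proto_num, l4_len = (6, 20) if proto == "tcp" else (17, 8)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (l4_len - 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + payload_len, 0, 0, 64,
                     proto_num, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + b"A" * payload_len


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec, usec = int(ts), round((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    (1000.0, build_frame("192.168.1.10", 51000, "203.0.113.5", 443, "tcp", 300)),
    (1000.5, build_frame("203.0.113.5", 443, "192.168.1.10", 51000, "tcp", 1200)),
    (1001.0, build_frame("192.168.1.10", 51001, "198.51.100.7", 6667, "tcp", 80)),
    (1002.0, build_frame("192.168.1.10", 51001, "198.51.100.7", 6667, "tcp", 80)),
    (1003.0, build_frame("192.168.1.10", 40000, "192.168.1.1", 53, "udp", 40)),
])

if __name__ == "__main__":
    for (proto, dst, dport), nbytes in outbound_destinations(SAMPLE_PCAP, "192.168.1."):
        print(f"{proto} {dst}:{dport} {nbytes} bytes")
```

Newer Wireshark versions save in pcapng by default; choose the plain pcap format in Save As (or use this only as a model) since the reader above deliberately rejects pcapng rather than misreading it. The point of the summary is the same one Investigator makes in the next section: an unfamiliar destination on an unfamiliar port that keeps receiving data from your machine deserves a closer look.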
Using NetWitness Investigator:
You can download NetWitness Investigator from the NetWitness website.
Once it is downloaded and installed, open NetWitness Investigator.
Right-click the left column under Demo Collection and select New Local Collection.
Give it a name and click OK
Click your new folder and select Import Packets.
Select your Wireshark capture.
Double-click the folder and your capture will be presented.
Click any selection on the left to dive deeper into your capture.
Look for odd behavior such as weird ports, destinations, countries, etc.
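The last step, and the earlier remark that traffic to other countries is a good indicator of a problem, can be made repeatable. Below is an added example (my own code, not the post author's and not part of NetWitness Investigator) that applies four of those checks to a list of outbound connection records: a destination port outside the set this network is expected to use, a destination outside the home country, connections that recur on a fixed schedule (the "phoning home" pattern), and a destination only contacted during quiet hours. The records are constructed, the `EXPECTED_PORTS` allow-list is an assumption for the sample network, and `GEO_STUB` stands in for a real GeoIP database.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: datetime      # start of the connection, UTC
    src: str
    dst: str
    dport: int
    out_bytes: int


# Ports this particular network is expected to talk to; anything else is "weird".
EXPECTED_PORTS = {53, 80, 123, 443, 993}

# Stand-in for a GeoIP lookup keyed by address prefix (constructed values).
GEO_STUB = {"203.0.113.": "US", "198.51.100.": "XX"}   # XX = some unexpected country


def country_of(ip: str) -> str:
    for prefix, cc in GEO_STUB.items():
        if ip.startswith(prefix):
            return cc
    return "??"                                   # unknown: do not flag on geography


def beacon_score(times: List[datetime]) -> float:
    """Coefficient of variation of the gaps between connections; near 0 = fixed schedule."""
    if len(times) < 4:                            # too few samples to call it periodic
        return 1.0
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else 1.0


def triage(flows: List[Flow], home_cc: str = "US",
           quiet_hours: range = range(0, 6)) -> List[Tuple[str, str]]:
    """Return (reason, 'dst:port') findings, grouped per destination."""
    by_dest: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        by_dest[(f.dst, f.dport)].append(f)
    findings = []
    for (dst, dport), group in by_dest.items():
        who = f"{dst}:{dport}"
        if dport not in EXPECTED_PORTS:
            findings.append(("unexpected_port", who))
        if country_of(dst) not in (home_cc, "??"):
            findings.append(("foreign_destination", who))
        if beacon_score(sorted(f.ts for f in group)) < 0.1:
            findings.append(("regular_beacon", who))
        if all(f.ts.hour in quiet_hours for f in group):
            findings.append(("quiet_hours_only", who))
    return findings


# --- constructed sample: one laptop's outbound connections over a day --------------
def at(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


SAMPLE_FLOWS = [
    # every 30 minutes, overnight, to an unusual port in an unexpected country
    Flow(at(2, 0), "192.168.1.10", "198.51.100.7", 6667, 80),
    Flow(at(2, 30), "192.168.1.10", "198.51.100.7", 6667, 80),
    Flow(at(3, 0), "192.168.1.10", "198.51.100.7", 6667, 80),
    Flow(at(3, 30), "192.168.1.10", "198.51.100.7", 6667, 80),
    Flow(at(4, 0), "192.168.1.10", "198.51.100.7", 6667, 80),
    # ordinary daytime HTTPS browsing, irregular timing, home country
    Flow(at(9, 0), "192.168.1.10", "203.0.113.5", 443, 3000),
    Flow(at(9, 7), "192.168.1.10", "203.0.113.5", 443, 12000),
    Flow(at(12, 30), "192.168.1.10", "203.0.113.5", 443, 800),
    Flow(at(14, 5), "192.168.1.10", "203.0.113.5", 443, 5000),
    # home-country service on a port the allow-list does not cover
    Flow(at(10, 0), "192.168.1.10", "203.0.113.9", 8443, 500),
    Flow(at(15, 0), "192.168.1.10", "203.0.113.9", 8443, 700),
]

if __name__ == "__main__":
    for reason, who in triage(SAMPLE_FLOWS):
        print(f"{reason:20} {who}")
```

A destination that collects all four reasons, as the overnight one does here, is exactly the kind of hidden phone-home the post is describing; a single reason (the 8443 service) is usually just an allow-list gap to confirm and record. Thresholds such as the 0.1 beacon score and the quiet-hours window should be tuned to what is normal on your own network.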
It’s important to test the security status of your network. Many malicious applications are designed by hackers to hide using stealthy techniques that can’t be seen without a packet capture tool. Both Wireshark and NetWitness Investigator are free yet powerful tools you can use to detect communication from hidden malicious applications.