Laboratory Network Monitoring: Background vs Malicious Traffic
Project Objectives
In this individual project, you will automate a web browser to create background traffic in the lab environment, and then introduce and monitor a piece of malware.
Requirements - Network Review
Review the existing lab network. Ask yourself:
Is it really ready for the introduction of live malware to the quarantine network?
Are you sure?
Items to verify include, but are not limited to:
- Verify (through nmap or other tools) what hosts are visible from the quarantine network.
- Augment the firewall rules, ensuring that devices in the quarantine network are unable to contact the router. Specifically, 'input' filter rules should block quarantine network hosts from sending any IP traffic that terminates at the router. (Exceptions may need to be made for services like DHCP...) Quarantine network hosts should be permitted to transit the router via 'forward' rules to reach, for example, the public Internet.
- Augment the router with quality of service control. At a minimum, hosts in the quarantine network should be the lowest priority for Internet communication. In addition, even if bandwidth is available, hosts in the quarantine network should, if desired for a particular lab, be severely throttled in their access to the public Internet. We may wish to observe malware scanning activity but limit the speed at which the malware can conduct its scan.
- Do a proof of concept test for the virtual machine isolation design. Using the desktop student computers in the lab, ensure that the VM host (native Linux) has only a DHCP-assigned IP address on the student subnet (which is untagged). Further, ensure that it is possible to assign a virtual NIC (tagged to the quarantine subnet) to a specific VM guest or set of guests (via software bridging) that are contaminated with malware. Verify that the VM host and VM guest(s) have no direct communication with each other, and that any communication goes through the router firewall.
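The first item above asks you to verify with nmap what the quarantine network can actually reach. The script below is an added example (not part of the assignment and not one of the lab's tools) that turns an nmap grepable-output file, produced from a quarantine host, into a pass/fail check against the isolation policy described in the list: nothing on the router reachable except DHCP, nothing on the student subnet reachable at all, Internet hosts reachable only through the router's 'forward' chain. The router address, the two subnets and the scan text are constructed for the example; substitute the real lab values.

```python
"""Check an nmap grepable (-oG) scan taken from the quarantine network against
the lab isolation policy.  Added example; the lab parameters below are
constructed and must be replaced with the real router address and subnets.
"""
import ipaddress

# Constructed lab parameters (not the real lab's addressing).
ROUTER = ipaddress.ip_address("10.0.50.1")
LAB_SUBNETS = [ipaddress.ip_network("10.0.50.0/24"),   # quarantine (tagged)
               ipaddress.ip_network("10.0.10.0/24")]   # student desktops (untagged)
ALLOWED_ON_ROUTER = {(67, "udp")}                      # DHCP server only

# Constructed nmap -oG output as it would look from a quarantine host
# (e.g. `nmap -sS -sU -oG quarantine.gnmap <targets>`, run without -Pn so
# that 'Status: Up' reflects real host discovery).  Fields are tab separated.
SAMPLE_SCAN = """\
# Nmap scan from the quarantine VLAN (constructed sample)
Host: 10.0.50.1 ()\tStatus: Up
Host: 10.0.50.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///, 67/open/udp//dhcps///\tIgnored State: closed (997)
Host: 10.0.10.15 ()\tStatus: Up
Host: 10.0.10.15 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
# Nmap done
"""


def parse_grepable(text):
    """Return {ip: {"up": bool, "open": {(port, proto), ...}}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"up": False, "open": set()})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = entry["up"] or value.strip() == "Up"
            elif key == "Ports":
                # Each spec is port/state/proto/owner/service/rpc/version/
                for spec in value.split(", "):
                    port, state, proto = spec.split("/")[:3]
                    if state == "open":        # 'open|filtered' is unproven; not counted
                        entry["open"].add((int(port), proto))
    return hosts


def check_isolation(text, router=ROUTER, lab_subnets=LAB_SUBNETS,
                    allowed=ALLOWED_ON_ROUTER):
    """Return (violations, reachable_lab_hosts) for one scan.

    A violation is any open port on a lab-subnet host, except the router
    services explicitly allowed.  Hosts outside the lab subnets are skipped:
    reaching the Internet through the router's 'forward' chain is expected.
    """
    violations, reachable = [], []
    for ip_str, entry in parse_grepable(text).items():
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in lab_subnets):
            continue
        if entry["up"] or entry["open"]:
            reachable.append(ip_str)
        for port, proto in sorted(entry["open"]):
            if ip == router and (port, proto) in allowed:
                continue
            violations.append(f"{ip_str} {port}/{proto} reachable from quarantine")
    return violations, reachable


if __name__ == "__main__":
    found, hosts = check_isolation(SAMPLE_SCAN)
    print("lab hosts that answered:", hosts)
    for v in found:
        print("VIOLATION:", v)
```

In the constructed scan the check reports SSH and DNS on the router and SMB on a student desktop as violations, while the DHCP port is accepted and the Internet host is ignored. A clean run, where the only lab host listed is the router with nothing but DHCP, is the evidence the network review asks for.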
Requirements - Automated Web Browser
Write a “human using a web browser” simulator that will create a large amount of background network traffic, specifically DNS, HTTP, and HTTPS. This simulator should take as input a top-### list of websites. For example, the Alexa Top-50 list or Moz Top-500. Scrape that page and store it in a data structure. Then, as either the same program or a different program, randomly pick a site from the list and load the homepage in a web browser. Sleep for a random length of time, and then pick a link at random on that page and visit it. Repeat until "daily pageviews" is exhausted before choosing another site and starting again.
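The loop described above (pick a site, load its homepage, pause, follow a random link, repeat until the site's daily pageviews are spent, then pick another site) can be written independently of the browser that does the loading. The following is an added example, not code from the assignment or from Puppeteer or Selenium: the page loader is a plain callable, so the walk runs here against a few constructed in-memory pages and, in the lab, against a real browser such as Selenium's driver.get(url) followed by driver.page_source, which is where the DNS, HTTP and HTTPS traffic actually comes from. The site list is a constructed stand-in for the structure your scraper fills from the top-N page.

```python
"""Random-walk browsing simulator.  Added example: the control loop only;
page loading is injected so a real browser can be plugged in for the lab.
"""
import random
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the scraped top-N list (hostnames are not real sites).
TOP_LIST = [
    {"site": "http://example-one.test", "daily_pageviews": 4},
    {"site": "http://example-two.test", "daily_pageviews": 2},
]

# Constructed pages served by the in-memory fetcher used in run_demo().
PAGES = {
    "http://example-one.test/": '<a href="/news">News</a> <a href="/about">About</a>'
                                ' <a href="https://cdn.other.test/lib.js">ext</a>',
    "http://example-one.test/news": '<a href="/">Home</a> <a href="/news/1">Story</a>',
    "http://example-one.test/news/1": '<a href="/news">Back</a> <a href="#top">Top</a>',
    "http://example-one.test/about": '<a href="/">Home</a>',
    "http://example-two.test/": '<a href="/login">Login</a>',
    "http://example-two.test/login": "",
}


class LinkExtractor(HTMLParser):
    """Collect the href value of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(base_url, html):
    """Absolute same-site http(s) links found in html, fragments dropped, order kept."""
    parser = LinkExtractor()
    parser.feed(html)
    site = urlparse(base_url).netloc
    links = []
    for href in parser.hrefs:
        absolute = urljoin(base_url, href).split("#", 1)[0]
        parsed = urlparse(absolute)
        if parsed.scheme in ("http", "https") and parsed.netloc == site:
            links.append(absolute)
    return links


def browse(top_list, fetch, rounds, rng=random, sleep=time.sleep,
           min_delay=2.0, max_delay=30.0):
    """Run `rounds` site sessions and return [{"site": s, "visits": [urls]}].

    Each session starts at a randomly chosen site's homepage and follows a
    random same-site link after a random pause, until the site's
    daily_pageviews budget is spent or a page offers no links.  The random
    pause is what makes the traffic look like a person reading, not a crawler.
    `fetch(url)` must return the page HTML; in the lab that is the browser.
    """
    sessions = []
    for _ in range(rounds):
        entry = rng.choice(top_list)
        url = entry["site"].rstrip("/") + "/"
        visits = []
        while len(visits) < entry["daily_pageviews"]:
            html = fetch(url)
            visits.append(url)
            sleep(rng.uniform(min_delay, max_delay))
            links = extract_links(url, html)
            if not links:
                break
            url = rng.choice(links)
        sessions.append({"site": entry["site"], "visits": visits})
    return sessions


def run_demo(seed=1, rounds=3):
    """Deterministic offline run over the constructed pages, with no real sleeping."""
    rng = random.Random(seed)
    return browse(TOP_LIST, lambda url: PAGES.get(url, ""), rounds,
                  rng=rng, sleep=lambda _seconds: None)


if __name__ == "__main__":
    for session in run_demo():
        print(session["site"], "->", " ".join(session["visits"]))
```

Keeping the walk same-site and stripping fragments keeps the pageview budget honest: a link to a CDN or an in-page anchor does not count as a visit to the chosen site. Lengthening min_delay and max_delay once the loop is driving a real browser spreads the traffic over the day the way the pageview figures assume.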
Automated web browser tools:
- Puppeteer (for Google Chrome only)
- Main repo: https://github.com/GoogleChrome/puppeteer
- Getting started guide: https://github.com/emadehsan/thal
- Selenium (for Firefox or Chrome)
- http://www.seleniumhq.org/
- Example code for Firefox: http://www.marinamele.com/selenium-tutorial-web-scraping-with-selenium-and-python
- Example video for Chrome: https://www.youtube.com/watch?v=bhYulVzYRng
Scraping tools:
Note that these are only for parsing the top-### list, not for automating the web browser! They will not load images, CSS files, run JavaScript, etc.
- Webscraper: http://webscraper.io/
- Scrapy: https://scrapy.org/
Requirements - Malware Hunting
Obtain and run a sample of real malware in the midst of all this normal activity. The selection of malware is up to you, as we can obtain VM images for any conceivable host OS and version. Your objective is to prove to the instructor that you can (a) detect this malware without relying on your knowledge that you started it on Machine X at UTC Time Y, and (b) fully explain its network behavior using the network forensic tools that were installed in the previous project.
Note 1: CYBR 230 is NOT a "reverse engineering malware" course. That is CYBR 220, in the spring. You should pick some well-known, historical malware of interest where we already know lots about how it is supposed to work. Pick malware that has significant network activity, such as LAN or WAN scanning, or reaching out to C&C servers. (Avoid malware that is so old that the C&C servers are dead.) Run that malware and see if our monitoring can (easily) detect the malware communication that we expect.
Note 2: Introduction of live malware to the laboratory environment should happen only after an in-class discussion of best practices and completion of the network review requirements above.
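Objective (a) above, finding the malware without knowing which machine you started it on, comes down to spotting traffic whose shape differs from the background browsing. The two behaviours Note 1 points at each have a simple signature: scanning is one source fanning out to many destinations, and C&C check-ins are one source/destination pair with regular timing, something the randomly paced browser simulator never produces. The following is an added example, not part of the assignment and not one of the lab's installed tools: two small detectors over flow summaries (timestamp, source, destination, port, protocol), the kind of record a connection log or NetFlow export reduces to. The flows are constructed for three hypothetical quarantine hosts.

```python
"""Traffic-shape detectors for the hunting exercise.  Added example; the flow
records are constructed, not captured, and the thresholds are starting points
to tune against the lab's own background traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev


def constructed_flows():
    """Constructed (ts, src, dst, port, proto) records for three quarantine hosts."""
    flows = []
    # 10.0.50.20: background browsing, irregular revisits to two sites
    for t in (0, 13, 70, 91, 140, 221, 250):
        flows.append((t, "10.0.50.20", "203.0.113.5", 443, "tcp"))
    for t in (30, 45, 180):
        flows.append((t, "10.0.50.20", "203.0.113.6", 80, "tcp"))
    # 10.0.50.30: sweep of 200 LAN addresses on tcp/445 within two seconds
    for i in range(1, 201):
        flows.append((1000 + i * 0.01, "10.0.50.30", f"10.0.50.{i}", 445, "tcp"))
    # 10.0.50.40: check-in to one outside address every 60 seconds
    for k in range(10):
        flows.append((100 + 60 * k, "10.0.50.40", "203.0.113.77", 443, "tcp"))
    return sorted(flows)


def fan_out(flows, min_distinct=50):
    """Sources that contacted at least min_distinct distinct destinations."""
    dsts = defaultdict(set)
    for _ts, src, dst, _port, _proto in flows:
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct}


def beacons(flows, min_count=5, max_cv=0.1):
    """(src, dst, mean_interval) for pairs whose inter-connection timing is regular.

    cv = stdev / mean of the gaps between connections: 0 is perfectly periodic.
    max_cv bounds how much jitter still counts as a beacon; min_count avoids
    judging pairs with too few connections to have a meaningful rhythm.
    """
    times = defaultdict(list)
    for ts, src, dst, _port, _proto in flows:
        times[(src, dst)].append(ts)
    found = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            found.append((src, dst, m))
    return found


if __name__ == "__main__":
    flows = constructed_flows()
    print("fan-out sources:", fan_out(flows))
    print("beaconing pairs:", beacons(flows))
```

On the constructed flows only the scanning host trips fan_out and only the check-in host trips beacons; the browsing host's revisits to the same site are too irregular (cv above 0.5) to look periodic. Once a detector names a host, the hunting document can pick up from there with the forensic tools: pull that host's sessions, confirm the destinations and timing against the malware's documented behaviour, and show the screenshots.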
Resources:
Grading
This is an individual project (with the exception of the network review). The grading breakdown is:
- Network review - 20%
- Automated Web Browser - 40%
- Malware Hunting - 40%
Schedule
Your goal should be to have the automated web browser completed in week "1" and malware hunting completed in week "2".
Submission
Submit all files to the Canvas CMS site.
Make sure that your submission includes all of the following project deliverables:
- The automated web browser system (source code + documentation on installation and usage)
- A hunting document describing the malware you chose, what its documented behavior was, and then a step-by-step guide (with screenshots) showing how to use the monitoring tools to observe the malware behavior.