
Web Tap Documentation
PREVIOUS - 2. The Management Interface
UP - Table of Contents
3. Alert Types and Mitigation
Web Tap will generate alerts when it identifies suspicious HTTP request behavior. There are a number of methods that it uses to differentiate human activity from automated request patterns. Here are the different types of alerts, what they mean, and what triggers them:
- Header Format – This alert means that the client sent the server some HTTP traffic that violates standard protocol specifications. An example is malware that communicates over port 80 to bypass IP layer detection systems, but does not use the HTTP protocol. This type of alert should have no false positives, unless you use a trusted application that has an improper implementation of the HTTP protocol.
- Non-HTTP – The traffic from the client to the server on TCP port 80 does not follow the HTTP protocol. Sometimes instant messaging programs or other unwanted applications will communicate over port 80 to bypass firewalls, but will use some arbitrary protocol instead of HTTP.
- Bad User-Agent – The user-agent field of an HTTP request identifies the client application making the request and its version. Web Tap will generate an alert when it sees a user agent that it has never seen before, which may indicate malicious activity. Other causes of new user-agents include web applications such as instant messaging programs, browser upgrades, media players, and automatic update applications.
- Delay Time – Traffic going from the client to the server is being driven by an automated timer. Spyware and other unwanted programs often use timers to call back to their hosts. Automatically refreshing advertisements in browser windows that are left open, as well as trusted applications (iTunes, AIM, GMail Notifier, etc.), may also trigger this alert.
- Single Request Size – The client sent the server an abnormally large post request. Malware sometimes will upload large amounts of data in a single request. This alert will also be triggered when the client uploads a file to any website.
- Bandwidth Usage – If spyware sends out a lot of data slowly over a long period of time, its individual requests may be small, but its total bandwidth usage will be large. Again, this alert may also be triggered by users that post large amounts of data to websites or heavyweight interactive web applications.
- Request Regularity – Some programs that do not use timer-driven callbacks will still communicate with their servers very frequently. Examples of such programs include browser helper object (BHO) spyware that will send its server information whenever you visit any website. This alert may also be triggered by trusted applications that regularly communicate with their servers, as mentioned in the Delay Time section.
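As an added illustration (not Web Tap's own code), the following runs simplified versions of four of the alert heuristics above over constructed request records; the record layout, thresholds, and the set of previously seen user-agents are assumptions.

```python
# Added example, not Web Tap's code: toy versions of the Bad User-Agent,
# Delay Time, Single Request Size and Bandwidth Usage heuristics.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records:
# (seconds since start, host, user_agent, method, request body bytes)
REQUESTS = [
    (0,   "news.example",  "Mozilla/5.0", "GET",  0),
    (7,   "news.example",  "Mozilla/5.0", "GET",  0),
    (60,  "callback.test", "UpdSvc/1.0",  "POST", 400),
    (120, "callback.test", "UpdSvc/1.0",  "POST", 410),
    (180, "callback.test", "UpdSvc/1.0",  "POST", 395),
    (240, "callback.test", "UpdSvc/1.0",  "POST", 405),
    (300, "share.example", "Mozilla/5.0", "POST", 2_500_000),
]

KNOWN_AGENTS = {"Mozilla/5.0"}  # assumed set of user-agents seen before


def bad_user_agents(requests, known=KNOWN_AGENTS):
    """Bad User-Agent: agent strings never seen before this run."""
    return sorted({ua for _, _, ua, _, _ in requests if ua not in known})


def timer_driven_hosts(requests, min_requests=4, max_cv=0.1):
    """Delay Time: hosts contacted at nearly constant intervals."""
    by_host = defaultdict(list)
    for t, host, *_ in requests:
        by_host[host].append(t)
    flagged = []
    for host, times in by_host.items():
        if len(times) < min_requests:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        # coefficient of variation near zero means a fixed-interval timer
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged.append(host)
    return flagged


def large_posts(requests, limit=1_000_000):
    """Single Request Size: POST bodies larger than limit bytes."""
    return [(t, host, size) for t, host, _, method, size in requests
            if method == "POST" and size > limit]


def bandwidth_by_host(requests):
    """Bandwidth Usage: total bytes uploaded per host (slow-leak check)."""
    total = defaultdict(int)
    for _, host, _, _, size in requests:
        total[host] += size
    return dict(total)
```

A real deployment would compare these totals against a longer baseline window; here the sample only shows which heuristic each host trips.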
So what do you do when Web Tap has detected an unwanted program on your computer? The first step is to look at the HTTP requests associated with the alert and see what the program is doing. A good start is looking at the IP address with which the client is communicating, and see if its domain name is associated with known spyware hosts (such as zango.com and gator.com). If it is, then you can look up removal instructions for the particular type of spyware online. If, however, the server does not have a hostname, or has an unrecognized hostname, then it is necessary to look at the HTTP requests in more detail. In particular, which site is the "referer" in the requests? Is it a legitimate site that actually links to the suspicious host? What type of content is in the suspicious requests? These things can give you a better idea of what is being sent out from your machine and where it is going.
Due to the nature of anomaly-based detection, Web Tap is able to detect new and unknown threats, such as rootkits. It may be difficult to identify the source of malicious traffic. The best place to start, if there is no suspicion of an insider attack (which there shouldn't be for the personal version), is to communicate with the user and identify what type of legitimate activity occurred during the time of the alert. If you believe that the system has been compromised by a rootkit, the best thing to do is remove it from the network and either reinstall the operating system outright, or use a host-based rootkit mitigation solution to determine the type of rootkit and assess damages. Some information about rootkits for Windows can be found here.