180 likes | 306 Views
Fishing for Worms A Lure that Works. Edutex 2003 February 18-20 Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas. Network Aware Worms are a Difficult Problem to Solve. They attack open network shares anywhere in the network
E N D
Fishing for WormsA Lure that Works Edutex 2003 February 18-20 Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas
Network Aware Worms are a Difficult Problem to Solve • They attack open network shares anywhere in the network • They’re often difficult to track to the source of the infection • They’re very persistent and propagate quickly • Their “tribe” is increasing • Antivirus protection can warn you of the infection, but it doesn’t track down the source • Logs are often not enabled and when they are, they don’t log this sort of “normal” activity unless specially configured • Eradicating network aware worms is often like playing “whack a mole”
Introducing the “SMB Lure” • A proactive approach to worm eradication • Requires a minimal investment of equipment and time • Requires almost no maintenance once configured properly • Acts as an “early warning system” as well as a “teergrube” server for worms • Conceived and designed by John Morris of Nortel Networks – AVIEN Member
What is SMB Lure? • A Unix OS – your choice • Samba – open source • Proper configuration of samba • A few scripts for maintenance • A working SMTP server • A special type of honeypot
Configure the OS • Minimal installation • No services except SMTP and SSH • Enable the firewall and tcpwrappers • Establish a patching routine • That’s it!
Install and configure Samba • Standard installation – nothing special • *Can* edit the source if you want to • It’s all in the configuration file • Build your directory and file structure • Make it look “real” • Sit back and enjoy
The smb.conf file • # Samba config file created for SMB-Lure • # Global parameters • [global] • # TRICK 0: Setup our own workgroup, so named to be the first item in the Windows Network Neighborhood • workgroup = 000-SECURITY • # TRICK 1: Name our server, so that it appears as the first machine in its workgroup • netbios name = 000-worm-sensor • # TRICK 2: Create a few aliases for our sensor, so that it appears multiple times, interspersed in the workgroup • netbios aliases = C00-worm-sensor E00-worm-sensor J00-worm-sensor M00-worm-sensor • # warn curious individuals to stay away from our sensor • server string = Virus detector. Please! Do not touch (972-883-6866) • # Let’s be very promiscuous, we will share our fileshare contents with all worms • security = SHARE • # TRICK 3: Turn on Debug mode. This will provide useful information about what types of files the worm is accessing • # or is looking for on our server. • debug level = 3 • # Each visiting computer will have its own dedicated log file, makes reading much easier. • log file = /usr/local/samba/logs/%m.log
More smb.conf • # No limit on log size • max log size = 0 • # Pretend to be a Windows NT 4 computer • announce version = 4.0 • socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 • dns proxy = No • wins server = 129.110.27.65 • name resolve order = wins • # We will be domain master, for 000-SECURITY • domain master = True • preferred master = True • # The IP address of our WINS server, provides name resolution • wins server = 129.110.70.36 • browseable = Yes
More smb.conf • # TRICK-4: remotely announce our existance around the corporate network and force ourselves into several regionally and alphabetically diverse workgroups/domains. The IP addresses are the broadcast addresses for subnets that contain NT/Win2K servers. • # Note the number of computers we are pretending to be is the number of remote-announce domains multiplied by the number of aliases (See TRICK-2) • remote announce = 129.110.161.255/000-SECURITY 129.110.161.255/AV • # Here is where we define our fileshare ( called Wormbait) • [Wormbait] • # Scare away all the human worms, if they didn't get the picture from the server description above • comment = Network Worm Bait, please don't touch • # Directory containing lots of juicy infectable files, stored in multiple directories. • path = /home/wormbait • # Worms are our guests and allowed to do their worst. • writeable = Yes • guest ok = Yes
Samba startup configuration • #!/bin/sh • # Samba startup script • /usr/local/samba/bin/smbd -D • /usr/local/samba/bin/nmbd -D
The checklogs script • #!/bin/sh • # checklogs.sh - a shell script for parsing the Samba logs • # looking for worm or virus activity. If found, it's written • # to a log that is emailed to me hourly. • # Written by Paul Schmehl - 6/10/2002 • # set some variables • sambalogs=/usr/local/samba/logs/* • alerts=/home/alert.txt • touch $alerts • # loop through each log looking for worms and viruses • # and write to the alert.log if any are found • for log in $sambalogs • do • if [ -f ]; then • chmod 770 "$log" • counter=0 • funlove=`cat "$log" | grep -ci "find service ntldr"` • if [ $? == 0 ]; then • echo "Funlove hits = $funlove." >> $alerts • counter=`expr $counter + 1` • fi • nimda=`cat "$log" | grep -ci "\.eml sleep=5 read=No write=Yes"` • if [ $? == 0 ]; then • echo "Nimda hits = $nimda." >> $alerts • counter=`expr $counter + 1` • fi • nimdaa=`cat "$log" | grep -ci "\.eml failed"` • if [ $? == 0 ]; then • echo "Nimda a hits = $nimdaa." >> $alerts • counter=`expr $counter + 1` • fi
More checklogs script • if [ $counter -gt 0 ]; then • logname="$log" • echo `basename "$log"name` >> $alerts • echo Log started at `cat "$log" | awk '/2002/{print $1" "$2}' | head -n1 | cut -d'[' -f2 | cut -d',' -f1` >> $aler • ts • hostname=`basename "$log"name .log` • echo $hostname >> $alerts • IP=`cat "$log" | grep -e "$hostname " | cut -d'(' -f2 | cut -d')' -f1 | sort -u` • ${IP:=unknown} • echo IP is $IP >> $alerts • user=`cat "$log" | grep "sesssetupX:name=" | cut -d'[' -f2 | cut -d']' -f1 | tail -n1` • ${user:=unknown} • echo User logged in was $user >> $alerts • echo "" >> $alerts • fi • fi • done • # mail the alert.log if there's anything in it and • # move the samba logs to the backup directory • if [ -s $alerts ]; then • mailx -s "SMB Lure Logs" root < $alerts • cd /usr/local/samba/logs • mv -f *.log backup/ • fi • # do some "maintenance" • chmod 660 /usr/local/samba/logs/backup/* • rm -f $alerts
Typical email alert • Subject: Bugbear ALERT!! • 45 hits of Bugbear • The IP is x.x.x.x • The NetBIOS name is foo • The logname is foo.log • The last user logged in was foo
The wormbait directory • 0,1456,graphics,00[1].rar AUTOEXEC.exe Ylcp.bak.rar return.rar • 0,1456,graphics,00[1].txt.exe Ac.xls.exe Zbie.exe rock.c.exe • 0116williams[1].bak.exe Bbuj.rar Zid.cpp.rar style.rar • 0116williams[1].exe Bsxp.htm.exe codes,.exe test1 • 0116williams[1].rar Cclu.exe codes.bak.exe test2 • 0117cowduo[1].bak.rar Cjqmq.exe height.mpeg.scr test3 • 0117cowduo[1].exe Dd.mpg.rar http.rar test4 • 0117cowduo[1].html.rar End .exe koulic2.scr test5 • 0117cowduo[1].mp3.exe End .rar margin.bat test6 • 0117cowduo[1].mpeg.rar End .xls.rar margin.rar test7 • 0117cowduo[1].mpg.rar FACE.rar mayalog.eml test8 • 0117cowduo[1].pas.exe HEIGHT.exe name.doc.bat test9 • 0117cowduo[1].rar Ikvfi.rar new.c.exe width.rar • API.htm.rar Tf.exe new.cpp.rar windows • API.mp3.exe VALIGN.exe new.htm.exe winnt • API.rar Wpcc.xls.exe new.rar
A clean wormbait directory • test1 test2 test3 test4 test5 test6 test7 test8 test9 windows winnt
The windows directory • accstat.exe control.ini explorer.exe isapnp.vxd net.exe qfecheck.exe setdebug.exe system32 welcome.exe • arp.exe cvtaplog.exe extrac32.exe logos.sys netdde.exe ramdrive.sys setup.ini taskman.exe win.com • autoexec.bat dblbuff.sys freecell.exe mayalog.eml neth.msg readme.htm setver.exe taskmon.exe win.ini • calc.exe defrag.exe ftp.exe moricons.dll netstat.exe regedit.exe sigverif.exe telnet.exe winfile.exe • cdplayer.exe desktop.ini grpconv.exe msdos.sys notepad.exe route.exe smartdrv.exe tracert.exe winipcfg.exe • charmap.exe dialer.exe himem.sys mshearts.exe ping.exe rundll.exe sol.exe twain.dll winpopup.exe • clipbrd.exe dosstart.bat hwinfo.exe nbtstat.exe progman.ini rundll32.exe system twunk_16.exe winsock.dll • command.com drvspace.exe ifshlp.sys nddeapi.dll protman.exe scandskw.exe system.dat twunk_32.exe wscript.exe • control.exe emm386.exe ipconfig.exe nddenb.dll protocol.ini scanregw.exe system.ini user.dat
Other scripts • cleanup.sh – removes the wormbait directory and then repopulates it • makefiles.sh – repopulates the wormbait directory with “Windows files”
Typical samba log – bret.log • [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878) • Transaction 1 of length 137 • [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685) • switch message SMBnegprot (pid 11549) • [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329) • setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 • [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) • Requested protocol [PC NETWORK PROGRAM 1.0] • [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) • Requested protocol [LANMAN1.0] • [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) • Requested protocol [Windows for Workgroups 3.1a] • [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) • Requested protocol [LM1.2X002] • [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) • Requested protocol [LANMAN2.1] • [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) • Requested protocol [NT LM 0.12] • [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(426) • Selected protocol NT LM 0.12 • [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878) • Transaction 2 of length 161 • [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685) • switch message SMBsesssetupX (pid 11549) • [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329) • setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 • [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858) • Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1] • [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868) • sesssetupX:name=[]