
Fishing for Worms A Lure that Works


Presentation Transcript


  1. Fishing for Worms: A Lure that Works
  Edutex 2003, February 18-20
  Paul Schmehl (pauls@utdallas.edu)
  Adjunct Information Security Officer, The University of Texas at Dallas

  2. Network Aware Worms are a Difficult Problem to Solve
  • They attack open network shares anywhere in the network
  • They’re often difficult to track to the source of the infection
  • They’re very persistent and propagate quickly
  • Their “tribe” is increasing
  • Antivirus protection can warn you of the infection, but it doesn’t track down the source
  • Logs are often not enabled and when they are, they don’t log this sort of “normal” activity unless specially configured
  • Eradicating network aware worms is often like playing “whack a mole”

  3. Introducing the “SMB Lure”
  • A proactive approach to worm eradication
  • Requires a minimal investment of equipment and time
  • Requires almost no maintenance once configured properly
  • Acts as an “early warning system” as well as a “teergrube” server for worms
  • Conceived and designed by John Morris of Nortel Networks – AVIEN Member

  4. What is SMB Lure?
  • A Unix OS – your choice
  • Samba – open source
  • Proper configuration of samba
  • A few scripts for maintenance
  • A working SMTP server
  • A special type of honeypot

  5. Configure the OS
  • Minimal installation
  • No services except SMTP and SSH
  • Enable the firewall and tcpwrappers
  • Establish a patching routine
  • That’s it!

  6. Install and configure Samba
  • Standard installation – nothing special
  • *Can* edit the source if you want to
  • It’s all in the configuration file
  • Build your directory and file structure
  • Make it look “real”
  • Sit back and enjoy

  7. The smb.conf file
  # Samba config file created for SMB-Lure
  # Global parameters
  [global]
  # TRICK 0: Setup our own workgroup, so named to be the first item in the Windows Network Neighborhood
  workgroup = 000-SECURITY
  # TRICK 1: Name our server, so that it appears as the first machine in its workgroup
  netbios name = 000-worm-sensor
  # TRICK 2: Create a few aliases for our sensor, so that it appears multiple times, interspersed in the workgroup
  netbios aliases = C00-worm-sensor E00-worm-sensor J00-worm-sensor M00-worm-sensor
  # warn curious individuals to stay away from our sensor
  server string = Virus detector. Please! Do not touch (972-883-6866)
  # Let's be very promiscuous, we will share our fileshare contents with all worms
  security = SHARE
  # TRICK 3: Turn on Debug mode. This will provide useful information about what types of files the worm is accessing
  # or is looking for on our server.
  debug level = 3
  # Each visiting computer will have its own dedicated log file, makes reading much easier.
  log file = /usr/local/samba/logs/%m.log

  8. More smb.conf
  # No limit on log size
  max log size = 0
  # Pretend to be a Windows NT 4 computer
  announce version = 4.0
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  dns proxy = No
  wins server = 129.110.27.65
  name resolve order = wins
  # We will be domain master, for 000-SECURITY
  domain master = True
  preferred master = True
  # The IP address of our WINS server, provides name resolution
  wins server = 129.110.70.36
  browseable = Yes

  9. More smb.conf
  # TRICK-4: remotely announce our existence around the corporate network and force ourselves into several regionally and alphabetically diverse workgroups/domains. The IP addresses are the broadcast addresses for subnets that contain NT/Win2K servers.
  # Note the number of computers we are pretending to be is the number of remote-announce domains multiplied by the number of aliases (See TRICK-2)
  remote announce = 129.110.161.255/000-SECURITY 129.110.161.255/AV
  # Here is where we define our fileshare (called Wormbait)
  [Wormbait]
  # Scare away all the human worms, if they didn't get the picture from the server description above
  comment = Network Worm Bait, please don't touch
  # Directory containing lots of juicy infectable files, stored in multiple directories.
  path = /home/wormbait
  # Worms are our guests and allowed to do their worst.
  writeable = Yes
  guest ok = Yes
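The three smb.conf slides carry the whole lure, so a quick check that the file still says what the operator thinks it says is worth having before deployment. The Python below is an added example, not part of the presentation or of Samba: it reads the INI-style smb.conf with a small parser that follows Samba's rules (parameter names are case-insensitive and ignore internal spaces; when a key repeats, the last value wins) and flags the settings the lure depends on. SAMPLE_SMB_CONF is a constructed excerpt of the slides' file; note that its [global] section lists wins server twice, exactly as slide 8 does, and the checker reports that because only the second address (129.110.70.36) will take effect.

```python
"""Sanity-check an smb.conf meant for an SMB lure.

Added example, not part of the presentation or of Samba. It reads the
INI-style smb.conf with a small hand-written parser that follows Samba's
rules (parameter names are case-insensitive and ignore internal spaces;
when a key repeats, the last value wins) and reports the settings the lure
depends on. SAMPLE_SMB_CONF is a constructed excerpt of the slides' file."""
import re

SAMPLE_SMB_CONF = """\
# constructed excerpt of the SMB-Lure smb.conf from the slides
[global]
workgroup = 000-SECURITY
netbios name = 000-worm-sensor
security = SHARE
debug level = 3
log file = /usr/local/samba/logs/%m.log
max log size = 0
wins server = 129.110.27.65
wins server = 129.110.70.36

[Wormbait]
comment = Network Worm Bait, please don't touch
path = /home/wormbait
writeable = Yes
guest ok = Yes
"""

YES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Return ({section: {key: value}}, [(section, key) that repeated])."""
    sections, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not "key = value"
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", "", key).lower()  # Samba's normalised key form
        if key in sections[current]:
            duplicates.append((current, key))
        sections[current][key] = value.strip()  # last occurrence wins
    return sections, duplicates


def is_writable(share):
    """'writeable'/'writable' = yes, or 'read only' = no, makes a share writable."""
    return (share.get("writeable", share.get("writable", "no")).lower() in YES
            or share.get("readonly", "yes").lower() not in YES)


def lure_findings(text):
    """Problems an operator wants flagged before pointing worms at the box."""
    sections, duplicates = parse_smb_conf(text)
    g = sections.get("global", {})
    findings = [f"duplicate key '{k}' in [{s}]: only the last value takes effect"
                for s, k in duplicates]
    level = g.get("debuglevel", g.get("loglevel", "0"))
    if int((level.split() or ["0"])[0]) < 3:
        findings.append("debug level below 3: file-access detail will be missing")
    if "%m" not in g.get("logfile", ""):
        findings.append("log file has no %m: every client writes to one log")
    if g.get("maxlogsize", "5000") != "0":
        findings.append("max log size is not 0: logs rotate while a worm is active")
    shares = [s for s in sections if s != "global"]
    if not shares:
        findings.append("no bait share defined")
    for s in shares:
        if sections[s].get("guestok", "no").lower() not in YES:
            findings.append(f"[{s}] is not guest accessible: unauthenticated worms are turned away")
        if not is_writable(sections[s]):
            findings.append(f"[{s}] is not writeable: nothing can be dropped into the bait")
    return findings


if __name__ == "__main__":
    for finding in lure_findings(SAMPLE_SMB_CONF):
        print("WARNING:", finding)
```

One caveat for anyone rebuilding this on a current system: security = SHARE is accepted by the Samba 2.2/3.x generation the talk describes, but Samba 4 removed share-level security, so the equivalent open-access behaviour there is security = user together with map to guest = Bad User.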

  10. Samba startup configuration
  #!/bin/sh
  # Samba startup script
  /usr/local/samba/bin/smbd -D
  /usr/local/samba/bin/nmbd -D

  11. The checklogs script
  #!/bin/sh
  # checklogs.sh - a shell script for parsing the Samba logs
  # looking for worm or virus activity. If found, it's written
  # to a log that is emailed to me hourly.
  # Written by Paul Schmehl - 6/10/2002
  # set some variables
  sambalogs=/usr/local/samba/logs/*
  alerts=/home/alert.txt
  touch $alerts
  # loop through each log looking for worms and viruses
  # and write to the alert.log if any are found
  for log in $sambalogs
  do
    if [ -f "$log" ]; then
      chmod 770 "$log"
      counter=0
      # grep -c prints the number of matching lines and exits 0 only when
      # at least one line matched, so $? decides whether to write an alert
      funlove=`cat "$log" | grep -ci "find service ntldr"`
      if [ $? -eq 0 ]; then
        echo "Funlove hits = $funlove." >> $alerts
        counter=`expr $counter + 1`
      fi
      nimda=`cat "$log" | grep -ci "\.eml sleep=5 read=No write=Yes"`
      if [ $? -eq 0 ]; then
        echo "Nimda hits = $nimda." >> $alerts
        counter=`expr $counter + 1`
      fi
      nimdaa=`cat "$log" | grep -ci "\.eml failed"`
      if [ $? -eq 0 ]; then
        echo "Nimda a hits = $nimdaa." >> $alerts
        counter=`expr $counter + 1`
      fi

  12. More checklogs script
      if [ $counter -gt 0 ]; then
        logname="$log"
        echo `basename "$logname"` >> $alerts
        # first timestamp line "[yyyy/mm/dd hh:mm:ss, level]" gives the start of the visit
        echo Log started at `cat "$log" | awk '/^\[/{print $1" "$2}' | head -n1 | cut -d'[' -f2 | cut -d',' -f1` >> $alerts
        # Samba names each log after the client (%m), so the file name is the NetBIOS name
        hostname=`basename "$logname" .log`
        echo $hostname >> $alerts
        IP=`cat "$log" | grep -e "$hostname " | cut -d'(' -f2 | cut -d')' -f1 | sort -u`
        : ${IP:=unknown}
        echo IP is $IP >> $alerts
        user=`cat "$log" | grep "sesssetupX:name=" | cut -d'[' -f2 | cut -d']' -f1 | tail -n1`
        : ${user:=unknown}
        echo User logged in was $user >> $alerts
        echo "" >> $alerts
      fi
    fi
  done
  # mail the alert.log if there's anything in it and
  # move the samba logs to the backup directory
  if [ -s $alerts ]; then
    mailx -s "SMB Lure Logs" root < $alerts
    cd /usr/local/samba/logs
    mv -f *.log backup/
  fi
  # do some "maintenance"
  chmod 660 /usr/local/samba/logs/backup/*
  rm -f $alerts

  13. Typical email alert
  Subject: Bugbear ALERT!!
  45 hits of Bugbear
  The IP is x.x.x.x
  The NetBIOS name is foo
  The logname is foo.log
  The last user logged in was foo

  14. The wormbait directory
  0,1456,graphics,00[1].rar AUTOEXEC.exe Ylcp.bak.rar return.rar
  0,1456,graphics,00[1].txt.exe Ac.xls.exe Zbie.exe rock.c.exe
  0116williams[1].bak.exe Bbuj.rar Zid.cpp.rar style.rar
  0116williams[1].exe Bsxp.htm.exe codes,.exe test1
  0116williams[1].rar Cclu.exe codes.bak.exe test2
  0117cowduo[1].bak.rar Cjqmq.exe height.mpeg.scr test3
  0117cowduo[1].exe Dd.mpg.rar http.rar test4
  0117cowduo[1].html.rar End .exe koulic2.scr test5
  0117cowduo[1].mp3.exe End .rar margin.bat test6
  0117cowduo[1].mpeg.rar End .xls.rar margin.rar test7
  0117cowduo[1].mpg.rar FACE.rar mayalog.eml test8
  0117cowduo[1].pas.exe HEIGHT.exe name.doc.bat test9
  0117cowduo[1].rar Ikvfi.rar new.c.exe width.rar
  API.htm.rar Tf.exe new.cpp.rar windows
  API.mp3.exe VALIGN.exe new.htm.exe winnt
  API.rar Wpcc.xls.exe new.rar

  15. A clean wormbait directory
  test1 test2 test3 test4 test5 test6 test7 test8 test9 windows winnt

  16. The windows directory
  accstat.exe control.ini explorer.exe isapnp.vxd net.exe qfecheck.exe setdebug.exe system32 welcome.exe
  arp.exe cvtaplog.exe extrac32.exe logos.sys netdde.exe ramdrive.sys setup.ini taskman.exe win.com
  autoexec.bat dblbuff.sys freecell.exe mayalog.eml neth.msg readme.htm setver.exe taskmon.exe win.ini
  calc.exe defrag.exe ftp.exe moricons.dll netstat.exe regedit.exe sigverif.exe telnet.exe winfile.exe
  cdplayer.exe desktop.ini grpconv.exe msdos.sys notepad.exe route.exe smartdrv.exe tracert.exe winipcfg.exe
  charmap.exe dialer.exe himem.sys mshearts.exe ping.exe rundll.exe sol.exe twain.dll winpopup.exe
  clipbrd.exe dosstart.bat hwinfo.exe nbtstat.exe progman.ini rundll32.exe system twunk_16.exe winsock.dll
  command.com drvspace.exe ifshlp.sys nddeapi.dll protman.exe scandskw.exe system.dat twunk_32.exe wscript.exe
  control.exe emm386.exe ipconfig.exe nddenb.dll protocol.ini scanregw.exe system.ini user.dat

  17. Other scripts
  • cleanup.sh – removes the wormbait directory and then repopulates it
  • makefiles.sh – repopulates the wormbait directory with “Windows files”
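Slides 14 through 17 describe the bait tree and the two housekeeping scripts, but cleanup.sh and makefiles.sh themselves are not on the slides. The Python below is an added example that stands in for them; it is not the presentation's code. The directory names (test1 through test9, windows, winnt) and the decoy file names come from the slides, the file contents are constructed stubs, and the SHA-256 manifest that the audit step uses to tell a freshly dropped worm file from an infected decoy is this example's own addition, because comparing the share against a known-clean baseline is what turns "the directory looks different" (slide 14 versus slide 15) into a precise list.

```python
"""Build, baseline and audit a wormbait share.

Added example; it stands in for the presentation's makefiles.sh and
cleanup.sh, whose contents are not on the slides. The directory names
(test1..test9, windows, winnt) and decoy file names come from the
slides, the file contents are constructed stubs, and the hash manifest
used to spot dropped or infected files is this example's own addition."""
import hashlib
import os
import shutil
import tempfile

SUBDIRS = [f"test{i}" for i in range(1, 10)] + ["windows", "winnt"]
# A handful of names from the 'windows directory' slide; the real bait
# holds far more, but the mechanism is the same.
DECOY_NAMES = ["calc.exe", "notepad.exe", "regedit.exe",
               "win.ini", "system.ini", "autoexec.bat"]
# Constructed stub contents: a bare DOS header so the file looks like a
# program to anything that checks the first two bytes, but does nothing.
MZ_STUB = b"MZ" + b"\x00" * 62
TEXT_STUB = b"; constructed decoy, no real content\r\n"


def make_bait(root):
    """Populate root with the bait layout (the makefiles.sh role)."""
    for sub in SUBDIRS:
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for name in DECOY_NAMES:
            with open(os.path.join(d, name), "wb") as f:
                f.write(MZ_STUB if name.endswith(".exe") else TEXT_STUB)


def manifest(root):
    """Map each file's path relative to root to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                out[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return out


def audit(root, baseline):
    """Diff the share against its baseline. A worm that copies itself in
    shows up under 'added'; one that infects a decoy shows up under
    'modified'; 'deleted' catches destructive payloads."""
    now = manifest(root)
    return {
        "added": sorted(set(now) - set(baseline)),
        "modified": sorted(p for p in now if p in baseline and now[p] != baseline[p]),
        "deleted": sorted(set(baseline) - set(now)),
    }


def cleanup(root):
    """Wipe and repopulate (the cleanup.sh role); returns the fresh baseline."""
    shutil.rmtree(root, ignore_errors=True)
    make_bait(root)
    return manifest(root)


def demo():
    """Run the cycle in a temp dir with a constructed visit: one file dropped
    into test3 and one decoy altered in windows. Returns the audit result."""
    root = tempfile.mkdtemp(prefix="wormbait-")
    try:
        baseline = cleanup(root)
        with open(os.path.join(root, "test3", "readme.txt.exe"), "wb") as f:
            f.write(b"constructed dropped file")
        with open(os.path.join(root, "windows", "calc.exe"), "ab") as f:
            f.write(b"constructed appended bytes")
        result = audit(root, baseline)
        result["baseline_files"] = len(baseline)
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run from cron after checklogs.sh has mailed its alert: audit the share, keep the added and modified files aside for the antivirus team, then call cleanup to reset the bait, which is the same cycle the slides describe with cleanup.sh and makefiles.sh.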

  18. Typical samba log – bret.log
  [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878)
    Transaction 1 of length 137
  [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685)
    switch message SMBnegprot (pid 11549)
  [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
    Requested protocol [PC NETWORK PROGRAM 1.0]
  [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
    Requested protocol [LANMAN1.0]
  [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
    Requested protocol [Windows for Workgroups 3.1a]
  [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
    Requested protocol [LM1.2X002]
  [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
    Requested protocol [LANMAN2.1]
  [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
    Requested protocol [NT LM 0.12]
  [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(426)
    Selected protocol NT LM 0.12
  [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878)
    Transaction 2 of length 161
  [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685)
    switch message SMBsesssetupX (pid 11549)
  [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858)
    Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
  [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868)
    sesssetupX:name=[]
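The checklogs script (slides 11 and 12) and the log above belong together: the script greps each per-client %m.log for three signature substrings and then pulls the start time, NetBIOS name, address and session user out of the same file. The Python below is an added example that does the same job over that log layout; it is not the presentation's script. The negotiate and session-setup records in SAMPLE_LOG are copied from the slide, while the "connect to service" record, the client name bret, the address 10.20.30.40, the user name, and the three detail lines that carry the signature substrings are constructed so that each detector fires exactly once.

```python
"""Scan a per-client Samba debug log for the worm signatures of checklogs.sh.

Added example, not the presentation's script. It reads the level-3 smbd
log layout from the 'Typical samba log' slide (a "[date time, level]"
header line followed by an indented detail line) and looks for the same
substrings checklogs.sh greps for. In SAMPLE_LOG the negotiate/session
records are from the slide; the records whose header says "constructed"
(connection line, client bret at 10.20.30.40, the three signature lines)
are made up for this example."""
import re
from collections import Counter

# (label, substring) pairs taken from checklogs.sh, matched case-insensitively
SIGNATURES = [
    ("Funlove", "find service ntldr"),
    ("Nimda", ".eml sleep=5 read=No write=Yes"),
    ("Nimda a", ".eml failed"),
]
STAMP = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), \d+\]")
CONNECT = re.compile(r"^\s*(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\) connect to service")
SESSUSER = re.compile(r"sesssetupX:name=\[([^\]]*)\]")

SAMPLE_LOG = """\
[2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878)
  Transaction 1 of length 137
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(426)
  Selected protocol NT LM 0.12
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858)
  Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868)
  sesssetupX:name=[bret]
[2003/02/14 04:34:30, 3] constructed: connection record
  bret (10.20.30.40) connect to service Wormbait as user nobody
[2003/02/14 04:34:31, 3] constructed: FunLove probe record
  find_service() failed to find service ntldr
[2003/02/14 04:34:32, 3] constructed: Nimda drop record
  test1/mayalog.eml sleep=5 read=No write=Yes
[2003/02/14 04:34:33, 3] constructed: Nimda open-failure record
  open of test1/readme.eml failed
"""


def scan_log(text, logname):
    """Return the alert record checklogs.sh would assemble for one %m.log,
    or None when no signature matched."""
    hostname = logname[:-4] if logname.endswith(".log") else logname
    hits = Counter()
    started = ip = user = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m and started is None:
            started = m.group(1)  # first timestamp marks the start of the visit
        low = line.lower()
        for label, sig in SIGNATURES:
            if sig.lower() in low:
                hits[label] += 1
        m = CONNECT.match(line)
        if m and m.group(1) == hostname:
            ip = m.group(2)
        m = SESSUSER.search(line)
        if m:
            user = m.group(1)  # last session setup wins, like the script's tail -n1
    if not hits:
        return None
    return {"log": logname, "hostname": hostname, "started": started,
            "ip": ip or "unknown", "user": user or "unknown", "hits": dict(hits)}


def format_alert(rec):
    """Render the record in the shape of the script's alert text."""
    lines = [f"{label} hits = {n}." for label, n in rec["hits"].items()]
    lines += [rec["log"], f"Log started at {rec['started']}", rec["hostname"],
              f"IP is {rec['ip']}", f"User logged in was {rec['user']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    rec = scan_log(SAMPLE_LOG, "bret.log")
    print(format_alert(rec) if rec else "no worm activity in log")
```

The substring list is the part to grow: each new worm family the antivirus vendor names gets a (label, substring) entry once its file-access pattern has been seen in a real log, which is how the script went from the three entries on slide 11 to the Bugbear alert on slide 13.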
