Information Risk Management - SANS ©2001
Risk Management The Big Picture – Part 2
Going Around the Firewall and Scanning for Vulnerabilities
If attackers are going to take advantage of vulnerabilities, it makes sense that we need to find them before they do. System, network, and telephone vulnerability scanning tools are a powerful method of doing this.
Let's take a look at another Internet threat. This is the threat introduced by users who download and run utilities that are designed to share and search for files across the Internet. Examples are the programs Napster, Gnutella, and more recently Scour. In the next two slides we'll examine Gnutella, its function, and the dangers it introduces.
Gnutella is an Internet file sharing utility. Described as a "servant", Gnutella acts as a server for sharing files while simultaneously acting as a client that searches for and downloads files from other users.
The Gnutella net is peer-to-peer, with interconnected servants that search and relay for one another to make file sharing and storage truly distributed. When searching for a file, the Gnutella service will search hosts that you are connected to, and hosts they are connected to, and so on. Once the file is found, a download can be initiated with a TCP connection directly between the 'client' and 'server'.
Gnutella was designed to enhance free, easy, and anonymous exchange of information. However, there is a dark side: the distributed nature of the Gnutella net, combined with the Gnutella net protocol, introduces security weaknesses for Gnutella users. A prime concern is that Gnutella users situated behind firewalls open a hole in their firewall when they connect to an external Gnutella net. The way this works is covered in the next slide.
Traces taken from a Gnutella user's machine show that when searching, requesting a download, or 'pinging' for other Gnutella hosts, the user gives away a combination of information including an IP address within a network, a half-open connection and/or a known set of SEQ and ACK numbers, and a MAC address. Although security is not achievable merely through obscurity, it is certainly better not to openly offer this information to anyone on the Internet!
In order to handle Network Address Translation (NAT), the Gnutella design incorporates the ability to spoof ports and IP addresses. Unfortunately, this means that an unwitting host may be targeted by many simultaneous SYN requests from hosts on the Gnutella net who are attempting to grab the files that the spoofed host is apparently offering.
One more thing: with the current increasing use of Gnutella, and the number of Gnutella versions and downloads available, perhaps it is only a matter of time before someone discovers that there's more to their executable than they originally thought. Is there a better way to distribute a Trojan than to take advantage of a pool of users eager to download?
Gnutella - Firewall Subversion
[Slide diagram: host A behind a FIREWALL and host C outside it; the left and right panels show the situation before and after C joins the Gnutella net]
On the left, host A is behind a firewall and has connected to host B, forming a Gnutella net. Host A initiated the connection, which the firewall allowed. An external TCP request from host C is denied by the firewall; that is, C cannot initiate a connection to A. Gnutella provides a mechanism for host C to circumvent this firewall block and access host A.
On the right, we see that host C connects to the Gnutella net previously set up by A and B. Through host B on the net, host C can now 'see' the files being offered by A. In order to download from A, host C needs to set up a TCP connection. Host C achieves this by sending a request to the Gnutella net, which relays the request to A, telling A to initiate a connection to C. Since A is not prevented from initiating connections, a connection can be made. Indirectly, C can connect to a port on a host behind a firewall that denies inbound TCP connections to unserved ports! Combine this with the information give-away talked about earlier, and the hacker's job is made that much easier.
Thanks to Matt Scarborough for sourcing the Gnutella information. For more on Gnutella visit
http://www.sans.org/y2k/gnutella.htm
To summarize this section: many users place too much trust in their firewalls. Firewalls are wonderful, but they, like any defensive means, have limitations. Next we will take a look at the type of attacks that are banging against your firewall on a daily basis.
Firewalls, Wireless Connections, and Modems
[Slide diagram: INTERNET - ISP - Firewall] The more restrictive a site's firewall policy, the more likely the employees will use modems.
Suppose your house is connected to the Internet with a Cisco router running the firewall feature set. Behind that is an additional appliance firewall. Could your systems be easily reached? They could if the systems run 802.11 wireless cards! But long before wireless became popular, there were still a number of ways to penetrate or avoid firewalls. You can't buy a system today without a 56K modem built in, and PCs with modems are number one in the subvert-a-firewall hit parade. There are at least two problems with modems inside a firewall: leaving the modem on auto-answer, and having attackers scan you when you use them to connect to the Internet.
The first case (auto-answer) is well understood. If the modem is left in this mode, then an attacker may locate it with a war dialer and access the site. Perhaps the best defense for this is to sweep your site for modems periodically. Phonesweep is a commercial war dialer available at
http://www.sandstorm.net
The second modem risk is exposed when a system makes a connection to an ISP: it is a fully functional, bi-directional network connection. Many sites understand some or all of the information-gathering probes and attacks that can be directed against Windows machines, and block NetBIOS with their filtering firewall or router. However, a system connected to an ISP is not protected by the firewall!!
The picture on your screen represents a successful compromise of a secure facility. The firewall was a good one, with certified proxies. However, there was no proxy available for the timecard application, so they gave the administrative worker access to an ISP account. A determined hacker had studied what they were doing and, since timecards are done at about the same time every other Friday, was able to scan the ISP dialups, find the administrative worker's system, and gain access to information via an unprotected share that was later used to attack the facility. The firewall did its job.
Finding Unprotected Shares - Legion
Legion is available from http://www.nmrc.org/files/snt/ This tool is recommended for any system administrator or security professional responsible for a site with Windows systems. Just remember to test it in a lab and get WRITTEN permission BEFORE you run it, or the tag line of your next career may be: "Would you like fries with that order?"
What does Legion do? The software can detect unprotected or poorly protected shares. Poorly protected shares may allow an attacker access to files. Depending on this access, this may mean the ability to compromise the system. It certainly could mean the ability to defeat two of the primary security pillars: confidentiality and integrity. Confidentiality would be breached if they could read the files; integrity would be compromised if they could modify the files. This simple flaw is what enables an entire class of Windows worms to function: if they find an unprotected share they can copy themselves to the hard drive, and then simply need to find a way to have their code executed. Sometimes these worms aren't that dangerous; Lance Spitzner has an interesting account of an unprotected share worm at http://project.honeynet.org/papers/worm/ In that case the worm borders on research.
NOTE: not all Windows worms propagate via unprotected shares. KAK, for instance, uses an ActiveX design flaw in Outlook Express so that if the user simply reads an email message (they do not have to open an attachment like the earliest worms), KAK is able to spread by attaching itself to the outgoing signature file so that it can reach other victims.
Many of you know about shares and null sessions and have figured, "So what? We have a firewall and we block NetBIOS." This is good, but if one system that connects to the Internet via modem or wireless card gets compromised, it can be used as a springboard to run against your entire network from the inside. Again, the simplest way to subvert a firewall is with a system and a modem inside a facility.
Social Engineering
• Attempt to manipulate or trick a person into providing information or access
• Bypass network security by exploiting human vulnerabilities
• Vector is often outside attack by telephone or a visitor inside your facility
"Social engineering" is the term used to describe an attempt to manipulate or trick a person into providing valuable information or access to that information. It is the process of attacking a network or system by exploiting the people who interact with that system.
People are often the weakest link in an organization's security. All of the technology in the world cannot protect your network from a user who willingly gives out his or her password, or innocently installs malicious software.
Social engineering often preys on qualities of human nature, such as the desire to be helpful, the fear of getting in trouble, or the tendency to trust the people - and computers - with which we interact.
Social Engineering (2)
• Human-based
– Urgency
– Third-person authorization
• Computer-based
– Popup windows
– Mail attachments
Most social engineering is "human based." It involves one person trying to get valuable information from another person. The most well-known techniques are the urgency, impersonation, and third-person authorization techniques. Here is a classic example. A man calls the help desk: "Hello, this is Bob Smith, the Vice President of Big Corporation. I'm on travel and I've forgotten my password. Can you reset it so I can retrieve an important email for a meeting in 15 minutes?" Would your help desk question this request? Most people would give out the information without thinking, either because they want to be helpful or because they are afraid of refusing the "vice president's" request, especially since he has an urgent meeting in 15 minutes.
Social engineering can also be computer-based. Consider this example: a user is browsing the web when he sees a pop-up window telling him that his Internet connection has timed out and he needs to re-enter his user name and password to re-authenticate. Would the average user question this activity? This is a common means to steal password information.
These examples show that "human nature" can make it trivially easy for an attacker to walk right into your network. Why hack through someone's security system when you can get a user to open the door for you?
Social Engineering Defense
• Develop appropriate security policies
• Establish procedures for granting access, etc., and reporting violations
• Educate users about vulnerabilities and how to report suspicious activity
Social engineering is one of the hardest attacks against which to defend. The weakness is a human one; we want to help people. Technology, such as host perimeter defense products, can provide some protection (for example, anti-virus software to guard against users who run viruses or Trojan software). Your best defense is to establish clear security policies - and enforce them.
• Security policies should establish such things as: the types of access allowed; the people authorized to grant such access; and the circumstances under which exceptions may be granted.
• In addition to policy, you should define procedures for things like activating and deactivating accounts; changing or resetting passwords; and granting additional rights or privileges.
• Finally, educate your users about these types of threats. In most cases, users do not maliciously create security problems; they generally do so out of ignorance. If users are aware of the threats, they can properly guard against them.
Here is a final thought about social engineering. In some sense, all attacks are social engineering. Whatever technology or technique an attacker is using to attack a site, if the attack is noticed, it often has a marked effect. Many people are starting to feel that they cannot keep up, that they cannot defend against the rapidly evolving threat. This is one reason why a course like this one is important: it gives you access to a lot of up-to-date information, packaged so that you can get up to speed and back in the game fast.
Primary Threat Vectors
• Outsider attack from network
• Outsider attack from telephone
• Insider attack from local network
• Insider attack from local system
• Attack from malicious code
A threat is applied against a vulnerability, and that results in a compromise or denial of service. A threat vector is the method a threat uses to get to the target. For example, mosquitoes are the vector for malaria. A countermeasure against malaria (the threat) is to locate and spray mosquito breeding ponds (detection and response) or to invest in mosquito netting (prevention).
As we discuss threats, please try to keep the threat vectors firmly in mind. Once the most important and probable threat vectors have been listed, you can note which ones are handled by current measures and which ones your proposal will address. For example, insider fraud risks are often well controlled by existing separation of duties and audit controls.
Tools That May Be Visiting Your DMZ
• 3 famous Windows Trojans
• Windows viruses that collect info
• Jackal, Queso, and SYN/FIN
• Nmap and Hping
• Unix Worms
As we continue our discussion of well-known attack and scanning tools, I am going to give a bit of a historical perspective. Many of the authors that worked on this file and the entire course were involved in the Department of Defense's Shadow Intrusion Detection team. When we mention these tools, the way we learned about them was watching patterns on the net and then asking questions. Why is this traffic behaving like this? Sometimes we were able to tie a particular pattern, or signature, to a tool. The dates and time frames we are using in this discussion represent when these patterns came to us over the net, as opposed to when the tools were written or developed.
Let me give you an example. We have already discussed Gnutella, but there is a similar tool called Napster, and it uses the default ports of 6699 and 6700. Recently, I was doing intrusion detection work at a U.S. military site in the Pacific and we saw a LOT of traffic. One or two packets were trying to come in from the Internet to these well-known Napster ports, but they were unable to penetrate the perimeter defenses of the military base. Then, boom, a bunch of traffic to or from port 8888. We configured a Snort intrusion detection system to capture the traffic and it had the look and feel of Napster. People were downloading sound files. Apparently, the folks on the base had found a way around the traffic filtering on the firewall by using this alternate port number of 8888. It seemed to be primarily a chat channel, but they were also able to acquire sound files using it. The new port of 8888 was a new pattern to me, but because I had seen a lot of Napster before, it had the look and feel of Napster. If you have an opportunity to run TCPdump or Windump (www.tcpdump.org) and watch the traffic coming to your network, this is a valuable thing to be familiar with.
When you start watching, one thing you will almost certainly see is probes for Trojans. In the next few slides, we are going to look at some of the famous Windows Trojans and discuss their signature over the network. They are: Back Orifice, NetBus, and of course, SubSeven. These are examples of one of the most prevalent threat vectors today, malicious code.
This screenshot is from an attack called w32.leaves; vulnerable computers are being harvested.
What is a Trojan, and how do they work?
How do Trojans work? The user often compromises their computer by clicking on an attachment in an email message or newsgroup. Sometimes they try to hide the Trojan using a file name. One famous variation of the third Trojan we are going to discuss was released in newsgroups as sexxxymovie.mpeg.exe. Imagine folks' surprise when they clicked on it. At that point the computer is compromised and waiting for its master. Older Trojans like Back Orifice and NetBus waited patiently; SubSeven tries to find a master.
From a risk management perspective, if you are infected with a Trojan and are not protected by at least one of the following:
- A firewall
- A personal firewall
- Anti-virus files that recognize the Trojan or Trojan attempt
then your computer system is certain to be compromised and totally under the control of the attacker.
The screenshot is from a famous attack called w32.leaves. In this case attackers would troll the Internet looking for infected systems. Then they would use a master password to break into the computer. An arrest was made in London in August 2001 from a combined effort of the FBI and Scotland Yard.
Trojans
“Driving the Bus”, NETBUS
This screen shot is the result of the NetBus Trojan. Some of the commands that can be issued to the infected system are visible: send arbitrary text, play sounds, turn on the system's microphone to spy on what is being said, and (my personal favorite) opening the CDROM door at will.
NetBus establishes a TCP connection. This can remain active for a long time during periods of low-level activity. Most of the Trojans have control panels similar to this one. The default ports for NetBus are TCP 12345 or sometimes 12346.
It is highly recommended that you memorize these default ports if you do not already know them. It really helps when you know some of the more commonly probed ports and don't have to stop to look them up. That is especially true for SubSeven, the software shown on the next slide. Before the worm traffic overtook it, this was the most commonly probed port in the year 2000, and it is still very active today. The port is 27374 TCP, though it can be changed. This is the default and by far the most common.
SubSeven Client
SubSeven, also known as Sub7 or Backdoor_G, is a Trojan for the Windows platform (9x and NT) and is the primary Trojan being pinged for in the year 2000. The SubSeven download consists of three programs: the SubSeven server, client, and server editor. The server is the part of the Trojan that must be run on the victim's machine for infection to occur. The client is the attacker's device enabling connection to, and control of, those computers running the server.
The screen shot shows the client interface for SubSeven v2.1. With 113+ characteristics, this version provides more attack options than either Back Orifice or NetBus. Attack examples include: recording signals from the victim's microphone, logging keyboard entries, Registry editing, opening FTP sessions (as in the screen shot), starting and recording from a webcam, gathering computer information, executing applications, stealing passwords, and much more.
For the client to connect to a server, the server's IP address is needed. The attacker achieves this by using ICQ if the victim does not have IP hiding enabled, or by using the notification options available on the server. The server will notify the attacker (by e-mail, ICQ, or IRC) that the victim has connected to the Internet.
SubSeven EditServer
This screen shot shows the interface for the SubSeven EditServer program. This facility ups the ante when it comes to detecting SubSeven activity and cleaning SubSeven infections. An attacker can connect to a client and install a newly-configured form of the SubSeven server, and then remove the old one. The new configuration might use a different TCP port, a different autostart mechanism (e.g. Registry, win.ini, etc.), a server filename that varies in size, icon and name, and might notify the attacker that the victim is on-line in a different way.
So, if the server uses varying ports and may appear in disguise, how do we deal with it? Well, typical ports are 1243, 6711, 6712, 6713, 6776, and 27374. Typical filenames are server.exe, rundll.exe, systray.dll, and Task_bar.exe. The problem is that the ports, file names, and file locations can vary. However, the SubSeven server always uses an autostart mechanism involving some combination of entries in system.ini, win.ini, and the Registry, specifically:
HKLM\Software\Microsoft\Windows\CurrentVersion\(Run or RunServices)
The entry "shell=ini" in system.ini, "run=" or "load=" in win.ini, or the registry locations above, will contain a reference to the server program. Cleaning involves removing the offending entries and keys and deleting the server program.
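A triage check for the autostart locations just listed, written as an added example for these notes (it is neither SubSeven's code nor a SANS tool): it scans the win.ini run= and load= lines, the system.ini shell= line, and the Run/RunServices values for the typical server filenames named above. The .ini text and Registry values are constructed samples, and the assumption that a clean Windows 9x shell= line names only Explorer.exe is mine.

```python
# Filenames the slide lists as typical for the SubSeven server. A name match
# is a lead for inspection, not proof: legitimate files can share a name.
SUSPECT_NAMES = {"server.exe", "rundll.exe", "systray.dll", "task_bar.exe"}

# Assumption: on Windows 9x the [boot] shell= line of system.ini normally
# names only Explorer.exe, so any extra program appended to it is suspect.
EXPECTED_SHELL = "explorer.exe"

# Constructed samples for this example, not taken from a real infected host.
WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\Task_bar.exe
NullPort=None
"""
SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\server.exe
system.drv=system.drv
"""
RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": r"C:\WINDOWS\SYSTEM\systray.dll",
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "LoadPowerProfile": "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    },
}


def ini_values(text, section, keys):
    """Yield (key, value) for the wanted keys inside one [section] of an .ini file."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in keys:
                yield key.strip().lower(), value.strip()


def basenames(command):
    """Lower-cased file names referenced by a command line (path stripped)."""
    return {tok.rsplit("\\", 1)[-1].lower() for tok in command.split()}


def audit(win_ini=WIN_INI, system_ini=SYSTEM_INI, run_keys=RUN_KEYS):
    """Return (location, entry, value) for each autostart entry worth a look."""
    findings = []
    # win.ini: run= and load= should be empty on most clean machines; flag
    # them only when they reference one of the typical server names.
    for key, value in ini_values(win_ini, "windows", {"run", "load"}):
        if value and basenames(value) & SUSPECT_NAMES:
            findings.append(("win.ini", key, value))
    # system.ini: anything besides the expected shell on the shell= line.
    for key, value in ini_values(system_ini, "boot", {"shell"}):
        if basenames(value) - {EXPECTED_SHELL}:
            findings.append(("system.ini", key, value))
    # Registry Run / RunServices values referencing a typical server name.
    for path, values in run_keys.items():
        for name, cmd in values.items():
            if basenames(cmd) & SUSPECT_NAMES:
                findings.append((path, name, cmd))
    return findings


if __name__ == "__main__":
    for location, entry, value in audit():
        print(f"{location}: {entry} -> {value}")
```

On a live system the same three checks map onto reading the two .ini files and enumerating the two Run keys; the logic above is unchanged.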
V2.2 will be released soon. Apparently, this will include a whole new concept in infection. Beware.
Trojans Review
• Trojans can penetrate firewalls as email attachments
• SubSeven was the primary Trojan being pinged for in 2000
• Protective tools include: All major anti-virus tools, firewalls, personal firewalls
The good news is that with reasonable precautions you can defend your systems! The major virus software packages are quite good at locating and cleaning Trojans. Also, I strongly recommend you consider the use of personal firewalls.
That concludes our section on Trojans. These next tools are classified as viruses, but what they do is really interesting. If they get onto your computer, they will attempt to FTP information off of your system into the Internet.
• The Caligula virus (also called WM97) is a Word macro virus that searches the Registry for the location of the PGP key ring. When the key ring file is found, it is uploaded to the ftp.codebreakers.org incoming directory.
• Once the computer is infected, Caligula sets the
is also rarely monitored; it just doesn’t seem to be worth the trouble
• Caligula can be detected by checking if the following registry value exists:
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\Caligula
• Picture.exe can be detected by checking for a file called "note.exe" in the Windows directory (this file is created by the Trojan).
As a general rule, to avoid such Trojans and viruses, never run unknown binaries. System administrators should monitor attempted FTP connections to 208.201.88.110 (ftp.codebreakers.org).
Also, to protect your PGP key, never store the secret passphrase on the hard drive. Make sure the passphrase is long and complicated (some PGP front ends offer a "passphrase quality" bar that measures the strength of the passphrase).
For more information about picture.exe and Caligula, read ISS X-Force's advisory:
http://www.iss.net/xforce/alerts.html
Other information-gathering viruses include picture.exe and W97.Marker.A. We will discuss Marker, since it just keeps popping up.
W97M.Marker.A
• Word 97 Virus
– HKEY_CURRENT_USER\Software\Microsoft\MS Setup(ACME)\User Info
– What does it do?
• FTP's what appears to be "worm tracks", a list of the previous systems it has infected
• Could potentially be a valuable reconnaissance tool for developing chains of potential infection
We first discovered this when the intrusion detection system flagged a number of outbound FTPs, all headed to two addresses. Marker was one of the culprits, the one we sorted out first as a matter of fact. It turned out the computers were sending a file out into the Internet containing a list of the Microsoft Office registration information, as well as the Internet addresses of the infection chain. So what?
The interesting thing is that the information could potentially be used to target a specific desktop with a virus or Trojan. If someone didn't have good anti-virus software once, they might not again, and by knowing who sends what to whom, you actually might be able to arrange to target a virus-infected host. That would be a neat trick.
On your slide you see some strange formula, starting with HKEY. What is that? It's a Windows Registry entry. How do you examine a Registry entry? With regedit, found in your Windows Explorer: just hit CTRL F and type in regedit.
Important safety tip: your Registry is very important to the operation of your computer. You should make a backup of your computer, or at least ensure you have an updated Emergency Recovery Disk handy. On the other hand, hopefully you are just going to look and not edit anything. How else can you learn?
The Registry entry on your slide is for an Office97 computer running Windows98, so you might have to goof around a bit on an NT 4.0 with Office 2000. The acme stuff is under HKEY_LOCAL_MACHINE, but learning is what it is all about. Anyway, should you find your way to User Info, check and see if the value of the key is LOGFILE = True. This could be an indication of compromise by the virus. Of course, you could just run an updated mainstream anti-virus software package and be done with it.
Using tools like these to capture information from your disk is not going to end, because it works and is fairly low risk. There are other types of reconnaissance that require scanning from the outside. These generally must operate with a fairly obvious signature, though as we will see, there are ways to stealth their activity.
Enter the Jackal 1997
/* Jackal - Stealth/FireWall scanner With the use of
half open ports and sending SYNC (sometimes additional
flags like FIN) one can scan behind a firewall It
shouldn’t let the site feel we're scanning by not doing a
3-way-handshake; we hope to avoid any tcp-logging.
Credits: Halflife, Jeff (Phiji) Fay, Abdullah Marafie.
Alpha Tester: Walter Kopecky.
Results:
Some firewalls did allow SYN | FIN to pass through No
Site has been able to log the connections though during
alpha testing.ShadowS shadows@kuwait.net
Copyleft (hack it; i really don’t care).
*/
Opening comments - Jackal.c
Jackal was the first software package I became aware of that was commonly used for SYN/FIN scanning. As you know, the three-way handshake begins with a packet with SYN as the only TCP flag set. However, it turns out that a number of operating systems, including Windows and many Unix systems, will respond to a packet with both SYN and FIN set. This was a significant improvement on the half-open style scan.
A SYN is used to initiate a connection; a FIN is used to tear a connection down. It isn't logical for the two to be used together! So we have this situation where the tool gets good results and yet is easy for the analyst to find. TCPdump, the software sniffing tool used in the Shadow intrusion detection system, could detect the SYN/FIN just fine. In fact, we had been scratching our heads for weeks wondering what was generating such a strange pattern. Over the years, and this dates back to late 1996, we have seen hundreds of variations of SYN/FIN. Why? One reason is that it works.
In the same way that many hosts will respond to the combination even though they really shouldn't, it turns out that many perimeters would allow these packets to pass, since they were only looking for packets with SYN alone.
It may be true that SYN/FIN penetrates some firewalls and filtering routers, but it didn't penetrate proxy-based firewalls such as TIS's (now NAI's) Gauntlet or Secure Computing's Sidewinder. When I got the scoop on Jackal, I spent a lot of hours reading sniffer logs from both sides of these firewalls.
Sons of Jackal Continue to be Seen
Source Port 0 and 65535
12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512
16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512
13:10:33 iquery.65535 > 192.168.2.3.111: SF 111:111(0) win 1024
SF - SYN = Synchronize or Start; FIN = Finish or Stop
The attacks shown on your screen are signatures against buffer overflows of well-known services. Again, we know the signature; if you were to pull the Snort intrusion detection system signatures, you would find a SYN/FIN rule, since it is that common.
So, we could debate the effectiveness of Jackal and the software that followed its lead, but from an intrusion detection point of view, the key point is that source port zero and SF set are a good signature. In fact, they are a great signature. Now, if SYN/FIN isn't logical, why do we see it on the network? Are these packets being crafted? The answer is, of course they are. Almost all software that creates crafted packets leaves an easily discovered signature. On this slide, the fixed sequence number of 111 lets us know this particular exploit script is being used.
Therefore, to reiterate: the primary purpose(s) of the SF must be to avoid getting logged and to evade filtering devices.
As of April, 1999, attacks have been seen not just to IMAP (143) or NFS (2049), but also to FTP (TCP port 21) and DNS TSIG (TCP 111).
Queso and Friends
http://www.apostols.org/projectz/queso/
Queso sends packets with unexpected code bit combinations to determine the operating system of the remote computer. Currently, they claim to be able to distinguish over 100 OSes and OS states.
Queso pattern is shown on notes page.
I really do have to hand it to the attacker community; they never cease to amaze me with their creativity. When I first heard of queso, I just had to shake my head in wonderment. I found it really hard to believe that by sending a mere six packets with some odd header combinations, including our friend SYN/FIN, and by watching the responses you got back, it was possible to determine the operating system. That is brilliant! This process is called stack analysis or TCP fingerprinting, and it is remarkably successful. However, because the process requires sending unexpected or illogical patterns (such as SYN/FIN together), it sometimes also serves as a denial of service for devices with TCP stacks that are ill-prepared to handle these patterns. They just crash. The exact queso pattern is shown below.
From the Queso page, the Queso scan pattern:
0 SYN * THIS IS VALID, used to verify LISTEN
6 SYN+XXX+YYY * XXX & YYY are unused TCP flags
All packets have a random seq_num and a 0x0 ack_num
06:41:24srn.com.113 > 172.21.32.83.1004: S 405:405(0) ack 674 win 8192
06:42:08 srn.com.113 > 192.168.83.15.2039: S 233:233(0) ack 674 win 8192
The initiating SYN connections were never sent, but SYN-ACKs are received.
06:44:09 srn.com.113 > 192.168.162.67.2226: S 76:761(0) ack 674 win 8192 06:44:09 192.168.162.67.2226 > srn.com.113: R 674:674(0) win 0
Result
Network Mapping
Using TCP SYN-ACK packets
This slide demonstrates the TCP half-open scan pattern. Before we talk about how this works, let's do a quick refresher on the TCP three-way handshake that is diagrammed in your notes pages.
Three-way handshake: A wants to talk to B, so A sends a packet with the SYN flag set. B says OK, I will talk with you, and acknowledges A's SYN with a SYN/ACK. A says great and acknowledges B's SYN/ACK with an ACK, and the conversation begins.
is wrong. TCP is stateful, and so 192.168.162.67 knows he never sent a SYN or active open packet (recall this is the first step in the three-way TCP handshake). He figures this packet must be a mistake and sends a RESET (the "R" in the second line) to say break off communications, something is wrong here. This gives away his existence to srn.com. Now, this pattern is USUALLY seen as a result of a denial of service attack; however, if these packets are able to penetrate your net you still give away mapping information.
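The check a monitoring analyst would run over a trace like the one above, written as an added example (not code from the original course): it parses tcpdump-style lines, remembers the plain SYNs the local side actually sent, flags SYN-ACKs that no such SYN explains, and records which hosts gave themselves away by answering with a RST. The sample trace is constructed, modelled on the srn.com lines on the slide plus one legitimate handshake for contrast.

```python
import re

# Parses tcpdump-style lines of the form used on this slide:
#   HH:MM:SS src.port > dst.port: FLAGS seq:seq(len) [ack N] win W
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s*(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)\s+\d+:\d+\(\d+\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
)

# Constructed sample: a genuine handshake (SYN then SYN-ACK), then three
# unsolicited SYN-ACKs modelled on the slide, and the RST the last target sent.
SAMPLE_TRACE = [
    "06:40:00 10.0.0.5.40001 > www.example.com.80: S 1000:1000(0) win 8192",
    "06:40:00 www.example.com.80 > 10.0.0.5.40001: S 5000:5000(0) ack 1001 win 8192",
    "06:41:24 srn.com.113 > 172.21.32.83.1004: S 405:405(0) ack 674 win 8192",
    "06:42:08 srn.com.113 > 192.168.83.15.2039: S 233:233(0) ack 674 win 8192",
    "06:44:09 srn.com.113 > 192.168.162.67.2226: S 761:761(0) ack 674 win 8192",
    "06:44:09 192.168.162.67.2226 > srn.com.113: R 674:674(0) win 0",
]


def analyze_synack_scan(lines):
    """Return the unsolicited SYN-ACKs seen and the hosts whose RST replies
    revealed their existence to the sender of those SYN-ACKs."""
    outbound_syns = set()   # (src, sport, dst, dport) of plain SYNs in the trace
    unsolicited = []        # (ts, scanner, target) for SYN-ACKs with no prior SYN
    probed = set()          # (scanner, target) pairs from the list above
    revealed = []           # targets that answered the bogus SYN-ACK with a RST
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], m["sport"], m["dst"], m["dport"]
        if "S" in m["flags"] and m["ack"] is None:
            outbound_syns.add((src, sport, dst, dport))
        elif "S" in m["flags"]:
            # A genuine SYN-ACK answers a SYN travelling the other way.
            if (dst, dport, src, sport) not in outbound_syns:
                unsolicited.append((m["ts"], src, dst))
                probed.add((src, dst))
        elif "R" in m["flags"] and (dst, src) in probed:
            revealed.append(src)   # the RST's sender is the mapped host
    return {"unsolicited": unsolicited, "revealed": revealed}


if __name__ == "__main__":
    for key, value in analyze_synack_scan(SAMPLE_TRACE).items():
        print(key, value)
```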
This is a small sample of a massive pattern detected at several sites. All the packets were NetBIOS to TCP 139. They claimed to come from a number of source addresses. It was the picture-perfect coordinated attack, a large number of attackers to several sites. There was only one problem; it was too perfect. The more we examined the various header fields of the packets, the more we were struck by the similarity of header fields, and how easy it was to define the signature for this traffic.
So, we started looking at the traffic more closely. One of the header fields is the 'time to live', or TTL field. This is a very important field. As a router passes a packet on its way, it is supposed to decrement the TTL field. Once the TTL field reaches 0, the packet is no longer forwarded by routers. This way, there shouldn't be lost packets traveling forever on the Internet like that poor soul who got lost on the MTA in Boston and never returned. Now, if these scans were actually originating from sites all over the Internet, and possibly from different operating systems as well, we should see, over thousands of these packets, some variation in the TTLs.
In the notes pages are the Time To Live fields from the traces in the previous slide. Notice how they cluster around 120. This is not expected behavior. This is also fixed in the nmap 2.08 release that has a decoy function so that the decoy TTLs are random.
Analysis credit to Army Research Lab
TTL
So we started comparing the TTL value with the hop count back with a traceroute. This isn't good science, but over time, the clustering TTLs and the hops back convinced us to call our CIRTs and tell them we really didn't think these scans were genuine. So what was the point? Apparently, someone was playing some sort of mind game. In information warfare, this is called perception management or PSYOP, for psychological operation. As an interesting side note, HD wrote me a day or two after we came to this conclusion and said he had found a vulnerability in nmap's decoy generator, that it didn't vary the TTL, but not to worry, it would be fixed in the next release. Gee, thanks!
Destination IP Address: 172.20.224.77
Traceroute Back: Timeout occurred after 10/7/7 hops
Expected Traceroute hops: 10
Destination IP Address: 172.20.204.154
Traceroute Back: 12/10/11 hops
Expected Traceroute hops: 8
Destination IP Address: 192.168.212.123
TTL: one connection 115, 3 connections 116
Traceroute Back: 14/13/12 hops
Expected Traceroute hops: 12-13
Destination IP Address: 172.20.122.157
Traceroute Back: Timeout occurred after 12/11/11 hops
Expected Traceroute hops: 8
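The TTL-versus-traceroute comparison described above, as an added example (not the Army Research Lab's analysis code): for each claimed source it infers the hop count the TTL implies (assuming the common initial TTLs 64, 128 and 255) and compares it with the hop count measured by tracerouting back; across all sources it also reports whether the TTLs cluster the way the slide describes. The sample rows are constructed, loosely modelled on the entries above; the tolerance and cluster width are assumed thresholds.

```python
from statistics import median

# Common initial TTLs; an observed TTL is attributed to the nearest one above it.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: (claimed source, observed TTL, hops from repeated traceroutes).
SAMPLES = [
    ("172.20.204.154", 120, [12, 10, 11]),   # TTL implies 8 hops, traceroute says ~11
    ("172.20.122.157", 120, [12, 11, 11]),   # TTL implies 8 hops, traceroute says ~11
    ("192.168.212.123", 116, [14, 13, 12]),  # TTL implies 12 hops, traceroute agrees
    ("10.9.8.7", 119, [9, 9, 9]),            # TTL implies 9 hops, traceroute agrees
]


def implied_hops(observed_ttl):
    """Hops the packet appears to have crossed, inferred from the TTL alone."""
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start - observed_ttl
    raise ValueError("TTL cannot exceed 255")


def assess_scan(samples, tolerance=2, cluster_width=8):
    """Per source: does the TTL-implied hop count agree with the measured path
    back to the claimed address?  Across sources: do the TTLs cluster, which
    is not what independent hosts all over the Internet would produce?"""
    per_source = []
    for src, ttl, traces in samples:
        implied = implied_hops(ttl)
        measured = median(traces)     # median damps a single odd traceroute run
        per_source.append({
            "source": src,
            "implied_hops": implied,
            "measured_hops": measured,
            "consistent": abs(implied - measured) <= tolerance,
        })
    ttls = [ttl for _, ttl, _ in samples]
    spread = max(ttls) - min(ttls)
    return {
        "per_source": per_source,
        "decoy_suspects": [r["source"] for r in per_source if not r["consistent"]],
        "ttl_spread": spread,
        "clustered": len(samples) >= 3 and spread <= cluster_width,
    }


if __name__ == "__main__":
    result = assess_scan(SAMPLES)
    print("suspect decoys:", result["decoy_suspects"])
    print("TTL spread:", result["ttl_spread"], "clustered:", result["clustered"])
```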
Worms
• Attack system through known holes
• Automatically scan for more systems to attack.
• Lower system defenses, install a root shell or rootkit, and/or let the attacker know the system has been attacked.
Viruses have a limitation; they generally depend on the actions of a system user to spread. That user might have to download and run an application, open and run an email attachment, or insert and read or boot from an infected floppy. If the user never does one of the above, the virus can't spread.
Think of a worm as a virus on autopilot. A worm doesn't need a user to do anything to spread.
Here's how a worm commonly spreads:
1) The worm scans a large number of systems for one or more vulnerabilities.
2) Once it has found a system that has a vulnerability it recognizes, it attacks the remote system with a tool written to exploit that hole.
3) After breaking in, it tells the remote system to download a fresh copy of the virus code (either from the attacking system itself or from a web server) and tells it to run some commands that perform some actions on the attacked system.
4) Finally, the attacked system starts scanning for even more systems to attack – go back to step 1.
If each scan resulted in just 5 infected systems, we'd start off with just the worm author's system (1), end up with (1 + 5) = 6 systems after the first round, (1 + 5 + 5*5) = 31 systems after the second round, (1 + 5 + 5*5 + 5*5*5) = 156 systems infected after the third round, and so on. We might very well get to thousands of systems infected and scanning for more within five or ten minutes of the original infection. The worm might commonly do any of the following on the attacked system: let the original attacker know about this new infected system by sending them an email with this system's address, include a copy of the system password files for easy breaking later, open up backdoors for easy access, deface web pages on the system, and replace system binaries such as netstat, ls, and ps so the administrator can't tell whether the system is infected. They could do almost anything to the system, up to and including deleting all the files on the system, but rarely get that destructive because they don't want to.
Ramen Worm
• Attacks Redhat Linux through holes in file and printer sharing services.
• Minor defacement to web pages.
• Mails off password files to two email accounts.
This worm showed up in January, 2001. It looks for three specific vulnerabilities in Redhat Linux 6.2 and 7.0 only. Note that these were known vulnerabilities; patches for each of them had been made available for at least three months. Systems with these patches applied were not vulnerable to this worm.
Once it broke into the system, it:
- replaced all web pages on the system with one that said "Hackers looooooooove noodles" and had an image of a package of Ramen noodles
- mailed off the password files to two email accounts, presumably owned by the attacker
- replaced ps and netstat with versions that would hide the existence of Ramen
- installed and ran a Stacheldraht (Distributed Denial of Service) agent
- closed the holes that it used to break in
That last action might seem strange – why would a worm want to close a hole on the attacked system? There are two main reasons. The most important is that a worm needs some way to stop itself from infecting a given system more than once. If it didn't, the worm would go on forever, infecting and re-infecting systems, eventually chewing up all the resources of the given systems and their networks. The original Morris Internet worm failed to correctly check if it had infected a system and did exactly that, crippling the Internet for a day or so. Closing the holes is the easiest way to prevent this.
The second reason is that the attacker may not want other attackers to get into the system, so he/she can build up a collection of "owned" systems.
SANS has more details about this worm at http://www.sans.org/y2k/ramen.htm
Lion Worm
• Breaks in via bind vulnerability.
• Opens up root shells and a
- It replaces 12 system tools with versions that hide itself.
- Depending on the version, it may install the t0rn rootkit or TFN2K.
SANS has more details about this worm at http://www.sans.org/y2k/lion.htm
Handling Worms
Can be stopped by:
• Shutting down unneeded services
• Closing existing vulnerabilities
• Shutting down web server where fresh copies of virus found
• Removal
How hard is it to protect your systems? It's easy:
Apply the recommended updates from your software vendor!
Worms depend on being able to exploit vulnerabilities that have generally been out for a while, and have patches available to fix those vulnerabilities. If everyone had kept their systems current with updated versions of these software packages, Ramen and Lion would never have been able to infect a single system.
Also, take the time to turn off any services on your system(s) that aren't truly needed. This reduces your risk during the short period between when a vulnerability is announced and when you install the vendor-supplied updates.
One other way to limit the spread of a specific virus is to close the source of the code; if it comes from a web server, the owner of that server may be persuaded to stop serving up that file. Unfortunately, the virus may have several hours to spread before the server can stop serving those files, and viruses don't always use this method of distribution.
After a system has been infected, there are two choices for removal. The obvious answer of backing up one's data, wiping the drive, reinstalling the operating system, applying patches, and restoring one's data is the way that's most certain to completely remove the worm, but takes a lot of time and effort. SANS and the Institute for Security Technology Studies [http://www.ists.dartmouth.edu/] have made removal tools available for Ramen and Lion, as well as the recent Adore and Butcher worms. Details about the worms and these removal tools can be found at http://www.sans.org/y2k/ramen.htm, http://www.sans.org/y2k/lion.htm, and http://www.sans.org/y2k/adore.htm
Well, we have talked about a number of things, let’s see if we can wrap this up in a nice tidy package!
techniques have become more effective over time. We talked about Jackal and how it used SYN/FIN to attempt to penetrate firewalls or filtering routers and evade logging as an early entry into the field, along with the "stealth" TCP half scans.
Over time, we saw the techniques become more refined, and we also learned that these illogical flag combinations could be used for stack analysis or TCP fingerprinting to determine the operating system.
Finally, we considered stealth again, and pointed out that one way to achieve low and slow was to use multiple source addresses working together to scan the target system. This is the so-called coordinated attack.
Attack History (2)
• 1999
– Database analysis capability
– Continued work on distributed scanners
– Decoys, decoys, decoys
– Advanced scans for Trojans
• 2000 Distributed Denial of Service
• 2001 New Worms and a Worm toolkit
Then we have 1999, an interesting year. One advance is the database capability. Scanning can produce a considerable volume of raw data. Slicing, dicing, and fashioning this data into useful information can be a lot of work. Nlog provides a web based interface to a database for analysis of the data.
Decoys are a pretty significant advance. It shouldn't be a surprise; deception is a technique common to all kinds of warfare. Decoys are going to be very challenging for analysts and CIRTs alike.
In mid-1999, we saw multiple cases of really strange scans, both ICMP and also TCP or UDP to really screwball ports. Many of these have what is apparently encrypted content. My best guess is that some of this traffic is related to Trojan acquisition or tasking.
The year 2000 brings us to a whole new culmination of distributed attacks. In March of 2000 we learned that we could no longer ignore the work that had been going on to develop new attack tools that worked together to increase their firepower - distributed denial of service or DDoS tools. A single teenager in Canada was able to crush major Internet sites like Yahoo and CNN. In September, 2000 we were investigating the possibility that Windows Trojans were involved in these attacks.
Do you remember the discussion of SubSeven and sexxxymovie.mpeg.exe? This was one of these tools that was planted in systems. During the Lion worm run, one variation of that software included distributed denial of service tools. As systems are compromised they may be set aside for attacking others later.
The concept of a worm is not new, but in 2001, the creation of these was hastened with the development of worm tool kits: all you needed was a new vulnerability, or even an old one, and it was possible to create a new worm.
Firewalls can be Avoided
• Backdoors
• Malicious code
• Malformed packets
Have we made our point? Since firewalls can be avoided, we need to find our vulnerabilities before attackers do.
We realize that you have just seen more threat tools in an hour than you probably would want to consider in a month, but it is critical that we understand and are able to enumerate the ways in which firewalls and other perimeter protections can be avoided.
Vulnerability Scanners
What are they generally
• Target, scanners must only scan systems you own
• Scan, “test for services”, multiple ports
The cardinal rule of scanning or vulnerability assessment is to be certain to only scan systems that you own and are authorized to scan. Otherwise, you will be setting off someone else's intrusion detection capability, and that is hardly a good idea.
If you are shopping for a scanning toolset, it is reasonable to assume that any of the big three (ISS, NAI, and Symantec) scan for the same number of vulnerabilities. They will all come up with false positives that have to be investigated manually. Before you plunk your money down, there are four things you really want to consider:
• How is the product licensed? Is this flexible enough for your planned growth? Can it be upgraded easily?
• How interoperable is the product? Is it fully Common Vulnerabilities and Exposures (CVE) compliant?
• Can you easily compare the results of a scan today with the results of one four weeks ago, or is this a manual process?
• Does your manager like the report output?!?