Internet Threat Brief – SANS GIAC LevelOne © 2000

Slide 1: Intrusion Detection Overview and Trends in Internet Attacks
Bad things that happen to good organizations!

Hello. My name is Stephen Northcutt. Today we are going to discuss some of the common attacks levied against individuals and organizations who are on the Internet. Though this is a tool-oriented technology brief, I would like to state one thing up front: tools are not attacking your sites, people are. There are a large number of loosely organized, skilled individuals across the Internet who are focused on building and using attack tools to take over systems and use them for their own purposes. We will demonstrate that these attacks range from your home computer connected to your ISP all the way to the largest and most advanced organizations on the Internet. To get the most out of this briefing you should have completed the IP Concepts and IP Behavior courses. However, we will explain the material as we go.

Slide 2: Outline
• Modems and what they mean
• Trojans
• Scanning and attack tools
• What do those tools mean
• What I’m doing

Important public safety announcement: we are going to mention several tools during this talk. We will even provide URLs for some of these so that you can use them to test these techniques out yourself. Keep in mind, you could end up in trouble if you misuse these. An important lesson to share is that you should always test attack tools in a lab environment, never on a live network. Over the years I have been amazed at how well I can break networks simply by scanning them. Needless to say, the owners of the networks are not always overjoyed, and it is great to be able to demonstrate that I tested them in a lab BEFORE I let them loose on a live, production network. Also, please, only test on your own network; don’t probe systems that you do not own.
People really do get fired and even prosecuted; be certain to have permission before testing any attack or scanning tool.

Slide 3
[Diagram: INTERNET, ISP, Firewall]
The more restrictive a site’s firewall policy, the more likely the employees will use modems.
PCs ship with fast modems as standard equipment.

You just about can’t buy a system today without a 56K modem built in. Firewalls are not magical; they can be penetrated and subverted in a number of ways. PCs with modems, however, are number one in the subvert-a-firewall hit parade. There are at least two problems with modems inside a firewall: 1) leaving the modem on auto-answer, and 2) having attackers scan you when you use them to connect to the Internet.

The first case (auto-answer) is well understood. If the modem is left in this mode, then an attacker may locate it with a wardialer and access the site. Perhaps the best defense for this is to sweep your site for modems periodically. Phonesweep is a commercial war dialer available at http://www.sandstorm.net.

The second modem risk is exposed when a system makes a connection to an ISP: it is a fully functional, bi-directional network connection. Many sites understand some or all of the information-gathering probes and attacks that can be directed against Windows machines, and block NetBIOS with their filtering firewall or router. However, a system connected to an ISP is not protected by the firewall, and all of the NetBIOS techniques we have discussed can be directed at this system. If you have a need to connect to an ISP from your organization, consider the use of BlackICE Defender, Norton Internet Security, McAfee Personal Firewall or similar software to protect these vulnerable systems. (Editor’s note: These products are discussed later in the Security Essentials course. – JEK)

Slide 4: Finding Unprotected Shares - Legion
Legion is available from rhino9.ml.org for $10.00.
This tool is recommended for any system administrator or security professional responsible for a site with Windows systems. Just remember to test it in a lab and get WRITTEN permission BEFORE you run it, or the tag line of your next career may be: “Would you like fries with that order?” (Editor’s note: The Rhino9 web site is no more; Legion can still be found by doing an Internet search. Always exercise caution when downloading ‘hacker’ tools; make sure you trust the source of the tool and can verify that it is authentic and does not contain Trojans or other surprises. – JEK)

What does Legion do? The software can detect unprotected or poorly protected shares. Poorly protected shares may allow an attacker access to files. Depending on this access, this may mean the ability to compromise the system. It certainly could mean the ability to defeat two of the primary security pillars: confidentiality and integrity. Confidentiality would be breached if they could read the files; integrity would be compromised if they could modify the files.

Unprotected files are certainly not the only approach to attacking Windows systems on the Internet. I continue to be amazed how well null sessioning works to get user names, and how easily brute force attacking yields weak passwords. Many of you know about shares and null sessions and have figured “so what, we have a firewall and we block NetBIOS”. This is good, but if one system that connects to the Internet via modem gets compromised, it can be used as a springboard to run against your entire network from the inside. Again, the simplest way to subvert a firewall is with a system and a modem inside a facility.

Slide 5: Tools That May Be Visiting Your DMZ
• Trojans
• Jackal
• Queso, “Passive Queso”
• Nmap
• Hping

As we continue our discussion of well known attack and scanning tools, I am going to give a bit of a historical perspective.
Please keep in mind, the Shadow team was never a group that downloaded exploits all day long to see what they did. So, if you send email after the webcast asking if I have goofed with this or that exploit, the answer is probably no. I don’t possess a big library of attack tools. The perspective we bring when we mention these tools is that we watched patterns on the net and then asked questions. Why is this traffic behaving like this? Sometimes we were able to tie a particular pattern, or signature, to a tool. The dates and time frames we are using in this discussion represent when these patterns came to us over the net, as opposed to when the tools were written or developed.

Slide 6: Trojans
This is Roland’s home computer, connected to an ISP

Legal disclaimer: I don’t possess the artsy skills to edit the bit map on this screen to change the Internet address of the attacker to a private address. So, as they say in novels, any resemblance to a real Internet address is purely coincidental.

The two most common, or well known, Trojans are Back Orifice and NetBus. Another important Trojan that needs discussion is SubSeven. The screen shot on your slide is from a wonderful program called BackOfficer Friendly by the folks at NFR (www.nfr.net). Before we move to NetBus, I would like to emphasize that your home computer system is also at risk. Attackers sweep the ISP dial-ins looking for vulnerable systems. Here’s the log:

Sun May 30 19:31:10 BO PING sweep attempted by 172.20.229.47
Sun May 30 20:19:24 BO TYPE_SYSLISTPASSWORDS attempted by 172.20.229.47
Sun May 30 20:19:29 BO TYPE_SYSENDKEYLOG attempted by 172.20.229.47
Sun May 30 20:19:29 BO TYPE_FILEDELETE attempted by 172.20.229.47

Slide 7: Trojans “Driving the Bus”, NETBUS
This screen shot is the result of the NetBus Trojan.
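As an added example (not code from the brief or from NFR), here is a small Python parser for BackOfficer Friendly log lines in the format shown on the Trojans slide above; the sample lines are constructed, and the rule that any command following a PING sweep counts as escalation is my own, not a feature of the tool.

```python
import re
from collections import defaultdict

# Constructed sample of BackOfficer Friendly log lines in the format shown in the
# brief ("<day> <time> BO <command> attempted by <source>"); addresses are private.
SAMPLE_LOG = """\
Sun May 30 19:31:10 BO PING sweep attempted by 172.20.229.47
Sun May 30 20:19:24 BO TYPE_SYSLISTPASSWORDS attempted by 172.20.229.47
Sun May 30 20:19:29 BO TYPE_SYSENDKEYLOG attempted by 172.20.229.47
Sun May 30 20:19:29 BO TYPE_FILEDELETE attempted by 172.20.229.47
Sun May 30 21:02:11 BO PING sweep attempted by 10.1.2.3
"""

# "PING sweep" carries an extra word after the command; other commands do not.
LINE_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) BO (?P<cmd>\S+)"
    r"(?: sweep)? attempted by (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_bof_log(text):
    """Return one dict (when, cmd, src) per well-formed line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize_by_source(events):
    """Group the commands each source address attempted, in the order seen."""
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev["src"]].append(ev["cmd"])
    return dict(per_src)

def escalated_sources(events):
    """Sources that went beyond a bare PING sweep: a follow-up command means the
    scanner liked the answer it got and came back to use what it took for a server."""
    return sorted(src for src, cmds in summarize_by_source(events).items()
                  if any(c != "PING" for c in cmds))
```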
Some of the commands that can be issued to the infected system are visible: send arbitrary text, play sounds, turn on the system’s microphone to spy on what is being said, and (my personal favorite) opening the CDROM door at will. NetBus establishes a TCP connection; this can remain active for a long time during periods of low level activity.

Slide 8: SubSeven Client
SubSeven, also known as Sub7 or Backdoor_G, is a Trojan for the Windows platform (9X and NT) and is the primary Trojan being pinged for in the year 2000. The SubSeven download consists of three programs: the SubSeven server, client, and server editor. The server is the part of the Trojan that must be run on the victim’s machine for infection to occur. The client is the attacker’s device enabling connection to, and control of, those computers running the server.

The screen shot shows the client interface for SubSeven v2.1. With 113+ characteristics, this version provides more attack options than either Back Orifice or NetBus. Attack examples include: recording signals from the victim’s microphone, logging keyboard entries, Registry editing, opening FTP sessions (as in the screen shot), starting and recording from a webcam, gathering computer information, executing applications, stealing passwords and much more.

For the client to connect to a server, the server’s IP address is needed. The attacker achieves this by using ICQ if the victim does not have IP hiding enabled, or by using the notification options available on the server - the server will notify the attacker (by e-mail, ICQ, or IRC) that the victim has connected to the Internet.

Slide 9: SubSeven EditServer
This screen shot shows the interface for the SubSeven EditServer program. This facility ups the ante when it comes to detecting SubSeven activity and cleaning SubSeven infections.
An attacker can connect to a client and install a newly-configured form of the SubSeven server, and then remove the old one. The new configuration might use a different TCP port, a different autostart mechanism (e.g. Registry, win.ini, etc.), a server filename that varies in size, icon and name, and might notify the attacker that the victim is on-line in a different way.

So, if the server uses varying ports and may appear in disguise, how do we deal with it? Well, typical ports are 1243, 6711, 6712, 6713, 6776 and 27374. Typical filenames are server.exe, rundll.exe, systray.dl, and Task_bar.exe. The problem is that the ports, file names, and file locations can vary. However, the SubSeven server always uses an autostart mechanism involving some combination of entries in system.ini, win.ini and the Registry, specifically:

HKLM\Software\Microsoft\Windows\CurrentVersion\(Run or RunServices)

The entry “shell=” in system.ini, “run=” or “load=” in win.ini, or the registry locations above, will contain a reference to the server program. Cleaning involves removing the offending entries and keys and deleting the server program. V2.2 will be released soon. Apparently, this will include a whole new concept in infection…Beware.

Slide 10: Trojans Review
• The most well-known Trojan programs are Netbus and Back Orifice
• SubSeven is the primary Trojan being pinged for in 2000
• Protective tools include: all major anti-virus tools, NukeNabber, Back Officer Friendly, and ZoneAlarm

To review the material on Trojans, the most common infection vector is by email. An unwitting individual opens an attachment and then they have the active Trojan. However, the attacker still has to find the system, unless they had a way of being certain which system was infected. This is the reason there is a lot of scanning activity looking for Trojans.
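An added example, not from the brief: a Python checker that applies the SubSeven autostart rule from the EditServer slide above to copies of system.ini, win.ini and the Run/RunServices values (passed in as text and a dict, so it runs offline on any platform). The file contents are constructed, and the rule that shell= may launch only Explorer is an assumption I added beyond the brief’s list of filenames.

```python
import re

# Filenames the brief lists as typical SubSeven server names (compared case-insensitively).
KNOWN_SERVER_NAMES = {"server.exe", "rundll.exe", "systray.dl", "task_bar.exe"}
# Autostart locations the brief says the server always uses some combination of.
INI_KEYS = {"system.ini": ("shell",), "win.ini": ("run", "load")}
REG_BASE = r"HKLM\Software\Microsoft\Windows\CurrentVersion"
REG_KEYS = (REG_BASE + r"\Run", REG_BASE + r"\RunServices")

# Constructed sample inputs: shell= and Run carry trojan names; SysTray.Exe is the legitimate program.
SAMPLE_INI = {
    "system.ini": "[boot]\nshell=Explorer.exe C:\\WINDOWS\\systray.dl\n",
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\Task_bar.exe\n",
}
SAMPLE_REGISTRY = {REG_KEYS[0]: {"SystemTray": "SysTray.Exe", "Loader": "C:\\WINDOWS\\rundll.exe"}}

def _basenames(value):
    """Split a value into program tokens and return their lower-cased basenames."""
    return [tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            for tok in re.split(r"[\s,]+", value.strip()) if tok]

def _flag(key, names):
    """Known server names are always flagged; shell= may launch only Explorer (assumption), so anything else there is flagged too."""
    hits = set(names) & KNOWN_SERVER_NAMES
    if key == "shell":
        hits |= {n for n in names if n != "explorer.exe"}
    return sorted(hits)

def ini_entries(text):
    """Yield (key, value) pairs from ini text, skipping comments and section headers."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip().lower(), value.strip()

def find_autostart_suspects(ini_files, registry):
    """ini_files: {filename: text}; registry: {key_path: {name: data}}. Returns (location, value, hits) triples."""
    findings = []
    for fname, keys in INI_KEYS.items():
        for key, value in ini_entries(ini_files.get(fname, "")):
            hits = _flag(key, _basenames(value)) if key in keys else []
            if hits:
                findings.append((f"{fname}:{key}=", value, hits))
    for path in REG_KEYS:
        for name, data in registry.get(path, {}).items():
            hits = _flag("registry", _basenames(data))
            if hits:
                findings.append((f"{path}\\{name}", data, hits))
    return findings
```

Each finding names the entry to remove and the program file to delete, which is the cleaning step the slide describes; a hit on an unfamiliar name in shell= still deserves a look, since the brief notes the filename can change.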
The two well known Trojans, Netbus and Back Orifice, have equally famous default ports of 12345 and 31337, but they can exist at other ports, and there are a large number of Trojans, including variations of these. Most recently, we have been evaluating scans that appear to be looking for Trojans, but are using a variety of destination ports – making it more difficult to write a filter for these scans. Furthermore, examples such as SubSeven show that destination ports may change from case to case.

The good news is that with reasonable precautions you can defend your systems! The major anti-virus software packages are quite good at locating and cleaning Trojans. Also, I strongly recommend you consider the use of personal firewalls – several of these are listed on the slide. That concludes our section on Trojans. We will now take a look at some additional scanning and exploit tools that have obvious network signatures. First, we will review the format of a network trace.

[...]
... confuse low-end intrusion detection systems and untrained analysts
• CIRTs are going to need raw data from detects

Slide 31 (notes): I hope I have convinced you that there is an Internet threat, and that threat could affect you or your organization. Sites that have no intrusion detection systems, that do not collect raw data, and are lacking trained analysts are going to have ...

... moving to 2048-bit encryption

Slide 32 (notes): Intrusion detection is an important tool in countering the Internet threat. Without intrusion detection, it never would have been possible to create this brief. Nearly all the information in this brief was detected by the Shadow Intrusion Detection system. There are plenty of folks with ideas about what an IDS does and ...
... port scanning and spoofing simultaneously, by crafting packets and analyzing the return

Slide 21 (notes): Hping is a “network analysis tool” that fits ping’s ICMP concept to TCP and UDP. An hping user can craft packets with a customized destination and source port, window size, identification field, TCP flags (UAPRSF) and more. Results are returned like ping. Spoofed ...

... to stealth scanning: low and slow, and covert channels. Covert channels involve hiding information in packet headers, or in what is called null padding, and can be a handy way to synchronize with Trojans. Low and slow is just what it sounds like; there comes a point somewhere between 3 and 7 packets per hour at which it is no longer practical to search for scans unless you have a data mining capability. Now, ...

... packets traveling forever on the Internet like that poor soul who got lost on the MTA in Boston and never returned. Now, if these scans were actually originating from sites all over the Internet, and possibly from different operating systems as well, we should see thousands of these packets, and some variation in the TTLs.

Slide 23: TTL
In the notes pages are the Time To Live fields from the traces in the previous ...

... Does It Mean?
• 1997
  – Stealth, resist logging
  – Penetration, evade SYN matching
• 1998
  – TCP Fingerprinting - stack analysis
  – Coordinated attacks

Slide 25 (notes): Keeping in mind the date caveats given earlier, let’s try to put these tools and their development into perspective. While the attacker’s goals of penetration and stealth have been consistent, the techniques ...
... talked about Jackal and how it used SYN/FIN to attempt to penetrate firewalls or filtering routers and evade logging, as an early entry into the field along with the “stealth” TCP half scans. Over time, we saw the techniques become more refined, and we also learned that these illogical flag combinations could be used for stack analysis or TCP fingerprinting to determine the operating system. Finally, we considered ...

... DoS attacks against YAHOO and others. Currently, in September 2000, we are investigating the possibility that Windows Trojans are involved in these attacks. I would like to briefly discuss one more Internet threat. Until recently, viruses were a fairly ho-hum subject. Great, someone sends you a file with the Monkey or Stoned virus; your anti-virus software picks it up and cleans it and you keep on trucking ...

... reconnaissance tool for developing chains of potential infection

Slide 28 (notes): The intrusion detection system flagged a number of non-profile outbound FTPs, and they were all headed to two addresses. Marker was one of the culprits, the one we sorted out first as a matter of fact. It turned out the computers were sending a file out into the Internet containing a list of the Microsoft ...

... Let’s take a look at one last Internet threat. This is the threat introduced by users who download and run utilities that are designed to share and search for files across the Internet. Examples are the programs Napster, Gnutella, and more recently Scour. In the next two slides we’ll examine Gnutella - its function and the dangers it introduces. Gnutella is an Internet file sharing utility. Described as a ...