A common need that many of my clients have is that for network security monitoring (NSM). It is widely believed and understood that some sort of intrusion detection or intrusion prevention system (IDS/IPS) is a valuable addition to enhance their security posture. With this understanding though, the same individuals or corporations that have gained this level of understanding are still missing a piece of the pie.
So, what is this missing piece? Simply put, its a live person or a security analyst. The most sophisticated systems in the world still need a well trained individual to not only tune them but also to monitor their output and validate or even interpret it.
Typically when we put any such system in-place there is an involved process of understanding the normal traffic-patterns of the communication taking place on the existing network. This allows us to, over time, create a baseline and tune out any false-positive items that may be triggered by legitimate traffic and fine-tune other existing rules. Even after all fine-tuning is complete the system needs an individual to analyze output and validate any events that pose risk to the information systems and organization. Depending on the size of the network involved, this individual or individuals could range from the local network Administrator to a team of dedicated security analysts. In the instance of this individual being the local network Administrator there should be adequate training such that this individual is familiar with network security practices, standards, and the usage of the in-place monitoring systems. This training should be refreshed annually to insure that the administrator is kept up to date with newer techniques and technologies.
My main goal behind this article is to impress upon you the need for an analyst of some form. In the absence of an analyst and without proper maintenance, the system becomes useless and will not serve it's proper function.
JJC
Thursday, July 26, 2007
Tuesday, July 24, 2007
COX Communications HiJacking DNS
Recently while perusing the interweb, I came across the following article; "ISP Seen Breaking Internet Protocol to Fight Zombie Computers". The short of this article is that Cox Communications is attempting to remove bots from customers PC's by way of redirecting infected systems (by way of hijacked DNS records) to a c&c server that they control and issue standard bot uninstall commands to said bots. While I think that this is conceptually a good idea, I foresee several issues with it.
By design, bots are built with some level of security concerning who can issue commands to them, as noted in my previous blog about the disassembly of the RxBot, not to mention the differing commandsets that are built into them. Couple this with the new Fast-Flux Service Networks that we are starting to see and this method that Cox is attempting becomes an all but futile effort.
I am also curious where they are obtaining their list of c&c servers from. Perhaps off of the c&c list that Shadowserver.org maintains, or from another location? How do they filter out good IRC traffic from bad IRC traffic on public IRC servers that may have been listed as being a c&c in addition to a legitimate IRC server. From the looks of the article, they don't and this poses an issue by way of blocking legitimate IRC traffic for those that connect to those servers.
A brief list of commands issued:
I would also like to review their customer agreement and see if it indeed gives them the authorization to remove files / uninstall things from the end-users computer. Granted the goal is to remove malware; but what if I have been infected by just such malware and need to glean some information, such as what exactly exfiltrated my system? What if I am a business owner and my system contains information that is sensitive to myself, my business or my clients and I need to know what data exfiltrated my network so that I know what corrective or legal measures need to be taken?
All of this said, they also did not notify anyone that they were effectively hijacking DNS records, this somewhat gets back to my second point concerning legitimate IRC traffic that was obviously interupted enough to cause investigation into the matter. This further investigation is what led to the discovery of said hijacking, more here: http://www.exstatica.net/hijacked/
To my mind, the concept was an interesting one albeit innefective but the execution was absurd from unauthorized software removal down to DNS hijacking. This makes you wonder what else they are doing that has not yet been discovered.
Cheers,
JJC
By design, bots are built with some level of security concerning who can issue commands to them, as noted in my previous blog about the disassembly of the RxBot, not to mention the differing commandsets that are built into them. Couple this with the new Fast-Flux Service Networks that we are starting to see and this method that Cox is attempting becomes an all but futile effort.
I am also curious where they are obtaining their list of c&c servers from. Perhaps off of the c&c list that Shadowserver.org maintains, or from another location? How do they filter out good IRC traffic from bad IRC traffic on public IRC servers that may have been listed as being a c&c in addition to a legitimate IRC server. From the looks of the article, they don't and this poses an issue by way of blocking legitimate IRC traffic for those that connect to those servers.
A brief list of commands issued:
[INFO] Channel view for “#martian_” opened. -->| YOU (Drew) have joined #martian_ =-= Mode #martian_ +nt by localhost.localdomain =-= Topic for #martian_ is “.bot.remove” =-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM =-= Topic for #martian_ is “.remove” =-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM =-= Topic for #martian_ is “.uninstall” =-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM =-= Topic for #martian_ is “!bot.remove” =-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM =-= Topic for #martian_ is “!remove” =-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM =-= Topic for #martian_ is “!uninstall” =-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM .bot.remove .remove .uninstall !bot.remove !remove
I would also like to review their customer agreement and see if it indeed gives them the authorization to remove files / uninstall things from the end-users computer. Granted the goal is to remove malware; but what if I have been infected by just such malware and need to glean some information, such as what exactly exfiltrated my system? What if I am a business owner and my system contains information that is sensitive to myself, my business or my clients and I need to know what data exfiltrated my network so that I know what corrective or legal measures need to be taken?
All of this said, they also did not notify anyone that they were effectively hijacking DNS records, this somewhat gets back to my second point concerning legitimate IRC traffic that was obviously interupted enough to cause investigation into the matter. This further investigation is what led to the discovery of said hijacking, more here: http://www.exstatica.net/hijacked/
To my mind, the concept was an interesting one albeit innefective but the execution was absurd from unauthorized software removal down to DNS hijacking. This makes you wonder what else they are doing that has not yet been discovered.
Cheers,
JJC
Wednesday, July 18, 2007
RxBot
Recently one of my clients became infected with the RxBot, I was able to detect it using SNORT 2.6.1.4 on a FreeBSD 6.2 system running the latest rules from bleedingthreats.net. That being said, the issue did not originally manifest as a Bot or c&c destination but as a TCP:3306 or MySQL worm scan / propagation attempt.
Specifically it was sid 1:2001689 and sid 1:2404003 that first alerted us to the issue using the aforementioned system with BASE and Sguil. Further research down the line revealed IRC commands on non-standard ports...as found in the bleeding-attack_response.rules.
Without getting into the nitty gritty of the whole thing, disassembly of the bot revealed it to be an RxBot with the following characteristics.
Some of the bot commands and other findings:
auth, logout, wget, port, stop, stats, threads, procs, open, godie, reboot, nick, join, part, http, tftp, rndnick, secure, unsecre, httpstop, logstop, ftfpstop, procsstop, securestop, reconnect, disconnect, quit, status, botid, aliases, clearlog, testdlls, getclip, flusharp, flushdns, crash, killthreads, prefix, server, killproc, killid, delete, list, mirc, read, gethost, addalias, action, cycle, mode, repeat, delay, execute, rename, httpcon, upload, pstore.
Once the bot has found a vulnerable MySQL server it creates a database called 'clown' and dumps a file encoded with base64. The file is then extracted to clown.dll in c:\windows\system32.
This means its a self contained spreader and doesn't need to create additional network connections to spread.
If that fails, it will also use sql xp_cmdshell commands to tftp or ftp the binary from another host.
Over 200 passwords are hardcoded into the binary, which it uses when connecting to both sql and smb shares. Some of those passwords:
staff, teacher, student, intranet, main, winpass, blank, office, control, nokia, siemens, compaq, dell, cisco, oracle, orainstall, sqlpassoainstall, db1234, databasepassword, data, databasepass, dbpassword, dbpass, access, database, domainpassword, domain, domainpass, hello, hell, backup, technical, loginpass, login, mary, kate, george, eric......etc.
channels it sends traffic to:
#nBot-udf pass
#infected
#patch
##sniff##
##keylog##
#cracked
#vnc
#lan
##full##
#dbot
#1
#2
#3
#4
#5
#rose
##dns
#edoo
#dns
#miBot
#MYSQL#
#moh
#sql
#db0t
#nbot-3306
#dbot
##asn
#psyBNC
##final
#final#
#stable
#gecko
#mbot
##mBot
#own#
#vBot
#vCal
##yb
#nBot
#yahoo
#miBot
#rx#
#x1
#x2
#sqltest
some file drops:
c:\cmd.exe
cdmd.exe
dbot.exe
fileWin.exe
nig.exe
windowsVNC.exe
C:\ffd.exe
nrose.exe
c:\pp.exe
C:\pk.exe
C:\OG.exe
C:\ud2.exe
C:\120.exe
C:\lol.exe
C:\ne.exe
C:\fg.exe
c:\dump.exe
C:\ucla.exe
C:\eggdrop.exe
c:\210.exe
C:\faa.exe
C:\full.exe
C:\sql.exe
C:\setps.exe
sgffg.exe
C:\S.exe
C:\vsyncadi.exe
C:\g.exe
C:\npk.exe
C:\Print.exe
C:\MSDEVS.exe
MSD.exe
mswin.exe
C:\bbv.exe
C:\sql.exe
C:\bbnc.exe
C:\pBNC.exe
C:\bot.exe
C:\UD_PI.exe
C:\vbot.exe
yang.exe
qb.exe
ucla.exe
C:\secret.exe
C:\seddcret.exe
C:\S.exe
c:\l0l.exe
c:\MSDEVs3.exe
bbv.exe
C:\h1ggd3n.exe
C:\H9de.exe
C:\xx1.exe
hhiden.exe
C:\setups.exe
C:\n.bat
nwsz.exe
C:\ne.exe
The bot then joins https.easypwn.net with the password s3cr3t.
The bot administrator must have the user host "symtec.us" to issue commands.
The bot has anti-debugger and anti-vmware code, and is packed with AsPack.
The bot registers as version 2, however we've seen evidence a version 3 exists as well.
I would like to thank Nicholas, Jason and Jamaal for their invaluable assistance in the disassembly and work on this fun.
Aside from detecting IRC commands on non-standard ports and portscans, here are a few rules (more to follow) that should help detect this specific bot:
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"RxBot Trojan Client Lookup of easypwn.net"; content:"easypwn.net"; nocase; classtype:trojan-activity; reference:url,global-security.blogspot.com/2007/07/rxbot.html; sid:3000005; rev:2;)
JJC
Specifically it was sid 1:2001689 and sid 1:2404003 that first alerted us to the issue using the aforementioned system with BASE and Sguil. Further research down the line revealed IRC commands on non-standard ports...as found in the bleeding-attack_response.rules.
Without getting into the nitty gritty of the whole thing, disassembly of the bot revealed it to be an RxBot with the following characteristics.
Some of the bot commands and other findings:
auth, logout, wget, port, stop, stats, threads, procs, open, godie, reboot, nick, join, part, http, tftp, rndnick, secure, unsecre, httpstop, logstop, ftfpstop, procsstop, securestop, reconnect, disconnect, quit, status, botid, aliases, clearlog, testdlls, getclip, flusharp, flushdns, crash, killthreads, prefix, server, killproc, killid, delete, list, mirc, read, gethost, addalias, action, cycle, mode, repeat, delay, execute, rename, httpcon, upload, pstore.
Once the bot has found a vulnerable MySQL server it creates a database called 'clown' and dumps a file encoded with base64. The file is then extracted to clown.dll in c:\windows\system32.
This means its a self contained spreader and doesn't need to create additional network connections to spread.
If that fails, it will also use sql xp_cmdshell commands to tftp or ftp the binary from another host.
Over 200 passwords are hardcoded into the binary, which it uses when connecting to both sql and smb shares. Some of those passwords:
staff, teacher, student, intranet, main, winpass, blank, office, control, nokia, siemens, compaq, dell, cisco, oracle, orainstall, sqlpassoainstall, db1234, databasepassword, data, databasepass, dbpassword, dbpass, access, database, domainpassword, domain, domainpass, hello, hell, backup, technical, loginpass, login, mary, kate, george, eric......etc.
channels it sends traffic to:
#nBot-udf pass
#infected
#patch
##sniff##
##keylog##
#cracked
#vnc
#lan
##full##
#dbot
#1
#2
#3
#4
#5
#rose
##dns
#edoo
#dns
#miBot
#MYSQL#
#moh
#sql
#db0t
#nbot-3306
#dbot
##asn
#psyBNC
##final
#final#
#stable
#gecko
#mbot
##mBot
#own#
#vBot
#vCal
##yb
#nBot
#yahoo
#miBot
#rx#
#x1
#x2
#sqltest
some file drops:
c:\cmd.exe
cdmd.exe
dbot.exe
fileWin.exe
nig.exe
windowsVNC.exe
C:\ffd.exe
nrose.exe
c:\pp.exe
C:\pk.exe
C:\OG.exe
C:\ud2.exe
C:\120.exe
C:\lol.exe
C:\ne.exe
C:\fg.exe
c:\dump.exe
C:\ucla.exe
C:\eggdrop.exe
c:\210.exe
C:\faa.exe
C:\full.exe
C:\sql.exe
C:\setps.exe
sgffg.exe
C:\S.exe
C:\vsyncadi.exe
C:\g.exe
C:\npk.exe
C:\Print.exe
C:\MSDEVS.exe
MSD.exe
mswin.exe
C:\bbv.exe
C:\sql.exe
C:\bbnc.exe
C:\pBNC.exe
C:\bot.exe
C:\UD_PI.exe
C:\vbot.exe
yang.exe
qb.exe
ucla.exe
C:\secret.exe
C:\seddcret.exe
C:\S.exe
c:\l0l.exe
c:\MSDEVs3.exe
bbv.exe
C:\h1ggd3n.exe
C:\H9de.exe
C:\xx1.exe
hhiden.exe
C:\setups.exe
C:\n.bat
nwsz.exe
C:\ne.exe
The bot then joins https.easypwn.net with the password s3cr3t.
The bot administrator must have the user host "symtec.us" to issue commands.
The bot has anti-debugger and anti-vmware code, and is packed with AsPack.
The bot registers as version 2, however we've seen evidence a version 3 exists as well.
I would like to thank Nicholas, Jason and Jamaal for their invaluable assistance in the disassembly and work on this fun.
Aside from detecting IRC commands on non-standard ports and portscans, here are a few rules (more to follow) that should help detect this specific bot:
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"RxBot Trojan Client Lookup of easypwn.net"; content:"easypwn.net"; nocase; classtype:trojan-activity; reference:url,global-security.blogspot.com/2007/07/rxbot.html; sid:3000005; rev:2;)
JJC
Tuesday, July 17, 2007
OSSIM, is it ready?
A project that I have been keeping my eye on for a while is the OSSIM (Open Source Security Information Management) project: http://www.ossim.net/
I have been apprehensive to try this one out, due to some fairly negative feedback that I have received from numerous users and peers. That being said, I will be slapping it onto one of my FreeBSD boxes within the next few months and letting you know what happens.
JJC
I have been apprehensive to try this one out, due to some fairly negative feedback that I have received from numerous users and peers. That being said, I will be slapping it onto one of my FreeBSD boxes within the next few months and letting you know what happens.
JJC
Network Security Center and Toolkit on FreeBSD
Over the course of the next few weeks I will be publishing a comprehensive guide on the installation, securing, configuration and usage of a variety of Open Source security tools to create a comprehensive Network Security Center (NSC). The purpose of this security center will be to perform Network based IDS (NIDS), act as a server for Host based IDS (HIDS), perform vulnerability scanning reporting and management, and create a tool set for Network Security Analysis. All of this accomplished using a core Operating System of FreeBSD 6.2 and a variety of other Open Source applications that we will customize to fit our needs as we go.
I'll begin by covering the base installation and securing of the FreeBSD Operating System then over the following weeks step into the various sections of the NSC to build a truly robust solution.
If you would like to get a jumpstart, I will be using FreeBSD 6.2 obtained from www.freebsd.org (I also placed a copy of the i386 ISO here:)
https://secure.redsphereglobal.com/data/freebsd/6.2/6.2-RELEASE-i386-disc1.iso
The full guide to FreeBSD can be found at the following location, it would not hurt to read through and familiarize yourself with section 2 prior to the upcoming install post.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html
I will also be working with the guys at rawpacket.org and their upcoming formal release of HeX Live. Currently HeX Beta v1.0 is available for download from one of the following sites for more information, please check out the site rawpacket.org
Primary Site
Mirror 1
JJC
I'll begin by covering the base installation and securing of the FreeBSD Operating System then over the following weeks step into the various sections of the NSC to build a truly robust solution.
If you would like to get a jumpstart, I will be using FreeBSD 6.2 obtained from www.freebsd.org (I also placed a copy of the i386 ISO here:)
https://secure.redsphereglobal.com/data/freebsd/6.2/6.2-RELEASE-i386-disc1.iso
The full guide to FreeBSD can be found at the following location, it would not hurt to read through and familiarize yourself with section 2 prior to the upcoming install post.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html
I will also be working with the guys at rawpacket.org and their upcoming formal release of HeX Live. Currently HeX Beta v1.0 is available for download from one of the following sites for more information, please check out the site rawpacket.org
Primary Site
Mirror 1
JJC
Wednesday, April 18, 2007
Phishing Angst in light of VA Tech tragedy
Phishing Angst in light of VA Tech tragedy
Unfortunate but true, there are those individuals that would attempt to profit in a devious and mal-intentioned manner from any tragedy. These threats come in many forms, ranging from phishing scams, spam, websites, fax, telephone and beyond. There will likely be a number mal-intended attempts made to collect money, personal information and the like by many individuals posing as organizations designed to provide a form of aid or funding for the VA Tech tragedy.
The best defense against this type of threat is to simply research the organization that you intend on giving money, support or information to prior to engaging them. If you receive an unsolicited email or something that looks suspicious there are a number of sites that maintain a fairly updated list that can all easily be found through your favorite search engine.
All of this said, if you feel compelled to donate your time, expertise or money in aid of those affected by the VA Tech tragedy then please do so. There are currently a number of well known organizations working to help those affected such as the American Red Cross http://www.redcross.org/article/0,1072,0_312_6578,00.html and VA Tech is also directly accepting donations on their website at http://www.vt.edu/tragedy/memorial_fund.php.
Below is a list of domains that were registered immediately following the Virginia Tech tragedy. It should be noted that at the time of this article none of these domains have been reported as being used in a malicious manner, but please keep an eye out and protect yourself against the many risks associated with identity theft, fraud and beyond.
vatechshooting.com
vatechshooting.net
vatechshooting.org
vatechshooting.info
vatechshooting.us
vatechshooting.biz
vtshooting.com
vtshooting.info
vatechmassacre.com
vatechmassacre.net
vatechmassacre.info
vatechmassacre.biz
vtmassacre.com
vtmassacre.net
vtmassacre.org
vtmassacre.info
virginiatechrampage.com
vatechrampage.com
vtrampage.com
virginiatechmurders.com
virginiatechmurders.net
virginiatechmurders.org
virginiatechmurders.info
virginiatechmurders.us
vatechmurders.com
vtmurders.com
hokieshootings.com
hokiemassacre.com
Best Regards,
JJC
Sunday, April 1, 2007
A few tips for the home user.
The world has become somewhat accustomed to basic physical and personal security over the years; but what of the cyber security realm, from the perspective of the basic home user? In today’s age of online banking, billions of electronic transactions, online shopping, electronic records management and so much more affected by or even wholly controlled by technology it is absolutely imperative that even the home computer user have a basic understanding of cyber security. I have detailed a few basic steps that should be taken to mitigate many common threats.
Virus - Install and maintain current anti-virus software and signatures. It’s not enough to simply buy an anti-virus application and leave it on your computer. Every day a large number of new computer viruses or virus variants come out, as a direct result of this all of the major anti-virus software companies release updates regularly (sometimes every few hours) that need to be placed on your computer for you to truly be protected. Many anti-virus applications can be configured to automatically download and install such updates. For the cost-conscious user I recommend AVAST http://www.avast.com, it’s free for home users and consistently rates high in independent tests!
Patch – Ever get that annoying popup from your task bar? Well, it’s not just an annoying message, these things are really important. Though software and operating system manufacturers try to design and build their products using security standards and to the highest of standards they do miss things. These things that they miss result in potential backdoor access to your computer, holes that give the would-be hacker or application access to any and all data that may be on your computer. RedSphere maintains an updated list of patches and vulnerabilities under the News -> Cyber Security section.
Lock – When you are not using your computer, logout of it or lock it. If you live in a home with multiple family members you should create new and unique accounts for each user of the computer. This will accomplish a few things; first it will create accountability for other users / children, without a unique account you can’t determine who was visiting certain websites or downloading certain applications. Be sure that everyone is educated and informed that they need to either lock the computer or logout of it when they are finished with their session. If they do not do this, another user could do whatever they wanted without being held accountable.
Disconnect – The vast usage and adoption of high-speed technologies such as DSL and cable modems has made the ever-connected PC a more common thing than not. The more time any computer or system is connected to the internet the more likely it is to be infected by a virus, attacked by a worm or hacked by a hacker. This can easily be mitigated by disconnecting the computer from the internet, this may mean that you edit your dial-up connections, turn off your computer or modem, or even disconnect cables.
Backup – Even taking all of the steps mentioned above and beyond, there will always be the possibility of data becoming corrupt or otherwise destroyed. Most of us have already experienced at least one or more times data-loss. Whether a program erroring out while we are working on an unsaved document, a hard-disk failing, a virus or worm or even a natural disaster we can protect ourselves cost-effectively and easily. A large number of home computers now have CD or even DVD recorders build into them and include software to create backups. CD and DVD media are but one of many options in the wide world of backup, others include USB Thumb Drives, External Hard-Disks, Network Attached Storage and many many other options.
Be Mindful – Simply put, use your noggin! What do I mean when I say this, doesn’t everyone use their noggin? Of course they do, but there are so many more implications relative to Cyber Security. Don’t open emails from unknown sources, don’t give anyone your social security number or any other Personally Identifiable Information online, don’t send emails containing confidential information, don't install peer-to-peer software or any of the aforementioned. This topic is a pretty big one and I’ll address in much more depth at a future date!
In closing, there are a great many things that you can do to better protect your data and security and the above list should give you a good start.
Best Regards,
JJC
Subscribe to:
Posts (Atom)