
Re: DDoS attacks and zombies

daemon@ATHENA.MIT.EDU (Gary Flynn)
Tue Feb 5 08:56:21 2002

Message-ID: <3C5FE092.21050A30@jmu.edu>
Date: Tue, 5 Feb 2002 08:39:30 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Gary Flynn <flynngn@JMU.EDU>
To: RESNET-L@listserv.nd.edu

> From:    Wendy Shih <wshih@RES.KENT.EDU>
>
> I got on the channel and saw many
> other .edu ResNet computers (possibly yours too), all victims.

I'd like a list of any jmu.edu computers you see. I'm sure the others
here would appreciate being told if computers on their network were listed
too.

> 1. If you have the experience, please share how I should proceed next to
> break this malicious operation.

Have you run up-to-date AV software on the computers? Sometimes known
trojans are used to get the files on the computers. Some of the BOTS
may also be known to AV vendors.

Install logging filters on your outgoing router or firewall interface
and log connections to the IRC server in question. If it's a popular
server, you'll have to dig into the packets to determine which
computers are connected to the channel in question.

Or, as you've already found, you can just join the channel itself
and look for computers on your network.

Configure your network management software so that it monitors outgoing
rates of ICMP and UDP packets. Adjust thresholds and alert mechanisms
so you're told if they go past a baseline. TCP SYNs are a bit more
difficult.

Send the software you found to your AV vendor. They may develop a
signature for it.

If you watch the channel long enough, you'll eventually see a connection
from a computer that sends a command string that triggers the zombies to
attack. Unfortunately, it's likely that computer is also compromised, so
reporting it to law enforcement may be less than effective.

> 2. The scripts and server files are big - over 1.5Mb. Do you know how
> they got installed on the computer? One of the owners said she just got
> the computer in September. She has updated virus software and claimed never
> to download anything. She doesn't use any p2p software. The files were all
> identical on 3 computers and all installed in the same directory.

1. Were they running IIS? If so, was it patched?

2. They never accepted a game, screen saver, Christmas card with certain
   extensions, or a free software install from a "friend" over a RESNET
   MS file share, IM, or mIRC session? ;)

3. Have they visited the Windows Update site and installed all critical
   patches? If not, they could have been infected by reading malicious email
   (without clicking an attachment) or visiting a malicious web site.

4. If they're NT or 2000 systems, download Fport and see if any unexpected
   programs are listening.

   http://www.foundstone.com/knowledge/free_tools.html

   If you find a backdoor program in common to the computers, you can scan
   your network on the listening port to see if there are others.

5. Did they have Microsoft file sharing incorrectly installed so that the
   entire hard drive is shared? On a Windows NT/2000/XP machine, did
   they have a nonexistent or weak administrator password allowing access
   to the C$ share? Do you block NetBIOS at the Internet border?

6. You can discover more about how the files work by installing tools to
   monitor file, network, and registry access and the DLLs used by
   the programs.

   Filemon
   Regmon
   TDImon
   ProcessExplorer

   All are available for free from www.sysinternals.com

   Do this only if you understand the implications and even then with great
   caution on a machine you can reformat and that doesn't have access to any
   critical information.

7. Copy the files to a Unix machine and run the strings command
   on them. This sometimes yields interesting information.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
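The two detection signals the post recommends, logging which internal hosts connect to the IRC server and alerting when a host's outbound ICMP/UDP packet rate climbs past a baseline, can be combined in a small triage script. The following is an added example and not code from the original post or from the ResNet list; the campus address range, the IRC server address, the baseline and the flow records are all constructed for illustration. It goes slightly beyond the post by correlating the two signals per host, so that a host that talks to the IRC server but is not (yet) flooding still shows up as a candidate for investigation.

```python
"""Added example (not from the original post): correlate two signals over a
constructed batch of router/firewall flow records:
  1. internal hosts whose outbound ICMP/UDP packet rate exceeds a baseline
  2. internal hosts that open TCP connections to a given IRC server
All addresses, the baseline and the records below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.20.0.0/16")   # constructed campus range
IRC_SERVER = ("203.0.113.7", 6667)          # constructed (TEST-NET-3 address)

# Constructed flow records: (t_seconds, src, dst, proto, dst_port, packets)
FLOWS = [
    (0, "10.20.1.5",  "198.51.100.9", "udp",  53,   4),
    (1, "10.20.1.5",  "203.0.113.7",  "tcp",  6667, 12),
    (2, "10.20.1.5",  "192.0.2.30",   "udp",  1024, 4000),   # flood traffic
    (3, "10.20.1.5",  "192.0.2.30",   "icmp", 0,    2500),   # flood traffic
    (0, "10.20.2.8",  "198.51.100.9", "udp",  53,   6),
    (5, "10.20.2.8",  "203.0.113.7",  "tcp",  6667, 9),      # on IRC, idle
    (0, "10.20.3.1",  "198.51.100.9", "udp",  53,   3),
    (4, "10.20.3.1",  "192.0.2.55",   "tcp",  80,   40),
    (6, "192.0.2.30", "10.20.1.5",    "icmp", 0,    900),    # inbound, ignored
]


def is_internal(addr):
    """True if the address belongs to the constructed campus range."""
    return ip_address(addr) in INTERNAL_NET


def outbound_rate(flows, protos, window_seconds):
    """Outbound packets per second per internal host, for the given protocols.
    Only flows leaving the campus range (internal src, external dst) count."""
    totals = defaultdict(int)
    for _t, src, dst, proto, _port, pkts in flows:
        if proto in protos and is_internal(src) and not is_internal(dst):
            totals[src] += pkts
    return {host: n / window_seconds for host, n in totals.items()}


def over_baseline(rates, baseline_pps, multiplier=10.0):
    """Hosts whose rate exceeds multiplier x baseline, highest rate first."""
    limit = baseline_pps * multiplier
    hits = [(host, rate) for host, rate in rates.items() if rate > limit]
    return sorted(hits, key=lambda hr: hr[1], reverse=True)


def hosts_talking_to(flows, server):
    """Internal hosts with outbound TCP flows to the (ip, port) server."""
    ip, port = server
    return sorted({src for _t, src, dst, proto, dport, _p in flows
                   if proto == "tcp" and dst == ip and dport == port
                   and is_internal(src)})


def triage(flows, window_seconds, baseline_pps, server):
    """Map each suspicious internal host to the set of signals it tripped:
    'flood' (ICMP/UDP rate over baseline) and/or 'irc' (connected to server)."""
    signals = defaultdict(set)
    rates = outbound_rate(flows, {"udp", "icmp"}, window_seconds)
    for host, _rate in over_baseline(rates, baseline_pps):
        signals[host].add("flood")
    for host in hosts_talking_to(flows, server):
        signals[host].add("irc")
    return dict(signals)


if __name__ == "__main__":
    # 10-second capture window, constructed baseline of 1 ICMP/UDP pps per host
    for host, tripped in sorted(triage(FLOWS, 10, 1.0, IRC_SERVER).items()):
        print(host, sorted(tripped))
```

With the constructed data, 10.20.1.5 trips both signals (it is on the IRC channel and pushing hundreds of ICMP/UDP packets per second outbound), while 10.20.2.8 only shows the IRC connection. That second case is the useful one: a rate threshold alone would miss it until the next attack command arrives, which is why the connection log is worth keeping alongside the rate alerts.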

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
