Re: DDoS attacks and zombies
daemon@ATHENA.MIT.EDU (Gary Flynn)
Tue Feb 5 08:56:21 2002
Message-ID: <3C5FE092.21050A30@jmu.edu>
Date: Tue, 5 Feb 2002 08:39:30 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Gary Flynn <flynngn@JMU.EDU>
To: RESNET-L@listserv.nd.edu
> From: Wendy Shih <wshih@RES.KENT.EDU>
>
> I got on the channel and see many of
> other .edu ResNet computers (possibly yours too) all victims.
I'd like a list of any jmu.edu computers you see. I'm sure the others
here would appreciate being told if computers on their network were listed
too.
> 1. If you have the experience, please share how I should proceed next to
> break this malicious operation.
Have you run up-to-date AV software on the computers? Sometimes known
trojans are used to get the files on the computers. Some of the BOTS
may also be known to AV vendors.
Install logging filters on your outgoing router or firewall interface
and log connections to the IRC server in question. If it's a popular
server, you'll have to dig into the packets to determine which
computers are connected to the channel in question.
Or, as you've already found, you can just join the channel itself
and look for computers on your network.
Configure your network management software so that it monitors outgoing
rates of ICMP and UDP packets. Adjust thresholds and alert mechanisms
so you're told if they go past a baseline. TCP SYNs are a bit more
difficult.
Send the software you found to your AV vendor. They may develop a
signature for it.
If you watch the channel long enough, you'll eventually see a connection
from a computer that sends a command string that triggers the zombies to
attack. Unfortunately, it's likely that computer is also compromised so
reporting it to law enforcement may be less than effective.
> 2. The scripts and server files are big - over 1.5Mb. Do you know how
> they got installed on the computer? One of the owners said she just got
> the computer in September. She has updated virus software and claimed never
> to download anything. She doesn't use any p2p software. The files were all
> identical in 3 computers and all installed in the same directory.
1. Were they running IIS? If so, was it patched?
2. They never accepted a game, screen saver, Christmas cards with certain
extensions, or a free software install from a "friend" over a RESNET
MS file share, IM, or MIRC session? ;)
3. Have they visited the Windows Update site and installed all critical
patches? If not, they could have been infected by reading malicious email
(without clicking an attachment) or visiting a malicious web site.
4. If they're NT or 2000 systems, download Fport and see if any unexpected
programs are listening.
http://www.foundstone.com/knowledge/free_tools.html
If you find a backdoor program in common to the computers, you can scan
your network on the listening port to see if there are others.
5. Did they have Microsoft file sharing incorrectly installed so that the
entire hard drive is shared? On a Windows NT/2000/XP machine, did
they have a nonexistent or weak administrator password allowing access
to the C$ share? Do you block netbios at the Internet border?
6. You can discover more about how the files work by installing tools to
monitor file, network, and registry access and the DLLs used by
the programs.
Filemon
Regmon
TDImon
ProcessExplorer
All are available for free from www.sysinternals.com
Do this only if you understand the implications and even then with great
caution on a machine you can reformat and that doesn't have access to any
critical information.
7. Copy the files to a unix machine and run the strings command
on them. This sometimes yields interesting information.
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
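As an added example (not part of Gary's message or any JMU tooling), here is a small Python script that applies two of the checks he recommends to constructed flow-log lines from a border router: list the local hosts that connected to the IRC server in question, and flag hosts whose outbound ICMP or UDP packet rate exceeds a per-host baseline. The log field layout, the server address, the local address prefix and the baseline values are all assumptions.

```python
# Added example, not from the original message. Parses constructed
# flow-style log lines and applies two of the checks from the reply:
#  - which local hosts connected to the IRC server (candidate zombies)
#  - which local hosts exceed a baseline outbound ICMP/UDP packet rate
from collections import defaultdict

# Constructed sample, one flow per line:
#   "<epoch> <src> <dst> <proto> <dport> <packets>"
SAMPLE_FLOWS = """\
1012900000 192.0.2.5 203.0.113.9 TCP 6667 12
1012900000 192.0.2.5 198.51.100.20 ICMP 0 4000
1012900005 192.0.2.5 198.51.100.20 UDP 53 6000
1012900002 192.0.2.7 203.0.113.9 TCP 6667 8
1012900030 192.0.2.7 198.51.100.40 UDP 53 30
1012900010 192.0.2.8 198.51.100.15 TCP 80 40
"""
IRC_SERVER = "203.0.113.9"   # assumed address of the IRC server being watched
LOCAL_PREFIX = "192.0.2."    # assumed address range of the campus network
WINDOW = 60                  # seconds per rate-measurement bucket
BASELINE_PPS = {"ICMP": 5.0, "UDP": 20.0}  # assumed per-host baselines


def parse_flows(text):
    """Turn the log text into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, pkts = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "packets": int(pkts)})
    return flows


def irc_clients(flows, server=IRC_SERVER, port=6667):
    """Local hosts seen opening TCP connections to the IRC server's port."""
    return sorted({f["src"] for f in flows
                   if f["dst"] == server and f["proto"] == "TCP"
                   and f["dport"] == port and f["src"].startswith(LOCAL_PREFIX)})


def rate_alerts(flows, baseline=BASELINE_PPS, window=WINDOW):
    """(host, proto, packets/sec) for each time bucket that exceeds the baseline."""
    counts = defaultdict(int)
    for f in flows:
        if f["proto"] in baseline and f["src"].startswith(LOCAL_PREFIX):
            counts[(f["src"], f["proto"], f["ts"] // window)] += f["packets"]
    return sorted((host, proto, round(pkts / window, 1))
                  for (host, proto, _bucket), pkts in counts.items()
                  if pkts / window > baseline[proto])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("IRC clients:", irc_clients(flows))
    print("Rate alerts:", rate_alerts(flows))
```

A host that appears in both lists is the first one to pull off the network and examine with the tools listed above.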
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________