
Re: DDoS attacks and zombies

daemon@ATHENA.MIT.EDU (Wendy Shih)
Tue Feb 5 11:26:01 2002

MIME-Version: 1.0
Content-Type: text/plain; charset=big5
Content-Transfer-Encoding: 7bit
Message-ID:  <3C60052D.335A63B9@res.kent.edu>
Date:         Tue, 5 Feb 2002 11:15:41 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Wendy Shih <wshih@RES.KENT.EDU>
To: RESNET-L@listserv.nd.edu

See below for responses

Gary Flynn wrote:

> > From:    Wendy Shih <wshih@RES.KENT.EDU>
> >
> > I got on the channel and saw many other .edu ResNet computers
> > (possibly yours too), all victims.
>
> I'd like a list of any jmu.edu computers you see. I'm sure the others
> here would appreciate being told if computers on their network were listed
> too.

I am logging it and will forward it tomorrow. The victim's computer has to be
on-line for it to log, and also I think there is a max on the channel, so not all
victims will be on the channel at the same time.

>
>
> > 1. If you have the experience, please share how I should proceed next to
> > break this malicious operation.
>
> Have you run up-to-date AV software on the computers? Sometimes known
> trojans are used to get the files on the computers. Some of the BOTS
> may also be known to AV vendors.

Yes, we made sure to have the latest McAfee dat file and also ran F-Prot 3.11 from
DOS.


>
>
> Install logging filters on your outgoing router or firewall interface
> and log connections to the IRC server in question. If it's a popular
> server, you'll have to dig into the packets to determine which
> computers are connected to the channel in question.
>

Unfortunately, we don't have a firewall by the router.

>
> Or, as you've already found, you can just join the channel itself
> and look for computers on your network.
>

That is what I am checking.

>
> Configure your network management software so that it monitors outgoing
> rates of ICMP and UDP packets. Adjust thresholds and alert mechanisms
> so you're told if they go past a baseline. TCP SYNs are a bit more
> difficult.
>
> Send the software you found to your AV vendor. They may develop a
> signature for it.
>

Good idea.

>
> If you watch the channel long enough, you'll eventually see a connection
> from a computer that sends a command string that triggers the zombies to
> attack. Unfortunately, it's likely that computer is also compromised so
> reporting it to law enforcement may be less than effective.

Yes, I saw the operator's IP and DNS, but I think it is not easy to trace and could
be from a zombie too.

>
>
> > 2. The scripts and server files are big - over 1.5Mb. Do you know how
> > they got installed on the computer? One of the owners said she just got
> > the computer in September. She has updated virus software and claimed never
> > to download anything. She doesn't use any p2p software. The files were all
> > identical in 3 computers and all installed in the same directory.
>
> 1. Were they running IIS? If so, was it patched?

None running IIS.

>
>
> 2. They never accepted a game, screen saver, Christmas cards with certain
>    extensions, or a free software install from a "friend" over a RESNET
>    MS file share, IM, or MIRC session? ;)

This is always possible.

>
>
> 3. Have they visited the Windows Update site and installed all critical
>    patches? If not, they could have been infected by reading malicious email
>    (without clicking an attachment) or visiting a malicious web site.

Probably not, will have them do that soon.

>
> 4. If they're NT or 2000 systems, download Fport and see if any unexpected
>    programs are listening.
>
>    http://www.foundstone.com/knowledge/free_tools.html
>
>    If you find a backdoor program in common to the computers, you can scan
>    your network on the listening port to see if there are others.

No backdoor/trojan found.

>
>
> 5. Did they have Microsoft file sharing incorrectly installed so that the
>    entire hard drive is shared? On a Windows NT/2000/XP machine, did
>    they have a nonexistent or weak administrator password allowing access
>    to the C$ share? Do you block netbios at the Internet border?

Will do more research on this. Thank you for all the info and suggestions below.
More later.

>
>
> 6. You can discover more about how the files work by installing tools to
>    monitor file, network, and registry access and the DLLs used by
>    the programs.
>
>    Filemon
>    Regmon
>    TDImon
>    ProcessExplorer
>
>    All are available for free from www.sysinternals.com
>
>    Do this only if you understand the implications and even then with great
>    caution on a machine you can reformat and that doesn't have access to any
>    critical information.
>
> 7. Copy the files to a unix machine and run the strings command
>    on them. This sometimes yields interesting information.
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe

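Two of the checks suggested in the thread (log which hosts connect to the IRC server in question, and alert when a host's outgoing ICMP/UDP rate passes a baseline) as an added example that is not part of the original post. The flow records, the server address, the port, the baseline and the alert multiplier are all constructed assumptions standing in for whatever your own router or NetFlow logs show.

```python
# Added example (not from the mailing-list thread): two of the checks the
# post suggests, run over constructed flow records rather than real logs:
# (1) which internal hosts connect to the IRC server in question and
# (2) which hosts push ICMP/UDP out faster than a baseline rate.
from collections import defaultdict

# Constructed sample flows: (start_sec, src_ip, dst_ip, proto, dst_port, packets)
SAMPLE_FLOWS = [
    (0,   "10.1.2.10", "192.0.2.50",   "tcp",  6667, 40),   # IRC C&C channel
    (0,   "10.1.2.11", "192.0.2.50",   "tcp",  6667, 38),
    (0,   "10.1.2.12", "198.51.100.9", "tcp",  80,   120),  # ordinary web
    (60,  "10.1.2.10", "203.0.113.7",  "udp",  53,   9000), # flood begins
    (60,  "10.1.2.11", "203.0.113.7",  "icmp", 0,    8500),
    (60,  "10.1.2.12", "198.51.100.9", "udp",  53,   30),   # normal DNS
    (120, "10.1.2.10", "203.0.113.7",  "udp",  53,   9400),
]

IRC_SERVER = "192.0.2.50"   # hypothetical C&C server address (assumed)
IRC_PORTS = {6667}          # placeholder; use the port seen in your own logs
WINDOW = 60                 # seconds per rate bucket
BASELINE_PPS = 5.0          # pkts/s a normal host emits on ICMP+UDP (assumed)
MULTIPLIER = 10             # alert when rate exceeds MULTIPLIER x baseline

def irc_clients(flows, server=IRC_SERVER, ports=IRC_PORTS):
    """Internal hosts that opened TCP sessions to the IRC server."""
    return sorted({f[1] for f in flows
                   if f[3] == "tcp" and f[2] == server and f[4] in ports})

def flood_suspects(flows, baseline=BASELINE_PPS, mult=MULTIPLIER, window=WINDOW):
    """Hosts whose ICMP+UDP egress rate in any window exceeds mult*baseline."""
    pkts = defaultdict(int)   # (host, window_index) -> outgoing ICMP/UDP packets
    for start, src, _dst, proto, _port, count in flows:
        if proto in ("icmp", "udp"):
            pkts[(src, start // window)] += count
    hits = {}                 # host -> worst observed pkt/s over threshold
    for (host, idx), count in pkts.items():
        rate = count / window
        if rate > mult * baseline:
            hits[host] = max(rate, hits.get(host, 0.0))
    return hits

def zombie_candidates(flows):
    """Hosts that both talk to the C&C server and flood: the strongest signal."""
    return sorted(set(irc_clients(flows)) & set(flood_suspects(flows)))

if __name__ == "__main__":
    print("IRC clients:", irc_clients(SAMPLE_FLOWS))
    for host, rate in sorted(flood_suspects(SAMPLE_FLOWS).items()):
        print(f"flood suspect {host}: {rate:.0f} pkt/s")
    print("zombie candidates:", zombie_candidates(SAMPLE_FLOWS))
```

A host that appears only in the IRC list is worth a closer look but is not proof of compromise; one that also floods is the case the thread describes.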