[771] in resnet
Re: DDoS attacks and zombies
daemon@ATHENA.MIT.EDU (Wendy Shih)
Tue Feb 5 11:26:01 2002
Message-ID: <3C60052D.335A63B9@res.kent.edu>
Date: Tue, 5 Feb 2002 11:15:41 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Wendy Shih <wshih@RES.KENT.EDU>
To: RESNET-L@listserv.nd.edu
See below for responses
Gary Flynn wrote:
> > From: Wendy Shih <wshih@RES.KENT.EDU>
> >
> > I got on the channel and see many of
> > other .edu ResNet computers (possibly yours too) all victims.
>
> I'd like a list of any jmu.edu computers you see. I'm sure the others
> here would appreciate being told if computers on their network were listed
> too.
I am logging it and will forward it tomorrow. The victim's computer has to be
on-line for it to log, and also I think there is a max on the channel, so not all
victims will be on the channel at the same time.
>
>
> > 1. If you have the experience, please share how I should proceed next to
> > break this malicious operation.
>
> Have you run up-to-date AV software on the computers? Sometimes known
> trojans are used to get the files on the computers. Some of the BOTS
> may also be known to AV vendors.
Yes, we made sure to have latest McAfee dat file and also ran F-Prot 3.11 from
DOS.
>
>
> Install logging filters on your outgoing router or firewall interface
> and log connections to the IRC server in question. If it's a popular
> server, you'll have to dig into the packets to determine which
> computers are connected to the channel in question.
>
Unfortunately, we don't have a firewall by router.
>
> Or, as you've already found, you can just join the channel itself
> and look for computers on your network.
>
That is what I am checking.
>
> Configure your network management software so that it monitors outgoing
> rates of ICMP and UDP packets. Adjust thresholds and alert mechanisms
> so you're told if they go past a baseline. TCP SYNs are a bit more
> difficult.
>
> Send the software you found to your AV vendor. They may develop a
> signature for it.
>
Good idea.
>
> If you watch the channel long enough, you'll eventually see a connection
> from a computer that sends a command string that triggers the zombies to
> attack. Unfortunately, it's likely that computer is also compromised so
> reporting it to law enforcement may be less than effective.
Yes, I saw the operator's IP and DNS, but I think it is not easy to trace and could
be from a zombie too.
>
>
> > 2. The scripts and server files are big - over 1.5Mb. Do you know how
> > they got installed on the computer? One of the owners said she just got
> > the computer in September. She has updated virus software and claimed never
> > to download anything. She doesn't use any p2p software. The files were all
> > identical in 3 computers and all installed in the same directory.
>
> 1. Were they running IIS? If so, was it patched?
None running IIS.
>
>
> 2. They never accepted a game, screen saver, Christmas cards with certain
> extensions, or a free software install from a "friend" over a RESNET
> MS file share, IM, or MIRC session? ;)
This is always possible.
>
>
> 3. Have they visited the Windows Update site and installed all critical
> patches? If not, they could have been infected by reading malicious email
> (without clicking an attachment) or visiting a malicious web site.
Probably not, will have them do that soon.
>
> 4. If they're NT or 2000 systems, download Fport and see if any unexpected
> programs are listening.
>
> http://www.foundstone.com/knowledge/free_tools.html
>
> If you find a backdoor program in common to the computers, you can scan
> your network on the listening port to see if there are others.
No backdoor/trojan found.
>
>
> 5. Did they have Microsoft file sharing incorrectly installed so that the
> entire hard drive is shared? On a Windows NT/2000/XP machine, did
> they have a nonexistent or weak administrator password allowing access
> to the C$ share? Do you block netbios at the Internet border?
Will do more research on this. Thank you for all the info and suggestions below.
More later.
>
>
> 6. You can discover more about how the files work by installing tools to
> monitor file, network, and registry access and the DLLs used by
> the programs.
>
> Filemon
> Regmon
> TDImon
> ProcessExplorer
>
> All are available for free from www.sysinternals.com
>
> Do this only if you understand the implications and even then with great
> caution on a machine you can reformat and that doesn't have access to any
> critical information.
>
> 7. Copy the files to a unix machine and run the strings command
> on them. This sometimes yields interesting information.
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
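Gary's suggestion of watching outgoing ICMP/UDP packet rates against a per-host baseline, worked through as an added example that is not part of the thread: it assumes per-minute outbound flow records (minute, internal host, protocol, packet count) exported at the border, uses constructed sample data with a fake flood from one ResNet host, and flags any host whose rate climbs past a multiple of its own quiet-period baseline.

```python
from collections import defaultdict

# Constructed sample of outbound flow records from a campus border device:
# (minute bucket, internal source host, protocol, packets). Host 10.20.1.15
# behaves normally for two minutes and then starts a UDP/ICMP flood.
SAMPLE_FLOWS = [
    (0, "10.20.1.15", "udp", 40),
    (0, "10.20.1.15", "icmp", 5),
    (0, "10.20.1.77", "udp", 30),
    (1, "10.20.1.15", "udp", 45),
    (1, "10.20.1.77", "udp", 25),
    (2, "10.20.1.15", "udp", 38_000),   # flood begins
    (2, "10.20.1.15", "icmp", 12_000),
    (2, "10.20.1.77", "udp", 35),
    (3, "10.20.1.15", "udp", 41_000),
    (3, "10.20.1.77", "icmp", 3),
]


def packets_per_minute(flows, protocols=("udp", "icmp")):
    """Sum outbound packets per host and minute for the watched protocols."""
    rates = defaultdict(lambda: defaultdict(int))
    for minute, host, proto, pkts in flows:
        if proto in protocols:
            rates[host][minute] += pkts
    return rates


def baseline(per_minute, training_minutes):
    """Mean packets/minute for one host over the quiet training window.
    Minutes with no traffic count as zero, so an idle host gets a low baseline."""
    total = sum(per_minute.get(m, 0) for m in range(training_minutes))
    return total / training_minutes


def alerts(flows, training_minutes=2, multiplier=10, floor=1000):
    """Return (host, minute, packets, baseline) for every post-training minute
    where a host exceeds max(floor, multiplier * its baseline). The floor keeps
    a nearly idle host from alerting on a handful of pings."""
    out = []
    for host, per_minute in packets_per_minute(flows).items():
        base = baseline(per_minute, training_minutes)
        threshold = max(floor, multiplier * base)
        for minute in sorted(per_minute):
            if minute >= training_minutes and per_minute[minute] > threshold:
                out.append((host, minute, per_minute[minute], base))
    return sorted(out)


if __name__ == "__main__":
    for host, minute, pkts, base in alerts(SAMPLE_FLOWS):
        print(f"minute {minute}: {host} sent {pkts} UDP/ICMP pkts (baseline {base:.1f}/min)")
```

On the sample data only 10.20.1.15 is reported, in minutes 2 and 3; the second host's small fluctuations stay under the floor. Real exports should use a training window long enough to cover normal daily variation.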