The Five Most Popular Attacks on the Internet - PowerPoint PPT Presentation

About This Presentation
Title:

The Five Most Popular Attacks on the Internet

Description:

Sources of attacks and vulnerability information. Details on the most frequently requested attacks ... Author: Cult of the Dead Cow. http://www.cultdeadcow.com ... – PowerPoint PPT presentation

Slides: 21
Provided by: peter253
Learn more at: http://www.cs.loyola.edu

Transcript and Presenter's Notes

1
The Five Most Popular Attacks on the Internet
  • Peter Mell, 1-7-98
  • peter.mell@nist.gov
  • National Institute of Standards and Technology
  • Computer Security Division

2
Outline
  • Sources of attacks and vulnerability information
  • Details on the most frequently requested attacks
  • Statistics on attacks available on the Internet

3
Web Site Resources
  • Attack Scripts: Rootshell, http://www.rootshell.com;
    Fyodor's Playhouse, http://www.insecure.org
  • Vulnerability Information: Bugtraq, http://geek-girl.com/bugtraq;
    NTBugtraq, http://www.ntbugtraq.com
  • Vulnerability Advisories: CERT, http://www.cert.org;
    L0pht, http://www.l0pht.com/
4
We are Measuring the Popularity of Attacks
  • Rootshell makes available a CGI script that
    reveals the last 50 search requests made on its
    database of 700 attack scripts
  • We created a Perl script that harvests search
    requests each hour
  • Approximately 170,000 queries are made each month
    (our current sample size is 20% of the total
    number: 33,000 queries)

5
The Top 18 Search Requests (12-98)
6
Search Requests on OSs
7
Search Requests on Applications
8
Attacks on Applications
  • ICQ: 6 exploits in the last year. Spoof any ICQ
    user id and send people files that get stored
    anywhere
  • Sendmail: 11 exploits in the last year. Local get
    root, DoS, remote control
  • imap: 8 exploits in the last year. Scanners and
    remote get root attacks

Manuals on performing buffer overflow
attacks: http://www.insecure.org/stf/smashstack.txt
http://www.l0pht.com/advisories/bufero.html
9
Search Requests on Attacks
10
Back Orifice: What Microsoft Says
"Microsoft takes security seriously, and
has issued this bulletin to advise customers
that Windows 95 and Windows 98 users following
safe computing practices are not at risk."
According to Wired (1998-Nov-17), 79% of
Australian ISPs are "infected" with Back Orifice.
http://www.wired.com/news/news/technology/story/16310.html
11
Back Orifice
Author: Cult of the Dead Cow, http://www.cultdeadcow.com
Publish Date: Released in August 1998 at the
annual hacker DEF CON convention
Summary: Remotely control Windows 95 hosts
Transmission Method: Web site downloads,
e-mailing free apps, piggybacking with ordinary
remote exploits
12
Back Orifice Applications
  • File System Control: Add/delete any file
  • Process Control: Run/kill any process
  • Registry Control: List, create, delete, and set
    registry keys and values
  • Network Control: View all exported resources and
    their passwords. View and kill connections.
  • Multimedia Control: Keystroke monitor. Take
    screen shots. Control host cameras.
  • Packet Redirection: Redirect local ports to
    remote ports
  • Packet Sniffer: Views any network packets
  • Plug-in Interface: Much like Netscape plug-ins
13
Other Back Orifice Features
Plug-Ins
  • Butt Trumpet: Penetration notification via e-mail
  • Saran Wrap: Easily bundle BO with legitimate
    software
  • Speakeasy: Broadcast a penetration to an IRC
    channel
Other Features
  • Encrypted connections
  • Autonomous mode
14
Netbus
Similar to Back Orifice except that anyone can
log into a Netbus server
  • Start optional application
  • Download/upload/delete files
  • Send keystrokes and disable keys
  • Record sounds from the microphone
  • Go to an optional URL
  • Control mouse
  • Shut down Windows
  • Listen to keystrokes
  • Take a screendump
15
Teardrop
Published before 11/14/97
Reboots or halts Windows 95, NT and Linux using 2
fragmented packets
[Diagram: two fragment layouts. In both, packet P1 has
Offset=0 and End=N. Left layout: packet P2 has Offset<N
and End=N+M, so it overlaps the tail of P1 and extends
past it. Right layout: packet P2 has Offset<N and End<N,
so it falls entirely inside P1.]
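The two fragment layouts on the Teardrop slide, checked by a small fragment-overlap validator. This is an added example written for this page, not the presentation's own code; the (offset, end) byte ranges and the sizes N and M are constructed to match the diagram.

```python
"""Fragment-overlap checker for the two Teardrop layouts on the slide above.
Added example written for this page, not the presentation's own code; the
(offset, end) byte ranges below are constructed to match the diagram."""

def check_fragments(frags):
    """frags: list of (offset, end) byte ranges in arrival order.
    Returns a list of (index, reason) findings; empty means no anomaly."""
    findings = []
    accepted = []                          # ranges already queued for reassembly
    for i, (off, end) in enumerate(frags):
        if end <= off:
            findings.append((i, "zero or negative length"))
            continue
        for j, (p_off, p_end) in enumerate(accepted):
            if off < p_end and end > p_off:        # the two ranges intersect
                if off >= p_off and end <= p_end:
                    findings.append((i, f"entirely inside fragment {j} (teardrop pattern)"))
                else:
                    findings.append((i, f"partial overlap with fragment {j}"))
        accepted.append((off, end))
    return findings

def trimmed_length(prev_end, off, end):
    """Bytes of new data left after trimming the part of (off, end) that
    overlaps a previously received fragment ending at prev_end. A reassembler
    that copies this many bytes without checking the sign is the failure mode
    the slide's right-hand layout triggers: the result goes negative."""
    return end - max(off, prev_end)

def safe_new_length(prev_end, off, end):
    """Hardened form: refuse fragments that contribute no new bytes."""
    n = trimmed_length(prev_end, off, end)
    return n if n > 0 else None

N, M = 6, 3                                # constructed sizes from the diagram
LEFT = [(0, N), (4, N + M)]                # P2 overlaps P1's tail, extends past it
RIGHT = [(0, N), (2, 3)]                   # P2 falls entirely inside P1

if __name__ == "__main__":
    for name, frags in (("left", LEFT), ("right", RIGHT)):
        print(name, check_fragments(frags), trimmed_length(frags[0][1], *frags[1]))
```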
16
Smurf
Published before 10/13/97
Smurf freezes a target by sending it large
numbers of ICMP ping packets
Attacker is not traceable: each of the attacker's
ping packets is amplified into hundreds of packets
[Diagram: Attacker sends ping packets with
Source=Target and Destination=Broadcast address to a
network that responds to broadcast pings; Target
receives hundreds of packets for each of the
attacker's packets.]
17
(Win)Nuke
Published before 5/7/97
WinNuke crashes Windows 95/NT hosts by
establishing a TCP connection and sending out-of-band
data
[Diagram: Attacker to Target. 1. TCP connection
established (port 139). 2. Send a packet of
out-of-band data (e.g. send(s,str,strlen(str),MSG_OOB))]
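A detector for the Smurf and WinNuke patterns on the two preceding slides, run over constructed packet records. This is an added example, not the presentation's code; the records are made up, and the /24 subnet mask and the 100-source reply threshold are assumptions.

```python
"""Detector for the Smurf and WinNuke patterns on the preceding two slides.
Added example, not the presentation's code; the packet records are
constructed, and the /24 mask and 100-source threshold are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed records: (proto, src, dst, dport, flag). A real deployment would
# fill these from a capture or flow export.
SAMPLE = [
    # Smurf step 1: echo request with a spoofed source aimed at a directed broadcast
    ("icmp", "192.0.2.7", "198.51.100.255", None, "echo-request"),
    # Smurf step 2: the amplifier network's hosts all reply to the spoofed source
    *[("icmp", f"198.51.100.{i}", "192.0.2.7", None, "echo-reply") for i in range(1, 121)],
    # WinNuke: TCP segment to port 139 with the URG bit set (MSG_OOB on the sender)
    ("tcp", "192.0.2.99", "192.0.2.50", 139, "URG"),
    ("tcp", "192.0.2.99", "192.0.2.50", 80, "ACK"),     # benign control record
]

def is_directed_broadcast(dst, prefix_len=24):
    """True when dst is the broadcast address of its /prefix_len network
    (assumed mask; use the real subnet table in practice)."""
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
    return addr == net.broadcast_address

def detect(records, reply_threshold=100):
    """Return (rule, src, dst) alerts for the patterns the slides describe."""
    alerts = []
    reply_sources = defaultdict(set)       # victim -> distinct echo-reply senders
    for proto, src, dst, dport, flag in records:
        if proto == "icmp" and flag == "echo-request" and is_directed_broadcast(dst):
            alerts.append(("smurf-broadcast-ping", src, dst))
        elif proto == "icmp" and flag == "echo-reply":
            reply_sources[dst].add(src)
        elif proto == "tcp" and dport == 139 and flag == "URG":
            alerts.append(("winnuke-oob-to-139", src, dst))
    for victim, senders in reply_sources.items():
        if len(senders) >= reply_threshold:
            alerts.append(("smurf-reply-flood", f"{len(senders)} hosts", victim))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```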
18
Listing of the top 20 attacks
Recommended scanning software: nmap, queso,
strobe, netcat. DoS attack toolkit: targa
19
Statistics on attacks published on the Internet
  • 37% of attacks can be launched from Windows hosts
    (people don't need Unix to be dangerous anymore)
  • 4% of attacks compromise hosts that visit web
    sites (surfing the Internet is not risk free)
  • 3% of attacks exploit more than one vulnerability
    (attack toolkits that allow children to penetrate
    hosts with the push of a button are becoming a
    reality)
  • 8% are scanning tools that look for
    vulnerabilities (automated searching for
    vulnerable hosts is commonplace)

20
Even Firewalls, Routers, and Switches are not safe
Percent of attacks that work against firewalls
(7%) (no penetration attacks found), routers (6%)
(no penetration attacks found)
Percent of attacks that penetrate switches (2%)
(nbase and 3com backdoor passwords)