Know Your Enemy - PowerPoint PPT Presentation

Slides: 71
Provided by: Ania1

Transcript and Presenter's Notes

Title: Know Your Enemy


1
Know Your Enemy
  • by
  • The Honeynet Project

2
Your Speaker
  • Background
  • Ask Questions
  • This is NOT a monologue, feel free to ask
    questions at any time.

3
Audience
  • This presentation is aimed at technical
    users. A basic understanding of systems and
    TCP/IP is expected.

4
Purpose
  • To explain the purpose, operations, and
    findings of the Honeynet Project

5
Sun Tzu - The Art of War
  • If you know the enemy and yourself, you need
    not fear the results of a hundred battles. If
    you know yourself but not the enemy, for every
    victory gained you will also suffer a defeat. If
    you know neither the enemy nor yourself, you will
    succumb in every battle.

6
Overview
  • Introduction
  • The Honeynet Project
  • The Threat
  • Real World Examples
  • How to Protect
  • Conclusion

7
Introduction
  • Security has traditionally focused on
    defensive actions, such as firewalls, IDS, and
    encryption, so the bad guys have the initiative.
    Organizations could only sit and wait for a
    failure in their defenses. The Honeynet Project
    is attempting to change this.

8
The Honeynet Project
  • We are a group of 30 security professionals
    dedicated to improving the security of the
    Internet community. We do this on our own time
    with our own resources.

9
Our goal
  • To learn the tools, tactics, and motives of
    the blackhat community and share the lessons
    learned.
  • We take the initiative by gathering
    intelligence on the enemy.

10
The Value
  • Awareness We raise awareness by demonstrating
    real systems that were compromised in the wild by
    the blackhat community.
  • Information For those who are already aware and
    concerned, we hope to give you the information to
    better secure and defend your resources.

11
What is a Honeynet
  • A Honeynet is one of the primary tools we use
    to learn about the bad guys. A Honeynet is a
    network of production systems designed to be
    compromised. Once compromised, we analyze the
    data and learn the tools, tactics, and motives of
    the blackhat community.

12
The Systems
  • The systems used within the Honeynet are
    actual production systems. Nothing is emulated,
    nor is anything done to make the systems more
    insecure. The risks and vulnerabilities found in
    a Honeynet exist in organizations throughout the
    Internet.

13
(No Transcript)
14
The Threat
  • The blackhat community is extremely aggressive.
    Our Honeynet averages
  • 3.6 unique scans a day
  • 3 systems compromised per month
  • This is on an 8 IP network that does not advertise
    itself.
  • http://project.honeynet.org/scans/scans.txt

15
Goals / Motives
  • The goals of blackhats vary as much as their
    tools. However, often they do not care who they
    compromise to achieve their goals; it's just a
    matter of how many systems.

16
Methodology
  • Many blackhats randomly probe the Internet
    searching for a specific vulnerability. Only 1
    percent of systems may have this vulnerability.
    However, you can compromise 10,000 systems if you
    scan over a million.

17
Blackhat Review
  • Extremely Aggressive
  • May not care who you are
  • Randomly scan massive numbers of systems (security
    through obscurity will not work)

18
Real World Example
  • We will now review some actual systems
    compromised using tools and tactics similar to
    the ones we have just covered.
  • I will be using screen shots to show the data.
    I want to give you the feel that you are doing
    the analysis yourself.

19
Terminal Session
20
Systems Compromised
  • 1. Windows98 Desktop
  • 2. Default Solaris 2.6 Server

21
Windows98 Desktop
  • We will now review a compromised Windows98
    Desktop. This box was a honeypot, so every
    packet of the attack was captured.
  • This honeypot was a default installation of
    Windows98 with C drive share enabled. This is
    the same system some of you have sitting at home.

22
Overview
  • During the month of October we identified a
    huge increase in the number of NetBIOS scans the
    Honeynet was receiving, over 520 scans in one
    month. We knew something was up, but what? We
    placed a Windows98 honeypot on our Honeynet and
    waited. We did not have to wait long.

23
The Initial Probe
  • Our blackhat begins by probing our honeypot
    for its NetBIOS name. This confirms that the
    system is up and running the Windows operating
    system.

24
The Initial Probe
25
Shares
  • Once our system has been confirmed as a
    Windows system, the remote blackhat identifies
    whether or not the C drive is shared. In our
    case, it is.

26
Shares
27
The Attack
  • The blackhat now executes his attack. He
    begins by copying the configuration file
    dnetc.ini to our system.

28
The Attack
29
The Attack
  • The blackhat then copies over the executable
    dnetc.exe. This file is a valid program, part of
    the distributed.net group. Users can participate
    in challenges by having their spare CPU cycles
    attempt to crack a challenge, in this case
    encryption challenge.

30
The Attack
31
The Worm
  • In the next step we see a worm installing itself.
    This indicates that our blackhat is not a
    person but an automated worm that probes the
    Internet on its own and replicates itself.
    We see it here doing just that.

32
The Worm
33
The Motive
  • The author of the worm is attempting to win
    the distributed.net challenge by having thousands
    of victims do the work for him.

34
The Infection
  • The worm now reconfigures the window.ini file,
    which will cause the worm to start once the
    system reboots.

35
The Infection
36
Three more attacks
  • Over the next three days, our honeypot was
    attacked three more times by other worms. These
    worms attempted to write over each other,
    fighting for control of the system. The worms
    are literally at war for your system.

37
Summary
  • We have just witnessed an automated worm that
    randomly scans the Internet for vulnerable
    victims. Once exploited, the worm replicates
    itself, looking for more victims.

38
Compromised Solaris System
  • We will now review a compromised Solaris
    system. This Solaris box was a honeypot, so
    every packet and keystroke of the attack was
    captured.
  • This honeypot was a default installation of
    Solaris 2.6, unpatched, compromised June 4, 2000.

39
Overview
  • On June 4, 2000, our Solaris honeypot was
    compromised via the rpc.ttdbserv vulnerability.
    Once compromised, a rootkit was installed.
    However, the black-hat also installed an IRC bot.
    This bot captured all of the black-hat's IRC
    conversations for a two week period.

40
The Exploit
  • Our Solaris honeypot is remotely exploited via
    an RPC vulnerability, specifically in the ToolTalk
    Object Database server, rpc.ttdbserv.

41
IDS Alert
42
Shell
  • This exploit creates a root shell, allowing
    the black-hat to execute commands as root.

43
Execute as Root
44
Creating Accounts
  • Our black-hat then connects to port 1524 and
    creates two system accounts. First, the account
    re, UID 500. Second, the account r, UID 0.
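The two accounts above are exactly what a defender should be auditing for: a second UID 0 login and any account that was not in the build. The script below is an added example for this transcript, not Honeynet Project code. It parses passwd-format text, diffs it against a known-good baseline, and flags every UID 0 account other than root. The passwd contents are constructed; only the account names re and r and their UIDs come from the slide.

```python
"""Detect unexpected accounts in /etc/passwd, such as the 're' (UID 500) and
'r' (UID 0) accounts the black-hat added to the Solaris honeypot.

Added example for this transcript, not Honeynet Project code. The passwd
contents below are constructed; the account names and UIDs come from the
slide, everything else is made up.
"""

# Constructed known-good baseline, as captured from a clean build.
BASELINE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
nobody:x:60001:60001:Nobody:/:
"""

# Constructed snapshot taken after the compromise: two accounts appended.
COMPROMISED_PASSWD = BASELINE_PASSWD + """\
re:x:500:1::/:/bin/sh
r:x:0:1::/:/bin/sh
"""


def parse_passwd(text):
    """Return {username: uid} for every well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed lines instead of crashing the audit
        accounts[fields[0]] = int(fields[2])
    return accounts


def extra_uid0_accounts(text):
    """Names of UID 0 accounts other than root (backdoor root logins)."""
    return sorted(name for name, uid in parse_passwd(text).items()
                  if uid == 0 and name != "root")


def added_accounts(baseline_text, current_text):
    """Account names present now but absent from the known-good baseline."""
    before = parse_passwd(baseline_text)
    after = parse_passwd(current_text)
    return sorted(set(after) - set(before))


def audit(baseline_text, current_text):
    """Combine both checks into a list of human-readable findings."""
    current = parse_passwd(current_text)
    findings = []
    for name in added_accounts(baseline_text, current_text):
        findings.append(f"new account: {name} (UID {current[name]})")
    for name in extra_uid0_accounts(current_text):
        findings.append(f"extra UID 0 account: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE_PASSWD, COMPROMISED_PASSWD):
        print(finding)
```

On a real host, read the baseline from media the attacker cannot rewrite; once the black-hat has root, as here, anything stored on the box itself can be edited to match.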

45
The Accounts
46
Access
  • Once the black-hat created these two accounts,
    he then telnetted in and proceeded to take
    control of the system. Notice the similarities
    between the commands used by this black-hat and
    the previous one.

47
Taking Control
48
Installing
  • Once he has his rootkit, the next step is to
    install it. Once again, this rootkit is fully
    automated, taking only seconds to install.

49
The Rootkit
50
./setup.sh
51
Log Cleaning
52
Securing
53
Not Seen
  • Not covered in these keystrokes is
    installation of trojan binaries. You can see
    exactly which binaries were trojaned by reviewing
    the rootkit yourself. Binaries include
  • /usr/bin/login
  • /usr/bin/ps
  • /usr/bin/ls
  • /usr/bin/netstat
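Trojaned login, ps, ls and netstat are invisible to the tools they replace, which is the point of replacing them; what still catches them is a hash baseline taken from the clean build and kept off the host. The script below is an added example for this transcript, not Honeynet Project or rootkit code. It builds a throwaway bin directory, records SHA-256 hashes, simulates a rootkit overwriting two of the files, and reports what changed. The file names come from the slide; their contents and the directory are constructed.

```python
"""Check system binaries against a known-good hash baseline, the way you
would catch the trojaned login/ps/ls/netstat a rootkit leaves behind.

Added example for this transcript, not Honeynet Project or rootkit code.
The files are constructed in a temporary directory; the file names are the
ones listed on the slide, their contents are made up.
"""
import hashlib
import tempfile
from pathlib import Path

TROJANED_BY_ROOTKIT = ["login", "ps", "ls", "netstat"]  # from the slide


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(bindir, names):
    """Record hashes of trusted binaries. Keep this copy off the host
    (read-only media); a rootkit running as root can rewrite anything local."""
    return {name: hash_file(Path(bindir) / name) for name in names}


def verify(bindir, baseline):
    """Compare current hashes to the baseline.
    Returns {name: status} with status 'ok', 'MODIFIED' or 'MISSING'."""
    report = {}
    for name, expected in baseline.items():
        path = Path(bindir) / name
        if not path.exists():
            report[name] = "MISSING"
        elif hash_file(path) != expected:
            report[name] = "MODIFIED"
        else:
            report[name] = "ok"
    return report


def demo():
    """Build a fake bin directory, baseline it, then simulate a rootkit
    replacing ps and netstat and deleting nothing. Returns the sorted
    names that no longer match."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp)
        watched = TROJANED_BY_ROOTKIT + ["cat"]
        for name in watched:
            # constructed stand-ins for the real binaries
            (bindir / name).write_bytes(b"genuine " + name.encode())
        baseline = build_baseline(bindir, watched)

        # Simulated trojaning: same file name, different contents.
        (bindir / "ps").write_bytes(b"replacement that hides processes")
        (bindir / "netstat").write_bytes(b"replacement that hides connections")

        report = verify(bindir, baseline)
        return sorted(name for name, status in report.items()
                      if status != "ok")


if __name__ == "__main__":
    print("flagged:", demo())  # → ['netstat', 'ps']
```

Timestamps and file sizes are not a substitute for the hash: a rootkit installer can set both to match the original, and the slide's ./setup.sh finished in seconds.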

54
The bot
  • The last step is the installation of an IRC
    bot. Apparently, that was the whole purpose of
    this attack, to gain systems for IRC bots. IRC
    bots allow people to maintain control, or ops, on
    IRC channels. This bot is what captured all of
    the black-hat's chats on IRC.

55
./me -f bot2
56
bot2
57
emech233.users
58
IRC Chats
  • Over a two week period we monitored these
    black-hats as they communicated over IRC. You
    can gain a better understanding of their motives
    and psychology by reviewing their conversations.

59
(No Transcript)
60
(No Transcript)
61
(No Transcript)
62
Summary of Solaris System
  • We have seen an example of a more dangerous
    attack. We see an individual probing the Internet
    for the rpc.ttdbserv vulnerability. Their intent
    is to own as many systems as possible for
    bragging rights and system bots.

63
Summary of both examples
  • We have witnessed two systems compromised in
    the wild. These attacks are extremely common and
    happen every day; these threats are real.

64
How to Protect
  • Don't be the easy kill
  • Learn the tools and tactics
  • Watch your systems

65
Protection
  • Don't be the easy kill
  • Armor system
  • Turn off unnecessary services
  • Update patches
  • Have standardized, secure system builds
  • Stay current with the latest vulnerabilities

66
Learn / Understand the tools
  • Run the tools against your network.
  • Tools are different, but the strategies are
    similar.
  • Understand the exploits and what they look for.

67
Watch Your Systems
  • Know when your systems are being probed or
    attacked.
  • Watch and protect your system logs
  • Have built-in alerting mechanisms
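"Know when your systems are being probed" is a log-reading problem: a NetBIOS sweep across every address in the block looks very different from a single refused connection. The script below is an added example for this transcript, not Honeynet Project code. It parses a constructed firewall-style deny log, reports the unique scanning sources per day (the metric the Honeynet quotes), flags sources that touch several of your hosts, and lists who touched the ports from the two case studies. The log format and every line are constructed; ports 139 (NetBIOS), 111 (rpcbind) and 1524 are the ones from the talk.

```python
"""Spot probes and sweeps in firewall-style deny logs, so you know when
your systems are being probed.

Added example for this transcript, not Honeynet Project code. The log
format and every line below are constructed; ports 139 (NetBIOS), 111
(rpcbind) and 1524 echo the two cases in the talk.
"""
import re
from collections import defaultdict

# Constructed deny log: one NetBIOS sweep across a /29, one RPC probe, and
# one ordinary refused SSH connection. The last line is deliberately junk.
SAMPLE_LOG = """\
2000-10-12 03:14:55 DENY src=198.51.100.7 dst=192.0.2.8 dport=139
2000-10-12 03:14:55 DENY src=198.51.100.7 dst=192.0.2.9 dport=139
2000-10-12 03:14:56 DENY src=198.51.100.7 dst=192.0.2.10 dport=139
2000-10-12 03:14:56 DENY src=198.51.100.7 dst=192.0.2.11 dport=139
2000-10-12 03:14:56 DENY src=198.51.100.7 dst=192.0.2.12 dport=139
2000-10-12 11:02:10 DENY src=203.0.113.4 dst=192.0.2.10 dport=111
2000-10-12 11:02:11 DENY src=203.0.113.4 dst=192.0.2.10 dport=1524
2000-10-13 09:00:00 DENY src=192.0.2.200 dst=192.0.2.10 dport=22
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ DENY "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(log_text):
    """Yield (date, src, dst, dport) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["date"], m["src"], m["dst"], int(m["dport"])


def unique_scans_per_day(log_text):
    """Distinct source IPs seen per day, the figure the Honeynet reports."""
    per_day = defaultdict(set)
    for date, src, _, _ in parse(log_text):
        per_day[date].add(src)
    return {date: len(srcs) for date, srcs in sorted(per_day.items())}


def flag_scanners(log_text, min_hosts=3):
    """{src: sorted target hosts} for sources hitting at least min_hosts
    distinct addresses: a sweep rather than a single connection."""
    targets = defaultdict(set)
    for _, src, dst, _ in parse(log_text):
        targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_hosts}


def flag_probes(log_text, watched_ports=(111, 139, 1524)):
    """{src: sorted ports} for sources touching the watched ports."""
    hits = defaultdict(set)
    for _, src, _, dport in parse(log_text):
        if dport in watched_ports:
            hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    print("unique sources per day:", unique_scans_per_day(SAMPLE_LOG))
    print("sweeps:", flag_scanners(SAMPLE_LOG))
    print("watched-port probes:", flag_probes(SAMPLE_LOG))
```

The alerting hook is the return value of flag_scanners: wire it to whatever pages you, and keep the log it reads on a host the attacker has not rooted, because the first thing the Solaris rootkit did after installing was clean the logs.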

68
Summary
  • It is hoped that the work of the Honeynet
    Project will give you a better understanding of
    this threat. By understanding this threat, you
    can now better protect against it.

69
Conclusion
  • The Honeynet Project is a group of 30 security
    professionals dedicated to learning the tools,
    tactics, and motives of the blackhat community
    and sharing those lessons learned.

70
Resources
  • Honeynet Project
  • http://project.honeynet.org
  • Additional Information
  • http://www.securityfocus.com
  • http://www.hackernews.com
  • http://www.whitehats.com