
List:       intrusions
Subject:    RE: LOGS: GIAC GCIA Version 3.3 Practical Detect - Backdoor Q acc
From:       "Smith, Donald " <Donald.Smith () qwest ! com>
Date:       2002-11-25 14:32:32

So I only have one question.
Is this backdoor Q or a false positive?

For a description of what Q does and how it works see:
http://whitehats.com/cgi/arachNIDS/Show?_id=ids203&view=research

Here is a link to the source code.
http://mixter.warrior2k.com/code.html


> -----Original Message-----
> From: Danny Walker [mailto:dwalker@packetforge.net]
> Sent: Sunday, November 24, 2002 11:50 PM
> To: 'Szczepankiewicz, Peter'; intrusions@incidents.org
> Subject: RE: LOGS: GIAC GCIA Version 3.3 Practical Detect - Backdoor Q
> access
> 
> 
> Peter,
> 
> Answers are inline.
> 
> Thanks,
> Danny
> >-----Original Message-----
> >From: Szczepankiewicz, Peter [mailto:pjszczep@fiwc.navy.mil]
> >Sent: Sunday, November 24, 2002 11:23 PM
> >To: dwalker@packetforge.net; intrusions@incidents.org
> >Subject: RE: LOGS: GIAC GCIA Version 3.3 Practical Detect - 
> Backdoor Q
> >access
> >
> >A few questions -
> >
> >	Could you please include a sample rule, the event
> >generator.  You describe it pretty well, but which rule in
> >your 11/11 rule set picked up the packet?
> 
> I defined the characteristics the rule was looking for but 
> failed to include
> the actual rule, so here it is.
> 
> alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flags:A+; dsize: >1; reference:arachnids,203; sid:184; classtype:misc-activity; rev:3;)
> 
> >	Also, why is it that Q on a server is so stealthy?
> >There must be some method to recognize it and clean it off the
> >host.  If nothing else, watching for new open ports would find
> >a new trojan, but not after you're already infected.
> 
> Unfortunately since Q is open source code there is no telling 
> what other
> features might have been added.  An actual trojan infected 
> machine needs to
> be found in order to determine a fingerprint to use for easy 
> detection.
> 
> >	Why would Q chose to use port 515?  Because it looks
> >like valid lpd?
> 
> Q can bind to any port, so the creator of this trojan picked TCP515 to
> look like printer traffic, I guess.  Since the trojan has to bind to the
> port and accept incoming encrypted traffic on that port, using UDP53 or
> TCP139 might prove difficult depending on the host and its use.
> 
> >	Administrative question.  Your correlations include
> >links to send e-mail. It might be better to include the
> >specific hyperlinks to the e-mails you mention.
> 
> Yes, M$ decided it was in my best interest to make all email-looking
> addresses become actual mailto: URIs when I copied my Word document
> over to Outlook.  I will fix this.
> 
> 
> 
> 
> >-----Original Message-----
> >From: Danny Walker [mailto:dwalker@packetforge.net]
> >Sent: Saturday, November 23, 2002 3:56 PM
> >To: intrusions@incidents.org
> >Subject: LOGS: GIAC GCIA Version 3.3 Practical Detect -
> >Backdoor Q access
> >
> >
> >Backdoor Q Access
> >1) Source of Trace
> >The following logs were analyzed from the incidents.org website:
> >
> ><http://www.incidents.org/logs/Raw/2002.4.30>
> >
> >Although the log stated the traffic was for 4/30/2002 it
> >actually contained traffic from 5/29-19:03:04 to 5/30-18:57:36.
> >
> >The following alerts were generated:
> >
> >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> >+=+=+=+=+=+
> >[**] BACKDOOR Q access [**]
> >05/30-23:28:29.914488 255.255.255.255:31337 ->
> >XXX.XXX.29.242:515 TCP TTL:14 TOS:0x0 ID:0 IpLen:20 DgmLen:43
> >***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
> >63 6B 6F                                         cko
> >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> >+=+=+=+=+=+
> >[**] BACKDOOR Q access [**]
> >05/30-23:32:56.944488 255.255.255.255:31337 ->
> >XXX.XXX.105.131:515 TCP TTL:14 TOS:0x0 ID:0 IpLen:20 DgmLen:43
> >***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
> >63 6B 6F                                         cko
> >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> >+=+=+=+=+=+
> >[**] BACKDOOR Q access [**]
> >05/30-00:00:11.954488 255.255.255.255:31337 ->
> >XXX.XXX.208.229:515 TCP TTL:14 TOS:0x0 ID:0 IpLen:20 DgmLen:43
> >***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
> >63 6B 6F                                         cko
> >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> >+=+=+=+=+=+
> >[**] BACKDOOR Q access [**]
> >05/30-02:10:42.014488 255.255.255.255:31337 ->
> >XXX.XXX.241.193:515 TCP TTL:14 TOS:0x0 ID:0 IpLen:20 DgmLen:43
> >***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
> >63 6B 6F                                         cko
> >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> >+=+=+=+=+=+
> >
> >In this case the entire packet trace is the same as above.
> >Typically the total trace is made up of other packets in
> >addition to the offending packet that would allow a complete
> >look at the trace.
> >
> >2) Detect was generated by:
> >Snort v.1.9.0 (Build 209) using a rule set dated 11/11/2002.
> >According to ArachNIDS at Whitehats.com (www.whitehats.com
> ><http://www.whitehats.com>) the detection signature looks in
> >the IP Header for a Source Address of 255.255.255.255/32,
> >Destination Address of $INTERNAL, Protocol of 6 (TCP) and
> >Total Length >1 and in the TCP header for ACK bit set.  The
> >network infrastructure in which this packet was found is unknown.
> >
> >Three questions that should be answered when looking at the detect in
> >question:
> >1.	Could this be a false positive? This is probably not a
> >false positive
> >since the packet is unique enough that it would be easy to
> >distinguish. The existence of the packet does not indicate in
> >any way that your network has been infected with the
> >particular trojan.  Since the Reset bit was enabled even if a
> >host is infected it wouldn't attempt to communicate back to
> >the source, but other communication methods may be enabled.
> >
> >2.	Could this attack bypass the current signature causing
> >false negatives?
> >Because Q can be configured in many ways, and because we do not know
> >whether the trojan version of Q has additional capabilities beyond the
> >official version, this is a difficult question to answer.  I could easily
> >modify the stimulus packet that my version of the trojan uses, which would
> >bypass this signature and create another deviation of the trojan, so the
> >safe answer is that this signature could cause false negatives.
> >
> >3.	Do we really understand the attack and traffic to keep false
> >interpretations from happening?  This question may be best
> >answered under the Description of Attack and Attack Mechanism
> >sections below.
> >
> >3) Probability the source address was spoofed:
> >This packet is not part of a TCP session since no handshake
> >was ever initiated.  The sender has definitely forged the
> >packet since it is not possible to have a host at
> >255.255.255.255/32. I would say that the source address is
> >probably spoofed.
> >4) Description of Attack:
> >Q is a remote access and redirection server with strong
> >encryption written by Mixter and, like many other utilities, has
> >a good and a bad use.  This utility can provide power users and
> >administrators the ability to secure communication through
> >encrypted redirection services similar to netcat. This utility
> >offers a few configuration options that allow its services to
> >be hidden by renaming its process to klogd and changing the
> >uid it runs under.
> >
> >The signature states that this is an attempt to send a command
> >to a compromised Q server.  This is plausible since the packet
> >is set up like a probe with the sole intention of causing an
> >initial communication with a Trojan.
> >
> >It has been given CVE# CAN-1999-0660, which is a generic
> >listing stating that some type of hacker utility or trojan
> >horse is installed but gives very little information.  One
> >note also: it is still a candidate to be added to the CVE.
> >5) Attack Mechanism:
> >This packet seems to be a stimulus with the intention of
> >querying Trojans already planted.  Port 515 (Printer port) has
> >been used to send out the packets with the hope that this port
> >will be open more often.  A source host of 255.255.255.255/32
> >could assist with bypassing source address ACLs in security
> >devices.  In addition the ACK bit set could enable the packet
> >to bypass some older stateful inspection firewalls and
> >NAT-based routers.
> >
> >This attack would be considered a form of reconnaissance since
> >the packets are sent out across the Internet looking for
> >hosts that might communicate.
> >
> >All of the packets have a payload of 'cko' that could be a
> >message to the dormant servers to communicate back to a preset
> >IP address or something similar. At that time a reverse
> >command shell could be initiated, giving the attacker complete
> >access to the compromised server.
> >
> >My analysis is subject to the concept of false interpretations
> >since there really isn't enough data to make concrete statements.
> >6) Correlations
> >In reviewing past posts to INCIDENTS@SECURITYFOCUS.COM, Le
> >(sec@onetwo.com) requested information about similar traffic
> >found by Snort on his class B network.  There was, however, an
> >interesting piece of information given by Jeff Peterson
> >(Jpeterson@BTIIS.NET) stating that there seemed to be a
> >correlation between the packets received and connections to
> >certain IRC servers, which would make sense given Mixter's work
> >with IRC bots and examples of using Q to connect to IRC servers.
> >
> >7) Evidence of Active Targeting:
> >These trolling packets are hitting across this class B in no
> >particular order.
> >
> >8) Severity:
> >Severity = (Criticality + Lethality) - (System Countermeasure + Network
> >Countermeasure)
> >
> >Criticality - (3) The targets identified could be workstations
> >or servers. If the printer port is open chances are the
> >machines most vulnerable would be servers of some type.
> >
> >Lethality - (5) If compromised and activated, any trojan
> >planted on an internal machine would be lethal to that
> >network.  That a reverse shell will probably be initiated
> >once a host is found only adds to the damage.
> >
> >System Countermeasure - (1) Without additional information on
> >the trojan itself it would be difficult at best to protect any
> >host.  Monitoring the hosts in question would be the best
> >possible answer at this time.
> >
> >
> >Network Countermeasure - (3) Blocking the source address at
> >the perimeter and watching for it with the IDS would assist
> >with network protection.  But the real difficulty would be
> >providing a countermeasure when the threat is not totally known.
> >
> >So the Severity would be (3 + 5) - (1 + 3)  = 4
> >
> >9) Defensive Recommendations:
> >To keep these packets from traversing a network the network
> >perimeter should not allow broadcast packets from the outside.
> > Locating and cleaning any hosts already infected with the Q
> >software may be a little more difficult given some of its
> >ability to hide.  Since this could be the Q server heavily
> >modified there is no way to determine exactly what to look
> >for.  If the environment can be severed from the internet one
> >effective way to determine if your local LAN has infected
> >machines would be to craft an identical packet and broadcast
> >it across the network watching for return traffic, although I
> >would consider this only an option if I was concerned about it.
> >
> >10) Multiple Choice Test Question:
> >Which one of the following reasons would not tell you that
> >this packet was crafted?
> >
> >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> >+=+=+=+=+=+
> >[**] BACKDOOR Q access [**]
> >05/30-23:28:29.914488 255.255.255.255:31337 ->
> >XXX.XXX.29.242:515 TCP TTL:14 TOS:0x0 ID:0 IpLen:20 DgmLen:43
> >***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
> >63 6B 6F                                         cko
> >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> >+=+=+=+=+=+
> >
> >A)	Source address of 255.255.255.255
> >B)	Source port of 31337
> >C)	Window Size of 0x0
> >D)	Sequence number of 0x0
> >
> >The answer is B.
> >
> >References:
> >
> >"IDS203 TROJAN-ACTIVE-Q-TCP." ArachNIDS - The Intrusion Event
> >Database. Whitehats Network Security Resource. 2001.
> ><URL:http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids203>.
> >(11/19/02)
> >
> >Le (sec@onetwo.com). "Email subject: Backdoor Q access."
> >Incidents@securityfocus.com mailing list. 4/29/2001. (11/19/02)
> >
> >Peterson, Jeff (jpeterson@btiis.net). "Email subject: Backdoor Q
> >access." Incidents@securityfocus.com mailing list. 5/4/2001. (11/19/02)
> >
> >Mixter. "Source code for Q - version 2.4." Remote access and redirection
> >services with strong encryption. File: Q-2.4.tgz. 1999.
> ><URL:http://mixter.warrior2k.com/>. (11/17/02)
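The thread above turns on three things: what the posted sid:184 rule actually tests for (source in 255.255.255.0/24, ACK set, dsize > 1), how much tighter a fingerprint of the exact trace packet would be (and how easily a modified Q would slip past it, the false-negative question in section 2), and which header fields give the packet away as crafted (the quiz in section 10). The following is an added example written for this page, not code from the thread, from Snort or from Mixter's Q. It rebuilds the alerted packet as raw IPv4/TCP bytes with the standard library, parses it back into the fields Snort printed, and runs both checks plus the crafting heuristics over it and over a constructed benign lpd packet. Assumptions: $HOME_NET is taken as 10.0.0.0/8 because the trace masks its class B as XXX.XXX, all packets are constructed inline, and checksums are left zero because nothing is sent on the wire.

```python
"""Added example: rebuild the 'BACKDOOR Q access' packet and apply the
posted Snort rule, a tighter trace fingerprint, and crafting heuristics.
All packets here are constructed samples; checksums are zero (offline only)."""
import ipaddress
import struct
from dataclasses import dataclass

# TCP flag bits in Snort's "12UAPRSF" display order (0x80 .. 0x01)
TH_CWR, TH_ECE, TH_URG, TH_ACK, TH_PSH, TH_RST, TH_SYN, TH_FIN = (
    0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01)
SNORT_FLAG_BITS = tuple(zip("12UAPRSF", (0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01)))

RULE_SRC_NET = ipaddress.ip_network("255.255.255.0/24")  # from the posted sid:184 rule
HOME_NET = ipaddress.ip_network("10.0.0.0/8")            # assumption: trace masks its class B


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    ip_id: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"",
                   seq=0, ack=0, window=0, ttl=64, ip_id=0):
    """Serialise a minimal IPv4 + TCP datagram (no options, checksums zeroed)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(datagram):
    """Decode the fields Snort printed in the alert; rejects non-IPv4/TCP input."""
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP datagram")
    segment = datagram[(ver_ihl & 0x0F) * 4:total_len]
    (sport, dport, seq, ack, off_res, flags, window,
     _csum2, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    return Packet(str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
                  ttl, ip_id, sport, dport, seq, ack, flags, window,
                  segment[(off_res >> 4) * 4:])


def snort_flags(flags):
    """Render flags the way Snort's alert output does, e.g. 0x14 -> '***A*R**'."""
    return "".join(ch if flags & bit else "*" for ch, bit in SNORT_FLAG_BITS)


def matches_sid184(pkt, home_net=HOME_NET):
    """The posted rule: src 255.255.255.0/24 -> $HOME_NET, any ports,
    flags:A+ (ACK set, other bits ignored), dsize:>1."""
    return (ipaddress.ip_address(pkt.src) in RULE_SRC_NET
            and ipaddress.ip_address(pkt.dst) in home_net
            and bool(pkt.flags & TH_ACK)
            and len(pkt.payload) > 1)


def matches_trace_fingerprint(pkt):
    """Exact match on the 2002.4.30 trace packet. Far fewer false positives,
    but any change to the stimulus (the post's false-negative worry) evades it."""
    return (pkt.src == "255.255.255.255" and pkt.sport == 31337 and pkt.dport == 515
            and pkt.flags == (TH_ACK | TH_RST) and pkt.seq == 0 and pkt.ack == 0
            and pkt.window == 0 and pkt.ip_id == 0 and pkt.payload == b"cko")


def crafting_indicators(pkt):
    """Header properties that together mark the packet as hand-built (the quiz).
    The source port is deliberately not one: 31337 is suspicious, not impossible."""
    found = []
    if pkt.src == "255.255.255.255":
        found.append("broadcast source address")
    if pkt.flags & TH_RST and pkt.payload:
        found.append("RST segment carrying data")
    if pkt.flags & TH_ACK and pkt.seq == 0 and pkt.ack == 0:
        found.append("ACK set with seq and ack both zero")
    if pkt.window == 0 and not pkt.flags & TH_SYN:
        found.append("zero window outside a handshake")
    return found


# Constructed samples: the alerted packet (dst taken from the masked trace,
# placed in the assumed 10.0.0.0/8) and a benign lpd request to the same host.
Q_PACKET = build_ipv4_tcp("255.255.255.255", "10.0.29.242", 31337, 515,
                          TH_ACK | TH_RST, b"cko", ttl=14)
LPD_PACKET = build_ipv4_tcp("10.0.7.9", "10.0.29.242", 40321, 515,
                            TH_ACK | TH_PSH, b"\x02myqueue\n",
                            seq=0x1A2B3C4D, ack=0x55667788, window=5840)

if __name__ == "__main__":
    for name, raw in (("Q", Q_PACKET), ("LPD", LPD_PACKET)):
        p = parse_ipv4_tcp(raw)
        print(f"{name}: DgmLen:{len(raw)} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{snort_flags(p.flags)} sid184={matches_sid184(p)} "
              f"fingerprint={matches_trace_fingerprint(p)} "
              f"crafted={crafting_indicators(p)}")
```

Run it directly to see both packets summarised in Snort's notation. The rule in the thread fires on the broadcast source plus ACK plus payload alone, so a variant with a different payload still trips it while the exact-packet fingerprint does not; that gap is exactly the trade-off between false positives and false negatives the detect discusses.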


