
List:       intrusions
Subject:    "LOGS: GIAC GCIA Version 3.3 Practical Detect(s)".
From:       Vinod D'Souza <dsouza_vinod () yahoo ! com>
Date:       2002-12-20 2:43:42


Network Detect #1

	1.	Source of Trace.

	This network detect was obtained from the following URL:
	http://www.incidents.org/logs/Raw/2002.9.1

	2.	Detect was generated by:

	This alert was generated by the following Snort rule from the
backdoor rule set:

	alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR
	Q access";flags: A+; dsize: >1;  reference:arachnids,203;sid:184;
	classtype:misc-activity; rev: 3;)

The traffic originates from port 31337, a well-known Back Orifice (UDP)
port, and is directed at port 515, the line printer port; the rule itself,
however, matches any source port to any destination port. What makes it
fire is the source network 255.255.255.0/24, which covers the limited
broadcast address 255.255.255.255, together with the ACK flag being set
(flags: A+) and a payload of more than one byte (dsize: >1). Chances are
that this packet matched other signatures in the Snort rule set as well;
Snort reports the first match, so it reported BACKDOOR Q.

	For this analysis the raw log was read back with Snort and with
the following two windump commands:

	windump -r 2002.9.1 and windump -nXr 2002.9.1


	3.	Probability the source address was spoofed:

	It seems most likely that the source address has been spoofed and
the packet crafted. As per RFC 793 and RFC 1122, no legitimate TCP
traffic should originate from a broadcast address, and that includes the
limited broadcast address 255.255.255.255. Broadcasts are sent when a
message is intended for all hosts on a network.
	TCP is a unicast protocol: it is meant to establish a full-duplex
connection between exactly two hosts, so TCP traffic sent to or from a
broadcast address deviates from the intended use of TCP as specified in
RFC 793. Here the RST and ACK flags also mean that the target host
should send no response to this unusual stimulus.

	4.	Description of attack:
	
	While looking at the following Snort output, the important
points to notice are:

	TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
	***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
	63 6B 6F                                         cko

	Time To Live (TTL) is a field in the IP header. Today it is
interpreted as the maximum number of routers a packet may transit: each
router that forwards the packet decrements the TTL by 1, and when the
count reaches zero the packet is discarded and an ICMP error is sent
back to the originator. The network utilities 'traceroute' and 'ping'
make use of TTL. The value can also help determine what type of
operating system the packet originated from, because each stack uses
its own initial TTL.

	A TTL of 15 in every one of these packets does not look normal.
RFC 1122 requires that the IP layer provide a means for the transport
layer to set the TTL of every datagram sent, and that any fixed TTL be
configurable, with the suggested value published in the "Assigned
Numbers" RFC; the fixed value must be at least as large as the Internet
"diameter" (the longest possible path), and a reasonable value is about
twice the diameter to allow for continued growth. Operating systems
therefore start packets at a large value, typically 64, 128 or 255, so
a TTL of 15 on arrival means either an unusually long path or an
initial TTL chosen deliberately by the sender.
	In RFC 791 the Time to Live is an upper bound on the lifetime of
an Internet datagram. It is set by the sender and reduced at the points
along the route where the datagram is processed; if it reaches zero
before the datagram reaches its destination, the datagram is destroyed.
The time to live can be thought of as a self-destruct time limit.

	The Type of Service is used to indicate the quality of the
service desired.  The type of service is an abstract or generalized set
of parameters, which characterize the service choices provided in the
networks that make up the Internet.  This type of service indication is
to be used by gateways to select the actual transmission parameters for
a particular network, the network to be used for the next hop, or the
next gateway when routing an Internet datagram. In the above packet the
TOS is 0, the default value.

	The IP identification field is useful mainly for spotting
anomalous signatures. Its value is generated differently by different
IP stacks: some increment it by 1 for each datagram sent, others use a
random number. Together with the next two bytes (flags and fragment
offset) it also controls fragmentation: all fragments created from one
datagram carry the same identification number so that the receiver can
reassemble them.
	An IP ID of 0 should ring some bells, because a stack that starts
from a random value and then increments by 1 for each subsequent packet
will rarely produce 0. An ID of 0 does not look normal, although some
stacks do emit it, for instance on datagrams they will never fragment,
since the ID only matters for reassembly. More research is therefore
required to establish whether this is really a crafted packet, but an
ID of zero is suspicious.

	Datagram length: the total length is 43 bytes, that is, a 20-byte
IP header, a 20-byte TCP header and a 3-byte payload. Normally a
Solaris or AIX packet has a total length of 44. This number, although
close, does not fit the known types of systems on the Internet, so the
total length of 43 is abnormal and supports the suspicion that the
packet was crafted.
	However, the information on BACKDOOR Q says that Q is a remote
access and redirection Trojan that employs strong encryption
	(<http://www.whitehats.com/info/IDS203>).
	It allows the execution of remote commands as root by sending a
raw TCP, ICMP or UDP packet. This signature watches for the source
address 255.255.255.255, which should not appear in normal traffic. The
content of the packet is the command to run as root, and is arbitrary.
On the author's web page it is possible to choose the protocol used to
bypass the firewall, and also to select the destination port, source
port and so on. Based on the logs there are two ways to read this:

	1. Since the source address is 255.255.255.255, it is possible
that the Q program was installed earlier on the target.
	2. Since the logs give no information about the execution of the
application, there is a chance that it is a false positive.

	However, the interesting thing to note here is the use of
destination port 515, on which the Unix LPR service runs. Advisories
were released regarding vulnerabilities in the LPR service for many
Linux distributions and for the BSD variants. We believe that the
increase in probes to port 515 is attackers looking for this
vulnerability.

LPRng, versions prior to 3.6.24, contains a vulnerability that may
allow root compromise from both local and remote systems.

	The vulnerability is due to incorrect usage of the syslog(3)
function: local and remote users can send string-formatting operators
to the printer daemon to corrupt the daemon's execution, potentially
gaining root access. This again rings a bell, because root access is
necessary to run the Q Trojan on the target machine.
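To make the crafted-packet indicators above concrete, here is an added example (not part of the original practical, of Snort, or of the Q tool) that rebuilds the 43-byte packet from the fields printed in the alert, computes the IP and TCP checksums the alert does not show, parses the bytes back, renders the flags the way Snort prints them, and applies both the three conditions of the BACKDOOR Q rule from section 2 and the anomaly checks discussed in this section. The checksums and the TTL threshold of 32 are this example's own assumptions.

```python
"""Rebuild, dissect and judge the 43-byte packet from the detect.

Added example: field values come from the Snort output in the detect;
the IP and TCP checksums are computed here because the alert does not
print them, and the anomaly checks are the analyst heuristics discussed
in the text, not anything the Q tool or Snort itself does.
"""
import ipaddress
import struct

SRC, DST = "255.255.255.255", "115.74.24.127"
SPORT, DPORT = 31337, 515
TTL, IP_ID, PAYLOAD = 15, 0, b"cko"
TCP_ACK, TCP_RST = 0x10, 0x04
BACKDOOR_Q_NET = ipaddress.ip_network("255.255.255.0/24")  # source net of sid 184


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (returns 0 if already valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet() -> bytes:
    """Craft IP + TCP + payload exactly as the alert describes the packet."""
    src = ipaddress.ip_address(SRC).packed
    dst = ipaddress.ip_address(DST).packed
    # TCP: ACK|RST set, seq/ack/window all zero, data offset 5 words, checksum 0
    tcp = struct.pack("!HHIIBBHHH", SPORT, DPORT, 0, 0, 5 << 4,
                      TCP_ACK | TCP_RST, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(PAYLOAD))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + PAYLOAD)) + tcp[18:]
    # IP: version 4 / IHL 5, TOS 0, total length 43, ID 0, no flags, TTL 15, proto 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(PAYLOAD),
                     IP_ID, 0, TTL, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + PAYLOAD


def parse_packet(pkt: bytes) -> dict:
    """Decode the fields an analyst looks at when judging whether a packet is crafted."""
    vihl, tos, tlen, ident, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    sport, dport, seq, ack, doff, flags, win = struct.unpack(
        "!HHIIBBH", pkt[ihl:ihl + 16])
    data_start = ihl + (doff >> 4) * 4
    return {
        "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
        "ttl": ttl, "tos": tos, "id": ident, "len": tlen, "proto": proto,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": flags, "payload": pkt[data_start:tlen],
    }


def snort_flags(flags: int) -> str:
    """Render the flag byte the way Snort prints it: 1 2 U A P R S F, '*' if clear."""
    return "".join(name if flags & (1 << (7 - i)) else "*"
                   for i, name in enumerate("12UAPRSF"))


def matches_backdoor_q(f: dict) -> bool:
    """The three tests of the rule: source in 255.255.255.0/24, flags A+, dsize > 1."""
    return (ipaddress.ip_address(f["src"]) in BACKDOOR_Q_NET
            and bool(f["flags"] & TCP_ACK)
            and len(f["payload"]) > 1)


def anomalies(f: dict) -> list:
    """Crafted-packet indicators from the text; the TTL threshold is an assumption."""
    notes = []
    if f["src"] == "255.255.255.255":
        notes.append("limited broadcast used as source address (RFC 1122 forbids it)")
    if f["flags"] & TCP_RST and f["payload"]:
        notes.append("RST carries a payload although there is no connection to reset")
    if f["seq"] == f["ack"] == f["win"] == 0:
        notes.append("sequence, acknowledgement and window all zero")
    if f["id"] == 0:
        notes.append("IP ID 0")
    if f["ttl"] < 32:
        notes.append("TTL %d is far below the common initial values 64, 128 and 255" % f["ttl"])
    return notes


if __name__ == "__main__":
    fields = parse_packet(build_packet())
    print(snort_flags(fields["flags"]), fields)
    print("BACKDOOR Q match:", matches_backdoor_q(fields))
    for note in anomalies(fields):
        print(" -", note)
```

Running the script prints the Snort-style flag string `***A*R**`, the decoded fields, a positive rule match and the five indicators. Changing `TCP_ACK | TCP_RST` to `TCP_RST` alone makes the rule miss the packet (the `A+` test fails) while every anomaly check except the RST one still fires, which is the point of section 2's remark that the rule keys on the source address and ACK flag rather than on the ports.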


	5.	Attack mechanism:

	When one looks at the traffic and analyzes the packets with
Snort, the pattern that triggers interest is a packet with both ACK
and RST set and the payload "cko". Presumably the 'cko' string is some
sort of instruction for systems infected with the Q Trojan to perform
an action. Possibly a packet with a payload of 'cko' prompts infected
servers to do something visible on the network, so that the attacker
can monitor for response activity.

	So this looks like an attempt to craft a packet and exploit the
vulnerability on port 515 in order to gain root access, which would
allow the Trojan Q program to run and in turn let the attacker monitor
for responses. It is also possible that a packet with a source address
of 255.255.255.255 and a source port of 31337 is a threat because a
Trojan application already installed on the host could respond to it.


	6.	Correlations:

	This particular detect is not new. There have been instances
where similar traces were discussed in the Incidents list forum.
	My first correlation for this detect is from the GIAC practical
by Trenton Riddell. We can see traces of a similar detect with
identical packets on his network.

	http://www.giac.org/practical/Trenton_Riddell_GCIA.doc

	The attack description looks very similar, as it has the same
source port and destination port, but the TTL value in the packet was
different.

	The second correlation I used is from the GIAC practical of John
Jenkinson, where John detected similar traces on his own network with
the same TTL value of 13.
	http://www.giac.org/practical/John_Jenkinson_GCIA.doc

Also on the intrusions mailing list I noticed similar traces. The
links to these list archives are as follows:
http://cert.uni-stuttgart.de/archive/intrusions/2002/10/msg00276.html
http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00112.html
http://www.incidents.org/archives/intrusions/msg00022.html
http://cert.uni-stuttgart.de/archive/intrusions/2002/08/msg00133.html


Information on the IDS203 "TROJAN-ACTIVE-Q-TCP" can be found from
http://www.whitehats.com/info/IDS203

The following link is the home page of the author referenced in IDS203
"TROJAN-ACTIVE-Q-TCP":
http://mixter.warrior2k.com/

The link below gives more information on the probes to port 515:
http://www.sans.org/newlook/alerts/port515.htm

The following link gives traces of a similar detect that differs in
many aspects, such as the TTL value, IP identification number, flags
set and datagram length:
http://online.securityfocus.com/archive/75/193897/2002-10-19/2002-10-25/2

      7.	Evidence of active targeting:

	09/30-18:41:25.986507 255.255.255.255:31337 -> 115.74.24.127:515
	TCP TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
	***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
	63 6B 6F                                         cko

	
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

	09/30-18:57:15.006507 255.255.255.255:31337 -> 115.74.11.81:515
	TCP TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
	***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
	63 6B 6F                                         cko

	
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

	09/30-18:58:29.996507 255.255.255.255:31337 -> 115.74.37.134:515
	TCP TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
	***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
	63 6B 6F                                         cko

	When you look at the above logs it is clear that the attacker is
targeting hosts across the 115.74.x.x network on port 515.
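As an added example (not part of the original practical), the following script parses the three alert records above, embedded here as a constructed copy of the text shown, and produces the targeting summary that supports this step: the distinct sources and ports, the smallest CIDR block that covers every target, the time span of the probes, and whether every packet carries the same header fingerprint. The year 2002 prepended to the timestamps is an assumption, because Snort's alert format does not print a year.

```python
"""Summarise Snort alert records to support the active-targeting argument.

Added example. ALERTS is a constructed copy of the three alert records
shown above (payload lines omitted); the year is assumed to be 2002
because the alert format does not print it.
"""
import ipaddress
import re
from datetime import datetime

ALERTS = """\
09/30-18:41:25.986507 255.255.255.255:31337 -> 115.74.24.127:515
TCP TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
09/30-18:57:15.006507 255.255.255.255:31337 -> 115.74.11.81:515
TCP TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
09/30-18:58:29.996507 255.255.255.255:31337 -> 115.74.37.134:515
TCP TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
"""
YEAR = 2002  # assumption: the alert format carries no year

HEADER = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
IPLINE = re.compile(r"^TCP TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)$")
TCPLINE = re.compile(r"^(\S{8}) Seq: (\S+)\s+Ack: (\S+)\s+Win: (\S+)\s+TcpLen: (\d+)$")


def parse_alerts(text: str) -> list:
    """Turn three-line Snort alert records into dictionaries."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for hdr, ipl, tcpl in zip(lines[0::3], lines[1::3], lines[2::3]):
        h, i, t = HEADER.match(hdr), IPLINE.match(ipl), TCPLINE.match(tcpl)
        if not (h and i and t):
            raise ValueError("unrecognised alert record: %r" % hdr)
        records.append({
            "time": datetime.strptime("%d/%s" % (YEAR, h.group(1)),
                                      "%Y/%m/%d-%H:%M:%S.%f"),
            "src": h.group(2), "sport": int(h.group(3)),
            "dst": h.group(4), "dport": int(h.group(5)),
            "ttl": int(i.group(1)), "tos": i.group(2), "id": int(i.group(3)),
            "dgmlen": int(i.group(5)),
            "flags": t.group(1), "seq": int(t.group(2), 16),
            "ack": int(t.group(3), 16), "win": int(t.group(4), 16),
        })
    return records


def covering_network(addresses) -> ipaddress.IPv4Network:
    """Smallest CIDR block containing every target, i.e. how wide the scan is."""
    hosts = [ipaddress.ip_network(a) for a in addresses]
    net = hosts[0]
    while not all(h.subnet_of(net) for h in hosts):
        net = net.supernet()
    return net


def fingerprint(r: dict) -> tuple:
    """Header fields a packet-crafting tool tends to hard-code."""
    return (r["ttl"], r["id"], r["dgmlen"], r["flags"], r["seq"], r["ack"], r["win"])


def summarize(records: list) -> dict:
    """Targeting summary for the 'evidence of active targeting' step."""
    times = [r["time"] for r in records]
    return {
        "sources": sorted({r["src"] for r in records}),
        "src_ports": sorted({r["sport"] for r in records}),
        "dst_ports": sorted({r["dport"] for r in records}),
        "targets": [r["dst"] for r in records],
        "covering_net": str(covering_network(r["dst"] for r in records)),
        "span_seconds": (max(times) - min(times)).total_seconds(),
        "fingerprints": len({fingerprint(r) for r in records}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(ALERTS)).items():
        print("%-14s %s" % (key, value))
```

For the three records the summary shows one source, one source port, one destination port, three targets inside 115.74.0.0/18, a span of about seventeen minutes and a single fingerprint, which is what "active targeting of the 115.74.x.x network on port 515 by one tool" looks like in numbers rather than by eye.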

	
	8.	Severity:

	Severity = (Criticality + Lethality) - (System Countermeasures +
Network Countermeasures)

	Criticality: 1 (The destination hosts are picked at random, and
at any point one of them might be a critical server. However, as the
target port is 515, I will choose a criticality of 1.)

	Lethality: 3 (I believe that the attack is probing the port for
possible root access through a Trojan application already residing on
the machine.)

	System Countermeasures: 2 (Traffic is allowed to the target
machine, but the exact target is unknown. Also, if it is passing a
firewall, the firewall should not allow this packet.)
	Network Countermeasures: 1 (As it is a random target host,
chances are that there is little protection from firewalls, since the
packets can bypass the firewall.)

	Severity = (Criticality + Lethality) - (System Countermeasures +
Network Countermeasures)

	(1 + 3) - (2 + 1) = 1
  	
	9.	Defensive recommendation:

	As this kind of detect is still not well known, and considering
that LPRng versions prior to 3.6.24 contain a vulnerability, it is
advisable to get the latest update from your OS provider and upgrade to
at least LPRng version 3.6.25. In addition, the border router or
firewall should drop inbound packets whose source address is a
broadcast address such as 255.255.255.255, since no legitimate traffic
carries one and a Trojan already on the inside could otherwise receive
the packet.
	
	
	10.	Which of the following is true of a packet with a source
address of 255.255.255.255 and source port of 31337? (Choose one.)

		1.   This is a threat because a trojan application could respond to this packet.
		2.   This is not a threat because the router would block the broadcast response.
		3.   It is not a crafted packet.
		4.   This packet is not routable.

		Answer: 1



		-------------------------------
		Vinod Alwyn D'Souza
		dsouza_vinod@yahoo.com






