Know Your Enemy

1
Know Your Enemy

• by
• The Honeynet Project

2
Your Speaker

• Background
• Ask Questions
• This is NOT a monologue, fell free to ask
  questions at anytime.

3
Audience

• This presentation is focused for technical
  users. A basic understanding of systems and
  TCP/IP are expected.

4
Purpose

• To explain the purpose, operations, and
  findings of the Honeynet Project

5
Sun Tzu - The Art of War

• If you know the enemy and yourself, you need
  not fear the results of a hundred battles. If
  you know yourself but not the enemy, for every
  victory gained you will also suffer a defeat. If
  you know neither the enemy nor yourself, you will
  succumb in every battle.

6
Overview

• Introduction
• The Honeynet Project
• The Threat
• Real World Examples
• How to Protect
• Conclusion

7
Introduction

• Security has traditionally focused on
  defensive actions, such as firewall, IDS, and
  encryption, the badguys have the initiative.
  Organizations could only sit and wait for a
  failure in their defenses. The Honeynet Project
  is attempting to change this.

8
The Honeynet Project

• We are a group of 30 security professionals
  dedicated to improving the security of the
  Internet community. We do this on our own time
  with our own resources.

9
Our goal

• To learn the tools, tactics, and motives of
  the blackhat community and share the lessons
  learned.
• We take the initiative by gathering
  intelligence on the enemy.

10
The Value

• Awareness We raise awareness by demonstrating
  real systems that were compromised in the wild by
  the blackhat community.
• Information For those who are already aware and
  concerned, we hope to give you the information to
  better secure and defend your resources.

11
What is a Honeynet

• A Honeynet is one of the primary tools we use
  to learn about the badguys. A Honeynet is a
  network of production systems designed to be
  compromised. Once compromised, we analyze the
  data and learn the tools, tactics, and motives of
  the blackhat community.

12
The Systems

• The systems used within the Honeynet are
  actual production systems. Nothing is emulated,
  nor is anything done to make the systems more
  insecure. The risks and vulnerabilities found in
  a Honeynet exist in organizations throughout the
  Internet.

13
(No Transcript)
14
The Threat

• The blackhat community is extremely aggressive.
  Our Honeynet averages
• 3.6 unique scans a day
• 3 systems compromised per month
• This is on a 8 IP network that does not advertise
  itself.
• http//project.honeynet.org/scans/scans.txt

15
Goals / Motives

• The goals of blackhats vary as much as their
  tools. However, often they do not care who they
  compromise to achieve their goals, its just a
  matter of how many systems.

16
Methodology

• Many blackhats randomly probe the Internet
  searching for a specific vulnerability. Only 1
  percent of systems may have this vulnerability.
  However, you can compromise 10,000 systems if you
  scan over a million.

17
Blackhat Review

• Extremely Aggressive
• May not care who you are
• Randomly scan massive amount of systems (security
  through obscurity will not work)

18
Real World Example

• We will now review some actual systems
  compromised using tools and tactics similar to
  the ones we have just covered.
• I will be using screen shots to show the data.
  I want to give you the feel that you are doing
  the analysis yourself.

19
Terminal Session
20
Systems Compromised

• 1. Windows98 Desktop
• 2. Default Solaris 2.6 Server

21
Windows98 Desktop

• We will now review a compromised Windows98
  Desktop. This box was a honeypot, so every
  packet of the attack was captured.
• This honeypot was a default installation of
  Windows98 with C drive share enabled. This is
  the same system some of you have sitting at home.

22
Overview

• During the month of October we identified a
  huge increase in the number of NetBIOS scans the
  Honeynet was receiving, over 520 scans in one
  month. We knew something was up, but what? We
  placed a Windows98 honeypot on our Honeynet and
  waited. We did not have to wait long.

23
The Initial Probe

• Our blackhat begins by probing our honeypot
  for its NetBIOS name. This confirms that the
  system is up and running the Windows operating
  system.

24
The Initial Probe
25
Shares

• Once our system has been confirmed as a
  Windows system, the remote blackhat identifies
  whether or not the C drive is shared. In our
  case, it is.

26
Shares
27
The Attack

• The blackhat now executes his attack. He
  begins by copying the configuration file
  dnetc.ini to our system.

28
The Attack
29
The Attack

• The blackhat then copies over the executable
  dnetc.exe. This file is a valid program, part of
  the distributed.net group. Users can participate
  in challenges by having their spare CPU cycles
  attempt to crack a challenge, in this case
  encryption challenge.

30
That Attack
31
The Worm

• The next step we see a worm installing itself.
  This indicates that our blackhat is not a
  person, but an automated worm that is probing the
  Internet on its own and self-replicating itself.
  We see here it doing just that.

32
The Worm
33
The Motive

• The author of the worm is attempting to win
  the distributed.net challenge by having thousands
  of victims do its work for him.

34
The Infection

• The worm now reconfigure the window.ini file,
  which will cause the worm to start once the
  system reboots.

35
The Infection
36
Three more attacks

• Over the next three days, our honeypot was
  attacked three more times by other worms. These
  worms attempted to right over each other,
  fighting for control of the system. The worms
  are literally at war for your system.

37
Summary

• We have just witnessed an automated worm that
  randomly scans the Internet for vulnerable
  victims. Once exploited, the worm replicates
  itself, looking for more victims.

38
Compromised Solaris System

• We will now review a compromised Solaris
  system. This Solaris box was a honeypot, so
  every packet and keystroke of the attack was
  captured.
• This honeypot was a default installation of
  Solaris 2.6 unpatched, compromised June 4, 2000.

39
Overview

• One June 4, 2000 our Solaris honeypot was
  compromised with the rpc.ttdbserv vulnerability.
  Once compromised, a rootkit was implemented.
  However, the black-hat also installed an IRC bot.
  This bot captured all of the black-hats IRC
  conversations for a two week period.

40
The Exploit

• Our Solaris honeypot is remotely exploited via
  rpc vulnerability, specifically ToolTalk Object
  Database server, rpc.ttdbserv.

41
IDS Alert
42
Shell

• This exploit creates a root shell, allowing
  the black-hat to execute commands as root.

43
Execute as Root
44
Creating Accounts

• Our black-hat then connects to port 1524 and
  creates two systems accounts. First, the account
  re, UID 500. Second, the account r, UID 0.

45
The Accounts
46
Access

• Once the black-hat created these two accounts,
  he then telneted in and then proceeded to take
  control of the system. Notice the similarities
  between the commands used by this black-hat and
  the previous one

47
Taking Control
48
Installing

• Once he has his rootkit, the next step is to
  install it. Once again, this rootkit is fully
  automated, taking only seconds to install.

49
The Rootkit
50
./setup.sh
51
Log Cleaning
52
Securing
53
Not Seen

• Not covered in these keystrokes is
  installation of trojan binaries. You can see
  exactly which binaries were trojaned by reviewing
  the rootkit yourself. Binaries include
• /usr/bin/login
• /usr/bin/ps
• /usr/bin/ls
• /usr/bin/netstat

54
The bot

• The last step is the installation of an IRC
  bot. Apparently, that was the whole purpose of
  this attack, to gain systems for IRC bots. IRC
  bots allow people to maintain control, or ops, on
  IRC channels. This bot is what captured all of
  the black-hats chats on IRC.

55
./me -f bot2
56
bot2
57
emech233.users
58
IRC Chats

• Over a two week period we monitored these
  black-hats as they communicated over IRC. You
  can gain a better understanding of their motives
  and psychology by reviewing their conversations.

59
(No Transcript)
60
(No Transcript)
61
(No Transcript)
62
Summary of Solaris System

• We have seen a example of a more dangerous
  attack. We see an individual probing the Internet
  for the rpc.ttdbserv vulnerability. Their intent
  is to own as many systems as possible for
  bragging right and system bots.

63
Summary of both examples

• We have witnessed two systems compromised in
  the wild. These attacks are extremely common and
  happen every day, these threats are for real.

64
How to Protect

• Dont be the easy kill
• Learn the tools and tactic
• Watch your systems

65
Protection

• Dont be the easy kill
• Armor system
• Turn off unnecessary services
• Update patches
• Have standardized, secure system builds
• Stay current with the latest vulnerabilities

66
Learn / Understand the tools

• Run the tools against your network.
• Tools are different, but the strategies are
  similar.
• Understand the exploits and what they look for.

67
Watch Your Systems

• Know when your systems are being probed or
  attacked.
• Watch and protect your system logs
• Have built in alerting mechanisms

68
Summary

• It is hoped that the work of the Honeynet
  Project will give you a better understanding of
  this threat. By understanding this threat, you
  can now better protect against it.

69
Conclusion

• The Honeynet Project is group of 30 security
  professionals dedicated to learning the tools,
  tactics, and motives of the blackhat community
  and sharing those lessons learned.

70
Resources

• Honeynet Project
• http//project.honeynet.org
• Additional Information
• http//www.securityfocus.com
• http//www.hackernews.com
• http//www.whitehats.com