Zombienets, Popups, and Spam - PowerPoint PPT Presentation
1
Zombie-nets, Pop-ups, and Spam
  • By Bill and Lorette Cheswick
  • ches@cheswick.com
  • lepac@cheswick.com
  • http://www.cheswick.com

2
Definition: internet
  • A collection of interacting networks that support
    TCP/IP

01/19/05
Zombie-nets, Pop-ups, and Spam
2 of 45
3
4
(No Transcript)
5
TCP/IP
  • A set of protocols for connecting computers via a
    network
  • Almost nobody needs to know the details
  • Designed in the early 1980s
  • One design goal: end-to-end connectivity
  • We have learned better: firewalls break this idea

6
Internet design: Smarts at the edge of the network
  • Unlike the phone system, the center of the
    network is pretty stupid
  • New services are designed and implemented at the
    edge of the network
  • No permission or special arrangements are needed

7
209.123.16.98
64.10.0.3
8
Clients and servers
  • Clients initiate connections to servers
  • Servers tend to be publicly-known and accessible
  • Web services like www.amazon.com
  • There is seldom any good reason for a home or
    corporate computer to offer network services
  • But they do anyway. A lot of them

9
209.123.16.104 (client)
164.109.96.222 (server) (www.budweiser.com)
10
TCP connections include a port number
  • TCP ports are numbers between 0 and 65535,
    inclusive
  • The client and server need only agree on which
    number to use
  • There is a long list of standard services and
    their TCP port numbers
  • World wide web (HTTP): port 80
  • Email (SMTP): port 25
  • Thousands more

11
Server ports
  • Each TCP service available on a computer is
    serviced by a program
  • If that program has a serious bug, someone far
    away may be able to compromise that computer, and
    inject their own software to own your computer
  • If you are running Windows, this has probably
    already happened to you

12
How can we see these TCP services on a Windows
computer?
  • Start - All Programs - Accessories - Command
    Prompt
  • Run netstat -a

13
Windows XP, Service Pack 2 (SP2)
14
A Few Sample port listener profiles
15
Windows ME
Active Connections - Win ME

  Proto  Local Address          Foreign Address   State
  TCP    127.0.0.1:1032         0.0.0.0:0         LISTENING
  TCP    223.223.223.10:139     0.0.0.0:0         LISTENING
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:162            *:*
  UDP    223.223.223.10:137     *:*
  UDP    223.223.223.10:138     *:*
16
Windows 2000

  Proto  Local Address          Foreign Address   State
  TCP    0.0.0.0:135            0.0.0.0:0         LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0         LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0         LISTENING
  TCP    0.0.0.0:1036           0.0.0.0:0         LISTENING
  TCP    0.0.0.0:1078           0.0.0.0:0         LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0         LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0         LISTENING
  TCP    0.0.0.0:6515           0.0.0.0:0         LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0         LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1038           *:*
  UDP    0.0.0.0:6514           *:*
  UDP    0.0.0.0:6515           *:*
  UDP    127.0.0.1:1108         *:*
  UDP    223.223.223.96:500     *:*
  UDP    223.223.223.96:4500    *:*

17
Windows XP, this laptop

  Proto  Local Address          Foreign Address   State
  TCP    ches-pc:epmap          ches-pc:0         LISTENING
  TCP    ches-pc:microsoft-ds   ches-pc:0         LISTENING
  TCP    ches-pc:1025           ches-pc:0         LISTENING
  TCP    ches-pc:1036           ches-pc:0         LISTENING
  TCP    ches-pc:3115           ches-pc:0         LISTENING
  TCP    ches-pc:3118           ches-pc:0         LISTENING
  TCP    ches-pc:3470           ches-pc:0         LISTENING
  TCP    ches-pc:3477           ches-pc:0         LISTENING
  TCP    ches-pc:5000           ches-pc:0         LISTENING
  TCP    ches-pc:6515           ches-pc:0         LISTENING
  TCP    ches-pc:netbios-ssn    ches-pc:0         LISTENING
  TCP    ches-pc:3001           ches-pc:0         LISTENING
  TCP    ches-pc:3002           ches-pc:0         LISTENING
  TCP    ches-pc:3003           ches-pc:0         LISTENING
  TCP    ches-pc:5180           ches-pc:0         LISTENING
  UDP    ches-pc:microsoft-ds   *:*
  UDP    ches-pc:isakmp         *:*
  UDP    ches-pc:1027           *:*
  UDP    ches-pc:3008           *:*
  UDP    ches-pc:3473           *:*
  UDP    ches-pc:6514           *:*
  UDP    ches-pc:6515           *:*
  UDP    ches-pc:netbios-ns     *:*
  UDP    ches-pc:netbios-dgm    *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:ntp            *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:3471           *:*
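The three Windows listings above are what `netstat -a` prints, and the point slides 11 and 12 make is that every LISTENING row is a program waiting for input from anyone who can reach the port. As an added example that is not part of the slides, the following Python parses a listing in that format, keeps the LISTENING TCP sockets and the bound UDP sockets, and marks each one as loopback-only or reachable from the network. The port-name table and the sample listing (in the Windows ME layout, plus one client-side ESTABLISHED row to show it is not counted) are constructed for this example.

```python
"""Audit the listening services in a Windows `netstat -a` listing (added example)."""
import re
from collections import namedtuple

# Names Windows prints for well-known ports when it resolves them
# (the XP slide shows epmap, microsoft-ds, netbios-ssn, isakmp, ntp).
WELL_KNOWN = {
    25: "smtp", 80: "http", 123: "ntp", 135: "epmap", 137: "netbios-ns",
    138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds", 500: "isakmp",
}
NAME_TO_PORT = {name: port for port, name in WELL_KNOWN.items()}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

Listener = namedtuple("Listener", "proto host port exposed")

# One data row: protocol, local host:port, optional foreign address, optional TCP state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)(?:\s+(\S+))?(?:\s+([A-Z_]+))?\s*$")


def parse_port(token):
    """Port column as an int; service names not in the table are kept as text."""
    if token.isdigit():
        return int(token)
    return NAME_TO_PORT.get(token.lower(), token)


def parse_netstat(text):
    """Return the sockets that accept unsolicited input: LISTENING TCP and every bound UDP.

    Other TCP states (ESTABLISHED, TIME_WAIT, ...) are connections this machine
    made as a client, not services it offers, so they are skipped.
    """
    listeners = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, column headers, blank lines
        proto, host, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, host, parse_port(port), host not in LOOPBACK))
    return listeners


def network_reachable(listeners):
    """The subset bound to 0.0.0.0 or a real interface address, i.e. visible off the machine."""
    return [s for s in listeners if s.exposed]


def report(text):
    """One line per listener: protocol, endpoint, service name if known, reachability."""
    lines = []
    for s in parse_netstat(text):
        name = WELL_KNOWN.get(s.port, "unknown")
        where = "network-reachable" if s.exposed else "loopback only"
        lines.append(f"{s.proto:<4}{s.host}:{s.port:<6} {name:<13} {where}")
    return lines


# Constructed sample in the Windows ME layout from the slides.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    223.223.223.10:139     0.0.0.0:0              LISTENING
  TCP    223.223.223.10:1044    64.10.0.3:80           ESTABLISHED
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:31337          *:*
  UDP    223.223.223.10:137     *:*
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```

The same parser handles the XP-style rows where Windows substitutes names for numbers (`ches-pc:epmap`); a hostname as the local address is a real interface, so those count as network-reachable.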
18
FreeBSD partition, this laptop (getting out of the game)
Active Internet connections (including servers)
  Proto  Recv-Q  Send-Q  Local Address
  tcp4        0       0  *.22
  tcp6        0       0  *.22
19
It is easy to dump on Microsoft, but many others
have made the same mistakes before
20
Default services: SGI workstation, c. 1995
  ftp       stream  tcp     nowait  root      /v/gate/ftpd
  telnet    stream  tcp     nowait  root      /usr/etc/telnetd
  shell     stream  tcp     nowait  root      /usr/etc/rshd
  login     stream  tcp     nowait  root      /usr/etc/rlogind
  exec      stream  tcp     nowait  root      /usr/etc/rexecd
  finger    stream  tcp     nowait  guest     /usr/etc/fingerd
  bootp     dgram   udp     wait    root      /usr/etc/bootp
  tftp      dgram   udp     wait    guest     /usr/etc/tftpd
  ntalk     dgram   udp     wait    root      /usr/etc/talkd
  tcpmux    stream  tcp     nowait  root      internal
  echo      stream  tcp     nowait  root      internal
  discard   stream  tcp     nowait  root      internal
  chargen   stream  tcp     nowait  root      internal
  daytime   stream  tcp     nowait  root      internal
  time      stream  tcp     nowait  root      internal
  echo      dgram   udp     wait    root      internal
  discard   dgram   udp     wait    root      internal
  chargen   dgram   udp     wait    root      internal
  daytime   dgram   udp     wait    root      internal
  time      dgram   udp     wait    root      internal
  sgi-dgl   stream  tcp     nowait  root/rcv  dgld
  uucp      stream  tcp     nowait  root      /usr/lib/uucp/uucpd
21
More default services (cont.)
  mountd/1            stream  rpc/tcp  wait/lc  root  rpc.mountd
  mountd/1            dgram   rpc/udp  wait/lc  root  rpc.mountd
  sgi_mountd/1        stream  rpc/tcp  wait/lc  root  rpc.mountd
  sgi_mountd/1        dgram   rpc/udp  wait/lc  root  rpc.mountd
  rstatd/1-3          dgram   rpc/udp  wait     root  rpc.rstatd
  walld/1             dgram   rpc/udp  wait     root  rpc.rwalld
  rusersd/1           dgram   rpc/udp  wait     root  rpc.rusersd
  rquotad/1           dgram   rpc/udp  wait     root  rpc.rquotad
  sprayd/1            dgram   rpc/udp  wait     root  rpc.sprayd
  bootparam/1         dgram   rpc/udp  wait     root  rpc.bootparamd
  sgi_videod/1        stream  rpc/tcp  wait     root  ?videod
  sgi_fam/1           stream  rpc/tcp  wait     root  ?fam
  sgi_snoopd/1        stream  rpc/tcp  wait     root  ?rpc.snoopd
  sgi_pcsd/1          dgram   rpc/udp  wait     root  ?cvpcsd
  sgi_pod/1           stream  rpc/tcp  wait     root  ?podd
  tcpmux/sgi_scanner  stream  tcp      nowait   root  ?scan/net/scannerd
  tcpmux/sgi_printer  stream  tcp      nowait   root  ?print/printerd
  9fs                 stream  tcp      nowait   root  /v/bin/u9fs u9fs
  webproxy            stream  tcp      nowait   root  /usr/local/etc/webserv
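The two SGI listings are `inetd.conf` entries: one enabled service per line, with the service name, socket type, protocol, wait/nowait, the account it runs as, and the server program (`internal` for the services inetd implements itself). As an added example that is neither the slides' material nor IRIX code, the Python below parses that line format, lists the entries that hand a network socket to an external program running as root, and produces a copy of the file with everything outside an allow-list commented out, which is how an inetd service is switched off. The excerpt is constructed from the slide's listing; that the IRIX `?path` prefix means "offer the service only if the program exists" is an assumption taken from its use there.

```python
"""Audit an inetd.conf like the SGI one on the slides and disable services (added example)."""
from dataclasses import dataclass


@dataclass
class InetdService:
    name: str         # "telnet", RPC form "mountd/1" (service/version), or "tcpmux/sgi_scanner"
    socket_type: str  # stream or dgram
    protocol: str     # tcp, udp, rpc/tcp, rpc/udp
    wait: str         # wait or nowait; IRIX appends flags, e.g. wait/lc
    user: str         # account the server runs as; IRIX allows user/group, e.g. root/rcv
    server: str       # program path, or "internal" for a service inetd implements itself
    optional: bool    # IRIX "?path": assumed to mean "only if the program exists on disk"


def parse_inetd_conf(text):
    """Return the enabled services; lines starting with '#' are comments, i.e. disabled."""
    services = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; inetd logs and ignores these as well
        server = fields[5]
        services.append(InetdService(
            name=fields[0], socket_type=fields[1], protocol=fields[2], wait=fields[3],
            user=fields[4], server=server.lstrip("?"), optional=server.startswith("?")))
    return services


def root_external(services):
    """Entries where a bug in an external server program would run with root privilege."""
    return [s for s in services
            if s.user.split("/")[0] == "root" and s.server != "internal"]


def disable_all_but(text, keep):
    """Comment out every service whose name is not in `keep`; comments and blanks pass through."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped.split()[0] in keep:
            out.append(raw)
        else:
            out.append("#" + raw)
    return "\n".join(out) + "\n"


# Constructed excerpt in the layout of the slide's SGI listing.
SAMPLE_INETD_CONF = """\
# inetd.conf excerpt, constructed for this example
ftp       stream  tcp      nowait   root      /v/gate/ftpd
telnet    stream  tcp      nowait   root      /usr/etc/telnetd
shell     stream  tcp      nowait   root      /usr/etc/rshd
finger    stream  tcp      nowait   guest     /usr/etc/fingerd
tftp      dgram   udp      wait     guest     /usr/etc/tftpd
echo      stream  tcp      nowait   root      internal
chargen   dgram   udp      wait     root      internal
sgi-dgl   stream  tcp      nowait   root/rcv  dgld
mountd/1  stream  rpc/tcp  wait/lc  root      rpc.mountd
sgi_fam/1 stream  rpc/tcp  wait     root      ?fam
"""

if __name__ == "__main__":
    enabled = parse_inetd_conf(SAMPLE_INETD_CONF)
    print(f"{len(enabled)} services enabled, "
          f"{len(root_external(enabled))} run an external program as root:")
    for s in root_external(enabled):
        print(f"  {s.name:<10} {s.server}")
    print(disable_all_but(SAMPLE_INETD_CONF, keep={"ftp"}))
```

Running it on the sample shows six of the ten enabled entries start an external program as root; the hardened copy keeps only `ftp`, and feeding that copy back through the parser confirms nothing else is enabled.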
22
Types of malware
  • Worms
  • Viruses
  • Trojans
  • Cookies
  • Adware
  • Keystroke loggers

23
worms
  • Stand-alone programs that propagate themselves
    through computers
  • Usually enter via network ports

24
Witty worm: the world (David Moore, CAIDA)
25
The Witty worm: USA (David Moore, CAIDA)
26
viruses
  • Programs that propagate by infecting other
    programs
  • Spread by infecting other programs on a computer,
    and moving infected programs to other machines,
    e.g. through mail attachments

27
trojans
  • Programs that appear useful, but may have evil
    side effects.
  • Imagine a tax preparation program that erases
    your disk on April 14

28
cookies
  • Data stored on your computer by a web server, and
    returned to that server on future connections
  • Used to track you and your activities
  • Not always a bad thing
  • Not an executable program

29
adware
  • Programs that reside in your computer for
    marketing purposes
  • May track your browsing, spending, or network
    activities

30
Keystroke loggers
  • Hardware or software that records your keystrokes
  • Great way to collect passwords, credit card
    numbers, etc.

31
Remedies
  • Do you know enough to fix your own computer?

32
(No Transcript)
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
Homepage data
  • Default settings
  • Amount of graphics
  • OS forcing a default
  • Adaware forcing a default
  • Various broadband difficulties with graphics
  • So much CPU activity that the homepage can't load

37
You may need to back up yesterday
  • Pay attention to small differences in your
    computer's behavior
  • Don't wait for a month to go by before asking
    someone else
  • Write down error messages
  • Go somewhere else to check the errors
  • The Bernardsville Public Library

38
Don't open a new program until you've read
tomorrow's paper
  • Circuits, Thursday NYT
  • Personal Journal, WSJ
  • CNET

39
(No Transcript)
40
(No Transcript)
41
(No Transcript)
42
(No Transcript)
43
(No Transcript)
44
Help comes in many guises
  • http://blogs.msdn.com/ie/archive/2005/01/11/350949.aspx

45
www.sans.org
  • Delivered-To: Lepac@cheswick.com
    From: The SANS Institute
    Subject: Internet Storm Center Threat Update and What Works in
    Intrusion Prevention Webcasts

    Please sign into the SANS Portal for upcoming complimentary webcasts in
    January 2005. On Wednesday, January 12, 2005, the Internet Storm Center
    will present the latest "Threat Update." On Thursday, January 20, 2005,
    SANS will host "What Works in Intrusion Prevention."

46
http://tired-of-spam.home.comcast.net/eblocs.html
47
48
System Tools
  • Disk defragmenter
  • Chkdsk /f
  • Dr Watson: http://watson.addy.com/
  • Add/Remove Programs
  • Auto-update for Windows XP
  • SP2
  • Taskmanager

49
Programs that help
  • Up-to-date Anti-virus software
  • Trojan Hunter
  • Spybot Search and Destroy
  • Adaware
  • Avert Stinger
  • McAfee targeted trojan and virus removal programs
  • Firewalls

50
Websites
  • Download.com
  • CNet.com
  • Google.com
  • McAfee.com
  • Symantec.com
  • CERT.org

51
Backup
  • What you have to lose

52
Set System Restore points
  • Make sure you have Operating system source Disks
  • You may have to buy a new Operating system or
    upgrade your computer
  • Make sure you have product keys and
    authentication.
  • Caution requires a minimum of two locations

53
Hardware tools
  • Key drives
  • External HD
  • External zip drives
  • CD-R or equivalent

54
55
Hardware v Software
  • Software needs continual updates
  • Hardware can be neglected, or you can forget the
    passwords to the interface

56
Updates
  • To auto update or not
  • Download but prompt to install
  • Manual install

57
Passwords
  • 8 or more digits, mixed letters and numbers
  • Sentence
  • Dictionary attack
  • Foreign words
  • equations

58
Encryption
  • At what level
  • Wireless network
  • Router password
  • Server
  • Super user
  • Computer
  • US v. the rest of the world: 128-bit encryption

59
Free software
  • Only works in emerging types of program solutions
  • Then only until the programmers are in school or
    dating
  • Success can be overwhelming and eventually you
    have to buy coke.

60
System administration
  • Windows machines do not have automation to make it
    easy.

61
Causes
  • Buffer overflow errors
  • Port use
  • TCP/IP coopting

62
Progression
  • Internet
  • Network
  • Your machine

63
Weekly Reader for the System Administrator
  • X-Original-To: Lepac@cheswick.com
    From: The SANS Institute
    Subject: Internet Storm Center Threat Update and What Works in
    Intrusion Prevention Webcasts

    Please sign into the SANS Portal for upcoming complimentary webcasts in
    January 2005. On Wednesday, January 12, 2005, the Internet Storm Center
    will present the latest "Threat Update." On Thursday, January 20, 2005,
    SANS will host "What Works in Intrusion Prevention."

64
Help comes in many guises
  • http://blogs.msdn.com/ie/archive/2005/01/11/350949.aspx

65
If it's Tuesday, it's another Microsoft Security
Bulletin
  • http://netsecurity.about.com/cs/windowsxp/a/aa041404.htm

66
@RISK
  • X-Original-To: Lepac@cheswick.com
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Your Defense In Depth and Roadmap to Network Security poster should have
    arrived (if you live in the US or Canada). If you didn't get one, you can
    still see which security tools actually work and what constitutes a
    complete defense in depth at www.sans.org/whatworks.

    @RISK: The Consensus Security Vulnerability Alert
    January 13, 2005                                        Vol. 4. Week 2

    @RISK is the SANS community's consensus bulletin summarizing the most
    important vulnerabilities and exploits identified during the past week and
    providing guidance on appropriate actions to protect your systems (PART I).
    It also includes a comprehensive list of all new vulnerabilities
    discovered in the past week (PART II).

    Summary of the vulnerabilities reported this week
    ----------------------------------------------------------------------
    Category                          # of Updates   Vulnerabilities
    ----------------------------------------------------------------------
    Windows                                3         (1, 2, 5, 12)
    Third Party Windows Apps               6         (6, 11)
    Unix                                   6         (7, 9)
    Novell                                 2
    Cross Platform                         3         (3, 4)
    Web Application                       13         (8, 10)
    Network Device                         2
    Hardware                               1
    ______________________________________________________________________

67
CERT
  • Community Emergency Response Team
  • http://www.cert.org/

68
Smart phone hacking exploits
  • http://www.techweb.com/article/printableArticle.jhtml;jsessionid=2ZHIULZRZ11U4QSNDBCCKHSCJUMEKJVN?articleID=56200144&site_section=700028

69
Security by Obscurity
  • Please do not Forward, CC, or BCC this E-mail
    outside of the XXXX-security-discuss community.
    Confidentiality is essential for effective
    Internet security counter-measures.

70
Legitimate Companies doing possibly illegitimate
things
  • http://www.wildtangent.com/
  • http://www.weatherbug.com/
  • http://www.apple.com/itunes/
  • http://www.aim.com/

71
One Case Study
  • http://www.eblocs.com/
  • http://tired-of-spam.home.comcast.net/eblocs.html
  • http://www.nationaldonotemail.com/cart11.html
  • http://www.spywarewarrior.com/rogue_anti-spyware.htm

72
Windows XP
  • Could not open any programs
  • No processes in Task manager were obvious CPU
    hogs
  • Could not get a number of Pop-ups off the
    desktop, including a faulty load of eBlocs

73
74
75
76
77
Programs
  • Different versions have different security
    features
  • Automatic updates can break security in one way
    or another
  • Not having automatic updates can kill a computer

78
(No Transcript)
79
80
81
Default settings
  • Make sure important switches are turned off
  • Read anything marked Security in a program you
    want to use
  • Manual v Automatic Updates
  • Reminders

82
Plan B: Get out of the Game
83
Plan B: non-Microsoft operating systems
  • For a business, this can be hard
  • Are the applications you want to run available
    and viable on your Plan B system?
  • Will you have trouble exchanging information with
    your customers?
  • What kind of support requirements does the system
    have, and can you find support people?

84
Some Plan B choices
  • Apple Macintosh
  • Linux (many flavors)
  • Unix (several flavours)
  • Open source software

85
Apple Macintosh
  • A long-time favorite of artists
  • Handles things like photos and movies better than
    common Windows applications
  • More stable than Windows
  • Requires much less maintenance than Windows
  • Much less malware directed at it
  • Hardware and software are more expensive

86
Linux
  • Most versions of Linux are free
  • May be downloaded and installed on the net
  • Gnoppix: linux without bothering your hard
    drive, http://www.gnoppix.org

87
Unix
  • Software workbench for much of the world
  • FreeBSD, OpenBSD, NetBSD are the common ones
  • Also commercial versions for HP, Sun, etc.
  • Non-commercial versions are free
  • Very high quality software
  • Very robust
  • May lack the application or drivers you need

88
Open source software
  • Free software that you can build yourself
  • Many improve it
  • Wikipedia is an open source encyclopedia
  • Open source
  • Mozilla firefox (web browser)
  • Gaim (instant messenger)
  • Mythtv (PVR, like TiVo)

89
Zombie-nets, Pop-ups, and Spam
  • By Bill and Lorette Cheswick
  • ches@cheswick.com
  • lepac@cheswick.com
  • http://www.cheswick.com