Published on June 19, 2007

Author: The_Rock

Source: authorstream.com

Fishing for Worms: A Lure that Works

EDUCAUSE Southwest Regional Conference
Paul Schmehl (pauls@utdallas.edu), Adjunct Information Security Officer, The University of Texas at Dallas

Copyright Paul Schmehl 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Network Aware Worms are a Difficult Problem to Solve

- They attack open network shares anywhere in the network
- They're often difficult to track to the source of the infection
- They're very persistent and propagate quickly
- Their 'tribe' is increasing
- Antivirus protection can warn you of the infection, but it doesn't track down the source
- Logs are often not enabled, and when they are, they don't log this sort of 'normal' activity unless specially configured
- Eradicating network aware worms is often like playing 'whack a mole'

Introducing the 'SMB Lure'

- A proactive approach to worm eradication
- Requires a minimal investment of equipment and time
- Requires almost no maintenance once configured properly
- Acts as an 'early warning system' as well as a 'teergrube' (tar pit) server for worms
- Conceived and designed by John Morris of Nortel Networks, AVIEN member

What is SMB Lure?

- A Unix OS (your choice)
- Samba (open source)
- Proper configuration of Samba
- A few scripts for maintenance
- A working SMTP server

Configure the OS

- Minimal installation
- No services except SMTP and SSH
- Enable the firewall and tcpwrappers
- Establish a patching routine
- That's it!

Install and configure Samba

- Standard installation, nothing special
- *Can* edit the source if you want to
- It's all in the configuration file
- Build your directory and file structure
- Make it look 'real'
- Sit back and enjoy

The smb.conf file

```
# Samba config file created for SMB-Lure
# Global parameters
[global]
```

More smb.conf

```
# No limit on log size
max log size = 0
```

More smb.conf

```
# TRICK-4: remotely announce our existence around the corporate network and
# force ourselves into several regionally and alphabetically diverse
# workgroups/domains. The IP addresses are the broadcast addresses for
# subnets that contain NT/Win2K servers.
# Note the number of computers we are pretending to be is the number of
# remote-announce domains multiplied by the number of aliases (see TRICK-2)
remote announce = 129.110.161.255/000-SECURITY 129.110.161.255/AV
```

Samba startup configuration

```sh
#!/bin/sh
# Samba startup script
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D
```

The checklogs script

```sh
#!/bin/sh
```

More checklogs script

The slide shows only the tail of the script; the loop header and the code that sets $log, $counter (worm hits found in the log) and $alerts (the file that becomes the e-mail body) are not reproduced.

```sh
if [ $counter -gt 0 ]; then
  logname="$log"
  # the slide reads "$log"name here, which is what produces the
  # "csgrad49370.logname" lines in the sample alert
  echo `basename "$logname"` >> $alerts
  # first timestamp in the log: "[2003/02/14 04:34:29, 3] ..." -> "2003/02/14 04:34:29"
  echo Log started at `cat "$logname" | awk '/^\[[0-9][0-9][0-9][0-9]\//{print $1" "$2}' | head -n1 | cut -d'[' -f2 | cut -d',' -f1` >> $alerts
  # per-client log names are <netbios name>.log, so this recovers the host
  hostname=`basename "$logname" .log`
  echo $hostname >> $alerts
  # the client IP is logged in parentheses after its name; empty -> unknown
  IP=`cat "$logname" | grep -e "$hostname " | cut -d'(' -f2 | cut -d')' -f1 | sort -u`
  : ${IP:=unknown}
  echo IP is $IP >> $alerts
  # last session setup user name; empty (null session) -> unknown
  user=`cat "$logname" | grep 'sesssetupX:name=' | cut -d'[' -f2 | cut -d']' -f1 | tail -n1`
  : ${user:=unknown}
  echo User logged in was $user >> $alerts
  echo '' >> $alerts
fi
fi
done
```

Typical email alert

```
Bugbear hits = 45.
csgrad49370.logname
Log started at csgrad49370.logname
IP is unknown
User logged in was bxg022000
```

Use nbtstat -a to get the IP.

The wormbait directory

```
0,1456,graphics,00[1].rar      AUTOEXEC.exe   Ylcp.bak.rar     return.rar
0,1456,graphics,00[1].txt.exe  Ac.xls.exe     Zbie.exe         rock.c.exe
0116williams[1].bak.exe        Bbuj.rar       Zid.cpp.rar      style.rar
0116williams[1].exe            Bsxp.htm.exe   codes,.exe       test1
0116williams[1].rar            Cclu.exe       codes.bak.exe    test2
0117cowduo[1].bak.rar          Cjqmq.exe      height.mpeg.scr  test3
0117cowduo[1].exe              Dd.mpg.rar     http.rar         test4
0117cowduo[1].html.rar         End .exe       koulic2.scr      test5
0117cowduo[1].mp3.exe          End .rar       margin.bat       test6
0117cowduo[1].mpeg.rar         End .xls.rar   margin.rar       test7
0117cowduo[1].mpg.rar          FACE.rar       mayalog.eml      test8
0117cowduo[1].pas.exe          HEIGHT.exe     name.doc.bat     test9
0117cowduo[1].rar              Ikvfi.rar      new.c.exe        width.rar
API.htm.rar                    Tf.exe         new.cpp.rar      windows
API.mp3.exe                    VALIGN.exe     new.htm.exe      winnt
API.rar                        Wpcc.xls.exe   new.rar
```

Contents of mayalog.eml

```
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC123456j7890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC123456j7890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC09876j54321DEF_===="

--====_ABC09876j54321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC09876j54321DEF_====--

--====_ABC123456j7890DEF_====
Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAI9/UEUAAEwBBQBAw8I7
AAAAAAAAAADgAA4BCwEGAABwAAAA8AUAAAAAAAd1AAAAEAAAAIAAAAAANzcAEAAAABAAAAQAAAAA
```

A clean wormbait directory

```
test1 test2 test3 test4 test5 test6 test7 test8 test9 windows winnt
```

The windows directory

```
accstat.exe   control.ini   explorer.exe  isapnp.vxd    net.exe       qfecheck.exe  setdebug.exe  system32      welcome.exe
arp.exe       cvtaplog.exe  extrac32.exe  logos.sys     netdde.exe    ramdrive.sys  setup.ini     taskman.exe   win.com
autoexec.bat  dblbuff.sys   freecell.exe  mayalog.eml   neth.msg      readme.htm    setver.exe    taskmon.exe   win.ini
calc.exe      defrag.exe    ftp.exe       moricons.dll  netstat.exe   regedit.exe   sigverif.exe  telnet.exe    winfile.exe
cdplayer.exe  desktop.ini   grpconv.exe   msdos.sys     notepad.exe   route.exe     smartdrv.exe  tracert.exe   winipcfg.exe
charmap.exe   dialer.exe    himem.sys     mshearts.exe  ping.exe      rundll.exe    sol.exe       twain.dll     winpopup.exe
clipbrd.exe   dosstart.bat  hwinfo.exe    nbtstat.exe   progman.ini   rundll32.exe  system        twunk_16.exe  winsock.dll
command.com   drvspace.exe  ifshlp.sys    nddeapi.dll   protman.exe   scandskw.exe  system.dat    twunk_32.exe  wscript.exe
control.exe   emm386.exe    ipconfig.exe  nddenb.dll    protocol.ini  scanregw.exe  system.ini    user.dat
```

Other scripts

- cleanup.sh – removes the wormbait directory and then repopulates it
- makefiles.sh – repopulates the wormbait directory with 'Windows files'

Typical samba log – bret.log

```
[2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878)
  Transaction 1 of length 137
[2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685)
  switch message SMBnegprot (pid 11549)
[2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
  Requested protocol [LANMAN1.0]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
  Requested protocol [Windows for Workgroups 3.1a]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
  Requested protocol [LM1.2X002]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
  Requested protocol [LANMAN2.1]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
  Requested protocol [NT LM 0.12]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(426)
  Selected protocol NT LM 0.12
[2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878)
  Transaction 2 of length 161
[2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 11549)
[2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858)
  Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868)
  sesssetupX:name=[]
```

Things to do

- Rewrite the checklogs script in Perl
- Move new worm entries to a text file and parse from the script
- Deal with Windows NetBIOS names with spaces in them
- Write script to rotate logs and delete
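The field extraction that checklogs does with grep and cut, carried a step further as an added example (not the author's script, nor the Perl rewrite planned above): it parses constructed log lines in the bret.log format, keeps every session-setup user instead of only the last one, and renders an alert in the layout of the sample e-mail. The host name and the hits count are passed in as assumptions.

```python
import re

# Constructed sample in the format of the slide's bret.log (Samba log level 3:
# a "[date time, level] file:function(line)" header, then an indented message).
SAMPLE_LOG = """\
[2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878)
  Transaction 1 of length 137
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858)
  Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868)
  sesssetupX:name=[]
[2003/02/14 04:35:02, 3] smbd/reply.c:reply_sesssetup_and_X(858)
  Domain=[UTD] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
[2003/02/14 04:35:02, 3] smbd/reply.c:reply_sesssetup_and_X(868)
  sesssetupX:name=[bxg022000]
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\]")
SESSION = re.compile(r"sesssetupX:name=\[([^\]]*)\]")
NATIVE_OS = re.compile(r"NativeOS=\[([^\]]*)\]")

def summarize_log(text, hostname):
    """Collect the fields checklogs writes to the alert, plus every user seen
    (checklogs keeps only the last one via tail -n1) and the session count."""
    started, users, native_os = None, [], set()
    for line in text.splitlines():
        m = HEADER.match(line)
        if m and started is None:
            started = m.group(1)                   # first timestamp = "Log started at"
        m = SESSION.search(line)
        if m:
            users.append(m.group(1) or "unknown")  # empty name = null session
        m = NATIVE_OS.search(line)
        if m:
            native_os.add(m.group(1))
    return {"host": hostname, "started": started, "sessions": len(users),
            "users": users, "native_os": sorted(native_os)}

def format_alert(summary, hits):
    """Render the summary in the layout of the slide's 'Typical email alert'."""
    lines = ["Bugbear hits = %d." % hits, summary["host"],
             "Log started at %s" % (summary["started"] or "unknown"),
             "Sessions: %d" % summary["sessions"],
             "Users logged in: %s" % ", ".join(summary["users"] or ["unknown"]),
             "Native OS: %s" % "; ".join(summary["native_os"] or ["unknown"])]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_alert(summarize_log(SAMPLE_LOG, "csgrad49370"), hits=45))
```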
