SOTM27

Submitted by Bill Frische

on

April 21st 2003


Introduction

In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a succesful attack, the honeypot was joined to a large botnet. During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. The challenge is based on logs from five days of honeypot operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file. Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent. Your mission is to analyze the log file in order to answer the questions below.

MD5 sotm27.gz = b4bfc10fa8346d89058a2e9507cfd9b9
MD5Sum executed on local machine: b4bfc10fa8346d89058a2e9507cfd9b9 sotm27.gz

I performed the analysis on a Lindows 3.1 based system. This is basically a debian installation. I used the following tools:

snort 1.8.4
Ethereal 0.9.4
tcpflow
tcpdump
strings
grep
Acid

Beginning Questions

What is IRC?
<I>nternet <R>elay <C>hat. IRC is a generic term to talk about an Internet Application used to chat with others around the world. Each IRC network is named – EfNet and DalNet are two popular networks. IRC Networks tend to be subject to DDOS attacks as well as havens for the more undesireable elements of the Internet. It can also be a good place to ferret out information – caveot emptor.

What message is sent by an IRC client when it asks to join an IRC network?
.NICK.<NICKNAME>..USER.<USERNAME>.<LOCALMACHINE>.irc.debian.org.:<REALNAME>..

The general meaning of this is “Here is my nickname, my username, my machine name and realname.” The IRC server will respond with one of serveral messages like “I'm too busy now” or “Your nickname is already being used” or “Ok, come on in.”

What is a botnet?
A botnet is a lot of bots linked together. It can be thought of as a cluster of bots. The idea is to aggregate the power of the single bots into a more powerful system.

What are botnets commonly used for?
Evilness.

They have some legitimate uses like channel management, chat, and overall network management. Generally, you don't run across them being used this way as an average user on IRC.
What TCP ports does IRC generally use?
While an IRC server can be run on any TCP port, the most commonly used port is 6667. Other common ports surround 6667 ranging, usually, from 6660-6669.

What is a binary log file and how is one created?
A binary log file can be created in several ways, depending on the program. Tcpdump uses the -w switch. Snort uses -b to write in tcpdump binary format. This results in more packets per second that snort can analyze since it does not have to do a binary to text conversion.

What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?
209.196.44.172
217.199.175.10
63.241.174.144

It also tried to communicate with 66.33.65.68 but got no response.

During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

The following data was obtained using “tcpdump -r <honeynet file> -w IRCServer host 209.196.44.172” and then opening the IRCServer binary file in Ethereal and using the “Follow TCPStream” command:

NOTICE AUTH :*** Looking up your hostname...
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** No Ident response
NOTICE AUTH :*** Found your hostname
NICK rgdiuggac
USER rgdiuggac localhost localhost :rgdiuggac
:irc5.aol.com 001 rgdiuggac :Welcome to the Internet Relay Network rgdiuggac
:irc5.aol.com 002 rgdiuggac :Your host is irc5.aol.com[irc5.aol.com/6667], running version 2.8/hybrid-6.3.1
NOTICE rgdiuggac :*** Your host is irc5.aol.com[irc5.aol.com/6667], running version 2.8/hybrid-6.3.1
:irc5.aol.com 003 rgdiuggac :This server was created Sun Jan 19 2003 at 19:04:03 PST
:irc5.aol.com 004 rgdiuggac irc5.aol.com 2.8/hybrid-6.3.1 oOiwszcrkfydnxb biklmnopstve
:irc5.aol.com 005 rgdiuggac WALLCHOPS PREFIX=(ov)@+ CHANTYPES=#& MAXCHANNELS=20 MAXBANS=25 NICKLEN=9 TOPICLEN=120 KICKLEN=90 NETWORK=XNet CHANMODES=be,k,l,imnpst EXCEPTS KNOCK MODES=4 :are supported by this server
:irc5.aol.com 251 rgdiuggac :There are 0 users and 4752 invisible on 4 servers
:irc5.aol.com 252 rgdiuggac 1 :IRC Operators online
:irc5.aol.com 254 rgdiuggac 4 :channels formed
:irc5.aol.com 255 rgdiuggac :I have 346 clients and 1 servers
:irc5.aol.com 265 rgdiuggac :Current local users: 346 Max: 348
:irc5.aol.com 266 rgdiuggac :Current global users: 4752 Max: 4765
:irc5.aol.com 250 rgdiuggac :Highest connection count: 349 (348 clients) (378 since server was (re)started)
:irc5.aol.com 375 rgdiuggac :- irc5.aol.com Message of the Day -
:irc5.aol.com 372 rgdiuggac :- - WELCOME TO AMERICA ONLINE'S - IRC SERVER
:irc5.aol.com 372 rgdiuggac :-
:irc5.aol.com 372 rgdiuggac :- - !!! WARNING WARNING WARNING WARNING !!!
:irc5.aol.com 372 rgdiuggac :- - !!! THIS SERVER SCANS FOR OPEN PROXIES !!!
:irc5.aol.com 372 rgdiuggac :- - !!! PORTS: 8080,3128,80,1080,23 !!!
:irc5.aol.com 372 rgdiuggac :- - So if this is a legal problem in your
:irc5.aol.com 372 rgdiuggac :- - country please disconnect NOW!
:irc5.aol.com 372 rgdiuggac :- - We do this to make your IRC experience
:irc5.aol.com 372 rgdiuggac :- - more enjoyable.
:irc5.aol.com 376 rgdiuggac :End of /MOTD command.
:rgdiuggac MODE rgdiuggac :+i
MODE rgdiuggac -x
MODE rgdiuggac +i
JOIN #xàéüîéðìx :sex0r
WHO rgdiuggac
:[email protected] JOIN :#xàéüîéðìx
:irc5.aol.com 353 rgdiuggac @ #xàéüîéðìx :rgdiuggac mikeoof riktgisli moongihli garcmobhc tixicok likenik rndvcoke mponptti moinhoyf oarcqeii cozfboy nolvped kiangiil aiiieahi idoiaiq gsrcaahh rockpdlhi stepbeyz aotkugxyc cikebocsz fgwiuglyc rositik radicioli radpneni miaeuglya ydsicoke rojigpr jiklniki kiwbcoka coloagsy mikzbovz maaenifi gaanoee rogqpenq iqonsohwh stepfakis cibesout stepupo rozijri kikiqwni pishcic rocrjouj oosirafwp rkinrahsm rldiuzl rickboyrz stenpguih mrhenik gtc
...
</NAMES LIST TRUNCATED>
...
:irc5.aol.com 353 rgdiuggac @ #xàéüîéðìx :mhowugxb piwhpzni rosgmivpa moonoonic rsdurskr xarlrdtim vogfiicha @atcppok
:irc5.aol.com 366 rgdiuggac #xàéüîéðìx :End of /NAMES list.
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] QUIT :Ping timeout: 600 seconds
:irc5.aol.com 352 rgdiuggac #xàéüîéðìx ~rgdiuggac pc0191.example.com irc5.aol.com rgdiuggac H :0 rgdiuggac
:irc5.aol.com 315 rgdiuggac rgdiuggac :End of /WHO list.
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] QUIT :Ping timeout: 1200 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] QUIT :Connection reset by peer
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 1200 seconds
:[email protected] QUIT :Connection reset by peer
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Connection reset by peer
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected]ogers.com QUIT :Read error: 104 (Connection reset by peer)
:[email protected] QUIT :Ping timeout: 600 seconds
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
...
<IRC PUBIC CHANNEL DATA TRUNCATED>
...
PONG :irc5.aol.com
:[email protected] JOIN :#xàéüîéðìx
:[email protected] JOIN :#xàéüîéðìx
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] QUIT :Read error: 104 (Connection reset by peer)
:[email protected] JOIN :#xàéüîéðìx
PONG :irc5.aol.com
PONG :irc5.aol.com
PONG :irc5.aol.com
PONG :irc5.aol.com
PONG :irc5.aol.com
PONG :irc5.aol.com
PONG :irc5.aol.com
PONG :irc5.aol.com
<PONGS TRUNCATED>

Then, by saving the output from the “Follow TCPStream” option in ASCII format, standard Linux text utilities can be used on the file.

When an IRC server channel is entered into, it is a JOIN commant. When a channel is left, it is a QUIT command. The attackers client issued a NAMES command when it entered the channel.

The server reports 353 people in the channel when the attacker entered the channel.

Including the attacker, 174 unique hosts JOINed the IRC server during the observation time. All in all, 177 join requests occurred, but some were from the same host.

Add this with the original 353 you get 527 unique hosts (if all the hosts listed in the names list were unique hosts – which is doubtful as you can join any given channel from a given hosts as many times as the client host can handle given its hardware and software limitations). For easy calculations, I will assume all 353 hosts were unique and none of the JOIN commands were from a host which was already in the channel (from the information given, there is no way to determine if a bot in the names list came from the same host as another bot which JOINed or was listed in the names list).

221 QUIT commands occurred during this time, usually occuring because of a timeout value. I will assume these hosts are 'dead' and not accessing the server. That means during the timeperiod of observation, there could have been up to 308 unique hosts accessing the botnet. Since botnet's can act like party lines and can privately communicate with each other, 308 bots is the potential number of active bots in the channel.

Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?
527*56kps=29512kps or 29.5mps. Be comparision a full T1 is 1.544mps. The total aggregate bandwidth is approxiately 19 T1's – if each of the original names in the NAMES list is a unique host.

Intermediate Questions

What IP source addresses were used in attacking the honeypot?
Many source addresses were used to attack the honeypot.

Snort reports 59 IP source addresses used for suspicious purposes against the honeypot. This number is automatically generated in ACID.


4.64.221.42
24.161.196.103
24.197.194.106
61.14.66.92
61.140.149.137
61.155.126.150
61.177.154.228
61.55.71.169
62.194.4.114
62.201.96.159
62.251.129.118
63.241.174.144
64.17.250.240
64.254.203.68
66.190.67.122
66.73.160.240
66.8.163.125
68.115.33.110
219.94.46.57
219.118.31.42
68.152.53.138
68.154.11.82
81.202.125.5
81.50.177.167
141.149.155.249
144.134.109.25
162.33.189.252
164.125.76.48
168.226.98.61
172.16.134.191
195.67.251.197
200.60.202.74
200.66.98.107
200.74.26.73
200.78.103.67
202.63.162.34
203.115.96.146
207.6.77.235
208.186.61.2
209.196.44.172
210.12.211.121
210.203.189.77
210.214.49.227
210.22.204.101
210.58.0.25
212.110.30.110
213.107.105.72
213.116.166.126
213.217.55.243
213.44.104.92
213.7.60.57
213.84.75.42
217.1.35.169
217.199.175.10
217.222.201.82
217.227.245.101
217.227.98.82
218.237.70.119
218.87.178.167



























What vulnerabilities did attackers attempt to exploit?

The following is a list a vulnerabilities the attackers atteempted to exploit along with the number of time the particular exploit was attempted during the observation period.
358 WEB-MISC http directory traversal
272 WEB-MISC http directory traversal
254 WEB-IIS scripts access
120 WEB-FRONTPAGE /_vti_bin/ access
102 NETBIOS SMB C access
82 WEB-IIS _mem_bin access
50 WEB-FRONTPAGE fourdots request
44 WEB-IIS Overflow-htr access
28 WEB-IIS SAM Attempt
24 WEB-IIS ISAPI .ida attempt
18 WEB-IIS asp-dot attempt
14 WEB-IIS admin access
8 WEB-COLDFUSION expeval access
6 WEB-IIS .asp access
6 WEB-COLDFUSION snippets attempt
6 WEB-CGI visadmin.exe access
6 WEB-CGI wguest.exe access
6 WEB-CGI perl.exe access
6 INFO Possible IRC Access
4 WEB-IIS CGImail.exe access
4 WEB-FRONTPAGE shtml.dll access
4 WEB-COLDFUSION exampleapp access
4 WEB-COLDFUSION exprcalc access
4 WEB-COLDFUSION getfile.cfm access
4 WEB-COLDFUSION cfcache.map access
4 WEB-CGI rguest.exe access
4 WEB-MISC get32.exe access
4 WEB-MISC Domino catalog.ns access
4 WEB-IIS srchadm access
4 WEB-IIS showcode.asp access
4 WEB-IIS search97.vts access
4 WEB-IIS jet vba access
4 WEB-IIS fpcount access
2 WEB-IIS adctest.asp access
2 WEB-IIS _vti_inf access
2 WEB-IIS MSProxy access
2 WEB-IIS JET VBA access
2 WEB-IIS JET VBA access
2 WEB-IIS .bat? access
2 WEB-IIS ISAPI .printer access
2 WEB-FRONTPAGE dvwssr.dll access
2 WEB-FRONTPAGE users.pwd access
2 WEB-FRONTPAGE shtml.exe access
2 WEB-FRONTPAGE service.pwd
2 WEB-FRONTPAGE registrations.txt access
2 WEB-FRONTPAGE register.txt access
2 WEB-FRONTPAGE administrators.pwd
2 WEB-FRONTPAGE authors.pwd access
2 WEB-FRONTPAGE form_results access
2 WEB-FRONTPAGE orders.txt access
2 WEB-IIS getdrvs.exe access
2 WEB-FRONTPAGE fpadmcgi.exe access
2 WEB-FRONTPAGE fpadmin.htm access
2 WEB-FRONTPAGE _vti_rpc access
2 WEB-COLDFUSION startstop DOS access
2 WEB-COLDFUSION cfmlsyntaxcheck.cfm
2 WEB-COLDFUSION evaluate.cfm access
2 WEB-COLDFUSION beaninfo access
2 WEB-COLDFUSION cfappman access
2 WEB-COLDFUSION parks access
2 WEB-COLDFUSION fileexists.cfm access
2 WEB-COLDFUSION administrator access
2 WEB-COLDFUSION addcontent.cfm access
2 WEB-COLDFUSION application.cfm access
2 WEB-COLDFUSION exampleapp app. chm
2 WEB-CGI tstisapi.dll access
2 WEB-CGI redirect access
2 WEB-CGI ppdscgi.exe access
2 WEB-CGI win-c-sample.exe access
2 WEB-CGI snorkerz.cmd access
2 WEB-CGI args.bat access
2 WEB-CGI uploader.exe access
2 WEB-CGI wwwboard passwd access
2 SCAN Proxy attempt
2 WEB-MISC admin.php access
2 WEB-IIS CodeRed v2 root.exe access
2 WEB-IIS ISAPI .idq access
2 WEB-IIS ISAPI .idq attempt
2 WEB-IIS ISAPI .ida access
2 WEB-MISC adminlogin access
2 WEB-MISC backup access
2 WEB-MISC Trend Micro OfficeScan access
2 WEB-MISC order.log access
2 WEB-MISC wwwboard.pl access
2 WEB-MISC ws_ftp.ini access
2 WEB-MISC Domino log.nsf access
2 WEB-MISC Ecommerce import.txt access
2 WEB-MISC .wwwacl access
2 WEB-MISC .htaccess access
2 WEB-MISC AuthChangeUrl access
2 WEB-MISC ICQ webserver DOS
2 WEB-MISC netscape admin passwd
2 WEB-MISC SmartWinCyberOfficeShoppingCart
2 WEB-MISC queryhit.htm access
2 WEB-IIS view source via translate header
2 WEB-IIS uploadn.asp access
2 WEB-IIS site server config access
2 WEB-IIS query.asp access
2 WEB-IIS newdsn.exe access
2 WEB-IIS msadc/msadcs.dll access
2 WEB-IIS codebrowser SDK access
The top two alerts are both directory traversals, but one traverses with a “..\\” and the other traverses with a “../” The output was produced by grepping the alerts.log file snort generates for lines beginning with [**] and then sorting, counting with uniq -c, and then resorting numerically in reverse order. (sort -n -r)

Which attacks were successful?

For each attack, the first and the last attempt was examined in detail using ACID and Ethereal. None of the attacks appear to be successful.

However, when I ran strings against the binary sotm27 file, I noticed some unusual activity:

<HOST>:~/My Documents# strings sotm27 | grep attrib
attrib.exe
attrib.exe
attrib.exe
attrib.exe

(The “grep attrib” is placed there for brevity. In actuality, I looked through the whole ouput of the command “strings sotm27”)

Since attrib is used to modify file properties, I consider this unusual. I then wrote a snort rule as follows and placed it in my local.rules file:

alert tcp any any -> any any (msg:"ATTRIB"; flags: A+; content:"attrib.exe"; nocase;)

The snort rule turned up packets in the form of:

03/05-20:35:49.693203 61.111.101.78:1697 -> 172.16.134.191:445
TCP TTL:109 TOS:0x0 ID:31858 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x64308C93 Ack: 0xC84ACEDD Win: 0xF63A TcpLen: 20
00 00 24 7C FF 53 4D 42 25 00 00 00 00 18 07 C8 ..$|.SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 02 08 D8 13 ................
02 08 40 10 10 00 00 28 24 00 00 04 00 00 00 00 ..@....($.......
00 00 00 00 00 00 00 00 00 54 00 28 24 54 00 02 .........T.($T..
00 26 00 03 40 39 24 00 5C 00 50 00 49 00 50 00 .&..@9$.\.P.I.P.
45 00 5C 00 00 00 00 00 D8 13 00 00 4F 49 4C 2D E.\.........OIL-
36 49 49 36 31 4E 30 4A 57 54 4B 00 00 00 00 00 6II61N0JWTK.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
61 74 74 72 69 62 2E 65 78 65 00 00 00 00 00 00 attrib.exe......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 2D 72 20 69 6E 73 74 2E 65 78 65 20 ....-r inst.exe

Obviously, something was trying to modify a file called inst.exe. A quick google search turned up that the command “attrib -r inst.exe” is part of a trojan. Interestingly enough, this trojan's payload would try to connect to a botnet. So I filtered out the address 61.111.101.78 to a file (tcpdump -r sotm27 -w evidence host 61.111.101.78) to confirm that this was indeed the source of the compromise.

As it turns out, further analysis of the tcpdump logs show that the 61.111.101.78 address probed the compromised machine in several ways. It mapped NULL sessions, get user lists, and then connected to ADMIN$.

Connection in ADMIN$
19:35:35.337438 61.111.101.78.1697 > 172.16.134.191.445 Tree Connect AndX Request PATH: \\172.16.134.191
0x0000 4500 008e 7af9 4000 6d06 c688 3d6f 654e E...z.@.m...=oeN
0x0010 ac10 86bf 06a1 01bd 642f 7db4 c84a b484 ........d/}..J..
0x0020 5018 f925 c341 0000 0000 0062 ff53 4d42 P..%.A.....b.SMB
0x0030 7500 0000 0018 07c8 0000 0000 0000 0000 u...............
0x0040 0000 0000 0000 fffe 0208 c000 04ff 0062 ...............b
0x0050 0008 0001 0037 0000 5c00 5c00 3100 3700 .....7..\.\.1.7.
0x0060 3200 2e00 3100 3600 2e00 3100 3300 3400 2...1.6...1.3.4.
0x0070 2e00 3100 3900 3100 5c00 4100 4400 4d00 ..1.9.1.\.A.D.M.
0x0080 4900 4e00 2400 0000 3f3f 3f3f 3f00 I.N.$...?????.
19:35:35.341894 172.16.134.191.445 > 61.111.101.78.1697: P 460:526(66) ack 758 win 16763 (DF) Tree Connect AndX Response
0x0000 4500 006a 8e30 4000 7f06 a175 ac10 86bf E..j.0@....u....
0x0010 3d6f 654e 01bd 06a1 c84a b484 642f 7e1a =oeN.....J..d/~.
0x0020 5018 417b 2be0 0000 0000 003e ff53 4d42 P.A{+......>.SMB
0x0030 7500 0000 0098 07c8 0000 0000 0000 0000 u...............
0x0040 0000 0000 0108 fffe 0208 c000 07ff 003e ...............>
0x0050 0001 00ff 0100 00ff 0100 000d 0041 3a00 .............A:.
0x0060 4e00 5400 4600 5300 0000 N.T.F.S...

The first bolded 00 represents “No Password” and then the second set of bolded represents the “Successful” status of the request.

Now that the attackers has some level of rights the the ADMIN$ share (on a Windows 2000 system, this is usually the root Windows directory, i.e., WINNT), they proceed to see if they can run \System32\PSEXESVC.EXE. Again, this is successful. However, the service does not exist so it is copied to the machine in question. This is classic of the psexec.exe tool from Sysinternals.

This service is then used to copy a series of files to the attacked server, including inst.exe and dvldr.exe. In each case the attacker copies psexesrc to the compromised machines, changes the attibutes of the file being copied, and copies the file. The psexesvc.exe is deleted.

The attacker further goes on to delete C$, D$, E$, and ADMIN$ using the command “net share /delete <SHARE> /y. The packet below is a response to an attempt to access the ADMIN$ share after it has been deleted. This verified further that the deletion occurred:

19:37:39.722582 61.111.101.78.1697 > 172.16.134.191.445: Tree Connect AndX Request, Path: \\172.16.134.191\ADMIN$
0x0000 4500 008e 8a9e 4000 6d06 b6e3 3d6f 654e E.....@.m...=oeN
0x0010 ac10 86bf 06a1 01bd 6443 a47c c84c 9b05 ........dC.|.L..
0x0020 5018 fa77 3314 0000 0000 0062 ff53 4d42 P..w3......b.SMB
0x0030 7500 0000 0018 07c8 0000 0000 0000 0000 u...............
0x0040 0000 0000 0000 fffe 0308 407d 04ff 0062 ..........@}...b
0x0050 0008 0001 0037 0000 5c00 5c00 3100 3700 .....7..\.\.1.7.
0x0060 3200 2e00 3100 3600 2e00 3100 3300 3400 2...1.6...1.3.4.
0x0070 2e00 3100 3900 3100 5c00 4100 4400 4d00 ..1.9.1.\.A.D.M.
0x0080 4900 4e00 2400 0000 3f3f 3f3f 3f00 I.N.$...?????.

19:37:39.724920 172.16.134.191.445 > 61.111.101.78.1697 Tree Connect AndX Response, Error: STATUS_BAD_NETWORK_NAME
0x0000 4500 004f 9295 4000 7f06 9d2b ac10 86bf E..O..@....+....
0x0010 3d6f 654e 01bd 06a1 c84c 9b05 6443 a4e2 =oeN.....L..dC..
0x0020 5018 4470 5c0c 0000 0000 0023 ff53 4d42 P.Dp\......#.SMB
0x0030 75cc 0000 c098 07c8 0000 0000 0000 0000 u...............
0x0040 0000 0000 0000 fffe 0308 407d 0000 00 ..........@}...

About 6 minutes later, the first IRC attempt occurrs.

The successful attack leading to a compromise is the signature of the a backdoor worm discovered in early March. It contains a IRC bot which connects to a bot net. The deleting of the default shares, changing the attributes, the names of the copied files, and the process of copying all point to the Deloder worm. Since this worm copies itself to places where it will run its payload automatically (like Startup) and there is a six minute gap between the last packet of the session for 61.111.101.79 and the first IRC attempt, I surmise that the machine was rebooted at this time.

More information about this worm can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deloder.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?Vname=WORM_DELODER.A
http://vil.mcafee.com/dispVirus.asp?virus_k=100127


General Questions (not judged)

What did you learn about analysis as a result of studying this scan?
I learned that it is very time consuming to analyze packet data which there is not a snort signature for. Furthermore, I learned there needs to be a tool by which SMB packet data can be reassembled in an easy to read format.

How do you anticipate being able to apply your new knowledge and skills?
Whew. I traced more packet data that I have ever done before. My knowledge of the SMB protocol increased greated.