Security Incidents mailing list archives

How to obtain a complete list of CR2 compromised hosts


From: aleph1 () securityfocus com
Date: Sun, 5 Aug 2001 11:32:22 -0600

----- Forwarded message from Braddock Gaskill <braddock () braddock com> -----

From: Braddock Gaskill <braddock () braddock com>
To: bugtraq () securityfocus com
Subject: How to obtain a complete list of CR2 compromised hosts
Date: Sun, 5 Aug 2001 12:38:12 -0400
Message-ID: <20010805123812.A11760 () braddock com>
X-Mailer: Mutt 1.0.1i

Here's an analysis of some very serious implications of CodeRed II I
just wrote, including a hypothetical technique for easily building a
list of ALL infected hosts on the internet.

Source site http://braddock.com/cr2.html

                    ___________________________________
                                      
  How to anonymously get root access on a quarter million machines overnight
     By Braddock Gaskill (braddock () braddock com), (C) 5 August 2000
                    ___________________________________
                                      
Abstract

   This analysis describes a means through which a complete list of the
   estimated 250,000 CodeRed II infected and backdoor compromised hosts
   can be easily obtained by any individual who has been keeping a web
   server log of attempts on his machine, by using the backdoors on the
   machines that have attacked him to obtain the web logs of the
   infected attacking IIS web servers to learn of new infected hosts. The
   strong recommendation from this report is that as part of any CodeRed
   II recovery effort, the system web logs should immediately be
   destroyed, and Intrusion Detection Systems should be checking for and
   tracing recursive attempts to access web logs through the backdoor.
                    ___________________________________
   
   In the past 24 hours the CodeRed II worm has been infecting IIS web
   servers with a speed equal to or greater than that of the original
   CodeRed. The original CodeRed infected what is thought to be all
   vulnerable machines, approximately 250,000 hosts, in under 24 hours.
   
   While CodeRed I was relatively harmless, CodeRed II installs a full
   Administrator-access back door shell that can be accessed via HTTP.
   This creates a very interesting situation, and with the techniques
   discussed in this paper opens a new potential door for mass system
   cracking.
   
   The problem with releasing a worm or virus to obtain some information
   of value is that to transmit the information back to the worm
   originator creates a very clear trail that can be traced back to the
   perpetrator. Primitive and naive worms or viruses sometimes attempt to
   e-mail or otherwise communicate password files or information back to
   some origination point, allowing a trace to the original author. A
   more sophisticated worm might attempt to just pass information
   upstream to get it closer to some origination node, and make attempts
   to destroy records of the transmission, but this too leaves a trace of
   the worm's spread, and all records of the transmission in things like
   firewall logs and IDS systems can never be removed.
   
   It is difficult enough to find an anonymous enough node to make the
   initial release of the worm...preferably one would do this far from
   home in a previously unpatronized internet cafe or the like, through a
   large number of randomly cracked systems. If an author actually makes
   some attempt to "return to the scene of the crime" to retrieve
   anything of value the worm might send back to some rendezvous node, he
   could most certainly be caught.
   
   The alternative to this is to attempt to make the information the worm
   gathers public, and then attempt to retrieve it just like thousands of
   others will. For example, a worm might send password lists to a Usenet
   newsgroup or post it in some public forum. But any public forum
   usually has some form of moderation and administration, so any
   malicious information at such a site would not stay online for long.
   
   In addition, the more sophisticated the initial worm, the more
   stylistic and linguistic "fingerprints" the original author will leave
   on it. Posting to public forums may well double the code in a simple
   worm. If an author has ever made any of this code public, there may
   well be government agencies that could use code fingerprinting to
   narrow the field of suspects, particularly if other profiling
   information about known crackers can be used.
   
   If a true "anonymous common carrier" system like FreeNet is ever
   successfully put into place, this may well change the landscape, but
   true untraceability will probably always remain elusive once national
   security or currency laundering enforceability is at stake, even if
   unfortunate Draconian legal means are required to achieve it.
   
   CodeRed II, however, presents a very different alternative. CR2
   infects its hosts with a simple worm, inserts a simple
   Administrator-access backdoor shell into the victim, and begins
   scanning for new victims. At first glance, the backdoor is of little
   use to the worm originator. After all, the originator has no list of
   infected hosts communicated back to him or left at some secret drop
   point. The originator, like anyone else, can perform massive network
   scans for the backdoor, but that would put him on a relatively short
   and easily compiled list of suspects. The worm also keeps no log of
   hosts that it has infected, and indeed no log is essential to keep the
   spread untraceable to the originating node. Perhaps a public key
   encrypted log could be compiled, but that leaves us back to the
   original problem of a fixed "drop point" or communication of the data.
   
   Lack of usefulness appears to be the case, except for the fact that
   the internet is now saturated with CR2 worms, each leaving web logs
   across the internet full of records of buffer overflow attempts, WITH
   the infected host's IP address. These attack attempts perform an
   additional service than just attempted infection...they serve to
   announce the infection of the attacking host. And they do so in a way
   that leaves no direct trail of initial spread of the worm, and thus no
   direct risk of discovering the originating node.
   
   This means directly that by the end of the week I will personally in
   my web log have the IP addresses of over 100 random hosts with
   full-access backdoors installed that I could attack directly. 100
   hosts on different unrelated networks is a large compromise for any
   individual cracker, but not something that requires a massive internet
   worm to achieve. This is not enough value to make the plague of a worm
   worthwhile to its originator.
   
   However, each of those 100 random infected hosts I know about is ALSO an
   IIS web servers with logs of, for example, another 100 random infected
   hosts each that attempted to re-infect THEM. That means by breaking
   into the 100 hosts I know about and reading their logs, I now have
   backdoor access to approximately 100*100 = 10,000 hosts! Repeat this
   another level (preferably originating from the broken nodes), and I
   will have 1,000,000 break-in attempts by random hosts. At this point,
   many of these attempts will be from duplicate hosts, since only an
   estimated 250,000 hosts will be infected (this from the CR1
   estimates), however it is clear that the implication of this worm is
   FAR greater than random hosts with backdoors. It provides a clear
   mechanism for obtaining a list of thousands of infected hosts with
   backdoors.
   
   While this technique is nice, it is still not entirely untraceable.
   IDS systems will surely be looking for this type of backdoor
   exploiting traffic in the near term, and contacting several thousand
   hosts either directly or through a worm-backdoor distributed mechanism
   will be detectable on some level. A full list would require the
   recursive retrieval of web logs from several thousand hosts. However,
   the originator of the worm himself does not need to fear exposure...he
   has essentially made this information available to anyone who
   understands CodeRed II and its implications described above, and it
   is probably a matter of hours to days before a public list of all
   infected hosts is made available online.
   
   --Braddock Gaskill, 5 August 2001
                    ___________________________________
   
   The text of this document may be freely reproduced and redistributed
   in unmodified form - bcg


-- 
"Basic research is what I'm doing when I don't know what I'm doing."
                                                         -Werner von Braun



----- End forwarded message -----
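The two detection tasks the post recommends, extracting the infected attackers that announce themselves in your own web log and flagging recursive attempts to read web logs through the backdoor, as an added Python example that is not part of the original post. The log lines are constructed, and the CR2 request signature (`/default.ida` with an `X` filler) and the backdoor shell names are assumed here since the post does not state them.

```python
import re
from collections import Counter

# Constructed IIS-style log lines (fields: date time c-ip method uri-stem uri-query status).
# Made-up sample entries, not taken from the original post.
SAMPLE_LOG = """\
2001-08-05 12:01:07 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 400
2001-08-05 12:03:44 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 400
2001-08-05 12:05:12 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 400
2001-08-05 12:09:30 203.0.113.5 GET /scripts/root.exe /c+dir+c:\\winnt\\system32\\logfiles\\w3svc1 200
2001-08-05 12:10:02 203.0.113.9 GET /index.html - 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
# Assumed CR2 overflow signature: .ida request whose query starts with a long 'X' run
# (CodeRed I used 'N' filler, so it is deliberately excluded).
CR2_RE = re.compile(r"^X{10,}")
# Assumed backdoor shell names and web-log location keywords to watch for.
SHELL_RE = re.compile(r"/(root|cmd)\.exe$", re.I)
LOGDIR_RE = re.compile(r"logfiles|w3svc|\.log\b", re.I)


def parse_line(line):
    """Return a dict of log fields, or None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def infected_hosts(log_text):
    """Count CR2 infection attempts per source IP; each attempt announces that
    the attacking host is itself infected, which is the post's key observation."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["stem"].lower() == "/default.ida" and CR2_RE.match(rec["query"]):
            hits[rec["ip"]] += 1
    return hits


def log_access_via_backdoor(log_text):
    """Flag requests that hit a backdoor shell and reference the web-log area,
    the recursive log-harvesting step the post says an IDS should trace."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SHELL_RE.search(rec["stem"]) and LOGDIR_RE.search(rec["query"]):
            flagged.append((rec["ip"], rec["stem"], rec["query"]))
    return flagged


if __name__ == "__main__":
    print("infected attackers:", dict(infected_hosts(SAMPLE_LOG)))
    print("log harvesting via backdoor:", log_access_via_backdoor(SAMPLE_LOG))
```

The infected-attacker list is what a site owner would feed into notification or blocking; the second function is the alert the post's recommendation asks for.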
-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com