Security Incidents mailing list archives

Re: Microsoft's Early Xmas Present.


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Sat, 29 Dec 2001 23:32:00 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 30 Dec 2001, mcoleman wrote:

These logs you included appear to be logs from the web server itself,
correct? 

        Correct.  The original alert was via Early Bird.

If these are logs from the web server itself, then the 3-way handshake
must have happened and that is really hard to spoof source IP without
predictable sequence numbers, maybe someone spoofing directly upstream
from you?

        That would be difficult from the direct upstream given that their
ingress and egress filters are -- for all intents and purposes --
appropriately set. 

If you don't have stateful protection on your firewall and your
earlybird software just sniffs signatures off of the wire like Snort
does, then someone could generate SYNed/ACKed packets (to get past
Established Filters) containing Nimda GET requests using whatever source
IP they wanted, and could maybe trick a "signature sniffing" reporting
system, and your web server would just ignore them...?

        Early Bird doesn't work like Snort.  It lies in wait as a
honeypot/IDS decoy that waits for HTTP worms to come looking for it.  When
it's awakened, it examines the attack signature and then compares it to a
list of known attack methodologies. 

        The flowchart for Early Bird can be found at this URL:
http://www.treachery.net/~jdyson/earlybird/earlybird-flowchart.html

Then, there's always the possibility that M$ got infected, but you have
to consider all angles.  Far be it from me to defend M$, but you have to
keep an open mind about everything these days.  I don't believe anything
unless it is proven.  Completion of a 3-way handshake would be strong
evidence for me though. 

        I tend to agree, which is why I waited for 72 hours before
releasing my notice.  I did a full analysis and all signs pointed to
Microsoft's actual network.

On a whim, I would consider looking up www.whitehouse.gov and see if the
earlybird saw and reported attacks from that network as well, as this
would likely be another target that a trickster would use to try to
embarrass you. 

        Early Bird doesn't work that way.  Besides, www.whitehouse.gov is
on a totally different Class B.  To the best of my knowledge Nimda doesn't
spew across multiple Class B's until it has exhausted its own Class B. 

That early bird software is a great idea, but I see it easily abused
unless strong precautions are in place.

        Such as?  I don't see how it could be so readily abused.  Indeed,
there are multiple stopgaps built in that prevent its abuse.

I am sorry I am not familiar with that software, it may be much deeper
than I am giving it credit for, I just thought it important to throw
this possibility to you tonight in case that is what is happening.

        Have a stop by and take a look at the Early Bird FAQ.  It should
cover the concerns you have about possible net.abuse of the utility.

        The current version of Early Bird is 2.6, and there will be a
total rewrite of the utility (v3.0) that will be released in the next week
or so.  It will have a much larger attack signature database and all that
good stuff.

        Cheers...

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPC6047lDRyqRQ2a9AQH1nQP+IbgOrug28GKL35jpjmvGM81AUKgizR/i
3s3ymBAdV5k3xIqj0yI1ldFlY4xx5qUtTdYHGSz9dnlEUeCQe6w0ct51hOj4xLWa
k2PkvKzFZORXf+Molvc4M+Aoj+k09UXnaLbUlZy03awh+cei08tRcLa0N56Slf+H
xPK6/AtCyP8=
=f8qS
-----END PGP SIGNATURE-----
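The exchange above turns on one distinction: a sniffer that matches worm signatures on any packet can be fed forged segments that carry ACK flags and a Nimda GET, whereas a web server only logs a request after the three-way handshake has completed, which a forged source cannot finish without knowing the server's initial sequence number. The script below is an added illustration of that point, not code from the thread, from Early Bird, or from Snort. The packet records, the server address 192.0.2.10, the client addresses, the sequence numbers and the helper names (Packet, stateless_alerts, established_alerts, compare) are all constructed for the example; the request paths are a constructed subset of the probes Nimda is known to send.

```python
"""Stateless signature matching vs. handshake-aware matching for Nimda probes.

Added example (not the thread's or Early Bird's code). The capture below is
constructed: one genuinely infected host completes its handshake, one forged
source injects an ACK-flagged segment with no prior SYN, and a second forged
source sends a SYN but then has to guess the server's ISN for its ACK.
"""
from dataclasses import dataclass

# Constructed subset of request paths used by Nimda's propagation probes.
NIMDA_PROBES = (
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    seq: int
    ack: int
    payload: bytes = b""


def nimda_signature(payload):
    """Return the matching probe path if the HTTP request line is a Nimda probe."""
    request_line = payload.decode("latin-1").split("\r\n", 1)[0]
    for probe in NIMDA_PROBES:
        if probe in request_line:
            return probe
    return None


def stateless_alerts(packets):
    """Signature-on-the-wire matching: any packet with a matching payload alerts."""
    alerts = []
    for p in packets:
        sig = nimda_signature(p.payload)
        if sig:
            alerts.append((p.src, sig))
    return alerts


def established_alerts(packets, server_ip, server_port):
    """Credit a request only on a flow whose handshake completed with correct ACKs.

    This models what an entry in the web server's own log implies: the client
    acknowledged the server's ISN, so it really received the SYN/ACK.
    """
    flows = {}   # (client_ip, client_port) -> {"stage", "client_isn", "server_isn"}
    alerts = []
    for p in packets:
        if p.dst == server_ip and p.dport == server_port:
            key = (p.src, p.sport)
            if p.flags == "S":
                flows[key] = {"stage": "syn", "client_isn": p.seq}
                continue
            flow = flows.get(key)
            if flow is None:
                continue   # ACK/PSH with no SYN seen: unsolicited, ignore
            if (flow["stage"] == "synack" and "A" in p.flags
                    and p.ack == flow["server_isn"] + 1):
                flow["stage"] = "established"
            if flow["stage"] == "established":
                sig = nimda_signature(p.payload)
                if sig:
                    alerts.append((p.src, sig))
        elif p.src == server_ip and p.sport == server_port and p.flags == "SA":
            flow = flows.get((p.dst, p.dport))
            if flow and flow["stage"] == "syn" and p.ack == flow["client_isn"] + 1:
                flow["stage"] = "synack"
                flow["server_isn"] = p.seq   # the value a forger would have to guess
    return alerts


SERVER = "192.0.2.10"
REAL, FORGED, FORGED_SYN = "198.51.100.7", "203.0.113.9", "203.0.113.77"
REQ = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"

SAMPLE_CAPTURE = [   # constructed packet trace as seen at the server's segment
    Packet(REAL, SERVER, 40001, 80, "S", 1000, 0),
    Packet(SERVER, REAL, 80, 40001, "SA", 777000, 1001),
    Packet(REAL, SERVER, 40001, 80, "A", 1001, 777001),
    Packet(REAL, SERVER, 40001, 80, "PA", 1001, 777001, REQ),
    Packet(FORGED, SERVER, 40002, 80, "PA", 5000, 123456, REQ),      # no SYN at all
    Packet(FORGED_SYN, SERVER, 40003, 80, "S", 5000, 0),
    Packet(SERVER, FORGED_SYN, 80, 40003, "SA", 913000, 5001),       # forger never sees this
    Packet(FORGED_SYN, SERVER, 40003, 80, "PA", 5001, 123457, REQ),  # guessed ack number
]


def compare(packets=SAMPLE_CAPTURE):
    """Sources each method would report for the constructed capture."""
    return {
        "stateless": sorted({src for src, _ in stateless_alerts(packets)}),
        "established": sorted({src for src, _ in established_alerts(packets, SERVER, 80)}),
    }


if __name__ == "__main__":
    print(compare())
```

Run as-is it reports all three sources under "stateless" and only 198.51.100.7 under "established". Against a real server the forger's guessed acknowledgement number would have to match the server's ISN, which is the "predictable sequence numbers" condition raised in the thread; without that, a handshake-aware log entry is strong evidence that the source address is genuine, while a bare signature hit on the wire is not.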


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
