Information Security News mailing list archives
Honeynet Project's 'honey pot' a sweet success in trapping hacker attacks
From: InfoSec News <isn () C4I ORG>
Date: Mon, 27 Nov 2000 02:34:47 -0600
http://www.infoworld.com/articles/op/xml/00/11/27/001127opswatch.xml

Stuart McClure & Joel Scambray
Friday, Nov. 24, 2000

WHEN LAST WE SPOKE of the Honeynet Project, led by Lance Spitzner, it had successfully tracked a malicious Pakistani hacker group that was trying to knock off as many Internet systems as it could (see "'Honey pot' network can gather evidence for catching and prosecuting hackers"). Fresh off their success in monitoring the group and handing over the evidence to federal authorities, the Honeynet team took a deeper look at the traffic they were capturing and found something worth investigating further.

During just one month of monitoring, the Honeynet team's "honey pot," which poses as a real network to attract hackers, had been scanned by hundreds of unique IP addresses looking for two particular ports: UDP (User Datagram Protocol) port 137, used by the NetBIOS Name Service, and TCP port 139, the tried-and-true NetBIOS Session Service. This should not surprise loyal Security Watch students, who know that these ports, the Achilles' heel of Windows 9x/ME computers, turn users into "easy @Home and DSL victims."

Knowing the proliferation of Windows 9x systems on the Internet, and admitting to more than idle curiosity about hackers targeting Windows systems (the Honeynet Project had been a mostly non-Microsoft entity until recently), the team decided to build a default Windows 98 system with the entire C: drive shared to the world -- hoping the "black-hat" bad guys would come. And come they did.

Let the party begin

Within 24 hours, an attacker from Canada began probing the Windows 98 honey pot. Once he determined sharing was open on the system, he searched for a well-known worm Symantec calls the W32.HLLW.Bymer Worm, which is sometimes called the Win32.Bymer Worm. Unlike many popular Internet worms, this worm's sole purpose is to take advantage of free CPU cycles on a victim's computer to help crack Distributed.net's RC5-64 challenge.
This voluntary challenge uses existing technology in a distributed fashion: each participant downloads a small portion of the 64-bit key space and searches it. This is the only malicious worm we know that is designed to assist in this effort.

The Win32.Bymer Worm is a self-replicating worm that finds vulnerable Windows shares and copies to them Distributed.net's cracking configuration and executable files (dnetc.ini and dnetc.exe) and then the worm itself (msi216.exe or msi211.exe). But executing a worm on a remote Windows 9x system is not as trivial as with Windows NT. Windows 9x has no service control manager or scheduler that can be driven across the share, so you can't simply tell the operating system to execute the newly uploaded file. Attackers typically have two techniques in their arsenal: they send a self-executing attachment in a forged e-mail to the user, or they modify the user's win.ini file to force the worm to load once the system reboots. This attacker chose the simpler of the two, modifying win.ini.

When the worm runs from win.ini it adds itself to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or \RunServices key. We presume the process allows for redundancy in case the first is discovered. In addition, the worm runs the legitimate dnetc.exe program in hide mode to begin cracking RC5-64 keys. Finally, the worm searches for other vulnerable systems by randomly picking an IP address, scanning its ports, and attempting to connect to its shared C: drive.

Just when the Honeynet monitors thought the roller coaster ride was over, a second worm nosed its way out of the packet decodes. This one turned out to be the same, but it was disguised as wininit.exe, the name of a legitimate Windows 9x file installed by default. The attempt to confuse the victim by changing the name of the worm was futile in this case, but in many instances it is all the attacker needs to continue the onslaught. But the fun didn't stop there. The Honeynet network suffered another three attempts to infect its Windows 98 honey pot the following day, all in the same manner.
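The two persistence points named above (the load=/run= lines of win.ini and the HKLM ...\Run and ...\RunServices keys) are what you would check when triaging a Windows 9x box for this worm. The script below is an added example, not code from the column, Symantec or the Honeynet Project. It works offline on a copied win.ini and a REGEDIT4 text export (regedit /e), so it can be run against files pulled from a suspect machine or disk image; the file names msi216.exe, msi211.exe and wininit.exe come from the column, and the sample inputs are constructed, not real captures.

```python
"""Check a Windows 9x box's two persistence points for Bymer-style entries.

Added example (not the column's or the Honeynet Project's code). Parses a
win.ini and a REGEDIT4 export offline. Sample inputs below are constructed.
"""
import configparser
import re

# Worm file names given in the column, plus the wininit.exe disguise.
# wininit.exe is also a legitimate Windows 9x file, so it is only suspicious
# when launched from win.ini or a Run key, which is all this script inspects.
WORM_NAMES = {"msi216.exe", "msi211.exe", "wininit.exe"}

# The two keys the column says the worm adds itself to (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}


def first_program(cmdline):
    """Return the executable path at the start of a load=/run=/Run-key command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):          # quoted path, may contain spaces
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def is_worm(program):
    """True if the file name part of the path is one of the worm names."""
    return program.lower().rsplit("\\", 1)[-1] in WORM_NAMES


def win_ini_findings(win_ini_text):
    """(key, program) for every [windows] load=/run= entry that names a worm file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(win_ini_text)
    hits = []
    if not cp.has_section("windows"):
        return hits
    for key in ("load", "run"):
        # load= and run= may list several programs separated by spaces or commas
        for prog in re.split(r"[\s,]+", cp.get("windows", key, fallback="").strip()):
            if prog and is_worm(prog):
                hits.append((key, prog))
    return hits


# "Name"="data" or @="data" lines of a REGEDIT4 export; strings escape \ as \\ and " as \"
REG_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def reg_export_findings(reg_text):
    """(key name, value name, command line) for Run/RunServices values that launch a worm file."""
    hits = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or current.lower() not in RUN_KEYS:
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue                     # blank lines, dword/binary values
        name = m.group(1).strip('"')
        data = re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])   # undo REGEDIT4 escapes
        if is_worm(first_program(data)):
            hits.append((current.rsplit("\\", 1)[-1], name, data))
    return hits


def scan(win_ini_text, reg_text):
    """Combined report as a list of strings; empty if neither persistence point names the worm."""
    report = [f"win.ini [windows] {k}= starts {p}" for k, p in win_ini_findings(win_ini_text)]
    report += [f"HKLM\\...\\{k} value {n!r} starts {d}" for k, n, d in reg_export_findings(reg_text)]
    return report


# Constructed sample inputs (not real captures): a win.ini whose load= line
# starts the worm, and a registry export with a RunServices entry for it.
SAMPLE_WIN_INI = r"""
[windows]
load=C:\WINDOWS\SYSTEM\msi216.exe
run=
NullPort=None
device=HP LaserJet 4,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Bymer"="C:\\WINDOWS\\SYSTEM\\msi216.exe"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_WIN_INI, SAMPLE_REG) or ["no Bymer persistence entries found"]:
        print(finding)
```

Because the check keys on file names, a renamed copy (the column's wininit.exe trick is covered only because the name is known) will slip past it; treat a hit as a starting point and confirm by hashing the referenced file and looking for dnetc.exe and dnetc.ini beside it.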
Sometimes the lure of always-on Internet home users is all too attractive for the black-hats. If after reading this column you decide to review your own Windows systems for the worms, a number of free and commercial products can do the trick, including The Cleaner from MooSoft and Symantec's anti-virus software.

To check for the massive "global sharing of drive C:" misconfiguration, just go to a command prompt and type "net share" (Windows 9x has no "net share"; there, "net view \\yourcomputername" lists the shares your own machine exposes to the network). If your root drive is shared, remove it immediately. If you must keep root drive shares open, then check to make sure passwords are enabled, and strong! To learn more about the Honeynet efforts, check out www.enteract.com/~lspitz/.

Weakest link

You've probably heard "security is only as strong as your weakest link." The force of the phrase comes home with Honeynet's latest project. If attackers can so trivially gain access to a poorly configured Windows 9x system, they are capable of quite a lot of damage, including tunneling into your corporate network to download sensitive data.

Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone ( www.foundstone.com ).

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".