This paper discusses IRC-based trojans as a distinctly underestimated class of malicious activity, and how real-time security event monitoring is the key to identifying and containing similar compromises. It discusses the general methodology used to discover, track, and stop such malicious activity by presenting a real-world case study.

The firewall alerts, as shown in Table 1, began around midnight: prolific scans from a host inside one of LURHQ Corporation's clients' perimeters to many Internet hosts for IRC (TCP 6667). Within minutes LURHQ had thousands of alerts. And in a few days we were well into exploring our attacker's methods, tools, and activities - an endeavor that would result in a greater awareness of what is now appreciated as a distinct class of attacks (IRC-based trojans), and reinforcement of the fact that firewalls, anti-virus software, and intrusion detection systems are not enough. Constant security event monitoring is the missing key to most information security infrastructures.

Table 1. Firewall alerts:
Apr 25 18:15:14 client_firewall unix: securityalert: tcp if=hme1 from .43:3622 to 212.110.161.45 on unserved port 6667
Apr 25 18:04:32 client_firewall unix: securityalert: tcp if=hme1 from .43:3690 to 203.121.68.219 on unserved port 6667
Apr 25 17:55:15 client_firewall unix: securityalert: tcp if=hme1 from .43:4240 to 209.116.7.23 on unserved port 6667
Apr 25 17:56:48 client_firewall unix: securityalert: tcp if=hme1 from .43:4802 to 212.74.101.21 on unserved port 6667

This attacker's code is probably unique, but the approach is not new or unique. Still, you seldom hear of it - the use of semi-custom trojan packages using IRC as a control channel. Some alerting organizations allude only to increases in IRC-based backdoors and malware, but do not mention the individual trojan package(s) used. And most virus protection packages catch very few tools like this. The reason for this is that there are too many such tools, most are evolving, and their propagation is more deliberate and controlled, unlike newsworthy worms like Nimda and Melissa. There are likely hundreds, perhaps thousands, of these types of packages, which may really be considered crackers' tool kits - Swiss Army knives for cracking, if you will. They range from the collected and self-written scripts of individuals to collections of such tools available for download and use by less skilled attackers. The approach is typically:

1. Infect a host (usually one with good bandwidth and a high level of anonymity, like a DSL or cable modem home user). This may be done in a variety of ways, usually cracker 101 level activity.
2. Add a variety of tools for common tasks (backdoors, DoS, host and port scanning, hiding the attacker's identity, scuttling the host if necessary, etc.).
3. Load some control code (often a collection of mIRC scripts). This control code is what really defines this class of trojan package.

The control code provides the attacker a means to run and control various utilities via IRC, backdoor access to the host, and some mechanism for file transfer. More sophisticated packages allow their victims, or zombies, to report back regarding the success/progress of attacks. This allows the attacker to control dozens and, in some cases, hundreds or thousands, of zombies with a great deal of flexibility and vision. A great majority are centered around a hacked version of mIRC, a common IRC client, and associated mIRC scripts. To summarize, the power of this approach is three-pronged. First, it uses commonly available tools to completely control victims. Second, it uses an array of intermediate victims to obfuscate the attacker's identity. And third, there are so many similar tool kits out there that they provide an overload of small moving targets for the good guys (virus protection vendors, firewall vendors, and security staffs in general). As an example, neither CERT nor the FBI were able to appoint any resources to this incident.

After the first wave of scans, we asked that the host be checked out thoroughly. It turned out to be the laptop of a remote worker with DSL who had remote access through a VPN (split tunneling disabled). The machine had current anti-virus software and a personal firewall.
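The point of the case study is that the compromise was visible only because someone was watching the firewall's securityalert stream in real time. As an added example (not code from LURHQ or the paper), the following parses alert lines in the Table 1 format and flags any internal source that reaches several distinct Internet hosts on TCP 6667 within a time window, which is the pattern of an IRC-controlled zombie hunting for its channel. The internal addresses, the second host, the threshold of three targets and the one-hour window are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout of the firewall "securityalert" lines quoted in Table 1.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) unix: securityalert: "
    r"(?P<proto>tcp|udp) if=(?P<iface>\S+) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) on unserved port (?P<dport>\d+)$"
)

# Constructed sample log: source addresses and the second host are made up,
# the destinations on the first four lines are those shown in Table 1.
SAMPLE_LOG = """\
Apr 25 17:55:15 client_firewall unix: securityalert: tcp if=hme1 from 10.1.2.43:4240 to 209.116.7.23 on unserved port 6667
Apr 25 17:56:48 client_firewall unix: securityalert: tcp if=hme1 from 10.1.2.43:4802 to 212.74.101.21 on unserved port 6667
Apr 25 18:04:32 client_firewall unix: securityalert: tcp if=hme1 from 10.1.2.43:3690 to 203.121.68.219 on unserved port 6667
Apr 25 18:15:14 client_firewall unix: securityalert: tcp if=hme1 from 10.1.2.43:3622 to 212.110.161.45 on unserved port 6667
Apr 25 18:16:01 client_firewall unix: securityalert: tcp if=hme1 from 10.1.2.77:1033 to 198.51.100.9 on unserved port 6667
Apr 25 18:16:30 client_firewall unix: securityalert: udp if=hme1 from 10.1.2.77:1034 to 198.51.100.10 on unserved port 137
"""

def parse_line(line):
    """Return a dict of fields for one alert line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for ordering and differences within a single day's log.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_irc_scanners(lines, port=6667, min_targets=3, window_s=3600):
    """Map each source that hits >= min_targets distinct hosts on `port`
    within window_s seconds to (distinct_targets, first_seen, last_seen)."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            per_src[rec["src"]].append((rec["time"], rec["dst"]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window start
            window = [(t, d) for t, d in events[i:] if (t - t0).total_seconds() <= window_s]
            targets = {d for _, d in window}
            if len(targets) >= min_targets:
                hits[src] = (len(targets), t0, window[-1][0])
                break
    return hits

if __name__ == "__main__":
    for src, (n, first, last) in find_irc_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} IRC targets between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against the sample, only the first host is reported; the second host made a single IRC connection, which on its own is ordinary user traffic rather than a scan.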