Last Updated: 2007-11-22 13:49:09 UTC
by Johannes Ullrich (Version: 1)
One of the main problems the Internet security operations community faces is that although globally encompassing incident response and information sharing is happening, it is happening on the technological and operational levels. We mostly do not know how to communicate with the policy makers. Some of us present there made headway in the hallways (as the sessions are mostly just repeated talk).
I spoke with Dr Hamadoun Touré, the Secretary General of the ITU on some of our efforts and some of our operational needs, and was pleased to find an open mind and sincere interest. The ITU, at least as far as I understood, is concerned with Internet security, and appreciates the importance of the operational communities and the work we do.
On a surprising note, China ran a few security sessions in which its delegates showed high visibility into Internet security and abuse in China, speaking of the issues of establishing trust and of incident response statistics. They are highly concerned with spam, and were the only ones to have spoken in an operational manner. They quoted numbers from (mainly) US sources that showed spam and abuse activity in China, then indicated a drop in spam being sent from the Chinese network (spam is of key importance to them in their presentations).
On the other hand, they presented an increase in phishing and botnet incidents being reported. In one slide they showed numbers on phishing reports, sorted by top reporters. The top five reporters were: Verisign (probably iDefense), RSA (probably Cyota), eBay (probably eBay), CastleCops (probably PIRT) and MarkMonitor.
But wait, there's more. The Chinese delegation also discussed mitigation success rates. In phishing, out of over 600 sites reported in one time period they mitigated just over 200. They were sincere and open on where they have to get better and, to be honest, I was in awe of them, a country I had considered to be a black hole for abuse reports. We made some new contacts and hope these will prove fruitful for future cooperation. I am highly impressed with the people I met from China.
Another subject of interest to me was my discussion with Milton Mueller on his advocacy of some information being removed from publicly accessible WHOIS data. Although ideologically I am with him on this privacy issue, practically speaking it is the only (granted, very poor) way for the Internet security operations community to take down abusive domain names today, through registrars, and the Internet can't do without it until another option is presented. I hope to work with him on solutions to this conundrum.
My lecture there was one I only found out I was giving about a month ago, after being contacted by a member of ICANN's SSAC. It was part of the Case Studies session from the Diplo Foundation (http://www.diplomacy.edu), where I spoke, technically, of lessons from the Estonian Internet war and how countries can defend themselves, as written in the post-mortem analysis and recommendations I wrote for the Estonian CERT. In the question section we spoke of the importance of CERT organizations, how they are established, and the differences in fraud as seen in different parts of the world. My fellow session members were Robert Guerra (Canada, session moderator), Veronica Cretu (Moldova, facilitator), and the other panelists, Olga Cavalli (Argentina) and Cristine Hoepers (who manages the Brazilian CERT). I, of course, am from Israel and work for Afilias Global Registry Services.
Last Updated: 2007-11-21 01:21:34 UTC
by Kevin Liston (Version: 1)
Holiday/Family Incident Response: Why and How
Apologies in advance that this is Windows-centric.
Many of us are going to be visiting with friends and family over the next couple of months while celebrating a number of year-end holidays. Often, we are tapped for on-site tech-support duty in exchange for holiday treats.
Yesterday George posted a request for what's in your holiday/family incident response toolkit. Overnight I collected the responses in the hope of presenting a useful and organized list.
Incident response under these conditions can be far harder than what one encounters at the day job. The builds are non-standard, there are rarely backups to rely on, and the data are irreplaceable (personal financial data, photographs, genealogical projects, etc.). The stakes are often higher.
The response methodology is similar to what you'd run into at work:
- Lessons Learned/Prevention
Hopefully that was done last year when you put on AV, firewalls, and anti-spyware. This year, root-kit detection tools are more widely available, so it's a good time to update your jump-kit and your framework.
The first step is an interview with the machine's user. You should ask things like:
- "Have you patched recently?"
- "Is the machine running slowly?"
- "Getting a lot of pop-ups?"
Follow the interview with an inspection to verify that the AV is present, running, and up-to-date. Ensure that the OS is fully patched. Peek at the hosts file. See if there is reason to suspect that the machine is compromised before you start tearing into it.
Should you determine that the machine has been compromised, it is time to start backing up the important files off of the machine. The only sure approach to cleaning a system is to rebuild it. Many spyware/virus cleaning tools were submitted, but I consider them useful only in the Identification phase, to determine whether the machine has been compromised. I personally do not recommend them for reliable system cleanup.
If the system was properly secured last time, and no ill has come of it, then congratulations. But your work is not over. This final stage is the most important stage in incident response. Go over what you found in your investigation, point it out, and provide a solution. No anti-virus? Put one on. No backups? Make one. Firewall not enabled? Enable it. This is the point where you provide additional instructions, set up an ongoing tech-support option (if you're brave/generous enough), and suggest alternatives (say, move them from IE7 to Opera or Firefox, which have their own issues, so you have to carefully consider the consequences of that).
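As an added example for the "peek at the hosts file" step (not from the diary or the readers' submissions), a small Python script that parses a Windows hosts file, treats loopback and 0.0.0.0 sinkhole entries (the MVPS-style blocklist mentioned under Other protection methods) as normal, and lists the entries that redirect a name to a routable address, which are the ones to review before trusting the system's name resolution. The sample hosts content, names and addresses are constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample of a Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts).
# The names and addresses are invented for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-adserver.test   # blocklist-style entry, as in the MVPS hosts file
198.51.100.23   www.examplebank.test online.examplebank.test
203.0.113.9     update.example-av.test
not-an-address  garbage.test
"""

def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for each mapping line; comments and junk are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                  # first field is not an IP address
        yield lineno, ip, fields[1:]

def classify(ip):
    """Loopback and unspecified (0.0.0.0 / ::) targets are the benign hosts-file uses:
    local names and ad/malware blocklists. Anything else sends the name to a real host."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "sinkhole"
    return "redirect"

def suspicious_entries(text):
    """Mappings that redirect a hostname to a routable address; review each one by hand."""
    return [(lineno, str(ip), names) for lineno, ip, names in parse_hosts(text)
            if classify(ip) == "redirect"]

def summary(text):
    """Counts per class, so a huge MVPS-style blocklist is not mistaken for tampering."""
    return dict(Counter(classify(ip) for _, ip, _ in parse_hosts(text)))

if __name__ == "__main__":
    print(summary(SAMPLE_HOSTS))
    for lineno, ip, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {' '.join(names)}")
```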
I broke the tools down into the following categories:
- Frameworks - how one deploys the tools to the system
- System Analysis
- Malware Analysis - a subset of System Analysis tools focused on analyzing the malware
- Network Analysis
- Registry Cleanup
- Remote Support
- Browser protection
CD vs. USB
How should you transport your tools to the site? There are good arguments supporting both burned CDs and USB drives.
Burned CDs:
- You can leave copies behind for them to use
- It's hard to infect them
- Capacity - a trade-off can be made between capacity and expense by switching to DVD
USB drives:
- Flexibility - you can write to them
- Make nice gifts
- Risky, if you don't write protect them
- Costlier than CD/DVD media
Of course one can simply run from the CD or USB drive on the live system. In some cases this is the best first step, especially if you suspect something like a botnet running on the system. Live incident response can quickly identify that the machine is compromised and provide you with the code that's causing the traffic right away (see below for the System Analysis tools one can use in these cases).
Others prefer to work from a boot-disk when analyzing a system, particularly when a root-kit is suspected. These came in two varieties, Windows-based and Linux-based.
Among the Windows-based options, people recommended:
- BartPE (http://www.nu2.nu/pebuilder/)
- Ultimate Boot CD (http://www.ubcd4win.com)
- PortableApps (http://portableapps.com/)
For Linux-based options try:
- BackTrack 2 (http://www.remote-exploit.org/backtrack.html)
- Knoppix (http://www.knoppix.org/); also look for the Knoppix variant Knoppicillin
- Helix (http://www.e-fense.com/helix/)
- Ubuntu 7.10, which supports read/write access to NTFS partitions
Anti-virus tools can be used for an initial assessment of the system. One (or more) of these should be left installed on the system when you leave. There are plenty of great commercial solutions; I'm only listing free solutions today:
- Grisoft's AVG (http://www.grisoft.com)
- ClamWin (http://www.clamwin.com/)
- Avast! (http://www.avast.com/eng/avast_4_home.html)
- Avira Antivir (http://www.free-av.com/)
- Microworld Free AV toolkit (http://www.mwti.net/products/mwav/mwav.asp)
Like anti-virus tools, anti-spyware tools play a role in the initial assessment of the system, and should be installed on the system when you leave it, for added protection.
- Spybot Search and Destroy (http://www.safer-networking.org/en/spybotsd/index.html) the most commonly suggested tool
- Adaware (http://www.download.com/Ad-Aware-2007-Free/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5)
- Sunbelt's CounterSpy Trial Edition (http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/)
- cwshredder (http://www.intermute.com/spysubtract/cwshredder_download.html) a very focused spyware cleaner
- Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html)
- Winpatrol (http://www.winpatrol.com/)
- BOClean (http://www.comodo.com/boclean/boclean.html) which I find to be an interesting little tool
- PC Tools Spyware Doctor (http://www.pctools.com/spyware-doctor/)
- Runscanner (http://www.runscanner.net)
We did not have a lot of anti-rootkit tools last year. They may turn up things that aren't showing up in your other scans.
- Sysinternals RootkitRevealer (http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx)
- F-Secure Blacklight (http://www.f-secure.com/blacklight/)
- GMER (http://www.gmer.net)
- AVG Anti-rootkit (http://www.grisoft.com/doc/download-free-anti-rootkit)
- IceSword (http://www.antirootkit.com/software/IceSword.htm)
- Rootkit Unhooker (http://antirootkit.com/software/RootKit-Unhooker.htm)
- Sophos Anti-rootkit (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html)
The guys over at RaDaJo (RAul, DAvid and JOrge) Security Blog have an article inspired by George's post featuring Anti-Rootkit tools: http://radajo.blogspot.com/2007/11/anti-rootkit-windows-tools-searching.html.
Burning a copy of irreplaceable photos and other documents to CD/DVD is time well spent, regardless of whether the system is compromised and needs to be reinstalled. They will likely not regret the time put into this important defensive measure. Reader Robert suggests that you can avoid a lot of drag-and-drop effort by using Areca (http://areca.sourceforge.net/).
There are a tremendous number of little programs that can give you a view into what is going on in the system. These are used during the live response stage of your holiday/family incident response. HijackThis was the overwhelming favorite, followed by strong support for the Sysinternals tools.
- Hijackthis (http://www.spywareinfo.com/~merijn/programs.php)
- Sysinternals Process Explorer (http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx)
- Sysinternals Autoruns (http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx)
- Sysinternals TCPView (http://www.microsoft.com/technet/sysinternals/Utilities/TcpView.mspx)
- Sysinternals Procmon (http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx)
- Sysinternals Filemon (http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx)
- Sysinternals Streams (http://www.microsoft.com/technet/sysinternals/FileAndDisk/Streams.mspx)
- DatFind (http://virus-protect.org/datfindbat.html) an interesting little German batch-file that reports on recently changed system files.
- LADS (http://www.heysoft.de/nt/ep-lads.htm)
- OpenPorts (http://www.topshareware.com/DiamondCS-OpenPorts-download-7334.htm)
- WhyReboot (http://exodusdev.com/products/WhyReboot/)
- Microsoft XP Change Analysis Diagnosis Tool (http://support.microsoft.com/?kbid=924732)
- XRayPC (http://www.x-raypc.com) which has some interesting client/server applications for remote tech support
Using these tools can occupy a lot of your time and requires a fair amount of experience. Russ has offered a helpful write-up of a Rapid Malware Response/Analysis process (http://holisticinfosec.org/publications/MalcodeAnalysisTechniquesForIH_McRee.pdf).
These tools were offered up for taking a closer look at the malware found on the system. Using them requires a larger investment of time than many people have while visiting, but for future use they might be handy to have in your own incident response toolkit.
- Mandiant Red Curtain (http://www.mandiant.com/mrc)
- OllyDbg (http://www.ollydbg.de) a freeware debugger for tracing program execution
- PEiD (http://peid.tk) for detecting packers, cryptors and compilers
- WinDiff (http://www.grigsoft.com/download-windiff.htm) for comparing files
- XVI32 (http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm) for hex editing
It is sometimes easier to determine whether a system is compromised by looking at the network traffic leaving it, especially if you're familiar with protocol analysis. Commonly suggested tools were:
- Wireshark (formerly known as Ethereal) (http://www.wireshark.org)
- Nmap (http://insecure.org/) for scanning the suspected system for backdoor listeners
- SmartSniff (http://www.nirsoft.net/utils/smsniff.html) a smaller packet capture program
A few tools were submitted that promise to clean up the registry and other system files to improve system performance.
- CCleaner (http://filehippo.com/download_ccleaner/) commonly recommended by readers
- EasyCleaner (http://personal.inet.fi/business/toniarts/ecleane.htm)
Some brave and generous people offer remote tech support to their families. They have recommended:
It is not something that I would recommend or personally do. For selfish reasons, I don't look forward to late night tech support phone calls from Aunt Minnie. Nor do I like opening up a remote control panel on a machine that I'm trying to protect.
This was the focus of last year's post (how to get all of the updates for Grandma's PC together). The Offline-Update project (http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml) promises to solve the problem of building your own CD or USB drive to patch relatives' machines that have only dial-up connections to the Internet. But what about all of those applications on the system? Attacks are moving from OS vulnerabilities to leveraging vulnerabilities in applications like audio players and PDF readers. Secunia offers a program that can inventory and assess the applications installed on the system. Details are available at: https://psi.secunia.com/.
Many submissions suggested moving the user from IE over to Firefox or Opera. They also suggested using McAfee's SiteAdvisor (http://www.siteadvisor.com/) and Netcraft's Toolbar (http://toolbar.netcraft.com/).
Other protection methods
- Ensure that the firewall is enabled and configured properly.
- Enable DEP if it is available
- Tony suggests modifying the hosts file to add further protection (http://www.mvps.org/winhelp2002/hosts.htm)
- Enlist their system to submit logs to DShield
Kevin Liston (kliston at isc dot sans dot org)
Last Updated: 2007-11-20 22:34:40 UTC
by Kevin Liston (Version: 1)
“There is nothing on my computer that a hacker would be interested in.”
How often do you hear that statement as a key point in someone’s defense strategy? It is something I’ve often heard in social outings and family gatherings.
I try to use it as an opportunity for security awareness. First, rephrase the statement to be: “There is nothing on my computer that a criminal would be interested in.” This takes the conversation away from the contentious “what does the word hacker mean” debate. If you focus on protecting yourself from criminals, you stand a pretty good chance against hackers/crackers as well (whether or not you feel there is such a distinction).
What makes up an abstract computer system on the Internet?
- CPU
- Memory
- Hard Drive
- Internet access/IP address
- User data
So what would a criminal be interested in on this average computer?
CPU: botnets often use their slave machines to send email, proxy web traffic, and launch denial of service attacks. These all use slices of CPU on the machine to do work the criminals would otherwise not have the resources to do.
Memory: the user's browsing habits, username/password credentials, and other sensitive user data are captured out of memory.
Hard Drive: I have seen botnets that perform no other service than acting as a giant library to store pirated films and audio.
Internet access/IP address: every new IP that isn't already on a blocklist is of interest to spammers. Criminals can host malicious websites on the machine to avoid other blocklists. Criminals can proxy their traffic through the machine to hide their true location and to avoid some companies' firewalls blocking known-bad IPs.
What about User Data?
Everyone knows that criminals are interested in your banking and PayPal credentials. They are also after your eBay password so they can sell stolen goods in your name. They are after your Facebook and MySpace credentials so they can post links to malicious websites (look at Dancho Danchev's post today for an example). They're after your email address; even by itself, a working email address is worth money. Take a person's address book and you get their social network, which can be used to launch targeted email attacks. Your email address is often used as your account name on a number of web services. It's arguable that you can now correlate more about a person from their email address than from their Social Security Number.
So you may think there is nothing of interest on your machine, but there are certainly things of value on your system. Criminals know how to “make it up in volume.”
Last Updated: 2007-11-20 17:57:27 UTC
by Johannes Ullrich (Version: 2)
Quick update: The source MAC address is the MAC address of the Windows XP system running in VMware Fusion 1.1 (updated yesterday). The destination MAC address is the broadcast address (all FF). One reader (Mike) suggested that this is part of wireless access points trying to find each other. There are three wireless access points that are part of this WDS, but given the MAC address, I don't think this is related.

I am just on vacation at my parents' place, and while doing some network maintenance, I came across these two mystery packets:
17:07:17.405771 IP 192.168.178.255 > 255.255.255.255: ip-proto-139 30
        0x0000:  4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
        0x0010:  ffff ffff 0100 0200 0000 0000 0000 0000  ................
        0x0020:  0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a  ........l@....8*
        0x0030:  ab63                                     .c
17:07:17.406835 IP 192.168.178.255 > 255.255.255.255: ip-proto-139 30
        0x0000:  4500 0032 0001 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
        0x0010:  ffff ffff 0100 0100 0000 0000 0000 0000  ................
        0x0020:  0000 1b3c 90a3 4ac1 50b7 930a b723 a181  ...<..J.P....#..
        0x0030:  431a                                     C.
A bit about the network: 3 PCs, 2 Macs running Leopard. Each Mac runs VMware with Windows XP. All the PCs run Windows XP. There is a "FritzBox" DSL router. Part of the network is wireless. Other than that, there isn't much special about the network. The hosts run firewalls which are pretty much open locally.
No idea so far why these packets show up. They kind of look like corrupted NetBIOS packets (port 139 > protocol 139?). But why broadcast like this? Please let us know if you have any ideas.
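As an added example (not part of the diary), a Python decoder for the two dumps above: it parses tcpdump -X output back into bytes, decodes the IPv4 header that tcpdump summarized as ip-proto-139, recomputes the header checksum, and lists the payload offsets at which the two packets differ. The dump is re-typed from the diary; the function names are this example's own.

```python
import re
import struct
from ipaddress import IPv4Address
# The two dumps from the diary, re-typed in tcpdump -X layout (offset, hex groups, ASCII).
DUMP = """\
17:07:17.405771 IP 192.168.178.255 > 255.255.255.255: ip-proto-139 30
    0x0000:  4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
    0x0010:  ffff ffff 0100 0200 0000 0000 0000 0000  ................
    0x0020:  0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a  ........l@....8*
    0x0030:  ab63                                     .c
17:07:17.406835 IP 192.168.178.255 > 255.255.255.255: ip-proto-139 30
    0x0000:  4500 0032 0001 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
    0x0010:  ffff ffff 0100 0100 0000 0000 0000 0000  ................
    0x0020:  0000 1b3c 90a3 4ac1 50b7 930a b723 a181  ...<..J.P....#..
    0x0030:  431a                                     C.
"""

def parse_tcpdump_hex(text):
    """Turn tcpdump -X output back into raw packets (one bytes object per packet)."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and re.fullmatch(r"0x[0-9a-f]{4}:", tokens[0]):
            for tok in tokens[1:9]:                 # at most 8 hex groups per line
                if not re.fullmatch(r"[0-9a-f]{2,4}", tok):
                    break                           # reached the ASCII column
                current += bytes.fromhex(tok)
        elif tokens:                                # a summary line starts a new packet
            if current:
                packets.append(bytes(current))
            current = bytearray()
    return packets + [bytes(current)] if current else packets

def ones_complement_sum(data):                      # RFC 1071 16-bit one's complement sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                              # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode_ipv4(pkt):
    """Decode the IPv4 header, recompute its checksum and split off the payload."""
    vihl, _tos, total_len, ident, _frag, ttl, proto, cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    header = pkt[:(vihl & 0x0F) * 4]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field cleared
    return {"version": vihl >> 4, "total_length": total_len, "id": ident, "ttl": ttl,
            "protocol": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "checksum": cksum,
            "checksum_computed": (~ones_complement_sum(zeroed)) & 0xFFFF,
            "checksum_ok": ones_complement_sum(header) == 0xFFFF,  # valid header sums to all ones
            "payload": pkt[len(header):total_len]}

def payload_diff(pkt_a, pkt_b):                     # payload offsets at which the two packets differ
    a, b = decode_ipv4(pkt_a)["payload"], decode_ipv4(pkt_b)["payload"]
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    for p in parse_tcpdump_hex(DUMP):
        print({k: v for k, v in decode_ipv4(p).items() if k != "payload"})
```

For both packets the recomputed checksum (0x4796 and 0x4798) differs from the 0x8c57 carried in the header, which fits the corruption theory above, though checksum offload on the capturing host can produce the same symptom, so treat it as a lead rather than proof. The payloads share a 14-byte prefix that differs in a single byte (2 versus 1, alongside IP IDs 3 and 1) and then differ completely over the final 16 bytes.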
Johannes B. Ullrich, Ph.D.
SANS Technology Institute