
SANS ISC InfoSec Handlers Diary Blog


Port 1533 on the Rise

Published: 2008-05-26
Last Updated: 2008-05-27 10:50:06 UTC
by Marcus Sachs (Version: 2)

Take a look at port 1533.  That's quite an increase in the number of targeted computers reporting via DShield over the past few days.  Does anybody have good packet captures showing what is going on?  If so, send them to us via our contact page so we can analyze them.

UPDATE:  Juanma sent us a note pointing to a recent vulnerability in IBM Lotus Sametime, whose Community Server listens on TCP port 1533 by default.  That's probably the cause of the increase in port 1533 activity.  If you run Sametime, now is a good time to review whether TCP/1533 needs to be reachable from the Internet at all, and to check your own perimeter logs for the same rise in distinct sources probing that port.

Marcus H. Sachs
Director, SANS Internet Storm Center
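As an added example (not part of this diary or of DShield's own code), here is a small Python script that does the check the diary asks readers to make on their own perimeter: it parses netfilter-style firewall log lines, counts distinct source addresses per destination port per day, and flags any port whose latest-day count is well above the average of the earlier days, which is the shape of the DShield graph described above. The log lines are constructed samples, the field names follow the Linux netfilter LOG target format, and the thresholds (3x the baseline, at least 5 distinct sources) are illustrative choices, not anything from the diary.

```python
"""Flag destination ports with a sudden rise in distinct probing sources,
parsed from netfilter (iptables LOG target) kernel log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Fields we need from a netfilter LOG line: syslog day, SRC=, PROTO=, DPT=.
LOG_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \S+ \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample lines (not real traffic): two quiet days, then on the
# third day five different hosts probe TCP/1533 while port 445 stays flat.
SAMPLE_LOG = """\
May 24 01:02:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=1533 SYN
May 24 02:15:44 fw kernel: IN=eth0 OUT= SRC=198.51.100.12 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=445 SYN
May 24 03:20:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.13 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=445 SYN
May 25 01:02:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=1533 SYN
May 25 04:11:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=445 SYN
May 25 05:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=203.0.113.5 PROTO=TCP SPT=40006 DPT=445 SYN
May 26 00:10:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.31 DST=203.0.113.5 PROTO=TCP SPT=40007 DPT=1533 SYN
May 26 00:10:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.31 DST=203.0.113.5 PROTO=TCP SPT=40008 DPT=1533 SYN
May 26 00:12:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.32 DST=203.0.113.5 PROTO=TCP SPT=40009 DPT=1533 SYN
May 26 00:14:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=40010 DPT=1533 SYN
May 26 00:16:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.34 DST=203.0.113.5 PROTO=TCP SPT=40011 DPT=1533 SYN
May 26 00:18:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.35 DST=203.0.113.5 PROTO=TCP SPT=40012 DPT=1533 SYN
May 26 01:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.36 DST=203.0.113.5 PROTO=TCP SPT=40013 DPT=445 SYN
May 26 02:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.37 DST=203.0.113.5 PROTO=TCP SPT=40014 DPT=445 SYN
"""


def _day_key(day):
    """Chronological sort key for a syslog 'Mon DD' day string."""
    return datetime.strptime(day, "%b %d")


def distinct_sources_per_day(lines):
    """Return {(proto, dport): {day: set of SRC addresses}}."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip anything that is not a netfilter LOG record
            continue
        table[(m["proto"], int(m["dpt"]))][m["day"]].add(m["src"])
    return table


def rising_ports(lines, ratio=3.0, min_sources=5):
    """Ports whose distinct-source count on the latest day is at least
    `ratio` times the mean of all earlier days (days with no hits count as 0)
    and at least `min_sources`.  Returns {(proto, dport): (latest, baseline)}."""
    table = distinct_sources_per_day(lines)
    all_days = sorted({d for by_day in table.values() for d in by_day}, key=_day_key)
    if not all_days:
        return {}
    latest, earlier = all_days[-1], all_days[:-1]
    flagged = {}
    for key, by_day in table.items():
        today = len(by_day.get(latest, ()))
        baseline = (sum(len(by_day.get(d, ())) for d in earlier) / len(earlier)) if earlier else 0.0
        if today >= min_sources and (baseline == 0 or today >= ratio * baseline):
            flagged[key] = (today, baseline)
    return flagged


if __name__ == "__main__":
    for (proto, dport), (today, baseline) in sorted(rising_ports(SAMPLE_LOG.splitlines()).items()):
        print(f"{proto}/{dport}: {today} distinct sources today vs {baseline:.1f}/day before")
```

On the sample data only TCP/1533 is reported (5 distinct sources on the last day against a baseline of 1 per day); port 445 has too few sources to clear the minimum. Counting distinct sources rather than raw packets matters here: a single noisy host retrying a connection, like 192.0.2.31 above, should not look like a scan wave. Once a port is flagged, capture what the probes actually send (for example `tcpdump -nn -s0 -w port1533.pcap 'tcp port 1533'` on the firewall) before attributing the traffic to any particular vulnerability.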

Keywords: 1533 packets ports

Predictable Response

Published: 2008-05-26
Last Updated: 2008-05-26 22:05:34 UTC
by Marcus Sachs (Version: 2)

Incident handling and management calls for developing well understood and predictable responses to emergencies or damaging events as they occur.  Frequent rehearsal of the response steps makes recovery from an incident faster and usually more successful.  But predictable behavior can also be used against us, if an adversary knows (or can predict) what you will do when faced with a series of unfolding events.

Some examples from the recent past include Y2K, the various terrorist attacks this decade, and natural disasters like Hurricane Katrina, the Indonesian tsunami, and the recent earthquakes in China.  With Y2K, do you remember the wild panic of trying to find Cobol programmers at the last minute who could fix the two-digit date fields?  Predictably, a lot of that programming got contracted to outside organizations - a well-trained adversary could have established multiple software companies that could have been used to insert malicious backdoors and booby traps into mainframes, control networks, and other critical computer systems.  In the days following Hurricane Katrina's landfall, we predictably saw over a thousand websites get established that offered a mechanism for getting donations to the affected families.  All they needed was your credit card number.  Yeah, right.

Most readers of the SANS Internet Storm Center's diaries know that we've followed nearly all of these events and sometimes we even predicted a few of them ourselves.  So now it's time to go out on a limb again.  Everybody is aware of the rapid rise in oil futures (the cost per barrel for crude oil), and if you drive a car you feel the result every time you fill up.  This morning I saw that the local station near my house had crossed the $4 per gallon threshold overnight.  I know that in Europe and Asia, $4 per gallon (that's about 0.67 Euros/Liter) is VERY cheap but it's about twice what we were paying for it this time last year.  If gas prices continue to climb at the current rate, they could well double by the end of the year.  So, here's the predictable behavior.  With gas prices that high, many people will prefer to work from home rather than driving or taking public transportation, thus putting a heavy load on ISPs and the Internet in general due to telecommuting.  So, if you were a Bad Guy, how would you take advantage of this predictable behavior? 

Some ideas come to mind, such as establishing web portals for work collaboration or marketing a new anti-virus solution for protecting home computers used for office work.  Either of those would of course include a "value added feature" designed to siphon off sensitive information for criminal or espionage purposes.  I'm sure there are many more evil ideas, so if you have any, send them this way and we'll add them to the bottom of this diary.

UPDATE 1 - Here are a few ideas submitted by readers.  Feel free to use the "comment" capability or to send us your ideas via our contact page.  Either is fine.

Boris offered these thoughts: 

If I was a bad guy and I wanted to take advantage of the increasing number of people working from home, I would increase the amount of key-logging and screen capture software that I was sending out.

Not only would this allow me to gain even deeper access into the compromised local machine through passwords, but it would also allow me an unrestricted form of entry into the company's servers and data centres, since I would have appropriate passwords and no brute force hacking would be required.

Screen capture software would also allow me to gain access to all kinds of sensitive documents and network plans, all useful for deeper attacks against the main servers of the company.

A reader wanting to remain anonymous said:

There is already no shortage of people who will nav to a URL that they saw on *TV* in order to rid their computer of performance-robbing mal-crap, without a single thought as to whose "free" scripted ActiveX is being driven down upon them as auto-magical quicksilver.

Just who vouches for the ongoing security and iron-clad compartmentalization of GoToMyPC and its ilk?  I could care less that Citrix is the backend and/or even a financial stakeholder.  Citrix, in and of itself, is not hack proof.  Yet there are plenty of companies whose employees are already using G2MPC, whether or not the company actually knows about it and has officially sanctioned such whiz-bangy remote access "convenience."

How many telecommute/work-from-home computers are going to be restricted only for official business use and quarantined from any/all personal use shenanigans??? 

Major corporations, who are already actively working on pandemic flu business continuity contingencies, may already have a vouched-for infrastructure in place that can sanely deal with any gas price related uptick in telecommuting/work-from-home.  How far these measures happen to trickle down to critical suppliers and business partners, who knows???

Iain wrote to say: 

Here in the UK, GoToMyPC has recently been advertised on TV as a solution to accessing your office PC when at a remote meeting/presentation. Your suggested scenario of more home-working could also be driving this (unusual for the UK) advertising.

As a Sysadmin at an SMB, I use variations of VNC (specifically TightVNC) extensively within our network for support purposes. When working from home, I have to use a VPN to get past the firewall before using VNC to access specific machines. A free version of VNC that can connect 2 machines behind different firewalls (in a similar way to Windows Remote Support) would be useful to me. It would probably be useful to someone planning to work from home as well. Since VNC is open-source, it would be relatively easy for a malicious company to produce such a version containing monitoring components, then advertise it as a free alternative to GoToMyPC.

VPNs are another target. My company network hides behind an Exoserver (proprietary FreeBSD firewall device) and a Smoothwall (Linux firewall device). Both of these devices provide VPN solutions allowing me to connect to the company network from home. Smaller businesses may have nothing more complex than a firewall/router connected to ADSL with no VPN capability. A relatively cheap router could be flashed with new software to provide simple VPN capability, with a side order of backdoor and information siphoning, then marketed as a simple connection solution.

This scenario is DEFINITELY possible. I have signed up to a project from Samknows.com to independently monitor UK ADSL ISPs. They provide a Linksys WRT54 variant with custom software that constantly monitors and tests my home ADSL connection. It sits between my ISP's router and the rest of my home network, so it has access to everything that happens on my ADSL connection. I had to decide whether I trusted these people - in the end, participating in this trial is a way to give something back to the community - just like writing this response.

Marcus H. Sachs
Director, SANS Internet Storm Center
