SANS ISC InfoSec Handlers Diary Blog



What's In A Name?

Published: 2011-10-10
Last Updated: 2011-10-12 14:53:56 UTC
by Tom Liston (Version: 1)
8 comment(s)

"What's in a name? That which we call a rose
By any other name would smell as sweet."
– Juliet, Romeo and Juliet (II, ii, 1-2)

"A good name is more desirable than great riches; to be esteemed is better than silver or gold." – Proverbs 22:1 (NIV)


A rose is a rose is a rose

What if I could hack your organization and abuse your company’s reputation – and what if I could do it without your firewall, IDS, IPS, or your host-based badware detection making a peep?

What if I could use your organization’s good name to sell ED drugs, questionable Facebook "apps," shady online "personal ads," or to distribute porn that would make a sailor blush?

What if I did all of that, and you didn’t know? What if the hack itself took place on a machine you didn’t directly control and only accessed rarely?  And what if the hack was so subtle, so obscure, and so difficult to find that once I had it in place, it might be years before you ever stumbled across it – if you ever stumbled across it?

This nightmare scenario is, unfortunately, reality for at least 50 organizations – the ones I've been able to uncover – and I'm certain that there are many, many more.  Each of these organizations has been the victim of a malicious alteration of its DNS zone: new host names were added alongside the legitimate records, and bottom-feeding scam artists have used those names to trade on the organization's good reputation and boost the search-engine profile of their drug, app, "personal ad," or porn sites.

Take a look at the following table.  It is grouped by victim domain: each group starts with the legitimate web site and the address it resolves to, followed by the names that were added to the zone and the address each of those resolves to:

4kidsnus.com (www.4kidsnus.com -> 50.73.38.13)
  buy-viagra.4kidsnus.com -> 67.55.117.204

abingtonurology.com (www.abingtonurology.com -> 74.208.98.50)
  drugs-1501.abingtonurology.com -> 67.55.117.204
  personals-1501.abingtonurology.com -> 67.55.117.204
  tubes-1501.abingtonurology.com -> 67.55.117.204

accessbank.com (www.accessbank.com -> 66.147.240.154)
  payday-loans.accessbank.com -> 74.220.215.210

advancedsynthesis.com (www.advancedsynthesis.com -> 216.227.216.47)
  cialis.advancedsynthesis.com -> 74.50.13.17
  viagra.advancedsynthesis.com -> 74.50.13.17

apptech.com (www.apptech.com -> 66.96.147.107)
  cialis.apptech.com -> 66.96.147.107
  loans.apptech.com -> 66.96.147.107
  viagra.apptech.com -> 66.96.147.106

asfiusa.com (www.asfiusa.com -> 74.220.215.84)
  buy-cialis.asfiusa.com -> 67.55.33.109
  buy-viagra.asfiusa.com -> 67.55.33.109
  mg-drugs.asfiusa.com -> 67.55.33.109
  payday-loans.asfiusa.com -> 67.55.33.109
  rx-drugs.asfiusa.com -> 67.55.33.109

blueagle.com (www.blueagle.com -> 209.200.244.56)
  facebook.blueagle.com -> 74.50.13.17

boothscorner.com (www.boothscorner.com -> 74.208.98.50)
  buy-cialis.boothscorner.com -> 67.55.117.204
  buy-viagra.boothscorner.com -> 67.55.117.204

campsankanac.org (www.campsankanac.org -> 74.208.98.50)
  24-buy-cialis.campsankanac.org -> 67.55.33.109
  24-personals.campsankanac.org -> 67.55.33.109
  buy-cialis.campsankanac.org -> 67.55.33.109
  buy-viagra.campsankanac.org -> 67.55.33.109

cccsaa.org (www.cccsaa.org -> 216.227.214.82)
  viagra.cccsaa.org -> 74.50.13.17

cfi.gov.ar (www.cfi.gov.ar -> 201.234.37.147)
  buy-cialis.cfi.gov.ar -> 67.55.117.204
  buy-viagra.cfi.gov.ar -> 67.55.117.204

chesarda.org (www.chesarda.org -> 65.254.250.109)
  mg-drugs.chesarda.org -> 65.254.250.103

cranehighschool.org (www.cranehighschool.org -> 216.227.220.85)
  viagra.cranehighschool.org -> 74.50.13.17

dollardiscount.com (www.dollardiscount.com -> 74.208.98.50)
  buy-cialis.dollardiscount.com -> 67.55.117.204
  buy-viagra.dollardiscount.com -> 67.55.117.204

eap.edu (www.eap.edu -> 66.147.240.167)
  buy-cialis.eap.edu -> 74.220.215.210
  buy-viagra.eap.edu -> 74.220.215.210
  mgdrugs.eap.edu -> 74.220.215.210
  payday-loans.eap.edu -> 74.220.215.210
  rxdrugs.eap.edu -> 74.220.215.210

ejercito.mil.do (www.ejercito.mil.do -> 74.220.215.113)
  buy-cialis.ejercito.mil.do -> 74.220.215.210
  buy-viagra.ejercito.mil.do -> 74.220.215.210
  mgdrugs.ejercito.mil.do -> 74.220.215.210
  payday-loans.ejercito.mil.do -> 74.220.215.210
  rxdrugs.ejercito.mil.do -> 74.220.215.210

elbertcounty-co.gov (www.elbertcounty-co.gov -> 74.220.207.155)
  buy-cialis.elbertcounty-co.gov -> 74.220.215.210
  buy-viagra.elbertcounty-co.gov -> 74.220.215.210
  drugs.elbertcounty-co.gov -> 74.220.215.210

ellerbecreek.org (www.ellerbecreek.org -> 66.96.147.106)
  cheap-viagra.ellerbecreek.org -> 66.96.147.106
  cialis-price.ellerbecreek.org -> 66.96.147.106
  payday-loans.ellerbecreek.org -> 66.96.147.106

esad.org (www.esad.org -> 69.73.185.194)
  cialis-buy.esad.org -> 69.73.170.8
  payday-loan.esad.org -> 69.73.170.8
  player.esad.org -> 69.73.170.8
  translator.esad.org -> 69.73.170.8

fabius-ny.gov (www.fabius-ny.gov -> 173.236.47.26)
  buy-cialis.fabius-ny.gov -> 173.236.60.138
  buy-viagra.fabius-ny.gov -> 173.236.60.138
  payday-loans.fabius-ny.gov -> 173.236.60.138
  personals.fabius-ny.gov -> 173.236.60.138

fwbl.com (www.fwbl.com -> 65.60.41.210)
  1-facebook.fwbl.com -> 173.236.60.138
  1-games.fwbl.com -> 173.236.60.138
  1-payday-loans.fwbl.com -> 173.236.60.138
  1translator.fwbl.com -> 173.236.60.138
  payday-loans.fwbl.com -> 173.236.60.138
  translator2.fwbl.com -> 173.236.60.138

georgetownky.gov (www.georgetownky.gov -> 69.73.136.24)
  facebook-i.georgetownky.gov -> 69.73.170.8
  payday.georgetownky.gov -> 69.73.170.8
  personals-d.georgetownky.gov -> 69.73.170.8
  viagra-buy.georgetownky.gov -> 69.73.170.8

golocalnet.com (www.golocalnet.com -> 65.254.250.105)
  rx-drugs.golocalnet.com -> 65.254.250.103

goodhope.com (www.goodhope.com -> 66.96.147.115)
  mg-drugs.goodhope.com -> 66.96.147.106

hamwave.com (www.hamwave.com -> 209.200.245.66)
  buy-cialis.hamwave.com -> 74.50.13.17
  buy-viagra.hamwave.com -> 74.50.13.17
  payday.hamwave.com -> 74.50.13.17

haskell.edu (www.haskell.edu -> 74.220.207.138)
  buy-cialis.haskell.edu -> 74.220.215.210
  buy-viagra.haskell.edu -> 74.220.215.210
  drugs-coog.haskell.edu -> 74.220.215.210
  drugs.haskell.edu -> 74.220.215.210

hiwassee.edu (www.hiwassee.edu -> 65.254.250.110)
  cialis.hiwassee.edu -> 65.254.250.103
  drugs.hiwassee.edu -> 65.254.250.103
  payday-loans.hiwassee.edu -> 65.254.250.103

hothouse.net (www.hothouse.net -> 66.96.147.106)
  buy-viagra.hothouse.net -> 66.96.147.106

iiehk.org (www.iiehk.org -> 58.177.188.240)
  buy-cialis.iiehk.org -> 67.55.117.204
  buy-viagra.iiehk.org -> 67.55.117.204

karen.org (www.karen.org -> 65.254.250.109)
  buy-viagra.karen.org -> 65.254.250.103

lisboniowa.com (www.lisboniowa.com -> 65.254.250.114)
  facebook.lisboniowa.com -> 65.254.250.103
  payday-loans.lisboniowa.com -> 65.254.250.103
  viagra.lisboniowa.com -> 65.254.250.103

medpharmsales.com (www.medpharmsales.com -> 216.227.214.82)
  cialis.medpharmsales.com -> 74.50.13.17

menalive.com (www.menalive.com -> 69.73.138.10)
  buy-cialis.menalive.com -> 69.73.170.8
  buy-viagra.menalive.com -> 69.73.170.8
  drugs.menalive.com -> 69.73.170.8
  facebook.menalive.com -> 69.73.170.8
  payday-loans.menalive.com -> 69.73.170.8

mvas.org (www.mvas.org -> 74.220.215.73)
  buy-viagra.mvas.org -> 74.220.215.210
  payday-loans.mvas.org -> 74.220.215.210

nywolf.org (www.nywolf.org -> 96.30.42.100)
  buy-cialis.nywolf.org -> 96.30.42.100
  buy-viagra.nywolf.org -> 96.30.42.100
  payday-loans.nywolf.org -> 96.30.42.100

okgolf.org (www.okgolf.org -> 65.254.250.101)
  buy-cialis.okgolf.org -> 65.254.250.103

omill.org (www.omill.org -> 69.73.139.41)
  loans.omill.org -> 69.73.170.8
  mg-drugs.omill.org -> 69.73.170.8
  personals.omill.org -> 69.73.170.8
  rx-drugs.omill.org -> 69.73.170.8

onyvax.com (www.onyvax.com -> 216.104.37.106)
  cialis.onyvax.com -> 173.236.60.138
  loans.onyvax.com -> 173.236.60.138
  viagra.onyvax.com -> 173.236.60.138

pattywagstaff.com (www.pattywagstaff.com -> 76.202.66.30)
  drugs-1501.pattywagstaff.com -> 67.55.117.204
  personals-1501.pattywagstaff.com -> 67.55.117.204
  tubes-1501.pattywagstaff.com -> 67.55.117.204

qunlimited.com (www.qunlimited.com -> 173.236.37.194)
  1-payday-loans.qunlimited.com -> 173.236.60.138
  1facebook.qunlimited.com -> 173.236.60.138

rivcoems.org (www.rivcoems.org -> 69.175.91.58)
  1-facebook.rivcoems.org -> 173.236.60.138
  1-payday-loans.rivcoems.org -> 173.236.60.138
  1player.rivcoems.org -> 173.236.60.138

sacmetrofire.ca.gov (www.sacmetrofire.ca.gov -> 66.147.240.176)
  buy-cialis.sacmetrofire.ca.gov -> 74.220.215.210
  buy-viagra.sacmetrofire.ca.gov -> 74.220.215.210
  drugs.sacmetrofire.ca.gov -> 74.220.215.210
  mgdrugs.sacmetrofire.ca.gov -> 74.220.215.210
  rxdrugs.sacmetrofire.ca.gov -> 74.220.215.210

santafeproductions.com (www.santafeproductions.com -> 209.200.242.240)
  buy-cialis.santafeproductions.com -> 74.50.13.17

saturdaymarket.com (www.saturdaymarket.com -> 209.200.245.36)
  cialis.saturdaymarket.com -> 74.50.13.17
  viagra.saturdaymarket.com -> 74.50.13.17

seabury.edu (www.seabury.edu -> 66.147.240.183)
  buy-cialis.seabury.edu -> 74.220.215.210
  buy-viagra.seabury.edu -> 74.220.215.210
  drugs.seabury.edu -> 74.220.215.210

symspray.com (www.symspray.com -> 66.96.147.103)
  buy-cialis.symspray.com -> 66.96.147.106

tcsys.com (www.tcsys.com -> 99.20.97.250)
  buy-cymbalta.tcsys.com -> 67.55.117.204
  buy-lexapro.tcsys.com -> 67.55.117.204
  buy-viagra.tcsys.com -> 67.55.117.204
  divx-player.tcsys.com -> 67.55.117.204
  facebook.tcsys.com -> 67.55.117.204
  flv-player.tcsys.com -> 67.55.117.204
  personals-2702.tcsys.com -> 67.55.117.204
  player.tcsys.com -> 67.55.117.204
  translator.tcsys.com -> 67.55.117.204
  tubes-2702.tcsys.com -> 67.55.117.204

ubf.org (www.ubf.org -> 74.220.201.220)
  buy-viagra.ubf.org -> 74.220.215.210
  mg-drugs.ubf.org -> 74.220.215.210
  payday-loans.ubf.org -> 74.220.215.210
  rx-drugs.ubf.org -> 74.220.215.210

uhsurology.com (www.uhsurology.com -> 64.57.219.72)
  drugs-1801.uhsurology.com -> 67.55.117.204
  personals-1801.uhsurology.com -> 67.55.117.204
  tubes-1801.uhsurology.com -> 67.55.117.204

uniben.edu (www.uniben.edu -> 69.195.82.57)
  buy-cialis.uniben.edu -> 74.220.215.210
  buy-viagra.uniben.edu -> 74.220.215.210
  mg-drugs.uniben.edu -> 74.220.215.210
  mgdrugs.uniben.edu -> 74.220.215.210
  payday-loans.uniben.edu -> 74.220.215.210
  payday.uniben.edu -> 74.220.215.210
  rx-drugs.uniben.edu -> 74.220.215.210
  rxdrugs.uniben.edu -> 74.220.215.210

viethoc.org (www.viethoc.org -> 208.127.15.120)
  buy-cialis.viethoc.org -> 67.55.117.204
  buy-cymbalta.viethoc.org -> 67.55.117.204
  buy-levitra.viethoc.org -> 67.55.117.204
  buy-lexapro.viethoc.org -> 67.55.117.204
  buy-viagra.viethoc.org -> 67.55.117.204
  divx-player-beob.viethoc.org -> 67.55.117.204
  flv-player-beob.viethoc.org -> 67.55.117.204
  personals-0602.viethoc.org -> 67.55.117.204
  player-beob.viethoc.org -> 67.55.117.204

williamson.edu (www.williamson.edu -> 65.254.250.105)
  drugs.williamson.edu -> 65.254.250.103
  payday-loans.williamson.edu -> 65.254.250.103
  viagra.williamson.edu -> 65.254.250.103

yanceycountync.gov (www.yanceycountync.gov -> 66.147.242.162)
  payday.yanceycountync.gov -> 67.55.33.109
  tubes-1111.yanceycountync.gov -> 67.55.33.109

Note: These IP addresses can (and should) change.  The above information was gathered 2011-10-07 13:00 UTC.

Over 150 "new" host names have been added to these organizations' zones.  Each of these new "sites" inherits whatever good reputation the parent domain may have accumulated, and is, therefore, valuable as a means of search engine optimization (SEO).  Two things stand out in the table.  First, the added names rarely point at the victim's own web server: most of them resolve to a handful of addresses shared across many victims (67.55.117.204, 74.220.215.210, 74.50.13.17, 65.254.250.103, 173.236.60.138, 69.73.170.8, 66.96.147.106 and 67.55.33.109), and which address is used lines up fairly well with the DNS provider listed in the next table.  Second, in a few cases (apptech.com, ellerbecreek.org, hothouse.net, nywolf.org) the added names resolve to the same address as the legitimate site, which is reason to look at the hosting account as well as the DNS records.

The following table shows that these hacks occurred at multiple DNS providers, with a few being somewhat more "popular" than others (the number of affected domains at each provider is in parentheses):

DNS Provider                Domains
dnsexit.com (12)            4kidsnus.com, abingtonurology.com, boothscorner.com, campsankanac.org, cfi.gov.ar, dollardiscount.com, iiehk.org, pattywagstaff.com, tcsys.com, uhsurology.com, viethoc.org, yanceycountync.gov
hostmonster.com (11)        ejercito.mil.do, accessbank.com, asfiusa.com, eap.edu, elbertcounty-co.gov, haskell.edu, mvas.org, sacmetrofire.ca.gov, seabury.edu, ubf.org, uniben.edu
ipage.com (5)               apptech.com, ellerbecreek.org, goodhope.com, hothouse.net, symspray.com
justhost.com (1)            qunlimited.com
lunariffic.com (8)          advancedsynthesis.com, blueagle.com, cccsaa.org, cranehighschool.org, hamwave.com, medpharmsales.com, santafeproductions.com, saturdaymarket.com
myhostcenter.com (1)        compliancemedical.com
nocdirect.com (4)           menalive.com, esad.org, georgetownky.gov, omill.org
pipedns.com (4)             fabius-ny.gov, fwbl.com, onyvax.com, rivcoems.org
powweb.com (6)              chesarda.org, golocalnet.com, hiwassee.edu, lisboniowa.com, okgolf.org, williamson.edu
wiredtree.com (1)           nywolf.org
yourhostingaccount.com (1)  karen.org

Down the Rabbit Hole

Finding these sites was a matter of luck and perseverance.  Initially, I happened across a single, odd-sounding site name while looking for organizations that had been compromised by the bad guys for SEO purposes.  Using tools that attempt to list all of the domain records pointing to a particular IP address led me to more.  Google searches for sites linking to these domains led me further.  Unquestionably, there are more of these types of sites out there – some not currently in use.   However, because there is no good way to truly search DNS information, attempting to find these from the "outside" is difficult and frustrating.

"Round up the usual suspects..."

How did this happen? Unsurprisingly, no one I talked to about this was standing at the front of the line, ready to take the blame for these issues: Domain owners swear they used good passwords and are sure that the DNS providers were hacked, DNS providers are certain that the Domain owners used lousy passwords on their accounts... 'round and 'round we go. 

My gut tells me that the truth lies somewhere in between: bad passwords combined with poor account lockout controls on something like a cPanel-type web interface probably led to successful brute force attacks on most of these... I could, however, be completely wrong. Unfortunately, I just don't have the time to chase every one of these to ground.

Don’t Let This Happen To You

  • Check your DNS zone periodically, just to make sure nothing has been added without your knowledge.  Export the zone from your provider's control panel (or pull it from your own name server), keep a copy you trust, and compare each new export against it; a name you did not create is the finding you are looking for.
  • Choose passwords wisely, especially on interfaces where brute-force attacks are likely (i.e. pretty much anything accessible from the internet), and turn on account lockout or rate limiting wherever the interface offers it.  Never use dictionary words.  And remember: while "qwertyuiop" may not be in your dictionary, it IS in mine...
  • Periodically take a look at your website the way Google sees it.  Search for "site:yoursite.com" (NOT "site:www.yoursite.com", which only shows the www host and would miss any subdomains that have been added) and look through the results for anything out of the ordinary.  Toss a few choice keywords in as well ("Viagra," "Cialis," "drugs," "personals," etc...).  This kind of search can help you discover many different types of issues with your site.
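The zone check in the first recommendation, as an added example that is not part of the diary: a Python script that parses a saved copy of a zone and a freshly exported one, reports what was added, removed or changed, and flags added names that either carry the keywords seen in the table above or resolve to an address the zone never used before.  The two zone texts, the example.com names and the RFC 5737 addresses are constructed for this example; the keyword list is an assumption drawn from the names in the table and should be tuned per site; only the simple single-line BIND-style A record form is parsed.

```python
"""Zone-drift check: diff a saved copy of a DNS zone against a fresh export and
flag added names that look like the SEO-spam entries in the diary's table.

Added example, not code from the diary.  Zone text below is constructed and uses
example.com with RFC 5737 addresses; SPAM_KEYWORDS is an assumption drawn from
the rogue names in the table and should be tuned per site.
"""
import re

SPAM_KEYWORDS = ("viagra", "cialis", "levitra", "lexapro", "cymbalta", "drugs",
                 "payday", "loan", "personals", "tubes", "facebook", "player",
                 "translator", "games")

# Constructed: the zone as the administrator last saved it.
BASELINE_ZONE = """
$ORIGIN example.com.
$TTL 3600
@     IN  SOA  ns1.example.com. hostmaster.example.com. (2011100701 7200 900 1209600 3600)
@     IN  NS   ns1.example.com.
@     IN  A    203.0.113.10
www   IN  A    203.0.113.10
mail  IN  A    203.0.113.25
"""

# Constructed: the zone as exported from the provider today; three names were added.
CURRENT_ZONE = """
$ORIGIN example.com.
$TTL 3600
@             IN  SOA  ns1.example.com. hostmaster.example.com. (2011100901 7200 900 1209600 3600)
@             IN  NS   ns1.example.com.
@             IN  A    203.0.113.10
www           IN  A    203.0.113.10
mail          IN  A    203.0.113.25
buy-viagra    IN  A    198.51.100.77
payday-loans  IN  A    198.51.100.77
shop          IN  A    203.0.113.10
"""

# owner [ttl] [IN] A ipv4  (single-line A records only)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_a_records(zone_text):
    """Return {fqdn: ipv4} for the A records in a BIND-style zone.
    Honours $ORIGIN, relative owner names and '@'; other types are ignored."""
    origin, records = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = A_RECORD.match(line)
        if not m:
            continue
        owner, ip = m.groups()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}" if origin else owner
        records[fqdn.lower()] = ip
    return records


def zone_diff(baseline, current):
    """Split the two record sets into added, removed and changed names."""
    added = {n: ip for n, ip in current.items() if n not in baseline}
    removed = {n: ip for n, ip in baseline.items() if n not in current}
    changed = {n: (baseline[n], ip) for n, ip in current.items()
               if n in baseline and baseline[n] != ip}
    return added, removed, changed


def classify_added(added, legit_ips):
    """A spam keyword in the leftmost label, or a target address the zone never
    used before, makes an added name 'suspicious'; anything else is 'review'."""
    findings = []
    for name, ip in sorted(added.items()):
        label = name.split(".")[0]
        reasons = []
        if any(k in label for k in SPAM_KEYWORDS):
            reasons.append("spam keyword in host name")
        if ip not in legit_ips:
            reasons.append("resolves to an address the zone never used")
        findings.append((name, ip, "suspicious" if reasons else "review", reasons))
    return findings


def check_zone(baseline_text, current_text):
    """Full check: returns (findings for added names, removed, changed)."""
    baseline = parse_a_records(baseline_text)
    current = parse_a_records(current_text)
    added, removed, changed = zone_diff(baseline, current)
    legit_ips = set(baseline.values())  # addresses the site already lived on
    return classify_added(added, legit_ips), removed, changed


if __name__ == "__main__":
    findings, removed, changed = check_zone(BASELINE_ZONE, CURRENT_ZONE)
    for name, ip, verdict, reasons in findings:
        print(f"{verdict:10} {name:28} -> {ip}  {'; '.join(reasons)}")
    for name in removed:
        print(f"removed    {name}")
    for name, (old, new) in changed.items():
        print(f"changed    {name}: {old} -> {new}")
```

Run against the constructed zones it reports buy-viagra and payday-loans as suspicious (keyword hit and an address the zone had never used) and shop as merely "review", since it points at the existing web server.  The "never used before" test is deliberately the stronger signal: the table above shows the rogue names usually point somewhere other than the victim's own server, and a keyword list will always lag behind whatever the spammers are selling next.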

 

Tom Liston
ISC Handler
Senior Security Consultant, InGuardians, Inc.
Twitter: @tliston

 


Critical Control 6 - Maintenance, Monitoring, and Analysis of Security Audit Logs

Published: 2011-10-10
Last Updated: 2011-10-10 18:31:01 UTC
by Jim Clausing (Version: 1)
4 comment(s)

The next of our critical controls for Cyber Security Awareness Month is log management/monitoring/analysis.  This has been an interest/passion of mine for a long time. As Eric Cole (among others) is fond of saying in SEC 401, prevention is ideal, but detection is a must.  If you aren't logging as much as possible, how will you ever know when something bad happens? 

As mentioned in a couple of previous diaries this month, one of the keys to this control is that the clocks on all of the log-generating devices (routers, switches, firewalls, servers, workstations, ...) be synchronized, so NTP is your friend: without a common time base you cannot line up an event on the firewall with the one on the server it hit.

Another key is to collect the logs somewhere other than the device that generates them, our "central log server."  This server should be one of your most locked down, best protected servers in the enterprise.  This way, even if the bad guys breach one of the servers and are able to modify its local logs to hide their tracks, there will still be an unmodified copy of the logs on the log server.

All of this does you no good if you aren't actually looking at the logs, and this is where you need both some software to automate things and an experienced analyst.  The software is going to be necessary because sheer volume can quickly overwhelm an analyst.  This doesn't necessarily mean you need to spend a lot of money, though.  While the commercial SIEM packages are good, you can accomplish a lot with free software like awk and grep.  In 1997, Marcus Ranum introduced the notion of "artificial ignorance," the idea of using software to remove the "known good" entries to let the analyst concentrate on the new/unusual stuff.  For a number of years, I used his nbs (never before seen) software on my home system (though I recently tried to recompile it and ran into an issue that I haven't taken the time to track down yet).  Just last week I saw an announcement of some new software, called LogTemplater, that implements a similar idea.  I've just started looking at it, but it looks like it has some promise. 
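The "artificial ignorance" idea, as an added example that is not Ranum's, nbs's or LogTemplater's code: each syslog line is reduced to a template by masking the fields that always vary (timestamp, addresses, PIDs, numbers), the templates from a stretch of logs a human has already reviewed become the "known good" set, and only lines whose template has never been seen are reported.  The log lines are constructed; the masking rules are an assumption and will need extending for your own formats.

```python
"""Artificial ignorance, nbs-style: reduce each syslog line to a template by
masking the fields that always vary, remember the templates from a period of
known-good logs, and report only lines whose template has never been seen.

Added example in the spirit of Ranum's note and his nbs tool; it is not their
code, and the log lines below are constructed.
"""
import re

# Applied in order: syslog timestamp, IPv4 address, [pid], long hex strings, numbers.
MASKS = [
    (re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d "), ""),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<IP>"),
    (re.compile(r"\[\d+\]"), "[<PID>]"),
    (re.compile(r"\b[0-9a-f]{8,}\b"), "<HEX>"),
    (re.compile(r"\b\d+\b"), "<N>"),
]

# Constructed: yesterday's log, reviewed by a human and accepted as normal.
KNOWN_GOOD = [
    "Oct 10 06:17:01 web1 CRON[2201]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)",
    "Oct 10 06:17:05 web1 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Oct 10 06:22:11 web1 sshd[2230]: Accepted publickey for deploy from 10.0.0.5 port 51290 ssh2",
    "Oct 10 06:25:00 web1 sshd[2241]: Failed password for invalid user admin from 198.51.100.9 port 4022 ssh2",
]

# Constructed: today's log.  Two lines describe something that never happened before.
TODAY = [
    "Oct 11 06:17:01 web1 CRON[3101]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)",
    "Oct 11 06:18:40 web1 sshd[3120]: Accepted publickey for deploy from 10.0.0.5 port 52001 ssh2",
    "Oct 11 06:19:02 web1 sshd[3125]: Accepted password for root from 203.0.113.44 port 3389 ssh2",
    "Oct 11 06:19:30 web1 sshd[3125]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Oct 11 06:20:00 web1 sshd[3140]: Failed password for invalid user admin from 198.51.100.9 port 4100 ssh2",
]


def templatize(line):
    """Replace the variable parts of a log line with fixed tokens."""
    t = line.rstrip("\n")
    for pattern, token in MASKS:
        t = pattern.sub(token, t)
    return t


def learn(lines):
    """Build the 'known' template set from logs a human has already reviewed."""
    return {templatize(l) for l in lines}


def never_before_seen(lines, known):
    """Return (line, template) for lines whose template is new, adding each new
    template to `known` so a repeated novelty is reported once, not per line."""
    hits = []
    for line in lines:
        t = templatize(line)
        if t not in known:
            known.add(t)
            hits.append((line, t))
    return hits


if __name__ == "__main__":
    known = learn(KNOWN_GOOD)
    for line, template in never_before_seen(TODAY, known):
        print(f"NEW: {line}\n     template: {template}")
```

On the constructed input the daily cron job, the routine key-based logins and the usual failed guesses against "admin" all collapse into templates already in the known set, and only the password login as root and the session it opened are reported.  The known set is just a list of strings, so once lines are templatized the same filtering can be done with nothing more than grep (write the templates to a file and run the templatized log through grep -v -F -x -f known.txt), which is the awk-and-grep budget the paragraph above describes.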

Once you've cut the logs down to a manageable volume, the analyst is still crucial.  Analysis is an area where I personally think you are doing your enterprise a disservice by making this the job of the newbie.  An analyst who knows the environment and has developed a feel for what is normal can much more quickly home in on where the real problems are.  On the other hand, if the newbie can work with an experienced analyst, this is a good way to quickly learn the environment.

There is no point in my repeating everything that is already on the SANS critical controls page, so please check out the link in the references below.

So, what do you use for your log analysis?  Let us know either in the comments section below or via our contact page.

Reference:

http://www.ranum.com/security/computer_security/papers/ai/

http://www.uberadmin.com/Projects/logtemplater/index.html

http://www.sans.org/critical-security-controls/control.php?id=6

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
