If you haven't ever read one of the SANS GCIA practicals (or written one) this won't be as funny, but I think you'll still appreciate it. :)

toby

----- Original Message -----
From: "Craig Baltes" <craig@private>
To: "Julien Radoff" <vildian@private>
Cc: <intrusions@private>
Sent: Tuesday, November 12, 2002 12:49 PM
Subject: Re: LOGS: GIAC GCIA Version 3.4 Practical Detect #4

An absolute work of art!!

On Tuesday 12 November 2002 12:17 pm, Julien Radoff wrote:
> DETECT FOUR
>
>
> [**] SHPILKIS ALERT!!! [**]
> 06/10-17:30:30.834488 0:3:E7:D9:26:C0 -> 0:0:C:6:B2:33
> type:0x800 len:0x71
> X.Y.221.104:4527 -> X.Y.180.133:80 TCP TTL:666 TOS:0x0
> ID:666 IpLen:666 DgmLen:666 DF
> ***AP*** Seq: 0xF5D98495 Ack: 0xB824F82 Win: 0x4470
> TcpLen: 20
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET
> /SHPILKIS/..\
> 34 34 23 43 2E 65 78 65 3F 2F 63 2B 64 69 34 dd
> genektikaZOINK
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
> 1.1 Source of Trace:
>
> Raw files from:
>
> http://www.incidents.org/logs/RAWHIDE/
>
> 1.2 Detect Generated By:
>
> SCHNORT Win32 1.8 triggered this rule:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
> (msg:"SHPILKIS ALERT!!!"; flags: A+; content: "I've got
> shpilkis in my genektikazoink!!"; noclass;
> classtype:brutal aweful and mean attack; sid:1002;
> rev:2;)
>
> This was the command used: schnort -c schnort.conf -d
> -e -l log -r 2002.05.9 | help | grep
>
> The detect works by detecting the deadly secret
> 'shpilkis' command in the payload.
>
> I used this command to generate a TCP dump analysis:
> mcsedump -r 2002.5.9 -vvvvvvv > file.txt
>
> This is a portion of the mcsedump output.
> 17:30:30.834488 h000476b9bf5d.ne.client2.attbi.com.4527 >
> 46.5.180.133.80: P [bad tcp cksum eae4!]
> 4124673173:4124673232(59) ack 193089410 win 17520 (DF)
> (ttl 107, id 29762, len 99, bad cksum a005!)
>
> 1.3 Probability the Source Address Was Spoofed:
>
> Likely. But don't worry. We will find you! You can't
> outsmart SANS!!!
>
> 1.4 Description of Attack:
>
> This attack executes hidden secret Microsoft Outlook
> self destruct code, inserting shpilkis into the
> genektizoink buffer floppy memory stack partition,
> whereupon causing your hard drive to spin backwards and
> play backmasked messages from Bill Gates involved in a
> bizarre ritual I don't even want to talk about. Then
> your computer bursts into flames.
> Vulnerable systems are OS2 Warp and Windows XP.
>
> 1.5 Attack Mechanism:
>
> This attack does bad things, man. I mean BAD things!!
>
> 1.6 Correlations:
>
> http://www.cert.org/advisories/MS-2001-11.html
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/you'rejust_Imagining_this_vulnerability_there_is_no_problem_with_our_software_it's_really_great.hml
>
> 1.7 Evidence of Active Targeting:
>
> Bring it. Chump.
>
> 1.8 Severity:
>
> Severity = (criticality + lethality) - (system
> countermeasures + network countermeasures)
>
> Criticality = 5
> When your hard drive spins backwards, it causes the
> electronodes on your motherboard and fatherboard to
> squelch the IRQ PCI bus settings, which can cause fires
> or inflammation.
>
> Lethality = 5
> If the inflammation spreads, it's curtains for you,
> sister.
>
> System Countermeasures = 0
> It can't be stopped.
>
> Network Countermeasures = .4423
> At least there is an alert giving you time to panic for
> a few minutes.
>
> SEVERITY = 9.5577
>
> 1.9 Defensive Recommendations:
>
> Run for the hills!! Seagate is working on a freewheel
> patch which will prevent the hard drive from spinning
> backwards. It works like a bicycle freewheel footbrake.
> Your hard drive will come to a dead halt instead,
> probably ruining it, but it's better than the
> alternative. And disable desktop themes. It's driving
> people in the neighboring cubicles crazy, you jerk. I'm
> getting ready to send you a virus myself!!
>
> 1.10 Multiple Choice Question:
>
> Who is buried in Grant's tomb?
>
> A. Linux
> B. Grant
> C. Smith
> D. Jones
> E. All of the above.
>
> Answer E
>

--
Craig Baltes, GCIA
Senior Information Security Analyst
LURHQ corp
craig@private
843-903-4376 x2

Get your free encrypted email at https://www.hushmail.com
This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 10:18:02 PST