----- Forwarded message from Braddock Gaskill <braddockat_private> -----

From: Braddock Gaskill <braddockat_private>
To: bugtraqat_private
Subject: How to obtain a complete list of CR2 compromised hosts
Date: Sun, 5 Aug 2001 12:38:12 -0400
Message-ID: <20010805123812.A11760at_private>
X-Mailer: Mutt 1.0.1i

Here's an analysis of some very serious implications of CodeRed II I just wrote, including a hypothetical technique for easily building a list of ALL infected hosts on the internet.

Source site http://braddock.com/cr2.html

___________________________________

How to anonymously get root access on a quarter million machines overnight

By Braddock Gaskill (braddockat_private), (C) 5 August 2000

___________________________________

Abstract

This analysis describes a means through which a complete list of the estimated 250,000 CodeRed II infected and backdoor compromised hosts can be easily obtained by any individual who has been keeping a web server log of attempts on his machine, by using the backdoors on the machines that have attacked him to obtain the web logs of the infected attacking IIS web servers to learn of new infected hosts. The strong recommendation from this report is that as part of any CodeRed II recovery effort, the system web logs should immediately be destroyed, and Intrusion Detection Systems should be checking for and tracing recursive attempts to access web logs through the backdoor.

___________________________________

In the past 24 hours the CodeRed II worm has been infecting IIS web servers with a speed equal to or greater than that of the original CodeRed. The original CodeRed infected what is thought to be all vulnerable machines, approximately 250,000 hosts, in under 24 hours. While CodeRed I was relatively harmless, CodeRed II installs a full Administrator-access back door shell that can be accessed via HTTP.
This creates a very interesting situation, and with the techniques discussed in this paper opens a new potential door for mass system cracking.

The problem with releasing a worm or virus to obtain some information of value is that to transmit the information back to the worm originator creates a very clear trail that can be traced back to the perpetrator. Primitive and naive worms or viruses sometimes attempt to e-mail or otherwise communicate password files or information back to some origination point, allowing a trace to the original author. A more sophisticated worm might attempt to just pass information upstream to get it closer to some origination node, and make attempts to destroy records of the transmission, but this too leaves a trace of the worm's spread, and all records of the transmission in things like firewall logs and IDS systems can never be removed.

It is difficult enough to find an anonymous enough node to make the initial release of the worm...preferably one would do this far from home in a previously unpatronized internet cafe or the like, through a large number of randomly cracked systems. If an author actually makes some attempt to "return to the scene of the crime" to retrieve anything of value the worm might send back to some rendezvous node, he could most certainly be caught.

The alternative to this is to attempt to make the information the worm gathers public, and then attempt to retrieve it just like thousands of others will. For example, a worm might send password lists to a Usenet newsgroup or post it in some public forum. But any public forum usually has some form of moderation and administration, so any malicious information at such a site would not stay online for long. In addition, the more sophisticated the initial worm, the more stylistic and linguistic "fingerprints" the original author will leave on it. Posting to public forums may well double the code in a simple worm.
If an author has ever made any of this code public, there may well be government agencies that could use code fingerprinting to narrow the field of suspects, particularly if other profiling information about known crackers can be used. If a true "anonymous common carrier" system like FreeNet is ever successfully put into place, this may well change the landscape, but true untraceability will probably always remain elusive once national security or currency laundering enforceability is at stake, even if unfortunate Draconian legal means are required to achieve it.

CodeRed II, however, presents a very different alternative. CR2 infects its hosts with a simple worm, inserts a simple Administrator-access backdoor shell into the victim, and begins scanning for new victims. At first glance, the backdoor is of little use to the worm originator. After all, the originator has no list of infected hosts communicated back to him or left at some secret drop point. The originator, like anyone else, can perform massive network scans for the backdoor, but that would put him on a relatively short and easily compiled list of suspects. The worm also keeps no log of hosts that it has infected, and indeed no log is essential to keep the spread untraceable to the originating node. Perhaps a public key encrypted log could be compiled, but that leaves us back to the original problem of a fixed "drop point" or communication of the data.

Lack of usefulness appears to be the case, except for the fact that the internet is now saturated with CR2 worms, each leaving web logs across the internet full of records of buffer overflow attempts, WITH the infected host's IP address. These attack attempts perform an additional service than just attempted infection...they serve to announce the infection of the attacking host. And they do so in a way that leaves no direct trail of initial spread of the worm, and thus no direct risk of discovering the originating node.
This means directly that by the end of the week I will personally have in my web log the IP addresses of over 100 random hosts with full-access backdoors installed that I could attack directly. 100 hosts on different unrelated networks is a large compromise for any individual cracker, but not something that requires a massive internet worm to achieve. This is not enough value to make the plague of a worm worthwhile to its originator.

However, each of those 100 random infected hosts I know about is ALSO an IIS web server with logs of, for example, another 100 random infected hosts each that attempted to re-infect THEM. That means by breaking into the 100 hosts I know about and reading their logs, I now have backdoor access to approximately 100*100 = 10,000 hosts! Repeat this another level (preferably originating from the broken nodes), and I will have 1,000,000 break-in attempts by random hosts. At this point, many of these attempts will be from duplicate hosts, since only an estimated 250,000 hosts will be infected (this from the CR1 estimates), however it is clear that the implication of this worm is FAR greater than random hosts with backdoors. It provides a clear mechanism for obtaining a list of thousands of infected hosts with backdoors.

While this technique is nice, it is still not entirely untraceable. IDS systems will surely be looking for this type of backdoor exploiting traffic in the near term, and contacting several thousand hosts either directly or through a worm-backdoor distributed mechanism will be detectable on some level. A full list would require the recursive retrieval of web logs from several thousand hosts. However, the originator of the worm himself does not need to fear exposure...he has essentially made this information available to anyone who understands CodeRed II and its implications described above, and it is probably a matter of hours to days before a public list of all infected hosts is made available online.
--Braddock Gaskill, 5 August 2001

___________________________________

The text of this document may be freely reproduced and redistributed in unmodified form - bcg

-- 
"Basic research is what I'm doing when I don't know what I'm doing." -Werner von Braun

----- End forwarded message -----

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
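The post makes two points a log analyst can act on: every overflow attempt in a server's web log announces that the attacking host is itself infected, and any request that tries to read the server's own web log through the HTTP-reachable backdoor is the recursive harvesting the author says IDS should be watching for. The following Python script is an added example, not code from the post or from any tool it names. It parses IIS W3C extended log text and reports both kinds of event. Because the post gives no request signatures, the two heuristics are constructed placeholders: an "overflow attempt" is a request whose URI carries a run of 200 or more copies of one filler byte, and a "log retrieval attempt" is a request that names the IIS log directory (`LogFiles`) or any `.log` file. The sample log lines, the `/scripts/target.dll` and `/scripts/backdoor.exe` paths and the RFC 5737 addresses in them are all constructed for this example.

```python
"""Flag CodeRed II style activity in IIS W3C extended log lines (added example).

Reports:
  1. distinct source addresses of overflow attempts (each one is a host the
     post says should be treated as infected and backdoored), and
  2. requests that try to read this server's own web log, i.e. the recursive
     log harvesting the post recommends IDS should detect.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed heuristics (assumptions for this example, not indicators from the post).
FILLER_RUN = re.compile(r"(.)\1{199,}")        # one byte repeated 200+ times in a row
LOG_PATH = re.compile(r"logfiles|\.log\b", re.IGNORECASE)  # IIS LogFiles dir or a .log file


@dataclass
class Request:
    date: str
    time: str
    client_ip: str
    method: str
    uri_stem: str
    uri_query: str
    status: str


def parse_w3c(text: str) -> List[Request]:
    """Parse IIS W3C extended log text, taking column order from its #Fields: header."""
    fields: List[str] = []
    out: List[Request] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        cols = dict(zip(fields, line.split()))
        out.append(Request(
            date=cols.get("date", ""),
            time=cols.get("time", ""),
            client_ip=cols.get("c-ip", ""),
            method=cols.get("cs-method", ""),
            uri_stem=cols.get("cs-uri-stem", ""),
            uri_query=cols.get("cs-uri-query", ""),
            status=cols.get("sc-status", ""),
        ))
    return out


def classify(req: Request) -> Optional[str]:
    """Return 'overflow', 'log_read', or None for an ordinary request."""
    target = req.uri_stem + "?" + req.uri_query
    if FILLER_RUN.search(target):
        return "overflow"
    if LOG_PATH.search(target):
        return "log_read"
    return None


@dataclass
class Summary:
    infected_sources: Counter = field(default_factory=Counter)  # client ip -> attempt count
    log_read_attempts: List[Request] = field(default_factory=list)


def summarize(text: str) -> Summary:
    """Run the classifier over a whole log and collect both report sections."""
    summary = Summary()
    for req in parse_w3c(text):
        kind = classify(req)
        if kind == "overflow":
            summary.infected_sources[req.client_ip] += 1
        elif kind == "log_read":
            summary.log_read_attempts.append(req)
    return summary


# Constructed sample log using RFC 5737 documentation addresses; not a real capture.
FILLER = "X" * 300
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-05 12:01:03 192.0.2.10 GET /index.htm - 200",
    f"2001-08-05 12:02:17 198.51.100.7 GET /scripts/target.dll {FILLER} 404",
    f"2001-08-05 12:02:18 198.51.100.7 GET /scripts/target.dll {FILLER} 404",
    f"2001-08-05 12:05:40 203.0.113.9 GET /scripts/target.dll {FILLER} 404",
    "2001-08-05 12:09:02 203.0.113.9 GET /scripts/backdoor.exe "
    "/c+type+c:\\winnt\\system32\\LogFiles\\W3SVC1\\ex010805.log 200",
    "2001-08-05 12:10:11 192.0.2.10 GET /catalog.htm - 200",
])

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("hosts announcing their own infection:", dict(result.infected_sources))
    for r in result.log_read_attempts:
        print("web log retrieval attempt from", r.client_ip, "->", r.uri_query)
```

The same source (203.0.113.9 in the sample) first appears as an overflow attempt and later as a request for the server's log file, which is exactly the sequence the post predicts: a host that announced itself through an infection attempt is then used to harvest the victim's log. Feeding the `infected_sources` list to an abuse-reporting or blocking process, and alerting on any non-empty `log_read_attempts`, covers both of the post's recommendations without retrieving anything from the attacking hosts.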
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 11:54:03 PDT