RE: Subseven Scans

From: Robert Buckley (rbuckleyat_private)
Date: Wed Aug 14 2002 - 08:39:19 PDT

  • Next message: Richard Gilman: "Increased IIS scans mainly on"

    -----Original Message-----
    From: H C [mailto:keydet89at_private]
    Sent: Tuesday, August 13, 2002 1:47 PM
    To: Robert Buckley; 'Baribault, Gary'; grdnwsl; Rob Keown
    Cc: incidentsat_private
    Subject: RE: Subseven Scans
    > A recon probe against the attacking hosts that were
    > up, indicated that they
    > are all windows hosts, all with port 139 open to the
    > public. Some hosts did
    > show signs of being compromised and had virus'
    > present. 
    Interesting.  How was this determined?
    "it was determined by examining the contents of the drive in question, and
    seeing a directory
    structure that appeared to be one that had been infected. You wont find
    normal people creating directories with 
    control codes in them, and since more than 1 out of the 20 + hosts had that
    type of sign, its assumed they are in 
    fact infected with something. It also showed sings that these were not
    business systems, and of a home type of system,
    which can lead to a conclusion that they were less secure than business
    systems, and more prone to have stuff uploaded on them.  Most the hosts had
    MS file sharing enabled, with write access from the root of the drive. Just
    another sign
    to lead to a formidable conclusion"
    > It was determined
    > that all attacking hosts are unknowingly being used
    > to attack other systems.
    Really?  How so?  Were you able to conduct a virus
    scan of the attacking hosts and determine that the
    Trojan or controlling software was actually being
    used?  After all, one cannot conclusively determine,
    even on an infected system, that the user of the
    attacking host was unaware that it was infected, and
    had conducted a port scan.  After all, nmap 3.0 was
    recently released...and yes, it does run on Win32
    (precompiled binary available).  
    "see above. Nmap has nothing to do with the equation. It makes no difference
    wether it was nmap, or a perl port scanner
    or even if the hosts were worming. The fact that the scan took place
    sequentially and not at the same time, leads one 
    to believe that this is the work of one person hopping from system to
    system, quite possibly to try to break ACL's on the borders. Otherwise, a
    distributed scan of this type is more likely to happen all at once, in order
    to smoke screen the victim, believing that some of the hosts could be
    spoofed, or confusing analyses. Instead, the scans were at 1 or so minute
    intervals and that has "Im one person" written all over it in the signature
    world. There was no effort on my part to determine if an infection on an
    attacking host was causing the scan or not. The application source of the
    scan made no difference in my analyses"
    The above statement is simply too emphatic for me,
    without more information.  At best, one can say that
    it was determined with a relative degree of certainty
    that the attacking host was unknowingly used to attack
    other systems.
    "see above: a normal distributed scan happens simultaneously. Scanning from
    one host to the next at one minute wait time intervals between the scan is
    not normal, and indicates, in most cases, that a person is hopping from host
    to host"
    This goes back to what I mentioned earlier to
    Rob...until someone posts some speculation (including
    non-reproducable verification steps...or not) and in
    the end, the community really hasn't benefited
    "The community can benefit from whatever they can. I had no intentions of
    providing speculation, it just happened as part of the proccess if thats how
    one sees it. What I wanted to send to the original writer, is what I
    concluded. Not that it is set in stone or otherwise, its up to the analyst
    to interpret the data I have given them, false or otherwise."
    I'm glad to see that someone took a look at the
    hosts...Rob sent me some info about the majority being
    from Korea...but I think that it would benefit the
    community as a whole to know how those steps were was it determined that the systems
    were infected, and how was it determined that the
    infection, the malware installed, was actually what
    was doing the scanning, and not a port scanner?
    "It was not my intention to provide how or what tools were used for the
    attack, only to provide insight on the hosts 
    invloved, and their status, and OS type. That was my intention, and that was
    what I provided. Any other queries 
    about what tools were invloved, and what infections were present, is not my
    concern. My only concern was to provide 
    factual data that I had gathered.
    1: Windows hosts, all of them - fact.
    2: MS Shares at the root level, some of them. - fact.
    3: Sequentially scanned, not simutaneous - fact.
    4: Hosts were not spoofed. - fact.
    5: Some hosts showed signs of virus via the CTRL chars that were used to
    create directories on their shares. - fact.
    6: How long the attack lasted. - fact.
    7: Was the attack successful. - fact.
    Thats all I wanted to get to the original poster. All other concerns, moral
    values and comments
    are not warrented. Do with it what you will. 
    Sincerely, RB.
    Do You Yahoo!?
    HotJobs - Search Thousands of New Jobs
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 11:10:53 PDT