Download presentation
Presentation is loading. Please wait.
1
Fishing for Worms A Lure that Works EDUCAUSE Southwest Regional Conference Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas Copyright Paul Schmehl 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
2
Network Aware Worms are a Difficult Problem to Solve They attack open network shares anywhere in the network They’re often difficult to track to the source of the infection They’re very persistent and propagate quickly Their “tribe” is increasing Antivirus protection can warn you of the infection, but it doesn’t track down the source Logs are often not enabled and when they are, they don’t log this sort of “normal” activity unless specially configured Eradicating network aware worms is often like playing “whack a mole”
3
Introducing the “SMB Lure” A proactive approach to worm eradication Requires a minimal investment of equipment and time Requires almost no maintenance once configured properly Acts as an “early warning system” as well as a “teergrube” server for worms Conceived and designed by John Morris of Nortel Networks – AVIEN Member
4
What is SMB Lure? A Unix OS – your choice Samba – open source Proper configuration of samba A few scripts for maintenance A working SMTP server
5
Configure the OS Minimal installation No services except SMTP and SSH Enable the firewall and tcpwrappers Establish a patching routine That’s it!
6
Install and configure Samba Standard installation – nothing special *Can* edit the source if you want to It’s all in the configuration file Build your directory and file structure Make it look “real” Sit back and enjoy
7
The smb.conf file # Samba config file created for SMB-Lure # Global parameters [global] # TRICK 0: Setup our own workgroup, so named to be the first item in the Windows Network Neighborhood workgroup = 000-SECURITY # TRICK 1: Name our server, so that it appears as the first machine in its workgroup netbios name = 000-worm-sensor # TRICK 2: Create a few aliases for our sensor, so that it appears multiple times, interspersed in the workgroup netbios aliases = C00-worm-sensor E00-worm-sensor J00-worm-sensor M00-worm-sensor # warn curious individuals to stay away from our sensor server string = Virus detector. Please! Do not touch (972-883-6866) # Let’s be very promiscuous, we will share our fileshare contents with all worms security = SHARE # TRICK 3: Turn on Debug mode. This will provide useful information about what types of files the worm is accessing # or is looking for on our server. debug level = 3 # Each visiting computer will have its own dedicated log file, makes reading much easier. log file = /usr/local/samba/logs/%m.log
![The smb.conf file # Samba config file created for SMB-Lure # Global parameters [global] # TRICK 0: Setup our own workgroup, so named to be the first item in the Windows Network Neighborhood workgroup = 000-SECURITY # TRICK 1: Name our server, so that it appears as the first machine in its workgroup netbios name = 000-worm-sensor # TRICK 2: Create a few aliases for our sensor, so that it appears multiple times, interspersed in the workgroup netbios aliases = C00-worm-sensor E00-worm-sensor J00-worm-sensor M00-worm-sensor # warn curious individuals to stay away from our sensor server string = Virus detector.](http://images.slideplayer.com/13/4044702/slides/slide_7.jpg "Please. Do not touch ( ) # Let’s be very promiscuous, we will share our fileshare contents with all worms security = SHARE # TRICK 3: Turn on Debug mode. This will provide useful information about what types of files the worm is accessing # or is looking for on our server. debug level = 3 # Each visiting computer will have its own dedicated log file, makes reading much easier. log file = /usr/local/samba/logs/%m.log.")
8
More smb.conf # No limit on log size max log size = 0 # Pretend to be a Windows NT 4 computer announce version = 4.0 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = No wins server = 129.110.27.65 name resolve order = wins # We will be domain master, for 000-SECURITY domain master = True preferred master = True # The IP address of our WINS server, provides name resolution wins server = 129.110.70.36 browseable = Yes
9
More smb.conf # TRICK-4: remotely announce our existance around the corporate network and force ourselves into several regionally and alphabetically diverse workgroups/domains. The IP addresses are the broadcast addresses for subnets that contain NT/Win2K servers. # Note the number of computers we are pretending to be is the number of remote-announce domains multiplied by the number of aliases (See TRICK-2) remote announce = 129.110.161.255/000-SECURITY 129.110.161.255/AV # Here is where we define our fileshare ( called Wormbait) [Wormbait] # Scare away all the human worms, if they didn't get the picture from the server description above comment = Network Worm Bait, please don't touch # Directory containing lots of juicy infectable files, stored in multiple directories. path = /home/wormbait # Worms are our guests and allowed to do their worst. writeable = Yes guest ok = Yes
10
Samba startup configuration #!/bin/sh # Samba startup script /usr/local/samba/bin/smbd -D /usr/local/samba/bin/nmbd -D
11
The checklogs script #!/bin/sh # checklogs.sh - a shell script for parsing the Samba logs # looking for worm or virus activity. If found, it's written # to a log that is emailed to me hourly. # Written by Paul Schmehl - 6/10/2002 # set some variables sambalogs=/usr/local/samba/logs/* alerts=/home/alert.txt touch $alerts # loop through each log looking for worms and viruses # and write to the alert.log if any are found for log in $sambalogs do if [ -f ]; then chmod 770 "$log" counter=0 funlove=`cat "$log" | grep -ci "find service ntldr"` if [ $? == 0 ]; then echo "Funlove hits = $funlove." >> $alerts counter=`expr $counter + 1` fi nimda=`cat "$log" | grep -ci "\.eml sleep=5 read=No write=Yes"` if [ $? == 0 ]; then echo "Nimda hits = $nimda." >> $alerts counter=`expr $counter + 1` fi nimdaa=`cat "$log" | grep -ci "\.eml failed"` if [ $? == 0 ]; then echo "Nimda a hits = $nimdaa." >> $alerts counter=`expr $counter + 1` fi
12
More checklogs script if [ $counter -gt 0 ]; then logname="$log" echo `basename "$log"name` >> $alerts echo Log started at `cat "$log" | awk '/2002/{print $1" "$2}' | head -n1 | cut -d'[' -f2 | cut -d',' -f1` >> $aler ts hostname=`basename "$log"name.log` echo $hostname >> $alerts IP=`cat "$log" | grep -e "$hostname " | cut -d'(' -f2 | cut -d')' -f1 | sort -u` ${IP:=unknown} echo IP is $IP >> $alerts user=`cat "$log" | grep "sesssetupX:name=" | cut -d'[' -f2 | cut -d']' -f1 | tail -n1` ${user:=unknown} echo User logged in was $user >> $alerts echo "" >> $alerts fi done # mail the alert.log if there's anything in it and # move the samba logs to the backup directory if [ -s $alerts ]; then mailx -s "SMB Lure Logs" root < $alerts cd /usr/local/samba/logs mv -f *.log backup/ fi # do some "maintenance" chmod 660 /usr/local/samba/logs/backup/* rm -f $alerts
![More checklogs script if [ $counter -gt 0 ]; then logname= $log echo `basename $log name` >> $alerts echo Log started at `cat $log | awk /2002/{print $1 $2} | head -n1 | cut -d [ -f2 | cut -d , -f1` >> $aler ts hostname=`basename $log name.log` echo $hostname >> $alerts IP=`cat $log | grep -e $hostname | cut -d ( -f2 | cut -d ) -f1 | sort -u` ${IP:=unknown} echo IP is $IP >> $alerts user=`cat $log | grep sesssetupX:name= | cut -d [ -f2 | cut -d ] -f1 | tail -n1` ${user:=unknown} echo User logged in was $user >> $alerts echo >> $alerts fi done # mail the alert.log if there s anything in it and # move the samba logs to the backup directory if [ -s $alerts ]; then mailx -s SMB Lure Logs root < $alerts cd /usr/local/samba/logs mv -f *.log backup/ fi # do some maintenance chmod 660 /usr/local/samba/logs/backup/* rm -f $alerts](http://images.slideplayer.com/13/4044702/slides/slide_12.jpg "More checklogs script if [ $counter -gt 0 ]; then logname= $log echo `basename $log name` >> $alerts echo Log started at `cat $log | awk /2002/{print $1 $2} | head -n1 | cut -d [ -f2 | cut -d , -f1` >> $aler ts hostname=`basename $log name.log` echo $hostname >> $alerts IP=`cat $log | grep -e $hostname | cut -d ( -f2 | cut -d ) -f1 | sort -u` ${IP:=unknown} echo IP is $IP >> $alerts user=`cat $log | grep sesssetupX:name= | cut -d [ -f2 | cut -d ] -f1 | tail -n1` ${user:=unknown} echo User logged in was $user >> $alerts echo >> $alerts fi done # mail the alert.log if there s anything in it and # move the samba logs to the backup directory if [ -s $alerts ]; then mailx -s SMB Lure Logs root < $alerts cd /usr/local/samba/logs mv -f *.log backup/ fi # do some maintenance chmod 660 /usr/local/samba/logs/backup/* rm -f $alerts")
13
Typical email alert Bugbear hits = 45. csgrad49370.logname Log started at csgrad49370.logname IP is unknown User logged in was bxg022000 Use nbtstat –a to get the IP
14
The wormbait directory 0,1456,graphics,00[1].rar AUTOEXEC.exe Ylcp.bak.rar return.rar 0,1456,graphics,00[1].txt.exe Ac.xls.exe Zbie.exe rock.c.exe 0116williams[1].bak.exe Bbuj.rar Zid.cpp.rar style.rar 0116williams[1].exe Bsxp.htm.exe codes,.exe test1 0116williams[1].rar Cclu.exe codes.bak.exe test2 0117cowduo[1].bak.rar Cjqmq.exe height.mpeg.scr test3 0117cowduo[1].exe Dd.mpg.rar http.rar test4 0117cowduo[1].html.rar End.exe koulic2.scr test5 0117cowduo[1].mp3.exe End.rar margin.bat test6 0117cowduo[1].mpeg.rar End.xls.rar margin.rar test7 0117cowduo[1].mpg.rar FACE.rar mayalog.eml test8 0117cowduo[1].pas.exe HEIGHT.exe name.doc.bat test9 0117cowduo[1].rar Ikvfi.rar new.c.exe width.rar API.htm.rar Tf.exe new.cpp.rar windows API.mp3.exe VALIGN.exe new.htm.exe winnt API.rar Wpcc.xls.exe new.rar
![The wormbait directory 0,1456,graphics,00[1].rar AUTOEXEC.exe Ylcp.bak.rar return.rar 0,1456,graphics,00[1].txt.exe Ac.xls.exe Zbie.exe rock.c.exe 0116williams[1].bak.exe Bbuj.rar Zid.cpp.rar style.rar 0116williams[1].exe Bsxp.htm.exe codes,.exe test1 0116williams[1].rar Cclu.exe codes.bak.exe test2 0117cowduo[1].bak.rar Cjqmq.exe height.mpeg.scr test3 0117cowduo[1].exe Dd.mpg.rar http.rar test4 0117cowduo[1].html.rar End.exe koulic2.scr test5 0117cowduo[1].mp3.exe End.rar margin.bat test6 0117cowduo[1].mpeg.rar End.xls.rar margin.rar test7 0117cowduo[1].mpg.rar FACE.rar mayalog.eml test8 0117cowduo[1].pas.exe HEIGHT.exe name.doc.bat test9 0117cowduo[1].rar Ikvfi.rar new.c.exe width.rar API.htm.rar Tf.exe new.cpp.rar windows API.mp3.exe VALIGN.exe new.htm.exe winnt API.rar Wpcc.xls.exe new.rar](http://images.slideplayer.com/13/4044702/slides/slide_14.jpg "The wormbait directory 0,1456,graphics,00[1].rar AUTOEXEC.exe Ylcp.bak.rar return.rar 0,1456,graphics,00[1].txt.exe Ac.xls.exe Zbie.exe rock.c.exe 0116williams[1].bak.exe Bbuj.rar Zid.cpp.rar style.rar 0116williams[1].exe Bsxp.htm.exe codes,.exe test1 0116williams[1].rar Cclu.exe codes.bak.exe test2 0117cowduo[1].bak.rar Cjqmq.exe height.mpeg.scr test3 0117cowduo[1].exe Dd.mpg.rar http.rar test4 0117cowduo[1].html.rar End.exe koulic2.scr test5 0117cowduo[1].mp3.exe End.rar margin.bat test6 0117cowduo[1].mpeg.rar End.xls.rar margin.rar test7 0117cowduo[1].mpg.rar FACE.rar mayalog.eml test8 0117cowduo[1].pas.exe HEIGHT.exe name.doc.bat test9 0117cowduo[1].rar Ikvfi.rar new.c.exe width.rar API.htm.rar Tf.exe new.cpp.rar windows API.mp3.exe VALIGN.exe new.htm.exe winnt API.rar Wpcc.xls.exe new.rar")
15
Contents of mayalog.eml MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC123456j7890DEF_====" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 --====_ABC123456j7890DEF_==== Content-Type: multipart/alternative; boundary="====_ABC09876j54321DEF_====" --====_ABC09876j54321DEF_==== Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable --====_ABC09876j54321DEF_====-- --====_ABC123456j7890DEF_==== Content-Type: audio/x-wav; name="sample.exe" Content-Transfer-Encoding: base64 Content-ID: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAI9/UEUAAEwBBQBAw8I7 AAAAAAAAAADgAA4BCwEGAABwAAAA8AUAAAAAAAd1AAAAEAAAAIAAAAAANzcAEAAAABAAAAQAAAAA
16
A clean wormbait directory test1 test2 test3 test4 test5 test6 test7 test8 test9 windows winnt
17
The windows directory accstat.exe control.ini explorer.exe isapnp.vxd net.exe qfecheck.exe setdebug.exe system32 welcome.exe arp.exe cvtaplog.exe extrac32.exe logos.sys netdde.exe ramdrive.sys setup.ini taskman.exe win.com autoexec.bat dblbuff.sys freecell.exe mayalog.eml neth.msg readme.htm setver.exe taskmon.exe win.ini calc.exe defrag.exe ftp.exe moricons.dll netstat.exe regedit.exe sigverif.exe telnet.exe winfile.exe cdplayer.exe desktop.ini grpconv.exe msdos.sys notepad.exe route.exe smartdrv.exe tracert.exe winipcfg.exe charmap.exe dialer.exe himem.sys mshearts.exe ping.exe rundll.exe sol.exe twain.dll winpopup.exe clipbrd.exe dosstart.bat hwinfo.exe nbtstat.exe progman.ini rundll32.exe system twunk_16.exe winsock.dll command.com drvspace.exe ifshlp.sys nddeapi.dll protman.exe scandskw.exe system.dat twunk_32.exe wscript.exe control.exe emm386.exe ipconfig.exe nddenb.dll protocol.ini scanregw.exe system.ini user.dat
18
Other scripts cleanup.sh – removes the wormbait directory and then repopulates it makefiles.sh – repopulates the wormbait directory with “Windows files”
19
Typical samba log – bret.log [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878) Transaction 1 of length 137 [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685) switch message SMBnegprot (pid 11549) [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [PC NETWORK PROGRAM 1.0] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LANMAN1.0] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [Windows for Workgroups 3.1a] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LM1.2X002] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LANMAN2.1] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [NT LM 0.12] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(426) Selected protocol NT LM 0.12 [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878) Transaction 2 of length 161 [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685) switch message SMBsesssetupX (pid 11549) [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858) Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1] [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868) sesssetupX:name=[]
![Typical samba log – bret.log [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878) Transaction 1 of length 137 [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685) switch message SMBnegprot (pid 11549) [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [PC NETWORK PROGRAM 1.0] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LANMAN1.0] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [Windows for Workgroups 3.1a] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LM1.2X002] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LANMAN2.1] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [NT LM 0.12] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(426) Selected protocol NT LM 0.12 [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878) Transaction 2 of length 161 [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685) switch message SMBsesssetupX (pid 11549) [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858) Domain=[] NativeOS=[Windows Service Pack 1] NativeLanMan=[Windows ] [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868) sesssetupX:name=[]](http://images.slideplayer.com/13/4044702/slides/slide_19.jpg "Typical samba log – bret.log [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878) Transaction 1 of length 137 [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685) switch message SMBnegprot (pid 11549) [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [PC NETWORK PROGRAM 1.0] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LANMAN1.0] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [Windows for Workgroups 3.1a] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LM1.2X002] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [LANMAN2.1] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342) Requested protocol [NT LM 0.12] [2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(426) Selected protocol NT LM 0.12 [2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878) Transaction 2 of length 161 [2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685) switch message SMBsesssetupX (pid 11549) [2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858) Domain=[] NativeOS=[Windows Service Pack 1] NativeLanMan=[Windows ] [2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868) sesssetupX:name=[]")
20
Things to do Rewrite the checklogs script in Perl Move new worm entries to a text file and parse from the script Deal with Windows NetBIOS names with spaces in them Write script to rotate logs and delete
Similar presentations
