
The Five Most Popular Attacks on the Internet Peter Mell, 1-7-98 National Institute of Standards and Technology Computer Security Division.


1 The Five Most Popular Attacks on the Internet Peter Mell, 1-7-98 peter.mell@nist.gov National Institute of Standards and Technology Computer Security Division

2 Outline
- Sources of attacks and vulnerability information
- Details on the most frequently requested attacks
- Statistics on attacks available on the Internet

3 Web Site Resources
Vulnerability Advisories:
- CERT, http://www.cert.org
- L0pht, http://www.l0pht.com/
Vulnerability Information:
- Bugtraq, http://geek-girl.com/bugtraq
- NTBugtraq, http://www.ntbugtraq.com
Attack Scripts:
- Rootshell, http://www.rootshell.com
- Fyodor’s Playhouse, http://www.insecure.org

4 We are Measuring the Popularity of Attacks
- Rootshell makes available a CGI script that reveals the last 50 search requests made on its database of 700+ attack scripts
- We created a Perl script that harvests these search requests each hour
- Approximately 170,000 queries are made each month (our current sample is 20% of the total: 33,000 queries)

5 The Top 18 Search Requests (12-98)

6 Search Requests on OSs

7 Search Requests on Applications

8 Attacks on Applications
- ICQ: 6 exploits in the last year. Spoof any ICQ user id and send people files that get stored anywhere
- Sendmail: 11 exploits in the last year. Local get root, DOS, remote control
- imap: 8 exploits in the last year. Scanners and remote get root attacks
Manuals on performing buffer overflow attacks:
- http://www.insecure.org/stf/smashstack.txt
- http://www.l0pht.com/advisories/bufero.html

9 Search Requests on Attacks

10 Back Orifice: What Microsoft Says
“Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95 and Windows 98 users following safe computing practices are not at risk…”
http://www.wired.com/news/news/technology/story/16310.html
According to Wired (1998-Nov-17), 79% of Australian ISPs are "infected" with Back Orifice.

11 Back Orifice
Author: Cult of the Dead Cow, http://www.cultdeadcow.com
Publish Date: Released in August 1998 at the annual DEF CON hacker convention
Summary: Remotely control Windows 95 hosts
Transmission Method: Web site downloads, e-mailing free apps, piggybacking with “ordinary” remote exploits

12 Back Orifice Applications
- File System Control: Add/delete any file
- Process Control: Run/kill any process
- Registry Control: List, create, delete, and set registry keys and values
- Network Control: View all exported resources and their passwords. View and kill connections.
- Multimedia Control: Keystroke monitor. Take screen shots. Control host cameras.
- Packet Redirection: Redirect local ports to remote ports
- Packet Sniffer: View any network packets
- Plug-in Interface: Much like Netscape plug-ins

13 Other Back Orifice Features
Other Features: Encrypted connections, autonomous mode
Plug-Ins:
- Butt Trumpet: Penetration notification via e-mail
- Saran Wrap: Easily bundle BO with legitimate software
- Speakeasy: Broadcast a penetration to an IRC channel

14 Netbus
Similar to Back Orifice except that anyone can log into a Netbus server.
- Start optional application
- Download/upload/delete files
- Send keystrokes and disable keys
- Record sounds from the microphone
- Go to an optional URL
- Control mouse
- Shut down Windows
- Listen to keystrokes
- Take a screendump

15 Teardrop
Reboots or halts Windows 95, NT and Linux using 2 fragmented packets.
The slide diagrams four fragment-pair layouts (P1 is the first fragment, P2 the second):
1. P1 Offset=0, End=N; P2 Offset<N, End=N+M (P2 starts inside P1 and extends past it)
2. P1 Offset=0, End=N; P2 Offset=N, End=N+M (P2 starts exactly where P1 ends)
3. P1 Offset=0, End=N; P2 Offset<N, End<N (P2 lies entirely within P1)
4. P1 Offset=0, End=N; P2 Offset=N, End<N (P2 ends before its own offset)
Published before 11/14/97
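As an added example (not from the slides), the following reassembly sanity check classifies the second fragment of each of the four layouts above against the first and refuses anything that is not strictly contiguous. Offsets and ends are byte positions as the slide draws them (real IPv4 headers carry the offset in 8-byte units); the values N=24 and M=12 are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int   # first byte of this fragment's payload within the datagram
    end: int      # one past the last byte (offset + payload length)

    @property
    def length(self) -> int:
        return self.end - self.offset


def check_fragment(prev: Fragment, cur: Fragment) -> str:
    """Classify cur against the fragment received before it.
    Only 'ok' (cur starts exactly where prev ended) may be copied as-is;
    in the overlapping layouts a reassembler that trims cur to prev's end
    and recomputes cur's length from the result can obtain a negative
    value, which is the failure the Teardrop slide describes."""
    if cur.length < 0:
        return "negative length"      # layout 4: end < offset, malformed on its own
    if cur.offset < prev.end:
        if cur.end <= prev.end:
            return "contained"        # layout 3: cur lies wholly inside prev
        return "overlap"              # layout 1: cur starts inside prev, extends past it
    if cur.offset > prev.end:
        return "gap"                  # not on the slide, but still not contiguous
    return "ok"                       # layout 2


def reassemble(frags: List[Fragment]) -> Tuple[bool, str]:
    """Accept a fragment set only if every pair is contiguous and non-overlapping."""
    frags = sorted(frags, key=lambda f: f.offset)
    if frags[0].offset != 0:
        return False, "first fragment not at offset 0"
    for prev, cur in zip(frags, frags[1:]):
        verdict = check_fragment(prev, cur)
        if verdict != "ok":
            return False, verdict
    return True, "ok"


# The slide's four layouts, constructed with N=24 and M=12.
N, M = 24, 12
SLIDE_CASES = {
    "overlap":         [Fragment(0, N), Fragment(N - 8, N + M)],  # P2 Offset<N, End=N+M
    "ok":              [Fragment(0, N), Fragment(N, N + M)],      # P2 Offset=N, End=N+M
    "contained":       [Fragment(0, N), Fragment(N - 8, N - 4)],  # P2 Offset<N, End<N
    "negative length": [Fragment(0, N), Fragment(N, N - 4)],      # P2 Offset=N, End<N
}
```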

16 Smurf
Smurf freezes a target by sending it large numbers of ICMP ping packets.
- Attacker is not traceable
- Each of the attacker’s ping packets is amplified into hundreds of packets
Diagram: Attacker -> Network that responds to broadcast pings -> Target
Ping packets: Source: Target; Destination: Broadcast address
Target receives hundreds of packets for each of the attacker’s packets.
Published before 10/13/97
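As an added detection example (not part of the presentation), the code below flags the two observable halves of the Smurf pattern on the slide: echo requests addressed to one of our networks' broadcast addresses, and a host receiving echo replies from many responders it never pinged. The packet records, address ranges and field names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type codes


def is_directed_broadcast(dst: str, networks: Iterable[str]) -> bool:
    """True if dst is the broadcast address of one of our networks, i.e. a
    packet a border router should refuse to forward (directed broadcast)."""
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(n).broadcast_address for n in networks)


def find_amplifier_requests(records, networks) -> List[Tuple[str, str]]:
    """Echo requests to a broadcast address: the 'Source: Target,
    Destination: Broadcast address' packets from the slide.  Returns
    (claimed source, broadcast destination); the claimed source is the
    real victim, not the sender, so it must not be treated as the attacker."""
    return [(r["src"], r["dst"]) for r in records
            if r["type"] == ECHO_REQUEST and is_directed_broadcast(r["dst"], networks)]


def reply_fan_in(records) -> Dict[str, int]:
    """Number of distinct responders sending echo replies to each destination.
    A host replied to by many responders at once is the amplified target."""
    responders = defaultdict(set)
    for r in records:
        if r["type"] == ECHO_REPLY:
            responders[r["dst"]].add(r["src"])
    return {dst: len(s) for dst, s in responders.items()}


# Constructed sample: our /24 (documentation range), a spoofed request to its
# broadcast address, 50 replies to the victim, and one ordinary unicast ping.
OUR_NETWORKS = ["192.0.2.0/24"]
TARGET = "203.0.113.5"
SAMPLE = (
    [{"src": TARGET, "dst": "192.0.2.255", "type": ECHO_REQUEST}]
    + [{"src": f"192.0.2.{i}", "dst": TARGET, "type": ECHO_REPLY} for i in range(1, 51)]
    + [{"src": "192.0.2.7", "dst": "192.0.2.9", "type": ECHO_REQUEST}]
)
```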

17 (Win)Nuke
WinNuke crashes Windows 95/NT hosts by establishing a TCP connection and sending out-of-band data.
Attacker -> Target:
1. TCP connection established (port 139)
2. Send a packet of out-of-band data (e.g. send(s, str, strlen(str), MSG_OOB))
Published before 5/7/97

18 Listing of the top 20 attacks
Recommended scanning software: nmap, queso, strobe, netcat
DOS attack toolkit: targa

19 Statistics on attacks published on the Internet
- 37% of attacks can be launched from Windows hosts (people don’t need Unix to be dangerous anymore)
- 4% of attacks compromise hosts that visit web sites (surfing the Internet is not risk free)
- 3% of attacks exploit more than one vulnerability (attack toolkits that allow children to penetrate hosts with the push of a button are becoming a reality)
- 8% are scanning tools that look for vulnerabilities (automated searching for vulnerable hosts is commonplace)

20 Even Firewalls, Routers, and Switches are not safe
Percent of attacks that work against:
- firewalls: 7% (no penetration attacks found)
- routers: 6% (no penetration attacks found)
Percent of attacks that penetrate:
- switches: 2% (NBase and 3Com backdoor passwords)

