Zombie-nets, Pop-ups, and Spam

  By Bill and Lorette Cheswick
      ches@cheswick.com
     lepac@cheswick.com
   http://www.cheswick.com
           Definition: internet
• A collection of interacting networks that
  support TCP/IP




01/19/05       Zombie-nets, Pop-ups, and Spam   2 of 45
                       TCP/IP
• A set of protocols for connecting
  computers via a network
     – Almost nobody needs to know the details
• Designed in the early 1980s
• One design goal: end-to-end connectivity
     – We have learned better: firewalls break this
       idea


Internet design: Smarts at the edge of the network
• Unlike the phone system, the “center” of
  the network is pretty stupid
• New services are designed and
  implemented at the edge of the network
• No permission or special arrangements
  are needed



[Figure: two hosts on the internet, 209.123.16.98 and 64.10.0.3]
            Clients and servers
• Clients initiate connections to servers
• Servers tend to be publicly-known and
  accessible
     – Web services like www.amazon.com
• There is seldom any good reason for a
  home or corporate computer to offer
  network services
     – But they do anyway. A lot of them

[Figure: client 209.123.16.104 connecting to server 164.109.96.222 (www.budweiser.com)]
TCP connections include a port number
• TCP ports are numbers between 0 and
  65535, inclusive
• The client and server need only agree on
  which number to use
• There is a long list of standard services
  and their TCP port numbers
  – World wide web (HTTP) port 80
  – Email (SMTP) port 25
  – thousands more
             Server ports
• Each TCP service available on a computer
  is serviced by a program
• If that program has a serious bug,
  someone far away may be able to
  compromise that computer, and inject their
  own software to “own” your computer
• If you are running Windows, this has
  probably already happened to you
How can we see these TCP services on a Windows computer?
• Start -> All Programs -> Accessories ->
  Command Prompt
• Run: netstat -a
Windows XP, Service Pack 2 (SP2)
A Few Sample port listener profiles
                    Windows ME
Active Connections - Win ME

 Proto   Local Address        Foreign Address   State
 TCP     127.0.0.1:1032       0.0.0.0:0         LISTENING
 TCP     223.223.223.10:139   0.0.0.0:0         LISTENING
 UDP     0.0.0.0:1025         *:*
 UDP     0.0.0.0:1026         *:*
 UDP     0.0.0.0:31337        *:*
 UDP     0.0.0.0:162          *:*
 UDP     223.223.223.10:137   *:*
 UDP     223.223.223.10:138   *:*
                    Windows 2000
Proto   Local Address           Foreign Address   State
  TCP     0.0.0.0:135             0.0.0.0:0         LISTENING
  TCP     0.0.0.0:445             0.0.0.0:0         LISTENING
  TCP     0.0.0.0:1029            0.0.0.0:0         LISTENING
  TCP     0.0.0.0:1036            0.0.0.0:0         LISTENING
  TCP     0.0.0.0:1078            0.0.0.0:0         LISTENING
  TCP     0.0.0.0:1080            0.0.0.0:0         LISTENING
  TCP     0.0.0.0:1086            0.0.0.0:0         LISTENING
  TCP     0.0.0.0:6515            0.0.0.0:0         LISTENING
  TCP     127.0.0.1:139           0.0.0.0:0         LISTENING
  UDP     0.0.0.0:445             *:*
  UDP     0.0.0.0:1038            *:*
  UDP     0.0.0.0:6514            *:*
  UDP     0.0.0.0:6515            *:*
  UDP     127.0.0.1:1108          *:*
  UDP     223.223.223.96:500      *:*
  UDP     223.223.223.96:4500     *:*
           Windows XP, this laptop
 Proto   Local Address           Foreign Address   State
 TCP     ches-pc:epmap           ches-pc:0         LISTENING
 TCP     ches-pc:microsoft-ds    ches-pc:0         LISTENING
 TCP     ches-pc:1025            ches-pc:0         LISTENING
 TCP     ches-pc:1036            ches-pc:0         LISTENING
 TCP     ches-pc:3115            ches-pc:0         LISTENING
 TCP     ches-pc:3118            ches-pc:0         LISTENING
 TCP     ches-pc:3470            ches-pc:0         LISTENING
 TCP     ches-pc:3477            ches-pc:0         LISTENING
 TCP     ches-pc:5000            ches-pc:0         LISTENING
 TCP     ches-pc:6515            ches-pc:0         LISTENING
 TCP     ches-pc:netbios-ssn     ches-pc:0         LISTENING
 TCP     ches-pc:3001            ches-pc:0         LISTENING
 TCP     ches-pc:3002            ches-pc:0         LISTENING
 TCP     ches-pc:3003            ches-pc:0         LISTENING
 TCP     ches-pc:5180            ches-pc:0         LISTENING
 UDP     ches-pc:microsoft-ds    *:*
 UDP     ches-pc:isakmp          *:*
 UDP     ches-pc:1027            *:*
 UDP     ches-pc:3008            *:*
 UDP     ches-pc:3473            *:*
 UDP     ches-pc:6514            *:*
 UDP     ches-pc:6515            *:*
 UDP     ches-pc:netbios-ns      *:*
 UDP     ches-pc:netbios-dgm     *:*
 UDP     ches-pc:1900            *:*
 UDP     ches-pc:ntp             *:*
 UDP     ches-pc:1900            *:*
 UDP     ches-pc:3471            *:*
FreeBSD partition, this laptop
  (getting out of the game)
 Active Internet connections (including servers)
 Proto Recv-Q Send-Q Local Address
 tcp4       0      0 *.22
 tcp6       0      0 *.22
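The profiles above are easier to judge with a little help: which of those sockets can another machine actually reach? As an added example (not part of the slides), here is a small Python parser for Windows `netstat -a` output that keeps TCP sockets in state LISTENING and every bound UDP socket, and marks each as exposed unless it is bound to the loopback address. The sample input mixes lines from the Windows ME profile above with constructed lines; the table mapping service names to port numbers is an assumption drawn from the IANA assignments.

```python
# Added example (not from the slides): classify the sockets in Windows
# `netstat -a` output by whether other machines can reach them.
from dataclasses import dataclass

# Names Windows netstat prints for well-known ports (IANA assignments).
# `netstat -an` prints numbers instead; extend this table if a name is missing.
SERVICE_PORTS = {
    "epmap": 135, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
    "microsoft-ds": 445, "isakmp": 500, "ntp": 123, "http": 80, "smtp": 25,
}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

@dataclass(frozen=True)
class Listener:
    proto: str      # "TCP" or "UDP"
    address: str    # local address exactly as netstat printed it
    port: int
    exposed: bool   # True unless bound to a loopback address

def parse_port(token: str) -> int:
    """Turn '139' or 'netbios-ssn' into a port number."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}; rerun with netstat -an")

def parse_netstat(text: str) -> list[Listener]:
    """Return one Listener per socket that is waiting for traffic."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                    # banner, column header or blank line
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        # TCP lists every socket, but only LISTENING ones accept connections.
        # UDP has no state column: every bound socket is a listener.
        if proto == "TCP" and state != "LISTENING":
            continue
        host, _, port_token = local.rpartition(":")
        # A resolved name such as "ches-pc" hides whether the socket sits on
        # loopback, so it is counted as exposed (the conservative choice).
        exposed = host not in LOOPBACK and not host.startswith("127.")
        listeners.append(Listener(proto, host, parse_port(port_token), exposed))
    return listeners

def exposed_ports(text: str) -> list[tuple[str, int]]:
    """Sorted (proto, port) pairs that other machines could connect to."""
    return sorted({(l.proto, l.port) for l in parse_netstat(text) if l.exposed})

# Sample input: lines from the Windows ME profile on the slides, plus three
# constructed lines (an ESTABLISHED connection and two XP-style named entries).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    223.223.223.10:139     0.0.0.0:0              LISTENING
  TCP    223.223.223.10:1044    64.10.0.3:80           ESTABLISHED
  TCP    ches-pc:epmap          ches-pc:0              LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    223.223.223.10:137     *:*
  UDP    ches-pc:ntp            *:*
"""
```

Running `exposed_ports(SAMPLE)` reports five reachable listeners and leaves out the loopback-only TCP 1032 and the ESTABLISHED connection, which is not a server socket at all.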
It is easy to dump on Microsoft, but many others have made the same mistakes before
    Default services
SGI workstation, c. 1995
ftp      stream  tcp      nowait  root      /v/gate/ftpd
telnet   stream  tcp      nowait  root      /usr/etc/telnetd
shell    stream  tcp      nowait  root      /usr/etc/rshd
login    stream  tcp      nowait  root      /usr/etc/rlogind
exec     stream  tcp      nowait  root      /usr/etc/rexecd
finger   stream  tcp      nowait  guest     /usr/etc/fingerd
bootp    dgram   udp      wait    root      /usr/etc/bootp
tftp     dgram   udp      wait    guest     /usr/etc/tftpd
ntalk    dgram   udp      wait    root      /usr/etc/talkd
tcpmux   stream  tcp      nowait  root      internal
echo     stream  tcp      nowait  root      internal
discard  stream  tcp      nowait  root      internal
chargen  stream  tcp      nowait  root      internal
daytime  stream  tcp      nowait  root      internal
time     stream  tcp      nowait  root      internal
echo     dgram   udp      wait    root      internal
discard  dgram   udp      wait    root      internal
chargen  dgram   udp      wait    root      internal
daytime  dgram   udp      wait    root      internal
time     dgram   udp      wait    root      internal
sgi-dgl  stream  tcp      nowait  root/rcv  dgld
uucp     stream  tcp      nowait  root      /usr/lib/uucp/uucpd
More default services (cont.)
mountd/1            stream  rpc/tcp  wait/lc  root  rpc.mountd
mountd/1            dgram   rpc/udp  wait/lc  root  rpc.mountd
sgi_mountd/1        stream  rpc/tcp  wait/lc  root  rpc.mountd
sgi_mountd/1        dgram   rpc/udp  wait/lc  root  rpc.mountd
rstatd/1-3          dgram   rpc/udp  wait     root  rpc.rstatd
walld/1             dgram   rpc/udp  wait     root  rpc.rwalld
rusersd/1           dgram   rpc/udp  wait     root  rpc.rusersd
rquotad/1           dgram   rpc/udp  wait     root  rpc.rquotad
sprayd/1            dgram   rpc/udp  wait     root  rpc.sprayd
bootparam/1         dgram   rpc/udp  wait     root  rpc.bootparamd
sgi_videod/1        stream  rpc/tcp  wait     root  ?videod
sgi_fam/1           stream  rpc/tcp  wait     root  ?fam
sgi_snoopd/1        stream  rpc/tcp  wait     root  ?rpc.snoopd
sgi_pcsd/1          dgram   rpc/udp  wait     root  ?cvpcsd
sgi_pod/1           stream  rpc/tcp  wait     root  ?podd
tcpmux/sgi_scanner  stream  tcp      nowait   root  ?scan/net/scannerd
tcpmux/sgi_printer  stream  tcp      nowait   root  ?print/printerd
9fs                 stream  tcp      nowait   root  /v/bin/u9fs u9fs
webproxy            stream  tcp      nowait   root  /usr/local/etc/webserv
           Types of malware
•   Worms
•   Viruses
•   Trojans
•   Cookies
•   Adware
•   Keystroke loggers
                worms
• Stand-alone programs that propagate
  themselves through computers
• Usually enter via network ports
[Figure: Witty worm infections, world map (David Moore, CAIDA)]
[Figure: Witty worm infections, USA (David Moore, CAIDA)]
                 viruses
• Programs that propagate by infecting other
  programs
• Spread by infecting other programs on a
  computer, and moving infected programs
  to other machines, e.g. through mail
  attachments
                  trojans
• Programs that appear useful, but may
  have evil side effects.
  – Imagine a tax preparation program that
    erases your disk on April 14
                cookies
• Data stored on your computer by a web
  server, and returned to that server on
  future connections
• Used to track you and your activities
• Not always a bad thing
• Not an executable program
                 adware
• Programs that reside in your computer for
  marketing purposes
• May track your browsing, spending, or
  network activities
         Keystroke loggers
• Hardware or software that records your
  keystrokes
• Great way to collect passwords, credit
  card numbers, etc.
        Remedies

Do you know enough to fix your own computer?
          Homepage data
• Default settings
• Amount of graphics
• OS forcing a default
• Adaware forcing a default
• Various broadband difficulties with
  graphics
• So much CPU activity that homepage
  can’t load
You may need to back up yesterday
• Pay attention to small differences in your
  computer’s behavior
• Don’t wait for a month to go by before
  asking someone else
• Write down error messages
• Go somewhere else to check the errors
  – The Bernardsville Public Library
Don’t open a new program until you’ve read tomorrow’s paper
     Circuits, Thursday NYT
     Personal Journal, WSJ
               CNET
Help comes in many guises

 http://blogs.msdn.com/ie/archive/2005/01/11/350949.aspx
                     www.sans.org

• Delivered-To: Lepac@cheswick.com
  From: The SANS Institute <Webcast@sans.org>
  Subject: Internet Storm Center Threat Update and What Works in Intrusion Prevention Webcasts

  Please sign into the SANS Portal for upcoming complimentary webcasts in January 2005. On Wednesday, January 12, 2005, the Internet Storm Center will present the latest "Threat Update." On Thursday, January 20, 2005, SANS will host "What Works in Intrusion Prevention."




http://tired-of-spam.home.comcast.net/eblocs.html
              System Tools
•   Disk defragmenter
•   Chkdsk /f
•   Dr Watson     http://watson.addy.com/
•   Add/Remove Programs
•   Auto-update for Windows XP
•   SP2
•   Taskmanager

           Programs that help
• Up-to-date Anti-virus software
• Trojan Hunter
• Spybot Search and Destroy
• Adaware
• Avert Stinger
• McAfee targeted trojan and virus removal
  programs
• Firewalls
              Websites
•   Download.com
•   CNet.com
•   Google.com
•   McAfee.com
•   Symantec.com
•   CERT.org


                  Backup
• What you have to lose




           Set System Restore points
• Make sure you have Operating system
  source Disks
• You may have to buy a new Operating
  system or upgrade your computer
• Make sure you have product keys and
  authentication.
• Caution requires a minimum of two
  locations
               Hardware tools
•   Key drives
•   External HD
•   External zip drives
•   CD-R or equivalent




           Hardware v Software
• Software needs continual updates
• Hardware can be neglected, or you can
  forget the passwords to the interface




              Updates
• To auto update or not
• Download but prompt to install
• Manual install




               Passwords
• 8 or more characters, mixed letters and
  numbers
• Sentence
• Dictionary attack
• Foreign words
• equations



                 Encryption
•   At what level
•   Wireless network
•   Router password
•   Server
•   Super user
•   Computer
•   US v. the rest of the world: 128-bit
    encryption
            Free software
• Only works in emerging types of program
  solutions
• Then only until the programmers are in
  school or dating
• Success can be overwhelming and
  eventually you have to buy coke.



           System administration
• Windows machines do not have automation
  to make it easy.




                   Causes
• Buffer overflow errors
• Port use
• TCP/IP co-opting




            Progression
• Internet
• Network
• Your machine




Weekly Reader for the System Administrator
• X-Original-To: Lepac@cheswick.com
  From: The SANS Institute <Webcast@sans.org>
  Subject: Internet Storm Center Threat Update and What Works in Intrusion Prevention Webcasts

  Please sign into the SANS Portal for upcoming complimentary webcasts in January 2005. On Wednesday, January 12, 2005, the Internet Storm Center will present the latest "Threat Update." On Thursday, January 20, 2005, SANS will host "What Works in Intrusion Prevention."




If it’s Tuesday it’s another Microsoft Security Bulletin
http://netsecurity.about.com/cs/windowsxp/a/aa041404.htm
                                                           @RISK
•   X-Original-To: Lepac@cheswick.com
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    Your Defense In Depth and Roadmap to Network Security poster should have
    arrived (if you live in the US or Canada). If you didn't get one, you
    can still see which security tools actually work and what constitutes a
    complete defense in depth at www.sans.org/whatworks.
    *************************************************************************
             @RISK: The Consensus Security Vulnerability Alert
    January 13, 2005                                  Vol. 4. Week 2
    *************************************************************************
    @RISK is the SANS community's consensus bulletin summarizing the most
    important vulnerabilities and exploits identified during the past week
    and providing guidance on appropriate actions to protect your systems
    (PART I). It also includes a comprehensive list of all new
    vulnerabilities discovered in the past week (PART II).
    Summary of the vulnerabilities reported this week:
    - -----------------------------------------------------------------------
    Category                              # of Updates & Vulnerabilities
    - -----------------------------------------------------------------------
    Windows                                       3 (#1, #2, #5, #12)
    Third Party Windows Apps                               6 (#6, #11)
    Unix                                      6 (#7, #9)
    Novell                                     2
    Cross Platform                                  3 (#3, #4)
    Web Application                                  13 (#8, #10)
    Network Device                                   2
    Hardware                                      1
    ______________________________________________________________________




                  CERT

• Community Emergency Response Team
• http://www.cert.org/
Smart phone hacking exploits

http://www.techweb.com/article/printableArticle.jhtml?articleID=56200144&site_section=700028
      Security by Obscurity


“Please do not Forward, CC, or BCC this
E-mail outside of the XXXX-security-
discuss community. Confidentiality is
essential for effective Internet security
counter-measures.”
Legitimate Companies doing possibly illegitimate things
• http://www.wildtangent.com/
• http://www.weatherbug.com/
• http://www.apple.com/itunes/
• http://www.aim.com/
One Case Study
• http://www.eblocs.com/
• http://tired-of-spam.home.comcast.net/eblocs.html
• http://www.nationaldonotemail.com/cart11.html
• http://www.spywarewarrior.com/rogue_anti-spyware.htm
             Windows XP
• Could not open any programs
• No processes in Task manager were
  obvious CPU hogs
• Could not get a number of Pop-ups off the
  desktop, including a “faulty” load of eBlocs




                 Programs
• Different versions have different security
  features
• Automatic updates can break security in
  one way or another
• Not having automatic updates can kill a
  computer



           Default settings
• Make sure important switches are turned
  off
• Read anything marked Security in a
  program you want to use
• Manual v Automatic Updates
• Reminders



Plan B: Get out of the Game
Plan B: non-Microsoft operating systems
• For a business, this can be hard
     – Are the applications you want to run available
       and viable on your Plan B system
     – Will you have trouble exchanging information
       with your customers?
     – What kind of support requirements does the
       system have, and can you find support
       people?


           Some Plan B choices
•   Apple Macintosh
•   Linux (many flavors)
•   Unix (several flavours)
•   Open source software




              Apple Macintosh
• A long-time favorite of artists
     – Handles things like photos and movies better
       than common Windows applications
• More stable than Windows
• Requires much less maintenance than
  Windows
• Much less malware directed at it
• Hardware and software is more expensive
                         Linux
• Most versions of Linux are free
     – May be downloaded and installed on the net
• Gnoppix – linux without bothering your
  hard drive: http://www.gnoppix.org




                         Unix
• Software workbench for much of the world
• FreeBSD, OpenBSD, NetBSD are the common
  ones
    – Also commercial versions for HP, Sun, etc.
•   Non-commercial versions are free
•   Very high quality software
•   Very robust
•   May lack the application or drivers you need
         Open source software
•   Free software that you can build yourself
•   Many improve it
•   Wikipedia is an open source encyclopedia
•   Open source
    – Mozilla Firefox (web browser)
    – Gaim (instant messenger)
    – Mythtv (PVR, like TiVo)