Case where AV is useless

Discussion in 'other anti-virus software' started by NetWatchman, Sep 5, 2002.

Thread Status:
Not open for further replies.
  1. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    I am by no means against AV, however, I think way too many users think of it as a comprehensive solution...when for some types of attacks it provides absolutely ZERO protection.

    Here is an intrusion investigation I just completed which demonstrates this point:

    I'm not running a file server, am I?
    http://www.mynetwatchman.com/kb/security/articles/winforensics

    I spent about 3 days putting the above together...hope you find it interesting...it also gives a pretty good start on how to perform a forensic analysis of a Windows based system when intrusion is suspected.
     
  2. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    A totally fascinating read! Thanks for posting it.
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Compliments are in place, Lawrence!

    Securiteam reported about the abuse from Iroffer earlier on this year, and there surely is an analogy here:

    "Increased Hacking Activity Associated with Underground File-Sharing Networks


    Summary
    ISS X-Force has been tracking several large file-sharing networks that are being used to trade terabytes of pirated software and movies. These networks consist of hundreds of compromised machines that are remotely controlled by software and movie pirates to distribute files. These pirates are actively attempting to compromise high-bandwidth servers at universities and web-hosting providers in order to expand the reach and distribution capabilities of their existing file-sharing networks.


    Details
    Impact:
    Computers infected with the rogue file-sharing software may be unknowingly participating in a massive underground file-sharing network. These large "bot" networks are extremely popular and may be responsible for enormous bandwidth utilization.

    This bot software may also install Trojan horse software that allows a remote attacker to gain access to the system. The remote attacker does not need further access to the infected target in order to utilize its resources.

    Description:
    IRC, or Internet Relay Chat, is perhaps the oldest worldwide Internet chat network in existence. The original IRC was brought online in 1988.

    Historically, IRC has been favored by the computer underground over other chat networks. Hackers continue to use IRC to congregate, discuss tactics and techniques, and trade hacking tools. Recently, IRC has been used to control large numbers of IRC-aware distributed denial of service (DDoS) zombie programs and "warez" distribution bots. These tools are typically modified backdoor or Trojan horse programs that are designed to connect to IRC where they can be controlled from IRC channels.

    IRC bots have become much more sophisticated in recent years as their authors find new applications for their use. The first IRC bots were simple scripts designed to maintain IRC channel rules and to distribute information to IRC users. They have evolved into remote controlled backdoor programs, DDoS zombies, and warez distribution programs.

    There is increasing overlap between the hacking and warez communities as software pirates are now borrowing techniques and tools from the hacking community. Backdoors are installed on computers in order to connect them to IRC-based file-sharing networks. These attackers attempt to compromise low risk/high reward systems, such as servers in .edu domains, home broadband users, web hosting companies, and Internet Service Providers. All of these targets are similar because they are not heavily protected and have a large amount of available bandwidth.

    Pirates needed to increase their storage and bandwidth capabilities due to the size of modern software packages and the popularity of downloading pirated movie files. These files are several hundred megabytes in size, so it is cost-prohibitive for warez pirates to use their own servers to distribute this material.

    The largest file-sharing IRC bot networks have 300-400 bots, all logged into the same IRC network and listening on the same IRC channel. The larger channels can have several hundred to thousands of individuals downloading files from these bots. Some bot networks are restricted so that normal IRC users cannot download files. However, most of these networks are public, allowing normal IRC users to download pirated files without restrictions. IRC bots like "iroffer" are especially user friendly and provide instructions to novice pirates on how to download files.

    Iroffer is a standalone executable written specifically for file sharing over IRC. This bot is a fileserver/file-sharing server. It allows users to forward requests to the server through IRC channel commands and initiate downloads via DCC (Direct Client Connection). Iroffer is updated frequently to enhance network performance and to optimize download times.

    Iroffer's features include the ability to limit the amount of bandwidth used in general and by time and date, remote administration via DCC chat, virtual host support, high-performance CPU/memory and network code, logging features, and DCC resume support. Iroffer is available for a variety of UNIX platforms as well as in Windows binary format. Currently, Iroffer is very popular in IRC channels that deal with pirated movies, video game console software, computer software, mp3 music, and pornography.

    Typical Iroffer bot advertisement:
    deleted - Forum Admin

    Iroffer IRC bots periodically broadcast to an IRC channel that files are available, instructions on how to download them, and statistics to help software pirates determine how fast the bot's network connection is.

    Pirates install rogue FTP servers on bot servers to facilitate uploading and downloading as well as for transferring pirated files to other bot networks. Some of these back-end file distribution functions are automated while others are executed manually by the bot owners. These rogue FTP servers are frequently hard to detect and are typically run on high ports. Common FTP servers used for this purpose are "raidenftpd" and "bulletproof FTP server" (formerly Gene6) available for Windows, and "glftpd" available for UNIX. These FTP servers are used more often because they are easier to control remotely, have advanced administration capabilities, and allow for some automation of their functionality through third party plug-in scripts."

    If only people...oh well, let's face it: safe hex and prevention are fairly unknown and unused by most people, alas.

    On a side note: it's for good reasons that the anti-trojan TDS3 covers Iroffer on its primary list.

    regards.

    paul
     

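The advisory quoted above names two things a defender can actually observe on a compromised host: a long-lived session from a server process to an IRC server port, and a rogue file server listening on an unexpected high port with clients attached. The following Python script, added here as an illustration and not part of the thread or of the Securiteam/ISS text, applies both checks to constructed `netstat -ano` style output; the addresses, ports and PIDs in the sample are invented, and the allow-list of legitimate high ports is an assumption to be tuned per host.

```python
from collections import Counter

# Constructed sample in the layout of Windows "netstat -ano" (invented addresses and PIDs).
SAMPLE = """\
  TCP    0.0.0.0:139          0.0.0.0:0             LISTENING       4
  TCP    0.0.0.0:40000        0.0.0.0:0             LISTENING       1488
  TCP    192.0.2.10:1059      198.51.100.7:6667     ESTABLISHED     1488
  TCP    192.0.2.10:40000     203.0.113.5:2231      ESTABLISHED     1488
  TCP    192.0.2.10:40000     203.0.113.9:4410      ESTABLISHED     1488
  TCP    192.0.2.10:1100      198.51.100.20:80      ESTABLISHED     900
  UDP    0.0.0.0:137          *:*                                   4
"""

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # common IRC server ports

def parse_netstat(text):
    """Parse the TCP rows of netstat -ano output (UDP rows have no state and are skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank, UDP or unrecognised line
        proto, local, remote, state, pid = parts
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"lport": int(local.rsplit(":", 1)[1]), "rhost": rhost,
                     "rport": int(rport), "state": state, "pid": int(pid)})
    return rows

def find_suspicious(rows, allowed_listen=frozenset({3389})):
    """Flag sessions to IRC server ports and listeners on unexpected high ports,
    counting how many remote clients each such listener is currently serving."""
    findings, listeners = [], {}
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS:
            findings.append(("irc-session", r["pid"], r["rhost"], r["rport"]))
        if r["state"] == "LISTENING" and r["lport"] > 1024 and r["lport"] not in allowed_listen:
            listeners[r["lport"]] = r["pid"]
    clients = Counter(r["lport"] for r in rows
                      if r["state"] == "ESTABLISHED" and r["lport"] in listeners)
    for port, pid in sorted(listeners.items()):
        findings.append(("high-port-listener", pid, port, clients[port]))
    return findings

def pids_with_both(findings):
    """PIDs that hold an IRC session and also serve a high port: the bot-plus-fileserver pattern."""
    irc = {f[1] for f in findings if f[0] == "irc-session"}
    srv = {f[1] for f in findings if f[0] == "high-port-listener"}
    return irc & srv
```

Running `find_suspicious(parse_netstat(SAMPLE))` on the sample yields one IRC session and one high-port listener with two attached clients, both owned by the same PID, which is exactly the correlation worth chasing in the process list next.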

  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    It really boggles the mind to think that there are so many people out there with their computers online 24/7, with no protection and their machines are being used at will by crackers around the world.
    I got away from irc a long time ago, but for so many new people that don't have a clue about security, the first thing they do is jump right into irc and chat rooms and within a week are giving total strangers all kinds of personal information. All a guy has to do is act like he is trying to help someone, and soon they are so grateful to him for fixing some little problem, they're ready to get married. Unbelievable.
     
  5. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    NetWatchman, very interesting. I'm wondering though, would not a firewall detect this traffic? Was all this done in spite of a firewall present?
    I agree, there is nothing there for an AV to detect, or even an AT, but a firewall should.
    I think. o_O o_O
    With port 139 blocked or even just NetBios disabled, this cannot happen, right?
     
  6. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    The infected host was in an academic environment. This has to be the most challenging for a security administrator...the whole "default deny" concept totally conflicts with the "openness" of academia.

    Can you imagine trying to protect a campus network...but not being allowed to implement even the most basic firewall rules!

    Let's just say that this end-user has taken matters into his own hands and thrown ZA on every host in his area.
     