Vulnerability Development mailing list archives
Followup: Zone Alarm and Akamai -- not either one. (blush).
From: j nickson <jnickson () TOGETHER NET>
Date: Mon, 16 Oct 2000 03:39:30 -0400
Followup: Zone Alarm and Akamai. Well, this is too long, but it may help someone.

Summary: UDP probes and DNS spoofing from your ISP are generally recommended to be ignored by various authorities such as the Black Ice advice area. This advice may be misleading in some circumstances. Probably this is generally good advice for the first minute or two at most, but in the following situation it is more likely that the system concerned was hosting some hostile process.

-------------------------------------------------
Background:
Win 98 SE, no sound card, no Real Audio, ver 4.10.2222
Modem connection to temporary IP addresses (naturally) ...
Netscape 4.08, no Netcaster, all Java turned off, JavaScript sometimes on, sometimes off.
Opera 3.62 also with Java off, JavaScript sometimes.
No chat ever.
All e-mail through Eudora with HTML and advanced formatting OFF.
Internet Explorer exists but is never used.
Outlook Express is not on the system.
Scripting server is not on the system.
Black Ice Defender, Zone Alert and Web Washer are all latest releases. Webwasher set to allow initial JavaScript but blocking all terminating JS.

UDP probe history: usually five per hour or so. DNS spoofing reported from one ISP regularly. Probably irrelevant, but this ISP recently had "router problems" whose external symptoms were remarkably like the ones described in a different thread on this group. This ISP ignored e-mail asking for further advice on their DNS spoofs.

GRC.COM Shields Up consistently reports the system as "stealth" and no NetBIOS exposed, as expected.
----------------------------

This Sunday morning I was checking news and weather and got 44 UDP probes in about ten minutes. I closed all network applications, locked Zone Alert (ZA) and thought for a bit. Went to get coffee, sat down again and *then* ZA popped a message:

---------------------------------------
The firewall has blocked Internet access to a388.g.akamai.net (63.160.183.233) (HTTP) from your computer.
Time: 10/15/00 8:13:08
----------------------------------------

It turns out Akamai is used by CNN; that much is solved. Why "my computer" was requesting something about two minutes after Netscape had been terminated escapes me. Connection killed.

I connected a few times, switching ISPs and to and from Black Ice (all FWs latest copies), and got similar results: UDP probes, perhaps one per minute, not quite the outrageous rate of 44 in ten or eleven minutes of the first session. No, they were not front-end loaded, pretty evenly distributed in bursts. I switched back to ZA. I believe I re-booted but am not 100% on that. Note that Black Ice Defender was no longer in memory. Zone Alert was running. I connected with an ISP with ZA "locked" and in a while, not immediately, got this message (note blackd is the BI Defender daemon):

---------------------------------------
blackd tried to connect to the Internet (209.198.87.40), but was denied access by the Internet Lock.
User: *********************
Program: blackd
Time: 10/15/00 9:19:58
------------------------------------------

I Ctrl-Alt-Del'd to look at the top level running tasks and neither blackd nor Black Ice was listed. I know there are more detailed task lists, but I did not have them handy at the moment. It was pretty clear the system was ill or boggled. Phantom program requests.

By noon I had de-installed and re-installed BI and ZA and Webwasher and was connecting, generally with Zone Alert locked. Little changed -- usually five UDP probes or so in the first ten minutes. A little after that I browsed the same sites that I had in the morning, then terminated all applications, locked ZA and a few minutes later got:

------------------------------------------
The firewall has blocked Internet access to 216.15.66.222 (HTTP) from your computer.
Time: 10/15/00 12:38:38
-------------------------------------------------

which is a Microsoft site advertising IIS. I have not been to a Microsoft site for weeks. I tend to avoid them as they do not seem careful about individuals' privacy concerns. Again ZA was locked and NO internet applications such as browsers were running. It was pretty clear that the computer was boggled.

I picked up a Trumpet Winsock 5.0 (great product) but it is Winsock 1.1 compatible, and the FWs and WebWasher require Winsock 2.0. It browsed great, but no FW support. De-install Trumpet.

Then
- Many larger apps were removed (Star Office, JBuilder, Delphi, ...).
- Zone Alert, Web Washer and removed.
- Various document areas backed up again and some zipped also.
- File hashes taken for all files (I generally only do C:).
- The world defragged.
- The registry cleaned using MS RegClean.
- Zone Alert, Black Ice and Webwasher re-installed in new places.
- When this is done and the configuration checked, Zone Alert shows an app I never approved, JAVA.EXE. I can attest that it was not in the Webwasher list of programs before. I would have noticed; I hate Java for on-line. Great. Who or what got to ZA's list? Hidden in the Registry is my guess. I remove it. I double check and there is no Java.exe on the system now. Listed in the registry under a compatibility key? I remove it.
- Each of Eudora, Netscape, Opera run separately; the key does not re-appear. I am almost certain there was one inside the Inprise/Borland package which is now removed. JAVAxxx's permeate any modern system.

---------------------------
It is now about 19:00 and I reconnect to the internet. No UDP probes. No more DNS spoofs. Three hours of connect time later I have *one* suspicious UDP probe. I also tested "hangover requests" by locking ZA in the middle of browsing and have not gotten any hangover requests after about 30 seconds. I see nothing in the several-minute range.

The difficulty with this procedure is that repair took roughly 11 hours, and to have single-stepped and checked all the way through to determine an exact cause would have taken days, which are not available.

A sarcastic and mathematically inclined friend is fond of saying, "Windows is a reliable state machine as turning it on, or using it, or any change reliably takes it from one unknown state through an unknowable function to a new unknown state." However, in the new state:

Black Ice is reliable and no longer sending messages when it is not loaded. It is not implicated in any way.
The system is not apparently connecting to Redmond spontaneously.
The system is no longer asking for things or sending information several minutes after the relevant program has been terminated.
Lower level DLLs may have been altered; however, none in C: were. The removal of many apps may have removed attack traces, and as I do not keep apps on C:, they did not have hashes/signatures anyway.
UDP probes went from a peak of 44 in ten minutes to 0.33 per hour. I have not seen a DNS spoof.
Something serious changed.

Learnings:
UDP probes and DNS spoofs are not as harmless as some docs indicate. DNS spoofs can be really serious. Naturally I never went to any account sites after seeing one. One of my two ISPs should have answered my e-mail of several weeks ago about this, but they did not. I will cheerfully be an expert witness, or recommend some, that such behavior does not meet "Due Care" or minimum professional standards should someone be severely damaged by such ISP behavior. If you have asked them about such a problem and gotten no response, and then your bank account is remotely cleaned out, the ISP might bear considerable liability.

Black Ice is great for other reasons, but ZA has the ability to block all internet access NOW and report on attempts. This is a really good feature. I recommend that every once in a while you start up with everything locked, and also once in a while shut all network applications and lock ZA and watch for a few minutes while still connected. There are explainable exceptions, but Nothing Happening is the hoped-for case. That is what I get now.

I intend to alternate between BI and ZA every week or two. If you have only one, it might not be a bad idea, particularly if you are getting hit, to de-install, RegClean, re-install in a different location. It takes but a few moments and might clean up any attack leavings. Of course all my primary passwords are changed.

No particular product was implicated except of course the Windows Architectural Hairball (Cowpland), but I am almost but not quite ready to switch to Linux entirely.

-------------------------------------------------
James Nickson, CDP
voice: 603-256-8055
10 Merrifield, W. Chesterfield, NH, 03466-3131
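The lock-and-watch test the post recommends (close every network application, lock the firewall, and see what still tries to go out) can be scripted against the firewall's own alert text. The following is an added example, not code from the post or from ZoneAlarm or Black Ice: it parses alert lines constructed in the two shapes quoted in the post, takes the time the lock was applied, and flags attempts that occur well after the lock (the "hangover" requests the author describes) as well as programs that are not on the allow list the user knowingly approved (the JAVA.EXE surprise). The sample alerts, hosts, addresses and times are made up; `hangover_check`, `parse_alert`, `parse_time` and the 30-second grace period are this example's own choices, not anything the firewalls provide.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in the two shapes ZoneAlarm produced in the post
# (a blocked outbound HTTP request, and a program denied by the Internet Lock).
# Every host, address, user and time below is made up for this example.
SAMPLE_ALERTS = [
    "The firewall has blocked Internet access to www.example.net (192.0.2.10) (HTTP) "
    "from your computer. Time: 10/15/00 8:11:40",
    "The firewall has blocked Internet access to cdn.example.net (192.0.2.11) (HTTP) "
    "from your computer. Time: 10/15/00 8:13:08",
    "blackd tried to connect to the Internet (198.51.100.40), but was denied access "
    "by the Internet Lock. User: **** Program: blackd Time: 10/15/00 8:19:58",
    "JAVA.EXE tried to connect to the Internet (203.0.113.7), but was denied access "
    "by the Internet Lock. User: **** Program: JAVA.EXE Time: 10/15/00 8:20:30",
    "Some unrelated status line that is not an alert",
]

TIME_FMT = "%m/%d/%y %H:%M:%S"
TIME_PAT = r"(?P<time>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2})"

# "blocked Internet access to <host> (<ip>) (<proto>) ..." -- the (<ip>) part is
# absent when the alert names a bare address, so it is optional here.
BLOCKED_RE = re.compile(
    r"blocked Internet access to (?P<dest>\S+)(?: \((?P<ip>[\d.]+)\))? "
    r"\((?P<proto>\w+)\) from your computer\. Time: " + TIME_PAT
)
# "<prog> tried to connect to the Internet (<ip>), but was denied access by the
# Internet Lock. User: ... Program: <prog> Time: ..."
LOCK_RE = re.compile(
    r"tried to connect to the Internet \((?P<ip>[\d.]+)\), but was denied access "
    r"by the Internet Lock\..*?Program: (?P<prog>\S+) Time: " + TIME_PAT
)


def parse_time(text):
    """Parse the firewall's 'MM/DD/YY H:MM:SS' timestamp (hour may be one digit)."""
    return datetime.strptime(text, TIME_FMT)


def parse_alert(line):
    """Turn one alert line into a dict, or return None for non-alert lines."""
    m = BLOCKED_RE.search(line)
    if m:
        return {"kind": "blocked", "program": None, "dest": m["dest"],
                "ip": m["ip"] or m["dest"], "proto": m["proto"],
                "time": parse_time(m["time"])}
    m = LOCK_RE.search(line)
    if m:
        return {"kind": "lock", "program": m["prog"], "dest": m["ip"],
                "ip": m["ip"], "proto": None, "time": parse_time(m["time"])}
    return None


def hangover_check(lines, lock_time, approved, grace=timedelta(seconds=30)):
    """Return findings for outbound attempts that are suspicious after a lock.

    lock_time -- when all network applications were closed and the lock applied
    approved  -- program names the user knowingly allowed (case-insensitive)
    grace     -- how long after the lock a straggling request is still plausible
    Each finding is (time, who, reasons); reasons is a list of short strings.
    """
    approved_lc = {p.lower() for p in approved}
    findings = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        reasons = []
        if alert["time"] - lock_time > grace:
            reasons.append("late")          # request long after every app was closed
        if alert["program"] is not None and alert["program"].lower() not in approved_lc:
            reasons.append("unapproved")    # program never added to the allow list
        if reasons:
            who = alert["program"] or alert["dest"]
            findings.append((alert["time"], who, reasons))
    return findings


if __name__ == "__main__":
    lock_at = parse_time("10/15/00 8:11:30")   # constructed lock time
    for when, who, why in hangover_check(SAMPLE_ALERTS, lock_at, approved=["blackd"]):
        print(f"{when:%H:%M:%S} {who:<20} {', '.join(why)}")
```

Run as-is, the script reports the second HTTP request (98 seconds after the lock), the blackd attempt (approved, but far too late) and JAVA.EXE (late and never approved); the first request, ten seconds after the lock, is treated as a normal straggler. With a real firewall log the grace period is the knob to tune: the post's own observation was that a healthy system goes quiet within about 30 seconds, and anything in the several-minute range deserves a look.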