RE: Subseven Scans

[Robert Buckley <rbuckley () synapsemail com>]

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Tuesday, August 13, 2002 1:47 PM
To: Robert Buckley; 'Baribault, Gary'; grdnwsl; Rob Keown
Cc: incidents () securityfocus com
Subject: RE: Subseven Scans



> A recon probe against the attacking hosts that were
> up, indicated that they
> are all windows hosts, all with port 139 open to the
> public. Some hosts did
> show signs of being compromised and had virus'
> present. 

Interesting.  How was this determined?

"it was determined by examining the contents of the drive in question, and
seeing a directory
structure that appeared to be one that had been infected. You wont find
normal people creating directories with 
control codes in them, and since more than 1 out of the 20 + hosts had that
type of sign, its assumed they are in 
fact infected with something. It also showed sings that these were not
business systems, and of a home type of system,
which can lead to a conclusion that they were less secure than business
systems, and more prone to have stuff uploaded on them.  Most the hosts had
MS file sharing enabled, with write access from the root of the drive. Just
another sign
to lead to a formidable conclusion"

> It was determined
> that all attacking hosts are unknowingly being used
> to attack other systems.

Really?  How so?  Were you able to conduct a virus
scan of the attacking hosts and determine that the
Trojan or controlling software was actually being
used?  After all, one cannot conclusively determine,
even on an infected system, that the user of the
attacking host was unaware that it was infected, and
had conducted a port scan.  After all, nmap 3.0 was
recently released...and yes, it does run on Win32
(precompiled binary available).  

"see above. Nmap has nothing to do with the equation. It makes no difference
wether it was nmap, or a perl port scanner
or even if the hosts were worming. The fact that the scan took place
sequentially and not at the same time, leads one 
to believe that this is the work of one person hopping from system to
system, quite possibly to try to break ACL's on the borders. Otherwise, a
distributed scan of this type is more likely to happen all at once, in order
to smoke screen the victim, believing that some of the hosts could be
spoofed, or confusing analyses. Instead, the scans were at 1 or so minute
intervals and that has "Im one person" written all over it in the signature
world. There was no effort on my part to determine if an infection on an
attacking host was causing the scan or not. The application source of the
scan made no difference in my analyses"

The above statement is simply too emphatic for me,
without more information.  At best, one can say that
it was determined with a relative degree of certainty
that the attacking host was unknowingly used to attack
other systems.

"see above: a normal distributed scan happens simultaneously. Scanning from
one host to the next at one minute wait time intervals between the scan is
not normal, and indicates, in most cases, that a person is hopping from host
to host"

This goes back to what I mentioned earlier to
Rob...until someone posts some speculation (including
non-reproducable verification steps...or not) and in
the end, the community really hasn't benefited
overall.  

"The community can benefit from whatever they can. I had no intentions of
providing speculation, it just happened as part of the proccess if thats how
one sees it. What I wanted to send to the original writer, is what I
concluded. Not that it is set in stone or otherwise, its up to the analyst
to interpret the data I have given them, false or otherwise."

I'm glad to see that someone took a look at the
hosts...Rob sent me some info about the majority being
from Korea...but I think that it would benefit the
community as a whole to know how those steps were
conducted...how was it determined that the systems
were infected, and how was it determined that the
infection, the malware installed, was actually what
was doing the scanning, and not a port scanner?
 
"It was not my intention to provide how or what tools were used for the
attack, only to provide insight on the hosts 
invloved, and their status, and OS type. That was my intention, and that was
what I provided. Any other queries 
about what tools were invloved, and what infections were present, is not my
concern. My only concern was to provide 
factual data that I had gathered.

1: Windows hosts, all of them - fact.
2: MS Shares at the root level, some of them. - fact.
3: Sequentially scanned, not simutaneous - fact.
4: Hosts were not spoofed. - fact.
5: Some hosts showed signs of virus via the CTRL chars that were used to
create directories on their shares. - fact.
6: How long the attack lasted. - fact.
7: Was the attack successful. - fact.

Thats all I wanted to get to the original poster. All other concerns, moral
values and comments
are not warrented. Do with it what you will. 

Sincerely, RB.

__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com