Re: fun with posiden rootkit

[Dave Dittrich <dittrich () cac washington edu>]

On Mon, 25 Mar 2002, Skip Carter wrote:

> > - sometimes checking failed script-kiddies can be entertaining if time
> >   permits to look around for any funny stuff
>
>   I had one incident that I investigated for a client recently.
>
>   It was the usual: gain entry, install rootkit, install password
>   scanner, etc.  Except he did it in the wrong order, so that his
>   password scanner caught his own connection back to his rootkit
>   archive; so when I started my investigation I was able to log in
>   to his archive and pick up his entire stash of tools.

I can't tell you how many times I've seen that over the years,
e.g.:

        http://staff.washington.edu/dittrich/talks/security/case1/hacksniff.txt

This kind of thing is, according to an Assistant US Attorney, "a slam
dunk" violation of the Wiretap statute.  With a little correlation
of events via timestamps on files and other logins in the sniffer
file, you can show a direct link between an intruder, the sniffer,
and the "fruits of crime" (the sniffed passwords).  If you can get
the owner of the site to save a copy for law enforcement (rather than
popping in yourself and copying files), there is corroborating
evidence from an independant source.

Then again, I've also seen the following:

/*
 * dontsniff2.c by XXXXXXXX (today: 13 Nov 1998)
 * Regards to both XXXXXX and XXXXXXX ;)
 * Paper:
 *  T.Ptacek, T.Newsham "Insertion, Evasion, and Denial of Service: Eluding
 *  Network Intrusion Detection," Secure Networks, Inc. January, 1998
 * Greetings to XXX@!#$
 * Description:
 *  this daemon add little protection from some kind of sniffers and IDS
 * How it work (in default mode: -fffdFD):
 *  1. send fake data packets with random garbage on every ACK packet -
 *      - sniffer log fake data.
 *  2. send fake FIN packets on every SYN packet -
 *      - sniffer "think" connection closed and stop logging.
 * "fake" mean - it good packets for sniffer but really ignored by most
 *   of computer systems in internet cause they have invalid sequence number.
 */

Moral of the story: don't expect to be lucky all the time, and trust
packets found on the network, not files found on a compromised host.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com