Information Security News mailing list archives

Honeynet Project's 'honey pot' a sweet success in trapping hacker attacks


From: InfoSec News <isn () C4I ORG>
Date: Mon, 27 Nov 2000 02:34:47 -0600

http://www.infoworld.com/articles/op/xml/00/11/27/001127opswatch.xml

Stuart McClure & Joel Scambray
Friday, Nov. 24, 2000

WHEN LAST WE SPOKE of the Honeynet Project, led by Lance Spitzner, it
had successfully tracked a malicious Pakistani hacker group that was
trying to knock off as many Internet systems as it could (see "'Honey
pot' network can gather evidence for catching and prosecuting
hackers.") Fresh off their success in monitoring the group and handing
over the evidence to federal authorities, the Honeynet team took a
deeper look at the traffic they were capturing and found something
worth investigating further.

During just one month of monitoring, the Honeynet team's "honey pot,"
which poses as a real network to attract hackers, had been scanned by
hundreds of unique IP addresses looking for two particular ports: UDP
(User Datagram Protocol) port 137, used by the NetBIOS Naming Service,
and TCP port 139, the tried-and-true NetBIOS Session Service. This
should not surprise loyal Security Watch students, who know that these
ports, which are the Achilles' heels of Windows 9x/ME computers, turn
users into "easy @Home and DSL victims." Knowing the proliferation of
Windows 9x systems on the Internet and admitting more than idle
curiosity about hackers targeting Windows systems (the Honeynet
Project has been a mostly non-Microsoft entity until recently), the
team decided to build a default Windows 98 system with the entire C:
drive shared to the world -- hoping the "black-hat" bad guys would
come. And come they did.

Let the party begin

Within 24 hours, an attacker from Canada began probing the Windows 98
honey pot. Once he determined sharing was open on the system, he then
searched for a well-known worm Symantec calls the W32.HLLW.Bymer Worm,
which is sometimes called the Win32.Bymer Worm. Unlike many popular
Internet worms, this worm's sole purpose is to take advantage of free
CPU cycles on a victim's computer to help crack Distributed.net's
RC5-64 challenge. This voluntary challenge attempts to use existing
technology in a distributed fashion to download a small portion of the
64-bit key space and crack it. This is the only malicious worm we know
that is designed to assist in this effort.

The Win32.Bymer Worm is a self-replicating worm that finds vulnerable
Windows shares and copies Distributed.net's cracking configuration and
executable files (dnetc.ini and dnetc.exe) to them, followed by the worm
itself (msi216.exe or msi211.exe). But executing a worm on a remote
Windows 9x system is not as trivial as on Windows NT. You can't simply
tell the operating system to execute the newly uploaded file. Attackers
typically have two techniques in their arsenal: they send a
self-executing attachment in a forged e-mail to the user, or they modify
the user's win.ini file to force the worm to load once the system
reboots. This attacker chose the simpler option, modifying win.ini.

When the worm runs from win.ini it adds itself to the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or \RunServices
key. We presume the process allows for redundancy in case the first is
discovered. In addition, the worm runs the legitimate dnetc.exe
program in hide mode to begin cracking RC5-64 passwords. Finally, the
worm searches for other vulnerable systems by randomly picking an IP
address, scanning its ports, and attempting to connect to its shared
C: drive.

Just when the Honeynet monitors thought the roller coaster ride was
over, a second worm nosed its way out of the packet decodes. This one
turned out to be the same, but it was disguised as wininit.exe, the
name of a legitimate Windows 9x file installed by default. The attempt
to confuse the victim by changing the name of the worm in this case
was futile, but in many instances it is all the attacker needs to
continue the onslaught.

But the fun didn't stop there. The Honeynet network suffered another
three attempts to infect its Windows 98 honeypot system the following
day, all in the same manner. Sometimes the lure of always-on Internet
home users is all too attractive for the black-hats. If after reading
this column you decide to review your own Windows systems for the
worms, a number of free and commercial products can do the trick,
including The Cleaner from MooSoft and Symantec's anti-virus software.
To check for the massive "global sharing of drive C:" misconfiguration
vulnerability, just go to a command prompt and type "net shares." If
your root drive is shared, remove the share immediately. If you must
keep root drive shares open, then check to make sure passwords are
enabled, and strong!
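As an added defender-side example, not code from the column or from the Honeynet Project, the following Python checks the two persistence points the column describes: the run=/load= line of win.ini and the HKLM Run/RunServices keys, read here from a .reg-style export rather than the live registry. The sample win.ini and registry export are constructed for this example; the filename list is the one the column gives (msi216.exe, msi211.exe, wininit.exe, dnetc.exe).

```python
import configparser
import ntpath
import re

# Constructed sample win.ini (not a capture): the worm appends itself to the
# run= line of [windows] so that Windows 9x starts it at the next boot.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\msi216.exe
[Desktop]
Wallpaper=(None)
"""

# Constructed .reg-style export of the two autostart keys the column names.
SAMPLE_REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"wininit"="C:\\WINDOWS\\SYSTEM\\wininit.exe"
"""

# Filenames the column attributes to the worm and its dropped payload. The real
# Windows 9x wininit.exe is started by the boot process, never from an autostart entry.
WORM_FILES = {"msi216.exe", "msi211.exe", "wininit.exe", "dnetc.exe"}
AUTOSTART_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunServices")

def _is_worm_program(command):
    exe = command.split()[0] if command.split() else ""  # first token, drop arguments
    return ntpath.basename(exe).lower() in WORM_FILES

def scan_win_ini(text):
    # Returns (key, program) pairs from [windows] load=/run= that name a worm file.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(text)
    hits = []
    for key in ("load", "run"):
        value = cp.get("windows", key, fallback="") or ""
        # load= and run= accept several programs separated by spaces or commas
        hits += [(key, p) for p in re.split(r"[,\s]+", value) if _is_worm_program(p)]
    return hits

def scan_reg_export(text):
    # Returns (key, value_name, command) triples under Run/RunServices naming a worm file.
    hits, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1] if line[1:-1].endswith(AUTOSTART_KEYS) else None
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if current and m:
            command = m.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
            if _is_worm_program(command):
                hits.append((current, m.group(1), command))
    return hits
```

Both scanners work on text, so they can be pointed at a copied win.ini and a `regedit /e` export from a suspect machine without running anything on it.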

To learn more about the Honeynet efforts, check out
www.enteract.com/~lspitz/.

Weakest link

You've probably heard "security is only as strong as your weakest
link." The force of the phrase comes home with Honeynet's latest
project. If attackers can so trivially gain access to a poorly
configured Windows 9x system, they are capable of quite a lot of
damage, including tunneling into your corporate network to download
sensitive data.


Stuart McClure is president and CTO and Joel Scambray is managing
principal at security consultant Foundstone ( www.foundstone.com ).

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
