Information Security News mailing list archives

Why You Should Fear Baby Hackers


From: InfoSec News <isn () C4I ORG>
Date: Fri, 23 Feb 2001 15:16:45 -0600

http://www.builder.com/Servers/SecurityIssues/082300/?tag=st.bl.3880.linksgp

By Chris Prosise and Saumil Udayan Shah
8/23/00

We often hear about "black hat" hackers invading our networks, taking
over systems, and pillaging sensitive information. Some of us might
even have experienced it. But one rarely gets a chance to actually sit
and observe how hackers go about invading a network. We got such an
opportunity a few months ago when we joined the Honeynet Project,
which was created to learn the techniques the enemy uses. The project
was initiated and coordinated by Lance Spitzner, who is a part of Sun
Microsystems' GESS Global Security Team.

The purpose of the Honeynet Project was simple: to learn about the
mindset and the techniques used by black-hat hackers today. To this
end, the project members created a network of computers loaded with
commonly used software, registered a domain name, and monitored
Internet traffic to see what would happen. This set of computers, or
honeypot, was set up specifically to lure hackers. It was guarded by
standard firewalls that were specifically designed to allow network
traffic into the systems but to restrict traffic going out of these
systems back onto the Internet. The crux of the honeypot, however, was
the monitoring system, which recorded the data going in and out of the
network--including suspicious activity performed by attackers. In this
case, the project used Snort as the monitoring system. The computers
in the honeypot ran out-of-the-box Solaris 2.6 and Windows NT 4.0
operating systems.

The Attack Begins
URL: http://www.builder.com/Servers/SecurityIssues/082300/ss01.html

The first successful attack on the honeypot occurred on June 4, 2000.
Remarkably, the honeypot network had been created just a few days
earlier, with no public launch. The rapidity of the attack shows us
how quickly black-hat hackers will find new systems. Also, the systems
on the honeypot network contained no juicy information. They were set
up as plain vanilla systems on the Internet. That they were
compromised indicates that, although systems containing sensitive
information such as user profiles or credit card numbers may be prime
targets for hackers, systems that do not host sensitive information
are not spared.

The hackers used a common Solaris exploit known as rpc.ttdbserv to
compromise the honeypot and to gain root (system administrator)
privileges. The rpc.ttdbserv exploit is listed in the SANS Top Ten
List as the third most commonly used hacking trick. Immediately after
compromising the system, the attackers created two user accounts with
root privileges so that they could get back into the system at a later
time. They set up a rootshell (an interactive login shell with root
privileges) to listen on an arbitrary TCP port so that they could gain
administrative access without being authenticated.

Bring On the Rootkit

After creating a back door, our attackers proceeded to download and
set up a rootkit on the compromised system. Very simply, a rootkit is
a set of programs that replaces commonly used system tools and
utilities and that hides the attackers' activities. Typical Unix
rootkits include replacements for programs such as ps to hide
processes, netstat to hide network connections, ls to hide files, and
other tools such as packet sniffers to monitor network traffic
(especially passwords). The rootkit even removes any telltale
activities from system log files. In the rootkit our attackers used,
we noticed the Pico editor, an easy-to-use Unix editor (as opposed to
vi, the popular editor found on most Unix systems). The presence of
Pico made it obvious that the attackers did not have advanced Unix
skills.
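The two moves described above, a root shell bound to an arbitrary TCP port and a rootkit that replaces ps, netstat and ls, both share a weakness a defender can exploit: the subverted tools disagree with an independent view of the same state. The following is an added example (not code from the article or from the Honeynet Project) of the three consistency checks that expose them: hashing installed binaries against an off-host baseline, comparing the kernel's process list with what ps reports, and comparing the kernel's socket table with what netstat reports and with an allowlist of expected services. Every input is constructed and embedded inline, and the /proc layout assumed is the Linux one (the article's hosts ran Solaris 2.6, whose kernel-side view would be read differently).

```python
"""Consistency checks against a replaced ps/netstat/ls and a hidden listener.

Added example; all data below is constructed, and the /proc format assumed
is Linux's, which differs from the Solaris 2.6 hosts in the article.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- 1. Binary integrity: hash installed tools against an off-host baseline ---

# Constructed baseline recorded at install time and kept off the host, so a
# rootkit that swaps the binaries cannot quietly update the reference hashes.
BASELINE_HASHES = {
    "/bin/ps": sha256(b"clean ps binary"),
    "/bin/ls": sha256(b"clean ls binary"),
    "/usr/bin/netstat": sha256(b"clean netstat binary"),
}

# Constructed current contents, as if read from disk: ps and netstat replaced.
CURRENT_FILES = {
    "/bin/ps": b"trojaned ps binary",
    "/bin/ls": b"clean ls binary",
    "/usr/bin/netstat": b"trojaned netstat binary",
}


def modified_binaries(baseline: dict, current: dict) -> list:
    """Paths whose current hash differs from the baseline, or that are missing."""
    changed = [p for p, h in baseline.items()
               if p not in current or sha256(current[p]) != h]
    return sorted(changed)


# --- 2. Hidden processes: the kernel's process list vs. what ps reports ---

# Constructed /proc directory listing: numeric entries are PIDs.
PROC_ENTRIES = ["1", "42", "317", "2048", "net", "self", "cpuinfo"]

# Constructed output of a trojaned ps: PID 2048 has been filtered out.
PS_OUTPUT = """  PID TTY      TIME CMD
    1 ?        00:00:01 init
   42 ?        00:00:00 inetd
  317 pts/0    00:00:00 sh
"""


def pids_from_proc(entries) -> set:
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps(text: str) -> set:
    lines = text.strip().splitlines()[1:]  # drop the header row
    return {int(line.split()[0]) for line in lines}


def hidden_processes(proc_pids: set, ps_pids: set) -> set:
    """PIDs the kernel knows about that the ps tool does not show."""
    return proc_pids - ps_pids


# --- 3. Hidden listeners: kernel socket table vs. netstat and an allowlist ---

# Constructed /proc/net/tcp: state 0A is LISTEN, local port is hex after ':'.
PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:9CAB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0100007F:0016 0A00000A:C7DE 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
"""

# Constructed result of parsing a trojaned netstat, which omits the extra port.
NETSTAT_LISTENING_PORTS = {22, 111}
ALLOWED_LISTENING_PORTS = {22, 111}  # services this host is supposed to offer


def listening_ports_from_proc(text: str) -> set:
    ports = set()
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.split(":")[1], 16))
    return ports


def listener_findings(kernel_ports: set, tool_ports: set, allowed: set) -> dict:
    return {
        "hidden_by_tool": kernel_ports - tool_ports,
        "not_in_allowlist": kernel_ports - allowed,
    }


def run_checks() -> dict:
    """Run all three checks on the constructed data and return the findings."""
    return {
        "modified_binaries": modified_binaries(BASELINE_HASHES, CURRENT_FILES),
        "hidden_pids": hidden_processes(pids_from_proc(PROC_ENTRIES),
                                        pids_from_ps(PS_OUTPUT)),
        "listeners": listener_findings(listening_ports_from_proc(PROC_NET_TCP),
                                       NETSTAT_LISTENING_PORTS,
                                       ALLOWED_LISTENING_PORTS),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On a real host the checker would read the binaries, /proc and the socket table itself rather than through the installed tools, and would keep the baseline hashes on read-only or off-host media; the point of each check is that the attacker controls the user-space tool but not the second source it is compared against.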

The Daily Word, Via IRC
URL: http://www.builder.com/Servers/SecurityIssues/082300/ss02.html

The attackers' next step was to set up an Internet Relay Chat (IRC) proxy
on the compromised host so that they could run their IRC channel through
it. That was convenient for us: because we were able to recover log
files of their conversations, the IRC channel gave us excellent
firsthand information on their activities. We analyzed the logs each
day to understand the hackers' motives and psychology. The logs also
helped us figure out where the hackers were based.

Our first hint about the hackers' location was that they conversed in
Urdu. That, along with some other clues, helped us deduce that they
were from Pakistan. Fortunately, Saumil was able to translate the
conversations from Urdu into English. A sanitized version of the IRC
logs is available on the Honeynet Project site.

Fourteen days of snooping on their IRC chat gave us a clear picture of
who the attackers were, what kind of skills they possessed, and what
they were setting out to do. Basically, these hackers were joyriders
who would try to compromise any system they could find. The attacks
were random, and systems that were easy pickings were compromised.

Hackers Show Off

One of our favorite examples of bravado occurred when one of the
attackers bragged that he had compromised 40 systems in one fell
swoop. This statement shows us how real the threat is. Exploits are
becoming automated to such an extent that even amateur attackers,
often called "script kiddies" by the security community, can
compromise hosts, despite the fact that such hackers have no idea how
or why the exploit works. In the IRC logs we observed, the attackers
taught each other some basic Unix skills, including how to go about
launching canned exploits and even denial of service (DoS) attacks.

As time progressed, we saw more of their malicious side. According to
what we culled from their log files, these hackers were attacking
computer systems in India, the United Arab Emirates, and Pakistan,
plus a few other systems scattered around the globe. They said they
were a politically motivated hacker group, performing such activities
as part of their propaganda.

Their claimed malicious activities included using password crackers to
crack user accounts on ISPs, launching major DoS attacks on various
sites and ISPs, trading credit cards over underground IRC channels,
and teaching other attackers the tricks of the trade. One of the
attackers even claimed to have compromised a billing system on an ISP
and gained access to more than 5000 user accounts. The hackers said
they were using the stolen credit cards to register some domains to
host their propaganda and exploit tools.

Lessons to Be Learned
URL: http://www.builder.com/Servers/SecurityIssues/082300/ss03.html

Our close encounter with black hat hackers reinforced the following
points:

* The hacker threat is very real.

  For anyone hosting systems on the Internet, it is only a matter of
  time till a hacker probe comes knocking on your door. Even the least
  interesting system can be a target. Systems get compromised if they
  appear to be weakly protected or are suspected of having a known
  vulnerability. Most of the time, attackers use compromised systems
  to cover their tracks when launching attacks against other systems.

* It does not take a great deal of skill for hackers to compromise
  systems.

  With canned exploit tools available on the Internet, attackers can
  compromise systems without even knowing how their exploits work. As
  we observed in this particular episode, the attackers possessed only
  some basic Unix skills, yet they managed to get root access to
  systems.

* Compromised systems are used as launching points for further
  malicious activity.

  In this situation, the attackers said they used compromised systems
  to launch denial of service attacks against various sites.

In gaining firsthand experience with malicious hackers, Lance Spitzner
and the whole Honeynet Project team did us all a service. They've
provided us with rare insight into the minds and practices of one of
the greatest Internet threats to date: "black hats."

ISN is hosted by SecurityFocus.com