Information Security Archives

March 15, 2005

bots, explained in detail - Mar 15, 2005

Know your Enemy: Tracking Botnets

Lance Spitzner's Honeynet project is at it again. I just noticed this paper they wrote about bots... the quote made me laugh. Of all the reasons someone would break into my machine, stealing my Diablo 2 gear is probably pretty low on the list. All the kids on BattleNet tell me my gear stinks. (They usually use a different word.)

Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. Diablo 2 is an online game in which you can improve your character by collecting powerful items. The rarer an item is, the higher its price on eBay. A search on eBay for Diablo 2 shows that some of these items allow an attacker to make a nice profit. Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxy runs on. There are documented cases where botnets were sold to spammers as spam relays: "Uncovered: Trojans as Spam Robots". You can see an example of an attacker installing software (in this case rootkits) in a captured example.

March 21, 2005

Narrative definition of Social Engineering - Mar 21, 2005

Social Engineering is a huge threat in today's business landscape. Just like any other security exposure, before we can protect against it we have to understand the nature of the danger. Darren Miller has written an article describing one scenario in which social engineering is used to defeat external perimeter security without too much effort. Miller's article concludes with a concise and accurate definition of social engineering.

In the world of computers and technology, social engineering is a technique used to obtain or attempt to obtain secure information by tricking an individual into revealing the information.

There's more fun with social engineering at the IRS described at the Security Focus site. And they trust these guys with your social security numbers?

January 23, 2006

Firewall Question, and recent module. - Jan 23, 2006

My friend and associate Aaron writes:

Hey I was wondering if you had any experience with the SmoothWall firewall? Seems that a lot of techie people like it and it's open source, and it's GUI.

It's all IPTABLES to me, Aaron.

But no, I hadn't heard of SmoothWall, thanks for the pointer.

There are lots of different scripts (Bastille, Linux Firewall IPcop, etc.) to set them up, but what I always wonder is why does an end user need to configure a firewall?

In other words, the scripts automate starting and stopping IPTABLES and manipulating the chains. But who needs the warm friendly automation? I know IPTABLES is in the background, and I know how to manipulate and save chains from the CLI.

I am always interested to see what different scripts do. At the home office here, I am currently using Trustix Firewall 4.7. This is the software part of a very sweet looking hardware platform, XSentry.

It has a warm fuzzy Java GUI that runs on Windows. I am very interested to see their way to set up the NAT. I always use mangling, and sometimes if I am in a hurry, MASQ; but they are actually allowing these packets across the FORWARD chain on a selective basis.


February 24, 2006

Welcome to my world, MacUser - Feb 24, 2006

Moohahaha!

I noticed Gregg Keizer of CMP Media said that the exploit for the zero-day flaw in OS X is posted over on the Metasploit Framework site. This, combined with the two worms that have recently been detected targeting the Macintosh platform, indicates to me that the security through obscurity that my fine feathered Mac friends usually hang their hopes on has flown the coop.

Now that you're in my world, DON'T FREAK OUT!

Although Apple has not yet released a patch for this, or at least I couldn't find it on the Apple security site where one finds these things, they will. Remember that it is very important to keep up to date with the updates that vendors provide. A zero-day exploit is rare, so usually Apple will produce a patch before the exploits are released.

The important things to remember to do for the best computer stability and security which is reasonably possible (no matter what computer or operating system you use) are these:

  1. Use good passwords, change them occasionally.
  2. Always update your software with the security fixes and patches that the manufacturer provides.
  3. Use virus protection and operate behind a firewall.

February 27, 2006

More Welcoming MacUsers - Feb 27, 2006

I guess maybe I am beating this particular drum a bit hard, but I know a few Mac users and this is no longer just my hypothetical good computing hygiene advice. I really would hate for my Mac friends to find out the hard way that it's not safe to play in the street. Following up on AdvisorBits: Welcome to my world, MacUser, I noticed today that there were multiple posts to the Incident Handlers Diary at SANS regarding the Apple security issues.

http://isc.sans.org/diary.php?storyid=1145&rss
http://isc.sans.org/diary.php?storyid=1139&rss
http://isc.sans.org/diary.php?storyid=1138&rss

I thought the remark by Kevin Liston this morning bears repeating, especially since it basically echoes mine.

In an effort to use as little hype as possible I only suggest that now is the time for Mac users to seriously consider anti-virus, personal firewalls, and safe browsing habits. It is the time for Mac sysadmins to develop strong patch management policies. This likely means that a Mac is no longer the no-brainer-choice for what computer to get for your parents.

May 16, 2006

My Rules to fight SPAM - May 16, 2006

I say they're mine. As I went to research [i.e. Google: "avoiding it in the first place +SPAM" ] the rules, it seems they're pretty much the same everywhere.

  1. Use a "straw man" email alias in public. Sometimes called throwaway or disposable email addresses, when you get on the spammer's list you can simply change addresses.
  2. Read the check-boxes on the web form -- Carefully! Sometimes you have to check them to opt-out; sometimes checking them subscribes you to a promotional mailing list.
  3. Don't publish clear text email addresses on-line. This includes your corporate web site (encrypt the address using JavaScript or use a CGI form submission) and any forums you may participate in. The reason for this rule is that spammers use programs called harvesters to read web pages and "harvest" email addresses.
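Rule 3 suggests keeping the address out of the raw HTML so a harvester that only reads page source finds nothing to scrape. The following is an added example, not code from the original post: the address is stored in a `data-enc` attribute in an obfuscated form and reassembled by script when the page renders. The address `info@example.com`, the `SHIFT` offset and the function names are assumptions constructed for this example. Note this is obfuscation, not encryption: a harvester that executes JavaScript can still recover the address, which is why the post also mentions a CGI form as the stronger option.

```javascript
// Added example (not from the original post): hide an e-mail address from
// page-scraping harvesters. The raw HTML carries only the obfuscated form;
// script reassembles the real address at render time.

// Arbitrary per-site offset; assumption for this example. This is obfuscation
// only: anyone running the script (or a JS-capable crawler) can decode it.
const SHIFT = 7;

// Reverse the string, shift every code point by SHIFT and emit each as a
// fixed-width (6 hex digit) field, so the result contains no '@' or '.'.
function encodeAddress(addr) {
  return [...addr].reverse()
    .map(ch => (ch.codePointAt(0) + SHIFT).toString(16).padStart(6, '0'))
    .join('');
}

// Inverse of encodeAddress: split into 6-digit fields, unshift, un-reverse.
function decodeAddress(encoded) {
  const chars = [];
  for (let i = 0; i < encoded.length; i += 6) {
    const cp = parseInt(encoded.slice(i, i + 6), 16) - SHIFT;
    chars.push(String.fromCodePoint(cp));
  }
  return chars.reverse().join('');
}

// The kind of pattern a simple harvester applies to page source; used here
// to confirm the encoded form would not match it.
function looksLikeEmail(text) {
  return /[\w.+-]+@[\w-]+\.[\w.-]+/.test(text);
}

// Render step: turn every <a data-enc="..."> into a working mailto: link.
// Returns the number of links rewritten. Only called when a DOM exists.
function renderObfuscatedLinks(doc) {
  const nodes = doc.querySelectorAll('a[data-enc]');
  for (const a of nodes) {
    const addr = decodeAddress(a.dataset.enc);
    a.href = 'mailto:' + addr;
    a.textContent = addr;
    a.removeAttribute('data-enc');   // keep the decoded form out of markup attrs
  }
  return nodes.length;
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => renderObfuscatedLinks(document));
}

// Build-time usage: the page author publishes
//   <a data-enc="...">contact us</a>
// with the value produced by encodeAddress. Constructed placeholder address:
const SAMPLE_ADDRESS = 'info@example.com';
const SAMPLE_ENCODED = encodeAddress(SAMPLE_ADDRESS);
```

The encoded value is what goes into the HTML; `encodeAddress` is run once when the page is authored, and only `decodeAddress` and `renderObfuscatedLinks` need to ship to the browser.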


September 15, 2006

Analyzing malicious SSH login attempts - Sep 15, 2006

Christian Seifert has investigated a series of ongoing attempts to log in to Unix servers on the Internet, and he has published the report, entitled Analyzing malicious SSH login attempts, at Security Focus.

This caught my eye because I have recently seen evidence of this that I do not ordinarily see. Not only that but since I was on vacation, the person keeping an eye on things saw it too. There is nothing earth shattering about the techniques described in the report, but the analysis and narrative of the investigation was very interesting to me as a systems administrator.


October 25, 2006

Worrying about magic - Oct 25, 2006

Any sufficiently advanced technology is indistinguishable from magic.

That is commonly known as (Arthur C.) Clarke's third law. It's been further modified several times in popular culture to read more like this, from the web comic Freefall:

Any technology, no matter how simple, is magic to those who do not understand it.

I have had cause to think about this lately. I mentioned the confusion of some of the audience at the business blogging with regard to feeds. And it's important to remember that these things are on a fairly continuous scale. Which is to say, although I work with networking and servers all the time, there is still technology in this sphere that might as well be magic to me.

Since most businesses these days operate somewhere on this spectrum of technology and magic, it's important to have some simple rules to guide our everyday actions. For lack of a better reference I point to the number one item on Microsoft's list as the most exploited.


November 28, 2006

Blue Pill, explained - Nov 28, 2006

This PDF is a transcript of a podcast "Security Now!" by two security researchers, Leo Laporte and Steve Gibson. I thought it was a good explanation of a new kind of threat. This new threat was first described by Joanna Rutkowska. She has her own paper here.