Re: compromised machines

From: Michael H. Warfield (mhw_at_wittsend.com)
Date: 08/28/04


Date: Sat, 28 Aug 2004 17:52:09 -0400
To: Harlan Carvey <keydet89@yahoo.com>


On Fri, Aug 27, 2004 at 03:41:20AM -0700, Harlan Carvey wrote:

> When you say IDS/IPS, which are you referring to? If
> IDS, remember...they are signature-based. One of the
> biggest problems with employing such a technology is
> not understanding that it only detects those things
> that it has signatures for...

        Actually... No.

        Every IPS has an IDS at its heart. It's the resulting behavior that
makes the discrimination.

        An IDS may be signature based, protocol based, anomaly based,
or heuristic, or any combination of the above. And there are examples
of each in deployment now.

        So a blank statement "If IDS, Remember...they are signature-based"
is patently false along several vectors.

        Mike

> > After one week, I have 50 machines which are
> > compromised by the same
> > bot, and some of them are the same as the previous
> > list of machines.
>
> That tends to happen in situations in which no root
> cause analysis was done.
>
> > Now a host-based firewall is a very tough option
> > for us, since we are
> > a university with around 30,000 computers and under
> > different
> > departments. Does anyone know what bots are causing
> > these and any IDS signatures for these.
>
> Well, given the banner you provided, it would seem
> that you could write one of your own. Does your IDS
> product provide the facility for such a thing?
>
> > We are using a couple of IDS such as snort and
> > Dragon and Intrushield, Any help for this is
> > appreciated.
>
> My earlier question was rhetorical...
>
> > I did have a look at one of these
> > machines and from what I see, there are a couple of
> > files which seem to be causing this.
> > there is a csmss.exe file which is listening on the
> > port 6544.. The
> > machine is also running a remote server.
> > before csmss.exe, a file ServNT.exe seems to have
> > been executed, which
> > might have caused a sequence of events.. there is a
> > batch file , which
> > using the registry runs a remote admin server at
> > startup. then we got
> > a number of files which are used to show the banner,
> > hide the files .
> > If I could find out how did they get inside the
> > system, because most
> > of the infected machines were running fully patched
> > Windows XP with
> > latest Norton Antivirus definitions.?
>
> Patches aren't the be-all-and-end-all...there's more
> to security than that. There are other avenues into
> systems such as email and the browser...avenues that
> may not be covered by patches.
>
> > All of those machines are running either Windows
> > 2000 professional or XP professional.
> > 2 machines were analysed, one of which was completely
> > patched and had
> > all the latest virus definitions from Norton,
> > another machine was not
> > patched and no virus updates were present.. But the
> > state of affairs
> > at both the machines was the same.. the message sent
> > before contains
> > the details..
> > on more analysis, I found csmss.exe to be a part of
> > W32.Dedler
> > Trojan.. but how it got inside the system is
> > anyone's guess..
>
> Perhaps not...I went to the Symantec site and looked
> up "Dedler"...it's not a Trojan...it's a worm.
> http://securityresponse.symantec.com/avcenter/venc/data/w32.dedler.worm.html
>
> Interesting thing about the write-up at the site:
> "4. Copies the following files to open network
> shares:"
>
> There wasn't any detail in your description regarding
> your domain setup, but maybe that helps a little bit
> in explaining how so many systems were infected. I
> know the Symantec writeup doesn't jive exactly with
> your description, but based on what Norton detected,
> it's a start. It might also go toward explaining why
> so many machines were reinfected...
>
> > None of them was running IIS.
>
> Ok...I'm not sure where that plays into all this...but
> ok...
>
> Good luck.

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
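The distinction Mike draws above (signature-based is only one of several IDS approaches) can be shown on constructed connection-log lines: one check is a static signature on the bot listener port mentioned in the thread, the other is an anomaly rule on SMB fan-out, the spreading pattern Harlan points to in the Symantec write-up. This is an added example, not code from the thread or any of the IDS products named; the log format, host addresses, the "known-bot-listener" rule and the fan-out threshold are assumptions.

```python
"""Signature-based vs anomaly-based detection over constructed log lines.
Port 6544 is the csmss.exe listener port from the thread; everything else
(log format, addresses, thresholds) is an assumption for illustration."""
import re
from collections import defaultdict

# Constructed sample log: "<src> -> <dst>:<port> <proto> [BANNER=<text>]"
SAMPLE_LOG = """\
10.1.2.3 -> 10.1.2.50:6544 tcp BANNER=remote-admin
10.1.2.3 -> 10.1.2.51:445 tcp
10.1.2.3 -> 10.1.2.52:445 tcp
10.1.2.3 -> 10.1.2.53:445 tcp
10.1.2.3 -> 10.1.2.54:445 tcp
10.1.2.3 -> 10.1.2.55:445 tcp
10.1.2.3 -> 10.1.2.56:445 tcp
10.1.2.9 -> 10.1.2.51:445 tcp
10.1.2.9 -> 10.1.2.80:80 tcp
"""

LINE_RE = re.compile(r"(\S+) -> (\S+):(\d+) (\w+)(?: BANNER=(\S+))?")

# Signature rule (hypothetical, not a real Snort/Dragon signature):
# a TCP connection to the known bot listener port.
SIGNATURES = {("tcp", 6544): "known-bot-listener"}


def parse(log):
    """Yield (src, dst, port, proto, banner) tuples; banner is None if absent."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, port, proto, banner = m.groups()
            yield src, dst, int(port), proto, banner


def signature_hits(log):
    """Signature approach: return (src, rule) for lines matching a static rule."""
    return [(src, SIGNATURES[(proto, port)])
            for src, _dst, port, proto, _b in parse(log)
            if (proto, port) in SIGNATURES]


def anomaly_hits(log, share_port=445, fanout_threshold=5):
    """Anomaly approach: flag hosts contacting unusually many distinct peers
    on the SMB port, the fan-out of a worm copying itself to open shares.
    No signature is needed; the threshold is an assumed baseline."""
    peers = defaultdict(set)
    for src, dst, port, proto, _b in parse(log):
        if proto == "tcp" and port == share_port:
            peers[src].add(dst)
    return sorted(src for src, dsts in peers.items() if len(dsts) >= fanout_threshold)
```

The anomaly rule would still fire on a variant that changed its listener port, which is exactly the case a signature-only deployment misses.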



