Fishing for Worms A Lure that Works

Fishing for Worms
A Lure that Works
EDUCAUSE Southwest Regional Conference
Paul Schmehl ([email protected])
Adjunct Information Security Officer
The University of Texas at Dallas
Copyright Paul Schmehl 2003. This work is the intellectual property of the author. Permission is granted for this material
to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the
reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to
republish requires written permission from the author.
Network Aware Worms are a Difficult Problem to Solve

They attack open network shares anywhere in the network
They’re often difficult to track to the source of the infection
They’re very persistent and propagate quickly
Their “tribe” is increasing
Antivirus protection can warn you of the infection, but it doesn’t track down the source
Logs are often not enabled and when they are, they don’t log this sort of “normal” activity unless specially configured
Eradicating network aware worms is often like playing “whack a mole”
Introducing the “SMB Lure”

A proactive approach to worm eradication
Requires a minimal investment of equipment and time
Requires almost no maintenance once configured properly
Acts as an “early warning system” as well as a “teergrube” (tar pit) server for worms
Conceived and designed by John Morris of Nortel Networks – AVIEN Member
What is SMB Lure?

A Unix OS – your choice
Samba – open source
Proper configuration of Samba
A few scripts for maintenance
A working SMTP server
Configure the OS

Minimal installation
No services except SMTP and SSH
Enable the firewall and tcpwrappers
Establish a patching routine
That’s it!
Install and configure Samba

Standard installation – nothing special
*Can* edit the source if you want to
It’s all in the configuration file
Build your directory and file structure
Make it look “real”
Sit back and enjoy
The smb.conf file

# Samba config file created for SMB-Lure
# Global parameters

[global]

# TRICK 0: Set up our own workgroup, so named to be the first item in the Windows Network Neighborhood
workgroup = 000-SECURITY

# TRICK 1: Name our server, so that it appears as the first machine in its workgroup
netbios name = 000-worm-sensor

# TRICK 2: Create a few aliases for our sensor, so that it appears multiple times, interspersed in the workgroup
netbios aliases = C00-worm-sensor E00-worm-sensor J00-worm-sensor M00-worm-sensor

# warn curious individuals to stay away from our sensor
server string = Virus detector. Please! Do not touch (972-883-6866)

# Let’s be very promiscuous, we will share our fileshare contents with all worms
security = SHARE

# TRICK 3: Turn on Debug mode. This will provide useful information about what types of files the worm is accessing
# or is looking for on our server.
debug level = 3

# Each visiting computer will have its own dedicated log file, makes reading much easier.
log file = /usr/local/samba/logs/%m.log


More smb.conf

# No limit on log size
max log size = 0

# Pretend to be a Windows NT 4 computer
announce version = 4.0

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

dns proxy = No

wins server = 129.110.27.65

name resolve order = wins

# We will be domain master, for 000-SECURITY
domain master = True
preferred master = True

# The IP address of our WINS server, provides name resolution
# (note: "wins server" is also set above; when a parameter appears twice, Samba uses the last value given)
wins server = 129.110.70.36

browseable = Yes

More smb.conf

# TRICK-4: remotely announce our existence around the corporate network and force ourselves into several regionally and
# alphabetically diverse workgroups/domains. The IP addresses are the broadcast addresses for subnets that contain
# NT/Win2K servers.
# Note the number of computers we are pretending to be is the number of remote-announce domains multiplied by the
# number of aliases (See TRICK-2)
remote announce = 129.110.161.255/000-SECURITY 129.110.161.255/AV

# Here is where we define our fileshare (called Wormbait)
[Wormbait]

# Scare away all the human worms, if they didn't get the picture from the server description above
comment = Network Worm Bait, please don't touch

# Directory containing lots of juicy infectable files, stored in multiple directories.
path = /home/wormbait

# Worms are our guests and allowed to do their worst.
writeable = Yes
guest ok = Yes


Samba startup configuration

#!/bin/sh
# Samba startup script
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D

The checklogs script

#!/bin/sh

# checklogs.sh - a shell script for parsing the Samba logs
# looking for worm or virus activity. If found, it's written
# to a log that is emailed to me hourly.
# Written by Paul Schmehl - 6/10/2002

# set some variables

sambalogs=/usr/local/samba/logs/*
alerts=/home/alert.txt
touch $alerts

# loop through each log looking for worms and viruses
# and write to the alert.log if any are found
# (the glob also matches the backup directory, so skip anything that is not a plain file)
for log in $sambalogs
do
  if [ -f "$log" ]; then
    chmod 770 "$log"
    counter=0
    # grep -c prints the number of matching lines and exits 0 only when there was a match
    funlove=`grep -ci "find service ntldr" "$log"`
    if [ $? -eq 0 ]; then
      echo "Funlove hits = $funlove." >> $alerts
      counter=`expr $counter + 1`
    fi
    nimda=`grep -ci "\.eml sleep=5 read=No write=Yes" "$log"`
    if [ $? -eq 0 ]; then
      echo "Nimda hits = $nimda." >> $alerts
      counter=`expr $counter + 1`
    fi
    nimdaa=`grep -ci "\.eml failed" "$log"`
    if [ $? -eq 0 ]; then
      echo "Nimda a hits = $nimdaa." >> $alerts
      counter=`expr $counter + 1`
    fi
More checklogs script

    if [ $counter -gt 0 ]; then
      # each log is named after the client machine, e.g. /usr/local/samba/logs/bret.log
      echo `basename "$log"` >> $alerts
      # first timestamp in the log; Samba log lines start with "[YYYY/MM/DD HH:MM:SS, level]"
      echo Log started at `awk '/^\[[0-9][0-9][0-9][0-9]\//{print $1" "$2}' "$log" | head -n1 | cut -d'[' -f2 | cut -d',' -f1` >> $alerts
      hostname=`basename "$log" .log`
      echo $hostname >> $alerts
      # Samba logs the client as "hostname (ip.ad.dr.ess)" on connection lines
      IP=`grep -e "$hostname " "$log" | cut -d'(' -f2 | cut -d')' -f1 | sort -u`
      : ${IP:=unknown}
      echo IP is $IP >> $alerts
      user=`grep "sesssetupX:name=" "$log" | cut -d'[' -f2 | cut -d']' -f1 | tail -n1`
      : ${user:=unknown}
      echo User logged in was $user >> $alerts
      echo "" >> $alerts
    fi
  fi
done

# mail the alert.log if there's anything in it and
# move the samba logs to the backup directory
if [ -s $alerts ]; then
  mailx -s "SMB Lure Logs" root < $alerts
  cd /usr/local/samba/logs
  mv -f *.log backup/
fi

# do some "maintenance"
chmod 660 /usr/local/samba/logs/backup/*
rm -f $alerts
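As an added example (not the author's script), the same per-log steps as checklogs.sh written in Python, in the spirit of the rewrite and signature table listed under Things to do: the signature strings are the ones the script greps for, the hostname comes from the log file name, and the start time, client IP, user and reported OS are pulled from the log. The sample log, its connection line and IP address are constructed for the example.

```python
import re

# Signatures from the checklogs.sh script on this page: label -> string grep -ci looked for.
SIGNATURES = {
    "Funlove": "find service ntldr",
    "Nimda": ".eml sleep=5 read=No write=Yes",
    "Nimda a": ".eml failed",
}
TIMESTAMP = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),")
SESSION_USER = re.compile(r"sesssetupX:name=\[([^\]]*)\]")
NATIVE_OS = re.compile(r"NativeOS=\[([^\]]*)\]")

# Constructed sample of one per-client log (bret.log) in Samba's level-3 format; the
# connection line, client IP and worm activity are made up for this example.
SAMPLE_LOG = """[2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 11549)
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858)
  Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868)
  sesssetupX:name=[bxg022000]
[2003/02/14 04:34:30, 3] smbd/service.c:make_connection(550)
  bret (192.0.2.10) connect to service Wormbait as user nobody (uid=99, gid=99)
[2003/02/14 04:34:31, 3] smbd/service.c:find_service(130)
  find_service() failed to find service ntldr
[2003/02/14 04:34:31, 3] smbd/service.c:find_service(130)
  find_service() failed to find service ntldr
"""

def analyse_log(log_name, text):
    """Same steps as checklogs.sh for one log; returns None when no signature matches."""
    hostname = log_name[:-4] if log_name.endswith(".log") else log_name
    lines = text.splitlines()
    hits = {name: sum(sig.lower() in line.lower() for line in lines)
            for name, sig in SIGNATURES.items()}
    if not any(hits.values()):
        return None
    started = next((m.group(1) for m in map(TIMESTAMP.match, lines) if m), "unknown")
    ips = sorted(set(re.findall(re.escape(hostname) + r" \(([^)]+)\)", text)))
    users = [u for u in SESSION_USER.findall(text) if u]
    oses = NATIVE_OS.findall(text)
    return {"host": hostname, "started": started, "ip": ips[0] if ips else "unknown",
            "user": users[-1] if users else "unknown", "os": oses[-1] if oses else "unknown",
            "hits": {k: v for k, v in hits.items() if v}}

def format_alert(a):
    """Render one alert in the style of the hourly e-mail shown on the page."""
    head = [f"{k} hits = {v}." for k, v in a["hits"].items()]
    return "\n".join(head + [a["host"], f"Log started at {a['started']}",
                             f"IP is {a['ip']}", f"User logged in was {a['user']}"])
```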





Typical email alert

Bugbear hits = 45.
csgrad49370.logname
Log started at
csgrad49370.logname
IP is unknown
User logged in was bxg022000
Use nbtstat –a to get the IP
The wormbait directory

0,1456,graphics,00[1].rar
AUTOEXEC.exe
0,1456,graphics,00[1].txt.exe
Ac.xls.exe
0116williams[1].bak.exe
Bbuj.rar
0116williams[1].exe
Bsxp.htm.exe
0116williams[1].rar
Cclu.exe
0117cowduo[1].bak.rar
Cjqmq.exe
0117cowduo[1].exe
Dd.mpg.rar
0117cowduo[1].html.rar
End .exe
0117cowduo[1].mp3.exe
End .rar
0117cowduo[1].mpeg.rar
End .xls.rar
0117cowduo[1].mpg.rar
FACE.rar
0117cowduo[1].pas.exe
HEIGHT.exe
0117cowduo[1].rar
Ikvfi.rar
API.htm.rar
Tf.exe
API.mp3.exe
VALIGN.exe
API.rar
Wpcc.xls.exe
Ylcp.bak.rar
Zbie.exe
Zid.cpp.rar
codes,.exe
codes.bak.exe
height.mpeg.scr
http.rar
koulic2.scr
margin.bat
margin.rar
mayalog.eml
name.doc.bat
new.c.exe
new.cpp.rar
new.htm.exe
new.rar
return.rar
rock.c.exe
style.rar
test1
test2
test3
test4
test5
test6
test7
test8
test9
width.rar
windows
winnt
Contents of mayalog.eml

MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC123456j7890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC123456j7890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC09876j54321DEF_===="
--====_ABC09876j54321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC09876j54321DEF_====--
--====_ABC123456j7890DEF_====
Content-Type: audio/x-wav;
name="sample.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAI9/UEUAAEwBBQBAw8I7
AAAAAAAAAADgAA4BCwEGAABwAAAA8AUAAAAAAAd1AAAAEAAAAIAAAAAANzcAEAAAABAAAAQAAAAA
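An added example, not from the original slides: a Python check for the structure shown in mayalog.eml, where a part labelled audio/x-wav carries a .exe name and a payload beginning with the MZ executable header, and a zero-size iframe loads it by Content-ID. The sample message is constructed in the same shape with one multipart level instead of two and a base64 MZ-header stub in place of the program.

```python
import email
import re
from email import policy

# Constructed message in the shape of mayalog.eml above (one multipart level instead of two,
# and a base64 MZ-header stub instead of a program): not the real file.
SAMPLE_EML = """MIME-Version: 1.0
Content-Type: multipart/related; boundary="OUTER"

--OUTER
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--OUTER
Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAA=
--OUTER--
"""
# iframe whose source is an inline part referenced by Content-ID
IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc=["\']?cid:([^\s"\'>]+)', re.I)

def find_hidden_executables(raw):
    """One finding per non-text part that looks like an executable smuggled in by MIME type."""
    msg = email.message_from_string(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    html = b"".join(p.get_payload(decode=True) for p in leaves
                    if p.get_content_type() == "text/html")
    iframe_cids = set(IFRAME_CID.findall(html.decode("latin-1", "replace")))
    findings = []
    for p in leaves:
        if p.get_content_maintype() == "text":
            continue
        name = (p.get_filename() or "").lower()
        ctype = p.get_content_type()
        cid = str(p.get("Content-ID") or "").strip("<>")
        body = p.get_payload(decode=True) or b""
        reasons = [r for r, hit in (
            ("mz_header", body.startswith(b"MZ")),           # DOS/PE executable header
            ("exe_disguised_as_" + ctype, name.endswith((".exe", ".scr", ".pif"))
                                          and not ctype.startswith("application/")),
            ("loaded_by_hidden_iframe", cid in iframe_cids)) if hit]
        if reasons:
            findings.append({"name": name, "ctype": ctype, "cid": cid, "reasons": reasons})
    return findings
```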
A clean wormbait directory

test1 test2 test3 test4 test5 test6
test7 test8 test9 windows winnt
The windows directory

accstat.exe control.ini explorer.exe isapnp.vxd net.exe qfecheck.exe setdebug.exe system32 welcome.exe
arp.exe cvtaplog.exe extrac32.exe logos.sys netdde.exe ramdrive.sys setup.ini taskman.exe win.com
autoexec.bat dblbuff.sys freecell.exe mayalog.eml neth.msg readme.htm setver.exe taskmon.exe win.ini
calc.exe defrag.exe ftp.exe moricons.dll netstat.exe regedit.exe sigverif.exe telnet.exe winfile.exe
cdplayer.exe desktop.ini grpconv.exe msdos.sys notepad.exe route.exe smartdrv.exe tracert.exe winipcfg.exe
charmap.exe dialer.exe himem.sys mshearts.exe ping.exe rundll.exe sol.exe twain.dll winpopup.exe
clipbrd.exe dosstart.bat hwinfo.exe nbtstat.exe progman.ini rundll32.exe system twunk_16.exe winsock.dll
command.com drvspace.exe ifshlp.sys nddeapi.dll protman.exe scandskw.exe system.dat twunk_32.exe wscript.exe
control.exe emm386.exe ipconfig.exe nddenb.dll protocol.ini scanregw.exe system.ini user.dat
Other scripts

cleanup.sh – removes the wormbait directory and then repopulates it
makefiles.sh – repopulates the wormbait directory with “Windows files”
Typical samba log – bret.log

[2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878)
Transaction 1 of length 137
[2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685)
switch message SMBnegprot (pid 11549)
[2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
Requested protocol [LANMAN1.0]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
Requested protocol [Windows for Workgroups 3.1a]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
Requested protocol [LM1.2X002]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
Requested protocol [LANMAN2.1]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(342)
Requested protocol [NT LM 0.12]
[2003/02/14 04:34:29, 3] smbd/negprot.c:reply_negprot(426)
Selected protocol NT LM 0.12
[2003/02/14 04:34:29, 3] smbd/process.c:process_smb(878)
Transaction 2 of length 161
[2003/02/14 04:34:29, 3] smbd/process.c:switch_message(685)
switch message SMBsesssetupX (pid 11549)
[2003/02/14 04:34:29, 3] smbd/sec_ctx.c:set_sec_ctx(329)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(858)
Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
[2003/02/14 04:34:29, 3] smbd/reply.c:reply_sesssetup_and_X(868)
sesssetupX:name=[]
Things to do

Rewrite the checklogs script in Perl
Move new worm entries to a text file and parse from the script
Deal with Windows NetBIOS names with spaces in them
Write script to rotate logs and delete