1
Windows Spam Proxy Viruses

Phil Rodrigues and Keith Bessette
University of Connecticut
MIT Security Camp, August 21, 2003
2
Introduction
3
Introduction
  • I have been accused of being a salesman
  • IPAUDIT
  • I have been accused of being a preacher
  • BLOCK WINDOWS NETWORKING

4
Motivational Speaker
  • Now I am a motivational speaker
  • You are all smart people with the right (free)
    tools and good intentions
  • Together we can make a difference!

5
Desperate Times
6
Desperate Times
  • Win PopUp alerts to RPC-DCOM vulnerable hosts
    (thanks Eric Jacobsen)
  • Hacking hosts that were DoSing our NetReg box
    (thanks Rich Graves)
  • Sending spam like this:

7
My Spam
  • Experience the results you've always wanted
  • with a MASSIVE scientific breakthrough
  • Best of all...
  • There Are NO Agonizing Hanging Weights, NO Tough
    Exercises,
  • NO Painful And Hard-To-Use Pumps, And There Is NO
    Dangerous Surgery Involved.
  • But the best part is when you reveal yourself in
    all your glory to the woman in your life. When
    she sees how massive and manly, how truly long
    and hard you are, she will surrender and give you
    everything you have always wanted.

8
What We Noticed
9
What We Noticed
  • I've been answering abuse_at_uconn.edu for about two
    years now.
  • Noticeable increase in the amount of inbound spam
    complaints over the course of the Spring
  • Exciting Full-Color Chart ahead!

10
Worm Ate my Homework
  • Inbound spam complaints per month (chart data):
  • Jan 2
  • Feb 15
  • Mar 12
  • Apr 70

11
What we Noticed (cont)
  • In April 2003 we started to nmap the hosts we got
    complaints about and found unexpected ports open
  • amap'ed them and usually found:
    • http-proxy
    • smtp-proxy
    • ?? (probably a RAT)
  • Visited some and found they were mostly virus
    related: SoBig, LovGate, Jeem

12
How We Detected It
13
How We Detected It
  • IPAudit graphs looking for outgoing scans:
    local hosts that contact many more remote hosts
    than they got answers from
  • IPAudit client/server report that told us the
    hosts with the highest number of connections for:
    • mail
    • ssh
    • telnet
    • http
    • https

14
How We Detected It (cont)
  • Daily totals were a good start, but we needed
    more detail: short bursts got lost in the steady
    volume
  • Jon Rifkin made an IPAudit graph that showed
    outbound SMTP connections per minute
  • This allowed us to quickly see a change from the
    normal mail traffic we expected

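The two signals described on the detection slides (hosts that open many outbound SMTP connections, and hosts that contact far more remote hosts than ever answer them) can be computed directly from IPAudit-style flow records. The following is an added example, not code from the presentation or from IPAudit. It assumes the column layout shown on the "Jeem on the Network" slide, that Fir == 1 means the local host sent the first packet (an outbound connection), and that InBy == 0 means the remote side never replied; the records, the addresses (RFC 5737 documentation ranges) and the registered-mail-server list are constructed.

```python
"""Flag local hosts that look like spam proxies from IPAudit-style flow
records: many outbound TCP/25 connections, and/or a local host that
contacts far more remote hosts than answer it.

Added example; not part of the presentation or of IPAudit.
Assumptions: column layout as on the 'Jeem on the Network' slide;
Fir == 1 means the local host sent the first packet (outbound
connection); InBy == 0 means the remote side never sent a byte back.
"""
from collections import defaultdict

COLUMNS = ["LocIP", "RemIP", "Ptl", "LPrt", "RPrt", "InBy", "OuBy", "Fir", "Las"]

# Constructed sample records (RFC 5737 documentation addresses, not real traffic).
# 192.0.2.10 sprays SMTP at seven servers and four of them never answer;
# 192.0.2.25 is a registered mail server; 192.0.2.30 only receives mail.
SAMPLE_RECORDS = """\
192.0.2.10 198.51.100.5  6 1251 25 1783 2042 1 2
192.0.2.10 198.51.100.6  6 1252 25 1396 2573 1 2
192.0.2.10 198.51.100.7  6 1253 25 1636 2896 1 2
192.0.2.10 198.51.100.8  6 1254 25    0  120 1 1
192.0.2.10 198.51.100.9  6 1255 25    0  120 1 1
192.0.2.10 198.51.100.10 6 1256 25    0  120 1 1
192.0.2.10 198.51.100.11 6 1257 25    0  120 1 1
192.0.2.20 198.51.100.5  6 1062 80  481  549 1 2
192.0.2.20 198.51.100.5  6 1066 80  481  549 1 2
192.0.2.25 198.51.100.5  6 2500 25  900 1200 1 2
192.0.2.25 198.51.100.12 6 2501 25  900 1200 1 2
192.0.2.25 198.51.100.13 6 2502 25  900 1200 1 2
192.0.2.30 198.51.100.7  6 25 40000 5000 3000 2 1
"""

REGISTERED_MAIL_SERVERS = {"192.0.2.25"}  # constructed allowlist


def parse_records(text):
    """Turn whitespace-separated IPAudit rows into dicts with numeric fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(COLUMNS, line.split()))
        for key in COLUMNS[2:]:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def outbound_smtp_stats(rows):
    """Per local host: outbound TCP/25 flows, distinct remote hosts contacted,
    and which of those sent at least one byte back."""
    stats = defaultdict(lambda: {"flows": 0, "contacted": set(), "answered": set()})
    for r in rows:
        if r["Ptl"] != 6 or r["Fir"] != 1 or r["RPrt"] != 25:
            continue  # only TCP connections the local host opened to port 25
        s = stats[r["LocIP"]]
        s["flows"] += 1
        s["contacted"].add(r["RemIP"])
        if r["InBy"] > 0:
            s["answered"].add(r["RemIP"])
    return stats


def flag_spam_proxies(rows, allowlist=frozenset(), min_flows=5, max_unanswered=0.5):
    """Return [(local_ip, [reasons])] for hosts that are not registered mail
    servers and either open many SMTP connections or mostly go unanswered."""
    findings = []
    for host, s in outbound_smtp_stats(rows).items():
        if host in allowlist:
            continue
        contacted = len(s["contacted"])
        unanswered = contacted - len(s["answered"])
        reasons = []
        if s["flows"] >= min_flows:
            reasons.append(f"{s['flows']} outbound SMTP connections")
        if contacted and unanswered / contacted > max_unanswered:
            reasons.append(f"{unanswered} of {contacted} remote hosts never answered")
        if reasons:
            findings.append((host, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for host, reasons in flag_spam_proxies(parse_records(SAMPLE_RECORDS),
                                           REGISTERED_MAIL_SERVERS):
        print(host, "; ".join(reasons))
```

The thresholds are deliberately loose; on a campus network the per-minute graph the slides describe would be built by bucketing these same rows by their first-packet time, which IPAudit's daily summary rows do not carry, so the counts here are per reporting interval.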
15
How We Detected It
16
How We Caught It
17
How We Caught It
  • Would block high-SMTP-connection hosts as we saw
    them
  • Hint: don't name stuff "plum" or "bilbo"
  • Got our hands on a host and pulled the infected
    files off of it.
  • Randomly got Jeem.

18
How We Caught It (cont)
  • Jeem had only infected about 13 hosts on campus;
    it was not extremely common.
  • 4 of its hosts had sent out >2,000,000 pieces of
    spam over a few hours
  • It was extremely active!

19
How Jeem Works
20
The Jeem Process Initialization
  • After the initial infection, 3 ports are opened
    on the infected host
  • An attempt to ping Microsoft occurs
  • Sends an HTTP GET request to an update.pl script
    on the Master Server
  • GET /update12.pl?magic515273856672ox2-5-0-2195tm289id-1cache1057100466 ...

21
Jeem Process Initialization Cont
  • Master Server generates an ID for the infected
    host and passes all the new info to a Control
    Server by calling another update.pl script on the
    Control Server.
  • prxmagicwestads.comwestads.comwestads.comK2/vcgi/danny/update.cgi/vcgi/danny/update.pl/vcgi/danny.plP1193728
  • No further contact between the Master Server and
    Control Server can be seen.

22
Pre-Spam
  • MySQL is running on the Control Server
  • After 60 minutes, the infected host pings MSFT,
    and then sends an HTTP GET request to the Control
    Server
  • Script from the Control Server tells the infected
    host to sleep for 30 minutes
  • prxmagicwestads.comwestads.comwestads.comK2/vcgi/danny/update.cgi/vcgi/danny/update.pl/vcgi/danny.plPsleep193728

23
Pre-Spam Cont
  • The Control Server then makes quick contact with
    the remote control Jeem port
  • HTTP GET commands continue to be sent to the
    Control Server every 30 minutes
  • This allows the established connection to be kept
    open and alive through firewalls
  • Signifies that the infected host is alive and
    ready for commands

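The check-in pattern on the last two slides (the same host fetching the same script on the Control Server every 30 minutes) is regular enough to be found in web-proxy or flow logs by looking at the timing alone, without knowing the magic value. The block below is an added example, not code from the presentation. Its log format ("epoch_seconds src dst METHOD url") is constructed, the addresses are RFC 5737 documentation ranges, and the query-string value is a placeholder; only the script path and the 30-minute period come from the slides.

```python
"""Spot periodic check-ins like the Jeem behaviour described on the slides:
the same local host fetching the same script on the same remote host at an
almost constant interval (30 minutes in the Jeem case).

Added example, not from the presentation. The log format is constructed:
'epoch_seconds src dst METHOD url'; hosts are RFC 5737 addresses and the
query string value is a placeholder.
"""
import statistics
from collections import defaultdict

# Constructed sample log: 192.0.2.10 checks in every ~30 minutes with small
# jitter; 192.0.2.20 fetches a page at irregular times.
SAMPLE_LOG = """\
1057100400 192.0.2.10 203.0.113.9 GET /vcgi/danny/update.pl?magic=PLACEHOLDER
1057102200 192.0.2.10 203.0.113.9 GET /vcgi/danny/update.pl?magic=PLACEHOLDER
1057104000 192.0.2.10 203.0.113.9 GET /vcgi/danny/update.pl?magic=PLACEHOLDER
1057105806 192.0.2.10 203.0.113.9 GET /vcgi/danny/update.pl?magic=PLACEHOLDER
1057107600 192.0.2.10 203.0.113.9 GET /vcgi/danny/update.pl?magic=PLACEHOLDER
1057100500 192.0.2.20 203.0.113.9 GET /index.html
1057100900 192.0.2.20 203.0.113.9 GET /index.html
1057104444 192.0.2.20 203.0.113.9 GET /index.html
1057109999 192.0.2.20 203.0.113.9 GET /index.html
"""


def parse_log(text):
    """Group request timestamps by (src, dst, path). The query string is
    dropped because Jeem varies it per host while the script path is fixed."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, url = line.split(maxsplit=4)
        path = url.split("?", 1)[0]
        series[(src, dst, path)].append(int(ts))
    return series


def find_beacons(series, min_requests=4, max_jitter=0.1):
    """Return (src, dst, path, mean_gap_seconds, jitter) for request series
    whose inter-request gaps are regular (pstdev / mean <= max_jitter)."""
    beacons = []
    for (src, dst, path), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons.append((src, dst, path, round(mean_gap), round(jitter, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, path, gap, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}{path} every {gap}s (jitter {jitter})")
```

A real deployment would feed this from the proxy or flow source of choice and tune max_jitter; the point is that a fixed sleep interval is itself a detectable artefact, independent of the script name or the per-host ID.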
24
Spam
  • We ASSUME the Relaying Servers contact a Control
    Server through SSH/MySQL
  • A Relay Server sends a packet containing a
    "connect ip25" command (connect to the given
    address on port 25)
  • This opens a connection between the infected host
    and the indicated mail server
  • Other packets containing <mail to> and other
    SMTP commands are sent from a Relay Server to the
    infected host and passed on to the mail server

25
Spam Cont
  • All ACK commands from the mail server are sent
    back to the infected host and then to the Relay
    Server
  • If 100Mb are sent inbound to the infected host,
    the infected host sends out 100Mb
  • The Relay Server keeps this connection open by
    using a SACK Permitted option flag
  • SACK Permitted allows an established connection
    to remain open with knowledge that data will be
    sent in non-contiguous blocks
  • Most of the mail servers used were set up to
    accept mail only from hosts with properly
    configured DNS entries

26
[Diagram: the Jeem spam chain. Boxes: Master Server, Control Server,
Relay Hosts, Infected Host, Mail Server. Edge labels as drawn on the
slide: HTTP (Infected Host to Master Server), HTTP / JEEM (Infected
Host to Control Server), SSH / MYSQL? (Relay Hosts to Control Server),
JEEM (Relay Hosts to Infected Host), SMTP (Infected Host to Mail
Server); one further edge is labelled only "HTTP?".]
27
Jeem on the Network
  • 137.099.092.210 Infected Host
  • MMM.SSS.000.159 Master Server
  • CCC.SSS.129.048 Control Server
  • RRR.HHH.104.130 Relay Host
  • RRR.HHH.015.111 Relay Host
  • 064.012.137.152 Mail Server (AOL)

28
Jeem on the Network
LocIP           RemIP           Ptl LPrt  RPrt InBy OuBy Fir Las
137.099.092.210 MM.SS.000.159     6 1054    80 3541  662   1   2
137.099.092.210 CCC.SS.129.048    6 1056    80  481  548   1   2
137.099.092.210 CCC.SS.129.048    6 5119  1061  272  206   2   2
137.099.092.210 CCC.SS.129.048    6 1062    80  481  549   1   2
137.099.092.210 CCC.SS.129.048    6 5119  2618  272  206   2   2
137.099.092.210 CCC.SS.129.048    6 1066    80  481  549   1   2
137.099.092.210 CCC.SS.129.048    6 5119  4157  272  206   2   2
137.099.092.210 CCC.SS.129.048    6 1250    80  481  551   1   2
137.099.092.210 CCC.SS.129.048    6 5119  3988  272  206   2   2
137.099.092.210 RR.HH.104.130     6 5119  1591 1269 1288   2   1
137.099.092.210 064.012.137.152   6 1251    25 1783 2042   1   2
137.099.092.210 RR.HH.015.111     6 5119  4486 2502 1495   2   2
137.099.092.210 064.012.138.152   6 1252    25 1396 2573   1   2
137.099.092.210 RR.HH.015.111     6 5119  1183 2770 1735   2   2
137.099.092.210 064.012.138.089   6 1253    25 1636 2896   1   2

29
Who We Spoke To
30
Who We Spoke To
  • Emailed Michael Tokarev, Anti-Spam King of Russia
  • May 20, 2003 NY Times:
  • "Last October, Michael Tokarev, a Russian
    computer programmer active in the worldwide
    antispam effort, noticed a lot of spam in Russian
    that offered bulk-mailing services. The messages
    were identical, but they came from many different
    computers. He investigated and found they were
    forwarded by a program, calling itself Jeem, that
    had not been seen before."
  • "First of all, congratulations to you all for
    this job."

31
Who We Spoke To
  • Michael Tokarev:
  • "But.. the time was lost already. Waay lost.
    Jeems are NOT in wide use anymore. They
    still pop up sometimes, and the site/home SHOULD
    be alive and working to pick up jeems to use
    them. But their usage dropped dramatically. New
    "technologies" have been developed for this same
    purpose."

32
June 2003
  • 70,328 1080 (socks-proxy)
  • 51,735 6588 (analog-x)
  • 11,862 2280,2281,2282,2283 (sobig.c)
  • 9,079 21 (vuln FTP USER)
  • 8,874 7441 (ms proxy 1.0)
  • 8,036 8080 (http-proxy)

33
July 2003 (incomplete)
  • 47,477 1080 (socks-proxy)
  • 32,095 7441 (ms proxy 1.0)
  • 23,951 6588 (analog-x)
  • 15,872 3380, 3381, 3382 (sobig.e)
  • 13,638 2280, 2281, 2282 (sobig.c)
  • 11,123 3330, 3331, 3332 ???

34
Who We Spoke To (cont)
  • Asked NOX folks what we should do
  • Advised to take it seriously and report it to
    the Feds, or State Police, or the ISP
  • Spoke to the FBI

35
How They Helped Us
36
How They Helped Us
  • Took us seriously
  • We gave them a technical summary and packet
    capture
  • Had learned some lessons from the IRC DoS attack
    earlier in the spring
  • Agent Marty McBride from New Haven met with us to
    go over the details

37
How They Helped Us (cont)
  • Contacted the ISP that was hosting the master
    server with freeze order
  • Domain was changing hands and server was going
    away!

38
How They Helped Us (cont)
  • Former ISP would keep files intact and the new
    ISP would make sure the master server continued
    to work
  • Tested the scripts: the Control Server has changed
    directories, and the update.pl etc. scripts
    continue to function

39
What Changes We Made
40
What Changes We Made
  • We no longer want to infect the world with our
    SMTP-engine mail viruses.
  • Block Outbound TCP 25 (SMTP) from ResNet
  • Even better:

41
Changes (cont)
  • Register all known mail servers on campus (easy
    with IPAudit)
  • Block Outbound SMTP from every non-mail-server

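The egress change on the last two slides (register every legitimate mail server, then block TCP/25 from everything else) is a short rule set whose only subtlety is rule order and keeping the registry current. The block below is an added example, not the presentation's own configuration: it emits the rules for an iptables FORWARD chain on a Linux router (an assumption about where the filter sits) and evaluates sample flows against the same order, so a new registry can be checked against observed traffic before the rules go live. The campus network, the registered servers and the flows are constructed placeholders.

```python
"""Egress policy from the slides: allow outbound SMTP (TCP/25) only from
registered campus mail servers and drop it from every other campus host.

Added example, not the presentation's own configuration. The network
192.0.2.0/24 and the registered servers are constructed placeholders; the
emitted rules target the iptables FORWARD chain of a Linux router, which
is an assumption about where the filter would sit.
"""
import ipaddress

CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")               # constructed
REGISTERED_MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25"),  # constructed
                           ipaddress.ip_address("192.0.2.26")}


def iptables_rules(campus_net=CAMPUS_NET, mail_servers=REGISTERED_MAIL_SERVERS):
    """Ordered rules: registered servers first, then log and drop the rest.
    Order matters because iptables stops at the first matching rule."""
    rules = [f"iptables -A FORWARD -s {srv} -p tcp --dport 25 -j ACCEPT"
             for srv in sorted(mail_servers)]
    rules.append(f"iptables -A FORWARD -s {campus_net} -p tcp --dport 25 "
                 f"-j LOG --log-prefix 'SMTP-BLOCK '")
    rules.append(f"iptables -A FORWARD -s {campus_net} -p tcp --dport 25 -j DROP")
    return rules


def decide(src_ip, proto, dst_port,
           campus_net=CAMPUS_NET, mail_servers=REGISTERED_MAIL_SERVERS):
    """Evaluate one flow in the same order the rules above would."""
    src = ipaddress.ip_address(src_ip)
    if proto != "tcp" or dst_port != 25:
        return "PASS"      # not outbound SMTP; these rules do not apply
    if src in mail_servers:
        return "ACCEPT"
    if src in campus_net:
        return "DROP"
    return "PASS"          # traffic from outside the campus is not ours to filter


def blocked_hosts(flows, **policy):
    """Given (src, proto, dst_port) tuples, return the campus hosts whose SMTP
    would be dropped: a quick way to spot a mail server missing from the registry."""
    return sorted({src for src, proto, port in flows
                   if decide(src, proto, port, **policy) == "DROP"})


# Constructed flows: a registered server, a ResNet host sending mail directly,
# ordinary web traffic, and an off-campus source.
SAMPLE_FLOWS = [("192.0.2.25", "tcp", 25), ("192.0.2.10", "tcp", 25),
                ("192.0.2.10", "tcp", 25), ("192.0.2.20", "tcp", 80),
                ("198.51.100.7", "tcp", 25)]

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print("would be blocked:", blocked_hosts(SAMPLE_FLOWS))
```

The LOG rule before the DROP is what turns the block into a detection feed: every hit names a campus host that is either an unregistered mail server or a spam proxy, which is exactly the list the abuse desk wants.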
42
Conclusions
43
Conclusions
  • Spam is becoming public enemy #1
  • Viruses are an attractive way to make money
  • Spam-proxy viruses are becoming very common:
    most of the recent big ones all have some form of
    mail or web proxy built into them
  • Block outbound SMTP from your own ResNet at the
    least, if not the whole campus

44
Conclusions cont
  • Take the time to look into things that happen and
    learn more about them
  • Work with each other and with the Feds
  • Together we can make the Internet a better place!

45
Contact Info
  • Phil Rodrigues
  • phil.rodrigues_at_uconn.edu
  • Keith Bessette
  • keith.bessette_at_uconn.edu
