Date: 20 May 2002
References: ESB-2003.0162
===========================================================================
AA-2002.03 AUSCERT Advisory
File-Sharing Activity Part 2 of 2 -
Increased intruder attacks against servers to expand
illegal file sharing networks
20 May 2002
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT has recently received increasing numbers of reports regarding
large scale illegal file sharing networks that fall into two distinct
categories. The first category, concerning peer-to-peer file sharing
software, is discussed in the previous advisory AA-2002.02. The second
category, concerning compromised servers being used in file sharing
networks, is discussed here.
AusCERT has received reports of the existence of large file-sharing
networks that consist of compromised, high-bandwidth, high-availability
servers. These servers are controlled remotely by attackers for the
purpose of distributing pirated intellectual property (eg. software and
movies).
- ---------------------------------------------------------------------------
1. Description
The compromised servers that form part of the file-sharing networks are
usually controlled via Internet Relay Chat (IRC). Backdoor or trojan
horse programs are installed on the compromised servers enabling them to
connect to IRC so they can be controlled from IRC channels. Reports
indicate that most of the compromised servers are Windows 2000 and NT
systems.
The criterion attackers use to select victims for distributing pirated
intellectual property is high bandwidth combined with high availability.
Potential targets include, but are not limited to, university servers,
home broadband users, Internet Service Providers and similar hosting
companies.
The file-sharing is done in two possible ways - via IRC bots like "Iroffer"
and/or via FTP.
The IRC bots (such as Iroffer) are designed specifically for file-sharing
over IRC. They allow users who connect to the same IRC channel as the
compromised servers to initiate requests to the compromised servers through
IRC channel commands and start downloads via DCC (Direct Client
Connection).
Where FTP is used for file-sharing on the compromised server, it is often
found to be a third party FTP application (eg. ServUFTP, BulletProof FTP
Server) combined with "FireDaemon". FireDaemon is a utility that allows
you to install and run applications as a Windows NT/2K/XP service - similar
to the UNIX "inetd". Because they run as services on high-numbered,
non-standard ports, these FTP servers can be difficult to detect.
Distributed Denial of Service (DDoS) agents (eg. "knight.exe" and "GTbot")
are often found to have been installed on compromised servers being used
as part of the illegal file sharing networks.
2. Impact
Many of the risks described in section "2. Impact" from AA-2002.02
"Security implications of using peer-to-peer file sharing software" also
apply here. These risks include:
- added exposure to viruses and trojans contained in the files downloaded
onto your computer;
- loss of control over corporate data and resources as they are shared
outside an organisation;
- denial of service on the compromised host due to the increased load
caused by the installed backdoor or trojan horse programs;
- denial of service against third parties as the compromised host is used
as part of a DDoS attack;
- bandwidth problems caused by illicit file sharing of possibly gigabytes
of pirated intellectual property; and
- possible civil / criminal ramifications associated with hosting, and
therefore having control or possession over, pirated intellectual
property - willingly or otherwise.
3. Workarounds/Solutions
Block or restrict access to IRC services at the network perimeter
The ports used by compromised hosts in order to connect to IRC channels
can be blocked by a firewall on the network perimeter - ie. the known
IRC ports of 6667/tcp and 7000/tcp. However, given that IRC can be run
over any port, an additional solution would be to use network and host
based Intrusion Detection Systems (eg Snort) configured to examine
network traffic for IRC traffic.
If these measures cannot be applied to an entire network - consider
implementing them for a subnet or particular hosts that have been
identified as at greater risk from attack or of greater importance to
your organisation.
A general principle to follow is to only open ports on your firewall if
you have a business need for a particular network service and are aware
of the security implications of running that service.
Install and Maintain Anti-Virus Software
Most current anti-virus software products are able to detect and alert
administrators that an attacker is attempting to install a backdoor or
trojan horse program or that one has already been installed.
To ensure the effectiveness of anti-virus products, it is vital to keep
them up to date with the latest virus and attack signatures supplied by
vendors.
If you suspect that your site may have been compromised, we encourage you
to read:
ftp://ftp.auscert.org.au/pub/cert/tech_tips/intruder_detection_checklist
If your site has been compromised, we encourage you to read:
http://www.auscert.org.au/Information/Auscert_info/Papers/win-UNIX-system_compromise.html
4. Further Information
Further advice on detecting the unauthorised activity of such software,
and on minimising potential risks, is contained in the references below.
Dave Dittrich's CanSecWest CORE02 - Dissecting Distributed Malware
Networks
http://staff.washington.edu/dittrich/talks/core02/Core02.ppt
GT Bot (Global Threat)
http://bots.lockdowncorp.com/gtbot.html
Trends in Denial of Service Attack Technology
http://www.cert.org/archive/pdf/DoS_trends.pdf
CERT Incident Note IN-2000-08 - Chat Clients and Network Security
http://www.cert.org/incident_notes/IN-2000-08.html
CERT Incident Note IN-2002-03 - Social Engineering Attacks via IRC
and Instant Messaging
http://www.cert.org/incident_notes/IN-2002-03.html
CERT Incident Note IN-2000-02 - Exploitation of Unprotected Windows
Networking Shares
http://www.cert.org/incident_notes/IN-2000-02.html
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~