Network Intrusion Detection, Third Edition.pdf

A couple of sites were able to see the HTTP request that was executed, and it appeared to implicate a host www.rusftpsearch.net. The site was available for a few days and it appeared to be collecting IPs of any open proxy servers found.

Ron Marcum of Vanderbilt University discovered a PC on his network that was scanning hosts on other networks looking for ports 80, 8080, and 3128. He discovered a Trojan called RingZero that appeared to be the culprit. At a SANS conference in 1999, conference members and instructors installed the program that was discovered on the Vanderbilt host and examined what it did. They were able to recreate that this Trojan would scan other hosts on web ports.

The suspected infection means is via email or mp3 sharing. But, this seminal malicious code is one of the first that infected hosts and gathered some valuable information from the hosts, and then used the infected hosts to scan other hosts. This is the same model used for scans and attacks today, albeit quite a bit more sophisticated.

Summary

Without unnecessarily belaboring the point, the events described in this chapter have demonstrated the added value of having TCPdump or Shadow running at a site to capture the background traffic. The first incident of a non-intrusion showed how TCPdump can be invaluable because its purpose is not exclusively to show alerts of events of interest, but to capture all traffic. It can provide an audit trail of activity that occurred, or more descriptively in this case, of activity that did not occur.

In addition, TCPdump was used in the scan incident to assess the reaction of hosts on the monitored network to the scan. Scans can be harmless distractions when there is no response by the scanned hosts, or in this case, they can be a reason for concern. Although most NIDS will inform you of scans, none will automatically alert you of responding hosts.

In the third and final events, TCPdump was used to get very specific information about the fragments or packets in order to make more accurate evaluations of the nature of the attack. You can even begin to do forensic investigation about the type of hosts that are conducting the hostile activity. You will see a more thorough discussion of passive analysis of hostile traffic in the next chapter.

Chapter 11. Mystery Traffic

Many times as a security analyst, you see some kind of interesting traffic and wish that you had the time or resources to investigate it or understand it better. You have a much better chance of being able to do this if you are in a research position rather than a busy operational environment where your exclusive purpose is to make sure that no unauthorized access occurs. One such opportunity to do analysis of an event of interest arose at a site where Shadow was used to capture traffic. The site was the target of some extensive unexplained activity directed at TCP destination port 27374, which is often used by SubSeven.

The explanation and findings of the traffic are discussed in this chapter. When we witnessed this activity, we had a gut feeling that we were seeing something unique just because of the sheer volume of it. We used Shadow's collected TCPdump records to analyze different fields and aspects of the packet to come to our conclusions. This was a team effort conducted with the help of co-workers Vern Stark and David Heinbuch.

My suspicion is that many people who gravitate to the position of security analyst enjoy working puzzles or mysteries. The mystery of this traffic was unraveled simply using TCPdump record capture, Perl programming to examine and summarize different aspects of the traffic, and Excel to plot the findings. Working on this puzzle was not only a great learning experience of doing traffic evaluation, and recovery after making errant assumptions, but it provided a lot of entertainment to some true bit-heads.

The Event in a Nutshell

Examination of an hour's traffic on June 29, 2001 at 12:00 captured by a Shadow sensor positioned outside a monitored site's perimeter firewall revealed a large number of source hosts scanning what appeared to be the site's Class B address space for TCP destination port 27374. Shadow retrospectively analyzes each hour's traffic for anomalies. Anomalies, or more accurately, events of interest, are culled by running the previous hour's collected TCPdump traffic through a series of TCPdump filters. One of the filters looks for attempted TCP SYN connections from outside the network to a host in the network.
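The two analysis steps described above (the Shadow pass that pulls inbound TCP SYN attempts out of an hour of TCPdump output, and the follow-up from the chapter summary of checking which monitored hosts answered the scan) can be reproduced on tcpdump's text output with a short script. The following is an added example, not code from the book or from Shadow; it uses Python in place of the Perl summaries the chapter mentions. The capture lines are constructed in `tcpdump -n` format, 192.0.2.0/24 stands in for the monitored site's address space, and the flag strings `S`, `S.` and `R.` (SYN, SYN/ACK, RST/ACK) are tcpdump's own notation.

```python
"""Summarise an hour of tcpdump text output the way a Shadow-style filter pass would.

Added example: constructed data, not a real capture. 192.0.2.0/24 is an
assumed placeholder for the monitored network.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in `tcpdump -n` output format.
SAMPLE = """\
12:00:01.100000 IP 203.0.113.5.4021 > 192.0.2.17.27374: Flags [S], seq 10, win 8192, length 0
12:00:01.150000 IP 203.0.113.5.4022 > 192.0.2.18.27374: Flags [S], seq 11, win 8192, length 0
12:00:01.200000 IP 198.51.100.9.3301 > 192.0.2.17.27374: Flags [S], seq 20, win 8192, length 0
12:00:01.250000 IP 198.51.100.9.3302 > 192.0.2.19.27374: Flags [S], seq 21, win 8192, length 0
12:00:01.300000 IP 192.0.2.17.27374 > 203.0.113.5.4021: Flags [S.], seq 99, ack 11, win 65535, length 0
12:00:01.350000 IP 192.0.2.19.27374 > 198.51.100.9.3302: Flags [R.], seq 0, ack 22, win 0, length 0
12:00:02.000000 IP 192.0.2.50.51000 > 203.0.113.80.80: Flags [S], seq 30, win 8192, length 0
12:00:02.100000 IP 203.0.113.5.4025 > 192.0.2.18.80: Flags [S], seq 12, win 8192, length 0
"""

# Matches the prefix of a tcpdump TCP line: timestamp, endpoints, flag string.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one TCP line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_capture(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def inbound_syns(records, internal_net):
    """The Shadow-style filter: SYN-only segments from outside to a monitored host."""
    net = ipaddress.ip_network(internal_net)
    return [r for r in records
            if r["flags"] == "S"
            and ipaddress.ip_address(r["src"]) not in net
            and ipaddress.ip_address(r["dst"]) in net]


def scan_report(records, internal_net, port):
    """Summarise a scan of one destination port: who scanned, who was hit, who answered."""
    net = ipaddress.ip_network(internal_net)
    syns = [r for r in inbound_syns(records, internal_net) if r["dport"] == port]
    sources = Counter(r["src"] for r in syns)          # concurrent scanning sources
    targets = {r["dst"] for r in syns}                 # monitored hosts probed
    probed = {(r["dst"], r["src"]) for r in syns}      # (monitored host, scanner) pairs
    responders = {}
    for r in records:
        # Only replies from the scanned port on a monitored host, back to its scanner.
        if r["sport"] != port or ipaddress.ip_address(r["src"]) not in net:
            continue
        if (r["src"], r["dst"]) not in probed:
            continue
        if r["flags"] == "S.":                         # SYN/ACK: port is open
            responders[r["src"]] = "listening"
        elif r["flags"].startswith("R") and r["src"] not in responders:
            responders[r["src"]] = "closed"            # RST: host up, port closed
    return {"syn_count": len(syns), "sources": dict(sources),
            "targets": sorted(targets), "responders": responders}


if __name__ == "__main__":
    print(scan_report(parse_capture(SAMPLE), "192.0.2.0/24", 27374))
```

On the constructed sample the report shows two sources sending four SYNs to three monitored hosts, with one host answering SYN/ACK on 27374 (the case the summary calls a reason for concern) and one answering RST; outbound SYNs and inbound SYNs to other ports are excluded by the filter, as Shadow's filter would exclude them.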

TCP destination port 27374 is associated with a Trojan known as SubSeven that can allow full access to the victim's machine. We have seen plenty of large scans to the SubSeven port; however, we had never seen a scan that generated such a large volume of traffic—nor had we seen one that had come from multiple concurrent sources.

Correlation of Similar Activity

About this same time, the System Administration, Networking, and Security (SANS) Internet Storm Center released a report on June 26, 2001 about a Microsoft Windows worm named W32.leave.worm. The speculation was that this worm was used to make the infected host a participant host, also known as a zombie, in distributed denial of service (DDoS) attacks. According to the report, the worm spread via connections to hosts listening on TCP port 27374. The report noted that the worm scanned predetermined network blocks associated with @Home and Earthlink for destination port 27374. However, it made no mention of synchronized scanning, nor did it mention scanning of networks other than those previously mentioned. Although the described worm activity appeared to be different from the activity that was witnessed at the monitored site, it was possible that the worm activity had mutated since the initial report.
