1 / 89

Zombie-nets, Pop-ups, and Spam

By Bill and Lorette Cheswick ches@cheswick.com lepac@cheswick.com http://www.cheswick.com. Zombie-nets, Pop-ups, and Spam . Definition: internet. A collection of interacting networks that support TCP/IP. 01/19/05. Zombie-nets, Pop-ups, and Spam. 2 of 45. 01/19/05.

terra
Télécharger la présentation

Zombie-nets, Pop-ups, and Spam

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. By Bill and Lorette Cheswick ches@cheswick.com lepac@cheswick.com http://www.cheswick.com Zombie-nets, Pop-ups, and Spam

  2. Definition: internet • A collection of interacting networks that support TCP/IP 01/19/05 Zombie-nets, Pop-ups, and Spam 2 of 45

  3. 01/19/05 Zombie-nets, Pop-ups, and Spam 3 of 45

  4. TCP/IP • A set of protocols for connecting computers via a network • Almost nobody needs to know the details • Designed in the early 1980s • One design goal: end-to-end connectivity • We have learned better: firewalls break this idea 01/19/05 Zombie-nets, Pop-ups, and Spam 5 of 45

  5. Internet design:Smarts at the edge of the network • Unlike the phone system, the “center” of the network is pretty stupid • New services are designed and implemented at the edge of the network • No permission or special arrangements are needed 01/19/05 Zombie-nets, Pop-ups, and Spam 6 of 45

  6. 209.123.16.98 64.10.0.3

  7. Clients and servers • Clients initiate connections to servers • Servers tend to be publicly-known and accessible • Web services like www.amazon.com • There is seldom any good reason for a home or corporate computer to offer network services • But they do anyway. A lot of them 01/19/05 Zombie-nets, Pop-ups, and Spam 8 of 45

  8. 209.123.16.104 (client) 164.109.96.222 (server) (www.budweiser.com)

  9. TCP connections include a port number • TCP ports are numbers between 0 and 65535, inclusive • The client and server need only agree on which number to use • There is a long list of standard services and their TCP port numbers • World wide web (HTTP) port 80 • Email (SMTP) port 25 • thousands more

  10. Server ports • Each TCP service available on a computer is serviced by a program • If that program has a serious bug, someone far away may be able to compromise that computer, and inject their own software to “own” your computer • If you are running Windows, this has probably already happened to you

  11. How can we see these TCP services on a Windows computer? • Start -> All Programs -> Accessories -> Command Prompt • Run: netstat –a

  12. Windows XP, Service Pack 2 (SP2)

  13. A Few Sample port listener profiles

  14. Windows ME Active Connections - Win ME Proto Local Address Foreign Address State TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING TCP 223.223.223.10:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:1025 *:* UDP 0.0.0.0:1026 *:* UDP 0.0.0.0:31337 *:* UDP 0.0.0.0:162 *:* UDP 223.223.223.10:137 *:* UDP 223.223.223.10:138 *:*

  15. Windows 2000 Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING TCP 0.0.0.0:1036 0.0.0.0:0 LISTENING TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING TCP 0.0.0.0:1086 0.0.0.0:0 LISTENING TCP 0.0.0.0:6515 0.0.0.0:0 LISTENING TCP 127.0.0.1:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1038 *:* UDP 0.0.0.0:6514 *:* UDP 0.0.0.0:6515 *:* UDP 127.0.0.1:1108 *:* UDP 223.223.223.96:500 *:* UDP 223.223.223.96:4500 *:*

  16. Windows XP, this laptop Proto Local Address Foreign Address State TCP ches-pc:epmap ches-pc:0 LISTENING TCP ches-pc:microsoft-ds ches-pc:0 LISTENING TCP ches-pc:1025 ches-pc:0 LISTENING TCP ches-pc:1036 ches-pc:0 LISTENING TCP ches-pc:3115 ches-pc:0 LISTENING TCP ches-pc:3118 ches-pc:0 LISTENING TCP ches-pc:3470 ches-pc:0 LISTENING TCP ches-pc:3477 ches-pc:0 LISTENING TCP ches-pc:5000 ches-pc:0 LISTENING TCP ches-pc:6515 ches-pc:0 LISTENING TCP ches-pc:netbios-ssn ches-pc:0 LISTENING TCP ches-pc:3001 ches-pc:0 LISTENING TCP ches-pc:3002 ches-pc:0 LISTENING TCP ches-pc:3003 ches-pc:0 LISTENING TCP ches-pc:5180 ches-pc:0 LISTENING UDP ches-pc:microsoft-ds *:* UDP ches-pc:isakmp *:* UDP ches-pc:1027 *:* UDP ches-pc:3008 *:* UDP ches-pc:3473 *:* UDP ches-pc:6514 *:* UDP ches-pc:6515 *:* UDP ches-pc:netbios-ns *:* UDP ches-pc:netbios-dgm *:* UDP ches-pc:1900 *:* UDP ches-pc:ntp *:* UDP ches-pc:1900 *:* UDP ches-pc:3471 *:*

  17. FreeBSD partition, this laptop(getting out of the game) Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address tcp4 0 0 *.22 tcp6 0 0 *.22

  18. It is easy to dump on Microsoft, but many others have made the same mistakes before

  19. Default servicesSGI workstation, c. 1995 ftp stream tcp nowait root /v/gate/ftpd telnet stream tcp nowait root /usr/etc/telnetd shell stream tcp nowait root /usr/etc/rshd login stream tcp nowait root /usr/etc/rlogind exec stream tcp nowait root /usr/etc/rexecd finger stream tcp nowait guest /usr/etc/fingerd bootp dgram udp wait root /usr/etc/bootp tftp dgram udp wait guest /usr/etc/tftpd ntalk dgram udp wait root /usr/etc/talkd tcpmux stream tcp nowait root internal echo stream tcp nowait root internal discard stream tcp nowait root internal chargen stream tcp nowait root internal daytime stream tcp nowait root internal time stream tcp nowait root internal echo dgram udp wait root internal discard dgram udp wait root internal chargen dgram udp wait root internal daytime dgram udp wait root internal time dgram udp wait root internal sgi-dgl stream tcp nowait root/rcv dgld uucp stream tcp nowait root /usr/lib/uucp/uucpd

  20. More default services(cont.) mountd/1 stream rpc/tcp wait/lc root rpc.mountd mountd/1 dgram rpc/udp wait/lc root rpc.mountd sgi_mountd/1 stream rpc/tcp wait/lc root rpc.mountd sgi_mountd/1 dgram rpc/udp wait/lc root rpc.mountd rstatd/1-3 dgram rpc/udp wait root rpc.rstatd walld/1 dgram rpc/udp wait root rpc.rwalld rusersd/1 dgram rpc/udp wait root rpc.rusersd rquotad/1 dgram rpc/udp wait root rpc.rquotad sprayd/1 dgram rpc/udp wait root rpc.sprayd bootparam/1 dgram rpc/udp wait root rpc.bootparamd sgi_videod/1 stream rpc/tcp wait root ?videod sgi_fam/1 stream rpc/tcp wait root ?fam sgi_snoopd/1 stream rpc/tcp wait root ?rpc.snoopd sgi_pcsd/1 dgram rpc/udp wait root ?cvpcsd sgi_pod/1 stream rpc/tcp wait root ?podd tcpmux/sgi_scanner stream tcp nowait root ?scan/net/scannerd tcpmux/sgi_printer stream tcp nowait root ?print/printerd 9fs stream tcp nowait root /v/bin/u9fs u9fs webproxy stream tcp nowait root /usr/local/etc/webserv

  21. Types of malware • Worms • Viruses • Trojans • Cookies • Adware • Keystroke loggers

  22. worms • Stand-alone programs that propagate themselves through computers • Usually enter via network ports

  23. Witty worm – the worldDavid Moore - CAIDA

  24. The witty worm…USADavid Moore - CAIDA

  25. viruses • Programs that propagate by infecting other programs • Spread by infecting other programs on a computer, and moving infected programs to other machines, e.g. through mail attachments

  26. trojans • Programs that appear useful, but may have evil side effects. • Imagine a tax preparation program that erases your disk on April 14

  27. cookies • Data stored on your computer by a web server, and returned to that server on future connections • Used to track you and your activities • Not always a bad thing • Not an executable program

  28. adware • Programs that reside in your computer for marketing purposes • May track your browsing, spending, or network activities

  29. Keystroke loggers • Hardware or software that records your keystrokes • Great way to collect passwords, credit card numbers, etc.

  30. Remedies Do you know enough to fix your own computer?

  31. Homepage data • Default settings • Amount of graphics • OS forcing a default • Adaware forcing a default • Various broadband difficulties with graphics • So much CPU activity that homepage can’t load

  32. You may need to back up yesterday • Pay attention to small differences in your computer’s behavior • Don’t wait for a month to go by before asking someone else • Write down error messages • Go somewhere else to check the errors • The Bernardsville Public Library

  33. Don’t open a new program until you’ve read tomorrow’s paper Circuits, Thursday NYT Personal Journal, WSJ CNET

  34. http://blogs.msdn.com/ie/archive/2005/01/11/350949.aspx Help comes in many guises

  35. www.sans.org • Delivered-To: Lepac@cheswick.comFrom: The SANS Institute <Webcast@sans.org>Subject: Internet Storm Center Threat Update and What Works in Intrusion Prevention WebcastsPlease sign into the SANS Portal for upcoming complimentary webcastsin January 2005.  On Wednesday, January 12, 2005, the Internet StormCenter will present the latest "Threat Update."  On Thursday, January20, 2005, SANS will host "What Works in Intrusion Prevention." 01/19/05 Zombie-nets, Pop-ups, and Spam 45 of 45

  36. http://tired-of-spam.home.comcast.net/eblocs.html

  37. 01/19/05 Zombie-nets, Pop-ups, and Spam 47 of 45

  38. System Tools • Disk defragmenter • Chkdsk /f • Dr Watson http://watson.addy.com/ • Add/Remove Programs • Auto-update for Windows XP • SP2 • Taskmanager 01/19/05 Zombie-nets, Pop-ups, and Spam 48 of 45

  39. Programs that help • Up-to-date Anti-virus software • Trojan Hunter • Spybot Search and Destroy • Adaware • Avert Stinger • McAfee targeted trojan and virus removal programs • Firewalls 01/19/05 Zombie-nets, Pop-ups, and Spam 49 of 45

  40. Websites • Download.com • CNet.com • Google.com • McAfee.com • Symantec.com • CERT.org 01/19/05 Zombie-nets, Pop-ups, and Spam 50 of 45

More Related