by Corey Merchant
|Detecting and Containing IRC-Controlled Trojans: When Firewalls, AV, and IDS Are Not Enough
by Corey Merchant and Joe Stewart, LURHQ Corporation Secure Operations Center
last updated July 10, 2002
This paper discusses IRC-based trojans as a distinctly underestimated class of malicious activity, and how real time security event monitoring is the key to identifying and containing similar compromises. It discusses the general methodology used to discover, track, and stop such malicious activity by presenting a real-world case study.
The firewall alerts, as shown in Table 1 began around midnight: prolific scans from a host inside one of our customers' perimeter to many Internet hosts for IRC (TCP 6667). Within minutes we had thousands of alerts. And in a few days we were well into exploring our attacker's methods, tools, and activities - an endeavor that would result in a greater awareness of what I now appreciate as a distinct class of attacks (IRC based trojans), and re-enforcement of the fact that firewalls, anti-virus software, and intrusion detection systems are not enough. Constant security event monitoring is the missing key to most information security infrastructures.
Table 1. Firewall Logs
Apr 25 18:15:14 customer_firewall unix: securityalert: tcp if=hme1 from xxx.xxx.xxx.43:3622 to 18.104.22.168 on unserved port 6667 Apr 25 18:04:32 customer_firewall unix: securityalert: tcp if=hme1 from xxx.xxx.xxx.43:3690 to 22.214.171.124 on unserved port 6667 Apr 25 17:55:15 customer_firewall unix: securityalert: tcp if=hme1 from xxx.xxx.xxx.43:4240 to 126.96.36.199 on unserved port 6667 Apr 25 17:56:48 customer_firewall unix: securityalert: tcp if=hme1 from xxx.xxx.xxx.43:4802 to 188.8.131.52 on unserved port 6667
..and so on over thousands of hosts.
The Attacker's Approach
This attacker's code is probably unique, but the approach is not new or unique. Still, you seldom hear of it - the use of semi-custom trojan packages using IRC as a control channel. Some alerting organizations allude only to increases in IRC-based backdoors and malware, but do not mention the individual trojan package(s) used. And most virus protection packages catch very few tools like this. The reasons for this is that there are too many such tools, most are evolving, and their propagation is more deliberate and controlled, unlike newsworthy worms like Nimda and Melissa. There are likely hundreds, perhaps thousands, of these types of packages, which may really be considered crackers' tool kits - Swiss Army knives for cracking, if you will. They range from the collected and self-written scripts of individuals to collections of such tools available for download and use by less skilled attackers. Most work like this:
This control code is what really defines this class of trojan package. The control code provides the attacker a means to run and control various utilities via IRC, backdoor access to the host, and some mechanism for file transfer. More sophisticated packages allow their victims, or zombies, to report back regarding the success/progress of attacks. This allows the attacker to control dozens and, in some cases, hundreds or thousands, of zombies with a great deal of flexibility and vision. A great majority are centered around a hacked version of mIRC, a common IRC client; and associated mIRC scripts. To summarize, the power of this approach is three-pronged. First, it uses commonly available tools to completely control victims. Second, it uses an array of intermediate victims to obfuscate the attacker's identity. And third, there are so many similar tool kits out there that they provide an overload of small moving targets for the good guys (virus protection vendors, firewall vendors, and security staffs in general). As an example, neither CERT nor the FBI were able to appoint any resources to this incident.
Discovering the Compromise
After the first wave of scans, we asked that the host be checked out thoroughly. It turned out to be the laptop of a remote worker with DSL who had remote access through a VPN (split tunneling disabled). The machine had current anti-virus software and a personal firewall. The user was described as non-technical, which led us to believe that the laptop had been compromised in one way or another, so it was sent in for a scrub down. Nothing was found. The group that did this said that the box was re-imaged, but when it came back up on the network we immediately began getting scans from it to many Internet addresses for Squid (TCP 3158) and SQL (TCP 1433). We asked that the box be sent to us this time.
We set the machine up on on an outside network alongside a sniffer, booted up, and captured for an hour. At this time we notice that it was SYN flooding a Web server (see Table 2). Upon further investigation using Ethereal and other tools, we discovered that it and about 75 other zombies were taking part in a distributed denial of service attack, all controlled from an IRC channel on a server presumably in Kazakhstan. Therefore, we had to take the host off-line. But, we had enough captures to see that it was taking part in distributed scans for certain services (looking for new zombie recruits), was transfering and receiving files from its master (mostly scripts to perform all these tasks and to scuttle the host itself if necessary), as well as the DDOS activity mentioned. From the information gathered, we believe that the activity ties together something like this. The attacker:
Table 2. DDOS Capture Decode
# Stran is the op, our attacker. Here he sets the channel topic, which tells the # zombies who to attack, and on what port(s). :Stranfirstname.lastname@example.org TOPIC #rubik :!0pana www.gotocasino.com 80 # A zombie on attbi.com's net reports that it is "bOmBiNg" the victim. :xJ9XI58!~F107638I@rox-21043.atl.client2.attbi.com PRIVMSG #rubik :5,1[#4bOmBiNg#5]#0-#3[#09 www.gotocasino.com #3] # The same zombie reports back a successful attack :xJ9XI58!~F107638I@rox-21043.atl.client2.attbi.com PRIVMSG #rubik :14Attacked host #15: #4 www.gotocasino.com #14port #15: #4 80 # This goes on for many hosts, who continue to syn flood the victim.
Table 3. Distributed Squid Scan
# The channel op Stran, our attacker, tells the zombies to scan the addresses and ports in # in 3128.txt :Stranemail@example.com PRIVMSG #rubik :!0 play #rubik 3128.txt 2500 PRIVMSG Stran :##00X# #U##15nderstood
Important notes here are that the network-based IDS missed this activity because there were no signatures for this specific trojan, the virus software on the host also missed it for similar reasons, and the alerts on the firewall looked upon first glance like standard internal network noise. However, the security staff, watching in real time, clued in that the source was a VPN network, and that the destination was a bit suspicious.
Anatomy of the Trojan
It is useful to understand what some of the standard pieces of one of these trojan are. The following is from Trend Micro's virus encyclopedia. It outlines what they said about the trojan after we had turned over the files. They and other virus vendors have since released pattern updates for this trojan.
Upon execution, this backdoor malware extracts the following files:
C:\Winnt\system32\ght.dll C:\Winnt\system32\hajr.drv C:\Winnt\system32\iexplorer4.cab C:\\Winnt\system32\Msboot.exe C:\Winnt\system32\msflxgd.exe C:\Winnt\system32\smtp.txt C:\Winnt\system32\syscribe.txt
It then executes Msboot.exe, a file written in Visual Basic, which is a loader program. To allow itself to execute upon subsequent reboot, it creates a registry run key as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsCurrentVersion\RunServices ?Microsoft ReBoot?= ?C:\Winnt\system32\Msboot.exe?
MSFLXGD.EXE is a modified PE-Compact mIRC client. Upon execution, it drops a configuration script, netv.ocx (detected as IRC_SOER.A). With it and the other accessory scripts, it functions as a backdoor program connecting to the site Irc.Kamaz.Kz via port 7777. There, it joins a specific channel and sends messages to the hacker's nick. It also waits for specific keyword triggers that serve as commands for it process.
When this program is running on the infected computer, the hacker can execute the following:
In addition to the abilities that Trend mentions, we have seen the following:
And, we have seen our attacker add and remove special-function scripts periodically.
It appears that this attacker's primary means of propagating the trojan was by exploiting open MS-SQL servers running on Windows NT/2000 boxes. All zombies had SQL servers with SA accounts that had no password. We were able to recreate similar activity using the command shell provided by MS-SQL. All zombies were also attached to DSL routers or cable modems, so our attacker appears to be interested in bandwidth, as well. Our methods were:
Table 4. SMTP Banners
184.108.40.206 Banner: 220 sediu Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Wed, 8 May 2002 14:59:08 +0300 220.127.116.11 Banner: 220 risnt7.lefrak.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready 18.104.22.168 Banner: 220 ramaposoftware.BEXTInc.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Wed, 8 May 2002 07:51:10 -0400 22.214.171.124 Banner: 220 computech-srvr.computechny.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Wed, 8 May 2002 07:52:43 -0400 126.96.36.199 Banner: 220 infoe.infoequation.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Wed, 8 May 2002 07:53:37 -0400 188.8.131.52 Banner: 220 server20002.DOMAIN2000 Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Wed, 8 May 2002 07:46:34 -0400 184.108.40.206 Banner: 220 minserver1 Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Wed, 8 May 2002 20:51:27 +0900 220.127.116.11 Banner: 220 webdemo Microsoft ESMTP MAIL Service, Version: 5.0.2195.4453 ready at Wed, 8 May 2002 04:54:29 -0700 18.104.22.168 Banner: 220 rational2.i-telco.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Wed, 8 May 2002 04:55:12 -0700 22.214.171.124 Banner: 220 SLIN.i-telco.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.1600 ready at Wed, 8 May 2002 04:55:29 -0700
Finally, we e-mailed the most relevant contact available for the victim hosts we had on record, informing them of the activity we had seen and that they had vulnerable and compromised hosts.
Anecdotal evidence based on activity we've seen on over 100 networks based solely in the United States, along with information gathered during this incident, suggests that these IRC-based trojans and similar tool kits likely account for a vast majority of deliberate, successful security breaches. Yet, most go unnoticed. Further, these are generally not that sophisticated. Merely taking the technique up one level of expertise - for example, by adding encryption and communication/control over port 443, which almost no one filters or inspects outbound, or encoding and tunneling in another valid protocol - makes the existence of the ongoing penetration nearly invisible. In a corporate or government espionage scenario, one can envision an attacker silently gathering proprietary information over a long period completely unnoticed. In a warez scenario, these kinds of zombie networks are the latest trend in storing, moving, and distributing pirated software and media.
Given that the current standard security model for most organizations is product based, this type of activity is routinely overlooked. Most of these organizations bought firewalls and virus software during a big security push in the early 1990s, and intrusion detection systems later, but none of these products detected this trojan and none stopped it, and general awareness in security circles is surprisingly low. Mass media outlets are are inclined to cover large scale worm outbreaks, while most security types tend to focus on one dimensional attacks (e.g. someone is port scanning the firewall).
As we've seen, there are a few components necessary for discovering and stopping this class of attack:
However, none of these in isolation are effective. And, more importantly, the critical glue that binds these is active, real-time monitoring of security events 24x7. The diligent watching of trained security staff is the most effective real defense for this type of activity.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.