February 2006

The Domain Name Service as an IDS

“how dns can be used for detecting and monitoring badware in a network”


this is a very interesting although preliminary work by obviously skilled people. i haven’t learned much but i am extremely happy others work on this than the people i already know! they also weren’t too shy with credit, mentioning florian weimer and his passive dns project already at the abstract (quoted below). they even mention me for some reason.

great paper guys!

moving past passive dns replication and blacklisting, they discuss what so far has been done for years using dnstop, and help us take it to the next level of dns monitoring.

someone should introduce them to duane wessels’ (from isc oarc) follow-up dnstop project, dsc. :)
[duane’s lecture on the tool at the 1st dns-oarc workshop] http://www.caida.org/projects/oarc/200507/slides/oarc0507-wessels-dsc.pdf

there has been some other interesting work done in this area by our very own david dagon from georgia tech:
[presentation from the 1st dns-oarc workshop] botnet detection and response – the network is the infection: http://www.caida.org/projects/oarc/200507/slides/oarc0507-dagon.pdf
[paper] modeling botnet propagation using time zones: http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_ndss06.pdf

surfnet is looking for technologies to expand the ways they can detect network traffic anomalies like botnets. since bots started using domain names for connection with their controller, tracking and removing them has become a hard task. this research is a first glance at the usability of dns traffic and logs for detection of this malicious network activity. detection of bots is possible by dns information gathered from the network by placing counters and triggers on specific events in the data analysis. in combination with netflow information and ip addresses of known infected systems, detection of bots of network anomalies can be made visible. also the behavior of a bot can be documented and additional information can be gathering about the bot. using dns data as a supplement to the existing detection systems can give more insight in
the suspicious network traffic. with some future research, this information can be used to compile a case against particular types of bot or spyware and help dismantling a remote controlled infrastructure as a whole.

we started this research project with the question if the passive dns software of florian weimer was useful for bot detection. we immediately found out that the sensor of the passive dns software strips the source address from the collected data for privacy reasons, making this software not useful at all for our purpose. we deviated from the research plan (plan van aanpak) and took a more general approach to the question; ”is gathered dns traffic usable for badware detection”.

gadi evron,

Brian Krebs interviews a Bad Guy

brian krebs recently interviewed a botnet controller kiddie.

these people do kill. they do steal your aunty’s money and your dad’s pension. they destroy your thesis and have the feds knock on your door for crimes they committed. they cause the power to stop working. if it was true, i’d also like to blame them for things such as cancer and world hunger, i suppose i can’t though. worse still, these are just the kids.

i’d love to see an interview with the russian mob and their operations.

regardless, brian did a good job, like always.

also, there is a good post about it on taosecurity.

gadi evron,

Captcha implementation of PHP-Nuke poorly written

Several security advisories about the Captcha implementation in PHP-Nuke have been released.

The original report from Janek “waraxe” Vind states:

-Quote begins-
We can see, that challenge is called “$random_num” and response “$code” is constructed from various parts. And this algrithm means, that some specific challenge will have same response in following conditions:

1. It must be same day (because of the “$datekey”)
2. HTTP_USER_AGENT must be the same

So how to exploit this design weakness. First we need working challenge/response pair from “victim” server. For this let’s look at CAPTHA picture with numbers at login page.
Right mouse click on that picture and (in case of IE) –> properties–>address , and we can see picture url, something like this:
“http: // localhost/nuke78/modules.php?gfx=gfx&random_num=112652”
-Quote ends-

Secunia’s advice (workaround) is not to rely on the captcha feature to prevent automated logons to PHP-Nuke. SecurityFocus, in turn, warns that this flaw may be used to carry out other attacks against the login page. They list brute force attempts.

BTW: According to Secunia’s PHP-Nuke Product database

Currently, 23 out of 27 Secunia advisories, are marked as “Unpatched” in the Secunia database.

The original captcha model (“completely automated public Turing test to tell computers and humans apart”) itself is nine years old.

New MSN Search & Win campaign search site hosted in France

Like some of our readers know, MSN has started its Search & Win campaign exactly one week ago. The UI of the search page itself is Flash-based and it’s located at www.msnsearchandwin.com. Some details about the contest:
MSN will give users a chance to win prizes of $1 million by using this search engine. There are about 1,200 separate keywords linked to prizes, i.e. per month. The campaign will end at the end of April. Reportedly user will get information about possible prize after submitting his or hers search query. The prize list includes digital cameras, Xboxs, MP3 players, plasma TVs, trips etc. ‘If a link appears on the search results page with the words MSN Search & Win, click the link to see if you instantly won’, says the Help screen.

I decided to do some WHOIS queries yesterday and found a few interesting things:

1. The WHOIS results for this IP says:

inetnum: -
descr: Jaguar Network
country: FR
admin-c: JAGN-RIPE
tech-c: JAGN-RIPE
mnt-by: JAGUAR-MNT
changed: ***********@as30781.net 20050622
source: RIPE

When checking the domain as30781.net listed www.as30781.net is the Web site of Jaguar Network. The page is titled as ‘Jaguar Network – Network Operations Center’. No other domains are hosted by this French company, says Netcraft’s Top Sites Running report.

2. According to Netcraft this site uses Microsoft’s name servers:

Nameserver: ns1.msft.net
DNS admin: msnhst@microsoft.com
Nameserver Organisation: Microsoft Corporation, One Microsoft Way, Redmond, 98052, United States

There is no information what are the connections between Microsoft and Jaguar Network.

3. This is for U.S. customers only. From the point of privacy, I’m interested if this contest will need detailed registration:
Bush Administration Demands Search Data; Google Says No; AOL, MSN & Yahoo Said Yes

Reportedly Yahoo! is planning a similar campaign.
Feel free to comment.

Juha-Matti Laurio

Plupii.C proved: Remarkable old Mambo CMS installations in use

Systems behind content management system based Web sites are not always patched. Delays when patching systems are not weeks. In fact, they are more than months.

The XML-RPC for PHP vulnerability from June 2005 is not the only security issue being exploited in this new Linux worm case. One of the other vulnerabilities is GLOBALS[‘mosConfig_absolute_path’] issue CVE -2005-0512, reported and fixed exactly one year ago. This code injection issue affects Mambo systems 4.5.2 and earlier.

At this time, Mambo defacemect reports from volunteers who helped the Internet Storm Center to make a conclusion that a new Plupii variant is spreading. Sometimes even the word ‘mambo’ in the URL helps confirming Mambo sites being as target of defacement; see new ones at www.zone-h.org/en/defacements/view/id=3354748/ etc.

A fixed Mambo version is available, but administrators simply didn’t patched their systems.

“if you are not doing anything wrong, why should you worry about it?”

our friend alex eckelberry over at sunbelt’s blog writes about houston’s police chief harold hurtt, who seems to love cameras and to think big brother is all in your mind.

“if you are not doing anything wrong, why should you worry about it?”

even i can’t deny the need or the effectiveness, and i can see how cameras can be good for the public and law enforcement protecting the public. london has been a great example of that.

still, like with many other such solutions, the perps just move elsewhere where cameras don’t cover their every move. whether it’s another city block or another city is another issue all-together. shuffling the trouble is always the best solution, right?

putting such technology in the hands of people who believe they should also see into your house and that if you’d like some privacy, you must be a criminal is rather amusing in how it is scary.

the main point being, that even if the current head honcho is a nice guy and all those who work for him (or her) are cool people, who is to say their followers will be. what’s to stop them from putting cameras in our showers, next? after all, do we have anything to hide? maybe we all just like to “help ourselves”…?
are there any limitations on what this will be used for after it is there? how do you enforce that?

with all the recent privacy issues in the states, finand, etc. i am becoming increasingly uncomfortable trusting those who are supposed to protect me.

i have always been a strong believer that just because solutions to something can potentially be abused, that is no reason not to find out what these solutions are.
as an example, most of us agree we need to fight terrorism, yet immediately make war on any attempt to do so. instead of killing every possible suggested solution i’d rather they fight on how it gets done.

to do it and leave it wide-open for abuse, however, should in my opinion be illegal. how you define what “wide-open for abuse” though is problematic, but getting less so in some sectors with the increasing popularity of industry standardization. at least where it is understood, and i don’t know of many who utilize these tools and really understand what standardization is about.

gadi evron,