Special Analysis:
Anatomy of a Cyber-Attack
Security rule- Default Block NetBus Trojan horse
Date- 9/27/06
Time- 2:28 PM
Path- N/A
File name- N/A
Direction- Inbound
Local address- XX.XX.XX.XXX [IP redacted for privacy]
Local port- NetBus (12345)
Remote address- 84.94.169.156
Remote port- 3520
Protocol- TCP
It's small-time stuff: somewhat amateurish. The NetBus Trojan is too famous for its own good. Sort of like Rush Limbaugh trying to be anonymous at a Vegas brothel. He might be able to get away with it in the Dominican Republic, but not in the good ol' Hew Hess Hay (not that Mr. Limbaugh would do such nasty things anywhere in the world, of course).
I'm rather fragile about cyber-attacks in general, and since the brutal episode last week—wherein the firewall on my server got hacked and one of my own IPs was installed as a bogey—I've gotten downright bitchy. I'm going to take you on a brief educational lesson in cyber-sleuthing. I'm going to over-simplify things at every turn, and I shall do so to the end of keeping at least some of you marginally interested in what could otherwise be about the most boring post this side of "Making Cracker Crumbs." To those who would flog me for making things so simple that they're downright outrageous, I say this: bite me.
NetBus Trojan-type stuff is easily smacked down by any decent antivirus program. Anyone stupid enough to be on the internets these days without layers of shields deserves what happens. NetBus Trojan takes control of certain functions on your computer and makes them respond to a remote client's commands. In other words, your computer becomes what we call a "zombie."
Anyone who's seen Night of the Living Dead knows that being a zombie sucks big time, and the situation isn't any better for a computer: you end up doing all manner of things you really wouldn't want to do were you still to have a soul within your meat bag. A zombie computer can pump out thousands of spam e-mails every day, it can launch spambots that post links to casinos and porn sites on hapless blogs, or it can participate in distributed denial of service attacks wherein a whole bunch of computers simultaneously flood a server with little packets of data, thereby overwhelming and thus shutting down the victimized machine. Like I said, being a zombie sucks big time.
NetBus Trojan is lame, and so is the little dweeb who uses it for an attack.
So, now, let's get down to the fun part. Who was behind this little gambit? The key is in that "Remote address" line above. That string of numbers is a "dotted quad," or in more modern terms, an "IP address," a unique identifier of a machine. The problem is that most of you readers will have direct IPs, which means I can track you down very easily if I must; but if you're running through a "proxy server," I'm going to end up tracking you down to some weird place in the middle of nowhere. And if you're doing things to really cover your tracks, you're going to be using some program or service that will run you through all kinds of hand-offs that will make my job of finding you a total nightmare. I'll be chasing you down through "onion servers," academic racks, miserably weak Chinese computers, and pathetically out-of-date Eastern European clunkers, all to the final end of coming up bupkis.
I might try to contact the techs at some of these intermediate IP switching places, and they'll tell me that there's not a thing on Earth they can do to help me out: being on or even near the backbone means getting a zillion pounds of traffic hopping through on its way from one place to another, and no one can do anything about one lousy burst of packets popping in for an IP freshener.
Welcome to the Age of Anonymity... provided, of course, you know how to play the game (and like Hell I'm going to explain here how easy it is to play the game).
So that "Remote (IP) address" above is useless, right? Ah, not so fast. Remember that above I used the term "somewhat amateurish" to describe this attack? Well, here's why.
Let's run a WHOIS on that IP. First, let's try ARIN WHOIS. This is what we get:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 84.0.0.0 - 84.255.255.255
CIDR: 84.0.0.0/8
NetName: 84-RIPE
NetHandle: NET-84-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS3.NIC.FR
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2003-11-17
Updated: 2004-03-16
If that data above looks like hogwash, you're smarter than you think you are about this kind of stuff. Yes, that search did nothing but take us to a bunch of nameservers we'd probably end up chasing down to get even more information that didn't tell us much of anything. We got bupkis. (We really didn't, but life is short, and there should be a quicker way to get some gold.)
Let's try again. Let's go to one of my favorite sites, DNSstuff.com. This place is like a candy store for the cyber-sleuth. It's not the best, but it's really user friendly compared to some other tracking sites.
Let's run that IP through the "WHOIS Lookup" utility. Here's the output, with some of the boilerplate stuff removed:
% Information related to '84.94.168.0 - 84.94.179.255'
inetnum: 84.94.168.0 - 84.94.179.255
netname: GOLDENLINES-CABLE
descr: Please Send Abuse/SPAM complaints To *****@012.net.il
country: IL
admin-c: DR5299-RIPE
tech-c: DR5299-RIPE
status: ASSIGNED PA
notify: ***@linux.goldenlines.net.il
changed: ***@linux.goldenlines.net.il 20060605
mnt-by: AS9116-MNT
mnt-lower: AS9116-MNT
source: RIPE
role: DNS REG
remarks: Goldenlines DNS Registration and LIR
address: Hasivim 25 Petach-Tikva,Israel
e-mail: ******@012.net.il
admin-c: KI373-RIPE
tech-c: KI373-RIPE
tech-c: AG914-RIPE
tech-c: MH21010-RIPE
nic-hdl: DR5299-RIPE
notify: ***@linux.goldenlines.net.il
changed: ***@linux.goldenlines.net.il 20060921
mnt-by: AS9116-MNT
source: RIPE
abuse-mailbox: *****@012.net.il
% Information related to '84.94.169.0/24AS9116'
route: 84.94.169.0/24
descr: Golden Lines
origin: AS9116
mnt-by: AS9116-MNT
changed: ***@linux.goldenlines.net.il 20050607
source: RIPE
Oooo! Paydirt! The jerk came out of Tel Aviv! And it looks like some cable TV company that has a cable modem service, or at least something like that.
Oh, but maybe not. Recall that I told you above that the bogeys bounce around the world on "hops," picking up the IP addresses of hapless, innocent servers. This IP address in Tel Aviv, Israel, might belong to nothing more than a server that was on a hop the bogey did.
Darn it! That was almost exciting. Again, though, we got nothing.
Or did we? Let's go back to that screen and have a closer look.
Check out the line that reads,
"descr: Please Send Abuse/SPAM complaints To *****@012.net.il"
and think about it for a second. Every server has to provide a contact for abuse complaints. That's a rule. But look at that e-mail address for complaints: *****@012.net.il. There's nothing in front of the '@' except for a string of "wildcard" stars, which means the e-mail address is useless. Of course, you can always simply put whatever you want in front of the '@' and send them a message: one place on the Internet shows a complaint address of Abuse@012.net associated with Goldenlines Ltd., which apparently owns the server from which the exploit came to us.
Nevertheless, they've made me curious.
Let's go back to the main DNSstuff.com page and run that IP through the "Abuse Lookup" utility, which should tell us exactly who the abuse contact is for the domain.
Oh, my. Here's what we get:
Looking up 84.94.169.156 at whois.abuse.net.
Above are the results from www.abuse.net, and are the E-mail address(es) that abuse complaints should be sent to.
See that blank little grey box? It's supposed to be filled with information, but it's not. Well, my goodness, gracious. Whoever runs this server is just making me curiouser and curiouser.
Let's go back to the main page of DNSstuff.com one more time and use the Spam database lookup utility. (See what I mean about that DNSstuff.com site? It's a candy store.) We put in the IP address and we get the results from requests made to 271 services concerning that IP. They pour out, row by row, telling whether or not the IP submitted is in their respective databases.
HEL-lo! Nine bright red rows. In other words, nine databases have that IP being listed for blocking or other action.
Decent.
The server is a swarm node. Either it's a source, or it's so weak that half the pimple-faced loser computer geek crackers hanging out at the corner of Cheetos Street & Sleep Deprivation Avenue are popping it.
And there's no e-mail address for the complaints desk. Understand that this '012 Golden Lines" claiming the IP seems to be pretty pleased with its operations. The homepage is all in Hebrew, but they do have a company profile blurb written in English. It's the usual, self-pat on the back.
That company profile page for 012 Golden Lines is not without its irony, though. After bragging about its voice over broadband (VoB), wireless public Internet access hot spots, video on demand, and other services, we get treated to a nice brag about their "...email services that include the use of a personal mailbox from any computer (webmail), anti virus, anti spam ,content filtering, surfing from anywhere in the world..."
Indeed.
So what do we do? Well, there's the InterNIC Registrar Problem Reports Webpage, but you'll notice pretty quickly that, even though they have a complaint form you can fill out, they let you know in no uncertain terms that, no matter what your problem is, it's not their problem. In fact, those cats have this little beauty of a disclaimer:
"If you have a problem with one of the registrars, you should first try to resolve it with that registrar. Contact information for the registrars is posted at http://www.internic.net/contact.html.Of course, if you can't track down the registrar, that makes their first suggestion sort of moot. And all those 'private-sector agencies involved in addressing customer complaints or governmental consumer-protection agencies'?—Uh, yeah. Sure. Find someone who cares; and when you do, let me know.
"If you cannot resolve your complaint with the registrar, you should address it to private-sector agencies involved in addressing customer complaints or governmental consumer-protection agencies. (The appropriate agency will vary depending on the jurisdiction of the registrar and the customer.)"
Okay, I shouldn't be that way. The Feds have several avenues available, but I won't give you links here. I have this thing about not being a turkey making loud turkey calls to people who might think I'm a turkey.
Don't ask me what that last paragraph meant; just leave me out of it if you're going to have law enforcement of the 21st Century be your helpmate.
In conclusion, let's run down where our little adventure got us. Ah, yes: nowhere. We know the name of the exploit that was trying to get in, and we know in a general way what it does if it makes it into a computer. We know—maybe sort of, maybe kind of—where the attack originated, but maybe we don't. In fact, to be honest, we really have no clue yet about the particulars of the festering little nodule of a human being who was responsible for launching the attack. We know that the company running the server from which the attack came our way is going to whine that there's not a damn thing man or God can do about servers being used as pass-through points for malicious Internet bogeys.
And finally, we also know that no one in the universe really cares about our tiny little problem because the Internet is an unregulatable jungle. (Note there, by the way, that I described it as 'unregulatable', not 'unregulated'.) If you were a very important person or a very reputable corporation, people would care. Law enforcement authorities tasked to cyberspace criminal exploits would work with you. But you're not that important, and neither am I.
Some of you might recall what I've said before:
I'm just a computer program waiting for deletion to be confirmed.
Protect yourself. It's really dangerous out here in the night of this new world.
The Dark Wraith now rests.
Published 9/28/2006 09:17:00 AM
<< 11 Comments Total
Let's go to one of my favorite sites, DNSstuff.com.
Fun little place there. Wish I had it several months ago when somebody was trying to nail me. The firewall back trace gave pretty detailed info on some of the IPs, but on some I got nothing but the RIPE Network like your Whois search here. Would have been interesting to use the the DNSstuff search, but unfortunatley the logs were automatically deleted. by the software after a set period.
So what good is the reverse DNS lookup?
Speaking of spambots, I see they've been active over on the Message board this morning. More target practice for you I guess.
Good evening, Dark Wraith.
You said: I'm going to over-simplify things at every turn, and I shall do so to the end of keeping at least some of you marginally interested in what could otherwise be about the most boring post this side of "Making Cracker Crumbs." To those who would flog me for making things so simple that they're downright outrageous, I say this: bite me.
Ha. Oversimplifying? That's okay. It may not have been simple enough for me. I'll read it again, though. That should help. Perhaps, I'll check those sites you've so helpfully linked to. Thank you for the explanation. It helps to make me realize what kind of mischief these spambots can get up to.
Good Lord! I haven't been doing my usual updates over at the Message Board, and look what happens!
Not to worry, though: I just went over there and tore my ass at the latest porn spammer. I just sent his Webhost a copy of the invoice along with a mention about talking to the federal 'Net Porn Nannies.
I won't direct them to my own site, obviously, but I don't have to: it looks like several of those Webcam sites are playing fast and loose with the required declarations on model ages. In fact, at least one of the sites is making an allusion to a photographer that only real (and I mean, genuine) preeeeverts would be particularly interested in.
I suppose if I'm going to live in the Age of American Christo-Fascism, I might as well make some use of it.
Now, if only I can figure out a way to make some serious coin on American Fascism, Inc. Hmm, maybe a Halliburton-style rendition service for stupid Webcam operators: make unrepentent neoconnies watch uninterrupted, wretchedly bad Webcam action.
Yeah. That might work.
The Dark Wraith sees entrepreneurial opportunities.
Dark Wraith, this is the kind of stuff I'd love to see more of here.
I still haven't found a decent, basic, easy to understand, and follow tutorial suitable for those who know nothing about the subject on getting anonymous on the web. I know that being truly anonymous is just about impossible (especially from Big Brother's all-seeing eye) but it wouldn't hurt for people who're concerned about their privacy to make a habit of minimizing their web trail. Especially during these times...
In fact, I think that everyone should get in the habit of using encryption for all of their emails. I'd do it but most of the people I send stuff to either don't want to be bothered or don't know what I'm talking about.
BTW, yeah I have DNSstuff bookmarked in my "I Spy" folder.
Good afternoon, Auntie Roo.
Rest assured that I will be providing more of these kinds of articles. I definitely want to post one on spambots very soon. They irritate me (as some people here rather suspect), and I'm taking a new approach to dealing with the trash that sets them loose.
You might recall that little dust-up over at Crooks and Liars about my post here on cookies. That phony computer expert popped up in the comments over there acting like I had no idea what I was talking about. Unfortunately, my retort (complete with the full code for one of my own cookies) didn't get posted until way down that thread, so I assess that one as a net negative on my cred.
I won't let that happen again, especially since I'm going to have to put up a post at some point wherein I shall unintentionally but totally set off a whole lot of people about W3C.
(As a warning shot, standards like what are emerging make the job of aggregating, analyzing, and acting upon staggering amounts of data—as in communications on blogs—s-o-o-o much more convenient for very concerned government agencies. Anyone want to know how excited the NSA's creepy consultants are about so-called "rdf"?)
That's okay. I'll take the heat.
The Dark Wraith adjusts his dentures to "BITE BACK" mode.
Good afternoon, Dark Wraith.
Thanks so much for this post. I've been wrestling with whether or not to comment - as you can see, common sense lost today.
It was a lot of things, but not boring. I'm a new fan of DNSstuff.com - a friend told me about the traceback feature, which I had to use earlier this week. I hope I never have to use that again.
Oh Dark One, you're alright in my book. Keep up the great work.
If I had to think about this stuff while web surfing, I'd certainly go back to reading real books made out of paper.
Get a Mac.
16 years. So far, so good.
The Dark Wraith does not even go near discussions of religious differences.
I'm curious Dark Wraith: You want us to protect ourselves from the antiviruses, trojan horses, spam, and all the other nasties that are out there on the internet--just waiting to take over our computers. My question to you is what type of software should we arm ourselves with? What is the best firewalls out here? What is the best anti-virus software? What is the best anti-spam and privacy guard software? There's a whole bunch of software out there--some good, some crap--that it is confusing to wade through for even regular computer users like myself.
What software do you like for protecting your computers?