Anatomy of a Cyber-Attack
Security rule- Default Block NetBus Trojan horse
Time- 2:28 PM
File name- N/A
Local address- XX.XX.XX.XXX [IP redacted for privacy]
Local port- NetBus (12345)
Remote address- 220.127.116.11
Remote port- 3520
It's small-time stuff: somewhat amateurish. The NetBus Trojan is too famous for its own good. Sort of like Rush Limbaugh trying to be anonymous at a Vegas brothel. He might be able to get away with it in the Dominican Republic, but not in the good ol' Hew Hess Hay (not that Mr. Limbaugh would do such nasty things anywhere in the world, of course).
I'm rather fragile about cyber-attacks in general, and since the brutal episode last week (wherein the firewall on my server got hacked and one of my own IPs was installed as a bogey) I've gotten downright bitchy. I'm going to take you on a brief educational lesson in cyber-sleuthing. I'm going to over-simplify things at every turn, and I shall do so to the end of keeping at least some of you marginally interested in what could otherwise be about the most boring post this side of "Making Cracker Crumbs." To those who would flog me for making things so simple that they're downright outrageous, I say this: bite me.
NetBus Trojan-type stuff is easily smacked down by any decent antivirus program. Anyone stupid enough to be on the internets these days without layers of shields deserves what happens. NetBus Trojan takes control of certain functions on your computer and makes them respond to a remote client's commands. In other words, your computer becomes what we call a "zombie."
Anyone who's seen Night of the Living Dead knows that being a zombie sucks big time, and the situation isn't any better for a computer: you end up doing all manner of things you really wouldn't want to do were you still to have a soul within your meat bag. A zombie computer can pump out thousands of spam e-mails every day, it can launch spambots that post links to casinos and porn sites on hapless blogs, or it can participate in distributed denial of service attacks wherein a whole bunch of computers simultaneously flood a server with little packets of data, thereby overwhelming and thus shutting down the victimized machine. Like I said, being a zombie sucks big time.
NetBus Trojan is lame, and so is the little dweeb who uses it for an attack.
So, now, let's get down to the fun part. Who was behind this little gambit? The key is in that "Remote address" line above. That string of numbers is a "dotted quad," or in more modern terms, an "IP address," a unique identifier of a machine. The problem is that most of you readers will have direct IPs, which means I can track you down very easily if I must; but if you're running through a "proxy server," I'm going to end up tracking you down to some weird place in the middle of nowhere. And if you're doing things to really cover your tracks, you're going to be using some program or service that will run you through all kinds of hand-offs that will make my job of finding you a total nightmare. I'll be chasing you down through "onion servers," academic racks, miserably weak Chinese computers, and pathetically out-of-date Eastern European clunkers, all to the final end of coming up bupkis.
I might try to contact the techs at some of these intermediate IP switching places, and they'll tell me that there's not a thing on Earth they can do to help me out: being on or even near the backbone means getting a zillion pounds of traffic hopping through on its way from one place to another, and no one can do anything about one lousy burst of packets popping in for an IP freshener.
Welcome to the Age of Anonymity... provided, of course, you know how to play the game (and like Hell I'm going to explain here how easy it is to play the game).
So that "Remote (IP) address" above is useless, right? Ah, not so fast. Remember that above I used the term "somewhat amateurish" to describe this attack? Well, here's why.
Let's run a WHOIS on that IP. First, let's try ARIN WHOIS. This is what we get:
OrgName: RIPE Network Coordination Centre
Address: P.O. Box 10096
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
If that data above looks like hogwash, you're smarter than you think you are about this kind of stuff. Yes, that search did nothing but take us to a bunch of nameservers we'd probably end up chasing down to get even more information that didn't tell us much of anything. We got bupkis. (We really didn't, but life is short, and there should be a quicker way to get some gold.)
Let's try again. Let's go to one of my favorite sites, DNSstuff.com. This place is like a candy store for the cyber-sleuth. It's not the best, but it's really user friendly compared to some other tracking sites.
Let's run that IP through the "WHOIS Lookup" utility. Here's the output, with some of the boilerplate stuff removed:
% Information related to '126.96.36.199 - 188.8.131.52'
inetnum: 184.108.40.206 - 220.127.116.11
descr: Please Send Abuse/SPAM complaints To *****@012.net.il
status: ASSIGNED PA
changed: ***@linux.goldenlines.net.il 20060605
role: DNS REG
remarks: Goldenlines DNS Registration and LIR
address: Hasivim 25 Petach-Tikva,Israel
changed: ***@linux.goldenlines.net.il 20060921
% Information related to '18.104.22.168/24AS9116'
descr: Golden Lines
changed: ***@linux.goldenlines.net.il 20050607
Oooo! Paydirt! The jerk came out of Tel Aviv! And it looks like some cable TV company that has a cable modem service, or at least something like that.
Oh, but maybe not. Recall that I told you above that the bogeys bounce around the world on "hops," picking up the IP addresses of hapless, innocent servers. This IP address in Tel Aviv, Israel, might belong to nothing more than a server that was on a hop the bogey did.
Darn it! That was almost exciting. Again, though, we got nothing.
Or did we? Let's go back to that screen and have a closer look.
Check out the line that reads,
"descr: Please Send Abuse/SPAM complaints To *****@012.net.il"
and think about it for a second. Every server has to provide a contact for abuse complaints. That's a rule. But look at that e-mail address for complaints: *****@012.net.il. There's nothing in front of the '@' except for a string of "wildcard" stars, which means the e-mail address is useless. Of course, you can always simply put whatever you want in front of the '@' and send them a message: one place on the Internet shows a complaint address of Abuse@012.net associated with Goldenlines Ltd., which apparently owns the server from which the exploit came to us.
Nevertheless, they've made me curious.
Let's go back to the main DNSstuff.com page and run that IP through the "Abuse Lookup" utility, which should tell us exactly who the abuse contact is for the domain.
Oh, my. Here's what we get:
Looking up 22.214.171.124 at whois.abuse.net.
Above are the results from www.abuse.net, and are the E-mail address(es) that abuse complaints should be sent to.
See that blank little grey box? It's supposed to be filled with information, but it's not. Well, my goodness, gracious. Whoever runs this server is just making me curiouser and curiouser.
Let's go back to the main page of DNSstuff.com one more time and use the Spam database lookup utility. (See what I mean about that DNSstuff.com site? It's a candy store.) We put in the IP address and we get the results from requests made to 271 services concerning that IP. They pour out, row by row, telling whether or not the IP submitted is in their respective databases.
HEL-lo! Nine bright red rows. In other words, nine databases have that IP being listed for blocking or other action.
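The triage steps above (read the WHOIS record, find a usable abuse contact, check the IP against a DNS blocklist) as an added Python example; this is not code from the original post or from DNSstuff.com. The WHOIS text is a constructed sample modelled on the RIPE record shown above, and the blocklist zone name is an assumption.

```python
import ipaddress
import re
import socket

# Constructed sample modelled on the RIPE record shown above (not a live query).
SAMPLE_WHOIS = """\
% Information related to '184.108.40.206 - 220.127.116.11'
inetnum:  184.108.40.206 - 220.127.116.11
descr:    Please Send Abuse/SPAM complaints To *****@012.net.il
changed:  ***@linux.goldenlines.net.il 20060605
address:  Hasivim 25 Petach-Tikva,Israel
"""
EMAIL_RE = re.compile(r"[\w.*+-]+@[\w.-]+\.[a-z]{2,}", re.I)

def parse_whois(text):
    """'key: value' WHOIS text -> {key: [values]}; '%'/'#' comments skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def abuse_contacts(fields):
    """Usable e-mail addresses from any field; local parts masked with '*' are dropped."""
    found = set()
    for values in fields.values():
        for value in values:
            for addr in EMAIL_RE.findall(value):
                if set(addr.split("@", 1)[0]) != {"*"}:
                    found.add(addr)
    return sorted(found)

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: IPv4 octets reversed, zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_listed(ip, zone):
    """True if the zone answers with an A record (listed); zone name is an assumption."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False
```

Run against the sample, abuse_contacts() comes back empty, which is exactly the dead end the post describes; dnsbl_listed() needs network access and is the only function that talks to the outside world.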
The server is a swarm node. Either it's a source, or it's so weak that half the pimple-faced loser computer geek crackers hanging out at the corner of Cheetos Street & Sleep Deprivation Avenue are popping it.
And there's no e-mail address for the complaints desk. Understand that this "012 Golden Lines" claiming the IP seems to be pretty pleased with its operations. The homepage is all in Hebrew, but they do have a company profile blurb written in English. It's the usual, self-pat on the back.
That company profile page for 012 Golden Lines is not without its irony, though. After bragging about its voice over broadband (VoB), wireless public Internet access hot spots, video on demand, and other services, we get treated to a nice brag about their "...email services that include the use of a personal mailbox from any computer (webmail), anti virus, anti spam ,content filtering, surfing from anywhere in the world..."
So what do we do? Well, there's the InterNIC Registrar Problem Reports Webpage, but you'll notice pretty quickly that, even though they have a complaint form you can fill out, they let you know in no uncertain terms that, no matter what your problem is, it's not their problem. In fact, those cats have this little beauty of a disclaimer:
"If you have a problem with one of the registrars, you should first try to resolve it with that registrar. Contact information for the registrars is posted at http://www.internic.net/contact.html.
"If you cannot resolve your complaint with the registrar, you should address it to private-sector agencies involved in addressing customer complaints or governmental consumer-protection agencies. (The appropriate agency will vary depending on the jurisdiction of the registrar and the customer.)"
Of course, if you can't track down the registrar, that makes their first suggestion sort of moot. And all those 'private-sector agencies involved in addressing customer complaints or governmental consumer-protection agencies'? Uh, yeah. Sure. Find someone who cares; and when you do, let me know.
Okay, I shouldn't be that way. The Feds have several avenues available, but I won't give you links here. I have this thing about not being a turkey making loud turkey calls to people who might think I'm a turkey.
Don't ask me what that last paragraph meant; just leave me out of it if you're going to have law enforcement of the 21st Century be your helpmate.
In conclusion, let's run down where our little adventure got us. Ah, yes: nowhere. We know the name of the exploit that was trying to get in, and we know in a general way what it does if it makes it into a computer. We know (maybe sort of, maybe kind of) where the attack originated, but maybe we don't. In fact, to be honest, we really have no clue yet about the particulars of the festering little nodule of a human being who was responsible for launching the attack. We know that the company running the server from which the attack came our way is going to whine that there's not a damn thing man or God can do about servers being used as pass-through points for malicious Internet bogeys.
And finally, we also know that no one in the universe really cares about our tiny little problem because the Internet is an unregulatable jungle. (Note there, by the way, that I described it as 'unregulatable', not 'unregulated'.) If you were a very important person or a very reputable corporation, people would care. Law enforcement authorities tasked to cyberspace criminal exploits would work with you. But you're not that important, and neither am I.
Some of you might recall what I've said before:
I'm just a computer program waiting for deletion to be confirmed.
Protect yourself. It's really dangerous out here in the night of this new world.
The Dark Wraith now rests.