The Five Most Popular Attacks on the Internet
Peter Mell, National Institute of Standards and Technology, Computer Security Division
Outline
- Sources of attacks and vulnerability information
- Details on the most frequently requested attacks
- Statistics on attacks available on the Internet
Web Site Resources
- Vulnerability advisories: CERT, L0pht
- Vulnerability information: Bugtraq, NTBugtraq
- Attack scripts: Rootshell, Fyodor's Playhouse
We are Measuring the Popularity of Attacks
- Rootshell makes available a CGI script that reveals the last 50 search requests made on its database of 700+ attack scripts
- We created a Perl script that harvests those search requests each hour
- Approximately 170,000 queries are made each month (our current sample size is 20% of the total: 33,000 queries)
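The harvesting method on this slide (poll a "last 50 queries" feed once an hour, then rank the terms) is easy to get wrong when consecutive polls overlap. The following is an added example written for this page, not the NIST Perl script; it assumes each snapshot lists queries oldest to newest, uses constructed sample polls, and also reproduces the slide's 20% sample-size figure from the stated 170,000 queries per month.

```python
"""Tally attack-script search terms from hourly 'last N queries' snapshots.

Added example, not the NIST Perl script from the slide. It assumes each
snapshot lists the most recent queries oldest to newest, so consecutive
hourly snapshots overlap whenever fewer than N new queries arrive in an
hour; the overlap is removed before counting so no query is tallied twice.
"""
from collections import Counter


def merge_snapshots(snapshots):
    """Concatenate snapshots, dropping the overlap between consecutive ones.

    The longest suffix of the previous snapshot that equals a prefix of the
    current one is treated as already seen. Assumption: identical runs of
    query strings are rare enough that this suffix/prefix match is reliable.
    """
    merged = []
    prev = []
    for snap in snapshots:
        overlap = 0
        for k in range(min(len(prev), len(snap)), 0, -1):
            if prev[-k:] == snap[:k]:
                overlap = k
                break
        merged.extend(snap[overlap:])
        prev = snap
    return merged


def top_terms(snapshots, n=5):
    """Most common normalised query strings across all snapshots."""
    counts = Counter(q.strip().lower() for q in merge_snapshots(snapshots))
    return counts.most_common(n)


def coverage_estimate(window, polls_per_hour, queries_per_month, hours_per_month=720):
    """Fraction of all queries an hourly poll of a size-`window` feed can see.

    Assumes queries arrive evenly. 50 queries per hourly poll against the
    slide's 170,000 queries/month gives about 0.21, the slide's 20% sample.
    """
    return min(1.0, window * polls_per_hour * hours_per_month / queries_per_month)


# Constructed sample: three "last 6 queries" polls taken an hour apart.
SAMPLE_POLLS = [
    ["teardrop", "smurf", "back orifice", "winnuke", "sendmail", "imap"],
    ["back orifice", "winnuke", "sendmail", "imap", "netbus", "smurf"],
    ["netbus", "smurf", "back orifice", "teardrop", "icq", "Back Orifice"],
]

if __name__ == "__main__":
    print(top_terms(SAMPLE_POLLS, 3))
    print(round(coverage_estimate(50, 1, 170_000), 3))
```

The overlap step matters because a feed that exposes only the last 50 requests will repeat entries across polls during quiet hours; counting the raw concatenation would inflate whichever terms happened to sit in a slow period.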
The Top 18 Search Requests (12-98)
Search Requests on OSs
Search Requests on Applications
Attacks on Applications
- ICQ: 6 exploits in the last year (spoof any ICQ user id and send people files that get stored anywhere)
- Sendmail: 11 exploits in the last year (local get root, DoS, remote control)
- imap: 8 exploits in the last year (scanners and remote get root attacks)
Manuals on performing buffer overflow attacks:
Search Requests on Attacks
Back Orifice: What Microsoft Says
"Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95 and Windows 98 users following safe computing practices are not at risk…"
According to Wired (1998-Nov-17), 79% of Australian ISPs are "infected" with Back Orifice.
Back Orifice
Author: Cult of the Dead Cow
Publish Date: Released in August 1998 at the annual DEF CON hacker convention
Summary: Remotely control Windows 95 hosts
Transmission Method: Web site downloads, ing free apps, piggybacking with "ordinary" remote exploits
Back Orifice Applications
- File System Control: Add/delete any file
- Process Control: Run/kill any process
- Registry Control: List, create, delete, and set registry keys and values
- Network Control: View all exported resources and their passwords. View and kill connections.
- Multimedia Control: Keystroke monitor. Take screen shots. Control host cameras.
- Packet Redirection: Redirect local ports to remote ports
- Packet Sniffer: Views any network packets
- Plug-in Interface: Much like Netscape plug-ins
Other Back Orifice Features
Other Features: Encrypted connections; Autonomous mode
Plug-Ins:
- Butt Trumpet: Penetration notification via
- Saran Wrap: Easily bundle BO with legitimate software
- Speakeasy: Broadcast a penetration to an IRC channel
Netbus
Similar to Back Orifice, except that anyone can log into a Netbus server.
- Start optional application
- Download/upload/delete files
- Send keystrokes and disable keys
- Record sounds from the microphone
- Go to an optional URL
- Control mouse
- Shut down Windows
- Listen to keystrokes
- Take a screendump
Teardrop
Reboots or halts Windows 95, NT and Linux using 2 fragmented packets.
[Diagram: four fragment layouts. a = bytes carried by P1, b = bytes of P2 that overlap P1, c = bytes of P2 beyond P1]
1. a a a b b c c c: P1 Offset=0, P1 End=N; P2 Offset<N, P2 End=N+M
2. a a a c c c: P1 Offset=0, P1 End=N; P2 Offset=N, P2 End=N+M
3. a a a b: P1 Offset=0, P1 End=N; P2 Offset<N, P2 End<N
4. a a a: P1 Offset=0, P1 End=N; P2 Offset=N, P2 End<N
Published before 11/14/97
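The four fragment layouts in the diagram come down to one check a reassembler must make before copying data: after trimming whatever part of P2 is already covered by P1, the remaining length has to be positive. The code below is an added example for this page, not from the slides or from any operating system's IP stack; it classifies a pair of fragments using the diagram's Offset/End values, computes that trimmed length, and shows the hardened behaviour of dropping fragments for which it is zero or negative. The sample fragments are constructed with N=3 and M=3.

```python
"""Classify how a second IP fragment sits relative to the first.

Added example, not from the slides. Offset and End are byte positions in the
reassembled datagram, as in the diagram above (P1 Offset=0, P1 End=N).
The check a reassembler needs: after trimming the part of P2 that P1 already
covers, the number of bytes left must be positive. Pairs for which it is
zero or negative are the Teardrop pattern and must be discarded rather than
copied with a negative (wrapped-around) length.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int  # first byte this fragment covers
    end: int     # one past the last byte it covers


def classify_pair(p1: Fragment, p2: Fragment) -> str:
    """Label p2 relative to p1 using the four layouts from the diagram."""
    if p2.end < p2.offset:
        return "malformed"      # layout 4: P2 Offset=N, End<N, ends before it starts
    if p2.offset > p1.end:
        return "gap"            # bytes missing between the fragments (not in the diagram)
    if p2.offset == p1.end:
        return "contiguous"     # layout 2: P2 Offset=N, End=N+M, the normal case
    if p2.end > p1.end:
        return "overlap"        # layout 1: P2 Offset<N, End=N+M, partial overlap
    return "contained"          # layout 3: P2 Offset<N, End<N, P2 lies inside P1


def trimmed_length(p1: Fragment, p2: Fragment) -> int:
    """Bytes of p2 left after discarding those p1 already covers.

    A reassembler that computes this as end minus the adjusted offset and
    hands it unchecked to a copy routine is what Teardrop exploits.
    """
    start = max(p2.offset, p1.end)
    return p2.end - start


def is_teardrop_pair(p1: Fragment, p2: Fragment) -> bool:
    """True when p2 would contribute zero or a negative number of bytes."""
    return trimmed_length(p1, p2) <= 0


def validate_fragments(fragments) -> list:
    """Walk fragments in offset order and drop any whose trimmed length is not positive.

    Returns the fragments a hardened reassembler would actually copy.
    """
    kept = []
    covered_end = 0
    for frag in sorted(fragments, key=lambda f: f.offset):
        covered = Fragment(0, covered_end)  # everything reassembled so far
        if trimmed_length(covered, frag) <= 0:
            continue  # Teardrop-style or empty fragment: discard, never memcpy
        kept.append(frag)
        covered_end = max(covered_end, frag.end)
    return kept


# Constructed sample: the diagram's four layouts with N=3, M=3.
P1 = Fragment(0, 3)
CASES = {
    "overlap": Fragment(1, 6),
    "contiguous": Fragment(3, 6),
    "contained": Fragment(1, 2),
    "malformed": Fragment(3, 2),
}

if __name__ == "__main__":
    for name, p2 in CASES.items():
        print(name, classify_pair(P1, p2), trimmed_length(P1, p2), is_teardrop_pair(P1, p2))
```

Layouts 3 and 4 are the ones that produce a negative trimmed length; layout 1 is a legitimate overlap that a reassembler can trim safely, which is why the check is on the trimmed length rather than on overlap alone.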
Smurf
Smurf freezes a target by sending it large numbers of ICMP ping packets. The attacker is not traceable, and each of the attacker's ping packets is amplified into hundreds of packets.
[Diagram: Attacker -> network that responds to broadcast pings -> Target]
Ping packets: Source: Target; Destination: Broadcast address
The target receives hundreds of packets for each of the attacker's packets.
Published before 10/13/97
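The slide describes two places where Smurf is visible: the amplifier network sees echo requests addressed to one of its broadcast addresses, and the target sees echo replies it never asked for arriving from many hosts of one network. The code below is an added example for this page, not from the slides; it runs both checks over constructed packet tuples (src, dst, ICMP type) and uses constructed local networks, which are assumptions.

```python
"""Flag ICMP echo traffic that fits the Smurf pattern described above.

Added example, not from the slides. Packets are constructed tuples
(src, dst, icmp_type) where type 8 = echo request and 0 = echo reply.
LOCAL_NETS (constructed) lists the networks this site routes for; an echo
request whose destination is one of their broadcast addresses is a directed
broadcast, which an amplifier network should drop at its border router.
"""
import ipaddress
from collections import Counter

LOCAL_NETS = [  # constructed example networks (RFC 5737 documentation ranges)
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

ECHO_REPLY, ECHO_REQUEST = 0, 8


def is_directed_broadcast(dst, nets=LOCAL_NETS):
    """True if dst is the broadcast address of one of our networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr == n.broadcast_address for n in nets)


def broadcast_pings(packets):
    """Amplifier-side symptom: echo requests aimed at a local broadcast address."""
    return [p for p in packets if p[2] == ECHO_REQUEST and is_directed_broadcast(p[1])]


def reply_flood(packets, threshold=3):
    """Target-side symptom: echo replies with no matching request, grouped by destination.

    Returns {destination: count} for destinations at or above `threshold`.
    """
    requested = {(src, dst) for src, dst, t in packets if t == ECHO_REQUEST}
    unsolicited = Counter()
    for src, dst, t in packets:
        if t == ECHO_REPLY and (dst, src) not in requested:
            unsolicited[dst] += 1
    return {dst: n for dst, n in unsolicited.items() if n >= threshold}


def amplification_factor(packets, victim):
    """Replies delivered to `victim` per echo request carrying `victim` as its spoofed source."""
    requests = sum(1 for src, dst, t in packets if t == ECHO_REQUEST and src == victim
                   and is_directed_broadcast(dst))
    replies = sum(1 for src, dst, t in packets if t == ECHO_REPLY and dst == victim)
    return replies / requests if requests else 0.0


# Constructed sample: one spoofed broadcast ping (source = victim) answered by
# three hosts, plus one ordinary ping exchange that must not be flagged.
SAMPLE = [
    ("203.0.113.9", "192.0.2.255", ECHO_REQUEST),
    ("192.0.2.10", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.11", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.12", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.10", "192.0.2.11", ECHO_REQUEST),
    ("192.0.2.11", "192.0.2.10", ECHO_REPLY),
]

if __name__ == "__main__":
    print(broadcast_pings(SAMPLE))
    print(reply_flood(SAMPLE))
    print(amplification_factor(SAMPLE, "203.0.113.9"))
```

The router-side mitigation is the same test applied inline: refuse to forward packets whose destination is a directed broadcast (on Cisco IOS, `no ip directed-broadcast` per interface; RFC 2644 made this the required default). The target-side check is useful because the target cannot see the spoofed requests at all, only the replies.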
(Win)Nuke
Winnuke crashes Windows 95/NT hosts by establishing a TCP connection and sending out-of-band data.
[Diagram: Attacker -> Target]
1. TCP connection established (port 139)
2. Send a packet of out-of-band data (e.g. send(s, str, strlen(str), MSG_OOB))
Published before 5/7/97
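MSG_OOB on a TCP socket is carried on the wire as a segment with the URG flag set and a non-zero urgent pointer, so the WinNuke pattern is detectable from the header alone: URG set on a segment to port 139. The parser below is an added example for this page, not from the slides; it decodes the fixed 20-byte TCP header with `struct`, rejects a bad data offset, and flags such segments. The sample segments are constructed in memory for the detector and are never sent.

```python
"""Parse a TCP header and flag out-of-band (URG) segments to NetBIOS port 139.

Added example, not from the slides. Only the fixed 20-byte header is
parsed (options are skipped via the data offset). The sample segments below
are constructed in memory to exercise the detector; nothing is transmitted.
"""
import struct

# src port, dst port, seq, ack, data offset/flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIHHHH")
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NETBIOS_SESSION_PORT = 139


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the TCP header at the start of `segment`; raise ValueError on a malformed one."""
    if len(segment) < TCP_HDR.size:
        raise ValueError("segment shorter than a TCP header")
    src, dst, seq, ack, off_flags, window, checksum, urgptr = TCP_HDR.unpack_from(segment)
    data_offset = (off_flags >> 12) * 4  # header length in bytes, options included
    if data_offset < TCP_HDR.size or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window, "checksum": checksum,
        "urgent_pointer": urgptr, "payload": segment[data_offset:],
    }


def is_oob_to_netbios(hdr: dict) -> bool:
    """WinNuke signature: URG set on a segment bound for the NetBIOS session port."""
    return hdr["dst_port"] == NETBIOS_SESSION_PORT and bool(hdr["flags"] & FLAG_URG)


def flag_segments(segments) -> list:
    """Indexes of segments matching the signature; unparseable segments are also flagged."""
    hits = []
    for i, seg in enumerate(segments):
        try:
            if is_oob_to_netbios(parse_tcp_header(seg)):
                hits.append(i)
        except ValueError:
            hits.append(i)
    return hits


def build_segment(src_port, dst_port, flags, payload=b"", urgptr=0) -> bytes:
    """Construct a minimal option-less segment (checksum left zero) for testing the parser."""
    off_flags = (5 << 12) | flags  # 5 x 32-bit words = 20-byte header
    return TCP_HDR.pack(src_port, dst_port, 1, 1, off_flags, 8192, 0, urgptr) + payload


# Constructed samples: a URG segment to 139, an ordinary ACK to 139, a URG segment to 80.
SAMPLES = [
    build_segment(40000, 139, FLAG_ACK | FLAG_PSH | FLAG_URG, b"x", urgptr=1),
    build_segment(40001, 139, FLAG_ACK | FLAG_PSH, b"ordinary session data"),
    build_segment(40002, 80, FLAG_ACK | FLAG_URG, b"x", urgptr=1),
]

if __name__ == "__main__":
    print(flag_segments(SAMPLES))
```

Matching on the URG bit rather than on payload content is what makes this a header-level rule: the crash did not depend on what the out-of-band byte was, only on its being delivered as urgent data to the NetBIOS session service.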
Listing of the top 20 attacks
Recommended scanning software: nmap, queso, strobe, netcat
DoS attack toolkit: targa
Statistics on attacks published on the Internet
- 37% of attacks can be launched from Windows hosts (people don't need Unix to be dangerous anymore)
- 4% of attacks compromise hosts that visit web sites (surfing the Internet is not risk free)
- 3% of attacks exploit more than one vulnerability (attack toolkits that allow children to penetrate hosts with the push of a button are becoming a reality)
- 8% are scanning tools that look for vulnerabilities (automated searching for vulnerable hosts is commonplace)
Even Firewalls, Routers, and Switches are not safe
Percent of attacks that work against:
- firewalls: 7% (no penetration attacks found)
- routers: 6% (no penetration attacks found)
Percent of attacks that penetrate:
- switches: 2% (NBase and 3Com backdoor passwords)