Information Exchange Among
FIRST members
Damir Rajnovic
<gaus@cisco.com>
Slide 1
© 2010 by FIRST.ORG, Inc.
FIRST - a global organization
Forum for Incident Response and Security Teams - FIRST
Slide 2
FIRST Vision and Mission
Vision
FIRST is a premier organization and recognized global leader in incident response.
Membership in FIRST enables incident response teams to more effectively respond
to security incidents by providing access to best practices, tools, and trusted
communication with member teams.
Mission Statement
FIRST is an international confederation of trusted computer incident response
teams who cooperatively handle computer security incidents and promote
incident prevention programs.
FIRST members develop and share technical information, tools, methodologies,
processes and best practices
FIRST encourages and promotes the development of quality security products,
policies & services
FIRST develops and promulgates best computer security practices
FIRST promotes the creation and expansion of Incident Response teams and
membership from organizations from around the world
FIRST members use their combined knowledge, skills and experience to promote a
safer and more secure global electronic environment.
Slide 3
What FIRST offers
• Training and education
• Place to meet your peers
• Trusted forum to exchange information
• Place to ask questions and be informed on what is happening
Slide 4
Reports on new malware
"Hostile" .pdf functionality observed in #3 below compliments of the Adobe 2009
Christmas "Bonus".
Drops C:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\wininit32.exe MD5: 3022d0030732ae273538def0cd32680a
Upon execution, wininit32.exe then drops:
C:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\wininit.dll
And calls home to "<host>.live-msn.net" on TCP/8080
(perhaps the MSFT folks here would like to do something about that ;) )
Fortunately, the following /32 doesn't appear to be listening on TCP/8080 right now
AS   | IP        | AS Name
4xx7 | x.y.74.24 | <REMOVED> Networks Inter-Exchange
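The report above gives a file hash, a drop path and a beacon destination. The following is an added example (not code from the original FIRST post) of turning those indicators into a sweep over connection logs. The log format and the sample lines are constructed; the domain suffix, port and MD5 are the values stated in the report.

```python
"""Sweep constructed connection-log lines for the C2 indicators in the report.

Added example, not code from the original FIRST post. The log format and the
sample lines are constructed; the indicator values come from the report above.
"""
import hashlib

# Indicators as given in the report on this slide.
C2_DOMAIN_SUFFIX = "live-msn.net"  # beacon went to "<host>.live-msn.net"
C2_PORT = 8080
DROPPED_MD5 = "3022d0030732ae273538def0cd32680a"  # wininit32.exe

# Constructed proxy log: "date time client server:port host method"
SAMPLE_LOG = """\
2010-01-15 10:01:02 10.0.0.5 203.0.113.9:8080 abc.live-msn.net CONNECT
2010-01-15 10:01:05 10.0.0.7 203.0.113.10:443 www.example.com CONNECT
2010-01-15 10:02:11 10.0.0.9 203.0.113.11:8080 notlive-msn.net CONNECT
2010-01-15 10:03:40 10.0.0.5 203.0.113.9:80 cdn.live-msn.net GET
"""


def domain_matches(host: str, suffix: str) -> bool:
    """True for the suffix itself or any subdomain of it.

    A plain endswith() check would also match "notlive-msn.net", so the
    label boundary is enforced explicitly.
    """
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def scan_log(text: str) -> list:
    """Return one hit per line whose host is under the C2 domain.

    A hit on the reported port is a probable beacon; any other port is still
    worth a look because the same infrastructure is being contacted.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # not in the constructed format; skip
        client, server, host = parts[2], parts[3], parts[4]
        _, _, port = server.rpartition(":")
        if not domain_matches(host, C2_DOMAIN_SUFFIX):
            continue
        hits.append({
            "client": client,
            "host": host,
            "port": int(port),
            "verdict": "beacon" if int(port) == C2_PORT else "domain-only",
        })
    return hits


def is_dropper(data: bytes) -> bool:
    """Compare a file's MD5 against the reported hash of wininit32.exe."""
    return hashlib.md5(data).hexdigest() == DROPPED_MD5


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The suffix check is the part that usually goes wrong in hurried IOC scripts: the report names a wildcard host under live-msn.net, and a bare endswith() would also flag an unrelated notlive-msn.net. The hash check is there for the host-side sweep of the drop path; an MD5 match is a strong indicator, a miss is not a clean bill of health, since the dropper is trivially repacked.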
Slide 5
Phishing attacks
Subject: Sustained large scale phishing attack now using VOIP
Hi first-teams,
Just a heads up on some ongoing, and now increasing, activity we are seeing
here. There has been a sustained phishing attack against <COUNTRY>
largest bank (The Bank) which has reached some pretty impressive
(depressing?) levels for the past few weeks. Some stats given to us on the
numbers seen:
"So actually in the last 7 days we've received approx 71 000 emails for
The Bank phishing (out of approx 238 000 spams at that level). So about 30% of
all spams coming in at that level of detection are The Bank phishers!"
Slide 6
DNS Amplification
This morning we've seen quite an uptick in DNS amplification attacks to open recursive
resolvers (sigh) using the TXT records from <site>.info. Those of you who have
technology to look for that in packets may want to have a peek. ;-)
2009-04-DD HH:53:58.506 UTC+0200 is the start time here -- out of curiosity can you
share the (presumably spoofed) IP address which was making the queries and thus
getting the packet love? I'd like to check our own data to see if the attack passed
through here as well.
Slide 7
DNS Attacks
We see these queries beginning on or about 2009-03-DD HH:09:23 UTC. At that time,
the TXT RR was:
aaaaaa….aaaaaaaaaaabbbbb….bbbbbbbbbbbbbcccccc….ccccccccccccc
On or about 2009-04-DD HH:00:08 UTC the TXT RR changes to: <host1>.net
Note that <host2>.info is an alias for <host>.net. We've not yet identified the malware
responsible for the queries.
Note that the IP to which both <host2>.info and <host>.net resolve, x.y.47.91, has
hosted badness in the past. This may not be related, of course.
AS   | IP        | BGP Prefix | CC | Registry | Allocated  | AS Name
3xx6 | x.y.47.91 | x.y.0.0/18 | US | arin     | 2006-08-25 | <removed>
2009-02-DD HH:14:57 UTC x.y.47.91 TCP 80 httpbot www.<host>.info
[ ... ]
2009-03-DD HH:09:03 UTC x.y.47.91 TCP 80 httpbot www.<host>.info
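Slides 7 and 8 describe the mechanism: a spoofed query for a large TXT record at an open recursive resolver, whose answer lands on the victim. The following added example (not code from the original posts) builds the query and the response in DNS wire format and computes the amplification factor. The name example.info and the 1200-byte payload are constructed stand-ins for the <site>.info record and the "aaaa…bbbb…cccc" TXT string on the slides.

```python
"""Build a DNS TXT query and its response on the wire and compute the
amplification factor. Added example, not part of the original FIRST posts;
the name example.info and the 1200-byte TXT payload are constructed
stand-ins for the <site>.info record described on the slides.
"""
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1

# Constructed stand-in for the "aaaa...bbbb...cccc" record seen in the attack.
SAMPLE_TXT = "a" * 400 + "b" * 400 + "c" * 400


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """Recursion-desired TXT query with an EDNS0 OPT record.

    Without EDNS0 the resolver would truncate the answer at 512 bytes, which is
    why amplification attacks advertise a large UDP payload size.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 additional RR
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)  # root name, OPT, size
    return header + question + opt


def txt_rdata(text: str) -> bytes:
    """TXT RDATA is a sequence of <len><chars> strings of at most 255 bytes each."""
    data = text.encode("ascii")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def decode_txt_strings(rdata: bytes) -> list:
    """Inverse of txt_rdata(); useful when inspecting captured responses."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return out


def build_txt_response(name: str, text: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Answer with one TXT RR; the owner name is a compression pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = txt_rdata(text)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def amplification(name: str, text: str) -> tuple:
    """(query bytes, response bytes, bytes out per byte in) at the DNS layer."""
    q, r = build_query(name), build_txt_response(name, text)
    return len(q), len(r), len(r) / len(q)


if __name__ == "__main__":
    qlen, rlen, ratio = amplification("example.info", SAMPLE_TXT)
    print(f"query {qlen} bytes, response {rlen} bytes, x{ratio:.1f}")
```

With the constructed record, 41 bytes of query become 1247 bytes of response, roughly 30x before counting the IP and UDP headers. Because the query's source address is spoofed, the attacker pays only the 41 bytes and the resolver delivers the rest to the victim; the check a resolver operator wants is whether the server answers recursive queries from addresses outside its own customer ranges at all.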
Slide 8
Suspicious packets
HH:57:25.033496 42:74:21:74:0:21 0:1:2:da:a2:8e 8100 64: 802.1Q vlan#993 P0
255.255.255.255.80 > x.y.92.64.5786: R [tcp sum ok] 0:0(0) ack 1157431297 win 0 (ttl 239, id 44289, len 40)
0x0000:  03e1 0800 4500 0028 ad01 0000 ef06 f5ac  ....E..(........
0x0010:  ffff ffff xxyy 5c40 0050 169a 0000 0000  ......\@.P......
0x0020:  44fd 0001 5014 0000 2ac7 0000 8dec 7085  D...P...*.....p.
0x0030:  5a9f                                     Z.

16:57:27.331273 42:74:21:74:0:21 0:1:2:da:a2:8e 8100 64: 802.1Q vlan#993 P0
255.255.255.255.80 > x.y.88.203.27866: R [tcp sum ok] 0:0(0) ack 315752449 win 0 (ttl 49, id 5565, len 40)
0x0000:  03e1 0800 4500 0028 15bd 0000 3106 4e67  ....E..(....1.Ng
0x0010:  ffff ffff xxyy 58cb 0050 6cda 0000 0000  ......X..Pl.....
0x0020:  12d2 0001 5014 0000 0a27 0000 e301 0000  ....P....'......
0x0030:  0054                                     .T
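The two frames above are worth decoding by hand once, because the tcpdump summary line hides what makes them odd. The following is an added example (not code from the original post) that parses the hex dump as printed and lists the anomalies. The slide anonymises the second pair of destination octets as "xxyy"; the copy embedded below substitutes "0a00" so the bytes parse, which also means the IP and TCP checksums cannot be checked here.

```python
"""Decode the tcpdump hex of the two suspicious frames above and explain what
is odd about them. Added example, not part of the original post. The dump on
the slide anonymises the second destination octet pair as "xxyy"; the copy
below substitutes "0a00" (10.0.x.x) so the bytes parse, which also means the
IP/TCP checksums cannot be verified here.
"""
import struct

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
                  0x10: "ACK", 0x20: "URG"}

# Hex as printed on the slide, with xxyy -> 0a00 (constructed substitution).
FRAME_1 = """
0x0000:  03e1 0800 4500 0028 ad01 0000 ef06 f5ac
0x0010:  ffff ffff 0a00 5c40 0050 169a 0000 0000
0x0020:  44fd 0001 5014 0000 2ac7 0000 8dec 7085
0x0030:  5a9f
"""
FRAME_2 = """
0x0000:  03e1 0800 4500 0028 15bd 0000 3106 4e67
0x0010:  ffff ffff 0a00 58cb 0050 6cda 0000 0000
0x0020:  12d2 0001 5014 0000 0a27 0000 e301 0000
0x0030:  0054
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex words that follow each 'offset:' prefix."""
    words = []
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")
        words.extend(rest.split())
    return bytes.fromhex("".join(words))


def parse_frame(dump: str) -> dict:
    """The dump starts at the 802.1Q TCI (2 bytes) and EtherType (2 bytes),
    then the IPv4 and TCP headers. Bytes beyond the IP total length are
    frame padding and are ignored."""
    raw = hexdump_to_bytes(dump)
    tci, ethertype = struct.unpack("!HH", raw[:4])
    ip = raw[4:]
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ethertype != 0x0800 or ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP frame")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win, _tsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    flags = {name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit}
    return {
        "vlan": tci & 0x0FFF,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "id": ident, "ip_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "win": win,
    }


def why_suspicious(pkt: dict) -> list:
    """Heuristics a responder would apply to these frames."""
    reasons = []
    if pkt["src"] == "255.255.255.255":
        reasons.append("source is the limited-broadcast address, never a valid TCP peer")
    if pkt["flags"] == {"RST", "ACK"} and pkt["seq"] == 0:
        # RFC 793, CLOSED state: an unsolicited SYN is answered with
        # <SEQ=0><ACK=SEG.SEQ+1><CTL=RST,ACK>. So the receiver of this frame was
        # the (real or spoofed) source of a SYN to 255.255.255.255:80.
        reasons.append("RST/ACK with seq 0: the reply a closed port sends to an unsolicited SYN")
    return reasons


if __name__ == "__main__":
    for frame in (FRAME_1, FRAME_2):
        pkt = parse_frame(frame)
        print(pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"], sorted(pkt["flags"]))
        for reason in why_suspicious(pkt):
            print("  -", reason)
```

The decoded fields (id 44289 and 5565, TTL 239 and 49, ack 1157431297 and 315752449) agree with tcpdump's summary, which is the sanity check on the parser. The two TTLs differ by a wide margin, so these are two different stacks, each answering with the broadcast address as its source: the shape of reset traffic provoked by SYNs sent to 255.255.255.255:80, whether from the hosts named as destinations or from something spoofing them.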
Slide 9
Abused proxies
Next, is a list of 3,434 abused proxies sorted by ASN. These have been supposedly
verified in the last 3 days. Please take the time to look for your ASN and also at the
end for MultipleOrigin entries:
AS | IP:PORT
X  | x.y.249.2:80
X  | x.y.249.34:80
X  | x.y.255.7:8080
Y  | x.y.0.190:3128
Y  | x.y.2.87:80
Slide 10
Denial-of-Service attacks
Subject: 6GB-20GB DDOS attack heading near you! 122k attacking IPs, please read
[....]
Each day, at around the same time, several DNS TXT queries are sent to a
series of 122,000 DNS servers (up from 87,000 a few days ago, and 55,000
at last count from <PROVIDER>).
[....]
The sources are always spoofed and are varying from day to day. The
latest sources were primarily within the following prefixes:
x.y.64.0/24
x.y.81.0/24
….
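The post above is addressed to the operators whose DNS servers are being used as reflectors; for them, the attack looks like a burst of TXT queries for one name, arriving from addresses that walk through a few /24s. The following added example (not code from the original post) is a resolver-side detector over query-log lines. The lines are constructed in a BIND-style query-log layout, example.info stands in for the <site>.info name, and the thresholds are assumptions to be tuned per resolver.

```python
"""Resolver-side detector for the spoofed-source TXT query floods described
above. Added example, not part of the original post. Log lines are constructed
in a BIND-style query-log layout; the name example.info stands in for the
<site>.info record, and the thresholds are assumptions to tune per resolver.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Assumed thresholds: a /24 that sends this many TXT queries for one name,
# from this many distinct addresses, is being spoofed into a reflection attack.
MIN_QUERIES = 50
MIN_DISTINCT_SOURCES = 20


def constructed_log() -> str:
    """60 TXT queries for example.info from 60 addresses in 192.0.2.0/24,
    plus a few ordinary A queries from a single host (all constructed)."""
    lines = []
    for i in range(1, 61):
        lines.append(f"15-Apr-2009 07:00:{i % 60:02d}.000 client 192.0.2.{i}#{1024 + i}: "
                     f"query: example.info IN TXT +E (192.0.2.53)")
    for i in range(3):
        lines.append(f"15-Apr-2009 07:01:0{i}.000 client 198.51.100.7#5353{i}: "
                     f"query: www.example.com IN A + (192.0.2.53)")
    return "\n".join(lines)


def find_reflection_sources(log: str, prefixlen: int = 24) -> list:
    """Group TXT queries by (qname, source prefix) and flag prefixes whose
    query count and distinct-address count both exceed the thresholds.

    Spoofed sources typically walk a whole prefix, which is why the distinct
    count matters: one chatty host is a misconfiguration, sixty is a flood.
    """
    buckets = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] != "TXT":
            continue
        net = ipaddress.ip_network(f"{m['src']}/{prefixlen}", strict=False)
        buckets[(m["qname"], str(net))].append(m["src"])
    alerts = []
    for (qname, prefix), sources in buckets.items():
        distinct = len(set(sources))
        if len(sources) >= MIN_QUERIES and distinct >= MIN_DISTINCT_SOURCES:
            alerts.append({"qname": qname, "prefix": prefix,
                           "queries": len(sources), "distinct_sources": distinct})
    return sorted(alerts, key=lambda a: -a["queries"])


if __name__ == "__main__":
    for alert in find_reflection_sources(constructed_log()):
        print(alert)
```

The prefixes the detector reports are the victim's, not the attacker's: the post says so explicitly, and blocking them would complete the denial of service. The useful outputs are the queried name, which can be rate-limited or refused, and the evidence that the resolver answers recursive queries for addresses it has no business serving.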
Slide 11