Fighting Zombies with FastNMAP Plus Other Tools for the Toolbox
Infragard, Friday, July 23, 2010
Brian Allen, CISSP, ballen@wustl.edu
Network Security Analyst, Washington University in St. Louis
http://nso.wustl.edu/

Washington University in St. Louis, MO
• Private University Founded in 1853
• 3,000+ Full Time and Adjunct Faculty
• 13,000+ Full and Part Time Students
• 13,000+ Employees
• 4000+ Students Living on Campus

Decentralized Campus Network
(Diagram; labels shown: Internet, NSS, NSO, Business School, Law School, Arts & Sciences, Medical School, Library, Social Work, Art & Architecture, Engineering School)
NSS = Network Services and Support
NSO = Network Security Office

Today’s Discussion Items
• Proactive Tools:
– Nmap: Scan every IP, every port, once per month
– Google Alerts
• Reactive Tools:
– Malware analysis tools like VirusTotal
– Anti-virus scanners like Malwarebytes
– System tools like the Sysinternals Suite
• Highlighted Malware:
– Zeus

Some NMAP Benefits
• NMAP is the top pick because it:
– Finds backdoors, FTP servers, open proxies, rogue access points, etc.
– Can identify many running services, like Apache servers, IIS 5.0, or RealVNC
– Has an extensive series of scripts available, similar to Nessus or Metasploit
– Is open source

NMAP Downsides
• NMAP has trouble scanning more than a few hosts or small subnets at a time:
– It returns too much data to reasonably wade through
– It has performance issues scanning large networks

Solution: FastNMAP and NPWN
• Developed by Brandon Enright, UC San Diego
• http://sourceforge.net/projects/npwn
• FastNMAP runs NMAP in a way that is optimized for scanning large networks
• NPWN is a tool that reads in large FastNMAP reports and quickly highlights important items

Potential Pitfalls of Scanning
• Pick a reasonable period to scan: 1 week < X < a couple of months
• Identify devices with problems, exclude them, work to fix them
– A switch’s one-minute heartbeat was missed, and the school’s network engineers were paged
– A KVM switch hung
– It was old and needed to be updated; after that it handled the scan fine

NMAP Scripting Engine
• I kept 92 NSE scripts like:
– "dns-recursion.nse"
– "http-headers.nse"
– "imap-capabilities.nse"
– "irc-info.nse"
– "p2p-conficker.nse"
– "smb-enum-users.nse"
– "ssl-cert.nse"
• I removed all the brute force ones, plus others like:
– "smb-check-vulns.nse"
– "smb-brute.nse"

FastNMAP Command
# nmap -sL -n 128.252.0.0/16 | egrep '^Nmap scan' | awk '{print $5}' | ./fastnmap.pl

NPWN Command
# ./npwn.pl -x -s 7 -d ./log/

FastNMAP.pl Status Update
• Took three days to scan the /16 network (65000+ IPs)
• Much of the campus sits behind firewalls
• Can only scan the MedSchool’s 93 /24 subnets once per month
• Am not scanning any of our private IP space (student subnets, wireless, etc.)
• Usually find about 3000 IP addresses online

Some Interesting Npwn Tags
NPWN TAG               Severity
[VNCAUTHBYPASS]        {10}
[BACKDOOR]             {10}
[IMAPWEAKAUTHNOSSL]    {7}
[POP3WEAKAUTHNOSSL]    {7}
[NOPASSWD]             {7}
[OPENX11]              {7}
[SERV-U]               {6}
[OLD_MSFTP]            {4}
[SSLCERT_WILDCARD]     {4}
[NSFTP]                {3}

Virus Total
• A very nice site to upload suspicious malware
• Checks the malware against nearly all AV products (39 at last count)
• Delivers a report in minutes
• Plus, if the malware is new, it will be shared with AV vendors

Google Alerts
• Another valuable proactive tool
• Find hacked PHP web applications, abused world-writable calendars, etc.
• Spammers will find all of these and use them to promote their spam enterprises
• Google Alerts will send you an email letting you know when it finds whatever you want to search for.

Sysinternals Tools (Windows)
• Process Explorer
• Autoruns
• Process Monitor
• PSTools
• TCPView
• RootkitRevealer

MalwareBytes
• Fake Anti-virus Malware is common now
• I have had bad luck trying to clean it by hand
• I have had users on campus, plus reports from other security folks, say that Malwarebytes is a good tool to combat Fake Antivirus infections.
• Best solution is to wipe the OS and start over

Zeus
• A Few Notable Zeus Attacks from the Past Year
• Bullitt County, Kentucky: July 2009 – $415,000
– http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
– http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html
• Western Beaver School District, PA: Jan 2009 – $219,000
– http://www.courier-journal.com/blogs/bullitt/2009/07/bullitt-not-alone-in-online-thefts.html
• Duanesburg Central School District, NY: Jan 2010 – $3 Million
– http://www.duanesburg.org/news/0910/cybercrime.htm

How Zeus Works
1. Hackers send phishing emails with a link that downloads the Zeus bot to the victim’s computer
2. The Zeus bot has a keylogger which captures the victim’s bank credentials
3. The criminal logs in to the bank’s website using that information and transfers money to the "Customer Service Specialist", AKA the Money Mule
4. The Mule then receives instructions on how to wire the money internationally, keeping a generous commission (money stolen from someone else’s bank account!) for themselves

Zeus Facts
• 3.6 Million bots in the US as of late 2009
– http://www.networkworld.com/news/2009/072209-botnets.html
• For computers with up-to-date AV, 55% were still infected by Zeus
– http://www.trusteer.com/files/Zeus_and_Antivirus.pdf
• Sold on the Underground Economy and Used by Criminal Organizations

What Can Zeus Do?
• Keylogger is activated
• Replaces the web form on a search page:
– Asks for card numbers, PIN numbers, SSNs, answers to security questions, etc.
• Real-time screenshots can be taken
• It can “phone home” and update itself
• It can KOS! (Kill the OS) http://www.abuse.ch/?p=1327

Any Questions?
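The FastNMAP command on the earlier slide builds its target list with `nmap -sL -n ... | egrep '^Nmap scan' | awk '{print $5}'`. The example below, added here and not part of the talk or of the npwn project, does the same extraction in Python and adds the two things the "Potential Pitfalls" slide asks for: an exclusion list for devices known to misbehave under scanning (the hung KVM switch), and batching so a /16 can be fed to the scanner in manageable pieces. The `nmap -sL` output is a constructed sample; the hostname on its last line shows why the slide's `-n` flag matters, since without it the fifth field is a hostname rather than an address.

```python
"""Build a FastNMAP-style target list from `nmap -sL` output.

Added example; mirrors the slide's pipeline
    nmap -sL -n <net> | egrep '^Nmap scan' | awk '{print $5}'
and adds an exclusion list plus batching.  Not code from the talk or from
fastnmap.pl / npwn.pl.
"""
import ipaddress
import re

# Constructed sample of `nmap -sL` output.  The fourth host shows what nmap
# prints when reverse DNS is allowed (no -n): "hostname (ip)".  awk's $5 is
# then the hostname, which is the pitfall the -n flag on the slide avoids.
SAMPLE_NMAP_SL = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-23 09:00 CDT
Nmap scan report for 128.252.0.1
Nmap scan report for 128.252.0.2
Nmap scan report for 128.252.0.3
Nmap scan report for kvm-old.example.edu (128.252.0.4)
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.01 seconds
"""

# Matches both "Nmap scan report for 1.2.3.4" and
# "Nmap scan report for host (1.2.3.4)"; the address is always group 2.
SCAN_LINE = re.compile(
    r"^Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$"
)


def naive_field5(text):
    """What `egrep '^Nmap scan' | awk '{print $5}'` yields, field for field.

    Correct with -n; without -n it returns hostnames for resolvable hosts.
    """
    return [line.split()[4] for line in text.splitlines()
            if line.startswith("Nmap scan")]


def targets_from_list_scan(text):
    """Return the IP addresses named in `nmap -sL` output, in order."""
    targets = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            targets.append(m.group(2))
    return targets


def apply_exclusions(targets, exclusions):
    """Drop addresses covered by an exclusion list of IPs or CIDR blocks.

    This is the "identify devices with problems, exclude them" step from
    the slide; the hung KVM switch would go on this list until it is fixed.
    """
    nets = [ipaddress.ip_network(x, strict=False) for x in exclusions]
    return [ip for ip in targets
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def batches(targets, size):
    """Split the target list into fixed-size chunks for the scanner."""
    return [targets[i:i + size] for i in range(0, len(targets), size)]


if __name__ == "__main__":
    # Hypothetical exclusion: the old KVM switch from the pitfalls slide.
    live = apply_exclusions(targets_from_list_scan(SAMPLE_NMAP_SL),
                            ["128.252.0.4"])
    for n, chunk in enumerate(batches(live, 2), 1):
        print(f"batch {n}: {' '.join(chunk)}")
```

Feed each batch to the scanner as its own target file; keeping the exclusion list in version control alongside the scan logs makes it easy to see which devices were skipped in a given month and why.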
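The "Some Interesting Npwn Tags" slide shows the kind of output NPWN produces: a tag and a severity per finding, so a three-day /16 scan collapses into a short list worth a human's time. The example below, added here and not the npwn.pl code, shows the shape of that triage in Python. It parses nmap's normal output host by host, applies a few rules and prints `[TAG] {severity}` lines, worst first, with an optional minimum severity. The tag names and severity numbers are the ones on the slide; the matching conditions are my own simplified heuristics (an open X11 service, a wildcard certificate from the ssl-cert script, a Microsoft FTP version pattern held in a placeholder regex), not NPWN's actual rules, and the nmap report is a constructed sample.

```python
"""NPWN-style triage of a large nmap report.

Added example, not npwn.pl.  Tag names and severities come from the talk's
"Some Interesting Npwn Tags" slide; the matching rules are simplified
heuristics of my own.
"""
import re
from collections import defaultdict

# Constructed sample in nmap "normal" output format (three hosts).
SAMPLE_REPORT = """\
Nmap scan report for 128.252.10.5
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      Microsoft ftpd 5.0
443/tcp  open  ssl/http Apache httpd
| ssl-cert: Subject: commonName=*.example.edu/organizationName=Example
|_Not valid after: 2011-01-01

Nmap scan report for 128.252.10.9
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 5.3
6000/tcp open  X11

Nmap scan report for 128.252.10.12
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")   # NSE script output lines


def parse_report(text):
    """Return {ip: [port dicts]}; each port dict carries its NSE script lines."""
    hosts = defaultdict(list)
    ip, current = None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, current = m.group(1), None
            hosts[ip]                      # register hosts with no open ports too
            continue
        m = PORT_RE.match(line)
        if m and ip is not None:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5), "scripts": []}
            hosts[ip].append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current["scripts"].append(m.group(1))
    return dict(hosts)


# Matching rules (simplified heuristics, not NPWN's).  Severity from the slide.
def rule_openx11(p):
    return p["state"] == "open" and p["service"].lower() == "x11"


def rule_sslcert_wildcard(p):
    return any(re.search(r"commonName=\*\.", s) for s in p["scripts"])


# Placeholder version pattern: which Microsoft FTP builds count as "old"
# is the operator's call, so adjust this regex to local policy.
OLD_MSFTP_VERSION = re.compile(r"Microsoft ftpd 5\.")


def rule_old_msftp(p):
    return p["service"] == "ftp" and OLD_MSFTP_VERSION.search(p["version"]) is not None


RULES = [
    ("OPENX11", 7, rule_openx11),
    ("OLD_MSFTP", 4, rule_old_msftp),
    ("SSLCERT_WILDCARD", 4, rule_sslcert_wildcard),
]


def tag_hosts(hosts, min_severity=0):
    """Return (severity, tag, ip, port) tuples at or above min_severity, worst first."""
    found = []
    for ip, ports in hosts.items():
        for p in ports:
            for tag, severity, matches in RULES:
                if severity >= min_severity and matches(p):
                    found.append((severity, tag, ip, p["port"]))
    return sorted(found, key=lambda t: (-t[0], t[2], t[3]))


def triage(text, min_severity=0):
    """Parse a report and tag it in one call."""
    return tag_hosts(parse_report(text), min_severity)


if __name__ == "__main__":
    for severity, tag, ip, port in triage(SAMPLE_REPORT):
        print(f"[{tag}] {{{severity}}} {ip}:{port}")
```

Raising `min_severity` is the analogue of only looking at the top of the slide's table: on a campus with roughly 3000 live addresses, starting from the {10} and {7} tags each month and working down keeps the list actionable.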