Fighting Zombies with FastNMAP Plus
Other Tools for the Toolbox
Infragard
Friday, July 23, 2010
Brian Allen, CISSP
ballen@wustl.edu
Network Security Analyst,
Washington University in St. Louis
http://nso.wustl.edu/
Washington University in St. Louis, MO
•
•
•
•
•
•
Private University Founded in 1853
3,000+ Full Time and Adjunct Faculty
13,000+ Full and Part Time Students
13,000+ Employees
4000+ Students Living on Campus
Decentralized Campus Network
Business School
NSS
Law School
Arts & Sciences
Internet
NSO
Medical School
Library
Social Work
Art & Architecture
Engineering School
Decentralized Campus Network
NSS = Network Services and Support
NSO = Network Security Office
Today’s Discussion Items
• Proactive Tools:
– Nmap: Scan every IP, every port, once per month
– Google Alerts
• Reactive Tools:
– Malware analysis tools like VirusTotal
– Anti-virus scanners like Malwarebytes
– System tools like the Sysinternals Suite
• Highlighted Malware:
– Zeus
Some NMAP Benefits
• NMAP is the top pick because it:
– Finds backdoors, FTP servers, open proxies, rogue
access points, etc
– Can identify many services running like Apache
servers, IIS 5.0, or RealVNC
– Extensive series of scripts available similar to
nessus or metasploit
– Open Source
NMAP Downsides
• NMAP has trouble scanning more than a few
hosts or small subnets at a time:
– It returns too much data to reasonably wade
through
– It has performance issues scanning large networks
Solution: FastNMAP and NPWN
• Developed by Brandon Enright UC San Diego
• http://sourceforge.net/projects/npwn
• FastNMAP will run NMAP in a way to optimize
it for scanning large networks
• NPWN is a tool that reads in large FastNMAP
reports and quickly highlights important items
Potential Pitfalls of Scanning
• Pick a reasonable period to scan: 1 week < X <
A Couple Months
• Identify Devices with Problems, Exclude Them,
Work to Fix them
– A Switch’s one minute heartbeat was missed, and
school’s network engineers were paged
– A KVM Switch Hung – It was old and needed to be
updated, then it handled the scan fine
NMAP Scripting Engine
• I kept 92 nse scripts like:
–
–
–
–
–
–
–
"dns-recursion.nse“
"http-headers.nse“
"imap-capabilities.nse“
"irc-info.nse“
"p2p-conficker.nse“
"smb-enum-users.nse“
"ssl-cert.nse“
• I removed all the brute force ones + others like:
– "smb-check-vulns.nse“
– "smb-brute.nse"
FastNMAP Command
# nmap -sL -n 128.252.0.0/16 |
egrep '^Nmap scan‘ |
awk '{print $5}‘ |
./fastnmap.pl
NPWN Command
#./npwn.pl -x -s 7 -d ./log/
FastNMAP.pl Status Update
• Took three days to scan /16 network (65000+ IPs)
• Much of the campus sits behind firewalls
• Can only scan the MedSchool’s 93 /24 subnets
once per month
• Am not scanning any of our private IP space
(student subnets, wireless, etc)
• Usually find about 3000 IP addresses online
Some Interesting Npwn Tags
NPWN TAG
[VNCAUTHBYPASS]
[BACKDOOR]
[IMAPWEAKAUTHNOSSL]
[POP3WEAKAUTHNOSSL]
[NOPASSWD]
[OPENX11]
[SERV-U]
[OLD_MSFTP]
[SSLCERT_WILDCARD]
[NSFTP]
Severity
{10}
{10}
{7}
{7}
{7}
{7}
{6}
{4}
{4}
{3}
Virus Total
• A very nice site to upload suspicious malware
• Checks the malware against nearly all AV
products (39 at last count)
• Delivers a report in minutes
• Plus, if the malware is new, then it will be
shared with AV vendors
Google Alerts
• Another valuable proactive tool
• Find hacked php web applications, abused
world writable calendars, etc
• Spammers will find all these and use them to
promote their spam enterprises
• Google Alerts will send you an email letting
you know when it finds whatever you want to
search for:
Sysinternals Tools (Windows)
•
•
•
•
•
•
Process Explorer
Autoruns
Process Monitor
PSTools
TCPView
RootkitRevealer
MalwareBytes
• Fake Anti-virus Malware is common now
• I have had bad luck trying to clean it by hand
• I have had users on campus, plus reports from
other security folks, that Malwarebytes is a
good tool to combat Fake Antivirus infections.
• Best solution is to wipe the OS and start over
Zeus
• A Few Notable Zeus Attacks from the Past Year
• Bullitt County, Kentucky: July 2009 -$415,000
•
•
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html
• Western Beaver School District, PA Jan 2009 -$219,000
•
http://www.courier-journal.com/blogs/bullitt/2009/07/bullitt-not-alone-in-online-thefts.html
• Duanesburg Central School District, NY: Jan 2010
-$3Million
•
http://www.duanesburg.org/news/0910/cybercrime.htm
How Zeus Works
1. Hackers send phishing emails with a link to
download the zeus bot to the victim’s computer
2. The zeus bot has a keylogger which captures the
victim’s bank credentials
3. The criminal logs in to bank's website using that
information, and transfers money to the
"Customer Service Specialist" AKA Money Mule
4. The Mule then receives instructions on how to
wire the money internationally, keeping a
generation commission (money stolen from
someone else's bank account!) for themselves
Zeus Facts
• 3.6 Million bots in the US as of late 2009
•
http://www.networkworld.com/news/2009/072209-botnets.html
• For Computers with up-to-date AV, 55% still
were infected by Zeus
•
http://www.trusteer.com/files/Zeus_and_Antivirus.pdf
• Sold on the Underground Economy and Used
by Criminal Organizations
What Can Zeus Do?
• Keylogger is activated
• Replace the web form on a search page:
• Ask for card numbers, pin numbers, SSNs, answers to
security questions, etc.
• Real-time screenshots can be taken
• It can “phone home” and update itself
• It can KOS! (Kill the OS) http://www.abuse.ch/?p=1327
Any Questions?