Page 1: The Five Most Popular Attacks on the Internet Peter Mell, 1-7-98 peter.mell@nist.gov National Institute of Standards and Technology Computer Security Division.

The Five Most Popular Attacks on the Internet

Peter Mell, 1-7-98

[email protected]

National Institute of Standards and Technology

Computer Security Division

Page 2:

Outline

Sources of attacks and vulnerability information

Details on the most frequently requested attacks

Statistics on attacks available on the Internet

Page 3:

Web Site Resources

Vulnerability Advisories: CERT, http://www.cert.org; L0pht, http://www.l0pht.com/

Vulnerability Information: Bugtraq, http://geek-girl.com/bugtraq; NTBugtraq, http://www.ntbugtraq.com

Attack Scripts: Rootshell, http://www.rootshell.com; Fyodor's Playhouse, http://www.insecure.org

Page 4:

We are Measuring the Popularity of Attacks

Rootshell makes available a cgi script that reveals the last 50 search requests made on its database of 700+ attack scripts.

We created a perl script that harvests these search requests each hour.

Approximately 170,000 queries are made each month (our current sample size is 20% of the total number: 33,000 queries).

Page 5:

The Top 18 Search Requests (12-98)

1. linux 2.3%
2. windows nt 2.3%
3. windows 1.5%
4. icq 1.4%
5. sendmail 1.4%
6. back orifice 1.4%
7. smurf 1.3%
8. teardrop 1.3%
9. imap 1.3%
10. 1.2%
11. solaris 1.1%
12. redhat 1.0%
13. windows 98 0.9%
14. netbus 0.8%
15. nuke 0.8%
16. scanner 0.8%
17. freebsd 0.8%
18. irix 0.7%

Page 6:

Search Requests on OSs

Entries of the top-18 list that name operating systems (rank and share as in that list):

1. linux 2.3%
2. windows nt 2.3%
3. windows 1.5%
11. solaris 1.1%
12. redhat 1.0%
13. windows 98 0.9%
17. freebsd 0.8%
18. irix 0.7%

Page 7:

Search Requests on Applications

Entries of the top-18 list that name applications (rank and share as in that list):

4. icq 1.4%
5. sendmail 1.4%
9. imap 1.3%

Page 8:

Attacks on Applications

ICQ: 6 exploits in the last year. Spoof any ICQ user id and send people files that get stored anywhere.

Sendmail: 11 exploits in the last year. Local get root, DOS, remote control.

imap: 8 exploits in the last year. Scanners and remote get root attacks.

Manuals on performing buffer overflow attacks:
http://www.insecure.org/stf/smashstack.txt
http://www.l0pht.com/advisories/bufero.html

Page 9:

Search Requests on Attacks

Entries of the top-18 list that name attacks or attack tools (rank and share as in that list):

6. back orifice 1.4%
7. smurf 1.3%
8. teardrop 1.3%
14. netbus 0.8%
15. nuke 0.8%
16. scanner 0.8%

Page 10:

Back Orifice: What Microsoft Says

"Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95 and Windows 98 users following safe computing practices are not at risk..."

http://www.wired.com/news/news/technology/story/16310.html

According to Wired (1998-Nov-17), 79% of Australian ISPs are "infected" with Back Orifice.

Page 11:

Back Orifice

Author: Cult of the Dead Cow http://www.cultdeadcow.com

Publish Date: Released in August 1998 at the annual hacker DEF CON convention

Summary: Remotely control Windows 95 hosts

Transmission Method: Web site downloads, e-mailing free apps, piggybacking with “ordinary” remote exploits

Page 12:

Back Orifice Applications

File System Control: Add/delete any file
Process Control: Run/kill any process
Registry Control: List, create, delete, and set registry keys and values
Network Control: View all exported resources and their passwords. View and kill connections.
Multimedia Control: Keystroke monitor. Take screen shots. Control host cameras.
Packet Redirection: Redirect local ports to remote ports
Packet Sniffer: Views any network packets
Plug-in Interface: Much like Netscape plug-ins

Page 13:

Other Back Orifice Features

Other Features: Encrypted connections; Autonomous mode

Plug-Ins:
Butt Trumpet: Penetration notification via e-mail
Saran Wrap: Easily bundle BO with legitimate software
Speakeasy: Broadcast a penetration to an IRC channel

Page 14:

Netbus

Similar to Back Orifice except that anyone can log into a netbus server.

Capabilities: Start optional application. Go to an optional URL. Download/Upload/Delete files. Control mouse. Send keystrokes and disable keys. Shut down Windows. Record sounds from the microphone. Listen to keystrokes. Take a screendump.

Page 15:

Teardrop

Reboots or halts Windows 95, NT and Linux using 2 fragmented packets.

First pair of pictures: the second fragment overlaps the tail of the first.

As sent: a a a a a a b b c c c
P1 Offset=0, P1 End=N
P2 Offset<N, P2 End=N+M

After the reassembler moves the start of P2 up to the end of P1: a a a a a a c c c
P1 Offset=0, P1 End=N
P2 Offset=N, P2 End=N+M

Second pair of pictures: the second fragment lies entirely inside the first.

As sent: a a a a a ab
P1 Offset=0, P1 End=N
P2 Offset<N, P2 End<N

After the same adjustment: a a a a a a
P1 Offset=0, P1 End=N
P2 Offset=N, P2 End<N (P2 now ends before it starts, i.e. its length has gone negative)

Published before 11/14/97
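As an added illustration (not code from the talk), the following Python classifies a pair of fragments into the slide's cases using its symbols N and M, shows the length arithmetic that turns the second pair of pictures into a negative copy length, and contrasts it with a reassembler that simply rejects any fragment overlapping bytes already received. Fragment, naive_trim_length, classify and reassemble are names chosen here, and the fragments are constructed records, not captured packets.

```python
"""Fragment-overlap handling illustrating the Teardrop slide.

Added example; not code from the talk. Symbols follow the slide:
P1 covers bytes [0, N), P2 has Offset and End, End = Offset + length.
The fragments below are constructed, not captured packets.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int        # byte offset of this fragment inside the datagram
    end: int           # one past its last byte (Offset + payload length)
    payload: bytes     # the bytes it carries; len(payload) == end - offset


def naive_trim_length(p1: Fragment, p2: Fragment) -> int:
    """Copy length a reassembler computes if it merely slides P2's start up
    to P1's end. This is the arithmetic behind the slide's 'after' pictures:
    when P2 starts inside P1 (Offset < N) the start is moved to N and the
    length becomes End - N. With End < N that value is negative; passed to
    a copy routine as an unsigned size it runs far past the buffer."""
    start = max(p2.offset, p1.end)
    return p2.end - start


def classify(p1: Fragment, p2: Fragment) -> str:
    """Name the relation between P1 and P2 using the slide's cases."""
    if p2.end < p2.offset:
        return "negative-length"   # End < Offset: malformed on arrival
    if p2.offset >= p1.end:
        return "contiguous"        # Offset == N (or a gap): the normal case
    if p2.end > p1.end:
        return "overlap"           # Offset < N, End == N+M: tail of P1 rewritten
    return "contained"             # Offset < N, End <= N: P2 lies inside P1


def reassemble(fragments: List[Fragment], total: int) -> Optional[bytes]:
    """Hardened reassembly: accept only well-formed, non-overlapping fragments.

    Returns the datagram, or None if any fragment is malformed, overlaps a
    byte already written, or the datagram is incomplete. Dropping the whole
    datagram is the safe policy: a legitimate sender never emits overlapping
    fragments, so there is nothing to gain by guessing which copy to keep.
    """
    buf = bytearray(total)
    seen = bytearray(total)        # 1 where a byte has already been written
    for f in sorted(fragments, key=lambda x: x.offset):
        if f.offset < 0 or f.end <= f.offset or f.end > total:
            return None            # negative length, empty, or past the end
        if len(f.payload) != f.end - f.offset:
            return None            # header and payload disagree
        if any(seen[f.offset:f.end]):
            return None            # overlap or containment: reject
        buf[f.offset:f.end] = f.payload
        seen[f.offset:f.end] = b"\x01" * (f.end - f.offset)
    if not all(seen):
        return None                # gaps remain: datagram incomplete
    return bytes(buf)


# Constructed fragments mirroring the slide's pictures with N = 6, M = 3.
P1 = Fragment(0, 6, b"aaaaaa")
P2_OK = Fragment(6, 9, b"ccc")           # Offset = N, End = N + M
P2_OVERLAP = Fragment(4, 9, b"bbccc")    # Offset < N, End = N + M
P2_INSIDE = Fragment(2, 4, b"bb")        # Offset < N, End < N

if __name__ == "__main__":
    for name, p2 in (("ok", P2_OK), ("overlap", P2_OVERLAP), ("inside", P2_INSIDE)):
        print(name, classify(P1, p2), naive_trim_length(P1, p2), reassemble([P1, p2], 9))
```

Running the block prints the contained case with a trim length of -2 and a rejected datagram, while the contiguous case reassembles normally; the overlap case is also rejected rather than silently trimmed, which is the behaviour to expect from a patched stack.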

Page 16:

Smurf

Smurf freezes a target by sending it large numbers of ICMP ping packets. The attacker is not traceable. Each of the attacker's ping packets is amplified into hundreds of packets.

Diagram: Attacker -> Network that responds to broadcast pings -> Target

Ping packets sent by the attacker:
Source: Target
Destination: Broadcast address

The target receives hundreds of packets for each of the attacker's packets.

Published before 10/13/97

Page 17:

(Win)Nuke

Winnuke crashes Windows 95/NT hosts by establishing a TCP connection and sending out-of-band data.

Diagram: Attacker -> Target
1. TCP connection established (port 139)
2. Send a packet of out-of-band data (e.g. send(s, str, strlen(str), MSG_OOB))

Published before 5/7/97
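The two slides above describe traffic with a recognisable shape: for Smurf, echo requests addressed to a broadcast address with a source outside the network (the reflector's view) and echo replies fanning in from many hosts (the target's view); for WinNuke, out-of-band data, which on the wire is a TCP segment with the URG flag set, to port 139. The following Python is an added detection example, not code from the talk: the packet records are constructed dicts with the fields a firewall or IDS log would carry, SITE_NET is an assumed site prefix, and the function names are chosen here.

```python
"""Signature checks for the Smurf and WinNuke slides.

Added example, not code from the talk. Packet records are plain dicts
constructed inline with the fields a firewall or IDS log would carry;
SITE_NET is an assumed local prefix.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

SITE_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local prefix


def is_directed_broadcast_echo(pkt: Dict, net=SITE_NET) -> bool:
    """Smurf, reflector side: an ICMP echo request to our broadcast address
    from a source outside the prefix. Nothing legitimate does this; a router
    that drops it keeps the network from amplifying anyone's spoofed pings."""
    if pkt.get("proto") != "icmp" or pkt.get("type") != "echo-request":
        return False
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    return dst == net.broadcast_address and src not in net


def echo_reply_fan_in(pkts: Iterable[Dict], threshold: int) -> Dict[str, int]:
    """Smurf, target side: the victim sees one echo reply per responding host
    for every spoofed ping, so the amplification factor is the number of
    distinct reply sources. Returns {destination: distinct_sources} for
    destinations at or above the threshold."""
    sources = defaultdict(set)
    for p in pkts:
        if p.get("proto") == "icmp" and p.get("type") == "echo-reply":
            sources[p["dst"]].add(p["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= threshold}


def is_oob_to_netbios(pkt: Dict) -> bool:
    """WinNuke: MSG_OOB on the sending side becomes a TCP segment with the
    URG flag set; the slide's target is the NetBIOS session port, 139."""
    return (pkt.get("proto") == "tcp"
            and pkt.get("dport") == 139
            and "URG" in pkt.get("flags", ()))


def scan(pkts: List[Dict]) -> Counter:
    """Tally per-signature hits over a batch of records."""
    hits = Counter()
    for p in pkts:
        if is_directed_broadcast_echo(p):
            hits["smurf-reflector"] += 1
        if is_oob_to_netbios(p):
            hits["winnuke-oob"] += 1
    return hits


# Constructed records using RFC 5737 documentation addresses, not real traffic.
SAMPLE: List[Dict] = [
    # Spoofed ping: source is the victim, destination is our broadcast address.
    {"proto": "icmp", "type": "echo-request", "src": "198.51.100.7", "dst": "192.0.2.255"},
    # Ordinary internal ping to a unicast destination.
    {"proto": "icmp", "type": "echo-request", "src": "192.0.2.10", "dst": "192.0.2.20"},
    # Out-of-band data to port 139 from outside.
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.30", "dport": 139, "flags": ("ACK", "URG")},
    # Normal session traffic to port 139.
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.30", "dport": 139, "flags": ("ACK", "PSH")},
] + [
    # What the victim sees: one reply from each host that answered the broadcast.
    {"proto": "icmp", "type": "echo-reply", "src": f"192.0.2.{i}", "dst": "198.51.100.7"}
    for i in range(1, 6)
]

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(echo_reply_fan_in(SAMPLE, threshold=5))
```

The reflector-side check is the one that removes the amplifier from the Internet (the same effect as disabling directed broadcasts on the border router); the target-side count is what a host under attack can observe, and the threshold should be tuned to how many hosts legitimately ping the monitored address.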

Page 18:

Listing of the top 20 attacks

1. back orifice
2. smurf
3. teardrop
4. netbus
5. nuke
6. mscan
7. nestea
8. winnuke
9. targa
10. rootkit
11. land
12. boink
13. crack
14. strobe
15. queso
16. satan
17. nmap
18. bonk
19. sniffit
20. eggdrop

Recommended scanning software: nmap, queso, strobe, netcat

DOS attack toolkit: targa

Page 19:

Statistics on attacks published on the Internet

37% of attacks can be launched from Windows hosts (people don't need Unix to be dangerous anymore)

4% of attacks compromise hosts that visit web sites (surfing the Internet is not risk free)

3% of attacks exploit more than one vulnerability (attack toolkits that allow children to penetrate hosts with the push of a button are becoming a reality)

8% are scanning tools that look for vulnerabilities (automated searching for vulnerable hosts is commonplace)

Page 20:

Even Firewalls, Routers, and Switches are not safe

Percent of attacks that work against:
firewalls (7%) (no penetration attacks found)
routers (6%) (no penetration attacks found)

Percent of attacks that penetrate:
switches (2%) (nbase and 3com backdoor passwords)