Tuesday, February 15, 2005

Incident Scenario #1

I figured that while I'm working on providing actual data, I'll post a "Counterhack"-style scenario for folks...the first one will be simple. This first scenario is based on an actual incident...

A friend brings you a Windows2000 laptop that no longer boots normally. You insert a Windows2000 distribution CD, and run a repair installation. When you're finally able to access to the system, you call your friend and ask for a logon...you opt not to mess around with the ntpasswd utility on this system.

The first red flag you have is that your friend's username and password are the same. Hhhmmm...Very Bad. Before hanging up, you ask your friend how he accesses the Internet, and he admits to still using dial-up (major procrastinator). He does offer up, however, that while most of the time he'll disconnect his system while he's not actually working (ie, surfing), many times he'll take a break...sometimes for half an hour or more...before coming back to the system. Hanging up and shaking your head, you log into the system. You don't see anything unusual on the desktop, so you open the User Manager. The first thing you notice is that besides the Administrator account and your friend's account, there are several others (not just the Guest account)...one called 'god', one called 'gawd', and another called 'godd'. Oddly enough, all visible accounts (with the exception of the Guest account) are part of the Administrators group.

Opening the Service Control Manager, you don't see the Internet Information Server (IIS) installed. From everything you can see, this system is a normal Windows2000 distribution, installed directly from CD. The system does seem to be up-to-date with regards to Service Packs and hotfixes, but you notice that there is no personal firewall installed, nor is there an anti-virus package installed.

At this point, consider these questions:

1. How might this system have been compromised?

2. What is a likely scenario that would explain how these accounts got on the system? How would you go about proving this?

3. What are some other things you might look for? What tools would you use?

4. How would you go about securing the system?

If you have questions and comments, please feel free to contact me. Responses to this scenario/questions should be placed in the Comments...

4 comments:

Brandon said...

1. How might this system have been compromised?

One possible vector of attack is that a null session could have been established and user id's could have been lifted. While the user is dialed in, the attacker could have brute forced the lifted uid with the pwd that is the same. Once there pick your poison, TFTP tools to the box and from there the gates are open.

2. What is a likely scenario that would explain how these accounts got on the system? How would you go about proving this?

Given the above possible attack vector, the attacker probably gained admin rights either by the user already having admin or user escalation. The attacker could then either issue a 'net user' command or if they had a remote administration tool or VNC upped to the box could have used either of those two methods.

3. What are some other things you might look for? What tools would you use?

Backup the HDD with dd or ghost. Check the RestrictAnonymous setting in the registry to verify if the theory is correct. Look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce to verify that there are no entries that would contribute to affecting the secure state of the machine. Look for any hidden files either by misplacement or MS ADS. Verify all running process's with Procexp.exe. Go through the event logs and look for anything that might be deemed suspicious and investigate. Use openports to look for any services on ports that should not be there. Run a full Nessus scan against the box utilizing NMAP to scan all ports and verify that all patches are indeed up to date. Verify this with MBSA. Depending on the results of these tools, take the investigation on from there.

4. How would you go about securing the system?

Resolve the issue of how the attacker gained entry in the first place. Enable maximum password age, minimum length, and complexity. After verifying that all patches and updates are indeed up to date, put a properly configured personal firewall and antivirus on the system. Also use adware/spyware (Adaware, Spybot, Hijackthis) tools to verify that the system is clean in that respect. Set up automatice updates if the user accepts running DL'ing over dial-up. Oh ya, educate the user.

dhibbeln said...

1. How might this system have been compromised?

Does this machine have an NIC card? Is it configured? You can't trust that it is only on dial-up. It could be taken down to the local hot-spot or to work. Can't trust what you are told by any end user.

2. What is a likely scenario that would explain how these accounts got on the system? How would you go about proving this?

My gut is that is malware and and attempt to make it part of a botnet.

Run Gargoyle from Wetstone on it.


3. What are some other things you might look for? What tools would you use?

Run Sybot 1.3 on it and look at all process running - use sysinternals tools also. filemon and regmon. There is also the process explorer.

4. How would you go about securing the system?

We have seen a lot of comparized systems. We have found that if after running malware apps we find stuff one it does not pay to fix it un less you image before you attempt to fix. Too many 16 hour days trying to fix something that a malware fixer found.

You end up with a Disaster recovery effort to find files for apps you never heard of.

Do not connect to net until after personal filewall installed.

Image the drive (acronis, ghost, ntimage etc) or copy off the data the use wants to keep. You might want to use MS File and Transfer wizard if lots MS apps.

Wipe the drive.

Format and rebuild the OS via CD' for OS and SP's. If pbssible move to XP SP2 Pro.

Load personal firewall of your taste.

Load Sybot 1.3 with teatimer and immunize the host files.

Once you have drive built, image it cause you know your friend is going to mess it upgain.

Anonymous said...

1. How might this system have been compromised?
The weak password, malware, or through some vulnerability that he didn't patch in time. I'd ask him when he updated his computer, and search for any likely vulnerabilities.

2. What is a likely scenario that would explain how these accounts got on the system? How would you go about proving this?
His account was compromised. Since it was part of the administrators group, the attacker would have admin privileges so he could create accounts. I could prove it by asking him which accounts he didn't create, but it would be more fun to use the FSP.

3. What are some other things you might look for? What tools would you use?
I'd focus on startup locations with autorunsc, and tasklist. Other tools I'd use are pslist, openports, cmdline, etc. Get the MAC times from the files and see if I could identify more suspicious activity. Getting the MAC times from the home directories would also be a quick start. I'd probably use mactime to help find files within a certain time range.

4. How would you go about securing the system?
The safest thing would be to save important data and reformat. If he doesn't want to do that then I'd just clean it up the best I could. Remove all files I have identified as malicious, as well as user accounts that he didn't create. Install firewall and AV software, strong passwords. Teach him about security, and help him learn from his mistakes.

Adam said...

^^ I forgot to say that installing AV software would help identify if malware was responsible for the initial compromise, or in any other way.