Over the past several years, the Honeynet Project has consistently seen the same tactics used against the Honeynet. Alhough these tactics do not apply to the entire blackhat community, they are the ones most commonly used. You will most likely see these tactics used against your organization. The tactic we have identified is a simple one. A majority of blackhats randomly scan the Internet for a specific weakness; when they find it, they exploit it. They focus on a specific vulnerability, perhaps the only one they know. Sometime, they use tools released for mass scanning and scan millions of systems until they find potential targets. Most of the tools are simple to use and automated, requiring little interaction. You launch the tool and come back several days later to obtain your results. The blackhat community even has a name for these types of tools: autorooter. No two tools are alike, just as no two exploits are alike. However, most of the tools are based on the same tactics. First, the blackhat develops a database of IP addresses that can be scanned: live systems that the blackhat can probe. The next step is to gain information on those IP addressees: what operating system they are using and any services or applications they are offering. Often, the version of the service or application must be determined. Once this information is obtained, either the blackhat or the tool will determine whether the remote system is vulnerable. Recently, however, it has become more and more common that blackhats do not even bother trying to determine whether the remote system is vulnerable. They just run the exploit against a wide range of systems and see whether they are successful.
For example, let's say that a blackhat has a tool that exploits a vulnerable version of rpc.statd on Linux systems, such as statdx.c. The blackhat may not know how the tool works or may not even know what rpc.statd is. Most likely, someone on IRC explained the exploit, or the blackhat downloaded a HOWTO that explains the tool step-by-step. However, the blachkhat does know that Linux systems running a vulnerable version, such as Red Hat 6.2, must be found. Often, the tools come preconfigured to be run against a specific operating system or vendor type. These are the systems and vulnerabilities the blackhat will look for. First, the attacker would develop a database of IP addresses that could be scanned: systems that are up and reachable. Another method would be to conduct a zone transfer of a domain's DNSs. Once this database of IP addresses is built, the user would want to determine which systems were running Linux. This can be done by looking at systems banners, such as from TELNET, or using more sophisticated scanning tools to determine the remote operating system type, such as Nmap or Queso. These tools create special packets that can remotely determine the operating system type of most systems, sometimes even the kernel version or the patch level. Once the remote operating system type has been determined, the next step is to determine whether the service is running, in this case, rpc.statd. Port scanners, such as Nmap, or simple systems tools, such as rpcinfo, could then be used to determine which Linux hosts were running rpc.statd. All that is left now is to exploit those vulnerable systems.
These tactics are not limited to UNIX-based systems; we see the same tactics used against Windows-based systems also. Blackhats will randomly probe the Internet for specific Windows-based vulnerabilities and then, once identified, compromised them. For example, NetBIOS scans are one of the most aggressive scans we have seen. Blackhats on the Internet are aggressively scanning for systems with Windows SMB exposed shares. The Honeynet Project logged more than 500 such scans in a single month (see Appendix D). Other common probes are for NT IIS vulnerabilities, such as Unicode or RDS. Then, the blackhat community will quickly exploit these vulnerable systems. The blackhat community is not biased but will aggressively probe for and find any vulnerability. No system is safe.
Not every blackhat follows these tactics step-by-step. Often, only part of these tactics may be followed. For example, many blackhats become lazy and do not even bother building a database of IP addresses but instead just sequentially scan an entire network for a specific service, such as Washington University's FTP server daemon. If the blackhats find a system running FTP, they will not bother to determine which vendor or which version is running but instead will just launch the exploit. If it works, great. If not, they move on to the next system. They literally have millions of systems to try. As these tools are almost always automated, the numbers are in their favor. The blackhats can run these scans 24 hours a day, 7 days a week, at no cost to themselves.
You would think that all this scanning would be extremely noisy, attracting a great deal of attention. However, many people are not monitoring their systems and do not realize that they are being scanned or that their systems are being used to scan others. Also, many script kiddies quietly look for a single system to exploit. Once they have exploited a system, they use it as a launching pad, boldly scanning the entire Internet without fear of retribution. If their scans are detected, the system administrator, not the blackhat, will be held liable.
Blackhats often archive or share their scan results for use at a later date. For example, a user develops a database of what ports are open on reachable Linux systems in order to exploit the current image map vulnerability. However, let's say that a month from now, a new Linux exploit is identified on a different port. Instead of having to build a new database, which is the most time-consuming part, the user can quickly review the archived database and compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable or compromised systems. (You will see examples of this in Chapter 11.) The script kiddie can then exploit your system without even scanning it. Just because your systems have not been scanned recently does not mean that you are secure.
Once systems have been compromised, the more sophisticated blackhats implement Trojans and backdoors. Backdoors allow easy, unnoticed access to the system. Even if the administrator changes system accounts or passwords, the blackhat still has remote access. System binaries are trojaned so that the blackhat's presence and activity are hidden. This is done by modifying system binaries to hide the blackhat's files, processes, and any other activity. The Trojans make the intruder undetectable, not showing up in any of the logs, systems processes, or file structure. More sophisticated Trojans modify system libraries or even load kernel modules, modifying the running kernel in memory. To automate this process and make it simpler, tools called rootkits have been developed and published. These kits automate the entire process of taking control of a system, including wiping system logs clean to hide the blackhat, replacing system binaries, implementing backdoors, and launching sniffers to capture system accounts and passwords. We have even recorded rootkits securing the compromised system so no other blackhats can find and exploit the same vulnerability. The blackhats build a comfortable and safe home from which to continue their activity.
These attacks are not limited to a certain time of the day. Many administrators search their log entries for probes that happen late at night, believing that this is when blackhats attack. But they attack at any time. Remember, in most cases, it is automated programs, not manual methods, that break into systems. Scans take place 24 hours a day; you have no idea when the probe will happen. These attacks are also launched from throughout the world. Just as the Internet knows no geographical bounds, it knows no time zones. It may be midnight where the blackhat is but 1 pm in your location. Expect your systems to be scanned and probed anytime, from anywhere.