Re: detecting "Code Red" worm in NetFlow records


Subject: Re: detecting "Code Red" worm in NetFlow records
From: Dave Plonka (plonka@doit.wisc.edu)
Date: Fri Jul 20 2001 - 16:24:07 CDT

Thanks for the add'l hints, Mark - it works well to do a double-pronged
investigation and then see how the resulting sets intersect.

BTW, here's a slight adjustment to my previously suggested command
line. This one to identify hosts which appear to be successfully
propagating the Code Red worm:

   $ flowdumper -se '6 == $protocol &&
		     80 == $dstport &&
		     7 == $pkts &&
		     4327 == $bytes &&
		     ($TH_FIN & $tcp_flags)' raw_flow_file

Previously I had not specified port 80 as the dstport (hoping to see both
the infectors and infectees) but I was getting some false positives
when Apache and other web servers using port 80 as the source port
happened to produce just that number of packets and bytes.

As an aside, even after the epoch (0000 UTC, 7PM CDT) when the infected
hosts seemed to stop propagating the worm, I still see a small
number of hosts doing the probes this morning.  My hypothesis is that
those machines' clocks are wrong.

The other funny thing I see in the FlowScan graphs, such as this graph,
which shows the number of campus IP addresses that were probed (but did not
respond):

   http://net.doit.wisc.edu/~plonka/abuse/20010719/monologue.png

      (BTW, That's an unadvertised URL. In my copious free time I'm hoping
      to add an "index.html" with some explanation of how FlowScan saw
      the Code Red worm.)

is that a subset of the outside hosts that were probing were off by an
hour, and didn't stop until 0100 UTC, 8PM CDT (localtime).   Possibly
this is because of incorrect Daylight-Savings-Time settings.

(I guess that's why secret agents always synchronize their watches when
beginning a mission...)

Dave

On Fri, Jul 20, 2001 at 12:43:52PM -0400, Mark Fullmer wrote:
> Nice work.  A few additional tips.
> 
> To track which hosts are hitting www.whitehouse.gov
> 
> % cat <<EOF > filter.acl
> ip access-list standard wh permit host 198.137.240.91
> ip access-list standard wh permit host 198.137.240.92
> EOF
> % flow-cat <files> | flow-filter -f filter.acl -D wh | flow-stat -f9
> 
> flow-dscan requires two config files, which can be empty to start up.
> % touch dscan.suppress.src
> % touch dscan.suppress.dst
> 
> flow-tools can read and write cflowd files now which should make 
> using both toolkits together easier or using Cflow.pm configure for cflowd.
> 
> % cat <cflowd files> | flow-import -f0 -V5 | flow-filter -f filter.acl -Dwh | flow-stat -f9
> 
> or if Cflow.pm is built for cflowd support
> 
> % flow-cat <flow-tools files> | flow-export -f0 | flowdumper ...
> 
> mark
> 
> On Fri, Jul 20, 2001 at 09:39:20AM -0500, Dave Plonka wrote:
> > 
> > flow-tools and FlowScan users,
> > 
> > While this may be a bit late, here's a technique that I'm using to
> > determine which hosts were participating in the "Code Red" worm.  (This
> > hit us really hard yesterday.  For background on the worm see the links
> > below.)
> > 
> > After investigating a number of hosts that had been infected, I see
> > that the original infection of a host leaves a recognizable signature
> > in the non-sampled NetFlow records.
> > 
> > The successful infection looks like this (with "flowdumper -s"):
> > 
> >    2001/07/19 10:17:14 infector.2179 -> infectee.80 6(PUSH|SYN|FIN|ACK) 7 4327
> >    2001/07/19 10:17:14 infectee.80 -> infector.2179 6(PUSH|SYN|ACK) 5 212
> > 
> > Then, immediately upon successful infection, the infectee starts the
> > probes to random destination hosts on port 80:
> > 
> >    2001/07/19 10:17:15 infectee.4321 -> 52.22.95.40.80 6(PUSH|RST|SYN|ACK) 11 4487
> >    2001/07/19 10:17:15 infectee.4322 -> 91.167.212.99.80 6(PUSH|RST|SYN|ACK) 11 4487
> >    2001/07/19 10:17:15 infectee.4323 -> 130.56.74.159.80 6(PUSH|RST|SYN|ACK) 11 4487
> >    ...
> > 
> > The infection preamble allows us to select just the candidate infectee
> > hosts like this:
> > 
> >    $ flowdumper -se '6 == $protocol && 7 == $pkts && 4327 == $bytes && ($TH_FIN & $tcp_flags)' raw_flow_file
> > 
> > For those of you using flow-tools rather than cflowd, you can also make
> > use of the flow-dscan tool to detect the hosts performing port 80 probes:
> > 
> >    $ /usr/local/netflow/bin/flow-filter -P80 < raw_flow_file | /usr/local/netflow/bin/flow-dscan -b
> > 
> > Dave
> > 
> > P.S. below are some references on the IIS vulnerability and the worm
> > which exploits it.
> > 
> > Announcement of the vulnerability:
> > 
> >    http://www.eeye.com/html/Research/Advisories/AD20010618.html
> > 
> > Discussion about the "Code Red" exploit/worm:
> > 
> >    http://www.securityfocus.com/templates/headline.html?id=12021
> >    http://www.securityfocus.com/templates/headline.html?id=12004
> >    http://www.cert.org/incident_notes/IN-2001-08.html
> > 
> > Patch to the vulnerability:
> >   
> >    http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

-- 
plonka@doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI

--
Help        mailto:majordomo@net.doit.wisc.edu and say "help" in message body
Unsubscribe mailto:majordomo@net.doit.wisc.edu and say
"unsubscribe flowscan" in message body
Archive     http://net.doit.wisc.edu/~plonka/list/flowscan/archive/
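The "double-pronged" check discussed in this thread (select flows matching the infection preamble, then see which of those hosts go on to probe port 80, and intersect the two sets), worked through as an added Python example. This is not code from the original posts, from flowdumper or from flow-tools; it parses constructed records laid out like the flowdumper -s excerpts above. The two signatures (7 packets / 4327 bytes with FIN for the infection preamble, 11 packets / 4487 bytes for the probes) are the ones reported in the thread; the hosts, timestamps, the min_targets threshold and the require_dstport80 switch (which reproduces the port-80-source false positive mentioned above when turned off) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed records in the layout flowdumper -s prints (as excerpted in the
# thread). Hosts, ports and times are made up. Flow 6 is an ordinary web server
# that happens to emit 7 packets / 4327 bytes from source port 80 (the false
# positive the thread mentions), flow 7 is an infection with no probes seen
# yet, and flow 8 has the right size but no FIN.
SAMPLE_FLOWS = """\
2001/07/19 10:17:14 10.0.0.5.2179 -> 192.0.2.10.80 6(PUSH|SYN|FIN|ACK) 7 4327
2001/07/19 10:17:14 192.0.2.10.80 -> 10.0.0.5.2179 6(PUSH|SYN|ACK) 5 212
2001/07/19 10:17:15 192.0.2.10.4321 -> 198.51.100.40.80 6(PUSH|RST|SYN|ACK) 11 4487
2001/07/19 10:17:15 192.0.2.10.4322 -> 203.0.113.99.80 6(PUSH|RST|SYN|ACK) 11 4487
2001/07/19 10:17:15 192.0.2.10.4323 -> 198.51.100.159.80 6(PUSH|RST|SYN|ACK) 11 4487
2001/07/19 10:20:01 192.0.2.20.80 -> 198.51.100.7.3344 6(PUSH|SYN|FIN|ACK) 7 4327
2001/07/19 10:21:30 10.0.0.9.1055 -> 192.0.2.30.80 6(PUSH|SYN|FIN|ACK) 7 4327
2001/07/19 10:22:00 192.0.2.40.2000 -> 198.51.100.8.80 6(PUSH|SYN|ACK) 7 4327
"""

# "<date> <time> <src>.<sport> -> <dst>.<dport> <proto>(<flags>) <pkts> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+) "
    r"(?P<proto>\d+)\((?P<flags>[^)]*)\) (?P<pkts>\d+) (?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse flowdumper -s style lines into dicts; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "proto": int(d["proto"]),
            "flags": set(d["flags"].split("|")) if d["flags"] else set(),
            "pkts": int(d["pkts"]), "bytes": int(d["bytes"]),
        })
    return flows


def infection_flows(flows, require_dstport80=True):
    """Flows matching the infection preamble signature from the thread:
    TCP, 7 packets, 4327 bytes, FIN set. With require_dstport80 (the adjusted
    filter) the destination port must also be 80, which drops web servers
    that merely answer from source port 80 with the same packet/byte counts."""
    return [f for f in flows
            if f["proto"] == 6 and f["pkts"] == 7 and f["bytes"] == 4327
            and "FIN" in f["flags"]
            and (not require_dstport80 or f["dport"] == 80)]


def candidate_infectees(flows):
    """Destination hosts of the infection preamble flows."""
    return {f["dst"] for f in infection_flows(flows)}


def probe_flows(flows):
    """Flows matching the post-infection probe signature from the thread:
    TCP to port 80 from a non-80 source port, 11 packets, 4487 bytes."""
    return [f for f in flows
            if f["proto"] == 6 and f["dport"] == 80 and f["sport"] != 80
            and f["pkts"] == 11 and f["bytes"] == 4487]


def probing_hosts(flows, min_targets=3):
    """Sources that sent probe-sized flows to at least min_targets distinct hosts
    (the threshold is an assumption; flow-dscan has its own heuristics)."""
    targets = defaultdict(set)
    for f in probe_flows(flows):
        targets[f["src"]].add(f["dst"])
    return {h for h, t in targets.items() if len(t) >= min_targets}


def confirmed_infectees(flows, min_targets=3):
    """Intersect the two prongs: hosts that received the preamble and then
    (not before) started probing port 80."""
    first_infected = {}
    for f in infection_flows(flows):
        first_infected[f["dst"]] = min(f["ts"], first_infected.get(f["dst"], f["ts"]))
    probers = probing_hosts(flows, min_targets)
    return {f["src"] for f in probe_flows(flows)
            if f["src"] in probers and f["src"] in first_infected
            and f["ts"] >= first_infected[f["src"]]}


FLOWS = parse_flows(SAMPLE_FLOWS)

if __name__ == "__main__":
    print("candidate infectees:", sorted(candidate_infectees(FLOWS)))
    print("without dstport 80 check:", sorted(f["dst"] for f in infection_flows(FLOWS, False)))
    print("probing hosts:", sorted(probing_hosts(FLOWS)))
    print("confirmed infectees:", sorted(confirmed_infectees(FLOWS)))
```

Run against the sample, 192.0.2.30 stays a candidate only (infected, no probes seen), 192.0.2.20 appears only when the dstport 80 requirement is dropped, and 192.0.2.10 is the one host both prongs agree on. With real data, feed `flowdumper -s` output to parse_flows and raise min_targets to something well above what a normal client does in the window you examine.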


This archive was generated by hypermail 2b25 : Fri Jul 20 2001 - 16:28:00 CDT