ATF v2: Weighted Threats

When I first introduced you all to the Aggregate Threat Feed back in May, it was a much smaller feed with very simple ambitions — pulling together threat data at work from our network edge and host-based firewalls and aggregating it into a usable feed. The intention was that as an attacker exposed themselves more on the network through invasive scans and attacks, they would quickly climb the threat feed and end up banned proactively. Though this did and still does happen to a degree, a problem appeared as more and more data started to come in from the network edge: it quickly outweighed the data from the hosts.

The old threat feed was sorted by number of events. For the network edge IPS, the events correlated directly with signature hits on the network edge, so these could number from 50 events for an SNMP community scan to thousands of events for an SSH scan. Then you have the host-based firewall events (mostly brute force attacks); these are correlated into the feed by the occurrence of an attacker's address across unique servers, so if 1.2.1.2 made a brute force attempt against 11 servers it would show in the feed as 11 events.

The problem that developed is that the network edge IPS is far noisier, in terms of exposure, than the host-based firewalls. You would end up with hundreds of IPs from the network edge with thousands of events each, while the host-based firewalls, even though they also represent hundreds of attacking IPs, produced FAR lower event counts because those counts are relative to the unique servers attacked. This meant that the top 50 or 100 items in the threat feed were often all IPS events; although those are quite valid events, the host-based events carried more threat significance than some of the IPS events. The host events were simply being washed out of the top 100 by the sheer volume of IPS events (who really wants to import 300 addresses from a threat feed, let alone even 100?).

So, what I decided to do was add a weighted field to the database, based on the number of unique targets for each attacking IP. This weighted field is the new sort method for the feed, and it works something like this. If the IPS picks up an attacker hammering five servers with an SQL injection exploit, that attacking IP ends up in the threat feed with a weight of 5; if we then have an attacker that runs brute force attacks on 30 servers, that attacking IP ends up in the threat feed with a weight of 30. The end result is that the threat feed is better populated, with the highest weighted attackers at the top, so attackers who are more aggressive across unique targets quickly end up at the top of the list. This allows the feed to better protect the devices/hosts it is used on from a developing attack, before the attacker reaches that device/host on the network.

Drop Format:
http://asonoc.com/api/atf.php?top=50

List Format (fields: IP | SERVICE | EVENTS | WEIGHT):
http://asonoc.com/api/atf.php?top=50&fmt=list
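As an added example (not the ATF's own code), here is how the v2 ranking described above can be computed from raw events, with the old events-based sort kept alongside for comparison. The event tuple layout, the drop format being one IP per line, and SERVICE being the attacker's most frequently seen service are assumptions; the sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real data), one tuple per observed event:
# (source, attacker_ip, service, target_host). "ips" = a network-edge IPS
# signature hit; "hostfw" = a host-based firewall block (brute force).
SAMPLE_EVENTS = (
    # one noisy SSH scan: 1200 signature hits, but a single target
    [("ips", "198.51.100.7", "ssh", "web01")] * 1200
    # SQL injection attempts against five distinct web servers
    + [("ips", "203.0.113.9", "http", f"web0{i}") for i in range(1, 6)]
    # brute force blocked on 30 unique servers
    + [("hostfw", "192.0.2.44", "ssh", f"srv{i:02d}") for i in range(30)]
    # brute force on 11 unique servers, with repeat attempts on each
    + [("hostfw", "192.0.2.201", "ftp", f"srv{i % 11:02d}") for i in range(40)]
)

def build_feed(events):
    """Aggregate raw events into one row per attacking IP.

    EVENTS is the old sort key: every IPS signature hit counts, while host
    firewall hits count once per unique server hit (the 11-servers case).
    WEIGHT is the v2 sort key: unique targets across both sources.
    SERVICE is assumed to be the attacker's most frequently seen service.
    """
    ips_hits = Counter()
    hostfw_servers = defaultdict(set)
    targets = defaultdict(set)
    services = defaultdict(Counter)
    for source, ip, svc, target in events:
        targets[ip].add(target)
        services[ip][svc] += 1
        if source == "ips":
            ips_hits[ip] += 1
        else:
            hostfw_servers[ip].add(target)
    return {ip: {"service": services[ip].most_common(1)[0][0],
                 "events": ips_hits[ip] + len(hostfw_servers[ip]),
                 "weight": len(targets[ip])} for ip in targets}

def rank(feed, key="weight"):
    """Attacker IPs sorted by the chosen field, highest first (key="events" is the old sort)."""
    return sorted(feed, key=lambda ip: (feed[ip][key], ip), reverse=True)

def render(feed, top=50, fmt="drop"):
    """Drop format: one IP per line. List format: IP | SERVICE | EVENTS | WEIGHT."""
    rows = [(ip, feed[ip]) for ip in rank(feed)[:top]]
    if fmt == "drop":
        return "\n".join(ip for ip, _ in rows)
    return "\n".join(f"{ip} | {r['service']} | {r['events']} | {r['weight']}" for ip, r in rows)
```

With these sample events the noisy single-target scanner tops the old events sort, while the 30-server brute forcer tops the weighted feed.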

Signature Updates: Month In Review

Since I will be busy this coming week with other priorities, I am posting an early month in review blog on signature updates.

In the last 3 weeks we have not seen a whole lot of action in in-the-wild malware; most of what is propagating at the moment consists of variants of already detected content. That is not to say there have not been new signatures extracted: a lot of this month's signatures have come from account-level compromises on vulnerable e107, WordPress and Joomla installations, along with user submissions. There are not a whole lot of ground-breaking malware threats; it is more of the usual, such as mass mailers, Perl/PHP command shells, IRC bots and PHP socket flooding tools.

In total, in the 3 weeks ending Sat July 24th, there have been 128 new signatures in 54 classifications, with 65 signatures added in the last 7 days. This brings us to a total of 2,588 (1002 MD5 / 1586 HEX) signatures, an increase of 117 signatures over the last blog post on signature updates. For those paying attention, there is a discrepancy of -11 signatures between the 128 new signatures and the +117 change since the last update; this is because 11 signatures have also been removed for poor performance/false positives.

As always, new signatures are automatically updated daily or can be manually updated with the -u|--update command line options. The 128 new signatures fall into the following classification groups:

base64.inject.unclassed    exp.linux.unclassed
perl.cmdshell.n0va         perl.ircbot.Arabhack
perl.ircbot.BaMbY          perl.ircbot.devil
perl.ircbot.fx29           perl.ircbot.genol
perl.ircbot.karawan        perl.ircbot.oldwolf
perl.ircbot.plasa          perl.ircbot.putr4XtReme
perl.ircbot.rafflesia      perl.ircbot.UberCracker
perl.md5browser.avi        perl.shell.cgitelnet
php.cmdshell.antichat      php.cmdshell.avi
php.cmdshell.aZRaiL        php.cmdshell.c100
php.cmdshell.DxShell       php.cmdshell.h4ntu
php.cmdshell.hackru        php.cmdshell.KAdot
php.cmdshell.lama          php.cmdshell.Macker
php.cmdshell.mic22         php.cmdshell.myshell
php.cmdshell.NCC           php.cmdshell.r3v3ng4ns
php.cmdshell.r57           php.cmdshell.s72
php.cmdshell.Safe0ver      php.cmdshell.SimShell
php.cmdshell.SRCrew        php.cmdshell.Storm7
php.cmdshell.unclassed     php.cmdshell.winx
php.cmdshell.wls           php.cmdshell.xakep
php.cmdshell.ZaCo          php.cpcrack.Aria
php.exe.globals            php.include.remote
php.ircbot.NewLive         php.mailer.DALLAS
php.mailer.unclassed       php.mailer.YoUngEST
php.nested.base64          php.pktflood.unclassed
php.rshell.0wned           web.malware.unclassed

The other side: who uses rfxn.com projects?

In one of my usual A.D.D. moments I decided to aggregate some data on project downloads and daily update queries to the rfxn.com server, to get a picture of who exactly is using the projects. Although this information is not terribly important, I do find it interesting. I need to stress that none of the listed organizations, agencies or businesses in any way endorse, sponsor or represent the opinions expressed on this site; they are simply users of my projects. That said, let's have a look at who uses the projects.

The basics:
1,808 Unique Networks across 117 Countries

Top 10 Usage Networks:
GNAX – Global Net Access
Hetzner Online
Waveform Technology
LEASEWEB
OVH
LIGHTPOINT COLOCATION & HOSTING
SoftLayer Technologies
MZIMA – Mzima Networks
CORPCOLO – Corporate Colocation
ThePlanet Internet Services

Top 10 Institutions of Higher Learning:
Columbia University
University of California at Berkeley
University of Maryland
Stanford University
York University
Washington University
University of Iowa
University of Puerto Rico
University of Alaska
University of Western Australia

Top Federal & Governmental Agencies:
State of Minnesota
Lafayette Consolidated Government
United States Coast Guard
Federal Aviation Administration

Top Corporations:
Yahoo (Bangalore Network Monitoring Center)
Yahoo (China Datacenter)
Microsoft Corp
Sun Microsystems
Google Inc
Cisco Systems
Bell Canada
Internap Network Services
IBM New Zealand

Top 15 Countries:
United States
Brazil
United Kingdom
Russian Federation
Netherlands
Canada
Germany
Australia
Turkey
Poland
Thailand
Romania
France
Japan
Switzerland

Projects: The personal costs

When you do open source development, especially as an independent developer, there is a constant struggle to balance work and personal obligations. As any open source developer will tell you, 99% of the time the projects we develop fall strictly into the realm of personal time, no matter how much they may apply to our field of work. It is difficult to justify the time required to maintain one, let alone a series of, active projects when you also work a full-time job while trying to have some semblance of a life.

So, when you are faced with something you are truly passionate about that constantly rubs up against the barrier of your job and ever more limited personal time, you start to question, or more importantly look for change in, how you manage that passion. That is what I am currently faced with: the projects at the moment consume an increasing amount of my personal time on evenings and weekends — which has been the case for a long time — but recently, priorities and life have changed such that I can no longer allow that to continue. I have managed these projects for almost 8 years, which I would not change for anything; I have and still do love working on them. However, the time has come that I need to start setting measurable, tangible goals on the cost of maintaining these projects, which will allow me, permitting donations or sponsors, to create dedicated time within my work week to manage the projects with focus strictly on them.

That said, I am seeking about $1,000 USD per month in donations or month-to-month sponsorships (all sponsors will be duly pimped out on the site with a widget and on each project page); at the moment donations only average about $50-200 per month, varying widely month-to-month towards the lower end. How did I come up with this amount? Well, it is simply a goal, a target, that reflects the amount of time I spend on the projects per month (about 60hrs) and what I believe would allow me to take time out of other areas of my life to dedicate that amount of time consistently every month. This would make continuing to work on the projects much easier on me personally, easier on those in my life and easier on me occupationally/financially.

There is a donation tracker widget now on the right sidebar of the site; it simply uses PayPal as the checkout process, and the tracker will reset every 30 days. If you are interested in becoming a regular contributor or sponsor, please email me at ryan at rfxn.com to discuss it. Thank you in advance for your understanding.

Bot Networks: Jacking the Jackers

One of the more interesting parts of my malware hunting routine is when I notice new command & control hubs for bot networks in the source of ircbot malware content. I am not the type to just look and not play; I always dive into these networks and poke around. Where it gets really fun is when the attackers get lazy, thinking they are untouchable, and leave their IRC networks open with a series of simple administrator nicknames that can be used to control the bots on the network.

So, what I sometimes do is sign into these IRC networks, monitor & log them for a little while for abuse reporting purposes to the network hosting them, then I literally jack the network from under the attacker and make every single bot exit by telling all the bots to e.g. “killall -9 perl”, which terminates the bot program. Some of the rage from these little kiddies is obscenely retarded, but at the same time it is incredibly fun to watch prepubescent teens get mad over shit they should rightly be tossed into jail for.

Now, on occasion, this does backfire on me; I have had my home internet DDoSed to death more than a few times, to the point where I had to unplug my cable modem for hours to let the DHCP IP release and renew as a new one. It is still worth it and incredibly fun to ruin these kiddies' week or month, with all the hard work they put into these bot networks amassing hundreds upon hundreds of zombies. Just as fun is when the kiddies think they've got you all figured out and have locked the bot network down, and you get a reply from a network administrator over at the company you sent an abuse email to telling you they are looking into the matter, then minutes later the network goes tits up because the server hosting it was shut down 🙂

Yup, that was my story time for the day. I will try to post some of the funnier bits from network take downs shortly; I will also be putting up some C&C stats in the soon-to-be-released threat statistics section. That's it for now, kthxbye!