
UMnet Administration - Hackfinder Information

UMnet Hackfinder Description

ITCom does not monitor network traffic content, but we do log traffic header information—i.e. what's on the "outside of the envelope" (source and destination addresses, source and destination ports, and protocol) as well as the total number of bytes and packets sent in each flow.

We periodically analyze portions of these traffic logs looking for patterns of traffic that are characteristic of various known computer security problems including viruses, worms and "zombie bots". A collection of programs (which we collectively refer to as "Hackfinder") pulls together all of the information on suspicious traffic and automatically notifies the network administrators for the nets from which this traffic originates. Currently Hackfinder runs four times a day, at 07:00, 11:00, 15:00 and 19:00, analyzing the traffic log data for the preceding hour.

In addition, the data are periodically scanned for "high-volume" sources or recipients of traffic, which are often—though not always—caused by "Denial of Service" (DoS) attacks of various sorts. High-volume alerts are checked manually to see if they are false alarms (one user's DoS attack may be another user's Internet2 demo application); those found likely to be real DoS attacks are passed on to the net admins as well.

Hackfinder sends its alerts to each person listed as an administrator of each network on which a suspect machine resides. If the UMnet network information database lists a group as the primary admin then the messages are sent only to that group and not to subsequently listed individuals.

If you receive a Hackfinder alert and believe that you're not the right person to be contacted, please check the UMnet network information database to verify the information we have for the reported network, and send additions/corrections to umnet.admin@umich.edu.

As of 22 March 2004 the HackFinder alerts include the following message:

This message is automatically generated; for more information, see:

http://www.itcom.itd.umich.edu/backbone/umnet/Hackfinder.html

Please do not reply to this message unless you need assistance locating one
of the machines listed below.

I = ICMP traffic to more than 500 non-UM addresses
M = MS File Sharing/WinRPC traffic to more than 500 non-UM addresses
Q = SQL traffic to more than 150 non-UM addresses
S = Excessive SMTP traffic (possible Spam relaying, etc.)
W = Web traffic to more than 500 non-UM addresses
Z = IRC traffic >5% of all small-packet traffic (likely due to a Zombie bot)
* = Repeated address from the previous report

I, M, Q, S, and W alerts are based on traffic within the past hour
Z alerts are based on the most recent 4 hours of traffic

Note that Zombies can be remotely controlled and are often used to
attack others; these machines should be cleaned up immediately.

Hackfinder Signatures

Below are descriptions of several of the "hack" and "attack" signatures that we are looking for. Note, though, that we tune the signatures as we learn more about each type of infection, and new ones are added and old ones are removed as the pool of active malware evolves with time.

ICMP

Many types of worms can propagate directly from computer to computer without human intervention—rather than spreading through e-mail or web pages, they target vulnerabilities in other network services that may be running on a machine, such as file sharing, ftp, etc. Before a machine can be infected it must be found, so many of these worms probe addresses throughout the Internet looking for other machines to infect. The ICMP Echo Request ("ping") is often used for this purpose.

Hackfinder generates an ICMP alert when a machine sends ICMP Echo Requests to more than 500 non-UM IP addresses in a 20-minute period.

NOTE: Due to a firmware bug, we currently can not distinguish between the various ICMP message types; this has resulted in a high false positive rate for 'I' alerts, since inbound port scanning or DoS attack traffic can lead to a large volume of non-ping ICMP traffic (typically ICMP Port Unreachable messages) which can trigger an alarm. At this time we do NOT recommend taking action on 'I' alerts unless there are other indications that the reported machine has been compromised.

SQL

SQL is a database query language; many systems have SQL services turned on, often without the owner's realizing this. The SQLSlammer worm—and probably others—sends SQL queries to random Internet addresses, looking for SQL servers that may be vulnerable to infection. SQLSlammer in particular generates so much of this traffic that a handful of infected machines on campus (when it first hit) were able to knock UM off the Internet for several hours. Other more recent SQL-targeted malware tries some brute-force password cracking but hits fewer machines, hence the lower destination count threshold for SQL alerts.

An SQL alert is generated when a machine sends SQL traffic to more than 150 non-UM IP addresses in a 20-minute period.

Microsoft File Sharing/WinRPC

Lots of worms spread through open shares and other vulnerabilities in Microsoft's Remote Procedure Call protocols. Unless you're obsessive about patching your Windows machines within a few hours of when updates are released, you're likely to have been infected by one of these vulnerabilities. And, as you might expect, infected machines scan the Internet looking for other machines to infect.

MSFS/WinRPC alerts are generated when a machine sends traffic to more than 500 non-UM IP addresses, where the destination port is either 135 (WinRPC), 139 (NetBIOS Session Service) or 445 (MSFS), in a 20-minute period.

Sendmail/SMTP

The Simple Mail Transfer Protocol is used to deliver e-mail between mail servers (not to be confused with IMAP and POP, which deliver mail from servers to clients). Many types of malware propagate through e-mail; others turn an infected machine into an "open relay" so they can be used for sending spam. Infected machines may also scan the Internet looking for other mail servers that they can use to propagate infections and/or spam.

Sendmail alerts are generated when a machine sends traffic to TCP port 25 on more than 100 non-UM IP addresses, or more than 7 flows over 100 KB to non-UM IP addresses, in a 20-minute period.

Web

Web alerts are generated when a machine sends traffic to TCP port 80 on more than 500 non-UM IP addresses and receives replies from fewer than 85% of the targeted addresses. The reply check helps to eliminate (presumably) legitimate peer-to-peer applications which run over port 80; these apps contact large numbers of active machines, whereas a malware-generated scan generally hits random addresses, most of which will not respond.
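As an added illustration (not ITCom's Hackfinder code), the following Python applies the I, Q, M, S and W rules above to one 20-minute window of flow records built from the logged header fields. The campus prefix 192.0.2.0/24, the MS SQL ports 1433/1434, reading a "reply" as a flow back from port 80, and the sample flows (600 pings, a 520-host web probe with 300 answers, 50 mail connections) are assumptions, not values from this page.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
UM_NETS = [ip_network("192.0.2.0/24")]   # constructed stand-in for "UM addresses"
SQL_PORTS = {1433, 1434}                 # assumption: MS SQL ports; the page names none
MSFS_PORTS = {135, 139, 445}             # WinRPC, NetBIOS session, MSFS (from the page)
THRESHOLDS = {"I": 500, "Q": 150, "M": 500, "S": 100}   # distinct non-UM targets
def is_um(ip):
    return any(ip_address(ip) in net for net in UM_NETS)
def hackfinder_codes(flows):
    """Alert codes per source for ONE 20-minute window of flows (dicts with src, dst, proto, sport, dport, bytes)."""
    dsts = defaultdict(lambda: defaultdict(set))   # src -> code -> non-UM targets hit
    big_smtp = defaultdict(int)                    # src -> SMTP flows over 100 KB
    replies = defaultdict(set)                     # prober -> web servers that answered
    for f in flows:
        src, dst, port = f["src"], f["dst"], f["dport"]
        if f["proto"] == "tcp" and f["sport"] == 80:
            replies[dst].add(src)                  # reverse flow: server back to prober
        elif is_um(dst):
            continue                               # only off-campus destinations count
        elif f["proto"] == "icmp":
            dsts[src]["I"].add(dst)
        elif port in SQL_PORTS:
            dsts[src]["Q"].add(dst)
        elif port in MSFS_PORTS:
            dsts[src]["M"].add(dst)
        elif f["proto"] == "tcp" and port == 25:
            dsts[src]["S"].add(dst)
            if f["bytes"] > 100 * 1024:
                big_smtp[src] += 1
        elif f["proto"] == "tcp" and port == 80:
            dsts[src]["W"].add(dst)
    alerts = defaultdict(set)
    for src, per_code in dsts.items():
        for code, limit in THRESHOLDS.items():
            if len(per_code[code]) > limit:
                alerts[src].add(code)
        if big_smtp[src] > 7:                      # second SMTP trigger from the page
            alerts[src].add("S")
        web = per_code["W"]                        # W additionally needs the reply check
        if len(web) > 500 and len(web & replies[src]) / len(web) < 0.85:
            alerts[src].add("W")
    return dict(alerts)
def external(i):   # constructed off-campus address, outside UM_NETS
    return str(ip_address("100.64.0.0") + i)
SAMPLE = (  # constructed window: .10 pings 600 hosts, .20 probes 520 web servers (300 answer), .30 mails 50
    [dict(src="192.0.2.10", dst=external(i), proto="icmp", sport=0, dport=0, bytes=64) for i in range(600)]
    + [dict(src="192.0.2.20", dst=external(i), proto="tcp", sport=40000 + i, dport=80, bytes=120) for i in range(520)]
    + [dict(src=external(i), dst="192.0.2.20", proto="tcp", sport=80, dport=40000 + i, bytes=500) for i in range(300)]
    + [dict(src="192.0.2.30", dst=external(i), proto="tcp", sport=5000 + i, dport=25, bytes=2000) for i in range(50)]
)
```

Running `hackfinder_codes(SAMPLE)` flags .10 with I and .20 with W (only 58% of its targets answered), while .30 stays below both SMTP triggers.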

Zombies

Zombies are a different breed of cat; machines running a zombie bot can be remotely controlled without the owners' knowledge. Zombies are most often used to launch distributed DoS attacks, or as unwitting servers of pornography or pirated movies, etc. Zombies are often controlled using the IRC (Internet Relay Chat) protocol. Since IRC can operate on a variety of ports—which also have legitimate uses—and zombies generally only talk to a small number of controlling machines, the traffic signature of a zombie is quite a bit more complex.

Zombie alerts are generated by traffic which meets the following criteria:

  • The source address is one of the top 500 generators of traffic to the Internet in the previous 4 hours.

  • Traffic to destination ports 6667 and 7000 and having a packet size under 200 bytes constitutes more than 5% of all small-packet traffic from that address. (To eliminate certain traffic specific to AFS servers, traffic where the source and destination ports are 7001/7000 or 7003/7000 are excluded from this count.)

  • Traffic from the top 10 source ports from that address which has a packet size over 1400 bytes constitutes less than 30% of the large-packet traffic from that address.
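The three Zombie criteria above, as an added worked example rather than Hackfinder's own code: it ranks sources by bytes sent, computes the IRC share of small packets with the AFS 7001/7000 and 7003/7000 exclusion, and checks how much large-packet traffic the top 10 source ports account for. Assumptions: the records are already limited to outbound-to-Internet flows, packet size is approximated as bytes/packets per flow, a source with no large packets gets no verdict, and the three sample hosts are constructed.

```python
from collections import Counter, defaultdict
IRC_PORTS = {6667, 7000}                      # destination ports from the page
AFS_EXCLUDED = {(7001, 7000), (7003, 7000)}   # (sport, dport) pairs the page excludes
def zombie_suspects(flows, top_n=500):
    """flows: 4 hours of outbound records (assumed pre-filtered) with src, dst, sport,
    dport, bytes, packets. Packet size is approximated as bytes/packets (assumption)."""
    out_bytes = Counter()                      # src -> bytes sent, for the top-N cut
    small = defaultdict(lambda: [0, 0])        # src -> [IRC small pkts, all small pkts]
    large_by_port = defaultdict(Counter)       # src -> sport -> large pkts
    large_total = Counter()                    # src -> all large pkts
    for f in flows:
        src, size = f["src"], f["bytes"] / f["packets"]
        out_bytes[src] += f["bytes"]
        if size < 200:
            small[src][1] += f["packets"]
            if f["dport"] in IRC_PORTS and (f["sport"], f["dport"]) not in AFS_EXCLUDED:
                small[src][0] += f["packets"]
        elif size > 1400:
            large_by_port[src][f["sport"]] += f["packets"]
            large_total[src] += f["packets"]
    suspects = set()
    for src, _ in out_bytes.most_common(top_n):          # criterion 1: top-N talkers
        irc, all_small = small[src]
        if all_small == 0 or irc / all_small <= 0.05:    # criterion 2: IRC share > 5%
            continue
        if large_total[src] == 0:                        # assumption: no large pkts, no verdict
            continue
        top10 = sum(n for _, n in large_by_port[src].most_common(10))
        if top10 / large_total[src] < 0.30:              # criterion 3: bulk spread over ports
            suspects.add(src)
    return suspects
def mk(src, sport, dport, nbytes, npkts):     # constructed flow record helper
    return dict(src=src, dst="198.51.100.1", sport=sport, dport=dport, bytes=nbytes, packets=npkts)
SAMPLE = (  # constructed 4-hour window with three campus sources
    # bot: 10 of 100 small packets go to IRC; 1500-byte packets leave from 50 source ports
    [mk("192.0.2.10", 40000, 6667, 600, 10), mk("192.0.2.10", 40001, 53, 5400, 90)]
    + [mk("192.0.2.10", 50000 + p, 1234, 15000, 10) for p in range(50)]
    # AFS server: its only small packets are the excluded 7001->7000 traffic
    + [mk("192.0.2.20", 7001, 7000, 6000, 100), mk("192.0.2.20", 7000, 7001, 150000, 100)]
    # web server: same IRC chatter as the bot, but all bulk data leaves from port 80
    + [mk("192.0.2.30", 40002, 6667, 600, 10), mk("192.0.2.30", 40003, 53, 5400, 90),
       mk("192.0.2.30", 80, 40004, 150000, 100)]
)
```

Only the bot satisfies all three tests; the web server passes the IRC share test but its top source port carries 100% of the large packets, and the AFS exclusion leaves the file server with no counted IRC traffic at all.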

Others

There are many other types of compromises that we currently can not detect through traffic analysis. These include such things as guessed/stolen passwords (which allow the bad guys to use normal methods of access—we can't distinguish between legitimate and illegitimate ssh traffic, for example), spyware (which can record your keystrokes and forward them to a third party), or various "back door" programs which will have your machine listening for commands using non-standard ports (which also have legitimate uses). So what we can find is far from complete with respect to the variety of things that are out there to attack you.


For More Information

U-M User Advocate
UM Virus Busters
UMnet Administration Group
umnet.admin@umich.edu

Phone: (734) 647-4200
4251 Plymouth Rd.
Arbor Lakes Building 3, Suite 1400
Ann Arbor, MI 48105-2789