Crackers subvert servers to map Web weak spots

In a giant leap for attack technology, crackers, possibly from Russia, are mapping the Internet.

In the process, they are pinging a massive number of proxy ports, possibly in search of user names, passwords, proxy service information, vulnerabilities and other rich data that could be used to launch large-scale attacks on government and corporate sites. The attack uses a Trojan horse (hidden code) to dupe victim machines running Windows programs into probing other servers connected to the Internet and sending the information back to a main server in Russia. So far, 1,000 victims of the Trojan horse have been discovered by members of the Bethesda, Md.-based System Administration, Networking and Security Institute (SANS) – a cooperative research and education group with 62,000 members.

The Trojan horse, dubbed Ring0 or RingZero, was first detected Sept. 19, when a faculty member at SANS detected a scan on his home cable modem to ports 80, 8080 and 3128.

All of these TCP/IP ports are used for proxy services – usually firewall services that protect internal networks from being mapped, by changing IP addresses as corporate users are connected to the Internet. Because there are well over 65,000 ports available to TCP/IP, poorly-configured proxy servers could be exploited to give up sensitive user identifications and passwords.

The Shadow Intrusion Detection Team at the Naval Surface Warfare Center in Dahlgren, Va., joined with SANS to find the source of the attack. Program manager John Green found that the port scans were coming from 500 separate machines. A mailing to SANS’ 62,000 members turned up 300 who said they had been scanned on the same ports.

One SANS member found the program (Ring0.vxd) in his Windows directory and e-mailed it to Green. (Ring0 represents the highest-level kernel access, which enables complete control of the victim machine.)

Russian Server

Green presented RingZero recently at the SANS Network Security 99 conference in New Orleans, where some 50 pizza-fuelled SANS members stayed up until 2 a.m. one night unleashing the program in a controlled networked environment.

The group traced the program through the Internet as it sped off to deliver the information to a server in Russia that is no longer on-line.

“What we found was a quantum leap in attack technology. This was a large-scale, indiscriminate mapping of the Internet and connected servers,” Green explained. “The program looked like it would generate about 20 random IP addresses, all on port 80, then on 8080, then on 3128. It was sequential. It would pause, like it was generating another list of random IPs, then it would go again. And it went on and on and on.”

To date, automated port scanning has been conducted by individual or cooperative machines that don’t have the horsepower to gather the vast amount of information needed to map the entire Internet, let alone the services and vulnerabilities within each connected machine. But the distributed nature of this attack, along with the program’s ability to randomly generate IP addresses, has the security community worried.
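The scan pattern Green describes (a batch of addresses probed on port 80, then 8080, then 3128, repeated after a pause) can be looked for in outbound connection logs. The following is an added detection sketch, not code from SANS or from the article; the log format, the `MIN_BATCH` threshold, the function names and all addresses are constructed assumptions.

```python
from collections import defaultdict
from itertools import groupby

PROXY_PORTS = (80, 8080, 3128)  # port order reported for the scan
MIN_BATCH = 10  # assumed threshold; the article reports "about 20" addresses per batch

def port_runs(events):
    """Collapse one source's (ts, dst, port) events into time-ordered (port, distinct_dsts) runs."""
    runs = []
    for port, grp in groupby(sorted(events), key=lambda e: e[2]):
        runs.append((port, len({dst for _, dst, _ in grp})))
    return runs

def find_sweepers(lines, min_batch=MIN_BATCH):
    """Return {src: cycles} for sources that sweep 80 -> 8080 -> 3128 in batches."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = line.split()  # constructed format: epoch src dst dport
        if int(port) in PROXY_PORTS:  # ignore unrelated traffic so it cannot split a run
            by_src[src].append((float(ts), dst, int(port)))
    hits = {}
    for src, events in by_src.items():
        runs = port_runs(events)
        cycles = sum(
            1
            for i in range(len(runs) - 2)
            if tuple(p for p, _ in runs[i:i + 3]) == PROXY_PORTS
            and all(n >= min_batch for _, n in runs[i:i + 3])
        )
        if cycles:
            hits[src] = cycles
    return hits

def sample_log():
    """Constructed outbound-connection log: one sweeping host, two ordinary ones."""
    lines, t = [], 0
    for cycle in range(2):  # 10.0.0.5: two cycles of 20 addresses per port
        batch = [f"198.51.100.{cycle * 20 + i + 1}" for i in range(20)]
        for port in PROXY_PORTS:
            for dst in batch:
                t += 1
                lines.append(f"{t} 10.0.0.5 {dst} {port}")
        t += 30  # pause between batches, as described
    for i in range(25):  # 10.0.0.7: many destinations, but port 80 only
        lines.append(f"{i + 2} 10.0.0.7 203.0.113.{i + 1} 80")
    for i, port in enumerate([80, 8080, 80, 8080, 3128]):  # 10.0.0.9: a handful of sites
        lines.append(f"{i * 40} 10.0.0.9 203.0.113.200 {port}")
    return lines

if __name__ == "__main__":
    print(find_sweepers(sample_log()))
```

Only the host that repeats the full three-port sweep is reported; the port-80-only host and the host that touches all three ports against a single destination are not.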

“There are entire entities out there trying to bring shape and form to the Internet. For what purpose, no one knows. But this event will force the community to move the feasibility line into what we thought wasn’t yet possible,” said Chris Williams, security research manager at Network Associates Inc. in San Jose.

There are some intriguing loose ends that SANS is still trying to tie up. For example, there’s an encrypted data file in the Trojan horse (its.dat) that Green thinks could reconfigure the crack (such as rerouting data to different repositories should one go off-line) under specified circumstances.

And then there’s the question of what exactly the attacker is after. Some suspect that the attacker is looking for user IDs and passwords flowing into and out of the proxy ports.

Others have suggested that the attacker is mapping vulnerable ports for future exploitation. Green has conjectured that crackers, knowing which proxy ports are vulnerable, could simply route their attacks through these ports to mask their own identities.

Users Beware

RingZero once again reinforces the need to teach users not to run untrusted executables, either off the Web or from e-mail. In addition, users should be diligent in their port protections and close ports that aren’t in use.

And if you see Ring0 and its extensions (ips.exe, pst.exe or its.dat) in the Windows system directory, it’s too late. You’re already sending information to the mother ship, wherever that is.