Network Security
Re: SANS FLASH: New Trojan Sending Data To Russia
- From: Dan Zegarac
- Date: Mon Jul 31 16:48:35 2000
Jim,
The original message was an FYI. Merit is still looking into this threat
and trying to evaluate it. It is possible something would be put on the
border routers (not the affiliate routers).
At present you cannot get to the Russian host from MichNet. It is being
blocked somewhere (possibly by one or all of Merit's providers) or it has
been taken off-line. Since nothing has come out of CERT or CIAC (the
Department of Energy response center), we do not know if this is a
widespread attack or a limited incident. We also have little information on
the port or ports being used, protocols, tools (what does the client have
to download, etc.).
The kinds of sites that should be most concerned with this type of message
are research facilities and commercial organizations. All of these sites
should have some type of firewall or other security in place to protect
against this type of attack.
If Wayne County RESA or any other Merit affiliate came under attack, Merit
would definitely put filters in place to prevent it. There is just too
little information at present and too many routers to do this right now.
- - Dan
At 11:22 AM 7/31/00 -0400, you wrote:
>Is Merit blocking this for us??
>
>>>> Dan Zegarac <zegarac@merit.edu> 7/31/00 10:34:18 AM >>>
>>Delivered-To: zegarac@home.merit.edu
>>Delivered-To: zegarac@merit.edu
>>Date: Fri, 28 Jul 2000 16:40:41 -0600 (MDT)
>>From: The SANS Institute <sans@sans.org>
>>Subject: SANS FLASH: New Trojan Sending Data To Russia
>>To: Dan Zegarac <zegarac@merit.edu>
>>
>>SANS Flash Report: Trojans Sending More Data To Russia
>>July 28, 2000, 6:20 pm, EDT
>>
>>This is preliminary information. The GIAC (Global Incident
>>Analysis Center) has received several submissions showing large
>>amounts of data being sent, illegitimately, from Windows 98
>>machines to a Russian IP address (194.87.6.X). The cause is most
>>probably a Trojan, but whatever it is, it is moving fast.
>>
>>What should you do?
>>
>>1. All sites should block network traffic from or to 194.87.6.X
>>2. If you see outgoing traffic from one of your machines to that
>>address, you should pull it from the network until anti-virus
>>signatures are available.
>>
>>This activity has been going on for a few days, but the
>>correlations are just coming in. If you have information to
>>share, please send it to intrusion@sans.org.
>>
>>The remainder of this message is fairly technical and meant to
>>help system administrators and firewall administrators protect
>>their systems.
>>
>>Thank you!
>>
>>Stephen Northcutt, Director Global Incident Analysis Center
>>The SANS Institute
>>
>>> From SANS GIAC Report 00/07/28
>>>(dhoelzer)
>>> This one came in at about 20:16 on July 26. The 194.87.6.201
>>machine interestingly enough, resolves back to .ru. There is
>>no other traffic to or from this network (194.87.6.X) for the
>>last two months of live data that I have online. It's hard to
>>make a guess on this one. Perhaps the machine that recorded
>>this is on a proxy list somewhere, but then, this machine is a
>>brand new honeypot on an IP address that hasn't been populated
>>for at least 7 years, and has never been used as a proxy server.
>>If this is just a random stab, it's interesting that there is
>>no record of any network mapping from this network/host.
>>Perhaps there was some coordinated mapping here, or perhaps
>>there is someone out there who has mapped us already who was
>>willing to share (or moved to a new network).
>>>
>>> bash# cat 8080
>>> Initializing server socket...Binding to port 8080...Done.
>>> Starting listener...Listening.
>>> Connection from: 194.87.6.201
>>> 0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
>>> 16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
>>> 32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
>>> 48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
>>> 64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
>>> 80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
>>> 96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
>>> 112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
>>> +-------------------------------------------------
>>> 0| G E T h t t p : / / w w w . c
>>> 16| o m m i s s i o n - j u n c t i
>>> 32| o n . c o m / H T T P / 1 . 1
>>> 48| . . H o s t : w w w . c o m m
>>> 64| i s s i o n - j u n c t i o n .
>>> 80| c o m . . A c c e p t : * / *
>>> 96| . . P r a g m a : n o - c a c
>>> 112| h e . . U s e r - A g e n t :
>>> 128| M o z i l l a / 4 . 0 ( c o m
>>> 144| p a t i b l e ; M S I E 4 .
>>> 160| 0 1 ; W i n d o w s 9 8 ) .
>>> 176| . . .
>>> +-------------------------------------------------
>>> 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
>>> Connection Terminated
>>> bash# nslookup 194.87.6.201
>>> Server: midgaard.smsc.com
>>> Address: 170.129.53.52
>>> Name: 201.6.87.194.dynamic.dol.ru
>>> Address: 194.87.6.201
>>
>>+++
>>Correlation to Laurie's post to GIAC Report 00/07/28,
>>(http://www.sans.org/y2k/072800.htm):
>>
>>> (Laurie@.edu)
>>>
>>> =-=-=-=-=-=-=-=-=-=-=
>>>
>>> 194.87.6.201 == 201.6.87.194.dynamic.dol.ru
>>>
>>> RU-DEMOS-940901
>>>
>>> Included this because of the Russian source address.
>>>
>>> Jul 26 22:26:23 hostka snort[20224]: MISC-WinGate-8080-Attempt: 194.87.6.201:3344 -> a.b.c.32:8080
>>
>>HTTP and WinGate connection attempts from the same `dynamic.dol.ru' domain:
>>
>>Name: 27.6.87.194.dynamic.dol.ru
>>Address: 194.87.6.27
>>
>>Jul 27 19:30:08 foo /kernel: Connection attempt to TCP a.b.c.8:80 from 194.87.6.27:4156
>>
>>Name: 147.6.87.194.dynamic.dol.ru
>>Address: 194.87.6.147
>>
>>[**] WinGate 8080 Attempt [**]
>>07/24-23:04:39.418351 194.87.6.147:3185 -> a.b.c.8:8080
>>TCP TTL:120 TOS:0x0 ID:12966 DF
>>**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
>>TCP Options => MSS: 536 NOP NOP SackOK
>>
>>[**] WinGate 8080 Attempt [**]
>>07/24-23:04:40.502718 194.87.6.147:3185 -> a.b.c.8:8080
>>TCP TTL:120 TOS:0x0 ID:17318 DF
>>**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
>>TCP Options => MSS: 536 NOP NOP SackOK
>>
>>[**] WinGate 8080 Attempt [**]
>>07/24-23:04:41.521379 194.87.6.147:3185 -> a.b.c.8:8080
>>TCP TTL:120 TOS:0x0 ID:27302 DF
>>**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
>>TCP Options => MSS: 536 NOP NOP SackOK
>>
>>
>>The system trace below was found by a ConSeal firewall:
>>2000/07/27 9:15:19 PM GMT -0400: NDC 10/100 Fast E..[0001][No matching rule] Blocking outgoing TCP: src=24.114.my.ip, dst=194.87.6.27, sport=8080, dport=2418.
>>2000/07/27 9:15:22 PM GMT -0400: NDC 10/100 Fast E..[0001][Ref# 181] Blocking incoming connection attempt: src=194.87.6.27, local port 8080.
Dan Zegarac | Title: Internet Consultant
Merit Network, Inc. | E-mail: zegarac@merit.edu
4251 Plymouth Road, Suite 2000 | Phone: (734) 936-0304
Ann Arbor, MI 48105-2785 | Fax: (734) 647-3185
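Added example, written for this archive page and not part of the SANS flash, Merit's reply, or any tool named in the thread. It does two things an operator could have done with the evidence above: decode the honeypot's hex dump from port 8080 back into the HTTP request it contains and check whether it has the absolute-URI form an HTTP client sends only when it believes it is talking to a proxy (the form the "WinGate 8080 attempt" alerts in the thread describe), and scan Snort-style "src:port -> dst:port" alert lines for any traffic involving 194.87.6.0/24, separating inbound probes (block at the border) from outbound connections (pull the host, per step 2 of the flash). The hex bytes are copied from the dump on the page; the alert lines and the 192.0.2.0/24 "local" network are constructed samples, and the 194.87.6.0/24 prefix is an assumption drawn from the flash's "194.87.6.X".

```python
"""Decode the port-8080 hex dump from the thread and flag 194.87.6.0/24
traffic in Snort-style alert lines.  Added example; see lead-in."""
import ipaddress
import re

# First eight rows of the honeypot dump, copied from the page (128 bytes).
HEXDUMP = """\
0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
"""

# Assumption: the flash's "194.87.6.X" is read as the /24.
BLOCKED_NET = ipaddress.ip_network("194.87.6.0/24")

# Constructed alert lines in the "src:port -> dst:port" form Snort used on
# the page; 192.0.2.0/24 (RFC 5737) stands in for the obfuscated a.b.c.x.
SAMPLE_ALERTS = [
    "07/24-23:04:39.418351 194.87.6.147:3185 -> 192.0.2.8:8080",
    "07/27-19:30:08.000000 194.87.6.27:4156 -> 192.0.2.8:80",
    "07/27-21:15:19.000000 192.0.2.44:8080 -> 194.87.6.27:2418",
    "07/27-21:16:00.000000 203.0.113.5:53422 -> 192.0.2.8:80",
]
ADDR_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+")


def hexdump_to_bytes(dump):
    """Turn 'offset| xx xx ...' rows back into the raw bytes they show."""
    out = bytearray()
    for row in dump.strip().splitlines():
        _offset, _, hexpart = row.partition("|")
        out.extend(int(h, 16) for h in hexpart.split())
    return bytes(out)


def parse_http_request(payload):
    """Split a (possibly truncated) HTTP request into request line and
    headers.  The page's dump ends mid-header, so the last value may be ''."""
    lines = payload.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for raw in lines[1:]:
        if ":" in raw:
            name, _, value = raw.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def is_proxy_style_request(req):
    """A client talking to the origin server sends 'GET /path'; a client that
    believes it is talking to an HTTP proxy sends the absolute URI
    ('GET http://host/...').  That form arriving on a host that is not a
    proxy is an open-proxy probe, which is what the WinGate alerts cover."""
    return req["target"].lower().startswith(("http://", "https://"))


def flag_blocked_traffic(alerts, local_net=ipaddress.ip_network("192.0.2.0/24")):
    """Return (direction, local_host, remote_host) for each alert involving
    BLOCKED_NET.  'outbound' rows are the machines step 2 of the flash says
    to take off the network; 'inbound' rows are probes to block."""
    hits = []
    for line in alerts:
        m = ADDR_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        if src in BLOCKED_NET and dst in local_net:
            hits.append(("inbound", str(dst), str(src)))
        elif dst in BLOCKED_NET and src in local_net:
            hits.append(("outbound", str(src), str(dst)))
    return hits


if __name__ == "__main__":
    req = parse_http_request(hexdump_to_bytes(HEXDUMP))
    print(req["method"], req["target"], "proxy-style:", is_proxy_style_request(req))
    for direction, local, remote in flag_blocked_traffic(SAMPLE_ALERTS):
        action = "pull host" if direction == "outbound" else "block at border"
        print(f"{direction:8s} local={local:12s} remote={remote:14s} {action}")
```

The decoded request is `GET http://www.commission-junction.com/ HTTP/1.1` with a `Host:` header, so the absolute-URI check fires: whatever the Windows 98 machines in the flash were doing, what the honeypot saw on 8080 is a connection that expected to find a proxy there. The alert scan treats the blocked range symmetrically but reports direction, because the flash asks for two different responses: filter the inbound probes at the border, and isolate any local host that initiates traffic toward 194.87.6.X.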