When the Hackers Hack Back

Published: 2008-10-10
Last Updated: 2008-10-11 01:59:46 UTC
by Marcus Sachs (Version: 3)
2 comment(s)

Richard, one of our readers, sent us a very interesting note today.  He was investigating a network in Germany that was known to be a source of evil, and decided to launch an nmap scan as an exploratory measure.  We do not advocate scanning somebody else's network, even if you find that the other network is irritating and dysfunctional.  It is better to work with that network's upstream ISP to see if they can assist in taming the out-of-control network owners.

Here are Richard's comments.  Do not try this from your own corporate network.  The results may be hazardous to your job.

On the evening of October 7th, I Nmapped a /24 out of Germany that was a known source of malware and general nefarious activities. I saw the usual ports open, 22, 53, 80, on most of the machines I scanned.
After the scan had stopped I closed the command prompt and began to read some late night email. I just happened to glance at my router and saw the receive lights were almost solid green. I opened my web browser and tried to get out to the public network and could not. I suspected something was happening, and it was.
The machines I had scanned were launching a DDoS against my IP address and had basically shut me off from the rest of the world. I turned the interface down and went to bed thinking it might clear up after a while.
I checked at 3:00 am and 5:30 am, and the attack was still on.
I logged into my router to look at some logs and could see that the machines were still pumping junk down the wire, so I called my upstream and they were of no help at all. It took two hours on the phone before I realized that they were not going to be able to help me, so here is what I did:
Thinking that whoever wrote the [attack] script was bright enough to include resource conservation into their code, I figured if I removed all physical connection to the ISP at my house, the script would eventually sense that there no longer was a live host at the other end and it would stop. I wish I had tried this first instead of wasting my time on the phone with my useless ISP. It worked, and we were back up after about ten minutes of being uncabled.
Just to make sure I was correct I went through a second run of this and the exact same thing happened. From this I have learned two things: have a good relationship with your upstreams, and be careful what you do late at night.


Reader Neal sent us some technical tips on how he gets around the problem Richard pointed out above.

After I scan something, or if I suspect I gave out my IP address to someone hostile (email, IRC, etc.), then I immediately change my address BEFORE they have a chance to scan back.

There are a couple of different ways to change your IP address...

Modem: hang up and call back. If your ISP has a phone pool, then you're hopefully on a new address. (Then again, hopefully you're not scanning some /24 from a modem...)

Cable modem: I love this -- the networked DHCP address is actually NOT tied to your account. Your cable modem has a MAC address and non-routable DHCP address that is tied to your account. All you need to do is change your routable network address:

1. Login to your external firewall (you do have an external firewall, like a Linksys or Dlink, right?).  Change the WAN MAC address.  However, do NOT commit the change yet!  If you reset it now, then you will be unable to connect to your cable modem...

2. Login to your cable modem and click on the reboot/restart button. This causes it to forget the firewall's MAC address.

3. While the cable modem is shutting down/rebooting, commit the new WAN MAC address to your firewall.

When the cable modem comes up, it will learn the new WAN MAC address from your firewall. This new MAC address will be assigned a new, routable IP address from the cable modem ISP.  You now have a totally new external IP address.  Total offline time should be around 15 seconds.  (I've got it scripted!)

DSL modem: I don't have one, but I'm told it is a similar approach to cable modems or telephone modems (depending on your ISP).

If you have a T1 or T3 or static IP address?  You're screwed.  I recommend playing from a cable modem or DSL where you can change your address.


Reader Melvin sent us these comments:

The local DSL-providers require customers to "register" their MAC-address (either over the telephone, or over the web), in order to limit their customers to the agreed-upon "two" IP-addresses for a "residential" account, i.e., two computers, or your main computer and a "spare".

So, if you want to change your IP-address, you first have to tell the DSL-provider what the "new" IP-address will be.
Then, execute the NMAP from your current IP-address, and then login to your hardware firewall appliance, and change its "WAN" MAC-address to the "new" value, and restart the appliance. The DSL modem does not need to be restarted.

However, the local TELCO also offers an "all-in-one" appliance: wireless-G router, hardware firewall, and 4-port wired router, as an incentive to new customers.  It's much more difficult to change the MAC-address on that appliance.

Heaven help anybody (on dial-up or not) who is the next person to be assigned your "old" IP-address that is being attacked by the "hack-back" people -- you've screwed their network-connectivity, for a while.

Marcus H. Sachs
Director, SANS Internet Storm Center


World Bank Cyber Intrusions

Published: 2008-10-10
Last Updated: 2008-10-10 20:27:54 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Several readers wrote us today pointing out the Fox News story about cyber attacks against the World Bank.  There are a lot of details in the Fox News report, but no other independent confirmation of the story.  A recent update to the online story says this:

UPDATE: After FOX News published its story, a World Bank spokesman issued the following statement:

"The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

"Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."

If you are aware of any other reports (not based on or pointing to the original Fox News story) please let us know via our contact page.

Marcus Sachs
Director, SANS Internet Storm Center


Fake Microsoft Update Email

Published: 2008-10-10
Last Updated: 2008-10-10 12:44:54 UTC
by Marcus Sachs (Version: 1)
2 comment(s)

Several readers have alerted us to a fake Microsoft email circulating with a malicious attachment.  If you are blocking executables at your email servers, there should not be a problem.  The email looks like this, but might vary a bit:

Subject:        Security Update for OS Microsoft Windows
From:           "Microsoft Official Update Center" <securityassurance@microsoft.com>

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS
Microsoft Windows. The update applies to the following OS versions: Microsoft
Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows
XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In
order to help protect your computer against security threats and performance
problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website
http://www.microsoft.com would have result in efficient creation of a malicious
software, we made a decision to issue an experimental private version of an update
for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you
have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS
you have an indication to run all the updates at a background routine. In that case,
at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Version: PGP 7.1


Notice the legitimate signature block and PGP signature.  Sorry, Steve, I guess you are a popular guy!
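The diary's advice is to block executables at the mail server.  The following is an added example (not code from the ISC diary) of the check a mail gateway would apply: it parses a message, walks its attachments, and flags any whose declared filename or decoded payload looks like a Windows program.  The message it builds is a constructed lookalike of the fake update mail above; the attachment is a stub beginning with the PE magic bytes, not a real binary, and the recipient address is made up.

```python
"""Flag mail messages that carry an executable attachment.

Added example, not code from the ISC diary.  The sample message is
constructed here; its 'attachment' is a 64-byte stub that only starts
with the DOS/PE magic 'MZ', not a real program.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when a user "runs the file".
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".msi"}
# Every Windows PE executable begins with the DOS header magic 'MZ'.
PE_MAGIC = b"MZ"


def build_sample_message(filename="update.exe", payload=None) -> bytes:
    """Construct a lookalike of the fake 'Security Update' mail.

    By default the attachment is a PE stub named update.exe; callers can
    rename it or swap in a harmless payload to exercise the detector."""
    if payload is None:
        payload = PE_MAGIC + b"\x00" * 62  # constructed stub, not a binary
    msg = EmailMessage()
    msg["Subject"] = "Security Update for OS Microsoft Windows"
    msg["From"] = '"Microsoft Official Update Center" <securityassurance@microsoft.com>'
    msg["To"] = "user@example.net"  # constructed recipient
    msg.set_content("Please run the file that you have received along "
                    "with this message.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def executable_attachments(raw: bytes) -> list:
    """Return (filename, reason) for every attachment that looks executable.

    Two independent signals are checked: the declared filename extension
    and the magic bytes of the decoded payload.  Checking the payload
    means renaming update.exe to update.txt does not evade the filter."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        reasons = []
        if ext in EXEC_EXTENSIONS:
            reasons.append(f"extension {ext}")
        if data[:2] == PE_MAGIC:
            reasons.append("PE magic 'MZ'")
        if reasons:
            hits.append((name, ", ".join(reasons)))
    return hits


def should_block(raw: bytes) -> bool:
    """Gateway decision: reject the message if any attachment is executable."""
    return bool(executable_attachments(raw))


if __name__ == "__main__":
    for fn, pl in [("update.exe", None),
                   ("update.txt", None),
                   ("notes.txt", b"just text")]:
        raw = build_sample_message(fn, pl)
        print(fn, "->", "BLOCK" if should_block(raw) else "pass",
              executable_attachments(raw))
```

The extension list is the usual gateway blocklist, but it is the magic-byte check that catches the common evasion of renaming the file; a gateway that only looks at the filename would deliver the renamed stub.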

Marcus H. Sachs
Director, SANS Internet Storm Center

Day 10 - Identification: Using Your Help Desk to Identify Security Incidents

Published: 2008-10-10
Last Updated: 2008-10-10 02:03:10 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

For the tenth day of Cyber Security Awareness Month we remind our readers that one of the best ways to identify problems in your network is to let your employee or customer help desk be the equivalent of a "human intrusion detection system".  When they get more than two or three calls about the same problem, the help desk should be notifying the security team about what is going on.  It might not be an incident that needs handling, but it's definitely an event that deserves watching.

Do you have a good relationship with your help desk staff?  Do you include them in your security planning and preparation, especially as potential sources of information about the security posture of your networks?  What steps have you taken to train your organization's help desk to recognize emerging security incidents?
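As an added example (not code from the ISC diary), here is one way to turn the "human intrusion detection system" rule into something a help-desk ticketing export can feed: tickets are grouped by a normalised symptom, and an event is raised for the security team the first time three or more distinct callers report the same symptom within an hour.  The tickets, caller names and timestamps below are constructed for the example; the threshold and window are the assumptions the text leaves open ("more than two or three calls").

```python
"""Escalate repeated help-desk calls about the same problem.

Added example, not code from the ISC diary.  Ticket records below are
constructed; a real deployment would read them from the ticketing system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample tickets: (timestamp, caller, free-text symptom)
TICKETS = [
    ("2008-10-10 08:02", "alice", "Outlook says my mailbox is locked?"),
    ("2008-10-10 08:05", "bob",   "PC rebooting every few minutes!"),
    ("2008-10-10 08:11", "carol", "pc  Rebooting every few minutes"),
    ("2008-10-10 08:20", "dave",  "My PC is rebooting every few minutes..."),
    ("2008-10-10 08:31", "erin",  "Printer on 3rd floor is out of toner"),
    ("2008-10-10 11:55", "frank", "PC rebooting every few minutes"),
]

FILLER = {"my", "is", "the", "a", "an", "says"}


def normalise(symptom: str) -> str:
    """Collapse case, punctuation and filler words so near-identical
    descriptions of one problem map to the same key."""
    words = re.findall(r"[a-z0-9]+", symptom.lower())
    return " ".join(w for w in words if w not in FILLER)


def correlate(tickets, threshold=3, window=timedelta(hours=1)):
    """Return one event per symptom that `threshold` distinct callers
    reported inside `window`.

    Tickets are processed in order; for each one the earlier tickets with
    the same normalised symptom are checked, and the event fires at the
    ticket that first brings the distinct-caller count to the threshold.
    Later waves of the same symptom do not re-fire once escalated."""
    history = defaultdict(list)   # symptom -> [(time, caller)]
    escalated = set()
    events = []
    for ts, caller, text in tickets:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        key = normalise(text)
        history[key].append((t, caller))
        # Distinct callers for this symptom inside the sliding window.
        recent = {c for (t0, c) in history[key] if t - t0 <= window}
        if len(recent) >= threshold and key not in escalated:
            escalated.add(key)
            events.append({"symptom": key,
                           "callers": sorted(recent),
                           "escalated_at": ts})
    return events


if __name__ == "__main__":
    for ev in correlate(TICKETS):
        print(f"{ev['escalated_at']}: notify security team: "
              f"'{ev['symptom']}' reported by {', '.join(ev['callers'])}")
```

With the sample data the single-caller mailbox and printer tickets stay quiet, the three "rebooting" calls between 08:05 and 08:20 produce one escalation, and Frank's report at 11:55 does not re-fire because the symptom was already escalated.  Counting distinct callers rather than raw tickets keeps one persistent user from tripping the threshold alone.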

Send us your ideas and comments via our contact form and we'll add them to this diary throughout the day.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: Awareness2008
