ISC Update: LAND Attacks and new Malware

Thread: ISC Update: LAND Attacks and new Malware

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252

    ISC Update: LAND Attacks and new Malware

    Hello all-

    Just checking out the SANS ISC and saw a few things we should know about:

    Link: http://isc.sans.org/

    Story so far:
    MS05-051 (MSDTC) Malware / Port 1025 (NEW)
    Published: 2005-12-15,
    Last Updated: 2005-12-15 16:04:03 UTC by Daniel Wesemann (Version: 1)

    A blog entry over at F-Secure mentions a new piece of malware dubbed "Dasher.A" that is trying to exploit the MS05-051 aka MSDTC vulnerability. The spreading mechanism seems to be very unreliable, but likely explains the surge in Port 1025 traffic we've seen recently. The captured packets look a lot like what the MS05-051 POC exploit posted at FrSIRT.com would cause. [Thanks to Juha-Matti and David for reporting this.]

    Update 15:27 UTC: Georg Wicherski from the German Honeynet Project has successfully captured the full exploit, including payload, on one of these tcp/1025 attacks. The payload will be called Dasher.B by F-Secure - and unlike the .A variant, this one does work, and drops a keylogger. Georg is planning to update mwcollect with MS05-051 detection and capture code over the next days.



    LAND attacks against network devices (NEW)
    Published: 2005-12-15,
    Last Updated: 2005-12-15 13:56:26 UTC by Daniel Wesemann (Version: 1)

    A "LAND" attack involves IP packets where the source and destination address are set to address the same device. Older variants, as reported earlier (http://isc.sans.org/diary.php?date=2005-03-07), rely on the source address being spoofed to the same value as the destination IP. A recent post to Bugtraq came up with a new twist: LAND attacks against routers and perimeter devices, addressed to the outside interface and with the source spoofed to the inside interface. Rumour has it that these attacks are easily conducted and surprisingly "successful". The defense, though, is just as simple: Packets with spoofed source addresses have no business entering your perimeter networks. If you have not yet applied ingress filtering on the outermost devices of your internet connection that you have control over, now is a good time to do so. RFC 2827 and RFC 3704 are good sources of information on ingress filtering and Reverse Path Forwarding. And while you're at it updating your filters, don't forget to apply outbound spoofing filters as well - see this paper in the SANS Reading Room for details.



    SANS Internet Storm Center.
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I just wanted to append this to genXer's mention of the "revised" Land attack... or the Remote Land Attack (RLA) as I've seen it referred to..

    Here's the content of a document that was released on the subject.. There are parts of it I'd have to question (for example... that XP is vulnerable... I never heard of the resurface that Wikipedia is describing so I may just be out of the loop)... Anyways... I've got a few of those devices kicking around so I'm tempted to do some testing of my own to see the results.. The SANS ISC article saying that you should have ingress filtering applied is making it sound like this only affects large corporations... What about the 1000s if not Millions of small businesses that rely on these simple home networking routers...

    A worm using the current MS vulns or email or user stupidity to spread that besides sending itself out hits your entire subnet repeatedly with this attack could wind up being a very dangerous thing.. A loss of service for many small businesses can mean going out of business... Email has become a crutch for these people and with no internet there's no email... If it's happening repeatedly.... well the word 'screwed' comes to mind.

    Source: http://www.teamtrinix.com/exploits/rla/RLA.htm
    RLA
    ("Remote LanD Attack")
    2005


    As discovered by:
    Justin M. Wray
    (jayizkool@gmail.com)


    Devices/Vendors Vulnerable:
    - Microsoft Windows XP, SP1 and SP2
    - Linksys Routers
    - Westell Routers/Modems
    - Motorola Modems/Routers
    - Cisco Firewalls, Switches, and Routers
    - DSL Modems
    - Cable Modems
    - Consumer Routers
    - All Central Connectivity Devices (any manufacturer)

    Devices/Vendors Tested:
    - Linksys BEFW11S4
    - Linksys WRT54GS
    - Westell Versalink 327W (Verizon Modem)
    - Cisco Catalyst Series (Multiple)
    - Scientific Atlanta DPX2100 (Comcast Modem)

    Definition:
    A LAND attack is a DoS (Denial of Service) attack that consists of
    sending a special poison spoofed packet to a computer, causing it to
    lock up. The security flaw was first discovered in 1997 by someone using
    the alias "m3lt", and has resurfaced many years later in operating
    systems such as Windows Server 2003 and Windows XP SP2.
    (http://en.wikipedia.org/wiki/LAND_attack)

    Explanation of LanD:
    LanD uses a specially crafted ICMP echo packet which has the same
    source and destination address. The receiving system stalls due to the
    erroneous packet and not having instructions to handle the unique
    packet. In Windows 9x variants, the systems will "blue screen." On
    modern NT variants, the systems will hang for approximately 30 seconds
    with full CPU usage before discarding the packet. With a looped script,
    the attacker can render the system useless. UNIX variants have been
    able to use a firewall rule to drop LanD packets - leaving most systems
    patched.

    Microsoft originally released an initial patch that secured Windows 9x
    variants - causing the exploit to lose popularity and become somewhat
    obscure. Later, when Windows NT variants were released, Microsoft
    neglected to patch the security flaw; this caused Windows XP Service
    Pack 2 to remain susceptible to such an attack. Within the last four
    (4) months, Microsoft has released a patch for Windows NT variants.

    LanD versus Remote LanD:
    LanD was originally introduced in the late 1990s and was very popular
    with educational and business networks. The original LanD attack had to
    be executed internally on the local network - thereby giving rise to the
    name "LanD" (indicating that access has been granted to the local
    premises). However, with a remote attack (Remote LanD), crafting
    special packets and spoofing the destination and source IP addresses
    will cause the attack to be carried out remotely against the central
    connectivity device.

    Exploit / Proof of Concept:
    There is no handwritten code needed to exploit this vulnerability.
    The only requirement is an IP packet creation utility (such as HPing2 or
    IPSorcery). Below are some HPing2 examples:
    Victim's IP Address: 63.24.122.59
    Victim's Router IP Address: 192.168.1.1
    hping2 -A -S -P -U 63.24.122.59 -s 80 -p 80 -a
    192.168.1.1

    Remote LanD Specifications:
    Although the exploit will work without the Ack, Syn, Push, and Urg
    (flags), the device does not seem to shut off without these flags.
    Sending just the LanD part of the packet seems to only create high
    amounts of latency on the victim's end. The spoofed source address must
    be the address of the central connectivity device; although the normal
    default is 192.168.1.1, some manufacturers use different addresses (such
    as 192.168.1.100 or 192.168.0.1). As a result, the IP address should be
    checked prior to initiating any test. Additionally, a broadcast address
    will work for a source address as well, thereby flooding the network
    with responses from all the machines connected to the network. Although
    it will not stall the Central Connectivity Device, it will maximize the
    entire network usage - crippling the network with extremely high
    latency.

    Test Environment:

    - Test One
    - Attacker: hping2 on Comcast Cable connection behind Linksys Router
    - Victim: DSL Modem/Router on Verizon DSL connection

    - Test Two
    - Attacker: hping2 on Comcast Cable connection behind Linksys Router
    - Victim: Linksys Router on Comcast Cable connection

    - Test Three
    - Attacker: hping2 on Comcast connection behind Linksys Router
    - Victim: Comcast Cable Modem

    - Test Four
    - Attacker: hping2 on Comcast connection behind Linksys Router
    - Victim: Cisco Router on T1 connection

    - Test Five
    - Attacker: hping2 on Comcast connection behind Linksys Router
    - Victim: Cisco Pix Firewall, on T1 connection

    Test Results:

    Test One:
    Connection Latency - followed by the modem physically turning off.
    Time elapsed: approximately 10 seconds (from beginning of packet
    flooding to complete shutdown).

    Test Two:
    Connection Latency, router reset, then connection lost. Reset needed
    before router would communicate online again.

    Test Three:
    Modem lights flickered; the modem lost connection and sat with the Data
    light completely out.

    Test Four:
    Router lost connection to the internet.

    Test Five:
    Firewall lost network connection.

    Conclusion:
    It appears that central connectivity device manufacturers need to
    release firmware updates and/or patches to protect against LanD and
    remote LanD attacks. The LanD attack is no longer simply a local attack
    but has now evolved into having the capability of being launched
    remotely.

    Acknowledgements:
    - Casey O'Brien, M.S.
    - Assisted with test trials
    - Matthew Wines
    - Assisted with test trials
    - Yvonne M. Wray, M.S.
    - Report editor

    Submitted: 12/14/2005 by Justin M. Wray
    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
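    The ingress and outbound spoofing filters the ISC diary above recommends (RFC 2827), applied to the packet shapes the RLA write-up describes (source equal to destination, source spoofed to the router's inside address or to a broadcast address), written out as a small packet classifier. This is an added example, not code from the ISC, the thread, or the RLA document; the device addresses, prefixes and sample packets are constructed for illustration.

```python
import ipaddress

# Hypothetical edge device (addresses constructed): its own WAN/LAN addresses and the prefix behind it.
DEVICE_ADDRS = {ipaddress.ip_address(a) for a in ("63.24.122.59", "192.168.1.1")}
INSIDE_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]
BOGON_SOURCES = [ipaddress.ip_network(p) for p in
                 ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

def in_any(addr, nets):
    return any(addr in net for net in nets)

def ingress_verdict(iface, src, dst):
    """LAND and RFC 2827 checks for a packet arriving on iface ("outside"=WAN, "inside"=LAN)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == dst:  # classic LAND: source and destination are the same address
        return ("drop", "land: source equals destination")
    if iface == "outside":
        # Remote LAND: an internet packet claiming one of our own addresses (typically the inside one)
        if src in DEVICE_ADDRS:
            return ("drop", "remote-land: source is one of our own addresses")
        # RFC 2827 ingress filtering: inside prefixes (incl. their directed broadcast) never come from outside
        if in_any(src, INSIDE_PREFIXES):
            return ("drop", "spoof: inside prefix arriving on outside interface")
        if in_any(src, BOGON_SOURCES):
            return ("drop", "spoof: unspecified/loopback/multicast/broadcast source")
    elif not in_any(src, INSIDE_PREFIXES):
        # Outbound spoofing filter: hosts behind us may only send from inside addresses.
        return ("drop", "egress-spoof: non-local source leaving the inside network")
    return ("accept", None)

# Constructed sample traffic: remote-LAND shape, classic LAND, directed-broadcast source, outbound spoof, two good flows.
SAMPLE = [
    ("outside", "192.168.1.1", "63.24.122.59"),
    ("outside", "63.24.122.59", "63.24.122.59"),
    ("outside", "192.168.1.255", "63.24.122.59"),
    ("inside", "203.0.113.7", "198.51.100.9"),
    ("outside", "198.51.100.9", "63.24.122.59"),
    ("inside", "192.168.1.20", "198.51.100.9"),
]

def drop_counts(packets=SAMPLE):
    """Tally drops per reason; a sudden spike in one reason is a useful alert signal."""
    counts = {}
    for pkt in packets:
        action, reason = ingress_verdict(*pkt)
        if action == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts
```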

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I got slammed with something yesterday....kinda like a port scan...source was on our ISP's net port 8999...scanning all ports

    My router isn't listed there (phew)...but it sure got hot

    I did contact my ISP while it was happening and sent some of the logs...Lasted about 2.5 hours..

    I did happen to glean it coming from a cisco router though

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I did happen to glean it coming from a cisco router though
    How?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I was unable to ping or tracert...so I typed in the ip into explorer and got a response from it...which I then googled.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ahh... Good girl/lady/woman... (perm any 1 from 3 as needed)

    I'm glad you didn't say you IDed it from its MAC address.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Most of this stuff is WAY over my head tiger....

    That's why I hang out here...still learning



    Too old to be a girl

    Misbehave too much to be a lady

    ......woman it will have to be....or watery tart

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Had you IDed it from the MAC address you would have simply IDed your own router. The MAC address in a packet reflects the MAC address of the last device the packet passed through and therefore changes numerous times during its trip across the internet.

    Misbehave too much to be a lady
    Now that's my kind of watery tart.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    See I didn't know that...learn something new everyday

    But something was going on so I monitored the best I could

    By trying to connect to it I got the response with the device ID and software version when my request was rejected....which I also forwarded to the ISP.

    Wish I had more time for this security stuff...it is my passion

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's all pretty simple really.....

    It has to be or I couldn't do it......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
