We’ve decided to write an “incident of the month” feature to highlight the unseen work that Janet CSIRT does. These articles won’t feature in depth technical or forensic analysis of the latest threats, but we do hope to provide an insight into how a Incident Response team operates. The recent STRATFOR hack was mentioned in the latest edition of Janet News, and that provides as good a starting point as any.

On Christmas Eve the hacker collective ‘Anonymous’ accessed the web servers of STRATFOR, a Global Intelligence think tank based in Austin Texas, and copied 200 gigabytes of data. The account details of approximately 860,000 subscribers have been compromised following this attack including passwords used by 1,500 Janet users at 200 sites. The account details were quickly uploaded to pastebin.com and other distribution sites. The timing was unfortunate and occurred over Christmas during our reduced working hours. By the time we were able to investigate the original source of data had disappeared.

In early January the data had reappeared in an easier to digest form where anyone could quickly search through the large volume of data to pull out only relevant account details. We were able to extract over 1,500 accounts with e-mail addresses in .ac.uk domains, and began to process them.

Dealing with large incidents that affect hundreds of customers presents a dilemma. Should the entire event be considered as a single incident in our incident handling system, or should each customer be allocated their own incident? Handling the incident per customer allows us to better triage our workload according to the needs and requirements of each customer and so this is the approach we usually opt for. Considering the event to be a single incident is perhaps conceptually tidier and more “correct”, but can quickly become cumbersome.

Automated scripts match the e-mail addresses in the data to specific customers which is not a simple task. Institutions can have long and short form domains, as well as a large number of domains belonging to departments and projects. The script created tickets in our incident handling system and dispatched e-mails containing details of the incident to each customer. As soon as replies started arriving from customers, these incidents are manually handled just like any other. The number of incidents we were handling more than doubled during this period.

By the time the information had reached us, some of the compromised data had already been abused. Since many people reuse passwords across many systems, e-mail accounts were easily accessed. These accounts were quickly secured when we alerted institutions to this risk. Some of the data also contained credit card details. These had been quickly abused and most people had already been notified by their banks of fraudulent transactions. Thankfully most in the majority of cases people just had to have a long hard think about how they chose and use passwords.

Towards the end of last week we started to detect large volumes of suspicious traffic in our netflow data that we now believe to be due to the spread of the W32/Morto worm. Levels of traffic appear to have since declined and we’ve also noticed that the traffic has changed from a static source port of 4935 to a dynamic and random port, making it harder to spot with our netflow tools. Analysis from elsewhere appears to indicate that multiple variants of the worm have been released and this change in behavior could be due to one of these new variants.

The worm itself spreads by attempting a limited number of brute force attempts against the administrative account on your Windows systems using Windows Remote Desktop (RDP). That it spreads widely whilst guessing only a small and limited number of passwords, should be a clear warning that secure passwords are still not widely used.

We recommend that where possible protocols commonly used for remote administration are routinely blocked inbound to your networks. This not only includes RDP but similar protocols such as VNC, X11, telnet and even SSH in some cases. Suitable and usable strong passwords should be used and enforced, and where possible alternatives to the use of passwords for authentication should be considered.

Further information on W32/Morto is available from Microsoft, Sophos, and F-Secure.

Incidents involving compromised iPhones have become a regular occurrence. These compromised systems are  detected using our netflow system when they initiate a particular pattern of SSH probes directed towards T-Mobile’s IP address space. The pattern consists of a small number (less than 200) probes sent to addresses within 178.96.0.0/12.

The compromised systems are all jail-broken, with SSH logins enabled for the uploading of applications to the phone. Unfortunately this process often leaves the system with root logins via SSH enabled, and  crucially a default root password that allows the phone to be easily compromised by an attacker or worm.

If you are using a jail-broken phone, make sure that you change the root password.

Over the last few weeks a number of organizations have reported seeing the arrival of spoofed DNS traffic arriving at their networks. The DNS packets are sent to DNS servers, with the source IP address set to another address from the same subnet as the DNS server. The DNS queries are typically for a A records within a small set of domains and with a constant QueryID.

We are not currently aware of the source or intent behind this traffic, but we recommend that administrators make sure that their networks do not respond to these packets. This can be done by placing anti-spoofing measures at your network border using uRPF or ACLs. You should also make sure that your DNS servers are not acting as open resolvers and refuse recursive queries from external sources.

If you believe you are currently receiving this, or similar, traffic then please report it to us.

Follow Up

After further investigation we believe that we have managed to identify the purpose for this traffic and the organisation that is responsible.

We believe that this traffic is being generated and sent out by a Chinese content distribution network (CDN) in an effort to make their websites more visible. The purpose of the traffic is to seed DNS lookups in DNS servers, as it is often difficult to contact mainland Chinese DNS servers outside of China.
In many cases the spoof traffic is dropped at border routers and firewalls, but in some cases this is not possible and the traffic does reach DNS servers. These servers then accept and cache the requests.

While we believe that the intent of the originators of the traffic is not malicious from their perspective, we also believe that we cannot allow the use of JANET as a conduit in this way because:

• It is unsolicited
• It is using spoofed IP addresses
• The traffic has an impact on resources
• The traffic has the potential to cause unpredictable problems

We will therefore be asking the CDN responsible for this traffic to cease this activity across JANET

Amongst the hundreds of domains that the DNS traffic requests lookups for, the most common are subdomains of
*.lxdns.com
*.cdn20.com

These domains often resolve to IPs in the range of:
60.190.XXX.XXX
121.9.XXX.XXX
121.10.XXX.XXX
113.107.XXX.XXX