Jump to content

Norse Live Attack site


n-quire
 Share

Recommended Posts

Well, in some PR blob that seems to have been distributed by them to everybody last summer they claim to have made honeypots for all sorts of internet-connected machines, from banks and ATMs (their words) to presumably routers ("infrastructure") waiting to get hacked by the world at large. This would be hosted by machines directly connected to the various Internet eXchanges so bandwidth shouldn't be an issue. That much sounds plausible.

They then show a seemingly real-time map of attacks against their honeypots. That I can also believe.

The article then goes on to suggest that they can monitor attacks against various institutions like banks, libraries and such. This I find much, much harder to believe. It would suggest that they basically siphon off the traffic going over an IX and monitor it. We're already unhappy about a government agency doing such things, yet when a commercial company does it it's a-okay? I call BS.

They suggest they have a product you can purchase that shows attacks against your machines. We have those products already. They're called "firewalls" and "intrusion detection systems". Very newfangled technology most people may not have heard of...

The only actual innovation I see is the visualization which, in all honesty, doesn't seem to add much. When your system gets attacked, do you really give a shit if it's from China or Russia or somewhere local? The final thing is that when an attack occurs, they can show the IP address and an indication where that IP address is in the world. I can't find the vid anymore, but I watched something on securitytube or some such where someone was explaining that they have clients set up pages on their public website that aren't reachable unless you know the page name, and the only reference to that is in the robots.txt informing search engines to not index them. The fair assumption being that if you do go there, you're probably not interested in what the company legitimately offers to you. The page has some java-based login to what appears to be a remote desktop or vpn type thing and very often attackers will assume they've hit paydirt, run the applet and try to login. Problem is that the java applet phones home and reports certain bits of information about the attacker like their real IP address (run locally, so VPN or proxy offers zero protection. If it reports a traceroute it might even divulge the real IP when run from within a VM) and in case of a wifi adapter the names of the various APs in your vacinity. That last bit I found very interesting because google can pin-point your location based on that down to a few meters with sufficient APs nearby. Good stuff. They used the same payload in special documents they'd offer on these pages, like embedded javascript in a docx for instance (in case you didn't know: MS Word is a browser these days).

I don't believe these guys are doing something like that. I believe they just pluck the IP from the request, do a lookup for that and call it a day.

So my feeling here is that it's just another firewall/ids product they're peddling and they've found a spiffy way to visualise it so they can have more management porn to allow you to defend spending your department budget on their services.

Edited by Cooper
Link to comment
Share on other sites

At the end of the day, stats are generally useful when for your individual needs, on your network and devices that you monitor. That said, log your own attacks, create your own graphs to create your own statistical analytics. You probably have tools built into your system, to do this already, just need to script something up to make the data useful. I think if the tool does that for you, its useful locally, but on a global scale, its marketing since they can't be everywhere or know every 0-day, nor could anyone or any tool for that matter, and most data is just white noise on the internet when you look at live maps that can't show actual data you can trust, such as what the attack is, a copy of the attack script(we can do that), the location of the attacker(we can do that too, although most of the time, is either botnet or spoofed activity). Like you said, are these real attacks, pings, random drive by chatter from bots and archivers or worse, marketing material? Only way to tell, try the product(if there is one).

- Side tangent - I myself have two versions of a product I built along with the help of @bwall aka (Brian botnethunter Wallace). We log attacks against "WordPress" (not the server, only files properly initialized by WordPress although it picks up attacks for all kinds of things from Joomla and Drupal attacks, etc) in a free version, as well as have a paid for version that both logs and blocks the attacks with a few more things it checks for than in the free version. We gather RFI attacks, decrypt them, and have a site for that which anyone can also contribute to, without the need for WordPress or our product(check here: https://defense.ballastsecurity.net/decoding/index.php). IronGeek even has something similar he's been doing for a long time on his own, and I think he may even send some of the RFI scripts to Bwall's decoder. In our product, we show the GeoIP data of the attackers along with some basic info on the attacks and some stats displayed on a google map so you can see where it was generated from. i used to put out reports monthly, but stopped trying to keep up with everything due to some shady shit a customer did... Its useful for me, but may not be for someone else. Somewhere along the way, a customer of ours who bought the product, stole it, re-branded it(without changing much of the code base other than passing it through Zend), and was selling it as their own product. As such, I stopped developing it at that time, since I hadn't copyrighted or trademarked the tool before it was stolen, I can't really sue without shit ton of money to go after them. Had it been done before release, would have went straight to federal court for copyright infringement and I'd probably be sitting pretty large right now. Instead, I started work on other tools for personal use and stopped releasing my tools, such as scripts that archive and store shell scripts and upload file attacks, brute force loggers, auto ban tools, tor blocking tools, and putting everything in a nice CSV file for creating stats, graphs, charts, etc.

My new project is something I'm eventually going to need help with, but if it works, will be released for free, and hopefully adopted as a standard in a manner of speaking. Can't say more than that right now, but its been something I've had in the back of my mind for a long time...

Link to comment
Share on other sites

Looked at the link you posted. Clicked on a random "Decoded bot" and got this which, to me, looks like very benign spam.

When does something qualify as a bot for your product?

My PHP-fu is a bit rusty but if you need a hand with anything feel free to drop me a line.

Link to comment
Share on other sites

Looked at the link you posted. Clicked on a random "Decoded bot" and got this which, to me, looks like very benign spam.

When does something qualify as a bot for your product?

My PHP-fu is a bit rusty but if you need a hand with anything feel free to drop me a line.

People spam the decoder all the time, and so do the bots we've archived, but we do have full on perl, php, and other obfuscated/decoded bots. THe decoder site gets abused, just like any other site gets spammed though. a "bot" qualifys, as an automated scripted attack generally carried out in mass, against targets from an IRC or other setup command and control server to carry out the attacks. Spam data of complete sites, as the one you showed, are a result of the fact anyone can paste a URL into the decoder though.

Try one like this though:

https://defense.ballastsecurity.net/decoding/index.php?raw=8a802120c96ab54873f9c1947af18aa1

What you see, is the plain text, decoded shell script. I could post source for one here, but it would probably get flagged. The link to some of them we show the source to, are also sometimes removed and you get a 404 or even 403 depending on what the site owners, or even botnet owner does to keep you from downloading them. I myself, have a script on one of my servers, that keeps the orginal RFI attack scripts. Bwall used to post both the original and decoded in the same page, but for space I guess modified to point to where the attack came from, and only shows the decoded shell scripts now.

In the shell scripts, you can see often where they "call home" to, and what other malware they download, such as compiled linux binaries with other functions that install and spread more sockets for the bots to connect to, control the server, etc.

Blog posts by Bwall on dissecting some bots:

http://blog.cylance.com/author/brian-wallace

He also put out videos demoing how they work and removal, and we also put out a paper on EDB few years ago:

2012-06-25 - Insecurity of Poorly Designed Remote File Inclusion Payloads - Part 2 php bwall

2012-06-10 - Insecurity of Poorly Designed Remote File Inclusion Vulnerabilities: Pt 1 php bwall

http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=bwall&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

More decoded examples and papers from bwall on the above link from EDB

Link to comment
Share on other sites

Problem is that the java applet phones home and reports certain bits of information about the attacker like their real IP address (run locally, so VPN or proxy offers zero protection. If it reports a traceroute it might even divulge the real IP when run from within a VM) and in case of a wifi adapter the names of the various APs in your vicinity.

This may be a little out of scope here but could you explain this statement? How would someone's actual IP address be revealed by this Java applet even if they are using a VPN service? (The other stuff about pinpointing a physical location based on nearby APs I understand as I have done it before).

Link to comment
Share on other sites

Well, the applet is running locally on your very own machine. It would be trivial for the java applet to do an 'ifconfig -a' or its windows equivalent and phone that home.

You get a new virtual interface for the VPN, but the actual interface is still there, and its IP is included in the output.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...