Hardcore Defacement Statistics

Copyright 2000. attrition.org Staff

Presented by Brian Martin / Matt Dickerson
Slides by Dale Coddington

Feds, Felons and Flakes:
Reflections on the Attrition Mirror

Introduction
This Talk Will Cover:

• The attrition mirror
• How we operate
• Defacement information and statistics
• Random other babble

Who We Are
attrition.org Staff

Brian Martin a.k.a. Jericho

Brian Martin has been involved in computers since the early 80's. His experience spans from first generation home computers to large scale servers powering the most current business applications today. Working in the computer security industry for the past five years, he has provided security audit and penetration assessment for foreign banks, Fortune 500 companies, Department of Defense and more. He has provided training and consultation for the Federal Bureau of Investigations, Defense Criminal Investigative Services, and the National Security Agency. In recent months, Brian's articles focusing on security issues have been widely circulated on the Internet, corporate newsletters, and print magazines.

Who We Are
attrition.org Staff

Matt Dickerson a.k.a. Munge

Matt Dickerson has worked as an economist and statistician providing legal consulting for Fortune 500 companies and universities since 1996. While his experience with computers began in the late 1980's, his interest in the Unix Operating System coincided with his statistical programming on the Unix platform in the mid-1990's. Since then, he has provided administrative, technical, and training support for diverse Unix platforms for the professional, manufacturing, and banking industries.

Who We Are
attrition.org Staff

Dale Coddington a.k.a. Punkis

Dale Coddington is a Systems Security Engineer with eEye Digital Security, a computer security products and consulting company located in sunny Southern California. In the past Dale has conducted consulting and training courses at several NASA Centers, State of Washington, Naval Justice Center, the U.S. Department of Justice, and several Japanese Corporations. In 1999 Dale was appointed one of two technical consultants by the Defense Team of Kevin Mitnick.

Modus Operandi
Qualification of Statistics

• The statistics and information presented here are based on data collected since November 1998
• Attrition began actively mirroring defaced sites in January 1999
• Mirrors on the attrition site date back to 1995
• Data before January '99 is believed to be accurate but is not 100% confirmed

The "Root" of the Problem
How are These Sites Being Defaced?

• Unix:
  – Remote buffer overflows
  – Sniffer / trusted path attacks
  – Poorly-coded CGI's
• Windows NT:
  – RDS / MSADC
  – IISHack
  – MS Front Page misconfigurations
  – Other misc. CGI/Web exploits

Defacements
Speculation: Why are More NT Boxes Defaced?

• Compare the knowledge required to navigate the hacked system:
• NT: Must know basic DOS commands.
  – echo "i 0wn j00" >> c:\inetpub\index.html
• Unix: Must know basic Unix commands
  – In many cases defacers lack the common skill to even find the main web page on a system:
  – find / -type f -name index.html -print
  – vi /path/to/index.html (wait, vi is too hard to use)

Why Me?
Why Are These Sites Being Defaced?

• Tagging, electronic graffiti
• One-upmanship - who can hit the biggest site
• The 'gov/mil' phenomenon
• Delusions that what they are doing is impressive or cool
• It's trendy - like baggy pants, it just won't go away.
• "Hacktivism" (95% convenient excuse)

The Fine Art of Mirroring
The Steps

• Mail comes in ([email protected])
• Goes to six people on attrition (and mirrored off site)
• Staff verifies the defacement (lynx, Netscape, etc)
• Run a custom mirror utility 'aget'

The Fine Art of Mirroring
What aget Does

• aget Version 4.5 - 866 lines of shell script
  – check to see if it has been mirrored, avoid duplication
  – use Netcraft (www.netcraft.com/whats/), NMAP (www.insecure.org), and lynx to verify the Operating System of the defaced site
  – If NMAP OS fingerprint is unknown, mail it to Fyodor
  – Do a NIC lookup based on the country/TLD
  – Take traceroute to record upstream provider(s)
  – Check to see if previously defaced
  – Check for hidden comments in HTML, DOS signature, etc.

The Fine Art of Mirroring
What aget Does (Continued)

  – Mail CERT based on country, mail NIPC (heh)
  – Mail NIC contacts
  – Mail attrition defaced* mail lists: http://www.attrition.org/security/lists.html
  – Form letter clearly explaining this is a third party notification of a security incident on the remote machine – this is just a warning that a site has been defaced, no other information is given

Stop Hacking My %^&&* Box!
"Defaced Site Administrative Response"

• 80 – 90%
  – Friendly, appreciative, asking us for help, thanking for notification
• 10 – 20%
  – Hostile responses, threats, insults, blame us

Stop Hacking My %^&&* Box!
Responses

• CERT
  – Recent addition. CERT originally asked to be removed from notification utility
  – When challenged on why they exist in the first place, they agreed to receive notifications

Stop Hacking My %^&&* Box!
Responses

• NIPC
  – Forwarded notifications on to "the appropriate people" approximately 20% of the time – some replies state they do not fall under infrastructure threats
  – No response for other 80% of notifications

Feds Us
Federal Agency / Law Enforcement Mirror Utilization

• FBI Connecticut Office –
  – Issued a single 2703(d) subpoena requesting information on 'flipz' and 'fuqraq'
  – Attrition responded and charged $16.00 for administrative fees
  – $16.00 is the extent of income from federal agencies in all of attrition's history

Feds Us
Federal Agency / Law Enforcement Mirror Utilization

• FBI Mirror Printouts –
  – Several raid victims have verified that printouts from the attrition.org mirror were used during those raids
  – "Did you hack this site?"

Forensics and Mirrors
(Not Profiling)

• Most defacements are sloppy
• Leave a nice forensics trail
• Many patterns in defacement activity
  – Easy to match one person operating under different names
  – Indications groups/individuals talk before choosing targets (wave of .edu, wave of .br, wave of...)

Linking
(Public)

• Obvious signs – signatures (graphics or text)
• Broken Image – pathed to local drive where HTML was created - few geniuses pathed to c:\microsoft\office\john\doe\ or similar paths that included their real name
• Meta tags – Generators, meta names, and more
• Greets, misspellings, language, more

Linking
(Private)

• Mail to us is more candid, more verbose
• Defacers use Hotmail and other freemail sites w/ X-Originating-IP
  – (grep, quote how many times we see x-originating)
  – (uniq, how many unique x-originating IPs have we seen)
• In some mail the defacer takes credit
  – Other times a 'friend' is reporting the hack
  – Occasionally arbitrary third party reports it (usually on high profile, high traffic sites).
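The grep/uniq step described on this slide, written out as an added example (not the attrition staff's own tooling) over a constructed mbox sample: it counts how many reports carry X-Originating-IP, how many distinct addresses appear, and which sender names sit behind the same address. The sender names, addresses and message text are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed mbox-style sample for this example (not real attrition.org mail).
# Freemail services of the era stamped the sender's address into X-Originating-IP.
SAMPLE_MBOX = """\
From report1@example.net Mon Jan 10 03:14:00 2000
From: "d3facer" <d3facer@freemail.example>
X-Originating-IP: [203.0.113.7]

we did it, check the mirror

From report2@example.net Tue Jan 11 02:01:00 2000
From: "a friend" <anon@freemail.example>
X-Originating-IP: [203.0.113.7]

my friend did www.example.org

From report3@example.net Wed Jan 12 23:59:00 2000
From: "tagger" <tagger@freemail.example>
X-Originating-IP: [198.51.100.20]

www.example.net is done

From report4@example.net Thu Jan 13 01:30:00 2000
From: "webmaster" <admin@example.com>

a third party noticed our site was defaced
"""

ORIG_IP = re.compile(r"^X-Originating-IP:\s*\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.M)
FROM_NAME = re.compile(r'^From:\s*"?([^"<]+?)"?\s*<', re.M)

def split_mbox(text):
    """Split on 'From ' separator lines (bodies are assumed to escape them as '>From ')."""
    msgs = []
    for line in text.splitlines():
        if line.startswith("From ") or not msgs:
            msgs.append([])
        msgs[-1].append(line)
    return ["\n".join(m) for m in msgs]

def link_by_originating_ip(mbox_text):
    """Return (messages carrying the header, {ip: sorted sender names}).
    Different names behind one IP are the link the slide describes; reports without the header are skipped."""
    by_ip = defaultdict(set)
    seen = 0
    for msg in split_mbox(mbox_text):
        m = ORIG_IP.search(msg)
        if not m:
            continue
        seen += 1
        n = FROM_NAME.search(msg)
        by_ip[m.group(1)].add(n.group(1).strip() if n else "<no display name>")
    return seen, {ip: sorted(names) for ip, names in by_ip.items()}
```

Running `link_by_originating_ip(SAMPLE_MBOX)` on the sample gives 3 reports with the header over 2 unique addresses, with "d3facer" and "a friend" both writing from 203.0.113.7.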

Linking
Analysis

• Looking at all of the above, it is trivial to link different names and group members to each other
• Several defacers change name and style for a variety of reasons
  – A quick check at the forensics/footprints of their work will reveal a substantial amount

Mail Woes

• Roughly 33% of mail to hacked@ are false reports
  – Sites are not defaced, do not answer, or show no signs of intrusions
• Infrequently, we receive mail of a defacement before it happens
  – Typically a minute or less before defacement. Either way, it obligates us and potentially makes us liable if we do not report the crime before it occurs

Blame Us
(Everyone Else Does)

• We are often accused of encouraging defacements
  – This is far from the truth
• Odds are we have berated and insulted most defacers for their activities - we've questioned them, encouraged them to STOP, etc.
• We are not the only mirror. If we close up shop, the other mirrors will pick up our role. This isn't a good idea because we do it better

Disclaimer
(Of Course)

• Conclusions based on the mirror or statistics must be looked at carefully:
• Example: Saying "defacements are increasing"
  – Yes. There are more defacements today than yesterday in general
  – No. Roughly the same percentage compared to servers deployed (?)
• Example: Saying "XX OS is more secure"
  – No. It is likely the OS has not been audited/tested as much as many other OS's. You must factor in whether the OS is open source, how long it has been deployed, etc.

Why Our Mirror is Better
(The Fine Art of Shameless Self Promotion)

• All of our information is public (and free)
• We notify sites of the intrusions as we learn about them
• We provide mail lists to keep you informed of defacements
• We collect more information about the site
• We provide breakouts by group, TLD, organization
• We provide comprehensive statistics

20 Most Active Groups
Including Ties

Rank  Group          Hacks  Days active  In years
 20)  kpz               40          185      0.51
 20)  mozy              40          211      0.58
 19)  p4riah            41          108      0.30
 18)  keeblerelves      43          138      0.38
 17)  ehw               43          101      0.28
 17)  fuqrag            43           74      0.20
 17)  teaminfinity      43          112      0.31
 16)  hip               44          233      0.64
 16)  ytcracker         44          299      0.82
 16)  v00d00            44          183      0.50
 15)  kryptek           46          191      0.52
 14)  pentaguard        47          503      1.38
 13)  fuby              54          289      0.79
 13)  artech            54          166      0.45
 12)  teamecho          59           54      0.15
 11)  hv2k              60          226      0.62
 10)  levelseven        64          233      0.64
  9)  ph33rtheb33r      67          214      0.59
  8)  crimeboys         83          156      0.43
  7)  mcm4nus           86          100      0.27
  6)  acidklown         93          273      0.75
  5)  dhc               98          271      0.74
  4)  pakistanhc       100          272      0.74
  3)  gh               115          268      0.73
  2)  antichrist       142          163      0.45
  1)  forpaxe          154          196      0.54

20 Longest Running Groups

Rank  Group        Days active  In years  Hacks
 20)  x                    312      0.85      4
 19)  rat                  334      0.91     10
 18)  maverick             338      0.93      3
 17)  c0rvus               359      0.98     12
 16)  xessor               377      1.03     12
 15)  mod                  379      1.04      2
 14)  ez|ne                389      1.07      3
 13)  ch0jin               390      1.07      2
 12)  kingstr0ke           403      1.10      4
 11)  lou                  419      1.15     15
 10)  druhy                432      1.18      6
  9)  viper                443      1.21      3
  8)  sploit               495      1.36     16
  7)  rewted               498      1.36      7
  6)  snow                 498      1.36      3
  5)  pentaguard           503      1.38     47
  4)  xploit               531      1.45      3
  3)  rootworm             549      1.50     21
  2)  h4g1s                693      1.90      5
  1)  adm                  811      2.22      3

Defacement Counts and Percentages
Generic Domains

Breakout                              Defacements  Percent
International Organizations (int)              11     0.17
Non-Profit Organizations (org)                473     7.20
U.S. Commercial (com)                        2749    41.83
U.S. Educational Institutions (edu)           324     4.93
U.S. Government (gov)                         198     3.01

Further stats available at www.attrition.org/mirror/attrition/country.html

Defacement Counts and Percentages
Country Domains

Breakout              Defacements  Percent
Brazil (br)                   359     5.46
United States (us)            236     3.59
United Kingdom (uk)           155     2.36
Mexico (mx)                   109     1.66
Thailand (th)                   5     0.08

1999 vs. 2000 Daily Cumulative Total Comparison

Defacements per Day, January 1999 - July 2000: Linear Regression

Defacements per Day, January 1999 - July 2000

Monthly Totals, January 1999 - July 2000

Histogram of Defacements per Day, January 1999 - June 2000

OS Totals by Month
Yellow: NT, White: Linux, Orange: BSD, Green: Solaris, Purple: All Other

29-Day Moving Average, All
Yellow: NT, Green: Solaris, White: Linux, Orange: BSD, Purple: All Other

Daily Cumulative Totals, All

Overall OS Shares

Holiday Attacks

After selecting 11 holidays per year, we found that while the holiday average was greater than the non-holiday average, the difference was not statistically significant. Two holidays, examined individually, were significantly greater than non-holidays: New Year's Eve 1999 and July 4th, 2000.

Defacement activity is not statistically different on holidays than on non-holidays.
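An added illustration of the holiday comparison above, not the authors' analysis (the slides do not say which test they used): a permutation test on the difference of mean daily counts between holidays and non-holidays, plus the per-holiday check for a single day. All counts are constructed; the shuffle count, seed and function names are this example's assumptions.

```python
import random
from statistics import mean

# Constructed daily defacement counts for this example (not attrition.org data):
# 11 "holidays" with two spikes, against a run of ordinary days.
HOLIDAY_COUNTS = [14, 9, 31, 12, 8, 11, 10, 13, 9, 12, 27]
_rng = random.Random(1)
NON_HOLIDAY_COUNTS = [_rng.randint(5, 18) for _ in range(200)]

def permutation_test(group_a, group_b, rounds=5000, seed=0):
    """Two-sided permutation test on the difference of means.
    The group labels are reshuffled `rounds` times; the p-value is the share
    of shuffles whose |mean(a) - mean(b)| is at least the observed one."""
    rng = random.Random(seed)
    observed = mean(group_a) - mean(group_b)
    pooled = list(group_a) + list(group_b)
    k = len(group_a)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        if abs(mean(pooled[:k]) - mean(pooled[k:])) >= abs(observed):
            hits += 1
    return observed, hits / rounds

def single_day_tail(count, baseline):
    """Empirical one-sided check for one holiday: the share of baseline days
    with at least this many defacements (a small share means 'unusually high')."""
    return sum(1 for x in baseline if x >= count) / len(baseline)

if __name__ == "__main__":
    diff, p = permutation_test(HOLIDAY_COUNTS, NON_HOLIDAY_COUNTS)
    print(f"holiday mean exceeds non-holiday mean by {diff:.2f}, p = {p:.3f}")
    for day in (31, 27):
        share = single_day_tail(day, NON_HOLIDAY_COUNTS)
        print(f"a holiday with {day} defacements: {share:.3f} of baseline days are as high")
```

Two spikes can make individual holidays stand out while the overall holiday average stays within what a reshuffling of labels produces, which is the pattern the slide reports.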

The Future

• Faster updates of the main mirror page with defacements in real-time
• The introduction of dynamically generated pages via user-defined queries against our defacement database(s)
• Never before seen on attrition.org, user interaction with actual pages
• With the introduction of the SQL database(s), more breakouts pertaining to each defacement mirrored

References

Attrition Mirror
http://www.attrition.org/mirror

Statistics / Graphs
http://www.attrition.org/mirror/attrition/stats.html

Updated Slide Presentation
http://www.attrition.org/mirror/presentation.ppt

Fin
Contact Information

• Brian [email protected]
• Matt [email protected]
• Dale [email protected]