Norwegian Honeynet Project


A chapter of the Honeynet Project

Enhanced CC2ASN

March 23rd, 2010 by Tor Inge Skaar (0) News,Tools

For over 9 months we’ve run our CC2ASN service, allowing you to look up ISO-3166 country codes and get back all ASNs, IPv4 or IPv6 prefixes for that specific country. Now the time has come for an update.

A major issue with the RIR data (delegated feeds) used by the CC2ASN service is ASNs registered to a region instead of a specific country. There are currently two regions in use: European Union (EU) and Asia Pacific (AP). The reason for this is the ever-increasing globalization of corporations and organizations, which is quite understandable. But when you want a list of AS numbers for any given country code, the regional registrations have to be accounted for as well.

This is where the enhanced database comes into action. In this database we’ve manually overridden the country code assignments for those ASNs that in the RIR data were registered to either EU or AP. In addition we’ve also corrected a few other ASNs that we knew had a wrong country code. The list we’ve compiled is publicly available: asn_override.txt.

It’s all been a manual job, going through all the EU and AP ASNs, plus a good portion of the other CCs as well. The CC override decision is based on one or more of the following actions:

  • Looking at references to location in whois descr, address or country records.
  • Using location info in router names from tracepath of the AS prefixes.
  • The nationality of peers and upstream providers.
  • Location of corporate headquarters or regional headquarters.
  • General googling/binging.

And this is a continuing job, whenever new ASNs are allocated to either EU or AP.

So, how do you access this new database? From the CC2ASN web-interface make sure you check the box labeled “Use Enhanced Database“. The database is also available by directly querying port 44/tcp (the normal CC2ASN database is available on standard whois port 43/tcp). Note that the enhanced database only outputs ASNs, not prefixes.

$ echo "GB" | nc atari.honeynor.no 44

Every day, when the latest RIR data are downloaded and parsed, all changes to the enhanced database are recorded. This allows us to provide you with an ASN history tool: CC2ASN Delta. The main page lists changes over the last 90 days for ASNs registered to a specific country. By clicking on a country, you get a textual representation of all registered changes for that country. By further clicking on an ASN, you get a listing of potential country changes for that AS.

For more information, take a look at the documentation.

Country Lookup

June 19th, 2009 by Tor Inge Skaar (9) News,Tools

We’re pleased to announce a new service: CC2ASN – Country Lookup. This service will provide you with AS numbers, IPv4 and IPv6 prefixes belonging to a specific country. The data is all based on publicly available information from the five RIRs in the world: ARIN, RIPE NCC, APNIC, LACNIC and AfriNIC. The database is updated once every day.

As input to this service, use ISO-3166-1 alpha-2 country codes (more info). Note that in addition to the ISO-defined codes, the following two codes are also used when dealing with multi-regional networks: AP (Asia-Pacific) and EU (European Union).

You may access the data either through the web-interface, or via your command line interface. A standard whois client can be used when the result set is “not too large”. The preferred way is to use a raw socket tool, like netcat. Here are some examples illustrating both ways:

whois -h atari.honeynor.no no
whois -h atari.honeynor.no ipv4 ke
echo "all us" | nc atari.honeynor.no 43

The first will list all AS numbers registered for Norway, while the second example will list all IPv4 prefixes for Kenya. The last line uses netcat to fetch everything (ASN, IPv4 and IPv6) registered for the USA (this query will fail when using a standard whois client).
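To make the two CC2ASN posts concrete, here is an added Python model of the service, written for this page and not the service’s own code. It parses RIR delegated-feed lines (the `registry|cc|type|start|value|date|status` format the RIRs publish), applies a manual EU/AP override list of the kind the Enhanced CC2ASN post describes, answers the three query forms shown above (`no`, `ipv4 ke`, `all us`) locally, and diffs two daily builds the way CC2ASN Delta does. All feed lines, the override entries and the `<asn> <cc>` override file layout are constructed assumptions (the real asn_override.txt format is not shown in the post); the address and AS numbers come from the documentation ranges.

```python
"""Local model of CC2ASN: parse RIR delegated-feed lines, apply the manual
EU/AP country overrides, answer the whois-style queries ("no", "ipv4 ke",
"all us") and diff two daily builds the way CC2ASN Delta does.
Added example, not the service's code; all data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed feed in the RIR delegated-file format:
#   registry|cc|type|start|value|date|status
# For asn, value is a count of consecutive AS numbers; for ipv4 the number of
# addresses; for ipv6 the prefix length. Documentation ranges (RFC 5398/5737/3849)
# stand in for real allocations. The version and summary lines are skipped.
FEED_DAY1 = """\
2|ripencc|20100322|9|19830705|20100321|+0100
ripencc|*|asn|*|3|summary
ripencc|NO|asn|64496|1|19930901|allocated
ripencc|EU|asn|64500|2|20050101|allocated
apnic|AP|asn|64510|1|20060101|allocated
arin|US|asn|64505|1|19900101|allocated
ripencc|NO|ipv4|192.0.2.0|256|19900101|assigned
afrinic|KE|ipv4|198.51.100.0|128|20070101|allocated
arin|US|ipv4|203.0.113.0|256|19900101|allocated
ripencc|NO|ipv6|2001:db8::|32|19990101|allocated
arin|US|ipv6|2001:db8:1::|48|20000101|allocated
"""
# Next day (constructed): the EU block is re-registered under DE and a new AP ASN appears.
FEED_DAY2 = FEED_DAY1.replace("ripencc|EU|asn|64500|2", "ripencc|DE|asn|64500|2") \
    + "apnic|AP|asn|64511|1|20100322|allocated\n"

# Constructed override list; the "<asn> <cc>" line format is an assumption.
OVERRIDES = """\
64500 DE
64501 DE
64510 SG
"""


def parse_feed(text):
    """Build {cc: {"asn": set, "ipv4": set, "ipv6": set}} from delegated-feed text."""
    db = defaultdict(lambda: {"asn": set(), "ipv4": set(), "ipv6": set()})
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[6] not in ("allocated", "assigned"):
            continue                      # version header, summary, reserved/available
        _registry, cc, rtype, start, value, _date, _status = fields[:7]
        if rtype == "asn":
            db[cc]["asn"].update(range(int(start), int(start) + int(value)))
        elif rtype == "ipv4":             # address count -> one or more CIDR blocks
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            for net in ipaddress.summarize_address_range(first, last):
                db[cc]["ipv4"].add(str(net))
        elif rtype == "ipv6":
            db[cc]["ipv6"].add(f"{start}/{value}")
    return db


def parse_overrides(text):
    """Assumed '<asn> <cc>' lines; '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            out[int(parts[0])] = parts[1].upper()
    return out


def apply_overrides(db, overrides):
    """Move each overridden ASN from its RIR country (typically EU/AP) to the corrected one."""
    for cc in list(db):
        for asn in list(db[cc]["asn"]):
            new_cc = overrides.get(asn)
            if new_cc and new_cc != cc:
                db[cc]["asn"].discard(asn)
                db[new_cc]["asn"].add(asn)
    return db


def build(feed_text, override_text=None):
    """Plain database, or the enhanced one when an override list is given."""
    db = parse_feed(feed_text)
    if override_text is not None:
        apply_overrides(db, parse_overrides(override_text))
    return db


def query(db, request):
    """Answer 'cc' (ASNs only), 'asn|ipv4|ipv6 cc', or 'all cc' like the port-43 service."""
    parts = request.strip().lower().split()
    if len(parts) == 1:
        kinds, cc = ["asn"], parts[0]
    elif len(parts) == 2 and parts[0] in ("asn", "ipv4", "ipv6", "all"):
        kinds = ["asn", "ipv4", "ipv6"] if parts[0] == "all" else [parts[0]]
        cc = parts[1]
    else:
        raise ValueError(f"unsupported query: {request!r}")
    recs = db.get(cc.upper())
    if recs is None:
        return []
    out = []
    for kind in kinds:
        if kind == "asn":
            out += [f"AS{n}" for n in sorted(recs["asn"])]
        else:
            out += sorted(recs[kind], key=ipaddress.ip_network)
    return out


def delta(old_db, new_db):
    """ASNs whose country changed between two daily builds: [(asn, old_cc, new_cc)]."""
    def asn_to_cc(db):
        return {asn: cc for cc, recs in db.items() for asn in recs["asn"]}
    before, after = asn_to_cc(old_db), asn_to_cc(new_db)
    return [(asn, before.get(asn), after.get(asn))
            for asn in sorted(set(before) | set(after))
            if before.get(asn) != after.get(asn)]


if __name__ == "__main__":
    for req in ("no", "ipv4 ke", "all us", "eu"):
        print(req, "->", query(build(FEED_DAY1, OVERRIDES), req))
    print("delta:", delta(build(FEED_DAY1, OVERRIDES), build(FEED_DAY2, OVERRIDES)))
```

Run without an override list, `query(db, "eu")` returns the regional ASNs exactly as the RIR feed has them; with the list applied they move to their corrected countries, and the day-to-day delta then shows only genuine changes (a new AP allocation) rather than the re-registration noise the plain feed would report.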

For more information, please read the documentation (There are some caveats to be aware of, and more alternatives to download this data. It’s all in the docs).

Using Nmap to scan for Conficker

March 31st, 2009 by Tor Inge Skaar (2) Tips & Tricks,Tools

As a result of the latest KYE paper (Containing Conficker), many of the scanner tools out there have implemented (or are in the process of implementing) the method presented in chapter 5 of the paper, which explains how you can remotely scan a machine and have the machine tell you whether or not Conficker has compromised it. The method works for all current Conficker variants, regardless of the infection vector!

Nmap was one of the first tools to implement this. Let’s try it out!

Download the latest development release from http://download.insecure.org/nmap-dist/ (at the time of writing: 4.85BETA6). The usual configure, make, sudo make install should do the trick, but in case you run into compile- or run-time errors you may want to check out this page. (If you face run-time complaints about openssl, you should follow this link.) There are also binaries available for Windows and OSX.

The following is an example of a basic scan for Conficker:

nmap -sC -PN -d -p445 --script=smb-check-vulns \
--script-args=safe=1 192.168.1.1

For large-scale scans, you may invoke nmap with some optimisation parameters as recommended here.

nmap -sC -PN -d -p445 -n -T4 --min-hostgroup 256 \
--min-parallelism 64 --script=smb-check-vulns \
--script-args=safe=1 10.0.0.0/8

In addition to the no-ping (-PN) and port-specific scan (-p) options, we added no DNS resolution (-n), more aggressive timing (-T4) and parallel scanning in groups of 256 hosts (with at least 64 probes in flight simultaneously). The two latter parameters may be tuned even further for increased performance. The recommendation is to maintain a 4:1 ratio between the two values, and keep the upper limit to 4096/1024.

With safe=1 as an argument to the script, the MS08-067 vulnerability is not actually checked. With unsafe=1 it will be checked, but be aware that the vulnerable Server service may crash.

Here are some examples of the output from the script smb-check-vulns (with MS08-067 check enabled):

|  MS08-067: LIKELY VULNERABLE (host stopped responding)
|  Conficker: Likely INFECTED

|  MS08-067: FIXED
|  Conficker: Likely CLEAN

So, scan your network now, while it’s still possible.
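Once the scan above has run across a /8, the interesting part is turning the per-host script output into a follow-up list. Here is an added Python triage helper (not part of this post and not part of Nmap) that parses nmap’s normal output (-oN) for the smb-check-vulns result lines quoted above and buckets hosts by verdict. The scan text it works on is constructed for the example from those quoted lines, not a real scan; it also picks out hosts that reported “host stopped responding”, which the unsafe MS08-067 check can cause and which deserve a check of the Server service.

```python
"""Triage of smb-check-vulns results from an nmap normal-output (-oN) file.
Added example, not part of the post or of Nmap; the scan text below is
constructed from the result lines the post quotes, not a real scan."""
import re

SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: LIKELY VULNERABLE (host stopped responding)
|_  Conficker: Likely INFECTED

Nmap scan report for 192.0.2.11
Host is up (0.0008s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|_  Conficker: Likely CLEAN

Nmap scan report for 192.0.2.12
Host is up (0.0030s latency).
PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Script result lines start with "| " or "|_" followed by the check name.
RESULT_RE = re.compile(r"^\|[ _]\s*(MS08-067|Conficker):\s*(.+?)\s*$")


def parse_scan(text):
    """{host: {'MS08-067': verdict, 'Conficker': verdict}}; hosts with no script
    output (port closed or filtered) get an empty dict so they are not lost."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            hosts[current][m.group(1)] = m.group(2)
    return hosts


def triage(hosts):
    """Bucket hosts for follow-up. The Conficker verdict wins over the MS08-067
    one, because an infected host needs cleaning regardless of patch state."""
    buckets = {"infected": [], "vulnerable": [], "clean": [], "no_result": []}
    for host, res in sorted(hosts.items()):
        conficker, ms08 = res.get("Conficker", ""), res.get("MS08-067", "")
        if "INFECTED" in conficker:
            buckets["infected"].append(host)
        elif "VULNERABLE" in ms08:
            buckets["vulnerable"].append(host)
        elif "CLEAN" in conficker:
            buckets["clean"].append(host)
        else:
            buckets["no_result"].append(host)
    return buckets


def stopped_responding(hosts):
    """Hosts where a check reported 'host stopped responding': the unsafe
    MS08-067 probe may have crashed their Server service, so check them."""
    return sorted(h for h, res in hosts.items()
                  if any("stopped responding" in v for v in res.values()))


def summarize(text):
    """One-call report: verdict buckets plus the hosts that stopped responding."""
    hosts = parse_scan(text)
    return {"buckets": triage(hosts), "stopped_responding": stopped_responding(hosts)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_SCAN), indent=2))
```

Hosts with port 445 closed produce no script output and land in `no_result` rather than silently disappearing, which matters when the point of the scan is proving coverage of the whole range.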

Fighting Back!

March 31st, 2009 by Tor Inge Skaar (1) News,Tools

Yesterday, the Honeynet Project released a brand new Know-Your-Enemy (KYE) paper titled Containing Conficker. Previous papers about the Conficker variants (like SRI’s analysis) have focused on explaining the inner workings of the malware. The KYE paper, on the other hand, proposes new ideas on how to identify, mitigate and remove Conficker from compromised hosts.

The paper contains a wealth of excellent information and actionable intelligence for both security analysts and network/system engineers trying to defend against the vexing issue that is Conficker. Together with the paper, a series of different open source tools have also been released:

The collection page includes the source code for all these tools and also Nebula-generated Snort signatures for Conficker.

Here is the link to the paper again, in case you missed it: PDF.

Daemonlogger 1.1

August 7th, 2008 by Tor Inge Skaar (0) Tools

Marty just released version 1.1 of daemonlogger. In addition to a small bug fix, it now includes the missing functionality I wrote about in the previous post: ring buffer activation based on disk utilization. The new option -M takes a percentage value as argument. The value specifies the percentage of disk utilization you want to reach before the ring buffer gets activated. Here is an example where old log files are deleted when there is only 2% of free space left:

daemonlogger -i eth0 -d -l /var/log/pcap -S 0 -t 1h -M 98 -r

Get it at: http://www.snort.org/users/roesch/code/daemonlogger-1.1.0.tar.gz

Daemonlogger Patch

August 1st, 2008 by Tor Inge Skaar (1) Tips & Tricks,Tools

I’ve been using Daemonlogger now for some time, and really like this compact yet highly functional packet capture tool from Marty Roesch (Mr. Snort himself). It’s libpcap based and has some nice features like log-&-replay, log rotation and ring buffer, features that are missing in the tcpdump setup I used prior to Daemonlogger.

In many situations I like to use the -t option to partition the log files based on time, e.g. -t 1h to get one pcap file each hour (aligned on the hour). Also, I usually create a dedicated disk partition for pcap storage. In these situations I think Daemonlogger doesn’t quite “cut the mustard”. It’s missing an easy way to have it utilize most of the dedicated disk space while rotating the pcap files based on time intervals and maintaining an active ring buffer. Of course, you may use the -s option to rotate based on the size of the log file (in bytes) and also set a count limit with -m. But, as I mentioned, I’m more of a time guy.

This is why I made a small patch to Daemonlogger which implements the missing feature. The added option (-x) lets you specify the amount of free space you want to have on the disk where the pcap files are stored.

daemonlogger -i eth0 -d -l /var/log/pcap -S 0 -t 1h -x 500 -r

In the above example, daemonlogger sniffs on the eth0 interface, runs in daemon mode, logs to /var/log/pcap with the maximum snap length and creates a new file every hour on the hour. When there is less than 500 MiB of free space on the disk device that holds /var/log/pcap, the ring buffer will activate and delete the oldest file in that directory.
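To show what the free-space ring buffer actually does (both the -x behaviour described here and the -M percentage option that daemonlogger 1.1 later added), here is an added Python model of the pruning logic. It is written for this page and is not daemonlogger’s own C code; the fake 4000-byte partition, the three hourly capture files and the `daemonlogger.pcap.<epoch>` naming it uses are constructed for the example. The live capture file is passed in as `active` and is never deleted, which is the one safety check a practitioner would want in any such loop.

```python
"""Ring-buffer pruning driven by free disk space: the behaviour the -x patch
(free MiB) and daemonlogger 1.1's -M (percent used) add. Added Python model
for illustration, not daemonlogger's own C code; the fake disk and the
hourly files are constructed so the logic runs without filling a real partition."""
import os
import tempfile


def fs_space(path):
    """(free_bytes, total_bytes) of the filesystem holding path, via statvfs."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize, st.f_blocks * st.f_frsize


class FakeDisk:
    """Stand-in for fs_space: a dedicated pcap partition of `total` bytes whose
    usage is the size of the files currently in `directory` (constructed)."""
    def __init__(self, directory, total):
        self.directory, self.total = directory, total

    def __call__(self, _path):
        used = sum(os.path.getsize(os.path.join(self.directory, f))
                   for f in os.listdir(self.directory))
        return self.total - used, self.total


def capture_files(directory, prefix="daemonlogger.pcap"):
    """Capture files in the log directory, oldest mtime first."""
    paths = [os.path.join(directory, f) for f in os.listdir(directory)
             if f.startswith(prefix)]
    return sorted(paths, key=os.path.getmtime)


def limit_crossed(free, total, min_free_bytes, max_used_pct):
    """True when the ring buffer should fire: too little free space (-x style)
    or utilization above the percentage (-M style)."""
    if min_free_bytes is not None and free < min_free_bytes:
        return True
    if max_used_pct is not None and total and 100.0 * (total - free) / total > max_used_pct:
        return True
    return False


def prune(directory, active=None, min_free_bytes=None, max_used_pct=None, space_fn=fs_space):
    """Delete the oldest capture files until neither limit is crossed.
    The file currently being written (`active`) is never deleted, so a bad
    threshold can at worst empty the history, not the live capture.
    Returns the deleted paths, oldest first. For -x semantics pass n * 2**20."""
    deleted = []
    for path in capture_files(directory):
        free, total = space_fn(directory)
        if not limit_crossed(free, total, min_free_bytes, max_used_pct):
            break
        if path == active:
            continue
        os.remove(path)
        deleted.append(path)
    return deleted


def demo(min_free_bytes=None, max_used_pct=None):
    """Three 1000-byte hourly files on a fake 4000-byte partition (75 % used);
    the newest file is the active capture. Returns the basenames prune() deleted."""
    d = tempfile.mkdtemp()
    paths = []
    for hour in range(3):
        stamp = 1217592000 + hour * 3600            # constructed hourly timestamps
        path = os.path.join(d, f"daemonlogger.pcap.{stamp}")
        with open(path, "wb") as fh:
            fh.write(b"\0" * 1000)
        os.utime(path, (stamp, stamp))              # deterministic age order
        paths.append(path)
    gone = prune(d, active=paths[-1], min_free_bytes=min_free_bytes,
                 max_used_pct=max_used_pct, space_fn=FakeDisk(d, 4000))
    return [os.path.basename(p) for p in gone]


if __name__ == "__main__":
    print("-x style, need 2500 bytes free:", demo(min_free_bytes=2500))
    print("-M style, at most 60 % used:  ", demo(max_used_pct=60))
```

With `-M 98` semantics (`max_used_pct=98`) the loop fires only once 2% free space is left, matching the 1.1 example; with `-x 500` semantics pass `min_free_bytes=500 * 2**20`. Either way the loop re-reads free space after every deletion and stops as soon as the limit is satisfied, so it removes the minimum history needed.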

Download file: daemonlogger.honeynor.patch

Disclaimer: I’m by no means an experienced C programmer, so you’re on your own pal if you apply this patch :)

Capture-HPC 2.1

March 27th, 2008 by Tor Inge Skaar (1) News,Tools


The Honeynet Project and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington, New Zealand are excited to announce the release of Capture-HPC v2.1.

Capture-HPC is a computer security tool that allows anyone to investigate client-side computer attacks; security researchers to find and study malicious servers; virus and malware researchers to collect malware pushed by malicious servers; network administrators to monitor their systems for client-side attacks; and web site operators to monitor their web sites for unauthorized modifications with client-side attack code.

The new version has a 500% increase in performance over the previous version, which should be greatly appreciated by those already familiar with the tool. Besides malware and unauthorized state changes, Capture-HPC now collects network traffic for all client/server interactions. In addition, Capture-HPC now reports statistics about the performance of the system, allowing operators to monitor and tune the Capture-HPC system during operation. The release also introduces a client plug-in framework, which allows third-party developers to include client applications that are currently not supported by Capture-HPC. A Safari browser plug-in that makes use of this feature is provided with the 2.1 version of Capture-HPC, adding support for this browser and demonstrating the capabilities of this framework. In addition, a wide range of browsers, office applications, and media players are supported by Capture-HPC.

Download Capture-HPC