Chinese Blackout?
By Ted Weaver
08/17/2003
Continued Complacency
While most of the media runs from news conference to news conference
looking and sounding like the Keystone Cops, and industry officials jump
from conclusion to conclusion, I have been looking elsewhere for answers
and possibilities, because I had good reason to.
After picking up on signals over the past 60 days, I was already
nervous that something was about to happen. I started to become
seriously concerned, to the point of calling up Verizon two weeks ago to
make a complaint and warn them that something was up. I was concerned
about being compromised. Obviously, to no avail. The telephone techie
didn't think it was important enough to forward to the Verizon Security
center in Virginia, and I did mention the Chinese scans. I also
contacted my firewall software company, sent them a partial log, and
explained that strange hacker activity had increased and that I was
concerned about being compromised. I was told by the tech who sends out
emails there that because the software company had upgraded their
software, I would see more types of scans, not that the scanning
activity had increased. That didn't satisfy me whatsoever, because this
was occurring before I upgraded.
After a while, you just get this gut feeling that no one knows what
the hell they are doing. It kind of makes one wonder if you are the only
one watching for this sort of thing. I'm sure others have had similar
occurrences showing up on their logs, though probably not many pay
attention to the patterns and related activity or understand them.
Warning Signs
Over the last two months, I have noticed irregular scanning patterns
and activity coming from the People's Republic of China, 24/7. I watch my
system like a hawk. I regularly apply Windows patches and security
software upgrades or patches, and I don't open any email on my computer,
period (secret method).
I know my computer system. I recognize the slightest change in its
performance, which includes the lack thereof. Even if I detect the
slightest change working in the background before my firewall software
gives a warning, off it goes when I'm online (experience).
The Chinese hackers have thrown the full range of hacker scan types at
me. These range from the UDP MSRPC probes, in which "someone is scanning
your system for active MSRPC services." MSRPC is Microsoft's
implementation of DCE/RPC (Distributed Computing Environment / Remote
Procedure Calls). It allows remote attackers to make function calls as
if they were operating locally on the computer, and these probes have
been frequent. Another probe arriving regularly from China has been the
UDP port probe, in which "someone has tried to access your computer's
UDP (User Datagram Protocol) ports and failed." A port is a point of
entry into a system; each Internet-enabled program running on a system
is reached through its own ports. Attackers commonly perform widespread
UDP scans searching for security weaknesses they can use to break into
systems. The scans of these types I've noticed have been plentiful over
a period of two months. Quite frankly, I've lost count.
The most disturbing pattern emerged between the dates and times
listed below. Keep in mind my computer is not online 24 hours per day or
for hours on end, and many times I turn it off when I see numerous scans
close together. Of course, the Chinese hacker scans have been ongoing up
until this present moment and before these key dates and times, but not
as concentrated as depicted below. Now I see an enormous number of
infected computers showing up trying to make contact with mine, to
infect me. But that didn't happen. It was shocking at its peak to see
how many computers were infected. At times it seemed that there was
another computer trying to contact mine every 10 seconds, as the logs
show beyond what is described below. It got to the point that I just
turned off the computer. It was simply stunning.
Date and Time, Event, Intruder, Count, Origin
8/11/2003 9:54:20 PM, TCP_Probe_MSRPC, 218.1.220.194, 1, China
8/11/2003 9:49:40 PM, UDP_Probe_Other, 218.87.86.104, 4, China
8/11/2003 9:48:23 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/11/2003 9:46:40 PM, TCP_Probe_MSRPC, FRONTEND2BDC, 2
8/11/2003 7:54:13 PM, UDP_Probe_MSRPC, 218.15.192.64, 1, China
8/11/2003 7:16:09 PM, Application Terminated, 0.0.0.0, 1
8/11/2003 7:15:40 PM, Application Terminated, 0.0.0.0, 1
8/11/2003 6:54:51 PM, TCP_Probe_MSRPC, JASON-AJO1YLXZG, 1
8/11/2003 6:46:20 PM, TCP_Probe_MSRPC, WSPINOTBLANC, 1
8/11/2003 6:44:19 PM, TCP_Probe_MSRPC, SCANNER, 1
8/11/2003 6:19:12 PM, UDP_Probe_Other, 218.87.86.104, 5, China
8/11/2003 6:17:53 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/11/2003 6:14:56 PM, UDP_Probe_Other, 218.15.192.64, 1, China
8/11/2003 5:53:12 PM, TCP_Probe_MSRPC, IHOUSE, 1
8/11/2003 5:40:29 PM, TCP_Probe_MSRPC, pool-151-204-92-246.delv.east.verizon.net, 1
8/11/2003 5:33:54 PM, UDP_Probe_Other, 218.15.192.64, 1, China
8/11/2003 11:47:57 AM, UDP_Probe_Other, 218.15.192.64, 1, China
8/11/2003 11:33:32 AM, UDP_Probe_Other, 218.87.86.104, 5, China
8/11/2003 11:32:16 AM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/11/2003 12:37:32 AM, UDP_Probe_Other, 218.15.192.64, 1, China
8/11/2003 12:15:07 AM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/11/2003 12:10:38 AM, UDP_Probe_MSRPC, 210.5.22.21, 1, China
8/10/2003 11:17:18 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/10/2003 10:48:51 PM, UDP_Probe_MSRPC, 218.15.192.64, 1, China
8/10/2003 10:47:56 PM, UDP_Probe_MSRPC, 210.5.22.21, 1, China
8/10/2003 8:46:51 PM, UDP_Probe_MSRPC, 218.15.192.64, 1, China
8/10/2003 8:38:02 PM, UDP_Probe_MSRPC, 210.5.22.22, 1, China
8/10/2003 4:09:56 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/10/2003 4:07:05 PM, UDP_Probe_MSRPC, 210.5.22.20, 1, China
8/10/2003 10:53:08 AM, TCP_Probe_Other, ftp.x10.com, 2
8/10/2003 10:49:01 AM, TCP_Probe_Other, ftp.x10.com, 6
8/10/2003 10:09:59 AM, UDP_Probe_MSRPC, 218.15.192.64, 1, China
8/10/2003 5:29:06 AM, UDP_Probe_Other, dialup-64.156.39.12.Dial1.Denver1.Level3.net, 1
8/10/2003 5:29:06 AM, UDP_Probe_MSRPC, dialup-64.156.39.12.Dial1.Denver1.Level3.net, 1
8/10/2003 5:27:18 AM, UDP_Probe_MSRPC, adsl-63-193-133-36.dsl.lsan03.pacbell.net, 2
8/9/2003 8:31:23 PM, UDP_Probe_MSRPC, 000795DEED49, 1, China
8/9/2003 8:18:29 PM, UDP_Probe_MSRPC, 000795DEAD6B, 1, China
8/9/2003 8:09:29 PM, UDP_Probe_Other, 218.15.192.64, 1, China
8/9/2003 7:56:33 PM, UDP_Probe_Other, 218.87.86.104, 5, China
8/9/2003 7:55:14 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/9/2003 6:52:40 PM, UDP_Probe_Other, 218.15.192.64, 1, China
8/9/2003 4:42:59 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/9/2003 3:37:15 PM, UDP_Probe_MSRPC, 210.5.22.11, 1, China
8/9/2003 3:33:42 PM, UDP_Probe_Other, l8.cache.vip.dal.yahoo.com, 15
8/9/2003 3:17:34 PM, UDP_Probe_MSRPC, 218.15.192.64, 1, China
8/9/2003 2:24:24 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/8/2003 9:48:13 PM, UDP_Probe_MSRPC, 210.5.22.22, 1, China
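The log above is the kind of data a home firewall hands you: one alert per row, a source, a hit count, and sometimes a country tag. What the author did by eye (notice that the same few addresses keep coming back, and that MSRPC probes cluster on consecutive days) can be done mechanically. The following Python is an added example, not part of the original article or of the author's firewall product; it parses rows in the comma-separated layout of the table, sums probe counts per source, and reports any source that probed MSRPC on two or more distinct days. The excerpt of rows embedded in the script is copied from the table above; the regex, function names and the "two distinct days" threshold are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Rows copied from the firewall log above, in its comma-separated layout:
# "date time, event, intruder, count[, origin]". The origin column is only
# present on rows the firewall tagged with a country.
LOG_EXCERPT = """\
8/11/2003 9:54:20 PM, TCP_Probe_MSRPC, 218.1.220.194, 1, China
8/11/2003 9:49:40 PM, UDP_Probe_Other, 218.87.86.104, 4, China
8/11/2003 9:48:23 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/11/2003 9:46:40 PM, TCP_Probe_MSRPC, FRONTEND2BDC, 2
8/11/2003 7:16:09 PM, Application Terminated, 0.0.0.0, 1
8/11/2003 6:44:19 PM, TCP_Probe_MSRPC, SCANNER, 1
8/11/2003 6:19:12 PM, UDP_Probe_Other, 218.87.86.104, 5, China
8/11/2003 12:10:38 AM, UDP_Probe_MSRPC, 210.5.22.21, 1, China
8/10/2003 11:17:18 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/10/2003 10:47:56 PM, UDP_Probe_MSRPC, 210.5.22.21, 1, China
8/10/2003 10:49:01 AM, TCP_Probe_Other, ftp.x10.com, 6
8/9/2003 7:55:14 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/9/2003 3:37:15 PM, UDP_Probe_MSRPC, 210.5.22.11, 1, China
8/8/2003 9:48:13 PM, UDP_Probe_MSRPC, 210.5.22.22, 1, China
"""

# One row: timestamp, event name, intruder (IP or hostname), count, optional origin.
ROW_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M),\s*"
    r"(?P<event>[^,]+),\s*(?P<intruder>[^,]+),\s*(?P<count>\d+)"
    r"(?:,\s*(?P<origin>[^,]+))?\s*$"
)


def parse_log(text):
    """Turn the comma-separated rows into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "when": datetime.strptime(m["when"], "%m/%d/%Y %I:%M:%S %p"),
            "event": m["event"].strip(),
            "intruder": m["intruder"].strip(),
            "count": int(m["count"]),
            "origin": (m["origin"] or "").strip(),
        })
    return records


def probes_by_source(records, origin=None):
    """Sum the Count column per intruder for probe events, optionally for one origin."""
    totals = Counter()
    for r in records:
        if "Probe" not in r["event"]:
            continue  # ignore local rows such as "Application Terminated"
        if origin is None or r["origin"] == origin:
            totals[r["intruder"]] += r["count"]
    return totals


def repeat_msrpc_scanners(records, min_days=2):
    """Sources that probed MSRPC (TCP or UDP) on at least min_days distinct days."""
    days = defaultdict(set)
    for r in records:
        if r["event"].endswith("_MSRPC"):
            days[r["intruder"]].add(r["when"].date())
    return sorted(src for src, d in days.items() if len(d) >= min_days)


if __name__ == "__main__":
    recs = parse_log(LOG_EXCERPT)
    print(f"{len(recs)} rows parsed")
    for src, n in probes_by_source(recs, origin="China").most_common():
        print(f"{n:3d} probe(s) from {src}")
    print("MSRPC probes on 2+ days:", repeat_msrpc_scanners(recs))
```

On the excerpt, 218.87.86.104 alone accounts for 12 of the 17 China-tagged probe hits, and two sources (210.5.22.21 and 218.87.86.104) return for MSRPC probes on more than one day. Whatever one makes of the attribution, that is the repeat-scanner pattern worth alerting on, and a small script like this is more reliable than watching the alert popup by hand.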
The Worms
Blaster and all of its variant forms reportedly started their first
concentrated attack on Monday, Aug. 11, 2003. But Microsoft reported a
known defect and warned of the problem July 16 and made a free
corrective patch available. Microsoft probably knew of the problem some
time before, and I am surmising that they had to come up with a patch
prior to any announcement.
The code written into the worm causes Windows XP, Windows 2000 and
Windows NT 4.0 systems to shut down and reboot without a command from
the operator, then go hunting for other vulnerable computers to infect.
Also, the later variants installed a backdoor (a way to get in) which
could essentially take control of your computer to steal files, delete
files and information, and so on. Depending on what your computer does,
and who you are, an intrusion like this could cause a serious compromise
of your system and of the company you work for.
The Possibility
Now just suppose you are one of those who work at the upper management
and control level for a utility company, either at the main monitoring
control or a sub-station somewhere, or possibly even operating
wirelessly, but all tied into what is known as the SCADA system. SCADA
stands for "Supervisory Control And Data Acquisition"; it sometimes
utilizes the Windows XP, NT and 2000 operating systems and is connected
to the internet. To pose this plausible scenario, let's start with this.
The system administrator of a power plant monitoring facility hasn't
followed the rules in keeping up with the security patches. Could the
system become infected with the Blaster worm or its variants? Yes. Could
a hacker gain entry through this lapse in security? Yes, since it is
connected to the internet through Windows-based servers. Could the worm
infect the Windows-based servers connected to the SCADA system? Yes, and
it could spread throughout the rest of the Windows-based system via
other computers (controllers) within the same system, since they are all
interconnected and connected to the internet. This is a prime example of
how a cyber attack and a catastrophic, interconnected rippling effect
could occur. Of course there are other possible scenarios too. But to
me, this one seems to make the most sense. There were just too many
redundant safeguards in place that failed, and over quite a distance.
Where This Goes
If it weren't for all of the hacker scanning activity from China that
has taken place over the last two months, peaking on the same day as the
first reports of concentrated attacks by the Blaster worm, I probably
wouldn't have taken such an interest or drawn such a possible connection
to the northeast quadrant blackout, in which irregular transmission
activity has been reported all around the same time frame. As anyone can
see from the firewall log above, there definitely was a strange
confluence of events within the same time frame. Quite possibly all
interrelated and interconnected via the internet.