Event Analysis Training - Run NT and Pay the Price
Most large enterprise networks have a few legacy systems around – either because they were “forgotten” or because they support an old application that was never ported to a newer release. Such legacy systems can be the Achilles’ heel of network security.
The following sanitized screen shot comes from one of Tenable’s research sites:
What we are looking at (click on it to see a high resolution image) is a Windows NT 4.0 system that has been “forgotten” and is also being controlled as part of a botnet. This blog entry will discuss how the above Security Center screen shot can be analyzed to arrive at this conclusion.
Analyzing IDS Events
The Security Center can process network IDS events from a wide variety of sources including application specific detections from the Passive Vulnerability Scanner (PVS). The primary focus of the PVS is to passively identify all client and server applications in network traffic and generate an alert when there are specific vulnerabilities associated with them. In the case of botnet traffic, a certain percentage of HTTP, IRC and other client detection rules implemented by Tenable for the PVS will often highlight compromised systems.
In the above screen shot, the Security Center user has listed IDS events and focused on a system that had multiple “Generic BOTNET Client Detection” events. Regardless of what type of network monitoring solution you use (Snort, TippingPoint, etc.), I tend to find the signatures that look for “known” botnet and command and control events to be very reliable with a low false positive rate.
Another example of this was detected by the Snort sensor also running in this environment, with the Emerging Threats signature set. One of the interesting rules in that signature set is to look for IRC traffic on ports not normally associated with IRC, such as port 80:
The above screen was generated by analyzing logs gathered with the Log Correlation Engine (LCE).
How do we know it is an NT 4 System?
Nessus has a very sophisticated operating system identification system designed for IT audits. It uses the most reliable forms of system fingerprinting available.
In this case, the remote system was detected as being Windows NT 4.0 through interaction with the MS RPC service as shown below:
This same network also had the PVS running on it, and it also fingerprinted it as NT 4.0:
Looking at the Windows User Management set of plugins (shown below) we can see a few that have been protected. In particular, plugin 10907 checks if the Guest account belongs to a group, which was very common on NT 4.0 default installations.
How do we know it is forgotten?
Determining that a computer has been “forgotten” is more a matter of opinion than something that can be detected with a plugin. Let’s ask some questions:
Why would a Windows NT 4.0 system still be around? Perhaps the server is part of an embedded device such as a medical system, printer or other legacy service. In this case however, there were no unknown services on this host and no other “odd” devices on the network this computer was on.
Why would it not be in DNS? If you notice on the popup “System Information Summary” screen, the DNS name for this IP address is unknown. If a system on a large corporate network is not part of DNS or the AD, there is a good chance that the IT group does not know about this system.
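The reasoning above (repeated botnet client detections, IRC on a port not normally used for IRC, an NT 4.0 fingerprint, a Guest account in a group, and no DNS name) can be turned into a small correlation script. This is an added example, not Tenable or Security Center code; the key=value event format, the asset table and the host addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed IDS/PVS alert lines (a simplified key=value format, not a real
# Security Center export). One line per alert.
EVENTS = """\
src=10.20.30.41 dport=80 sensor=pvs sig="Generic BOTNET Client Detection"
src=10.20.30.41 dport=80 sensor=pvs sig="Generic BOTNET Client Detection"
src=10.20.30.41 dport=80 sensor=pvs sig="Generic BOTNET Client Detection"
src=10.20.30.41 dport=80 sensor=snort sig="IRC traffic on non-standard port"
src=10.20.30.77 dport=443 sensor=pvs sig="HTTP client version detected"
src=10.20.30.77 dport=80 sensor=pvs sig="Generic BOTNET Client Detection"
"""

# Constructed asset context of the kind Nessus/PVS and a DNS lookup provide.
ASSETS = {
    "10.20.30.41": {"os": "Windows NT 4.0", "dns": None, "guest_in_group": True},
    "10.20.30.77": {"os": "Windows XP", "dns": "ws77.corp.example", "guest_in_group": False},
}

IRC_PORTS = {6667, 6668, 6669, 6697}   # ports where IRC is expected
LINE_RE = re.compile(r'src=(\S+) dport=(\d+) sensor=(\w+) sig="([^"]*)"')

def parse_events(text):
    """Parse the constructed alert lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"src": m.group(1), "dport": int(m.group(2)),
                           "sensor": m.group(3), "sig": m.group(4)})
    return events

def triage(events, assets, botnet_threshold=2):
    """Return {host: [reasons]} for hosts showing the indicators discussed above."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["src"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        reasons = []
        botnet = sum("BOTNET" in e["sig"].upper() for e in evs)
        if botnet >= botnet_threshold:          # one hit may be noise; repeats are not
            reasons.append(f"{botnet} botnet client detections")
        odd_irc = {str(e["dport"]) for e in evs
                   if "IRC" in e["sig"].upper().split() and e["dport"] not in IRC_PORTS}
        if odd_irc:
            reasons.append("IRC on non-IRC port(s): " + ",".join(sorted(odd_irc)))
        a = assets.get(host, {})
        if a.get("os", "").startswith("Windows NT 4"):
            reasons.append("end-of-life OS: " + a["os"])
        if a.get("dns") is None:                # not in DNS: likely unmanaged
            reasons.append("no DNS name (possibly unmanaged)")
        if a.get("guest_in_group"):             # NT 4.0 default, see plugin 10907
            reasons.append("Guest account is a group member")
        if reasons:
            findings[host] = reasons
    return findings
```

Hosts with only a single botnet detection and a normal asset profile (10.20.30.77 here) are left out, so the output is the short list an analyst would open the “System Information Summary” for.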
How Could this System Have Been Exploited?
The LCE was running on this network for some time, but the botnet activity was only recently discovered. There were no inbound network connections that resulted in “attack” events or other types of correlated activity. One day, the “guest” account simply was part of a group. There are many “LAN” aware worms, such as SirCam and Nimda variants, that look for local network shares in an attempt to exploit more computers. It is quite likely that this NT 4.0 system fell victim to a worm-style attack.
For More Information
Microsoft runs a web page of their products which have been “end of lifed” (EOL) here:
In particular, Windows NT has been EOL’ed since December 31st 2004. It contains many vulnerabilities that Microsoft has not offered patches for.
There may be many good reasons for having an older computer system on your network. A great example would be running an older software application that was never ported to a newer OS platform. You might not have a choice either: it is possible that Windows NT comes as part of your printer, phone system, security camera or other type of embedded application.
Regardless, being able to identify these types of systems on an ongoing basis is very useful. If the system is needed, you can develop a risk mitigating strategy to compensate for any vulnerabilities associated with these unsupported operating systems. If the system is not needed, it can be removed from the network, thus closing the security exposure.