
Intrusion Detection FAQ: What was the Ring Zero scan?

Massive scanning for proxies/possible Trojan activity
Stephen Northcutt
Updated October 11, 1999 22:00 EST

Thank you for responding, this is the latest information that we have been able to piece together!

Problem:
On October 7, 1999, SANS Network Professionals, in cooperation with the Internet community, identified a new scan pattern for proxies on ports 80, 8080, and 3128. The story of this attack is called "Hunt for RingZero." The PowerPoint slides describe this threat, how to recognize its behavior, the steps used to isolate this program, and methods for tracing the origin of this malicious program. View the PowerPoint slides to download them.

History:
Sep. 30, 18:00 EST. The SANS community has detected massive Internet-wide scanning for proxies on ports 8080 and 3128. SANS participants from around the world are reporting scans on port 80 (the common port for the World Wide Web), 8080 (a common location for a proxy), 3128 (Squid proxy), and occasionally other 8000-series ports. There is no evidence of accurate targeting; in many cases the target system does not exist. We have further reports that Windows-based Trojans are a primary cause of this activity.

To Investigate:
The Trojan may be called RingZero. If you have OUTBOUND traffic to ports 80, 8080, and 3128, you may want to examine the system the traffic originated from. One system administrator has reported finding pieces of the code, specifically a file called its.exe and a file called Ring0.vxd. Special thanks to Ron Marcum, Network Security Officer, Vanderbilt University, for finding the Trojan. Four sites have submitted evidence that at least one site involved in this is www.rusftpsearch.net. If you are able to inspect the content of the probe for port 3128 and it is for something other than www.rusftpsearch.net, please let us know immediately.

Action To Take:
If your site does NOT use proxies on ports 8080 and 3128 and you can block these incoming services, that is probably a good idea. If you do use proxies, you should check whether they are open to the public; you may wish to restrict them to your site's use only.

How To Help The Community:
We do not need any more traces with 8080 and 3128; we have over two hundred. Thanks to those who sent them; they were very helpful. We need to find the client program(s) that are generating this activity. There is a possibility of a Trojan or malware (a new term being used at NSA for software that is designed to do harm). If:
  1. your site does not use proxies and
  2. you see OUTGOING 8080 or 3128 from any system at your site,
PLEASE contact the owner of the system and work together to determine what software or process is causing the connections to occur. Also, if you have pst.pl running on your web server, please examine your logs for odd connections and examine your homepage and web tree source for odd ".cgi" files such as checkproxy.cgi. If you find these or have further information, please send them to us: mail info@sans.org with 3128 in the subject line. The most current data will be posted at the SANS web server, www.sans.org.
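The check described above (a site that does not run proxies, yet sees OUTGOING 8080 or 3128 from its own hosts) can be run over firewall or flow logs. The following is an added example and is not SANS code or part of the original FAQ; the log line format, the 10.0.0.0/8 internal range, and the fan-out threshold are assumptions, and the sample lines are constructed. It flags internal sources that connect outward to the proxy ports named on this page, and reports the ones that reach many distinct external targets, which is the scan-like behaviour the history section describes (targets that in many cases do not even exist).

```python
"""Flag internal hosts making outbound connections to proxy ports 80/8080/3128.

Added example; not from the SANS RingZero FAQ. Log format, internal range and
threshold are assumptions made for illustration.
"""
from collections import defaultdict
import ipaddress
import re

# Ports named on the page as the targets of the RingZero scanning.
PROXY_PORTS = {80, 8080, 3128}
# Assumption: the site's own address space.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed firewall-style log lines:
#   "<timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>"
SAMPLE_LOG = """\
1999-10-07T18:00:01 10.1.2.3:1034 -> 192.0.2.10:3128 TCP
1999-10-07T18:00:02 10.1.2.3:1035 -> 192.0.2.11:8080 TCP
1999-10-07T18:00:03 10.1.2.3:1036 -> 192.0.2.12:3128 TCP
1999-10-07T18:00:04 10.1.2.3:1037 -> 198.51.100.5:80 TCP
1999-10-07T18:00:05 10.1.9.9:1100 -> 198.51.100.7:80 TCP
1999-10-07T18:00:06 203.0.113.4:2222 -> 10.1.2.3:3128 TCP
this line is not a connection record and is skipped
1999-10-07T18:00:07 10.1.2.3:1038 -> 192.0.2.13:8080 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def outbound_proxy_connections(log_text):
    """Return parsed records that leave INTERNAL_NET for an external proxy port.

    Inbound probes (external source, internal destination) are deliberately
    excluded: the page already has plenty of those traces, and the question
    here is which local systems are generating outbound connections.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["src"] in INTERNAL_NET
                and rec["dst"] not in INTERNAL_NET
                and rec["dport"] in PROXY_PORTS):
            hits.append(rec)
    return hits


def suspect_hosts(log_text, min_distinct_targets=3):
    """Map each internal source to the distinct (dst, port) pairs it reached.

    Only sources that fanned out to at least min_distinct_targets external
    targets are kept; a single outbound web fetch is normal, a spread across
    many unrelated hosts on proxy ports is what a scanner produces.
    """
    targets = defaultdict(set)
    for rec in outbound_proxy_connections(log_text):
        targets[str(rec["src"])].add((str(rec["dst"]), rec["dport"]))
    return {src: sorted(t) for src, t in targets.items()
            if len(t) >= min_distinct_targets}


if __name__ == "__main__":
    for src, tgts in suspect_hosts(SAMPLE_LOG).items():
        print(f"{src}: {len(tgts)} distinct proxy-port targets, "
              f"e.g. {tgts[:3]}  <- examine this system")
```

On the constructed sample, 10.1.2.3 is reported (five distinct external targets on 80/8080/3128) while 10.1.9.9, which made one ordinary port 80 connection, is not; the inbound probe from 203.0.113.4 is ignored. A site that does run a proxy would add its proxy's address to an allow list before applying the threshold.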