Internet Malicious Miscreant

Internet Malicious Miscreants Muhammad Najmi bin Ahmad Zabidi [email protected] 29th June 2010


A talk delivered at Berjaya Times Square Kuala Lumpur Malaysia on 29th June 2010, talking about malicious adversaries in the wild and containment actions.

Transcript of Internet Malicious Miscreant

Page 1: Internet Malicious Miscreant

Internet Malicious Miscreants

Muhammad Najmi bin Ahmad [email protected]

29th June 2010

Page 2: Internet Malicious Miscreant

Agenda I

1 Brief background

2 Internet Malicious Miscreant

3 Threats: Protecting people, Protecting money, Protecting integrity

4 Attack vectors

5 Type of attacks

6 Prevention

7 Domain Name System

8 Malware: Intro, Deception

9 Attack Containment/Prevention

Page 3: Internet Malicious Miscreant

Agenda II

9 (continued) Attack Containment/Prevention: Honeypotting, Malware analysis, Encryption in Malware

10 Libemu: Example of libemu in action

11 Honeypots: SSH-based honeypot; Misc protocol based honeypots - Amun, Honeytrap, Mwcollect, Nepenthes, Dionaea

12 Special section - Dionaea: SQLite

Page 4: Internet Malicious Miscreant

Agenda III

13 Visualization: Gnuplot, Afterglow+Graphviz, Dionaea in action

14 Interpreting outputs: Some statistics of incoming IPs

Page 5: Internet Malicious Miscreant

Brief background

A full time academic staff member of International Islamic University Malaysia (IIUM/UIA)

Full time student working on his research degree at Universiti Teknologi Malaysia, Skudai, Johor Bahru

Page 6: Internet Malicious Miscreant

Internet Malicious Miscreant

Focus today

Understand the threats

Focus on malicious creations on the Net

Look at several attack vectors

Containment, prevention workarounds

Page 7: Internet Malicious Miscreant

Threats

Threats and things to protect

Protecting:

You, your family and the people who are important around you

Your belongings (money, for example)

Your integrity (we come to this later)

Page 10: Internet Malicious Miscreant

Threats

Protecting people

Protecting people

Your data and your pictures might be highly sensitive

Online social networks are very enjoyable, but also something you have to worry about

Default settings are the least to be trusted; take some time to fine-tune them

For example, Company X, which has the most popular online social network on earth, doesn't seem bothered about your privacy

In some sense, that is fair: after all, why share at all if you want them to be private? Keep them in your own storage instead

Page 15: Internet Malicious Miscreant

Threats

Protecting money

Example of stolen credit cards for sale

Page 16: Internet Malicious Miscreant

Threats

Protecting money

Page 17: Internet Malicious Miscreant

Threats

Protecting integrity

Beware of your webcam; it may be activated without you realizing

Identity theft, which may affect the previous points (money, for example)

Page 18: Internet Malicious Miscreant

Attack vectors

Example: People side

Vulnerable people

Need frequent knowledge/advice/tazkirah (reminders)

Prey and victim at the same time (the people who attack and the victim)

Example: Machine side

Vulnerable host

Needs frequent updates/patches

Prey and victim at the same time (a machine that was compromised, and later becomes a stepping stone to attack)

Page 21: Internet Malicious Miscreant

Type of attacks

Methods of attack

The following is my suggestion on the types of attacks (although disputable): Active attacks

Defacement

DDoS

XSS

Page 24: Internet Malicious Miscreant

Type of attacks

Methods of attack

Passive attack

Worms - although this is vague; it depends on several issues, such as network connections

Phishing

PDF exploits

Anything of the drive-by-download type

Page 28: Internet Malicious Miscreant

Prevention

Success stories of underground economy containment

University of California Santa Barbara (UCSB) taking over the Torpig botnet, aka botnet infiltration

Microsoft won the Waledac shutdown in court

Spanish police arrested three for the Mariposa botnet

Figure 1: Fringe Season 2 Ep 23

Page 29: Internet Malicious Miscreant

Domain Name System

Threats

DNS Poisoning

Happens in the "cache" server

Attacks a certain population (say, if the cache nameserver for Organization X was attacked, it only happens there)

Deceiving users into, say, exposing online banking PINs or passwords

Fast-flux network

Victim is preyed upon to follow/click the bait URL

Able to deceive everyone on the Internet

Serving malware, spam, extreme p0rn, on bulletproof webhosting

Characteristics: one domain maps to a lot of IPs, with a short Time to Live (TTL)
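The two characteristics above (many IPs behind one name, short TTL) can be turned into a simple triage heuristic. The following is an added example, not part of the talk: it scores constructed DNS lookups and also requires the IPs to be spread over several /16 networks, since flux nodes are compromised hosts in unrelated networks whereas a CDN's many IPs sit in one provider range. The thresholds (300 s, 5 IPs, 3 networks) are assumptions for illustration.

```python
"""Fast-flux heuristic over constructed DNS observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Observation:
    domain: str
    ttl: int      # TTL returned with the A records, in seconds
    ips: tuple    # A records returned by this single lookup


def network_prefix(ip: str, bits: int = 16) -> str:
    """Return the /bits network of an IPv4 address, e.g. '203.0.0.0/16'."""
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return f"{ip_address(int(ip_address(ip)) & mask)}/{bits}"


def summarise(observations):
    """Per domain: lowest TTL seen, distinct IPs, distinct /16 networks."""
    per_domain = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set()})
    for obs in observations:
        d = per_domain[obs.domain]
        d["min_ttl"] = obs.ttl if d["min_ttl"] is None else min(d["min_ttl"], obs.ttl)
        d["ips"].update(obs.ips)
        d["nets"].update(network_prefix(ip) for ip in obs.ips)
    return per_domain


def is_fast_flux(summary, max_ttl=300, min_ips=5, min_nets=3):
    """Flag only when the TTL is short AND the pool is large AND spread out.
    Thresholds are illustrative assumptions, not values from the talk."""
    return (summary["min_ttl"] <= max_ttl
            and len(summary["ips"]) >= min_ips
            and len(summary["nets"]) >= min_nets)


def classify(observations, **thresholds):
    """Return {domain: True/False} for every domain in the observations."""
    return {dom: is_fast_flux(s, **thresholds)
            for dom, s in summarise(observations).items()}


# Constructed sample: repeated lookups of three names over a few minutes.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE = [
    Observation("flux.example", 180, ("192.0.2.10", "198.51.100.7", "203.0.113.4")),
    Observation("flux.example", 180, ("192.0.2.11", "198.51.100.9", "203.0.113.40")),
    Observation("flux.example", 120, ("203.0.113.77", "198.51.100.7", "192.0.2.12")),
    # CDN-like name: short TTL and many IPs, but all inside one provider /16.
    Observation("cdn.example", 60, ("198.51.100.1", "198.51.100.2", "198.51.100.3")),
    Observation("cdn.example", 60, ("198.51.100.4", "198.51.100.5", "198.51.100.6")),
    # Ordinary site: a single IP with a day-long TTL.
    Observation("static.example", 86400, ("192.0.2.1",)),
]

if __name__ == "__main__":
    for dom, flagged in classify(SAMPLE).items():
        print(f"{dom}: {'fast-flux suspect' if flagged else 'ok'}")
```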

Page 33: Internet Malicious Miscreant

Domain Name System

DNS Poisoning

Picture taken from http://www.technicalinfo.net/papers/Pharming2.html

Page 34: Internet Malicious Miscreant

Domain Name System

Fast-flux network

Picture taken from Honeynet's website

Page 35: Internet Malicious Miscreant

Domain Name System

Fast-flux animation

Source: http://www.f-secure.com/weblog/archives/fastflux.gif


Page 36: Internet Malicious Miscreant

Domain Name System

Source: Fortinet

Page 37: Internet Malicious Miscreant

Domain Name System

Source: Fortinet

Page 38: Internet Malicious Miscreant

Malware

Intro

Malware

Malware needs to be collected for analysis

In order to collect, it has to be recognized first

To recognize malware, it must have a pattern

Do you watch the Fringe TV series, where Agent Dunham and the Bishops deal with "the Pattern"?

Remember, malware is software, so how do we differentiate a benign program from a malicious one?

Page 43: Internet Malicious Miscreant

Malware

Deception

The way the bad guys do their job...

The simplest example: drive-by-download style

Tell people to click interesting links; create some money, funny pics, or p0rn.

Once clicked, they might already be infected, or at least they will be once they have installed the fake software.

Another example: rogue antivirus/free AV. And some even need you to buy...

Page 44: Internet Malicious Miscreant

Attack Containment/Prevention

If the attack is difficult to stop, at least we can decrease the level of the adversaries from time to time

Security is a process, remember!

Page 45: Internet Malicious Miscreant

Attack Containment/Prevention

Honeypotting

Emulating vulnerable machines/services

Depends on your resources or purpose

Page 46: Internet Malicious Miscreant

Attack Containment/Prevention

Honeypotting

Light interaction honeypot

Kippo

Kojoney

Nepenthes/Dionaea

Mwcollect

Page 47: Internet Malicious Miscreant

Attack Containment/Prevention

Malware analysis

Ways of doing analysis

Malware analysis - static and dynamic

Static means we have to decompile or do some reverse engineering exercise

Dynamic, however, needs us to execute the malware and monitor its behavior

Page 50: Internet Malicious Miscreant

Attack Containment/Prevention

Encryption in Malware

Finding XOR with XORSearch

Page 51: Internet Malicious Miscreant

Attack Containment/Prevention

Encryption in Malware

Using Amun internal utils

/opt/dionaea/var/dionaea/binaries/4a6e5980ad7d1a4bbe71ec46fa96755e
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: kernel32
>> found plaintext: CreateProcessA
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls
>> done

/opt/dionaea/var/dionaea/binaries/d7904fa2b3bba7bde11c01073a4b1fdf
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: possible windows cmd
>> found plaintext: kernel32
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls
>> done

/opt/dionaea/var/dionaea/binaries/dd128e54320ce15ab7e3c1f0648740be
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: possible windows cmd
>> found plaintext: kernel32
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls
>> done

Page 52: Internet Malicious Miscreant

Attack Containment/Prevention

Encryption in Malware

Later, search for strings with XORSearch

dd128e54320ce15ab7e3c1f0648740be

Found XOR 00 position 9DC34: http://broker.adobe.com/Acrobat/index.cgi

Found XOR 00 position E7BE8: http://mail.ru/:StringDatat_play....vk.

Found XOR 00 position E7D7C: http....nk

Found XOR 00 position E7DD0: http://mail.ru/:StringIndex

Found XOR 00 position E7F8C: http. Found XOR 00 position E7F94: http....vk.

Found XOR 00 position E8070: http://win.mail.ru/cgi-bin/auth:StringData

Found XOR 00 position E81A8: http://win.mail.ru/cgi-bin/auth:StringIndex

Found XOR 00 position E8330: https://www.google.com/accounts/ServiceLogin:Strin

...

Found XOR 00 position E84E0: https://www.google.com/accounts/ServiceLogin:Strin

Found XOR 00 position F1B0B: http://www.usertrust.com1.0...U....UTN-USERFirst-H

Found XOR 00 position F1D7B: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl

Found XOR 00 position F1DB5: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0.

Found XOR 00 position F1E04: http://crt.comodoca.com/UTNAddTrustServerCA.crt09.

Found XOR 00 position F1E41: http://crt.comodo.net/UTNAddTrustServerCA.crt0...*

Found XOR 00 position F23BC: http://www.public-trust.com/CPS/OmniRoot.html0...U

Found XOR 00 position F2498: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.c

...

... and so on
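What XORSearch does under the hood is simple: try every single-byte key on the file and report where a search string appears after decoding, so "XOR 00" hits are plaintext and any other key points at an obfuscated string. The following is an added example (not XORSearch itself) that reimplements that brute force on a constructed buffer holding one plaintext URL and one hidden under key 0x4B; the domains are placeholders.

```python
"""Single-byte XOR string search, the technique behind XORSearch (added example)."""


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def printable_run(decoded: bytes, start: int, limit: int = 50) -> str:
    """Printable-ASCII run starting at `start`, capped like XORSearch's preview."""
    out = []
    for b in decoded[start:start + limit]:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def xor_search(data: bytes, needle: bytes = b"http", keys=range(256)):
    """Return [(key, offset, preview)] for each key under which needle appears."""
    hits = []
    for key in keys:
        decoded = xor_bytes(data, key)
        pos = decoded.find(needle)
        while pos != -1:
            hits.append((key, pos, printable_run(decoded, pos)))
            pos = decoded.find(needle, pos + 1)
    return hits


def format_hit(hit) -> str:
    """Render a hit in the 'Found XOR KK position OFFSET: text' style."""
    key, offset, preview = hit
    return f"Found XOR {key:02X} position {offset:X}: {preview}"


def build_sample() -> bytes:
    """Constructed sample: a plaintext URL (like the CRL URLs that a signed
    binary's certificate chain leaves in the clear) and a URL hidden under
    key 0x4B, separated by non-printable filler bytes."""
    filler = bytes(range(0x80, 0xC0))                      # 64 bytes
    plain = b"http://crl.example.invalid/ca.crl\x00"       # 34 bytes, key 00
    hidden = xor_bytes(b"http://c2.example.invalid/gate.php\x00", 0x4B)
    return filler + plain + filler + hidden + filler


if __name__ == "__main__":
    for hit in xor_search(build_sample()):
        print(format_hit(hit))
```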

Page 53: Internet Malicious Miscreant

Attack Containment/Prevention

Encryption in Malware

Finding XOR with xray

Page 54: Internet Malicious Miscreant

Libemu

Libemu. From Libemu's website:

Features

executing x86 instructions

reading x86 binary code

register emulation

shellcode execution

shellcode detection

static analysis

win32 api hooking

Using libemu one can:

Benefits

detect shellcodes

execute the shellcodes

profile shellcode behaviour

Page 55: Internet Malicious Miscreant

Libemu

Example of libemu in action

Step 1

Let's say we have such a collection of PDF exploits ...

Page 56: Internet Malicious Miscreant

Libemu

Example of libemu in action

Step 2

They are PDFs, but malicious ones ...

Page 57: Internet Malicious Miscreant

Libemu

Example of libemu in action

Step 3

Checking the PDFs using AV . . .

Page 58: Internet Malicious Miscreant

Libemu

Example of libemu in action

Step 4

Now, using a PDF decoder, we strip the suspected shellcode . . .

Page 59: Internet Malicious Miscreant

Libemu

Example of libemu in action

Step 5

Put them into a blank text file ...

Page 60: Internet Malicious Miscreant

Libemu

Example of libemu in action

Step 6

By using libemu's tool "sctest" ...

Page 61: Internet Malicious Miscreant

Libemu

Example of libemu in action

Step 7

We get a nicely drawn flow graph ...

Page 62: Internet Malicious Miscreant

Honeypots

SSH-based honeypot

Kippo Honeypot

Page 63: Internet Malicious Miscreant

Honeypots

SSH-based honeypot

Kippo Honeypot

Page 64: Internet Malicious Miscreant

Honeypots

Misc protocol based honeypot-Amun

Amun honeypot I

.::[Amun - Main] ready for evil orders: ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204 (Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco (Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204 (Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco (Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204 (Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204 (Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204 (Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco (Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204 (Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204 (Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco (Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204 (Bytes: 25) ::.
.::[Amun - shellcode_manager] found langenfeld xor decoder (key: 153) ::.
.::[Amun - shellcode_manager] found langenfeld shellcode (key: 153 port: 56, ip: 222.XX.XX.61) ::.

Page 65: Internet Malicious Miscreant

Honeypots

Misc protocol based honeypot-Amun

Amun honeypot II

Page 66: Internet Malicious Miscreant

Honeypots

Misc protocol based honeypot-Amun

Got something?

.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download (key: 19, ip: 115.XX.XX.245, file: ssms.exe) ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download (key: 19, ip: 115.XX.XX.165, file: ssms.exe) ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download (key: 19, ip: 115.XX.XX.168, file: ssms.exe) ::.
.::[Amun - submit_md5] download (tftp://115.XX.XX.165:69/ssms.exe): e269d0462eb2b0b70d5e64dcd7c676cd (size: 154624) - DCOM ::.
.::[Amun - submit_anubis] could not submit sample to anubis: 404 timed out ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download (key: 19, ip: 115.XX.XX.165, file: ssms.exe) ::.
.::[Amun - submit_md5] download (tftp://115.XX.XX.165:69/ssms.exe): a3e695427fca4fe11ae06a196286de0b (size: 155648) - DCOM ::.
.::[Amun - submit_anubis] submit anubis successfull ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.

Page 67: Internet Malicious Miscreant

Honeypots

Misc protocol based honeypot-Amun

Other caught binaries ;-)

.::[Amun - Main] ready for evil orders: ::.
.::[Amun - shellcode_manager] found furth xor decoder (key: 119) ::.
.::[Amun - ftp_download] ftp waiting data connection on port: 192.168.2.2:60624 ::.
.::[Amun - ftp_download] ftp connect to: 218.xx.xx.227 2689 (user: 123 pass: 123) ::.
.::[Amun - shellcode_manager] found download URL: http://174.xx.xx.11:5688/x.exe ::.
.::[Amun - submit_md5] download (http://174.xx.xx.11:5688/x.exe): f45285574eb804f7b7431fcbb1323908 (size: 16897) - LSASS ::.
.::[Amun - submit_anubis] submit anubis successfull ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.
.::[Amun - shellcode_manager] found furth xor decoder (key: 119) ::.
.::[Amun - ftp_download] ftp waiting data connection on port: 192.168.2.2:62672 ::.
.::[Amun - ftp_download] ftp connect to: 218.xx.xx.227 2689 (user: 123 pass: 123) ::.
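The Amun slides above are read by eye, but the same lines are easy to parse: each event sits between ".::[Amun - module]" and "::.", and the submit_md5 lines carry everything needed for triage (download URL, MD5, size, exploited vulnerability). The following is an added example, not Amun's own code, that builds a sample inventory from a log constructed out of lines in the shape shown on these slides (IPs masked as on the slides).

```python
"""Turn Amun honeypot log lines into a sample inventory (added example)."""
import re
from collections import Counter, defaultdict

# One Amun event per line: ".::[Amun - <module>] <message> ::."
LINE = re.compile(r"^\.::\[Amun - (?P<module>\w+)\] (?P<msg>.*?) ::\.$")
DECODER = re.compile(r"found (?P<family>\w+) xor decoder \(key: (?P<key>\d+)\)")
DOWNLOAD = re.compile(
    r"download \((?P<url>[^)]+)\): (?P<md5>[0-9a-fA-F]{32}) "
    r"\(size: (?P<size>\d+)\) - (?P<vuln>\w+)")
# Only the "<ip>:<port>" form of CHECK Incoming identifies the probing host.
CHECK = re.compile(r"CHECK Incoming: (?P<src>\d+\.[\w.]+):(?P<port>\d+) \(Bytes: (?P<n>\d+)\)")


def parse_line(line):
    """Return (module, message) for an Amun log line, or None for other text."""
    m = LINE.match(line.strip())
    return (m.group("module"), m.group("msg")) if m else None


def inventory(lines):
    """Aggregate decoders seen, binaries captured and probing hosts."""
    inv = {"decoders": Counter(), "samples": {}, "by_vuln": Counter(),
           "probes": Counter(), "urls_by_md5": defaultdict(set)}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        module, msg = parsed
        if module == "shellcode_manager" and (m := DECODER.search(msg)):
            inv["decoders"][(m["family"], int(m["key"]))] += 1
        elif module == "submit_md5" and (m := DOWNLOAD.search(msg)):
            md5 = m["md5"].lower()
            if md5 not in inv["samples"]:        # count each binary once
                inv["samples"][md5] = {"size": int(m["size"]), "vuln": m["vuln"]}
                inv["by_vuln"][m["vuln"]] += 1
            inv["urls_by_md5"][md5].add(m["url"])  # but keep every source URL
        elif module == "vuln_check" and (m := CHECK.search(msg)):
            inv["probes"][m["src"]] += 1
    return inv


# Constructed log in the shape of the slides; hashes and masked IPs as shown there.
SAMPLE_LOG = """\
.::[Amun - Main] ready for evil orders: ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204 (Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco (Bytes: 7) ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download (key: 19, ip: 115.XX.XX.165, file: ssms.exe) ::.
.::[Amun - submit_md5] download (tftp://115.XX.XX.165:69/ssms.exe): e269d0462eb2b0b70d5e64dcd7c676cd (size: 154624) - DCOM ::.
.::[Amun - submit_anubis] could not submit sample to anubis: 404 timed out ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - submit_md5] download (tftp://115.XX.XX.165:69/ssms.exe): a3e695427fca4fe11ae06a196286de0b (size: 155648) - DCOM ::.
.::[Amun - shellcode_manager] found furth xor decoder (key: 119) ::.
.::[Amun - shellcode_manager] found download URL: http://174.xx.xx.11:5688/x.exe ::.
.::[Amun - submit_md5] download (http://174.xx.xx.11:5688/x.exe): f45285574eb804f7b7431fcbb1323908 (size: 16897) - LSASS ::.
.::[Amun - submit_md5] download (http://174.xx.xx.11:5688/x.exe): f45285574eb804f7b7431fcbb1323908 (size: 16897) - LSASS ::.
"""

if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG.splitlines())
    print("binaries per exploited vulnerability:", dict(inv["by_vuln"]))
    print("shellcode decoders (family, key):", dict(inv["decoders"]))
    for md5, info in inv["samples"].items():
        print(md5, info["size"], info["vuln"], sorted(inv["urls_by_md5"][md5]))
```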

Page 68: Internet Malicious Miscreant

Honeypots

Misc protocol based honeypot-Honeytrap

Honeytrap honeypot

BPF string is '((tcp[13] & 0x04 != 0 and tcp[4:4] == 0) or (icmp[0] == 3 and icmp[1] == 3)) and (src host (192.168.2.2))'.
Logging to /opt/honeytrap/honeytrap.log.
Initialization complete.
honeytrap v1.1.0 Copyright (C) 2005-2009 Tillmann Werner <tillmann.werner@gmx.de>
[2010-06-23 10:51:43] 17993 Master process pid written to /var/run/honeytrap.pid.
[2010-06-23 10:51:43] 17993 Creating pcap connection monitor.
[2010-06-23 10:51:43] 17993 Looking up device properties for eth0.
[2010-06-23 10:51:43] 17993 Creating pcap sniffer on eth0.
[2010-06-23 10:51:43] 17993 Using a 14 bytes offset for EN10MB.
[2010-06-23 10:51:43] 17993 ---- Trapping attacks on eth0 via PCAP. ----
[2010-06-23 11:05:33] 17993 218.25.11.207:6000 requesting tcp connection on 192.168.2.2:1433.
[2010-06-23 11:05:33] 17993 Port 1433/tcp has no explicit configuration.
[2010-06-23 11:05:33] 17993 Calling plugins before dynamic server setup.
[2010-06-23 11:05:33] 18127 Requesting tcp socket.
[2010-06-23 11:05:33] 18127 Socket created, file descriptor is 16.
[2010-06-23 11:05:33] 18127 Server is now running with user id 65534 and group id 65534.
[2010-06-23 11:05:33] 18127 Listening on port 1433/tcp.
[2010-06-23 11:07:33] 18127 -> 1433/tcp No incoming connection for 120 seconds - server terminated.
[2010-06-23 11:07:33] 17993 Process 17993 received signal 17 on pipe.
[2010-06-23 11:07:33] 17993 SIGCHILD received.
[2010-06-23 11:07:33] 17993 Process 18127 terminated.
[2010-06-23 11:07:33] 17993 Signal handler for SIGCHLD reinstalled.
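The BPF string at the top of that log explains how honeytrap notices an attack on a port it is not yet listening on: it captures the honeypot's own replies, either a TCP RST with sequence number 0 (what the kernel sends back for a SYN to a closed port) or an ICMP port unreachable (type 3, code 3, the UDP equivalent), and from them learns which port was probed so it can start a dynamic server there, as the log shows for 1433/tcp. The following is an added example, not honeytrap's code, that applies the same filter to constructed Ethernet frames (14-byte offset as in the log) and extracts the probed port; the attacker address 203.0.113.9 is a constructed documentation address.

```python
"""Reimplementation of honeytrap's BPF selection on constructed frames (added example)."""
import struct

HONEYPOT_IP = "192.168.2.2"     # "src host (192.168.2.2)" in the BPF string
ETH_LEN = 14                    # "Using a 14 bytes offset for EN10MB"
ETHERTYPE_IPV4 = 0x0800
TCP_RST = 0x04                  # tcp[13] & 0x04


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Ethernet + minimal IPv4 header (no options) + transport payload."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                     64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return eth + ip + payload


def build_tcp(sport: int, dport: int, seq: int, flags: int) -> bytes:
    """20-byte TCP header: ports, seq, ack, data offset, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 0, 0, 0)


def build_icmp_unreach(orig_src: str, orig_dst: str, orig_dport: int) -> bytes:
    """ICMP type 3 code 3 quoting the IP header and 8 bytes of the UDP probe."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                           ip_to_bytes(orig_src), ip_to_bytes(orig_dst))
    inner_udp = struct.pack("!HHHH", 40000, orig_dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_udp


def honeytrap_match(frame: bytes, honeypot_ip: str = HONEYPOT_IP):
    """Return ('tcp'|'udp', probed_port) if the frame passes the BPF filter, else None."""
    if len(frame) < ETH_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    if src != honeypot_ip:                       # only the honeypot's own replies
        return None
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:             # tcp[13] & 0x04 != 0 and tcp[4:4] == 0
        sport, _, seq = struct.unpack("!HHI", l4[:8])
        if l4[13] & TCP_RST and seq == 0:
            return ("tcp", sport)                # the RST leaves from the probed port
    if proto == 1 and len(l4) >= 8 + 28:         # icmp[0] == 3 and icmp[1] == 3
        if l4[0] == 3 and l4[1] == 3:
            inner = l4[8:]                       # quoted header of the UDP probe
            inner_ihl = (inner[0] & 0x0F) * 4
            dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
            return ("udp", dport)
    return None


def probed_ports(frames):
    """Ports honeytrap would open dynamically for the given capture."""
    return [m for m in (honeytrap_match(f) for f in frames) if m is not None]


# Constructed capture: a SYN to closed 1433/tcp, the kernel's RST/ACK reply,
# an RST aborting a real connection (seq != 0), and a UDP probe of port 161.
SAMPLE_FRAMES = [
    build_frame(6, "203.0.113.9", HONEYPOT_IP, build_tcp(6000, 1433, 12345, 0x02)),
    build_frame(6, HONEYPOT_IP, "203.0.113.9", build_tcp(1433, 6000, 0, 0x14)),
    build_frame(6, HONEYPOT_IP, "203.0.113.9", build_tcp(80, 5555, 99, 0x04)),
    build_frame(1, HONEYPOT_IP, "203.0.113.9",
                build_icmp_unreach("203.0.113.9", HONEYPOT_IP, 161)),
]

if __name__ == "__main__":
    for proto, port in probed_ports(SAMPLE_FRAMES):
        print(f"Port {port}/{proto} has no explicit configuration - would start a dynamic server")
```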

Page 69: Internet Malicious Miscreant

Honeypots

Misc protocol based honeypot-Mwcollect

Mwcollect

root@auber:~# mwcollectd -l
[mwcollectd ASCII-art banner]
Copyright 2009 Georg Wicherski, Kaspersky Labs GmbH <[email protected]>
This program is licensed under the GNU Lesser General Public License.
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/dynserv-nfqueue.so with configuration /opt/mwcollectd/etc/mwcollectd/dynserv-nfqueue.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/dynserv-mirror.so with configuration /opt/mwcollectd/etc/mwcollectd/dynserv-mirror.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/filestore-streams.so with configuration /opt/mwcollectd/etc/mwcollectd/filestore-streams.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/filestore-binaries.so with configuration /opt/mwcollectd/etc/mwcollectd/filestore-binaries.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/shellcode-libemu.so with no configuration...
[2010-06-23 11:44:23 INFO] Creating 1 shellcode testing threads.
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/download-tftp.so with no configuration...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/download-curl.so with no configuration...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/submit-mwserv.so with configuration /opt/mwcollectd/etc/mwcollectd/submit-mwserv.conf...
[2010-06-23 11:44:24 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/log-file.so with no configuration...
[2010-06-23 11:44:27 EVENT] ["download.result.success":xxx] { url = "https://xxx.mwcollect.org/xxx", response = "OK: 120", type = "submit-mwserv.xxx" }

Page 70: Internet Malicious Miscreant

Honeypots

Misc protocol based honeypot-Nepenthes

Nepenthes honeypot

Nepenthes Ampullaria
Nepenthes Version 0.2.2
Compiled on Linux/x86 at Dec 13 2009 18:59:06 with g++ 4.4.2
Started on notre-dame running Linux/i686 release 2.6.32-23-generic
..........
[ spam down handler module ] <in virtual bool nepenthes::CSendDownloadHandler::Init()>
[ debug down mgr ] Registerd csend download handler as handler for protocol csend (1 protocols supported)
[ debug down mgr ] Registerd creceive download handler as handler for protocol creceive (2 protocols supported)
[ debug down mgr ] Registerd ftp download handler as handler for protocol ftp (3 protocols supported)
[ debug down mgr ] Registerd http download handler as handler for protocol http (4 protocols supported)

Page 71: Internet Malicious Miscreant

Honeypots

Misc protocol based honeypot-Dionaea

Dionaea honeypot

root@auber:~# dionaea -l all,-debug -L '*'
Dionaea Version 0.1.0
Compiled on Linux/x86 at Jun 15 2010 10:44:57 with gcc 4.4.3
Started on auber running Linux/i686 release 2.6.32-22-generic
[23062010 11:41:06] dionaea dionaea.c:574: glib version 2.24.1
[23062010 11:41:06] dionaea dionaea.c:578: libev api version is 3.9
[23062010 11:41:06] dionaea dionaea.c:593: libev backend is epoll
[23062010 11:41:06] dionaea dionaea.c:596: libev default loop 0x2c11e0
....
[23062010 11:41:06] logxmpp dionaea/logxmpp.py:130: I am [email protected]/rgzUXgqL
[23062010 11:41:06] dionaea dionaea.c:727: Installing signal handlers
[23062010 11:41:06] dionaea dionaea.c:745: Creating 2 threads in pool
...
[23062010 11:41:18] logxmpp dionaea/logxmpp.py:320: trying to join [email protected]/anonymous-rgzUXgqL
[23062010 11:41:18] logxmpp dionaea/logxmpp.py:320: trying to join [email protected]/anonymous-rgzUXgqL
[23062010 11:41:19] logxmpp dionaea/logxmpp.py:346: logxmpp is online!

Page 72: Internet Malicious Miscreant

Special section - Dionaea

Dionaea-some features

Supports IPv4 and IPv6

Uses libemu

Enables binary sharing (needs XMPP support enabled)

Uses SQLite, so no log-parsing skill-fu is needed

That means you can leech somebody else's binaries and seed yours to them

Page 73: Internet Malicious Miscreant

Special section - Dionaea

Successful downloads

Page 74: Internet Malicious Miscreant

Special section - Dionaea

SQLite

SQLite in Dionaea

Page 75: Internet Malicious Miscreant

Special section - Dionaea

SQLite

Page 76: Internet Malicious Miscreant

Special section - Dionaea

SQLite

Page 77: Internet Malicious Miscreant

Visualization

Filter out the important stuff

Page 78: Internet Malicious Miscreant

Visualization

Gnuplot

Plot to Gnuplot

Page 79: Internet Malicious Miscreant

Visualization

Gnuplot

Page 80: Internet Malicious Miscreant

Visualization

Gnuplot

Page 81: Internet Malicious Miscreant

Visualization

Afterglow+Graphviz

Afterglow+Graphviz

Page 82: Internet Malicious Miscreant

Visualization

Dionaea in action

Page 83: Internet Malicious Miscreant

Interpreting outputs

Some statistics of incoming IPs

The following IPs are just examples

najmi@auber:~$ for i in `awk -F"|" {'print $1'} remotehost.txt`; do echo $i `geoiplookup $i | awk -F "GeoIP Country Edition" {'print $2'}`; done
85.190.0.3: DE, Germany
90.213.218.76: GB, United Kingdom
121.15.166.237: CN, China
60.63.217.200: CN, China
58.23.184.104: CN, China
218.28.19.229: CN, China
124.106.189.225: PH, Philippines
140.211.166.4: US, United States
89.16.176.16: GB, United Kingdom
58.25.39.221: CN, China
75.75.18.53: US, United States
221.212.121.68: CN, China
89.211.159.43: QA, Qatar
212.117.163.190: LU, Luxembourg
213.161.196.11: FR, France
125.60.241.174: PH, Philippines
218.59.235.146: CN, China

Page 84: Internet Malicious Miscreant

Interpreting outputs

Some statistics of incoming IPs

Sorting datasets I

najmi@auber:~$ cat list | sort -d | uniq -c | sort -n
1 FI, Finland
1 GR, Greece
1 HK, Hong Kong
1 LU, Luxembourg
1 MO, Macau
1 MX, Mexico
1 PK, Pakistan
1 RS, Serbia
1 RU, Russian Federation
1 SG, Singapore
2 AU, Australia
2 CO, Colombia
2 CR, Costa Rica
2 ES, Spain
2 IR, Iran, Islamic Republic of
2 NO, Norway
2 QA, Qatar
2 SE, Sweden
2 TH, Thailand
2 TW, Taiwan
3 BN, Brunei Darussalam
3 BR, Brazil
3 DE, Germany
3 GB, United Kingdom
3 KR, Korea, Republic of
4 CA, Canada

Page 85: Internet Malicious Miscreant

Interpreting outputs

Some statistics of incoming IPs

Sorting datasets II

4 IT, Italy
5 FR, France
5 IP Address not found
5 PH, Philippines
6 VN, Vietnam
8 IN, India
9 EG, Egypt
13 JP, Japan
15 TR, Turkey
17 MY, Malaysia
21 PE, Peru
24 US, United States
115 CN, China

Page 86: Internet Malicious Miscreant

Interpreting outputs

Some statistics of incoming IPs

Checking downloaded binaries

We can use any AV, or in Linux simply a CLI-based AV, or some other options, such as the following Ruby-based script from http://hammackj.com/2010/02/22/tool-virustotal-rb/:

$ cat file
042774a2b7784ee0f7462e3ce721ec0f
$ ./virustotal.rb -f file
042774a2b7784ee0f7462e3ce721ec0f: Scanner: a-squared Result: Trojan-Dropper.Win32.Paradrop!IK
042774a2b7784ee0f7462e3ce721ec0f: Scanner: AhnLab-V3 Result: Win32/Korgo.worm.10879
042774a2b7784ee0f7462e3ce721ec0f: Scanner: AntiVir Result: Worm/Korgo.I
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Antiy-AVL Result: Worm/Win32.Padobot.gen
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Authentium Result: W32/Korgo.I
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Avast Result: Win32:Korgo-G
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Avast5 Result: Win32:Korgo-G

Page 87: Internet Malicious Miscreant

- end -