Adventures In Cyber Challenges: January 2016

Sunday, January 10, 2016

SANS ICS Cyber Security Challenge Write-Up-Part 7

402 – Malicious Traffic Analysis

Objectives

Demonstrate Skills Related to Analyzing and Detecting Malicious Network Traffic.

Background: This challenge will use the traffic capture identified as “Challenge Traffic Capture 2.pcap”. It is important to be able to identify and analyze malicious communications in an ICS. This challenge will test those skills as well as the creation of IDS rules.

Questions

What two ICS Protocols are in this traffic capture?
How many control system related clients are there and what are their IP addresses?
What malicious activity is occurring in the traffic?
What malicious script is found in the traffic?
What specific actions is the script performing?
What impact could this have on the ICS and why?
Create a Snort IDS Signature that would detect on the malicious activity or capability without generating many false positives. Supplying the text or a screenshot of the signature is sufficient.

Answers

Modbus, DNP3
There are 3 ICS related clients. The masters, including the IP of malicious intent, are: 10.25.22.101, 10.25.22.103, 10.25.22.105.
I uploaded it to Virus Total because it has snort rules. Note: It could have false positives. Here is what was found:

PROTOCOL-ICMP unassigned type 1 undefined code (Misc activity) [459]

OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (Generic Protocol Command Decode) [16400]

PROTOCOL-SCADA Modbus read coils from external source (Generic Protocol Command Decode) [17788]

INDICATOR-SHELLCODE ssh CRC32 overflow filler (Executable code was detected) [1325]

PROTOCOL-SCADA Modbus read discrete inputs from external source (Generic Protocol Command Decode) [17787]

PROTOCOL-SCADA Modbus write single coil from external source (Generic Protocol Command Decode) [17784]

FILE-IDENTIFY Microsoft Windows Address Book file magic detected (Misc activity) [9639]

OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt (Generic Protocol Command Decode) [3000]

DELETED NETBIOS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (Attempted User Privilege Gain) [20541]

FILE-EXECUTABLE Portable Executable binary file magic detected (Potential Corporate Privacy Violation) [15306]

(spp_modbus): Length in Modbus MBAP header does not match the length needed for the given Modbus function. (Generic Protocol Command Decode) [1]

SERVER-SAMBA Samba wildcard filename matching denial of service attempt (Attempted Denial of Service) [15581]

FILE-EXECUTABLE Microsoft Windows executable file load from SMB share attempt (Potential Corporate Privacy Violation) [17210]

INDICATOR-SCAN UPnP service discover attempt (Detection of a Network Scan) [1917]

PROTOCOL-ICMP Destination Unreachable Port Unreachable (Misc activity) [402]

OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (Attempted User Privilege Gain) [18206]

DELETED NETBIOS SMB named pipe bruteforce attempt (Attempted Information Leak) [26322]

PROTOCOL-SNMP public access udp (Attempted Information Leak) [1411]

DELETED OS-WINDOWS Microsoft Windows wab32res.dll dll-load exploit attempt (Attempted User Privilege Gain) [21633]

(spp_dnp3): DNP3 Link-Layer Frame was dropped. (Generic Protocol Command Decode) [2]

PROTOCOL-ICMP IPv6 multicast neighbor add attempt (Misc activity) [24303]

PROTOCOL-ICMP Truncated ICMPv6 denial of service attempt (Detection of a Denial of Service Attack) [27611]

DELETED BAD TRAFFIC Non-Standard IP protocol (Detection of a non-standard protocol or event) [1620]

INDICATOR-SCAN UPnP WANIPConnection (Detection of a Network Scan) [28003]

INDICATOR-SCAN UPnP WANPPPConnection (Detection of a Network Scan) [28002]

DELETED WEB-IIS header field buffer overflow attempt (Web Application Attack) [1768]

OS-WINDOWS Microsoft Windows UPnP malformed advertisement (Misc Attack) [1384]

DELETED NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt (Detection of a Denial of Service Attack) [2102]

PROTOCOL-SNMP request udp (Attempted Information Leak) [1417]

:loop

mbtget.pl -w5 1 -a 1 10.25.22.3

mbtget.pl -w5 1 -a 2 10.25.22.5

mbtget.pl -w5 1 -a 3 10.25.22.6

mbtget.pl -w5 1 -a 4 10.25.22.8

mbtget.pl -w5 1 -a 5 10.25.22.25

GOTO loop

5. It’s writing the word value 1 at addresses 10.25.22.3, 10.25.22.5, 10.25.22.6, 10.25.22.8, and 10.25.22.25. It’s doing it in a loop, which means that it’s doing it more than once.

6. It’s changing the value of a single coil on those ICSs, which means that whatever switches those particular ICSs are controlling can turn on. So, for instance, if it was controlling flood gates, this may cause flood gates to open and flood an area, which would be bad. I’m also wondering if it’s in a loop because it’s causing a denial of service? If the ICSs are busy processing those queries, that means that they may not be processing anything else?

7. __________________________________

Walkthrough (Show How You Got Your Answers)

https://github.com/sourceperl/mbtget

1 and 3) I uploaded this pcap to Virus Total. I’m not well versed in analyzing traffic, so I thought that I could use a tool to help me. Virus Total has snort rules. I realize that some of the answers could be false positives, and that the rules are only as good as the people who wrote them, but I think that most of the information is true. For answer 1, it showed a DNP3 frame dropped. I checked the traffic, and 10.25.22.105 was using port 20000 which is the DNP3 port.

2) I assume that the client is the master, because that’s the one doing the querying, but considering that I haven’t taken a course on ICSs, I thought that I could try to get partial credit for providing the information that I feel that I’m familiar with. The slaves are: 10.25.22.3, 10.25.22.5, 10.25.22.6, and 10.25.22.8.

4) 10.25.22.105 was looking a bit suspicious, with all of it’s port activity, so I looked up that particular IP address, followed the TCP traffic, and found the script. *I created a screen filter in Wireshark to show only that IP Address*

5 and 6) I looked mbtget.pl online to find out what it is and what it does.

7) I’m not sure how to write Snort rules. I wish that I had more time. I will look it up.

SANS ICS Cyber Security Challenge Write-Up-Part 6

401 – Threat Analysis

Objectives

Demonstrate Skills Related to Analyzing a Campaign.

Background: This challenge will build off of 400. It is important to be able to recognize individual intrusions as linked when they are part of a larger campaign. The Cyber Kill Chain by Lockheed Martin analysts was useful for analyzing intrusions and identifying links between them to define an adversary campaign. The ICS Cyber Kill Chain was developed by members of the SANS ICS team to analyze identified ICS related campaigns.

Questions

What was the campaign associated with the previously identified piece of malware?
Using open source information about the campaign map the campaign’s stages to the ICS Cyber Kill Chain’s steps and stages. Not all phases will be represented. As an example, the campaign had no observable Reconnaissance performed. Provide an original sentence or two about each step discussing the observed activity.

Answers

The Havex malware is associated with more than one campaign name: Dragonfly, Energetic Bear/Crouching Yeti-It depends on which antivirus company was observing it. The one in our example appears to have been compiled in November of 2013, judging by the time stamp on Virus Total. That doesn’t mean that it was made in 2013. The different campaigns typically reuse malware.
There were actually 3 different types of known intrusions for Havex. I think that it’s the first one, based on the mutexes that I found. One mutex was associated with an exploited Flash Player vulnerability. I also found a mutex associated with an e-mail worm.

First Havex Intrusion:

Stage 1: Cyber Intrusion Preparation and Execution

Planning:

Reconnaissance-None Observed. Just because reconnaissance wasn’t observed, doesn’t mean that it didn’t happen. People were sent spear phishing e-mails. They had to figure out who to send the spear phishing e-mails to.

Preparation

Weaponization: They put a malicious attachment on a spear-fishing e-mail.

Targeting: The ICS’s that the people who received the spear-phishing e-mails used were the target.

Cyber Intrusion:

Delivery: The delivery mechanism was a malicious e-mail attachment.

Exploit: When the user opened the file, it exploited the system. The file was a pdf embedded with an exploit that took advantage of a Flash vulnerability.

Install: A Remote Access Trojan (rat) is installed that allows someone to remotely connect into the device and issue commands.

Modify: The malicious file modifies existing dlls by placing API hooks into them, it also modifies registry keys, and places autoruns entries so that the malicious process starts at the start up of the machine.

Management and Enablement:

C2: The malware has the ability to gather information about the ICS devices on the network, and it sends this information to C&Cs. These C&Cs instruct the malware to download and execute further components. It uses existing COM interfaces to connect to specific services.

Sustainment, Entrenchment, Development and Execution:

Act: It scans a network for ICS connected devices. It gathers information about the ICS connected devices and exfiltrates that information to a command and control system.

Stage 2: ICS Attack

In this particular campaign, ICS Attacks have not been observed.

https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

http://www.pcworld.com/article/2367240/new-havex-malware-variants-target-industrial-control-system-and-scada-users.html

Walkthrough (Show How You Got Your Answers)

I analyzed the memory image using volatility and Virus Total. I located evidence that appeared to support my conclusion. I looked for other evidence of compromise, as well, to make certain that my conclusion was correct.
I used the evidence gathered, and my favorite search engine to search for the ICS kill chain’s steps and stages as well as a description of each step and stage. Then I simply added the appropriate information to each step and stage as I understood it.

SANS ICS Cyber Security Challenge Write-Up-Part 5

400 – Indicators of Compromise

Objectives

Demonstrate Skills Related to Created IOCs from the Threat from Challenge 303.

Background: For this challenge you will use the memory image provided identified as “Infected-Memory-Image”. You will analyze the threat in a more comprehensive manner demonstrating your ability to create indicators of compromise (IOCs) for use by incident responders.

Questions

What is the digital hash of the malware on the system?
What is the malware?
Develop a tailored YARA rule that will match the threat but not generate a lot of false positives on other Windows based systems. You should provide a screenshot of the YARA rule or the text of the rule and not the rule file. It is recommended that you test the rule against an image you acquire from a Windows system as to eliminate obvious false positives (such as including lsass.exe in the rule).*These are most likely not correct.*
Develop another IOC for the indicators observed from the threat in any other IOC format of your choice (must be an existing IOC format) *I didn't get around to doing this. I think that I will try even though I'm no longer eligible for a reward. I like writing the yara rules.*

Answers

bddd4e2b84fa2ad61eb065e7797270ff
Havex
I put the answer in the description below. I tried my best with the knowledge and indicators that I have. Hopefully they are at least partially correct. I don’t have any experience with this at all.
I’m currently researching OpenIOC. I’m submitting a partial submission right now because I’m running out of time. I am trying the Holiday Hack Challenge as well. Hopefully I have time to complete this.

Walkthrough (Show How You Got Your Answers)

1 & 2. From 303 Solution: My solution was simple. I found the name of the file that was being analyzed. The file name was bddd4e2b84fa2ad61eb065e7797270ff.exe. I first saw it in the filescan plugin file that I had made. I found it in the timeliner text file as well. That span of number and characters looked like the digital has that was given to me in the last problem. So, I uploaded it to Virus Total. Sure enough, 35 out of 55 antivirus software found it as malicious. It looks like the Havex malware. To confirm my finding, I looked at the “netscan.txt” file that I made with volatility. This is what I saw:

cat netscan.txt | grep "bddd4e2b84fa2a"

0x38c8dcf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x3a642a20 TCPv4 -:49928 172.16.192.164:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x3a89d010 TCPv4 -:49924 172.16.192.14:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x3accacf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x40942cf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x43770160 TCPv4 -:49927 172.16.192.64:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x460ad350 TCPv4 -:49925 172.16.192.114:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x59dba160 TCPv4 -:49927 172.16.192.64:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x65f1da20 TCPv4 -:49928 172.16.192.164:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x667e2cf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a

0x7ce079f0 TCPv4 -:50258 172.16.192.214:44818 SYN_SENT 1976 bddd4e2b84fa2a

0x7d4e2ba0 TCPv4 -:50257 172.16.192.114:44818 SYN_SENT 1976 bddd4e2b84fa2a

0x7d613500 TCPv4 -:50260 172.16.192.164:44818 SYN_SENT 1976 bddd4e2b84fa2a

0x7f805cf0 TCPv4 -:50256 172.16.192.14:44818 SYN_SENT 1976 bddd4e2b84fa2a

0x7faa3180 TCPv4 -:50259 172.16.192.64:44818 SYN_SENT 1976 bddd4e2b84fa2a

So, it looks like a bunch of SYN packets are being sent out over the port 12401 and over port 44818. Port 12401 is the port utilized by the Interactive Graphical SCADA System (IGSS), which is utilized for monitoring and controlling industrial processes. Port 44818 is the port that is used for the Ethernet/IP or RSLink protocols. Both of these ports are targeted by Havex malware.

//Yara rules that detect the Havex Network Scanning Module

rule Havex_Network_Scanning_Module

{

strings:

$assemblyxmlns = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">" nocase wide ascii

$trustinfoxmlns = "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" nocase wide ascii

$security = "<security>" nocase wide ascii

$requestedprivs = "<requestedPrivileges>" nocase wide ascii

$requestedexecutionlev = "<requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" nocase wide ascii

$endrequestedprivs = "</requestedPrivileges>" nocase wide ascii

$endsecurity = "</security>" nocase wide ascii

$endtrustinfo = "</trustInfo>" nocase wide ascii

$endassemblyxmlns = "</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" nocase wide ascii

condition:

all of them

}

rule Havex_File_Created

{

strings:

$createtracedfile = "\\AppData\\Local\\Temp\\~tracedscn.yls" nocase ascii wide

condition:

$createtracedfile

}

rule Havex_Used_DLLs

{

strings:

$mswsock = "c:\\windows\\system32\\mswsock.dll" nocase ascii wide

$dnsapi = "dnsapi.dll" nocase ascii wide

$rpcrt4 = "rpcrt4.dll" nocase ascii wide

$winrnr = "c:\\windows\\system32\\winrnr.dll" nocase ascii wide

$rasadhelp = "rasadhlp.dll" nocase ascii wide

$hnetcfg = "hnetcfg.dll" nocase ascii wide

$wshtcpip = "c:\\windows\\system32\\wshtcpip.dll" nocase ascii wide

condition:

4 of ($mswsock,$dnsapi,$rpcrt4,$winrnr,$rasadhelp,$hnetcfg,$wshtcpip)

}

rule Havex_Write_Mutex

{

strings:

$writemutex = "WriteMutex" nocase ascii wide

condition:

$writemutex

}

SANS ICS Cyber Security Challenge Write-Up-Part 4

303 – Memory Analysis of an Infected HMI

Objectives

Demonstrate Skills Related to Identifying Malware in a Memory Image of an Infected HMI.

Background: For this challenge you will use the memory image provided identified as “Infected-Memory-Image”. Note that there is real malware inside the memory image. It cannot infect your system as it is however if you carve out the malware and execute it on your system it will infect it. This takes work to do and thus without intentionally performing these steps you run no risk of being infected.

Often, incident response in ICS requires lightweight acquisition, such as acquiring memory vs. the entire disk, and requires timely analysis of Windows control systems such as an HMI. Using any memory analysis tools you would like analyze the image and answer the questions below.

Questions

What is the IP address of the system?
When was the digital acquisition performed?
What malicious process was running on the system at the time of acquisition?
(Open-ended) What other interesting activity can be observed on the image?

Answers

The IP Address of the system is: 172.16.192.200.
The digital acquisition was performed on 1-23-2015 at 01:25:34 AM UTC.
The malicious process that was running on the system at the time of acquisition was bddd4e2b84fa2ad61eb065e7797270ff.exe with a PID of 1976
There are some ICS protocols in the netscan, namely Ethernet/IP on port 44818, and Modbus on port 502. A process called “Runtime.exe” with a PID of 1476 established a connection from the local machine to another machine using the Modbus protocol.

The machine being analyzed is a Virtual Machine. VMWare tools was installed on it. It also has VMWare drivers.

I found an interesting plugin called, “ethscan” that produced a pcap of potential traffic between this machine and other machines. I’ve read that it can have a lot of false positives. This particular network was made up of 4 Raspberry devices, 1 ASUS, and one Virtual Machine. It looks as though one of the Raspberry devices was configured to pretend to be a traffic control light. I saw it mentioned in the “shellbags” plugin.

Registry: \??\C:\Users\Robert Lee\AppData\Local\Microsoft\Windows\UsrClass.dat

Key: Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0

Last updated: 2015-01-22 18:15:01 UTC+0000

Value Mru File Name Modified Date Create Date Access Date File Attr Path

------- ----- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ----

0 0 CYBATI~1 2015-01-22 13:01:24 UTC+0000 2015-01-22 13:01:24 UTC+0000 2015-01-22 13:01:24 UTC+0000 DIR Users\CYBATI\Desktop\CybatiWorks_RASPI_5_TrafficLight

I was warned that this image has malware on it that could infect my machine if I’m not careful. I went ahead and extracted the files using the “dumpfiles” plugin. I made sure that I didn’t open anything. I was also on a VM without VMWare tools installed, and no Internet Connection. I had the network interface disabled. I made a snapshot to return to the previous settings, just in case. The risk was worth it in my estimation. In one of the PID 1976 files, which is the malicious process, I found this: (I cut the output that wasn’t interesting to me.) *I don't know what normal is. This looked odd to me at the time. I've since learned that some processes can have this in them.*

strings file.1976.0xfffffa801a04f1c0

</requestedPrivileges>

</security>

</trustInfo>

</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

This looks suspicious to me, especially considering that Havex is known to use xml. I uploaded the file to Virus Total, and it indicated that it is a trojan. Nano Antivirus: Trojan.Win32.Havex.dyufsj , Kaspersky: Trojan-Spy.Win32.HavexNetscan.b

It looks like the virtual machine may have been infected with the Simda A Rootkit. I checked some names of drivers because I’m not familiar with most of them, and Virus Total showed that this driver, Wdf01000.sys, may indicate the presence of a rootkit.

https://www.virustotal.com/en/file/aed8575924b627281fee830a078399ed41550434cae4fd72d763324b871c88ee/analysis/

I also followed the directions from the SANS forensics poster about how to detect a rootkit, and I’m not certain, but I think that it indicated that there is a rootkit on the image.

vol.py -f Infected-Memory-Image --profile=Win7SP0x64 ssdt | egrep -v 'ntosk|win32k'

Volatility Foundation Volatility Framework 2.4

[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...

Finding appropriate address space for tables...

SSDT[0] at fffff800028cf300 with 401 entries

SSDT[1] at fffff96000151f00 with 827 entries

I looked for hooked SSDT functions.

vol.py --profile=Win7SP0x64 -f Infected-Memory-Image driverirp --regex=tcpip | grep IRP | egrep -vi '(tcip|ntos)'

Volatility Foundation Volatility Framework 2.4

0 IRP_MJ_CREATE 0xfffff880019de070 tcpip.sys

2 IRP_MJ_CLOSE 0xfffff880019de070 tcpip.sys

14 IRP_MJ_DEVICE_CONTROL 0xfffff88001917fd0 tcpip.sys

15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xfffff880019de070 tcpip.sys

18 IRP_MJ_CLEANUP 0xfffff880019de070 tcpip.sys

0 IRP_MJ_CREATE 0xfffff880019de070 tcpip.sys

2 IRP_MJ_CLOSE 0xfffff880019de070 tcpip.sys

14 IRP_MJ_DEVICE_CONTROL 0xfffff88001917fd0 tcpip.sys

15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xfffff880019de070 tcpip.sys

18 IRP_MJ_CLEANUP 0xfffff880019de070 tcpip.sys

0 IRP_MJ_CREATE 0xfffff880019de070 tcpip.sys

2 IRP_MJ_CLOSE 0xfffff880019de070 tcpip.sys

14 IRP_MJ_DEVICE_CONTROL 0xfffff88001917fd0 tcpip.sys

15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xfffff880019de070 tcpip.sys

18 IRP_MJ_CLEANUP 0xfffff880019de070 tcpip.sys

0 IRP_MJ_CREATE 0xfffff880019de070 tcpip.sys

2 IRP_MJ_CLOSE 0xfffff880019de070 tcpip.sys

14 IRP_MJ_DEVICE_CONTROL 0xfffff88001917fd0 tcpip.sys

15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xfffff880019de070 tcpip.sys

18 IRP_MJ_CLEANUP 0xfffff880019de070 tcpip.sys

0 IRP_MJ_CREATE 0xfffff880019de070 tcpip.sys

2 IRP_MJ_CLOSE 0xfffff880019de070 tcpip.sys

14 IRP_MJ_DEVICE_CONTROL 0xfffff88001917fd0 tcpip.sys

15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xfffff880019de070 tcpip.sys

18 IRP_MJ_CLEANUP 0xfffff880019de070 tcpip.sys

I’m wondering if the host machine was infected as well as the guest. A couple of the dlls, dnsapi.dll and RPCRT4.dll, associated with the malicious Havex process was doing something with the vmtoolsd.exe PID 1244. The malicious process may have just been checking for the presence of a VM. Some are programmed not to run if they encounter a VM. Other malicious processes are programmed to do some nasty things. The ethscan traffic showed an Asus computer, which could be the host. So, if the host and guest were running in bridged mode, it’s possible, although unlikely, for the host to be infected as well as the guest. I unfortunately, don’t know what to look for for proof of that.

The “uninstallinfo” plugin text file that I made showed a bunch of unicode characters when opened with gedit. Most of them were Chinese characters. I used the terminal to try to read the same file, and this is what printed on the screen. If you look closely, you can see that some files were reported to have been removed on 7-14-2009. I think that the removed files were from the Havex malware trying to keep itself from being detected. Malware puts false dates on creation and removal to hinder analysis. The same dates are on the registry keys created by the malware, and the autoruns created by the malware.

cat uninstallinfo.txt

Legend: (S) = Stable (V) = Volatile

----------------------------

Registry: \SystemRoot\System32\Config\SOFTWARE

Key name: Uninstall (S)

Last updated: 2015-01-22 13:03:30 UTC+0000

Subkeys:

Subkey: AddressBook