I used Wireshark to analyze the pcap. Tcpdump is a good choice as well, if one is familiar with how to use its filters. One of my favorite features of Wireshark is the File/Export Objects menu item; I exported the HTTP objects to gather some interesting artifacts. Malware can't always be found this way, because some malware authors use more sophisticated methods of hiding it, such as encryption, obfuscation, and encoded traffic. Another one of my favorite features of Wireshark is Statistics/Protocol Hierarchy, which shows exactly which protocols and ports are in use in the capture and which of them account for the most traffic. Some protocols are readable without extra knowledge, making them easy to analyze. I also like Statistics/Conversations and Statistics/Endpoints. These helped me determine that 104.236.210.97 was being SYN flooded.
After I dumped the files into a directory, I compressed the directory and submitted it to VirusTotal. The antivirus engines on VirusTotal gave different names for the malware contained in the files. I'm inclined to believe that it's the malware used in the Bill Gates botnet, because I used the strings command in the terminal to analyze some of the malicious files, and it wasn't exactly subtle about what it was: it had "Bill" and "Gates" written all over it, literally. Some antivirus engines were calling it Elknot.
I created MD5 hashes of all of the files in the directory to see whether some of the files were the same, and whether the hashes were associated with other submissions to VirusTotal. I found out that the pcap itself had been submitted for analysis.
After doing research, I found out that the Bill Gates botnet malware contains some source code from Elknot, where the author(s) reused code. I also found this nice PDF about the Bill Gates botnet:
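As an added example (mine, not the author's workflow or tooling), here is how the "same file?" check by hash can be scripted over an export directory. It reads each file once and feeds both MD5 (the value VirusTotal and most reports still accept for lookup) and SHA-256 (the one to rely on for a "same file" conclusion, since MD5 collisions are cheap to produce), then groups files by SHA-256. The directory and file contents are constructed placeholders standing in for the exported objects, not the real artifacts from the pcap.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def digests(path, algos=("md5", "sha256")):
    """Hash a file once, updating every requested algorithm from the same read."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def group_by_hash(directory):
    """Map sha256 -> sorted list of (filename, md5) for every file under directory."""
    groups = defaultdict(list)
    for root, _, names in os.walk(directory):
        for name in names:
            d = digests(os.path.join(root, name))
            groups[d["sha256"]].append((name, d["md5"]))
    return {k: sorted(v) for k, v in groups.items()}


def duplicates(groups):
    """Keep only the hash groups that contain more than one file name."""
    return {k: [name for name, _ in v] for k, v in groups.items() if len(v) > 1}


def md5_lookup_list(groups):
    """One MD5 per distinct file: what you would actually paste into a VirusTotal search."""
    return sorted({v[0][1] for v in groups.values()})


def demo_export_dir():
    """Constructed stand-in for a Wireshark export directory (placeholder bytes, not real artifacts)."""
    tmp = tempfile.mkdtemp(prefix="export-")
    files = {
        "back.pl": b"#!/usr/bin/perl\n# placeholder for the exported perl script\n",
        "back(1).pl": b"#!/usr/bin/perl\n# placeholder for the exported perl script\n",
        "nc.exe": b"MZ placeholder for the exported netcat binary\n",
        "nc(1).exe": b"MZ placeholder for the exported netcat binary\n",
        "java.log": b"\x7fELF placeholder for an exported ELF file\n",
    }
    for name, data in files.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
    return tmp


if __name__ == "__main__":
    groups = group_by_hash(demo_export_dir())
    for sha, names in duplicates(groups).items():
        print(sha[:16], "...", names)
    print("distinct files to look up:", md5_lookup_list(groups))
```

The same grouping on the real export directory would collapse back.pl/back(1).pl, nc.exe/nc(1).exe, SYN/Trustr and so on into single lookups, and would immediately show that every .deb in the capture has one and the same hash.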
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf
The advisory describes a tcpdump filter to find the initial communication to a command & control server. When running the filter on this pcap, there was communication from 104.236.210.97 —> 118.192.137.245. The 118.192.137.245 IP address was submitted to VirusTotal, which shows that malicious files have been served from this IP address, including some of the artifacts in this pcap. The malware served from the website includes the WebToos Trojan, the Prockill-A rootkit, and a backdoor/downloader.
I'm listing some of the artifacts found in this pcap below:
The files that VirusTotal found to be malicious were:
back(1).pl —> 3 of 57 scanners noted that it was malicious
-backdoor
-trojan
-examining the file using the strings command, one finds that it is a perl script that sends a shell to the person using it.
-according to the MD5 hash, this file is the same file as back.pl
back.pl —> 3 of 57 scanners noted that it was malicious
-backdoor
-trojan
-examining the file, one finds that it is a perl script that sends a shell to the person using it.
-according to the MD5 hash, this file is the same file as back(1).pl
2.6.32 —> 27 of 55 scanners determined that it was malicious
-Linux Exploit
-Trojan
-CVE-2013-2094
-Cornet GEN 1364(B)
java.log —> 29 of 55 scanners determined that it was malicious
-Linux Billgates.G
-Backdoor
-SETag
-DDOS
-Chikdos
SYN_1902 —> 31 of 56 scanners determined that it was malicious
-Linux Billgates.G
-Backdoor
-SETag
-DDOS
-Chikdos
xmapp —> 33 of 56 scanners determined that it was malicious
-Backdoor.Gates.9
-Backdoor
-SETag
-Elknot-AE
-Chikdos
Trustr —> 33 of 55 scanners determined that it was malicious
-Linux Billgates.G
-Elknot_AE
-SETag
-Gates.9
-Backdoor
-Trojan
-according to MD5 hash, it is the same file as SYN
16081 —> 33 of 55 found that this file was malicious
-Linux Billgates.G
-SETag
-Backdoor
-Trojan
SYN —> 33 of 55 scanners determined that it was malicious
-Linux Billgates.G
-Elknot_AE
-SETag
-Gates.9
-Backdoor
-Trojan
-according to MD5 hash, it is the same file as Trustr
nc.exe —> 38 of 57 scanners determined that it was malicious
-riskware
-hack tool
-example of a false positive. nc.exe isn't usually malicious in and of itself. It is used to create connections between computers.
-according to MD5 hash, it is the same file as nc(1).exe.
nc(1).exe—> 38 of 57 scanners determined that it was malicious
-riskware
-hack tool
-example of a false positive. nc.exe isn't usually malicious in and of itself. It is used to create connections between computers.
-according to MD5 hash, it is the same file as nc.exe.
winappes.exe —> 52 of 58 scanners found this file to be malicious
-Backdoor
-Trojan
-Win32.Prockill.A
-Eldorado
-Rootkit
-Webtoos
-according to MD5 hash, same file as Windows_1902
Windows_1902—> 52 of 58 scanners found this file to be malicious
-Backdoor
-Trojan
-Win32.Prockill.A
-Eldorado
-Rootkit
-Webtoos
-Gates.8
-Artemis
-according to MD5 hash, same file as winappes.exe
Other files were not detected as malicious, but they were suspicious.
%2F
-according to MD5 hash, same file as index.html.1 and index.html(1).1
-when using strings on this file, there is a link to a website that explains how to create an HTTP File Server (HFS): http://www.rejetto.com/hfs
-this file is written in HTML, indicating that it may be a web page, and it has malicious files as image sources. If someone requests the page, these files will be downloaded.
index.html.1
-according to MD5 hash, same file as %2F and index.html(1).1
-when using strings on this file, there is a link to a website that explains how to create an HTTP File Server (HFS): http://www.rejetto.com/hfs
-this file is written in HTML, indicating that it may be a web page, and it has malicious files as image sources. If someone requests the page, these files will be downloaded.
index.html(1).1
-according to MD5 hash, same file as %2F and index.html.1
-when using strings on this file, there is a link to a website that explains how to create an HTTP File Server (HFS): http://www.rejetto.com/hfs
-this file is written in HTML, indicating that it may be a web page, and it has malicious files as image sources. If someone requests the page, these files will be downloaded.
Files with the same hash that were not detected as malicious. These are suspicious. (When looking up the hash of these files on VirusTotal, someone indicated that it is "snorkerz.bat". They state that it is a CRDF.Malware.Generic.1117511951.)
cfbeaf604823f038b8b46f0ac862b98c ./apache2_2.4.18-2ubuntu3.1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./apache2-bin_2.4.18-2ubuntu3.1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./apache2-data_2.4.18-2ubuntu3.1_all.deb
cfbeaf604823f038b8b46f0ac862b98c ./apache2-utils_2.4.18-2ubuntu3.1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./libapr1_1.5.2-3_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./libaprutil1_1.5.4-1build1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./libaprutil1-dbd-sqlite3_1.5.4-1build1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./libaprutil1-ldap_1.5.4-1build1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./liblua5.1-0_5.1.5-8ubuntu1_amd64.deb
cfbeaf604823f038b8b46f0ac862b98c ./ssl-cert_1.0.37_all.deb
I tried to write a Snort rule to find the initial C&C communication as described in the article, but I'm not familiar with writing Snort rules.
This may result in many false positives. This rule is based on the tcpdump filter for detecting the initial connection between the compromised computer and the command and control (C&C) server.
# Matches a TCP payload whose first four bytes are 01 00 00 00 (depth 4) followed anywhere later by 3a 47 (distance 0).
# flow: restricts it to client-to-server packets in established sessions; sid/rev are required for Snort to load the rule.
alert tcp any any -> any any (msg:"Potential communication with Bill Gates C&C"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|3a 47|"; distance:0; sid:1000001; rev:1;)
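To make concrete what the tcpdump filter and the Snort rule above actually test, and how the Conversations/Endpoints statistics mentioned at the top of the post expose a SYN flood, here is an added Python example (mine, not code from this post or from the Akamai advisory). It builds a small constructed pcap in memory (Ethernet/IPv4/TCP frames with zeroed checksums), parses it with the standard library only, counts bare SYNs per destination, and applies the same byte pattern as the rule: 01 00 00 00 at payload offset 0 followed later by 3a 47. The two IP addresses are the ones from the capture; the ports, timestamps, MAC addresses and the payload bytes beyond that pattern are made up, and the pattern itself is taken from the rule as written rather than verified against BillGates samples.

```python
import struct
from collections import Counter

SYN, ACK, PSH = 0x02, 0x10, 0x08
# Byte pattern copied from the Snort rule (taken as written, not verified against samples).
CNC_PREFIX = b"\x01\x00\x00\x00"
CNC_MARKER = b"\x3a\x47"


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left zero; the parser never checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4


def build_pcap(frames):
    """Serialize frames as a classic little-endian pcap (magic a1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1500000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP packet in a pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[13], tcp[doff:]


def syn_flood_targets(pcap, threshold=20):
    """Count bare SYNs (SYN set, ACK clear) per destination, the view Statistics/Endpoints gives you."""
    counts = Counter(dst for _, dst, _, _, flags, _ in iter_tcp(pcap)
                     if flags & SYN and not flags & ACK)
    return {dst: n for dst, n in counts.items() if n >= threshold}


def cnc_beacons(pcap):
    """Same test as the Snort rule: prefix at offset 0 (depth 4), marker anywhere after it (distance 0)."""
    return [(src, dst, dport) for src, dst, _, dport, _, payload in iter_tcp(pcap)
            if payload[:4] == CNC_PREFIX and CNC_MARKER in payload[4:]]


def sample_pcap():
    """Constructed capture: 25 SYNs at 104.236.210.97, one beacon to 118.192.137.245, one benign GET."""
    frames = [tcp_frame("10.0.%d.%d" % (i // 256, i % 256), "104.236.210.97", 40000 + i, 80, SYN)
              for i in range(25)]
    # Hypothetical C&C port and filler bytes; only the prefix/marker pattern comes from the rule.
    frames.append(tcp_frame("104.236.210.97", "118.192.137.245", 51234, 36000, ACK | PSH,
                            CNC_PREFIX + b"\x00\x00\x00\x00" + CNC_MARKER + b"\x00" * 10))
    frames.append(tcp_frame("10.0.0.5", "104.236.210.97", 50000, 80, ACK | PSH,
                            b"GET / HTTP/1.1\r\nHost: 104.236.210.97\r\n\r\n"))
    return build_pcap(frames)


if __name__ == "__main__":
    cap = sample_pcap()
    print("SYN flood targets:", syn_flood_targets(cap))
    print("C&C beacons:", cnc_beacons(cap))
```

The four-byte prefix is the only anchored part of the pattern; 3a 47 may sit anywhere later in the payload, which is why the rule is prone to false positives on any protocol that starts a message with a little-endian 1. Running the same two checks over the real capture (swap sample_pcap() for open(path, "rb").read()) reproduces the author's two findings: the SYN counts pile up on 104.236.210.97, and the beacon check singles out its traffic to 118.192.137.245.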
I found an article with rules for detecting SIPvicious. http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html