Thursday, February 22, 2007

Bot C&C


The other day I browsed to a site hosting unknown malware on my home VM host as part of an investigation. Fortunately for me I also run Snort and tshark on my home network 24/7 to fully understand and capture everything that traverses my home systems. This came in very handy the other day, and I thought I would document my network investigation procedure for others to use and follow. Let me preface this with the fact that I subscribe fully to Richard Bejtlich's NSM principals. I capture both alert data and full content data for intrusion analysis. The alert data is Snort w/ both registered and bleeding rules, and the full content data is tshark running some simple BPF's at the command line logging to a "ring buffer" of ten 100M files.

This all started when I was investigating a suspicious website in my VM system. After browsing to the site, I immediately went to my IDS data to determine what happened. Snort gave me the following alert:

1 [**] [1:2404000:602] BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) [**]

This was promising. Pulling the full alert from snort an analyst can see the connection attempt to 6667 on host 161.53.178.240:

# cat alert | grep -A 5 "C&C"
[**] [1:2404000:602] BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) [**]
[Classification: A Network Trojan was detected] [Priority: 1]
02/21-10:17:54.366236 192.168.0.31:2253 -> 161.53.178.240:6667
TCP TTL:128 TOS:0x0 ID:13198 IpLen:20 DgmLen:48 DF
******S* Seq: 0xCA53141F Ack: 0x0 Win: 0xFC00 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK


A quick look at the rule shows that this IP is included in the bleeding botcc "DROP" rules:


alert ip $HOME_NET any -> [121.6.201.216,125.250.188.204,130.233.48.242,130.243.52.250,132.205.87.223,
140.115.182.242,140.123.227.100,140.131.142.236,142.231.68.25,143.225.92.103,
143.248.138.213,143.248.4.136,143.248.52.33,143.248.62.116,149.9.1.16,
151.1.191.184,154.20.114.95,161.184.175.95,161.53.178.240,163.19.35.2,
163.20.97.131,163.25.97.83,168.187.115.136,168.187.62.190,172.212.55.194,
190.49.108.103,192.116.231.44,193.109.122.67,193.109.122.77,193.13.137.194,
193.163.220.3,193.164.131.50,194.109.11.65,194.109.129.220,194.109.64.131,
194.14.236.50,194.146.226.245,194.159.164.195,194.242.45.151,194.68.45.50,
195.101.94.137,195.111.64.195,195.144.12.5,195.225.204.134,195.226.51.77,
195.47.220.2,195.50.191.12,195.68.206.250,195.68.221.221,200.31.43.33,
200.80.43.9,200.95.144.26,201.45.127.125,202.133.108.11,202.134.0.13,
202.143.132.82,202.222.19.53,202.54.38.12,202.71.144.176,
202.8.87.197] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:602; fwsam: dst, 30 days;)


I immediately went to my full content data. Noticing from the alert, this fired at 02/21-10:17:54 I searched through my "ring buffer" capture files and found honeytrap_00013_20070221091354. This file states that the capture started at approx. 9:13 on 02.21 2007. Parsing the data with capinfos I got the full start and stop time for this file:

#capinfos honeytrap_00013_20070221091354
File name: honeytrap_00013_20070221091354
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 259439
File size: 102401487 bytes
Data size: 98250439 bytes
Capture duration: 23117.468285 seconds
Start time: Wed Feb 21 09:13:54 2007
End time: Wed Feb 21 15:39:12 2007
Data rate: 4250.05 bytes/s
Data rate: 34000.41 bits/s
Average packet size: 378.70 bytes

The target time frame for the alert falls within this capture file. To find out what type of connection was made from this malware I parsed the file with tcpdump:

# tcpdump -vvnnXs 1514 -r honeytrap_00013_20070221091354 host 161.53.178.240
reading from file honeytrap_00013_20070221091354, link-type EN10MB (Ethernet)
10:17:54.366236 IP (tos 0x0, ttl 128, id 13198, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.31.2253 > 161.53.178.240.6667: S, cksum 0x70e6 (correct), 3394442271:3394442271(0) win 64512
0x0000: 4500 0030 338e 4000 8006 b24c c0a8 001f E..03.@....L....
0x0010: a135 b2f0 08cd 1a0b ca53 141f 0000 0000 .5.......S......
0x0020: 7002 fc00 70e6 0000 0204 05b4 0101 0402 p...p...........
10:17:57.287574 IP (tos 0x0, ttl 128, id 13283, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.31.2253 > 161.53.178.240.6667: S, cksum 0x70e6 (correct), 3394442271:3394442271(0) win 64512
0x0000: 4500 0030 33e3 4000 8006 b1f7 c0a8 001f E..03.@.........
0x0010: a135 b2f0 08cd 1a0b ca53 141f 0000 0000 .5.......S......
0x0020: 7002 fc00 70e6 0000 0204 05b4 0101 0402 p...p...........
10:18:03.306453 IP (tos 0x0, ttl 128, id 13383, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.31.2253 > 161.53.178.240.6667: S, cksum 0x70e6 (correct), 3394442271:3394442271(0) win 64512
0x0000: 4500 0030 3447 4000 8006 b193 c0a8 001f E..04G@.........
0x0010: a135 b2f0 08cd 1a0b ca53 141f 0000 0000 .5.......S......
0x0020: 7002 fc00 70e6 0000 0204 05b4 0101 0402 p...p...........


From this output one can determine that the infected host only attempted outbound connections to the IRC server but received no responses as this is full content data. From the analysts point of view the bleeding snort rule sets discovered the C&C connection attempt without any data being transferred based soly on the IP. The full content data backed up the fact that the host was compromised and allows the analysts to determine that no data was exfiltrated. From this point the system can be taken off line and restored with known good media.

I used this scenario to illustrate how simply collecting just alert and full packet capture data allows security analysts to fully understand mostly everything that happens on their network.