Muhammad Najmi bin Ahmad Zabidi
Department of Computer Science, Kulliyyah of Information & Communication Technology, International Islamic University Malaysia
6th November 2009
najmi@kict.iiu.edu.my
Created with LaTeX
Muhammad Najmi, myGOSSCON 2009, Malaysia
covers...
2 Intro
3 Malware origin
4 Malware infection method
5 Malware behavior
6 Malware Communication
  - Robot network (botnet)
  - Vicious circle of evils
  - Logging communications
    - Logs
    - Graphviz diagram
    - Logs
    - Logs in a table
    - Some math stuffs
containment
7 Tools
8 Selection of solutions
  - IDS
  - Antivirus and friends
  - Reporting sensors
9 Nepenthes Honeypot
  - Setup
  - Setup
  - Malware flow illustrated
10 Amun Honeypot
  - List of open connections
...
- We'll start with the malware origin
- Then the problems it causes
- Finally the containment/threat-prevention methods
- I use the word avoidance since it is broad...
shortform for Malicious Software
Motives:
- Identity theft (privacy breach)
- Financial loss (which may be caused by the above)
- Denial of service
- Information espionage
- Underground economics
a program doing malicious activity
- Also known as a binary, since it comes in compiled form
- Some actions it can take after infection:
  - Delete files
  - Lock out user commands, say Ctrl+Alt+Del
  - Prevent connections to antivirus (AV) websites, e.g. Conficker did this
  - Remotely activate the webcam, for espionage purposes... or perhaps peeping. Remember GhostNet?
- Affects mainly Windows; there are Linux examples too
It can infect a machine by...
- Drive-by downloads
- Email attachments
- File shares
- Decoys (warez movies, free wallpapers and such)
to be a normal system process
- Current method: packing. More sophisticated, since it can minimize its size while remaining an executable file
- If it is part of a botnet, it starts communicating with external machines
a robot network communicates with its herder
- Known as C&C (command and control)
- The communication can be observed by looking at the open ports used
helps in terms of data analysis
- Tools are available: Graphviz, for example
- Or you may just read the log file... but doesn't that hurt you in any way?
rate
\[
\frac{da}{dt} = K\,a\,(1 - a), \qquad \text{where} \quad a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}
\]
The number of infected hosts at time t if K is known (Nazario).

Explanation by Goranin et al. (2008):
- K is the constant average compromise rate, which is dependent on worm processor speed, network bandwidth and location of the infected host
- a(t) is the proportion of vulnerable machines which have been compromised at the instant t
- N a(t) is the number of infected hosts, each of which scans other vulnerable machines at a rate K per unit of time
- Since a portion a(t) of the vulnerable machines is already infected, only K(1 - a(t)) new infections will be generated by each infected host, per unit of time
- The number n of machines that will be compromised in the interval of time dt (in which a is assumed to be constant)
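The rate equation and its closed-form solution, worked through in code as an added example (not from the slides): the logistic curve a(t) is checked against a numerical integration of da/dt = K a (1 - a), and N a(t) gives the infected-host count over time. The population size N, rate K and seed fraction in the demo are constructed values.

```python
import math

def fraction_infected(t, K, T):
    """Closed form from the slide: a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).
    Written as 1 / (1 + e^{-K(t-T)}), which is algebraically identical
    but does not overflow for large K(t-T)."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))

def infection_rate(a, K):
    """da/dt = K a (1 - a): each infected host (fraction a) compromises
    K(1 - a) still-vulnerable hosts per unit time."""
    return K * a * (1.0 - a)

def inflection_time(K, a0):
    """T is the instant at which a(T) = 1/2. Solving a(0) = a0 in the
    closed form gives T = -ln(a0 / (1 - a0)) / K."""
    return -math.log(a0 / (1.0 - a0)) / K

def simulate(N, K, a0, t_end, dt=0.01):
    """Integrate da/dt = K a (1 - a) with classic RK4 from a(0) = a0.
    Returns (t, a, N*a) samples; N*a is the number of infected hosts."""
    t, a = 0.0, a0
    samples = [(t, a, N * a)]
    for _ in range(int(round(t_end / dt))):
        k1 = infection_rate(a, K)
        k2 = infection_rate(a + 0.5 * dt * k1, K)
        k3 = infection_rate(a + 0.5 * dt * k2, K)
        k4 = infection_rate(a + dt * k3, K)
        a += dt * (k1 + 2 * k2 + 2 * k3 + k4) / 6.0
        t += dt
        samples.append((t, a, N * a))
    return samples

def max_abs_error(N, K, a0, t_end, dt=0.01):
    """Largest gap between the numeric solution and the closed form,
    which checks that the logistic curve really solves the rate equation."""
    T = inflection_time(K, a0)
    return max(abs(a - fraction_infected(t, K, T))
               for t, a, _ in simulate(N, K, a0, t_end, dt))

if __name__ == "__main__":
    # Constructed scenario: 10,000 vulnerable hosts, K = 1.5 per hour,
    # a single seed host (a0 = 1/N). Print the infected count every 2 hours.
    N, K = 10_000, 1.5
    for t, a, hosts in simulate(N, K, 1 / N, 14.0)[::200]:
        print(f"t={t:5.1f}h  a={a:.4f}  infected={hosts:8.1f}")
```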
ports

Malware's Name      Origin IP      FTP port   No. of times used
Trojan.DsBot-15     192.168.2.51   15807      2
                                   19735      2
                                   23154      2
                                   30487      2
                                   10040      3
Trojan.SdBot-8638   192.168.2.100  4471       44
                                   17747      44
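One way to get from raw sensor logs to both the Graphviz diagram and the "logs in a table" view above, as an added example that is not part of the slides: the log line format, the sample lines and the port counts are constructed for illustration, not real Nepenthes output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sensor log (not real Nepenthes output, format assumed):
# timestamp, malware name, origin IP, protocol and port the sample used.
SAMPLE_LOG = """\
2009-10-31 12:42:01 malware=Trojan.DsBot-15 src=192.168.2.51 proto=ftp port=15807
2009-10-31 12:42:09 malware=Trojan.DsBot-15 src=192.168.2.51 proto=ftp port=15807
2009-10-31 12:43:15 malware=Trojan.DsBot-15 src=192.168.2.51 proto=ftp port=10040
2009-10-31 12:44:20 malware=Trojan.SdBot-8638 src=192.168.2.100 proto=ftp port=4471
2009-10-31 12:44:21 malware=Trojan.SdBot-8638 src=192.168.2.100 proto=ftp port=4471
2009-10-31 12:45:00 malware=Trojan.SdBot-8638 src=192.168.2.100 proto=http port=80
garbage line that does not parse
"""

LINE_RE = re.compile(r"malware=(\S+) src=(\S+) proto=(\S+) port=(\d+)")

def count_ftp_ports(log_text):
    """Return {(malware, origin_ip): Counter({port: times_used})}, FTP lines only."""
    table = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than crash the report
        name, src, proto, port = m.groups()
        if proto == "ftp":
            table[(name, src)][int(port)] += 1
    return table

def table_rows(table):
    """Flatten the counts into (malware, origin IP, FTP port, times used) rows,
    the layout of the 'Logs in a table' slide."""
    return [(name, src, port, n)
            for (name, src), ports in sorted(table.items())
            for port, n in sorted(ports.items())]

def to_dot(table):
    """Emit Graphviz DOT: malware -> origin IP -> port, edge label = times used.
    Render with: dot -Tpng -o malware.png malware.dot"""
    out = ["digraph malware_ftp {", "  rankdir=LR;"]
    for (name, src), ports in sorted(table.items()):
        out.append(f'  "{name}" -> "{src}";')
        for port, n in sorted(ports.items()):
            out.append(f'  "{src}" -> "{src}:{port}" [label="{n}x"];')
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    t = count_ftp_ports(SAMPLE_LOG)
    for row in table_rows(t):
        print("%-20s %-15s %-6d %d" % row)
    print(to_dot(t))
```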
scanning
- Finds vulnerable machines
- Since it's a parasite, it starts consuming its host's resources:
  - Processing power
  - Storage
What makes it so troublesome...
- Malware has also become open source; some was even GPL'ed!
- Experienced, professional cyber criminals
- Tools to create malware are also available
- Botherders rent their malware for profit
- The fast-flux problem: it becomes a problem to crack down
- Malware analysis is challenging:
  - Malware has become polymorphic, metamorphic
  - Uses code obfuscation, anti-disassembly, anti-forensics, anti-sandbox etc.
  - Some use encryption, even the beta MD6!
related tools
- ClamAV
  - Currently under Sourcefire
  - Sourcefire sponsors the Snort IDS too
- WinPooch
  - Seems abandoned, hence abandonware
  - It works side by side with ClamAV or BitDefender
obtain data for analysis
Methods:
- Deploy sensors
  - IDS/IPS
  - Honeypot
  - Network Management System, e.g. OpenNMS
- Collect binaries
  - A Nepenthes sensor, for example, allows automated binary submission to sandboxes
- Turn on reporting
- Analyze the infected host
- Clean up the infected host
emulates an operating system (heavy) or services (light)
- It can be either a server (passive) or a client (active crawl)
- Light interaction
  - Emulates potentially vulnerable services, i.e. HTTP, FTP, SSH
  - Most of the time attracts automated malware
- Heavy interaction
  - A dedicated machine which emulates a real machine and software
  - Difficult (relatively)
  - Known to attract real (human) attackers
was using Nepenthes, so I'll share my experience
- Set virtual IPs, either local IPs or public IPs
- Only use unused IPs, with permission; somebody may complain later :-)
- Since Linux allows IP aliasing, you can simulate hundreds of IPs, as if there were a lot of machines
- Nepenthes emulates vulnerable Windows services
... as easy as "apt-get install nepenthes"
- Tune the config file a little, such as the services you plan to emulate and your email address
- It will generate a lot of alerts if you're in polluted traffic
- IP aliasing can be done with a shell loop (adds 192.168.1.230 through 192.168.1.254 as aliases on eth0):

for x in `seq 230 254`; do ip addr add 192.168.1.$x/24 dev eth0; done
Desktop/amun$ sudo ./amun_server.py
[sudo] password for najmi:
[Amun ASCII-art banner]
starting Amun server....
::[Amun - Main] all servers listening on: 0.0.0.0 ::.
.::[Amun - Main] loading vulnerability modul vuln-ms08067 ::.
.::[Amun - Main] loading vulnerability modul vuln-wins ::.
.::[Amun - Main] loading vulnerability modul vuln-axigen ::.
.::[Amun - Main] loading vulnerability modul vuln-slmail ::.
.............
.::[Amun - Decoder] compiling bonn xor decoder ::.
.::[Amun - Decoder] compiling plain1 shellcode ::.
.::[Amun - Decoder] compiling plain2 shellcode ::.
.::[Amun - amun_server] Port already in use: IP: 0.0.0.0 Port: 25 ::.
.::[Amun - Main] ready for evil orders :::.
suggests, it is an IDS
- Development led by a group of researchers at the University of Amsterdam
- Offers a system install or a USB stick as the sensor
Markus Koetter, as part of GSoC (Google Summer of Code)
- Supposed to be better than Nepenthes
- Check http://dionaea.carnivore.it/
$ nmap localhost
Starting Nmap 4.76 ( http://nmap.org ) at 2009-10-31 12:42 MYT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
631/tcp   open  ipp
9091/tcp  open  unknown
15000/tcp open  unknown
45100/tcp open  unknown
nmap localhost
/opt/dionaea/bin/dionaea -l all,-debug -L '*'
Dionaea Version 0.1.0
Compiled on Linux/x86 at Oct 31 2009 00:23:48 with gcc 4.3.3
Started on notre-dame running Linux/i686 release 2.6.28-15-generic
$ nmap localhost
Starting Nmap 4.76 ( http://nmap.org ) at 2009-10-31 12:46 MYT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 988 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
42/tcp    open  nameserver
80/tcp    open  http
135/tcp   open  msrpc
443/tcp   open  https
445/tcp   open  microsoft-ds
631/tcp   open  ipp
9091/tcp  open  unknown
15000/tcp open  unknown
45100/tcp open  unknown
binaries I
Static Analysis
- *nix: strings, strace, ltrace, lsof
- objdump
- readelf
- OllyDbg: though free, it is yet to be open sourced
binaries II
Dynamic Analysis
- Anubis
  - Open framework, but the source code isn't available
  - Runs on Qemu
- Wepawet
  - The service is free; handles Flash/JavaScript files
- BitBlaze
  - Developed by the University of California, Berkeley
Qemu and VirtualBox can be used as sandboxes as well
- Since the malware is loaded in a virtual machine, chances are it is safer than running it on the host machine
- But as a precaution, unplug the machine from any networking device
- Apart from these, Wine can be used as a fishbowl as well
  - Unless it's Wine-aware malware, you should be able to observe the malware's behavior on the guest OS
worms
- IDS is Intrusion Detection System
  - Triggers alerts
  - A project such as snort_inline includes a firewall reaction, hence it's known as an IPS: P for prevention
- An IDS can be used to detect the existence of a malicious attack
  - Remember Conficker?
Why automated signature generation?
- Writing alert signatures for an IDS isn't fun
- Automation is good, especially when there is an unknown/unclassified attack
- Hence automated signatures are really helpful
- Not false-positive free though...
Example: Nebula, for example, creates signatures from honeytrap and Argos
Conficker A and B
The following alerts were created automatically by Nebula:

alert tcp any any -> $HOME_NET 445 (msg:"conficker.a shellcode"; content:"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid:2000001; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"conficker.b shellcode"; content:"|e8 ff ff ff ff c2| |8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid:2000002; rev:1;)
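To see what a rule like the ones above actually matches on, here is an added example (not from the slides or from Nebula) that parses the header and the content option of a simple "alert tcp" rule, turning the mixed literal/|hex| content into bytes and checking a payload against it. The demo rule, its byte pattern and the payloads are constructed; only the content syntax follows Snort.

```python
import re

def parse_content(content):
    """Convert a Snort content string into bytes. Text between | pipes | is
    hex (spaces allowed, as in the rules above); everything else is literal,
    with a backslash escaping the next character (e.g. \\; for a semicolon)."""
    out, i = bytearray(), 0
    while i < len(content):
        c = content[i]
        if c == "|":
            end = content.index("|", i + 1)   # ValueError if the hex run is unclosed
            out.extend(bytes.fromhex(content[i + 1:end]))
            i = end + 1
        elif c == "\\" and i + 1 < len(content):
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)

# Header "alert tcp <src> <sport> -> <dst> <dport> ( options )" and "key:value;" options.
RULE_RE = re.compile(r"alert\s+tcp\s+\S+\s+\S+\s*->\s*\S+\s+(\d+)\s*\((.*)\)\s*$", re.S)
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

def parse_rule(rule):
    """Extract destination port, msg, sid and the compiled content pattern."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a simple 'alert tcp' rule")
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group(2))}
    return {"dport": int(m.group(1)), "msg": opts["msg"], "sid": int(opts["sid"]),
            "pattern": parse_content(opts["content"])}

def matches(rule, dport, payload):
    """True when traffic to the rule's port carries the content pattern anywhere."""
    return dport == rule["dport"] and rule["pattern"] in payload

# Constructed demo rule and payloads; the byte pattern is made up for illustration.
DEMO_RULE = ('alert tcp any any -> $HOME_NET 445 (msg:"demo shellcode"; '
             'content:"|e8 ff ff ff ff|Af|81|\\;X"; sid:2000099; rev:1;)')

if __name__ == "__main__":
    r = parse_rule(DEMO_RULE)
    print(r["msg"], r["sid"], r["pattern"].hex(" "))
    print(matches(r, 445, b"\x00\x10" + r["pattern"] + b"\x90"))   # True
    print(matches(r, 80, r["pattern"]))                             # False: wrong port
```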