Weekend Malware Research 2012
Weekend Malware Research
Andrew Morris
About
• Over the weekend I collected two different categories of malware
• Dionaea Honeypot malware (Conficker)
– Windows
– SMB-based exploits
• JBoss ZECMD worm
– Cross platform/Java
– JMX Console-based exploits
Dionaea
Dionaea
• Dionaea is an open-source honeypot daemon used to catch malware samples
• Installed and run on Linux
• Emulates a Windows 2000 Server
Protecting yourself
• Whenever you are doing any type of malware research, be sure to protect yourself
• Segment the honeypot/analysis machine from the rest of your network
Dionaea log piped to "tail -f"
Tcpdump on port 445
Binaries collected
Commands
# tail -f dionaea.log
# tcpdump -i eth0 -XX -vvv tcp port 445 (add -w capture.pcap to save the packets to a file)
# while [ 1 ]; do ls -lah ; ls | wc ; sleep 1 ; done
Results
• Over 24 hours, the Dionaea honeypot collected over 100 malware samples
• There were more attacks, but the honeypot failed to capture binaries for more sophisticated malware
• Over five attacks per minute
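The shell loop on the Commands slide only counts files in the binaries directory; it does not tell you how many of the 100+ samples are actually distinct, or where the "five attacks per minute" figure comes from. The following is an added example (not code from the talk or from the Dionaea project) that turns a connection log and a pile of collected binaries into those numbers. The log format and the binary contents are constructed for the example: Dionaea's real logging layout is an assumption here, so adapt `LINE_RE` to whatever your honeypot emits.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed, simplified connection log. The "<timestamp> <event> <remote ip> <port>"
# layout is an assumption for this example, not Dionaea's real log format.
SAMPLE_LOG = """\
2012-01-14T10:00:03 accept 203.0.113.5 445
2012-01-14T10:00:09 accept 198.51.100.7 445
2012-01-14T10:00:20 download 203.0.113.5 445
2012-01-14T10:00:41 accept 203.0.113.9 445
2012-01-14T10:00:55 accept 198.51.100.7 445
2012-01-14T10:01:02 accept 203.0.113.5 445
garbage line that the parser should skip rather than crash on
2012-01-14T10:01:30 accept 192.0.2.44 445
2012-01-14T10:01:58 download 192.0.2.44 445
"""

# Constructed stand-ins for collected binaries as (source IP, file bytes).
# Two sources delivered a byte-identical payload, which is what a worm looks like.
SAMPLE_BINARIES = [
    ("203.0.113.5", b"MZ\x90\x00constructed-sample-A"),
    ("192.0.2.44", b"MZ\x90\x00constructed-sample-A"),
    ("198.51.100.7", b"MZ\x90\x00constructed-sample-B"),
]

LINE_RE = re.compile(r"^(\S+) (accept|download) (\S+) (\d+)$")


def parse_log(text):
    """Return a list of (timestamp, event, remote_ip, port); malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event, ip, port = m.groups()
        events.append((datetime.fromisoformat(ts), event, ip, int(port)))
    return events


def accepts_per_minute(events):
    """Count accepted connections per one-minute bucket (the 'attacks per minute' figure)."""
    buckets = Counter()
    for ts, event, _ip, _port in events:
        if event == "accept":
            buckets[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(buckets)


def unique_sources(events):
    """Distinct remote IPs seen in the log, sorted for stable output."""
    return sorted({ip for _ts, _event, ip, _port in events})


def dedupe_binaries(samples):
    """Index collected files by SHA-256 so identical payloads from many hosts count once."""
    index = defaultdict(lambda: {"size": 0, "sources": set()})
    for ip, data in samples:
        digest = hashlib.sha256(data).hexdigest()
        index[digest]["size"] = len(data)
        index[digest]["sources"].add(ip)
    return dict(index)


def summarize(log_text=SAMPLE_LOG, samples=SAMPLE_BINARIES):
    """Headline numbers a weekend of honeypot collection would be reported with."""
    events = parse_log(log_text)
    per_min = accepts_per_minute(events)
    uniq = dedupe_binaries(samples)
    return {
        "connections": sum(per_min.values()),
        "peak_per_minute": max(per_min.values()) if per_min else 0,
        "unique_sources": len(unique_sources(events)),
        "binaries_collected": len(samples),
        "unique_binaries": len(uniq),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Hashing before counting matters for the talk's "over 100 samples" claim: a single worm re-infecting the honeypot from dozens of hosts drops the same file dozens of times, so the unique-binary count is usually far smaller than the file count and is the number worth reverse engineering.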
Anyone interested?
• I have over 100 malware samples directly from the wild
• If anyone is interested in setting up an offline lab with me for manual analysis, shoot me an email
• Makes good practice for reverse engineering
ZECMD
ZECMD
• Steve Nawoichik and I first encountered this during a penetration test one year ago
• Our client thought they would be cool and stand up an intentionally vulnerable server to test if we were doing our jobs
• They got hit with a JBoss worm
Worming Mechanism
• I did a bit of OSINT on the term "ZECMD.jsp" and found a couple of writeups by Carnal0wnage, Kaspersky, and a few others
• The worm infects machines over the internet by attacking exposed JBoss JMX consoles
• Deploys its own custom malicious WAR file
So…
• I set up a Linux box and installed JBoss
• Exposed the JMX console, no username, no password
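The bait here was a JMX console with no security constraint in front of it. As an added example (not code from the talk or from JBoss), here is a small audit that parses a web.xml deployment descriptor and reports whether the console's paths are actually covered by an authenticated security constraint. The descriptor fragments are constructed for the example; the assumption that the console ships with its `security-constraint` commented out, and the `JBossAdmin` role name, are illustrative rather than taken from the slides.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the security-constraint exists but is commented out,
# so the console is reachable without credentials. ElementTree drops XML comments
# while parsing, which is exactly the behaviour a container has: a commented-out
# constraint is no constraint at all.
EXPOSED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Console</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  -->
</web-app>
"""

# Same descriptor with the constraint active.
HARDENED_WEB_XML = EXPOSED_WEB_XML.replace("<!--", "").replace("-->", "")

# Constructed variant that only constrains GET: every other HTTP verb is left open,
# so a deployment request sent with a different method would bypass the login.
GET_ONLY_WEB_XML = HARDENED_WEB_XML.replace(
    "<url-pattern>/*</url-pattern>",
    "<url-pattern>/*</url-pattern>\n      <http-method>GET</http-method>",
)


def _local(tag):
    """Strip the namespace prefix, e.g. {http://java.sun.com/xml/ns/j2ee}url-pattern."""
    return tag.rsplit("}", 1)[-1]


def _pattern_matches(pattern, path):
    """Servlet-style matching: '/' and '/*' cover everything, '/x/*' is a prefix, else exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def audit_console_auth(web_xml, path="/index.jsp"):
    """Report whether `path` is behind an auth-constraint and whether that constraint
    is limited to specific HTTP methods (which leaves the other methods unconstrained)."""
    root = ET.fromstring(web_xml)
    result = {"protected": False, "roles": [], "methods_limited": False}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text]
        if not any(_pattern_matches(p, path) for p in patterns):
            continue
        auth = [e for e in sc.iter() if _local(e.tag) == "auth-constraint"]
        if not auth:
            # A constraint with no auth-constraint only sets a transport guarantee.
            continue
        result["protected"] = True
        result["roles"] = [e.text.strip() for e in auth[0].iter()
                           if _local(e.tag) == "role-name" and e.text]
        result["methods_limited"] = any(_local(e.tag) == "http-method" for e in sc.iter())
        return result
    return result


if __name__ == "__main__":
    for name, xml in [("exposed", EXPOSED_WEB_XML), ("hardened", HARDENED_WEB_XML),
                      ("get-only", GET_ONLY_WEB_XML)]:
        print(name, audit_console_auth(xml))
```

Run this against the descriptor of every admin web application on a JBoss host before exposing it; "protected" must be true and "methods_limited" false, and the console should additionally be bound to a management interface rather than a public address, since an authentication constraint does nothing about the unauthenticated scanning the worm performs first.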
Infected
• JBoss worm hit me within 24 hours
• Again, ZECMD
• Good part about this worm
– Modular malware
– Portions are in Perl, C, and Java
– Drops the source code, relies on the machine to compile
– No reversing necessary!
Perl
C
Java
Nicks
Scanning
Digging Deeper
What I learned from the malware
• C2 (command and control) servers
• Propagation mechanism
• Able to identify compromised machines
• Handles of botmaster
• Methods of data exfiltration
• How to tell if a machine is infected
Questions?