
Internet Malicious Miscreants

Muhammad Najmi bin Ahmad Zabidi


najmi.zabidi@gmail.com

29th June 2010


Agenda I
1 Brief background
2 Internet Malicious Miscreant
3 Threats
Protecting people
Protecting money
Protecting integrity
4 Attack vectors
5 Type of attacks
6 Prevention
7 Domain Name System
8 Malware
Intro
Deception
9 Attack Containment/Prevention
Agenda II
Honeypotting
Malware analysis
Encryption in Malware
10 Libemu
Example of libemu in action
11 Honeypots
SSH-based honeypot
Misc protocol based honeypot-Amun
Misc protocol based honeypot-Honeytrap
Misc protocol based honeypot-Mwcollect
Misc protocol based honeypot-Nepenthes
Misc protocol based honeypot-Dionaea
12 Special section - Dionaea
SQLite
Agenda III
13 Visualization
Gnuplot
Afterglow+Graphviz
Dionaea in action

14 Interpreting outputs
Some statistics of incoming IPs
Brief background

A full-time academic staff member of International Islamic University Malaysia (IIUM/UIA)
Full-time student working on his research degree at Universiti Teknologi Malaysia, Skudai, Johor Bahru
Internet Malicious Miscreant

Focus today

Understand the threats


Focus on malicious creations on the Net
Look at several attack vectors
Containment, prevention workarounds
Threats

Threats and things to protect

Protecting:
You, your family and people who’re important around you
Your belongings (money, for example)
Your integrity (come to this later)
Threats
Protecting people

Protecting people

Your data and your pictures might be super sensitive
Online social networks are very enjoyable, but also something you have to worry about
Default settings are the least to be trusted; take some time to fine-tune them
For example, Company X, who has the most popular online social network on earth, doesn’t seem to bother about your privacy
In some sense, that is correct: after all, why share them if you want them to be private? Keep them in your own storage instead
Threats
Protecting money

Example of stolen credit cards for sale

Threats
Protecting integrity

Beware of your webcam; it may be activated without you realizing it
Talking about identity theft, it may also affect the previous points (money, for example)
Attack vectors

Example

People side:
Vulnerable people
Needs frequent knowledge/advice/tazkirah
Prey and victim at the same time (the people who attack and the victim)

Machine side:
Vulnerable host
Needs frequent updates/patches
Prey and victim at the same time (a machine that was compromised, and later becomes a stepping stone to attack others)
Type of attacks

Methods of attack

The following are my suggestions on the types of attacks (although disputable):

Active attack
Defacement
DDOS
XSS

Passive attack
Worms - although vague, depends on several issues - network connections etc.
Phishing
PDF exploits
Anything of the drive-by-download type
Prevention

Success story of underground economics containment

University of California Santa Barbara (UCSB) taking over the Torpig botnet, aka botnet infiltration
Microsoft won the Waledac shutdown in court
Spanish police arrested three for the Mariposa botnet

Figure 1: Fringe Season 2 Ep 23


Domain Name System

Threats

DNS Poisoning
Happens in the “cache” server
Attacks a certain population (say, if the cache name server for Organization X was attacked, it only happens there)

Fast-flux network
Victim is preyed upon to follow/click the bait URL
Able to deceive everyone on the Internet
Serving malware, spam, extreme p0rn, on bulletproof webhosting
Deceiving users to, say, expose online banking PINs or passwords
Characteristics: one domain maps to a lot of IPs, with a short Time to Live (TTL)
Domain Name System

DNS Poisoning

Picture taken from http://www.technicalinfo.net/papers/Pharming2.html

Domain Name System

Fast-flux network

Pix taken from Honeynet’s website

Domain Name System

Fast-flux animation

Source: http://www.f-secure.com/weblog/archives/fastflux.gif

Domain Name System

Source: Fortinet
Malware
Intro

Malware

Malware needs to be collected for analysis
In order to collect it, it has to be recognized first
To recognize a malware, it must have a pattern
Do you watch the Fringe TV series, where Agent Dunham and the Bishops deal with “the pattern”?
Remember, malware is software, so how do we differentiate a benign one from a malicious one?
Malware
Deception

The way the bad guys do their job. . .

The simplest example: drive-by-download style
Tell people to click interesting links: create some money, funny pics, or p0rn
Once clicked, they might already be infected, or at least have already installed the fake software
Another example: rogue antivirus/free AV. Some even need you to buy..
Attack Containment/Prevention

If the attack is difficult to stop, at least we can decrease the level of the adversaries from time to time
Security is a process, remember!

Attack Containment/Prevention
Honeypotting

Emulating vulnerable machines/services
Depends on your resources or purpose

Attack Containment/Prevention
Honeypotting

Light interaction honeypots

Kippo
Kojoney
Nepenthes/Dionaea
Mwcollect
Attack Containment/Prevention
Malware analysis

Ways of doing analysis

Malware analysis - static and dynamic
Static means we have to decompile or do some reverse engineering exercise
Dynamic, however, needs us to execute the malware and monitor its behavior
Attack Containment/Prevention
Encryption in Malware

Finding XOR with XORSearch


Attack Containment/Prevention
Encryption in Malware

Using Amun internal utils

/opt/dionaea/var/dionaea/binaries/4a6e5980ad7d1a4bbe71ec46fa96755e
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: kernel32
>> found plaintext: CreateProcessA
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls >> done

/opt/dionaea/var/dionaea/binaries/d7904fa2b3bba7bde11c01073a4b1fdf
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: possible windows cmd
>> found plaintext: kernel32
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls >> done

/opt/dionaea/var/dionaea/binaries/dd128e54320ce15ab7e3c1f0648740be
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: possible windows cmd
>> found plaintext: kernel32
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls >> done
Attack Containment/Prevention
Encryption in Malware

Later, search the same binary with XORSearch

dd128e54320ce15ab7e3c1f0648740be
Found XOR 00 position 9DC34: http://broker.adobe.com/Acrobat/index.cgi
Found XOR 00 position E7BE8: http://mail.ru/:StringDatat_play....vk.
Found XOR 00 position E7D7C: http....nk
Found XOR 00 position E7DD0: http://mail.ru/:StringIndex
Found XOR 00 position E7F8C: http.
Found XOR 00 position E7F94: http....vk.
Found XOR 00 position E8070: http://win.mail.ru/cgi-bin/auth:StringData
Found XOR 00 position E81A8: http://win.mail.ru/cgi-bin/auth:StringIndex
Found XOR 00 position E8330: https://www.google.com/accounts/ServiceLogin:Strin
...
Found XOR 00 position E84E0: https://www.google.com/accounts/ServiceLogin:Strin
Found XOR 00 position F1B0B: http://www.usertrust.com1.0...U....UTN-USERFirst-H
Found XOR 00 position F1D7B: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl
Found XOR 00 position F1DB5: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0.
Found XOR 00 position F1E04: http://crt.comodoca.com/UTNAddTrustServerCA.crt09.
Found XOR 00 position F1E41: http://crt.comodo.net/UTNAddTrustServerCA.crt0...*
Found XOR 00 position F23BC: http://www.public-trust.com/CPS/OmniRoot.html0...U
Found XOR 00 position F2498: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.c
...
... and so on
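What XORSearch is doing in the listing above, as an added example rather than the tool's own code: brute-force every single-byte key, look for the encoded search string, and print the decoded run at each hit. The buffer is constructed (a documentation-range IP; key 153 is the decoder key Amun reports further down), and note that every hit on the page is key 00, i.e. those URLs were in plaintext; it is the other 255 keys that justify the brute force.

```python
import string

# Printable ASCII minus control whitespace, so a decoded run stops at NUL/tab.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def printable_run(buf: bytes, start: int = 0, limit: int = 60) -> str:
    """The printable ASCII run starting at buf[start], as strings(1) would show it."""
    end = start
    while end < len(buf) and end - start < limit and buf[end] in PRINTABLE:
        end += 1
    return buf[start:end].decode("ascii")


def xor_search(data: bytes, needle: bytes):
    """Try all 256 keys; return (key, offset, decoded run) for every hit.

    Instead of decoding the whole file 256 times, encode the needle with
    each key and look for that in the untouched data; only hits get decoded.
    """
    hits = []
    for key in range(256):
        encoded = xor_bytes(needle, key)
        pos = data.find(encoded)
        while pos != -1:
            decoded = xor_bytes(data[pos:pos + 80], key)
            hits.append((key, pos, printable_run(decoded)))
            pos = data.find(encoded, pos + 1)
    return hits


def build_sample() -> bytes:
    """Constructed buffer: NOP filler, a URL in the clear, then a URL under key 153."""
    clear = b"http://example.invalid/update.exe"
    # 153 == 0x99, the xor decoder key the Amun log on this page reports
    hidden = xor_bytes(b"http://198.51.100.7:5688/x.exe", 153)
    return b"\x90" * 16 + clear + b"\x00" * 8 + hidden + b"\x90" * 4


if __name__ == "__main__":
    for key, pos, run in xor_search(build_sample(), b"http"):
        # Same layout as the XORSearch output above
        print(f"Found XOR {key:02X} position {pos:X}: {run}")
```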
Attack Containment/Prevention
Encryption in Malware

Finding XOR with xray


Libemu

Libemu
From Libemu’s website:

Features
executing x86 instructions
reading x86 binary code
register emulation
shellcode execution
shellcode detection
static analysis
win32 api hooking

Using libemu one can:

Benefits
detect shellcodes
execute the shellcodes
profile shellcode behaviour
Libemu
Example of libemu in action

Step 1: Let’s say we have such a collection of PDF exploits . . .
Step 2: They are PDFs, but the malicious ones . . .
Step 3: Checking the PDFs using AV . . .
Step 4: Now, using a PDF decoder, we strip out the suspected shellcode . . .
Step 5: Put it into a blank text file . . .
Step 6: Run it through libemu’s tool “sctest” . . .
Step 7: We get a nicely drawn flow graph
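Steps 4 and 5 above in code, as an added example that is not libemu's or any PDF decoder's own: pull the %u-escaped unescape() literals out of a PDF's JavaScript and write them as raw bytes for sctest. The PDF fragment and its payload are constructed (NOPs plus filler, not a real exploit), and the sctest flags in the last comment are given as I recall them, so check sctest's help before relying on them.

```python
import re

# unescape("...") literals as found in PDF /JS actions
UNESCAPE_CALL = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
# %uXXXX is a UTF-16 code unit (two bytes, low byte first); %XX is one byte
ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_unescape(literal: str) -> bytes:
    """Decode one unescape() literal into the byte layout that ends up in memory."""
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")  # literal text in between
        if m.group(1):  # %uXXXX -> two bytes, little-endian
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:           # %XX -> one byte
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def extract_shellcode(pdf_text: str, min_len: int = 8):
    """Decoded unescape() blobs of at least min_len bytes, in file order."""
    blobs = []
    for m in UNESCAPE_CALL.finditer(pdf_text):
        data = decode_unescape(m.group(1))
        if len(data) >= min_len:  # skip short padding strings like %u0c0c
            blobs.append(data)
    return blobs


def looks_like_nop_sled(blob: bytes, min_run: int = 4) -> bool:
    """Crude triage: does the blob open with a run of x86 NOP (0x90) bytes?"""
    run = 0
    for b in blob:
        if b != 0x90:
            break
        run += 1
    return run >= min_run


# Constructed sample: an uncompressed /JS action; real ones are usually
# inside a FlateDecode stream, so inflate first with a PDF decoder.
SAMPLE_PDF = r'''
4 0 obj
<< /S /JavaScript /JS (
  var sc = unescape("%u9090%u9090%u9090%u4141%u4242");
  var pad = unescape("%u0c0c");
  // ... rest of the script elided ...
) >>
endobj
'''

if __name__ == "__main__":
    for n, blob in enumerate(extract_shellcode(SAMPLE_PDF)):
        with open(f"shellcode{n}.bin", "wb") as f:
            f.write(blob)
        print(n, len(blob), "nop sled" if looks_like_nop_sled(blob) else "no sled")
    # Step 6 on the page, flags as I recall them (verify with sctest's help):
    #   sctest -S -s 100000 -G shellcode0.dot < shellcode0.bin
    #   dot -Tpng shellcode0.dot -o shellcode0.png
```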
Honeypots
SSH-based honeypot

Kippo Honeypot
Misc protocol based honeypot-Amun

Amun honeypot I
.::[Amun - Main] ready for evil orders: ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204
(Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco
(Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204
(Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco
(Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204
(Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204
(Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204
(Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco
(Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204
(Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204
(Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco
(Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204
(Bytes: 25) ::.
.::[Amun - shellcode_manager] found langenfeld xor decoder (key: 153) ::.
.::[Amun - shellcode_manager] found langenfeld shellcode (key: 153 port: 56, ip: 222.XX.XX.61) ::
Honeypots
Misc protocol based honeypot-Amun

Amun honeypot II
Honeypots
Misc protocol based honeypot-Amun

Got something?

.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.


.::[Amun - shellcode_manager] found leimbach tftp download
(key: 19, ip: 115.XX.XX.245, file: ssms.exe) ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download
(key: 19, ip: 115.XX.XX.165, file: ssms.exe) ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download
(key: 19, ip: 115.XX.XX.168, file: ssms.exe) ::.
.::[Amun - submit_md5] download (tftp://115.XX.XX.165:69/ssms.exe):
e269d0462eb2b0b70d5e64dcd7c676cd (size: 154624) - DCOM ::.
.::[Amun - submit_anubis] could not submit sample to anubis: 404 timed out ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download
(key: 19, ip: 115.XX.XX.165, file: ssms.exe) ::.
.::[Amun - submit_md5] download (tftp://115.XX.XX.165:69/ssms.exe):
a3e695427fca4fe11ae06a196286de0b (size: 155648) - DCOM ::.
.::[Amun - submit_anubis] submit anubis successfull ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.
Honeypots
Misc protocol based honeypot-Amun

More caught binaries ;-)

.::[Amun - Main] ready for evil orders: ::.


.::[Amun - shellcode_manager] found furth xor decoder (key: 119) ::.
.::[Amun - ftp_download] ftp waiting data connection on port: 192.168.2.2:60624 ::.
.::[Amun - ftp_download] ftp connect to: 218.xx.xx.227 2689 (user: 123 pass: 123) ::.
.::[Amun - shellcode_manager] found download URL: http://174.xx.xx.11:5688/x.exe ::.
.::[Amun - submit_md5] download (http://174.xx.xx.11:5688/x.exe):
f45285574eb804f7b7431fcbb1323908 (size: 16897) - LSASS ::.
.::[Amun - submit_anubis] submit anubis successfull ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.
.::[Amun - shellcode_manager] found furth xor decoder (key: 119) ::.
.::[Amun - ftp_download] ftp waiting data connection on port: 192.168.2.2:62672 ::.
.::[Amun - ftp_download] ftp connect to: 218.xx.xx.227 2689 (user: 123 pass: 123) ::.
Honeypots
Misc protocol based honeypot-Honeytrap

Honeytrap honeypot
BPF string is '((tcp[13] & 0x04 != 0 and tcp[4:4] == 0) or (icmp[0] == 3 and icmp[1] == 3)) and (src host (192.168.2.2))'.
Logging to /opt/honeytrap/honeytrap.log.
Initialization complete.

honeytrap v1.1.0 Copyright (C) 2005-2009 Tillmann Werner <tillmann.werner@gmx.de>

[2010-06-23 10:51:43] 17993 Master process pid written to /var/run/honeytrap.pid.
[2010-06-23 10:51:43] 17993 Creating pcap connection monitor.
[2010-06-23 10:51:43] 17993 Looking up device properties for eth0.
[2010-06-23 10:51:43] 17993 Creating pcap sniffer on eth0.
[2010-06-23 10:51:43] 17993 Using a 14 bytes offset for EN10MB.
[2010-06-23 10:51:43] 17993 ---- Trapping attacks on eth0 via PCAP. ----
[2010-06-23 11:05:33] 17993 218.25.11.207:6000 requesting tcp connection on i 192.168.2.2:1433.
[2010-06-23 11:05:33] 17993 Port 1433/tcp has no explicit configuration.
[2010-06-23 11:05:33] 17993 Calling plugins before dynamic server setup.
[2010-06-23 11:05:33] 18127 Requesting tcp socket.
[2010-06-23 11:05:33] 18127 Socket created, file descriptor is 16.
[2010-06-23 11:05:33] 18127 Server is now running with user id 65534 and group id 65534.
[2010-06-23 11:05:33] 18127 Listening on port 1433/tcp.
[2010-06-23 11:07:33] 18127 -> 1433/tcp No incoming connection for 120 seconds - server terminated.
[2010-06-23 11:07:33] 17993 Process 17993 received signal 17 on pipe.
[2010-06-23 11:07:33] 17993 SIGCHILD received.
[2010-06-23 11:07:33] 17993 Process 18127 terminated.
[2010-06-23 11:07:33] 17993 Signal handler for SIGCHLD reinstalled.
Honeypots
Misc protocol based honeypot-Mwcollect

Mwcollect

root@auber:~# mwcollectd -l
Copyright 2009 Georg Wicherski, Kaspersky Labs GmbH <gw@mwcollect.org>
This program is licensed under the GNU Lesser General Public License.
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/dynserv-nfqueue.so with configur
/opt/mwcollectd/etc/mwcollectd/dynserv-nfqueue.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/dynserv-mirror.so with configura
/opt/mwcollectd/etc/mwcollectd/dynserv-mirror.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/filestore-streams.so with config
/opt/mwcollectd/etc/mwcollectd/filestore-streams.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/filestore-binaries.so with confi
/opt/mwcollectd/etc/mwcollectd/filestore-binaries.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/shellcode-libemu.so with no conf
[2010-06-23 11:44:23 INFO] Creating 1 shellcode testing threads.
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/download-tftp.so with no configu
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/download-curl.so with no configu
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/submit-mwserv.so with configurat
/opt/mwcollectd/etc/mwcollectd/submit-mwserv.conf...
[2010-06-23 11:44:24 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/log-file.so with no configuratio
[2010-06-23 11:44:27 EVENT] ["download.result.success":xxx]
{ url = "https://xxx.mwcollect.org/xxx", response = "OK: 120", type = "submit-mwserv.xxx" }
Honeypots
Misc protocol based honeypot-Nepenthes

Nepenthes honeypot

Nepenthes Ampullaria

Nepenthes Version 0.2.2


Compiled on Linux/x86 at Dec 13 2009 18:59:06 with g++ 4.4.2
Started on notre-dame running Linux/i686 release 2.6.32-23-generic
..........
[ spam down handler module ] <in virtual bool nepenthes::CSendDownloadHandler::Init()>
[ debug down mgr ] Registerd csend download handler as handler for protocol csend
(1 protocols supported)
[ debug down mgr ] Registerd creceive download handler as handler for protocol creceive
(2 protocols supported)
[ debug down mgr ] Registerd ftp download handler as handler for protocol ftp
(3 protocols supported)
[ debug down mgr ] Registerd http download handler as handler for protocol http
(4 protocols supported)
Honeypots
Misc protocol based honeypot-Dionaea

Dionaea honeypot

root@auber:~# dionaea -l all,-debug -L ’*’


Dionaea Version 0.1.0
Compiled on Linux/x86 at Jun 15 2010 10:44:57 with gcc 4.4.3
Started on auber running Linux/i686 release 2.6.32-22-generic
[23062010 11:41:06] dionaea dionaea.c:574: glib version 2.24.1
[23062010 11:41:06] dionaea dionaea.c:578: libev api version is 3.9
[23062010 11:41:06] dionaea dionaea.c:593: libev backend is epoll
[23062010 11:41:06] dionaea dionaea.c:596: libev default loop 0x2c11e0
....
[23062010 11:41:06] logxmpp dionaea/logxmpp.py:130:
I am anonymous@sensors.carnivore.it/rgzUXgqL
[23062010 11:41:06] dionaea dionaea.c:727: Installing signal handlers
[23062010 11:41:06] dionaea dionaea.c:745: Creating 2 threads in pool
...
[23062010 11:41:18] logxmpp dionaea/logxmpp.py:320:
trying to join anon-files@dionaea.sensors.carnivore.it/anonymous-rgzUXgqL
[23062010 11:41:18] logxmpp dionaea/logxmpp.py:320:
trying to join anon-events@dionaea.sensors.carnivore.it/anonymous-rgzUXgqL
[23062010 11:41:19] logxmpp dionaea/logxmpp.py:346: logxmpp is online!
Special section - Dionaea

Dionaea - some features

Supports IPv4 and IPv6
Uses libemu
Enables binary sharing (needs XMPP support enabled)
That means you can leech somebody else’s binaries and seed yours to them
Uses SQLite, no need for log-parsing skill-fu
Special section - Dionaea

Successful downloads

Special section - Dionaea
SQLite

SQLite in Dionaea
Visualization

Filter out important stuffs

Visualization
Gnuplot

Plot to Gnuplot
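The "SQLite, no need for log parsing" point and the Gnuplot step, worked through as an added example that is not dionaea's own code: query the log database for the hosts and binaries worth looking at, then write the counts in the plain whitespace format gnuplot reads. It assumes a two-table subset of dionaea's logsql schema as I recall it (connections, downloads) and uses constructed rows with documentation-range IPs and placeholder MD5s, so compare the column names against your own logsql.sqlite before running it on real data.

```python
import sqlite3

# Subset of dionaea's logsql schema (assumption: column names as I recall
# them; compare with your own logsql.sqlite before querying real data).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_protocol TEXT,
    connection_timestamp INTEGER,
    local_port INTEGER,
    remote_host TEXT,
    remote_port INTEGER
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER REFERENCES connections(connection),
    download_url TEXT,
    download_md5_hash TEXT
);
"""

# Constructed rows: (protocol, unix timestamp, local port, remote host, remote port).
# IPs are from the documentation ranges, not real attackers.
SAMPLE_CONNECTIONS = [
    ("smbd",   1277266866, 445,  "203.0.113.5",   3412),
    ("smbd",   1277266899, 445,  "203.0.113.5",   3420),
    ("smbd",   1277267001, 445,  "198.51.100.77", 1188),
    ("mssqld", 1277267100, 1433, "192.0.2.9",     6000),
    ("smbd",   1277267150, 445,  "203.0.113.5",   3501),
    ("httpd",  1277267200, 80,   "198.51.100.77", 51022),
]
# Constructed rows: (connection id, url, md5); the hashes are placeholders.
SAMPLE_DOWNLOADS = [
    (1, "http://203.0.113.5:5688/x.exe",    "md5-placeholder-aaaa"),
    (2, "http://203.0.113.5:5688/x.exe",    "md5-placeholder-aaaa"),
    (3, "tftp://198.51.100.77:69/ssms.exe", "md5-placeholder-bbbb"),
    (5, "http://203.0.113.5:5688/y.exe",    "md5-placeholder-cccc"),
]


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with the subset schema and the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO connections (connection_protocol, connection_timestamp,"
        " local_port, remote_host, remote_port) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_CONNECTIONS)
    db.executemany(
        "INSERT INTO downloads (connection, download_url, download_md5_hash)"
        " VALUES (?, ?, ?)", SAMPLE_DOWNLOADS)
    return db


def top_remote_hosts(db, limit=10):
    """Remote hosts by connection count: the sort | uniq -c | sort -n step, in SQL."""
    return db.execute(
        "SELECT remote_host, COUNT(*) AS n FROM connections"
        " GROUP BY remote_host ORDER BY n DESC, remote_host LIMIT ?",
        (limit,)).fetchall()


def binaries_by_hash(db):
    """Each distinct binary (by MD5): how often it was pushed, and from how many hosts."""
    return db.execute(
        "SELECT d.download_md5_hash, COUNT(*) AS offered,"
        " COUNT(DISTINCT c.remote_host) AS hosts"
        " FROM downloads d JOIN connections c ON c.connection = d.connection"
        " GROUP BY d.download_md5_hash"
        " ORDER BY offered DESC, d.download_md5_hash").fetchall()


def gnuplot_data(rows):
    """Render (label, count) rows as the whitespace-separated file gnuplot reads."""
    return "".join(f"{label} {count}\n" for label, count in rows)


if __name__ == "__main__":
    demo = build_demo_db()
    # hosts.dat then plots with: plot "hosts.dat" using 2:xtic(1) with boxes
    with open("hosts.dat", "w") as f:
        f.write(gnuplot_data(top_remote_hosts(demo)))
    for md5, offered, hosts in binaries_by_hash(demo):
        print(md5, offered, hosts)
```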
Visualization
Afterglow+Graphviz

Afterglow+Graphviz
Visualization
Dionaea in action
Interpreting outputs
Some statistics of incoming IPs

The following IPs are just examples

najmi@auber:~$ for i in `awk -F "|" {'print $1'} remotehost.txt`; do echo $i `geoiplookup $i | awk -F "GeoIP Country Edition" {'print $2'}`; done

85.190.0.3: DE, Germany
90.213.218.76: GB, United Kingdom
121.15.166.237: CN, China
60.63.217.200: CN, China
58.23.184.104: CN, China
218.28.19.229: CN, China
124.106.189.225: PH, Philippines
140.211.166.4: US, United States
89.16.176.16: GB, United Kingdom
58.25.39.221: CN, China
75.75.18.53: US, United States
221.212.121.68: CN, China
89.211.159.43: QA, Qatar
212.117.163.190: LU, Luxembourg
213.161.196.11: FR, France
125.60.241.174: PH, Philippines
218.59.235.146: CN, China
Interpreting outputs
Some statistics of incoming IPs

Sorting datasets

najmi@auber:~$ cat list | sort -d | uniq -c | sort -n
  1 FI, Finland
  1 GR, Greece
  1 HK, Hong Kong
  1 LU, Luxembourg
  1 MO, Macau
  1 MX, Mexico
  1 PK, Pakistan
  1 RS, Serbia
  1 RU, Russian Federation
  1 SG, Singapore
  2 AU, Australia
  2 CO, Colombia
  2 CR, Costa Rica
  2 ES, Spain
  2 IR, Iran, Islamic Republic of
  2 NO, Norway
  2 QA, Qatar
  2 SE, Sweden
  2 TH, Thailand
  2 TW, Taiwan
  3 BN, Brunei Darussalam
  3 BR, Brazil
  3 DE, Germany
  3 GB, United Kingdom
  3 KR, Korea, Republic of
  4 CA, Canada
  4 IT, Italy
  5 FR, France
  5 IP Address not found
  5 PH, Philippines
  6 VN, Vietnam
  8 IN, India
  9 EG, Egypt
 13 JP, Japan
 15 TR, Turkey
 17 MY, Malaysia
 21 PE, Peru
 24 US, United States
115 CN, China
Interpreting outputs
Some statistics of incoming IPs

Checking downloaded binaries

We can use any AV, or in Linux simply a CLI-based AV, or some other options, such as the following Ruby-based script from http://hammackj.com/2010/02/22/tool-virustotal-rb/;

$ cat file
042774a2b7784ee0f7462e3ce721ec0f

$ ./virustotal.rb -f file
042774a2b7784ee0f7462e3ce721ec0f: Scanner: a-squared Result: Trojan-Dropper.Win32.Paradrop!IK
042774a2b7784ee0f7462e3ce721ec0f: Scanner: AhnLab-V3 Result: Win32/Korgo.worm.10879
042774a2b7784ee0f7462e3ce721ec0f: Scanner: AntiVir Result: Worm/Korgo.I
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Antiy-AVL Result: Worm/Win32.Padobot.gen
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Authentium Result: W32/Korgo.I
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Avast Result: Win32:Korgo-G
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Avast5 Result: Win32:Korgo-G
-end-