Friday, May 15, 2015

Post #3 (Or "Bot, Begone! Let's Get Dirty With Some Cleanup.") - Part 1

So, let's dig into things a bit, shall we?

I recently had to respond to a potential botnet infection for a client. The company I work for employs OpenDNS Umbrella for managed clients, which allows us to apply their filters to all DNS queries coming from a specific WAN IP. In this particular instance, we received alerts that there were DNS queries coming from the client's WAN IP that were flagged as being related to malware/botnet (separate flags in OpenDNS Umbrella, though one domain can belong to multiple flags) activity.

You can see the requests being made in this image; there are malware requests, botnet requests, and some requests that fall into both categories.

At this point, I typically take four steps. Firstly, I immediately access the client's firewall—which we manage—and kick off a packet capture for any requests destined for the OpenDNS Umbrella botnet WAN IP, as OpenDNS functions by replying to flagged DNS queries with its sinkhole IP to block the traffic. After that, I check our managed anti-virus dashboard to see if any recent threats have been detected. Luckily for me, both actions were fruitful in this case; you will see those results below. After that, I tend to perform some passive analysis of the flagged domains online; again, read on for the results. Finally, I check the client's WAN IP on VirusTracker (https://virustracker.net) and VirusTotal (https://www.virustotal.com/) to see if there has been any history, recent or distant, of malicious activity; neither of these sites turned up anything.

Wireshark, Network Miner, and Fiddler analysis of the single packet hex that I decided to view for this incident; unfortunately, the request I managed to capture was to one of the dead hosts (see below), so I had no response packet in the stream to analyze as well. This will wash out later on in the analysis, however.

List of recent detections by ESET anti-virus from the endpoint in question (information in black has been redacted.)

"ueltjtxxlblbxvw7p.com" (lookup failed)

"ogghhtkcvr9z.com" (148.251.161.138) (https://www.virustotal.com/en/ip-address/148.251.161.138/information/)

"ygcyvrjvau52.com" (lookup failed)

"hzvwwgsjnmkd.com" (lookup failed)

"rgwzptamuyztjn72.com" (lookup failed)

A succinct summary of lookups for the botnet queries flagged by OpenDNS; only one of the domains had an active domain registration at the time of the lookups.

At this point, I now know the IP address, MAC address, etc. of the offending host. As we manage the client's entire network, I was able to locate the host in question very quickly. That is where I am going to terminate this post. In the next post, I will cover accessing the machine, performing live Fiddler captures while the infection was active, and generating a memory dump during infection (plus analysis of said dump.)

See you soon! Be safe out there!

Tuesday, May 12, 2015

Post #2 (Or "MHN, Maltrieve, And A Malicious Internet.")

So, finally got the analysis lab set up to the point where I can actually use it without building it as I go. Last thing I did last night was get the Modern Honey Network (https://github.com/threatstream/mhn) and maltrieve (https://github.com/krmaxwell/maltrieve) running on an Ubuntu box I have completely segregated from the rest of the lab.

I have read a multitude of reports in the past detailing just how quickly a box placed on the public Internet without any protections will suffer attacks, and I have reviewed my own firewall logs every morning long enough to know that port scanning and general poking around is ubiquitous on the public Internet, but to see it broken down and in such a nice format really adds some gravity to the notion. Hoping that dionaea (http://dionaea.carnivore.it/, but I set it up with the MHN deployment script) picks up some decent payloads to analyze soon.

These attacks were logged less than 10 minutes after I opened up the machine to the public Internet.

Maltrieve ran for the first time last night, and in one run it pulled over 1k malicious samples to be reviewed. Probably going to cron it to run every night at the same time so I can keep a fresh stock of samples for analysis.

On the other side of the network pond, finally got enough guest VMs set up to perform both static and dynamic analysis of malware samples that I gather, either automatically via the honeypot or manually as I clean up machines in day-to-day work.

Anyway, just wanted to drop a post and let everyone know that, if you have ever had the pleasure (and I say that with sarcasm) of setting up a honeypot/honeynet manually piece-by-piece, you should definitely try the MHN by ThreatStream. It is amazingly simple to use and they are adding more and more to it all the time.

Cheers, and stay safe out there!

***EDIT (05/14/2015, 17:48 Eastern): I had originally stated that Suricata is an upcoming addition to the MHN, but as it turns out it is already present!