https://github.com/LiamRandall/BroExchange2013-Malware
==================================
Bro Exchange 2013 Malware Analysis
==================================

.. class:: opening

   Bro is an incredibly flexible platform that offers incident responders a wide variety of detection mechanisms coupled with a powerful domain-specific language. In this session we will examine common exploit kits and implement a variety of signature- and heuristic-based detection methods.
Setup
=================================
For all of these exercises we'll be using the files hosted on my GitHub; all malware samples are courtesy of **http://contagiodump.blogspot.com/**

.. exercise::

   First let's get all of the appropriate samples and solutions down to your VM; perform one of the following:

   Download the zipfile directly down to your VM:

   .. console::

      https://github.com/LiamRandall/BroExchange2013-Malware/archive/master.zip

   Or if you'd like to use the git repo:

   .. console::

      git clone https://github.com/LiamRandall/BroExchange2013-Malware.git

   If you need the cheatsheet, you can find it here: http://tinyurl.com/l6gzuwd
Ok, so let us orient ourselves a little bit; we have eight traffic samples and a handful of solutions. As a reminder, we can replay traffic through Bro from the command line with:

.. console::

   bro -r exercise.pcap scriptfile-to-load.bro

It is quite common to launch bro with "local" at the end; this tells bro to load the local site policy it uses at normal startup, in this case stored in /opt/bro/share/bro/site/local.bro.
The two techniques may be combined:

.. console::

   bro -r exercise.pcap local scriptfile-to-load.bro

Ok, one last tip before we get started... you know how to use **bro-cut**, right? Pass it one or more column names and quickly generate powerful summary statistics:

.. console::

   less http.log | bro-cut user_agent resp_mime_types | sort | uniq -c | sort -n
Resources
=================================
If you are new to malware analysis or Bro, there are some wonderful resources out there to help get you up to speed. Beyond the usual suspects, it is helpful to understand that there are common exploit kits that lead to malware deployments. Understanding the exploits available in the various exploit kits can help to cover a lot of ground:
MALWARE TRAFFIC PATTERNS:
https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa1dDFfWHduQlA5THBRd081eFhsZThwUlE#gid=0
EXPLOIT PACK TABLE 2013:
https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa1dE9EVGhjeUhvQTNReko3c2xhTmphLUE#gid=0
1-blackhole-medfos
=================================
.. exercise::

   Let's get started with a couple of warm-up exercises. Blackhole is one of the most common and frequently updated exploit kits around. Let's see what they look like with Bro's new File Analysis Framework.

   .. console::

      bro -r EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04.pcap

   How many executable files were downloaded?

   .. visible_solution::

      ::

         less files.log | grep "application" | wc -l

   What notices were fired?

   .. console::

      less notice.log

Ok, that was a pretty easy one; let's do another warm-up. Did you see the unanalyzed traffic in conn.log? It doesn't match any protocol that Bro can speak; let's look at a couple more and we'll come back to that.

Contagio has posted an analysis of this one:
http://contagiodump.blogspot.com/2012/09/cve-2012-4681-samples-original-apt-and.html
2-blackhole_v2-2012-09
=================================
Let's look at another sample.

3-mswab_yayih
=================================
The hardest part about Bro is wrapping your head around all of the various use cases; there are just an incredible number of tools at your disposal. Did you know that Bro has a signature framework?
http://www.bro.org/sphinx/scripts/base/frameworks/signatures/main.html

Let's take a look at some things we've got included right out of the box. Ok, let's use the OODA loop on this one.

.. console::

   bro -r Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap local

What protocols are being spoken on which ports?

.. console::

   less conn.log | bro-cut id.orig_h id.resp_h proto service id.resp_p | sort | uniq -c | sort -n

.. console::

   1 10.0.2.15 199.192.156.134 tcp - 443
   4 10.0.2.15 4.2.2.4 udp dns 53
   6 10.0.2.15 199.192.156.134 tcp http 443

Well, http on port 443? That's atypical. Let's dig a little further. What does the http traffic look like?

Now let's check the notice.log. What is Bro trying to tell you?

Now let's check the **signature.log**. Wow, a Windows shell tunneled over HTTP on port 443.
4-smokekt150
=================================
We have Bro identifying signatures in ports and protocols that it understands; in this example, we are going to have Bro key on a specific protocol-related feature.

Let's replay the sample with Bro:

.. console::

   bro -r EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local

Explore the log files; I see a number of potential candidates for items we could fire on. Let's look a little deeper:

.. console::

   bro -r EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local ../solutions/extract-header-names-and-values.bro

Now let's investigate the http.log a little further. There is one indicator that may stand out:

.. console::

   le
5-tbot
=================================
6-zeroaccess
=================================
7-purplehaze-pihar
=================================
TDL4 reloaded: Purple haze all in my brain:
http://www.welivesecurity.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain/
TDL4 - Purple Haze (Pihar) Variant- sample and analysis
http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html
8-lurk
=================================
.. visible_solution::

   ::

      -----------
      192.168.1.102 did 17 total and 6 unique DNS requests in the last 6 hours.
      192.168.1.103 did 18 total and 6 unique DNS requests in the last 6 hours.
      192.168.1.104 did 20 total and 10 unique DNS requests in the last 6 hours.
      -----------
      192.168.1.102 did 430 total and 343 unique DNS requests in the last 6 hours.
      192.168.1.103 did 219 total and 168 unique DNS requests in the last 6 hours.
      192.168.1.105 did 508 total and 306 unique DNS requests in the last 6 hours.
      192.168.1.104 did 112 total and 90 unique DNS requests in the last 6 hours.
      -----------
.. exercise::

   Now we can go a slightly different direction and set a threshold on the number
   of unique DNS requests. Use the same bit of code from above for doing the
   observation but replace the bro_init event handler from the previous exercise
   with the following code in a new file named "sumstats-2.bro".

   .. code:: bro

      event bro_init()
          {
          local r1 = SumStats::Reducer($stream="dns.lookup", $apply=set(SumStats::UNIQUE));
          SumStats::create([$name="dns.thresholding",
                            $epoch=6hrs,
                            $reducers=set(r1),
                            $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                                {
                                return result["dns.lookup"]$unique+0.0;
                                },
                            $threshold=150.0,
                            $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                                {
                                print fmt("%s did more than 150 unique requests!", key$host);
                                }]);
          }

   Now run

   .. console::

      bro -r exercise-traffic.pcap sumstats-2.bro

   .. visible_solution::

      ::

         192.168.1.103 did more than 150 unique requests!
         192.168.1.105 did more than 150 unique requests!
         192.168.1.102 did more than 150 unique requests!
Part 2: Probabilistic Top-K
===========================
There are times where the top most frequently seen things are something
that is interesting from a performance monitoring, network tuning, or
even security perspective. Bro 2.2's new probabilistic Top-K support
can provide that data in a