Detecting Botnet Propagation

Transcription

1 Detecting Botnet Propagation How to confirm maliciousness

2 Table of Contents This paper describes techniques that should only be performed by qualified experts in a controlled and isolated environment. Any attempt to recreate or duplicate the descriptions are at your own risk. This white paper was written by: Tony Lee Principal Security Consultant McAfee Foundstone Professional Services The Environment...3 Initial Discovery...4 Tale of Two Events...5 Suspicious event 1 TFTP...5 Suspicious event 2 HTTP...9 Static and Dynamic Analysis...14 File information...14 Imports Registry keys...14 Files involved...14 DNS requests...14 What Now?...15 Conclusion...15 About the Author...15 About McAfee Foundstone Professional Services...16 Detecting Botnet Propagation 2

3 Discovering and triaging network nastiness can be tricky at times so it helps to have some tools and techniques to aid you in that task. This paper explains botnet propagation techniques uncovered during a recent investigation along with the tools and techniques used to quickly evaluate two separate events. From discovery to confirmation, it should not take more than 10 to 15 minutes per event if the proper environment is already established. Warning: Please take great care when surfing to or obtaining files from any of the addresses listed in this paper these programs are designed to spread quickly and maintain persistence. The Environment Detection and analysis environments can vary widely. The environment outlined in this paper was used to quickly triage events. Other devices can be substituted or added as necessary, but it may be helpful to explain our core detection and analysis setup. McAfee Global Threat Intelligence Internet URL Web File Network Signatures File Mismatch Internal Analysis Antivirus Shell Code McAfee Network Threat Response Stage 1 Samples Share [File Drop] Automated Analysis File Scan Encoding Analysis Engine ValidEdge Manual Analysis Stage 3 Analyst Analysis Share [Reports] Stage 2 Cuckoo Figure 1. The environment used to detect and quickly analyze the propagation outlined in this paper. The environment shown in Figure 1 is designed for rapid detection and triaging of events. Stage 1 of the environment leverages a McAfee Network Threat Response appliance part of the Intel Security product offering which captures traffic from the Internet and uses a series of internal criteria to determine maliciousness. It contains the following detection mechanisms: 1. Network signatures. 2. Antivirus definitions. 3. File reputation (McAfee Global Threat Intelligence). 4. IP and URL reputation (McAfee TrustedSource ) technology. 5. Static file analysis: a. Hidden information. b. Shellcode detection. c. Obfuscation detection. Detecting Botnet Propagation 3

4 McAfee Network Threat Response can be used to view the detection, raw traffic, decoded traffic, parties involved, and file metadata. If a file is determined to be malicious, McAfee Network Threat Response can alert the analyst to an event and send the carved file to an automated analysis engine, which performs static and dynamic analysis to produce an automated analysis report. The analyst can review the report and then make a decision as to whether further analysis is necessary. Since stage 3 analysis is a manual process performed by a human being, it is costly in time, money, and resources. Initial Discovery Finding malicious packets in a sea of packets is a difficult task. Fortunately, there are products that spend all of their CPU cycles looking for them. The product that we happen to have deployed is McAfee Network Threat Response. McAfee Network Threat Response dashboard notifies analysts of anomalies, as shown in Figure 2 below. While investigating shellcode detections, we ran across two unrelated, but very interesting, events. Figure 2. McAfee Network Threat Response dashboard. Detecting Botnet Propagation 4

5 Tale of Two Events What made the two suspicious events in the McAfee Network Threat Response dashboard most interesting is that they served up different bots and used different propagation techniques and protocols. Suspicious event 1 TFTP After clicking on the shellcode event, we see the session detail of the two hosts involved in the first incident: Source Host: XX.XXX Source Port: 1922 Destination Host: XX.XXX Destination Port: 135 Figure 3. Session details of the event after clicking on the dashboard indicator. In the session view shown above, McAfee Network Threat Response gives us the option to drill down and view the raw network traffic by clicking on the TCP hyperlink. The traffic was illegible in its raw form; however, McAfee Network Threat Response detected that it was XOR encoded with a static hex value of 0x13. From there, it was possible to leverage McAfee Network Threat Response s shellcode detector (shown in the screenshot below) to apply the key and decode the traffic. The decoded traffic revealed a TFTP file transfer request back to the suspected attacker s address for a file called host.exe. TFTP is a very common file transfer protocol used by attackers and worms to transfer additional files (such as hacking tools or malicious software) to and from a remote host. Detecting Botnet Propagation 5

6 Figure 4a. Detailed view of raw traffic and McAfee Network Threat Response decoded traffic. Raw traffic reveals a potential signature of MEOW and decoded traffic reveals the propagation mechanism. Figure 4b. Magnified view of raw and decoded traffic in Figure 4a. Oddly, within the raw encoded traffic, the string MEOW appears multiple times. This could be potentially used as a signature to detect this malicious traffic. To more easily explain the propagation method, we have diagrammed the events. Detecting Botnet Propagation 6

7 Figure 5. The first stage in the propagation. The diagram above depicts the attacker remotely issuing the TFTP command to the victim. This command will be executed on the victim s system, which communicates back to the attacker s system to obtain the host.exe file (as shown in the Figure 6 diagram). Figure 6. The resulting transfer. Detecting Botnet Propagation 7

8 So what is this host.exe? It doesn t sound too bad, right? Running the MD5 hash through VirusTotal.com confirmed our suspicions that this is an undesirable file. Figure 7. Results of running the hash through VirusTotal. It appears that it is an Internet worm (Win32/Sdbot) that spreads through weak Microsoft Windows credentials on network shares. According to McAfee Labs, this worm has the following characteristics: Exploits the MS vulnerability. Provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker). Propagates to machines with poorly secured network shares (weak username/password combinations) or accessible share (where local credentials are sufficient to write files to other systems). Propagates to remote machines (it generates random IPs) by attempting to copy itself to a number of shares. The bot also listens locally on a random high TCP port, as well as UDP port 69 (presumably for use in TFTP callback attacks). Analysis suggests the bot provides its author with extensive control functions such as downloading additional software or updates, control and reporting for further spreading, reporting host system characteristics, and others. Source: Detecting Botnet Propagation 8

9 Suspicious event 2 HTTP A second, believed-to-be-unrelated event was also detected and the session details are shown below: Source Host: XX.XXX Source Port: Destination Host: XX.XX Destination Port: 445 Figure 8. Session details after clicking on the dashboard show the hosts and ports involved. Detecting Botnet Propagation 9

10 Inspecting the raw traffic of this session yields more encoded traffic this time XOR d with the static key of 0x85. When decoded, it appears that the attacker is issuing an HTTP request to a third-party server hosting the dd.exe file. Figure 9a. Decoded suspicious traffic yields an HTTP request. Figure 9b. Magnified view of raw and decoded traffic in Figure 9a. Detecting Botnet Propagation 10

11 A WHOIS query using DomainTools.com shows that the server hosting the file is registered in Russia. Figure 10. Contact details for the organization that registered the web server that is hosting our malicious dd.exe. We have once again diagrammed the attacker-to-victim communication to more easily explain the propagation method. Figure 11. The first stage in the propagation. The image above shows the initial communication with the host. The attacker instructs the victim to make a request to a web server at hxxp:// to obtain the dd.exe executable. The victim then downloads the file, as shown in Figure 12. Detecting Botnet Propagation 11

12 Figure 12. Diagram shows the victim reaching out to the Russian malware repository in order to grab dd.exe. The name, dd.exe, is a commonly used name for the Windows port of the *nix disk copy tool, however upon inspection, it was determined that the executable hosted within the malware repository was not this tool. The file was then sent to VirusTotal.com to determine if a known signature could be found. Figure 13. At the time, VirusTotal showed 21 out of 46 virus engines detected this malware. Detecting Botnet Propagation 12

13 VirusTotal.com identified the dd.exe file as a known malicious file. McAfee classified this particular variant as PWS-Zbot.gen.arj. According to McAfee Labs, there is antivirus coverage in a.dat file, and the malware proliferation is heaviest in Russia. This information seems to reinforce our findings. Figure 14. McAfee Labs heat map showing the proliferation of zbot. Detecting Botnet Propagation 13

14 Static and Dynamic Analysis Cuckoo Sandbox was used to further analyze the host.exe and dd.exe binaries. Cuckoo Sandbox is an extremely powerful tool available as part of the NTR CADS framework used for stage-two automated analysis. Just a sample of the stage-two analysis is shown below on dd.exe. File information File Name File Size File Type CRC32 MD5 SHA1 SHA256 dd.exe bytes PE32 executable (GUI) Intel 80386, for MS Windows AFAB5FC6 00c713ad2f0b189db600dfdc730b5034 7b9e1c5e95538c48a4a16ca2fdf90a9cdbe3a466 f116b4fba18b5b12f04b4b0d31df7701bac1440d9e82659be258efaf3fbd8808 Imports Library KERNEL32.dll: DNS requests Hostname tv.zabetwo.com 0x ExitProcess 0x VirtualFree 0x lstrcmpw 0x40700c - MultiByteToWideChar 0x GetCommandLineA 0x HeapSetInformation 0x GetStartupInfoW 0x40701c - TerminateProcess 0x GetCurrentProcess 0x UnhandledExceptionFilter 0x SetUnhandledExceptionFilter 0x40702c - IsDebuggerPresent 0x GetProcAddress 0x GetModuleHandleW 0x DecodePointer 0x40703c - WriteFile 0x GetStdHandle 0x GetModuleFileNameW 0x GetModuleFileNameA 0x40704c - FreeEnvironmentStringsW 0x WideCharToMultiByte 0x GetEnvironmentStringsW 0x SetHandleCount 0x40705c - InitializeCriticalSectionAndSpinCount 0x GetFileType 0x DeleteCriticalSection 0x EncodePointer 0x40706c - TlsAlloc 0x TlsGetValue 0x TlsSetValue 0x TlsFree 0x40707c - InterlockedIncrement 0x SetLastError 0x GetCurrentThreadId 0x GetLastError 0x40708c - InterlockedDecrement 0x HeapCreate 0x QueryPerformanceCounter 0x GetTickCount 0x40709c - GetCurrentProcessId 0x4070a0 - GetSystemTimeAsFileTime 0x4070a4 - LeaveCriticalSection 0x4070a8 - EnterCriticalSection 0x4070ac - LoadLibraryW 0x4070b0 - GetCPInfo 0x4070b4 - GetACP 0x4070b8 - GetOEMCP 0x4070bc - IsValidCodePage 0x4070c0 - HeapFree 0x4070c4 - Sleep 0x4070c8 - RtlUnwind 0x4070cc - HeapSize 0x4070d0 - LCMapStringW 0x4070d4 - GetStringTypeW 0x4070d8 - HeapAlloc 0x4070dc - HeapReAlloc 0x4070e0 - IsProcessorFeaturePresent Registry keys HKEY_LOCAL_MACHINE\SYSTEM\ Setup Files involved C:\ C:\analyzer\ C:\WINDOWS\system32\shell32.dll C:\WINDOWS\system32\shell32. dll.124.manifest C:\WINDOWS\system32\shell32. dll.124.config Detecting Botnet Propagation 14

15 What Now? At this point, since we have confirmed that these files are malicious, we need to do some clean up. Using McAfee Network Threat Response session analysis, we can pivot around the attacking host and see all of the other hosts that were potentially compromised through communication with the infected host. If the host falls under our administration, we can have it removed from the network and re-imaged. Otherwise, if the host is out of our administrative control, we may block communication to the infected host. To prevent further outbreak, a review of policies and procedures should take place to address the root cause of the infection and propagation. Conclusion This traffic is difficult to detect and analyze without the proper people, processes, and technology in place. You don t necessarily need to do reverse engineering; however, it is helpful to be able to do first- and second-stage triaging in order to gain perspective on the sophistication and damage that is constantly knocking at the door. Utilizing a tool like McAfee Network Threat Response can give you an immediate starting point for your investigation and take a significant amount of analysis and condense it down to a few minutes. About the Author Tony Lee has more than eight years of professional experience pursuing his passion in all areas of information security. He is a principal security consultant at McAfee Foundstone Professional Services part of the Intel Security product and service offering in charge of advancing many of the network penetration service lines. His interests include Citrix and kiosk hacking, post exploitation, and SCADA exploitation. As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7 and was a lead instructor for a series of classes that includes McAfee Foundstone s Ultimate Hacking (UH), UH: Windows, UH: Expert, UH: Wireless, and UH: Web. He holds a bachelor of science in computer engineering from Virginia Polytechnic Institute and State University and a master of science in security informatics from The Johns Hopkins University. Detecting Botnet Propagation 15

16 About McAfee Foundstone Professional Services McAfee Foundstone Professional Services, a division of McAfee, part of Intel Security, offers expert services and education to help organizations continuously and measurably protect their most important assets from the most critical threats. Through a strategic approach to security, McAfee Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company s professional services team consists of recognized security experts and authors with broad security experience with multinational corporations, the public sector, and the US military. About Intel Security McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security is combining the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security s mission is to give everyone the confidence to live and work safely and securely in the digital world. McAfee. Part of Intel Security Mission College Boulevard Santa Clara, CA Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee, the McAfee logo, Foundstone, and TrustedSource are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2013 McAfee, Inc wp_botnet-prop_0113B_ETMG