Welcome
najmi@kict.iiu.edu.my
Created with LATEX
Agenda I
1 What this presentation covers. . .
2 Intro
3 Malware origin
4 Malware infection method
5 Malware behavior
6 Malware Communication
Robot network botnet
Vicious circle of evils
Logging communications
Logs
Graphviz diagram
Logs
Logs in a table
Some math stuffs
Muhammad Najmi myGOSSCON 2009, Malaysia
Agenda II
Capabilities
Issues in malware containment
7 Selection of solutions
IDS
Antivirus and friends
Reporting sensors
8 Nepenthes Honeypot
Setup
Setup
Malware flow illustrated
9 Amun Honeypot
List of open connections
10 SurfIDS
Agenda III
11 New honeypot
Dionaea
13 Conclusion
User’s perspective
Host level
IT admin perspective
Network level, policy level
Focus. . .
Agenda
1 What this presentation covers. . .
2 Intro
3 Malware origin
4 Malware infection method
5 Malware behavior
6 Malware Communication
7 Selection of solutions
8 Nepenthes Honeypot
9 Amun Honeypot
10 SurfIDS
11 New honeypot
12 Toying with binaries
13 Conclusion
Intro to Malware
What is malware
Botnets
Deceived malware
192.168.2.82 -> 192.168.1.245 ftp://1:1@192.168.2.82:8519/setup42278.exe
192.168.2.131 -> 192.168.1.251 ftp://1:1@192.168.2.131:13552/setup51182.exe
192.168.2.82 -> 192.168.1.234 ftp://1:1@192.168.2.82:8519/setup60058.exe
192.168.2.58 -> 192.168.1.248 ftp://1:1@192.168.2.58:5399/setup15538.exe
192.168.2.131 -> 192.168.1.243 ftp://1:1@192.168.2.131:13552/setup14445.exe
192.168.2.82 -> 192.168.1.231 ftp://1:1@192.168.2.82:8519/setup13836.exe
192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/eraseme22402.exe
192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/setup75276.exe
192.168.2.88 -> 192.168.1.248 ftp://1:1@192.168.2.88:26655/setup17788.exe
192.168.2.131 -> 192.168.1.231 ftp://1:1@192.168.2.131:13552/setup24346.exe
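The log excerpt above is what the later "Logs in a table" and "Graphviz diagram" slides are built from. As an added example (not code from the slides or from Nepenthes/Amun), the following Python parses lines in that `attacker -> victim URL` shape, builds the per-source table, flags sources whose download URL points back at themselves, and emits Graphviz DOT for the infection graph. The ten log lines are transcribed from the slide (private 192.168.x.x addresses only); the field names, regex and table layout are this example's own choices.

```python
import re

# Download records as a Nepenthes/Amun-style sensor logs them, transcribed from
# the slide's "Deceived malware" excerpt: <attacker> -> <victim> <download URL>.
# All addresses are private 192.168.x.x; no real hosts are involved.
LOG_LINES = [
    "192.168.2.82 -> 192.168.1.245 ftp://1:1@192.168.2.82:8519/setup42278.exe",
    "192.168.2.131 -> 192.168.1.251 ftp://1:1@192.168.2.131:13552/setup51182.exe",
    "192.168.2.82 -> 192.168.1.234 ftp://1:1@192.168.2.82:8519/setup60058.exe",
    "192.168.2.58 -> 192.168.1.248 ftp://1:1@192.168.2.58:5399/setup15538.exe",
    "192.168.2.131 -> 192.168.1.243 ftp://1:1@192.168.2.131:13552/setup14445.exe",
    "192.168.2.82 -> 192.168.1.231 ftp://1:1@192.168.2.82:8519/setup13836.exe",
    "192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/eraseme22402.exe",
    "192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/setup75276.exe",
    "192.168.2.88 -> 192.168.1.248 ftp://1:1@192.168.2.88:26655/setup17788.exe",
    "192.168.2.131 -> 192.168.1.231 ftp://1:1@192.168.2.131:13552/setup24346.exe",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Hypothetical line format, matching the slide: src -> dst scheme://[user:pass@]host[:port]/path
LINE_RE = re.compile(
    rf"^(?P<src>{IPV4})\s*->\s*(?P<dst>{IPV4})\s+"
    r"(?P<scheme>[a-z]+)://(?:(?P<user>[^:@/]*):(?P<password>[^@/]*)@)?"
    rf"(?P<host>{IPV4}|[\w.-]+)(?::(?P<port>\d+))?/(?P<path>\S+)$"
)

def parse_line(line):
    """One log line -> dict of fields, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"]) if rec["port"] else None
    return rec

def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]

def summarize(records):
    """Per attacking source: distinct victims, serving ports, distinct payload names."""
    table = {}
    for r in records:
        e = table.setdefault(r["src"], {"victims": set(), "ports": set(), "files": set()})
        e["victims"].add(r["dst"])
        e["ports"].add(r["port"])
        e["files"].add(r["path"])
    return table

def self_serving(records):
    """Sources whose download URL points back at themselves: the infected host runs
    its own FTP server to hand out the payload, the worm-like pattern on the slide."""
    return sorted({r["src"] for r in records if r["host"] == r["src"]})

def format_table(table):
    rows = [f"{'source':<15} {'victims':>7} {'ports':<8} {'files':>5}"]
    for src in sorted(table, key=lambda s: tuple(int(o) for o in s.split("."))):
        e = table[src]
        ports = ",".join(str(p) for p in sorted(p for p in e["ports"] if p is not None))
        rows.append(f"{src:<15} {len(e['victims']):>7} {ports:<8} {len(e['files']):>5}")
    return "\n".join(rows)

def to_dot(records):
    """Graphviz DOT source: one attacker -> victim edge per download, labelled with the file."""
    out = ["digraph infections {", "  rankdir=LR;", '  node [shape=box, fontname="monospace"];']
    for r in records:
        out.append(f'  "{r["src"]}" -> "{r["dst"]}" [label="{r["path"]}"];')
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print(format_table(summarize(recs)))
    print("self-serving sources:", ", ".join(self_serving(recs)))
    print(to_dot(recs))  # pipe into: dot -Tpng -o infections.png
```

Run as a script it prints the table and the DOT text; feeding the DOT to `dot -Tpng` gives the kind of diagram shown on the "Graphviz diagram" slide. Every source in this excerpt is self-serving, which is the signature of a worm that carries its own download server rather than fetching from a fixed drop site.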
Visualization program
Zoom in!
Zoom in!
$\frac{da}{dt} = K a (1 - a)$
Explanation by Goranin et al. (2008)
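As an added worked solution of the equation above (not on the original slide), reading $a$ as the fraction of the vulnerable population that is infected and $K$ as the infection rate, which is the usual interpretation of this logistic model and is an assumption here:

```latex
\begin{align*}
\frac{da}{dt} &= K a (1 - a), \qquad a(0) = a_0, \quad 0 < a_0 < 1 \\[4pt]
\frac{da}{a(1-a)} &= K\,dt, \qquad \frac{1}{a(1-a)} = \frac{1}{a} + \frac{1}{1-a} \\[4pt]
\ln a - \ln(1-a) &= Kt + C
  \quad\Longrightarrow\quad \frac{a}{1-a} = \frac{a_0}{1-a_0}\, e^{Kt} \\[4pt]
a(t) &= \frac{1}{1 + \dfrac{1-a_0}{a_0}\, e^{-Kt}}
\end{align*}
```

Three consequences follow directly. While $a \ll 1$ the term $1 - a \approx 1$, so $a(t) \approx a_0 e^{Kt}$: early spread is exponential, with doubling time $\ln 2 / K$. The spread is fastest where $\frac{d^2 a}{dt^2} = K(1 - 2a)\frac{da}{dt} = 0$, i.e. at $a = \tfrac12$, reached at $t^* = \frac{1}{K}\ln\frac{1-a_0}{a_0}$ (substituting $t^*$ into $a(t)$ gives exactly $\tfrac12$). Finally $a(t) \to 1$ as $t \to \infty$: without patching or containment every vulnerable host is eventually reached, which is why the rest of the talk is about detection and containment.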
What it does
Mass scanning
Find vulnerable machines
Since it's a parasite, it starts consuming its host's resources
Processing power
Storage
Issue
Intrusion Detection/Prevention
Snort
Hogwash
Snort inline
SurfIDS
AV related tools
WinPooch: seems abandoned, hence abandonware; it works side by side with ClamAV or Bitdefender
ClamAV: currently under Sourcefire; Sourcefire sponsors Snort IDS too
Methods
Deploy sensors
IDS/IPS
Honeypot
Network Management System, e.g : OpenNMS
Collect binaries
A Nepenthes sensor, for example, allows automated binary
submission to sandboxes
Turn on reporting
Analyze infected host
Clean up infected host
Honeypot
Light interaction                                   Heavy interaction
Emulates potentially vulnerable services,           A dedicated machine, which emulates a real
i.e. HTTP, FTP, SSH                                 machine and software
Most of the time attracts automated malware         Difficult (relatively)
                                                    Known to attract a real attacker (human)
Comparison
Light interaction: Nepenthes, Glastopf, Labrea, tinyhoneypot, Honeyd, Amun, Dionaea, Kojoney
Heavy interaction: Capture-HPC
FFdetect: detects fast-flux domains
CaptureBAT: analyzes outputs from Capture-HPC
Malzilla
Nepenthes setup
Nepenthes setup
Amun. . .
najmi@notre-dame:~/Desktop/amun$ sudo ./amun_server.py
[sudo] password for najmi:
(Amun ASCII-art banner)
starting Amun server...
.::[Amun - Main] all servers listening on: 0.0.0.0 ::.
.::[Amun - Main] loading vulnerability modul vuln-ms08067 ::.
.::[Amun - Main] loading vulnerability modul vuln-wins ::.
.::[Amun - Main] loading vulnerability modul vuln-axigen ::.
.::[Amun - Main] loading vulnerability modul vuln-slmail ::.
...........
.::[Amun - Decoder] compiling bonn xor decoder ::.
.::[Amun - Decoder] compiling plain1 shellcode ::.
.::[Amun - Decoder] compiling plain2 shellcode ::.
.::[Amun - amun_server] Port already in use: IP: 0.0.0.0 Port: 25 ::.
.::[Amun - Main] ready for evil orders :::.
Open connections
What is SurfIDS
Dionaea
Before . . .
$ nmap localhost
Execute . . .
$ /opt/dionaea/bin/dionaea -l all,-debug -L '*'
Dionaea Version 0.1.0
Compiled on Linux/x86 at Oct 31 2009 00:23:48 with gcc 4.3.3
Started on notre-dame running Linux/i686 release 2.6.28-15-generic
After . . .
$ nmap localhost
Check services . . .
dionaea 4590 root 8u IPv4 176514 TCP 127.0.0.1:80 (LISTEN)
dionaea 4590 root 9u IPv4 176515 TCP 127.0.0.1:443 (LISTEN)
dionaea 4590 root 10u IPv4 176518 UDP 127.0.0.1:69
dionaea 4590 root 11u IPv4 176519 TCP 127.0.0.1:21 (LISTEN)
dionaea 4590 root 12u IPv4 176520 TCP 127.0.0.1:42 (LISTEN)
dionaea 4590 root 13u IPv4 176521 TCP 127.0.0.1:445 (LISTEN)
dionaea 4590 root 14u IPv4 176522 TCP 127.0.0.1:135 (LISTEN)
dionaea 4590 root 15u IPv6 176523 TCP [::1]:80 (LISTEN)
dionaea 4590 root 16u IPv6 176524 TCP [::1]:443 (LISTEN)
dionaea 4590 root 17u IPv6 176529 UDP [::1]:69
dionaea 4590 root 18u IPv6 176530 TCP [::1]:21 (LISTEN)
dionaea 4590 root 19u IPv6 176531 TCP [::1]:42 (LISTEN)
dionaea 4590 root 20u IPv6 176532 TCP [::1]:445 (LISTEN)
dionaea 4590 root 21u IPv6 176533 TCP [::1]:135 (LISTEN)
dionaea 4590 root 22u IPv4 176534 TCP 192.168.2.2:80 (LISTEN)
dionaea 4590 root 23u IPv4 176535 TCP 192.168.2.2:443 (LISTEN)
dionaea 4590 root 24u IPv4 176542 UDP 192.168.2.2:69
dionaea 4590 root 25u IPv4 176543 TCP 192.168.2.2:21 (LISTEN)
dionaea 4590 root 26u IPv4 176544 TCP 192.168.2.2:42 (LISTEN)
dionaea 4590 root 27u IPv4 176545 TCP 192.168.2.2:445 (LISTEN)
dionaea 4590 root 28u IPv4 176546 TCP 192.168.2.2:135 (LISTEN)
dionaea 4590 root 29u IPv6 176549 TCP [fe80::213:ceff:feba:cedf]:80 (LISTEN)
dionaea 4590 root 30u IPv6 176554 TCP [fe80::213:ceff:feba:cedf]:443 (LISTEN)
dionaea 4590 root 31u IPv6 176567 UDP [fe80::213:ceff:feba:cedf]:69
dionaea 4590 root 32u IPv6 176572 TCP [fe80::213:ceff:feba:cedf]:21 (LISTEN)
dionaea 4590 root 33u IPv6 176577 TCP [fe80::213:ceff:feba:cedf]:42 (LISTEN)
dionaea 4590 root 34u IPv6 176582 TCP [fe80::213:ceff:feba:cedf]:445 (LISTEN)
dionaea 4590 root 35u IPv6 176587 TCP [fe80::213:ceff:feba:cedf]:135 (LISTEN)
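The listing above is the check that the honeypot really exposes the services it is meant to emulate, on every address, and nothing else. As an added example (not from the slides or from the dionaea project), the following Python parses lines in that `lsof -i -n -P` shape, keeps only listening TCP and bound UDP sockets, and reports per address which expected services are missing and which listeners are not part of the intended emulation. The expected port set is the one visible on the slide; the LISTEN lines are a subset of the slide's listing, and the last two input lines are constructed to exercise the "unexpected listener" and "not a service" paths.

```python
import re
from collections import defaultdict

# Output in the shape of `lsof -i -n -P` for the dionaea process. The LISTEN
# lines are a subset of the slide's listing; the last two are constructed.
LSOF_LINES = [
    "dionaea 4590 root 8u IPv4 176514 TCP 127.0.0.1:80 (LISTEN)",
    "dionaea 4590 root 9u IPv4 176515 TCP 127.0.0.1:443 (LISTEN)",
    "dionaea 4590 root 10u IPv4 176518 UDP 127.0.0.1:69",
    "dionaea 4590 root 22u IPv4 176534 TCP 192.168.2.2:80 (LISTEN)",
    "dionaea 4590 root 23u IPv4 176535 TCP 192.168.2.2:443 (LISTEN)",
    "dionaea 4590 root 24u IPv4 176542 UDP 192.168.2.2:69",
    "dionaea 4590 root 25u IPv4 176543 TCP 192.168.2.2:21 (LISTEN)",
    "dionaea 4590 root 26u IPv4 176544 TCP 192.168.2.2:42 (LISTEN)",
    "dionaea 4590 root 27u IPv4 176545 TCP 192.168.2.2:445 (LISTEN)",
    "dionaea 4590 root 28u IPv4 176546 TCP 192.168.2.2:135 (LISTEN)",
    "dionaea 4590 root 29u IPv6 176549 TCP [fe80::213:ceff:feba:cedf]:80 (LISTEN)",
    # constructed: a listener that is not part of the intended emulation
    "dionaea 4590 root 40u IPv4 176600 TCP 192.168.2.2:8080 (LISTEN)",
    # constructed: an accepted connection, which is not a service and must be ignored
    "dionaea 4590 root 41u IPv4 176601 TCP 192.168.2.2:445->192.168.2.131:3412 (ESTABLISHED)",
]

# Services the honeypot is meant to emulate, as listed on the slide: (proto, port).
EXPECTED = {("TCP", 21), ("TCP", 42), ("UDP", 69), ("TCP", 80),
            ("TCP", 135), ("TCP", 443), ("TCP", 445)}

SOCK_RE = re.compile(
    r"\s(?P<proto>TCP|UDP)\s+"
    r"(?P<addr>\[[0-9a-fA-F:.]+\]|\d{1,3}(?:\.\d{1,3}){3}|\*):(?P<port>\d+)"
    r"(?:->\S+)?"                      # peer address on connected sockets
    r"(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)

def parse_lsof(lines):
    """(proto, address, port) for every socket that offers a service:
    TCP sockets in LISTEN state and all bound UDP sockets."""
    socks = []
    for line in lines:
        m = SOCK_RE.search(line)
        if m is None:
            continue
        proto, state = m.group("proto"), m.group("state")
        if proto == "TCP" and state != "LISTEN":
            continue  # established or closing connection, not a listener
        socks.append((proto, m.group("addr").strip("[]"), int(m.group("port"))))
    return socks

def audit(socks, expected=EXPECTED):
    """Per bound address: expected services that are missing, and listeners
    that are not part of the intended emulation."""
    bound = defaultdict(set)
    for proto, addr, port in socks:
        bound[addr].add((proto, port))
    return {addr: {"missing": sorted(expected - b), "unexpected": sorted(b - expected)}
            for addr, b in bound.items()}

def problems(report):
    """Addresses whose exposure differs from the intended set."""
    return sorted(a for a, r in report.items() if r["missing"] or r["unexpected"])

if __name__ == "__main__":
    for addr, r in audit(parse_lsof(LSOF_LINES)).items():
        print(f"{addr}: missing={r['missing']} unexpected={r['unexpected']}")
```

In practice the input comes from `lsof -i -n -P -a -c dionaea` on the sensor; anything in `unexpected` is a port the honeypot is advertising that was never intended (here the constructed 8080), and anything in `missing` on the externally reachable address means the emulation is not actually presenting that service to the network.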
Analysis of binaries I
Static Analysis
*nix strings, strace, ltrace, lsof
Objdump
readelf
OllyDbg, though free, is yet to be open sourced
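`strings` is the first of the static tools listed above, and the reason it is so useful on a captured binary is that a Windows executable keeps much of its text as UTF-16LE, which the default ASCII scan misses. As an added example (not from the slides), the following Python reimplements the core of `strings` for both encodings and flags the strings an analyst looks at first: URLs and references to executables and DLLs. The sample bytes are constructed inline (an MZ header fragment, a few typical ASCII strings, the download URL from the "Deceived malware" slide encoded as UTF-16LE, and noise); it is not a real binary.

```python
import re

# Constructed stand-in for a downloaded sample: a fragment of an MZ header,
# a few ASCII strings of the kind found in Windows executables, one UTF-16LE
# string (the download URL logged on the "Deceived malware" slide) and noise.
# Built inline so the block runs offline; it is not a real binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"\x01\x02\x03KERNEL32.dll\x00\x00URLDownloadToFileA\x00\x7f\x80\x81"
    + "ftp://1:1@192.168.2.82:8519/setup42278.exe".encode("utf-16-le")
    + b"\x00\x00\xfe\xed"
)

PRINTABLE = rb"[\x20-\x7e]"   # the byte range GNU strings treats as printable ASCII

def ascii_strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes (what `strings` prints by default)."""
    pat = PRINTABLE + b"{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]

def utf16le_strings(data, min_len=4):
    """Runs of printable ASCII stored as UTF-16LE, i.e. each character followed by
    a NUL byte, as Windows binaries store most of their text (`strings -el`)."""
    pat = b"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]

def all_strings(data, min_len=4):
    return ascii_strings(data, min_len) + utf16le_strings(data, min_len)

# Patterns an analyst triages first; hypothetical choice for this example.
INTERESTING = re.compile(r"(?i)\b(?:https?|ftp)://|\.(?:exe|dll)\b")

def interesting(strings):
    """Strings worth a second look: URLs and references to executables/DLLs."""
    return [s for s in strings if INTERESTING.search(s)]

if __name__ == "__main__":
    hits = set(interesting(all_strings(SAMPLE)))
    for s in all_strings(SAMPLE):
        print(("* " if s in hits else "  ") + s)
```

The point the two scans make together: an ASCII-only pass shows the DOS stub and the import name but not the download URL, while the UTF-16LE pass recovers it, and that URL can then be matched against the sensor's download log to tie the binary to the infection it was captured from.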
Analysis of binaries II
Dynamic Analysis
Anubis
Open framework, but source code isn’t available
Runs on Qemu
Wepawet
Service is free; handles Flash/JavaScript files
Bitblaze
Developed by the University of California, Berkeley
What to emulate?
Qemu and VirtualBox can be used as a sandbox as well
Since the malware is loaded on a virtual machine, it is safer
than running it on the host machine
But as a precaution, unplug it from any networking
device
Apart from them, Wine can be used as a fishbowl as well
Unless it's a Wine-aware malware, you should be able to look
at the malware's behavior on the guest OS
Example
Nebula, for example, creates signatures from
honeytrap
argos
Summary of everything . . .
fin()
najmi{at}kict.iiu.edu.my