You might have noticed that I used md5 as filenames in the previous (old!) post. In most cases, it is fine.

However, what if the malware depends on a file called hgz.dll? You can calculate hgz.dll as md5, then find the filename out, now put that in the VM again – fine. But you see it is a troublesome process… that you can’t easily automate. There are other cases… of course.

Well, you get the point!

For this problem, we assume all the files are malicious as honeypots do not collect innocent software.

One way is to use virus scanners to scan and classify the files. After a scan, group together all the files that are detected as “Conficker.B” for example. As Conficker family is quite prevalent, such duplication identification can save a lot of time and effort. This way, just analyzing one or two of them is sufficient. However, the drawback is that all the undetected samples will be left as a big group which you must analyze one-by-one.

Extract of a clamscan result…

/tmp/4c71b97435a24ffb8fd7fedd1b1790e1: OK
/tmp/82dd3a3d386d4ea09870dcee4a75a531: OK
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin: OK
/tmp/24bd1722b994f7daa193458348108bfc.bin: OK
/tmp/39960c5ff1922466ded71a4a2799c295: Trojan.VanBot-366 FOUND
/tmp/33f5f14c33bf2f71556204705407a885: W32.Virut-54 FOUND
/tmp/880ce6df69aaeb1d3c57e756f53dd158.bin: Trojan.Delf-911 FOUND
/tmp/7e0ce66bb299370010016f4522152969: Trojan.VanBot-366 FOUND
/tmp/4f2d9f8129e7d7fd9b37f700aacdc9aa.bin: Trojan.Hupigon-25647 FOUND
/tmp/5b69ff6f331ece36558516f66306f969: Trojan.Small-4287 FOUND
/tmp/078aedb8630339487cf39d028b0156bd.bin: OK
/tmp/417bdef0688996a845701da9dcf1b145: Trojan.VanBot-366 FOUND
/tmp/eda3b7766c23dfffc0b85d0ba546b0c1: W32.Virut-54 FOUND
/tmp/86f22ff53382dbb54e2c22560a3db373: Trojan.VanBot-366 FOUND
/tmp/a4a41d2122c4d3552e3d59315f42d4e3: W32.Virut-54 FOUND

In the above, without signatures, how can you tell if 4c71b97435a24ffb8fd7fedd1b1790e1 and 82dd3a3d386d4ea09870dcee4a75a531 is not the same family? How can you tell which malware is unique? You have to analyze them. Now scale the problem to perhaps 600, for yourself only.

The other way is to use ssdeep, a fuzzy hashing tool. It is used to match inputs that are similar, perhaps only some bytes and length. It will produce a hash signature like md5 but unlike md5, a single change of byte will not create a wildly different signature. The concept of ssdeep is to chop the files into many sections, and calculate the hash for each section.

Below I take a sample of an exe file (“file1.exe”). I copied the file and concatenates a byte after it (“file2.exe”), and computes the md5 sum of the two files.

$ cp file1.exe file2.exe
$ echo 1 >> file2.exe

$ md5sum file1.exe file2.exe
72bdd3bd37a0b5d1dd5f1be80cb29639  file1.exe
a626b78fa6ba13fdd9cfddb9f55ee7c6  file2.exe

Just a difference in one byte, and the md5 hash is completely different. Let us do the ssdeep sum of the two files.

(broken into lines for clarity)

$ ssdeep -b file1.exe file2.exe
ssdeep,1.0–blocksize:hash:hash,filename
768:my+qxlsz7yiV0+7YUaFhLFAtVI0xbM
LvzEg1B1Ki8nJ78:R+qxlsHvGhLFyI0l8tC5J78,”file1.exe”
768:my+qxlsz7yiV0+7YUaFhLFAtVI0xbM
LvzEg1B1Ki8nJ7V:R+qxlsHvGhLFyI0l8tC5J7V,”file2.exe”

Separated by colon, the first (768) is the blocksize, then two ssdeep hashes (my+qxlsz7yiV0+7YUaFhLFAtVI0xbMLvzEg1B1Ki8nJ7V and R+qxlsHvGhLFyI0l8tC5J7V) , then the last is the file path name (“file2.exe”). The main point are the two hashes – the signatures of the file. Both file hashes of the two files are really alike except for the last byte ( “8″ vs “V” ).

If you have a large number of unidentified malware, antivirus scanners will not help to classify, but ssdeep can try. Below is extracted output of file matching with ssdeep. Each file name is the md5 of the file itself.

$ ssdeep -dr .

…
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/fa7c91b738e763eccf69676bd393925e.bin (88)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/ae142ce3b35cc04f5648a0c17c37ea30.bin (82)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/794b74fc4e833d245eb005e078dc21da.bin (82)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/46fb9678675df8dc83d38761a76c7950.bin (99)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/f412d41aacb4b16ded7b158b89fd3552.bin (90)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/4bfba885ed3dc4ba800446df49051af0.bin (82)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/13776c2b604290906305a56c4e7c61e5.bin (99)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/5a8424f4e1504b5823ca8742e2b1ce8d.bin (82)
…

In the above, all of them are undetected malware and gives wildly different md5 signature. Yet, ssdeep can relate them. For malware that does not match any other files, it can be assumed to be a unique malware in your collection, and you should pay more attention to it. Moreover, even packed executables (tested on UPX) still can be matched since packers are just compressors – the similar code will be compressed into a similar binary pattern.

There are a few culprits. First, remembering that ssdeep just does mini-hashes, if some bytes vary a little throughout the file ( by some obfuscation, etc, every 1 byte change at 100 byte intervals, i.e. no-ops) will cause the ssdeep to fail to identify matches. Then, for botnets credentials identification, similar files could contain very different login credentials and wrongly discarded due to highly similar binary structure. However, you can analyze the access control logic through such duplicated samples, then you can generalize the login credentials.

With ssdeep, you can now group duplicated undetected malware into groups for more efficient analysis.

===

ssdeep – http://ssdeep.sourceforge.net/

UPX – http://upx.sourceforge.net/

Games have always been a big business, just that it’s the same for the underground, too. A lot of money, even if you’re the good guys. On the other hand, you haven’t heard people pirating “Microsoft High Performance Computing Cluster” CDs, right? =) Oh, and hey, they sell OK, and in China. There’s really money there. Yada yada…

Another thing though, as if getting infected is not enough, malware (Zbot here) could put you into legally trouble. It is no news that victims are being used as stepping stone for futher crime, and you really need proof that you are not. Zbot goes further by rendering your computertotally unusable by wiping out the registry HKEY root keys. This is enough to force a user to immediately formatting, thus killing all chances for forensics. Behind bars anyone?

I need a large sample of different varieties of HTTP bots. I have not captured many life working samples of HTTP bots.

Could someone share me PCAPs/Binaries of HTTP Bot? ( Or also the MD5sum ? ). Please kindly send to log0 [ at ] onhacks [ dot ] org . Thanks!

It’s 2009 now. When I was writing “Who is Hacking Me? ~’Who Will Care’ is Wrong~“, I used local ClamAV to check how many can ClamAV detect, then sent the 53 binaries through Gmail to VirusTotal. Since Gmail is powered by Sophos, malware that went through Gmail should not be detected by VirusTotal.

I sent all the 53 binaries to Gmail, and scanned the binaries locally with ClamAV.

Then, I sent these 12 undetected binaries to VirusTotal.

All undetected by ClamAV, but Sophos detected 10 of them! It looks to me Gmail has switched AV vendor from Sophos to ClamAV!

What if people are deliberately messing with my honeypot with spoofed IP addresses? Will my results be unreliable?

True, IP can be spoofed. However, with respect to extranet, if communication is required, a connection is expecting packets forward and back and thus it is not feasible to spoof the IP ( remember IP packets need to know where to route back. ). Now, think even about TCP sequence randomization, etc. The case is different in intranet however, where you can cause the routers to route the whole address space (e.g. 192.168.0.0/16) to yourself.

A lot of the automated attacks onto your computers expect you to reconnect back to the host that hosts the payload.

A seasoned hacker would use a few compromised hosts as hops – much more realistic. For botnets, it is the same. Unless it is an organized targeted attack, the abundance of IP makes it less necessary to have IP spoofing. Why spoof?

===

Reference / 參考 / 参考 / さんこう / Referencia / Referenz / Справка :

IP Spoofing : An Introduction – http://www.securityfocus.com/infocus/1674

Over 1 Million Potential Victims of Botnet Cyber Crime – http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm

Nepenthes has been collecting data these few days, and I’d like to share some of the rough data now. Since it is just a single server, do not generalize it over the banks’, corporates’, significantly valued servers’ situation, but this is what YOUR computer can see. Remember, I never exposed the honeypot, so ALL connections are malicious.

** Most Attacks Region **
[       Russian Federation] has 57 attacks on you.
[                   Taiwan] has 36 attacks on you.
[                   Brazil] has 32 attacks on you.
[                  Germany] has 21 attacks on you.
[            United States] has 20 attacks on you.
[                    Italy] has 16 attacks on you.
[                  Romania] has 15 attacks on you.
[           United Kingdom] has 14 attacks on you.
[       Korea, Republic of] has 13 attacks on you.
[                    India] has 11 attacks on you.
[                   Poland] has 10 attacks on you.
[              Philippines] has 10 attacks on you.
[                    Japan] has 10 attacks on you.
[                   Canada] has 9 attacks on you.
[                 Bulgaria] has 9 attacks on you.
[                  Hungary] has 8 attacks on you.
[                 Malaysia] has 8 attacks on you.
[                   France] has 6 attacks on you.
[                Argentina] has 6 attacks on you.
[                    China] has 6 attacks on you.

This is 12 July 2009.

Apparently, Russian seems to be the largest supplier of zombies (much like Resident Evil!), being steadily the first ( I have a week of data ). Next, surprisingly (to me), comes Taiwan. The next one is easy, Brazil, as Microsoft SIR 5th report geolocation section has suggested. The next one is Germany, which is not like what I’ve seen on Microsoft SIR 5th. Afterall, this is just too weak to generalize, but you can check it out.

Remember, IP address has no national boundaries.

** Most Visited Ports **
[  445] : 385
[  135] : 39
[  139] : 7
[   25] : 1

Port 445 and Port 135 score highest. Very likely to be :

Port 445 – MS04-011 at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Port 135 -MS03-026, a.k.a W32 Blaster at http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

I am still in the middle of making sense of all the data, but the above is something you may glimpse from the mess.

(Yes, I think I should write an English version for the previous “Who is hacking me?” post.)

(7/16/2009 Updated title, and read here for the first story.)

===

Reference / 參考 / 参考 / さんこう / Referencia / Referenz / Справка :

Microsoft Security Intelligence Report volume 5
Zombie Computer – Wikipedia
殭屍電腦 – 維基百科

** Most Visited Ports **
[  445] : 385
[  135] : 39
[  139] : 7
[   25] : 1

Not sure how wildly reported outside of China, but here I should bring to your attention.

The protests, of course, are present. Chinese people are not stupid, but…

On 10 June, amidst massive criticism circling within the internet about the software and the MIIT’s directive, the Publicity Department of the Communist Party of China Central Committee, the agency responsible for censorship, issued an instruction attributed to “central leaders” requiring the Chinese media to stop publishing questioning or critical opinions. Reports in defense of the official stand appeared subsequently, with a commentary by the state-run Xinhua news agency saying “support largely stems from end users, opposing opinions primarily come from a minority of media outlets and businesses”.^[20][21] The instruction also required online forums to block and remove “offensive speech evolved from the topic” promptly.^[22] Zhang attacked the Wolchok et al report as irresponsible action and breach of his company’s copyright, and said that Jinhui had been ordered to patch the weaknesses.^[23]

So, there goes the end of newspaper. What is left? I heard a term called propaganda. =)

I will not discuss the political implications since it is so painfully obvious. If you do not, go do a search and study, then you will see how ridiculous is to believe in the benevolence.

On the other hand, this software is buggy. Despite the development company JinHui claims “all software has a bug”, it seems he means it is OK to have bugs that can root the whole China. I guess that is good news to the cybercriminals. I could hear them giggling ready to pwn n00bies!

Anyway, here is an interesting security analysis from The University of Michigan.

You see, the problems will just continue to arise. Workarounds will be distributed. Well. What’s next? Hardware rootkits? Let’s look forward to 1984.