onHacks

基於二進制的惡意軟件分類能節省時間和工作量。作為個人兼職性安全研究人員，這種提高效率的方法很有用。日積月累，收集回來的惡意軟件會越來越多。可能有 2000 多個。要全部分析它們頗為費時。若要節省時間和工作量，我們可以把類似甚至是一樣的惡意軟件濾掉。那麼可以怎樣做呢？

我們假設所有要分析的檔案皆為惡意，因為蜜罐等方法收集回來的皆定義為惡意的。

其中一種分類方法便是用掃毒軟件來分類。被檢測到屬同類的的病毒，我們可以抽其中一個或兩個分析就可以。例如只抽一個 “Conficker.B” 的樣本。因為 Conficker 家族是比較常見，這樣就可以節省很多重覆的工作。這做法的壞處是，沒能被檢測出來的病毒都被放屬同一組。

Clamscan 的一些節錄…

/tmp/4c71b97435a24ffb8fd7fedd1b1790e1: OK
/tmp/82dd3a3d386d4ea09870dcee4a75a531: OK
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin: OK
/tmp/24bd1722b994f7daa193458348108bfc.bin: OK
/tmp/39960c5ff1922466ded71a4a2799c295: Trojan.VanBot-366 FOUND
/tmp/33f5f14c33bf2f71556204705407a885: W32.Virut-54 FOUND
/tmp/880ce6df69aaeb1d3c57e756f53dd158.bin: Trojan.Delf-911 FOUND
/tmp/7e0ce66bb299370010016f4522152969: Trojan.VanBot-366 FOUND
/tmp/4f2d9f8129e7d7fd9b37f700aacdc9aa.bin: Trojan.Hupigon-25647 FOUND
/tmp/5b69ff6f331ece36558516f66306f969: Trojan.Small-4287 FOUND
/tmp/078aedb8630339487cf39d028b0156bd.bin: OK
/tmp/417bdef0688996a845701da9dcf1b145: Trojan.VanBot-366 FOUND
/tmp/eda3b7766c23dfffc0b85d0ba546b0c1: W32.Virut-54 FOUND
/tmp/86f22ff53382dbb54e2c22560a3db373: Trojan.VanBot-366 FOUND
/tmp/a4a41d2122c4d3552e3d59315f42d4e3: W32.Virut-54 FOUND

看看上面的輸出。若果沒有掃毒軟件的分類，何以判斷4c71b97435a24ffb8fd7fedd1b1790e1 和 82dd3a3d386d4ea09870dcee4a75a531 是不是同類？如果在眾多樣本中找出獨特罕有的病毒？若要你手動分析 600 多個，不多，但恐怕是很多工作量了。

另一種方法是用 ssdeep 了，是一個模糊 hashing 的工具。專門用來檢測文件相似性，可能相差某些字節和內容。它是會計算出一個 hash 簽名，但和 md5 不同，改一小個字節不會造成差異很大的 hash 簽名。 ssdeep 的概念是 把一個檔案分為多個小部分，並為每個部分計算 hash 簽名。

以下是一個 exe 檔安樣本 (“file1.exe”)，並拷背了一份再加多了一個字元，並為此兩檔案計算 md5 hash。

$ cp file1.exe file2.exe
$ echo 1 >> file2.exe

$ md5sum file1.exe file2.exe
72bdd3bd37a0b5d1dd5f1be80cb29639  file1.exe
a626b78fa6ba13fdd9cfddb9f55ee7c6  file2.exe

只是一字元的分別，這兩個 md5 hash 基本上是不一樣了。再看看這兩檔案的 ssdeep 簽名。

(為了清楚一點，分為數行)

$ ssdeep -b file1.exe file2.exe
ssdeep,1.0–blocksize:hash:hash,filename
768:my+qxlsz7yiV0+7YUaFhLFAtVI0xbM
LvzEg1B1Ki8nJ78:R+qxlsHvGhLFyI0l8tC5J78,”file1.exe”
768:my+qxlsz7yiV0+7YUaFhLFAtVI0xbM
LvzEg1B1Ki8nJ7V:R+qxlsHvGhLFyI0l8tC5J7V,”file2.exe”

以冒號分隔，第一個 (768) 是每塊單元的大小，其後兩個是檔案的 ssdeep hash 簽名 (my+qxlsz7yiV0+7YUaFhLFAtVI0xbMLvzEg1B1Ki8nJ7V 和 R+qxlsHvGhLFyI0l8tC5J7V)，最後便是 檔案的位置 (“file2.exe”)。這裡要看的是那兩個 ssdeep hash 簽名 － 由兩個很相似的檔案計算出來 ssdeep 簽名是非常像，除了最後一個字元 ( “8″ 對 “V” )。

若果你有大量的未能被檢測的惡意軟件，雖然掃毒軟件不能幫你，但 ssdeep 可以。以下是用 ssdeep 分析大量惡意軟件的相似性關係。檔名同時亦是該檔的 md5 hash 簽名。

$ ssdeep -dr .

…
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/fa7c91b738e763eccf69676bd393925e.bin (88)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/ae142ce3b35cc04f5648a0c17c37ea30.bin (82)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/794b74fc4e833d245eb005e078dc21da.bin (82)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/46fb9678675df8dc83d38761a76c7950.bin (99)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/f412d41aacb4b16ded7b158b89fd3552.bin (90)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/4bfba885ed3dc4ba800446df49051af0.bin (82)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/13776c2b604290906305a56c4e7c61e5.bin (99)
/tmp/72bdd3bd37a0b5d1dd5f1be80cb29639.bin matches /tmp/5a8424f4e1504b5823ca8742e2b1ce8d.bin (82)
…

從以上看得出來，每個檔案的 md5 很不同。但，ssdeep 是可以關聯起來的。若果沒有被關聯起來，可以先假定為少數特別的惡意軟件，並以後對它多加分析。此外，ssdeep 還能對 打包了 (packers) 的 exe 作分類，因為它們只是壓縮軟件，而類似的軟件當然壓出來也是相似的。

有幾個要注意的地方。第一，ssdeep 是把一個檔案拆散作分析的，若果檔案在每100字元被修改一個字元的話，ssdeep 是認不出來的（某些混淆算法就是會加些垃圾，簡單的如 no-ops。）。再者，若果用來分析惡意軟件的登錄資料，類似的檔案有可能是連去不同的僵屍網絡控制台，若以被錯誤地濾掉。當然，你亦可以去分析當中的同通點並分析登錄的算法。

以 ssdeep 作惡意軟件分類應可以減輕個人的工作量，算是一種方法。

===

ssdeep – http://ssdeep.sourceforge.net/

UPX – http://upx.sourceforge.net/

This is a report more than discovery in spam collection. I was working on setting up a spampot using spampot.py which was written by Neale Pikett back to 2003. Although the result is not as my expectation, it does gives me more information about setting up a spampot.

Goal

The goal of running a spampot (honeypot which only care about spam) is to collect spam and analysis the trend of them, hopefully we can find some interesting techniques that spammers/ hackers use in junk and phishing emails.

Approach
So far, there are at least two types of spampot hosting method that I know. The names of them are designed by me, if there are formal names for them, please let me know.

Open Relay Spampot: This kind of honeypot is running as an open mail relay server. In case you are not familiar with, open relay means users can send message through the server anonymously.

Close Relay Spampot: The spampot is running as a close mail relay server. To expose the server to spammers, you need to have your own domain binding to this server with email address(es) exposing to spammers/ hackers. For example, we can have onhacks.org binding to a spampot and spam@onhacks.org is one of the email address we want to expose to spammers. However, about the methods to increase the exposure of an email addresses is out of scope, we can discuss more on it later.

In my setup, I decided to run spampot as open mail relay server.

Setup
I have VirtualBox installed on top of Windows 7. I am using Ubuntu as the guest OS, this is because it seems the implementation was done in *nix system. Since port 25 is the default port for SMTP service, we need to forward packets from host (Win7) to guest (Ubuntu) so that the spampot in guest OS can react to incoming connection at host port 25.

(Assuming that you are using NAT for VirtualBox)
To enable port forwarding, you need to set the HostPort 25 forwarding to GuestPort 25. For more detail around port forwarding in VirtualBox, please refer to this article.

However, you will soon discover that it is not possible to perform port forwarding if the port is reserved (< 1024). This can easily be resolved by running VirtualBox with admin credential (ie. Run As Administrator).

The spampot.py requires Sendmail being installed in Linux. Since sendmail actually is a service listening to port 25, I will do the follow to switch to spampot.py:

sudo /etc/init.d/sendmail stop
sudo spampot.py 0.0.0.0

Surely you can set this automatically run when the system is started.

The last thing is to add a DNS record pointing to my machine. I have smtp.onhacks.org. pointing to it. Since it is still under experiment, the machine is running at home and IP is dynamic, I need to change it often.

Result
Currently, I got 0 message after running the spampot for few days. I have google around and looks like open relay spampot is not that popular anymore because many server admins aware that spammers were abusing open mail relay servers, they don’t allow open relay anymore. As a result, submitting spams to open relay servers is not efficient anymore.

I will continue running the spampot these days and see if we can get more spam through open relay honeypot. Afterward, I will work on close relay spampot.

Reference

1. Open mail relay – Wikipedia
2. spampot.py – written by Neale Pickett
3. Configure Port Forwarding to a VirtualBox Guest OS – Tombuntu
4. SpamPots Project – Cert.org
5. Brazilian Honeypots Alliance

Last night, I was waken by a call that a server was not working. This server is hosting an online judging system (similar to uva.onlinejudge.org, which has algorithmic problems that users can solve). I took a quick look at the compilation process and web pages, everything looked good except it always return “Compilation Error” no matter what was the content in source code (even a HelloWorld!). By manually compiled the source code, the compilation error message gave more detail information about the root cause…Not enough space to link the object files! When I did a “df”, it said that the data partition was used 100%!!

After a deeper investigation, I discovered that one of the user was preparing questions on the machine, and generated a 12GB test data unexpectedly. Since this is a very old machine, it only has a 14GB hard disk for data storage and it already had 2GB data on it. This is kind of DoS attack since no one can submit sources to the judging system even though they can navigate to it.

Lesson learned: We should have restriction on storage usage of each user instead of unlimited.

Any other suggestion to prevent this happen again?

Details at Jose Nazario of Arbor Networks : http://asert.arbornetworks.com/2009/11/malicious-google-appengine-used-as-a-cnc/ .

Log0 is quite busy lately.

Botherder 0.1 可以在這裡下載了，或在 Source 頁面。Zip 包裡有 README。

本來不打算開放的，但發現又有一定用處。以後裡頭還有很多可以加的功能如 監聽任何的協議、更易用、更易自動化、及可以寫腳本等。

這次的演講的 PPT 在這 :

我在寫好用法之後再公開代碼。若果你有我的卡片，歡迎電郵來找我 =)

Hac.ka 就是我在結尾時提到的朋友和另一位隊員，他是搞電郵和 DNS 的。

Microsoft Security Intelligence Report 7th is out! Interested individuals should check it out. =)

對，我突然決定做講者而非暖席者。

題目是 “A DIY Botnet Tracking System”. 我將會分享一下自己建的殭屍網絡監控系統。我將會分享一下自己對於殭屍網絡監控系統的心德，有機會會碰上的問題。

如果你打算出席 ISF 2009，一定要來聊聊及飲返杯！

分享幾篇關於殭屍網絡的新聞：

ClickForensics : Botnets Accounted for 42.6 Percent of All Click Fraud in Q3 2009.

Symantec : Botnets Generate 87.9% of Total Spam Messages

DarkReading : Botnet Unleashes Variety Of New Phishing Attacks <– 這個在冒充微軟的客戶服務.

OWASP简介：

OWASP是一个开源的、非盈利的全球性安全组织，致力于应用软件的安全研究。我们的使命是使应用软件更加安全，使企业和组织能够对应用安全风 险作出更清晰的决策。目前OWASP全球拥有130个分会近万名会员，共同推动了安全标准、安全测试工具、安全指导手册等应用安全技术的发展。 　　近几年，OWASP峰会以及各国OWASP年会均取得了巨大的成功，推动了数以百万的IT从业人员对应用安全的关注以及理解，并为各类企业的应用安全 提供了明确的指引。作为OWASP中国的第一届年会，OWASP安全专家将为大家带来精彩的演讲

CISRG简介：

CISRG是一个活跃的技术研究团队，团队成员都拥有自己特定的技术研究方向，目前的研究方向主要有：操作系统内核、逆向工程、漏洞挖掘、WEB漏洞挖掘及漏洞利用、渗透测试、信息搜集与社会工程。

议题征集范围（不限于以下范围）

• 应用程序威胁建模及其防御技术
• WEB2.0方向的安全技术
• WEB应用程序漏洞挖掘及分析
• 数据及数据库安全
• 浏览器安全（Firefox、IE、Safari、Chrome等）
• 操作系统研究（Vista、Windows7）
• 逆向工程
• 反恶意代码前瞻性技术
• 漏洞挖掘技术
• 智能移动设备安全研究
• 硬件设备安全性研究
• 取证分析
• 入侵检测
• 点对点网络
• 渗透测试

参会者票价

10月31日前报名：￥300
10月31日后报名：￥500

付款方式

户名：杭州安恒信息技术有限公司
账号：77818100000385
开户行：杭州银行科技支行
交款事项：写明姓名，注明年会

会议时间安排

2009年11月12日
2009年11月13日
全天两日

会议地点

中国 上海
详细地址：待定

联系我们

联系人：刘彦俊（小姐）
联系电话：+86 137 1380 7300
电子邮箱：rip@owasp.org

===

I should be there. Are you coming? =)