Post on 11-Apr-2017

591 views

Category:

Technology


0 download

TRANSCRIPT

Page 1: Getting your hands dirty: How to Analyze the Behavior of Malware Traffic / SEBASTIAN GARCIA [ATG GROUP OF CTU]

Security Sessions 2016 Workshop

Getting your hands dirty: How to Analyze the Behavior of Malware Traffic

1. Introduction
About the teacher and attendants.
Intro to what this workshop is about. It is not about tools. It is about learning to analyze malware traffic and to separate it from normal traffic.
Start of notebooks with Kali, connection to the Internet.
What is an attack? What is the difference from normal? What is malware? What is a botnet?

2. How network protocols work. A baseline reminder
Current knowledge about networking? Network protocols, TCP/IP layers: how do they work? Horizontal and vertical communication.
Basic protocols. What are they for? Which ports do they use?
Ethernet, ARP, ICMP, IP, TCP, UDP, HTTP, DNS, SSH, SSL/TLS

3. Analysing network traffic, learning what to see. Wireshark
Start Wireshark and capture some of your traffic. Identify the hosts, ports and protocols used. See the different layers of protocols and encapsulations. Identify an HTTP connection, see its content. Follow a TCP stream. See an HTTPS connection.


Advanced Wireshark: filters, IO graph, expert info.

Tcpdump
Use tcpdump to see information from your network:
tcpdump -n -s0 -i eth0
Use filters for tcpdump: host, port, ands and ors.
Use -A to see the ASCII text inside packets.
Use -tttt to see a more useful timestamp.
Read packets from a file: -r output.pcap
Search with less (/).
Web connections: search for GET|POST|Host:

A little bit about reputation of IPs
This is actually more complex, but we can start with VirusTotal: https://www.virustotal.com/
Search for IPs, domains or URLs. See if you can infer something about the reputation of:
1. 89.108.101.61
2. 95.163.121.33
3. 93.184.220.29
4. 13.107.4.50

For domains, better www.passive-total.com

Analysis of capture3.pcap.bz2
Download from: https://mega.nz/#!MkpgjTIR!_IIOQ4ra2CGh9JkZYfhkhwCCDJWy3IPIenkrlV5AWqA
Uncompress it: bzip2 -d file3.pcap.bz2
What can you say about it? Malware or normal?
Some graphs with the CapTipper tool:
https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-66-1/2014-04-07_capture-win13.short.html

Analysis of capture2.pcap.bz2
Goal: To analyze this file and conclude if the host was infected or not.
Download from: https://mega.nz/#!p4xViQ7J!wenCMFUOPGLlfk5rKNcqCNan1rojY5myHjoc0cR3KV8
What can you say about it? Malware or normal?

Analysis of file1.small.pcap
Goal: To analyze this file and conclude if the host was infected or not.


Download from: https://mega.nz/#!J4oyyYTB!_L5I5IAti-d3YQ0ZT0MBnbKanB2qw3ZMh_t1qGYiL5Q
What can you say about it? Is it malware or normal?

My conclusions:
1. The MAC address of the machine is VirtualBox.
2. Initial web connection without DNS.
3. Web connection with Referer, but no previous web connection done. Fake Referer.
4. POST of a video? Without cookies? mp4 should have an ID3 header that is not there, so probably the content is not mp4.
5. The content of the POST looks strange. Like a substitution cipher.
6. The reputation of 95.163.121.33 (and other IPs) is very bad and tied to Dridex malware.
7. Further POSTs are suspicious (long and without readable data) with Host headers having fake host names (looks like DGA) and fake referrers again. Is it transmitting data on the Host header? (like ZeroAccess?)
8. Only with Wireshark: The time difference between HTTP connections is too short. Not a manual interaction.
9. Only with Wireshark: The graph shows a very suspicious periodicity on the TCP web connections.
10. The Host header name “5t9AR us” has a space! This is forbidden in the standard.
11. You can also see that the same IP is used by several dozen hosts and requested by one source IP very quickly. Suspicious.
12. Seems malware.
13. Actually it is Dridex.
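Several of the conclusions above (a web connection with no prior DNS answer for that IP, a Referer pointing at a host never visited, whitespace in the Host header, and near-constant gaps between requests to one server) can be checked mechanically once requests and DNS answers have been pulled out of the capture. The following is an added example, not part of the workshop material: it runs those checks over a constructed, simplified event list of the kind one could export with tshark; the record layout and the 10% periodicity tolerance are assumptions.

```python
import statistics
from typing import Dict, List

# Constructed sample: simplified events extracted from a capture
# (e.g. with tshark -Tfields). Times are seconds; all values are made up.
EVENTS = [
    {"t": 0.0,  "kind": "dns",  "name": "www.example.org", "ip": "203.0.113.5"},
    {"t": 0.4,  "kind": "http", "ip": "203.0.113.5", "method": "GET",
     "host": "www.example.org", "referer": ""},
    {"t": 10.1, "kind": "http", "ip": "198.51.100.7", "method": "POST",
     "host": "5t9AR us", "referer": "http://never-seen.example/"},
    {"t": 20.1, "kind": "http", "ip": "198.51.100.7", "method": "POST",
     "host": "kzqwvd.example", "referer": "http://also-new.example/"},
    {"t": 30.1, "kind": "http", "ip": "198.51.100.7", "method": "POST",
     "host": "pqlmzx.example", "referer": "http://also-new.example/"},
]

def is_periodic(times: List[float], tolerance: float = 0.1) -> bool:
    """True when every gap between consecutive times is within tolerance of the mean gap."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and max(abs(g - mean) for g in gaps) <= tolerance * mean

def analyze(events: List[dict]) -> Dict[str, list]:
    """Return, per indicator, the request times (or destination IPs) that fired it."""
    findings: Dict[str, list] = {"no_dns": [], "bad_host": [], "fake_referer": []}
    resolved = set()                      # IPs returned by an earlier DNS answer
    visited = set()                       # hosts a request was already sent to
    by_dst: Dict[str, List[float]] = {}   # request times per destination IP
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["kind"] == "dns":
            resolved.add(ev["ip"])
            continue
        if ev["ip"] not in resolved:                  # connection without DNS
            findings["no_dns"].append(ev["t"])
        if any(c.isspace() for c in ev["host"]):      # whitespace is forbidden in Host
            findings["bad_host"].append(ev["t"])
        ref = ev["referer"]
        if ref:
            ref_host = ref.split("/")[2] if "//" in ref else ref
            if ref_host not in visited:               # Referer to a page never loaded
                findings["fake_referer"].append(ev["t"])
        visited.add(ev["host"])
        by_dst.setdefault(ev["ip"], []).append(ev["t"])
    # Beaconing: three or more requests to one IP at a near-constant interval
    findings["periodic"] = [ip for ip, ts in by_dst.items()
                            if len(ts) >= 3 and is_periodic(ts)]
    return findings
```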

Other useful tools we are not covering too much
tshark: command line Wireshark
tshark -r file.pcap -n -Tfields -e ip.src (example for getting only the src IP of the packets)

4. Attacking each other and discovering the traffic
Goal: To attack others and get access, to recognize who is attacking you and to report it by email.
Start capturing traffic in your host using tcpdump. Goal: To know what happens in the network with the SSH protocol (port 22):
tcpdump -n -s0 -i eth0 -v -w /root/malware-nights-class-1-ssh-attack.pcap
Download this list of passwords:


wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/best15.txt
Change your root password. As root:
passwd (and put a good password)
Create another user (unprivileged). The name of the user is test:
useradd test
Start the SSH service:
/etc/init.d/ssh restart
Change the password of the test user. First get one password randomly from the file:
N=`shuf -i 1-15 -n 1`; head -n $N best15.txt | tail -n 1
Then change it with the command (put the password twice): passwd test
Put here the password printed by the previous command.
Find other hosts in the network with the SSH port open:
nmap -sS -p 22 -n -v <your-ip-address>/24 -oN ssh-servers.txt
Bruteforce the SSH password of the active hosts (Medusa tool):
hydra -s 22 -l test -P best15.txt <IP-to-crack> ssh

Analysis of the traffic
Analyze your capture file: did somebody find the password of your computer or not? And how do you know?
Bonus question: Did they access your computer and type commands on it? How do you know?
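Telling from your own capture whether someone found the password, and then typed commands, comes down to the shape of the TCP/22 flows: a burst of short sessions from one source (one per password tried), followed by a long session with many small client-to-server packets. This added example, not part of the workshop material, applies that test to a constructed set of per-flow summaries such as one could derive from the pcap with tshark; the flow fields and the thresholds (5 attempts in 60 s, 30 s and 40 packets for an interactive session) are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

class Flow(NamedTuple):
    src: str
    start: float       # seconds since capture start
    duration: float    # seconds
    c2s_pkts: int      # client-to-server packets after the handshake
    s2c_bytes: int     # server-to-client bytes

# Constructed sample of TCP/22 flows toward our host (values made up):
# one source opens twelve short sessions, then one long interactive one.
FLOWS = [Flow("192.0.2.10", 1.0 + i * 0.5, 0.3, 6, 900) for i in range(12)] + [
    Flow("192.0.2.10", 8.0, 95.0, 140, 12000),
    Flow("198.51.100.4", 30.0, 2.0, 8, 1500),     # single, normal-looking login
]

def classify(flows: List[Flow], min_attempts: int = 5, window: float = 60.0,
             interactive_pkts: int = 40) -> Dict[str, dict]:
    """Per source: short-session count in the densest window, whether that
    counts as brute force, and whether a later flow looks like a typed session."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    report = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start)
        # Failed password guesses are short flows; count the most within one window
        short = [f.start for f in fl if f.duration < 2.0]
        attempts = max((sum(1 for s in short if t <= s <= t + window)
                        for t in short), default=0)
        bruteforce = attempts >= min_attempts
        # A long flow with many client->server packets after the burst is the
        # shape of a found password followed by interactive typing.
        success = [f for f in fl if bruteforce and f.duration >= 30.0
                   and f.c2s_pkts >= interactive_pkts]
        report[src] = {"attempts": attempts, "bruteforce": bruteforce,
                       "interactive_session": bool(success)}
    return report
```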