getting your hands dirty: how to analyze the behavior of malware traffic / sebastian garcia [atg...
TRANSCRIPT
Security Sessions 2016 Workshop
Getting your hands dirty: How to Analyze the Behavior of Malware Traffic
1. Introduction About the teacher and attendants Intro to what is this workshop about.
It is not about tools It Is about learning to analyze malware traffic and to separate it from normal
traffic. Start of notebooks with Kali, connection to Internet. What is an attack? What is the difference with normal? What is Malware? What is a botnet?
2. How network protocols work. A baseline reminder Current knowledge about networking? Network protocols, TCP/IP layers, how do they work? Horizontal and vertical communication Basic protocols. What are they for? Which ports do they use?
Ethernet, ARP, ICMP, IP, TCP, UDP, HTTP, DNS, SSH, SSL/TLS
3. Analysing network traffic, learning what to see. Wireshark
Start wireshark and capture some of your traffic. Identify the hosts, ports and protocols used. See the different layers of protocols and encapsulations. Identify an HTTP connection, see its content.
Follow a TCP stream See a HTTPs connection.
Advanced wireshark: filters IO graphic expert info
Tcpdump Use tcpdump to see information from your network
tcpdump n s0 i eth0 Use filters for tcpdump
host, port, ands and ors Use A to see the ASCII text inside packets. Use tttt to see a more useful timestamp. Read packets
r output.pcap Search with less (/)
Web connections: 1. GET|POST|Host:
A little bit about reputation of IPs This is actually more complex, but we can start with VirusTotal
https://www.virustotal.com/ Search for IPs, domains or URLs See if you can infer something about the reputation of:
1. 89.108.101.61 2. 95.163.121.33 3. 93.184.220.29 4. 13.107.4.50
For domains, better www.passivetotal.com Analysis of capture3.pcap.bz2
Download from : https://mega.nz/#!MkpgjTIR!_IIOQ4ra2CGh9JkZYfhkhwCCDJWy3IPIenkrlV5AWqA
Uncompress it bzip2 d file3.pcap.bz2
What can you say about it?? Malware or normal? Some graphs with CapTipper tool
https://mcfp.felk.cvut.cz/publicDatasets/CTUMalwareCaptureBotnet661/20140407_capturewin13.short.html
Analysis of capture2.pcap.bz2 Goal: To analyze this file and conclude if the host was infected or not. Download form:
https://mega.nz/#!p4xViQ7J!wenCMFUOPGLlfk5rKNcqCNan1rojY5myHjoc0cR3KV8
What can you say about it?? malware or normal? Analysis of file1.small.pcap
Goal: To analyze this file and conclude if the host was infected or not.
Download from https://mega.nz/#!J4oyyYTB!_L5I5IAtid3YQ0ZT0MBnbKanB2qw3ZMh_t1qGYiL5Q
What can you say about it?? is it malware or normal? My conclusions:
1. The mac address of the machine is VirtualBox 2. Initial web connection without DNS. 3. Web connection with referer, but no previous web connection
done. Fake referer. 4. POST of a video? Without cookies? mp4 should have an ID3
header that is not there, so probably the content is not mp4. 5. The content of the POST looks strange. Like a substitution
cipher. 6. The reputation of 95.163.121.33 (and other IPs) is very bad
and tied to Dridex malware 7. Further POSTs are suspicious (long and without readable
data) with Host headers having a fake host names (looks like DGA) and fake referrers again. Is it transmitting data on the Host header? (like ZeroAccess?)
8. Only with Wireshark: The time difference between HTTP connections is too short. Not a manual interaction.
9. Only with Wireshark: The graph shows a very suspicious periodicity on the TCP web connections.
10. The Host header name: “5t9AR us” has a space! this is forbidden in the standard.
11. You can also see that the same IP is used by several dozen hosts and requested by one source IP very quickly. Suspicious.
12. Seems malware 13. Actually is Dridex
Other useful tools we are not covering too much tshark: command line wireshark
tshark r file.pcap n Tfields e ip.src (example for getting the src ip in the packets only)
4. Attacking each other and discovering the traffic Goal: To attack others and get access, to recognize who is attacking you and to report it by email.
Start capturing traffic in your host using tcpdump Goal: To know what happens in the network with the SSH protocol (port 22) tcpdump n s0 i eth0 v w /root/malwarenightsclass1sshattack.pcap
Download this list of passwords
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/best15.txt
Change your root password As root
passwd (and put a good password) Create another user (unprivileged). The name of the user is test
useradd test Start the SSH service
/etc/init.d/ssh restart Change the password of the test user
First get one password randomly from the file. N=`shuf i 115 n 1`; head n $N best15.txt |tail n 1
Then change it with the command (put it twice): passwd test
Put here the password printed by the previous command. Find other hosts in the network with the SSH port open
nmap sS p 22 n v <youripaddress>/24 oN sshservers.txt Bruteforce the SSH password of the active hosts
Medusa tool hydra s 22 l test P best15.txt <IPtocrack> ssh
Analysis of the traffic Analyze your capture file If somebody found the password of your computer or not. And how do you
know. Bonus question: Did they access your computer and type commands on it?
How do you know?