So Long, and Thanks for All the Fish

This is going to be my last post for a while, because the primary purpose of my blog has been achieved.

I started this blog as a way to showcase malware analysis work that I’ve done, like a portfolio. I recently accepted an offer at a fantastic organization to do exactly this kind of work. I couldn’t have asked for a better role. I plan to focus solely on my work there, which is why I’m going to basically shut down this blog for now.

If I have the time, I may post about malware when I have a chance, or about other topics of interest, but for now I’m going quiet.

Don’t forget your towel.

NYMJCSC Notes and Other Things

I attended the third annual New York Metro Joint Cyber Security Conference on Wednesday, October 5th and I got to see Lenny Zeltser’s presentation in the morning. I had been up until about 2 AM that morning working on a project to submit to someone, so I got a bit of a late start but managed to make it into the room just as he was beginning his talk.

Lenny’s talk was his usual great content, this time focusing on sort of a “Malware 101” for the attendees. Lenny has a framework for malware analysis which starts at the simplest (automated analysis) and escalates in difficulty up to manual code reversing at the top. He covered his first three areas which encompassed automated analysis (sandboxes), static and dynamic analysis.

Some of the tools he mentioned were new to me, and I plan on checking them out. The most interesting ones to me were:

PE Studio
Nice tool for looking at PE headers. You can see the full feature list on their site. Notice that there’s a standard and a professional license, and the feature list reflects what you can and can’t do with each. The interface looks really nice, and there are some features in the standard (free) edition that could be really helpful, like entropy detection and anti-debugging import detection. There are a few things missing in the standard edition, though, like listing exports and resources, that I’d miss if I switched to PE Studio completely, so I think I’m going to add this to my toolbox and switch back and forth between this and PEview. If budget were no option, I’d definitely start using the professional version of PE Studio going forward, though.

CaptureBAT
CaptureBAT is a tool that, as Lenny put it, makes a good complement for something like Process Monitor. This software records state changes and is good for capturing information on file creation, deletion, and other things that you’d be interested in knowing about during dynamic analysis. The only issue with CaptureBAT is that it’s only for 32-bit Windows systems. Lenny said that NoVirusThanks has some tools that can approximate the same functionality for 64-bit machines, though.

ProcDOT
This is a really cool tool for visualizing the output of Process Monitor logs. I wish I had this when I was working on this copy of Adwind and I was manually doing the visualizations. Basically, you let Process Monitor collect data and then you export the data as a .csv and then import this into ProcDOT. ProcDOT will then graph this data and visually show you process and thread creation, function calls, etc. You can see some examples of this output on the ProcDOT blog. I’m definitely going to start using this. I remember having a sample that created 16 child processes and I went through all of that manually, which was no fun…

REMnux
This is a Linux distribution maintained by Lenny Zeltser that comes preloaded with tools for malware analysis. You can browse the full tool list yourself, but this comes with a ridiculous amount of tools both for doing malware analysis directly and for activity in support of malware analysis (such as simulating an Internet connection). I almost think of this as like a Kali for malware.

As far as the other things, I’m going to write up a couple of little topics that came up during some of my analyses that might be of interest to people doing malware analysis.

An easy way to capture dropped files before they are deleted

In one of my Adwind analyses, I noted that there were two .vbs files dropped that were deleted by the malware after execution. I didn’t have any tool that I could use to intercept these files, but I could see where they were being dropped by reviewing Process Monitor results. What I did was I created a .bat file in that directory that contained the following lines:

rem Copy every .vbs file in this directory to name.vbs.bac, repeating until stopped with Ctrl+C
:loop
copy *.vbs *.vbs.bac
goto loop

Nothing groundbreaking here, but it worked. I put this file into the directory where the malware dropped the .vbs files, and then started the .bat file before I started the malware. When the malware executed, this batch file was able to catch both of the dropped files and made a copy for me to review later. Obviously you could change this to work with different types of files or whatever else you wanted, but this was just a really quick and easy workaround to this issue.
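The same capture idea in a form that keeps its copies outside the drop directory and survives the race with the malware's own delete, as an added example that is not part of the original post. The function names and the lab paths are hypothetical; it polls just like the batch loop, but names each copy by its SHA-256 so repeated passes do not re-copy identical content.

```python
import hashlib
import time
from pathlib import Path


def snapshot_new_files(watch_dir, evidence_dir, pattern="*.vbs", seen=None):
    """Preserve files matching pattern; return the evidence copies made this pass."""
    seen = set() if seen is None else seen
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    saved = []
    for src in Path(watch_dir).glob(pattern):
        try:
            data = src.read_bytes()
        except OSError:
            # Deleted or locked between listing and reading: retry on the next pass.
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            continue  # identical content already preserved
        # A file caught mid-write hashes differently later, so both versions are kept.
        dest = evidence_dir / f"{digest}_{src.name}.bac"
        dest.write_bytes(data)
        seen.add(digest)
        saved.append(dest)
    return saved


def watch(watch_dir, evidence_dir, pattern="*.vbs", interval=0.01, duration=60.0):
    """Poll until duration seconds elapse; start this before detonating the sample."""
    seen, saved = set(), []
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        saved += snapshot_new_files(watch_dir, evidence_dir, pattern, seen)
        time.sleep(interval)
    return saved


if __name__ == "__main__":
    # Hypothetical lab paths; point these at the drop directory seen in Process Monitor.
    for path in watch(r"C:\Temp\drop", r"C:\evidence"):
        print("captured", path)
```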

Not very obvious file deletion in Process Monitor

DeleteFile is a fairly common imported function in malware I’ve analyzed, so you’d think that you’d see calls to it in Process Monitor. Another thing I’ve observed is some malware will delete files from a command prompt, and this is fairly easy to pick up in Process Monitor as well. This copy of Adwind, however, deleted files in such a way that it wasn’t immediately obvious to me. What it did was make a call to SetDispositionInformationFile to set Delete:True. If you have files that “disappear” during your analysis, take a look in Process Monitor and set a filter on Operation for SetDispositionInformationFile — you should see the disappearing files show up here. Basically, when this is set to True, then the file is deleted when it is closed, as explained by this MSDN article. This blog post from Malcolm McCaffery goes into more detail here and explains why you shouldn’t expect to see a call to DeleteFile in your Process Monitor results.
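The Process Monitor filter described above can also be applied offline to a CSV export, shown here as an added example that is not from the original post. It assumes Process Monitor's default export columns and that the Detail column reads "Delete: True" as described; the sample rows and function names are constructed for illustration. It goes one step further than the filter by flagging files that the same process wrote and then marked for deletion.

```python
import csv
import io

# Constructed sample rows in Process Monitor's default CSV column layout (not real capture data).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","sample.exe","2140","WriteFile","C:\Temp\dropped_a.vbs","SUCCESS","Offset: 0, Length: 281"
"10:01:02.900","cscript.exe","3012","ReadFile","C:\Temp\dropped_a.vbs","SUCCESS","Offset: 0, Length: 281"
"10:01:03.400","sample.exe","2140","SetDispositionInformationFile","C:\Temp\dropped_a.vbs","SUCCESS","Delete: True"
"10:01:03.500","sample.exe","2140","SetDispositionInformationFile","C:\Temp\keep.log","SUCCESS","Delete: False"
"10:01:03.600","explorer.exe","1500","SetDispositionInformationFile","C:\Temp\old.tmp","SUCCESS","Delete: True"
'''


def load_rows(stream):
    """Parse a CSV export; open real files with encoding='utf-8-sig' to tolerate a BOM."""
    return list(csv.DictReader(stream))


def is_disposition_delete(row):
    """True when a process successfully marked a file for delete-on-close."""
    return (row["Operation"] == "SetDispositionInformationFile"
            and row["Result"] == "SUCCESS"
            and "Delete: True" in row["Detail"])


def disposition_deletes(rows):
    """All delete-on-close requests, i.e. the files that 'disappear'."""
    return [r for r in rows if is_disposition_delete(r)]


def dropped_then_deleted(rows):
    """Files a process wrote and later marked for deletion: the ones worth capturing."""
    written = set()  # (pid, lowercased path) pairs seen in earlier WriteFile events
    hits = []
    for r in rows:
        key = (r["PID"], r["Path"].lower())
        if r["Operation"] == "WriteFile" and r["Result"] == "SUCCESS":
            written.add(key)
        elif is_disposition_delete(r) and key in written:
            hits.append((r["Time of Day"], r["Process Name"], r["Path"]))
    return hits


if __name__ == "__main__":
    for hit in dropped_then_deleted(load_rows(io.StringIO(SAMPLE_CSV))):
        print(*hit)
```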

That’s all for now.

September 2016 Honeypot Results

Honeypot update – I still have four Dionaea honeypots running in NYC, Frankfurt, Bangalore and Singapore (the GRAB series) and a single Conpot running in NYC (JUMPSEAT).

I didn’t have a similar issue in September as I did in August (when the sheer volume of traffic caused the honeypots to run out of inodes in the first 3-10 days of the month) though Frankfurt ran out towards the very end of the night on the 30th of September, so that cut it close a bit.

GRAB-NYC03:
Connections: 752,296
Unique IPs: 19,507
Files Downloaded: 5

Interesting to see Kazakhstan make the list this time, with Romania making up a sizable portion of the totals this time around.

UPnP, again, strongly the most popular, and therefore no surprise when we look at the ports:

The top IP address, 40.84.185.138, leads back to Microsoft, actually, as do the next three addresses. 191.237.45.46 apparently leads back to Microsoft also, but this particular entry gets associated with someone apparently with Microsoft in Brazil (Benjamin Orndorff, who apparently is located in Seattle). Maybe this is just a provocation… The next two after that lead back to hosting providers in Europe, while the one after that, 65.19.129.154, seems to lead back to an electric company in California, with a NOC in Sterling, VA. The last two are Microsoft and a hosting provider in Canada.

Here’s a map showing the attacker locations:

Next is the Frankfurt honeypot:

GRAB-FRA01:
Connections: 1,127,930
Unique IPs: 20,659
Files Downloaded: 15

Pretty spectacular number of connections – this is a new personal record for any of my honeypots.

Vietnam making the top 3 this time!

Similar results in terms of the shape of the graph for services, but wow – over a million UPnP connections.

The top IP address leads back to some person in Vietnam. The second highest leads back to that electric company. Turns out it’s actually a hosting provider (Hurricane Electric), so not mysterious anymore. The remainder are hosting providers in France, Hong Kong, and also some of the same parties from Microsoft that we saw earlier with GRAB-NYC.

Now for the maps:

GRAB-SIN01:
Connections: 500,737
Unique IPs: 21,688
Files Downloaded: 10,518

Again, not a mistake – this honeypot set a new record for number of samples collected. Like last month – almost ALL of these downloads were Conficker variants. I did find one other piece of malware in there (Parite-C). I find it really interesting that there is so much Conficker in this region, and how it doesn’t seem to spread to my other honeypots.

India makes the list, which is a first, as well as Venezuela and Ireland.

Services and ports are pretty much in line with other regions.

Microsoft coming in at number 1! And 2, and 3, and 4, 5… and 7… and 10. What the hell? The rest were just some hosting providers in various places (one in India).

Now, maps:

Bangalore:

GRAB-BAN01:
Connections: 457,464
Unique IPs: 21,221
Files Downloaded: 2

As usual, dismal number of files collected from Bangalore. Also, like last month, this honeypot has the highest number of unique IPs of all the GRAB honeypots.

Services/ports in line with other regions:

Microsoft dominates these results also, 7/10. The rest are hosting providers (including one from AWS).

Some maps:

Much more activity on JUMPSEAT in September, here are the total connections by protocol:

Last month saw Modbus as the most popular protocol, followed by all variants of HTTP, so much different this month. Perhaps the parties involved noticed that my honeypot doesn’t quite seem right and stopped bothering.

Lots of activity, but nothing as clearly anomalous as when we had shodan.io scanning the honeypot in August. 80.82.70.24 leads back to a hosting provider in Seychelles. 184.105.139.67 is Shadow Server, again. 52.42.34.123 leads back to Amazon while the next two lead back to Poland. One of them is actually a security company I’m familiar with! Hello there! The last one leads back to UC Berkeley.

That’s it for September, on to other things.