Thursday, September 1, 2011

Network analysis of malware infected PC

So I took a short break from work early this morning to run a small errand. I decided to check my email on my desktop computer before I headed back out. Man was I in for a surprise. I moved the mouse cursor to wake the monitor and I was greeted by a nice little program that looked like this:



"Security Protection" my ass. My desktop was infected with malware and I'm a network and systems engineer wanting to move into the realm of information security and information assurance. I feel like a dentist getting a cavity or a police officer getting pulled over for speeding.

I was caught with my pants down...at my ankles...while bending over. See http://nooooooooooooooo.com/ for my initial reaction upon seeing the above image. I don't think I've been infected by malware in close to 4-5 years.

My "check my email before I head out" quickly became "figure out what the hell happened, block your desktop from connecting back out to the Internet, and fix it when you get home."

I remembered that no more than a month ago I had installed Snort 2.9.0.5 inline (between my cable modem and embedded x86 ALIX router running Linux) on an old Pentium III desktop to vet my CentOS 6.0 32-bit hardened build for work. Cool, I thought, maybe I can analyze the packet captures, log files, and alerts and see what else I can find.

Alas, my poor desktop PC became a case study for incident response and network analysis of a malware infected PC.

It was almost 9:30 AM by this time, and I had to head back to work so I came up with a game plan:

1. Check Snort logs to see if anything was alerted.
2. Block all traffic from the entire local subnet reaching out to the Internet, log it, and see what shows up in the logs.
3. Try to run a quick diagnostics and scans on infected desktop before I head back to work.
4. Analyze everything further and decide how I will re-mediate my desktop.

Game Plan Item #1: check Snort logs

I had been running Snort in the background with snort -c /etc/snort/snort.conf -A fast -b -K pcap -i br0 on and off for the past two weeks to get an idea of what kind of alerts I would see over time.

A quick look at /var/log/snort/alerts, the default log file for Snort alerts, and I saw a couple suspicious entries:

09/01-02:33:13.716611  [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54027 -> 76.74.152.98:8080
09/01-02:33:13.716718 [**] [1:2011582:8] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:54028 -> 76.74.152.98:8080

The good news was Snort did detect something malicious going on; I didn't have time to check it out further until later.

Game Plan Item #2: block local egress traffic

I had to cage this beast quickly before it downloaded even more malware and did more damage. I went with a quick rule in Shorewall on my Linux router to block (and log) the entire local subnet from reaching the Internet until I got home.

/etc/shorewall/rules:

# BLOCK!
DROP:info loc net

Shorewall is a front-end for iptables; the equivalent raw iptables rule would have been iptables -I FORWARD 1 -s 192.168.11.0/24 -j DROP (iptables numbers rules from 1, so an insert index of 0 is rejected), preceded by a matching -j LOG rule to get the logging that :info provides.

I restarted Shorewall, went to grab a drink, and actually started to do my errands. You know, what I originally had intended to do when I made a quick stop home.

These were a couple entries in /var/log/messages:

Sep  1 08:57:42 voyage localadmin: Shorewall restarted
Sep 2 09:04:14 voyage kernel: [2084722.015845] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.94.220 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=429 DF PROTO=TCP SPT=49192 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Sep 2 09:04:17 voyage kernel: [2084725.097856] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.94.220 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=430 DF PROTO=TCP SPT=49192 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Sep 2 09:04:23 voyage kernel: [2084731.247840] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.94.220 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=431 DF PROTO=TCP SPT=49192 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2

Sep 2 09:06:13 voyage kernel: [2084841.657851] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.53.156 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=440 DF PROTO=TCP SPT=49193 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Sep 2 09:06:16 voyage kernel: [2084844.741827] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.53.156 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=441 DF PROTO=TCP SPT=49193 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Sep 2 09:06:22 voyage kernel: [2084850.890854] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.53.156 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=442 DF PROTO=TCP SPT=49193 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2

As you can see I restarted Shorewall at 8:57 AM, and at 9:04 AM my infected desktop (192.168.11.10) was trying to tunnel out via SSL (TCP 443) to destination address 65.55.94.220! It obviously failed 3 times to reach that address, so it tried again but with a different IP, 65.55.53.156. I had an idea of what was to come, so I went on to my next plan of action.

Game Plan Item #3: attempt diagnostics

Since I had cut it off from the Internet, I tried to characterize the behavior of the malware and the effect it had on my desktop. I didn't click anything on the Security Protection Center window; I wanted to kill the process directly.

Open up task manager to try to kill process directly? The window automatically closed.
Open up command prompt from Start > Run? The window automatically closed.
Open up anti-virus software? The window automatically closed.
Open up anti-spyware software? The window automatically closed.

Well that was characterized quite quickly.

I headed back to work and had an excited yet anxious feeling during my shift. On one hand my desktop had malware on it, on the other hand I had Snort packet captures and log files of real malware I could analyze; something I've always wanted to do.

Game Plan Item #4: additional analysis

When I got home, the first thing I did was check out what new log entries had appeared since I started blocking traffic from loc -> net. Since I normally don't log traffic from loc -> net, a simple grep command on my Linux router would filter my exact results: grep Shorewall:loc2net /var/log/messages. Let's just say there were A LOT of log entries.

I did a word count on my grep command to tell me exactly how many log entries there were:

# grep loc2net messages | wc -l
3869

So between approximately 9:00 AM this morning and 6:00 PM, there were close to 4000 denied attempts from my desktop to reach other malicious hosts on the Internet. That's some persistent malware, to say the least.

I ran the following command to get an idea of how many of those destination IPs were unique:

# grep loc2net messages | awk '{print $10}' | sort -rn | uniq -c

3 DST=91.209.196.169
4 DST=83.145.197.2
14 DST=74.54.61.194
95 DST=74.125.53.188
6 DST=74.125.53.141
9 DST=74.125.53.132
9 DST=74.125.53.125
34 DST=74.125.47.108
15 DST=74.125.239.9
39 DST=74.125.239.8
48 DST=74.125.239.7
42 DST=74.125.239.6
48 DST=74.125.239.5
48 DST=74.125.239.4
39 DST=74.125.239.3
6 DST=74.125.239.2
6 DST=74.125.239.15
6 DST=74.125.239.14
6 DST=74.125.239.13
12 DST=74.125.239.12
8 DST=74.125.239.11
6 DST=74.125.239.10
12 DST=74.125.239.1
12 DST=74.125.239.0
6 DST=74.125.224.82
51 DST=74.125.224.239
36 DST=74.125.224.238
42 DST=74.125.224.237
39 DST=74.125.224.236
24 DST=74.125.224.235
30 DST=74.125.224.234
48 DST=74.125.224.233
66 DST=74.125.224.232
84 DST=74.125.224.231
72 DST=74.125.224.230
90 DST=74.125.224.229
99 DST=74.125.224.228
81 DST=74.125.224.227
84 DST=74.125.224.226
75 DST=74.125.224.225
69 DST=74.125.224.224
9 DST=74.125.224.191

...additional output omitted...

3 DST=69.171.228.14
12 DST=69.171.224.67
5 DST=66.235.120.98
105 DST=66.220.146.22
3 DST=65.55.94.220
3 DST=65.55.94.216
21 DST=65.55.53.190
3 DST=65.55.53.156
18 DST=65.55.27.219
24 DST=65.55.25.59
9 DST=65.55.200.156
3 DST=65.55.200.155
9 DST=65.55.200.139
12 DST=65.55.184.16
9 DST=65.55.184.152
4 DST=65.55.17.39
9 DST=65.55.119.90
6 DST=65.54.75.98
9 DST=65.54.75.95
9 DST=65.54.75.93
15 DST=65.54.75.92
15 DST=65.54.75.8
3 DST=65.54.75.71
18 DST=65.54.75.6
3 DST=65.54.75.51
3 DST=65.54.75.40
3 DST=65.54.75.25

...additional output omitted...

49 DST=24.28.193.9
12 DST=24.25.230.9
45 DST=24.25.230.8
42 DST=24.25.230.18
30 DST=24.25.230.16
9 DST=24.25.230.10
4 DST=217.149.52.196
84 DST=216.228.124.39
63 DST=216.18.194.133
3 DST=216.156.213.179
3 DST=216.156.213.152
3 DST=213.35.100.25
4 DST=209.62.68.168
15 DST=209.18.46.99
15 DST=209.18.46.91
6 DST=209.18.46.66
3 DST=209.18.46.50
6 DST=209.18.46.42
3 DST=209.18.46.123
3 DST=209.151.233.98
28 DST=208.49.52.91
26 DST=208.49.52.106
1 DST=208.43.217.90
12 DST=207.46.21.123
10 DST=207.171.162.56
2 DST=207.171.162.142
36 DST=204.160.114.254
3 DST=199.66.201.169
3 DST=199.47.217.174
35 DST=199.47.217.173
30 DST=199.47.217.144
3 DST=178.255.83.0
9 DST=173.223.52.217
9 DST=173.223.52.186
12 DST=107.20.249.120

I piped the above grep command through word count to give me an exact number:

# grep loc2net messages | awk '{print $10}' | sort -rn | uniq | wc -l
163

That makes 163 unique IP addresses my malware infected desktop was trying to contact, and many of those IPs were contacted several times.
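As an added illustration (my own code, not from the original post), here is a small Python script that does what the grep | awk | sort | uniq -c pipeline above does, but on parsed fields rather than column positions: it splits the kernel log's KEY=VALUE pairs, keeps only loc2net DROP events, and tallies destinations, destination/port pairs, per-source counts and the first and last sighting of each destination. The log lines embedded in it are a constructed sample in the format shown above (192.168.11.10 and the 65.55.x.x destinations are from the post; 192.168.11.11 and 203.0.113.7 are made up). A tally like this tells you what was blocked and how persistently, not whether a destination is hostile: because the DROP rule covered the whole subnet, legitimate update and sync traffic from any local host lands in the same log, so each destination still has to be checked against who owns it before it is treated as a command-and-control host.

```python
import re
import sys
from collections import Counter

# Constructed sample in the Shorewall/iptables kernel-log layout shown in the post.
# 192.168.11.10 and the 65.55.x.x destinations come from the post; 192.168.11.11
# (a second local host) and 203.0.113.7 (TEST-NET-3) are made-up values.
SAMPLE_MESSAGES = """\
Sep  1 08:57:42 voyage localadmin: Shorewall restarted
Sep  2 09:04:14 voyage kernel: [2084722.015845] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.94.220 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=429 DF PROTO=TCP SPT=49192 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Sep  2 09:04:17 voyage kernel: [2084725.097856] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.94.220 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=430 DF PROTO=TCP SPT=49192 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Sep  2 09:06:13 voyage kernel: [2084841.657851] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=65.55.53.156 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=440 DF PROTO=TCP SPT=49193 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Sep  2 09:07:02 voyage kernel: [2084890.100000] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.10 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=450 DF PROTO=TCP SPT=49200 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
Sep  2 09:07:05 voyage kernel: [2084893.200000] Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=192.168.11.11 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x2
"""

# "Sep  2 09:04:14 voyage kernel: [2084722.015845] Shorewall:loc2net:DROP:IN=eth0 ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]*\] "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)
# KEY=VALUE pairs; bare flags such as DF and SYN carry no "=" and are skipped.
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line):
    """Return a dict of fields for a Shorewall kernel-log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "chain": m.group("chain"), "action": m.group("action")}
    event.update(KV_RE.findall(m.group("rest")))
    return event


def summarize(lines, chain="loc2net", action="DROP"):
    """Tally blocked events the way `grep loc2net | awk | sort | uniq -c` does,
    plus per-port, per-source and first/last-seen views the one-liner does not give."""
    events = [e for e in map(parse_line, lines)
              if e and e["chain"] == chain and e["action"] == action]
    by_dst = Counter(e["DST"] for e in events)
    by_dst_port = Counter((e["DST"], e.get("PROTO"), e.get("DPT")) for e in events)
    by_src = Counter(e["SRC"] for e in events)
    first_last = {}
    for e in events:  # assumes the file is in time order, as syslog writes it
        first = first_last.get(e["DST"], (e["ts"], e["ts"]))[0]
        first_last[e["DST"]] = (first, e["ts"])
    return {
        "total": len(events),
        "unique_dst": len(by_dst),
        "by_dst": by_dst,
        "by_dst_port": by_dst_port,
        "by_src": by_src,
        "first_last": first_last,
    }


def format_report(summary):
    """Render the tally in the `uniq -c` style used in the post, busiest destination first."""
    out = [f"{summary['total']} blocked events to {summary['unique_dst']} unique destinations"]
    for (dst, proto, dport), n in summary["by_dst_port"].most_common():
        first, last = summary["first_last"][dst]
        out.append(f"{n:6d} DST={dst} {proto}/{dport}  first={first}  last={last}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python shorewall_tally.py [/var/log/messages]; with no argument the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MESSAGES
    print(format_report(summarize(text.splitlines())))
```

Parsing the KEY=VALUE pairs instead of counting on $10 being the DST column also keeps the script correct for UDP and ICMP lines, whose field order differs from the TCP lines shown above.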

I decided to check out those Snort alerts in further detail.

I accumulated roughly 642 Snort alerts in /var/log/snort/alerts in the past week. There were a bunch of false positives that were triggered by my PC games, IMs, etc. A quick and dirty regex filtered out all that and gave me what I really needed to see:

# cd /var/log/snort
# egrep "X.X.X.X:.* -> .*" alert | egrep -v "GAME|P2P|Skype|Google" | less -S

Output from the above command:

08/30-02:27:54.042284  [**] [1:2012607:2] ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE [**] Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:33852 -> 70.37.68.225:80
08/30-02:29:11.933137 [**] [1:2012607:2] ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE [**][Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54918 -> 70.37.68.225:80
09/01-02:32:38.984298 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 116.255.188.165:6000 -> X.X.X.X:3306
09/01-02:33:13.716611 [**] [1:2011582:8] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:54027 -> 76.74.152.98:8080
09/01-02:33:13.716611 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54027 -> 76.74.152.98:8080
09/01-02:33:13.716718 [**] [1:2011582:8] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:54028 -> 76.74.152.98:8080
09/01-02:33:13.716718 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54028 -> 76.74.152.98:8080
09/01-02:33:13.716987 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54026 -> 76.74.152.98:8080
09/01-02:33:13.717114 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54029 -> 76.74.152.98:8080
09/01-02:33:13.717287 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54024 -> 76.74.152.98:8080
09/01-02:33:13.717449 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54025 -> 76.74.152.98:8080
09/01-02:33:13.900829 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54033 -> 76.74.152.98:8080
09/01-02:33:13.901049 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54032 -> 76.74.152.98:8080
09/01-02:33:13.901278 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54031 -> 76.74.152.98:8080
09/01-02:33:13.901574 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54030 -> 76.74.152.98:8080
09/01-02:33:13.907570 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54034 -> 76.74.152.98:8080
09/01-02:33:13.907705 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54035 -> 76.74.152.98:8080
09/01-02:36:19.794010 [**] [1:2011894:8] ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54071 -> 178.238.233.154:80
09/01-02:36:55.080334 [**] [1:2003579:4] ET MALWARE Findwhat.com Spyware (clickthrough) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54215 -> 206.123.102.103:80
09/01-02:37:12.889356 [**] [1:2003579:4] ET MALWARE Findwhat.com Spyware (clickthrough) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54323 -> 206.123.102.103:80
09/01-02:37:13.026983 [**] [1:2003579:4] ET MALWARE Findwhat.com Spyware (clickthrough) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54323 -> 206.123.102.103:80
09/01-02:37:35.670005 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54480 -> 109.236.82.46:80
09/01-02:37:35.670716 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54482 -> 109.236.82.46:80
09/01-02:37:36.505659 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54484 -> 109.236.82.46:80
09/01-02:37:36.508068 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54485 -> 109.236.82.46:80
09/01-02:37:41.788934 [**] [1:2012612:4] ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54489 -> 205.234.129.135:80
09/01-02:37:41.997022 [**] [1:2012612:4] ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54490 -> 205.134.252.251:80

I'm unsure as to whether the initial alerts on August 30 from 2:27-2:29 AM are related or have something to do with the alerts that started firing off on September 1st. Regardless, the bulk of it started at 2:32 AM on September 1st.
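For the Snort side, here is an added Python example (my own code, not the post's) that parses -A fast alert lines like the ones above into fields, applies the same triage the egrep pipeline did (only alerts involving the monitored host, minus the noisy GAME/P2P/Skype/Google categories, capped by priority), and tags each alert as inbound or outbound relative to that host, so the inbound 3306 probe stands apart from the outbound exploit and check-in traffic. It tolerates the August 30 line whose Classification field is missing its opening bracket. The sample lines are copied from the output above plus one made-up "ET GAMES" alert with placeholder SID 9999999 and a TEST-NET-3 address to exercise the noise filter.

```python
import re
from collections import Counter

# Alert lines copied from the post's /var/log/snort/alert output, plus one made-up
# "ET GAMES" line (placeholder SID 9999999, TEST-NET-3 address) to exercise the noise filter.
SAMPLE_ALERTS = """\
08/30-02:27:54.042284  [**] [1:2012607:2] ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE [**] Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:33852 -> 70.37.68.225:80
09/01-02:32:38.984298 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 116.255.188.165:6000 -> X.X.X.X:3306
09/01-02:33:13.716611 [**] [1:2011582:8] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:54027 -> 76.74.152.98:8080
09/01-02:33:13.716611 [**] [1:2012609:2] ET CURRENT_EVENTS Java Exploit Attempt Request for .class from octal host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54027 -> 76.74.152.98:8080
09/01-02:36:19.794010 [**] [1:2011894:8] ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} X.X.X.X:54071 -> 178.238.233.154:80
09/01-02:40:00.000000 [**] [1:9999999:1] ET GAMES placeholder alert (constructed, not a real rule) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} X.X.X.X:27015 -> 203.0.113.9:27015
"""

# Snort "-A fast" line layout. The "[" before Classification is optional because one
# line in the post lacks it, and the whole Classification group is optional because
# rules without a classtype print none.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[?Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

NOISY = ("GAME", "P2P", "Skype", "Google")  # the categories the post's egrep -v threw away


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
    return a


def triage(lines, home, max_priority=1, noisy=NOISY):
    """Keep alerts involving `home`, drop noisy categories, cap by priority,
    and tag each surviving alert inbound/outbound relative to `home`."""
    kept = []
    for line in lines:
        a = parse_alert(line)
        if a is None or home not in (a["src"], a["dst"]):
            continue
        if a["prio"] > max_priority or any(n in a["msg"] for n in noisy):
            continue
        a["direction"] = "outbound" if a["src"] == home else "inbound"
        kept.append(a)
    return kept


def summarize(alerts):
    """Counts per signature, the remote host on the far side of each alert,
    and the first time each signature fired (useful for building a timeline)."""
    by_sid = Counter((a["sid"], a["msg"]) for a in alerts)
    remote = Counter(a["dst"] if a["direction"] == "outbound" else a["src"] for a in alerts)
    first_seen = {}
    for a in alerts:
        first_seen.setdefault(a["sid"], a["ts"])
    return {"count": len(alerts), "by_sid": by_sid, "remote_hosts": remote, "first_seen": first_seen}


if __name__ == "__main__":
    # "X.X.X.X" is the post's redacted public address; substitute the monitored host's IP.
    alerts = triage(SAMPLE_ALERTS.splitlines(), home="X.X.X.X", max_priority=2)
    for a in alerts:
        print(f"{a['ts']} P{a['prio']} {a['direction']:8s} sid={a['sid']} {a['msg']}")
    print(summarize(alerts))
```

Walking the first_seen map in time order gives the same picture the author drew by eye: the vulnerable-Java and .class-request alerts fire at 02:33, and the rootkit check-in follows three minutes later, which is the order you would expect from an exploit kit landing page followed by a payload phoning home.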
