Quantcast

No Budget Threat Intelligence 4: Reversing Malware Samples

Having deliberately exposed a honeypot machine to attackers, Andrew Morris got a lot of incoming malware data, which he then reversed to get a better insight.

Reverse engineering obtained samples

Reverse engineering obtained samples

Reversing these samples (see right-hand image) is a talk in and of itself. Actually, it’s reverse engineering the malware samples that you find. And I’m not the best reverse engineer, so don’t listen to anything that I say about it. If you are also bad at reversing, check out malwr.com or virustotal.com, because they are two malware sandboxes. Malwr.com is awesome because they don’t share anything unless you let them. Virustotal.com has a cooler, prettier engine, but it will share your stuff; it’s owned by Google, so you can put two and two together.

Attacks from a particular IP address

Attacks from a particular IP address

So, I was getting hit a lot by one particular IP address (see left-hand image). It was hitting my sensors a lot using a lot of different passwords, and whenever they would get in they would try to pull a lot of malware. They were running a pretty big campaign. They guessed one of my good passwords that I had configured, and they logged in and they ‘wgot’ a malware sample, so to speak. The same web server that they were grabbing it from had directory traversal. Obviously, they were grabbing an ELF binary, because it was a Linux box, but I noticed that that same web server had directory listing enabled, so I grabbed all of the malware samples that were on there. There were a couple of Windows samples.

Specificity of the malicious code

Specificity of the malicious code

And so, I ran it and I was doing some manual reversing, and I found that it was passing a ton of IP addresses in ASCII, which was weird, over this custom binary protocol over port 36000 (see right-hand image). I was executing malware on the machine that I was analyzing it on, it was reaching out and trying to talk to the C2, and the C2 was just passing this weird binary protocol back. It wasn’t IRC, it wasn’t HTTP, it wasn’t anything like that, and in it was a bunch of IP addresses.

The sustained DDoS campaign

The sustained DDoS campaign

And those IP addresses were DDoS targets (see left-hand image). So, you know, that’s pretty standard: it’s reaching out and the server is just giving it back “Hey, here’s all the DDoS targets, we want you to DDoS this box, we want you to DDoS this box.” And it was sending that out to all of their bots. The C2 was architected to pass this to everyone. If I wrote malware, that’s not how I would do it, but I guess it’s a good thing I don’t write malware. The bots receive the IP addresses and they start spraying traffic at them. If you reverse the malware samples, you are going to actually find the function names, like SYN flood or UDP flood or whatever.

We don’t do this for money – we do it because we hate malware.

At this point, I’m trying to reverse a bunch more stuff. If you have ever seen #MalwareMustDie on Twitter, which is either a person or it’s a group of people – all I know is that he is insane. I hit him up and I’m like “Hey man, can you help me reverse some of these malware samples?” He’s like “Yes! Send me all of them!” And I was like “Ok, dude…” And so, he helped me reverse a bunch of these malware samples, and I was like “Dude, this is awesome, can I donate, like, 20 bucks to you guys via PayPal or something?” He’s like “No! We don’t do this for money – we do it because we hate malware!” I thought, oh my god, I wish I loved anything as much as you hate malware, man.

Screen sharing session mentioned

Screen sharing session mentioned

So, in a bunch of materials that he was publishing I saw this (see right-hand image). He published a video of all the crazy stuff that he does, and this was a video of him recording a screen sharing session of one Chinese operator training another Chinese operator how to use a product that he had developed and sold him, which generates ELF binaries and has the C2 package and all that stuff. I don’t know how about you guys, but I don’t speak Chinese.

Probably not a coincidence

Probably not a coincidence

But I did notice in there, a little bit closer, in the bottom right, the port number is 36000 by default (see left-hand image). And I was like “Huh, I bet that’s the same family of malware as this Windows binary that I found, and I’ve actually been seeing other things that have been speaking in the same protocol or whatever.” By the way, if you already know what I’m talking about and you know where this is going, if you ever copy this software, I would love for you to send it to me. I’ve been trying to find it everywhere, but I don’t want to buy it from the Chinese dude because I’m not trying to be on watchlist and stuff.

The C2 network service scanner

The C2 network service scanner

So, I realized that this C2 was one of lots of different C2s. I fingerprinted the C2 network service and I wrote a scanner for it (see right-hand image). It’s on my GitHub page. I also wrote an NSE script for it, but I don’t actually know Lua. I mean, it works and it gets the job done if you want to use it. I also stared at Wireshark for what felt like an eternity, and I basically built a scanner that logs into these C2 servers and it reports back to me all of the IP addresses that it’s currently targeting.

Scanner gotchas

Scanner gotchas

It turns out it’s actually really hard to write a client for a server that you don’t control (see left-hand image). I’m trying to write a client for this malware C2 thing, and the server is going up and down and it’s using a protocol I don’t understand. I had to cycle through a couple of different C2s to actually write the client out. It’s like trying to learn Spanish when you got two Spanish dudes in the room with you, but you don’t know Spanish and they are just talking in Spanish to each other, and then they keep walking out and you have to go and find more Spanish dudes. That’s basically what it’s like.

Chuilang C2 scanner in action

Chuilang C2 scanner in action

But yeah, I wrote a scanner, I was going to demo it, but all the C2s that I’m looking at right now are down, so I couldn’t. But this (see right-hand image) is a screenshot of what the scanner looks like. It logs in and it pulls all of the DDoS targets. I guess the reason why this is important is because it’s really cool, as an outsider or as someone running your no budget threat intel – organization or company, whatever – you can actually see who these bad guys are targeting, which can be cool for a number of different reasons. You can see who they are sending the DDoS attacks to. It can help you identify who they are. It can help you make the world a better place. You can warn them, you can do a lot of stuff using this information. And there’s a thousand ways that they could do it better so that you couldn’t, but they don’t, thank god.
 

Read previous: No Budget Threat Intelligence 3: Discovery and Investigation

Read next: No Budget Threat Intelligence 5: Automation

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: