No Budget Threat Intelligence 6: Defensive Strategies

As this ShmooCon presentation comes to an end, Andrew Morris discusses defenses against the attacks and shares his plans for upcoming projects.

Defensive Strategies

Tips to implement the defenses


So, a couple of defensive strategies (see right-hand image). It’s, basically, standard threat intelligence stuff, whatever you want to do with the data. I mean, you can check for connections to, or block, known C2s, which is a pretty standard thing; flag connections to known-malicious subnets, same thing; look for connections to malware distribution web servers – those HFS boxes that I was talking about before, you should never talk to those under any circumstance. If something is talking to one of those, it’s probably bad, you probably have a compromise. You can check standard indicator stuff: presence of files with MD5s or Yara signatures of any of the malware that’s collected.
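The checks listed above (connections to known C2s, to known-malicious subnets, to malware distribution hosts, and files matching known MD5s) are simple to script. The following is an added example, not code from the talk or from any of the speaker's projects; the indicator sets and the connection-log lines are constructed placeholders, and the log format (`timestamp src -> dst:port`) is an assumption made for the example.

```python
import hashlib
import ipaddress

# Constructed indicator sets (documentation-range addresses, not real IoCs).
KNOWN_C2_IPS = {"198.51.100.23", "203.0.113.7"}
KNOWN_BAD_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]
KNOWN_MALWARE_HOSTS = {"198.51.100.200"}  # e.g. an HFS box serving samples
KNOWN_MALWARE_MD5S = {hashlib.md5(b"constructed sample bytes").hexdigest()}

# Constructed connection-log lines in an assumed "<ts> <src> -> <dst>:<port>" format.
SAMPLE_LOG = """\
2015-01-17T10:00:01 10.0.0.5 -> 93.184.216.34:443
2015-01-17T10:00:02 10.0.0.5 -> 198.51.100.23:6667
2015-01-17T10:00:03 10.0.0.9 -> 192.0.2.77:22
2015-01-17T10:00:04 10.0.0.9 -> 198.51.100.200:8080
"""


def classify_destination(dst_ip):
    """Return a verdict for one destination IP, or None if no indicator matches.
    Exact-IP lists are checked before the subnet list so the most specific
    indicator wins."""
    if dst_ip in KNOWN_C2_IPS:
        return "known-c2"
    if dst_ip in KNOWN_MALWARE_HOSTS:
        return "malware-distribution-host"
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in KNOWN_BAD_SUBNETS):
        return "malicious-subnet"
    return None


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src, dst_ip, int(dst_port)


def flag_connections(log_text):
    """Return (timestamp, src, dst_ip, verdict) for every line whose destination
    matches an indicator; clean connections are dropped."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, _port = parse_line(line)
        verdict = classify_destination(dst_ip)
        if verdict is not None:
            hits.append((ts, src, dst_ip, verdict))
    return hits


def md5_matches(data):
    """True if the MD5 of the given file bytes is in the known-malware set."""
    return hashlib.md5(data).hexdigest() in KNOWN_MALWARE_MD5S


if __name__ == "__main__":
    for hit in flag_connections(SAMPLE_LOG):
        print(hit)
    print(md5_matches(b"constructed sample bytes"))
```

In practice the indicator sets would be loaded from the collected data rather than hard-coded, and a hash check alone is weak against repacked samples, which is why the talk pairs it with Yara signatures.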

SSH attack countermeasures


Defending against attacks on SSH – this is so easy (see left-hand image). It’s stupid-easy. Use SSH keys, disable password authentication. If this is not possible for whatever reason, then you can audit: use strong passwords, audit against John the Ripper with the wordlists that I’m providing. You can blast it with Medusa if you want. Blast your own environment with Medusa, with the password list that I provided and see if any bad guys could potentially get into your stuff if it’s using password authentication.
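The first recommendation above (SSH keys only, password authentication off) is a matter of a few sshd_config directives, and it is worth checking them automatically because an absent directive silently falls back to the OpenSSH default, which for PasswordAuthentication is "yes". The following auditor is an added example, not code from the talk; the two config fragments are constructed, and the parser only reads the global section (it stops at the first Match block) and honours sshd's first-occurrence-wins rule for repeated keywords.

```python
import re

# Constructed sshd_config fragments: the weak one still accepts passwords,
# the hardened one allows public-key authentication only.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
"""

# Directive -> acceptable values (lower-case) for a keys-only policy.
EXPECTED = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}

# OpenSSH defaults used when a directive is missing from the file; this is
# why an empty or minimal config is still reported as permitting passwords.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Parse the global section of an sshd_config into {keyword: value}.
    sshd uses the first occurrence of each keyword, so setdefault keeps the
    earliest value; parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(directive, effective_value)] for every directive whose
    effective value (explicit or default) violates the keys-only policy.
    An empty list means the config passes."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective not in allowed:
            findings.append((key, effective))
    return findings


if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Run it against `/etc/ssh/sshd_config` on each host; any finding means the host is still exposed to the password brute-forcing the honeypots in this talk record, and the speaker's wordlist audit with John the Ripper is the fallback only for hosts where the keys-only policy genuinely cannot be applied.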


So, roadmap of some of the stuff I want to do in the future, and there’s a lot of this. This is my to-do list for this stuff, and it just keeps getting bigger and bigger. The problem that I’ve actually run into is I did these slides in, like, five minutes, because I keep working on it. I wrote Threatbot about two days ago, and everything just keeps blowing up bigger and bigger, and there are so many different things that I’ve been looking at, and I’m like, man, I really need to start doing my slides more than two days in advance.

Topics covered


Recap – real quick, just what we’ve talked about (see right-hand image). We’ve talked about going from sensors to attacks, to malware artifacts (malware samples), to DDoS target leaks, to mass scanning the Internet. We don’t even need to capture samples to find C2s anymore, at least for this family. Conventionally, it’s going to be like, oh hey, I have a piece of malware, and I want to find the C2 for that piece of malware. And you still need samples to find C2s and stuff, but with this family, with this one thing that I’ve been looking at obsessively, you don’t even need to have a malware sample that talks to that C2. You’d scan the whole Internet; it’s easy, people do it every day. You could scan the Internet in, like, five minutes if you use masscan and don’t mind responding to the abuse complaint reports that you’re going to get a lot of.

Statistics collected


Here are some stats of stuff that I’ve seen to date (see left-hand image). I’ve seen 6,279,676 authentication attempts – this is over the course of six months, but I’d need to graph it out properly. I’ve seen 2 million in the last two weeks. I’ve seen 5,573 unique IP addresses since October of 2014. I’ve seen over 500,000 unique passwords being used. I’ve located a total of 30 Chuilang C2s. I’ve identified 27 malware samples – that’s right, that number is less than the number of C2s, think about that. And I’ve leaked 750 different DDoS targets belonging to 40 different organizations, and that’s just in one month, because that is when I started to get the Chuilang logger working.

To-do list


Future plans: I want to build more signatures to identify different types of C2s (see right-hand image). I know there are more C2s that use other binary protocols and things that can be identified. Obviously, you’re going to have HTTP stuff, you’re going to have IRC stuff. It’s going to be a little harder, but it’s still doable. I want to expand Threatbot’s capability. I want you to be able to email him, I want you to be able to Pinterest to him, I want you to be able to do whatever you want. And I want to build that so that he’s got more data and he’s got more things that he can report back to you with more useful information, especially doing more things other than just Twitter. That’s just because maybe you don’t want people to see the IP addresses that you’re looking at, and I’m aware of this.

I want to deploy more sensors, because hell yeah, I want more data. I want to build automation for warning that DDoS attacks are coming. I want to build something that reaches out to the DDoS targets’ abuse contact thing, and I want to let them know: hey, you are probably about to get a DDoS attack, it’s going to come from these people. I want to expand more stuff with Shellshock and Heartbleed and other vulnerabilities that are being executed. I’m focusing really heavily on SSH right now, just because the capability is already there, the attacks are happening, and it’s really cool stuff. I want to build an HFS web server watch script, something that, when I find known HFS malware hosting repositories or whatever you want to call it – I want to build something that reaches out and looks at those all the time, and it’s always refreshing that and it’s checking those, and whenever new malware goes up I want to grab it.


I want to improve the mass scanning and the dorking for HFS. So, I want to be able to find more of those HTTP file servers that host malware without necessarily watching an operator log into my box and reach out. It’s 2015, you can mass scan the crap out of the Internet, so I want to find it like that. I want to improve the automated signature generation. I want to be able to build Yara signatures and things like that from malware that I get as it happens, as they come in. And I want to build more useful information into the Animus threat reports, because right now it’s kind of trivial information that can help you, but it can’t really-really help you. And there’s so much more data to collect. I mean, there are so many different IOCs that I could look at, there are more web servers storing malware, there are more C2s sitting out there, there’s a ton of stuff.
So, I just wanted to give some credit to ThreatStream. This dude, Jason, has answered all of my questions about everything. I’d like to also thank the Kippo developers for developing something so awesome. HD Moore helped me with a couple of things; I reached out to him and he responded. If you ever email him, he emails you back in, like, three minutes. It doesn’t matter when you do it. It’s like “Dude, what do you do with your life?” Brian Baskin – this guy helped me reverse some samples. Johnny Vestergaard – he is the developer of Mnemosyne, the thing that sits between MHN and MongoDB. hpfeeds talks to it, it’s an awesome database, and it’s really cool.

@MalwareMustDie – that dude is awesome. Rob Blody is a buddy of mine, he helped me reverse some samples. I wanted to really say thanks to ShmooCon for having me. I came here for the first time when I was 18 years old. I was so stoked, and because of it I got my first job in security and all that stuff, so that’s the reason why I’m here right now. And the Linode abuse team – they’ve been pretty nice to me with everything. They would literally email me four times a day, and they’re like “Hey, we got more complaints, gonna have to block these people.” And I’m like “You got it!” So, I want to say thanks to all of them, and thanks to all of you guys for coming here to my talk. Do you guys have any questions?

Question: Do you do any log analysis on TTY logs to identify if this is a human or if this is a bot?

Andrew Morris: No, I don’t. That’s a really good idea. I’ll look at doing something like that.

Question: Can you share some of the names of the targets?

Andrew Morris: No, I’m not going to do that. Sorry. But it’s a good question. Any other questions?

Question: Are you doing any IPv6 yet?

Andrew Morris: I don’t have that capability quite yet. That’s on the to-do list. Thank you, though. But really, you are not going to mass scan IPv6, I don’t know… But that’s a good question, I should look at doing something like that.

Question: What are you doing with the source IP addresses that are coming in? Are you doing any verification to see if the things that are coming in are compromised or anything like that?

Andrew Morris: No, I’m not doing anything like that. I know somebody else who runs a project, where he’ll actually just turn right back around and he’ll ‘nmap’ the box and he’ll look for a web server and stuff. And he’s got good results doing that. That’s something that you can do and I could do, I just haven’t implemented it yet. This is all still pretty half-baked stuff that I’m working with.

Okay, thank you guys so much for coming!
