Honeynet Challenge 12
These are my notes in answering the questions to the Honeynet Challenge 12 Hiding in plain sight. The Honeynet challenges are a devised by members of the Honeynet Project to allow the security community to analyse attacks (through packet traces, log files, forensic disk images etc).
A word of warning this is just in note form (i.e. brain dump) and lacking in structure.
Nor have I found all the answers to the questions in the challenge, partly because the malware is 64-bit ELF Linux executable and I don't have a 64-bit machine to (I don't have a PC with hardware assisted virtualisation so I can't even run a 64-bit guest on a 32-bit host).
The challenge consists of a pcap network packet trace, a copy of the shadow and sudoers file and the output from the 'ps aux' command from the compromised system
Hosts
-------
The following hosts and services running on the hosts can be identified from the packet trace.
10.252.174.188 (IANA RESERVERD IP)
Web Browser User-Agent 1 : Wget/1.13.4 (linux-gnu)
SSH Application : OpenSSH_5.9p1 Debian-5ubuntu1
Mostly received / endpoint for SSH traffic
Also sent some HTTP requests to 23.20.23.147 (and some to 174.129.57.253)
23.20.23.147 is the Amazon EC2 host ec2-23-20-23-147.compute-1.amazonaws.com
Web Server Banner 1 : TCP 80 : Apache/2.2.22 (Ubuntu)
SSH Application : OpenSSH_5.0
Port 80 open
23.21.35.128
Web Server Banner 1 : TCP 80 : Apache/2.2.22 (Ubuntu)
No outgoing sessions/traffic. Only port 80 traffic from itself?!
23.22.228.174
As above
174.129.57.253
As above
Packet Info
-----------
Using the Statistics > Protocol Hierarchy menu item in Wireshark shows the only interesting traffic is HTTP and SSH.
HTTP Traffic
------------
Using the filter 'http', a number of interesting tcp streams can be seen, that are discussed below.
tcp.stream eq 54
In frame 1744: 10.252.174.188 issues a GET /d/1 HTTP/1.1 to 23.20.23.147 using Wget/1.13.4
This results in 23.20.23.147 sending back a packed binary file (packed with UPX 3.0.8) as a HTML file 1 (the malware).
tcp.stream eq 55
In frame 1795 10.252.174.188 issues a GET /d/2 HTTP/1.1 to 23.20.23.147 using Wget/1.13.4
This results in the server sending back another binary (but this one is not packed) as a HTML file 2 (the kernel module malware/rootkit).
tcp.stream eq 56
In frame 2020 10.252.174.188 issues a GET /d/3 HTTP/1.1 to 23.20.23.147 using Wget/1.13.4
This results in the server sending a bash shell script as a HTML file 3.
Packed Binary
---------------
The packed binary (with the hash 64765c87a2a28262981e1dae7bad272a) is an ELF 64-bit LSB executable, statically linked and stripped. Running strings against the packed binary shows fragments such as
Shadow.log
-------------
VirusTotal shows that all the files (binaries and bmp images) were scanned on 2012-08-03, but none were detected as being malicious by the 41 antivirus engines VirusTotal uses.
A word of warning this is just in note form (i.e. brain dump) and lacking in structure.
Nor have I found all the answers to the questions in the challenge, partly because the malware is 64-bit ELF Linux executable and I don't have a 64-bit machine to (I don't have a PC with hardware assisted virtualisation so I can't even run a 64-bit guest on a 32-bit host).
Honeynet Challenge 12 - Hiding in Plain Sight
The challenge consists of a pcap network packet trace, a copy of the shadow and sudoers file and the output from the 'ps aux' command from the compromised system
Hosts
-------
The following hosts and services running on the hosts can be identified from the packet trace.
10.252.174.188 (IANA RESERVERD IP)
Web Browser User-Agent 1 : Wget/1.13.4 (linux-gnu)
SSH Application : OpenSSH_5.9p1 Debian-5ubuntu1
Mostly received / endpoint for SSH traffic
Also sent some HTTP requests to 23.20.23.147 (and some to 174.129.57.253)
23.20.23.147 is the Amazon EC2 host ec2-23-20-23-147.compute-1.amazonaws.com
Web Server Banner 1 : TCP 80 : Apache/2.2.22 (Ubuntu)
SSH Application : OpenSSH_5.0
Port 80 open
23.21.35.128
Web Server Banner 1 : TCP 80 : Apache/2.2.22 (Ubuntu)
No outgoing sessions/traffic. Only port 80 traffic from itself?!
23.22.228.174
As above
174.129.57.253
As above
Packet Info
-----------
Using the Statistics > Protocol Hierarchy menu item in Wireshark shows the only interesting traffic is HTTP and SSH.
HTTP Traffic
------------
Using the filter 'http', a number of interesting tcp streams can be seen, that are discussed below.
tcp.stream eq 54
In frame 1744: 10.252.174.188 issues a GET /d/1 HTTP/1.1 to 23.20.23.147 using Wget/1.13.4
This results in 23.20.23.147 sending back a packed binary file (packed with UPX 3.0.8) as a HTML file 1 (the malware).
tcp.stream eq 55
In frame 1795 10.252.174.188 issues a GET /d/2 HTTP/1.1 to 23.20.23.147 using Wget/1.13.4
This results in the server sending back another binary (but this one is not packed) as a HTML file 2 (the kernel module malware/rootkit).
tcp.stream eq 56
In frame 2020 10.252.174.188 issues a GET /d/3 HTTP/1.1 to 23.20.23.147 using Wget/1.13.4
This results in the server sending a bash shell script as a HTML file 3.
Packed Binary
---------------
The packed binary (with the hash 64765c87a2a28262981e1dae7bad272a) is an ELF 64-bit LSB executable, statically linked and stripped. Running strings against the packed binary shows fragments such as
- "UPX!" - indicating the binary has been packed with UPX 3.0.8
- "/proc/self/exe" - this is commonly used by an binary that has unpacked itself to determine it's location on the file system.
- "wget -O http://" - the malware uses wget to retrieve files.
- "GCC: (Ubuntu/Linaro 4.6.3-1u" - the binary was compiled on an Ubuntu system.
The (Not Packed) Binary
--------------------------
The other binary with the hash a97138be58d9e6d51e12a7a6c40f0d82 is a ELF 64-bit LSB relocatable executable and is not stripped. This is the kernel mode rootkit.
BMP Images
--------------
A number of BMP images are retrieved using wget 1.13.4:
tcp.stream eq 61
In frame 3167 10.252.174.188 issues a
GET
/n/JURgH3Pd1rSdCYCuI3yWe1Zpir3DVDtlv4FBXmj6I+ylBrg3C9TgPVHh1ETXzDbZqx1ZBS6X6ELuaZ/54UeGNuNRXZqP8jKjjKmPvGZliJgVi4QJWk3ytr/U/B3/7eItdtTM+hmAc+xdp0j9sNXDw94VfQK+m+CgCpyx1AVPFSw= HTTP/1.1
to 23.20.23.147 using Wget/1.13.4
The server sends a bmp image of an newspaper article with the headline "Hackers can turn your home computer into a bomb ... & blow your family to smithereens!" obtained from the other host (23.20.23.147)
tcp.stream eq 61
In frame 3606 10.252.174.188 issues a
GET
/n/d1fv+eJkdZuLjPj8rquuxHFbI0h1Mu6LRG5HGhkiX2dwSUSxwdo3he/pNTFijq8KPzs1c3iMvMDM1HCl0KY2OOI/AoWT8H8LXEOWIBNSYFGRc8Yr4uosTMtirrr23Vx94rc60G+mBfhHWZdVRyo9zF/RLOQHRHZygdpqRABPDSM= HTTP/1.1
to 23.22.228.174 using Wget/1.13.4
The server sends a bmp image of a logo that says "I'd pretend I was one of those deaf-mutes I thought what I'd..." which it received previously from 23.22.228.174.
tcp.stream eq 63
In frame 3649 10.252.174.188 issues a
GET
/n/U/sKN90+bm1yBlLEbgEAOn/BexSAb4ZGNM+yXKryqX4YiT/eWF46qrf3e3E4XRMtY/I+S1XEigJbaCU9ytK7TurMIQdOMPxEiq6/D0r381eGzQ3GNChyOXHGjd0leIeLUgaTTe8LYXQGBinDAKAPW6pUrtiIO4f/+hw1kzWJxr4= HTTP/1.1
to 174.129.57.253 using Wget/1.13.4
The server sends a bmp image of a red light (which it previously obtained from 174.129.57.253)
tcp.stream eq 64
In frame 3744 10.252.174.188 issues a
GET /n/boJHo3Mv1sFAPQbZ1j6D4iH1ZnF1Te3n8Mnuu5SYT6BnbrZSxr2socM6p5JKZGWnSwQZMlqMiVoLZxky5gUO6Fb8Qa+8ZcFfYNh6+Lh7TWsyKFXn5udoYPtmpGGQL+l8gvv9kWKtS8E60ikdS03OiZgwetk/Gqy0OALIsgM+6zU= HTTP/1.1
to 23.21.35.128 using Wget/1.13.4
The server sends a bmp image of a poster from the "anti-dolphin organisation" to the client, which it had previous got from this server.
tcp.stream eq 65
In frame 4086 10.252.174.188 issues a
GET /n/Ssy2T/Ig7G0vxOOHw9DUar67em5WH0RXGMIMmyJsD7Vk+4gt80d63h419MwmIG1wnOI4sG+pM0PRYz9KUqHP1aRCwZrYtKshyoVRnP/WoKjRixQZu3W7wd8jDRN8xR+R2qLRs+AoJTOij7y+C07VXnO/LKBrJ6jLSpMV+D7Rfww= HTTP/1.1
to 23.20.23.147 using Wget/1.13.4
The server sends a bmp image of a woman with the watermark "Copyright Karina Antigua 2012". This image is suspicious and appears to contain data of some sort.
SSH Service Details
---------------------
The host at 23.20.23.147 makes 54 attempts to open an SSH connection to 10.252.174.188 and login - so 53 failed attempts were made before the attacker successfully logged in.
Shadow.log
-------------
The last password change field for the (10) accounts ubuntu, guest, gibson, sean, george, roger, timothy, pierce, sterling and manager is 15,549 days for the accounts, so the password was last changed for all those accounts on Saturday, 28 July 2012. The root password was changed on the same day.
The passwords for guest, manager, gibson, sean, george, roger, timothy, pierce and sterling curiously have salt value that changes from SaltVal1 to SaltVal9.
VirusTotal shows that all the files (binaries and bmp images) were scanned on 2012-08-03, but none were detected as being malicious by the 41 antivirus engines VirusTotal uses.
Comments
Post a Comment