Secure Honey

SSH honeypot written in C

Trojan Horse Uploaded Part 2: Malware Analysis

Thursday 6th February 2014 11:23

Coming up in this blog post: trojan horse receives commands from a Chinese C&C server and sends DDoS attacks to a Malaysian online casino website.

I'll be analysing the malware to determine what it does and also update you on the rest of the project as it's been a while since my last blog post.

My last post was back on the 14th December 2013 and since then I've been buried in revision for exams in January, along with post-graduate applications and graduate scheme applications.

This means there's not been a huge amount of progress on the project, but I'm aiming to get straight back into focusing on it now. I'm also eager to share some insights into the "disknyp" malware which came to light back in December.

Before I get started with the malware analysis, there have been a number of other blog posts discussing the malware. Thanks to the authors of the following articles for sharing their research on the "disknyp" binary:

Analysing Malware

One of my previous blog posts (Trojan Horse Uploaded) describes an attacker that uploaded malware to the honeypot. In that post I described some basic research I carried out to conclude that the uploaded malware was a trojan horse.

Since writing that previous blog post, Dr. Gareth Owen from the University of Portsmouth has been in touch to share some early results from a similar research project that is analysing the same malware.

A big thank you to Gareth and his student Rich for getting in touch. Thanks to their help I now have a much better understanding of exactly what the malware does which I'll be explaining now.

Gareth sent over the strace (system call trace) output from the malware running on a Linux virtual machine along with a network pcap (packet capture) file. A sample of these files is shown below: (as usual, I've masked IP and MAC addresses to keep identities anonymous.

First, let's look at a snippet from the strace (system call trace) output where a connection to the C&C server is established:

[80642e1] connect(5, {sa_family=AF_INET, sin_port=htons(6009), sin_addr=inet_addr("198.40.**.***")}, 16) = -1 EINPROGRESS (Operation now in progress)

Here we can see that a connection on port 6009 is made to the IP address 198.40.**.*** (the C&C server).

Now let's look at the pcap (packet capture) file produced from the malware:

No. Time Source Destination Protocol Length Info
1 2013-12-04 12:48:13 CadmusCo_* Broadcast ARP 42 Who has 10.*.*.*? Tell 10.*.*.*
2 2013-12-04 12:48:13 RealtekU_* CadmusCo_* ARP 60 10.*.*.* is at 52:**:**:**:**:**
3 2013-12-04 12:48:13 10.*.*.** 198.40.**.*** TCP 74 50512 > 6009 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=564880 TSecr=0 WS=1024
4 2013-12-04 12:48:13 198.40.**.*** 10.*.*.** TCP 60 6009 > 50512 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
5 2013-12-04 12:48:13 10.*.*.** 198.40.**.*** TCP 468 50512 > 6009 [PSH, ACK] Seq=1 Ack=1 Win=14600 Len=414
6 2013-12-04 12:48:13 198.40.**.*** 10.*.*.** TCP 60 6009 > 50512 [ACK] Seq=1 Ack=415 Win=65535 Len=0
7 2013-12-04 12:48:18 198.40.**.*** 10.*.*.** TCP 123 6009 > 50512 [PSH, ACK] Seq=1 Ack=415 Win=65535 Len=69
8 2013-12-04 12:48:18 10.*.*.** 198.40.**.*** TCP 81 50512 > 6009 [PSH, ACK] Seq=415 Ack=70 Win=14600 Len=27
9 2013-12-04 12:48:18 198.40.**.*** 10.*.*.** TCP 60 6009 > 50512 [ACK] Seq=70 Ack=442 Win=65535 Len=0
10 2013-12-04 12:48:26 10.*.*.** 198.40.*.*** TCP 54 50512 > 6009 [RST, ACK] Seq=442 Ack=70 Win=14600 Len=0

In the above pcap file; the malware sends and receives packets from the C&C server at 198.40.*.***. Presumably these packets communicate to the C&C server that the malware is connected and ready to receive commands.

In the next pcap file, the malware receives instructions from the C&C server (198.40.*.***) to carry out a DDoS attack. The actual DDoS attack packets are then captured from packet number 13:

No. Time Source Destination Protocol Length Info
1 2013-12-04 12:22:20 RealtekU_* Broadcast ARP 60 Who has 148.***.**.***? Tell 10.*.*.*
2 2013-12-04 12:22:24 CadmusCo_* Broadcast ARP 42 Who has 10.*.*.*? Tell 10.*.*.**
3 2013-12-04 12:22:24 RealtekU_* CadmusCo_* ARP 60 10.*.*.* is at 52:**:**:**:**:**
4 2013-12-04 12:22:24 10.*.*.** 198.40.**.*** TCP 74 50497 > 6009 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=177773 TSecr=0 WS=1024
5 2013-12-04 12:22:24 198.40.**.** 10.*.*.** TCP 60 6009 > 50497 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
6 2013-12-04 12:22:24 10.*.*.** 198.40.**.*** TCP 468 50497 > 6009 [PSH, ACK] Seq=1 Ack=1 Win=14600 Len=414
7 2013-12-04 12:22:24 198.40.**.*** 10.*.*.** TCP 60 6009 > 50497 [ACK] Seq=1 Ack=415 Win=65535 Len=0
8 2013-12-04 12:22:32 RealtekU_* Broadcast ARP 60 Who has 148.***.**.***? Tell 10.*.*.*
9 2013-12-04 12:22:44 RealtekU_* Broadcast ARP 60 Who has 148.***.**.***? Tell 10.*.*.*
10 2013-12-04 12:22:47 198.40.**.*** 10.*.*.** TCP 123 6009 > 50497 [PSH, ACK] Seq=1 Ack=415 Win=65535 Len=69
11 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 310 Continuation or non-HTTP traffic
12 2013-12-04 12:22:47 RealtekU_* Broadcast ARP 60 Who has 148.***.**.***? Tell 10.*.*.*
13 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 312 [TCP Out-Of-Order] Continuation or non-HTTP traffic
14 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 314 [TCP Out-Of-Order] Continuation or non-HTTP traffic
15 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 316 [TCP Out-Of-Order] Continuation or non-HTTP traffic
16 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 318 [TCP Out-Of-Order] Continuation or non-HTTP traffic
17 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 320 [TCP Out-Of-Order] Continuation or non-HTTP traffic
18 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 322 [TCP Out-Of-Order] Continuation or non-HTTP traffic
19 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 324 [TCP Out-Of-Order] Continuation or non-HTTP traffic
20 2013-12-04 12:22:47 148.***.**.*** 199.83.***.** HTTP 326 [TCP Out-Of-Order] Continuation or non-HTTP traffic

As we can see from the above pcap data, the IP address 199.83.***.** is the unfortunate recipient of this DDoS attack and the sender is 148.***.**.***.

It's important to stress at this point that the outgoing packets are being blocked - i.e. the recipient of the DDoS attack isn't actually being attacked. The malware is running inside a virtual machine whereby only C&C traffic is being sent.

But this data does highlight how easy it is for a malicious file to send DDoS attacks from an infected machine without the owner of the infected machine knowing about it.

It's also worth pointing out that I've tried running the "disknyp" malware on a VM and was unable to connect to the C&C server. So it looks like the C&C server has either moved on or shut down.

I did some searching around to determine who is behind these IP addresses. It turns out the C&C server sending the commands (198.40.*.***) is located in China and that the IP address being attacked (199.83.***.**) is an online casino website based in Malaysia.

Further Malware Analysis Resources

Thank you to Gareth for recommending these resources. I'm aiming to start reading Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig (No Starch Press, 2012).

I've also registered an account over at Virus Share, they're a "repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code".

Other project updates

Thanks to Matthew from Mercer University (Georgia, US) for getting in touch. He's working on a similar project using Kippo honeypot to research SSH cyber attacks. We're planning to join forces and collaborate our data to compare SSH cyber attacks across the pond.

I'm also currently in the process of planning data collaboration with Rich from the University of Portsmouth (here in the UK), again to compare our data and see what conclusions we can draw from the comparisons.

Image credit: "Dengue virus infection" by Sanofi Pasteur, flickr.com/photos/sanofi-pasteur/7413644166

Comments

There are no comments for this blog post yet

Add Comment

Name

Email (won't be displayed)

Website (optional)

Comments

Live Stats (see full stats)

Attempted logins

date range # attempts
today393
yesterday194
past 7 days4,426
past 30 days17,357
all time4,114,040

Top 5 passwords

password # attempts
12345618,562
admin8,503
password6,536
-6,393
root4,833

Top 5 usernames

username # attempts
root3,927,129
admin78,772
test4,046
oracle3,356
nagios2,648

Stats represent data collected from SSH login attempts on multiple honeypots. Parts of some stats may be filtered to maintain anonymity.

Updated: Tue, 07 Jun 2016 16:33:48 +0100

Live Password Cloud

12qwaszx 963852741 1234%^ POIUYT 12344321 zxcvbn 111 zaqxsw 888888 111111 asdfghjkl a123456 windows qwer1234 q1w2e3 Passw0rd zxcv support 1111 server iloveyou welcome123 user !@ abcdef a cisco 123abc qwer qwerty123 q123456 manager 54321 alpine qq123456 huawei 11223344 password zaqxswcde qazwsx default 1 qwe123 test okokok 88888888 ubnt dragon 159753 147852369 12345678 passwd qwertyuiop 23456 power qwaszx huawei123 changeme123 123123123 5201314 Aa123456 qwe 1qazxsw2 nagios redhat zaqxswcdevfr q1w2e3r4 1234qwer 1qaz2wsx3edc monitor 12345 pass root1234 password123 123qweasd 000000 z1x2c3v4 qaz qazwsx123 f**kyou admin123!@# Pass123 121212 p@ssword 1a2s3d4f 1qaz2wsx Admin123456 woaini zaq1xsw2 linux adminadmin _ system 1qaz@WSX P@ssw0rd1 sapp a1b2c3d4 654321 qazwsxedc 1234 sqlpp qazxsw asdf sysadmin qqpp abc123 idc2008 123123 666666 123456 123qwe 987654321 admin123 admin@123 zhang 789789 11111111 idcidc qwerty123456 secret Huawei@123 !@#$%^ changeme 1q2w3e 147258369 superman 147258 admin1 mnbvcxz admin welcome 225588 !qaz1QAZ 123 p0o9i8u7 apple aaa !QAZ2wsx administrator zzzzzz oracle qwerty china 0000 rootpass 7890pp letmein abcd1234 1122334455 raspberry abc1234 a1s2d3f4 rootroot P@ssw0rd qwert public adminpp 1q2w3e4r5t root 1234567890 qweasd guest asdfgh test123 zxcvbnm caonima - !QAZ@WSX 112233 147147 123654 q1w2e3r4t5 1234567 1q2w3e4r password1 root123 123456789 12345qwert qweasdzxc 110110 159357