How Does JavaScript Right Shift Zero Fill Work

I have converted several online classic cipher tools from JavaScript, Python, C, and C++ to VB.Net for some of my projects.

I will at times create small projects to get a better understanding of how a certain function works given different input.

In this project I needed to understand how the JavaScript “>>>” right shift zero fill operator worked for a function I’m trying to convert.

The closest I got to an explanation was this page: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Bitwise_Operators

If the input number is positive then it is just a normal right shift operation, which can be found in just about any programming language.

If the number is negative then it starts getting more complicated.

If we look at the simple example they have there:

[Image: BorrowedExample]

In my test program we see:

[Image: NineShit2]

We start by converting the negative number to a positive.

Get the binary bits for the number.

Flip the bits: what was a “1” is now a “0” and what was a “0” is now a “1”.

Next we trim 2 bits off the right side for the shift amount of 2. That only leaves us with 2 bits.

If we convert that back to an Integer then we end up with “1”.

As we’ve seen above in the borrowed example and my test program, the expected result is not “1” but “1073741821”. So what else do we have to do?

Well, this function is based on 32 bits, so:

We subtract the shift amount from 32 and get 30.

Since there are 2 bits left, we subtract 2 from 30 and get 28.

Next we pad the left side of the remaining bits with 28 “1”s.

Finally we convert the binary string back to Integer or Long.

The number of bits to fill is (32 – shift amount) – remaining bits, or in this case
(32 – 2 = 30) – 2 bits left = 28.

Now what if we want to shift by more than 4, which is the number of bits for “9”:
“1001” for the positive value and “0110” for the flipped-bit version?

Then we pad the left side with bits equal to the amount needed to reach the shift length. For instance, we start with 4 bits and want to shift by 5, so we pad 1 bit to the left.

Now when we get done shifting there are no bits left. Or we could just say that if the shift amount is greater than the available bits then the remaining bits is “0”.

Using the math above, in this case it would be (32 – 5 = 27) – 0, since there are no bits left.

So we end up with 27 “1”s, “111111111111111111111111111”; converting back to Integer or Long gives 134217727, which is the result we were expecting.

[Image: NineShift5]
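The procedure above, as an added example that is not code from the original post (the post's own VB.Net code is not shown): the ECMAScript definition of `>>>` carried out in Python, next to the flip-and-pad recipe so the two can be compared. Flipping the bits of |x| gives the one's complement, while the real 32-bit operand is that plus one, so the recipe reproduces -9 >>> 2 and -9 >>> 5 only because the +1 would have changed nothing but bits the shift trims away; `recipe_matches` reports inputs such as -8 >>> 1 where the two differ.

```python
# Added example, not code from the original post (which was ported to VB.Net):
# JavaScript's ">>>" reproduced in Python, as needed when porting JS cipher
# code to a language that has no zero-fill shift.
#
# ECMAScript defines x >>> n as: convert x with ToUint32 (reduce modulo 2**32,
# i.e. take the 32-bit two's-complement bit pattern), mask n to its low 5 bits,
# then do an ordinary unsigned right shift. The "pad the left with ones" effect
# the post observes for negative numbers is just that two's-complement pattern
# being shifted.


def to_uint32(x: int) -> int:
    """ECMAScript ToUint32 for an integer: its 32-bit two's-complement pattern."""
    return x & 0xFFFFFFFF


def js_ushr(x: int, shift: int) -> int:
    """Equivalent of JavaScript `x >>> shift` for an integer x.

    As in JavaScript only the low 5 bits of the shift count are used, so
    js_ushr(x, 32) == js_ushr(x, 0) == to_uint32(x).
    """
    return to_uint32(x) >> (shift & 31)


def bits32(value: int) -> str:
    """32-character binary string, for inspecting a result the way the post does."""
    return format(to_uint32(value), "032b")


def flip_and_pad(x: int, shift: int) -> int:
    """The post's manual recipe, followed literally.

    Negative x: write |x| in binary, flip every bit, trim `shift` bits off the
    right (nothing is left if the shift is at least the bit length), then pad
    the left with ones until the string is (32 - shift) bits wide.
    Positive x: a plain right shift.
    """
    if x >= 0:
        return x >> shift
    flipped = format(-x, "b").translate(str.maketrans("01", "10"))
    if shift == 0:
        remaining = flipped
    elif shift >= len(flipped):
        remaining = ""
    else:
        remaining = flipped[:-shift]
    ones = (32 - shift) - len(remaining)
    return int("1" * ones + remaining, 2)


def recipe_matches(x: int, shift: int) -> bool:
    """True when the flip-and-pad recipe gives the same value as `>>>`.

    Flipping the bits of |x| yields the one's complement, -|x| - 1; the real
    two's-complement operand is one larger. The recipe is therefore exact only
    when that +1 would have changed nothing but bits the shift trims away,
    which is the case whenever the low `shift` bits of |x| are not all zero
    (true for -9 >>> 2 and -9 >>> 5, false for e.g. -8 >>> 1).
    """
    return flip_and_pad(x, shift) == js_ushr(x, shift)


if __name__ == "__main__":
    for x, s in [(9, 2), (-9, 2), (-9, 5), (-8, 1)]:
        v = js_ushr(x, s)
        print(f"{x:>3} >>> {s} = {v:>10}  {bits32(v)}  recipe matches: {recipe_matches(x, s)}")
```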

During the research of this process, I created some test data from HTML/JavaScript to test my program with. After compiling this data and viewing the bits it was easier to see the relationship between the length and the number of bits we are working with.

[Image: TestData]

I randomly chose those numbers to give a wider variety and lengths to work with.

After testing every number and shift on the list, my program agreed with the results shown above.

The bottom set is the last set I was testing once I started asking myself what happens when the shift is greater than the bits available.

In conclusion, the name of this function is a little misleading. When I first started testing I was trying to “zero fill” the left side, taking it literally. That was not working.

After several tries and building the test data it became clear how it worked.

I hope this saves someone else several days of testing.


2016-03-30 – TRAFFIC ANALYSIS EXERCISE – MARCH MADNESS

Here is another “Malware Traffic Exercise”.

The Scenario:

The company we were working for at Cupid’s Arrow in one of the last exercises went bankrupt, and due to needing a job we accepted the offer from the former owners to work for their new company, but this time we are working alone and with fewer resources than before.

At least we don’t have Sven staring at us.

The System:

Filter used: “bootp.fqdn.name”

Client name: Rockword-PC
Client MAC address: Micro-St_a6:fb:ce (00:1d:92:a6:fb:ce)
Your (client) IP address: 10.21.101.121 (10.21.101.121)

In this one we have a large Pcap file and a screenshot of the alerts generated.

[Image: 2016-03-30-traffic-analysis-exercise-image-03]

Here we see several alerts coming from several different IPs, so we will just have to go down the list and check them all out.

Alert list and filters used, with some of my initial notes:

ip.addr eq 198.154.248.183 and (http.request or http.response)  Link from Google search.
ip.addr eq 85.93.0.34 and (http.request or http.response)  First redirect using Flash.
ip.addr eq 185.46.11.245 and (http.request or http.response)  This is Angler EK.
ip.addr eq 23.211.235.162 and (http.request or http.response)  Getting currency rates.
ip.addr eq 82.141.230.141 and (http.request or http.response)  2 packets, 1 POST 1 Response OK.
ip.addr eq 171.35.182.56 and (http.request or http.response)  POST and 404 replies using hidden base64-encoded string.
ip.addr eq 103.234.36.148 and (http.request or http.response)  Download a downloader program.
ip.addr eq 104.193.252.234 and (http.request or http.response)  Not really sure what this one is doing.
ip.addr eq 89.163.241.90 and (http.request or http.response)  Not sure, more ads??
ip.addr eq 162.244.32.122 and (http.request or http.response)  More ads??
ip.addr eq 162.244.32.121 and (http.request or http.response)  More ads / Bedep??
ip.addr eq 85.25.41.95 and (http.request or http.response)  More.
ip.addr eq 143.95.32.93 and (http.request or http.response)  GameBuilder??
ip.addr eq 68.177.32.113 and (http.request or http.response)  Strange. Encoded / XORed escaped string.

As we can see here we got quite a few alerts to deal with but I will start with something that did not make the alert list.

In this screenshot we see some “Gif89a” files with something called XMP data in them. This is the first time I’ve noticed them. A quick search tells us it is supposed to be metadata for the file.

[Image: Gif-Xmp]

There is an exploit that can use this section for crashing the viewing application, and the amount of spaces and return characters in between the opening and closing tags for this type seems excessive to me. More research on this particular file will need to be done.

The first 3 look similar and are all served up by the Roadrunner email client that was used, most likely from the advertisements in it. Packets 3542, 3833 and 3890.

But the last one looks like this, which is more like what the description at http://www.vurdalakov.net/misc/gif/netscape-buffering-application-extension makes it sound like it is supposed to be. The search term used to find that link was “Extension label: Application (0xff)”.

The Wireshark filter used to find just those 4 was “image-gif.extension.label == 0xff”.

[Image: Normal]

After all of the email stuff we next see a click on a link from a Google search.

The Google link leads us to thingstodo.viator[.]com: type A, class IN, addr 198.154.248.183

Packet 7892 is our GET request and we next land at the response in packet 8009.

Wow, a lot of traffic has gone by already.

Here we have a compression failed error in Wireshark, but we can still see the information at the end of the page by following the TCP stream.

[Image: FlashRedirect1]

We see 2 GET request packets. The one at packet 9696 downloads a Flash file; packet 9745 does some form of base64 decoding and then sends out a link to another site.

The GET request in packet 9809 is exactly like the earlier one, except that “/index.php” is tacked on to the end; at packet 9913 we get redirected again to http:[//]fireman.carsassurance[.]info/topic/82711-crammer-warder-wept-scenically-wad-difficult-sparingly/

This leads us to packet 9957 and the response is at packet 10198 which is indeed the Angler EK.

[Image: AnglerTraffic]

If we view the traffic here associated with the Angler EK, we see that packets 9957 and 10205 are associated with the first Flash file that directed us to the exploit kit. 9957 is the GET request for the Angler EK landing page and 10205 appears to be an encoded form of base64 with some data in it. In packet 102011 we have the GET request for the Flash file from the Angler EK, and in packet 111201 we have an encrypted payload which is most likely decoded by the Flash file.

This in turn leads us to the next alert at packet 11766 and the response at 11844, which is some currency rates. The alert suggests that it may be a connectivity beacon.

The next alert, in packets 11854 and 11863, appears to be from the malware sending data using a base64-encoded string in a POST request.

The next alerts at packet 14212 and IP 171.35.182.56 are listed as ETPRO TROJAN Win32/Neutrino checkin 4.

[Image: HiddenDataPost]

If we take a closer look at this traffic, this is hidden communication with the command and control server.

[Image: CNCTraffic]

This traffic is using POST requests and 404 Not Found pages to pass information back and forth.

The 404 traffic is hiding base64 strings in comment fields.
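As an added example (not part of the original write-up), a small Python check for the pattern just described: it parses a raw HTTP response and flags a 404 whose comments carry decodable base64. It assumes the comment fields are HTML comments, and the two responses it runs on are constructed samples, not packets from this exercise.

```python
# Added example, not from the original write-up: a check for the C2 pattern
# described above, where POSTs are answered with "404 Not Found" pages that
# carry base64 data inside HTML comments. The two responses below are
# CONSTRUCTED sample data, not packets from the exercise.
import base64
import re

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A base64 token: whole groups of 4 alphabet chars, optional "=" padding,
# not glued to other alphabet chars on either side.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])"
    r"(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?"
    r"(?![A-Za-z0-9+/=])"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def _looks_encoded(token: str) -> bool:
    # Ordinary words of 16+ letters ("internationalization") also fit the
    # pattern; base64 of binary data almost always mixes cases or digits.
    return any(c.isupper() for c in token) and any(c.islower() or c.isdigit() for c in token)


def hidden_base64_in_comments(body: bytes, min_len: int = 16) -> list:
    """Decoded payloads of base64 tokens found inside the body's HTML comments."""
    found = []
    for comment in HTML_COMMENT.finditer(body.decode("latin-1")):
        for token in B64_TOKEN.findall(comment.group(1)):
            if len(token) < min_len or not _looks_encoded(token):
                continue
            try:
                found.append(base64.b64decode(token, validate=True))
            except ValueError:
                continue  # has the shape but is not valid base64
    return found


def looks_like_comment_c2(raw: bytes) -> bool:
    """Flag a 404 response whose HTML comments carry decodable base64."""
    status, _, body = parse_response(raw)
    return status == 404 and bool(hidden_base64_in_comments(body))


HIDDEN = b"CONSTRUCTED sample hidden payload #1"

# Constructed 404 with a normal comment and one smuggling a base64 blob.
SAMPLE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>404 Not Found</title></head>\r\n"
    b"<body><h1>Not Found</h1>\r\n"
    b"<!-- page generated by the cms, do not edit -->\r\n"
    b"<!-- " + base64.b64encode(HIDDEN) + b" -->\r\n"
    b"</body></html>\r\n"
)

# Constructed ordinary 404: a comment, but nothing encoded in it.
CLEAN_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><!-- copyright 2016 example corp -->Not Found</body></html>\r\n"
)

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_404), ("clean", CLEAN_404)):
        print(name, "suspicious" if looks_like_comment_c2(raw) else "ok",
              hidden_base64_in_comments(parse_response(raw)[2]))
```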

This leads us to the next alert, where this traffic is downloading a binary file named domand756.exe.

Our next alert is for IP 104.193.252.234. I’m still not totally sure what this is doing, but it appears to be sending some host information.

[Image: FirstUnknown]

If we look at these DNS requests, back to back right after the EXE was downloaded, it would suggest that the calls were made by the malware.

If we look at the malware using PeStudio and look at the VirusTotal report, it has several different names.

[Image: PeStudioVirustotal]

We see traffic in the alerts for the Bedep  server response from

We also see queries for NTP servers in several locations, using 2 different Google DNS servers.

[Image: NPTQuerys]

Here is the traffic associated with what the alerts say is the CnC traffic:

moregoodstafsforus.com: type A, class IN, addr 85.25.41.95
jimmymorisonguitars.com: type A, class IN, addr 89.163.241.90
daytonamagik.com: type A, class IN, addr 162.244.32.122
bookersmartest.xyz: type A, class IN, addr 162.244.32.121
lovelyroomsforday.com: type A, class IN, addr 104.193.252.234
kjnoa9sdi3mrlsdnfi.com: type A, class IN, addr 89.163.240.118

Each one calls out and ends up with “HTTP/1.1 302 Moved Temporarily”.

Looking at these, they all call out to http[:]//popcash[.]net/world/go/103680/204726, which is a popup advertiser.

All of the above appear to be doing the cascading calls. The last one in the list is using the same type of calls but is calling out to http[://]c.feed-xml[.]com, which is another ad network.

In packets 14847 and 14925 we see that popcash is directing to an online game:

location: http[:]//track.diginews[.]pw/f8a38426-2a48-4dd4-817e-3b521b9af37d?siteid=204726&country=US\r\n

In packets 15003 and 15028, IP 68.177.32.113, we see another redirect from popcash to the fake pop-up alert (part of the decoded source below).

[Image: FakeAlert]

At the bottom of the script this also directs to histats.com.

[Image: HitStats]

s4.histats.com: type A, class IN, addr 184.173.167.98
s4.histats.com: type A, class IN, addr 208.43.241.178
s4.histats.com: type A, class IN, addr 208.43.241.179
s4.histats.com: type A, class IN, addr 208.43.241.181

The last alert listed is another redirect from popcash to an adult site.

Referer: http://popcash[.]net/world/go/103680/204726/

Full request URI: http://xxxsexcamera[.]club/

There is more traffic that did not make the alert list from popcash and the redirects associated with them.

In conclusion, this infection generated a lot of traffic and no doubt dropped several files on the infected system. I’m also sure that a lot of windows popped up at the time.

Recommendations:

Follow up with the user and clean the system or do a clean install.


2016-03-24 – ANGLER AND NUCLEAR EK KICKED OFF BY SAME COMPROMISED SITE

In this Traffic we get the chance to look at 2 infections from the same site, but I will concentrate mainly on the exploit kits themselves and the similarities between them noticed while looking at the decoded source code.

You can find the Pcap for this here:

http://www.malware-traffic-analysis.net/2016/03/24/index.html

I may still be fairly new at network traffic analysis but I’m not that new to viewing various types and “Styles” of code.

Although I have been looking at Angler EK for over a year now this is my first look at the Nuclear EK.

We first look at the exploited or compromised website to view the code that will redirect us eventually to the exploit kit of choice for this compromise. For some reason they chose to infect this site twice with 2 different exploit kits. Perhaps the infections are automated and not being checked for any previous infections, or perhaps it was a race to see whose kit infected first.

Here is a view of the code from the compromised page.

[Image: compromisedsitecodepng-B]

As we can see here they chose not to obfuscate the redirect for the Nuclear EK but did for the Angler EK.

If we look at the final landing page for both we can see a similar encoding style.

Angler EK

[Image: AngularLandingScript]

Nuclear EK

[Image: NuclearLandingScripte]

Both of these use a modified base64 decoding scheme, but the Angler EK also requires an embedded decryption key to decode the sections used.

The current Angler EK with the Flash and the Silverlight exploits has 6 sections that get decoded, along with another section that the parameters get decoded from using a different encoding scheme. The Nuclear EK in this one only has 2 large sections that get decoded.

Here we also see that the Nuclear EK is employing reversed strings to obfuscate what it is doing and to help hide from string searches.

[Image: NuclearRevStr]

If we look at this post from FireEye entitled,

“ANGLER EXPLOIT KIT USING K33NTEAM’S OCTOBER INTERNET EXPLORER USE AFTER FREE”

https://www.fireeye.com/blog/threat-research/2015/02/angler_exploit_kitu.html

We can see some similarities of what is used here.

Angler EK

[Image: AngularFlash]

Nuclear EK

[Image: NuclearFlash]

The layout for the Angler EK is more like the screenshots in the blog article, but both are serving up a Flash exploit. Also notice the object ID has moved to the left side in this version of the Angler EK.

Looking at the embedded exploit for Angler, we see it is again very similar to the above mentioned blog article, but it is showing more code to decode this section.

[Image: AngularExploitPNG]

In the Nuclear EK version we see a little different decoding scheme.

[Image: NuclearExploit]

This version can “currently” be decoded with a standard base64 decoder.

Once we get these decoded we start seeing the similarities again, but they are not exact. In these 2 screenshots we see, based on reading other articles, what may be the final encrypted payload.

Angler EK

[Image: AngularPayload]

Nuclear EK

[Image: NuclearPayload]

As we have seen so far, these are highly obfuscated and highly complicated exploit kits.

The modular nature of them allows for semi-quick changes in the payload, and the kit builder most likely employs the ability to randomize the naming of the variables to make it more difficult for a researcher to follow along from one infection to the next.

In conclusion, these kits are very complicated and not easily decoded, and I am far from discovering all of the secrets they have to offer. Every time you think you have figured it out you find yet another layer of encryption/obfuscation. This is more than enough to put off all but the most dedicated of researchers. Also, in order to stay ahead of detections they often change various aspects of the encoding scheme to throw off any signatures that may be generated for them and to break tools designed to decode them. This post is a little shorter than normal.

Thanks for reading if you made it this far.


2016-02-28 – TRAFFIC ANALYSIS EXERCISE – IDEAL VERSUS REALITY

Here is another Malware Traffic Exercise write-up.

http://www.malware-traffic-analysis.net/2016/02/28/index.html

Scenario:

What’s my definition of a security analyst? Security analysts are responsible for monitoring their employer’s network and providing near-real-time detection of suspicious activity. Ideally, these analysts have access to intrusion detection systems (IDS) that cover the company’s entire infrastructure. In reality, the situation is less than ideal.

That is the scenario given to us for this exercise. All we have in this case is just a Pcap file to view the traffic and see what happened.

The Traffic:

The first thing we will do here is set a filter in Wireshark of “dns” to get an overall view of what transpired in the traffic.

A quick review reveals some strange traffic I have not seen up to this point and further review shows that the traffic is from more than 1 system.

Now let’s set a filter on the traffic of “bootp.option.hostname”. This narrows the traffic down to 3 packets, which are our 3 systems that are connecting to this network.

Next we set a filter of
“eth.addr == b8:97:5a:ac:5d:f2” for the first one,
“eth.addr == 00:c0:4f:f6:3e:74” for the second one,
“eth.addr == 00:16:cb:3d:9f:8c” for the last one.

For each of the filters we will export the filtered packets to a new Pcap file so we can deal with them one at a time.

Found Host:

Host Name: mint-jagger-laptop
Client MAC address: BiostarM_ac:5d:f2 (b8:97:5a:ac:5d:f2)
Requested IP Address: 172.16.181.133 (172.16.181.133)
Your (client) IP address: 172.16.181.133 (172.16.181.133)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Ubuntu Linux x64

Host Name: WIN-DJ3W602WC9M
Client MAC address: Dell_f6:3e:74 (00:c0:4f:f6:3e:74)
Requested IP Address: 172.16.181.176 (172.16.181.176)
Your (client) IP address: 172.16.181.176 (172.16.181.176)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Windows Vista

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko  UA End

Host Name: Horaces-Mac
Client MAC address: Apple_3d:9f:8c (00:16:cb:3d:9f:8c)
Requested IP Address: 172.16.181.96 (172.16.181.96)
Your (client) IP address: 172.16.181.96 (172.16.181.96)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1
Mac OS X 10_8_5


Host Name: mint-jagger-laptop:

This machine was browsing “http://missplus[.]hu/” which appears by the traffic to be a form of online store. In packet 102 we see the first GET request and in packet 332 we see evidence that this site was compromised with the “megaadvertize” campaign.

[Image: Mega1]

Above we see the very notable way that the code is presented in the site.

Below we see it after doing a hex decode of the values.

[Image: Mega2]

Further investigation into the site above reveals that this system did not call out to the site nor get infected by it.

The best I can tell, no other malicious content is in this packet capture.

I also noted that this system seems to be set up as a backup server.

Recommendations:

Follow up with the system owner to verify nothing infected the system.
Train myself to better understand Linux style packet captures.

Host Name: Horaces-Mac

As the name implies this is a Mac; I’ve never used one.

The traffic associated with this system appears to be normal traffic associated with connecting to a network with other systems attached.

We first see a search request to Google and a link is opened for “http://dynamicdevices[.]com/”. Nothing to see here that I can tell.

Recommendations:

Train myself to better understand Mac traffic.

Host Name: WIN-DJ3W602WC9M

I saved this one for last because it is the bad one.

I generally start by looking at the DNS traffic for anything interesting, then move on to a filter of “http.request or http.response” so I can quickly scroll through looking for anything that stands out.

I have recently gone through almost every packet capture labeled as Angler EK and pseudo-Dark Leech at http://www.malware-traffic-analysis.net/index.html since the site started, so I can now spot the packets very quickly.

Our traffic on this one starts with a Bing search for “mysecretdeals”

Using a filter of
“http.request.full_uri contains "AS/Suggestions?pt=page.home&mkt=en-au"” we see this.

[Image: BingSearch]

We can see as each letter was entered into the search term.

We see the first GET request in packet 2069 from clicking on the search link.

The main page is found at packet 2127 and appears to be clean, but if we keep scrolling down we see this.

[Image: AngularEK]

Notice the link; it has been a standard link style for a while. So that means I scrolled over whatever it was that did the redirect.

Due to the number of files that could potentially hold the obfuscated redirect script, I extracted the most likely ones, dropped them into a separate folder and then ran a strings utility on the files in the folder looking for “="\x”. That string should be found in almost every one of the scripts I’ve looked at so far. If you do not limit the extracted objects you are searching through you may end up with plenty of false positives.

The search dropped me in on packet 2127 with only 1 result, and we see this towards the bottom of the page.

[Image: RedirectCode]

Looking at the picture you can see what my search string may have hit on.

Just finding it is only part of the battle.

We first have to evaluate all of the variables under the script tag, which then reveals a script that decodes the semicolon-delimited decimal character code values; this in turn reveals the final script that decodes the encoded strings above, to finally reveal the familiar PHP redirect code.

[Image: PHPRedirect]

This will direct us to the Angler EK. At packet 2628 we see the GET request and we end up at packet 3994 staring straight at the Angler EK. This is one of the newer styles also.

[Image: AngularEK2]

Here we can see the traffic associated with the Angler IP.

[Image: angularektraffic-2]

This is the stream for “GET /center.zhtml”

[Image: Call1]

After this there were 2 POSTs.

[Image: FinalPost]

After this there appears to be no more traffic associated with this infection.

These 2 POSTs appear to be associated with the Flash malware.

I just uploaded the Flash file to VirusTotal and had it reanalyzed.

SHA256:
eca4004459c2e8cc148fb4838b7c6f909d796492e9c375e8ee22923fdbc12c0c

File name: Packet-4098.sfw

Detection ratio: 21 / 54

Analysis date:
2016-03-22 18:54:42 UTC ( 3 minutes ago )

[Image: VirusTotal1]

Here we can see it is indeed now flagged as a malicious file.

In conclusion, this system was hit with the Angler EK and downloaded some Flash malware.

The network traffic and VirusTotal report are inconclusive as to what the malware was or the extent of the infection.

Recommendations:

Follow up with system owner and verify the extent of the damage by this infection.

Reverse the Flash malware to understand the full impact of what it is doing.

NOTE: the packet numbers in the individual analyses are for the separated per-system packet captures.

Troubleshooting HxD hex editor hang

Recently, while working on the malware-traffic-analysis.net exercise “2016-02-06 – TRAFFIC ANALYSIS EXERCISE – NETWORK ALERTS AT CUPID’S ARROW ONLINE”, I ran into a problem where, when you loaded any file into the hex editor or just opened it on its own, it would push 1 core to 100%, or use 25% of the CPU power.

[Image: HexEditor25percent]

David Solomon coined the phrase and Mark Russinovich passes it along: “When in doubt, run Process Monitor”. So that is what I did.

Here is what I saw.

[Image: LastThing-c]

When we look at this it shows us that the last thing it did before going out to lunch was to create a mount point.

From the time we started the program until the thread exits is a little more than 10 minutes, at which point the program finally shows up, but the core is still pegged.

[Image: TimeDiff]

[Image: TimeDiff-2]

So I got to wondering what it was I had done last. After looking in the registry at the key referenced for the mount points, one of the mount points reminded me that the last thing I had done was install some “unnamed popular” software, which also created a mount point. So I quickly jumped on that scenario, opened the command prompt as admin and ran mountvol /R, which removes old mount points that are no longer used and can sometimes correct problems involving mounted volumes.

But to my dismay, after restarting the system , that did not work.

Neither did uninstalling and then reinstalling the program.

So back to process monitor.

While scrolling through the log file looking for anything of interest I ran across this.

[Image: iniFile]

Before the hang, the hex editor was looking for the .ini file to load some settings.

I didn’t think to take a screenshot of it, but what I found was that one of the item paths in the file was duplicated several hundred times for 1 path entry. Here is what it should look like when it is working.

[Image: IniHistory]

So the .ini file most likely got corrupted when I copied and pasted from a VM straight into the hex editor. Strange things happen when running this VM in the background, so I have to restart my system after every use, with its services set to start manually instead of automatically.

After deleting the current .ini file and allowing the program to recreate it the problem was solved.

So how did I know that was the problem? I didn’t, but after seeing that many lines where there shouldn’t have been any, it was a more reasonable conclusion than the mount point idea.

I hope this helps someone else that has had the same problem.


2016-02-06 – TRAFFIC ANALYSIS EXERCISE – NETWORK ALERTS AT CUPID’S ARROW ONLINE

Scenario:

You recently hired on as a security analyst for Cupid’s Arrow Online, the largest online retailer for novelty arrows world-wide.

Unfortunately, it’s after normal work hours, and you’re the only person reviewing network events. You silently curse your coworker Sven, who called in sick this evening. Maybe it’s for the best, though. Strange things tend to happen whenever Sven is around.

Later, you see alerts on suspicious activity. Time to investigate!

You identify the IP address and pull the associated traffic, along with the Snort and Suricata event logs. You were already examining some malicious emails that made it through the spam filter, so you have those items on hand. Finally, you retrieved a list of people on the network during the timeframe of these alerts (you might have to contact them about this activity).

We are given the 2 alert logs, the list of employees online, the traffic capture, and the 7 suspect emails.

The events:

Since we were already working on the emails, let’s start with the information retrieved from those.

092704-UTC
“Tsutsumi, Maki”,maki.tsutsumi,Network Security Engineer,mtsutsumi@cupidsarrowonline[.]com,555-4405
Malware Links:
http://kyocerachannelevent[.]com/wp-content/plugins/304.exe,
http://inoffsetnhatrang[.]com/wp-content/plp://kuriens[.]com/wp-content/plugin304.exe

093413-UTC
“Dekker, Justini H.”,justini.dekker,Finance Director,jdekker@cupidsarrowonline[.]com,555-5189
Malware Links:
http://helloworldqqq[.]com/34.exe
http://wtfisgoinghereff[.]com/34.exe  <— Interesting

114238-UTC
“Munro, Shane I.”,shane.munro,Help Desk Technician,smunro@cupidsarrowonline[.]com,555-2975
Malware Links:
(http://frisesctro[.]com/img/script[.]php?bqmns1.jpg”, “5174935.exe”, 1)
(http://frisesctro[.]com/img/script[.]php?bqmns2.jpg”, “9274935.exe”, 1);
(“http://frisesctro[.]com/img/script[.]php?bqmns3.jpg”, “1354869.exe”, 1);

133037-UTC
for <mtraugott@cupidsarrowonline[.]com>  <— “for” instead of “To:”
“Traugott, Matthias Y.”,matthias.traugott,Application Support Engineer,mtraugott@cupidsarrowonline[.]com,555-1484
Malware Links:
(“http://frisesctro[.]com/img/script[.]php?bqmns1.jpg”, “5174935.exe”, 1);
(“http://frisesctro[.]com/img/script[.]php?bqmns2.jpg”, “9274935.exe”, 1);
(“http://frisesctro[.]com/img/script[.]php?bqmns3.jpg”, “1354869.exe”, 1);

134027-UTC
“Munro, Shane I.”,shane.munro,Help Desk Technician,smunro@cupidsarrowonline[.]com,555-2975
Malware Links:
http://wolftonesmusic[.]com/wp-content/plugins/304.exe
http://yevsey-tseytlin[.]com/wp-content/plugins/304.exe
http://zenyfood[.]fr/wp-content/plugins/304.exe
http://visioni[.]in/wp-content/plugins/304.exe
http://wormswood[.]com/wp-content/plugins/304.exe
http://wrkdesigns[.]com/wp-content/plugins/304.exe’

182342-UTC
“Dekker, Justini H.”,justini.dekker,Finance Director,jdekker@cupidsarrowonline[.]com,555-5189
Malware Links:
http://g6series[.]com/wp-content/plugins/304.exe,
http://funkyweb[.]fr/wp-content/plugins/304.exe,
http://formativamente[.]it/wp-content/plugins/304.exe,
http://fxme[.]eu/wp-content/plugins/304.exe,
http://gesvilla[.]com/wp-content/plugins/304.exe

182343-UTC
“Ulyanova, Cleo C.”,cleo.ulyanova,System Administrator,culyanova@cupidsarrowonline[.]com,555-8544
Malware Links:
http://enzymebiosystems[.]com/wp-content/plugins/304.exe,
http://datla[.]info/wp-content/plugins/304.exe,
http://elenasuleymanova[.]com/wp-content/plugins/304.exe,
http://estelalcaraz[.]com/wp-content/plugins/304.exe,
http://daughterofisrael[.]org/wp-content/plugins/304.exe

Above we see the names of the users associated with the emails and the locations that the embedded malware was looking for.

If we look at the alert logs we see pretty much every alert is for 10.41.245.114.

Name: DEKKER-PC<00> (Workstation/Redirector)

MAC: 00:17:31:7d:52:ba

IP: 10.41.245.114

If we put a filter in Wireshark of “!(ip.addr eq 10.41.245.114)” we can filter out the traffic for the known infected host to see if any more were there. There weren’t.

Looking at the links from the malware in the emails, none show up in the network traffic.

Also while looking at the emails we see something strange.

[Image: Email-c]

What is wrong with this picture?

If you said the “To:” field you would be right. So what is causing the problem?

[Image: emailcomp-b]

As we can see here, this email was either tampered with or created using a program that had a problem. If we remove the extra spaces and change “for” to “To:” we now get this.

[Image: HeaderRepaird-c]

After seeing that the traffic and alerts all belong to DEKKER-PC, we go back and verify the links in the malware extracted from the emails, and that there are no embedded links in the emails that would direct him to a malware download.

So how the heck did he get infected? Back to the alert logs.

If we look at the snort log we see this.

[Image: log1]

This is hard to see like this, but at the top there is an alert at 02/05-21:28:20.878878 for Attempted User Privilege Gain.

The first part of that script is checking user agent strings.

One of the next alerts is for “Sensitive Data”. In fact, when located, it is a script for “user like”. This is starting to look like they clicked that they “Liked” something.

[Image: FBLike]

Above is the source it comes from.

Next is a DNS query for bsbkxs.zdxwx3m[.]pw then we land on the page that redirects to the Angler exploit kit.

Finally, the last item in the screenshot is the alert for the Angler exploit kit page, below.

[Image: AnglerEKPNG]

It is definitely very distinctive.

After looking at the traffic and malware sites, the chain of infection can best be followed by looking at the DNS requests.

[Image: DNS-Chain-c]

The comments in between are for DNS queries that are not shown, just my thoughts at the time.

From this we see that the user logged into Yahoo Mail, next they clicked on an ad for German coffee, then clicked on an ad for a site in German that translates to “Promotional products, promotional advertising gifts”.

While viewing this site (www.source-werbeartikel[.]com 213.174.33.141) they clicked the “Like” button, which triggered the malware along with opening Facebook to record their star rating.

While on Facebook they appeared to click and view a few more items and “Liking” one other page.

On the Malware side:

Clicking the Like button triggers the embedded Flash item (see the screenshot above or the source code).

After clicking on the Like button they landed at (lsbery[.]tk 85.93.0.32)

Full request URI: http: //lsbery[.]tk/shop.php?sid=4046AAB187AB2C1563B214BE7AC6702950B304E2E9E1696E18244B8501B268FD92DA0D313D2273E24C283B

From here it opens a Flash file (x-flash-version: 15,0,0,189) from the above link.

It then creates a new page and redirects to (http:// bsbkxs.zdxwx3m[.]pw/civis/index.php?PHPSESSID=3.b7&action=714324p02212u2q4548f8)

This is the Angler EK landing page.

Here it POSTs some form of base64-encoded string.

Full request URI: http:[//]bsbkxs.zdxwx3m.pw/civis/so[.]cpg?directly=-pf&commission=&important=n0IP&color=xMZn&and=&analysis=doL0EY&hundred=nJBKRWWP4&name=Xe5tZx&any=bMXK&certain=aWh-AJtz7&rather=PEd

It also calls out to

Full request URI: http:[//]bsbkxs.zdxwx3m[.]pw/charge.zhtml?dead=sVShjH&society=KgXs1bcH&level=O29Gm9T3&go=VdL&once=XN3S3cuYQ&way=Z41t&nothing=sTJVXv7X&art=Jw

This request resulted in a Malformed Packet.

The next response is yet another Flash file download (x-flash-version: 15,0,0,189).

That finally leads us to:

Full request URI: http:[//]bsbkxs.zdxwx3m[.]pw/today.jst?technical=_MNsOrB&captain=&something=gxPx-&own=&themselves=T_wh7g5&eye=l3_LBg&citizen=zdelxIDGFLQvZFA8KbsEuiX

This in turn downloads an encrypted file, which should be the final payload.

As of this writing, I have not been able to acquire the malware payload in decrypted form.

Wireshark Filters:

Using the following filters we can quickly filter down to the affected traffic for each site.

ip.addr eq 213.174.33.141 and (http.request or http.response)   (source-werbeartikel.com)
ip.addr eq 85.93.0.32 and (http.request or http.response)       (lsbery.tk)
ip.addr eq 86.106.93.167 and (http.request or http.response)    (bsbkxs.zdxwx3m.pw)
ip.addr eq 128.183.114.107 and (http.request or http.response)  (nssdc.gsfc.nasa.gov, to see what they read)

Recommendations:

Follow up with the recipients of the spam email to make sure they didn’t open and run the attachments by accident. (Like, um, I did.)

Follow up with the user, Dekker, Justini H, to verify the extent of the infection and find out what was run on the system.

Warn user about clicking “Like” on unknown pages.


2016-01-07 – TRAFFIC ANALYSIS EXERCISE – ALERTS ON 3 DIFFERENT HOSTS

SCENARIO:

You are working as an analyst reviewing suspicious network events at your organization’s Security Operations Center (SOC). Things have been quiet for a while. However, you notice several alerts occur within minutes of each other on 3 separate hosts.

We are given a screenshot of the alerts, a Snort events file, a Suricata events file and the .pcap file of the traffic.

The affected hosts (in the order found in the pcap):

Client 1:

  Client IP address: 192.168.122.130 (192.168.122.130)
  Client MAC address: Dell_e2:4b:86 (00:22:19:e2:4b:86)
  Host Name: FULL-METAL-JACK

Client 2:

  Client IP address: 192.168.122.52 (192.168.122.52)
  Client MAC address: HewlettP_32:a9:17 (00:26:55:32:a9:17)
  Client name: Jennifer-PC

Client 3:
  Client IP address: 192.168.122.132 (192.168.122.132)
  Client MAC address: AsustekC_c1:f2:48 (48:5b:39:c1:f2:48)
  Host Name: Hokaydoo-PC

[Screenshot: 2016-01-07-traffic-analysis-exercise-image-01-Boxed]

If we take a closer look at the alerts screenshot, we see boxed in “Red” the events for the IP 192.168.122.52, which appears to have been redirected to an Exploit Kit page, but we cannot tell what kind from the screenshot.

Boxed in “Purple” we have the events for the IP 192.168.122.132, which appears to have been infected with CryptoWall or Alpha Crypt by means of the Neutrino Exploit Kit.

Boxed in “Blue” we have events for the IP 192.168.122.130, which appears to have downloaded an Evil File; no further information is available in the screenshot.

Since we are working with 3 different infected systems, let's extract the traffic for those systems into their own pcap files. For that we will use Tshark, which is the command line version of Wireshark.

The command will look like this (remember to use double quotes around the full paths):

tshark -2 -R ip.addr==192.168.122.130 -r [Full Path \] 2016-01-07-traffic-analysis-exercise.pcap -w [Full Path \] 192-168-122-130.pcap

Once we have the individual files we can search for items without having to filter out the traffic from the other two systems. Note that these files contain only the packets that carry the stated IP address, so anything from before the host was assigned that IP will not show up.

Side note: when looking at the timestamps in the Tshark-generated pcap files, the timestamps were different in the hex editor than the ones in older Wireshark. I stopped long enough on this post to write another post (and a timestamp converter) on the timestamps, located here. I also discovered that they are the same as the pcapng format saved by the newer version of Wireshark.

Now let's split out the IPs in the Snort and Suricata events files as well.

If we open each of the events files in Notepad++, we can search for each of the 3 IP addresses in turn, use the Mark tab to mark all of the instances of the one we are looking for, then copy and paste those to a new file and save it. That way we can research each IP separately with its traffic and events.

Now that we have everything separated we can go through each system's incident without getting confused by data from the other two.

Let's start in the order found in the original pcap file.
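The per-host split of the events files described above, done as a script instead of by hand in Notepad++: an added Python example that is not part of the post, run on a few constructed alert lines in the Snort/Suricata fast-log layout (the signature IDs, the ports and the extra 192.168.122.13 host are made up). It matches the whole address, so searching for one host does not also catch a host whose address merely starts with the same digits, and it builds the `ip.addr eq ...` Wireshark filter the post uses for each alert's peer.

```python
import re

# Constructed sample lines in the Snort/Suricata "fast" alert layout (not the
# exercise's real events files); the signature names mirror those in the post.
SAMPLE_ALERTS = """\
01/07/2016-22:11:26.000001 [**] [1:9000001:1] ETPRO TROJAN Nemucod Downloading Payload [**] [Priority: 1] {TCP} 192.168.122.130:49201 -> 216.158.85.7:80
01/07/2016-22:12:03.000002 [**] [1:9000002:1] ET CURRENT_EVENTS Possible Evil Redirector [**] [Priority: 2] {TCP} 192.168.122.52:49310 -> 203.0.113.10:80
01/07/2016-22:13:40.000003 [**] [1:9000003:1] ET CURRENT_EVENTS Neutrino EK Landing Page [**] [Priority: 1] {TCP} 192.168.122.132:49422 -> 89.38.144.75:80
01/07/2016-22:14:01.000004 [**] [1:9000004:1] ET POLICY Outbound TLS Session [**] [Priority: 3] {TCP} 192.168.122.13:49500 -> 198.51.100.5:443
01/07/2016-22:14:20.000005 [**] [1:9000005:1] ET TROJAN CryptoWall Check-in [**] [Priority: 1] {TCP} 89.38.144.75:80 -> 192.168.122.132:49422
"""

# "{PROTO} src:port -> dst:port" at the end of a fast-format alert line.
FLOW_RE = re.compile(r"\{(\w+)\} (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+")


def split_alerts_by_host(text, hosts):
    """Return {host_ip: [alert lines]} for lines where the host is the exact
    src or dst address. Matching the whole address avoids the substring trap
    of a plain text search: "192.168.122.13" must not pick up .130 or .132."""
    patterns = {h: re.compile(r"(?<![\d.])" + re.escape(h) + r"(?![\d.])") for h in hosts}
    buckets = {h: [] for h in hosts}
    for line in text.splitlines():
        if not line.strip():
            continue
        for host, pat in patterns.items():
            if pat.search(line):
                buckets[host].append(line)
    return buckets


def peer_filter(host_ip, line):
    """Build a Wireshark display filter, in the style the post uses, that
    isolates the conversation between the host and the other side of the alert."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    _proto, src, dst = m.groups()
    peer = dst if src == host_ip else src
    return f"ip.addr eq {host_ip} and ip.addr eq {peer} and (http.request or http.response)"


if __name__ == "__main__":
    hosts = ["192.168.122.130", "192.168.122.52", "192.168.122.132"]
    for host, lines in split_alerts_by_host(SAMPLE_ALERTS, hosts).items():
        # One events file per host, mirroring the Notepad++ mark-and-copy step.
        with open(f"events-{host}.txt", "w") as fh:
            fh.write("\n".join(lines) + "\n")
        for line in lines:
            print(host, "->", peer_filter(host, line))
```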

Client 1:

  Client IP address: 192.168.122.130 (192.168.122.130)
  Client MAC address: Dell_e2:4b:86 (00:22:19:e2:4b:86)
  Host Name: FULL-METAL-JACK

A quick look through the log files tells us that files were downloaded to the computer and executed.

The last GET request we see for this IP before the infection is to Yahoo Mail.

[Screenshot: YahooMail]

After that we see multiple requests of the form GET /Counter……….

The Suricata events log supports this with:

Count:1 Event#3.8880 2016-01-07 22:11:26
ETPRO TROJAN Nemucod Downloading Payload

This tells us that the user opened an infected file from a spam email message.

The first one calls out to (ma-wt.com.sa) 216.158.85.7, but the response resulted in a malformed packet.

Next it called out to (dariostoka.com) 174.36.186.235, which returned a normal OK, but no file was downloaded even though it was looking for an image file.

Next it calls out to (freshanointingministries-sc.org) 184.168.173.1.

Let's take a closer look at this.

[Screenshot: getcounterrequest-b]

If we take a closer look, we have a total of 9 requests: it calls out to each of the three sites once, increments the counter, then calls again, so I would assume that the “rnd” number has something to do with deciding whether a file gets downloaded or not. The first three did not return a file but the last 6 did. Also note that the “id” value in each is exactly the same.

Another interesting thing is that if we drop the “id” into a hex editor we see this.

[Screenshot: CounterID-bin]

It appears to identify this system as being in the US, and also appears to use some sort of encoded format for transmitting information.

The six downloaded files were supposed to be “Media Type: image/gif” but are in fact .exe files.

[Screenshot: ExeFile]

(Frame numbers are from the extracted individual IP pcap files.)

(7382) filename=66b32.gif  Size: 260613 bytes
IP: 216.158.85.7
Host: ma-wt.com.sa
SHA-1: 4d1c87e219a417c3aa86a6cd6847a82d352a8b4e

(7662) filename=174125.gif  Size: 260613 bytes
IP: 174.36.186.235
Host: dariostoka.com
SHA-1: 4d1c87e219a417c3aa86a6cd6847a82d352a8b4e

(7958) filename=c9a63078fe7d3741.gif  Size: 260619 bytes
IP: 184.168.173.1
Host: freshanointingministries-sc.org
SHA-1: 9a843ce345c45e1ec8b96df2785336c7d2a48af5

(8079) filename=250acae.gif  Size: 114688 bytes
IP: 216.158.85.7
Host: ma-wt.com.sa
SHA-1: d5cd460e184120f154d0017b929ede46b56d49ff

(8223) filename=d50f729942631.gif  Size: 114688 bytes
IP: 174.36.186.235
Host: dariostoka.com
SHA-1: d5cd460e184120f154d0017b929ede46b56d49ff

(8451) filename=2487ff63fb4e79.gif  Size: 145922 bytes
IP: 184.168.173.1
Host: freshanointingministries-sc.org
SHA-1: e63932430d4028b51fa25dae13d9e0188e9a02a5

The first 3 files are the same file from 3 different sites, except that the 3rd one has a few extra bytes, changing the hash value. The next 2 files, from 2 different sites, are the same, but the last is the odd one (C++) from the third site.

The first 5 are VB 5/6 files; the last one is C++ 6.0.
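The check used above, the declared Content-Type against the file's magic bytes, plus grouping by SHA-1 to spot the same payload served from several hosts: an added Python example that is not from the post, run on constructed stand-in bytes (the hostnames and filenames are from the list above; the bytes, and therefore the hashes, are not, and example.invalid is a made-up host for the one genuine GIF).

```python
import hashlib

# Leading magic bytes for the types that matter here.
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"MZ": "application/x-msdownload",  # Windows PE executable
}

# Constructed stand-ins for the extracted objects: hostnames and filenames are
# from the post, the bytes are not (so the SHA-1 values will not match the post's).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
SAMPLE_OBJECTS = [
    ("ma-wt.com.sa", "66b32.gif", "image/gif", PE_STUB),
    ("dariostoka.com", "174125.gif", "image/gif", PE_STUB),
    # same payload with a few extra trailing bytes, as the post notes for the 3rd file
    ("freshanointingministries-sc.org", "c9a63078fe7d3741.gif", "image/gif", PE_STUB + b"\x00" * 6),
    ("example.invalid", "logo.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
]


def sniff_type(data):
    """Return the media type implied by the leading bytes, or 'unknown'."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "unknown"


def triage_downloads(objects):
    """objects: iterable of (host, filename, declared_content_type, data).
    Returns (mismatches, by_sha1): mismatches lists objects whose declared
    Content-Type disagrees with the magic bytes; by_sha1 groups every object
    by SHA-1 so identical payloads served from different hosts stand out."""
    mismatches, by_sha1 = [], {}
    for host, name, declared, data in objects:
        actual = sniff_type(data)
        digest = hashlib.sha1(data).hexdigest()
        by_sha1.setdefault(digest, []).append(f"{host}/{name}")
        if actual != declared:
            mismatches.append((host, name, declared, actual, digest))
    return mismatches, by_sha1


if __name__ == "__main__":
    bad, groups = triage_downloads(SAMPLE_OBJECTS)
    for host, name, declared, actual, digest in bad:
        print(f"{host}/{name}: declared {declared}, actually {actual}, sha1 {digest}")
    for digest, names in groups.items():
        if len(names) > 1:
            print(f"same payload {digest} from: {', '.join(names)}")
```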

Here is the Diff on the second and third files.

[Screenshot: FileDiff]

Without running these files I cannot be sure what they do; I am not finding enough information online about them.

The first 3 have a string table with language “Lithuanian” but decompile to English. The fourth and fifth files have version info with language “Chinese Traditional” but decompile to what appears to be German.

An interesting import to me in the last one is “SetCommBreak” (MSDN link):

Suspends character transmission for a specified communications device and places the transmission line in a break state until the ClearCommBreak function is called.

I’m not sure yet what it would be used for in this case, or even if it was used, but the Clear command is not listed in the imports that I have seen, suggesting that communication with a device may have been blocked.

Without running these, this is as far as I can go with client one.

In conclusion, follow up with the user's machine for more details on the infection, and retrain the user not to open spam emails.

Client 2:

Client IP address: 192.168.122.52 (192.168.122.52)
Client MAC address: HewlettP_32:a9:17 (00:26:55:32:a9:17)
Client name: Jennifer-PC

The initial alerts shown tell us we are dealing with some kind of “Evil” redirector.

The first part of the traffic tells us the user is doing a Yahoo search for “http://planetside.co. uk /”; we find this in packet 1343 in my IP-only file, or packet 9692 in the original pcap file. This is the start of the incident, not counting clicking on the link in the search engine.

In order to find the full chain we need to follow the leads and work backwards to find the beginning of the chain of events.

With as many requests as there are and nothing standing out, let's try the event logs to see what we can find.

Here is an interesting one in the Snort events.

[Screenshot: BadSript1]

Using the highlighted portion of the timestamp from the Snort log we can search in Wireshark for that hit. Once we find that point we can “Follow stream” for that packet, and we end up with a “packed” script. After unpacking the script we see this.

[Screenshot: UnpackedScript]

Looking at this script, it appears to be a benign script for page navigation. Who knows why they decided to pack it.

Following up on several of the alerts in the logs turned up false leads, and several hits were for packets of encrypted traffic.

In conclusion, this appears to be several false positives making it look as though this system was infected. I have not found any actual infections through the traffic.

I recommend checking the users system to verify.


Client 3:

Client IP address: 192.168.122.132 (192.168.122.132)
Client MAC address: AsustekC_c1:f2:48 (48:5b:39:c1:f2:48)
Host Name: Hokaydoo-PC

This incident begins with a Google search and a link clicked in the search results for “www.koeppl [dot] com”.

This turns out to be the landing page for an Angler EK.

[Screenshot: LandingPage]

The end of this section of the script looks like this.

[Screenshot: Normal]

After decoding the “Eval” section of the script we end up with this.

[Screenshot: DecodeLayer1]

Then there is yet another layer of encoding. I see in this picture that a few of the characters are missing, as I was using an earlier version of my decoder. I still have more work to do on this to fully decode/understand this part of the script.

The result of this compromised page, though, is a redirect to another page to download the malicious Flash file.

If we set a filter of “http.request.full_uri contains top” we can see most of the remainder of the infection chain.

[Screenshot: FinalChain]

The Suricata events log tells us we are dealing with a Neutrino EK, and it says the check-in is CryptoWall, but the payment page info here says Alpha Crypt.

[Screenshot: checkin1a]

The source code of the extracted payment page contains “How to buy CryptoWall decrypter”.

In conclusion, this user clicked on a link in Google that landed them on the Angler EK landing page.

Compromised site: http://www.koeppl.com  92.51.131.150

Landing page for Angler EK :

89.38.144.75  uacltr.securetopc.top GET /1993/10/14/madness/willow/dick-sort-southward-swallow.html

Associated request:

89.38.144.75  uacltr.securetopc.top GET /1987/09/28/behave/cheerful-stumble-broad.html.swf  (Called twice)

89.38.144.75  gbesbsdsb.securetopc.top GET /surprise/1430317/fellow-touch-death-curl-cast-dance-bubble-moonlight-shock (Resulted in malformed packet)

89.38.144.75 gbesbsdsb.securetopc.top  GET /officer/1277929/tidings-humble-communication  (resulted in a possible encrypted file download (421888 bytes)).

95.128.181.144 3wzn5p2yiumh7akj.waytopaytosystem.com  GET /1f96s0p Payment page.

In conclusion, follow up with the system to verify the extent of the damage.

This puppy got hammered.
