2016-02-28 – TRAFFIC ANALYSIS EXERCISE – IDEAL VERSUS REALITY

Here is another Malware Traffic Exercise write-up.

http://www.malware-traffic-analysis.net/2016/02/28/index.html

Scenario:

What’s my definition of a security analyst? Security analysts are responsible for monitoring their employer’s network and providing near-real-time detection of suspicious activity. Ideally, these analysts have access to intrusion detection systems (IDS) that cover the company’s entire infrastructure. In reality, the situation is less than ideal.

That is the Scenario given us for this exercise. All we have in this case is just a Pcap file to view the traffic and see what happened.

The Traffic:

The first thing we will do here is set a filter in Wireshark of “dns’ to get an overall view of what transpired in the traffic.

A quick review reveals some strange traffic I have not seen up to this point and further review shows that the traffic is from more than 1 system.

Now lets set a filter on the traffic  of “bootp.option.hostname” this narrows the traffic down to 3 packets which is our 3 system that are connecting to this network.

Next we set a filter of
“eth.addr == b8:97:5a:ac:5d:f2” for the first one, 
“eth.addr == 00:c0:4f:f6:3e:74” for the second one,
”eth.addr == 00:16:cb:3d:9f:8c” for the last one.

For each of the filters we will export the filtered packets to a new Pcap file so we can deal with them one at a time.

Found Host:

Host Name: mint-jagger-laptop
Client MAC address: BiostarM_ac:5d:f2 (b8:97:5a:ac:5d:f2)
Requested IP Address: 172.16.181.133 (172.16.181.133)
Your (client) IP address: 172.16.181.133 (172.16.181.133)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Ubuntu Linux x64

Host Name: WIN-DJ3W602WC9M
Client MAC address: Dell_f6:3e:74 (00:c0:4f:f6:3e:74)
Requested IP Address: 172.16.181.176 (172.16.181.176)
Your (client) IP address: 172.16.181.176 (172.16.181.176)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Windows Vista

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko  UA End

Host Name: Horaces-Mac
Client MAC address: Apple_3d:9f:8c (00:16:cb:3d:9f:8c)
Requested IP Address: 172.16.181.96 (172.16.181.96)
Your (client) IP address: 172.16.181.96 (172.16.181.96)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1
Mac OS X 10_8_5

 

Host Name: mint-jagger-laptop:

This machine was browsing “http://missplus[.]hu/” which appears by the traffic to be a form of online store. In packet 102 we see the first GET request and in packet 332 we see evidence that this site was compromised with the “megaadvertize” campaign.

Mega1

Above we see the very notable way that the code is presented in the site.

Below we see it after doing a hex decode of the values.

Mega2 

Further investigation into the site above reveals that this system did not call out to the site nor get infected with site.

The best I can tell no other malicious content is in this packet capture.

I also Noted that this system seems to be set up as Backup Server.

Recommendations:

Follow up with with system owner to verify nothing infected the system.
Train myself to better understand Linux style packet captures.

Host Name: Horaces-Mac

As the name implies this is a Mac , I’ve never used one.

The traffic associated with this system appears to be normal traffic associated with connecting to a network with other systems attached.

We first see a search request to Google and a link is opened for
“http://dynamicdevices[.]com/”  Nothing to see here that I can tell.

Recommendations:

Train myself to better understand Mac traffic.

Host Name: WIN-DJ3W602WC9M

I saved this one for last because it is the bad one.

I generally start with looking at the DNS traffic looking for anything interesting then move on to a filter of “http.request or http.response” I can quickly scroll thru looking for anything that stands out.

I have recently went thru almost every packet capture since the site started labeled as Angler EK and  pseudo-Dark Leech at http://www.malware-traffic-analysis.net/index.html. so I can now spot the packets very quickly.

Our traffic on this one starts with a Bing search for “mysecretdeals”

Using a filter of,
”http.request.full_uri contains “AS/Suggestions?pt=page.home&mkt=en-au”” we see this.

BingSearch

We can see as each letter was entered into the search term.

We see the first GET request in packet 2069 from clicking on the search link.

The main page is found at packet 2127 but appears to be clean. but if we keep scrolling down we see this.

AngularEK

Notice the link, it has been a standard link style for a while. So that means I scrolled over what ever it was that did the redirect.

Do to the amount of files that could potentially hold the obfuscated redirect script I extracted the most likely ones dropped them into a separate folder and then ran a strings utility on the files in the  folder looking for  “=”\x” . That string should be able to be found in almost every one of the scripts I’ve looked at so far. If you do not limit the extracted objects you are searching thru  you may end up with plenty of false positives.

After the search it dropped me in on packet 2127 and only 1 result. and we see this towards the bottom of the page.

RedirectCode

Looking at the picture you can see what my search string may have hit on.

Just finding it is only part of the battle.

We first have to evaluate all of the variables under the script tag which then reveals a script that decodes the semicolon delimited decimal Character code values, which this in-turn  reveals the final script that decodes the encoded strings above to finally reveal the familiar PHP redirect code.

PHPRedirect 

This will direct us to the AnglerEK . At packet 2628 we see the get request and we end up at packet 3994 staring straight at the AnglerEK. This is one of the newer styles also.

AngularEK2

Here we can see the traffic associated with the Angler IP.

angularektraffic-2

This is the stream for “GET /center.zhtml”

Call1

After this there was 2 post.

FinalPost

After this there appears to be no more traffic associated with this Infection.

These 2 post appear to be associated with the Flash malware.

Just uploaded and reanalyzed the flash file by Virus Total.

SHA256:
eca4004459c2e8cc148fb4838b7c6f909d796492e9c375e8ee22923fdbc12c0c

File name: Packet-4098.sfw

Detection ratio: 21 / 54

Analysis date:
2016-03-22 18:54:42 UTC ( 3 minutes ago )

VirusTotal1

Here we can see it is indeed now flagged as a malicious file.

In conclusion this system was hit with the Angular EK and downloaded some flash malware.

The network traffic and virus total report is inconclusive as to what the malware was or the extent of the infection.

Recommendations.

Follow up with system owner and verify the extent of the damage by this infection.

Reverse the Flash malware to understand the full impact of what it is doing.

 

NOTE: the packet numbers for the individual analysis if for the separated unique system packets.    

Advertisements

About pcsxcetrasupport3

My part time Business, I mainly do system building and system repair. Over the last several years I have been building system utility's in vb script , HTA applications and VB.Net to be able to better find the information I need to better understand the systems problems in order to get the systems repaired and back to my customers quicker.
This entry was posted in Networking, security and tagged , . Bookmark the permalink.