• LOGIN
  • No products in the cart.

Two Real Network Forensics Analysis FORENSICS ANALYSIS RELATED WITH THE ATTACKS TO PHP.NET AND THE BOSTON BOMBS.

We could say that we live an era where the signature-based Antivirus has less sense if we want to fight against hackers who are creating customized malware only for their targets. Also, there are a lot of Zero-Days attacks which are being used to infect millions of computers just visiting a website. These Zero-Days attacks take advantages of unknown vulnerabilities of for example Adobe or Flash player plugins installed in the web browser to download and install malware which has not been recognized yet. Also the majority of them make connections with the Command and Control servers to get the instructions of the hackers. Sometimes it is easier to detect infected hosts looking at their behaviour in our network if we analyze the network traffic than using an Antivirus running on the host…

What you will learn:

  • Sites in your network where you can get traffic captures.

  • Useful tools to aid in getting/analyzing traffic captures.

  • How to use Virustotal and Wireshark in a real incident.

  • How to detect attacks and more details from a pcap file with an IDS system.

  • How to get information about how malware works.

  • How to detect exploits and malware in an incident handle.

  • File carving using Wireshark.

  • How to create a map report with connections established in the capture data.

What you should know:

  • Get familiarized with the network devices.

  • Get familiarized with the Internet Protocols and modern malware.

As you know, the modern malware or APTs are winning the match to the Antivirus manufacturers. For this reason, there are some new technologies like Sandboxes where you can run the suspicious files in order to study their behaviour. For example, the sandboxes Cuckoo or Anubis run the malware in a secure environment and get a network traffic capture to help us to achieve this goal “to fight against the malware”. Also, some IDS like Snort, gets traffic captures in a pcap format to obtain the evidence about a certain attack.

For all this, it’s really important that the Security IT Department has a high knowledgeabout how to get and how to analyze the traffic that is crossing into their networks.

In this post I’m going to talk about how, where, with and which tools we can use to get and analyze a traffic network capture. Then I will show you two real examples used by hackers who infected thousand of computers using different techniques.

 

HOW TO GET TRAFFIC CAPUTERS

TOOLS AVAILABLE

There are a lot of tools to get traffic captures: Wireshark, Tshark, Tcpdump, NetworkMiner, Cain and Abel, Xplico, Capsa, ngrep… In this article we will be focused on tools commonly used to achieve this goal: Wireshark and Tshark.

WHY WIRESHARK OR TSHARK

Wireshark (before known as Ethereal) and Tshark are a really popular network protocol analyzer. Both of them are the same tool. The first one has a graphical user interface(GUI) and the second one has a command line interface (CLI).

The main reasons to work with these tools are:

  1. Both of them are Open Source with GPL license.

  2. Available in all platforms (Windows, Linux, MAC…).

  3. Both take traffic captures in live and offline mode.

  4. They can understand the majority of Internet Protocols (TCP, DNS, FTP, TFTP, HTP…).

  5. They have advanced filters and searches, TCP Follow Stream, Flow Graph, Maps reports, etc…

  6. There are a lot of tutorials in the Internet.

CAPUTRE DATA ON THE MACHINE YOU ARE INTERESTED IN

There are several methods to capture traffic from your network. In this article, I’m going to talk about which are most commonly used.

If you only need to capture the network traffic to/from a specific host, you can just install Wireshark on that host (computer) and start to sniff. It’s really easy to use but the traffic exchanged between other hosts of the network will be unavailable (except broadcast traffic).

This type of capture could be helpful when you suspect there is a problem in your network involving the host you are testing or when you just want to analyze the traffic exchanged from that host on the network.

1

Network scheme of a simple capture

CAPUTRE DATA USING A PORT MIRROR

Some Ethernet switches have a monitor mode. A monitor mode is the capability of the switch to use as a single port to merge the traffic of all other ports: that is, the port acts like a hub.  If this monitor port is connected to the host when running the sniffer, all the network traffic (crossing that switch) will be captured. It’s sometimes named ‘port mirroring’, ‘port monitoring’, ‘Roving Analysis’ (3Com), or ‘Switched Port Analyzer’ or ‘SPAN’ (Cisco). Using the switch management, you can select both the monitoring port and assign a specific port you wish to monitor. 

1

Port Mirror examples on a switch.

Some switch models could allow the mirroring of just one port instead of all ports: in this case it’s really interesting, the mirroring of the port reserved to the router/firewall (which connects the internal network to the Internet).

Untitled

Port mirror of the port reserved to the router.

Mirroring the port used by the router/firewall, the switch will duplicate the incoming/outgoing traffic of our network to the Internet and send it to a host where it is running a sniffer or an IDS like Snort or Suricata in order to get security events. If you are interested in installing an IDS, you should read the tutorial from the original IDS website before installing it.

It’s also possible to lose some traffic if we are sniffing a high traffic network…

This type of capture is easy to use if such a switch is available; we just need to read the switch manufacturer documentation to get the instructions.

HOW TO WORK WITH WIRESHARK AND TSHARK

The goal of this article is not to train you on how to use Wireshark or Tshark, later we will analyze two real traffic capture with Wireshark… This is only a brief introduction but I think it could be interesting to show you some examples that will help you to start with these tools.

I commented that when we want to capture traffic to research some problems in our network or we want to do some tests, we can capture data on the machine we are interested in by using Wireshark. This is really easy to do by installing the sniffer software in this machine. We can see “in live” the traffic capture. In these kinds of captures, it’s common to capture all traffic in a certain network card and then, working with filters.

1

Default captures traffic in the Wireless interface.1

Filter in a live network capture.

When we want to capture traffic using a Port Mirror, we won’t see the data capture “in live” mode. The sniffer is going to deal with a great amount of data because we will analyze all the traffic of the network. For this reason, it’s common to use Tshark in CLI mode on a Linux Machine instead of Wireshark. We are going to capture only the protocols, subnets or hosts we are interested in and save the capture data in a pcap format. For example we will save the captures automatically in 64Mb files to work easily with them. Why do we need to break up the capture data file in 64Mb? In the next part of the article, we are going to see how Virustotal could help us with the traffic capture because they can analyze it. They accept a maximum size of 64Mb.

With the commands below, Tshark saves all traffic on the interface eth0, it switches to a new file every 64Mb and it stops capturing after 20 files:

$ tshark -i eth0 -b filesize:65536 -a files:20 -w mf3.pcap

I don’t talk much more about the filters because there is a lot of information on the internet about how to sniffer only an IP, network or protocol with Wireshark (http://www.wireshark.org/docs/dfref/) or Thsark (http://www.wireshark.org/docs/man-pages/tshark.html).

NETWORK FORENSICS OF THE PHP.NET ATTACK

Some months ago we could read in some blogs like the AlientVault blog: “Google was flagging the php.net website as potentialy harmful”.

It is really interesting because if you are able to hack this site and you can spread malware from php.net which according to Alexa, php.net is the 228th most visited site in the world, you will be capable to infect to millions of computers. This is what the hacker did.

Currently we can’t analyze the php.net website because the page which was hosting the malicious code has been removed (obviously), but the guys from Barracuda have published a PCAPfrom http://barracudalabs.com/downloads/5f810408ddbbd6d349b4be4766f41a37.pcap

This traffic capture was taken from a computer which visited this website and was infected.

If we upload the PCAP file to VirusTotal we can see the URLs which were visited by the infected computer in the “File details” section. You can see the report of this PCAP file here:

https://www.virustotal.com/en/file/6e522e376e67c09adb6093a293452ba96ab1ea37db905c71cd58a6b5194115e7/analysis/

 

Untitled

 

We can check this info opening the Pcap file with Wireshark.

Untitled

We can see that the www.php.net website was visited. You can see that www.php.net/userprefs.js is the first script loaded. If we select the frame and right clicking on it, we can select “Follow TCP Stream” option. Then, we obtain the script with the obfuscated code in the picture below. (This malicious code has been removed from the website when it was discover by the php.net administrators).

Untitled

The guys from Alienvault have decoded the script. Here they have published the picture below with the code de-ofuscated. We can see an IFRAME with a 10x10px size which redirects the connection to another website was able in the php.net site.

If we research with Wireshark the link contained in the IFRAME in the picture above, we will see how the code is trying to get the information about the computer. It wants to know if the browser has the Java or AdobeReader plugins installed and enabled.

To see that you can type the filter in the picture below…

Untitled

… and right click on it and select “TCP Follow Stream”.

Untitled

Notice the line * PluginDetect v0.7.5

The next URL where the computer is redirected is /PluginDetect_All.js. In the payload of this connection we can see that the hackers are using PluginDetect in order to detect the browser plugins.

Notice the line PluginDetec.getversino(‘Java’,’./getjavainfo.jar);

In the PCAP file we can see how the computer send a POST connection telling to the website if it has the Java or AdobeReader plugin enabled. Then, the web browser is redirected again.

Untitled

Untitled

And then, the connection is redirected again to other site…

Untitled

…where there are another iframe…

Untitled

… to this site…

Untitled

… which is the last site visited before to detect a malicious executable and contain a .swf file which is the possible exploit. Also, if we visit these sites:

Untitled

We get the next advice in our browser.Untitled

The next URL which was visited is marked in bold in VirusTotal. This means that the files that were downloaded are categorized as malware by some antivirus engines.

Untitled

If we click in the sha256 link…

Untitled

…we can see that this executables are categorized as malicious.

Untitled

There are five files categorized as malware which are been downloaded. You can check it in the links bellow.

https://www.virustotal.com/en/file/d78fb2c23422471657a077ff68906d6f6b639d7b7b00ef269fa3a2ce1b38710a/analysis/

https://www.virustotal.com/en/file/816b21df749b17029af83f94273fe0fe480d25ee2f84fb25bf97d06a8fadefe4/analysis/

https://www.virustotal.com/en/file/3483a7264a3bef074d0c2715e90350ca1aa7387dee937679702d5ad79b0c84ca/analysis/

https://www.virustotal.com/en/file/5d651f449d12e6bc75a0c875b4dae19d8b3ec8b3933b6c744942b5763d5df08d/analysis/

https://www.virustotal.com/en/file/bd56609c386a6b5bc18254c7327d221af182193eee5008f6e405ab5c1215b070/analysis/

Now, the computer is infected. The first network connection that the malware does is to visit a website where there are a javascript that detects the computer location.

Untitled

If we check the next network connections, we can see a lot of them creating connections by 16471/UDP port. This port is usually used by the ZeroAccess Trojan. At the bottom of this post you will find the links which redirects you to other Post talking about some analysis of this Trojan.

Untitled

If we look at the Snort alerts in the Virustotal website where we loaded the pcap file, we can see the security events detected by this IDS. We can see that it has detected the ZeroAcces Trojan and other interesting events.

Untitled

If we trust in the PCAP file that Barracuda offers us, we can tell that www.php.net was compromised by hackers. These hackers uploaded a javascript to the main page of this site which redirected to another one where there was a web plugin detector. Depends of what browser plugins are enabled in the computer, the website could redirects you to a Java or AdobeReader exploit. Then, after exploiting the vulnerability, a trojan that seems to be the ZeroAccess trojan is donwloaded and installed. It seems that this trojan is focused in click-fraud.

 

EXTRATCT MALICIOUS FILES FROM THE PCAP FILE 

In order to research the malware which are involved in this incident, we can extract these files from the Pcap file, and then, upload them to Virustotal to know more of them. Also, It is really interesting to make a reverse engineer of the malware files…

There are some techniques to extract the files but in this article, I will show you only one using Wireshark.

With the Pcap file opened in Wireshark, click on File -> Export Objects -> HTTP.

Untitled

Click on “Save All” to save all the files. When they are saved, we can execute “file * | grep PE32” to look for the executables file types.

Untitled

If we get the sha 256 sum, we can check that they are the same that Virustotal has detected and we can to start with the reverse engineer.

Untitled

ANOTHER REAL NETWORK FORENSICS EXAMPLE 

This pcap was sent to me as a real incident I handled and contains the traffic generated by only one suspicious computer. This pcap file was captured sniffing with Tshark in a Port Mirror of the reserved port of the firewall.

The first thing I usually do (if I allowed to do it) is to upload the pcap file to Virustotal. It will give us a lot of valuable information about our traffic captures.

You can see (clicking on the link below) the analysis of our pcap file by Virustotal: https://www.virustotal.com/file/f67b8c98bba320a2895962107f0c5e794d3eb85f8a09bb321787634cb12f8c9a/analysis/

Ok, let’s go. After uploading the pcap file to www.virustotal.com we can see that three files have been downloaded and the website detects them as Malware. Also we can see that there are 15 alerts from Snort IDS and 30 alerts from Suricata IDS.

1

First details from Virustotal

If we go to “File detail” section, Virustotal will help us to locate what websites have been visited in the traffic capture.

1

Some URLs visited in the incident handle

We can see several searches on Google. The majority of them are searches related with the Boston Marathon. You noticed this traffic capture was taken days before the Boston Marathon explosion.

1

Websites visited during the live capture.

Also, some videos have been seen about the Boston Marathon explosion.

1

Some videos watched on YouTube.

1

Screenshot of YouTube video.

After that, Virustotal gives us the best information, the files that have been downloaded and have been recognized by the majority of Antivirus. We can seethe following linksin bold.

1

Malicious files

If we expand the URL we will get information about the requested files.

1

First information about the suspicious file.

If we click on the sha 256 checksum, the website redirects us to other Virustotal page where it will give us the security details of the file. In the information in the picture below, we can see the first two downloads (vz1.jar) are an exploit. This exploit take advantage of the CVE-2012-1723 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723). It’s an unspecified vulnerability in the Java Runtime Environment that allows the remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

1

Antivirus detects the vz1.jar file as exploit.

The last file (newbos3.exe) is detected by the majority of the Antivirus as Trojan Malware.

1

The newbos3.exe file is detected as malware.

 

Currently, we have an idea of what is happening in this incident. We are still working on it and in the last part of the article, we will show you the conclusion.

Another function Virustotal gives us is the information about the DNS requests in the pcap file.

1

Some DNS requested in the incident.

Other really valuable information Virustotal offers us, is to send to their IDS system, Snort and Suricata the pcap file in order to search security events like attacks, exploits, vulnerabilities… etc.  If you do not have this system, it could help you a lot. These IDS are really useful because they have thousands of signatures which recognize every security event and they are free. Also, if you install these systems in “live mode” sniffing in a “port span” or “port mirror”, they will collect the evidences of the security attacks in a pcap file… We can see the Snort and Suricata events in the picture below.

1

Snort IDS alerts.

1

Suricata IDS alerts.

We can see the next interesting events from both, Suricata and Snort alerts. 

ET POLICY Java JAR Download Attempt (Potentially Bad Traffic) 

ET POLICY Vulnerable Java Version 1.6.x Detected (Potentially Bad Traffic) 

EXPLOIT-KIT Redkit exploit kit java exploit request (A Network Trojan was Detected) 

ET INFO EXE Download With Content Type Specified As Empty (A Network Trojan was Detected) 

EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (A Network Trojan was Detected) 

ET CURRENT_EVENTS W32/Zbot.Variant Fake MSIE 6.0 UA (A Network Trojan was Detected)

ET POLICY Possible Spambot Host DNS MX Query High Count (Potentially Bad Traffic) 

ET SMTP Abuseat.org Block Message (Not Suspicious Traffic) 

ET CURRENT_EVENTS Suspicious double HTTP Header possible botnet CnC (A Network Trojan was Detected) 

ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan (Attempted Information Leak)

It’s totally necessary to review all the information with Wireshark, but in order to not extend a lot this article; we are going to trust Virustotal.  At this moment, we can say that our host in our network has been searching on Google news about the Boston Marathon bombs and it visited a website (http://heathawkheaters.com/vz1.jar) where there was an exploit which takes advantage of the CVE-2012-1723 vulnerability.  Just the host was exploited, a Trojan horse was downloaded from another website and maybe installed on the host. (http://kolasoeg.ru/newbos3.exe)

This type of attack is knows as Drive by Download Attack. (http://en.wikipedia.org/wiki/Drive-by_download)

Remember we have just seen some IDS events talking about Spam and a possible Botnet Command and Control connections. We are going to inspect these events with Wireshark in the next part of the article.

Remember we saw the events below on the IDS alerts:

ET POLICY Possible Spambot Host DNS MX Query High Count (Potentially Bad Traffic) 

ET SMTP Abuseat.org Block Message (Not Suspicious Traffic) 

 

INSPECT THE PCAP FILE WITH WIRESHARK 

In this section we are going to inspect the pcap file searching connections that Virustotal didn’t provide information.

Ok, let’s go.

First of all, we need to load the pcap file on Wireshark. Then, if we use a SMTP filter, we can see several SMTP connections.

1

SMTP filter in order to search mail delivering.

It’s seems impossible that a simple user, can send so many emails in so little time. Maybe the computer is sending Spam with the lack of user knowledge.

Some SMTP servers respond to the sender that they are denying the connections with their email servers because the sender is delivering SPAM or the sender is included in a blacklist for the same reason.

We can see if some SMTP refused the emails with this command:

smtp contains spam

1

Payload with details of connections refused.

We saw next Snort Event “ET SMTP Abuseat.org Block Message (Not Suspicious Traffic)” This event means some SMTP servers have rejected the email because the sender IP is blacklisted. Also, the payload contains a link that redirects us to http://cbl.abuseat.org and it will give us more information about the problem. We can use a similar filter in order to search these events in the capture data file on Wireshark with the command below:

smtp contains Abuseat

1

Connection details from abuseat.org

We are going to continue looking for more SMPT packets to get more information… But it seems clear that the goal of the attack is to send Spam and it was successful.

Now, we want to know the body of the Spam which has been sent.

One of the best options of Wireshark is the “Follow TCP” option.  It is very helpful to see the payload with TCP stream in the way that the application layer sees it. With this option we can see the body of the Spam that our network user is delivering.

You can use this option by right clicking on a line selecting “Follow TCP Stream”.

1

Follow TCP Stream option

And then, we can see the body of the Spam.  Have an eye to the follow pictures.

1

 TCP Stream details

1

 Body of the mail delivered.

As you can see, this option is really interesting.

Also, we have a suspicion that our computer is included as node in a Botnet.

Remember we saw the event below in the IDS alerts:

ET CURRENT_EVENTS Suspicious double HTTP Header possible botnet CnC (A Network Trojan was Detected) 

At the bottom of the traffic capture we can see a lot of requests like that: “GET /PXFAHN” 

1

 Connections suspicious to some possible C&C servers.

It seems the host infected currently is a “Zombie” in a Botnet. The computer is connecting to several web servers using the IP addresses instead of the domain name and always to the same URL path (PXFHN). In the traffic capture we can’t detect anything about the payload of the Command and Control connections… The nodes of the Command and Control servers could be down.

1

Follow TCP stream details about possible C&C server connection.

HOW TO CREATE A MAP REPORTS WITH WIRESHARK 

Sometimes, it’s really interesting to know how to create a report drawing the connections in an incident handling on a map. Wireshark offers us this option.

Now, I’m going to show you how to configure this option.

  1. First of all you need to download the GeoIP databases: GeoLite City, Country, and ASNum from the lik below: http://geolite.maxmind.com/download/geoip/database/ (free download)

  1. You need to put all of the databases in the same directory. You must tell Wireshark where the databases are. You need to go to Edit -> Preferences -> Name Resolution and select GeoIP database directories.

Untitled

GeoIP Databae Paths

  1. Restart Wireshark.

  2. Load the pcap file again and select Statistics –> Endpoint and click on Map. In this example, I want to show you where the spam has been sent printing the connections on a map. You notice in the picture below that I’ve created a SMTP filter and I have selected “Limit to display filter.”

1

Details to create map.

Then click on the map button. Now, we can see on the map the connections with the SMTP servers by the Trojan when it was sending SPAM

1

Map with the SMTP connections to send SPAM. 

SUMMARY

In my opinion it’s really important to have a good network capture policy in an organization.  In this article, we have seen how two real examples about how to make a network forensics analysis.

We have seen the real case which happened some month ago. We have seen how the hackers have uploaded a malicious javascript to www.php.net which tried to detect the vistor’s Adobe and Flash Player version in order to figure out if there are vulnerable. Depend on which plugin was vulnerable, the hackers used an exploit or another one in order to download five Trojans. We have seen the well-known ZeroAccess which is one of the most commonly spread torjan and is focused in click-fraud to make money. It is thought that it has infected more than 2 million computers.

In the case of the malware related with marathon bombs, we have seen how a single user of our network was searching and watching videos about the Boston Marathon bombs.  In one of these searches the user visited a dangerous website which took an advantage of a vulnerability of its computer with CVE-2012-1723 using the exploit vz1.jar. Thanks to this exploit, a Trojan horse named newbos3.exe was downloaded and installed with the lack of user knowledge. We have seen that the Trojan horse began to send Spam

and the public IP of the organization was included in a blacklist. The company could have problems with their corporate email servers if the server shares the public IP with the rest of the computers in the network. If this happen, the emails sent by the workers in the company would be denied by the Anti Spam systems.

Also, we have serious suspicion that the computer was a node of a Botnet but we are not sure at all because we have no evidences…

Thanks to a good data capture we can learn a lot about an incident.

 

ABOUT THE AUTHOR

I was involved in the computer science when I was a child and I got my first job as Security Technician when I was 20 years old. I have more than 6 years work in the field of security. I am a network security expert and a specialist in managing Firewalls, VPN, IDS, Antivirus and other security devices in large networks with more than 30,000 users and a 10 GB connection on the Internet.1

I’ve worked in numerous types of environments with the latest technologies. Currently I’m working for the main Research Center in Spain as Senior Security Administrator.

In my spare time, I write in my blog http://www.behindthefirewalls.com where I try to share with people the new hacker techniques, malware analysis, forensics analysis, examples and other things related with security.

You can know more from me at http://es.linkedin.com/pub/javier-nieto-ar%C3%A9valo/25/2a/bb4 . You can contact me at the bottom on my blog by writing on the contact form or sending an email to [email protected] or [email protected]

 

REFERENCES 

http://www.alienvault.com/open-threat-exchange/blog/phpnet-potentially-compromised-and-redirecting-to-an-exploit-kit

http://www.inteco.es/file/5j9r8LaoJvwuB2ZrJ-Xl7g.

http://www.sans.org/reading-room/whitepapers/incident/expanding-response-deeper-analysis-incident-handlers-32904

http://es.slideshare.net/titanlambda/network-forensic-packet-analysis-using-wireshark

http://networkminer.sourceforge.net/documents/Network_Forensics_Workshop_with_NetworkMiner.pdf

http://wiki.wireshark.org/CaptureSetup/Ethernet

http://www.wireshark.org/docs/man-pages/tshark.html

http://wiki.wireshark.org/HowToUseGeoIP

http://www.tamos.com/htmlhelp/monitoring/monitoringusingswitches.htm

 

October 15, 2014

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013