
SANS ISC: How to Set Up Your Own Malware Trap - SANS Internet Storm Center SANS ISC InfoSec Forums


How to Set Up Your Own Malware Trap

I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware. Malware can be useful for a number of reasons: First of all, you could extract indicators of compromise from malware using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular, if they receive e-mail from sources other than your corporate e-mail system.

Sadly, many corporations these days switch to cloud providers for e-mail. But it can still be useful to set up a relay to pre-filter your e-mail before it hits the cloud provider, to get more insight into your e-mail than your cloud provider's limited logs provide.

Personally, I am using Postfix, so what I am going to talk about will be Postfix specific (plus some procmail, which may be used with other mail servers). If you have similar tricks for other mail servers, then please comment.

(1) improved logging

Quite often, a user (or maybe even an AV system) may flag an e-mail as suspect. If this turns out to be a real malicious e-mail (phishing, malware...), then it is nice to be able to quickly look for other e-mails with the same subject or the same "From" address. To make this easier, I like to have Postfix log the "From", "To" and "Subject" headers. You can easily accomplish this by adding "header checks". In Postfix, header checks can be used to filter e-mail with specific headers. But if you flag a match with just the WARN action, the header is logged and the e-mail is delivered as usual. I added the following lines to my "header_checks" file to log the Subject, To, and From:

/^subject:/      WARN
/^to:/           WARN
/^from:/         WARN
/^Subject:/      WARN
/^To:/           WARN
/^From:/         WARN

You then need to add the following line to your main.cf to use these header checks:

header_checks = regexp:/etc/postfix/header_checks 

(/etc/postfix/header_checks is the name of the file. Yours may be different.)

You will now see lines like this in your maillog:

Sep  6 15:26:50 mail postfix/cleanup[24158]: 39B0D7FFA9: warning: 
 header Subject: August invoice from unknown[39.46.85.64]; 
 from=Burnett.84@corporate-change.com to=list@dshield.org proto=ESMTP helo=<[39.46.86.81]>

Next, a little procmail trick that will get rid of most current malicious e-mail: a simple check to see if any compressed attachments include files with known bad extensions:

:0 B
* ^Content-Type: (application/zip|application/x-zip-compressed);
{
        :0 fbhw
        | /usr/local/bin/mime-zip-trojan.pl
}

"mime-zip-trojan.pl" is an amazingly simple Perl script. You can very easily modify it to extend the extension blacklist. (I can't bring up the site for this script right now, so please trust the Google to find it for you.)

The script doesn't block anything, but instead, it just adds a header to the e-mail (X-Zip-Trojan: Yes) that you can then use to filter the e-mail with additional procmail rules.
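The behaviour described above for the tagging script, as an added Python filter (this is not mime-zip-trojan.pl and not code from this diary): it checks every file name inside zip attachments of the two content types matched by the procmail recipe and adds X-Zip-Trojan: Yes on a match. The extension list, the function names and the constructed sample message are assumptions.

```python
#!/usr/bin/env python3
import io
import sys
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension list for illustration; extend it for your environment.
BAD_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
           ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk")
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

def bad_members(zip_bytes):
    """Names of ALL archive members that end in a listed extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # unreadable archive: leave the verdict to the AV scanner
    return [n for n in names if n.lower().endswith(BAD_EXT)]

def tag_message(raw):
    """Return raw mail bytes, with X-Zip-Trojan: Yes added on a hit."""
    msg = message_from_bytes(raw, policy=policy.default)
    hit = any(part.get_content_type() in ZIP_TYPES
              and bad_members(part.get_payload(decode=True) or b"")
              for part in msg.walk())
    if not hit:
        return raw
    # Keep an mbox "From " separator first; the new header goes after it.
    head, sep, rest = raw.partition(b"\n") if raw.startswith(b"From ") else (b"", b"", raw)
    return head + sep + b"X-Zip-Trojan: Yes\n" + rest

def make_sample(names):
    """Constructed test mail with one zip attachment of empty files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    msg = EmailMessage()
    msg["Subject"] = "August invoice"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    if sys.stdin.isatty():  # nothing piped in: run on the constructed sample
        print(tag_message(make_sample(["form.pdf", "form_doc - 1.js"]))[:17])
    else:                   # used as a procmail filter
        sys.stdout.buffer.write(tag_message(sys.stdin.buffer.read()))
```

The original bytes are passed through untouched apart from the one added header line, so later procmail rules and the AV scanner see the message as it arrived.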

Finally, you should of course send all e-mail (including e-mail found by mime-zip-trojan.pl) through an AV scanner so you don't waste your time analyzing old malware.

One thing you SHOULD NEVER do: Send all attachments to VirusTotal. VirusTotal is a great service, and they offer some tools to automate submissions. But do not send anything beyond a hash, unless you are pretty sure it is malicious, and absolutely sure it is not confidential. Any files sent to VirusTotal are made available to researchers and others.

---
Johannes B. Ullrich, Ph.D.

I added a fork of the script on my github repo:
github.com/xme/toolbox/blob/master/…

- Added more suspicious extensions
- Changed the script to scan *ALL* files in the zip files to catch stuff like this:

# unzip -t d0043a3437.zip
Archive: d0043a3437.zip
testing: E13C9ED1 agreement_form_doc - 1.js OK
testing: E13C9ED1 agreement_form_doc.js OK
No errors detected in compressed data of d0043a3437.zip.
Xme

Great! Thanks for doing that.
Johannes
