Monday, August 3, 2015

Indicators: Conduit Toolbar

Conduit Toolbar. The name alone is enough to make me wince. The name should ring a bell if you have ever been in any kind of support position or if one of your relatives has complained about a slow internet browser and asked you to remove "this weird toolbar." So what is Conduit and what is this toolbar?

I haven't done much research on the company itself, but a Google search for "conduit toolbar" will show you just how many people search for this crapware, and how many people have created a "how-to" in order to uninstall the application. The company (Conduit) has a very plain page without offering much detail and appears to be affiliated with a company called Como, which helps businesses create smart phone apps. Whatever, I don't care. I just want the network indicators.

The main reason why I created this post was to, obviously, show you some network indicators for this toolbar. I had a hard time finding any kind of information about indicators for the toolbar; almost all of the sites that I found had information on how to uninstall the toolbar. What does the toolbar do? Well it is pretty malicious and transmits sensitive data to a remote server. File analysis shows that it will attempt to see if a virtual machine is running (anti-forensics), will steal private information from your web browser, fingerprint your system (BIOS, MachineGUID), and even modify your proxy settings. Yeah, this is a nice piece of software. On to the network indicators!

Domains Contacted / HTTP URI Paths:
The following domains are contacted after installation and for application updates. The HTTP URI paths below each domain have been observed for those specific domains.
  • sp-storage.conduit-services.com
    • /autoupdate/
  • sp-storage.spccinta.com
    • /autoupdate/
  • sp-storage.spccint.com
    • /autoupdate/
  • servicemap.conduit-services.com
    • /sp/
    • /sptray/
  • servicemap.spccint.com
    • /sp/
    • /sptray/
  • sp.api.search.conduit.com
    • /up/settings/?ctid=
  • sp-alive-msg.conduit-data.com
  • sp-alive-msg.databssint.com
  • sp-autoupdate.conduit-services.com
    • /autoupdate/
    • /update/
  • sp-autoupdate.spccint.com
    • /autoupdate/
    • /update/
  • sp-ip2location.conduit-services.com
    • /ip/?client=sp
  • sp-ip2location.spccint.com
    • /ip/?client=sp
  • sp-settings.conduit-services.com
    • /searchprotectorsettings/
    • /carrier/
    • /plugins/
  • sp-settings.spccint.com
    • /searchprotectorsettings/
    • /carrier/
    • /plugins/
  • sp-translation.conduit-services.com
    • /?locale=
  • sp-usage.databssint.com

HTTP User-agent String:
  • Starts with: "SearchProtect"
  • Uses a semicolon as a field separator
  • Breakdown of user-agent string values:
    • SearchProtect;<Application Version>;<OS type and version>;<Unique identifier>
  • Example:
    • SearchProtect;1.7.1.50;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192
  • Regex to find the unique identifier on the user-agent string:
    • ([a-zA-Z0-9]{10}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{12})
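The user-agent breakdown above is simple enough to parse directly. The following is an added example (not code from the original post): it splits a SearchProtect user-agent into its four fields, pulls out the unique identifier with the regex given above, and then groups constructed proxy log lines by that identifier so the autoupdate, settings and storage traffic of one install can be tied together. The tab-separated log layout and the client IPs are assumptions for the sample.

```python
import re

# Regex from the post for the unique identifier at the end of the user-agent string.
UNIQUE_ID_RE = re.compile(
    r"([a-zA-Z0-9]{10}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{12})"
)


def parse_searchprotect_ua(ua):
    """Split a SearchProtect user-agent into its four semicolon-separated fields.

    Returns None when the string does not start with "SearchProtect" or does not
    have exactly four fields, so unrelated agents never produce a partial record.
    """
    if not ua.startswith("SearchProtect"):
        return None
    parts = ua.split(";")
    if len(parts) != 4:
        return None
    product, version, os_name, uid = parts
    m = UNIQUE_ID_RE.fullmatch(uid)
    return {
        "product": product,
        "version": version,
        "os": os_name,
        "unique_id": m.group(1) if m else None,
    }


# Constructed proxy log lines (tab-separated: timestamp, client IP, host, user-agent).
# The SearchProtect string is the example from the post; everything else is made up.
SAMPLE_LOG = (
    "2015-08-03T10:01:12\t10.0.0.5\tsp-settings.conduit-services.com\t"
    "SearchProtect;1.7.1.50;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192\n"
    "2015-08-03T10:01:13\t10.0.0.7\twww.example.com\t"
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36\n"
    "2015-08-03T10:02:40\t10.0.0.5\tsp-storage.spccint.com\t"
    "SearchProtect;1.7.1.50;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192\n"
)


def find_searchprotect_installs(log_text):
    """Map each SearchProtect unique identifier to the client IPs and hosts seen with it.

    The identifier is stable across requests, so it ties the autoupdate, settings and
    storage traffic of one install together even if the client IP changes.
    """
    installs = {}
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        parsed = parse_searchprotect_ua(fields[3])
        if parsed is None or parsed["unique_id"] is None:
            continue
        entry = installs.setdefault(parsed["unique_id"], {"clients": set(), "hosts": set()})
        entry["clients"].add(fields[1])
        entry["hosts"].add(fields[2])
    return installs


if __name__ == "__main__":
    for uid, info in find_searchprotect_installs(SAMPLE_LOG).items():
        print(uid, sorted(info["clients"]), sorted(info["hosts"]))
```

The parser requires exactly four fields and a full-string match on the identifier, so a spoofed or truncated "SearchProtect" prefix on some other agent does not produce a half-filled record.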
File Downloaded:
An associated file that is downloaded for updating is retrieved from the following sites:
  • sp-storage.conduit-services.com
  • sp-storage.spccinta.com
  • sp-storage.spccint.com
Download activity is accomplished through an HTTP GET request over port 80 for the file name "autoupdate.zip."

Further Reading:

Wednesday, July 29, 2015

Indicators - Banking Trojan

Threat: Banking Trojan / ZeuS

These domain requests lit up the DNS logs. After executing an executable file from an email, the malware will attempt many DNS requests to the below sites. There are some good indicators here, along with some regex to help you find the activity in your logs or PCAP files.

Network Analysis:

The malware will make multiple DNS type A queries and HTTP POST connections to the following second level domains (SLDs):
  • dwhxopmcgpix
  • hrjyvfeduuts
  • ipjbvvnjobll
  • jmdwnsmripqn
  • lgccwnffuuwx
  • ncdebbobqmyi
  • njbkkylgqqqp
  • nmhvbbgccckx
  • nnqksrgtdhjk
  • omiwfmnejorf
  • owvcjnfuwtoo
  • pckffwcqdebn
  • pdvxqjnssltt
  • piwxvumpyptp
  • ruutsckgffnj
  • smqwonbiiymq
  • ttsjrnffxovu
  • wwxthsqmupii
Now, each one of these SLDs is followed by one of four top level domains (TLDs):
  • .com
  • .in
  • .net
  • .ru
So all together it will constantly make 72 DNS type A requests. It will also make a single request to the following host:
  • f02783mat0i5r1t.cc
There is also a unique HTTP URI path used when the malware attempts to make HTTP requests:
  • /for193gd63891mat/
Observations:

Each SLD is 12 characters long followed by one of the above four TLDs; the odd ball domain (f02783mat0i5r1t.cc) is the only exception. The SLDs contain all characters in the English alphabet except for the 'a' and 'z' characters; again the f02783mat0i5r1t.cc domain is the only exception. All HTTP requests are POST over port 80.

Regex:

The following regex should find any of the above hosts.
  • ([b-y]{12})([\.](com|in|net|ru))
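Here is an added example, not from the original post, that builds the full set of 72 names from the SLD and TLD lists above and runs the regex over constructed DNS log lines. It also adds two things the post does not: an anchored variant of the regex, so a longer hostname that merely contains one of the labels is not matched, and a per-client count of distinct matching names, because an ordinary word such as distribution.com also fits [b-y]{12} and a single hit should not be treated as an infection on its own. The log line layout and client IPs are assumptions for the sample.

```python
import re
from collections import defaultdict

# The 18 second-level labels and four TLDs listed in the post.
SLDS = [
    "dwhxopmcgpix", "hrjyvfeduuts", "ipjbvvnjobll", "jmdwnsmripqn", "lgccwnffuuwx",
    "ncdebbobqmyi", "njbkkylgqqqp", "nmhvbbgccckx", "nnqksrgtdhjk", "omiwfmnejorf",
    "owvcjnfuwtoo", "pckffwcqdebn", "pdvxqjnssltt", "piwxvumpyptp", "ruutsckgffnj",
    "smqwonbiiymq", "ttsjrnffxovu", "wwxthsqmupii",
]
TLDS = ["com", "in", "net", "ru"]

# The regex exactly as given in the post.
POST_RE = re.compile(r"([b-y]{12})([\.](com|in|net|ru))")

# Tightened version (my addition): the twelve letters must form the whole label,
# so a longer hostname that merely contains one of the labels is not matched.
ANCHORED_RE = re.compile(r"(?<![A-Za-z0-9.-])([b-y]{12})\.(com|in|net|ru)(?![A-Za-z0-9.-])")


def expected_domains():
    """All SLD x TLD combinations: the 72 names the post says are queried."""
    return [f"{sld}.{tld}" for sld in SLDS for tld in TLDS]


def flag_dga_clients(log_lines, threshold=10, pattern=ANCHORED_RE):
    """Count distinct pattern-matching domains per client and flag the noisy ones.

    A single match can be a dictionary word such as distribution.com, which also
    fits [b-y]{12}, so the volume of distinct matches per client is the real signal.
    Each log line is "<timestamp> <client IP> <queried name> <qtype>" (constructed layout).
    """
    matches = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, qname = fields[1], fields[2]
        if pattern.search(qname):
            matches[client].add(qname)
    return {client: names for client, names in matches.items() if len(names) >= threshold}


# Constructed DNS log: one client walking through part of the list, one client
# resolving an ordinary name that happens to fit the pattern.
SAMPLE_LOG = [
    f"2015-07-29T08:00:{i:02d} 10.0.0.5 {d} A" for i, d in enumerate(expected_domains()[:15])
]
SAMPLE_LOG.append("2015-07-29T08:01:00 10.0.0.9 distribution.com A")
SAMPLE_LOG.append("2015-07-29T08:01:01 10.0.0.9 www.example.com A")

if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_LOG).items():
        print(client, len(names), "distinct suspect names")
```

The threshold of ten distinct names is a starting point, not a measured value; the post reports 72 queries per run, so a real client will clear it quickly while a stray dictionary-word lookup will not.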
Further Information:

Tuesday, July 28, 2015

Houdini Tracker Update

Just a quick post to let you know that I have added a few more indicators to the Houdini RAT tracking list.

Enjoy! I will be updating with another indicator list pretty soon, I just need to clean up a few things.

Wednesday, July 1, 2015

Dyre Controller Servers

I found some interesting connections being made to some remote servers, which appear to be a Dyre botnet. The malware attempts to make a connection to a remote server using a CONNECT request method, followed by a GET with a directory structure containing the host name of the infected machine, the version of Windows the machine is running, and the serial number.

As with any IP address, please be careful when blacklisting as they may be legitimate. Many of the IPs that I looked into were listed on several blacklists, so please do your research. Below is a quick and dirty list of the IP addresses, enjoy!

Remote IP Addresses - CONNECT:
The connections made to the below IP addresses were made with the CONNECT request method.

181.189.152.131:443
184.164.97.60:443
185.31.33.98:443
188.255.236.227:4443
188.255.241.22:4443
194.28.190.84:443
194.28.191.213:443
195.206.255.131:443
195.34.206.204:443
208.123.129.153:4443
208.123.129.218:4443
208.123.135.106:4443
212.37.81.96:4443
212.69.14.89:443
217.23.194.237:443
31.42.170.118:443
38.124.169.163:4443
46.175.23.130:443
67.206.96.30:443
67.206.97.238:443
67.207.228.144:443
67.219.166.113:443
69.118.144.195:4443
75.134.44.251:443
77.104.206.150:443
77.234.235.48:443
80.234.34.137:443
80.87.219.35:443
83.168.164.18:443
84.16.54.22:443
84.16.55.122:443
84.237.229.49:443
85.192.165.229:443
87.116.153.216:443
91.232.157.139:443
91.240.97.141:443
93.91.154.243:443
95.143.131.73:443
184.164.97.242:443
188.123.35.92:443
194.187.219.116:443
213.133.178.154:443
213.174.6.246:4443
31.134.73.151:4443
31.42.172.36:443
46.151.51.75:443
75.98.158.55:443

Remote IP Addresses - GET:
The connections made to the below IP addresses were made with the GET request method. These appear to be the controller servers.

184.164.97.242:443
188.123.35.92:443
194.187.219.116:443
213.133.178.154:443
213.174.6.246:4443
31.134.73.151:4443
31.42.172.36:443

HTTP URI Directory Structure:
The URI directory is a long value that contains unique information pertaining to the infected host. However, there are a few directories that are consistent. Keep in mind that these will only show in the URI when a GET request method has been made.

  • /1106us11/
  • /5/spk/
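The CONNECT-then-GET sequence described in this post can be correlated per client rather than matched one line at a time. The following is an added example, not the post's own code: it walks constructed proxy events in time order, remembers which clients sent CONNECT to a bare IP on 443 or 4443, and reports a client only when it later sends a GET to that same destination whose URI carries both of the consistent directory components above. The event tuple layout, the client IPs, and the token between the two directories (standing in for the host-specific part the post describes) are assumptions for the sample.

```python
import re
from collections import defaultdict

# Directory components the post reports as consistent in Dyre GET requests.
DYRE_PATH_MARKERS = ("/1106us11/", "/5/spk/")

# Bare IPv4 address with one of the ports seen in the post's CONNECT list.
BARE_IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:(?:443|4443)$")


def find_dyre_beacons(records):
    """Correlate CONNECT and GET events per client.

    `records` is an iterable of (timestamp, client, method, host_port, uri) tuples,
    in time order (constructed layout). A client is reported when it first sends
    CONNECT to a bare IP on 443/4443 and later sends a GET to that destination whose
    URI carries both consistent directory components; the returned dict maps
    client -> list of (host_port, uri) for those GETs.
    """
    connected = defaultdict(set)     # client -> bare-IP destinations seen via CONNECT
    beacons = defaultdict(list)
    for _ts, client, method, host_port, uri in records:
        if method == "CONNECT" and BARE_IP_PORT_RE.match(host_port):
            connected[client].add(host_port)
        elif method == "GET" and host_port in connected[client]:
            if all(marker in uri for marker in DYRE_PATH_MARKERS):
                beacons[client].append((host_port, uri))
    return dict(beacons)


# Constructed events. The destination IPs come from the post's GET list; the token
# between the two directory components is made up here (the post says the real
# value carries the hostname, Windows version and serial number).
SAMPLE_EVENTS = [
    ("2015-07-01T09:00:01", "10.0.0.5", "CONNECT", "213.174.6.246:4443", "-"),
    ("2015-07-01T09:00:02", "10.0.0.5", "GET", "213.174.6.246:4443",
     "/1106us11/WKSTN01_W617601.SERIALPLACEHOLDER/5/spk/"),
    ("2015-07-01T09:00:05", "10.0.0.8", "CONNECT", "www.example.com:443", "-"),
    ("2015-07-01T09:00:06", "10.0.0.8", "GET", "www.example.com:443", "/index.html"),
    ("2015-07-01T09:00:09", "10.0.0.9", "GET", "31.42.172.36:443", "/1106us11/x/5/spk/"),
]

if __name__ == "__main__":
    for client, events in find_dyre_beacons(SAMPLE_EVENTS).items():
        for host_port, uri in events:
            print(client, "->", host_port, uri)
```

The GET from 10.0.0.9 is deliberately not reported because no CONNECT preceded it; if your proxy records the tunnel and the inner request in different logs, relax that condition and match on the URI markers alone.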
Thank you for reading, I hope this information is useful!

Monday, June 22, 2015

User-agent String Indicator Page Updated

I updated the user-agent string indicator page to include Wireshark display filters using regex to find specific user-agents. I am by no means a regex pro, so if anyone finds any discrepancies or can figure out a cleaner way to search with regex, then please let me know.

A few things I noticed when using regex in Wireshark display filters: I was not able to figure out how to escape an opening and closing parenthesis (when I escaped those characters in the usual way, the filter did not find the user-agent), so I had to use a logical AND with a second display filter in order to locate the right value (please see the Dyre user-agent string). Also, I had to be more explicit in the query for a shorter user-agent string value, meaning I had to add start-of-line and end-of-line anchors to the query.

I hope you all find this information useful, feel free to ask questions or leave comments. Thank you.

Tuesday, June 9, 2015

New User-agent Indicators Page

I made a post a few months back about malicious user-agent string values. It appears to be a pretty popular post, so I decided to create a page dedicated to malicious user-agent strings.

I added several more strings to the list as well as updating some regex. Speaking of which, I still need to add more regex values to that page and I will also add some Wireshark display filters that you can use to find user-agent strings in PCAP files.

I also added a new list on the right side of the page dedicated to just indicators. You can find the new page here. Enjoy!

Monday, June 8, 2015

Indicators - Dridex

I have been seeing a large amount of emails containing malicious Microsoft Word macro-enabled documents attached. These documents, once the macro has been allowed to run by the user, will download and run an executable file to infect the machine. Below are several indicators that I have seen so far, and I have even created a Wireshark/regex filter that will help you find these files in a PCAP file.

Threat Name: Dridex

File Download Locations:
These files may no longer be active, but please use caution when downloading as they are malicious.

7sumur.com/73/20.exe
baypipo.com/55/55.exe
cellsitemanagement.com/73/20.exe
chiokings.com/88/15.exe
crestliquors.com/73/20.exe
croningroup.com/73/20.exe
dalmatian-bizhub.com/55/55.exe
deborah-abesser.com/88/15.exe
elkettasandassociates.com/25/10.exe
empreinte.com.ar/42/91.exe
footingclub.com/85/20.exe
hoinghihoithao.com/88/15.exe
jenisgroup.com/88/15.exe
joyofcamping.com/88/15.exe
kang-ning.com/353/654.exe
kapagrup.com/94/053.exe
m-bikes.gr.193-92-97-57.linuxzone26.grserver.gr/42/91.exe
mercury.powerweave.com/85/20.exe
mindfullivingprograms.com/73/20.exe
njgems.com/55/55.exe
orenkaholidays.com/5/0.exe
revistacannicas.com.ar/42/91.exe
seedsindaphne.org/85/20.exe
segurosdenotebooks.com.br/25/10.exe
thepattersonco.com/85/20.exe
tpsci.com/88/15.exe
tvteachervideos.com/42/91.exe
yubido.web.fc2.com/5/0.exe
zolghadri-co.com/25/10.exe

File Names:
The file names are numerical and 1 through 3 digits long.

0.exe
053.exe
10.exe
15.exe
20.exe
55.exe
654.exe
91.exe

IP Connections:
The malware will attempt to make CONNECT requests to the below IP addresses and ports.

144.76.238.214:4443
185.12.94.48:7443
185.12.95.191:4443
188.120.249.231:8443
70.32.74.108:7443
78.24.218.186:8443
78.46.60.131:4443
94.242.58.146:4443

Regex Query:
The following regex query should find the HTTP URI and file name of the executable file. Since the directory and file names are pretty consistent in the fact that they have been numerical values so far, it should be pretty easy to locate in your logs.
  • \/[1-9]{1,3}\/[0-9]{1,3}\.exe
The following Wireshark display filter (using regex) should also work:
  • http.request.uri matches "\/[1-9]{1,3}\/[0-9]{1,3}\.exe"
You should see similar information below in the Info column in Wireshark when you run the above query:


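The regex above is the same expression Wireshark evaluates in the display filter, so it can be checked offline before it goes into a PCAP search. The following is an added example, not code from the original post: it runs the regex against a handful of the download locations listed above, scans constructed proxy log lines for GET requests that match, and tallies the directory/file pairs so requests from the same campaign group together. The log line layout and client IPs are assumptions for the sample.

```python
import re
from collections import Counter

# The regex from the post; the Wireshark filter uses the same expression.
DRIDEX_URI_RE = re.compile(r"\/[1-9]{1,3}\/[0-9]{1,3}\.exe")

# Download locations taken from the list in the post, used here as positive cases.
KNOWN_LOCATIONS = [
    "7sumur.com/73/20.exe",
    "kapagrup.com/94/053.exe",
    "kang-ning.com/353/654.exe",
    "orenkaholidays.com/5/0.exe",
    "m-bikes.gr.193-92-97-57.linuxzone26.grserver.gr/42/91.exe",
]


def dridex_path(uri):
    """Return the matching "/<dir>/<file>.exe" fragment, or None."""
    m = DRIDEX_URI_RE.search(uri)
    return m.group(0) if m else None


def scan_requests(log_lines):
    """Scan constructed proxy log lines ("<client> <method> <url>") and return hits.

    Each hit is (client, host, path); the Counter tallies how often each
    directory/file pair appears, which groups requests belonging to one campaign.
    """
    hits = []
    pairs = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, method, url = fields[0], fields[1], fields[2]
        if method != "GET":
            continue
        path = dridex_path(url)
        if path is None:
            continue
        host = url.split("//", 1)[-1].split("/", 1)[0]
        hits.append((client, host, path))
        pairs[path] += 1
    return hits, pairs


# Constructed log lines; the malicious hosts are from the post, the clients and
# the benign requests are made up.
SAMPLE_LOG = [
    "10.0.0.5 GET http://7sumur.com/73/20.exe",
    "10.0.0.6 GET http://crestliquors.com/73/20.exe",
    "10.0.0.7 GET http://downloads.example.com/2015/06/setup.exe",
    "10.0.0.7 GET http://www.example.com/files/10.exe",
    "10.0.0.8 GET http://orenkaholidays.com/5/0.exe",
]

if __name__ == "__main__":
    hits, pairs = scan_requests(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(pairs.most_common())
```

Note that the first character class is [1-9], so a directory with a leading zero would not match, while the file name class [0-9] does accept 053.exe from the list above.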
I am sure that I will be adding more indicators for this malware soon as it has been pretty prevalent over the past few weeks. Thanks for reading.

Wednesday, May 20, 2015

Bad Practice

I was surprised when I saw this one in some logs today. The smart phone application Parlor exposes your username and password in the HTTP URI through their API, plain as day. These are what we like to call "easy wins" as they require no effort to find in standard event logs, and require no digging through the frames of PCAP files. Here is a screencap of the HTTP field:


Be careful when signing up for some of these applications on your smart phone, you never know what is exposed.

Indicators - Geodo Malware Part 3

Since the last two updates I have collected a few more indicators, and I have decided to make an indicator page. I didn't want to create a tracking page, as there is a much better resource, rather I wanted to create a list of indicators that I have found. Below are a few new additions that I will be adding to the new Geodo indicator list; there are no new C2 servers or user-agent strings.

Link to the Geodo indicator page.

Threat Name: Geodo

File Download Locations:

These are live malware files, download with caution.

hXXp://obchod.vianatura.cz:80/YRgXCNup2zn8/9049.exe
hXXp://f3x.pl:80/modules/mod_aratipas/ex_mss3.exe
hXXp://zonaliberabraila.ro/ud3yRXLgSw2
hXXp://marjav.cl/g3aTdqlJI8
hXXp://intellinum.com/7UPYmxe150K
hXXp://blog.northpointindia.com/gKBwOvxeq

Further Reading:

rebus snippets

Tuesday, May 12, 2015

Indicators - Geodo Malware Part 2

I have some more Geodo/Feodo indicators for you since yesterday's posting. If this keeps up I will make a page dedicated to Geodo indicators similar to the one I created for the Houdini RAT.

Threat Name: Geodo

File Download Locations:

These are live malware files, download with caution.

hXXp://altvramagazine.com:80/wp-content/themes/altura/cr_mss3.exe
hXXp://www.hairlosstreatments4u.com:80/4KVHAGFUPB/949.exe
hXXp://arasshahintools.com:80/wp-content/themes/darya/cr_mss3.exe
hXXp://www.greago.com:80/wp-content/themes/flowmaster/cr_mss3.exe
hXXp://holyspirit.wa.edu.au:80/wp-content/uploads/cr_mss3.exe
hXXp://heliosradio.com:80/WGNz20QXeyK/9049.exe
hXXp://photowaaley.com:80/2g9IiGaouYBOQ/9049.exe
hXXp://region-magdeburg.ramminger-berlin.de:80/modules/mod_aratipas/cr_mss3.exe
hXXp://jomigym.nl:80/80dUCBiJXg/9049.exe
hXXp://tasheelseries.com.au:80/modules/mod_aratipas/cr_mss3.exe

Virustotal File Analysis:

9049.exe

Command and Control Servers:

Request Method: POST

94.126.171.85:8080
94.176.2.168:8080
103.16.26.36:8080
37.59.0.141:8080
46.32.233.226:8080
76.74.252.88:8080
99.249.191.195:8080

Enjoy! Look out for a new indicator list for this malware.

Monday, May 11, 2015

Indicators - Geodo Malware

I have been seeing an influx of Geodo malware and have compiled some data on finding this infection on your network.

Threat Name: Geodo

File Download Locations:

These are live malware files, download with caution.

hXXp://altvramagazine.com:80/wp-content/themes/altura/cr_mss3.exe
hXXp://aqua-system.com.ua/AXMqjiFob
hXXp://arasshahintools.com:80/wp-content/themes/darya/cr_mss3.exe
hXXp://bicycle.ns.ca:80/wp-content/themes/shadow/cr_mss3.exe
hXXp://conservation-wildlife.asn.au/eSxai7o0d/Status_zu_Sendung_916907832086.zip
hXXp://cucifineart.com/wp-content/Z5LIHdweGyb/Status_zu_Sendung_916907832086.zip
hXXp://dpsharma.com/wp-content/themes/twentyfifteen/Hvcmrq2un/Status_zu_Sendung_916907832086.zip
hXXp://fcmtravel.co.ke/7HTCkvNV
hXXp://www.allcameras.tk:80/wp-content/themes/twentyfifteen/cr_mss3.exe
hXXp://www.hairlosstreatments4u.com:80/4KVHAGFUPB/949.exe
hXXp://www.hertzlease.com.mt:80/mCVXg3ucvfG/949.exe

Virustotal File Analysis:


Command and Control Servers:

Request Method: POST

121.50.46.81:8080
173.230.130.252:8080
188.165.235.13:8080
192.126.123.10:8080
192.163.204.172:8080
200.159.128.189:8080
200.75.7.92:8080
201.175.17.35:8080
42.62.40.103:8080

User-agent Strings:

I have yet to determine if these are unique to the malware or not, so please be careful using them to block and/or detect malicious network traffic. If anyone has anymore information on these, then please leave a comment.

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

Further Reading:

Geodo Tracker - website dedicated to tracking all Geodo information. The owner of the site has a blog as well and is well worth the reading.
Hybrid Analysis Results - sandbox analysis results for the executable of the zip file listed above.

Thursday, April 16, 2015

Houdini / h-worm / njRAT Tracking List

I added a tracking list for the Houdini malware (njRAT, h-worm, etc...). This list is best used in a monitoring tool rather than a blocking tool as some of the domains will most likely be out-of-date. If you are not familiar with this malware, then please check out the links listed below.

This list has grown over the past year since I have been tracking it, so I hope it serves you well. I will continue to update the list as I find new variants or indicators, and if you wish to contribute then please feel free to send me an email.

Click here to go to the page. Enjoy!

Further reading:

Tuesday, April 14, 2015

Incoming Houdini Tracking List

I have been seeing a good amount of Houdini traffic in the past, and it seems to be picking up steam again: for a quick refreshed, check out this FireEye report. So I decided to create a list of command and control servers used by the malware.

The list will not be an active/live list such as the ones you find on Abuse.ch, rather it will contain historical data of hosts, as well as other useful information such as user-agent string values, HTTP URI paths, destination ports, and other data.

The list should be posted within the week, so please check back.

Friday, March 20, 2015

Indicators - Zbot Variant

Apologies for not updating for a while, but I think this post will
This one has been showing up pretty frequently. I have labeled it as Zbot, but it is most likely Dridex or Upatre; if anyone has clarification then please let me know.

Threat Name: Zbot / Upatre / Dridex

Indicators: The malware will attempt a connection to the "checkip.dyndns.org" domain in order to ensure connectivity. If successful, then it will attempt to connect to several IP addresses (direct to IP over HTTP) using high-numbered ports. It's hard to nail down exact domain names and IP addresses, but thankfully there are other indicators.

HTTP Indicators:
  • Request Methods
    • CONNECT - this method will be used to connect to "checkip.dyndns.org" to determine network connectivity.
    • POST - will connect to a domain with a URI path of "/gate.php".
    • GET
  • User-agent Strings:
    • Mazilla/4.0
    • Mazilla/5.0
  • HTTP URI Paths:
    • /gate.php
    • /1802us21/
    • /1902us21/
    • /2101us21/
    • /2901us21/
    • /mandoc/
    • /images/
    • /news/
    • /files/
    • /fla/
    • /ar/file/
    • /menu/
    • /dhl/
  • HTTP URI Filenames:
    • /factj.pdf
    • /gunter.pdf
    • /hone.pdf
    • /sdocc.pdf
Dear malware authors, please continue to use unique user-agent strings. Since the malware uses exploits to download the payload, ensure that Java and Adobe are up-to-date. Blocking the above user-agent string values from accessing the internet is also an effective measure, if your web filtering appliance of choice allows you this option.

Friday, February 6, 2015

Indicators - Word Document Macro Virus

There have been many write-ups about these macro viruses on other security blogs and traffic analysis sites. However, I wanted to add a few that I have observed so far.

Threat Name: The macro virus has been seen downloading multiple malware types and names.

Indicators: The email subject may contain the word 'Invoice' along with the invoice number. The file attachment will be a Word document, but will contain the extension of .docm which indicates a macro enabled document. The document may also contain the word 'Invoice' in its name.

Post Infection: The user will only get infected if they allow the macro to run. Microsoft Word will warn the user that enabling macros could damage your computer, which is very true in this case.

Domains Contacted: The following domains were contacted after the macro was allowed to run.

  • drevenak.cz - 217.31.49.20
  • vivercomrequinte.com.br - 174.36.74.119
  • jamesdev.co.uk
  • www.otmoorelectrical.co.uk - 84.22.163.83
  • api.ipify.org
  • *.tor2web.org
  • *.tor2web.ru
Files Downloaded: The following files were observed being downloaded after the macro was enabled.
  • bin.exe - https://www.virustotal.com/en/file/63224095c15ff1206e65d0b8e69a0f7ffc75025d6e5427b206503a5f3e9cf24b/analysis/
  • vv.exe - https://www.virustotal.com/en/file/b261f19aab21889d256266bdeb8c1e3e408d495ef4a5648c4f237696f120706b/analysis/1423149772/
Network Indicators:
  • URI: GET /js/bin.exe
  • URI: GET /wp-content/uploads/vv.exe
  • URI: POST /gate.php
Prevention: Block all .docm files on your email server, if possible. Trying to blacklist the domains may be a futile effort as they can easily change; the same goes for trying to block the executable files.

Links:

Thursday, January 22, 2015

User-agent Strings

A user-agent string is a value used by an application that identifies itself to the server. There are many sites that go into this a bit deeper, so I won't harp on it here. The purpose here is to identify malware that uses unique user-agent string values, which makes it terribly easy to find malicious traffic being generated by certain malware.

The best place to find these values are proxy logs, so you will need to know the field name that your proxy server uses to identify the user-agent string: I believe the field in BlueCoat proxy logs is cs(User-Agent) but yours may be different. Below is a list of user-agent strings that I have seen in our logs and have confirmed that they have been used by malware; there are many others out there, but I will not include those. I have also included a line that you can use to dig through old logs in order to locate past infections.

Malware: Houdini / Iniduoh / njRAT
This one should pop right out in your logs. It uses the below characters as a field separator, so there will be several of these in the user-agent field.
  • User-agent contains: <|>
  • Regex: <\|>
  • Regex: ((\w+)|(\W+))((<\|>)|(\\))((\w+)|(\W+))((<\|>)|(\\))((\w+)|(\W+))((<\|>)|(\\))[^<|\\]+((<\|>)|(\\))((\w+)|(\W+))[^<|\\]+((<\|>)|(\\))[^<|\\]+((\w+)|(\W+))((\w+)|(\W+))+
    • I did not write the above regex for this one and I cannot remember where I found it, so I am unable to give credit. If it's yours then please let me know.
Malware: Zero Access
  • User-agent: nsis_inetc (mozilla)
  • Regex: nsis_inetc\s\(mozilla\)
Malware: Generic Trojan
  • User-agent: Mozilla/5.0 WinInet
  • Regex: Mozilla\/5\.0\sWinInet
Malware: Dyre / Upatre
The following string was found on a Windows machine.
  • User-agent: Wget/1.9+cvs-stable (Red Hat modified)
  • Regex: Wget\/1\.9\+cvs-stable\s\(Red\sHat\smodified\)
Malware: Generic password stealing Trojan
  • User-agent: RookIE/1.0
  • Regex: RookIE\/1\.0
The following two user-agent strings will require the use of Log Parser. Attempting to do a regex search with these will return a large amount of results.

Malware: Tupym
Although AutoIt is legitimate, finding this user-agent may be malicious. Make sure you investigate this a bit further if you find it in your log files.
  • User-agent: AutoIt
  • SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'AutoIt'
Malware: HkMain
Yes, this was actually found in proxy logs.
  • User-agent: M
  • SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'M'
The agents listed below have a high certainty of being malicious, but investigate further as they are very close to being legitimate user-agent values.

Malware: Egamipload
  • User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  • Regex: Mozilla\/4\.0\s\(compatible;\sMSIE\s8\.0;\sWindows\sNT\s5\.1;\sTrident\/4\.0\)
Malware: Botnet / Adware
This was found in a known botnet as well as some adware.
  • User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  • Regex: Mozilla\/4\.0\s\(compatible;\sMSIE\s6\.0;\sWindows\sNT\s5\.1;\sSV1\)
Malware: Yakes
Notice the lack of spacing within the parentheses.
  • User-agent: Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)
  • Regex: Mozilla\/4\.0\s\(compatible;MSIE\s7\.0;Windows\sNT\s6\.0\)
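The list above mixes two kinds of indicator: strings long enough to search for with a regex, and two agents ("AutoIt" and "M") so short that a substring search would hit every Mozilla agent in the log, which is why the post reaches for an exact-equality WHERE clause for those. The following added example, not the post's own code, puts both kinds behind one classifier: the regexes above are searched within the user-agent field, the short agents are compared against the whole field, and the labels the post says deserve a second look are flagged. The log line layout, client IPs and destination hosts are assumptions for the sample.

```python
import re

# Regexes from the post, searched anywhere in the user-agent field.
UA_REGEXES = {
    "Houdini / Iniduoh / njRAT": r"<\|>",
    "Zero Access": r"nsis_inetc\s\(mozilla\)",
    "Generic Trojan": r"Mozilla\/5\.0\sWinInet",
    "Dyre / Upatre": r"Wget\/1\.9\+cvs-stable\s\(Red\sHat\smodified\)",
    "Generic password stealing Trojan": r"RookIE\/1\.0",
    "Egamipload": r"Mozilla\/4\.0\s\(compatible;\sMSIE\s8\.0;\sWindows\sNT\s5\.1;\sTrident\/4\.0\)",
    "Botnet / Adware": r"Mozilla\/4\.0\s\(compatible;\sMSIE\s6\.0;\sWindows\sNT\s5\.1;\sSV1\)",
    "Yakes": r"Mozilla\/4\.0\s\(compatible;MSIE\s7\.0;Windows\sNT\s6\.0\)",
}
COMPILED = {name: re.compile(pattern) for name, pattern in UA_REGEXES.items()}

# Agents too short for a substring search: compared against the whole field,
# which is what the post's Log Parser WHERE clause does.
UA_EXACT = {"Tupym": "AutoIt", "HkMain": "M"}

# Labels the post says need a second look before being treated as confirmed.
NEEDS_REVIEW = {"Tupym", "Egamipload", "Botnet / Adware", "Yakes"}


def classify_ua(ua):
    """Return the list of malware labels whose indicator matches this user-agent."""
    labels = [name for name, rx in COMPILED.items() if rx.search(ua)]
    labels += [name for name, exact in UA_EXACT.items() if ua == exact]
    return labels


def scan_proxy_log(lines):
    """Scan constructed proxy log lines: '<client> <host> "<user-agent>"'.

    Returns a list of (client, host, label, needs_review) for every match.
    """
    findings = []
    for line in lines:
        head, _, quoted = line.partition(' "')
        ua = quoted.rstrip('"')
        fields = head.split()
        if len(fields) < 2 or not ua:
            continue
        for label in classify_ua(ua):
            findings.append((fields[0], fields[1], label, label in NEEDS_REVIEW))
    return findings


# Constructed log lines; the user-agent values are the ones listed in the post.
SAMPLE_LOG = [
    '10.0.0.5 203.0.113.10 "M"',
    '10.0.0.6 www.example.com "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"',
    '10.0.0.7 203.0.113.11 "Wget/1.9+cvs-stable (Red Hat modified)"',
    '10.0.0.8 203.0.113.12 "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"',
    '10.0.0.9 203.0.113.13 "AutoIt"',
]

if __name__ == "__main__":
    for client, host, label, review in scan_proxy_log(SAMPLE_LOG):
        print(client, host, label, "(investigate)" if review else "")
```

The ordinary Mozilla agent on the second line produces no finding at all, even though it contains an "M", which is exactly the flood the post warns about when the short agents are searched as substrings.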
That is it for now. I will add a separate page for these in the future as I continue to find more malicious user-agent strings.

Further reading:

Monday, January 19, 2015

Using SQL to Sift Through Data

Many things that I have found in the past were accomplished through trial and error, and when I find something that works I get really excited. SQL is lovely and it ranks right up there with regex as one of the need-to-know skills in anyone's tool box.

The problem: tons of log files with multiple columns and thousands of rows, and you only need two or three of those columns.

So what do you do, open every single file, select the columns you want, copy and paste the columns into a new spreadsheet? No.

The solution: SQL, or more specifically Log Parser. It already comes with many queries and scripts you can use, and it also allows you to use SQL to sift through many different types of files. Don't know SQL? No problem, it's easy and the below command will start you off in the right direction (make sure you select the correct file type next to the Log Type option):
  • SELECT hostname, ipaddress FROM '\Files\*.csv'
It may ask you to specify a folder when you attempt to run the query. SQL uses three basic commands to search for data; SELECT, FROM, and WHERE. The above command is basically asking to select the hostname and ipaddress columns from the following files (in this case the files are in the \Files folder), and returning the results.

After the query is finished the results will be displayed in the top window, which you can then export to a new file. No more opening every single file and searching for columns; this simple tool and query can be used for many different purposes.
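The same SELECT / FROM / WHERE idea works without Log Parser: load the CSV files into a throwaway database and pull only the columns you need. The following is an added example, not the post's own code, using Python's built-in sqlite3 as a stand-in for Log Parser; the two CSV "files" and their columns are constructed for the sample, and the in-memory table and the source column that records which file each row came from are my own additions.

```python
import csv
import io
import sqlite3

# Two constructed CSV "files" with more columns than we care about.
SAMPLE_FILES = {
    "proxy_2015-01-05.csv": (
        "timestamp,hostname,ipaddress,useragent,bytes\n"
        "2015-01-05T09:00:00,www.example.com,93.184.216.34,Mozilla/5.0,5120\n"
        "2015-01-05T09:00:04,api.batbrowse.com,70.186.131.145,Mozilla/4.0,640\n"
    ),
    "proxy_2015-01-06.csv": (
        "timestamp,hostname,ipaddress,useragent,bytes\n"
        "2015-01-06T10:12:00,api.batbrowse.com,70.186.131.145,Mozilla/4.0,702\n"
        "2015-01-06T10:15:30,203.0.113.10,203.0.113.10,M,128\n"
    ),
}


def load_csv_files(files):
    """Load every CSV into one in-memory SQLite table, remembering the source file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logs (source TEXT, timestamp TEXT, hostname TEXT, "
        "ipaddress TEXT, useragent TEXT, bytes INTEGER)"
    )
    for name, text in files.items():
        rows = [
            (name, r["timestamp"], r["hostname"], r["ipaddress"], r["useragent"], int(r["bytes"]))
            for r in csv.DictReader(io.StringIO(text))
        ]
        conn.executemany("INSERT INTO logs VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def select_host_ip(conn, useragent=None):
    """SELECT hostname, ipaddress FROM logs [WHERE useragent = ?] across all files.

    The optional WHERE clause is parameterised, so a user-agent value taken from
    a log is never pasted into the SQL text.
    """
    sql = "SELECT DISTINCT hostname, ipaddress FROM logs"
    params = ()
    if useragent is not None:
        sql += " WHERE useragent = ?"
        params = (useragent,)
    sql += " ORDER BY hostname, ipaddress"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = load_csv_files(SAMPLE_FILES)
    for row in select_host_ip(conn):
        print(row)
    print("user-agent M:", select_host_ip(conn, useragent="M"))
```

With real data, replace SAMPLE_FILES with a loop over a folder of CSVs; the query stays the same, which is the point the post makes about not opening each file by hand.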

Further reading:

Wednesday, January 14, 2015

Indicators - Houdini RAT

Threat Name: Houdini

Variants or Other Possible Names: njRAT, Iniduoh.

This RAT (Remote Access Trojan) has been around for a while, and was first posted by FireEye. It is a pretty nasty RAT, but is quite easy to find in log files. I will brush over the indicators on FireEye's website, as well as some other indicators not listed.

Remote Host Connections:

The author is fascinated with no-ip.info and zapto.org, so start your search with those domains. Below are several other domains used by the RAT:
  • introworld.zapto.org
  • j2w2d.no-ip.biz (31.186.179.230)
  • qwqhack.no-ip.biz (37.239.116.223)
  • paltalk.servequake.com
  • terminator9.zapto.org
  • basss.no-ip.info
  • bg1337.zapto.org
  • ronaldo-123.no-ip.biz

HTTP URI Indicators:
  • /is-ready
HTTP Request Methods:
  • POST
User-agent String Values:

This is an easy catch. The below value is used as a separator in the user-agent string field:
  • <|>
Associated Snort Rule:
  • alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; classtype:trojan-activity; sid:28817; rev:3;)
Regex:

Search in the user-agent string field.
  • <\|>
Conclusion:

I was never able to find much information for this RAT and I hope it helps you out in your searches.

Friday, January 9, 2015

Indicators - Mudrop Malware

Threat Name: Mudrop

Mudrop has been around for awhile. There are plenty of Snort rules for it and I am pretty sure that many anti-virus applications can find and remove the infection. However, it is always good to know what to look for no matter how old the data. This information can be used for alerting, blocking, or digging through old logs.

Remote Host Connections:

  • api.batbrowse.com (70.186.131.145)
  • api.jotzey.net (70.186.131.34)
  • api.kozaka.net (70.186.131.178)
  • api.linkswift.co (70.186.131.183)
  • api.luckyleap.net (70.186.131.184)
  • api.myfindright.com (70.186.131.61)
  • api.plurpush.net (70.186.131.198)
  • api.secretsauce.biz (70.186.131.214)
  • api.webconnect.co (70.186.131.230)
  • api.whilokii.net (70.186.131.234)
  • api.lemurleap.info (70.186.131.186)
  • api.a-tu-zi.com (70.186.131.16)

HTTP URI Indicators:

The following can be found in the URI:
  • /gdp?alpha=
  • /gdi?alpha=
  • /gcs?alpha=
  • /gmi?alpha=
  • /rs
The URIs containing "alpha" will be followed by Base64 values. The URI containing "/rs" will not be followed by other characters.

HTTP Request Methods:
  • POST
  • GET
POST methods will contact the host with the "/rs" in the URI, while GET methods will contact the other hosts with "alpha" in the URI.

Regex:

The following is a good start at locating Mudrop infections in log files:
  • \/([a-z]{3})\?alpha=
Conclusion:

Feel free to ask questions or comment on the information. Thank you for reading!

Monday, January 5, 2015

Finding Malicious Activity

Prior to going crazy with tons of network indicators, we need to know how to search through many text based log files in order to find malicious activity. How do we do this? Regular expressions (regex) are the answer. Knowing how to write a regex query is not required (so long as you already have a query you can use), but it is certainly helpful (seriously though, learn it). A trend with this blog is that most of my work will be done on a Windows machine, unless there is no Windows alternative to a piece of software.

In order to dig through thousands of lines of text we will use a tool called grepWin. As its name implies, it is a Windows based grep tool and will allow us to dig through files using regex or text based searches. As we know, finding threats is never a one-shot deal. We may find a new indicator and we will need to dig through old logs files (again, and again, and...) to see if there has been past activity that we may have missed.

So where do we find pre-made regex queries? There are a few sites, such as MalwareSigs, CoffeeShopSecurity, and many Snort rules. Grab those expressions, toss them into grepWin and press the search button. Too easy right? OK, grepWin is pretty straightforward. Make sure you enter the location of the files in the "Search in" field (preferably these files should be in a comma separated format). In the "Search" section, choose "Regex search" and enter the regex query into the "Search for" field; if you click the / button it will allow for multiple lines of regex which comes in very useful. Under the "Limit search" section, select "All sizes" and "Include subfolders."

Before you press that search button, you want to make sure your regex will work. The grepWin application allows you to test the query, but I prefer something a bit more visual: https://regex101.com. It tests your query against a text string and will also give you an explanation of the regex query, which is great when you are learning, and it will let you know if there is a match. Let's do a quick test run on that website and use the following information:
Regular Expression: \/([a-z]{3})\?alpha=
Test String: hXXp://api.browseburst.com/gdi?alpha=0/
The regex query will search for the Mudrop infection, and the test string is/was an actual host used by Mudrop (don't go to the site). Read through the explanation on the right if you are unfamiliar with regex. Also, notice how it matched on "/gdi?alpha=" in the URI. Now that we know the regex will work, go ahead and click the search button in grepWin and, depending on how many files you have, grab a cup of coffee.
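The Mudrop regex used in this walkthrough, and in the Mudrop indicator post above, can be exercised the same way from a script. The following is an added example, not code from either post: it applies the regex to the regex101 test string and to constructed proxy log lines, and goes one step further than the posts by capturing the Base64 run after "alpha=" and attempting a validated decode, so that a non-Base64 value such as the "0/" in the test string comes back as None instead of garbage. It also records the POST requests to "/rs" that the Mudrop post describes. The log line layout, client IPs and alpha values are assumptions for the sample.

```python
import base64
import binascii
import re

# The regex from the post: three lower-case letters, then "?alpha=".
MUDROP_RE = re.compile(r"\/([a-z]{3})\?alpha=")

# Extension (my addition): also capture the Base64 run that follows "alpha=".
MUDROP_ALPHA_RE = re.compile(r"\/([a-z]{3})\?alpha=([A-Za-z0-9+/=]*)")

# Endpoints listed in the Mudrop post; anything else matching the pattern is still
# reported, but marked as an endpoint not seen before.
KNOWN_ENDPOINTS = {"gdp", "gdi", "gcs", "gmi"}


def match_mudrop(uri):
    """Return the three-letter endpoint the post's regex matches, or None."""
    m = MUDROP_RE.search(uri)
    return m.group(1) if m else None


def extract_alpha(uri):
    """Return (endpoint, raw_value, decoded_bytes_or_None, known_endpoint).

    The Mudrop post notes that "alpha=" is followed by Base64; decoding is attempted
    with validation so junk such as the regex101 test string's "0/" comes back as
    None instead of garbage.
    """
    m = MUDROP_ALPHA_RE.search(uri)
    if not m:
        return None
    endpoint, raw = m.group(1), m.group(2)
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        decoded = None
    return endpoint, raw, decoded, endpoint in KNOWN_ENDPOINTS


def scan_lines(lines):
    """Scan constructed proxy log lines ('<client> <method> <url>') for Mudrop URIs.

    Returns a list of (client, method, endpoint, known_endpoint) hits; a POST to a
    URI ending in "/rs" is reported as endpoint "rs".
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, method, url = fields[0], fields[1], fields[2]
        found = extract_alpha(url)
        if found:
            hits.append((client, method, found[0], found[3]))
        elif url.endswith("/rs") and method == "POST":
            hits.append((client, method, "rs", True))
    return hits


# Constructed lines; the hosts are from the posts, the alpha values are made up.
SAMPLE_LOG = [
    "10.0.0.5 GET hXXp://api.browseburst.com/gdi?alpha=0/",
    "10.0.0.5 GET hXXp://api.batbrowse.com/gcs?alpha=aGVsbG8=",
    "10.0.0.5 POST hXXp://api.kozaka.net/rs",
    "10.0.0.6 GET hXXp://www.example.com/abc?alpha=xyz",
    "10.0.0.7 GET hXXp://www.example.com/img?alphabet=soup",
]

if __name__ == "__main__":
    for client, method, endpoint, known in scan_lines(SAMPLE_LOG):
        print(client, method, endpoint, "known" if known else "new endpoint")
```

The fourth sample line shows the pattern's reach: any three lower-case letters before "?alpha=" match, so an unknown endpoint is reported but marked as new rather than silently counted as Mudrop.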

If grepWin found any hits, it will display them in the "Search results" window. On the bottom right of the application you will see "Files" and "Content." Files will show all of the individual files with content that matched the query, and Content will show each individual line within those files. You can open each file by right clicking the line and selecting Open. After digging through your search results you can grab any unique indicators to create new alerts and use those indicators to dig deeper to find more malicious activity.

That's it, pretty straight forward. There are, of course, many other tools that can be used to find malicious activity but this is a good start if you are fresh. When performing these kinds of searches, always keep notes of the regex strings you have used as well as any unique indicators. If you really want to have some fun, grab about 10 through 20 regex strings and run a multi-line search on your log files. You may be surprised, or saddened, by what you find.

Thursday, January 1, 2015

11111011111

What a great year 2014 was for information security; spam campaigns, Home Depot, Sony, too many hits to list. One thing I enjoy doing around this time of year is checking the previous year's predictions and trends, and seeing who got close.

What will 2015 bring for us? I am not certain but I feel that cloud security, spam (as always), and BYoD devices will continue to be major pain points for any company. As for the rise of retail hacking, I can only assume that the trend will continue this year. A few questions that any system/network/security administrator should ask themselves; "Are my printers secure?"; "How good is my spam filtering?"; "Do we use any clear-text passwords?"; "Do we have a plan when we have a breach?"

Read the SANS 2015 Predictions, as well as Verizon's Data Breach Investigations Report. Proactive monitoring is my mantra. Keep an eye out for the bad guys and have a great year!