User-agent Strings

A user-agent string is a value used by an application that identifies itself to the server. There are many sites that go into this a bit deeper, so I won't harp on it here. The purpose here is to identify malware that uses unique user-agent string values, which makes it terribly easy to find malicious traffic being generated by certain malware.

The best place to find these values are proxy logs, so you will need to know the field name that your proxy server uses to identify the user-agent string: I believe the field in BlueCoat proxy logs is cs(User-Agent) but yours may be different. Below is a list of user-agent strings that I have seen in our logs and have confirmed that they have been used by malware; there are many other out there, but I will not include those. I have also included a line that you can use to dig through old logs in order to locate past infections.

Malware: Houdini / Iniduoh / njRAT
This one should pop right out in your logs. It uses the below characters as a field separator, so there will be several of these in the user-agent field.

• User-agent contains: <|>
• Regex: <\|>
• Regex: ((\w+)|(\W+))((<\|>)|(\\))((\w+)|(\W+))((<\|>)|(\\))((\w+)|(\W+))((<\|>)|(\\))[^<|\\]+((<\|>)|(\\))((\w+)|(\W+))[^<|\\]+((<\|>)|(\\))[^<|\\]+((\w+)|(\W+))((\w+)|(\W+))+
• I did not write the above regex for this one and I cannot remember where I found it, so I am unable to give credit. If it's yours then please let me know.

Malware: Zero Access

• User-agent: nsis_inetc (mozilla)
• Regex: nsis_inetc\s\(mozilla\)

Malware: Generic Trojan

• User-agent: Mozilla/5.0 WinInet
• Regex: Mozilla\/5\.0\sWinInet

Malware: Dyre / Upatre

The following string was found on a Windows machine.

• User-agent: Wget/1.9+cvs-stable (Red Hat modified)
• Regex: Wget\/1\.9\+cvs-stable\s\(Red\sHat\smodified\)

Malware: Generic password stealing Trojan

• User-agent: RookIE/1.0
• Regex: RookIE\/1\.0

The following two user-agent strings will require the use of Log Parser. Attempting to do a regex search with these will return a large amount of results.

Malware: Tupym

Although AutoIt is legitemate, finding this user-agent may be malicious. Make sure you investigate this a bit further if you find it in your log files.

• User-agent: AutoIt
• SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'AutoIt'

Malware: HkMain

Yes, this was actually found in proxy logs.

• User-agent: M
• SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'M'

The agents listed below have a high certainty of being malicious, but investigate further as they are very close to being legitimate user-agent values.

Malware: Egamipload

• User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
• Regex: Mozilla\/4\.0\s\(compatible;\sMSIE\s8\.0;\sWindows\sNT\s5\.1;\sTrident\/4\.0\)

Malware: Botnet / Adware

This was found in a known botnet as well as some adware.

• User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
• Regex: Mozilla\/4\.0\s\(compatible;\sMSIE\s6\.0;\sWindows\sNT\s5\.1;\sSV1\)

Malware: Yakes

Notice the lack of spacing within the parantheses.

• User-agent: Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)
• Regex: Mozilla\/4\.0\s\(compatible;MSIE\s7\.0;Windows\sNT\s6\.0\)

That is it for now. I will add a separate page for these in the future as I continue to find more malicious user-agent strings.

Further reading:

• Deepend Security - great repository of malicious traffic values.
• Malware Traffic Patterns - more indicators and analysis than you can handle.
• 2013 User-agent Blacklist - old but it still contains useful data.

Using SQL to Sift Through Data

Many things that I have found in the past was accomplished through trial and error, and when I find something that works I get really excited. SQL is lovely and it ranks right up there with regex as one of the need-to-know skills in anyone's tool box.

The problem: tons of log files with multiple columns and thousands of rows, and you only need two or three of those columns.

So what do you do, open every single file, select the columns you want, copy and paste the columns into a new spreadsheet? No.

The solution: SQL, or more specifically Log Parser. It already comes with many queries and scripts you can use, and it also allows you to use SQL to sift through many different types of files. Don't know SQL? No problem, it's easy and the below command will start you off in the right direction (make sure you select the correct file type next to the Log Type option):

• SELECT hostname, ipaddress FROM '\Files\*.csv'

It may ask you to specify a folder when you attempt to run the query. SQL uses three basic commands to search for data; SELECT, FROM, and WHERE. The above command is basically asking to select the hostname and ipaddress columns from the following files (in this case the files are in the \Files folder), and returning the results.

After the query is finished the results will be displayed in the top window, which you can then export the to a new file. No more opening every single file and searching for columns; this simple tool and query can be used for many different purposes.

Further reading:

• Turn your logs into visual representations.
• Many examples you can use to help you sort through data.

Indicators - Houdini RAT

Threat Name: Houdini

Variants or Other Possible Names: njRAT, Iniduoh.

This RAT (Remote Access Trojan) has been around for a while, and was first posted by FireEye. It is a pretty nasty RAT, but is quite easy to find in log files. I will brush over the indicators on FireEye's website, as well as some other indicators not listed.

Remote Host Connections:

The author is fascinated with no-ip.info and zapto.org, so start your search with those domains. Below are several other domains used by the RAT:

• introworld.zapto.org
• j2w2d.no-ip.biz (31.186.179.230)
• qwqhack.no-ip.biz (37.239.116.223)
• paltalk.servequake.com
• terminator9.zapto.org
• basss.no-ip.info
• bg1337.zapto.org
• ronaldo-123.no-ip.biz

HTTP URI Indicators:

• /is-ready

HTTP Request Methods:

• POST

User-agent String Values:

This is an easy catch. The below value is used as a separator in the user-agent string field:

• <|>

Associated Snort Rule:

• alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; classtype:trojan-activity; sid:28817; rev:3;)

Regex:

Search in the user-agent string field.

• <\|>

Conclusion:

I was never able to find much information for this RAT and I hope it helps you out in your searches.

Indicators - Mudrop Malware

Threat Name: Mudrop

Mudrop has been around for awhile. There are plenty of Snort rules for it and I am pretty sure that many anti-virus applications can find and remove the infection. However, it is always good to know what to look for no matter how old the data. This information can be used for alerting, blocking, or digging through old logs.

Remote Host Connections:

• api.batbrowse.com (70.186.131.145)
• api.jotzey.net (70.186.131.34)
• api.kozaka.net (70.186.131.178)
• api.linkswift.co (70.186.131.183)
• api.luckyleap.net (70.186.131.184)
• api.myfindright.com (70.186.131.61)
• api.plurpush.net (70.186.131.198)
• api.secretsauce.biz (70.186.131.214)
• api.webconnect.co (70.186.131.230)
• api.whilokii.net (70.186.131.234)
• api.lemurleap.info (70.186.131.186)
• api.a-tu-zi.com (70.186.131.16)

HTTP URI Indicators:

The following can be found in the URI:

• /gdp?alpha=
• /gdi?alpha=
• /gcs?alpha=
• /gmi?alpha=
• /rs

The URI's containing "alpha" will be followed by Base64 values. The URI containing "/rs" will not be followed by other characters.

HTTP Request Methods:

• POST
• GET

POST methods will contact the host with the "/rs" in the URI, while GET methods will contact the other hosts with "alpha" in the URI.

Regex:

The following is a good start at locating Mudrop infections in log files:

• \/([a-z]{3})\?alpha=

Conclusion:

Feel free to ask questions or comment on the information. Thank you for reading!

Finding Malicious Activity

Prior to going crazy with tons of network indicators, we need to know how to search through many text based log files in order to find malicious activity. How do we doing this? Regular expressions (regex) are the answer. Knowing how to write a regex query is not required (so long as you already have a query you can use), but it is certainly helpful (seriously though, learn it). A trend with this blog is that most of my work will be done on a Windows machine, unless there is no Windows alternative to a piece of software.

In order to dig through thousands of lines of text we will use a tool called grepWin. As its name implies, it is a Windows based grep tool and will allow us to dig through files using regex or text based searches. As we know, finding threats is never a one-shot deal. We may find a new indicator and we will need to dig through old logs files (again, and again, and...) to see if there has been past activity that we may have missed.

So where do we find pre-made regex queries? There are a few sites, such as; MalwareSigs, CoffeeShopSecurity, and many Snort rules. Grab those expressions, toss them into grepWin and press the search button. Too easy right? OK, grepWin is pretty straight forward. Make sure you enter the location of the files in the "Search in" field (preferably these files should be in a comma separated format). In the "Search" section, choose "Regex search" and enter the regex query into the "Search for" field; if you click the / button it will allow for multiple lines of regex which comes in very useful. Under the "Limit search" section, select "All sizes" and "Include subfolders."

Before you press that search button, you want to make sure your regex will work. The grepWin application allows you to test the query, but I prefer something a bit more visual https://regex101.com. It tests your query against a text string and will also give you an explanation of the regex query, which is great when you are learning, and it will let you know if there is a match. Let's do a quick test run on that website and use the following information:

Regular Expression: \/([a-z]{3})\?alpha=
Test String: hXXp://api.browseburst.com/gdi?alpha=0/

The regex query will search for the Mudrop infection, and the test string is/was an actual host used by Mudrop (don't go to the site). Read through the explanation on the right if you are unfamiliar with regex. Also, notice how it matched on "/gdi?alpha=" in the URI. Now that we know the regex will work, go ahead and click the search button in grepWin and, depending on how many files you have, grab a cup of coffee.

If grepWin found any hits, it will display them in the "Search results" window. On the bottom right of the application you will see "Files" and "Content." Files will show all of individual files with content that matched the query, and Content will show each individual line within those files. You can open each file by right clicking the line and selecting Open. After digging through your search results you can grab any unique indicators to create new alerts and use those indicators to dig deeper to find more malicious activity.

That's it, pretty straight forward. There are, of course, many other tools that can be used to find malicious activity but this is a good start if you are fresh. When performing these kinds of searches, always keep notes of the regex strings you have used as well as any unique indicators. If you really want to have some fun, grab about 10 through 20 regex strings and run a multi-line search on your log files. You may be surprised, or saddened, by what you find.

11111011111

What a great year 2014 was for information security; spam campaigns, Home Depot, Sony, too many hits to list. One thing I enjoy doing around this time of year is checking the previous years predictions and trends, and seeing who got close.

What will 2015 bring for us? I am not certain but I feel that cloud security, spam (as always), and BYoD devices will continue to be major pain points for any company. As for the rise of retail hacking, I can only assume that the trend will continue this year. A few questions that any system/network/security administrator should ask themselves; "Are my printers secure?"; "How good is my spam filtering?"; "Do we use any clear-text passwords?"; "Do we have a plan when we have a breach?"

Read the SANS 2015 Predictions, as well as Verizon's Data Breach Investigations Report. Proactive monitoring is my mantra. Keep an eye out for the bad guys and have a great year!