weekend malware research 2012
Weekend Malware Research
Andrew Morris
About
• Over the weekend I collected two different categories of malware
• Dionaea honeypot malware (Conficker)
– Windows
– SMB-based exploits
• JBoss ZECMD worm
– Cross-platform/Java
– JMX Console-based exploits
Dionaea
• Dionaea is an open-source honeypot daemon used to catch malware samples
• Installed and run on Linux
• Emulates a Windows 2000 Server
Protecting yourself
• Whenever you are doing any type of malware research, be sure to protect yourself
• Segment the honeypot/analysis machine from the rest of your network
Dionaea log piped to “tail -f”
Tcpdump on port 445
Binaries collected
Commands
# tail -f dionaea.log
# tcpdump -i eth0 -XX -vvv tcp port 445   (or -w capture.pcap to save the capture to a file)
# while [ 1 ]; do ls -lah ; ls | wc ; sleep 1 ; done
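The last one-liner above only counts files; the following script is an added example (not from the talk) that does the same polling of the Dionaea binaries directory but records each new sample's SHA-256, size and first-seen time, so repeated drops of the same binary are not mistaken for new ones. The binaries path and inventory file name are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example (not from the slides): inventory samples that Dionaea drops
# into its binaries directory, keyed by SHA-256 so duplicates are recognised.
# Assumed default path for a Dionaea install; override via the environment.
BIN_DIR="${BIN_DIR:-/opt/dionaea/var/dionaea/binaries}"
INVENTORY="${INVENTORY:-$HOME/samples.sha256}"

# Hash every regular file in $1 and append entries not yet listed in $2.
# Inventory line format: <sha256> <size-bytes> <first-seen-utc> <filename>
# Prints the number of newly recorded samples.
inventory_samples() {
    dir="$1"; inv="$2"
    touch "$inv"
    new=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        if ! grep -q "^$sum " "$inv"; then
            size=$(wc -c < "$f" | tr -d ' ')
            printf '%s %s %s %s\n' "$sum" "$size" \
                "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(basename "$f")" >> "$inv"
            new=$((new + 1))
        fi
    done
    echo "$new"
}

# Poll loop: same idea as the slide's `while [ 1 ]` one-liner, but it
# reports only genuinely new samples and the running total.
watch_samples() {
    while :; do
        n=$(inventory_samples "$BIN_DIR" "$INVENTORY")
        if [ "$n" -gt 0 ]; then
            total=$(wc -l < "$INVENTORY" | tr -d ' ')
            echo "$(date -u +%H:%M:%S) +$n new sample(s), $total total"
        fi
        sleep "${INTERVAL:-5}"
    done
}

# watch_samples   # uncomment to run continuously on the honeypot
```

The inventory file doubles as a handy manifest when sharing the samples with an offline analysis lab.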
Results
• Over 24 hours, the Dionaea honeypot collected over 100 malware samples
• There were more attacks, but the honeypot failed to capture binaries for more sophisticated malware
• Over five attacks per minute
Anyone interested?
• I have over 100 malware samples directly from the wild
• If anyone is interested in setting up an offline lab with me for manual analysis, shoot me an email
• Makes good practice for reverse engineering
ZECMD
• Steve Nawoichik and I first encountered this during a penetration test one year ago
• Our client thought they would be cool and stand up an intentionally vulnerable server to test if we were doing our jobs
• They got hit with a JBoss worm
Worming Mechanism
• I did a bit of OSINT on the term “ZECMD.jsp” and found a couple of writeups by Carnal0wnage, Kaspersky, and a few others
• The worm infects machines over the internet by attacking exposed JBoss JMX consoles
• Deploys its own custom malicious WAR file
So…
• I set up a Linux box and installed JBoss
• Exposed the JMX console, no username, no password
Infected
• JBoss worm hit me within 24 hours
• Again, ZECMD
• Good part about this worm
– Modular malware
– Portions are in Perl, C, and Java
– Drops the source code, relies on the machine to compile
– No reversing necessary!
Perl
C
Java
Nicks
Scanning
Digging Deeper
What I learned from the malware
• C2 (command and control) servers
• Propagation mechanism
• Able to identify compromised machines
• Handles of botmaster
• Methods of data exfiltration
• How to tell if a machine is infected
Questions?
Thanks!