This two hours workshop will show how to analyze network traffic in order to decide if a computer was infected with malware. This is a very hard task since current malware tries to hide by mimicking normal traffic. We will present several cases where you will have to discover the true infected machine from a group. The goal of the workshop is to transmit the analysis skills necessary to differentiate the suspicious connections from the normal ones and to finally discover the malware behaviors.
Getting your hands dirty: How to Analyze the Behavior of Malware Traffic / SEBASTIAN GARCIA [ATG GROUP OF CTU]
1.
Security Sessions 2016 Workshop
Getting your hands dirty: How to Analyze the
Behavior of Malware Traffic
1. Introduction
● About the teacher and attendants
● Intro to what is this workshop about.
○ It is not about tools
○ It Is about learning to analyze malware traffic and to separate it from normal
traffic.
● Start of notebooks with Kali, connection to Internet.
● What is an attack? What is the difference with normal?
● What is Malware? What is a botnet?
2. How network protocols work. A baseline reminder
● Current knowledge about networking?
● Network protocols, TCP/IP layers, how do they work?
● Horizontal and vertical communication
● Basic protocols. What are they for? Which ports do they use?
○ Ethernet, ARP, ICMP, IP, TCP, UDP, HTTP, DNS, SSH, SSL/TLS
3. Analysing network traffic, learning what to see.
● Wireshark
○ Start wireshark and capture some of your traffic.
○ Identify the hosts, ports and protocols used.
○ See the different layers of protocols and encapsulations.
○ Identify an HTTP connection, see its content.
■ Follow a TCP stream
○ See a HTTPs connection.
2. ○ Advanced wireshark:
■ filters
■ IO graphic
■ expert info
● Tcpdump
○ Use tcpdump to see information from your network
■ tcpdump n s0 i eth0
○ Use filters for tcpdump
■ host, port, ands and ors
○ Use A to see the ASCII text inside packets.
○ Use tttt to see a more useful timestamp.
○ Read packets
■ r output.pcap
○ Search with less (/)
■ Web connections:
1. GET|POST|Host:
● A little bit about reputation of IPs
○ This is actually more complex, but we can start with VirusTotal
■ https://www.virustotal.com/
■ Search for IPs, domains or URLs
■ See if you can infer something about the reputation of:
1. 89.108.101.61
2. 95.163.121.33
3. 93.184.220.29
4. 13.107.4.50
■ For domains, better www.passivetotal.com
● Analysis of capture3.pcap.bz2
○ Download from :
https://mega.nz/#!MkpgjTIR!_IIOQ4ra2CGh9JkZYfhkhwCCDJWy3IPIenkrlV5
AWqA
○ Uncompress it
■ bzip2 d file3.pcap.bz2
○ What can you say about it?? Malware or normal?
○ Some graphs with CapTipper tool
■ https://mcfp.felk.cvut.cz/publicDatasets/CTUMalwareCaptureBotnet
661/20140407_capturewin13.short.html
● Analysis of capture2.pcap.bz2
○ Goal: To analyze this file and conclude if the host was infected or not.
○ Download form:
https://mega.nz/#!p4xViQ7J!wenCMFUOPGLlfk5rKNcqCNan1rojY5myHjoc0c
R3KV8
○ What can you say about it?? malware or normal?
● Analysis of file1.small.pcap
○ Goal: To analyze this file and conclude if the host was infected or not.
3. ○ Download from
https://mega.nz/#!J4oyyYTB!_L5I5IAtid3YQ0ZT0MBnbKanB2qw3ZMh_t1qG
YiL5Q
○ What can you say about it?? is it malware or normal?
■ My conclusions:
1. The mac address of the machine is VirtualBox
2. Initial web connection without DNS.
3. Web connection with referer, but no previous web connection
done. Fake referer.
4. POST of a video? Without cookies? mp4 should have an ID3
header that is not there, so probably the content is not mp4.
5. The content of the POST looks strange. Like a substitution
cipher.
6. The reputation of 95.163.121.33 (and other IPs) is very bad
and tied to Dridex malware
7. Further POSTs are suspicious (long and without readable
data) with Host headers having a fake host names (looks like
DGA) and fake referrers again. Is it transmitting data on the
Host header? (like ZeroAccess?)
8. Only with Wireshark: The time difference between HTTP
connections is too short. Not a manual interaction.
9. Only with Wireshark: The graph shows a very suspicious
periodicity on the TCP web connections.
10. The Host header name: “5t9AR us” has a space! this is
forbidden in the standard.
11. You can also see that the same IP is used by several dozen
hosts and requested by one source IP very quickly.
Suspicious.
12. Seems malware
13. Actually is Dridex
● Other useful tools we are not covering too much
○ tshark: command line wireshark
■ tshark r file.pcap n Tfields e ip.src (example for getting the src ip in
the packets only)
4. Attacking each other and discovering the traffic
Goal: To attack others and get access, to recognize who is attacking you and to report it by
email.
● Start capturing traffic in your host using tcpdump
○ Goal: To know what happens in the network with the SSH protocol (port 22)
○ tcpdump n s0 i eth0 v w /root/malwarenightsclass1sshattack.pcap
● Download this list of passwords
4. ○ wget
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords
/best15.txt
● Change your root password
○ As root
■ passwd (and put a good password)
● Create another user (unprivileged). The name of the user is test
■ useradd test
● Start the SSH service
○ /etc/init.d/ssh restart
● Change the password of the test user
○ First get one password randomly from the file.
■ N=`shuf i 115 n 1`; head n $N best15.txt |tail n 1
○ Then change it with the command (put it twice):
■ passwd test
● Put here the password printed by the previous command.
● Find other hosts in the network with the SSH port open
○ nmap sS p 22 n v <youripaddress>/24 oN sshservers.txt
● Bruteforce the SSH password of the active hosts
○ Medusa tool
■ hydra s 22 l test P best15.txt <IPtocrack> ssh
● Analysis of the traffic
○ Analyze your capture file
○ If somebody found the password of your computer or not. And how do you
know.
○ Bonus question: Did they access your computer and type commands on it?
How do you know?