Thursday, October 23, 2008

CWSandbox Offers Pcaps

Thanks to Thorsten Holz for pointing out that the latest online CWSandbox provides network traffic in Libpcap format for recently submitted malware samples.

I decided to give this feature a try, so I searched the Spam folder of one of my Gmail accounts. I found a suitable "Watch yourserlf in this video man)" email from 10 hours ago and followed the link. I was quickly reminded by Firefox 3 that visiting this site was a Bad Idea.



It took me a little while to navigate past my NoScript and Firefox 3 warnings to get to a point where I could actually hurt myself.



After downloading the "viewer.exe" file, I uploaded it to CWSandbox. That site told me:

The sample you have submitted has already been analysed. Please see the sample detail page for further information.

If you visit that page you'll find a PCAP link.

I took a quick look at the file with Argus and filtered out port 1900 traffic.

$ argus -r analysis_612050.pcap -w analysis_612050.pcap.arg

$ ra -n -r analysis_612050.pcap.arg - not port 1900
23:23:57.745266 e igmp 10.1.7.2 -> 0.0.0.1 2 108 INT
23:23:59.079832 e tcp 74.213.167.192.80 10.1.7.2.1361 2 114 RST
23:23:59.735571 e tcp 10.1.7.2.1037 -> 79.135.167.18.80 78 67219 RST
23:23:59.757777 e tcp 10.1.7.2.1038 -> 79.135.167.18.80 116 101525 RST
23:24:00.103663 e tcp 74.213.167.192.80 10.1.7.2.56963 2 319 RST
23:24:08.147828 e tcp 74.213.167.192.80 10.1.7.2.26155 2 319 RST
23:24:13.463815 e tcp 74.213.167.192.80 10.1.7.2.54775 4 427 RST
23:24:16.556555 e tcp 66.232.105.102.80 10.1.7.2.35029 3 168 RST
23:24:18.791427 e tcp 74.213.167.192.80 10.1.7.2.33765 5 481 RST
23:24:26.456790 e udp 10.1.7.2.61548 <-> 10.1.7.1.53 2 250 CON
23:24:26.458842 e tcp 10.1.7.2.1042 -> 91.203.93.49.80 26 17295 FIN
23:24:26.600712 e tcp 10.1.7.2.1044 -> 91.203.93.49.80 10 1544 FIN
23:24:26.743598 e tcp 10.1.7.2.1045 -> 91.203.93.49.80 10 2099 FIN
23:24:26.854732 e tcp 10.1.7.2.1046 -> 91.203.93.49.80 10 1284 FIN
23:24:26.965697 e tcp 10.1.7.2.1047 -> 91.203.93.49.80 10 1545 FIN
23:24:27.070573 e tcp 10.1.7.2.1048 -> 91.203.93.49.80 14 6828 FIN
23:24:27.180786 e tcp 10.1.7.2.1049 -> 91.203.93.49.80 26 18334 FIN
23:24:27.310872 e tcp 10.1.7.2.1050 -> 91.203.93.49.80 12 4822 FIN
23:24:27.422057 e tcp 10.1.7.2.1051 -> 91.203.93.49.80 14 7415 FIN
23:24:27.527325 e tcp 10.1.7.2.1052 -> 91.203.93.49.80 11 3078 FIN

Here's a list of HTTP requests as filtered by Tshark.

$ tshark -n -r analysis_612050.pcap -R 'http.request == true and tcp.dstport != 1900'
11 2.097490 10.1.7.2 -> 79.135.167.18 HTTP GET /scan.exe HTTP/1.1
12 2.097563 10.1.7.2 -> 79.135.167.18 HTTP GET /cgi-bin/index.cgi?test7 HTTP/1.1
29 2.212609 10.1.7.2 -> 79.135.167.18 HTTP GET /g.exe\330 HTTP/1.1
36 2.266404 10.1.7.2 -> 79.135.167.18 HTTP GET /l.exe HTTP/1.1
119 2.475539 10.1.7.2 -> 79.135.167.18 HTTP GET /g.exe\330 HTTP/1.1
186 3.308669 10.1.7.2 -> 79.135.167.18 HTTP GET /g.exe\330 HTTP/1.1
188 3.390001 10.1.7.2 -> 79.135.167.18 HTTP GET /g.exe\330 HTTP/1.1
230 28.765013 10.1.7.2 -> 91.203.93.49 HTTP GET /bild15_biz.php?NN=a119 HTTP/1.1
256 28.906713 10.1.7.2 -> 91.203.93.49 HTTP GET /adult.txt HTTP/1.1
266 29.049951 10.1.7.2 -> 91.203.93.49 HTTP GET /pharma.txt HTTP/1.1
276 29.160854 10.1.7.2 -> 91.203.93.49 HTTP GET /finance.txt HTTP/1.1
286 29.271530 10.1.7.2 -> 91.203.93.49 HTTP GET /other.txt HTTP/1.1
296 29.376465 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/aol.com-error.html HTTP/1.1
310 29.486416 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/gmail.com-error.html HTTP/1.1
336 29.616847 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/google.com-error.html HTTP/1.1
348 29.727475 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/live.com-error.html HTTP/1.1
362 29.832947 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/search.yahoo.com-error.html HTTP/1.1
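As an added example that is not from the post, CWSandbox, or Tshark, here is the Tshark step above redone in plain Python: a minimal libpcap reader that walks Ethernet/IPv4/TCP segments, drops anything on port 1900, and lists the HTTP request lines it finds. The three-packet capture it runs on is constructed inline (addresses and paths borrowed from the output above, checksums left at zero), so it runs offline without a real pcap.

```python
import struct

SSDP_PORT = 1900  # the port the post filters out as noise

def http_requests(pcap_bytes, skip_port=SSDP_PORT):
    """Return (src, dst, dport, request_line) for each TCP segment whose
    payload starts with an HTTP request line, ignoring skip_port."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap capture")
    off, found = 24, []                       # 24-byte global header
    while off + 16 <= len(pcap_bytes):        # 16-byte per-packet header
        caplen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        pkt = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                          # Ethernet II + IPv4 + TCP only
        ihl = (pkt[14] & 0x0F) * 4
        tcp = pkt[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        if skip_port in (sport, dport):
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]    # data offset is in 32-bit words
        line = payload.split(b"\r\n", 1)[0]
        if line.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
            src = ".".join(map(str, pkt[26:30]))
            dst = ".".join(map(str, pkt[30:34]))
            found.append((src, dst, dport, line.decode("latin-1")))
    return found

def _frame(src, dst, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed sample capture: two downloads plus one port-1900 segment to skip.
_FRAMES = [
    _frame("10.1.7.2", "79.135.167.18", 1037, 80, b"GET /scan.exe HTTP/1.1\r\nHost: x\r\n\r\n"),
    _frame("10.1.7.2", "10.1.7.1", 1039, 1900, b"GET /ssdp HTTP/1.1\r\n\r\n"),
    _frame("10.1.7.2", "91.203.93.49", 1042, 80, b"GET /adult.txt HTTP/1.1\r\n\r\n"),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1224800637 + i, 0, len(f), len(f)) + f for i, f in enumerate(_FRAMES))
```

Passing `skip_port=None` shows the port 1900 segment as well, which is the difference between the raw capture and the filtered Tshark listing above.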

Kudos to CWSandbox for adding this capability.

4 comments:

Anonymous said...

Nice post Richard, thanks.

Anyone know why the Argus output seems to have the source and destination mixed up with the early RST traffic? For example:

23:24:00.103663 e tcp 74.213.167.192.80 10.1.7.2.56963 2 319 RST

Wireshark seems to show 10.1.7.2 as the source, which makes sense.

Jesica said...

Hi,
You have done great work, friend.
Keep it up.

Erik said...

I ran the pcap through NetworkMiner, which automatically extracted all the files. The anti-virus on my computer immediately alerted that the file l.exe contained the Downloader-BKH trojan.

I'll add this pcap file link to my list of publicly available pcap files.

Thanks for the find Richard!

jbmoore said...

Thanks for the heads up! This is handy! I haven't visited his site in about a month, but this feature of CWSandbox will come in quite handy! They don't pay those guys enough. They write some great papers on IT Security.