@1aN0rmus
Created October 5, 2016 15:10
DFIR_IT Contest Submission

The report below addresses the objectives set in the "NETWORK CHALLENGE - 001 - LINUX":

  1. Determine what likely occurred based on the evidence from the PCAP.
  2. Identify any network and/or host artifacts that could be used to scope this incident further.
  3. If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity.

The report comprises the following sections:

  • Findings - Describes main findings and provides an overview of malicious activity.
  • Analysis - Provides technical analysis of captured traffic and extracted artifacts.
  • Timeline - Provides chronologically ordered list of events.
  • Indicators - Provides a list of network and host indicators related with observed malicious activity.
  • References - Contains a list of external publications, indicators and resources used during analysis.

Findings

  • The Linux system behind the IP address 104.236.210.97 was compromised at approximately 2016-09-07T22:14:48Z, when the attacker successfully connected and authenticated to the system over SSH.
  • At 2016-09-07T22:16:16Z the attacker downloaded an instance of the BillGates trojan (java.log) from the remote IP address 120.210.129.29, which was running an HFS server on TCP port 5198.
  • At 2016-09-07T22:19:03Z the compromised system sent its first DNS A query for the domain top.t7ux.com. This event marks the approximate time at which the attacker executed the malicious file java.log. At the same time the first "Hello" packet was sent by the compromised system to the C&C domain top.t7ux.com.
  • At approximately 2016-09-07T23:43:06Z the attacker likely initiated installation of the Apache httpd server by executing the command apt-get install apache2.
  • Between 2016-09-07T23:47:06Z and 2016-09-07T23:50:42Z the attacker downloaded additional malware and tools from the remote IP address 120.210.129.29. The files comprised multiple versions of the BillGates trojan, a CVE-2013-2094 privilege escalation exploit, a reverse shell script, the Netcat utility and a backdoored version of OpenSSH.
  • Between 2016-09-07T23:52:18Z and 2016-09-07T23:53:05Z the remote IP address 104.236.59.209 connected to the compromised system over TCP port 80 and downloaded two files: nc.exe and back.pl. These connections likely indicate that the attacker successfully installed and ran the Apache httpd server.
  • At 2016-09-08T01:22:06Z the attacker terminated the SSH session from the remote IP address 46.101.128.129.
  • The packet capture contained additional SSH packets from the remote IP address 71.171.119.98 between 2016-09-08T01:22:09Z and 2016-09-08T01:22:25Z. Based on the timing, this connection was likely also initiated by the attacker.
  • At 2016-09-08T10:18:13Z the compromised host attempted to connect to the IP address 222.174.168.234, the address to which the C&C domain top.t7ux.com resolved at that time.
  • At 2016-09-08T10:54:44Z the last packet to the C&C IP address 118.192.137.245 was captured.
  • At 2016-09-09T13:46:05Z the compromised host sent 32038 UDP flood packets to UDP port 80 of the IP address 23.83.106.115.
  • At 2016-09-09T13:46:21Z the last packet to the C&C IP address 222.174.168.234 was captured.

Analysis

Analysis of the captured network traffic around the time (2016-09-07T22:16:16Z) of the first alert for the "HFS [File Download]" Snort signature revealed the download of a suspicious file, java.log, from the remote IP address 120.210.129.29 by the host 104.236.210.97. Initial analysis showed that the file was an instance of the BillGates trojan compiled for x86 Linux and configured with two C&C servers: top.t7ux.com and www.vnc8.com.

Review of network connections to the system behind the IP address 104.236.210.97 around the time the malicious file was downloaded showed only one active SSH connection, from the IP address 46.101.128.129. Based on this evidence and the absence of other connections it was determined that the attacker had successfully authenticated and established an interactive SSH session to the system. The system was likely initially compromised at approximately 2016-09-07T22:14:48Z. The SSH session was active for approximately 3 hours, and approximately one megabyte of data was exchanged between the endpoints during that time.

At 2016-09-07T22:19:03Z the compromised system issued its first observed DNS A query for the domain top.t7ux.com. At the same time the system established a connection with the IP address 118.192.137.245 (the resolution of top.t7ux.com at that time) over TCP port 16081 and sent data identified as the "Hello" packet generated by the BillGates trojan. The "Hello" packet contained the kernel version of the compromised Linux system (Linux 4.4.0.0-36-generic) and the version of the malware (G2.40).

Between 2016-09-07T23:43:06Z and 2016-09-07T23:43:07Z the compromised system established multiple HTTP connections to two legitimate domains, mirrors.digitalocean.com and nyc2.mirrors.digitalocean.com, and downloaded multiple .deb files. The files were determined to be legitimate software packages of the Apache httpd server and its dependencies. In the absence of additional interactive connections to the compromised system it is likely that the attacker initiated installation of the Apache httpd server by executing the command apt-get install apache2.

Between 2016-09-07T23:47:06Z and 2016-09-07T23:50:42Z the attacker downloaded additional malware and tools from the remote IP address 120.210.129.29. The table below summarizes the files downloaded by the attacker:

| Filename | MD5 | Type | Architecture | VT Detection | C&C | Description |
|---|---|---|---|---|---|---|
| java.log | f4b3ec28a7b92de2821c221ef0faed5b | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| 16081 | c3a59d53af7571b0689e5c059311dbbe | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| 2.6.32 | ff1e9d1fc459dd83333fd94dbe36229a | ELF | x64 | CVE-2013-2094 | - | CVE-2013-2094 privilege escalation exploit (source code) |
| back.pl | fbaeef2b329b8c0427064eb883e3b999 | Perl | - | - | - | Reverse shell script written in Perl |
| nc.exe | 1c207af4a791c5e87dcd209f2dc62bb8 | PE | x86 | Tool.Netcat | - | Windows Netcat tool (UPX packed) |
| or.bin | 09b62916547477cc44121e39e1d6cc26 | Bash | - | - | - | Bash script containing a compressed and DES-encrypted backdoored version of OpenSSH (openssh-5.9p1.tgz) |
| SYN/Trustr | cd291abe2f5f9bc9bc63a189a68cac82 | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| SYN_1902 | 3e9a55d507d6707ab32bc1e0ba37a01a | ELF | x86 | Linux/BillGates | liv.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| winappes.exe/Windows_1902 | a91261551c31a5d9eec87a8435d5d337 | PE | x86 | BackDoor.Gates.8 | liv.t7ux.com | BillGates trojan Windows binary |
| xmapp | c5593d522903e15a7ef02323543db14c | ELF | x86 | - | liv.t7ux.com, www.t7ux.com | BillGates trojan Linux binary |

The provided packet capture did not contain traffic to the additional C&C domains identified during initial analysis of the extracted files (for example liv.t7ux.com and www.t7ux.com), which likely indicates that the attacker did not execute additional instances of the BillGates trojan. One of the extracted files, or.bin, contained an installation script that extracted, decrypted and installed a likely backdoored version of the OpenSSH daemon (openssh-5.9p1.tgz). Analysis of the SSH server version strings sent by the compromised host during negotiation of subsequent SSH connections did not reveal the presence of an OpenSSH-5.9p1 string.
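The or.bin dropper is the kind of artifact that should be carved rather than run. The following is an added example, not code from the original report or the challenge: it assumes the layout implied by the report's YARA strings (a shell stub containing "tail -n $line $0 |tar zx -C /tmp/.tmp123", then a newline and a raw gzip stream starting 1f 8b 08 00), locates the appended archive by its magic bytes and lists its members with tarfile without executing anything. The sample dropper is constructed in memory with placeholder contents; the real or.bin, its line computation and the DES key for the inner tarball are not on the page and are not reproduced, so the walk-through stops at the archive listing.

```python
"""Carve the appended archive from an or.bin-style self-extracting shell dropper.

Added example, not code from the original report. It assumes the layout
implied by the report's YARA strings: a shell stub containing
"tail -n $line $0 |tar zx -C /tmp/.tmp123" followed by a newline and a raw
gzip stream (1f 8b 08 00). The dropper is never executed: the payload is
located by its magic bytes and listed with tarfile. The sample dropper is
constructed in memory; the real or.bin is not reproduced here.
"""
import gzip
import io
import re
import tarfile

# Newline followed by the gzip header, the same bytes as the report's $o2 hex string.
GZIP_MAGIC = b"\n\x1f\x8b\x08\x00"
# The self-extract command from the report's $o1 string, with the line-counter
# variable and the target directory captured.
STUB_RE = re.compile(rb"tail -n \$(\w+) \$0 \|\s*tar zx -C (\S+)")


def find_stub(blob: bytes):
    """Return (counter_variable, extraction_dir) of the tail|tar command, or None."""
    m = STUB_RE.search(blob)
    if m is None:
        return None
    return m.group(1).decode(), m.group(2).decode()


def carve_gzip(blob: bytes) -> bytes:
    """Return the gzip stream appended after the stub; raise if the magic is absent."""
    idx = blob.find(GZIP_MAGIC)
    if idx < 0:
        raise ValueError("no appended gzip stream found")
    return blob[idx + 1:]  # drop the newline, keep the 1f 8b header


def list_archive(gz: bytes) -> list[str]:
    """List member names of a gzip-compressed tar without writing anything to disk."""
    with tarfile.open(fileobj=io.BytesIO(gz), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


def analyze_dropper(blob: bytes) -> dict:
    """Static triage of a dropper: stub details plus the carved archive listing."""
    stub = find_stub(blob)
    gz = carve_gzip(blob)
    return {
        "stub": stub,
        "archive_offset": blob.find(GZIP_MAGIC) + 1,
        "archive_size": len(gz),
        "members": list_archive(gz),
    }


def build_sample_dropper() -> bytes:
    """Construct a dropper shaped like or.bin (sample data; contents are dummy bytes)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        # The member name comes from the report; its contents are placeholder bytes,
        # not a real (or DES-encrypted) OpenSSH tarball.
        inner = b"placeholder for the encrypted openssh-5.9p1.tgz"
        info = tarfile.TarInfo("openssh-5.9p1.tgz")
        info.size = len(inner)
        tar.addfile(info, io.BytesIO(inner))
    stub = (
        b"#!/bin/bash\n"
        b"line=4\n"  # assumed: the real stub's line computation is not on the page
        b"mkdir /tmp/.tmp123 -p && tail -n $line $0 |tar zx -C /tmp/.tmp123\n"
        b"exit 0\n"
    )
    return stub + gzip.compress(raw.getvalue())


if __name__ == "__main__":
    print(analyze_dropper(build_sample_dropper()))
```

On a real sample, feed the file bytes to analyze_dropper; if the listed member is an encrypted tarball, the next step is to recover the decryption command and key from the stub text itself, which the carve leaves intact for reading.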

Between 2016-09-07T23:52:18Z and 2016-09-07T23:53:05Z the remote IP address 104.236.59.209 connected to the compromised system over TCP port 80 and downloaded two files: nc.exe and back.pl. The HTTP server on the compromised system identified itself as Apache/2.4.18 (Ubuntu), which suggests that the attacker successfully installed and ran the Apache httpd server. The system behind the IP address 104.236.59.209 may be another host compromised by the same attacker.

At 2016-09-08T01:22:06Z the attacker terminated the SSH session from the remote IP address 46.101.128.129. Analysis of the traffic showed an additional SSH session active around the same time, initiated from the IP address 71.171.119.98. The packet capture contained only a small fragment of the data exchanged, between 2016-09-08T01:22:09Z and 2016-09-08T01:22:25Z.

At approximately 2016-09-08T10:18:13Z the C&C domain top.t7ux.com started resolving to the new IP address 222.174.168.234. At the same time the compromised host attempted to connect to the new C&C IP address over TCP port 16081. At 2016-09-08T12:08:12Z the compromised host successfully connected to the C&C address and sent a "Hello" packet.

At 2016-09-09T13:46:05Z the compromised host sent 32038 UDP flood packets to UDP port 80 of the IP address 23.83.106.115. Analysis of the provided PCAP did not reveal any packets sent by the C&C server instructing the BillGates trojan running on the compromised host to initiate a denial of service attack against the IP address 23.83.106.115. Between 2016-09-09T13:46:05Z and 2016-09-09T13:46:21Z the compromised host sent multiple packets containing the string "23.83.106.115" to the C&C server, likely as confirmation of the performed UDP flood attack.

The last packet to the C&C server was captured at 2016-09-09T13:46:21Z.

Timeline

| Timestamp | Source IP Address | Destination IP Address | Protocol/Destination Port | Event Description |
|---|---|---|---|---|
| 2016-09-07T22:14:48Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | Initial SSH connection from the remote IP address 46.101.128.129. Duration: approximately 1m. |
| 2016-09-07T22:16:07Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | Second SSH connection from the remote IP address 46.101.128.129. Duration: approximately 3h. |
| 2016-09-07T22:16:16Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary java.log to the compromised host. |
| 2016-09-07T22:16:16Z | 120.210.129.29 | 104.236.210.97 | TCP/47520 | Initial alert on the HFS [File Download] Snort signature. |
| 2016-09-07T22:19:03Z | 104.236.210.97 | 8.8.8.8 | UDP/53 | First observed DNS A query for the domain top.t7ux.com. Resolution: 118.192.137.245. |
| 2016-09-07T22:19:03Z | 104.236.210.97 | 118.192.137.245 | TCP/16081 | First observed Hello beacon to the C&C IP address 118.192.137.245. |
| 2016-09-07T23:43:06Z | 104.236.210.97 | 198.199.99.226 | TCP/80 | Initiated transfer of multiple legitimate Ubuntu packages from the remote host mirrors.digitalocean.com. |
| 2016-09-07T23:43:06Z | 104.236.210.97 | 192.241.164.26 | TCP/80 | Initiated transfer of multiple legitimate Ubuntu packages from the remote host nyc2.mirrors.digitalocean.com. |
| 2016-09-07T23:47:06Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary 16081 to the compromised host. |
| 2016-09-07T23:47:24Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the CVE-2013-2094 exploit file 2.6.32 to the compromised host. |
| 2016-09-07T23:47:32Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the reverse shell script back.pl to the compromised host. |
| 2016-09-07T23:47:41Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the Netcat PE binary nc.exe to the compromised host. |
| 2016-09-07T23:47:50Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the Bash script or.bin to the compromised host. |
| 2016-09-07T23:49:07Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary SYN to the compromised host. |
| 2016-09-07T23:49:18Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary SYN_1902 to the compromised host. |
| 2016-09-07T23:49:40Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary Trustr to the compromised host. |
| 2016-09-07T23:50:06Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan PE binary winappes.exe to the compromised host. |
| 2016-09-07T23:50:24Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan PE binary Windows_1902 to the compromised host. |
| 2016-09-07T23:50:42Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary xmapp to the compromised host. |
| 2016-09-07T23:52:18Z | 104.236.59.209 | 104.236.210.97 | TCP/80 | Download of the Netcat PE binary nc.exe from the compromised host. |
| 2016-09-07T23:53:05Z | 104.236.59.209 | 104.236.210.97 | TCP/80 | Download of the reverse shell script back.pl from the compromised host. |
| 2016-09-08T01:22:06Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | End of the second SSH connection from the remote IP address 46.101.128.129. |
| 2016-09-08T01:22:09Z | 71.171.119.98 | 104.236.210.97 | TCP/22 | First captured packet of the SSH connection to the compromised host from the IP address 71.171.119.98. |
| 2016-09-08T01:22:25Z | 71.171.119.98 | 104.236.210.97 | TCP/22 | Last captured packet of the SSH connection to the compromised host from the IP address 71.171.119.98. |
| 2016-09-08T10:18:13Z | 8.8.8.8 | 104.236.210.97 | UDP/55022 | First observed DNS response pointing the top.t7ux.com domain to the new IP address 222.174.168.234. |
| 2016-09-08T10:18:13Z | 104.236.210.97 | 222.174.168.234 | TCP/16081 | First observed attempted connection to the C&C IP address 222.174.168.234. |
| 2016-09-08T10:54:44Z | 104.236.210.97 | 118.192.137.245 | TCP/16081 | Last observed TCP packet sent to the C&C IP address 118.192.137.245. |
| 2016-09-09T13:46:05Z | 104.236.210.97 | 23.83.106.115 | UDP/80 | 32038 UDP flood packets sent to the remote IP address 23.83.106.115. |
| 2016-09-09T13:46:21Z | 104.236.210.97 | 222.174.168.234 | TCP/16081 | Last observed TCP packet sent to the C&C IP address 222.174.168.234. |

Indicators

IP Addresses and Domains

The list of network indicators below is based solely on the network traffic observed in the provided PCAP and on analysis of the extracted artifacts:

| IP Address/Domain | Description |
|---|---|
| 46.101.128.129 | Source of suspicious SSH connection to the compromised host. |
| 71.171.119.98 | Source of suspicious SSH connection to the compromised host. |
| 120.210.129.29 | HFS server hosting the attacker's malware and tools. |
| 118.192.137.245 | Resolution of top.t7ux.com. BillGates trojan C&C. |
| 222.174.168.234 | Resolution of top.t7ux.com. BillGates trojan C&C. |
| 104.236.59.209 | Downloaded nc.exe and back.pl from the compromised host. |
| top.t7ux.com | C&C of BillGates trojan |
| www.vnc8.com | C&C of BillGates trojan |
| liv.t7ux.com | C&C of BillGates trojan |
| www.t7ux.com | C&C of BillGates trojan |
Snort Signatures
  • BillGates Trojan - "Hello" packet
alert tcp any any -> any any (msg:"BillGates Trojan [Hello]"; content:"|01 00 00 00|"; content:"|00 00 00 00 f4 01 00 00 32 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:5; pcre:"/(Linux|Windows)/"; byte_test:1,>,96,4; byte_test:1,<,160,4; dsize:<160; threshold:type limit, track by_src, count 1, seconds 3600; sid:999998; rev:1;)
  • BillGates Trojan - Transfer of Linux binary
alert tcp any any -> any any (msg:"BillGates Trojan [Linux - Transfer]"; content:"GatesType"; content:"AttackBase"; distance:5; within:20; content:"ThreadShell"; distance:10; within:20; threshold:type limit, track by_src, count 1, seconds 60; sid:999997; rev:1;)
  • BillGates Trojan - Transfer of Windows binary
alert tcp any any -> any any (msg:"BillGates Trojan [Windows - Transfer]"; content:"FakeDetectPayload"; content:"FakeDetectInfo"; distance:15; within:20; content:"ShellCmd"; distance:15; within:20; threshold:type limit, track by_src, count 1, seconds 60; sid:999996; rev:1;)
  • back.pl - Successful reverse shell connection
alert tcp any any -> any any (msg:"Reverse Shell [back.pl]"; flow: from_client, established; content:"Enjoy the shell.|0a|"; depth:17; dsize:<256; sid:999995; rev:1;)
  • 2.6.32 CVE-2013-2094 exploit - Transfer of the binary
alert tcp any any -> any any (msg:"Exploit [CVE-2013-2094 - Transfer]"; content:"!close(fd)|00|map[i+1]|00|i<0x010000000/4"; sid:999994; rev:1;)
  • BillGates Trojan - UDP Flood packet
alert udp any any -> any any (msg:"BillGates Trojan [UDP Flood]"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; pcre:"/\x00{900}/"; dsize:>900; threshold:type limit, track by_src, count 1, seconds 3600; sid:999993; rev:1;)
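To validate the Hello, UDP flood and back.pl signatures against payloads carved from the PCAP (or to reuse them in a tool that has no Snort engine), the same conditions can be expressed directly on the payload bytes. The block below is an added example, not code from the original report: it re-implements the content, offset, byte_test, dsize and pcre conditions of sid 999998, 999993 and 999995 in plain Python and runs them over constructed samples. The fixed header bytes are copied from the rule text above; the meaning of the individual header bytes (including the byte at offset 4 that the rule constrains to 97..159) is not stated in the report and is not assumed here. The flow direction and threshold options of the rules are not modelled, since they depend on stream state rather than on a single payload.

```python
"""Payload checks equivalent to three of the report's BillGates Snort signatures.

Added example, not code from the original report. Re-implements the
content/offset/byte_test/dsize/pcre conditions of sid 999998 (Hello),
sid 999993 (UDP flood) and sid 999995 (back.pl banner) as plain Python, so
they can be applied to payloads carved from a PCAP without a Snort instance.
The threshold and flow options are stream-level and are not modelled.
Sample payloads below are constructed; they are not packets from the PCAP.
"""
import re

# Bytes from the rule "BillGates Trojan [Hello]": |01 00 00 00| anywhere, and the
# fixed block searched from offset 5 (bytes.fromhex accepts the spaced form as written).
HELLO_LEAD = bytes.fromhex("01 00 00 00")
HELLO_FIXED = bytes.fromhex(
    "00 00 00 00 f4 01 00 00 32 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)
HELLO_OS = re.compile(rb"Linux|Windows")

UDP_ZERO_PREFIX = bytes(16)
UDP_ZERO_RUN = re.compile(rb"\x00{900}")

BACKPL_BANNER = b"Enjoy the shell.\n"  # 17 bytes, matched with depth:17


def is_billgates_hello(payload: bytes) -> bool:
    """sid:999998 - contents, offset:5, byte_test 96 < b[4] < 160, dsize:<160, pcre."""
    if len(payload) >= 160 or len(payload) < 5:
        return False
    if payload.find(HELLO_LEAD) < 0:
        return False
    if payload.find(HELLO_FIXED, 5) < 0:      # offset:5 - the search starts at byte 5
        return False
    if not (96 < payload[4] < 160):           # byte_test:1,>,96,4 and byte_test:1,<,160,4
        return False
    return HELLO_OS.search(payload) is not None


def is_billgates_udp_flood(payload: bytes) -> bool:
    """sid:999993 - 16 zero bytes within depth:16, a run of 900 zeros, dsize:>900."""
    return (
        len(payload) > 900
        and payload[:16] == UDP_ZERO_PREFIX       # 16-byte content at depth:16 = at offset 0
        and UDP_ZERO_RUN.search(payload) is not None
    )


def is_backpl_banner(payload: bytes) -> bool:
    """sid:999995 - the 17-byte banner within depth:17 (so at the start), dsize:<256.
    The rule's flow:from_client,established is not checked here."""
    return len(payload) < 256 and payload.startswith(BACKPL_BANNER)


def classify(payload: bytes) -> list[str]:
    """Return the msg strings of all signatures a payload matches."""
    hits = []
    if is_billgates_hello(payload):
        hits.append("BillGates Trojan [Hello]")
    if is_billgates_udp_flood(payload):
        hits.append("BillGates Trojan [UDP Flood]")
    if is_backpl_banner(payload):
        hits.append("Reverse Shell [back.pl]")
    return hits


def sample_hello(kernel: bytes = b"Linux 4.4.0.0-36-generic", version: bytes = b"G2.40") -> bytes:
    """Constructed Hello-like payload: lead bytes, 0x80 at offset 4, the fixed block, then
    the kernel and malware version strings the report says the beacon carried, padded to
    128 bytes. 0x80 only satisfies the byte_test range; its meaning is not assumed."""
    body = HELLO_LEAD + b"\x80" + HELLO_FIXED + kernel + b"\x00" + version + b"\x00"
    return body.ljust(128, b"\x00")


if __name__ == "__main__":
    for name, pkt in [
        ("hello", sample_hello()),
        ("flood", bytes(1024)),
        ("banner", BACKPL_BANNER + b"$ "),
        ("benign", b"GET / HTTP/1.1\r\n\r\n"),
    ]:
        print(name, classify(pkt))
```

Running this over every TCP payload to port 16081 and every UDP payload from the compromised host reproduces the Hello and flood hits described in the Analysis section; the benign HTTP request shows that none of the three checks fire on ordinary traffic.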
Yara Rules
  • BillGates Trojan (Windows and Linux binaries)
rule BillGates
{
	strings:
		$elf = "\x7fELF"
		$mz = "MZ"
		$b1 = "ThreadShell"
		$b2 = "CheckGatesType"
		$b3 = "AttackBase"
		$b4 = "PacketAttack"
		$b5 = "agony.pdb"
		$b6 = "Gates.pdb"
		$b7 = "Beikong"
	condition:
		($elf at 0 or $mz at 0) and 2 of ($b*)
}
  • Reverse shell script back.pl
rule Back
{
	strings:
		$s1 = "Remote_IP Remote_Port \\n\";"
		$s2 = "\"Enjoy the shell.\\n\";"
	condition:
		2 of ($s*)
}
  • UPX-packed Netcat tool nc.exe
import "pe"

rule Netcat_UPX
{
	condition:
		pe.characteristics and pe.sections[0].name == "UPX0" and pe.sections[1].name == "UPX1" and pe.sections[2].name == "UPX2" and pe.imports("WSOCK32.dll") and filesize == 28160
}
  • Bash script or.bin
rule or_bin
{
	strings:
		$o1 = "mkdir /tmp/.tmp123 -p && tail -n $line $0 |tar zx -C /tmp/.tmp123"
		$o2 = { 0a 1f 8b 08 00}
	condition:
		2 of ($o*)
}
  • CVE-2013-2094 exploit ELF binary 2.6.32
rule CVE_2013_2094_Exploit
{
	strings:
		$elf = "\x7fELF"
		$s1 = "semtex.c"
		$s2 = "!close(fd)"
		$s3 = "map[i+1]"
		$s4 = "i<0x010000000/4"
		$s5 = "!setuid(0)"
		$s6 = "/bin/bash"
		$s7 = "2.6.37-3.x x86_64"
		$s8 = "sd@fucksheep.org 2010"
	condition:
		$elf at 0 and 3 of ($s*)
}
Host Indicators

The existence of the following files on a filesystem can indicate that the BillGates trojan was executed on the host. The list is based on execution of the java.log file on a sandbox system:

/tmp/gates.lod
/tmp/moni.lod
/usr/bin/.sshd
/usr/bin/dpkgd/lsof
/usr/bin/dpkgd/netstat
/usr/bin/dpkgd/ps
/usr/bin/dpkgd/ss
/usr/bin/bsd-port/getty
/usr/bin/bsd-port/getty.lock
/etc/rc2.d/S97DbSecuritySpt
/etc/rc3.d/S97DbSecuritySpt
/etc/rc5.d/S97DbSecuritySpt
/etc/rc4.d/S97DbSecuritySpt
/etc/rc1.d/S97DbSecuritySpt
/etc/rc2.d/S99selinux
/etc/rc3.d/S99selinux
/etc/rc5.d/S99selinux
/etc/rc4.d/S99selinux
/etc/rc1.d/S99selinux
/etc/init.d/selinux

References
