April 2008 Archives

Captured about an hour's worth of pcap traffic and decided to pull out those notorious spam templates being sent to and from my infected bot.  Will write a quick parser to pick through them based on From, To, Subject, User-Agent and Message-ID, all of which are assembled within the spam template and then spoofed out using your infected bot as the spamming engine.  Listed below are those spam templates from my infected VM bot; here is just one to give you an idea of what it looks like:
template1.txt

Here are the rest if you are interested in seeing all the data: 
spamtemplates.tar.gz

MITRE Honeyclient project - CPAN

I noticed a project I worked on published their code on CPAN at:  http://search.cpan.org/~mitrehc/HoneyClient-Manager-0.99/.  To my knowledge the project integrated with Capture-HPC to handle their real-time integrity check functionality.  Additionally, if you want to find out more about the status of the project, you can visit their main site at:  http://honeyclient.org/trac.  If you are curious and don't know what a honeyclient is, it is "a dedicated host that drives specially instrumented applications to access remote servers to see if those servers are behaving in a malicious manner. Specifically, honeyclients can proactively detect exploits against client applications without known signatures."  Some of my work can be found here as well:  http://search.cpan.org/src/MITREHC/HoneyClient-Manager-0.99/lib/HoneyClient/Manager/FW.pm
or
http://honeyclient.org/trac/browser/honeyclient/trunk/lib/HoneyClient/Manager/FW.pm

pcaplistener-v0.2.pl

I added some more functionality to my homemade sniffer, which now grabs all the outbound DNS packets from my infected bot.  The variant I am running I grabbed from sudosecure.net: 681554faf60a96ad2fcebcee4a8e0b53  StormCodec8.exe.  Some quick stats: in thirty minutes of sniffing, I grabbed 6781 unique DNS hostnames and 12383 IP addresses (6748 unique) going across the wire.  Here is a file with the latest printout of IPs => GeoIP lookup: 
042808_latest_run.txt


Here is a snippet of the hostnames I found coming from my box once infected; the file lists hostname => number of IPs it resolves to, and all the IP addresses: 
dnsoutputfile.txt

I have some more data but will put it up later...
Wrote a sniffer in Perl to pull out all the unique IP addresses from my infected honeypot based on the stormcodec.exe variant.  From there, I stuff them into a MySQL table for later analysis.  The script checks for duplicates before adding a row to the table.  Will start parsing UDPObj and TCPObj->{data} for URLs so I can start potentially keeping track of FF domains.  I need to add some more functionality to log first and last seen, which should not be that hard.  I am using the Net::Pcap package to do all the heavy lifting here, as I don't have to substring through the packets picking through the TCP/UDP/ICMP header structure.  For specific cases that might be necessary, but this works for me for now.  The code is version 0.1, so that should speak for itself.  The DB schema is not listed but can be figured out very easily.  Alas, here it is: 
pcaplistener_pl.txt

The captured unique IP addresses are listed below:
storm_sniffer_geo.txt
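The DNS side of the sniffer above is only linked, not shown. As an added example, not the pcaplistener script itself, here is the piece a practitioner needs to turn "outbound DNS packets" into a per-hostname count: a decoder for the question section of a DNS message. Feeding it from Net::Pcap would mean handing it NetPacket::UDP's ->{data} for packets with dest_port 53 (an assumption about how the linked script is put together); the messages below are constructed inline so the parser runs with no capture file. The fourth sample has a QNAME that is a compression pointer to itself, the classic way a crafted packet makes a naive name walker spin.

```perl
#!/usr/bin/perl
# Added example, not the pcaplistener script linked above: decode the question
# section of a DNS message so outbound queries can be counted per hostname.
# In a live sniffer the bytes would be NetPacket::UDP's ->{data} for a packet
# with dest_port 53 (an assumption about the linked script); here the messages
# are constructed inline so the parser runs offline.
use strict;
use warnings;

# Build a DNS query on the wire (constructed sample, not captured traffic):
# 12-byte header, then QNAME as length-prefixed labels, then QTYPE/QCLASS.
sub build_query {
    my ( $name, $qtype ) = @_;
    my $qname = join( '', map { pack( 'C/a*', $_ ) } split /\./, $name ) . "\0";
    return pack( 'n6', 0x1234, 0x0100, 1, 0, 0, 0 )    # id, RD flag, qdcount=1
         . $qname . pack( 'n2', $qtype, 1 );           # qtype, class IN
}

# Read a (possibly compressed) name at $off.  Returns (name, offset after it),
# or (undef, undef) for a truncated message or a pointer loop.
sub read_name {
    my ( $pkt, $off ) = @_;
    my ( @labels, %seen, $end );
    my $len = length $pkt;
    while (1) {
        return ( undef, undef ) if $off >= $len;
        my $l = ord( substr( $pkt, $off, 1 ) );
        if ( $l == 0 ) { $off++; last; }
        if ( ( $l & 0xC0 ) == 0xC0 ) {                # RFC 1035 4.1.4 pointer
            return ( undef, undef ) if $off + 1 >= $len;
            my $ptr = unpack( 'n', substr( $pkt, $off, 2 ) ) & 0x3FFF;
            return ( undef, undef ) if $seen{$ptr}++;  # refuse to loop
            $end = $off + 2 unless defined $end;        # name ends after 1st pointer
            $off = $ptr;
            next;
        }
        return ( undef, undef ) if $off + 1 + $l > $len;
        push @labels, substr( $pkt, $off + 1, $l );
        $off += 1 + $l;
    }
    $end = $off unless defined $end;
    return ( join( '.', @labels ), $end );
}

# First question as (qname, qtype, is_response), or () if the message is bad.
sub dns_question {
    my ($pkt) = @_;
    return () if length($pkt) < 12;
    my ( $id, $flags, $qdcount ) = unpack( 'n3', $pkt );
    return () if $qdcount < 1;
    my ( $name, $off ) = read_name( $pkt, 12 );
    return () unless defined $name && $off + 4 <= length($pkt);
    my ($qtype) = unpack( 'n', substr( $pkt, $off, 2 ) );
    return ( $name, $qtype, ( $flags & 0x8000 ) ? 1 : 0 );
}

# Three well-formed queries plus one whose QNAME is a pointer to itself.
my @samples = (
    build_query( 'winghit.com',   1 ),
    build_query( 'motherdry.com', 1 ),
    build_query( 'winghit.com',   1 ),
    pack( 'n6', 0x1234, 0x0100, 1, 0, 0, 0 ) . "\xC0\x0C" . pack( 'n2', 1, 1 ),
);
my ( %hostcount, $malformed );
for my $pkt (@samples) {
    my ( $qname, $qtype, $is_resp ) = dns_question($pkt);
    if ( !defined $qname ) { $malformed++; next; }
    next if $is_resp;                         # count outbound queries only
    $hostcount{$qname}++;
}
printf "%-30s %d\n", $_, $hostcount{$_} for sort keys %hostcount;
print "malformed: ", $malformed || 0, "\n";
```

Running it prints winghit.com twice and motherdry.com once, and reports the looping packet as malformed instead of hanging. The %seen guard in read_name is the part worth keeping when the input is bot traffic rather than a trusted resolver.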

So where should I send the money?

I run my own mail server here at home using Postfix and do a pretty good job of blocking most spam, but every now and then a few sneak through.  Like this laugher:

-----------------
Dear Friend,

I am sorry for using this medium of communication in contacting you, but be informed that it is based on the urgent nature of this deal that I am about to present to you now for your consideration.

First, it will be my great pleasure to introduce myself to you. I am Mr. Richard Bright, native of United Kingdom and the executive fund Manager with Safeway Financial Services, BD15ZG,Bradford, UK. I handle all our Investors Capital Project Funds. I was able to divert 1.2% investors Excess Return Capital Funds to our Safeway Trust Funds Account whereby I can easily present anyone of my choice to claim the funds. On this note, the total sum of 5.745Milion GBP has been diverted representing the 1.2% Excess Return Capital Funds from the Investors Capital Project Funds for 2005/2006.And this said funds has been moved to a Security and Finance firm account in asia.I need a reliable and trustworthy person that can work this deal out with me so that we can claim the funds as mentioned above.

There is no risk attached and the funds in question can never be detected or traced. Our sharing ratio is 70:30. If you are interested, kindly reply back to my private email;richardbright77@yahoo.com. to enable me provide you with in further details on how we shall proceed to realize the transaction.Please if you are not interested don't use this form to betray me.

Sincerely,

Mr. Richard Bright

-------

Taking a look at the header info:

Return-Path: <wwwrun@servidorweb.gobernaciondecaldas.gov.co>
X-Original-To: xx@xxx.xx
Delivered-To: xx@xxx.xx
Received: from servidorweb.gobernaciondecaldas.gov.co (unknown [200.21.94.89])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.mailserver.net (Postfix) with ESMTPS id 87E17790049
for <xx@xxx.xx>; Fri, 25 Apr 2008 01:16:36 -0400 (EDT)
Received: from wwwrun by servidorweb.gobernaciondecaldas.gov.co with local (Exim 4.44)
id 1JpGKK-0005ak-GO
for xx@xxx.xx; Fri, 25 Apr 2008 00:18:28 -0500
To: xx@xxx.xx
Subject: Get Back T o Me.
From: Richard Bright <richardbright77@yahoo.com>
Reply-To: richardbright77@yahoo.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: <E1JpGKK-0005ak-GO@servidorweb.gobernaciondecaldas.gov.co>
Sender: WWW daemon apache <wwwrun@servidorweb.gobernaciondecaldas.gov.co>
Date: Fri, 25 Apr 2008 00:18:28 -0500

Doing a quick lookup on 200.21.94.89 gives me:
COLOMBIA TELECOMUNICACIONES S.A. ESP,5.06999999999999,-75.5206,,A

Doing a quick arin lookup, I get:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

ReferralServer: whois://whois.lacnic.net

NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS2.DNS.BR
NameServer: NS3.AFRINIC.NET
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details, or check the
Comment: WHOIS server located at http://whois.lacnic.net
RegDate: 2002-07-27
Updated: 2007-12-17

OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Whois Info
OrgTechPhone:
OrgTechEmail: whois-contact@lacnic.net

It's like chasing your tail; probably using a relay and spoofed. I love getting these, and it's way too amazing that people fall for this shit.
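The WHOIS trail above dead-ends at a /8, but the headers themselves say more than the lookups do. As an added example (not code from this post), the script below walks the Received: chain of that message from the bottom up, which is the order the hops were stamped on, and reports where the message entered the mail system. The header block is the one quoted above, reproduced as a constructed sample with the recipient masked as on the page and the folded continuation lines indented as they are on the wire.

```perl
#!/usr/bin/perl
# Added example, not code from the post: walk the Received: headers of the
# 419 message above from the bottom up (the order the hops were stamped on)
# and report where the message entered the mail system.
use strict;
use warnings;

# Constructed sample: the header block quoted above, recipient masked as on
# the page, folded continuation lines indented as they are on the wire.
my $headers = <<'END';
Return-Path: <wwwrun@servidorweb.gobernaciondecaldas.gov.co>
X-Original-To: xx@xxx.xx
Delivered-To: xx@xxx.xx
Received: from servidorweb.gobernaciondecaldas.gov.co (unknown [200.21.94.89])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.mailserver.net (Postfix) with ESMTPS id 87E17790049
    for <xx@xxx.xx>; Fri, 25 Apr 2008 01:16:36 -0400 (EDT)
Received: from wwwrun by servidorweb.gobernaciondecaldas.gov.co with local (Exim 4.44)
    id 1JpGKK-0005ak-GO
    for xx@xxx.xx; Fri, 25 Apr 2008 00:18:28 -0500
From: Richard Bright <richardbright77@yahoo.com>
Reply-To: richardbright77@yahoo.com
Sender: WWW daemon apache <wwwrun@servidorweb.gobernaciondecaldas.gov.co>
END

# Unfold continuations (a line starting with whitespace belongs to the
# previous header) and return [name, value] pairs in order.
sub parse_headers {
    my ($text) = @_;
    my @hdrs;
    for my $line ( split /\r?\n/, $text ) {
        if ( $line =~ /^[ \t]+(.*)$/ && @hdrs ) {
            $hdrs[-1][1] .= " $1";
        }
        elsif ( $line =~ /^([\w-]+):\s*(.*)$/ ) {
            push @hdrs, [ $1, $2 ];
        }
    }
    return @hdrs;
}

# Pull the from/by/with/id/date clauses out of one Received: value.  The
# peer IP lives inside a (comment), so grab it before comments are removed.
sub parse_received {
    my ($v) = @_;
    my %hop;
    ( $hop{ip} ) = $v =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]/;
    1 while $v =~ s/\([^()]*\)//g;    # strip (comments), innermost first
    ( $hop{from} ) = $v =~ /\bfrom\s+(\S+)/;
    ( $hop{by} )   = $v =~ /\bby\s+(\S+)/;
    ( $hop{with} ) = $v =~ /\bwith\s+(\S+)/;
    ( $hop{id} )   = $v =~ /\bid\s+(\S+)/;
    ( $hop{date} ) = $v =~ /;\s*(.+?)\s*$/;
    return \%hop;
}

# MTAs prepend Received:, so the last one in the block is the first hop.
# Returns the hops oldest-first.
sub received_chain {
    my ($text) = @_;
    my @rcv = map { parse_received( $_->[1] ) }
              grep { lc( $_->[0] ) eq 'received' } parse_headers($text);
    return reverse @rcv;
}

sub d { defined $_[0] ? $_[0] : '?' }

my @chain = received_chain($headers);
for my $i ( 0 .. $#chain ) {
    my $h = $chain[$i];
    printf "hop %d: from %s%s by %s with %s id %s\n", $i + 1, d( $h->{from} ),
        $h->{ip} ? " [$h->{ip}]" : '', d( $h->{by} ), d( $h->{with} ), d( $h->{id} );
}

# "with local" on the first hop means the message was handed to Exim on the
# web server by the local user wwwrun, not received over SMTP from anywhere
# else.  That agrees with Sender: and Return-Path: and points at a script on
# that web server (an abused form mailer) rather than at an open relay.
my $first = $chain[0];
if ( $first && d( $first->{with} ) eq 'local' ) {
    print "origin: injected locally on $first->{by} by user $first->{from}\n";
}
```

Stripping the parenthesised comments before matching matters: the TLS comment on the Postfix hop contains "with cipher", which a plain /with\s+(\S+)/ would pick up instead of "ESMTPS". The only hop that can be trusted is the one your own server wrote; everything older is whatever the sender chose to put there, which is why the check starts from the bottom.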

More FFSNs?

During a 25 minute network traffic capture of one of my infected Storm bots, I grabbed hundreds of IP addresses, either from spam propagation or found within the payload of the pcap.  Listed below is the file of URLs.
domains.txt

Of those 58 URLs that were parsed out, I noticed 7 that came back with 20 unique A records each; those were the following:

Hostname => Number of A records
didstill.com => 20
enoughfraction.com => 20
gladgave.com => 20
motherdry.com => 20
thinbring.com => 20
verbcase.com => 20
winghit.com => 20

Listed below are the IPs associated with those hostnames:
042308_ffoutput.txt and the ugly ass script that produced it:
ffcheck_pl.txt


Doing a GeoIP lookup on all of those IP addresses got me the following:
042308_ff_geooutput.txt

Below is a Perl script I used to pull all the URLs and email addresses out of tcpflow results from network traffic of an infected Storm bot.  The script can be run using the following:

perl stormextraction -dir /data/tcpflowresults/

Here is the script:

#!/usr/bin/perl

# simple little hack to pull URL's out of tcpflow results from captured storm data
# JD Durick <jd@labgeek.net>
# runs on a directory after you have run:  tcpflow -r <storm pcap file>, this mainly contains email header information
# email address, subjects, and html links that you are asked to visit.
# version 0.1

# format of data: (really can be anything with a URL in the file)
#----------------
#To: <sms5672@daum.net>
#Subject: Holidays are near, but u know how not to give hangover a chance
#Date: Sat, 19 Apr 2008 12:13:18 -0400
#MIME-Version: 1.0
#Content-Type: text/plain;
#        format=flowed;
#        charset="windows-1250";
#        reply-type=original
#Content-Transfer-Encoding: 7bit
#X-Priority: 3
#X-MSMail-Priority: Normal
#X-Mailer: Microsoft Outlook Express 5.50.4133.2499
#X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499
#
#Make your housewife happy with our original blue colored-tab!is http://starfoxguide.com

#TODO
# parse even more with URI to get just unique hostnames, something like $url->host()
# DNS resolver for each of URLS
# email domain breakdown

use strict;
use warnings;
use Getopt::Long;
use File::Spec;
use URI::Find;      # find_uris() spots the URLs; MIME::Parser and Digest::MD5 were
                    # only loaded "for later" and are left out until they are used

my $usage = "usage: $0 -dir <tcpflow output dir> [-output httpfile.txt]\n";
my $dir;
my $output   = "httpfile.txt";    # URL list
my $emailout = "email.txt";       # email address list
my $max_size = 90000;             # flows bigger than this are binary junk, not mail
my ( %url, %emails );
my $counter = 0;

GetOptions(
        "dir:s"    => \$dir,
        "output:s" => \$output
) or die $usage;
die $usage unless $dir;

# get all the http:// urls that are found in all the emails sent out.
opendir( my $dh, $dir ) || die("Cannot open directory $dir: $!\n");

# Get contents of directory, minus . and ..
my @dir_contents = grep { !/^\.\.?$/ } readdir($dh);
closedir($dh);

foreach my $file (@dir_contents) {
        # catfile() works whether or not -dir was given with a trailing /
        my $fullpathname = File::Spec->catfile( $dir, $file );
        next unless -f $fullpathname;
        my $fsize = -s $fullpathname;
        $counter++;
        #print "[$counter]:  Processing  $fullpathname and size = $fsize\n";
        next if $fsize >= $max_size;

        open( my $fh, '<', $fullpathname ) || do { warn "Cannot open $fullpathname: $!\n"; next; };
        while ( my $line = <$fh> ) {
                find_uris(
                        $line,
                        sub {
                                my ( $uri, $orig_uri ) = @_;
                                $url{$orig_uri} = 1;
                                return $orig_uri;    # find_uris() splices the return value back into $line
                        }
                );
        }
        close $fh;

        # lets get a list of all those email addresses we see
        getEmail($fullpathname);
}

open( my $out, '>', $output ) || die("Cannot write $output: $!\n");
foreach my $u ( sort keys %url ) {

        # lets get rid of those http://
        #       $u =~ s/^https?:\/\///;
        print $out "$u\n";
}
close $out;

# write the address list once, after every flow has been read
open( my $email_fh, '>', $emailout ) || die("Cannot write $emailout: $!\n");
print $email_fh "$_\n" foreach sort keys %emails;
close $email_fh;

# collect every address-looking token in a file into %emails
sub getEmail {
        my $filename = shift;

        open( my $fh, '<', $filename ) || do { warn "Cannot open $filename: $!\n"; return; };
        while ( my $line = <$fh> ) {
                next if ( $line =~ /^\s*$/ );
                # /g catches every address on the line, not just the first
                while ( $line =~ /\b([A-Za-z0-9_%+.-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4})\b/g ) {
                        $emails{$1} = 1;
                }
        }
        close $fh;
}
__END__

motherdry.com

Just like winghit.com, motherdry.com is a Canadian pharmacy that resolves to many different IP addresses:

root@redbox:/data# nslookup motherdry.com

Non-authoritative answer:
Name:   motherdry.com
Address: 61.223.224.199
Name:   motherdry.com
Address: 67.166.150.21
Name:   motherdry.com
Address: 69.14.247.212
Name:   motherdry.com
Address: 70.224.192.172
Name:   motherdry.com
Address: 77.238.231.111
Name:   motherdry.com
Address: 78.94.107.58
Name:   motherdry.com
Address: 78.151.98.51
Name:   motherdry.com
Address: 82.83.192.46
Name:   motherdry.com
Address: 84.51.82.231
Name:   motherdry.com
Address: 84.62.229.251
Name:   motherdry.com
Address: 85.29.230.115
Name:   motherdry.com
Address: 85.30.194.164
Name:   motherdry.com
Address: 85.180.178.189
Name:   motherdry.com
Address: 88.66.199.9
Name:   motherdry.com
Address: 89.169.103.188
Name:   motherdry.com
Address: 89.173.21.202
Name:   motherdry.com
Address: 91.66.83.97
Name:   motherdry.com
Address: 125.232.100.18
Name:   motherdry.com
Address: 220.75.199.72
Name:   motherdry.com
Address: 220.208.7.115

Breaking down the IPs once again gives me the following:
61.10.122.23,HK,Hong Kong,00,Central District,22.2833,114.15,,,HK Cable TV Ltd,hkcable.com.hk
61.223.224.199,TW,Taiwan,04,Kaohsiung,22.6333,120.35,,,Chunghwa Telecom Data communication Business Group,hinet.net
62.24.81.195,CZ,Czech Republic,52,Prague,50.0833,14.4667,,,UPC Internet CATV,upc.cz
67.166.150.21,US,United States,CA,Sacramento,38.5765,-121.4445,916,,Comcast Cable,comcast.net
69.14.247.212,US,United States,MI,Sterling Heights,42.5829,-83.0341,586,,WideOpenWest,wideopenwest.com
70.224.192.172,US,United States,MI,Ralph,46.1085,-87.7844,906,,SBC Internet Services,ameritech.net
77.238.231.111,RU,Russian Federation,48,Moscow,55.7522,37.6156,,,P2P block,teleru.net
78.94.107.58,DE,Germany,07,Nörvenich,50.8,6.65000000000001,,,ISH GMBH & CO. KG,
78.151.98.51,GB,United Kingdom,,,54,-2,,,Opal Telecom,
84.62.229.251,DE,Germany,07,Korschenbroich,51.1833,6.51669999999999,,,Arcor AG,arcor-ip.net
85.29.230.115,EE,Estonia,08,Tudu,59.1772,26.8581,,,VIRUNET,vnet.ee
85.180.178.189,DE,Germany,05,Frankfurt Am Main,50.1167,8.6833,,,Alice DSL,alicedsl.de
89.169.103.188,RU,Russian Federation,48,Moscow,55.7522,37.6156,,,ZAO Infoline,
89.173.21.202,SK,Slovakia,02,Bratislava,48.15,17.1167,,,UPC Slovakia s.r.o,chello.sk
91.66.83.97,DE,Germany,09,Marpingen,49.45,7.05000000000001,,,Kabel Deutschland,
118.167.174.98,TW,Taiwan,03,Taipei,25.0392,121.525,,,CHTD, Chunghwa Telecom Co., Ltd.,hinet.net
212.15.149.153,JSK DCS,9.153,UA,Ukraine,17,Odessa,46.4667,30.7333,,A
220.75.199.72,Korea Telecom,R,Korea, Republic of,11,Seoul,37.5664,126.9997,,A
220.208.7.115,CATV tokushima Co.,Inc.,tcn.ne.jpa,34.0667,134.5666,,A
221.127.232.41,Hutchison Global Communications,Central District,22.2833,114.15,,A

winghit.com

Seeing this puppy more and more when looking at my Storm-infected network traffic:

root@honeybot:/data/tmp# nslookup winghit.com
Server:         x.x.x.x
Address:        x.x.x.x#53

Non-authoritative answer:
Name:   winghit.com
Address: 70.224.192.172
Name:   winghit.com
Address: 79.165.178.14
Name:   winghit.com
Address: 82.83.191.144
Name:   winghit.com
Address: 84.51.81.163
Name:   winghit.com
Address: 87.122.179.188
Name:   winghit.com
Address: 88.134.64.90
Name:   winghit.com
Address: 89.208.204.25
Name:   winghit.com
Address: 89.235.8.21
Name:   winghit.com
Address: 89.252.10.154
Name:   winghit.com
Address: 91.66.83.97
Name:   winghit.com
Address: 99.165.15.89
Name:   winghit.com
Address: 118.167.174.98
Name:   winghit.com
Address: 123.203.138.59
Name:   winghit.com
Address: 220.75.199.72
Name:   winghit.com
Address: 220.143.59.129
Name:   winghit.com
Address: 221.126.156.226
Name:   winghit.com
Address: 222.93.161.44
Name:   winghit.com
Address: 61.10.122.23
Name:   winghit.com
Address: 61.18.221.154
Name:   winghit.com
Address: 67.166.150.21

Taking each of the IPs and doing a GeoIP lookup yields the following:

70.224.192.172,US,United States,MI,Ralph,46.1085,-87.7844,906,,SBC Internet Services,ameritech.net
79.165.178.14,RU,Russian Federation,48,Moscow,55.7522,37.6156,,,Russian Central Telegraph, Moscow,
82.83.191.144,DE,Germany,06,Kirchlinteln,52.95,9.3167,,,Arcor AG,arcor-ip.net
84.51.81.163,RU,Russian Federation,47,Marfino,55.7047,37.3644,,,TRC Odintsovo,
87.122.179.188,DE,Germany,10,Neumünster,54.0667,9.98320000000001,,,Versatel Deutschland Dynamic Pool,versanet.de
88.134.64.90,DE,Germany,09,Bexbach,49.3333,7.26669999999999,,,Kabel Deutschland Breitband Services GmbH,superkabel.de
89.208.204.25,RU,Russian Federation,48,Moscow,55.7522,37.6156,,,Hosting and Colocation Services,thatcondensed.net
89.235.8.21,CZ,Czech Republic,88,Rudná,50.0333,14.2167,,,Brunet o.s.,
89.252.10.154,UA,Ukraine,13,Kiev,50.4333,30.5167,,,for Freenet customers and infrastructure,freenet.com.ua
91.66.83.97,DE,Germany,09,Marpingen,49.45,7.05000000000001,,,Kabel Deutschland,
99.165.15.89,US,United States,CA,Los Angeles,34.0416,-118.2988,323,,SBC Internet Services,
118.167.174.98,TW,Taiwan,03,Taipei,25.0392,121.525,,,CHTD, Chunghwa Telecom Co., Ltd.,hinet.net
123.203.138.59,HK,Hong Kong,00,Central District,22.2833,114.15,,,City Telecom (H.K.) Ltd.,ctinets.com
,Korea Telecom,R,Korea, Republic of,11,Seoul,37.5664,126.9997,,A
,Chunghwa Telecom Data communication Business Group,hinet.net
,Hutchison Global Communications,Central District,22.2833,114.15,,A
,CHINANET jiangsu province network,163data.com.cn3,,A
61.10.122.23,HK,Hong Kong,00,Central District,22.2833,114.15,,,HK Cable TV Ltd,hkcable.com.hk
61.18.221.154,HK,Hong Kong,00,Central District,22.2833,114.15,,,HK Cable TV Ltd,hkcable.com.hk
67.166.150.21,US,United States,CA,Sacramento,38.5765,-121.4445,916,,Comcast Cable,comcast.net

Gee, maybe part of the fast-flux network???
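The "20 unique A records" test in the More FFSNs? post, and the winghit.com and motherdry.com lookups above, all key on record count alone. As an added example, not the ffcheck script linked earlier, the script below scores a hostname on three traits that together separate a flux network from a large legitimate round-robin: many A records, short TTLs, and addresses scattered across many different /16 networks (a cheap stand-in for "different ISPs" when no GeoIP DB is handy). The thresholds are assumptions for illustration. The live lookup needs Net::DNS and the network; the scoring runs on any list of (ip, ttl) pairs, so the sample reuses the 20 winghit.com addresses from the nslookup above with an assumed 300 s TTL (nslookup does not print TTLs), next to a made-up ordinary host in the 203.0.113.0/24 documentation range.

```perl
#!/usr/bin/perl
# Added example, not the ffcheck script linked in the post: score a hostname's
# A records for fast-flux traits.  The post only counts A records; this also
# looks at TTL and at how many different /16 networks the addresses fall in.
use strict;
use warnings;

# Thresholds are assumptions for illustration, not values from the post.
my %T = ( min_records => 5, max_ttl => 600, min_prefixes => 5 );

# Live lookup (needs Net::DNS and the network); returns [ [ip, ttl], ... ].
sub resolve_a {
    my ($host) = @_;
    eval { require Net::DNS; 1 } or die "Net::DNS is not installed\n";
    my $res = Net::DNS::Resolver->new;
    my $q   = $res->query( $host, 'A' ) or return [];
    return [ map { [ $_->address, $_->ttl ] } grep { $_->type eq 'A' } $q->answer ];
}

# Distinct /16 prefixes: a cheap stand-in for "different ISPs" without GeoIP.
sub distinct_prefixes {
    my ($records) = @_;
    my %p;
    for my $r (@$records) {
        my ( $o1, $o2 ) = split /\./, $r->[0];
        $p{"$o1.$o2"} = 1;
    }
    return scalar keys %p;
}

# Returns a hashref with the measurements and a flux flag (two or more traits hit).
sub flux_score {
    my ( $host, $records ) = @_;
    my %ip = map { ( $_->[0] => 1 ) } @$records;
    my $n = scalar keys %ip;
    my ($min_ttl) = sort { $a <=> $b } map { $_->[1] } @$records;
    my $nets = distinct_prefixes($records);
    my @why;
    push @why, "$n A records"        if $n >= $T{min_records};
    push @why, "min TTL $min_ttl"    if defined $min_ttl && $min_ttl <= $T{max_ttl};
    push @why, "$nets distinct /16s" if $nets >= $T{min_prefixes};
    return {
        host => $host, records => $n, min_ttl => $min_ttl, prefixes => $nets,
        flux => ( @why >= 2 ? 1 : 0 ), why => \@why,
    };
}

# Constructed sample: the 20 winghit.com addresses from the nslookup above with
# an assumed 300 s TTL, and an ordinary host (documentation range) for contrast.
my @winghit = map { [ $_, 300 ] } qw(
    70.224.192.172 79.165.178.14 82.83.191.144 84.51.81.163 87.122.179.188
    88.134.64.90 89.208.204.25 89.235.8.21 89.252.10.154 91.66.83.97
    99.165.15.89 118.167.174.98 123.203.138.59 220.75.199.72 220.143.59.129
    221.126.156.226 222.93.161.44 61.10.122.23 61.18.221.154 67.166.150.21
);
my @plain = ( [ '203.0.113.10', 86400 ], [ '203.0.113.11', 86400 ] );

my @cases = ( [ 'winghit.com', \@winghit ], [ 'example.net', \@plain ] );
push @cases, map { [ $_, resolve_a($_) ] } @ARGV;   # perl ffscore.pl motherdry.com
for my $c (@cases) {
    my $r = flux_score(@$c);
    printf "%-16s A=%-3d minTTL=%-6s /16s=%-3d %s\n", $r->{host}, $r->{records},
        defined $r->{min_ttl} ? $r->{min_ttl} : 'n/a', $r->{prefixes},
        $r->{flux} ? 'FLUX? (' . join( ', ', @{ $r->{why} } ) . ')' : 'looks normal';
}
```

With the sample data winghit.com hits all three traits (20 records in 20 different /16s) and example.net none. Checking the TTL is what catches a flux domain on a day when the resolver only hands back a handful of records; re-resolving a few minutes apart and diffing the address sets is the natural next step, since churn between lookups is the other defining trait.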

stormcodec.exe pcap analysis

Ran stormcodec.exe for about 25 minutes and grabbed all the traffic via tcpdump (of course used -s 1514 for full packet size).  Ran my tflow_analyzer script and pulled out all the emails and domain links found from my tcpflow results (tcpflow -r stormcodec.pcap 'dst port 25') and got the following email file:

email.txt

My regex doesn't handle all the corner cases but still did a decent job.  After about 20 minutes of running it, I got 1193 unique email addresses.

Peerlist constantly being updated

After running StormCodec.exe for about an hour, the nivavir.config file shrank in size from 44k bytes to about 29k bytes, removing those suspected dead peers from the list.  Running the config parser again yielded the latest peer list with geographic locations; here is the file:
nivavir_geo_091400_041708.txt

nivavir.config decoding script

Let's try this again: my first attempt at decoding the peer list that comes with the StormCodec.exe variant was inaccurate at best, which was pointed out by Jeremy at sudosecure.net.  So after harvesting his hex_to_dec() function, I wrote something similar to his but added the GeoIP functionality, since I have a copy of the MaxMind DB at my disposal.   Littered with hard-coded paths, I don't expect anyone but me to use this.  Here are the files:

nivavir.config
nivavir_geo.txt


The script that creates all this is parsePeerList.pl.


I have attached a full listing (875 IPs) and was able to resolve them with geoip, here is the file for viewing:

geo_peer_list.txt

I might attach the perl script that generated this later....

April Foolsday.exe for Storm

I pulled down foolsday.exe from one of the many locations around the web; trustedsource.org is always helpful.  Running foolsday.exe automatically creates "aromis.exe", which starts running on your box and comes with a nice-sized peer list.  The peer list is called aromis.config, and it is in the format of:

0000A879942D0240C52B9F523E5DD75C=44E68F07228D00

Each line is a single hex-encoded peer in this format:
<128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>

The md5 of the foolsday.exe was:

efbda0041a443a38154d80ffddd5bcf3  foolsday.exe

The aromis.config is exactly 42k bytes in size.... With this set of IP:ports, I get 875 unique IP address/port combinations.
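The nivavir.config decoding post above and this one both describe the same line format without showing a decoder, so here is one as an added example; it is not the parsePeerList.pl script those posts refer to. Each line is split into the 32-hex-digit hash and the 14-hex-digit value, the value is packed into 7 bytes and unpacked as 4-byte IP, 16-bit port and 8-bit type. Byte order is an assumption: IP and port are read big-endian, which turns the sample line above into 68.230.143.7:8845, and the script counts peers unique by ip:port the way the post counts its 875. The sample input is constructed: the quoted line twice (to show de-duplication), one made-up entry in the 192.0.2.0/24 documentation range, and one junk line.

```perl
#!/usr/bin/perl
# Added example, not the parsePeerList.pl script the posts mention: decode the
# <128-bit hash>=<32-bit IP><16-bit port><8-bit type> lines of an aromis.config
# or nivavir.config peer list and count the unique ip:port pairs.  Byte order
# is an assumption: IP and port are read big-endian, which turns the line
# quoted above into 68.230.143.7:8845.
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Constructed sample: the line from the post (twice, to show de-duplication),
# one made-up entry in the documentation range, and one junk line.
my $config = <<'END';
0000A879942D0240C52B9F523E5DD75C=44E68F07228D00
0000A879942D0240C52B9F523E5DD75C=44E68F07228D00
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF=C0000201050000
not-a-peer-line
END

# Decode one line; returns a hashref, or undef if it does not fit the format.
sub parse_peer {
    my ($line) = @_;
    $line =~ s/\s+\z//;
    my ( $hash, $val ) = $line =~ /^([0-9A-Fa-f]{32})=([0-9A-Fa-f]{14})$/
        or return undef;
    my $raw = pack( 'H*', $val );                       # 14 hex digits -> 7 bytes
    my ( $ip_raw, $port, $type ) = unpack( 'a4 n C', $raw );
    return { hash => uc($hash), ip => inet_ntoa($ip_raw), port => $port, type => $type };
}

# Decode a whole peer list; returns (peers arrayref, stats hashref).  Peers
# are unique by ip:port, which is how the post counts its 875 entries.
sub parse_peer_list {
    my ($text) = @_;
    my ( @peers, %seen, $bad );
    for my $line ( split /\n/, $text ) {
        next if $line =~ /^\s*$/;
        my $p = parse_peer($line);
        if ( !$p ) { $bad++; next; }
        next if $seen{"$p->{ip}:$p->{port}"}++;
        push @peers, $p;
    }
    return ( \@peers, { unique => scalar @peers, malformed => $bad || 0 } );
}

my $text = $config;
if (@ARGV) {                                  # perl peerlist.pl aromis.config
    open( my $fh, '<', $ARGV[0] ) or die "$ARGV[0]: $!\n";
    local $/;
    $text = <$fh>;
}
my ( $peers, $stats ) = parse_peer_list($text);
printf "%-15s %-5s %-4s %s\n", 'ip', 'port', 'type', 'hash';
printf "%-15s %-5d %-4d %s\n", @{$_}{qw(ip port type hash)} for @$peers;
print "unique ip:port = $stats->{unique}, malformed lines = $stats->{malformed}\n";
```

On the sample it prints 68.230.143.7 port 8845 type 0 and 192.0.2.1 port 1280 type 0, then "unique ip:port = 2, malformed lines = 1". Point it at a real aromis.config to get the full table; a GeoIP column is a one-line addition once Geo::IP and the MaxMind database are installed, which is the step the post's own script takes.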


About this Archive

This page is an archive of entries from April 2008 listed from newest to oldest.

October 2007 is the previous archive.

May 2008 is the next archive.