Speaking Waledac

27 Jan 2009 Felix Leder botnet-protocols encrypted-traffic encryption waledac

While it seems to be impossible to say whether waledac is the successor of storm or not, what we can do is take a look at the traffic encryption. They guys over at Shadowserver have already blogged some details about this. We at the Giraffe Chapter investigated waledac’s communication protocol further. Here are our results.

Waledac uses regular HTTP request to transmit command requests and to retrieve responses. It uses HTTP fast-flux proxies to hide the true origin of the command&control (C&C) server. Due to the fact that the regular Windows HTTP API (WinINet) is used, the traffic is hard to differentiate from regular HTTP traffic. Furthermore, it even allows Waledac to use proxy servers after the user has generally authenticated. The requests use POST and encrypted + encoded payload data:

Picviz 0.5 out

25 Jan 2009 Sebastien Tricaud picviz visualization

The new release 0.5 of Picviz is out. This version comes with real-time mode enabled (and adds the libevent dependency) among other things, such as new properties and variables.

Get it from the usual place.

What is Picviz?

When considering log files for security, usual applications available today
either look for patterns using signature databases or use a behavioral
approach. In both cases, information can be missed. The problem becomes
bigger with systems receiving a massive amount of logs.

Waledac is wishing merry christmas

02 Jan 2009 Felix Leder waledac

Waledac is wishing merry christmas

There is a new bot in town. It’s called Waledac. The way it is spreading reminds a lot of people of the good old storm botnet: An email is sent containing a “christmas card” in form of the executable “postcard.exe”.

A preliminary view on the binary has been given by the Shadowserver guys (Steve Adair).

I had the chance to have a first look at the binary (MD5 ccddda141a19d693ad9cb206f2ae0de9) and want to note down some of my few findings to let the hunt begin.

Annual Honeynet Project Workshop

18 Dec 2008 Lance Spitzner workshop

Once a year the Honeynet Project brings together members from around the world for a one week workshop on honeypot research, development and deployments.  We are excited that for this year’s event the workshop will be sponsored and hosted by the International Multilateral Partnership Against Cyber-Threats (IMPACT), a public-private alliance against cyber threats.  IMPACT is based in Cyberjaya, Malaysia.  We are very excited for this opportunity as it will be the first time we have hosted the event in Asia.  We would like to thank IMPACT for their sponsorship and their tremendous support both for this event and the Honeynet Project.

libemu: Detecting selfencrypted shellcode in network streams

10 Dec 2008 Markus Koetter libemu shellcode

As libemu had it’s second release (0.2.0) lately, I’ll try to introduce it to the audience who did not hear about it yet.

libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics. Intended use is within network intrusion/prevention detections and honeypots.

This post is split into four parts:

  • Practical libemu usecase, showing how it executes shellcode and which information we get from it
  • Explanation of libemu and how it detects shellcode
  • High level shellcode profiling and pre-requirements for this step
  • API call hooking internals

Example

the input shellcode

The shellcode was created using metasploit 3, it is a windows bindshell decrypted with a xor chain. ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/countdown -t raw > msf_windows_shell_bind_tcp_countdown.bin In order to provide more realistic conditions, we added a 4k bytes long head as well as a 4k bytes long tail using random data. dd if=/dev/urandom of=4khead.bin count=4 ibs=1024 dd if=/dev/urandom of=4ktail.bin count=4 ibs=1024 And concatted the head, the shellcode, and the tail to our testing buffer. cat 4khead.bin msf_windows_shell_bind_tcp_countdown.bin 4ktail.bin > the_test_shellcode.bin

My usenix WASL 2008 slides are available

08 Dec 2008 Sebastien Tricaud

I gave a lecture on Picviz during the Usenix Workshop on the Analysis of System Logs (WASL 2008).

My slides ‘Picviz: finding a needle in a haystack’ are available right here.

I also ran for the Cray log analysis contest analysis. Slides of stuff I discovered are here.

I lost the contest by 1 vote only, but I was fighting against someone who knew a lot about Cray. He had in my opinion a better talk than mine, but I just started the contest after my morning lecture and I preferred talking with people during lunch than doing the contest ;-)

Welcome To The Honeynet Project Website!

07 Dec 2008 Lance Spitzner

Welcome to our new website as we enter the age of Web 2.0.  We have created a more dynamic website to allow our membes to create and publish their own content.  We have so many different activities going on with our various members that it can be challenging even for us to keep up.  The goal is that each member can now publish and share with the community whenever they like.  In addition we still have all the old content on the website.  We are still in the process of moving some content over, such as some of our KYE papers.  If you find content missing, a broken link or have any suggestions, please email us at [email protected].

MS08-067 exploitation in the wild

04 Nov 2008 Tillmann Werner

(This article was originally published at http://honeytrap.mwcollect.org/msexploit.)

If you followed IT security related blogs or mailinglists lately, you are aware that a critical server service vulnerability in Microsoft operating systems was published recently. I’m not going to talk about the details here, there are great resources available elsewhere (and the “reversing the ms08-067 patch” article isn’t the only advice about exploiting holes you get on that page).

OK, what have we got this time? One of our honeytrap sensors caught an MS08-067 exploitation attempt today which we take as an example to show how to perform a quick analysis and check what it does. If you want to play along, get the (sanitized) pcap from here.

ipv6 local-link scope is a mess

20 Oct 2008 Markus Koetter ipv6-d51 link-local

I’ve been looking on ipv6 lately, and even though I got a global /64 for free from he.net, I’m not that amused about ipv6 yet.

  • ipv6 link-local scope : if you have multiple interfaces with ipv6 link-local addresses, the operating system does not know which interface to use, so you have to append the interface to the hostname/ip when connecting hosts in link-local scope. If you do not use getaddrinfo, this information has to be passed to the bind/connect using
    struct sockaddr_in6.sin6_scope_id = if_nametoindex(devicename);
    This sounds weird, and it actually is:
    nc6 -6 -vv fe80::21f:d0ff:fe23:9b77%eth1 80
    may work for some people, but encoding the interface in url renders the whole url-idea useless
    http://[fe80::21f:d0ff:fe23:9b77%eth1]