Our demo will be working with the Illusion Bot,
and you can download this. It's all from the same GitHub that we got the Dire sample from.
So we're gonna take our Windows VM that we made previously, and
you can reset your Linux VMs as well,
change the settings for the display
if VMware Tools doesn't automatically resize the interface.
Confirm our IP address
on eth1. We have 10.0.0.1,
which should be on the same little network as our Windows box.
They should be able to ping each other. And just to make sure before we begin infecting things, I always like to double check my network
to make sure it's not
going out to the Internet, and it's not on NAT,
like this option. It is indeed on our own custom vnet.
I also like to run Wireshark,
and since we are going to start running services here
that catch and analyze network traffic and other things, I should warn you that it is very dumb to do it as root like I'm doing right now,
but I'm gonna do it anyway.
If a program like Wireshark gets compromised, which is completely possible because it has lots and lots of different
plugins and modules
contributed by lots of people, and they haven't fully been vetted, it could be a very bad thing.
So we're going to just look at
what IP address the different interfaces have in Wireshark,
and we are gonna watch the 10.0.0.1 interface because that is where the traffic from the infected machine
So there's no traffic right now, and we're going to
just do a simple ping.
We are getting something back,
we see these ping requests,
and then we have these ARP,
completely normal traffic.
So this time we're going to be working with the Illusion Bot,
downloaded from the same
place as the Dire example. We're working with
the industry standard password, which is "infected".
Antivirus companies usually know better than to try to open
zip files with that password.
So we're going to simply,
uh, do some dynamic analysis,
or excuse me, on this malware.
We're going to do what I typically do,
start the binary,
then watch the traffic.
Okay, we see from this IP address it's trying to reach out to this Internet
trying to go over port
Its origin port is not a big deal,
but its destination port
So what we want is the malware to act normally, to think it's in a safe environment. So what we're gonna use is a few tools, particularly a tool called INetSim.
It is a tool that basically emulates many different services
listening on standard default ports.
is all we need to type in,
and it starts listening on all these ports.
And it'll tell you the process IDs. It will tell you where it's storing,
where it's getting its data from,
and where it's producing its report.
And here in particular, we want to see where the config file is coming from.
So I can highlight this in the terminal and do Ctrl+Shift+C to copy within the terminal.
And I'm going to kill
these processes by hitting Ctrl+C.
So the simulation stopped. Nothing is listening on those ports anymore. We can verify this by doing netstat.
netstat -antp is where I usually go with.
You can look up for yourself what the options are.
And we can just see DHCP client is running on those ports, which are standard DHCP client ports.
I'm gonna use vim and then
space, Ctrl+Shift+V to paste what I copied before, which is the INetSim config file.
And vim is Vi Improved,
a text editor, a command-line text editor. There are friendlier ones like nano.
So the first thing we're gonna do when we're editing our config file is I'm gonna do a slash
and 10.0.0.1, or 10 dot
is fine, and it's basically searching the document for 10 dot,
where we see a service_bind_address parameter.
We're gonna uncomment this line,
which means to start paying attention to it,
which tells INetSim that it should start
paying attention to this parameter that we're giving it instead of whatever default it has. I'm gonna change the
address. It should bind to 10.0.0.1.
If we were to pull up another terminal
and do an ifconfig to see our IP address, we'll have one that's our Internet, which is behind NAT,
and it goes out to the Internet and has this IP address, and then our other interface has this IP address. So by default, it would probably go with zero, and it would
emulate all the services on the ports on this IP address, this interface. Uh, and we want to guarantee that it's running on this interface.
Escape, because vim's syntax is a little weird, and do another search.
First option is a DNS bind port. We're gonna keep it as default, hit n for next, hit n for next,
DNS default IP.
n for next, n for next,
and i for insert. I'm gonna delete the comment on this line,
and I'm going to specify that the address it should return for all DNS queries will be this one, 10.0.0.1. So I'm specifying that not only am I
everything it's ever looking for, but
I am also all these things. There's a fake time server on here. There's a fake
HTTP server and all sorts of good stuff.
So now we've configured
INetSim to how we want it.
Again, we probably shouldn't be running this as root.
Over on our Windows computer,
just open up Internet Explorer.
It goes to microsoft.com,
but it's intercepted by our INetSim program,
and the DNS server says, oh, microsoft.com has this IP address, 10.0.0.1. And it goes there, and the web server that INetSim has set up will return this page for everything.
We'll return this page, anything I want,
and you can also specify particular files, so all PHP files will return something, or all
EXE files will return a file that I've pre-specified for INetSim.
And we see all this traffic.
This was from the browser
that I just opened. I'm gonna reset it,
and our malware should still be
It doesn't look like it's calling out anymore.
So you'll see that it's not using DNS to resolve an IP address; it's trying to contact that IP address directly.
So that might tell us one of a few things. One, it might be a clumsily written piece of malware because
it doesn't take into account machines that are behind proxies.
But that's not our problem. Our problem is we want to know what kind of traffic is being sent out.
We want to know what it's doing.
There is something cool we can do
in that we can redirect not only all domains, but all IP addresses.
We can do that pretty simply. I'm gonna stop capture for a minute. I will try to grab host indicators later, but now I am trying to
collect more network indicators.
In order to capture all the IP addresses
instead of just domain names,
I'm gonna add a route.
So the syntax is route add,
I'm gonna give it a base address,
mask, like what should
and which it should ignore, 255.255.255.255,
and then the IP address
of where I want all this traffic to go. Let's just say that all traffic
should be funneled to this IP address,
which is 10.0.0.1,
and over on the Linux side,
I'm gonna have to open another terminal
and I'm gonna add an iptables route.
So iptables -t
nat -A
for eth1, because that's where we want to direct all of our traffic to.
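The vim edits and the redirect step above, scripted as an added example (not from the video or the INetSim project): it assumes a stock inetsim.conf where the two options are commented out with `#`, a sink interface eth1 at 10.0.0.1, and the iptables REDIRECT target as the form of the rule the speaker starts typing.

```shell
#!/bin/sh
# Added example: automate the INetSim config edits and the traffic redirect.
# Assumptions: stock inetsim.conf layout, sink interface eth1 = 10.0.0.1.

# Rewrite (and uncomment) one "key value" line in inetsim.conf.
set_inetsim_option() {           # $1=config file, $2=key, $3=new value
    sed -E "s/^#?[[:space:]]*$2[[:space:]].*/$2 $3/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Bind every emulated service and every DNS answer to the sink address.
inetsim_configure() {            # $1=config file, $2=sink IP
    set_inetsim_option "$1" service_bind_address "$2"
    set_inetsim_option "$1" dns_default_ip "$2"
}

# Comment out "start_service irc" so port 6667 is free for a netcat listener.
inetsim_disable_irc() {          # $1=config file
    sed -E 's/^[[:space:]]*start_service[[:space:]]+irc[[:space:]]*$/#&/' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Linux side, as root: any connection arriving on the sink interface lands on
# the local INetSim services no matter which destination IP the bot used
# (REDIRECT rewrites the destination to the incoming interface's address).
# Windows side (assumed form of the route typed on the victim VM):
#   route add <destination> mask 255.255.255.255 10.0.0.1
redirect_all_to_sink() {         # $1=interface, e.g. eth1
    iptables -t nat -A PREROUTING -i "$1" -p tcp -j REDIRECT
    iptables -t nat -A PREROUTING -i "$1" -p udp -j REDIRECT
}

# Constructed sample of the config lines we care about (not a real file).
write_sample_conf() {            # $1=path
    printf '%s\n' '#service_bind_address   10.10.10.1' \
        '#dns_default_ip   10.10.10.1' \
        'start_service dns' 'start_service http' 'start_service irc' > "$1"
}

# Walk-through: ./inetsim_sink.sh demo
if [ "${1:-}" = demo ]; then
    conf=$(mktemp)
    write_sample_conf "$conf"
    inetsim_configure "$conf" 10.0.0.1
    inetsim_disable_irc "$conf"
    cat "$conf"; rm -f "$conf"
fi
```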
Now, suddenly it made a successful connection.
So we can look at the successful TCP connection,
we can see the victim
and its nick, its nickname, its username, pretty much,
and the server responded with NOTICE AUTH, Welcome to IRC INetSim, or, because IRC is also emulated here,
and then it tries to join
the channel skaters_1990.
So if we were security researchers, we could hop on to
that IP address, the IRC channel
on that IP address, and we could find other bots there. Um,
and that's happened before. I've had numerous people tell me that, you know, they
were working at a hosting provider and someone notified them that
they're hosting some malicious content, and they look at it. It's an IRC chat room, and a lot of old malware used that as a command and control mechanism
because they could stay relatively anonymous. But the problem is that they usually didn't have good authentication. So
the password we can see to this channel was 2580. So we can hop on this channel now.
So maybe I want to interact with this bot. Maybe I want to send it commands.
Maybe I want to try to control it.
Well, how can I do that?
Change the config again,
go to IRC, see where it's starting that service, put a pound sign to comment it out,
colon, escape, colon wq for write, then quit,
and then rerun INetSim.
So it's doing everything it did before, except now that IRC
port and process are no longer listening,
we can see that there is an attempted connection and it's rejected.
The attempted connection came from 10.0.0.2, from our victim machine. It tried to go to this IP address. Ah,
it's a SYN packet, a synchronize packet.
I would really like to introduce, if you don't already know about it, a program called netcat. Of course, like INetSim, you can just say man
and then the command,
and it will tell you all about it and how to use it.
And I'm gonna use nc -l for listen and then -p and specify a port. So I'm gonna say
and then -p for 6667.
So now, listening on that port,
that looks like our malware isn't calling back anymore.
Oh, it did call back. It was just waiting a second. So we're listening on this port,
we see it gave the same password.
It's using the same username, which is
the hostname of the machine. I can verify that.
Certainly, you click on My Computer.
Yep, so that's the hostname.
Using the hostname of the infected computer.
I'd be willing to bet that's a timestamp.
Maybe something else, I don't know. We could do more analysis.
This is the same number.
It is the same number. It might be some kind of identifier,
like a campaign code built into the malware.
Further reverse engineering would reveal exactly what it is.
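The netcat listener above only shows the raw bytes the bot sends. As an added example (not part of the video), this script saves the session and pulls out the registration fields as network indicators; it assumes the traditional `nc -l -p` syntax used on the page, and the sample capture is constructed, with a made-up nick and user.

```shell
#!/bin/sh
# Added example: record what the bot sends to the IRC port and extract
# the indicators (password, nick, user, channel, channel key) from it.
capture_irc() {                  # $1=port, $2=output file; not run in tests
    nc -l -p "$1" | tee "$2"     # traditional netcat syntax, as on the page
}

# Print the IRC registration and JOIN details as key=value lines.
# Tolerates CRLF line endings and a missing trailing newline.
irc_indicators() {               # $1=capture file
    file=$1
    cr=$(printf '\r')
    set -f                       # no globbing: "USER x 0 * :x" contains '*'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}
        set -- $line             # split the line into command and arguments
        case "${1:-}" in
            PASS) echo "password=${2:-}" ;;
            NICK) echo "nick=${2:-}" ;;
            USER) echo "user=${2:-}" ;;
            JOIN) echo "channel=${2:-}"
                  if [ -n "${3:-}" ]; then echo "channel_key=$3"; fi ;;
        esac
    done < "$file"
    set +f
}

# Constructed sample capture (not real bot output); the channel and key are
# the ones seen in the INetSim IRC log above.
write_sample_capture() {         # $1=path
    printf 'PASS 2580\r\nNICK VICTIMHOST\r\nUSER VICTIMHOST 0 * :VICTIMHOST\r\nJOIN #skaters_1990 2580\r\n' > "$1"
}

# Walk-through: ./irc_indicators.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_sample_capture "$f"; irc_indicators "$f"; rm -f "$f"
fi
```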
I'm not sure if it's important right now, but I can guess this. Maybe not.
So here with netcat, I can also send commands back.
It's not responding to
some commands here, so maybe it needs some specific string.
Uh, I'm going to just play with things because I like poking things, and send a lot of A's.
And then Ctrl+C will kill the connection.
We'll see if that did anything,
but binary.exe has crashed.
So apparently the bot, the malware author, didn't write this malware very well.
That's interesting to me.
Using this password,
and we could jump on there, using some
hostname, maybe even this, uh, this user
thing that is listening on that channel
malware on all those computers.
Let's see if it calls back.
And it doesn't look like it's calling back.
I will say this is reckless,
and it may not be appropriate,
and in fact, I'm pretty sure it is illegal.
You are executing code, or actually you're stopping code from executing, on other people's machines. Those are not your computers.
Even if they're compromised, the appropriate thing might be to notify law enforcement. They probably wouldn't do anything, though, because they're bound even more tightly about what they can and can't do. They probably would shut down the command and control server,
or someone, some security expert, would see it calling back. Nope, this is just normal operation.
Or they would bring in an expert to
come in and dismantle the botnet, if you will.
So Microsoft has done that with law enforcement to take down large
botnets. Sometimes it's been very successful. Sometimes it has not been.
I am not a lawyer, so I'm not gonna say whether that is legal or not.
So if we wanted to play with this some more,
using this build.exe,
here we have some interesting options.
Open 1.1 bot binary.
I'm just gonna go with this,
and here it looks like this was the IP address that it was beaconing out to,
the password it was using.
Let's test our DNS resolving manipulation capabilities.
Usually malware has this kind of backup command and control server functionality. I'm just gonna go with google.com
and I'm gonna change this too,
just to see what happens.
It looks like there's a web panel,
refresh every five seconds. It looks like that SOCKS4 and SOCKS5 proxy setting that we saw.
It looks like it will open up an FTP server.
It looks like on the IRC,
the bot password is this. I don't know what this does.
Looks like there's a firewall bypass,
and we can see that in here.
Whitelists itself in the location that it was executed,
so an attacker would probably compromise a machine, go to a directory
somewhere the user's not likely to access, and then execute the malware.
It looks like it has a kernel driver as well,
so it saves service state in the registry.
These are all interesting options
that I would suggest that you play with.
I'm also going to show another tool here.
It's basically Task Manager
on steroids. It is incredibly powerful.
Process Hacker is very similar
in interface and very similar in function,
but it lets us watch processes very closely and identify the DLLs that are injected into them. And I would also like to run
The difference between autoruns.exe and autorunsc
.exe is this one will produce a
console output and this one will produce a GUI.
The console output is useful for,
if you wanna chunk all of the current
entries, Autoruns entries, into a file
and then compare that before
to another file of the Autoruns entries after the malware has been run, so you can see if anything's been added.
It looks like Autoruns is having some trouble.
It's okay. It happens.
That may be the malware. Probably not.
So it's highlighted some things here.
So in the configuration for the malware,
it mentioned drivers.
Oh, it mentioned kernel driver,
we might want to check drivers
and see where those are.
We might like to look at the host log and see,
maybe one of these files,
see if there's any mention of them.
It doesn't look like it.
We could look through all of these individually, and we can take a before and after snapshot. Because, remember, uh, we've already executed this binary before,
well, a similar one.
But the best way to be sure is to keep running it over and over again. But it may not have a persistence mechanism.
Not all malware does.
Autoruns usually finds
when malware is doing something.
Okay, let's see what's going on here.
to this port, but it's closed. So I'm gonna start listening with netcat again.
So there was our DNS query, free no dot net.
Let's see if it made another query, so we can do that.
Just by typing in dns.
It tried to resolve crl.microsoft.com, and we gave it our own IP address. Again, it was probably some internal Microsoft tool.
It was asking for free no dot net,
and it's connected and given us the same configuration data.
It's given us the password
that we had before, that we entered into the configuration.
That is interesting.
Okay, so this did not change.
But let's see if the other value did.
The channel it tried to join
was one that we had defined.
So it looks like this malware is configurable.
I like to crash things, so I'm gonna send it
a bunch of data. Let's see if it crashed.
It did indeed crash it.
I hope that you play with this and enjoy it.