00:03
>> Today, our demo will be working with IllusionBot, and you can download it from this URL, from the same GitHub where we got the direct sample. We're going to take the Windows VM that we made previously and reset it. You can reset your Linux VM as well. A common trick for a Linux VM, particularly Kali, is to change the settings for the display if VMware Tools doesn't automatically resize the interface. That's much better.

Let me confirm our IP address. On this one we have 10.0.0.1, the same little network as our Windows box. They should be able to ping each other. Just to make sure before I begin infecting things, I always like to double-check my network to make sure it's not going out to the Internet, that it's not NATed, like this option. It is indeed on our own custom VNet. I'll select to run Wireshark on my Linux routing machine.
Since we are going to start running services, analyzing network traffic, and other things, I should warn you that it is very dumb to do it as root like I'm doing right now. Don't do that. But I'm going to do it anyway. Because if a program like Wireshark gets compromised, which is completely possible because it has lots and lots of different plugin modules for protocols contributed by lots of people that haven't been fully vetted, it can be a very bad thing.

We're going to just look at what IP address the different interfaces have in Wireshark, and we are going to watch the 10.0.0.1 interface, because that is where the traffic from the infected machine will be going. There's no traffic right now, and we're going to just do a full ping on 10.0.0.1. We are getting something back. We see these echo ping requests and then we have these ARP requests. Completely normal traffic.
This time we're going to be working with IllusionBot, downloaded from the same place as the dire example we were working with. The industry-standard password is "infected". Antivirus companies usually know better than to try to open zip files with that password. We're going to simply do some dynamic analysis on this malware. What I typically do is start the capture and then start the binary. Then watch the traffic. We see that this IP address is trying to reach out to this Internet address, trying to go over this port. Its origin port is not a big deal, but its destination port is 6667. What we want is for the malware to act normally, to think it's in a safe environment.
What we're going to use is a few tools, particularly a tool called INetSim. INetSim is a tool that basically emulates many different services listening on standard default ports. INetSim is all we need to type in. It starts listening on all these ports. It'll tell you the process IDs. It'll tell you where it's storing the logs, where it's getting its data from, and where it's producing its report. Here, in particular, we want to see where the config file is coming from. I can highlight this in the terminal and do Control Shift C to copy within the terminal, and I'm going to kill these processes by hitting Control C. The simulation has stopped; nothing is listening on those ports anymore. We can verify this by doing netstat -untap, which is what I usually go with. You can look up for yourself what the options are, and we can see the DHCP client is running on those ports, which are standard DHCP client ports.

I'm going to use vim, space, Control Shift V to paste what I copied before, which is the INetSim config file. Vim is my default text editor, my command-line text editor. There are friendlier ones like Nano, but I like Vim.
The first thing we're going to do when we're editing our config file is a slash and then 10.0.0.1; it's basically searching the document for 10. Here, the first line is where we see a service bind address parameter. We're going to uncomment this line, which means to start paying attention to it, which tells INetSim that it should start paying attention to this parameter that we're giving it and serve whatever default it has. I'm going to change the address that it should bind to, to 10.0.0.1. The reason is, if we were to pull up another terminal and do an ifconfig to see our IP address, we'll have one interface behind NAT. It goes out to the Internet and it has this IP address, and then our other interface has this IP address. By default, it would probably go with zero and it would emulate all the services on the ports on this IP address, this interface. We want to guarantee that it's running on this interface.
I'm going to hit Escape, because Vim syntax is a little weird, and do another search for DNS. The first option is a DNS bind port. We're going to keep it as default. DNS default IP: "n" for next, "n" for next, and "i" for insert. I'm going to delete the comment on this line. I'm going to specify that the address it should return for all DNS queries will be this one, 10.0.0.1. I'm specifying that not only am I everything it's ever looking for, but I am also all these things. There's a fake time server on here. There's a fake HTTP server and all sorts of good stuff. Now we've configured INetSim how we want it. Execute again. Again, we probably shouldn't be running this as root.

On our Windows computer, just open up Internet Explorer. It goes to Microsoft.com, but it's intercepted by our INetSim program. The DNS server says, "Oh, Microsoft.com has this IP address, 10.0.0.1." It goes there, and the web server that INetSim has set up will return this page for everything. Google.com will return this page, anything I want. You can also specify particular files. All PHP files will return something, or all EXE files will return a file that I have pre-specified for INetSim.
Here we are, and we see all this traffic. This was from the browser that I just opened. I'm going to reset it, and our malware should still be active. It doesn't look like it's calling out anymore. There it is. You'll see that it's not using DNS to resolve an IP address; it's trying to contact that IP address directly. That might tell us one of a few things. One, it might be a clumsily written piece of malware, because it's not taking into account machines that are behind proxies. But that's not our problem. Our problem is, we want to know what traffic is being sent out. We want to know what it's doing.

There is something cool we can do, in that we can redirect not only all domains, but all IP addresses. We can do that pretty simply. I'm going to stop the capture for a moment. I will try to grab host indicators later, but now I'm trying to collect more network indicators. In order to capture all the IP addresses, instead of just domain names, I'm going to add a route. The syntax is route add. I'm going to give it a base address, 0.0.0.0, mask, what it should ignore, 255.255.255.255, and then the IP address of where I want all this traffic to go. Let's define that all traffic should be funneled to this IP address, which is 10.0.0.1.
Over on the Linux side, I'm going to have to open another terminal, and I'm going to add an iptables rule: iptables -t nat -A PREROUTING -i eth1, because that's where we want to direct all of our traffic to, and then -j for redirect. Now suddenly, it made a successful connection. We can look at the successful TCP connection, and we can see that it's IRC. In the red, we can see the victim's network traffic: first it sends PASS 2580, and its nickname, its username, is pretty much this. The server responded with a notice, authentication, welcome to irc.inetsim.org, because IRC is also emulated here. Then it tries to join the channel skaters_1990.

If we were security researchers, we could hop onto that IP address, the IRC channel skaters_1990 on that IP address, and we could find other bots there. That's happened before. I've had numerous people tell me that they were working at a hosting provider and someone notified them that they're hosting some malicious content, and they look at it and it's an IRC chatroom, and a lot of old malware used that as a command and control mechanism, because they could stay relatively anonymous. But the problem is that they usually didn't have good authentication. The password we can see to this channel was 2580, so we can hop on this channel now.
Maybe I want to interact with this bot. Maybe I want to send it commands. Maybe I want to try to control it. Well, how can I do that? Well, luckily for us, we can simply change the config again for INetSim. Go to IRC, see where it's starting that service, put a pound sign in front to comment it out, Escape, colon, w, q to write and then quit, and then rerun INetSim. It's doing everything it did before, except now the IRC port and process are no longer listening. We can see that there's an attempted connection and it's rejected. The attempted connection came from 10.0.0.2, from the victim machine. It tried to go to this IP address; this is a SYN packet, and then our machine said reset.
I would really like to introduce, if you don't already know about it, a program called Netcat. Of course, like INetSim, you can just say man and then the command nc, and it'll tell you all about it and how to use it. I'm going to use nc -l for listen, and then -p and specify a port. I'm going to say nc -l and then -p 6667, so now we're listening on that port. It looks like our malware isn't calling back anymore. I wonder why; they did call back. Let me just wait a second. We're listening on this port, and we see it gave the same password. It's using the same name, which looks like the host name of the machine. Sure enough, when you right-click on My Computer, that's the host name. It's using the host name of the infected computer. I'd be willing to bet that's a time stamp. Maybe something else, I don't know. We could do more analysis. It is the same number; it might be some identifier, like a campaign code built into the malware. Further reverse engineering would reveal exactly what it is. But I'm not sure if it's important right now; my guess is maybe not. Here with Netcat, I can also send commands back. It's not responding to some commands here, so maybe it needs some specific string before it reacts.
I'm going to just play with things, because I like poking at things, and send a lot of A's, and then Control C will kill the connection. Let me see if that did anything. binary.exe has crashed. Apparently the malware author didn't write this malware very well. This is interesting to me. If we were vigilantes, we could get onto this IP address using this password, and we could jump on there using some host name, maybe even this one and this user, join this channel, and then send all these A's to everything that is listening on that channel. Crash all of the malware on all those computers. Let's see if it calls back, and it doesn't look like it's calling back.

I will say it is a reckless endeavor and it may not be appropriate. In fact, I'm pretty sure it is illegal, because you are executing code, or actually you're stopping code from executing, on other people's machines. Those are not your computers, even if they're compromised. The appropriate thing might be to notify law enforcement. They probably wouldn't do anything though, because they're bound even more tightly about what they can and can't do. They probably would shut down the command and control server and have an expert come in and dismantle the botnet, if you will. Microsoft has done that with law enforcement to take down large botnets. Sometimes it's been very successful, sometimes it has not been. But if you interfere like that, I'm not a lawyer, so I'm not going to say whether that is legal or not.
If we wanted to play with this more, I would suggest using this build.exe. Here we have some interesting options. Binary: it says open 1.1 bot binary. I'm just going to go with this. Here it looks like this was the IP address that it was reaching out to, this port, the channel, the password it was using. Let's test our DNS resolution manipulation capabilities with something like freenode.net. Usually malware has this backup command and control server functionality. I'm just going to go with Google.com. I'm going to change this to, I don't know, 555 and 111, just to see what happens. It looks like there's a web panel that would open, refreshing every five seconds. It looks like the SOCKS4 and SOCKS5 proxy settings that we see here can be verified. It looks like it will open up an FTP server. It looks like on the IRC, the bot password is this. I don't know what this does. It looks like there's a firewall bypass, and we can see that in here, Authorized Applications. It white-listed itself in the location that it was executed from, so an attacker would probably compromise a machine, drop it into a directory somewhere that a user's not likely to access, and then execute the malware. It looks like it has a kernel driver as well, and it saves service state in the registry. These are all interesting options that I would suggest you play with. I'm going to say save, and that is saved.
I'm also going to show another tool here. It's basically Task Manager on steroids; it is incredibly powerful. Process Hacker is very similar in interface and very similar in function. It lets us watch processes very closely and identify the DLLs that are injected into them. I would also like to run Autoruns, both of them, autoruns.exe and autorunsc.exe; this one will produce console output, and this one will produce a GUI. The console output is useful if you want to dump all of the current autorun entries into a file, and then compare that file with the autorun entries after the malware has been run, so you can see if anything's been added. It looks like Autoruns is having some trouble. It's okay, it happens. It may be the malware, probably not. It's highlighted some things here. In the configuration for the malware it mentioned a kernel driver. We might want to check drivers and see where this is; we might look at the host log and see one of these files, see if there's any mention of them. It doesn't look like it. We could look through all of these individually, and we can take a before and after snapshot, because remember, we've already executed this binary before, so it should keep running over and over again. But it may not have a persistence mechanism. Normally malware does. Autoruns usually finds when malware is doing something. Let's see what's going on here.
It looks like our victim machine is trying to connect to this port, but it's closed, so I'm going to start listening with Netcat again. There was our DNS query, freenode.net. Let's see if it made another query. We can do that just by typing DNS. It tried to resolve crl.microsoft.com and we gave it our own IP address. Again, it was probably some internal Microsoft tool, and here it was asking for freenode.net, and it's connected and given us the same configuration data. It's given us the password of 2580, so not the other value that we had before that we entered into the configuration. That is interesting. This did not change. But let's see if the other value did. The channel it tried to join was the one that we had defined. It looks like this malware is configurable. I like to crash things, so I'm going to send it a bunch of data and see if it crashes it. It did indeed crash it. I hope that you play with this and enjoy it.