A journey in the country of Winnie the malware

A couple of weeks ago I've deployed a honeypot in our network perimeter to have an idea of how aggressive the peoples scanning our network really are. I've decided to install kippo a medium interaction honeypot, medium interaction means you can log on and run a set of limited commands and it acts like a *real* machine, it traces everything you do, save everything you downloads ... To make sure the joke wasn't on me, I run kippo in a chroot as a non privileged user it listen on port 2222 and iptables does the forwarding to kippo for those not on my network, pretty neat.

1st catch:

After a few hours, the first connection starts to appears and the 1st users try to login. The funny thing is, they all use sftp and not the expected ssh ? The reason for that is kippo is a popular honeypot and it _doesn't_ support sftp yet, so the attackers use sftp to avoid falling into honeypot ! Luckily a patched version exist that support sftp, once I used that one people stick around a bit more but not that long, the next trick in the attacker sleeve is 'iptables', kippo doesn't implement the command soooo ... you get the idea. Good news again, kippo is easy to extend and simply adding a text file containing the output of the iptables command to "txtcmds/sbin/iptables" is enough to lure some automated scanner into the trap (until next week or so)

Passwords!:

One of the interesting intel to collect is what password do the attacker try ? Well here's a small sample of the most popular passwords you shouldn't use:

     18 [admin/123123]

     18 [admin/1234567890]

     18 [admin/12345678]

     18 [admin/1234]

     18 [admin/123qwe!@#]

     18 [admin/142536]

     18 [admin/1qaz2wsx]

     18 [admin/data]

     18 [admin/qweasd]

     18 [admin/rootme]

     19 [admin/123456]

     19 [admin/P@ssw0rd]

     19 [admin/admin123]

     19 [admin/passw0rd]

     19 [admin/qwe123]

     19 [admin/root123]

     19 [admin/root@123]

     21 [admin/12345]

     22 [admin/password]

     23 [admin/root]

     27 [admin/admin]

     32 [root/root]

    214 [root/admin]

Note the high score of the root/admin combo, the classics never dies or so it seems.

Malware collection:

Another cool feature of kippo, is that it will backup anything the attacker downloads by curl, wget and so on and again pretty quickly you get a few samples so far I have received:

822dd344bfa3ab37ebc968140f5f6296  http___mdb7_cn_8081_star 1.1M

5cdf87129e45d9a3132b7b4840237190 http___121_40_196_12_65533_wawa 834K

I'll try to reverse engineer those samples as time allows (not so much I'm afraid) but I can already provide a few info:

star:

by running 'string' on the 1st sample (star) I find a large list of ip addresses, likely compromised hosts used for C&C:

61.132.163.68

202.102.192.68

202.102.213.68

202.102.200.101

58.242.2.2

202.38.64.1

211.91.88.129

211.138.180.2

218.104.78.2

[...] 

The executable is not stripped and contains lots of mangled symbols indicating that it has been coded in C++, ldd show now external dependencies meaning that for portability it was statically linked, all in all it seems pretty neat !

wawa:

The seconds sample looks a bit more elaborate, like star it is statically linked but this times all symbols have been stripped and running strings on it reveals the following:

$Info: This file is packed with the UPX executable packer http://upx.sf.net $

$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

Which means  that it was packed to make the work of potential reverse engineers more difficult but not impossible since UPX is open source. 

I hope to give it a go one of these days and try out http://www.radare.org at the same time, in the mean time if you have details on those malware or want more info on them don't hesitate to drop me a note.