Thursday, July 29, 2010

Analysis of 12fb...c640

After committing several changes to the SMB RPC structs for the Dionaea project, I found this capture yesterday, and it made use of the structs I committed. From the Dionaea blog, I guess I have met a variant of the piecework.

Part 1:
With the logfile here, the attack process can be analysed as follows:

1. [>90.183.XX.XXX:2548] state: none->established
2. SMB Negotiate Protocol Request
3. SMB_Negociate_Protocol_Response
4. SMB Sessionsetup ESEC AndX Request, with NTLMSSP security blob
5. SMB Sessionsetup ESEC AndX Response, with NTLMSSP security blob
6. SMB Sessionsetup ESEC AndX Request (NTLM Authenticate)
7. SMB Sessionsetup ESEC AndX Response
8. SMB Treeconnect AndX Request
- Make connection to \\60.51.XX.XX\IPC$
9. SMB_Treeconnect_AndX_Response
10. SMB NTcreate AndX Request
- pipe samr
12. SMB Trans Request / DCERPC_Header / DCERPC_Bind
- TransferSyntax = 8a885d04-1ceb-11c9-9fe8-08002b104860
- UUID = 12345778-1234-abcd-ef00-0123456789ac
- Accepting Bind for samr
13. SMB Trans Request
- Calling samr Connect4 (3e)
- opnum: (int) 62
15. SMB Trans Request
- Calling samr EnumDomains (6)
- opnum: (int) 6
16. SMB Trans Response
17. SMB Trans Request
- Calling samr LookupDomain (5)
- opnum: (int) 5
19. SMB Trans Request
- Calling samr OpenDomain (7)
- opnum: (int) 7
20. SMB Trans Response
21. SMB Trans Request
- Calling samr EnumDomainUsers (d)
- opnum: (int) 13
22. SMB Trans Response
23. SMB Trans Request
- Calling samr Close (1)
- opnum: (int) 1
24. SMB Trans Response
25. SMB Trans Request
- Calling samr Close (1) (I am not sure why the attacker repeats the samr Close twice)
- opnum: (int) 1
26. SMB Trans Response
27. SMB Close
28. SMB Close
29. SMB Tree Disconnect
30. SMB Tree Disconnect

At this point, another line caught my eye:
[28072010 22:11:01] logsql dionaea/ reject connection from 90.183.XX.XX:3171 to (id=104279)
The connection was rejected since Dionaea does not support the NetBIOS protocol, which runs on port 139.

After the failure on port 139, the attacker connected to port 445 again.
[28072010 22:11:02] connection connection.c:3654-message: connection 0x983a8e0 accept/tcp/none [>90.183.XX.XX:3170] state: none->established

Part 2:
The attacker continues the process:
1. SMB_Negociate_Protocol_Request
2. SMB Negotiate Protocol Response
3. SMB Sessionsetup ESEC AndX Request, with NTLMSSP security blob
4. SMB Sessionsetup ESEC AndX Response, with NTLMSSP security blob
5. SMB Sessionsetup ESEC AndX Request (NTLM Authenticate)
6. SMB Sessionsetup ESEC AndX Response
7. SMB Treeconnect AndX Request
8. SMB Treeconnect AndX Response
9. SMB NTcreate AndX Request
10. SMB NTcreate AndX Response
- pipe \svcctl
11. SMB NTcreate AndX Response
12. SMB Trans Request
- Accepting Bind for SVCCTL
- uuid: (string) 367abb81-9844-35f1-ad32-98f038001003
- transfersyntax: (string) 8a885d04-1ceb-11c9-9fe8-08002b104860
13. SMB Trans Response
14. SMB Trans Request
- Calling SVCCTL OpenSCManagerA (1b)
- opnum: (int) 27
15. SMB Trans Response
16. SMB Trans Request
- Calling SVCCTL CloseServiceHandle (0)
- opnum: (int) 0
17. SMB Trans Response
18. SMB Trans Request
- Calling SVCCTL OpenSCManagerA (1b)
- opnum: (int) 27
19. SMB Trans Response
20. SMB Trans Request
- Calling SVCCTL CreateServiceA (18)
- opnum: (int) 24
- From the StubData, it tries to create a service "Windows Genuine Logon Manager" whose binary path is cmd.exe /c "net share admin$"
21. SMB Trans Response
22. SMB Trans Request
- Calling SVCCTL CloseServiceHandle (0)
- opnum: (int) 0
23. SMB Trans Response
24. SMB Treeconnect AndX Request
25. SMB Treeconnect AndX Response
26. SMB NTcreate AndX Request
- FileName : \csrss.exe

At this stage, Dionaea has reported the download link for the piece:
[28072010 22:11:07] incident incident.c:203-debug: url: (string) smb://90.183.XX.XX/csrss.exe
[28072010 22:11:07] SMB dionaea/smb/ OPEN FILE! csrss.exe

27.SMB NTcreate AndX Response
28.SMB Trans2 Request
29.SMB Trans2 Response
30. Two alerts triggered, as below:
[28072010 22:11:08] SMB dionaea/smb/ === SMB did not get enough data
31. SMB Write AndX Request
- The file download has started
- Remaining = 57344
- ByteCount = 4033
- The Data field shows that the file starts with b'MZ\x90\x00\x03\x00\x00\x00\...This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00\......x00\x00\x00\x00\x00'
- We can conclude that it is a PE file, and that the file size is 57344 bytes.
31. [28072010 22:11:08] SMB dionaea/smb/ WRITE FILE!
32. SMB Write AndX Response
33. Two alerts triggered, as below:
[28072010 22:11:08] SMB dionaea/smb/ === SMB did not get enough data
34. SMB Write AndX Request and SMB Write AndX Response repeat until the file transfer finishes
- In total 57344 bytes are transferred: 4030 bytes in the first write, followed by 13 writes of 4032 bytes and a last write of 898 bytes.

Part 3

After the file transfer is completely done:
1. SMB Trans2 Request
2. SMB Trans2 Response
3. SMB Close
4. The bitstream has been recorded at path: (string) /opt/dionaea/var/dionaea/binaries/smb-QsOzHt.tmp
5. Here is the file that was downloaded:
[28072010 22:11:14] incident incident.c:203-debug: file: (string) var/dionaea/binaries/12fb7332920a7797c2d02df29b57c640
[28072010 22:11:14] incident incident.c:203-debug: md5hash: (string) 12fb7332920a7797c2d02df29b57c640
6. The file has been uploaded to Anubis, Norman and a third sandbox for analysis
7. SMB Close

Part 4

The attacker continues after the file has been downloaded by Dionaea:
1. SMB Trans Request
- Calling SVCCTL OpenSCManagerA
- opnum: (int) 27
2. SMB Trans Response
3. SMB Tree Disconnect
4. SMB Tree Disconnect
5. SMB Trans Request
- Calling SVCCTL CreateServiceA (18)
- opnum: (int) 24
- The attacker attempts to create a new service "Microsoft Windows Genuine Updater" with the path "%SystemRoot%\\csrss.exe\"
6. SMB Trans Response
7. SMB Trans Request
- Calling SVCCTL CloseServiceHandle (0)
- opnum: (int) 0
- SMB Trans Response
8. Upload to the 3 sandboxes has completed.

There are a few SMB_Echo packets along the way; I decided to drop them and focus only on these connections. The attack was first seen at [28072010 22:10:55] and ended at [28072010 22:11:24], an overall duration of 29 seconds.
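As an added example (not part of the original post or of Dionaea's code), a small Python detector that parses Dionaea-style "Calling ..." and url lines, checks each logged operation name against the samr/SVCCTL opnum tables seen above, and flags the chain from Parts 1, 2 and 4: enumerate users, create a service, drop a file over SMB, then create a service again. The log excerpt and the 198.51.100.7 address are constructed sample data.

```python
import re
# Opnum table for the two interfaces seen in this capture (per MS-SAMR and MS-SCMR).
OPNUMS = {
    ("samr", 62): "Connect4", ("samr", 6): "EnumDomains", ("samr", 5): "LookupDomain",
    ("samr", 7): "OpenDomain", ("samr", 13): "EnumDomainUsers", ("samr", 1): "Close",
    ("svcctl", 27): "OpenSCManagerA", ("svcctl", 0): "CloseServiceHandle",
    ("svcctl", 24): "CreateServiceA",
}

# Constructed Dionaea-style excerpt (sample data, not the original capture); the source
# address is a documentation-range placeholder.
SAMPLE_LOG = """\
[28072010 22:10:56] Calling samr Connect4 (3e)
[28072010 22:10:56] Calling samr EnumDomainUsers (d)
[28072010 22:11:03] Calling SVCCTL OpenSCManagerA (1b)
[28072010 22:11:04] Calling SVCCTL CreateServiceA (18)
[28072010 22:11:07] incident incident.c:203-debug: url: (string) smb://198.51.100.7/csrss.exe
[28072010 22:11:20] Calling SVCCTL CreateServiceA (18)
"""

CALL_RE = re.compile(r"Calling (\w+) (\w+) \(([0-9a-fA-F]+)\)")
URL_RE = re.compile(r"url: \(string\) (smb://\S+)")

def parse_events(log):
    """Turn the log text into an ordered list of ('call', (iface, name, opnum)) and ('url', path)."""
    events = []
    for line in log.splitlines():
        m = CALL_RE.search(line)
        if m:
            iface, name, opnum = m.group(1).lower(), m.group(2), int(m.group(3), 16)
            if OPNUMS.get((iface, opnum)) != name:  # logged name disagrees with the opnum table
                name += "?"
            events.append(("call", (iface, name, opnum)))
            continue
        m = URL_RE.search(line)
        if m:
            events.append(("url", m.group(1)))
    return events

def assess(events):
    """List, in order, the stages of the enumerate -> create service -> drop -> re-create chain."""
    stages = []
    for kind, ev in events:
        if kind == "call" and ev == ("samr", "EnumDomainUsers", 13):
            stages.append("user_enumeration")
        elif kind == "call" and ev[0] == "svcctl" and ev[1] == "CreateServiceA":
            stages.append("service_create_after_drop" if "file_drop" in stages else "service_create")
        elif kind == "url":
            stages.append("file_drop")
    return stages
```

A "service_create_after_drop" stage following "file_drop" is the point where the dropped csrss.exe is registered as a service, which is the event worth alerting on.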

Analysis done :)

Note: I found that my Dionaea showed this message and halted after the whole process; is this a bug or a random error?
[28072010 22:11:25] thread threads.c:90-critical: Threadpool is crowded 4/2, suspending *all* activity
