Weekend Malware Research Andrew Morris

Upload: andrew-morris

Posted on 07-Aug-2015


TRANSCRIPT

Page 1: Weekend Malware Research 2012

Weekend Malware Research

Andrew Morris

Page 2: Weekend Malware Research 2012

About

• Over the weekend I collected two different categories of malware

• Dionaea honeypot malware (Conficker)
  – Windows
  – SMB-based exploits

• JBoss ZECMD worm
  – Cross-platform/Java
  – JMX console-based exploits

Page 3: Weekend Malware Research 2012

Dionaea

Page 4: Weekend Malware Research 2012

Dionaea

• Dionaea is an open-source honeypot daemon used to catch malware samples

• Installed and run on Linux

• Emulates a Windows 2000 Server

Page 5: Weekend Malware Research 2012

Protecting yourself

• Whenever you are doing any type of malware research, be sure to protect yourself

• Segment the honeypot/analysis machine from the rest of your network

Page 6: Weekend Malware Research 2012

Dionaea log piped to “tail -f”

Tcpdump on port 445

Binaries collected

Page 7: Weekend Malware Research 2012

Commands

# tail -f dionaea.log

# tcpdump -i eth0 -XX -vvv tcp port 445
(add -w capture.pcap to also write the packets to a file)

# while [ 1 ]; do ls -lah ; ls | wc ; sleep 1 ; done
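The loop on this slide only reports that files appeared. The script below is an added example, not from the slides, that polls the binaries directory, hashes each new capture with SHA-256 and flags whether it starts with the MZ header a Windows PE carries, so repeated captures of the same Conficker binary collapse into one ledger entry instead of a hundred. The binaries path, the polling interval and the sample files it builds for a dry run are assumptions/constructed, not data from the honeypot.

```python
"""Fingerprint honeypot captures as they land, collapsing duplicate samples."""
import hashlib
import os
import tempfile
import time

# Assumed default binaries directory of a Dionaea install; adjust as needed.
BIN_DIR = "/opt/dionaea/var/dionaea/binaries"


def fingerprint(path):
    """Return (sha256 hex digest, size in bytes, starts-with-MZ) for one file."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        head = f.read(2)          # the 'MZ' magic every PE/DOS executable starts with
        digest.update(head)
        size += len(head)
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size, head == b"MZ"


def inventory(bin_dir, ledger):
    """Add unseen files in bin_dir to ledger (sha256 -> record); return the new digests."""
    new = []
    for name in sorted(os.listdir(bin_dir)):
        path = os.path.join(bin_dir, name)
        if not os.path.isfile(path):
            continue
        sha, size, is_pe = fingerprint(path)
        if sha in ledger:
            if path not in ledger[sha]["paths"]:
                ledger[sha]["paths"].append(path)   # same sample captured again under a new name
            continue
        ledger[sha] = {"size": size, "is_pe": is_pe, "paths": [path]}
        new.append(sha)
    return new


def watch(bin_dir, interval=5):
    """Poll bin_dir forever and print one line per new unique sample."""
    ledger = {}
    while True:
        for sha in inventory(bin_dir, ledger):
            rec = ledger[sha]
            kind = "PE" if rec["is_pe"] else "non-PE"
            print(f"{sha}  {rec['size']:>9} B  {kind:6}  {rec['paths'][0]}")
        time.sleep(interval)


def make_constructed_samples():
    """Create a throwaway directory with constructed (not real) samples:
    two identical MZ-headed files and one Perl script. Returns the path."""
    d = tempfile.mkdtemp(prefix="samples-")
    pe = b"MZ\x90\x00constructed-sample"
    for name, data in (("a.bin", pe), ("b.bin", pe), ("c.pl", b"#!/usr/bin/perl\nprint 1;\n")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else BIN_DIR
    if os.path.isdir(target):
        watch(target)
    else:                     # no honeypot here: run one pass over constructed samples
        demo = {}
        inventory(make_constructed_samples(), demo)
        for sha, rec in demo.items():
            print(sha, rec)
```

Dionaea already names each capture by its MD5; keeping a separate SHA-256 ledger with every path the same hash arrived under tells you how often a given binary was pushed, which is the number that matters when most of the day's captures are the same worm.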

Page 8: Weekend Malware Research 2012

Results

• Over 24 hours, the Dionaea honeypot collected over 100 malware samples

• There were more attacks, but the honeypot failed to capture binaries for more sophisticated malware

• Over five attacks per minute

Page 9: Weekend Malware Research 2012
Page 10: Weekend Malware Research 2012
Page 11: Weekend Malware Research 2012

Anyone interested?

• I have over 100 malware samples directly from the wild

• If anyone is interested in setting up an offline lab with me for manual analysis, shoot me an email

• Makes good practice for reverse engineering

Page 12: Weekend Malware Research 2012

ZECMD

Page 13: Weekend Malware Research 2012

ZECMD

• Steve Nawoichik and I first encountered this during a penetration test one year ago

• Our client thought they would be cool and stand up an intentionally vulnerable server to test if we were doing our jobs

• They got hit with a JBoss worm

Page 14: Weekend Malware Research 2012

Worming Mechanism

• I did a bit of OSINT on the term “ZECMD.jsp” and found a couple writeups by Carnal0wnage, Kaspersky, and a few others

• The worm infects machines over the internet by attacking exposed Jboss JMX consoles

• Deploys its own custom malicious WAR file

Page 15: Weekend Malware Research 2012

So…

• I set up a Linux box and installed JBoss

• Exposed the JMX console: no username, no password
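The worm's entry point is a JMX console reachable with no credentials, which is exactly what this lab exposed. The probe below is an added example, not from the slides or the worm, that requests the console's default path and reports whether it is exposed, protected by a security constraint, or absent. The host name, the response markers it looks for and the /jmx-console/ path are assumptions taken from JBoss AS 4.x/5.x defaults; verify the markers against your own build.

```python
"""Check whether a JBoss JMX console answers without authentication."""
import urllib.error
import urllib.request

# Default location of the JMX console on JBoss AS 4.x/5.x. The host below
# is a placeholder (assumption), not one from the slides.
JMX_PATH = "/jmx-console/"
EXAMPLE_BASE_URL = "http://jboss.example.internal:8080"

# Strings that appear on the console's index page when it is served
# (assumed markers; check them against your own JBoss version).
EXPOSED_MARKERS = ("JMX Agent View", "jboss.system")


def classify_jmx(status, body):
    """Map an HTTP response to 'exposed', 'protected', 'absent' or 'unknown'.

    401/403 mean a security-constraint is active (the worm is stopped at the
    door); 200 with console content means anyone can reach the deployer
    MBeans that the ZECMD worm abuses to push its WAR file.
    """
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200 and any(m in body for m in EXPOSED_MARKERS):
        return "exposed"
    return "unknown"          # e.g. a redirect to some other login page


def probe_jmx_console(base_url, timeout=5):
    """GET the console and classify it. Returns (verdict, detail)."""
    url = base_url.rstrip("/") + JMX_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "jmx-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(1 << 16).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 401/403/404 arrive here, with a body
        status = err.code
        body = err.read(1 << 16).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return "unreachable", str(err)
    return classify_jmx(status, body), f"HTTP {status} from {url}"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else EXAMPLE_BASE_URL
    print(probe_jmx_console(target))
```

Point it at a JBoss instance with `python3 jmx_probe.py http://host:8080`. On those JBoss AS releases the fix is to enable the security-constraint block in jmx-console.war/WEB-INF/web.xml (it ships commented out) and to replace the default admin/admin entry in jmx-console-users.properties; the web-console and the JMX invoker servlet need the same treatment, or the worm simply uses one of those instead.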

Page 16: Weekend Malware Research 2012

Infected

• JBoss worm hit me within 24 hours

• Again, ZECMD

• Good part about this worm
  – Modular malware
  – Portions are in Perl, C, and Java
  – Drops the source code, relies on the machine to compile
  – No reversing necessary!

Page 17: Weekend Malware Research 2012

Perl

Page 18: Weekend Malware Research 2012

C

Page 19: Weekend Malware Research 2012

Java

Page 20: Weekend Malware Research 2012

Nicks

Page 21: Weekend Malware Research 2012

Scanning

Page 22: Weekend Malware Research 2012

Digging Deeper

Page 23: Weekend Malware Research 2012

What I learned from the malware

• C2 (command and control) servers

• Propagation mechanism

• Able to identify compromised machines

• Handles of botmaster

• Methods of data exfiltration

• How to tell if a machine is infected
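Two of the items above, the propagation mechanism and how to tell if a machine is infected, can be turned into a host-side check. The script below is an added example, not from the slides: it searches a JBoss deploy directory for anything named like the worm's zecmd.jsp / zecmd.war and parses the JMX console's web.xml to see whether its security-constraint is actually active rather than sitting inside the stock XML comment. The JBoss paths and the fixture tree it builds for a dry run are assumptions/constructed.

```python
"""Host-side indicators for the ZECMD JBoss worm on a JBoss AS 4.x/5.x install."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumed paths (JBoss AS 4.x/5.x "default" profile); adjust for your install.
JBOSS_HOME = "/opt/jboss"
DEPLOY_DIR = "server/default/deploy"
JMX_WEB_XML = "server/default/deploy/jmx-console.war/WEB-INF/web.xml"


def find_zecmd_artifacts(root):
    """Return every file or exploded-WAR directory under root named like the
    worm's zecmd.jsp / zecmd.war (case-insensitive)."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            low = name.lower()
            if "zecmd" in low and low.endswith((".jsp", ".war")):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def jmx_console_protected(web_xml_text):
    """True if the console's web.xml contains an active <security-constraint>.

    The stock descriptor ships with that block inside an XML comment, which
    the parser drops, so an unmodified install returns False.
    """
    root = ET.fromstring(web_xml_text)
    # Strip any namespace so Servlet 2.3 (DTD) and 2.4+ (XSD) descriptors both match.
    return any(el.tag.rsplit("}", 1)[-1] == "security-constraint" for el in root.iter())


def assess(jboss_home):
    """Combine both checks for one install. Returns a dict of findings."""
    web_xml = os.path.join(jboss_home, JMX_WEB_XML)
    protected = None                     # None: descriptor not found at the assumed path
    if os.path.isfile(web_xml):
        with open(web_xml, encoding="utf-8") as f:
            protected = jmx_console_protected(f.read())
    return {
        "zecmd_artifacts": find_zecmd_artifacts(os.path.join(jboss_home, DEPLOY_DIR)),
        "jmx_console_protected": protected,
    }


# Constructed fixture: a fake JBoss tree with the worm's WAR deployed and the
# stock, commented-out security-constraint. Not real data from the slides.
STOCK_WEB_XML = """<?xml version="1.0"?>
<web-app>
  <servlet><servlet-name>HtmlAdaptor</servlet-name></servlet>
  <!--
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>
"""
HARDENED_WEB_XML = STOCK_WEB_XML.replace("<!--", "").replace("-->", "")


def make_constructed_install(infected=True, hardened=False):
    """Build a throwaway JBoss-like tree for testing; returns its root path."""
    home = tempfile.mkdtemp(prefix="jboss-fixture-")
    os.makedirs(os.path.join(home, os.path.dirname(JMX_WEB_XML)))
    with open(os.path.join(home, JMX_WEB_XML), "w", encoding="utf-8") as f:
        f.write(HARDENED_WEB_XML if hardened else STOCK_WEB_XML)
    if infected:
        war = os.path.join(home, DEPLOY_DIR, "zecmd.war")
        os.makedirs(war)
        open(os.path.join(war, "zecmd.jsp"), "w").close()
    return home


if __name__ == "__main__":
    import sys
    print(assess(sys.argv[1] if len(sys.argv) > 1 else make_constructed_install()))
```

An empty artifact list with `jmx_console_protected` False is the pre-infection state this lab started from; a hit plus False is the state it ended up in within 24 hours.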

Page 24: Weekend Malware Research 2012

Questions?

Page 25: Weekend Malware Research 2012

Thanks!

[email protected]