Sunday, December 13, 2015

Network forensics is something we should practice as much as possible to become faster at detecting supicious activies in our networks. This website shares network traffic captures where we can find different kinds of infections and malicious activies. I find these examples quite good to improve our skills to find evil behaviours... Also, we could be witness of new vectors attack and new evasion techniques...

Today, we are going to do the last exercise: 

Malware infection

In the post mentioned before, it was said that a malware was found in a corporate computer. We can get more information about that sample from diferent malware analysis.


Network traffic analysis

To figure out what happend, we have to work with the traffic capture published at such blog post: 2015-11-24-traffic-analysis-exercise.pcap. The first thing I´m going to do is to use tcpreplay in order to replicate the same traffic that was captured in an interface where my Suricata is listening with the latest ETPRO ruleset loaded.

After all the traffic has been replicated and analyzed, we can see on our alerts Dashboard that a computer could be affected by an Exploit Kit. Also, there are some CnC alerts...

The first Angler EK alerts came from the website neuhaus-hourakus.avelinoortiz[.]com

The order of the visits for that specific domain were:

  1. neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29
  2. neuhaus-hourakus.avelinoortiz[.]com/who.olp?save=&effect=VFv9cHM&you=LmzXy&picture=J0sYyqN&why=Dv0ZsHPosOWnZsEC9KJ9myAYKZSGT
  3. neuhaus-hourakus.avelinoortiz[.]com/literature.disco?audience=5Hr&trip=&election=txK1BgKFW&piece=aRLmxzX&normal=QGOT&understand=IWOBe&theory=so8bghs&discover=y47E5&tell=gSIQ&opportunity=ZWe&available=z
  4. neuhaus-hourakus.avelinoortiz[.]com/yes.wbxml?unite=tXu9a5tJI&writer=J7y8dCR8F&describe=LzQOS9&for=&note=C26Z8129ea&number=gcsXv8v&next=2unI-c8
We can see that this domain has been rated as malicious by some webfiltering vendors. 

I´ve also uploaded the PCAP to Virustotal (look at Details section). Virustotal is awesome because the traffic is inspected by Snort-VTR and Suricata-ETPRO ruleset. Also Virustotal analizes all the requests and if something is detected by some Antivirus, Virustotal will warn us... We can see from the Virustotal report, that one of the first Suricata alerts related to the EK corresponds to a flash file which is related to an Exploit.

It seems we´ve found where the user could have been infected, but... Why did the user end up at that website? If we look at the first Suricata event and we look closely at the Referer field, we can see that the web page that was visited before the landing page, had a Javascript.

Digging into that Javascript, we can find an iframe which loads the EK landing page (1) and the website which loaded the Javascript (2).

If we keep analyzing back with Wireshark, we can locate the URI which called the Javascript. It seems that it could be an advertisement (1) which loaded the Javascript (2).

And... Why did this user visit www.shotgunworld[.]com? If we look at the Referer field in the follow TCP Stream, we can see that the user was redirected to that website by Google. The user could have been doing Google searches...

If we dig a little bit deeper into the connections which were made before the Google redirection, we can see that the user was interested in guns.  He did two searches in Google:


which redirects to which seems not to be infected.


which loads the EK landing page: neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29

And... What  about the landing page? I´ve followed with the analysis and I´ve found that it had code heavily obfuscated inside the HTML code.

I´ve extracted it from the PCAP by using Wireshark and we can see the results at Virustotal.  I´ve also uploaded it to Pastebin.  As it was said, this Javascript has been heavily obfuscated and trying to deobfuscate it would be time comsuming, but if you want to try yourself, you are really welcome. I would like to share some good blog posts where you can find more info about the Angler Exploit obfuscation: Websense, Fuzzysecurity

Since we´ve not deobfuscated the Angler landing page code, we can not be 100% sure that it is related to the malware found in the computer, but I think we could assume that... After the host visited such URL, the computer started requesting suspicious URL related to botnet 

Even the computer started requesting domain names that didn't get resolved...

Those domains could have been tried to be created by some domain generation algorithm (DGA). This could be a indicator that this computer had started to belong to a Botnet.


After being notified that a piece of malware has been detected on a corporate computer, we´ve analyzed the traffic capture provided and we´ve detected the following:

  1. The user was doing Google searches related to guns.
  2. After visiting some guns shops, he ended up in that web site: www.shotgunworld[.]com
  3. This one had an advertisment which loaded a Javascript.
  4. That Javascript had a iframe which loaded the Angler EK landing page.
  5. It seems the EK was successfull and the computer began to be part of a botnet.

Posted on Sunday, December 13, 2015 by Javier Nieto

1 comment

Tuesday, September 01, 2015

In this blog post I would like to share some tricks to detect suspicious activities that could end with finding compromised hosts inside a network. I´ve noticed (I guess you too) that there are some malware out there and the first things they do, when a computer is infected, is to check the public IP address in order to let the malware developer know, where the infected host is located. We can see this behavior in a lot of malware like Cryptowall 2.0KriptovoZeroAccess and many more...

I use to work with Suricata as IDS (by the way, really happy with its performance) and Emerging Threats rules in order to detect computers trying to get its public IP address. You know... it´s weird that someone from the Human Resources department is interested in getting their computer´s public IP address...

You can find some free Suricata signatures here that are focused on that task. You can filter by "IP Check" or "External IP Lookup".

If you are using Suricata or Snort as IDS, they are good for starting an investigation when these alerts are triggered but I would like to go a little bit further without allowing the malware to get the public IP address, just to make things more difficult for the malware developer...

I´m not using Suricata as IPS but I do have an IPS and an Application Control with a Fortinet Fortigate firewall. There are many ways to achieve this goal, but this time I think my best bet is Fortinet App Control. Also, a NGFW allows us to perform a man in the middle "attack" and see what´s going on inside a SSL tunnel which makes our signatures more effective, just in case the connection goes to a SSL service...

Creating a custom App Control signature with Fortinet

I've decided to create custom signatures to detect if someone or something is trying to get the public IP address. I would like to share  three options that you could work with.

It is not a big deal to create custom signatures with Fortinet App Control to detect these connections, so for me, it worth some of my time to deal with them not only to detect them but drop them.

Example 1 - Easy mode

If we get access to we can see that the public IP address is returned.

If we look at the pcap capture we can see (obviously) that the host reached is We can see the domain in the Host line in the HTTP header, so here is where we will look and it will be defined thanks to the signature Context.

If we want to detect if someone is getting access to we just need to create the rule bellow via CLI.

config application custom
    edit ""
        set comment ''
        set signature "F-SBID( --attack_id 4467; --name \"\"; --app_cat 25; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_client; --pattern \"\"; --context host; --no_case; )"
        set category 25

You can find more APP controls example of rules in my Github account.

This rule doesn´t have a lot to explain, it´s really easy and "similar" to Snort/Suricata rules. This is a brief description of our rule:

  • -- attack_id 4467; if you don´t specify an attack_id, it will automatically assigned
  • --name; signature name
  • --app_cat 25; correspond to Web.Ohters category
  • --pattern; the string we are going to look for in the packet traffic
  • --parsed_type HTTP_GET; is the HTTP method used to retrieve the public IP address
  • --flow from_client; Match packets sent from the client to the server
  • --no_case; by default, patterns are case sensitive so --no_case makes the pattern matching case insensitive
  • --context host; context to match the pattern. There are several ones: HOST, URI, HEADER, BODY, BANNER...

Once the rules are created, you just need to add them to your AppControl sensor and set the Action.

When the changes are applied and we try to get access to again, the connection will be blocked and we will get that message: "Application Blocked". That is because "Replacement Messages for HTTP-based Applications" is checked.

If you don´t want to inform the users/malware you just need to unset "Replacement Messages for HTTP-based Applications"

and there will not be any messages, the session will be just dropped.

Example 2 - Medium mode

Sometimes we need to specify not just the hostname we want to monitor/block but we also need to specify the HTTP URI. Imagine we need to block "" but we want to let our users still to get access to "".

We will need to check two condition:
  1. Host:
  2. URI: xml
So we will need to set two patterns and two context:
  1. --pattern \"\"; --context host;
  2. --pattern \"xml\"; --context uri;
This is the rule we need to configure.

config application custom
    edit "External.IP.Lookup.-ip-api-.Custom"
        set comment ''
        set signature "F-SBID( --attack_id 5188; --name \"External.IP.Lookup.-ip-api-.Custom\"; --app_cat 25; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_client; --pattern \"\"; --context host; --no_case; --pattern \"xml\"; --context uri; --no_case; )"
        set category 25

Example 3 - Paranoid mode

As you have noticed, if the malware retrieves the public IP address from a domain which has not been included in our signatures, we will not be aware of it and the session will not be monitored/dropped.

There is a possible solution. When the malware requests the public IP address from a web server, it responds with the IP address in the HTTP body.

What we can do is to look at the responses looking for our public IP addresses. Of course, we usually have more than one, in my case, a complete class B network. In order to check if our class B network ( is included in the server response, we will use PCRE.

To achieve our goal, we need to set the following parameters:
  1. --flow from_server; Match packets sent from the server to the client
  2. --pcre /88.11.[0-9]{1,3}.[0-9]{1,3}/; That regular expression matches from to 88.11.999.999
  3. --context body; we will look at the server response in the HTTP body
So that is the rule.

config application custom
    edit "External.IP.Lookup.Detected.Custom"
        set comment ''
        set signature "F-SBID( --name \"External.IP.Lookup.Detected.Custom\"; --app_cat 25; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_server; --pcre /88.11.[0-9]{1,3}.[0-9]{1,3}/; --context body; )"
        set category 25

*** Think about possible false positives before setting this rule to Block. You should monitor before blocking because some web pages like, returns your public IP address in the commented source code...


Posted on Tuesday, September 01, 2015 by Javier Nieto

No comments