The other day, I was blindly looking at transactions to uncategorized URLs in which there were GET parameters that appeared to be related to passing information about the client. Needless to say, I found a number of controllers/infections using this method - but I also found things like surveillance system communication. I thought it was interesting, so I wanted to list some of the patterns that seemed successful. Here are some of the examples that I used for pulling out some of these "interesting" transactions from a dumped logfile using grep (easily converted to a PCRE signature if you're willing to handle the possible false positives related to each pattern):
Looking for a client's MAC address passed in a parameter (the trailing character class keeps it from matching the first 17 characters of a longer hex string, but it also means a MAC sitting at the very end of a line will be missed):
$ grep "=\([A-Fa-f0-9][A-Fa-f0-9][:-]\)\{5\}[A-Fa-f0-9][A-Fa-f0-9][^A-Fa-f0-9]" logfile
Several legitimate services pass the client's MAC address as a parameter, but even those turned out to be pretty interesting transactions.
mywizton.com (soft-phone software) passes the client's MAC address as a parameter. I also noticed what appeared to be some mobile applications pass this information back to the server over HTTP.
When you use KFC's Free Wifi hotspots, your MAC address is passed as a parameter:
/kfc_login.php?cmd=login&mac=xx:xx:xx:xx:xx:xx&ip=192.168.xxx.xxx&essid=KFC-FREE-WIFI&url=http://www.apple.com/library/test/success.html
It was also interesting to see the Apple WISPr (captive-portal detection) request for www.apple.com/library/test/success.html carried along in the url parameter when connecting to the hotspot.
But most interestingly, I noticed traffic related to what appears to be a company's surveillance system from vctvision.com. The devices appear to have embedded web clients that use WinHTTP to beacon back over HTTP to their controller / storage array, reporting the hardware (MAC) address, camera status, IP, DVRName and VNCPort. Making a mental note to go back and look at the security of these types of surveillance systems (note: these transactions are not SSL encrypted).
Here is a redacted snippet of the GET request:
/xxxxxx_xxxxxx.php?UUID=xx-xx-xx-xx-xx-xx
&dwCameraStatus=xxxxx&version=x.x&local_ip=192.168.xxx.xxx:xxxx
&global_ip=:xxxx
&DVRName=xxxxxxxxxx
&VNCPort=xxxx
&send_notify=0
However, I also saw several malicious requests turned up by this MAC address filter.
One example I'll list here is:
down.92rmm.com/shell.asp?id=xxxxxx&mac=xx-xx-xx-xx-xx-xx&os=Windows+XP&ver=xxxxxxxx
It's an older (2009) QQ password-stealing trojan (VirusTotal report). However, because it is so old and the site has since been taken down, it does not show up in a number of blacklists.
We can see that other parameters, such as "os" (operating system) are passed by this trojan.
Looking for client's OS passed in a parameter:
$ grep "[^A-Za-z0-9_-]\(OS\|os\)=" logfile
There were even more hits in my data set for an "OS" parameter, so it helped to count-sort the results and look at the most frequently repeated transactions carrying that parameter.
The top ones were all TDSS trojan related which we were already blocking:
Path:
/m.php?subid=x&pr=x&os=13&id=[removed]&ver=x
Also at the top were Gabpath Adware/Spyware transactions to:
secured-networks.com/gpupd.php?VER=xxxxxx&SubId=xx&OS=Windows NT Workstation 5.1 Buildnumber : 2600 Service Pack 3&mac=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
But among other things, I also discovered a controller for a new (April 19) AutoRun worm:
yma.stripthere.com/mars/remote.php?os=W7&version=508&build=508&[removed]
txdad.stripthere.com/mars/remote.php?os=W7&version=508&build=508&[removed]
ttl.stripthere.com/mars/settings.cfg?build=508&os=W7&new=1
Needless to say, this is a successful approach for pulling out suspicious transactions - but there is still a lot of noise that you have to filter out.
Here are a handful of other filters that I built and played around with:
MAC Address without a separator:
$ grep "=\([A-Fa-f0-9][A-Fa-f0-9]\)\{6\}[^A-Fa-f0-9]" logfile
IP Address in parameter:
$ grep -i "=\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}" logfile
Hardware UUID:
$ grep "=[A-Fa-f0-9]\{8\}\-\([A-Fa-f0-9]\{4\}\-\)\{3\}[A-Fa-f0-9]\{12\}" logfile
Hardware UUID without separators (note this also matches any 32-character hex string, such as an MD5 digest):
$ grep "=[A-Fa-f0-9]\{8\}\([A-Fa-f0-9]\{4\}\)\{3\}[A-Fa-f0-9]\{12\}" logfile
CPU info:
$ grep -i "=\(x86\|I32\|I64\|Pentium\|Xeon\|Intel\)" logfile
Windows OS terms:
$ grep -i "=\(win\|xp\|w7\|5\.1\|vista\)" logfile
Cheap and easy Base64 detection (only catches values that end in the "==" padding, and only when that padding is not URL-encoded as %3D%3D):
$ grep "[^A-Za-z0-9+/][A-Za-z0-9+/]\{6,\}==" logfile
Country code:
$ grep -i "=\(US\|UK\|IN\|AU\|FR\|CA\|MX\|DE\|CN\)&" logfile
(switch out with whatever are common locations of your hosts in your organization)
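To show how these filters behave once the query string is actually parsed, here is an added example (not code from the original post) that applies the MAC, IP, UUID, CPU, Windows, Base64 and country-code checks above to each decoded parameter value of a request rather than to the raw log line. The log format (whitespace-separated fields with the URL in the fourth column), the hosts, addresses and values are all constructed for the demo. Parsing the parameters also catches Base64 padding that arrives URL-encoded as %3D, which the raw "==" grep cannot see.

```python
"""Tag client-fingerprinting parameters in HTTP proxy log lines.

Added example, not from the original post: the grep one-liners are
re-applied to decoded parameter values instead of the raw log line, which
removes two grep problems: '+' / '%xx' encoding hiding the value, and
accidental matches that run across '&' boundaries.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines modelled on the redacted requests in the
# post; hosts, MACs, IPs and values are invented.  Assumed format:
# <epoch> <client> <method> <url>
SAMPLE_LOG = """\
1271692800 10.0.0.5 GET http://hotspot.example/kfc_login.php?cmd=login&mac=00:11:22:33:44:55&ip=192.168.1.20&essid=KFC-FREE-WIFI
1271692801 10.0.0.6 GET http://c2.example/shell.asp?id=123456&mac=00-11-22-33-44-55&os=Windows+XP&ver=20090101
1271692802 10.0.0.7 GET http://c2.example/mars/remote.php?os=W7&version=508&build=508
1271692803 10.0.0.8 GET http://upd.example/gpupd.php?VER=1&SubId=7&OS=Windows+NT+Workstation+5.1&mac=00112233445500112233445500112233
1271692804 10.0.0.9 GET http://cdn.example/static/app.js?v=20100419
1271692805 10.0.0.10 GET http://dvr.example/notify.php?UUID=550e8400-e29b-41d4-a716-446655440000&local_ip=192.168.1.30:8000&cc=us&data=aGVsbG8gd29ybGQ%3D
1271692806 10.0.0.11 GET http://stat.example/s.php?cpu=Intel%28R%29+Core%28TM%29&mem=2048&loc=DE
"""

HEX2 = r"[0-9A-Fa-f]{2}"

# Whole-value patterns (re.fullmatch): the decoded value must have exactly
# this shape.  This is the "=" anchor of the grep filters plus an end anchor.
FULL_VALUE = {
    "mac":        re.compile(rf"(?:{HEX2}[:-]){{5}}{HEX2}"),
    "mac_nosep":  re.compile(r"[0-9A-Fa-f]{12}"),
    "ipv4":       re.compile(r"(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?"),  # optional :port
    "uuid":       re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"),
    "uuid_nosep": re.compile(r"[0-9A-Fa-f]{32}"),   # also matches any MD5 digest
    "base64":     re.compile(r"[A-Za-z0-9+/]{6,}={1,2}"),  # padded Base64 only, as in the post
}

# Prefix patterns (re.match): value starts with one of the terms, like the
# "=\(win\|xp...\)" grep.  Still noisy: "version=5.1.2" trips win_os.
PREFIX_VALUE = {
    "cpu":    re.compile(r"x86|i32|i64|pentium|xeon|intel", re.I),
    "win_os": re.compile(r"win|xp|w7|5\.1|vista", re.I),
}

# The post's list; swap in the locations common for your own hosts.
COUNTRY_CODES = {"US", "UK", "IN", "AU", "FR", "CA", "MX", "DE", "CN"}


def classify(url):
    """Return the set of tags whose pattern matches some parameter value."""
    tags = set()
    # parse_qsl decodes %xx and '+', so the patterns see the real value
    # (e.g. "%3D" becomes "=", "Windows+XP" becomes "Windows XP").
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for tag, rx in FULL_VALUE.items():
            if rx.fullmatch(value):
                tags.add(tag)
        for tag, rx in PREFIX_VALUE.items():
            if rx.match(value):
                tags.add(tag)
        if value.upper() in COUNTRY_CODES:
            tags.add("country")
    return tags


def scan(log_text, url_column=3):
    """Return [(url, sorted tags)] for every log line that triggers a tag."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) <= url_column:
            continue  # malformed or truncated line
        tags = classify(fields[url_column])
        if tags:
            hits.append((fields[url_column], sorted(tags)))
    return hits


if __name__ == "__main__":
    for url, tags in scan(SAMPLE_LOG):
        print(",".join(tags).ljust(30), url)
```

Running it tags six of the seven constructed lines; the static JavaScript request falls through untagged, while the 32-hex "mac" value is reported as uuid_nosep, which is exactly the kind of noise the post warns about.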
Proven, common botnet/malicious parameters:
Looking at an EmergingThreats (ET) ruleset, I pulled out signatures that look for specific parameters.
Here is the regex that I used if you want to replay for yourself / track this over time:
$ grep -o "content:\"[^\"]*\"" emerging-all.rules | grep -o "[A-Za-z0-9_-]*=" | sort | uniq -c | sort -n -r
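An added example, not from the post and not part of the Emerging Threats project, that performs the same count in Python while parsing the content: options properly: it decodes Snort/Suricata |hex| escapes (so "&mac=" written as |26 6d 61 63 3d| is counted too) and skips commented-out rules, both of which the raw grep misses. The rules it runs over are constructed for the demo, with sids in the local range.

```python
"""Count the URL parameter names that an IDS ruleset keys on.

Added example, not from the original post: the grep | sort | uniq -c
pipeline, but with the content:/uricontent: strings decoded first.
"""
import re
from collections import Counter

# Constructed rules in Snort/Suricata syntax; not taken from any real
# ruleset.  Paths echo the requests quoted in the post.
SAMPLE_RULES = r'''
# constructed rules for the demo, sids in the local (1000000+) range
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Trojan checkin"; flow:established,to_server; uricontent:"/shell.asp?id="; uricontent:"&mac="; uricontent:"&os="; classtype:trojan-activity; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Adware update"; content:"/gpupd.php?VER="; http_uri; content:"|26|SubId|3d|"; http_uri; content:"&OS="; http_uri; content:"|26 6d 61 63 3d|"; http_uri; sid:1000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Worm settings"; content:"/mars/settings.cfg?build="; http_uri; content:"&os=W7&new=1"; http_uri; sid:1000003; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE disabled"; content:"&mac="; http_uri; sid:1000004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE UA"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; http_header; content:"id="; http_uri; sid:1000005; rev:1;)
'''

# content:"..." and uricontent:"..." bodies; a backslash escapes the next char.
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')
# |26 6d 61 63 3d| style hex blocks inside a content string.
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")
# "name=" tokens, same character class as the grep but without the empty match.
PARAM_RE = re.compile(r"[A-Za-z0-9_-]+=")


def decode_content(raw):
    """Turn a rule content string into the text it actually matches."""
    def hex_block(m):
        return bytes.fromhex("".join(m.group(1).split())).decode("latin-1")
    text = HEX_RE.sub(hex_block, raw)          # hex blocks first ...
    return re.sub(r"\\(.)", r"\1", text)       # ... then \" \; \\ escapes


def parameter_counts(rules_text):
    """Count parameter names (case-folded) across all enabled rules."""
    counts = Counter()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled rule
        for raw in CONTENT_RE.findall(line):
            for token in PARAM_RE.findall(decode_content(raw)):
                counts[token[:-1].lower()] += 1  # drop the trailing '='
    return counts


if __name__ == "__main__":
    for name, n in parameter_counts(SAMPLE_RULES).most_common():
        print(f"{n:7d} {name}=")
```

Case-folding merges "OS" and "os" into one bucket, which matches how you would actually hunt for the parameter in a log with grep -i; drop the .lower() if you want the ruleset's own spelling preserved.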
Using this method, the top / most frequently seen parameters within ET at present are (the leading number is the number of times the parameter was seen in the ruleset):