So my first forray into this world, I fired up my VM and wireshark and headed over to 2 websites I was told were hosting malware. Lessons learned 1: Make a checklist. I had forgotten to prep my tools and I ended up opening wireshark in the middle of my session, and forgot to take a clean snapshot of my vm.
Luckily or not the sites appeared to be clean. No google alert on the sites, no alarm from my security software and no redirects I was expecting. Lessons learned 2: stuff changes, sites get cleaned up.
So I headed over to google and looked up "list of infected websites" I came upon an old list and headed to one ending in .ru, a good candidate I figured. My host's security software did alert on the site and claimed it had denied access to the site, this was not completely the case as I was seeing the site, or at least a placeholder. IAC I reverted and looked for something more... active. Luckily a friend had mentioned in an online post that GRC hosted some malware. I headed over and found that it was hosting cryptolocker and zeus. I figured I am not prepared for cryptolocker and downloaded and ran zeus. Success!
This particular form of zeus came as a file, I believe a doc, likely a double file extension, i'll check later, and once executed brings up an adobe flash player installer/upgrade window, with a UAC window. Noticeable is that the program is signed by adobe, if I remember correctly the software uses legitimate but now revoked keys from adobe. If you give the software permission to install, it fails out and you are owned.
Analysis notes: Host security software blocked access to several IP addresses. When I threw a few of these through Virus Total, they came back clean or low detection rates, so Lessons learned3: don't rely completely on reputation and online scanners! I looked at my installed tools, regshot was the most useful with its comparison indicating that a number of files had been deleted and firewall rule changes made. Windows Defender was uninstalled, and the Windows firewall appeared to be turned off, though it was likely running in some fashion I suspect. Snort did detect the zeus activity and the exe file download. Strangely enough, OSSEC did not appear to detect any activity that I could see, so I have to suspect either its capabilities, or my use of ELSA as a monitoring tool. Please leave any thoughts or comments below, and thank you.
No comments:
Post a Comment