Wireshark Hack Discovery Tour (3)-bodisparking Malicious code

Source: Internet
Author: User
Tags: domain name server

Wireshark Hack Discovery Tour (3)-bodisparking malicious code | poly-Frontal Lab | 2015/07/21 10:41

Mr.right, Evancss, K0r4dji

Disclaimer: The attack methods mentioned in this article are described only to expose and analyze malicious network attacks; do not imitate them, otherwise the consequences are at your own risk.

0x00 Discovery

We received a customer request for a host security analysis of its Internet office area. While analyzing the communication data of one host, we filtered on the HTTP protocol.

Looking at the data, we found an anomaly: the host does not generate much HTTP traffic, but a large number of its HTTP requests are "GET heikewww/www.txt". What caught our attention was the Pinyin "heike" (hacker) in the path. Sorting by the "Info" column makes this clearer, and you can also see that the requests are spaced about 50 seconds apart.

To analyze the requested URL more precisely, choose Statistics in the menu, then HTTP, then Requests. You can see that only one URL is requested: "d.99081.com/heikewww/www.txt", requested 82 times within a short period.

Regular, long-term HTTP communication with the same domain name is, as the saying goes, "if not sneaky, then stolen": it is up to no good in one of two ways.

    1. Sneaky: Much anti-virus software, many apps and commercial programs, in order to keep a long-lived connection, periodically connect to their vendor's server over HTTP or another protocol once installed. The stated purpose is to provide online services, check for upgrade versions and so on, but the same channel can also monitor your computer or phone and steal your information.
    2. Theft: Trojans, viruses and other malicious software need to know whether the puppet host is online, so they have a heartbeat mechanism: they connect to their zombie (command-and-control) server over HTTP or another protocol, and once you are online they can control you at any time.
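The heartbeat pattern described above can be checked mechanically. The following Python script is an added example, not code from the original article: it groups HTTP requests by client, Host header and URI, then flags any stream that repeats at least five times at a near-constant interval, which is the beaconing behaviour the text describes. The request records, timestamps and the www.example.com requests are constructed for the example; the thresholds (min_count, max_jitter) are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict

# Constructed sample of HTTP GET requests as a monitor might log them:
# (epoch seconds, source host, Host header, request URI).
# Modelled on the capture discussed in the article; the timestamps and the
# www.example.com entries are made up for this example.
SAMPLE_REQUESTS = [
    (1437450000.0, "10.190.16.143", "d.99081.com", "/heikewww/www.txt"),
    (1437450050.2, "10.190.16.143", "d.99081.com", "/heikewww/www.txt"),
    (1437450100.1, "10.190.16.143", "d.99081.com", "/heikewww/www.txt"),
    (1437450149.9, "10.190.16.143", "d.99081.com", "/heikewww/www.txt"),
    (1437450200.3, "10.190.16.143", "d.99081.com", "/heikewww/www.txt"),
    (1437450250.0, "10.190.16.143", "d.99081.com", "/heikewww/www.txt"),
    (1437450005.0, "10.190.16.143", "www.example.com", "/index.html"),
    (1437450007.0, "10.190.16.143", "www.example.com", "/style.css"),
    (1437450180.0, "10.190.16.143", "www.example.com", "/news"),
]


def group_requests(requests):
    """Group request timestamps by (source host, Host header, URI)."""
    groups = defaultdict(list)
    for ts, src, host, uri in requests:
        groups[(src, host, uri)].append(ts)
    return groups


def find_beacons(requests, min_count=5, max_jitter=0.2):
    """Return (key, count, median_interval_seconds) for every request stream
    that repeats at least min_count times with a near-constant interval.

    Jitter is measured as (max gap - min gap) / median gap, so a stream that
    fires every ~50 s with a few hundred milliseconds of drift scores near 0,
    while ordinary browsing (bursts, long idle periods) scores far above 1.
    """
    beacons = []
    for key, stamps in group_requests(requests).items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        jitter = (max(gaps) - min(gaps)) / median
        if jitter <= max_jitter:
            beacons.append((key, len(stamps), round(median, 1)))
    return beacons


if __name__ == "__main__":
    for (src, host, uri), count, interval in find_beacons(SAMPLE_REQUESTS):
        print(f"{src} -> {host}{uri}: {count} requests, every ~{interval} s")
```

On the constructed sample only the d.99081.com stream is reported (6 requests, roughly every 49.9 s); the three www.example.com requests fall below min_count and are irregular anyway. In practice the same function can be fed from tshark field output over a whole capture window, and legitimate update checkers will show up too, which is exactly the "sneaky or stolen" ambiguity the text warns about.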

Next, let's filter on the DNS protocol.

As can be seen, the DNS requests contain nothing related to the domain name "d.99081.com". There are many methods and techniques by which Trojan or virus communication bypasses DNS resolution; interested readers can look them up for themselves. Therefore, for a security monitoring device, monitoring based on DNS alone is completely inadequate.

Next, let's look at the specifics of the HTTP request. Clicking on the HTTP GET packet, you can see the full requested URL "d.99081.com/heikewww/www.txt" and the subsequent retrieval of the www.txt file.

Using Follow TCP Stream, you can see all of the malicious code contained in www.txt.
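The point that a DNS-only monitor misses this traffic can be turned into a detection. The Python snippet below is an added example, not part of the original article: for each HTTP request it asks whether the capture contains an earlier DNS answer, for the same client, mapping the Host header to the destination IP, and reports the requests that have none. The event list is constructed for the example; in a real deployment it would be filled from tshark field output.

```python
from collections import defaultdict

# Constructed capture summary in time order. Each entry is
# (kind, epoch seconds, client IP, detail) where detail is
#   for "dns":  (answered name, answered IP)
#   for "http": (destination IP, Host header, URI)
# The www.example.com entries are made up; the d.99081.com entries mirror the
# behaviour described in the article (HTTP to a name that was never resolved).
SAMPLE_EVENTS = [
    ("dns",  1437449990.0, "10.190.16.143", ("www.example.com", "93.184.216.34")),
    ("http", 1437449991.0, "10.190.16.143", ("93.184.216.34", "www.example.com", "/index.html")),
    ("http", 1437450000.0, "10.190.16.143", ("199.59.243.120", "d.99081.com", "/heikewww/www.txt")),
    ("http", 1437450050.0, "10.190.16.143", ("199.59.243.120", "d.99081.com", "/heikewww/www.txt")),
]


def unresolved_http_hosts(events):
    """Return sorted (client, destination IP, Host header) triples for HTTP
    requests whose Host/IP pair was never seen in a DNS answer for that client
    earlier in the capture.

    Caveat: a name resolved and cached before the capture started will also be
    flagged, so run this over a window longer than the DNS TTLs in play.
    """
    resolved = defaultdict(set)   # client -> {(name, ip)} seen so far
    flagged = set()
    for kind, _ts, client, detail in sorted(events, key=lambda e: e[1]):
        if kind == "dns":
            name, ip = detail
            resolved[client].add((name, ip))
        elif kind == "http":
            dst_ip, host, _uri = detail
            if (host, dst_ip) not in resolved[client]:
                flagged.add((client, dst_ip, host))
    return sorted(flagged)


if __name__ == "__main__":
    for client, dst_ip, host in unresolved_http_hosts(SAMPLE_EVENTS):
        print(f"{client} sent HTTP to {host} ({dst_ip}) without a DNS lookup in this capture")
```

On the sample, www.example.com is not reported because its DNS answer precedes the request, while d.99081.com is reported once (the two requests collapse to a single finding). This is the complement of the DNS view: the malware's traffic is invisible in the DNS filter but stands out when HTTP Host headers are cross-checked against DNS answers.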

0x01 Association

At this point it is basically confirmed that host 10.190.16.143 is running malicious code that communicates at fixed intervals over HTTP with IP address 199.59.243.120 (domain name d.99081.com), and downloads and runs the /heikewww/www.txt file described above.

So, have other hosts also been compromised?

This question is easy to answer, provided we have monitoring traffic for the entire network over a period of time; we then look for which hosts communicated with the IP address (199.59.243.120). If the domain name points to dynamic IP addresses, the name must be resolved as well.

    1. If the capture consists of a single pcap file, filter directly with "ip.addr==199.59.243.120".
    2. Whole-network traffic rates are generally high, so it is unlikely to be saved as a single file. If there are a large number of pcap files, the same result can be achieved with Wireshark batch filtering.

Here we will learn the usage of tshark.exe, which ships with Wireshark, and use it to implement batch filtering.

With tshark, a single filter command in the command-line environment looks like this:

    cd "C:\Program Files\Wireshark"
    tshark -r D:\DATA\1.cap -Y "ip.addr==199.59.243.120" -w E:\DATA\out\1.cap

Explanation: first change to the Wireshark directory and call the tshark program; -r is followed by the source capture file, -Y by the display filter (the same syntax as a filter rule in Wireshark), and -w by the destination file. Note that the output flag is lowercase -w; uppercase -W sets file-format options instead.

With this command you can write a batch script that filters a large number of pcap files within a folder.

In this way, all communication data for IP address 199.59.243.120 is filtered out.

Then tabulate which IP addresses communicated with it.

According to the statistical results, 4 hosts in the entire network have been infected by the same malicious code. All of the communication content is identical; only the request interval differs slightly, about 50 seconds for some hosts and about 4 minutes for others.
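The batch loop and the host tally described in the steps above, written out as an added Python example (not the article's own script). It wraps tshark.exe with subprocess: build_filter_cmd reproduces the single-file command, batch_filter applies it to every capture in a folder, build_fields_cmd asks tshark for one line per matching packet, and hosts_talking_to counts packets per internal host from that output. The Wireshark install path is an assumption, and the sample field output is constructed to show the function's behaviour without a capture.

```python
import os
import shutil
import subprocess
from collections import defaultdict

# Assumed install location, used only if tshark is not already on PATH.
TSHARK = shutil.which("tshark") or r"C:\Program Files\Wireshark\tshark.exe"

CAPTURE_EXTENSIONS = (".cap", ".pcap", ".pcapng")


def build_filter_cmd(src_file, dst_file, ip):
    """Argument list equivalent to: tshark -r SRC -Y "ip.addr==IP" -w DST."""
    return [TSHARK, "-r", src_file, "-Y", f"ip.addr=={ip}", "-w", dst_file]


def build_fields_cmd(src_file, ip):
    """Argument list that prints, per matching packet, a tab-separated line:
    frame.time_epoch, ip.src, ip.dst (tshark's default field separator)."""
    return [TSHARK, "-r", src_file, "-Y", f"ip.addr=={ip}", "-T", "fields",
            "-e", "frame.time_epoch", "-e", "ip.src", "-e", "ip.dst"]


def batch_filter(src_dir, out_dir, ip, run=subprocess.run):
    """Filter every capture file in src_dir into a same-named file in out_dir.
    `run` is injectable so the loop can be exercised without tshark installed.
    Returns the list of commands issued."""
    os.makedirs(out_dir, exist_ok=True)
    issued = []
    for name in sorted(os.listdir(src_dir)):
        if not name.lower().endswith(CAPTURE_EXTENSIONS):
            continue
        cmd = build_filter_cmd(os.path.join(src_dir, name),
                               os.path.join(out_dir, name), ip)
        run(cmd, check=True)
        issued.append(cmd)
    return issued


def hosts_talking_to(fields_output, ip):
    """Count packets per peer host from build_fields_cmd output, treating
    whichever side is not `ip` as the internal host of interest."""
    counts = defaultdict(int)
    for line in fields_output.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue          # skip blank or malformed lines
        _ts, src, dst = parts
        peer = dst if src == ip else src
        counts[peer] += 1
    return dict(counts)


# Constructed sample of what build_fields_cmd prints for the filtered capture:
# two infected hosts, one of them also receiving a reply from the server.
SAMPLE_FIELDS_OUTPUT = "\n".join([
    "1437450000.000000000\t10.190.16.143\t199.59.243.120",
    "1437450000.120000000\t199.59.243.120\t10.190.16.143",
    "1437450050.000000000\t10.190.16.143\t199.59.243.120",
    "1437450240.000000000\t10.190.16.20\t199.59.243.120",
])


if __name__ == "__main__":
    # Dry run: print the commands instead of executing tshark.
    print(" ".join(build_filter_cmd(r"D:\DATA\1.cap", r"E:\DATA\out\1.cap",
                                    "199.59.243.120")))
    for host, n in hosts_talking_to(SAMPLE_FIELDS_OUTPUT, "199.59.243.120").items():
        print(f"{host}: {n} packets with 199.59.243.120")
```

To run it for real, call batch_filter(r"D:\DATA", r"E:\DATA\out", "199.59.243.120"), then feed the output of subprocess.run(build_fields_cmd(path, ip), capture_output=True, text=True).stdout for each filtered file into hosts_talking_to; the per-host timestamps in that same output are what you would use to compare the 50-second and 4-minute intervals the text mentions.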

0x02 In depth

1 Source of malicious code

In www.txt we found the URL "/zm9yy2vtug". Opening it, we found sponsored ads and other spam content, such as:

Through a WHOIS query we learned that the name servers for 99081.com are ns1.bodis.com and ns2.bodis.com. bodis.com is an asset of Bodis, LLC; visiting its home page shows that it provides domain parking services: users point their idle domain names at its hosting, and it shares with those users the revenue from the advertising traffic and clicks the domain names generate.

2 Malicious code behavior

From publicly available information, bodis.com is a domain parking service provider that has operated for many years and earns mainly from Internet advertising; whether it has engaged in any illegal network behavior of its own remains to be analyzed.

99081.com is a registered user of bodis.com, that is, a domain parking customer; it depends on bodis.com displaying ads and attracting user clicks to earn its own revenue share. Our preliminary analysis is that 99081.com uses a system vulnerability or software bundling to install and run malicious code on a large number of victim computers, which then access its domain parking site, generating a massive flow of traffic to 99081.com and earning it bodis.com's revenue share. Domain parking providers usually classify this behavior as click fraud, and once it is discovered the penalty is severe.

3 Attacker identity

Based on the code combined with other information, the attacker's identity is basically pinned down. Here is the information from their registration on a forum:

0x03 Conclusion

    1. The attacker uses illegal means to exploit domain parking site ads and make a little money; this is small-scale black-market activity with no professional skill behind it;
    2. The attack method is most likely a web-page Trojan (drive-by download) or software bundling; anyone who visits the compromised website or downloads and runs the bundled software easily becomes a victim;
    3. The malicious code continuously accesses the domain parking site over HTTP, and the attacker makes money from the traffic the malicious code generates.
