Tuesday, January 31, 2012

Snort Sigs Made Easy w/ Security Onion

Following the April 2011 Epsilon hack, one of my legacy web-mail accounts started receiving a high volume of Spam/Phishing emails. My email address, along with millions of others, was exposed and added to a long distribution list of potential victims of commodity-based malware.
You know the flavor: emails reporting that you have an unpaid traffic ticket or a package pending delivery, and in order to take action you are to download the attached zip file. The zip file most often contains a compressed executable that presents itself as a PDF file when extracted. The malware is usually a Trojan dropper that, when run, will download Fake Anti-virus software, Zeus, SpyEye, or another commodity-based sample. That, or I have a lot of unpaid "uniform" traffic tickets in NY and a TON of FedEx, DHL, and USPS packages pending delivery.

These emails represent possible intelligence on the commodity-based actors. Most organizations allow access to web-mail, and regardless of the threat type (non-targeted/commodity-based), detecting the presence of the related indicators is necessary. 99% of the attachments aren't detected by the AV engine provided by the web-mail provider, which allows me to download the samples and perform quick dynamic analysis on them. From this I'm able to identify host-level and network-based indicators of commodity-based samples circulating in the wild. I'm able to provide this quicker than the vendors, as I'm being provided the samples directly!

What I was missing was the ability to quickly create, deploy, and validate network based signatures to detect the presence of the indicators in a simple virtual lab environment. Enter Security Onion. Thanks Doug Burks. Discussing all the features that Security Onion distro provides is outside the scope of this article, but I highly encourage you to visit http://securityonion.blogspot.com/ for additional info.
Security Onion provides a working Snort, Sguil, and Snorby configuration (and many other NSM collection/analysis tools) for alert data and analysis. What's even better is that more and more people are starting to adopt and document some of the Security Onion capabilities. Following this Wiki article, https://code.google.com/p/security-onion/wiki/AddingLocalRules, I was able to quickly write, test, and deploy SNORT sigs to detect the presence of network based indicators pulled from a commodity based sample.

Prelim summary of sample acquired from web-mail account: 
  • Trojan dropper delivered via web-mail
  • Spam/Phishing email reporting recent "Uniform Traffic Ticket"
  • Email sender is spoofed
  • Email contains ZIP attachment containing nested/compressed exe
  • If exe is extracted and 'run', files are created on the volume within \LOCALS~1\Temp  
  • wuauclt.exe process is started and opens external connection out to downtraff[d]ru to download additional payload
  • Malware achieves persistence via HKLM run key
Malware communication out to the internet post user click through:
  • POST /and/image.php to downtraff[d]ru
  • GET /sol.exe to downtraff[d]ru
I then created and added the following Snort rules to the local.rules file and ran the PulledPork update:

  • alert tcp any any -> any 80 (msg:"Uniform Traffic Ticket C2"; flow:to_server; content:"and/image.php"; nocase; reference:url,jphsecurity.blogspot.com; sid:1000001; rev:1;)
  • alert tcp any any -> any 80 (msg:"Uniform Traffic Ticket Binary"; flow:to_server; content:"/sol.exe"; nocase; reference:url,jphsecurity.blogspot.com; sid:1000002; rev:1;)
(Helpful tip: if your SNORT sig syntax is wrong, the snort process won't restart. Note that nocase is a modifier that follows its content option as a separate semicolon-terminated keyword, and every option, rev included, needs its closing semicolon. Simply cat the snortu.log stored within /var/log/nsm/~/, fix the syntax, and then run the PulledPork update again.)

I then used scapy to generate packets that met the conditions of the newly added local rules and monitored Snorby and Sguil for alert generation.
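Before pushing rules through PulledPork and firing scapy at the sensor, it helps to sanity-check what the content options will and won't match. The script below is an added example (not the post's or Security Onion's code): it parses the msg, content, nocase and sid options from constructed copies of the two local.rules entries, builds the HTTP payloads the scapy test packets would carry (the host name is the post's defanged downtraff[d]ru, used here only as a label), and reports which payloads would fire each sid, including a case-variant that depends on nocase and a near-miss that must stay quiet.

```python
import re

# Constructed copies of the post's two local.rules entries; only msg, content, nocase and sid are read.
LOCAL_RULES = [
    'alert tcp any any -> any 80 (msg:"Uniform Traffic Ticket C2"; flow:to_server; '
    'content:"and/image.php"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Uniform Traffic Ticket Binary"; flow:to_server; '
    'content:"/sol.exe"; nocase; sid:1000002; rev:1;)',
]

def parse_rule(rule):
    """Pull msg, sid and each content pattern (with its nocase flag) out of one rule."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    parsed = {"contents": []}
    for name, val in re.findall(r'([a-z_]+)(?::("[^"]*"|[^;]*))?;', opts):
        val = val.strip().strip('"')
        if name == "content":
            parsed["contents"].append({"pattern": val, "nocase": False})
        elif name == "nocase" and parsed["contents"]:
            parsed["contents"][-1]["nocase"] = True  # nocase modifies the preceding content
        elif name in ("msg", "sid"):
            parsed[name] = val
    return parsed

def http_request(method, path, host="downtraff[d]ru"):
    """Client-to-server payload a scapy test packet would carry (constructed sample)."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def matches(parsed, payload):
    """True when every content option of the rule is found in the payload bytes."""
    for c in parsed["contents"]:
        hay, needle = payload, c["pattern"].encode()
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

def check_payloads(rules, payloads):
    """Map each rule's sid to the names of the test payloads that would fire it."""
    return {p["sid"]: [n for n, data in payloads.items() if matches(p, data)]
            for p in map(parse_rule, rules)}

TEST_PAYLOADS = {
    "c2_post": http_request("POST", "/and/image.php"),
    "binary_get": http_request("GET", "/sol.exe"),
    "binary_get_upper": http_request("GET", "/SOL.EXE"),  # fires only because of nocase
    "near_miss": http_request("GET", "/solve.exe"),       # must not fire
}
```

Calling check_payloads(LOCAL_RULES, TEST_PAYLOADS) gives the expected hit list per sid; a payload that matches here but produces no Sguil event on the sensor points at the deployment (PulledPork, flow state) rather than the content match.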

I really like the Snorby web interface. It's intuitive and allows for quick alert review and categorization. 

(Screenshot: Alert review w/ Snorby)

(Screenshot: Event Details for Uniform Traffic Ticket Binary Alert. Request for /sol.exe over 80/TCP)

(Screenshot: Real Time Events view w/ Sguil. Uniform Traffic Ticket Binary Alert.)

(Screenshot: Uniform Traffic Ticket C2 Alert)

By monitoring the exposed legacy web-mail account, performing analysis on Spam/Phishing messages, and then using Security Onion to create and test Snort signatures that identify the presence of network-based indicators, I am able to provide tested monitoring and network-based counter-measures for the latest TTPs these campaigns and commodity-based actors are using.

The emails provide possible counter-intel, dynamic analysis identifies indicators, and Security Onion provides a simple virtual environment to create content (custom Snort sigs) to detect the presence of the network-based indicators. 

There are so many other non-production scenarios where this TTP can be used:

  • Training junior level responders
    • Create and test Snort signatures for samples being sent to the client population
  • Classroom environments 
  • Testing Snort sigs created from open/closed source reporting
Happy hunting, or in this case, matching. 
