Monthly Archives: February, 2012

Building Emerging Threats Filters in ArcSight using information from the SRI Malware Centre.

Most Prolific BotNet Command and Control Servers and Filters Wed Feb 22 08:41:10 2012

Link to the list which is updated daily

Lately, this blacklist has given me a great deal of success in finding infected end points beyond the reach of updated anti-virus. The advisories from the SRI are information rich and list key elements for writing rules and/or gathering other metrics. The main elements I gather from the advisories are:

  1. Target IPv4 Address
  2. Chatter Examples (if known) which can list some of the following elements, especially if mapped from Blue Coat Proxy SG File Connector:
    1. Request Client Application which is the cs(User-Agent) or User Agent String
    2. Request URL Port which is any client requested ports
    3. Request URL File Name
    4. Target Service Name used for additional communications. This is especially useful for protocols which use ephemeral ports, such as TFTP; many protocols can be used over multiple ports.
  3. Transport Protocol
  4. Target Port
  5. Destination Geo Country (if known)
  6. Request URL which can be the Target Domain
  7. Which anti-virus vendors are estimated to have protection.
  8. Priority which helps assess the risk level.
  9. How many clients have been observed, to assess the chance that it might be on your network.


In the example screenshot above from the SRI Malware Threat Centre advisory website there are several suspect IPv4 Target Addresses. I made a summary table of some basic information from all the listed advisories and chatter. If the file names have additional advisories they are blue in the image and hyperlinked in the filter section.


Notes:

  1. 83.133.119.197 / greatnet.de
    1. I ran tracert on the domain greatnet.de; it resolved to 83.133.96.6.
    2. I ran tracert on the IPv4 address 83.133.119.197; it resolved to a host called srv201.cyberhost.name.
  2. 94.63.149.150 / ipv4ilink.net
    1. No result when I ran tracert on the IP address, but the host is up, confirmed with filtered ports on 65520.
    2. Nmap port test for live host verification: nmap -sS -p 65520 -Pn 94.63.149.150 (output: Host is up 65520/tcp filtered unknown service).
  3. 91.226.212.159 / nacksystem.net
    1. I ran tracert on the IPv4 address 91.226.212.159; it resolved to vds159.xserver.ua.
    2. When I ran tracert on the domain nacksystem.net, my DNS was unable to resolve it. But Robtex showed it had 1 IPv4 address, 217.70.184.38, which actually resolves to Gandi.net, a legitimate provider. This suggests some spoofing or obfuscation might be used.
  4. 91.226.212.164 / nacksystem.net
    1. I ran tracert on the IPv4 address 91.226.212.164; it resolved to vds164.xserver.ua.
  5. citi-bank.ru resolves to 213.155.14.161
  6. My DNS could not resolve ghyt54.com or vbnjhg.com. This could suggest only infected assets can resolve the IP to a name.
  7. largokal.net resolves to 184.82.183.29
  8. gamesnetforum.ru resolves to 195.208.185.84
  9. 192.168.1.153 is a private class C IPv4 address. This range is used by internal end points and/or servers, so it will not be used in the filter.

Filters for finding end points possibly infected with something naughty:

All the filters can be downloaded so you could use them for Active Lists or could customize them. Personally, I separate the known malicious IPv4/URLs/File Names from the suspected traffic so I can fine tune rules and reports.

Most Prolific C&C SRI Malware Centre Target IPv4 Addresses (download CSV here)

213.155.14.161
83.133.119.197
83.133.96.6
94.63.149.150
190.96.181.218
94.63.147.131
91.226.212.159
91.226.212.164
114.112.255.81

Most Prolific C&C SRI Malware Centre Request URLs (download CSV here)

srv201.cyberhost.name
greatnet.de
ipv4ilink.net
190-96-181-218.telebucaramanga.net.co
vds159.xserver.ua
nacksystem.net
vds164.xserver.ua

Most Prolific C&C File Names SRI Malware Centre Request URL File Name and/or Request URLs (download CSV here)

Where there are additional security advisories on the file names, they are hyperlinked to the advisory in the table.

I chose file names that were not legitimate in my environment.

Most Prolific C&C SRI Malware Centre additional suspicious Target IPv4 Addresses (download CSV here)

95.75.158.158
110.12.70.106
91.202.244.57
1.250.41.32
110.14.197.56
1.247.138.126
188.247.135.95
70.184.126.54
31.184.242.44

Most Prolific C&C File Names SRI Malware Centre additional suspicious Request URLs (download CSV here)

citi-bank.ru
ghyt54.com
largokal.net
gamesnetforum.ru

I chose filter properties based on the technology field mappings in ArcSight I have available for the technologies I monitor. I chose very broad test filter properties, such as Contains and ignore case, which can be tuned down as required.

Event:

( Request Url Contains srv201.cyberhost.name [ignore case] OR
Request Url Contains greatnet.de [ignore case] OR
Request Url Contains ipv4ilink.net [ignore case] OR
Request Url Contains 555.exe [ignore case] OR
Request Url Contains pac.txt [ignore case] OR
Request Url Contains PreLoader_59fast.exe [ignore case] OR
Request Url Contains nacksystem.net [ignore case] OR
Request Url Contains citi-bank.ru [ignore case] OR
Request Url Contains ghyt54.com [ignore case] OR
Request Url File Name Contains 555.exe [ignore case] OR
Request Url File Name Contains pac.txt [ignore case] OR
Request Url File Name Contains PreLoader_59fast.exe [ignore case] OR
Request Url File Name Contains loaderadv555.exe [ignore case] OR
Request Url File Name Contains pac33.txt OR
Target Address = 213.155.14.161 OR
Target Address = 83.133.119.197 OR
Target Address = 83.133.96.6 OR
Target Address = 94.63.149.150 OR
Target Address = 190.96.181.218 OR
Target Address = 94.63.147.131 OR
Target Address = 91.226.212.159 OR
Target Address = 91.226.212.164 OR
Target Address = 114.112.225.81 )
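The filter above re-implemented in Python against constructed proxy events, so the Contains [ignore case] and Target Address matching can be tested offline before the ArcSight resource is tuned. This is an added example, not part of the original post; the indicator values are taken from the filter block, while the event field names (requestUrl, requestUrlFileName, targetAddress, sourceAddress) and the sample events are assumptions.

```python
"""Prototype of the ArcSight filter above, applied to proxy events.

Added example, not from the original post. ArcSight-style field names
(requestUrl, requestUrlFileName, targetAddress, sourceAddress) are assumed.
"""
# Indicator values are the ones listed in the post's filter.
URL_INDICATORS = (
    "srv201.cyberhost.name", "greatnet.de", "ipv4ilink.net", "555.exe",
    "pac.txt", "PreLoader_59fast.exe", "nacksystem.net", "citi-bank.ru",
    "ghyt54.com",
)
FILE_NAME_INDICATORS = (
    "555.exe", "pac.txt", "PreLoader_59fast.exe", "loaderadv555.exe", "pac33.txt",
)
TARGET_ADDRESSES = frozenset({
    "213.155.14.161", "83.133.119.197", "83.133.96.6", "94.63.149.150",
    "190.96.181.218", "94.63.147.131", "91.226.212.159", "91.226.212.164",
    "114.112.225.81",
})

def _contains_ignore_case(value, indicators):
    """ArcSight 'Contains ... [ignore case]': case-folded substring match."""
    value = (value or "").lower()
    return any(ind.lower() in value for ind in indicators)

def matches_filter(event):
    """True when the event satisfies the OR-chain of the filter above."""
    return (
        _contains_ignore_case(event.get("requestUrl"), URL_INDICATORS)
        or _contains_ignore_case(event.get("requestUrlFileName"), FILE_NAME_INDICATORS)
        or event.get("targetAddress") in TARGET_ADDRESSES
    )

def suspect_endpoints(events):
    """Source addresses with at least one matching event (the infected-endpoint view)."""
    return {e["sourceAddress"] for e in events if matches_filter(e)}

# Constructed sample events; 10.0.0.x sources are fictional internal hosts.
SAMPLE_EVENTS = [
    {"sourceAddress": "10.0.0.5", "requestUrl": "http://GreatNet.de/index.html",
     "requestUrlFileName": "index.html", "targetAddress": "83.133.96.6"},
    {"sourceAddress": "10.0.0.7", "requestUrl": "http://example.org/dl",
     "requestUrlFileName": "LoaderAdv555.exe", "targetAddress": "198.51.100.9"},
    {"sourceAddress": "10.0.0.9", "requestUrl": "http://example.org/news",
     "requestUrlFileName": "news.html", "targetAddress": "198.51.100.9"},
]

if __name__ == "__main__":
    print(sorted(suspect_endpoints(SAMPLE_EVENTS)))  # ['10.0.0.5', '10.0.0.7']
```

Because the URL indicators are substrings, a file-name indicator such as 555.exe also matches loaderadv555.exe, which is why the post's broad filter is meant to be tuned down afterwards.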

Please tell me if this blacklist proves successful or not. Also, please feel free to share any blacklists you use. I will be posting mine up shortly.

A friendly Factoid/Today I Learned (TIL): SRI International was originally part of the Stanford Research Institute, which was affiliated with the University. They received the second IMP device on October 1, 1969, as part of the DARPA network which was the precursor of the modern internet. The site was chosen as the second connection because a scientist named Doug Engelbart who worked there had impressed one of the project managers several years earlier with his invention of the computer mouse (X-Y position indicator for a display system).

Using ArcSight to find affected DNS Changer Virus Assets – Deadline 8 March 2012

Technology Requirements: ArcSight ESM, and logs from any technology which records the Target IPv4 Address and Target Port and whose events can be categorized with an Outcome.

The goal is to detect assets which could be infected with the DNS Changer virus. The DNS servers have been under FBI control temporarily via a court order. This was to allow infected computers time to get the worm off their systems. But on 8 March, 2012 the court order expires, which could potentially leave millions of infected computers unable to make valid or trusted DNS requests. If you use ArcSight or a similar SIEM here are some ways you can find any possible infected assets before the DNS addresses revert back.

To detect this threat I created four ArcSight resources:

  1. Filters
  2. Case
  3. Active List
  4. Rule

There are six IP ranges listed for suspect DNS traffic. The FBI has had control of the DNS servers since the take down operation and is about to shut the project down. Any computers making DNS requests to these IP ranges should be considered suspect and possibly infected:

Regular Format                  ArcSight Format
77.67.83.0-77.67.83.255         77.67.83.0,77.67.83.255
213.109.64.0-213.109.79.255     213.109.64.0,213.109.79.255
85.255.112.0-85.255.127.255     85.255.112.0,85.255.127.255
67.210.0.0-67.210.15.255        67.210.0.0,67.210.15.255
64.28.176.0-64.28.191.255       64.28.176.0,64.28.191.255
93.188.160.0-93.188.167.255     93.188.160.0,93.188.167.255

ArcSight broad filter

The goal is to create a filter that lists the suspect Target IPv4 Addresses together with the Target Port, which is DNS.

event1: ( ( Target Address Between (77.67.83.0,77.67.83.255) OR
Target Address Between (85.255.112.0,85.255.127.255) OR
Target Address Between (67.210.0.0,67.210.15.255) OR
Target Address Between (93.188.160.1,93.188.167.255) OR
Target Address Between (213.109.64.0,213.109.79.255) OR
Target Address Between (64.28.176.0,64.28.191.255) ) AND Target Port = 53 )


ArcSight communications successful filter

The goal is to create a filter for the suspect Target IPv4 Address and the Target Port which is DNS where the outbound communications were successful

event1 : ( ( Target Address Between (77.67.83.1,77.67.83.255) OR
Target Address Between (85.255.112.0,85.255.127.255) OR
Target Address Between (67.210.0.0,67.210.15.255) OR
Target Address Between (93.188.160.0,93.188.167.255) OR
Target Address Between (213.109.64.0,213.109.79.255) OR
Target Address Between (64.28.176.0,64.28.191.255) ) AND
Target Port = 53 AND
Category Outcome = /Success )

ArcSight Active List

The goal of the Active List is to record any assets which are suspected of being infected with the DNS Changer virus, keyed by the Attacker IPv4 Address. The Active List attributes are as follows:

  1. Name = DNS Changer Assets
  2. Optimize Data
  3. TTL = 90 Days
  4. Data = Fields-based
  5. Name = SuspectAssets
  6. Type = Address
  7. Sub-type = IP Address


ArcSight Case

The goal of the Case is to record any activity associated with assets which are suspected of being infected with the DNS Changer virus


ArcSight Rule – Any outbound communications

The goal of the Rule is to record any activity associated with assets which are suspected of being infected with the DNS Changer virus.



Basic aggregation conditions:


Rule Actions:

1. On the first matching event the message in the message field will be “DNS Changer Virus FBI Warning”

2. The name in the name field will list the attacker address

3. The priority is set to 0 because the rule is in testing phase

4. The activity will be added to an existing case called DNS Changer Virus FBI. This will aid in testing and tuning the rule.

5. On every event the attacker IPv4 address is added to an Active List called DNS Changer Assets. This will help determine whether it is a one-off series of events or whether DNS requests are frequent, which can pinpoint an infected computer.



ArcSight Rule – Successful outbound communications

The goal of this Rule is the same as above: to record any activity associated with assets which are suspected of being infected with the DNS Changer virus. Use the same settings as above, but use the filter called DNS Changer Virus Successful and alert on a higher priority if outbound communications are successful.

Visual graph outcome:

To read more about this topic from other sources:

[PDF] http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

http://gizmodo.com/5885716/the-fbi-might-cut-off-the-internet-for-millions-of-people-on-march-8th

http://upload.democraticunderground.com/10951119