Building Emerging Threats Filters in ArcSight using information from the SRI Malware Centre.

Most Prolific BotNet Command and Control Servers and Filters Wed Feb 22 08:41:10 2012

Link to the list which is updated daily

Lately, this blacklist has given me a great deal of success in finding infected endpoints that up-to-date anti-virus misses. The advisories from SRI are information-rich and list the key elements for writing rules and/or gathering other metrics. The main elements I gather from the advisories are:

  1. Target IPv4 Address
  2. Chatter examples (if known), which can include the following elements, especially when the events are mapped through the Blue Coat Proxy SG File Connector:
    1. Request Client Application, which is the cs(User-Agent) field, i.e. the User-Agent string
    2. Request URL Port, i.e. any port the client requested
    3. Request URL File Name
    4. Target Service Name used for additional communications. This is especially useful for protocols that negotiate ephemeral ports, such as TFTP; many protocols can also run over non-standard ports, so the service name is more stable than the port alone.
  3. Transport Protocol
  4. Target Port
  5. Destination Geo Country (if known)
  6. Request URL, which can be the Target Domain
  7. Which anti-virus vendors are estimated to have protection
  8. Priority, which helps assess the risk level
  9. How many clients have been observed, which helps gauge how likely it is that the threat is already on your network


In the example screenshot above from the SRI Malware Threat Centre advisory website there are several suspect IPv4 Target Addresses. I made a summary table of some basic information from all the listed advisories and chatter. If the file names have additional advisories they are blue in the image and hyperlinked in the filter section.


*Notes:

  1. 83.133.119.197 / greatnet.de
    1. I ran tracert on the domain greatnet.de; it resolved to 83.133.96.6.
    2. I ran tracert on the IPv4 address 83.133.119.197; it resolved to a host called srv201.cyberhost.name.
  2. 94.63.149.150 / ipv4ilink.net
    1. No result when I ran tracert on the IP address, but the host is up, confirmed by a filtered port on 65520.
    2. Nmap port test for live host verification: nmap -sS -p 65520 -Pn 94.63.149.150 (output: Host is up; 65520/tcp filtered unknown).
  3. 91.226.212.159 / nacksystem.net
    1. I ran tracert on the IPv4 address 91.226.212.159; it resolved to vds159.xserver.ua.
    2. I ran tracert on the domain nacksystem.net; my DNS was unable to resolve it. But Robtex showed it had one IPv4 address, 217.70.184.38, which actually resolves to Gandi.net, a legitimate provider. This suggests some spoofing or obfuscation might be used.
  4. 91.226.212.164 / nacksystem.net
    1. I ran tracert on the IPv4 address 91.226.212.164; it resolved to vds164.xserver.ua.
  5. citi-bank.ru resolves to 213.155.14.161.
  6. My DNS could not resolve ghyt54.com or vbnjhg.com. This could suggest that only infected assets can resolve the IP to a name.
  7. largokal.net resolves to 184.82.183.29.
  8. gamesnetforum.ru resolves to 195.208.185.84.
  9. 192.168.1.153 is a private class C IPv4 address. This range is used by internal end points and/or servers, so it will not be used in the filter.
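The checks in the notes above (forward-resolve the domain, reverse-resolve the address, compare the two, and keep private ranges out) are worth scripting before indicators go into a filter. The Python below is an added example for this post, not the author's tooling or anything from SRI. It resolves against constructed lookup tables built from the results recorded in the notes so that it runs offline; for live lookups swap in socket.gethostbyname and socket.gethostbyaddr. The registered_domain helper is an assumed simplification (last two labels), not a public-suffix-aware implementation.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed stand-in for live DNS so the example runs offline. The entries
# mirror the tracert/Robtex results recorded in the notes above; a key that is
# missing from a table is treated as "did not resolve".
FORWARD_TABLE: Dict[str, str] = {
    "greatnet.de": "83.133.96.6",
    "nacksystem.net": "217.70.184.38",
    "citi-bank.ru": "213.155.14.161",
    "largokal.net": "184.82.183.29",
    "gamesnetforum.ru": "195.208.185.84",
}
REVERSE_TABLE: Dict[str, str] = {
    "83.133.119.197": "srv201.cyberhost.name",
    "91.226.212.159": "vds159.xserver.ua",
    "91.226.212.164": "vds164.xserver.ua",
}


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver that answers only from a fixed table; None means no answer.
    For live use replace with socket.gethostbyname / socket.gethostbyaddr."""
    return lambda key: table.get(key.lower())


def registered_domain(hostname: str) -> str:
    """Last two labels of a hostname (assumed simplification; a real tool
    should consult the public suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(ip: str, domain: Optional[str],
           forward: Resolver, reverse: Resolver) -> dict:
    """Record what DNS says about an advisory's IP/domain pair and decide
    whether the IP may go into the blacklist filter at all."""
    addr = ipaddress.ip_address(ip)
    result = {"ip": ip, "domain": domain, "include_ip": addr.is_global,
              "ptr": None, "domain_ip": None, "flags": []}
    if not addr.is_global:
        # Note 9 above: RFC 1918 and other non-routable space belongs to
        # internal assets and must never be blacklisted.
        result["flags"].append("non_global_ip")
        return result
    result["ptr"] = reverse(ip)
    if domain:
        result["domain_ip"] = forward(domain)
        if result["domain_ip"] is None:
            result["flags"].append("nxdomain")          # e.g. ghyt54.com
        elif result["domain_ip"] != ip:
            result["flags"].append("forward_mismatch")  # domain points elsewhere
        if result["ptr"] and registered_domain(result["ptr"]) != registered_domain(domain):
            result["flags"].append("ptr_mismatch")      # PTR names the hosting box, not the domain
    return result


def triage_all(pairs: List[tuple], forward: Resolver, reverse: Resolver) -> List[dict]:
    """Triage every (ip, domain) pair from an advisory summary table."""
    return [triage(ip, domain, forward, reverse) for ip, domain in pairs]
```

A forward_mismatch plus ptr_mismatch, as for 83.133.119.197 / greatnet.de, is the pattern the notes describe: the advisory address is a rented server whose PTR record names the hosting provider, while the domain currently points somewhere else. Both indicators can still be blacklisted, but they should be tracked as two separate entries rather than one.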

Filters for finding end points possibly infected with something naughty:

All the filters can be downloaded, so you can use them to populate Active Lists or customize them. Personally, I separate the known malicious IPv4 addresses/URLs/file names from the merely suspected ones so I can fine-tune rules and reports independently.

Most Prolific C&C SRI Malware Centre Target IPv4 Addresses (download CSV here)

213.155.14.161
83.133.119.197
83.133.96.6
94.63.149.150
190.96.181.218
94.63.147.131
91.226.212.159
91.226.212.164
114.112.255.81


Most Prolific C&C SRI Malware Centre Request URLs (download CSV here)

srv201.cyberhost.name
greatnet.de
ipv4ilink.net
190-96-181-218.telebucaramanga.net.co
vds159.xserver.ua
nacksystem.net
vds164.xserver.ua


Most Prolific C&C File Names SRI Malware Centre Request URL File Name and/or Request URLs (download CSV here)

Where there are additional security advisories on the file names, they are hyperlinked to the advisory in the table. The file names used in the filter below are:

555.exe
pac.txt
PreLoader_59fast.exe
loaderadv555.exe
pac33.txt

I chose file names that are not legitimate in my environment.

Most Prolific C&C SRI Malware Centre additional suspicious Target IPv4 Addresses (download CSV here)

95.75.158.158
110.12.70.106
91.202.244.57
1.250.41.32
110.14.197.56
1.247.138.126
188.247.135.95
70.184.126.54
31.184.242.44


Most Prolific C&C File Names SRI Malware Centre additional suspicious Request URLs (download CSV here)

citi-bank.ru
ghyt54.com
largokal.net
gamesnetforum.ru


I chose filter properties based on the ArcSight field mappings available for the technologies I monitor. I deliberately chose very broad test conditions, such as Contains with ignore case, which can be tightened as required. Be aware that Contains on a bare domain or file name also fires when that string appears anywhere in the URL, such as in a query string or as part of a longer hostname, so expect some noise until the filter is tuned.

Event:

( Request Url Contains srv201.cyberhost.name [ignore case]
OR Request Url Contains greatnet.de [ignore case]
OR Request Url Contains ipv4ilink.net [ignore case]
OR Request Url Contains 555.exe [ignore case]
OR Request Url Contains pac.txt [ignore case]
OR Request Url Contains PreLoader_59fast.exe [ignore case]
OR Request Url Contains nacksystem.net [ignore case]
OR Request Url Contains citi-bank.ru [ignore case]
OR Request Url Contains ghyt54.com [ignore case]
OR Request Url File Name Contains 555.exe [ignore case]
OR Request Url File Name Contains pac.txt [ignore case]
OR Request Url File Name Contains PreLoader_59fast.exe [ignore case]
OR Request Url File Name Contains loaderadv555.exe [ignore case]
OR Request Url File Name Contains pac33.txt
OR Target Address = 213.155.14.161
OR Target Address = 83.133.119.197
OR Target Address = 83.133.96.6
OR Target Address = 94.63.149.150
OR Target Address = 190.96.181.218
OR Target Address = 94.63.147.131
OR Target Address = 91.226.212.159
OR Target Address = 91.226.212.164
OR Target Address = 114.112.225.81 )
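The condition above was typed by hand. As an added example (not from the post, and not ArcSight's own tooling), the Python below generates the same condition from the indicator lists, applies its semantics (Contains with ignore case on the two URL fields, exact match on Target Address) to a few constructed proxy events, and diffs a pasted filter against the source list. The event dictionaries are constructed and keyed with ArcSight's field names as an assumption about how your connector maps them. Run against the filter above, the diff reports that its last Target Address (114.112.225.81) differs in one octet from the last entry of the IPv4 list earlier on the page (114.112.255.81); generating the filter from the CSV avoids that kind of slip.

```python
import re
from typing import Dict, Iterable, List, Set

# Indicator sets copied from the "known" lists above.
C2_ADDRESSES: List[str] = [
    "213.155.14.161", "83.133.119.197", "83.133.96.6", "94.63.149.150",
    "190.96.181.218", "94.63.147.131", "91.226.212.159", "91.226.212.164",
    "114.112.255.81",
]
C2_URL_TERMS: List[str] = [
    "srv201.cyberhost.name", "greatnet.de", "ipv4ilink.net", "555.exe",
    "pac.txt", "PreLoader_59fast.exe", "nacksystem.net", "citi-bank.ru",
    "ghyt54.com",
]
C2_FILE_NAMES: List[str] = [
    "555.exe", "pac.txt", "PreLoader_59fast.exe", "loaderadv555.exe", "pac33.txt",
]


def build_filter(addresses: Iterable[str], url_terms: Iterable[str],
                 file_names: Iterable[str]) -> str:
    """Render the condition in the same shape as the filter above, generated
    from the lists instead of typed by hand."""
    parts = [f"Request Url Contains {t} [ignore case]" for t in url_terms]
    parts += [f"Request Url File Name Contains {f} [ignore case]" for f in file_names]
    parts += [f"Target Address = {a}" for a in addresses]
    return "( " + "\nOR ".join(parts) + " )"


_ADDR_RE = re.compile(r"Target Address\s*=\s*(\d{1,3}(?:\.\d{1,3}){3})")


def filter_addresses(filter_text: str) -> Set[str]:
    """Every 'Target Address = a.b.c.d' term in a pasted filter."""
    return set(_ADDR_RE.findall(filter_text))


def address_drift(filter_text: str, addresses: Iterable[str]) -> Dict[str, Set[str]]:
    """Compare a pasted filter with its source list. Anything present on only
    one side is a transcription slip to resolve before the filter goes live."""
    in_filter, in_list = filter_addresses(filter_text), set(addresses)
    return {"only_in_filter": in_filter - in_list, "only_in_list": in_list - in_filter}


def matches(event: Dict[str, str], addresses: Iterable[str],
            url_terms: Iterable[str], file_names: Iterable[str]) -> List[str]:
    """Apply the filter semantics to one event: Contains / ignore case on the
    two URL fields, exact match on Target Address. Returns the terms that fired."""
    url = event.get("requestUrl", "").lower()
    fname = event.get("requestUrlFileName", "").lower()
    hits = [f"url:{t}" for t in url_terms if t.lower() in url]
    hits += [f"file:{f}" for f in file_names if f.lower() in fname]
    if event.get("targetAddress") in set(addresses):
        hits.append(f"addr:{event['targetAddress']}")
    return hits


# Constructed proxy events keyed by ArcSight field name (not real traffic;
# 203.0.113.0/24 is documentation space).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"targetAddress": "213.155.14.161",
     "requestUrl": "http://citi-bank.ru/pac.txt", "requestUrlFileName": "pac.txt"},
    {"targetAddress": "203.0.113.10",
     "requestUrl": "http://www.example.com/index.html", "requestUrlFileName": "index.html"},
    # Contains also fires on a query string: the kind of hit that needs tuning.
    {"targetAddress": "203.0.113.10",
     "requestUrl": "http://search.example.com/?q=greatnet.de", "requestUrlFileName": ""},
]


def scan(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[List[str]]:
    """Run every sample event through the known-C2 indicator sets."""
    return [matches(e, C2_ADDRESSES, C2_URL_TERMS, C2_FILE_NAMES) for e in events]
```

The third sample event is the false positive the broad Contains test invites: a search for the string greatnet.de fires the URL term even though the destination is unrelated. When tuning, anchoring domain terms to the host part of the URL, or moving the address set into an Active List as the comments below suggest, cuts that noise without losing the real hits.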

Please tell me whether this blacklist proves successful for you. Also, please feel free to share any blacklists you use. I will be posting mine shortly.

 

A friendly factoid / Today I Learned (TIL): SRI International was originally the Stanford Research Institute, which was affiliated with the university. It received the second IMP on October 1, 1969, becoming the second node of the ARPANET, the DARPA-funded precursor of the modern internet. The site was chosen as the second connection because Doug Engelbart, a scientist working there, had impressed one of the project managers several years earlier with his invention of the computer mouse (the "X-Y position indicator for a display system").


5 responses

  1. Good stuff! Thanks for the post. I just started looking at the SRI data a week or so ago. This is great food for thought.

  2. Great idea you had, thanks. I’ve now configured our ArcSight to do the same thing. One thing to add: You can use ArcOSI to automatically screen-scrape http://mtc.sri.com/live_data/cc_servers/ for the latest malicious hosts. Then setup a rule to look for that and send the data to an Active List of BotNet CNC Servers. From there you only have to compare your traffic with an active list as compared to an ever-growing condition set. My $.02

    1. I like your $.02! Once I’m back home I will post some blacklists/other sources of information we use.

  3. Chris – One approach that is a little easier to manage is to use an Active List to store all of your IP addresses that you want to correlate your Target IP with. This can be done with a variable. You may also want to check out Arcosi (http://code.google.com/p/arcosi/).
    Best of luck!

    1. I didn’t want to get into Active Lists too much with this post. Having said that, I agree it is easier to use Active Lists with larger sets of IP addresses, which can be quickly imported via CSV. Hopefully in a few weeks when I am back home I will post how to import information like this into an automatically updated Active List. It is the same method carnivorouz mentioned in the comment above.

      I will check Arcosi today. I am always searching for better, easier methods. Thanks for the information.
