Category Archives: ArcSight

NBC.com Attackers & ArcSight ESM

Detecting compromised hosts affected by Droppers on compromised NBC.com with a correlation engine

I was alerted to the NBC.com compromise by a really proactive colleague via a whitelist. Further digging led me to an excellent dissection write-up by Dancho Danchev. This might be a watering hole or just a nice money-making opportunity. Recently journalism websites have been targeted for watering holes; however, money is usually the bigger reason.

How can ArcSight ESM or similar correlation engines be used to detect whether any of your organization's assets have been affected?

Proxy, DNS and some IPS/IDS and firewall monitoring can report domain names and IPv4 addresses. In most cases both domain name lists and IP address lists are helpful for basic proactive detection.

IPv4 and domain watch list, compiled from my colleague, the Dancho Danchev blog and two additional domains I found, for use in a Filter. Detection Ratio is how many URL scanners in VirusTotal detected any malicious code:

IPv4 | Domain Name | Detection Ratio | Reference1 | Reference2
97.79.236.200 | myauditionsite.com | 0/33 | Virus Total Report |
74.53.9.162 | toplineops.com | 2/32 | Virus Total Report | URLQuery.net
66.96.145.104 | beautiesofcanada.com | 2/34 | Virus Total Report |
66.77.124.26 | jaylenosgarage.com | 1/34 | Virus Total Report |
62.75.204.12 | netbridgesolutions.net | 1/34 | Virus Total Report | URLQuery.net
50.63.202.10 | gotina.net | 0/34 | Virus Total Report | URLQuery.net
173.254.28.49 | shutterstars.com | 0/33 | Virus Total Report | URLQuery.net
173.201.92.1 | dedirt.com | 0/33 | Virus Total Report |
173.201.92.1 | madamerufus.com | 0/33 | Virus Total Report | URLQuery.net
173.201.92.1 | electricianfortwayne.info | 2/33 | Virus Total Report |
173.201.92.1 | injurylawyercolumbus.info | 4/33 | Virus Total Report | URLQuery.net
173.201.92.1 | injurylawyercleveland.info | 3/34 | Virus Total Report |
| dogsrit.com | 1/33 | Virus Total Report |
68.178.232.100 | spiritualspice.us | 0/34 | Virus Total Report |
68.178.232.100 | herbalstatelegal.com | 1/33 | Virus Total Report |
173.201.92.1 | injurylawyerspringfieldmo.info | 3/33 | Virus Total Report |
173.201.92.1 | injurylawyerindianapolis.info | 4/33 | Virus Total Report |

A list for Filters and/or Active Lists to help verify an infection or issue: redirection or secondary related information seen after the infected, compromised website is visited and your organization's asset is possibly redirected to further mayhem.

IPv4 | Domain Name | Reference1 | Reference2
| instantmoneymethod.net/1105/optin.html | URLQuery.net | Website Screen Shot
173.201.92.1 | bvkdigital.us | URLQuery.net |
| methuenedge.com | URLQuery.net | Last Scanned 31/12/12
72.167.37.11 | divergentinfosoft.com/images/logos.gif?1b761=1012329 | URLQuery.net |
173.201.92.1 | bedbugsbyte.com | Contact |

The attack is carried out over the HTTP protocol.

How to detect via ArcSight ESM

  • Set up your Filter “NBC-Com Suspect Attackers”, which includes both the IP and the Domain Name information
    • Otherwise, set up your Filter “NBC-Com Suspect Attackers_IP” if you only have IP logged data
    • Otherwise, set up your Filter “NBC-Com Suspect Attackers_DN” if you only have Domain Name logged data
  • Open a new Channel with log data from a Firewall, Web Proxy Server, DNS Server or any Connector which contains IPv4 addresses or Domain Names
  • Set the dates of the Channel back to at least 21/02/2013
  • Add Protocol = HTTP and/or Port = 80 as a condition of the Channel
  • Add the Filter(s) as a condition of the Channel:
    • Protocol = HTTP and/or Port = 80
    • Filter = “NBC-Com Suspect Attackers”
  • Give the Channel time to load, adjusting the sliding timeline as required for performance and monitoring
  • Investigate hosts communicating with the suspect external actors
    • Assign higher priority to those end points which are most critical, communicate the most externally, behave in a strange manner or breach the perimeter.
    • I commonly add these suspect hosts to an Active List to observe as Potentially Compromised Hosts if they are not re-imaged or otherwise cleaned.
    • Use the data to build out a report showing how many compromised assets your department caught that anti-virus or anti-malware could not.
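The channel logic above, as an added Python example (not the post's own ArcSight resources): it builds the three filter variants named in the steps (IP and domain, IP-only, domain-only), applies the HTTP/port 80 channel condition, and collects hits into an Active List style dictionary of suspect internal hosts. The watch-list subset comes from the table above; the events are constructed samples.

```python
"""Watch-list matching for the channel described in the post (added example).
Three filter variants mirror the post: IP + domain, IP-only, domain-only.
Hits are gathered per internal host, like the post's Active List."""
from collections import defaultdict

# Subset of the watch-list table in the post; dogsrit.com has no IPv4 listed there.
WATCH = [("97.79.236.200", "myauditionsite.com"), ("74.53.9.162", "toplineops.com"),
         ("173.201.92.1", "dedirt.com"), ("173.201.92.1", "madamerufus.com"),
         (None, "dogsrit.com"), ("68.178.232.100", "spiritualspice.us")]
WATCH_IPS = {ip for ip, _ in WATCH if ip}
WATCH_DOMAINS = {d.lower() for _, d in WATCH}

def domain_hit(name):
    """Domain-name filter: the watched domain itself or any host under it."""
    if not name:
        return False
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)

def suspect(event, variant="both"):
    """Channel conditions from the post: (Protocol = HTTP OR Port = 80) AND the filter.
    A DNS-server channel would need the port condition relaxed, since it carries port 53."""
    if not (event.get("proto") == "HTTP" or event.get("port") == 80):
        return False
    ip_match = event.get("dst_ip") in WATCH_IPS
    dn_match = domain_hit(event.get("host"))
    return {"ip": ip_match, "dn": dn_match}.get(variant, ip_match or dn_match)

def build_active_list(events, variant="both"):
    """Internal hosts that hit the filter, with hit count and indicators seen, the way
    the post adds suspect hosts to a 'Potentially Compromised Hosts' Active List."""
    hosts = defaultdict(lambda: {"hits": 0, "indicators": set()})
    for e in events:
        if suspect(e, variant):
            hosts[e["src_ip"]]["hits"] += 1
            hosts[e["src_ip"]]["indicators"].add(e.get("host") or e.get("dst_ip"))
    return dict(hosts)

# Constructed sample events: proxy-style rows carry a host name, firewall-style rows only IPs.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.5", "dst_ip": "173.201.92.1", "host": "www.dedirt.com", "proto": "HTTP", "port": 80},
    {"src_ip": "10.1.1.5", "dst_ip": "97.79.236.200", "host": None, "proto": "TCP", "port": 80},
    {"src_ip": "10.1.1.9", "dst_ip": "198.51.100.7", "host": "dogsrit.com", "proto": "HTTP", "port": 8080},
    {"src_ip": "10.1.1.9", "dst_ip": "198.51.100.7", "host": "example.org", "proto": "HTTP", "port": 80},
    {"src_ip": "10.1.1.12", "dst_ip": "74.53.9.162", "host": None, "proto": "SSH", "port": 22},
]

if __name__ == "__main__":
    for host, entry in sorted(build_active_list(SAMPLE_EVENTS).items()):
        print(host, entry["hits"], sorted(entry["indicators"]))
```

The firewall-style row for 10.1.1.12 is dropped by the port/protocol condition even though its destination is on the list, which is the trade-off of the HTTP-only channel condition.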

 

 


 

Blacklists and other Internet resources – please share your favourites

Last month I promised some commenters and readers I would publish some of my blacklists when I got home. In my defence I'm still not home, but I organised some of my blacklists and other resources anyway. The list published below is a small collection from people I have met (CL merci) who have shared their lists with me. Chris' list is not a comprehensive list but a good starting point for organising, with examples. The document can be easily changed around for you or your organisation.

The list can be a basis for scraping data into ArcSight via a Flex Connector to update suspect lists or blacklists (active lists, metrics for reports, trends). They can also be used with built-in tools for ArcSight or similar with a small amount of scripting. ArcSight has a built-in WhoIs search tool; using similar parameters you can build a Google Safe Search Diagnostics tool based on IP or Domain, or perhaps search VirusTotal. The information can also be added to intelligent web proxy servers. This is ideal since about 80% of traffic now goes over web HTTP/HTTPS. Web proxy servers are a major egress point in the perimeter.

This type of list can be helpful in operations when analysts need to find, use and reference resources quickly. The list can be used to build a department favourites list/internet based tools list. Also, many times information security websites will be marked and filtered by web proxy servers or anti-virus software. For example, I spoke at the 28C3 CCC last year and my anti-virus was Comodo on my laptop. The anti-virus software blocked the 28C3 CCC and affiliated Chaos Computer Club websites even after I disabled the DNS feature, physically pointed my DNS elsewhere and examined my hosts file. I had to reinstall a fresh OS to access the Chaos Computer Club websites. This type of list can be used to add exclusions to anti-virus or filters as legitimate resources for the security team or other similar departments.

Screenshot of example form below.

Chris’ Internet resource list

SHA256: a411c88cd1c5b02fa0a7a95a9c26e5335b15e73db94f8f16edeaf1c251de2e4f

Blank Internet resource list

MD5: 46553f361006335927aa12849b83464c

SHA-1: 51a26581dccc50eede954b82736799fb7ad6b3a5

SHA256: 24dc6625118799bfa7041ef72d3542f883b73d620afbd6a7ab673643be34a7dc

If you need this form in a different format please ask and I will try to accommodate for Open Office.

Please add to the form and comment. My list is Europe- and North America-centric; we would love other regional lists. Any other associated information is welcome.

Building Emerging Threats Filters in ArcSight using information from the SRI Malware Centre.

Most Prolific BotNet Command and Control Servers and Filters Wed Feb 22 08:41:10 2012

Link to the list which is updated daily

Lately, this blacklist has given me a great deal of success in finding infected end points beyond the reach of updated anti-virus. The advisories from the SRI are information rich and list key elements for writing rules and/or gathering other metrics. The main elements I gather from the advisories are:

  1. Target IPv4 Address
  2. Chatter Examples (if known) which can list some of the following elements, especially if mapped from Blue Coat Proxy SG File Connector:
    1. Request Client Application which is the cs(User-Agent) or User Agent String
    2. Request URL Port which is any client requested ports
    3. Request URL File Name
    4. Target Service Name used for additional communications. This is especially useful when involving protocols which use ephemeral ports such as the tftp protocol. Many protocols can be used over multiple ports.
  3. Transport Protocol
  4. Target Port
  5. Destination Geo Country (if known)
  6. Request URL which can be the Target Domain
  7. Which anti-virus vendors are estimated to have protection.
  8. Priority which helps assess the risk level.
  9. How many clients have been observed to assess the possible risk chance it might be on your network.


In the example screenshot above from the SRI Malware Threat Centre advisory website there are several suspect IPv4 Target Addresses. I made a summary table of some basic information from all the listed advisories and chatter. If the file names have additional advisories they are blue in the image and hyperlinked in the filter section.


Notes:

  1. 83.133.119.197 / greatnet.de
    1. I ran tracert on the domain greatnet.de; it resolved to 83.133.96.6.
    2. I ran tracert on the IPv4 address 83.133.119.197; it resolved to a host called srv201.cyberhost.name.
  2. 94.63.149.150 / ipv4ilink.net
    1. No result when I ran tracert on the IP address, but the host is up, confirmed with filtered ports on 65520.
    2. NMap port test for live host verification: nmap -sS -p 65520 -Pn 94.63.149.150 Host is up 65520/tcp filtered unknown service.
  3. 91.226.212.159 / nacksystem.net
    1. I ran tracert on the IPv4 address 91.226.212.159; it resolved to vds159.xserver.ua.
    2. I ran tracert on the domain nacksystem.net; my DNS was unable to resolve it. But Robtex showed it had 1 IPv4 address, 217.70.184.38, which actually resolves to Gandi.net, a legitimate provider. This suggests some spoofing or obfuscation might be used.
  4. 91.226.212.164 / nacksystem.net
    1. I ran tracert on the IPv4 address 91.226.212.164; it resolved to vds164.xserver.ua.
  5. citi-bank.ru resolves to 213.155.14.161
  6. My DNS could not resolve ghyt54.com or vbnjhg.com. This could suggest only infected assets can resolve the IP to a name.
  7. largokal.net resolves to 184.82.183.29
  8. gamesnetforum.ru resolves to 195.208.185.84
  9. 192.168.1.153 is a private class C IPv4 address. This range is used by internal end points and/or servers so it will not be used in the filter.

Filters for finding end points possibly infected with something naughty:

All the filters can be downloaded so you could use them for Active Lists or could customize them. Personally, I separate the known malicious IPv4/URLs/File Names from the suspected traffic so I can fine tune rules and reports.

Most Prolific C&C SRI Malware Centre Target IPv4 Addresses (download CSV here)

213.155.14.161, 83.133.119.197, 83.133.96.6, 94.63.149.150, 190.96.181.218, 94.63.147.131, 91.226.212.159, 91.226.212.164, 114.112.255.81

 

Most Prolific C&C SRI Malware Centre Request URLs (download CSV here)

srv201.cyberhost.name, greatnet.de, ipv4ilink.net, 190-96-181-218.telebucaramanga.net.co, vds159.xserver.ua, nacksystem.net, vds164.xserver.ua

 

Most Prolific C&C File Names SRI Malware Centre Request URL File Name and/or Request URLs (download CSV here)

Where there are additional security advisories on the file names, they are hyperlinked to the advisory in the table.

I chose file names that were not legitimate in my environment.

Most Prolific C&C SRI Malware Centre additional suspicious Target IPv4 Addresses (download CSV here)

95.75.158.158, 110.12.70.106, 91.202.244.57, 1.250.41.32, 110.14.197.56, 1.247.138.126, 188.247.135.95, 70.184.126.54, 31.184.242.44

 

Most Prolific C&C File Names SRI Malware Centre additional suspicious Request URLs (download CSV here)

citi-bank.ru, ghyt54.com, largokal.net, gamesnetforum.ru

 

I chose filter properties based on the technology field mappings in ArcSight I have available for the technologies I monitor. I chose very broad test filter properties which can be tuned down as required such as Contains and ignore case.

Event:

( Request Url Contains srv201.cyberhost.name [ignore case] OR
  Request Url Contains greatnet.de [ignore case] OR
  Request Url Contains ipv4ilink.net [ignore case] OR
  Request Url Contains 555.exe [ignore case] OR
  Request Url Contains pac.txt [ignore case] OR
  Request Url Contains PreLoader_59fast.exe [ignore case] OR
  Request Url Contains nacksystem.net [ignore case] OR
  Request Url Contains citi-bank.ru [ignore case] OR
  Request Url Contains ghyt54.com [ignore case] OR
  Request Url File Name Contains 555.exe [ignore case] OR
  Request Url File Name Contains pac.txt [ignore case] OR
  Request Url File Name Contains PreLoader_59fast.exe [ignore case] OR
  Request Url File Name Contains loaderadv555.exe [ignore case] OR
  Request Url File Name Contains pac33.txt OR
  Target Address = 213.155.14.161 OR
  Target Address = 83.133.119.197 OR
  Target Address = 83.133.96.6 OR
  Target Address = 94.63.149.150 OR
  Target Address = 190.96.181.218 OR
  Target Address = 94.63.147.131 OR
  Target Address = 91.226.212.159 OR
  Target Address = 91.226.212.164 OR
  Target Address = 114.112.225.81 )
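Hand-typed filters drift from the lists they were built from: as typed above, the filter's last Target Address reads 114.112.225.81 while the CSV list reads 114.112.255.81, and several Request URLs from the lists never made it into the filter. This added Python example (not the post's own tooling; the value lists are copied from the post, with both Request URL lists merged) cross-checks the filter against the lists and regenerates the filter text in ArcSight's display notation from the lists, so the values live in one place.

```python
"""Cross-check the hand-typed ArcSight filter against the CSV lists it was
built from, then regenerate the filter text from the lists (added example)."""

# "Most Prolific C&C ... Target IPv4 Addresses" list from the post.
CSV_TARGET_IPS = ["213.155.14.161", "83.133.119.197", "83.133.96.6", "94.63.149.150",
                  "190.96.181.218", "94.63.147.131", "91.226.212.159", "91.226.212.164",
                  "114.112.255.81"]
# Both Request URL lists from the post (known C&C plus "additional suspicious").
CSV_REQUEST_URLS = ["srv201.cyberhost.name", "greatnet.de", "ipv4ilink.net",
                    "190-96-181-218.telebucaramanga.net.co", "vds159.xserver.ua",
                    "nacksystem.net", "vds164.xserver.ua",
                    "citi-bank.ru", "ghyt54.com", "largokal.net", "gamesnetforum.ru"]
# The same two kinds of value as they appear in the hand-typed filter above.
FILTER_TARGET_IPS = ["213.155.14.161", "83.133.119.197", "83.133.96.6", "94.63.149.150",
                     "190.96.181.218", "94.63.147.131", "91.226.212.159", "91.226.212.164",
                     "114.112.225.81"]
FILTER_REQUEST_URLS = ["srv201.cyberhost.name", "greatnet.de", "ipv4ilink.net",
                       "nacksystem.net", "citi-bank.ru", "ghyt54.com"]

def mismatches(csv_values, filter_values):
    """Return (values in the list but missing from the filter,
               values in the filter but absent from the list), both sorted."""
    csv_set, flt_set = set(csv_values), set(filter_values)
    return sorted(csv_set - flt_set), sorted(flt_set - csv_set)

def build_filter(request_urls, file_names, target_ips):
    """Render the filter in the notation ArcSight displays, straight from the lists,
    so a transcription slip can only exist in one place (the CSV)."""
    parts = [f"Request Url Contains {u} [ignore case]" for u in request_urls]
    parts += [f"Request Url File Name Contains {f} [ignore case]" for f in file_names]
    parts += [f"Target Address = {ip}" for ip in target_ips]
    return "( " + " OR\n  ".join(parts) + " )"

if __name__ == "__main__":
    print("Target IPs (missing from filter, not in list):",
          mismatches(CSV_TARGET_IPS, FILTER_TARGET_IPS))
    print("Request URLs (missing from filter, not in list):",
          mismatches(CSV_REQUEST_URLS, FILTER_REQUEST_URLS))
    print(build_filter(CSV_REQUEST_URLS, ["555.exe", "pac.txt"], CSV_TARGET_IPS))
```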

Please tell me if this blacklist proves successful or not. Also, please feel free to share any blacklists you use. I will be posting mine up shortly.

 

A friendly factoid / Today I Learned (TIL): SRI International was originally part of the Stanford Research Institute, which was affiliated with the University. They received the second IMP device on October 1, 1969, as part of the DARPA network which was the precursor of the modern internet. The site was chosen as the second connection because a scientist named Doug Engelbart who worked there had impressed one of the project managers several years earlier with his invention of the computer mouse (X-Y position indicator for a display system).


Using ArcSight to find affected DNS Changer Virus Assets – Deadline 8 March 2012

Technology Requirements: ArcSight ESM, plus logs from any technology which records the Target IPv4 Address and Target Port and whose events can be categorized with an Outcome.

The goal is to detect assets which could be infected with the DNS Changer virus. The DNS servers have been under FBI control temporarily via a court order. This was to allow infected computers time to get the worm off their systems. But on 8 March, 2012 the court order expires, which could potentially leave millions of infected computers unable to make valid or trusted DNS requests. If you use ArcSight or a similar SIEM here are some ways you can find any possible infected assets before the DNS addresses revert back.

To detect this threat I created four ArcSight resources:

  1. Filters
  2. Case
  3. Active List
  4. Rule

There are six IP ranges listed for suspect DNS traffic. The FBI has had control of the DNS servers since the takedown operation and is about to shut the project down. Any computers making DNS requests to these IP ranges should be considered suspect and possibly infected:

Regular Format | ArcSight Format
77.67.83.0-77.67.83.255 | 77.67.83.0,77.67.83.255
213.109.64.0-213.109.79.255 | 213.109.64.0,213.109.79.255
85.255.112.0-85.255.127.255 | 85.255.112.0,85.255.127.255
67.210.0.0-67.210.15.255 | 67.210.0.0,67.210.15.255
64.28.176.0-64.28.191.255 | 64.28.176.0,64.28.191.255
93.188.160.0-93.188.167.255 | 93.188.160.0,93.188.167.255

ArcSight broad filter

The goal is to create a filter that lists the suspect Target IPv4 Addresses together with the Target Port, which is DNS:

event1: ( ( Target Address Between (77.67.83.0,77.67.83.255) OR
            Target Address Between (85.255.112.0,85.255.127.255) OR
            Target Address Between (67.210.0.0,67.210.15.255) OR
            Target Address Between (93.188.160.1,93.188.167.255) OR
            Target Address Between (213.109.64.0,213.109.79.255) OR
            Target Address Between (64.28.176.0,64.28.191.255) )
          AND Target Port = 53 )


ArcSight communications successful filter

The goal is to create a filter for the suspect Target IPv4 Address and the Target Port which is DNS where the outbound communications were successful

event1: ( ( Target Address Between (77.67.83.1,77.67.83.255) OR
            Target Address Between (85.255.112.0,85.255.127.255) OR
            Target Address Between (67.210.0.0,67.210.15.255) OR
            Target Address Between (93.188.160.0,93.188.167.255) OR
            Target Address Between (213.109.64.0,213.109.79.255) OR
            Target Address Between (64.28.176.0,64.28.191.255) )
          AND Target Port = 53
          AND Category Outcome = /Success )

 

ArcSight Active List

The goal of the Active List is to record any assets which are suspected of being infected with the DNS Changer virus, keyed by the Attacker IPv4 Address. The Active List attributes are as follows:

  • Name = DNS Changer Assets
  • Optimize Data
  • TTL = 90 Days
  • Data = Fields-based
    • Name = SuspectAssets
    • Type = Address
    • Sub-type = IP Address


ArcSight Case

The goal of the Case is to record any activity associated with assets which are suspected of being infected with the DNS Changer virus


ArcSight Rule – Any outbound communications

The goal of the Rule is to record any activity associated with assets which are suspected of being infected with the DNS Changer virus, using the broad filter above.



Basic aggregation conditions:


Rule Actions:

1. On the first matching event the message in the message field will be “DNS Changer Virus FBI Warning”

2. The name in the name field will list the attacker address

3. The priority is set to 0 because the rule is in testing phase

4. The activity will be added to an existing case called DNS Changer Virus FBI. This will aid in testing and tuning the rule.

5. On every event the attacker IPv4 address is added to an Active List called DNS Changer Assets. This will help show whether it is a one-off series of events or whether DNS requests are frequent, which can pinpoint an infected computer.



ArcSight Rule – Successful outbound communications

The goal of this Rule is to record any activity associated with assets which are suspected of being infected with the DNS Changer virus where the outbound communications were successful. Use the same settings as above, but use the filter called DNS Changer Virus Successful and alert on a higher priority if outbound communications are successful.
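The two filters and the Active List action above, as an added Python example (not the post's ArcSight resources): it converts the published ranges to the Between() form, evaluates the broad filter (range AND port 53) and the successful filter (plus Category Outcome = /Success), and keeps a per-attacker tally the way rule action 5 does. The ranges are the table's (the filters as typed start two ranges at .1; this example uses the table's .0 starts) and the events are constructed samples.

```python
"""DNS Changer detection logic from the post (added example): range conversion,
the broad and 'successful' filters, and an Active List style tally per attacker."""
import ipaddress
from collections import Counter

# Ranges as published in the post ("Regular Format").
DNS_CHANGER_RANGES = ["77.67.83.0-77.67.83.255", "213.109.64.0-213.109.79.255",
                      "85.255.112.0-85.255.127.255", "67.210.0.0-67.210.15.255",
                      "64.28.176.0-64.28.191.255", "93.188.160.0-93.188.167.255"]

def parse_range(rng):
    """'a-b' -> (IPv4Address(a), IPv4Address(b)), rejecting reversed ranges."""
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in rng.split("-"))
    if lo > hi:
        raise ValueError(f"range start after end: {rng}")
    return lo, hi

def to_arcsight_between(rng):
    """Regular format 'a-b' -> 'a,b' as written inside ArcSight's Between()."""
    lo, hi = parse_range(rng)
    return f"{lo},{hi}"

PARSED = [parse_range(r) for r in DNS_CHANGER_RANGES]

def in_suspect_range(addr):
    """Between() is inclusive at both ends."""
    a = ipaddress.IPv4Address(addr)
    return any(lo <= a <= hi for lo, hi in PARSED)

def broad_match(ev):
    """Broad filter from the post: suspect Target Address AND Target Port = 53."""
    return ev["target_port"] == 53 and in_suspect_range(ev["target"])

def successful_match(ev):
    """'DNS Changer Virus Successful' filter: broad filter AND Category Outcome = /Success."""
    return broad_match(ev) and ev.get("outcome") == "/Success"

def active_list(events):
    """Rule action 5: count every matching event per attacker address, so a one-off
    lookup can be told apart from a host that keeps resolving through the rogue servers."""
    return Counter(ev["attacker"] for ev in events if broad_match(ev))

SAMPLE_EVENTS = [  # constructed sample events
    {"attacker": "10.0.0.7", "target": "85.255.120.4", "target_port": 53, "outcome": "/Success"},
    {"attacker": "10.0.0.7", "target": "85.255.120.4", "target_port": 53, "outcome": "/Success"},
    {"attacker": "10.0.0.7", "target": "67.210.3.9", "target_port": 53, "outcome": "/Failure"},
    {"attacker": "10.0.0.20", "target": "93.188.167.255", "target_port": 53, "outcome": "/Success"},
    {"attacker": "10.0.0.33", "target": "93.188.168.1", "target_port": 53, "outcome": "/Success"},
    {"attacker": "10.0.0.33", "target": "77.67.83.10", "target_port": 80, "outcome": "/Success"},
]

if __name__ == "__main__":
    for r in DNS_CHANGER_RANGES:
        print(to_arcsight_between(r))
    print(active_list(SAMPLE_EVENTS))
```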

Visual graph outcome:


 
 

To read more about this topic from other sources:

[PDF] http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

http://gizmodo.com/5885716/the-fbi-might-cut-off-the-internet-for-millions-of-people-on-march-8th

http://upload.democraticunderground.com/10951119