In order to evaluate SGNET's potential and its ability to retrieve information about attack threats, let's look at a real-world "incident" observed on one of our platforms. We give our partners access to a query interface that automatically generates SQL queries. The query interface looks like this.
In the period between the 19th and the 31st of March 2008, environment 15 was the target of an anomalous activity. This plot shows the evolution of the number of sources hitting the different environments monitored by SGNET in that period. Click on the plot for the interactive version.
We can take advantage of the additional code-injection information provided by SGNET to filter the "background noise" out of our data: this includes scanning activities, but also exploits towards closed ports or exploits failing under the particular host configuration of our sample factories.
You can see from the graph below that something indeed happened, with a large number of code injections targeting that single environment in the period defined above. The activity peak seems to correspond to the 25th of March 2008.
The ScriptGen approach models the protocol interaction as finite state machines (FSMs). We can use the web interface to find out which FSM path led to the code injections observed in that period for environment 15. This allows us to understand whether the activity is composed of many different exploitation vectors or whether the curve seen above corresponds to a repetition of exactly the same exploit.
We can see that the path with ID 1050, associated with a traversal of the FSM for port 135 TCP, is responsible for the anomalous increase of code injections. It is also interesting to see that the path is specific to this event: so far, it has never been observed on any other platform nor in any other period. We are thus facing a very specific activity, somehow different from the normal exploits observed daily on that same port, that was observed only on one specific platform and for a period of only one week.
We can try to learn more about the attackers involved in this set of exploits by looking at where they come from. It is possible to see here that most of the attackers seem to be located in a single country, Germany.
We can take advantage of the Horasis library, explained in more detail in the last part of this demo, to learn more about the source IP blocks taking part in this activity.
> d=db.connect()
> res=d.query("select distinct injection_id from injection_attack,scriptgen_session "
...           "where injection_attack.session_id=scriptgen_session.session_id and path_id=1050")
> injections=[Injection(line[0],d) for line in res]
> addrs=[inj.session.saddr for inj in injections]
> horasis.netmisc.get_netblocks(addrs,8)
{
AA.0.0.0 : 359
BB.0.0.0 : 3
CC.0.0.0 : 3
DD.0.0.0 : 2
EE.0.0.0 : 1
FF.0.0.0 : 1
GG.0.0.0 : 1
HH.0.0.0 : 1
II.0.0.0 : 1
}
It is quite interesting to see that the majority of the exploits come from a single class A network. The honeypot platform observing the activity belongs to that same class A. We are thus probably observing a botnet, or some other kind of self-propagating malware, that has been instructed to propagate within a specific class A block.
This plot shows the trends of the exploitation paths observed by the SGNET deployment for the month of March. It is clear that in most cases we are observing very stable activities.
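As an added example (my own code, not part of the Horasis library), the following Python reproduces the /8 aggregation printed above for any prefix length and adds the check that the conclusion about locality relies on: how much of the source population falls inside the honeypot's own block at /8, /16 and /24. The source addresses, the 10.0.0.0/8 block standing in for the anonymized AA.0.0.0 block, and the honeypot address are all constructed.

```python
# Added example (not part of Horasis): aggregate attacking sources by network
# block and measure how many of them share the honeypot's own prefix.
import ipaddress
from collections import Counter

# Constructed sample: 20 attacker addresses. 10.0.0.0/8 plays the role of the
# anonymized "AA" block that also contains the honeypot; the remaining
# documentation-range addresses stand in for the blocks seen only a few times.
SAMPLE_SOURCES = (
    ["10.%d.%d.%d" % (x, y, z) for x, y, z in
     [(3, 1, 7), (3, 1, 9), (3, 2, 40), (44, 8, 1), (44, 9, 200), (44, 9, 201),
      (120, 0, 5), (120, 7, 7), (200, 1, 1), (201, 9, 9), (255, 3, 3),
      (55, 112, 60), (55, 113, 2), (56, 0, 1)]]
    + ["192.0.2.10", "192.0.2.77", "198.51.100.5",
       "203.0.113.9", "203.0.113.200", "203.0.113.201"]
)
HONEYPOT = "10.55.112.61"   # constructed: the sensor's own address inside 10/8


def get_netblocks(addrs, prefix_len):
    """Count sources per /prefix_len block, most populated block first.

    Same idea as the horasis.netmisc.get_netblocks(addrs, 8) call above, for
    any prefix length; keys are the block's network address as a string."""
    counts = Counter()
    for a in addrs:
        net = ipaddress.ip_network("%s/%d" % (a, prefix_len), strict=False)
        counts[str(net.network_address)] += 1
    return dict(counts.most_common())


def locality(addrs, honeypot, prefix_lens=(8, 16, 24)):
    """Fraction of sources inside the honeypot's own block at each prefix length.

    Malware told to scan its own /8 gives a high share at /8 that collapses at
    /16; malware scanning its own /16 keeps a high share down to /16. Seeing
    where the share drops tells you how the propagation was scoped."""
    hp = ipaddress.ip_address(honeypot)
    out = {}
    for plen in prefix_lens:
        block = ipaddress.ip_network("%s/%d" % (hp, plen), strict=False)
        inside = sum(1 for a in addrs if ipaddress.ip_address(a) in block)
        out[plen] = round(inside / len(addrs), 3)
    return out


if __name__ == "__main__":
    for block, n in get_netblocks(SAMPLE_SOURCES, 8).items():
        print("%-16s %d" % (block, n))
    print(locality(SAMPLE_SOURCES, HONEYPOT))
```

On the constructed sample, 70% of the sources share the honeypot's /8 but only 10% share its /16, the signature of propagation scoped to the class A block rather than to the local network.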
It is interesting to observe here the relationship between the malware samples (as recognized by the AV vendor Symantec) and the exploit paths seen within SGNET.
Here, we can see the relationship between the malware samples and their country of origin.
While the previous examples showed a high-level overview of the collected data, we give our partners full access to the database content, which goes beyond the aggregated data shown above. To let them access the data without being SQL experts, we provide a Python API called Horasis.
$ python shell.py
[Horasis ASCII-art banner]
version 1.0 beta
----------------------------------------------------------
Horasis library - interactive shell
>
Let's see how Horasis can be used to retrieve information about a given IP, anonymized here to comply with the restrictions of the Non-Disclosure Agreement. The Horasis library provides some high-level primitives to retrieve information about the observed activity.
> act=whois_ip("1.2.3.4")
> activity_os(act)
{
unknown : 38.8129638699
cpe://microsoft:windows:xp:sp1 : 27.0964644744
cpe://microsoft:windows:2000:sp4 : 22.1884112273
cpe://microsoft:windows:2000:sp3 : 22.0250912292
cpe://microsoft:windows:xp:pro:sp1 : 18.8040741189
cpe://microsoft:windows:2000:sp2 : 6.41158237982
cpe://microsoft:windows:98 : 1.79827615908
cpe://microsoft:windows:2000 : 0.601249731886
cpe://microsoft:windows:xp : 0.582191780822
}
> activity_dstnetblocks(act)
{
[anonymized]
}
> activity_srcnetblocks(act)
{
[anonymized]
}
We can go "deeper" in analyzing the characteristics of this activity by retrieving one of the code injections belonging to this class of activities.
> tiny_sessions=get_tss(act)
> len(tiny_sessions)
402
> example=tiny_sessions[0]
> example.getinjections()
[<horasis.dbstructure.Injection instance at 0xd7fbd8>]
> injection=_[0]
The code injection object allows us to retrieve information about the exploit.
> injection.session.saddr
'[anonymized]'
> injection.session.daddr
'[anonymized]'
> injection.session.sport
3911
> injection.session.dport
139
> injection.session.start
datetime.datetime(2007, 7, 29, 4, 1, 32)
> injection.session.end
datetime.datetime(2007, 7, 29, 4, 1, 52)
We store in the database the full packet content of the network conversations of our honeypots. We take advantage of Impacket to parse the packets and store their binary content in files easily convertible to pcap format.
> pkts=injection.session.getpackets()
> for p in pkts:
...     print str(p)
...
CID: 3805017 TS: 1185674492.000000 IP 82.243.64.208 -> 193.55.112.61 TCP syn 3911 -> 139
CID: 3805018 TS: 1185674492.000000 IP 193.55.112.61 -> 82.243.64.208 TCP ack syn 139 -> 3911
CID: 3805019 TS: 1185674492.000000 IP 82.243.64.208 -> 193.55.112.61 TCP ack 3911 -> 139
CID: 3805020 TS: 1185674492.000000 IP 82.243.64.208 -> 193.55.112.61 TCP ack push 3911 -> 139
8100 0048 2043 4b46 4445 4e45 4346 4445 ...H CKFDENECFDE
4646 4346 4745 4646 4343 4143 4143 4143 FFCFGEFFCCACACAC
4143 4143 4100 2045 4d45 5045 4445 4245 ACACA. EMEPEDEBE
4d45 4945 5046 4446 4543 4143 4143 4143 MEIEPFDFECACACAC
4143 4143 4141 4100 0000 0000 ACACAAA.....
CID: 3805021 TS: 1185674492.000000 IP 193.55.112.61 -> 82.243.64.208 TCP ack 139 -> 3911
CID: 3805022 TS: 1185674492.000000 IP 193.55.112.61 -> 82.243.64.208 TCP ack push 139 -> 3911
8200 0000 ....
CID: 3805023 TS: 1185674492.000000 IP 82.243.64.208 -> 193.55.112.61 TCP ack push 3911 -> 139
0000 007a ff53 4d42 7200 0000 0018 53c8 ...z.SMBr.....S.
0000 0000 0000 0000 0000 0000 0000 0039 ...............9
0000 0000 0057 0002 5043 204e 4554 574f .....W..PC NETWO
524b 2050 524f 4752 414d 2031 2e30 0002 RK PROGRAM 1.0..
4c41 4e4d 414e 312e 3000 0257 696e 646f LANMAN1.0..Windo
7773 2066 6f72 2057 6f72 6b67 726f 7570 ws for Workgroup
7320 332e 3161 0002 4c4d 312e 3258 3030 s 3.1a..LM1.2X00
3200 024e 5420 4c4d 2030 2e31 3200 2..NT LM 0.12.
CID: 3805024 TS: 1185674492.000000 IP 193.55.112.61 -> 82.243.64.208 TCP ack push 139 -> 3911
0000 0055 ff53 4d42 7200 0000 0098 53c8 ...U.SMBr.....S.
0000 0000 0000 0000 0000 0000 0000 0039 ...............9
0000 0000 1104 0003 0a00 0100 0411 0000 ................
0000 0100 0000 0000 fde3 0080 a0b0 1445 ...............E
d7c7 c601 a401 0010 0033 9557 b7d2 a48e .........3.W....
4093 9708 5d13 785b 2a @...].x[*
... [truncated]
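The dump printed by getpackets() is a flat text format, so before a conversation can be examined offline it has to be parsed back into packets with reassembled payloads. The following is an added example (my own code, not part of Horasis or Impacket) that does this and then decodes the two application-layer messages visible in the conversation above: the NetBIOS session request, whose first-level-encoded called and calling names are turned back into readable strings, and the SMB NEGOTIATE request, from which the dialect list is extracted. The sample input is the first seven records of the dump above, re-typed; the record layout assumptions (8 hex groups per line before an undelimited ASCII column, a 4-byte NetBIOS session header, the 32-byte SMB header) are mine and are noted in comments.

```python
# Added example (not part of Horasis or Impacket): parse the getpackets() dump
# format into records and decode the NetBIOS session request and the SMB
# NEGOTIATE request carried in the payloads.
import re
from dataclasses import dataclass

# Constructed sample: the first seven records of the dump above, re-typed.
SAMPLE_DUMP = """
CID: 3805017 TS: 1185674492.000000 IP 82.243.64.208 -> 193.55.112.61 TCP syn 3911 -> 139
CID: 3805018 TS: 1185674492.000000 IP 193.55.112.61 -> 82.243.64.208 TCP ack syn 139 -> 3911
CID: 3805019 TS: 1185674492.000000 IP 82.243.64.208 -> 193.55.112.61 TCP ack 3911 -> 139
CID: 3805020 TS: 1185674492.000000 IP 82.243.64.208 -> 193.55.112.61 TCP ack push 3911 -> 139
8100 0048 2043 4b46 4445 4e45 4346 4445 ...H CKFDENECFDE
4646 4346 4745 4646 4343 4143 4143 4143 FFCFGEFFCCACACAC
4143 4143 4100 2045 4d45 5045 4445 4245 ACACA. EMEPEDEBE
4d45 4945 5046 4446 4543 4143 4143 4143 MEIEPFDFECACACAC
4143 4143 4141 4100 0000 0000 ACACAAA.....
CID: 3805021 TS: 1185674492.000000 IP 193.55.112.61 -> 82.243.64.208 TCP ack 139 -> 3911
CID: 3805022 TS: 1185674492.000000 IP 193.55.112.61 -> 82.243.64.208 TCP ack push 139 -> 3911
8200 0000 ....
CID: 3805023 TS: 1185674492.000000 IP 82.243.64.208 -> 193.55.112.61 TCP ack push 3911 -> 139
0000 007a ff53 4d42 7200 0000 0018 53c8 ...z.SMBr.....S.
0000 0000 0000 0000 0000 0000 0000 0039 ...............9
0000 0000 0057 0002 5043 204e 4554 574f .....W..PC NETWO
524b 2050 524f 4752 414d 2031 2e30 0002 RK PROGRAM 1.0..
4c41 4e4d 414e 312e 3000 0257 696e 646f LANMAN1.0..Windo
7773 2066 6f72 2057 6f72 6b67 726f 7570 ws for Workgroup
7320 332e 3161 0002 4c4d 312e 3258 3030 s 3.1a..LM1.2X00
3200 024e 5420 4c4d 2030 2e31 3200 2..NT LM 0.12.
"""

HDR_RE = re.compile(r"^CID: (\d+) TS: ([\d.]+) IP (\S+) -> (\S+) TCP ((?:[a-z]+ )*)(\d+) -> (\d+)$")
HEX_GROUP = re.compile(r"[0-9a-f]{4}|[0-9a-f]{2}")


@dataclass
class Packet:
    cid: int
    ts: float
    src: str
    dst: str
    flags: tuple
    sport: int
    dport: int
    payload: bytes = b""


def parse_dump(text):
    """Turn the dump into Packet records; hex lines after a header line are
    appended to that packet's payload."""
    pkts = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = HDR_RE.match(line)
        if m:
            pkts.append(Packet(int(m[1]), float(m[2]), m[3], m[4],
                               tuple(m[5].split()), int(m[6]), int(m[7])))
            continue
        if not pkts:
            raise ValueError("hex line before any packet header: %r" % line)
        # Assumption: at most eight 4-digit groups precede the ASCII column and
        # the ASCII column is not delimited, so stop at the first non-hex token.
        # A trailing 2-digit group covers an odd byte count.
        groups = []
        for tok in line.split():
            if len(groups) == 8 or not HEX_GROUP.fullmatch(tok):
                break
            groups.append(tok)
            if len(tok) == 2:
                break
        pkts[-1].payload += bytes.fromhex("".join(groups))
    return pkts


def decode_netbios_name(encoded):
    """Undo NetBIOS first-level encoding: each pair of letters 'A'..'P' carries
    one byte as two nibbles.  Returns (name, suffix_byte)."""
    raw = bytes(((a - 0x41) << 4) | (b - 0x41)
                for a, b in zip(encoded[0::2], encoded[1::2]))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def parse_netbios_session_request(payload):
    """Called and calling names from a NetBIOS session request (type 0x81)."""
    if len(payload) < 4 or payload[0] != 0x81:
        return None
    length = ((payload[1] & 1) << 16) | int.from_bytes(payload[2:4], "big")
    body = payload[4:4 + length]
    # Each name is one 32-byte label (length byte 0x20) plus a NUL terminator.
    if body[0] != 0x20 or body[33] != 0 or body[34] != 0x20 or body[67] != 0:
        raise ValueError("unexpected session request layout")
    return {"called": decode_netbios_name(body[1:33]),
            "calling": decode_netbios_name(body[35:67])}


def parse_smb_negotiate(payload):
    """Dialects offered in an SMB_COM_NEGOTIATE request inside a NetBIOS
    session message (type 0x00), in the order the client listed them."""
    if len(payload) < 4 or payload[0] != 0x00:
        return None
    smb = payload[4:]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x72:        # 0x72 = SMB_COM_NEGOTIATE
        return None
    word_count = smb[32]                               # after the 32-byte SMB header
    off = 33 + 2 * word_count
    byte_count = int.from_bytes(smb[off:off + 2], "little")
    data = smb[off + 2:off + 2 + byte_count]
    # Each dialect: 0x02 buffer-format byte, then a NUL-terminated string.
    return [item[1:].decode("ascii") for item in data.split(b"\x00")
            if item.startswith(b"\x02")]


def summarize(text):
    """Walk the conversation and report what the client asked for."""
    out = {"packets": 0, "netbios": None, "dialects": None}
    for p in parse_dump(text):
        out["packets"] += 1
        if not p.payload:
            continue
        if p.payload[0] == 0x81:
            out["netbios"] = parse_netbios_session_request(p.payload)
        elif p.payload[0] == 0x00 and out["dialects"] is None:
            out["dialects"] = parse_smb_negotiate(p.payload)
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP))
```

On the sample, the session request decodes to the generic called name "*SMBSERVER" (suffix 0x20) and the calling name "LOCALHOST" (suffix 0x00), and the NEGOTIATE request offers the five dialects readable in the ASCII column, ending with "NT LM 0.12"; both details are useful for writing a detection that distinguishes this client from ordinary Windows SMB traffic.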
It is possible to retrieve information about the shellcode and its behavior.
> injection.shellcode
'\xeb\x02\xebk\xe8\xf9\xff\xff\xff... [truncated]'
> injection.download_strategy
> injection.download_protocol
creceive
> injection.download_port
9988
Finally, we store the information provided by VirusTotal and Anubis, which describes the nature and the behaviour of the malware sample.
> injection.malware.md5
'3875b6257d4d21d51ec13247ee4c1cdb'
> injection.malware.signatures["F-Secure"][-1]
(datetime.datetime(2008, 4, 2, 4, 28, 46), 'found [Allaple.gen10]')
> injection.malware.signatures["Symantec"][-1]
(datetime.datetime(2008, 4, 2, 4, 28, 46), 'found [Backdoor.Trojan]')
> injection.malware.signatures["Panda"][-1]
(datetime.datetime(2008, 4, 2, 4, 28, 46), 'found [W32/Gaobot.PBJ.worm]')
> injection.malware.signatures["ClamAV"][-1]
(datetime.datetime(2008, 4, 2, 4, 28, 46), 'found [Worm.Allaple-2]')
> injection.malware.signatures["Symantec"]
[(datetime.datetime(2007, 6, 20, 19, 27, 10), 'found [Backdoor.Trojan]'),
(datetime.datetime(2007, 6, 21, 11, 3, 52), 'found [Backdoor.Trojan]'),
(datetime.datetime(2007, 6, 8, 0, 34, 4), 'found [Backdoor.Trojan]'),
(datetime.datetime(2007, 6, 9, 11, 27), 'found [Backdoor.Trojan]'),
(datetime.datetime(2007, 6, 9, 3, 46, 3), 'found [Backdoor.Trojan]'),
(datetime.datetime(2007, 6, 22, 4, 38, 59), 'found [Backdoor.Trojan]'),
(datetime.datetime(2007, 6, 23, 13, 38, 56), 'found [Backdoor.Trojan]'),
(datetime.datetime(2007, 6, 27, 2, 37, 31), 'found [Backdoor.Trojan]')]
> injection.malware.created_mutexes
set(['jhdgcjhasgdc09890gjasgcjhg2763876uyg3fhg'])
> injection.malware.tcp_aggregate
{139: (46, ('203.254.0.0', 16)), 445: (19, ('203.254.0.0', 16))}
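The signature histories above show the usual situation with multi-vendor verdicts: the scan dates are not in chronological order, one vendor only reports a generic class ("Backdoor.Trojan"), and the others disagree on the family name (Allaple versus Gaobot). As an added example (my own code, not part of Horasis), the following Python summarises such a signatures dictionary into the first detection date, the latest verdict per vendor and a family-name consensus that counts one vote per vendor and ignores generic tokens. The sample dictionary is constructed from the verdicts printed above, and the list of generic tokens is an assumption of mine.

```python
# Added example (not part of Horasis): summarise per-vendor signature history
# into first-seen date, latest verdicts and a family-name consensus.
import re
from collections import Counter
from datetime import datetime

# Constructed sample built from the verdicts printed above; the histories are
# deliberately not in date order, as in the Symantec output.
SAMPLE_SIGNATURES = {
    "F-Secure": [(datetime(2008, 4, 2, 4, 28, 46), "found [Allaple.gen10]")],
    "Symantec": [(datetime(2007, 6, 20, 19, 27, 10), "found [Backdoor.Trojan]"),
                 (datetime(2007, 6, 8, 0, 34, 4), "found [Backdoor.Trojan]"),
                 (datetime(2008, 4, 2, 4, 28, 46), "found [Backdoor.Trojan]")],
    "Panda": [(datetime(2008, 4, 2, 4, 28, 46), "found [W32/Gaobot.PBJ.worm]")],
    "ClamAV": [(datetime(2008, 4, 2, 4, 28, 46), "found [Worm.Allaple-2]")],
}

# Assumption: tokens naming a class of malware rather than a family.
GENERIC = {"w32", "win32", "worm", "backdoor", "trojan", "gen", "generic", "virus"}


def verdict_name(verdict):
    """'found [W32/Gaobot.PBJ.worm]' -> 'W32/Gaobot.PBJ.worm' (None if absent)."""
    m = re.search(r"found \[(.+?)\]", verdict)
    return m.group(1) if m else None


def family_tokens(name):
    """Lower-case tokens of a vendor name, minus generic words, numeric or
    letter+number parts ('gen10', '2') and short variant codes ('PBJ')."""
    toks = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", name) if t]
    return [t for t in toks
            if t not in GENERIC and not re.fullmatch(r"[a-z]*\d+", t) and len(t) > 3]


def summarize_signatures(signatures):
    """First detection across vendors, latest verdict per vendor, and the
    family name most vendors agree on (one vote per vendor, not per scan)."""
    latest, first_seen, votes = {}, {}, Counter()
    for vendor, history in signatures.items():
        if not history:
            continue
        by_time = sorted(history)          # histories are not in date order
        first_seen[vendor] = by_time[0][0]
        latest[vendor] = verdict_name(by_time[-1][1])
        for tok in set(family_tokens(latest[vendor] or "")):
            votes[tok] += 1
    consensus = votes.most_common(1)[0][0] if votes else None
    return {"first_seen": min(first_seen.values()), "latest": latest,
            "votes": dict(votes), "family": consensus}


if __name__ == "__main__":
    print(summarize_signatures(SAMPLE_SIGNATURES))
```

For the sample this yields a first detection on 2007-06-08, "allaple" as the consensus family with two votes against one for "gaobot", and no vote at all from Symantec, whose generic verdict carries no family information.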