Catch the Malware Snort terminal

Objective #9.1
Santa's Secret Room

Assist Alabaster by building a Snort filter to identify the malware plaguing Santa's Castle.

I started analyzing the ransomware on my host operating system, ran it by accident, and now my files are encrypted!
Unfortunately, the password database I keep on my computer was encrypted, so now I don't have access to any of our systems.
If only there were some way I could create some kind of traffic filter that could alert anytime ransomware was found!


For hints on achieving this objective, please visit Shinny Upatree and help him with the Sleigh Bell Lottery Cranberry Pi terminal challenge.

Shinny Upatree

Have you heard that Kringle Castle was hit by a new ransomware called Wannacookie?
Several elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by and their files were encrypted.
Many elves were affected, so Alabaster went to go see if he could help out.
I hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analyzing Wannacookie on his computer.
An elf I follow online said he analyzed Wannacookie and that it communicates over DNS.
He also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way.
Another recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie!
Of course, this all depends on how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt.
Perhaps there is a flaw in the wannacookie author's DNS server that we can manipulate to retrieve what we need.
If so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files.

  _  __     _             _       _____          _   _      
 | |/ /    (_)           | |     / ____|        | | | |     
 | ' / _ __ _ _ __   __ _| | ___| |     __ _ ___| |_| | ___ 
 |  < | '__| | '_ \ / _` | |/ _ \ |    / _` / __| __| |/ _ \
 | . \| |  | | | | | (_| | |  __/ |___| (_| \__ \ |_| |  __/
 |_|\_\_|  |_|_|_|_|\__, |_|\___|\_____\__,_|___/\__|_|\___|
             / ____| __/ |          | |                     
            | (___  |___/  ___  _ __| |_                    
             \___ \| '_ \ / _ \| '__| __|                   
             ____) | | | | (_) | |  | |_                    
            |_____/|_|_|_|\___/|_|_  \__|                   
               |_   _|  __ \ / ____|                        
                 | | | |  | | (___                          
         _____   | | | |  | |\___ \        __               
        / ____| _| |_| |__| |____) |      /_ |              
       | (___  |_____|_____/|_____/ _ __   | |              
        \___ \ / _ \ '_ \/ __|/ _ \| '__|  | |              
        ____) |  __/ | | \__ \ (_) | |     | |              
       |_____/ \___|_| |_|___/\___/|_|     |_|              
 
============================================================
INTRO:
  Kringle Castle is currently under attack by a new piece of
  ransomware that is encrypting all the elves' files. Your 
  job is to configure snort to alert on ONLY the bad 
  ransomware traffic.
 
GOAL:
  Create a snort rule that will alert ONLY on bad ransomware
  traffic by adding it to snort's /etc/snort/rules/local.rules
  file. DNS traffic is constantly updated to snort.log.pcap
 
COMPLETION:
  Successfully create a snort rule that matches ONLY
  bad DNS traffic and NOT legitimate user traffic and the 
  system will notify you of your success.
  
  Check out ~/more_info.txt for additional information.
MORE INFO:
  A full capture of DNS traffic for the last 30 seconds is
  constantly updated to:
 
  /home/elf/snort.log.pcap
 
  You can also test your snort rule by running:
 
  snort -A fast -r ~/snort.log.pcap -l ~/snort_logs -c /etc/snort/snort.conf
 
  This will create an alert file at ~/snort_logs/alert
 
  This sensor also hosts an nginx web server to access the
  last 5 minutes worth of pcaps for offline analysis. These
  can be viewed by logging into:
 
  http://snortsensor1.kringlecastle.com/
 
  Using the credentials:
  ----------------------
  Username | elf
  Password | onashelf
 
  tshark and tcpdump have also been provided on this sensor.
 
HINT:
  Malware authors often use dynamic domain names and
  IP addresses that change frequently within minutes or even
  seconds to make detecting and blocking malware more difficult.
  As such, it's a good idea to analyze traffic to find patterns
  and match upon these patterns instead of just IP/domains.

Glancing over snort.log.pcap, it looks like it contains only UDP traffic carrying DNS. Verify that it contains only UDP traffic (both commands should print nothing; with -r, tshark's trailing argument is a read filter):

tcpdump -nr snort.log.pcap 'not udp'
tshark -r snort.log.pcap '!udp'

Verify that it contains only DNS traffic (again, no output expected):

tcpdump -nr snort.log.pcap 'not port 53'
tshark -r snort.log.pcap '!(udp.port == 53)'

List the names seen in DNS queries and in query responses (the name is the last field of a query summary line and the second-to-last of a response line):

tshark -r snort.log.pcap | grep -v ' query response ' | awk '{ print $NF }' | sort
tshark -r snort.log.pcap | grep ' query response ' | awk '{ print $(NF-1) }' | sort
Suspicious DNS requests are using different domains and hosts ...
22.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
23.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
23.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
24.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
24.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
25.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
25.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
26.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
26.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
27.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
(..)
... but there is a common part: they all carry 77616E6E61636F6F6B69652E6D696E2E707331 as a subdomain label, and the leading number increases with each request, which looks like a chunk index.
$ echo 77616E6E61636F6F6B69652E6D696E2E707331 | xxd -r -p
wannacookie.min.ps1
So the malware is using DNS to download a PowerShell script, wannacookie.min.ps1, and the domains and the numeric label change from query to query while the hex-encoded file name stays constant. That is the pattern to match. Let's catch it.

Prepare a content payload filter and check that it catches every suspicious packet. Snort matches content against the raw bytes of the UDP payload, and in a DNS name the hex string is carried as a plain label, so the bytes to match are the ASCII characters of the hex string itself:

$ echo 77616E6E61636F6F6B69652E6D696E2E707331 | xxd -p -u | fold -w2 | paste -sd':' -
37:37:36:31:36:45:36:45:36:31:36:33:36:46:36:46:36:42:36:39:36:35:32:45:36:44:36:39:36:45:32:45:37:30:37:33:33:31:0A
$ tshark -r snort.log.pcap 'udp contains 37:37:36:31:36:45:36:45:36:31:36:33:36:46:36:46:36:42:36:39:36:35:32:45:36:44:36:39:36:45:32:45:37:30:37:33:33:31:0A'
It catches both the DNS queries and the responses while leaving normal DNS traffic untouched.

A caveat on the trailing 0A: echo appended a newline, and xxd encoded it along with the hex string. In the packet the byte after the hex label is not a newline but the length byte of the next label, and it is 0x0A only because nrsrgeubah and nbhurgrase are both exactly 10 characters long. The filter works on this capture, but against a domain whose next label has a different length it would miss; to match on the file name alone, drop the 0A (use echo -n or printf '%s' instead of echo).

Prepare and deploy the Snort rule. The content uses the same bytes in Snort's space-separated |hex| syntax; the sid must be unique, and values from 1,000,000 upwards are the range reserved for local rules.

$ echo 77616E6E61636F6F6B69652E6D696E2E707331 | xxd -p -u | fold -w2 | paste -sd' ' -
37 37 36 31 36 45 36 45 36 31 36 33 36 46 36 46 36 42 36 39 36 35 32 45 36 44 36 39 36 45 32 45 37 30 37 33 33 31 0A
cat <<EOF > /etc/snort/rules/local.rules
alert udp any any -> any any ( msg:"wannacookie.min.ps1"; content:"|37 37 36 31 36 45 36 45 36 31 36 33 36 46 36 46 36 42 36 39 36 35 32 45 36 44 36 39 36 45 32 45 37 30 37 33 33 31 0A|"; sid: 987654321;)
EOF
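The following Python is added here as an illustration and is not part of the original writeup or of the challenge materials. It builds the malicious query names from the capture in DNS wire format, runs the page's content bytes against them the way Snort's content: keyword does (a substring match on the UDP payload), and shows why the trailing 0A matched: it is the length byte of the 10-character label that follows the hex string. The packets, the example.com domain used as a counter-example, and the rule text with nocase and a local-range sid are constructed for this example.

```python
import struct

# hex("wannacookie.min.ps1"), the label shared by every malicious query
HEX_LABEL = "wannacookie.min.ps1".encode().hex().upper()


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels: <len><label>...<0x00>."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))  # this length byte is what follows the hex label
        out += raw
    out.append(0)
    return bytes(out)


def build_dns_query(name: str, qtype: int = 16, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header plus one question (qtype 16 = TXT)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def snort_content(text: str) -> str:
    """Render a string as a Snort |hex| content block."""
    return "|" + " ".join(f"{b:02X}" for b in text.encode()) + "|"


def content_bytes(content: str) -> bytes:
    """The raw bytes a Snort |hex| content block matches."""
    return bytes.fromhex(content.strip("|"))


def matches(packet: bytes, content: str) -> bool:
    """Substring match on the payload, which is what content: does."""
    return content_bytes(content) in packet


# What the page's echo | xxd pipeline produced: the hex label plus 0A (echo's newline).
CONTENT_WITH_NEWLINE = snort_content(HEX_LABEL + "\n")
# What printf '%s' ... | xxd -p -u would have produced: the hex label only.
CONTENT_FIXED = snort_content(HEX_LABEL)


def wannacookie_rule(sid: int = 1000001) -> str:
    """Constructed rule on the hex label only; nocase also covers lowercase hex."""
    return (
        'alert udp any any -> any any (msg:"wannacookie.min.ps1 over DNS"; '
        f'content:"{CONTENT_FIXED}"; nocase; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    for domain in ("nrsrgeubah.net", "nbhurgrase.ru", "example.com"):
        pkt = build_dns_query(f"22.{HEX_LABEL}.{domain}")
        i = pkt.index(HEX_LABEL.encode()) + len(HEX_LABEL)
        print(f"{domain:15s} byte after hex label = 0x{pkt[i]:02X}  "
              f"with 0A: {matches(pkt, CONTENT_WITH_NEWLINE)}  "
              f"fixed: {matches(pkt, CONTENT_FIXED)}")
    print(wannacookie_rule())
```

Because the matched bytes are plain ASCII, Snort would also accept the content written directly as the string "77616E6E61636F6F6B69652E6D696E2E707331"; the |hex| form and the string form describe the same bytes.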

After a few seconds...

[+] Congratulation! Snort is alerting on all ransomware and only the ransomware! 

Thank you so much! Snort IDS is alerting on each new ransomware infection in our network.

details

  • /etc/motd
  • more_info.txt
  • /etc/snort/snort.conf
  • wannacookie.min.ps1 or wannacookie.min.ps1.zip (password protected: KringleCon2018)
  • This malware file can be extracted from the snort.log.pcap file available in the terminal or on Snort Sensor #1. The pipeline below pulls the quoted TXT answers out of tcpdump's output, skips the first answer with tail -n +2, and relies on the remaining answers arriving in capture order.
    tcpdump -nr snort.log.pcap | grep -oE '\"([0-9a-f]+)\"' | tr -d '"' | uniq | tail -n +2 | tr -d '\n' | xxd -r -p > wannacookie.min.ps1
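The pipeline above depends on the answers being captured in order and on the window being complete. The following Python is added here as an alternative and is not from the writeup or the challenge: it reassembles the script from the tab-separated output of `tshark -r snort.log.pcap -Y 'dns.flags.response == 1 && dns.txt' -T fields -e dns.qry.name -e dns.txt`, keyed on the index label of each query name rather than on packet order, and it reports missing chunks, which matters because the terminal's pcap only holds the last 30 seconds. It assumes that the index-less query's TXT answer carries the chunk count (consistent with the record the pipeline above skips) and that each numbered query returns one hex chunk. The sample lines and the stand-in payload are constructed so the example runs offline.

```python
import re

HEX_LABEL = "77616E6E61636F6F6B69652E6D696E2E707331"  # hex("wannacookie.min.ps1")

# Constructed stand-in for the real script, so the example runs offline.
PAYLOAD = b"# constructed stand-in for wannacookie.min.ps1\nWrite-Host 'hello from DNS'\n"
CHUNK = 16  # bytes of script per TXT answer in this sample


def make_sample(payload: bytes, drop=frozenset()) -> str:
    """Constructed tshark '-T fields -e dns.qry.name -e dns.txt' output.
    The index-less name answers with the chunk count (assumed), the numbered
    names carry hex chunks, delivered out of order and with one duplicate,
    as a rolling capture might give them. Indexes in `drop` are left out."""
    chunks = [payload[i:i + CHUNK].hex() for i in range(0, len(payload), CHUNK)]
    domains = ("nrsrgeubah.net", "nbhurgrase.ru")
    lines = [f"{HEX_LABEL}.{domains[0]}\t{len(chunks)}"]
    for i in reversed(range(len(chunks))):
        if i not in drop:
            lines.append(f"{i}.{HEX_LABEL}.{domains[i % 2]}\t{chunks[i]}")
    lines.append(lines[-1])  # duplicate answer
    return "\n".join(lines)


def parse_chunks(text: str):
    """Return (declared chunk count or None, {index: hex chunk})."""
    count, chunks = None, {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        qname, txt = line.split("\t", 1)
        labels = qname.lower().split(".")
        if labels[0] == HEX_LABEL.lower() and txt.isdigit():
            count = int(txt)  # assumed: index-less query returns the chunk count
        elif len(labels) > 1 and labels[1] == HEX_LABEL.lower() and labels[0].isdigit():
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", txt):
                raise ValueError(f"chunk {labels[0]} is not hex: {txt!r}")
            idx = int(labels[0])
            if chunks.get(idx, txt) != txt:
                raise ValueError(f"conflicting data for chunk {idx}")
            chunks[idx] = txt  # exact duplicates are harmless
    return count, chunks


def missing_chunks(chunks: dict, count: int) -> list:
    """Indexes the capture window did not contain."""
    return [i for i in range(count) if i not in chunks]


def reassemble(chunks: dict, count) -> bytes:
    """Join the chunks in index order; refuse to emit a truncated script."""
    if count is None:
        count = max(chunks) + 1  # no count record seen; assume highest index is last
    missing = missing_chunks(chunks, count)
    if missing:
        raise ValueError(f"missing chunks {missing}; capture a longer window")
    return bytes.fromhex("".join(chunks[i] for i in range(count)))


if __name__ == "__main__":
    count, chunks = parse_chunks(make_sample(PAYLOAD))
    print(reassemble(chunks, count).decode())
```

For the real capture, feed the tshark output to parse_chunks and write reassemble's result to wannacookie.min.ps1; a ValueError listing missing indexes means the 30-second pcap did not cover a whole download, and the 5-minute pcaps on the sensor's web server are the place to look.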