Assist Alabaster by building a Snort filter to identify the malware plaguing Santa's Castle.
I started analyzing the ransomware on my host operating system, ran it by accident, and now my files are encrypted!
Unfortunately, the password database I keep on my computer was encrypted, so now I don't have access to any of our systems.
If only there were some way I could create some kind of traffic filter that could alert anytime ransomware was found!
For hints on achieving this objective, please visit Shinny Upatree and help him with the Sleigh Bell Lottery Cranberry Pi terminal challenge.
Have you heard that Kringle Castle was hit by a new ransomware called Wannacookie?
Several elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by and their files were encrypted.
Many elves were affected, so Alabaster went to go see if he could help out.
I hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analyzing Wannacookie on his computer.
An elf I follow online said he analyzed Wannacookie and that it communicates over DNS.
He also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way.
Another recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie!
Of course, this all depends how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt.
Perhaps there is a flaw in the wannacookie author's DNS server that we can manipulate to retrieve what we need.
If so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files.
INTRO: Kringle Castle is currently under attacked by new piece of ransomware that is encrypting all the elves files. Your job is to configure snort to alert on ONLY the bad ransomware traffic.
GOAL: Create a snort rule that will alert ONLY on bad ransomware traffic by adding it to snorts /etc/snort/rules/local.rules file. DNS traffic is constantly updated to snort.log.pcap
COMPLETION: Successfully create a snort rule that matches ONLY bad DNS traffic and NOT legitimate user traffic and the system will notify you of your success.
Check out ~/more_info.txt for additional information.
MORE INFO:
A full capture of DNS traffic for the last 30 seconds is constantly updated to: /home/elf/snort.log.pcap
You can also test your snort rule by running:
snort -A fast -r ~/snort.log.pcap -l ~/snort_logs -c /etc/snort/snort.conf
This will create an alert file at ~/snort_logs/alert
This sensor also hosts an nginx web server to access the last 5 minutes worth of pcaps for offline analysis. These can be viewed by logging into: http://snortsensor1.kringlecastle.com/
Using the credentials:
Username | elf
Password | onashelf
tshark and tcpdump have also been provided on this sensor.
HINT: Malware authors often user dynamic domain names and IP addresses that change frequently within minutes or even seconds to make detecting and block malware more difficult. As such, its a good idea to analyze traffic to find patterns and match upon these patterns instead of just IP/domains.
Glancing over snort.log.pcap, it looks like it contains only UDP traffic with DNS packets.
Verify that it contains only UDP traffic (no output should be given).
tcpdump -nr snort.log.pcap 'not udp'
tshark -r snort.log.pcap '!udp'
Verify that it contains only DNS traffic.
tcpdump -nr snort.log.pcap 'not port 53'
tshark -r snort.log.pcap '!(udp.port == 53)'
Analyze DNS query requests and query responses.
tshark -r snort.log.pcap | grep -v ' query response ' | awk '{ print $NF }' | sort
tshark -r snort.log.pcap | grep ' query response ' | awk '{ print $(NF-1) }' | sort
Suspicious DNS requests are using different domains and hosts ...
22.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
23.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
23.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
24.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
24.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
25.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
25.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
26.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
26.77616E6E61636F6F6B69652E6D696E2E707331.nrsrgeubah.net
27.77616E6E61636F6F6B69652E6D696E2E707331.nbhurgrase.ru
(..)
... but there is a common part: they all include 77616E6E61636F6F6B69652E6D696E2E707331 in the subdomain.
$ echo 77616E6E61636F6F6B69652E6D696E2E707331 | xxd -r -p
wannacookie.min.ps1
So the malware is using DNS to download a PowerShell script, wannacookie.min.ps1. Let's catch it.
Let's prepare a content payload filter and verify it's catching all suspicious packets.
$ echo 77616E6E61636F6F6B69652E6D696E2E707331 | xxd -p -u | fold -w2 | paste -sd':' -
37:37:36:31:36:45:36:45:36:31:36:33:36:46:36:46:36:42:36:39:36:35:32:45:36:44:36:39:36:45:32:45:37:30:37:33:33:31:0A
$ tshark -r snort.log.pcap 'udp contains 37:37:36:31:36:45:36:45:36:31:36:33:36:46:36:46:36:42:36:39:36:35:32:45:36:44:36:39:36:45:32:45:37:30:37:33:33:31:0A'
It catches both DNS queries and responses while not touching normal DNS traffic.
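As an added illustration, not part of the original writeup, the Python below builds DNS query payloads for names constructed from the page's list and applies the same raw-byte test as the tshark filter and the Snort content option. The trailing 0A in the pattern came from echo's newline; it only matches because on the wire it coincides with the length byte of the 10-character label that follows (nrsrgeubah, nbhurgrase), so the block also keeps the pattern without it.

```python
import struct

# Hex-encoded ASCII of "wannacookie.min.ps1", the label shared by every
# malicious query listed on the page.
HEX_LABEL = "77616E6E61636F6F6B69652E6D696E2E707331"
# Byte pattern from the page's Snort rule: the ASCII hex text plus the 0x0A
# that `echo` appended. On the wire that 0x0A is the length byte of the next label.
PAGE_PATTERN = HEX_LABEL.encode("ascii") + b"\x0a"
# The same match without the stray newline byte.
LABEL_PATTERN = HEX_LABEL.encode("ascii")

def encode_qname(name):
    """DNS wire-format name: length-prefixed labels and a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=16, txid=0x1234):
    """Constructed sample DNS query payload: header plus one question (16 = TXT)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def decode_qname(payload, offset=12):
    """Return the question-name labels of a DNS payload (no compression expected)."""
    labels = []
    while payload[offset]:
        n = payload[offset]
        labels.append(payload[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return labels

def matches(payload, pattern=PAGE_PATTERN):
    """Same test as the tshark 'udp contains' filter and the Snort content option."""
    return pattern in payload

def decoded_filename(payload):
    """Decode the hex label of a matching query back to the transferred file name."""
    for label in decode_qname(payload):
        if label.upper() == HEX_LABEL:
            return bytes.fromhex(label).decode("ascii")
    return None

def scan(names, pattern=PAGE_PATTERN):
    """Apply the pattern to a query built for each name; returns {name: alert?}."""
    return {name: matches(build_query(name), pattern) for name in names}
```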
Prepare and deploy the Snort rule.
$ echo 77616E6E61636F6F6B69652E6D696E2E707331 | xxd -p -u | fold -w2 | paste -sd' ' -
37 37 36 31 36 45 36 45 36 31 36 33 36 46 36 46 36 42 36 39 36 35 32 45 36 44 36 39 36 45 32 45 37 30 37 33 33 31 0A
cat <<EOF > /etc/snort/rules/local.rules
alert udp any any -> any any ( msg:"wannacookie.min.ps1"; content:"|37 37 36 31 36 45 36 45 36 31 36 33 36 46 36 46 36 42 36 39 36 35 32 45 36 44 36 39 36 45 32 45 37 30 37 33 33 31 0A|"; sid: 987654321;)
EOF
After a few seconds...
[+] Congratulation! Snort is alerting on all ransomware and only the ransomware!
Thank you so much! Snort IDS is alerting on each new ransomware infection in our network.
Files referenced in this writeup:
/etc/motd
more_info.txt
/etc/snort/snort.conf
wannacookie.min.ps1 or wannacookie.min.ps1.zip (password protected: KringleCon2018)
snort.log.pcap file available in terminal or Snort Sensor #1.
Extracting the script transferred over DNS from the pcap (the quoted hex strings in the TXT answers, reassembled and decoded):
tcpdump -nr snort.log.pcap | grep -oE '\"([0-9a-f]+)\"' | tr -d '"' | uniq | tail -n +2 | tr -d '\n' | xxd -r -p > wannacookie.min.ps1