CSAM: My servers started speaking IRC, and that is when I started to listen!

Published: 2014-10-09
Last Updated: 2014-10-09 17:57:19 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Hassan submitted this story:

While reviewing our IDS logs, we noticed an alert for IRC botnet traffic coming from multiple servers in a specific VLAN.

Ouch! One thing I keep saying in our IDS Class: If your servers all for sudden start joining IRC channels, then they are either very bored, or very compromised. But lets see how it went for Hassan. Hassan had what every analyst wants: pcaps! So he looked at the full packet capture of the traffic:

The traffic wasn't 100% IRC. But it looked suspect

Further analysis showed that the traffic originated from servers that were currently in the process of being moved between hosts via vMotion. The content of the memory / disk being transferred included IRC traffic like strings! Oops. We may not have active IRC traffic, but why are these strings present? Maybe malware lingering on the system? Hassan went all in and used volatility to examine the memory dump.

Using volatility we took a vaddump of the memory dump and searched the individual process dumps for the string pattern to identify the infected process. we found out that this part of the memory belongs to the AV process :). Apparently part of its signatures expanded in the memory during the scan.

Great work Hassan! This one was a good one and yes, anti-virus patterns will often contain "malicious strings" and can trigger an IDS if it spots these strings in transfer. The signatures as downloaded from the vendor are often encrypted, compressed or otherwise obfuscated, so your IDS usually doesn't recognize these patterns. But once loaded into memory on the host, the signatures are in the clear.

Johannes B. Ullrich, Ph.D.

Keywords: botnet CSAM14 irc
0 comment(s)
ISC StormCast for Thursday, October 9th 2014 http://isc.sans.edu/podcastdetail.html?id=4185


Diary Archives