Extracting Malware Transmitted Via Telnet
Last Updated: 2016-11-03 17:14:37 UTC
by Johannes Ullrich (Version: 1)
One charactersitcs of many of the telnet explois we have seen over the last few years has been the transmission of malware using "echo" commands. Even the recent versions of Mirai used this trick. Reconstruction the malware from packet captures can be a little bit tricky, in particular if you are trying to automate the process. So here is what I have been doing for my "honeypot DVR":
First of all, the DVR is connected to a remote controlled power outlet, to make it easy to reboot it as needed. I do use a shell script to reboot the DVR after it gets infected.
Next, I run snort to alert me that the honeypot got infected again. I don't trigger on the initial compromise, but on the outbound telnet scans. They usually start once the exploit completes. The signature I am using:
alert tcp $HONEYPOTIP any -> any 23 (msg: "MIRAI end"; sid: 1; flow: stateless; flags: S; threshold: type threshold, track by_src, count 10, seconds 1;)
I just run snort like: snort -c ./snort.conf -A console -N -q -i eth0 and once it starts flooding the terminal with alerts, it is time to reboot (I haven't automated that part yet... soon). In addition I run a full packet capture of all traffic going to/from the DVR.
Once the honeypot is compromised (usually every 15 minutes or less), I take the packet capture and run it through tcpflow.
tcpflow will extract all TCP sessions, and reassemble the payloads. The only step that is left is to extract the transmitted files. To do this, I wrote a little perl script. Just pipe the telnet session files to it, and it will extract the malware. You can find it, and other tools/samples here: https://github.com/jullrich/dvrxploits .
The current script is in a "works for me" state. It will not work if multiple files are transmitted at the same time . For example:
echo -en "\x...." > file1
echo -en "\x..." > file2
echo -en "\x..." > file1
"interleaving" of echo statements like this is something I haven't seen so far, but it wouldn't be hard to adjust the script to deal with it.