This video will show you how to create custom Snort rules based on malicious traffic. The signatures we will focus upon are related to network traffic, which was derived from malware-traffic-analysis.net, involving Boleto-themed malicious spam.

First step: open a web browser. Type in malware-traffic-analysis.net. Click here for the training exercises. The pcap we're going to use for this exercise is "Your holiday present". Click to download the pcap. Go to the Downloads folder. Right click, Extract Here. The password is "infected", all lowercase. Open the pcap.

Next, I'm going to make some changes to the default column display. This is optional, but it's much more convenient if you set it up this way for analysis. So, first step: go to Edit, Preferences, Columns. I'm going to uncheck Number, Protocol and Length. Add two new columns. Rename these "source port" and "dest port". Field type: Source port (unresolved), Dest port (unresolved). Go ahead and type in http.request to filter for HTTP traffic. Click Apply. Now drill down in the Hypertext Transfer Protocol section here. Click on any one of the Host HTTP headers. Right click, Apply as Column. Good. Go back to Preferences, Columns. Make sure to check source port and dest port. Click Apply. Okay. Click View, Time Display Format, choose the top selection. Click View again, Time Display Format, change from Automatic to Seconds. All right, that's it. We're all good to go now.

This network traffic is from a user named Matthew Frogman that clicked on a malicious link in an email and had their system infected as a result. So let's go over the chain of events. Let's make this a little bit bigger here. All right. So this right here is the host name, the top-level domain here. And this looks like a domain generation algorithm created this name here. But this GET request is the root cause of the infection. They clicked on a link from an email. Let me just go ahead and follow the TCP stream.
And as a result of that, there was a redirection to a VB file, so I'll show you that as well. This is just the initial GET request from clicking the link in the email. So clear that. Okay. Here's the next step. So just follow the TCP stream here. This Follow TCP Stream here will show you the file which was the cause of the infection. They downloaded this file here. It's a Visual Basic script. So that's the cause of the infection. Okay, so the post-infection HTTP traffic are these GET requests, these "bye bye" and these .txt, .tiff, .zip and .dll files. That is indicative of the post-infection as well. As we scroll down a little bit here, there it is: GET BSB infects from this Russian host right here. This is another indicator of post-infection. Let's keep going down. Oh, right here: this top domain here. Another indicator of post-infection. So we're going to go ahead and use these indicators in Snort rules. The first Snort rule is going to be an indicator which will detect the phishing email link click. And then the other four rules are going to show post-infection.

Let's go ahead and open up a terminal. Let's just minimize this for now. Type in sudo vi /nsm/rules/local.rules. Okay. The first rule here: alert on TCP traffic coming from any IP in the HOME_NET variable and any port, going to any IP address in the EXTERNAL_NET variable over HTTP_PORTS, prompting a message "Probable successful phishing attack". Flow will be established to the server. The content match of GET, limited to HTTP method. Okay, so let's just go back to Wireshark. All right. As you recall, this right here indicates the click of the link on the phishing email. So let's just follow TCP stream, and I am going to copy that all the way to "php?" because the rest of it can be random. This is a static indicator that will always occur as a result of this Boleto malware. So let's go back to our terminal. All right.
And I'm going to limit that to the URI. So if that occurs anywhere else in the payload, we will not get a content match; it's limited to just the URI. Give it a class type of trojan-activity. Give it a SID. Give it a revision. All right. That rule is good to go.

The next rule is going to focus on post-infection. So we're going to alert on TCP traffic, same thing: any IP from the HOME_NET variable going to any IP in the EXTERNAL_NET variable with HTTP_PORTS, prompting a message "Probable post-infection Boleto-themed malicious spam, first indicator". Flow is established to server, again content of GET, limited to the HTTP method. Now, let's go back to Wireshark. Close out of this. We need to take a look at the other indicators here. HTTP method... sorry about that, http.request. All right, back up here. Okay, so here's a bunch of post-infection traffic. We have a string of forward slash, "bye bye", forward slash, and then we have a bunch of file extensions, so we can combine those two to create a rule that will detect if any one of these occur. So let's go back to the terminal. I'm going to use a content match: forward slash, "bye bye", forward slash. Limit that to the URI. And now I'm going to use Perl-compatible regular expressions. So this will match on any of the aforementioned file extensions: .txt, .tiff, .zip, .dll and .exe. So get started on that: first "pcre:". We're going to go ahead and group these together. So this right here escapes the dots, so it's a literal dot, and we'll match on txt. Then the pipe means "or", so it's going to be .txt or .tiff or .zip or .dll or .exe. That's it. We're going to have a class type, same thing, trojan-activity. Give it a SID and a revision. Good. On to the next rule. All right. To save us some time, I'm going to copy a portion of this rule because it's going to be pretty similar. So just copy that. I'm going to go ahead and change that part because it's the second indicator. Everything else is going to be the same.
All right. So same thing as the previous rule, except for obviously the content match is going to be different, because we have a different indicator that we're going to use. So, content: and go back to Wireshark. The indicator we're going to want to use here is "BSB effects". So let's take a look right here. Okay. Just follow TCP stream. And this has the other indicator that we're going to use as well. So, first off, copy this to the "php?". Limited to HTTP URI. And we can give it a class type, give it a SID, revision. Okay. That rule looks good to go. Same thing here. We can go ahead and copy it all the way to HTTP method. Paste that in. Just doing a string search for "second" because I want to change that to "third". So we have all the same stuff here, except we're going to change the content match. Back to our TCP stream, because we have the other content match here as well, which is going to be this "BSP debug" and also "index.php?". Limit that to HTTP URI. Give it a class type, SID and give it a revision. It's good to go. All right. I'm going to do the same thing as before: copy a portion of this rule, save us some time. I'm going to make a couple of changes here, though. First off, obviously, I'm going to change "third" to "fourth". And the content GET needs to be changed as well, because this is going to be a POST request, not a GET request. So with those two changes, I can move on to the content match. Let's go back to Wireshark. We're going to have to close that out. http.request, just filter for that. Now our fourth indicator is "Mr. E Admin XRP, XRP". There it is. So just right click it and follow TCP stream to get it easily. Content match, that's going to be limited to HTTP URI as well, with the class type of trojan-activity. Give it a SID number, revision. Okay, let's take a little while to carefully look through each one of your rules. Make sure that you have a semicolon separating each statement. That's very important.
Make sure you have a colon after each keyword. It's very important. If you miss any one of those, the rule will not function. So you've got to be very careful. Make sure that your SIDs are different from one another. If they're the same, it causes issues as well. So let's go ahead and give these a shot. Let's test them out. Go ahead and save and quit out of that. I want to type sudo rule-update. Next, let's go to the Downloads folder. We have this pcap here that we got all the indicators from. We want to run that through our sniffing interface, which is eth1. To do that, we can use tcpreplay. So: sudo tcpreplay --intf1 eth1 and the name of the pcap. You're going to run it a couple of times. You can use the -l switch, or you can just run it a bunch of times. Run it through the interface five times with -l 5. All right. We can get rid of that. Open up Squert. So go ahead and sort it by signature. All right. Looks like we have all of our rules here: the probable successful phishing attack; the first, second, third and fourth indicator. Okay. So it looks like our rules are functioning properly. Just take a quick look at them. Yep. Here's the GET request. See, pattern match: we have the content keyword here. Here's the third indicator. It's working properly. Second indicator here. There it is. Fourth indicator, post-infection. Okay, here's the PCRE rule: the .dll, the .exe, the .txt, .tiff. Very good. So this rule here is going to match on a content match of forward slash "bye bye" and any one of these file extensions. So that's also working properly. If you don't see these alerts right away, just wait a few minutes. Sometimes it takes a little while to actually generate the alerts. As always, if you have any questions or issues running this lab, please let me know via message or the Q&A section.
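The two things the walkthrough leans on hardest are (a) restricting a content or pcre match to the URI buffer so the same string elsewhere in the request does not fire the rule, and (b) the syntax discipline at the end: a semicolon after every option, a colon after every keyword that takes a value, and unique SIDs. The Python below is an added example, not code from the video and not Snort itself: a small linter and matcher for rules written in the shape the narrator builds. It assumes placeholder URIs and SIDs (the real indicators from the pcap are not reproduced here), uses "/bb/" as a stand-in for the path the narrator reads out as "bye bye", and models only the content, http_method, http_uri and pcre options.

```python
"""Linter and matcher for Snort rules in the shape built in this walkthrough.
Added example, not code from the video or from Snort: it checks the points the
narrator stresses (';' after every option, ':' after every keyword that takes a
value, unique sids) and applies content/http_method/http_uri/pcre to
constructed HTTP requests. URIs and sids are PLACEHOLDERS, not real indicators."""
import re

# Constructed rules in the shape the video builds (placeholder URIs and sids).
RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable successful phishing attack"; flow:established,to_server; content:"GET"; http_method; content:"/PLACEHOLDER-path/index.php?"; http_uri; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable post-infection Boleto themed malicious spam, first indicator"; flow:established,to_server; content:"GET"; http_method; content:"/bb/"; http_uri; pcre:"/\.(txt|tiff|zip|dll|exe)/Ui"; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable post-infection Boleto themed malicious spam, fourth indicator"; flow:established,to_server; content:"POST"; http_method; content:"/PLACEHOLDER-admin/"; http_uri; classtype:trojan-activity; sid:1000003; rev:1;)
'''
# Deliberately broken rules: a missing colon, a duplicate sid, a missing final ';'.
BAD_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"no colon"; content:"GET"; http_method; classtype trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"no semicolon"; content:"GET"; http_method; classtype:trojan-activity; sid:1000009; rev:1)
'''

VALUE_KEYWORDS = {"msg", "flow", "content", "pcre", "classtype", "sid", "rev"}
BUFFER_MODIFIERS = {"http_method": "method", "http_uri": "uri"}  # modifier -> buffer it selects
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_options(body):
    """Split the option block on ';' outside double quotes; return (parts, unterminated tail)."""
    parts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip()); cur = []
        else:
            in_quote ^= (ch == '"')
            cur.append(ch)
    return [p for p in parts if p], "".join(cur).strip()

def parse_rule(line):
    """Parse one rule into its header, (keyword, value) options and syntax errors."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("bad rule header: " + line)
    opts, tail = split_options(m.group(7))
    options, errors = [], []
    if tail:  # text after the last ';' means an option was not terminated
        errors.append("missing ';' after %r" % tail)
    for opt in opts:
        if ":" in opt:
            kw, val = (s.strip() for s in opt.split(":", 1))
            options.append((kw, val.strip('"')))
        else:
            first = opt.split()[0]
            if first in VALUE_KEYWORDS:
                errors.append("missing ':' after keyword %s" % first)
            elif first not in BUFFER_MODIFIERS:
                errors.append("unknown option %r" % opt)
            options.append((first, None))
    return {"header": m.groups()[:6], "options": options, "errors": errors}

def load_rules(text):
    return [parse_rule(ln) for ln in text.strip().splitlines() if ln.strip() and not ln.startswith("#")]

def lint(rules):
    """All syntax problems plus duplicate sids, as 'rule N: ...' strings."""
    problems, seen = [], {}
    for n, rule in enumerate(rules, 1):
        problems += ["rule %d: %s" % (n, e) for e in rule["errors"]]
        sid = dict(rule["options"]).get("sid")
        if sid in seen:
            problems.append("rule %d: sid %s duplicates rule %d" % (n, sid, seen[sid]))
        seen.setdefault(sid, n)
    return problems

def build_matchers(options):
    """content/pcre options with the buffer each applies to: a following http_*
    modifier re-targets the preceding content; pcre's U flag selects the URI."""
    matchers = []
    for kw, val in options:
        if kw == "content":
            matchers.append(["payload", "content", val])
        elif kw in BUFFER_MODIFIERS and matchers:
            matchers[-1][0] = BUFFER_MODIFIERS[kw]
        elif kw == "pcre":
            pattern, flags = val[1:].rsplit("/", 1)  # "/regex/flags" -> regex, flags
            buf = "uri" if "U" in flags else "payload"
            matchers.append([buf, "pcre", re.compile(pattern, re.I if "i" in flags else 0)])
    return matchers

def rule_matches(rule, request):
    """Snort ANDs all matchers: every content and pcre must hit in its own buffer."""
    for buf, kind, val in build_matchers(rule["options"]):
        hay = request[buf]
        hit = (val in hay) if kind == "content" else bool(val.search(hay))
        if not hit:
            return False
    return True

def make_request(method, uri, headers=()):
    """Constructed HTTP request split into the buffers Snort's HTTP inspector exposes."""
    payload = "%s %s HTTP/1.1\r\n%s\r\n\r\n" % (method, uri, "\r\n".join(headers))
    return {"method": method, "uri": uri, "payload": payload}

def fired(request, rules=None):
    """Sorted sids of the rules that would alert on the request."""
    rules = load_rules(RULES) if rules is None else rules
    return sorted(dict(r["options"])["sid"] for r in rules if rule_matches(r, request))
```

Running `lint(load_rules(RULES + BAD_RULES))` reports the missing colon, the duplicate SID and the missing trailing semicolon, which is exactly the checklist at the end of the video. `fired(make_request("GET", "/bb/update.DLL"))` returns the second rule's SID (the `i` flag makes `.DLL` match), while a request whose URI is `/` but whose Referer header contains `/bb/a.txt` fires nothing, because the content and pcre are pinned to the URI buffer rather than the whole payload.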