[e-nsp] Howto track malware drops in your network.. the Extreme Networks XoS way ...

Erik Bais erik at bais.name
Thu Aug 9 05:27:20 EDT 2012


Hi guys,

This morning the following blog post was published by the Dutch security firm Fox-IT about a malware dropper that is causing issues at the ICT departments of a couple of Dutch municipalities:
http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/

http://webwereld.nl/nieuws/111424/nieuwe-trojan-grijpt-wild-om-zich-heen-in-nederland.html  (Dutch article about the trojan)

The general expectation is that other companies will soon be infected by it as well ...

In order to see whether customers in our ISP network are infected and trying to contact the IP addresses specified in the blog post, I created the following ACL and placed it in the network:

Be aware, the IPs used in the example below are real malware drop IPs. It is not recommended to visit them with a browser. Use wget on a Linux or Mac box instead to test!!

Recommended:

- Having a central syslog server if you want to have it logged centrally.

- Test this in a test environment for your own safety and protection before you do this in production :)

On a switch do the following:

Create a policy file:

edit policy filter_cybercrime

entry xdocdoc_cc1 {
if {
    protocol tcp ;
    destination-address 184.82.162.163/32 ;
}
then {
    mirror-cpu ;
    log  ;
    count xdocdoc_cc1 ;
    deny  ;
}
}
entry xdocdoc_cc2 {
if {
    protocol tcp ;
    destination-address 184.22.103.202/32 ;
}
then {
    mirror-cpu ;
    log  ;
    count xdocdoc_cc2 ;
    deny  ;
}
}

Save the file and check it for syntax errors.

check policy filter_cybercrime        # if you copied the above file correctly, it should pass the syntax check without problems..

and add the following commands :

configure log filter DefaultFilter add event kern.info        # this is to make sure that you are seeing the kernel messages in the syslog ..
conf access-list filter_cybercrime port 27 ingress            # add any ports that you feel might pass the traffic within the network.

Now if you test this using wget to one of the IP addresses above, you will see the following in the switch log and/or syslog:

Aug  9 10:28:39 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1
Aug  9 10:28:39 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:28:39 core3-nikhef.a2b-internet.com Kern: 178.249.153.19:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60
Aug  9 10:28:39 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn
Aug  9 10:28:40 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1
Aug  9 10:28:40 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:28:40 core3-nikhef.a2b-internet.com Kern: 178.249.153.19:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60
Aug  9 10:28:40 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn
Aug  9 10:28:42 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1
Aug  9 10:28:42 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:28:42 core3-nikhef.a2b-internet.com Kern: 178.249.153.19:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60
Aug  9 10:28:42 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn
Aug  9 10:28:46 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1
Aug  9 10:28:46 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:28:46 core3-nikhef.a2b-internet.com Kern: 178.249.153.19:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60
Aug  9 10:28:46 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn

With this result you can easily spot which IP in your network is trying to download from or contact the malware servers (178.249.153.19 in the above example is my test server running wget).
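Reading those four-line kernel log groups by eye works for a handful of hits, but on a central syslog server you will want to reduce them to "which internal host hit which rule, how often". The following Python script is an added example, not part of the original post or of EXOS; it assumes the switch log has been exported to a text file in exactly the format shown above (it pairs each "matches rule" line with the src:port -> dst:port line that follows it). The first four groups in the sample are the lines quoted above; the last group, with the 10.20.30.40 source address and rule xdocdoc_cc2, is constructed so the summary shows more than one rule.

```python
import re
from collections import Counter, defaultdict

# Sample input: the four-line kernel log groups quoted in the post, reproduced
# verbatim, plus one CONSTRUCTED group for rule xdocdoc_cc2 from an RFC 1918
# source so that two rules appear in the summary.
SAMPLE_LOG = """\
Aug  9 10:28:39 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1
Aug  9 10:28:39 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:28:39 core3-nikhef.a2b-internet.com Kern: 178.249.153.19:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60
Aug  9 10:28:39 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn
Aug  9 10:28:40 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1
Aug  9 10:28:40 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:28:40 core3-nikhef.a2b-internet.com Kern: 178.249.153.19:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60
Aug  9 10:28:40 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn
Aug  9 10:28:42 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1
Aug  9 10:28:42 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:28:42 core3-nikhef.a2b-internet.com Kern: 178.249.153.19:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60
Aug  9 10:28:42 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn
Aug  9 10:28:46 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1
Aug  9 10:28:46 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:28:46 core3-nikhef.a2b-internet.com Kern: 178.249.153.19:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60
Aug  9 10:28:46 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn
Aug  9 10:31:02 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:12 (vlanId=101) matches rule xdocdoc_cc2
Aug  9 10:31:02 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP
Aug  9 10:31:02 core3-nikhef.a2b-internet.com Kern: 10.20.30.40:51002 -> 184.22.103.202:80 TCP v4 hLen: 20 ttl: 127 tos: 0x0 tLen: 52
Aug  9 10:31:02 core3-nikhef.a2b-internet.com Kern: seq: 0x1a2b3c4d ackSeq: 0x0 win: 0xfaf0 urgPtr: 0x0 syn
"""

# First line of a group: timestamp, host, ingress port, VLAN and the rule name.
MATCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) Kern: "
    r"(?P<size>\d+)-byte packet from (?P<port>\S+) \(vlanId=(?P<vlan>\d+)\) "
    r"matches rule (?P<rule>\S+)"
)
# Third line of a group: the L3/L4 flow.  The MAC and TCP-detail lines are skipped.
FLOW_RE = re.compile(
    r"Kern: (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>\w+)"
)


def parse_hits(log_text):
    """Pair each 'matches rule' line with the flow line that follows it.

    A match line that is never followed by a flow line (truncated or
    interleaved syslog) is dropped rather than mis-paired with a later flow.
    """
    hits = []
    pending = None
    for line in log_text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            pending = m.groupdict()   # start a new group; discards an incomplete one
            continue
        f = FLOW_RE.search(line)
        if f and pending is not None:
            hit = dict(pending)
            hit.update(f.groupdict())
            hit["sport"] = int(hit["sport"])
            hit["dport"] = int(hit["dport"])
            hits.append(hit)
            pending = None
    return hits


def summarize(hits):
    """rule name -> Counter keyed by (source IP, destination IP, destination port)."""
    per_rule = defaultdict(Counter)
    for h in hits:
        per_rule[h["rule"]][(h["src"], h["dst"], h["dport"])] += 1
    return per_rule


def suspect_hosts(hits):
    """Sorted, de-duplicated source IPs that hit any rule: the hosts to go and inspect."""
    return sorted({h["src"] for h in hits})


def report(hits):
    """Human-readable summary, one rule per block, busiest flows first."""
    out = []
    for rule, flows in sorted(summarize(hits).items()):
        out.append(f"{rule}: {sum(flows.values())} hit(s)")
        for (src, dst, dport), n in flows.most_common():
            out.append(f"  {src} -> {dst}:{dport}  x{n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_hits(SAMPLE_LOG)))
```

Run against the sample it prints four hits for xdocdoc_cc1 from the wget test box and one constructed hit for xdocdoc_cc2; against a real export you would feed the syslog file into parse_hits and hand suspect_hosts() to whoever cleans up the infected machines. Because the ACL also has deny, the hit count per source tells you how many retries a host made, not how many downloads succeeded.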

You can also use show access-list counter to see if you have had hits on your ACL.

filter_cybercrime *                27     ingress
    xdocdoc_cc1                    194        # this means that the switch had 194 hits on the ACL
    xdocdoc_cc2                    0

Happy hunting :)

Regards,
Erik Bais