Nmap Development mailing list archives

Re: Running Malware Scripts


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 24 Dec 2008 21:42:31 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 24 Dec 2008 13:06:44 -0800 or thereabouts "Rathbun, Dan"
<Dan.Rathbun () aecom com> wrote:

Greetings all,

I bought the 'NMAP Network Scanning' book from Amazon the other day
and it's a GREAT read!  I have already learned many new tricks about
how to leverage NMAP more fully, and I am fast at work thinking up
new uses for it in our environment.

Right now I am trying now to learn how best to use the
'-script=malware' option to scan our substantial network for infected
machines.  But I am finding that the resulting XML files are too
large to review manually (over 50,000 hosts).  So I am looking for
some guidance as far as what things to search the output file for.  I
was originally thinking of IRC ports or SMTP ports, but that is not
proving very fruitful.

Has anyone developed a productive routine to accomplish this task?  If
not can you suggest some ideas about how I could begin to develop one
for our organization?

Dan Rathbun
Information Security Director   
CISSP, GSLC, GSEC, GLEG and G7799 Certified


Hi Dan,

I don't have time for a full response right now.  You are describing my
primary use of Nmap.  I've had excellent success detecting compromised
machines at my organization and at others.

There are a few things to think about when using Nmap for malware
detection:

* The malware NSE scripts are targeted to specific malware variants

* The malware and backdoor service fingerprints are also targeted at
  specific malware variants

* Most malware isn't going to be automatically detected, it will leave
  a service fingerprint that you'll need to analyze later.

* Malware and backdoors are rarely on standard ports, you *MUST* scan
  with -PN, -sV, and -p- if you expect to find anything useful.

I developed a script to parse through hundreds of thousands of Nmap
scans searching for patterns indicative of compromised machines.

I discussed the script a little bit in this post:

http://seclists.org/nmap-dev/2008/q2/0781.html

I have attached a newer copy of the script.  Please note that it still
doesn't do XML.  My development version of the script handles XML but
there are still a lot of problems to work out with it.  It also doesn't
yet make NSE output available to the rules and heuristics.  My XML
version is geared towards fixing this issue.

My goal with Npwn is to clean it up and make it release quality.  That
means creating a compromised host descriptor language similar to
procmail recipes so that rules and heuristics can be moved out of the
script and into a definition file.  It also means handling arbitrarily
large XML files (our network produces 60 gigabytes of XML).

To give you an idea of what format the exclude file takes, here is an
excerpt of mine:

=======
a.b.0.0/17 WSD SSDP STCP NOPASSWD OLDTCPIP HTTP_PROXY SQUID SOHOHTTPD
FTP SMTP HTTP MYSQL MSSQL MULTI_RADMIN NNTP IPHONE OLD_MSFTP OLD_MSSMTP SYNERGY LOGMEIN OPENX11 MANYPORTS SOCKS 
MULTI_SSHPORTS

a.b.128.0/17 WSD SSDP HTTP IPHONE OLDTCPIP SOCKS

c.d.222.0/24 BADPORT

e.f.119.242 L33TSPEAK

e.f.1.47 SMTPFP
e.f.16.68 FTPUSERS
c.d.115.111 FTPFP
======


It will take a while to get up to speed using Nmap for compromised host
detection but it _is_the_right_tool_for_the_job_.  I'm currently
scanning an organization that has IDS/IPS boxes deployed everywhere.
They felt that these boxes were excellent compromise detectors and while
they are -- a single sweep (-PN, -sV, -p-, etc) with Nmap found more
compromised hosts than I care to mention here.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAklSrM0ACgkQqaGPzAsl94JRQgCgguCG2hs4NhG/BGiYXShk5Xd6
Q3AAnAravUAspCkj67jKnT8QrA1gkvVx
=YY2s
-----END PGP SIGNATURE-----

Attachment: npwn.pl
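As an added example (not the attached npwn.pl and not Brandon's or Dan's code): a streaming triage of Nmap -sV XML output driven by an exclude file in the one-line "network RULE RULE ..." layout shown in the message. The rule names used here (BADPORT, MANYPORTS, HTTP_PROXY, HTTP_ODDPORT, UNKNOWN_SERVICE), what they check, the thresholds, the 10.0.0.0/16 addresses and the sample scan are all constructed for this example; the message does not say what the names in Brandon's file mean. The scan is read host by host with xml.etree's iterparse so that a file far larger than memory, like the one Dan describes, can be processed in one pass.

```python
"""Streaming triage of Nmap -sV XML against an npwn-style exclude file.

Added example; the heuristics, rule names, thresholds and sample data are
constructed here and only borrow the exclude-file layout from the post.
"""
import ipaddress
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed exclude file: a network or host, then the rule names that are
# known-benign there and must not be reported for it.
EXCLUDE_TEXT = """
10.0.0.0/17    HTTP_PROXY MANYPORTS
10.0.128.0/17  MANYPORTS
10.0.222.0/24  BADPORT
10.0.119.242   UNKNOWN_SERVICE
"""

MANYPORTS_THRESHOLD = 20                      # constructed: more open TCP ports than this
BAD_PORTS = {6667, 6697}                      # constructed: IRC, one of the ports Dan mentions
STANDARD_HTTP_PORTS = {80, 443, 8000, 8080, 8443}


def parse_exclude(text):
    """Return [(ip_network, frozenset(rule_names)), ...] from exclude-file text."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        rules.append((ipaddress.ip_network(fields[0], strict=False), frozenset(fields[1:])))
    return rules


def excluded_for(rules, addr):
    """Union of the rule names excluded for addr by every matching host or CIDR line."""
    ip = ipaddress.ip_address(addr)
    return set().union(*(names for net, names in rules if ip in net))


def classify_host(host):
    """Apply the heuristics to one <host> element; return the set of rule names that fired."""
    fired, open_tcp = set(), 0
    for port in host.iterfind("ports/port"):
        state = port.find("state")
        if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
            continue
        open_tcp += 1
        portid = int(port.get("portid"))
        svc = port.find("service")
        name = svc.get("name") if svc is not None else None
        if portid in BAD_PORTS:
            fired.add("BADPORT")
        if name == "http-proxy":
            fired.add("HTTP_PROXY")
        if name == "http" and portid not in STANDARD_HTTP_PORTS:
            fired.add("HTTP_ODDPORT")
        # With -sV, Nmap records servicefp="SF-Port..." when no probe matched:
        # this is the unrecognised service fingerprint to analyse later.
        if svc is not None and svc.get("servicefp") is not None:
            fired.add("UNKNOWN_SERVICE")
    if open_tcp > MANYPORTS_THRESHOLD:
        fired.add("MANYPORTS")
    return fired


def triage(xml_stream, rules):
    """Stream an nmaprun document; return {addr: sorted rule names not excluded for addr}."""
    findings = {}
    for _event, elem in ET.iterparse(xml_stream, events=("end",)):
        if elem.tag != "host":
            continue
        status = elem.find("status")
        addr_el = elem.find("address[@addrtype='ipv4']")
        if status is not None and status.get("state") == "up" and addr_el is not None:
            addr = addr_el.get("addr")
            hits = classify_host(elem) - excluded_for(rules, addr)
            if hits:
                findings[addr] = sorted(hits)
        elem.clear()  # release the finished <host> subtree so memory stays bounded
    return findings


def _host(addr, ports, up=True):
    """Constructed <host> XML; ports is [(portid, service_name, unrecognised)]."""
    tags = []
    for portid, name, unrecognised in ports:
        svc = '<service name="%s" method="probed" conf="10"' % name
        if unrecognised:
            svc += ' servicefp="SF-Port%d-TCP:CONSTRUCTED"' % portid
        tags.append('<port protocol="tcp" portid="%d"><state state="open" reason="syn-ack"/>'
                    '%s/></port>' % (portid, svc))
    return ('<host><status state="%s"/><address addr="%s" addrtype="ipv4"/><ports>%s</ports></host>'
            % ("up" if up else "down", addr, "".join(tags)))


# Constructed scan: a proxy plus an unknown service, IRC on an excluded subnet,
# IRC plus an unknown service on a host excluded only for UNKNOWN_SERVICE,
# HTTP on an odd port, 25 open ports inside a MANYPORTS-excluded /17, and a down host.
SAMPLE_XML = (
    '<?xml version="1.0"?><nmaprun scanner="nmap" args="nmap -PN -sV -p- 10.0.0.0/16">'
    + _host("10.0.0.5", [(80, "http", False), (3128, "http-proxy", False), (4444, "krb524", True)])
    + _host("10.0.222.9", [(6667, "irc", False)])
    + _host("10.0.119.242", [(6667, "irc", False), (31337, "Elite", True)])
    + _host("10.0.200.1", [(8081, "http", False)])
    + _host("10.0.130.7", [(p, "unknown", False) for p in range(20000, 20025)])
    + _host("10.0.130.8", [], up=False)
    + "</nmaprun>"
).encode()


def run_sample():
    """Triage the constructed scan with the constructed exclude file."""
    return triage(BytesIO(SAMPLE_XML), parse_exclude(EXCLUDE_TEXT))


if __name__ == "__main__":
    for addr, hits in sorted(run_sample().items()):
        print(addr, " ".join(hits))
```

Only three hosts survive the exclusions: the unknown service on 10.0.0.5, the IRC port on 10.0.119.242 (whose exclusion covers only UNKNOWN_SERVICE) and the odd-port HTTP on 10.0.200.1. On a real file, replace BytesIO(SAMPLE_XML) with an open file in binary mode and treat the exclude file the way the post describes: every reviewed false positive becomes a line, so each sweep's report shrinks to what changed.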

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
