Sunday, March 26, 2006

Monkey tricks: Extracting Viruses/Worms

It's all start from here, browsing through the internet with my internet browser, I visited a forum based web page, and something hits my curiosity. I guess you may find it interesting as well with the screenshot below. This is totally not right since normal web page shouldn't be look like a corrupted chunk datas.

I decide to understand what is the actual contents of this data, but how can I do it? I decide to sniff my own connection and browse the same URL again. Quick launching my tcpdump to log full content data with

shell>tcpdump -qeXX -tttt -n -s 1550 -w malicious_pcap

After finished browsing the URL, I killed my tcpdump quickly with Ctrl+c, then I start my packet analysis with ethereal, one of the interesting packet is in the packet bytes pane(the lowest pane) with the string kernel32. This is most prolly Windows thingy.

I have heard about how people able to reconstruct or extract the binary(executable file) from pcap, however I haven't seen one that actually demonstrating you how to do it, most to most are the one that extracting file with jpeg, gif and such. Those are not what I need because I smell Windows EXE in this network stream. Tcpxtract maybe able to do it but need tweaking, and it is based on foremost. Foremost is a console program to recover files based on their headers, footers, and internal data structures, hence I guess I can use foremost to recover all the possible files that I need since pcap is actually in binary format.

Since I'm lazy to type, here's how I extract and recover files in pcap using foremost, I have renamed malicious_pcap to brontok_pcap. Check out the screenshot .....

You may find a file called audit.txt in the extract directory which is actually a report that generated by foremost. Here's the content of it.

Foremost version 1.1 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sun Mar 26 13:17:03 2006
Invocation: foremost -i brontok_pcap -o /nsm/IR_20050326/extract/
Output directory: /nsm/IR_20050326/extract
Configuration file: /usr/local/etc/foremost.conf
File: brontok_pcap
Start: Sun Mar 26 13:17:03 2006
Length: 188 KB (192512 bytes)

Num Name (bs=512) Size File Offset Comment

0: 133.jpg 1 KB 68134
1: 102.gif 497 B 52662 (20 x 20)
2: 111.gif 589 B 57195 (13 x 13)
3: 162.gif 2 KB 83314 (48 x 47)
4: 197.gif 2 KB 101333 (48 x 47)
5: 205.gif 2 KB 105152 (48 x 51)
6: 211.gif 2 KB 108098 (48 x 47)
7: 219.gif 2 KB 112196 (51 x 48)
8: 226.gif 3 KB 115742 (48 x 47)
9: 239.gif 2 KB 122553 (48 x 49)
10: 245.gif 1 KB 125504 (48 x 49)
11: 250.gif 2 KB 128453 (48 x 47)
12: 256.gif 2 KB 131419 (48 x 47)
13: 264.gif 2 KB 135561 (49 x 50)
14: 272.gif 2 KB 139375 (48 x 47)
15: 279.gif 2 KB 143205 (48 x 49)
16: 287.gif 2 KB 146982 (48 x 49)
17: 293.gif 3 KB 150488 (48 x 47)
18: 301.gif 2 KB 154478 (48 x 47)
19: 308.gif 2 KB 157943 (48 x 48)
20: 315.gif 2 KB 161438 (48 x 47)
21: 321.gif 2 KB 164781 (49 x 48)
22: 328.gif 1 KB 167942 (48 x 48)
23: 332.gif 2 KB 170202 (48 x 47)
24: 338.gif 2 KB 173370 (48 x 49)
25: 344.gif 2 KB 176608 (48 x 47)
26: 353.gif 2 KB 180947 (48 x 48)
27: 360.gif 2 KB 184442 (48 x 47)
28: 365.gif 2 KB 187154 (48 x 48)
29: 5.htm 95 KB 2944
30: 372.htm 339 B 190890
31: 65.exe 41 KB 33483 01/01/1970 00:00:00
Finish: Sun Mar 26 13:17:03 2006


jpg:= 1
gif:= 28
htm:= 2
exe:= 1

Foremost finished at Sun Mar 26 13:17:03 2006

Notice the green color text in the screenshot above is actually MS-DOS executable file, I have performed behavioural analysis by running this executable files in a sandbox Windows VM. As well as I have launched Richard's Sguil VM to see if Sguil smells anything. That's where I found that it is actually brontok worms that trying to pinging the host to see if it is alive and try to connect to the netbios(port 139) open share and upload the brontok worms to another victims.

However one thing I found weird that never posted in any AntiVirus Resource info is that the infected host is trying to locate all the nodes with port 21 openned too, I doubted it is maybe trying to find one and download certain binaries or files from the ftp server or something. However I'm not too assured of it yet unless disaseembling binaries is done.

The reason why I blog about it is that I can't find any good info regarding recovering EXE files from the pcap file, and this time what make it interesting is that I'm using Forensic acquisition tool which used to acquire data from hd images that generated by dd, Safeback, Encase but this time on pcap that generated by tcpdump, snort or maybe tethereal and it is actually Virus/Worm binary that recovered in the process.

I guess people who visiting the forum of whom mostly are M$ Windows users infected by that so called "Mass Mailing Worms" if they don't have AntiVirus installed with latest signatures and updates.

To M$ Windows users, good luck!!!!!

P/S: Uploading worms to forum seems to be right idea since forum used to have mass users and that totally fits the term "WORM".


Anonymous said...

I get the junk IE from my one of the test LAN pc if homepage set as "" not sure whether that is worms attack or not.

Anonymous said...

Very nice article, thanks!

Joel Esler said...


Loved the use of foremost there.

Anonymous said...

First and foremost hehe, someone mentioned the tool to me today. Ran it against brontok dump i captured about a month ago. 3000++ exes :-). All positive with clamav. Ealier i tried reconcstructing them with tcpflow, tcpxtract, snort and even ethereal but to no avail. :-) then again maybe i wasn't using them tools correctly.

foremost roxen!

C.S.Lee said...

Hey adli,

Hope you find this useful :]

Anonymous said...

Huh? Foremost looks for the MZ header, which it will find in a packet somewhere. But then after that it just carves, so you must be assuming the entire exe is contained in a single packet? Otherwise you will end up carving out all the packet headers etc? Plus what about re transmissions or out of order packets? Does the EXE you extracted actually work? What about zipped/chunked/encoded http transfers? Foremost will not work on them.

C.S.Lee said...

hi anonymous,

Yes, that's true, and for that reason you should use tcpxtract.