☆ WildPackets Free Filters for Detecting Malicious Worms/Viruses

This section is public.

Someone on www.netexpert.cn posted a CAP file containing packets captured with the Sasser Filter provided by WildPackets ([15]) and asked for an analysis. I had a quick look and am recording my notes here for future reference.

First, the CAP file he provided was written by a newer version of the software, and the desktop I had at hand did not have a matching version installed. Fortunately Ethereal 0.10.13 was available and reads it just as well, so some of the fields below are shown the way Ethereal displays them.

Second, the Sasser Filter is also from a newer version and is written directly in XML. I had no way to import the filter into the original software and view it there, so I opened it in UltraEdit and read it as plain text.

This was very likely a long detour: the newer software presumably ships with documentation describing the XML filter format, but my laptop was not at hand, so I simply read the file the hard way. If the effort turns out to be wasted, so be it; anyone doing this kind of analysis should be mentally prepared for that.

The Sasser worm exploits MS04-011/KB835732; the vulnerability itself is not repeated here. See: <>

To carry out the attack there must be a BIND to "3919286a-b10c-11d0-9ba8-00c04fd92ef5 0.0", and a single-packet filter can be designed around that. In this case it is "BIND over SMB", so no dynamic RPC ports are involved: the destination port can only be 139/TCP or 445/TCP.

The vulnerability lies in call number 9, lsasrv!DsRolerUpgradeDownlevelServer(). However, the client-side implementation netapi32!DsRoleUpgradeDownlevelServer() does not allow Opnum 9 to be invoked remotely; it can only request Opnum 9 from the local machine. This means that under normal conditions a packet carrying Opnum 9 should never appear on the network. The worm, on the other hand, must send an Opnum 9 packet, so a second single-packet filter can be designed around that.

If the software supports multi-packet filters, a multi-packet filter should be designed to reduce false positives.

The CAP file that person provided contained nothing but false positives. After simplification there are two kinds; see SMB_37_11.cap:

--------------------------------------------------------------------------
Transmission Control Protocol, Src Port: 4409, Dst Port: 445, Len: 1312
NetBIOS Session Service
    Message Type: Session message
    Length: 1308
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Trans (0x25)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 2048
        Process ID: 432
        User ID: 2048
        Multiplex ID: 448
    Trans Request (0x25)
        Word Count (WCT): 16
        Total Parameter Count: 0
        Total Data Count: 1224
        Max Parameter Count: 0
        Max Data Count: 1024
        Max Setup Count: 0
        Reserved: 00
        Flags: 0x0000
            .... .... .... ..0. = One Way Transaction: Two way transaction
            .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
        Timeout: Return immediately (0)
        Reserved: 0000
        Parameter Count: 0
        Parameter Offset: 84
        Data Count: 1224
        Data Offset: 84
        Setup Count: 2
        Reserved: 00
        Byte Count (BCC): 1241
        Transaction Name: \PIPE\
        Padding: 0000
SMB Pipe Protocol
    Function: TransactNmPipe (0x0026)
    FID: 0x4000
DCE RPC Request, Fragment: Single, FragLen: 1224, Call: 2 Ctx: 0
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 1224
    Auth Length: 0
    Call ID: 2
    Alloc hint: 1200
    Context ID: 0
    Opnum: 8
    Stub data (1200 bytes)

0030                     00 00 05 1c ff 53 4d 42 25 00               .....SMB%.
0040  00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 08 b0 01 00 08 c0 01 10 00 00 c8 04 00   ................
0060  00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 54   ...............T
0070  00 c8 04 54 00 02 00 26 00 00 40 d9 04 00 5c 00   ...T...&..@...\.
0080  50 00 49 00 50 00 45 00 5c 00 00 00 00 00 05 00   P.I.P.E.\.......
0090  00 03 10 00 00 00 c8 04 00 00 02 00 00 00 b0 04   ................
00a0  00 00 00 00 08 00                                 ......
[snip]

Transmission Control Protocol, Src Port: 1089, Dst Port: 445, Len: 158
NetBIOS Session Service
    Message Type: Session message
    Length: 154
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: NT Create AndX (0xa2)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 26625
        Process ID: 304
        User ID: 51201
        Multiplex ID: 32704
    NT Create AndX Request (0xa2)
        Word Count (WCT): 24
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 57054
        Reserved: 00
        File Name Len: 68
        Create Flags: 0x00000016
            .... .... .... .... .... .... ...1 .... = Extended Response: Extended responses required
            .... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file
            .... .... .... .... .... .... .... .1.. = Batch Oplock: Requesting BATCH OPLOCK
            .... .... .... .... .... .... .... ..1. = Exclusive Oplock: Requesting OPLOCK
        Root FID: 0x00000000
        Access Mask: 0x0002019f
            0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
            .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
            ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
            ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
            .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
            .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
            .... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O
            .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
            .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
            .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID
            .... .... .... ...0 .... .... .... .... = Delete: NO delete access
            .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access
            .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
            .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
            .... .... .... .... .... .... ..0. .... = Execute: NO execute access
            .... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access
            .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access
            .... .... .... .... .... .... .... .1.. = Append: APPEND access
            .... .... .... .... .... .... .... ..1. = Write: WRITE access
            .... .... .... .... .... .... .... ...1 = Read: READ access
        Allocation Size: 0
        File Attributes: 0x00000080
            .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
            .... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
            .... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline
            .... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file
            .... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
            .... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file
            .... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file
            .... .... .... .... .... .... 1... .... = Normal: This file is an ordinary file
            .... .... .... .... .... .... .0.. .... = Device: This is NOT a device
            .... .... .... .... .... .... ..0. .... = Archive: This file has NOT been modified since last archive
            .... .... .... .... .... .... ...0 .... = Directory: This is NOT a directory
            .... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID
            .... .... .... .... .... .... .... .0.. = System: This is NOT a system file
            .... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file
            .... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only
        Share Access: 0x00000003
            .... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete
            .... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE
            .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ
        Disposition: Create (if file exists fail, else create it) (2)
        Create Options: 0x00000040
            .... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory
            .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing
            .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially
            .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... .1.. .... = Non-Directory: File being created/opened must not be a directory
            .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes
            .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names
            .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly
            .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed
        Impersonation: Impersonation (2)
        Security Flags: 0x03
            .... ...1 = Context Tracking: Security tracking mode is DYNAMIC
            .... ..1. = Effective Only: ONLY ENABLED aspects of the client's security context are available
        Byte Count (BCC): 71
        File Name: \panda\adidas\05Dec\12.30\D7AA6100

0030                     00 00 00 9a ff 53 4d 42 a2 00               .....SMB..
0040  00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 01 68 30 01 01 c8 c0 7f 18 ff 00 de de 00   ...h0...........
0060  44 00 16 00 00 00 00 00 00 00 9f 01 02 00 00 00   D...............
0070  00 00 00 00 00 00 80 00 00 00 03 00 00 00 02 00   ................
0080  00 00 40 00 00 00 02 00 00 00 03 47 00 00 5c 00   ..@........G..\.
0090  70 00 61 00 6e 00 64 00 61 00 5c 00 61 00 64 00   p.a.n.d.a.\.a.d.
00a0  69 00 64 00 61 00 73 00 5c 00 30 00 35 00 44 00   i.d.a.s.\.0.5.D.
00b0  65 00 63 00 5c 00 31 00 32 00 2e 00 33 00 30 00   e.c.\.1.2...3.0.
00c0  5c 00 44 00 37 00 41 00 41 00 36 00 31 00 30 00   \.D.7.A.A.6.1.0.
00d0  30 00 00 00                                       0...
--------------------------------------------------------------------------

In the first packet, Ethereal shows Opnum 8. The poster did not capture the BIND, so which interface UUID this Opnum 8 belongs to is unknown; but as long as it is not 9, it can be judged a false positive on principle alone. What this section cares about is why the false positive occurred.

Open sasser1.flt in UltraEdit; it is an XML file (thanks to watercloud for the line-number display):

--------------------------------------------------------------------------
Line 1: Clearly this is where the filter actually begins.

Lines 2-5: Presumably these say the total physical frame length lies in the range [200,1518]. Judging from 1518, WildPackets counts the trailing four-byte CRC checksum.

Line 6: Indicates that the preceding filternode is ANDed with the rules that follow.

Lines 7-9: I could not work out what this protocol rule means.

Line 10: Logical AND again. Note what the indentation signifies.

Lines 11-16: Destination port 139; source port 139 is not wanted. Here type="34" does not mean physical frame offset +0x022; it means data="008B" is an unsigned short int written in hexadecimal. How do I know? Damn, by bold hypothesis and careful verification from the context, how else.

Lines 17-34: We don't want to analyze the whole XML file, only the cause of the false positives, so lines 17-34 are ignored. Again, pay attention to the indentation.

Line 35: Logical OR.

Lines 36-41: Destination port 445; source port 445 is not wanted. The source/destination relationship is expressed by accept1to2 and accept2to1.

Line 42: Logical AND. Note the precedence of and and or.

Lines 43-46: A braindead redundancy; it can be deleted.

Lines 47-54: type="0" means one byte of decimal data. offset is 62, i.e. physical frame offset +0x03E. Looking at the two packets that caused the false positives, this position is the SMB Command field. 117 is SMB_COM_TREE_CONNECT_ANDX (0x75).

Lines 55-63: We are not concerned with SMB_COM_TREE_CONNECT_ANDX (0x75) this time; skip lines 55-63.

Lines 64-71: type="4" means four bytes of decimal data. 524744 is 0x000801C8, the value read in network byte order. It is actually checking the Flags and Flags2 fields. Skip.

Lines 72-80: Skip.

Lines 81-88: SMB_COM_SESSION_SETUP_ANDX (0x73). Skip.

Lines 89-97: Skip.

Lines 98-105: SMB_COM_NT_CREATE_ANDX (0xA2). Look at the second false-positive packet.

Lines 106-113: type="2" means two bytes of decimal data. 57054 is 0xDEDE; it is actually checking the AndXOffset field.

Lines 114-122: Search within [+0x064, +0x078] for "Access Mask: 0x0002019f". patterntype data="2" means that patterndata data="9F010200" specifies a hexadecimal byte stream (note: a byte stream). The search is case-sensitive. I don't think a search is necessary here, because the AndXOffset check already assumes a fixed offset, and the offset between the Access Mask field and the AndXOffset field is fixed too.
The second false-positive packet is caught exactly here. This is a completely ridiculous filter rule.

Lines 123-131: I have never seen an SMB Command field equal to 0x3F and have no idea what WildPackets was trying to do. Skip.

Lines 132-149: Skip.

Lines 150-157: SMB_COM_TRANSACTION (0x25). Look at the first false-positive packet.

Line 158: Logical AND.

Lines 159-165: mask type="4" data="65535" means the mask is 0x0000FFFF. 637534272 is 0x26000040, corresponding to Function: TransactNmPipe (0x0026) and FID: 0x4000. Obviously the FID is not fixed and cannot serve as a checkpoint; the mask takes care of that.
Presumably the mask is first expanded in little-endian order into the byte stream "FF FF 00 00"; the mask is then applied both to the byte stream "26 00 00 40" and to the four bytes at physical frame offset +0x077, and the two results are compared for equality.

Lines 166-173: 83886083 is 0x05000003, which checks the following fields (+0x08E):
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
Unfortunately WildPackets only checks that this is a DCE Request (0) packet and does not check the Opnum. The offset between the Opnum field and the Version field is fixed, so the Opnum could perfectly well be checked.

Lines 174-182: Frag Length field (+0x096) greater than (possibly greater than or equal to) 1024. In the GUI one could presumably see whether equality is included; I am grinding through the XML file by hand, so I am not sure.
One of op data="2" and flags data="0" must express the comparison, e.g. >, <, >=, <=, ==, !=. The other expresses either the byte order in which data is read from the packet or the byte order in which the signature value given in the XML file is interpreted. The correspondence cannot be determined from this XML file alone, but with enough samples it would be easy to work out.
The first false-positive packet is caught here. The central idea of this rule is to alert when an oversized "Request over Transaction" packet appears. The problem is that the threshold of 1024 is easily reached by normal packets, so false positives are inevitable.

Lines 183-185: The whole filter never checks SMB_COM_WRITE_ANDX (0x2F), because the filter is meant to catch the Sasser worm, not the MS04-011/KB835732 exploit; the latter is a superset of the former. The filter will therefore miss non-worm attacks, though of course WildPackets is under no obligation to care. Skip the following lines.

Lines 186-191: Since it is unrelated to the subject of this section, nothing from line 192 onward is analyzed further; ignored.

Lines 192-246: ignored.
--------------------------------------------------------------------------
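To make the analysis above concrete, here is an added Python example (my own code, not WildPackets' filter and not from the original note). It transcribes the first false-positive packet from the Ethereal hex dump above (frame bytes 0x36 through 0xA5; the Ethernet/IPv4/TCP headers are not shown on the page, so the buffer starts at the NetBIOS session header and the 14+20+20 byte header length is an assumption), reimplements the SMB_COM_TRANSACTION branch of the filter as read off lines 150-182 (fixed frame offsets, the little-endian mask "FF FF 00 00" at +0x77, the DCE RPC header bytes at +0x8E, Frag Length > 1024 at +0x96, with strict ">" assumed), and then writes the two single-packet rules the text proposes instead: a structure-aware check that a DCE RPC request over the pipe carries Opnum 9, and a check for a bind PDU naming the lsarpc interface UUID. Function names (parse_trans_rpc, wildpackets_rule_lines_150_182, opnum9_rule, bind_uuid_rule) are mine; the "constructed variant" used for the test is the page's own packet with only its Opnum byte set to 9 and is not a worm packet.

```python
import struct
import uuid

# Bytes 0x36..0xA5 of the first false-positive frame in SMB_37_11.cap, transcribed
# from the Ethereal hex dump above. Frame bytes 0x00..0x35 (Ethernet/IPv4/TCP headers)
# are not shown on the page, so this buffer starts at the NetBIOS session header and a
# physical-frame offset maps to index (offset - FRAME_BASE).
FRAME_BASE = 0x36  # assumption: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP, no options
SAMPLE = bytes.fromhex(
    "00 00 05 1c ff 53 4d 42 25 00 "
    "00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 08 b0 01 00 08 c0 01 10 00 00 c8 04 00 "
    "00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 54 "
    "00 c8 04 54 00 02 00 26 00 00 40 d9 04 00 5c 00 "
    "50 00 49 00 50 00 45 00 5c 00 00 00 00 00 05 00 "
    "00 03 10 00 00 00 c8 04 00 00 02 00 00 00 b0 04 "
    "00 00 00 00 08 00"
)

SMB_COM_TRANSACTION = 0x25
TRANS_NM_PIPE = 0x0026
DCERPC_REQUEST, DCERPC_BIND = 0, 11
OPNUM_DSROLER_UPGRADE = 9  # lsasrv!DsRolerUpgradeDownlevelServer, per the text above
# Interface the worm must bind to (from the text). With little-endian data representation
# a DCE RPC bind carries the UUID with its first three fields byte-swapped, i.e. bytes_le.
LSARPC_UUID_WIRE = uuid.UUID("3919286a-b10c-11d0-9ba8-00c04fd92ef5").bytes_le


def frame(off):
    """Index into a SAMPLE-style buffer for a physical-frame offset (the filter's offset= values)."""
    return off - FRAME_BASE


def wildpackets_rule_lines_150_182(buf):
    """The SMB_COM_TRANSACTION branch as read off the filter: fixed frame offsets,
    a masked four-byte compare at +0x77, the DCE RPC header bytes at +0x8E and
    Frag Length > 1024 at +0x96. No Opnum check, hence the false positive."""
    if buf[frame(0x3E)] != SMB_COM_TRANSACTION:
        return False
    mask = b"\xff\xff\x00\x00"          # 65535 expanded little-endian: keep Function, drop FID
    want = b"\x26\x00\x00\x40"          # 637534272 == 0x26000040
    got = buf[frame(0x77):frame(0x77) + 4]
    if bytes(g & m for g, m in zip(got, mask)) != bytes(w & m for w, m in zip(want, mask)):
        return False
    if buf[frame(0x8E):frame(0x8E) + 4] != b"\x05\x00\x00\x03":  # 83886083: v5.0, Request, first+last
        return False
    frag_len = struct.unpack_from("<H", buf, frame(0x96))[0]
    return frag_len > 1024              # strict '>' assumed; the text is unsure whether it is '>='


def parse_trans_rpc(buf):
    """Walk NBSS -> SMB header -> SMB_COM_TRANSACTION words -> DCE RPC header,
    locating the DCE RPC PDU through DataOffset rather than a fixed +0x8E."""
    smb = 4                             # after the 4-byte NetBIOS session header
    if buf[smb:smb + 4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    cmd = buf[smb + 4]
    if cmd != SMB_COM_TRANSACTION:
        return {"smb_cmd": cmd}
    words = smb + 33                    # 32-byte SMB header + WCT byte
    data_count, data_off = struct.unpack_from("<HH", buf, words + 22)
    function, fid = struct.unpack_from("<HH", buf, words + 28)  # the two setup words
    dce = smb + data_off                # DataOffset counts from the start of the SMB header
    version, ptype, drep0 = buf[dce], buf[dce + 2], buf[dce + 4]
    order = "<" if drep0 & 0x10 else ">"  # DREP byte 0, bit 4 set => little-endian integers
    frag_len = struct.unpack_from(order + "H", buf, dce + 8)[0]
    opnum = struct.unpack_from(order + "H", buf, dce + 22)[0]  # fixed distance from Version
    return {"smb_cmd": cmd, "function": function, "fid": fid, "data_count": data_count,
            "dce": dce, "version": version, "ptype": ptype, "frag_len": frag_len, "opnum": opnum}


def _safe_parse(buf):
    try:
        return parse_trans_rpc(buf)
    except (ValueError, IndexError, struct.error):
        return {}


def opnum9_rule(buf):
    """Single-packet rule the text proposes: a DCE RPC request over the named pipe
    whose Opnum is 9, which a legitimate client never sends across the network."""
    p = _safe_parse(buf)
    return (p.get("function") == TRANS_NM_PIPE and p.get("ptype") == DCERPC_REQUEST
            and p.get("opnum") == OPNUM_DSROLER_UPGRADE)


def bind_uuid_rule(buf):
    """Single-packet rule for the BIND the text says must precede the attack:
    a DCE RPC bind PDU over the pipe that names the lsarpc interface UUID."""
    p = _safe_parse(buf)
    return (p.get("function") == TRANS_NM_PIPE and p.get("ptype") == DCERPC_BIND
            and LSARPC_UUID_WIRE in buf[p["dce"]:])


def constructed_opnum9_variant():
    """Constructed test input: the page's packet with only its Opnum byte set to 9."""
    v = bytearray(SAMPLE)
    v[frame(0xA4)] = OPNUM_DSROLER_UPGRADE
    return bytes(v)


if __name__ == "__main__":
    print(parse_trans_rpc(SAMPLE))
    print("WildPackets rule:", wildpackets_rule_lines_150_182(SAMPLE))  # True: the false positive
    print("Opnum 9 rule:", opnum9_rule(SAMPLE))                          # False: Opnum is 8
    print("Opnum 9 rule, variant:", opnum9_rule(constructed_opnum9_variant()))  # True
```

On the page's packet the reconstructed WildPackets rule fires (Frag Length 1224 > 1024) while the Opnum rule does not, which is the false positive in one run. Locating the DCE RPC header through DataOffset rather than at +0x8E also removes the dependence on a `\PIPE\` name of exactly 14 bytes and on header lengths that a VLAN tag or IP/TCP options would shift.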
Is writing filters in XML the fashion now? I can't keep up, and I rarely fiddle with these things. WildPackets provides filters for several other worms ([15]); after reading this section, anyone interested can analyze them on their own. That said, I don't recommend this kind of pointless analysis: why read the XML file when you can look at the GUI? Recorded here purely for reference.

☆ References

[15] Sasser Filter - detect multiple variants of W32/Sasser worm.
     http://www.wildpackets.com/elements/antivirus/sasserv1.zip
     W32.Mydoom.OandM
     http://www.wildpackets.com/elements/antivirus/mydoom_om.zip
     W32.Mydoom.A@mm
     http://www.wildpackets.com/elements/antivirus/w32_novarg_a.zip
     "MSBlast," "Lovesan" or "Blaster" worm
     http://www.wildpackets.com/elements/antivirus/msblastv1.zip
     SQL Slammer (aka Sapphire) virus
     http://www.wildpackets.com/elements/antivirus/Sapphire.zip
     Windows Local Security Authority Service Remote Buffer Overflow
     http://www.eeye.com/html/Research/Advisories/AD20040413C.html