
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-12-31



Hunting for Juicy Information

Published: 2015-12-31
Last Updated: 2015-12-31 10:37:03 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

Today, we must be proactive in protecting our assets. The huge mass of information available online requires tools to stay aware. Collecting IOCs is important to detect malicious activity as quickly as possible, but searching for our own data is also a big advantage for early detection and protection. The information worth tracking includes:

  • Domain names
  • Public IP addresses
  • Windows domains
  • Email addresses
  • Key person names (all C-level people)
  • Company/organization names
  • Brands

In short: All PII ("Personally Identifiable Information")

A first classic and easy way to hunt for such data is to use Google Alerts. It is easy, but not very reliable for technical strings like IP addresses. Paste sites are often used to exchange information and contain plenty of it. pastebin.com is the best known, but there are plenty of others. I have been monitoring some of them for years via tools like pastemon or pystemon.

Another source of information to add to your OSINT toolbox is the Hunting feature provided by VirusTotal. Combined with the power of YARA rules, you can define very targeted filters to search for uploaded samples. Most of the files submitted to VirusTotal are binaries, but it is also possible to find juicy files like lists of passwords (sample). You can upload your sets of YARA rules to match your PII. In the following example, I'm looking for SANS domains and personal domains:

rule MyDomains
{
    strings:
        $domain1 = "sans.org" nocase wide ascii
        $domain2 = "sans.edu" nocase wide ascii
        $domain3 = "rootshell.be" nocase wide ascii
        $domain4 = "truesec.be" nocase wide ascii
    condition:
        any of them
}
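As an added example (not the diary's rule generator or the script mentioned below), the following Python builds a rule in the same shape as MyDomains from a list of watched terms and pre-checks it against local files before it is uploaded to VirusTotal. The matcher emulates what the `nocase wide ascii` modifiers do in plain Python (ASCII and UTF-16LE, case folded) so you can see which samples the rule would hit; it is not a YARA engine, and the three samples are constructed.

```python
"""Build a VirusTotal Hunting rule from a list of watched domains and
pre-check it against local samples before uploading it.

Added example (not the diary's or the friend's script). The matcher below
emulates the YARA 'nocase wide ascii' modifiers in plain Python so the rule
can be sanity-checked offline; it is not a YARA engine. Samples are
constructed inline.
"""
import re

# Domains from the diary's MyDomains rule
WATCHED_DOMAINS = ["sans.org", "sans.edu", "rootshell.be", "truesec.be"]


def build_rule(name, terms, prefix="domain"):
    """Emit YARA source in the same shape as the diary's MyDomains rule.

    Each term becomes one string with the three modifiers used in the diary:
    nocase (case-insensitive), wide (UTF-16LE, as found in Office documents
    and Windows tools) and ascii.
    """
    lines = [f"rule {name}", "{", "    strings:"]
    for i, term in enumerate(terms, 1):
        # escape backslashes and double quotes so arbitrary terms stay valid YARA
        esc = term.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        ${prefix}{i} = "{esc}" nocase wide ascii')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def match_terms(data, terms):
    """Return the terms present in `data` as ASCII or UTF-16LE bytes,
    ignoring case: the hits the rule above would produce on that sample."""
    hits = set()
    for term in terms:
        for encoded in (term.encode("ascii"), term.encode("utf-16-le")):
            # re.escape keeps '.' in domain names literal; IGNORECASE on a
            # bytes pattern folds ASCII letters, which is enough for domains
            if re.search(re.escape(encoded), data, re.IGNORECASE):
                hits.add(term)
                break
    return hits


# Constructed samples: a plain-text credential dump, a UTF-16LE document
# and an unrelated binary. Only the first two should trigger the rule.
SAMPLES = {
    "creds.txt": b"user@SANS.ORG:Winter2015!\nadmin@example.com:hunter2\n",
    "memo.doc": "Contact rootshell.be for the invoice".encode("utf-16-le"),
    "tool.exe": b"MZ\x90\x00" + bytes(range(256)),
}


def scan_samples(samples, terms):
    """Map sample name -> sorted matched terms, omitting samples with no hit."""
    report = {}
    for name, data in samples.items():
        hits = match_terms(data, terms)
        if hits:
            report[name] = sorted(hits)
    return report


if __name__ == "__main__":
    print(build_rule("MyDomains", WATCHED_DOMAINS))
    for name, hits in scan_samples(SAMPLES, WATCHED_DOMAINS).items():
        print(f"{name}: {', '.join(hits)}")
```

The `wide` modifier is the one people forget: a domain sitting in a Word document or a PowerShell transcript is stored as UTF-16LE and an `ascii`-only string would never fire on it, which is why the constructed `memo.doc` only matches through the wide form.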

By default, when a YARA rule matches, notifications are sent by email. But it's much more powerful to use the VirusTotal API to collect the samples and details and automate the notification process. A friend wrote a Python script to collect the information from VirusTotal:

$ ./vt_hunting.py -api <redacted> -cleanup -json /var/log/vt_hunting.json -dl --samples_directory /var/tmp/samples
# of detection,YARA rule,SHA1,Binary type,First seen,Last seen
44,MyDomains,<redacted>,2015-12-30 19:33:47,2015-12-30 19:33:47,RAR,<redacted>

By running this script from a crontab, I'm collecting samples and storing the detection details in a JSON file (which I inject into a Splunk "osint" index for later reporting). Note that YARA is a powerful tool, but some of its features are not allowed by VirusTotal (like some regular expressions) for performance reasons.

Happy hunting, and I wish you a Happy (and safe!) New Year!

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key


Poetry attack?

Published: 2015-12-31
Last Updated: 2015-12-31 04:57:30 UTC
by Mark Hofman (Version: 1)
4 comment(s)

If, like me, you spend a fair amount of time looking at network traffic and logs, there are generally things that make you frown, groan and utter noises of dismay. It isn't often that you get a little chuckle (other than coding errors that are copied between pieces of malware by the various people creating it). Today though, definitely chuckle time.

If you have a look in your web server logs for "Request Method DELETE", "DELETE your logs", or IP address 151.217.177.200 (possibly others in that range; it is a /16), you may find the following:

DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0
User-Agent: masspoem4u/1.0 
Accept: */*

The IP address/range belongs to the Chaos Computer Club based in Germany. 

I'm not seeing anything else being delivered, but it gave a number of us a nice chuckle to end the year with.

Happy New Year. 

Mark H.

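As an added example (not Mark's own code), here is the log hunt he describes as a small Python script: it parses combined-format access log lines and flags the three indicators named in the post, a source address in 151.217.0.0/16 (the /16 containing 151.217.177.200), a request line starting with "DELETE your logs", and the masspoem4u user-agent. The log lines are constructed and the poem is shortened; a legitimate REST `DELETE` is included to show that the method alone is not the signal.

```python
"""Hunt for the 'masspoem4u' DELETE requests in web server logs.

Added example, not Mark's own code. It parses combined-format access log
lines and flags the three indicators named in the diary: a source address
in 151.217.0.0/16 (the /16 containing 151.217.177.200), a request line
starting with "DELETE your logs", and the masspoem4u user-agent. The log
lines are constructed; the poem is shortened.
"""
import ipaddress
import re

POEM_NET = ipaddress.ip_network("151.217.0.0/16")
POEM_UA = "masspoem4u"
POEM_PREFIX = "DELETE your logs"

# Apache/nginx combined log format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: the poem request, a legitimate REST DELETE that
# must not be flagged as the poem, and ordinary traffic.
SAMPLE_LOG = [
    '151.217.177.200 - - [31/Dec/2015:03:14:22 +0000] '
    '"DELETE your logs. Delete your installations. Wipe everything clean. '
    'Join us. <3 HTTP/1.0" 400 226 "-" "masspoem4u/1.0"',
    '203.0.113.7 - - [31/Dec/2015:03:20:05 +0000] '
    '"DELETE /api/items/42 HTTP/1.1" 204 0 "-" "curl/7.47.0"',
    '198.51.100.9 - - [31/Dec/2015:03:21:40 +0000] '
    '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return the list of indicators a log line matches (empty if none),
    or None if the line does not parse as combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    reasons = []
    try:
        if ipaddress.ip_address(m["ip"]) in POEM_NET:
            reasons.append("src in 151.217.0.0/16")
    except ValueError:
        pass  # hostname or garbage in the address field; skip the range check
    request = m["request"]
    if request.split(" ", 1)[0] == "DELETE":
        reasons.append("method DELETE")
    if request.startswith(POEM_PREFIX):
        reasons.append("poem request line")
    if POEM_UA in m["ua"]:
        reasons.append("masspoem4u user-agent")
    return reasons


def hunt(lines):
    """Return (ip, timestamp, reasons) for every line with at least one hit.
    A plain 'method DELETE' on its own is reported but is usually just a
    REST API call, so check the other indicators before chuckling."""
    found = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            found.append((m["ip"], m["ts"], reasons))
    return found


if __name__ == "__main__":
    for ip, ts, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {ip}: {', '.join(reasons)}")
```

Run it against a real access log with `hunt(open("access.log").readlines())`; lines that do not parse as combined format return `None` from `classify()` and are skipped rather than raising.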