M. Zach Lawrence - Attribution of Malware

Attribution of Malicous Code:

By MZL

I just spent the last couple of weeks spinning up (meaning developing curriculm) for class on Malicious Code. Up until until three weeks ago, I knew the basics. Having worked in the IT department of a public facing Organization, I have had much practice mitigating Malicous software. -Conficker was a mess.

In late 2010 and early 2011, the world found out about a new very serious threat. Code could be weaponized into a WMD derivative. Specifically, StuxNet targeted PLC (Programmable Logic Controllers) which run just about everyting humans rely on. Everything from elevators to water treatment plants. Stuxnet changed the world as we knew it. Until then, Malicious Code did things like:

steal your money
format your HDD (Hard Drive)
Just pull pranks, like the Monkey Virus - caused the screen to change shades. (Yes, I caught that one, maybe circa 1994 or 1995. -I might still have a copy on a floppy disk somewhere.)

Stuxnet set the stage and provided a blueprint to attack critical infrastructure. A true Asymetric warfare tool. What good is money if the lights don't come on for 18 months?

I wanted to look at Attribution of Malicious Code. There are many tools to aid in this hunt.

https://talosintelligence.com (It's possible to get a real time map by country of servers hosting Malicious code. Does this list all of them. Nope. With Bullet proof hosting, many sites are hidden or officated. But to learn and interact with some of the tools. Talos Intelligence by Cisco is brilliant. Simply Zoom into a region of interest, then click on a Red, Green or Blue circle. Talos will flag the site as:

Red Spam

Green Malware

Blue Legitimate

You can zero in and get either IP or Domain information.

Once you have IP or FQDN, you can drop the site into other tools for more analysis:

https://www.shodan.io

Shodan is a different kind of search engine. Instead of searching the WWW for Web Servers with HTML documents to Index. Shodan index's hosts, meaning computers connected to the Internet. Another Gradute school project that turned out brilliantly. Shodan uses basic networking commands to probe hosts for attributes and stores them in a Database. The product is subscription based, but I simply typed the Server in Japan hosting Malicious Code and enumerated a bunch of information.

A little wild, Shodan shows all kinds of information. Publicly available.

Open Ports
Running Software Versions
Geo-Location --> In this case: Osaka, Japan
Hosting Company Name. (NOTE: In some cases, companies are not aware they are hosting malicious code or software, meaning the organization was hacked.)
ASN

If Netcat is a networking Swiss Army Knife, then Shodan would be Angus MacGyver.

Want to reach out the the company or organization and tell them quit Spamming me for example. Who-is Databases, give contact information. Sometimes, it's possible to use privacy features to officate true Domain registraints idenity.

What's all this stuff above?

https://lookup.icann.org/en

Google's who-is lookup is on the left. Notice, there are phone numbers to call, if something is seriously wrong.

millenniumgroup.consulting is on the right. Notice, I have most of the information 'redacted for privacy.'

Finally, you can drop an IP adddress or FQDN into Virus Totals to scan for Malicious Code. Virus Totals uses many virus scanning engines to detect Malicous Code. It's not full proof, nothing is absolute. But it will give you a good idea if more research is warrented or not.

Only two engines out of maybe 80+ states the IP, 133.167.44.226, is Malicous. It's an excellect starting point.

v/r mzl

Page updated

Report abuse