ISC Stormcast For Wednesday, September 7th 2016 https://isc.sans.edu/podcastdetail.html?id=5155

How to Set Up Your Own Malware Trap

Published: 2016-09-06
Last Updated: 2016-09-06 20:23:43 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware. Malware can be useful for a number of reasons: First of all, you could extract indicators of compromise from malware using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular, if they receive e-mail from sources other than your corporate e-mail system.

Sadly, many corporations these days switch to cloud providers for e-mail. But it can still be useful to setup a relay to pre-filter your e-mail before it hits the cloud provider to get more insight into e-mail that your cloud providers limited logs do not provide.

Personally, I am using postfix, so what I am going to talk about, will be postfix specific (and some procmail... which may be used with other mail servers). If you have similar tricks for other mail servers, then please comment.

(1) improved logging

Quite often, a user (or maybe even an AV system) may flag an e-mail as suspect. If this turns out to be a real malicious e-mail (phishing, malware...), then it is nice to be quickly able to look for other e-mails with the same subject or the same "From" address. In order to make this easier, I like to have Postfix log "From", "To" and "Subject" headers. You can easily accomplish this by adding "header check". In postfix, "header checks" can be used to filter e-mail with specific headers. But if you flag them just as a "Warning", then the header will be logged. I added the following lines to my "header_check" file to log the Subject, To, and From:

/^subject:/      WARN
/^to:/           WARN
/^from:/         WARN
/^Subject:/      WARN
/^To:/           WARN
/^From:/         WARN

 You then need to add the following line to your main.cf to use these header checks:

header_checks = regexp:/etc/postfix/header_checks 

(/etc/postfix/header_checks is the name of the file. Your's may be different)

you will now see lines like this in your maillog:

Sep  6 15:26:50 mail postfix/cleanup[24158]: 39B0D7FFA9: warning: 
 header Subject: August invoice from unknown[39.46.85.64]; 
 from=Burnett.84@corporate-change.com to=list@dshield.org proto=ESMTP helo=<[39.46.86.81]>

Next, a little procmail trick that will get rid of most of current malicious e-mail: A simple check to see if any compressed attachments include known bad extensions:

:0 B
* ^Content-Type: (application/zip|application/x-zip-compressed);
{
        :0 fbhw
        | /usr/local/bin/mime-zip-trojan.pl
}

"mime-zip-trojan.pl" is an amazingly simple perl script. You can very easily modify it to extend the extension blocklist. (I can't bring up the site for this script right now. so please trust the Google to find it for you)

The script doesn't block anything, but instead, it just adds a header to the e-mail (X-Zip-Trojan: Yes) that you can then use to filter the e-mail with additional procmail rules.

Finally, you should of course send all e-mail (including e-mail found by mime-zip-trojan.pl) through an AV scanner so you don't waste your time analyzing old malware.

One thing you SHOULD NEVER do: Send all attachments to Virustotal. Virustotal is a great service, and they offer some tools to automate submissions. But do not send anything beyond a hash, unless you are pretty sure it is malicious, and absolutely sure it is not confidential. Any files send to Virustotal are made available to researchers and others.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
2 comment(s)
ISC Stormcast For Tuesday, September 6th 2016 https://isc.sans.edu/podcastdetail.html?id=5153

Comments


Diary Archives