Objective 9: Catch the malware

Objective 9 wants us to catch the malware, “please visit Shinny Upatree and help him with the Sleigh Bell Lottery Cranberry Pi terminal challenge.” however, this time we don’t get any hints! (Well we do but not for this challenge) Mainly because it’s pretty straight forward, find the malware and set up a snort rule.

When we access the Objective 9 terminal, we see this screen.

Also, “Create a snort rule that alerts ONLY on bad ransomware traffic by adding it to snorts /etc/snort/rules/local.rules file. DNS traffic is constantly updated to snort.log.pcap” and “Successfully create a snort rule that matches ONLY bad DNS traffic and NOT legitimate user traffic, and the system notify you of your success.”

We also get a kinda hint which is at “~/more_info.txt” (Check out ~/more_info.txt for additional information.) when we cat the file this is what we get.

So we need to log in at http://snortsensor1.kringlecastle.com/ with “elf:onashelf” and grab one of the many .pcap files!

(You can grab the file here if you want to look at it)

Next, let’s load it up within Wireshark (or something else you choose to use!). So yeh, there are many data here

As we look at the many packets we can notice one thing, that it’s always on port 53 using UDP, so let’s filter Wireshark to show only this “!(udp.dstport == 53). (You can find a cheat sheet on Wireshark at the end of this!

Right so we need to create a snort rule that matches ONLY bad DNS traffic and NOT legitimate user traffic, we need to find something that makes the malware stand out and unique, so snort only be triggered on that set.

Look at the same image again, you can see one thing that the malware always does. And that is this string “77616E6E61636F6F6B69652E6D696E2E707331”, do you see how it’s always popping up? That’s how we can tell snort this is bad DNS traffic as it all links up to “77616E6E61636F6F6B69652E6D696E2E707331”

Now we need to create the snort rule. Sounds simple.
The command you need to issue within the terminal is:

echo 'alert udp any any <> any any (msg:"Bad DNS"; content:"77616E6E61636F6F6B69652E6D696E2E707331"; sid:9000001;)' > /etc/snort/rules/local.rules

Echo write to the file /etc/snort/rules/local.rules for you!, alert udp any any <> any any this for snort it’s telling snort to inform on udp or any ports and any address (IP address), msg is just whatever you want it to be when snort detects the malware you could have it saying anything to tell you back, i.e. “Malware is coming”, “Malware, more like software” or even “Haha, what is this tiny malware”… You get the idea!
Content (depending on how you set up your snort rule) in this case set to the string we found in Wireshark. So Snort will alert you with “Bad DNS” if it detects “77616E6E61636F6F6B69652E6D696E2E707331” on any port and or any address.
Also, sid “SID, Displays the SNORT-assigned identification of the rule.”

Anyway! So we run the command ( echo ‘alert udp any any <> any any (msg:”Bad DNS”; content:”77616E6E61636F6F6B69652E6D696E2E707331″; sid:1;)’ > /etc/snort/rules/local.rules ) and we get this.

Moreover, that’s it; another one has done!



Leave a Comment

Your email address will not be published. Required fields are marked *