
Catching Flies with Honey

Updated: 30 Aug 2010
By Gavin O'Gorman

Symantec often utilizes honeypots to acquire new samples and observe attacks in the wild. Many threats encountered on honeypots are related to botnets. However, on a rare occasion a honeypot may encounter a targeted attack. In these cases the attacker is after a specific entity, be it a person, corporation, government, or any other such body. When a computer is compromised by such a threat, the behavior can be similar to a bot, connecting to a command and control (C&C) server and awaiting commands. However, the commands received are usually not generic. They are interactive, with the attacker seeking some specific information in real-time.

We recently encountered one of many such targeted threats on a basic honeypot and logged the activity. The attack was quite straightforward and did not utilize any new techniques. Nonetheless it is a good example of the processes such attackers use. This particular threat was targeting a corporate entity, using a tailored PDF document containing an exploit. The exploit dropped an executable from within the PDF, executed it, and then loaded a second PDF. This second PDF was non-malicious: a simple guise to convince the user that nothing was wrong.

The dropped executable created an entry for itself in the Run registry subkey, to ensure it was loaded when Windows started, and then attempted to report back to the C&C server. An HTTP GET request, sent to a potentially compromised Web server in Malaysia, contained an additional header value (figure 1). This GET request contained data about the compromised computer including the computer name. Yet there was no response to this GET request. The threat continued to send the same request consistently, waiting for a response. Finally, two hours later, a response was received—20 bytes of encrypted data. The remote attacker had become active.


Figure 1: HTTP GET request to C&C server

Figure 2 shows the encrypted data and figure 3 shows the corresponding decrypted text. The response was a command to obtain the local computer’s IP configuration data. The command was executed and the resulting data was encoded and uploaded in another HTTP GET request. There was then no activity for several minutes, apart from the threat periodically polling the HTTP server for new commands. The attacker was clearly examining the IP data.
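The polling behaviour described above (the same GET repeated on a fixed interval, with empty replies until the operator sends a command) is exactly what a defender can hunt for in proxy logs. The following is an added example, not code from the original post; the log format, host names and timings are constructed to mirror the narrative.

```python
"""Beacon detection over HTTP proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO time> <client> <method> <host> <uri> <resp_bytes>".
# The cc.example.invalid series imitates the implant: identical GETs every
# ten minutes with a 0-byte reply, then one 20-byte reply when the operator
# becomes active. The www.example.invalid lines are ordinary browsing noise.
SAMPLE_LOG = """\
2010-08-01T09:00:00 10.0.0.5 GET cc.example.invalid /index.asp 0
2010-08-01T09:00:10 10.0.0.5 GET www.example.invalid /news 5120
2010-08-01T09:10:00 10.0.0.5 GET cc.example.invalid /index.asp 0
2010-08-01T09:20:01 10.0.0.5 GET cc.example.invalid /index.asp 0
2010-08-01T09:30:00 10.0.0.5 GET cc.example.invalid /index.asp 0
2010-08-01T09:35:00 10.0.0.5 GET www.example.invalid /news 4800
2010-08-01T09:40:00 10.0.0.5 GET cc.example.invalid /index.asp 20
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, method, host, uri, size = line.split()
        rows.append((datetime.fromisoformat(ts), client, method, host, uri, int(size)))
    return rows

def find_beacons(log, min_hits=4, max_cv=0.1):
    """Return {(client, host, uri): info} for request series that repeat on a
    near-constant interval. cv = stdev/mean of the gaps between requests:
    human browsing has a high cv, a polling implant a very low one."""
    series = defaultdict(list)
    for ts, client, method, host, uri, size in parse(log):
        if method == "GET":
            series[(client, host, uri)].append((ts, size))
    found = {}
    for key, hits in series.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv > max_cv:
            continue
        # The first non-empty reply marks the moment a command was delivered;
        # that timestamp is where a responder should start looking.
        first_reply = next((ts for ts, size in hits if size > 0), None)
        found[key] = {"hits": len(hits), "interval": round(mean(gaps)),
                      "cv": round(cv, 3), "first_reply": first_reply}
    return found
```

On real proxy data, combine the interval test with the response-size pattern (a run of empty replies followed by a small one) so that legitimate periodic fetches such as feed readers are not flagged on timing alone.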


Figure 2: Encrypted response from C&C server


Figure 3: Plaintext command

A sequence of commands followed, as shown in figures 4 and 5. The attacker had uploaded an executable onto the compromised computer, storing it as c:\recycler\conime.exe. The attacker leaks some information here, giving away the path where the executable was stored on his or her Web server. (Horse.exe is not very subtle.)


Figure 4: Command to upload executable


Figure 5: Execute conime.exe

The second command then ran that executable, passing it an IP address and port. The conime.exe file connected to that IP and port, creating a remote shell for the attacker. The remote IP resolves to a DSL connection on a Taiwanese ISP network. As such connections are typically used by private individuals, this may have been the attacker’s personal computer, or it could also have been another compromised computer that the attacker was routing the connection through. An attacker will often have a number of compromised computers through which they can connect to targets in order to hide his or her true IP address.

The stolen IP information was obviously of enough interest to the attacker for them to investigate further. The HTTP C&C interface is cumbersome, so creating a remote shell makes the attacker's life easier. Once connected directly to the compromised honeypot, the attacker starts to explore. He or she runs the following commands:

This was an attempt to delete the running threat. The attacker was suspicious and may have realized that they had been caught in a honeypot. The delete command fails as the executable is running. To delete the sample, the attacker then lists all processes, terminates sample.exe and then deletes it. This is successful.

Now that the threat sample had been removed, the attacker tried to obtain more information about the network.

The net service was not active, so the commands fail and the attacker moves on. He or she investigated if there were any interesting files in the Documents & Settings folder.

There is nothing of interest. The next step was to check for a D drive and list files on the drive. The attacker appeared to conclude from some file names that the computer was a honeypot and panicked. He or she then attempted to cover his or her tracks by destroying any data on the computer.

However, the delete command failed. Not happy with this, the attacker became more aggressive. He or she returned to the C drive and then attempted to format the D drive.

This command also failed and the attacker consulted the format command’s help to try and solve the problem. Another variation of the command is attempted, which also failed. A final delete command was run, ineffectively, and so the attacker exited.
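The session narrated above follows a recognisable shape: terminate and delete the running sample, enumerate the network, rummage through user folders, then attempt mass deletion and a disk format. The following added example (not code from the original post) scores a shell-session command log for that pattern. The command lines are a constructed reconstruction of the narrative, not the actual captured session, and the file name sample.exe is taken from the text above.

```python
"""Flag the anti-forensic and destructive command sequence described above
(added example; the session below is constructed from the narrative)."""
import re

SESSION = r"""
del c:\sample.exe
tasklist
taskkill /f /im sample.exe
del c:\sample.exe
net view
net use
dir "c:\documents and settings"
d:
dir
del /s /q *.*
c:
format d: /q
format /?
format d: /fs:ntfs
"""

def analyse_session(text):
    """Return (command_index, rule, command) findings for one shell session."""
    cmds = [c.strip() for c in text.splitlines() if c.strip()]
    findings = []
    killed = set()  # image names the operator has terminated so far
    for i, cmd in enumerate(cmds, 1):
        low = cmd.lower()
        m = re.match(r"taskkill\b.*/im\s+(\S+)", low)
        if m:
            killed.add(m.group(1))
        # A delete of a file whose process was just killed is the classic
        # "remove the running sample" move; a plain del alone is not flagged.
        m = re.match(r"del\b.*?([^\s\\]+)$", low)
        if m and m.group(1) in killed:
            findings.append((i, "kill_then_delete", cmd))
        if re.match(r"net\s+(view|use|group|localgroup)\b", low):
            findings.append((i, "network_enum", cmd))
        if re.match(r"del\s+(/\S+\s+)*\*\.\*", low) or re.match(r"rmdir\s+/s", low):
            findings.append((i, "mass_delete", cmd))
        if re.match(r"format\s+[a-z]:", low):
            findings.append((i, "disk_format", cmd))
    return findings

def verdict(findings):
    """Escalate when sample removal is followed by a destructive command."""
    rules = [r for _, r, _ in findings]
    if "kill_then_delete" in rules and ("mass_delete" in rules or "disk_format" in rules):
        return "destructive anti-forensic session"
    return "suspicious" if rules else "clean"
```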

The attack is very simple, and yet quite effective. The attacker gained access to the computer through a PDF exploit and received some basic information to aid him or her in the decision to investigate the compromised computer further. A remote shell was created to allow easy access and the attacker then proceeded to try and cover his or her tracks upon discovering the nature of the honeypot. The PDF document used can be trivial to create using freely available information found on sites such as Metasploit. The attacker does not need to be technically adept, as was demonstrated in this particular instance. Had the attacker been more sophisticated he or she could have destroyed the data on the computer. Unfortunately for the attacker, the systems logging traffic on the honeypot are all external to the computer, maintaining data integrity.

Such targeted attacks can be prevented by using good firewall rules, keeping applications updated and patched, having reliable IPS signatures, and keeping virus definitions up to date. Symantec detects the exploited PDF as Trojan.Pidief.J. The dropped executable and remote shell executable are detected as Backdoor.Trojan.