
Bro Exchange 2013 Malware Analysis
==================================

Bro is an incredibly flexible platform that offers incident responders a wide variety of detection mechanisms coupled with a powerful domain-specific language. In this session we will examine common exploit kits and implement a variety of signature-based and heuristic-based detection methods.

The military has developed a process called the OODA loop: Observe, Orient, Decide and Act.

This is a useful approach to analyzing problems in Bro. In this exercise we will be looking at traffic samples offline, which is instructive because all of the traffic in the pcaps is related to the specific sample. In production, the task is complicated by the inclusion of "normal" traffic.

Everyone develops their own approach to looking at logs; however, I think it makes sense to begin with the meta information first.

If you have enabled it, check capture_loss: not only can you see the loss, you can also quickly tell over what time period the capture took place. By default the log is written every 15 minutes.

Then start at the tunnel layer: what is the complexity of this network?

Move up to the conn.log; group hosts by id.orig_h and id.resp_h, then by service, port and protocol. Are there any uncommon pairs or unanalyzed traffic?


For all of these exercises we'll be using the files hosted on my github; all malware samples are courtesy of

First let's get all of the appropriate samples and solutions down to your VM; perform one of the following:

Download the zipfile directly down to your VM:

Or, if you'd like to use the git repo:

If you need the cheatsheet, you can find it here:

    git clone

Ok, so let us orient ourselves a little bit; we have eight traffic samples and a handful of solutions. As a reminder, we can replay traffic through Bro from the command line with:

    bro -r exercise.pcap scriptfile-to-load.bro

It is quite common to launch bro with "local" at the end; this tells bro to load the local.bro site policy that it loads at normal startup, in this case stored in /opt/bro/share/bro/site/local.bro.

The two techniques may be combined:

    bro -r exercise.pcap local scriptfile-to-load.bro

Ok, one last tip before we get started... you know how to use bro-cut, right? Pass it one or more column names and quickly generate powerful summary statistics:

    less http.log | bro-cut user_agent resp_mime_types | sort | uniq -c | sort -n


If you are new to malware analysis or Bro, there are some wonderful resources out there to help get you up to speed. Beyond the usual suspects, it is helpful to understand that there are common exploit kits that lead to malware deployments. Understanding the exploits available in the various exploit kits can help to cover a lot of ground:




Let's get started with a couple of warm up exercises. Blackhole is one of the most common and frequently updated exploit kits around. Let's see what they look like with Bro's new File Analysis Framework.

How many executable files were downloaded to the host?

    bro -r EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04.pcap

How many executable files were downloaded?

    less files.log | grep "application" | wc -l

What notices were fired?

    less notice.log

Ok, that was a pretty easy one; let's do another warm up. Did you see the unanalyzed traffic in conn.log? It doesn't match any protocol that Bro can speak; let's look at a couple more and we'll come back to that.

Contagio has posted an analysis of this one:


For time purposes skip this one for now; it is quite similar to the first. If we have time we can come back to it.


The hardest part about Bro is wrapping your head around all of the various use cases: there are just an incredible number of tools at your disposal. Did you know that Bro has a signature framework?

Let's take a look at some things we've got included right out of the box. Don't load any extra scripts yet; just look at the logs.

    bro -r Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap

Run it again, but this time include "local" on the end.

    bro -r Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap local

What's the difference?

Ok, let's use the OODA loop on this one.

    bro -r Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap local

What protocols are being spoken on which ports?

	less conn.log | bro-cut id.orig_h id.resp_h proto service id.resp_p | sort | uniq -c | sort -n

	1	tcp	-	443
	4	udp	dns	53
	6	tcp	http	443

Well, http on port 443? That's atypical. Let's dig a little further. What does the http traffic look like?

Now let's check the notice.log. What is Bro trying to tell you?

Now let's check the signature.log. Wow, a Windows shell tunneled over HTTP on port 443.


We have Bro identifying signatures in ports and protocols that it understands; in this example, we are going to have Bro key on a specific protocol-related feature.

Let's replay the sample with Bro:

	bro -r EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local

Explore the log files; I see a number of potential candidates for items we could fire on. Let's look a little deeper. Take a look at the specified .bro file; what are we doing here?

	bro -r EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local ../solutions/extract-header-names-and-values.bro

Now let's investigate the http.log a little further and look a little closer at those HTTP header values:

	less http.log | bro-cut server_header_names server_header_values 

This content type looks a little weird to me:

		text/html; charset=win-1251

What is that?

Windows-1251 (a.k.a. code page CP1251) is a popular 8-bit character encoding, designed to cover languages that use the Cyrillic script such as Russian, Bulgarian, Serbian Cyrillic and other languages. It is the most widely used encoding for the Bulgarian, Serbian and Macedonian languages.

Is that normal for our environment? Let's see if we can match on that.

    @load base/protocols/http/main
    @load base/frameworks/notice

    module HTTP;

    export {
        redef enum Notice::Type += {
            ## raised once per host per 10 min
            Bad_Header   # notice name is not shown on the page; assumed here
        };
    }

    # hosts that already raised the notice; entries expire after 10 minutes
    global bad_header: set[addr] &create_expire = 10 min;

    event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
        {
        # fires for every header of every HTTP request and response
        if ( name == "CONTENT-TYPE" && value == "text/html; charset=win-1251" )
            {
            if ( c$id$orig_h !in bad_header )
                {
                add bad_header[c$id$orig_h];
                NOTICE([$note=Bad_Header,
                        $msg=fmt("Bad header \"%s\" seen in %s", value, c$uid),
                        $conn=c,
                        $identifier=fmt("%s", c$id$orig_h)]);
                }

            print fmt("%s :name:value:  %s:%s", c$uid, name, value);
            }
        }

This code is overly simple; every time Bro sees an HTTP header name/value pair this event fires. We simply hook the event and check specifically for the Cyrillic charset.

Did you count how many times this header pair was transmitted in the sample? Here we are thresholding the notice with a global set called bad_header, and we time hosts out of it with the &create_expire attribute:

    global bad_header: set[addr] &create_expire = 10 min;

Let's go ahead and replay the sample using our new detector.

    bro -r EK_Smokekt150\(Malwaredontneedcoffee\)_2012-09.pcap local ../solutions/match-headers.bro

You should now see a thresholded alert in the notice.log.


Malware has a purpose; many times that purpose is to generate revenue for its authors.

In this sample we're going to be looking at a bot whose aim is to deliver bitcoin mining traffic.

    bro -r BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap

Do you see anything that stands out? What appears to be going on in the http log?

Take a look at the directory ../solutions/; we've got two relevant files.

    json-rpc.sig  mining.bro

Let's run this detection routine:

    bro -r BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap ../solutions/mining.bro

What do you see in your notice.log?


Zeroaccess is a dangerous rootkit and has been circulating for quite some time.

You can read more about the malware here:

The zeroaccess C2 Protocol has some static elements we can examine:

Please look at the solution located in: ../solutions/zeroaccess

What does the load.bro file do?

What is in the zeroaccess.sig file? What are we firing on?

Let's go ahead and replay the traffic using our detection script:

    bro -r BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap ../solutions/zeroaccess/


We're going to need another traffic sample for this one; download the pcap here:

There was a time when TDL4 was the most dangerous and pervasive malware around.

TDL4 reloaded: Purple haze all in my brain:

TDL4 - Purple Haze (Pihar) Variant- sample and analysis

After downloading the large tracefile from above, let's look at the traffic.

    bro -r purplehaze.pcap

Explore the logs; what do you see?

One of the many things performed by this rootkit is clickfraud; let's look at some stats:

    less http.log | bro-cut referrer | sort | uniq -c | sort -n

What is going on here?

How many and what kind of files were downloaded in that signature?

There are lots of approaches to this problem. Let's consider some.

Of the files downloaded, how many of them are executables?

What was the user agent used to download these files?

That might be something useful to detect:

    less http.log | grep Java | grep dosexec

    1327980103.698008 gBTc8KYVwek 1645 80 1 GET /?d4a7a142560899e60103f46d24e78e0c - Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_26 0 246320 200 OK - - - (empty) - - - - - ByTyrcQjC23 application/x-dosexec
    1327980104.201588 tMuiraGxK7j 1649 80 1 GET /?8dd2a80721cae71c5964639bd7c8c55b - Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_26 0 101936 200 OK - - - (empty) - - - - - 9EcIAELxt16 application/x-dosexec
    1327980464.846200 aIWL3aRExv2 3219 80 2 GET /a.exe?s=0nir& - Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_26 0 245808 200 OK - - - (empty) - - - - - Iu9fonpuCxb application/x-dosexec

Let's see if we can detect Windows executable downloads by Java. Take a look at the download-by-java.bro file.

    event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
        {
        # e.g. Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_26
        # c$http is only present on HTTP connections, so test for it before reading its fields
        if ( c?$http && c$http?$user_agent && c$http?$resp_mime_types && /.*Java.*/ in c$http$user_agent )
            {
            # resp_mime_types is a vector; multiple files can be returned
            for ( m in c$http$resp_mime_types )
                if ( /.*dosexec.*/ in c$http$resp_mime_types[m] )
                    print fmt("c: %s", c$http);
            }
        }

Let's go ahead and run it now:

    bro -r purplehaze.pcap ../solutions/download-by-java.bro

There is certainly a lot of room for improvement, but let's take a look at the output:

    c: [ts=1327980464.8462, uid=5BBeVczaR7g, id=[orig_h=, orig_p=3219/tcp, resp_h=, resp_p=80/tcp], trans_depth=2, method=GET,, uri=/a.exe?s=0nir&, referrer=<uninitialized>, user_agent=Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_26, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={^J^J}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[Iu9fonpuCxb], resp_mime_types=[application/x-dosexec], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]

In this case we are just printing the entire HTTP record of the connection to the console when we locate what we are looking for; this is a great candidate for a Notice log entry though.
Can you create it?
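As an added example (not code from the workshop repo), here is a small Python reader for Bro's TSV logs that applies two of the checks from this walkthrough offline: the conn.log hunt for services that disagree with their port or were not analyzed at all (the http-on-443 case above), and the Java-user-agent/x-dosexec test from download-by-java.bro. The sample log lines, the IP addresses and the EXPECTED_SERVICE port baseline are constructed for the example.

```python
# Added example: offline triage of Bro TSV logs (not part of the workshop repo).
def parse_bro_log(text):
    """Yield a dict per record; unset '-' -> None, vector/set columns -> lists."""
    fields, types = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types"):
            types = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rec = {}
            for name, typ, val in zip(fields, types or ["string"] * len(fields), line.split("\t")):
                if val == "-":
                    rec[name] = None
                elif typ.startswith(("vector[", "set[")):
                    rec[name] = [] if val == "(empty)" else val.split(",")
                else:
                    rec[name] = val
            yield rec
# Assumed baseline of what normally runs on a port; extend it for your own environment.
EXPECTED_SERVICE = {"80": "http", "443": "ssl", "53": "dns"}
def odd_conns(conn_log):
    """(uid, proto, service, resp_p) for flows Bro left unanalyzed or that mismatch the port."""
    out = []
    for r in parse_bro_log(conn_log):
        svc, port = r["service"], r["id.resp_p"]
        if svc is None or EXPECTED_SERVICE.get(port, svc) != svc:
            out.append((r["uid"], r["proto"], svc, port))
    return out
def java_exe_downloads(http_log):
    """(uid, orig_h, uri) where a Java user agent received application/x-dosexec."""
    hits = []
    for r in parse_bro_log(http_log):
        ua, mimes = r["user_agent"], r["resp_mime_types"] or []
        if ua and "Java/" in ua and any("x-dosexec" in m for m in mimes):
            hits.append((r["uid"], r["id.orig_h"], r["uri"]))
    return hits
# Constructed sample logs (tab separated, with the headers Bro writes; no #types in conn.log here).
CONN_LOG = "\n".join([
    "#fields\tuid\tid.orig_h\tid.resp_h\tproto\tservice\tid.resp_p",
    "C1\t10.0.0.5\t10.0.0.2\tudp\tdns\t53",
    "C2\t10.0.0.5\t203.0.113.9\ttcp\thttp\t443",
    "C3\t10.0.0.5\t203.0.113.9\ttcp\t-\t443"])
HTTP_LOG = "\n".join([
    "#fields\tuid\tid.orig_h\turi\tuser_agent\tresp_mime_types",
    "#types\tstring\taddr\tstring\tstring\tvector[string]",
    "H1\t10.0.0.5\t/a.exe?s=0nir&\tMozilla/4.0 (Windows XP 5.1) Java/1.6.0_26\tapplication/x-dosexec",
    "H2\t10.0.0.5\t/index.html\tMozilla/5.0\ttext/html",
    "H3\t10.0.0.5\t/pack.jar\tMozilla/4.0 (Windows XP 5.1) Java/1.6.0_26\tapplication/java-archive,text/html"])
```

Running odd_conns on a real conn.log surfaces the same http/443 and service-unset rows the bro-cut pipeline above makes you spot by eye, and java_exe_downloads gives the rows to turn into a Notice.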


Ok, by now you should be an old hand at this. LURK0, aka GH0ST, has reared its ugly head a couple of times now. What is going on here?

    bro -r BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10.pcap ../solutions/lurk0/

Check your notice.log.


With every detection technique comes a range of consequences; I hope you have enjoyed learning more about what is possible with the Bro Platform.