Forensic Investigation - Network. 0x02


Developing Ransomware Malware. 0x07

Writing our own ransomware to understand how cyber criminals write it.


In previous chapters we learned:

  • How to investigate emails to check whether they are genuine or spam. When we get an email from someone, we can look at a few key points to figure out whether it is real or not. By doing this, we can prevent users from accidentally downloading ransomware from spam emails.

In this chapter we will learn:

  • How to analyze network traffic to identify when an .exe file is downloaded, and how to send an alert.

Whenever we surf the internet, data is sent from our browser to the server. If we keep monitoring these packets with the help of a tool, we can reduce the chance of a ransomware infection.


Why network analysis is important

Network analysis, or network monitoring, is very important because it lets us understand the behaviour of the network and, in our case, of the ransomware: how it connects to the outside world, where it connects, what commands it receives and what payload has been downloaded. In short, just by monitoring the traffic we can see the push and pull of data.

Once we know where the ransomware is downloading its payload from, we can block those websites / IPs on the firewall.

In network forensics, monitoring packets in real time is very important: we can figure out which computers are connecting to an identified URL.

For example, if our Rcoky_Ramsomeware downloads files from "https://www.yah00.com/payload.com", we block that IP/URL, stopping the unnecessary traffic flow.

Creating Fake DNS

Once an IP/URL is identified we can create our own Fake-DNS server and monitor the Fake-DNS application for suspicious activity on the network, for further malware analysis.

When infected machines try to connect to their command centre, they will be resolved to our Fake-DNS server instead. Once we identify the IPs from the Fake-DNS logs, we can take those machines off the network for re-imaging or for further analysis.

If you follow these steps you definitely stop the data that is being stolen.
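One way to build the Fake-DNS sinkhole described above, as an added example that is not part of the original chapter: the server answers A queries for blocklisted names with a sinkhole address and logs which client asked (that client is the machine to pull off the network), and forwards every other query to a real resolver. The blocklist entry is the page's own example host; SINKHOLE_IP and UPSTREAM are placeholders.

```python
import socket
import struct
# Constructed blocklist (the page's payload host); SINKHOLE_IP and UPSTREAM are placeholders
BLOCKLIST = {"www.yah00.com"}
SINKHOLE_IP = "127.0.0.1"
UPSTREAM = ("192.0.2.1", 53)

def parse_query(data):
    """Return (transaction id, queried name, qtype, offset where the question ends)."""
    tid, = struct.unpack("!H", data[:2])
    labels, pos = [], 12                      # question starts after the 12-byte header
    while data[pos] != 0:                     # walk the length-prefixed labels
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, = struct.unpack("!H", data[pos + 1:pos + 3])
    return tid, ".".join(labels).lower(), qtype, pos + 5   # +1 root, +2 qtype, +2 qclass

def build_response(query, sinkhole_ip=SINKHOLE_IP):
    """Return (reply bytes or None, name, matched); None means 'forward upstream'."""
    tid, qname, qtype, qend = parse_query(query)
    if qname not in BLOCKLIST or qtype != 1:  # only A queries for blocklisted names
        return None, qname, False
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)  # response, RD+RA, 1 answer
    # name = pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4, then the address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
    return header + query[12:qend] + answer, qname, True

def serve(listen=("0.0.0.0", 53)):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)                         # binding UDP/53 needs privileges
    while True:
        query, client = sock.recvfrom(512)
        reply, qname, matched = build_response(query)
        if matched:
            # The querying host is a candidate infected machine: log it for isolation
            print(f"ALERT: {client[0]} asked for {qname}; answered with {SINKHOLE_IP}")
        else:
            # Legitimate names are relayed to the real resolver so the network keeps working
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                up.settimeout(2)
                up.sendto(query, UPSTREAM)
                try:
                    reply = up.recv(512)
                except socket.timeout:
                    continue
        sock.sendto(reply, client)

if __name__ == "__main__":
    serve()
```

Point the infected subnet's DHCP/DNS setting at the host running this script and the ALERT lines give you the list of machines to isolate.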


For network analysis I prefer mitmproxy, Wireshark, tcpdump, Scapy and some custom Python scripts. A fake DNS can be built with netcat, the Swiss army knife.

In this chapter we will learn how Wireshark and mitmproxy help us decode the traffic for malware analysis.


Wireshark

Wireshark is an awesome tool that lets you see what's happening on your network in great detail. We can look inside the packets moving between our computers and devices. Wireshark captures these data packets and shows us the raw information in a human-readable way for further analysis.

Key Features of Wireshark:

  • Packet Capture: It sniffs data packets as they are transferred through your network.
  • Packet Analysis: It breaks down these packets so you can understand what’s being sent and received.
  • Protocol Support: It handles a wide variety of protocols.
  • Live Capture: Real-time data flow for troubleshooting network issues or analyzing security threats.


Mitmproxy

Mitmproxy, which stands for "Man-in-the-Middle Proxy," is a tool that lets you intercept, inspect, modify, and replay traffic in real time. It's great for developers and security experts who need to understand how their apps communicate over the internet.

Key Features of mitmproxy:

  • Proxy Interception: It sits between your device and the internet, letting you see and modify web traffic.
  • HTTPS Decryption: It decrypts HTTPS traffic so we can analyze encrypted communication.
  • Request Modification: It allows us to change outgoing requests or incoming responses for debugging.
  • Scriptable Interface: You can automate and customize interception and analysis tasks by writing Python scripts.


Why They Matter

  • Network Troubleshooting: Both Wireshark and mitmproxy help you diagnose issues by showing you what’s going on behind the scenes.
  • Security Analysis: These tools are essential for finding potential vulnerabilities and threats.
  • Development and Testing: Developers use them to debug apps and ensure they work well under different network environments.

Whether you're into networking, development, or security, knowing how to use Wireshark and mitmproxy helps you manage, secure, and optimize your digital life.


Now it's time to rock

First we will see how a simple HTTP packet is transferred, and then how an HTTPS packet is transferred.

HTTP is a text-based protocol, meaning that when we run tools like Wireshark we can see the data on the network in human-readable form.

When HTTPS is used, we cannot identify what data is transferred on the wire, because it is encrypted. This is where things become complicated.

Malware writers take advantage of the HTTPS protocol to encrypt the virus or the payloads. Network security devices such as web application firewalls, network firewalls and IDS/IPS sometimes fail here, because most of them work on a signature basis. If the data is encrypted it is really difficult to decrypt it and learn what the malware payload is all about. However, today's devices can decode the network flow using a valid CA certificate.


HTTP Protocol

Let's download a sample. In this sample we will inspect the HTTP packets that download a virus.exe file.

The case study:

I received an email from NeeRav Mobi saying he wants to share his Swiss bank account number and password so I can transfer money to my bank. The only thing I need to do is download the Swiss bank's proprietary application. So I downloaded the application and executed it. That is how my whole organization got infected with ransomware and all the data got encrypted, because of my greed.

The image below shows the email I received from NeeRav Mobi

Sample Spam email


Once the link is clicked, "virus.exe" (this file could be "swissapp.exe") is downloaded to my desktop, and executing it runs the ransomware in the organization.

Now let's see the Wireshark traffic on my desktop.

Note: I am using VirtualBox on my desktop and Apache2 as my web server. As this is a local server, I need to attach Wireshark to the local loopback interface to sniff the HTTP packets. Network administrators can sniff the packets on their gateways or on the subnet's main desktop / server where all packets can be sniffed and analyzed.

The image below shows Wireshark in action; the application is run as administrator so it can sniff the packets.


Wireshark sniffing HTTP packets in action.


You can see the protocol is HTTP. If a local user runs a sniffer in promiscuous mode on the network, they can see the traffic for the complete subnet (this is done with ARP spoofing, for which different tools exist). With plain text it was easy for firewalls and IDS software like Snort to sniff the network and generate alerts comparatively fast.

To avoid this plain-text sniffing, organizations started using SSL/TLS certificates, which encrypt the packets.

However, this was a boon for cyber criminals. There was less need to encrypt malware themselves; all the hard work of encryption was done by SSL/TLS automatically.



Let's see the second test case, which uses the HTTPS protocol.

The main job of the HTTPS protocol is to encrypt all the traffic between client and server. For that, a new business called the "CA certificate" appeared, where you buy an SSL/TLS certificate from a verified CA vendor as a trusted partner, all big words.

Just for information: with only 3 to 4 commands you can generate your own SSL/TLS certificate on a Linux box. The commands for generating your own SSL/TLS certificate were shared in the previous chapter.

Web browsers also support these organizations: if a browser finds a self-signed certificate it shows an alert saying "Not authorized, please add an exception", with green and red colours, all crap.

This error scares many people. However, self-signed certificates can be safe too if properly configured.

Anyway, let's continue with our HTTPS protocol.

Note: I am using https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html to download an .exe file, as I have not configured my Apache2 server for HTTPS. Please assume the above URL is https://192.168.43.175:8080/virus.exe

The idea here is to demonstrate that when downloading an .exe file over HTTP we can see the data, while over HTTPS we can't.

The image below shows that chiark.greenend.org.uk is using the HTTPS protocol. We can also see the browser showing that its certificate is authenticated and good to go.

HTTPS protocol in action


Now, with Wireshark running, we download the putty.exe (our virus.exe) file from the web site. In the image below you can see all the traffic is encrypted with the help of the SSL/TLS certificate installed on the server.

In an earlier image we saw that with HTTP we can see the data and know what is floating on the network; with HTTPS, however, all the data from our browser to the server is encrypted.

HTTPS encrypts the packets

The main question.

Now that everyone is using HTTPS, how can we protect our network if viruses and malicious links are encrypted and we can't see the information in plain text?

There are ways to decrypt network traffic on the network: we can use tools like Wireshark or mitmproxy. These tools carry their own CA certificate, which the client is made to trust, so the tool can stand in for the real server.

In this case we will use mitmproxy, a proxy server that intercepts all traffic by presenting a certificate signed by its own CA in place of the HTTPS server's.


Let's understand how it's done

SSL/TLS Handshake with mitmproxy

mitmproxy sits in the middle between the client (e.g., a web browser) and the HTTPS server. It sniffs and decrypts HTTPS traffic by generating certificates dynamically in real time. Let's understand how mitmproxy handles the SSL/TLS handshake:

  • Client Initiates Connection: The client web browser tries to connect to the HTTPS server as we type the URL in the browser, e.g. https://www.chiark.greenend.org.uk/putty.exe.
  • mitmproxy Intercepts the Connection: It creates a fake certificate for the server the client is trying to reach. This certificate is signed by mitmproxy's own root CA certificate.
  • Client Trusts mitmproxy Certificate: Because the mitmproxy root CA has been added to the browser's trust store (or an exception accepted), the client accepts the fake certificate.
  • SSL/TLS Handshake Between Client and mitmproxy: The client initiates an SSL/TLS handshake with mitmproxy, believing it is the actual server.
  • SSL/TLS Handshake Between mitmproxy and Real Server: Simultaneously, mitmproxy initiates its own SSL/TLS handshake with the real server.
  • Encrypted Traffic Relay: Once data reaches mitmproxy it decrypts the client's traffic, inspects or modifies it, and then re-encrypts it before sending it on to the real server. The same process happens in reverse for responses from the server to the client.

The image below shows the basic data flow between client and server with and without mitmproxy.

Packet flow diagram


Now, with this basic understanding, we will try to sniff the data and print it in plain text.

First, we need to start mitmproxy. By default, mitmproxy listens on port 8080. Then, in our web browser, we need to set the proxy to "localhost" and port "8080". The image below shows how Firefox is set to use a proxy server on localhost port 8080, which is how we configure it for mitmproxy.

The image below shows the Firefox web browser proxy setting

Proxy Setting for Firefox

With this setting we are ready to send data to the mitmproxy server. Whenever we type something in Firefox, it will send the data to localhost on port 8080; in short, the browser sends data to mitmproxy, which intercepts the traffic on both the client side and the server side. In return we will see all the traffic in plain text.

We will use the same URL we used for downloading putty.exe: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

The image below shows mitmproxy in action: the Firefox web browser asks for permission to add the certificate as an exception, which we should accept. Once accepted, we can browse any HTTPS URL for decoding. We will go and download the same putty.exe.

An exception needs to be added to browse the HTTPS web site

Once you accept the security exception, we're ready to start sniffing. Let's download putty.exe. Before, Wireshark showed us encrypted packets because we didn't have a valid SSL certificate. But with mitmproxy we'll see the encrypted information in plain text. This will help us understand what's happening behind the scenes.

The image below shows how we can now see all the encrypted packets in plain text. This helps us detect whether any malicious files are being downloaded. Our intrusion detection system (IDS), such as Snort, and other packet sniffing tools will work more effectively and give us better insight into the network.


We can see plain text for SSL/TLS-encrypted packets



Great, we can see HTTPS traffic in plain text. Now what?


Mitmproxy can run scripts that look for a given string and send alerts to the administrator. Mitmproxy is a very powerful tool because it integrates easily with Python.

Let's alert our administrator when someone in the subnet tries to download an .exe file.

Let's create a Python script that alerts the administrator in real time when an executable is being downloaded. For simplicity we are not using sockets or sending email to the administrator; as a demo we just display it on screen.

Here is the code which we will integrate into the mitmproxy server

alert_executable_download.py

```python
from mitmproxy import http


def response(flow: http.HTTPFlow) -> None:
    # Called by mitmproxy for every response it relays, HTTP or decrypted HTTPS.
    if flow.request.pretty_host and flow.request.pretty_url.endswith(".exe"):
        # peername is the client's (ip, port); mitmproxy 7+ API
        # (older releases exposed it as client_conn.ip_address)
        client_ip = flow.client_conn.peername[0]
        url = flow.request.pretty_url
        filename = flow.request.path.split("/")[-1]
        print(f"Alert !!! -> IP {client_ip} is downloading executable file {filename} from {url}")
```


To run the code use the following command

mitmdump -s alert_executable_download.py


After this, let's open the PuTTY URL again and see if we get any alerts

The image below shows that when we download any ".exe" file over HTTPS, our life saver mitmproxy decodes the encrypted packets and checks for an ".exe" file; if one is found it sends an alert to the configured server and displays it on screen. This is how we can use mitmproxy in our network or for malware analysis. Mitmproxy will keep checking all the packets until a user quits it.


Alert Generated by mitmproxy
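The script above alerts only on URLs that end in .exe. As an added example (not the chapter's own code), here is a broader check that also looks at the Content-Disposition filename, the Content-Type header and the MZ header at the start of the response body, so an executable served under a harmless name like update.bin is still flagged. The hook uses mitmproxy's module-level function style; the peername attribute assumes mitmproxy 7 or later, and the detection signals and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed signals of an executable download. Checking the body's MZ header
# catches payloads served under a harmless-looking name such as update.bin.
PE_MAGIC = b"MZ"
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".msi")
EXEC_CONTENT_TYPES = ("application/x-msdownload",
                      "application/vnd.microsoft.portable-executable")

def download_filename(url, headers):
    """Prefer the Content-Disposition filename, else the last URL path segment."""
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    if match:
        return match.group(1).strip()
    return urlsplit(url).path.rsplit("/", 1)[-1]

def classify_download(url, headers, body):
    """Return (filename, reasons); an empty reasons list means nothing suspicious."""
    name = download_filename(url, headers)
    reasons = []
    if name.lower().endswith(EXEC_EXTENSIONS):
        reasons.append(f"filename {name} has an executable extension")
    if body[:2] == PE_MAGIC:
        reasons.append("response body starts with the MZ (PE) header")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXEC_CONTENT_TYPES:
        reasons.append(f"content-type {ctype}")
    return name, reasons

def response(flow):
    """mitmproxy hook, loaded with: mitmdump -s detect_executable_download.py"""
    if flow.response is None:
        return
    # flow.response.headers is case-insensitive; .content is the decoded body
    name, reasons = classify_download(flow.request.pretty_url,
                                      flow.response.headers,
                                      flow.response.content or b"")
    if reasons:
        client_ip = flow.client_conn.peername[0]     # mitmproxy 7+ API
        print(f"Alert !!! -> {client_ip} downloaded {name} from "
              f"{flow.request.pretty_url}: " + "; ".join(reasons))
```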



Using these kinds of tools in our network is really a boon for administrators. One should use equivalent tools in the network to inspect encrypted protocols and check whether the traffic is good for the network or not.

With this we will end here. In the next chapter we will learn how cyber criminals send Microsoft Word documents, Excel sheets and PDF files to end users with an embedded macro-enabled VBS virus in them.

We will do digital forensics on these files. Till then, stay tuned.

Thanks for your time

See you next week.

