Objective 9.1: Catch the malware

Difficulty: 3/5

Alabaster Snowball is in dire need of your help. Santa's file server has been hit with malware. Help Alabaster Snowball deal with the malware on Santa's server by completing several tasks.
For hints on achieving this objective, please visit Shinny Upatree and help him with the Sleigh Bell Lottery Cranberry Pi terminal challenge.

Objective 9.1: Assist Alabaster by building a Snort filter to identify the malware plaguing Santa's Castle.

Note: Shinny Upatree can be found on Floor 1, on the south-eastern side of the lobby area.

Hints given:
Shinny Upatree:
Have you heard that Kringle Castle was hit by a new ransomware called Wannacookie? Several elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by and their files were encrypted. Many elves were affected, so Alabaster went to go see if he could help out. I hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analyzing Wannacookie on his computer. An elf I follow online said he analyzed Wannacookie and that it communicates over DNS. He also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way. Another recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie! Of course, this all depends on how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt. Perhaps there is a flaw in the Wannacookie author's DNS server that we can manipulate to retrieve what we need. If so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files.


The objective can be accessed directly via this link:
https://docker.kringlecon.com/?challenge=snort&id=7cd0c47e-7c7f-4983-95fe-d3ea9f752877


Connect to the Snort Challenge console or navigate to:
https://docker.kringlecon.com/?challenge=snort&id=7cd0c47e-7c7f-4983-95fe-d3ea9f752877

 _  __     _             _       _____          _   _      
 | |/ /    (_)           | |     / ____|        | | | |     
 | ' / _ __ _ _ __   __ _| | ___| |     __ _ ___| |_| | ___ 
 |  < | '__| | '_ \ / _` | |/ _ \ |    / _` / __| __| |/ _ \
 | . \| |  | | | | | (_| | |  __/ |___| (_| \__ \ |_| |  __/
 |_|\_\_|  |_|_|_|_|\__, |_|\___|\_____\__,_|___/\__|_|\___|
             / ____| __/ |          | |                     
            | (___  |___/  ___  _ __| |_                    
             \___ \| '_ \ / _ \| '__| __|                   
             ____) | | | | (_) | |  | |_                    
            |_____/|_|_|_|\___/|_|_  \__|                   
               |_   _|  __ \ / ____|                        
                 | | | |  | | (___                          
         _____   | | | |  | |\___ \        __               
        / ____| _| |_| |__| |____) |      /_ |              
       | (___  |_____|_____/|_____/ _ __   | |              
        \___ \ / _ \ '_ \/ __|/ _ \| '__|  | |              
        ____) |  __/ | | \__ \ (_) | |     | |              
       |_____/ \___|_| |_|___/\___/|_|     |_|              

============================================================
INTRO:
  Kringle Castle is currently under attacked by new piece of
  ransomware that is encrypting all the elves files. Your 
  job is to configure snort to alert on ONLY the bad 
  ransomware traffic.

GOAL:
  Create a snort rule that will alert ONLY on bad ransomware
  traffic by adding it to snorts /etc/snort/rules/local.rules
  file. DNS traffic is constantly updated to snort.log.pcap

COMPLETION:
  Successfully create a snort rule that matches ONLY
  bad DNS traffic and NOT legitimate user traffic and the 
  system will notify you of your success.
  
  Check out ~/more_info.txt for additional information.

Check the contents of the file ~/more_info.txt

elf@59f9a5f70ada:~$ cat more_info.txt 
MORE INFO:
  A full capture of DNS traffic for the last 30 seconds is 
  constantly updated to:

  /home/elf/snort.log.pcap

  You can also test your snort rule by running:

  snort -A fast -r ~/snort.log.pcap -l ~/snort_logs -c /etc/snort/snort.conf

  This will create an alert file at ~/snort_logs/alert

  This sensor also hosts an nginx web server to access the 
  last 5 minutes worth of pcaps for offline analysis. These 
  can be viewed by logging into:

  http://snortsensor1.kringlecastle.com/

  Using the credentials:
  ----------------------
  Username | elf
  Password | onashelf

  tshark and tcpdump have also been provided on this sensor.

HINT: 
  Malware authors often user dynamic domain names and 
  IP addresses that change frequently within minutes or even 
  seconds to make detecting and block malware more difficult.
  As such, its a good idea to analyze traffic to find patterns
  and match upon these patterns instead of just IP/domains.
elf@59f9a5f70ada:~$

Log in to http://snortsensor1.kringlecastle.com/ with the credentials from more_info.txt:
username: elf
password: onashelf

Download one or more of the .pcap files.

Open the .pcap file in Wireshark. Notice that some DNS requests are sent to non-standard DNS ports (not UDP 53). Exclude the good traffic using this display filter:

!(udp.dstport == 53)

The packets to non-standard DNS ports all contain the string "77616E6E61636F6F6B69652E6D696E2E707331" as a label in the queried name:

356    3.606484    212.43.18.229   10.126.0.26 Standard query response 0xedf0 TXT 58.77616E6E61636F6F6B69652E6D696E2E707331.rehrugnbsa.org TXT 57608   DNS 425
 2    0.010593    233.12.59.19    10.126.0.19 Standard query response 0xa4b6 TXT    77616E6E61636F6F6B69652E6D696E2E707331.nsaehrgrub.org TXT 38663   DNS 167

The string "77616E6E61636F6F6B69652E6D696E2E707331" appears only in the ransomware's DNS traffic and never in the legitimate queries, so it can serve as the content match for the Snort rule. Add the rule to /etc/snort/rules/local.rules as follows:

elf@524792a816b4:~$ echo 'alert udp any any -> any any (msg:"Bad DNS"; sid:10000001; rev:001; content:"77616E6E61636F6F6B69652E6D696E2E707331";)' > /etc/snort/rules/local.rules

Shortly after the rule is added, the congratulations message appears:

elf@524792a816b4:~$ echo 'alert udp any any -> any any (msg:"Bad DNS"; sid:10000001; rev:001; content:"77616E6E61636F6F6B69652E6D696E2E707331";)' > /etc/snort/rules/local.rules
elf@524792a816b4:~$ 
[+] Congratulation! Snort is alerting on all ransomware and only the ransomware!
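As an added example (not part of the original writeup or the challenge), the script below builds DNS queries in wire format for the two malicious names seen in the capture plus a constructed legitimate one, applies the same test the Snort content match performs (is the hex label present in the query name?), and decodes the hex marker to show what the ransomware is actually requesting. The domain names are taken from the capture above; the legitimate name and transaction id are constructed.

```python
import binascii
import struct

# Hex label the writeup found in every malicious DNS packet (taken from the page).
MARKER = "77616E6E61636F6F6B69652E6D696E2E707331"


def encode_qname(name):
    """Build a DNS wire-format QNAME: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=16):
    """Constructed DNS query (header + one question); qtype 16 = TXT, as in the capture."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags (RD), QD=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_qname(payload, offset=12):
    """Read the first question's name from a DNS payload; returns (name, labels)."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: never valid in a question name
            raise ValueError("unexpected label pointer in question section")
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), labels


def decode_marker(marker=MARKER):
    """The marker is ASCII hex; decoding it reveals the file name being fetched over DNS."""
    return binascii.unhexlify(marker).decode("ascii")


def is_wannacookie_dns(payload):
    """Same decision the Snort rule makes, but on a parsed label rather than raw bytes."""
    _, labels = parse_qname(payload)
    return any(label.upper() == MARKER for label in labels)


# Constructed samples: the two names from the capture plus one benign query.
SAMPLES = {
    "58." + MARKER + ".rehrugnbsa.org": True,
    MARKER + ".nsaehrgrub.org": True,
    "www.kringlecastle.com": False,
}


def classify_samples():
    """Map each sample name to the detector's verdict."""
    return {name: is_wannacookie_dns(build_query(name)) for name in SAMPLES}
```

Matching on the parsed label is slightly broader than the Snort rule (case-insensitive), which is worth remembering if a variant switches to lowercase hex.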