Monday, June 2, 2014

A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 2

This writing is dedicated to fellow sysadmins all over the networks in this globe, who work hard keeping internet services running smoothly and help to clean the bad stuff, you rocks! Respect! This is the second part of the previously posted analysis here-->>[Part 1]

Observation

In this part I will discuss the FTP hacked sites reported as per below snapshots, I will call them as Case 4, 5, 6, and 7 (bonus case), and NEW! Case 8 (additional)


Case #4: IRC Bot PHP Pbot(s) - The evolution begins..

As per explained in the first part, there were some IRC bots detected in the abused FTP sites reported, one of the bots called pbot(s), and in this part we will explain how the IRC Bot PHP Pbot evolved. In all of the cases 4, 5, 6 and 7 there are pbots found. I guess the IDS scanner can detect some significant strings to filter this contents of these bot's codes, good job!

I made some writings of pbot we cracked in there links: [1] and [2], with or without encoding or obfuscation in its codes. I think those cases was spotted around 2012 and January 2013. Back then the pbot was having so limited "weapon" functions in attacking, which were:

- TCP Flood
- UDP Flood
- Port Scanning
Yes, that's it for the aggressive attack they had, TCP Flood & UDP Flood is the only DoS scheme they had back then. There are some IRC & networking related functions like "backconnect" to poke the master in some #hacker-paradise ircd waiting for the compromised sites popping up in their channels & etc IRC communication commands for the operational purpose of the bot.

Now let's we take a peek to the Case #4, in each directory "a/" or "b/" injected in the root directory of this FTP service you can find the script called li.php, and this files looks was last updated in June 1 & May 31, 2014.

This"version" of pbot is having improvement in UDP Flood attack function, as per below codes, which is supporting to the multiple scanning:

..and also the downgrade of the TCP Flood function into a TCP Connecting function:

The operation method used as a "bot" is focusing in utilizing Windows shell command execution by multiple methods in executing it, with additional a option for execution via the Perl method. Below are the snippet methods used to execute Windows shell:

..and this is how the Perl is used to perform shell execution:

The shell execution methods above are then linked to the PHP "evil" functions to be used for the further operations by this pbot:

The IRC connection method used is similar as previous version, a classic method used some other bots too, with the an array as per below, containing the IRC server IP, port number, password, channel, and host's auth, with additional components to be used for forming a specific format of NICK, and USER (with using the $ident):

By simulating the above information, forming a fake NICK using the stated logic, following the forming of USER name below, we can start to pretend as a bot to connect their IRC server:

A simple test like below will confirm the actor's server status:

It seems like China network is under abused to be utilized as IRC's CNC for this case's attacker:

Check Date: Tue Jun  3 01:21:20 JST 2014
IP: 222.216.30.28
ASN: 4134
Network Prefix: 222.216.0.0/15
AS Name: CHINANET
Country: CN
ISP: CHINATELECOM.COM.CN
Company: CHINANET GUANGXI PROVINCE NETWORK

There are other very generic functions commonly used in IRC bots like: making PING PONG pokes, sending email using the PHP mail function, get the system environment via PHP uname, downloading stuffs to the compromised server by utilizing safe area in /tmp, etc.. which I don't explain in here since you'll see it in the samples shared too, as a very self explanatory codes.

The sample in VT is here-->>[VT]
Let's move on to the next cases...

Case #5: A bummer pbot (no comment)

In this case we are dealing with the file named as bot.php . Well.. wow.. it must be a crook with a very high self-confidence or very stupid or a greenhorn skids to hack an FTP with uploading such straight forward file name. Protip: If you find this kind of file in your watched servers just please delete it without asking, or send it to Virus Total first and delete it, OK? :-) Don't worry, it must be bad, either the file or the person who named it that way.

OK, the bot.php is also a pbot with the same version as we discussed in Case #4. The difference with the previous case is the IRC connection (below pic) and the way it slices packet size for UDP Flood:

A test drive...

13:12 -!- Irssi: Looking up 120.43.64.62
13:12 -!- Irssi: Connecting to 120.43.64.62 [120.43.64.62] port 10000
13:12 -!- Irssi: Unable to connect server 120.43.64.62 port 10000 [Connection refused]
oh mai...what a bummer..

The sample in VT is here-->>[VT]
OK, let's move on!

Case #6 & # 7: BTC miners & PWS PE payloads + Behold.. New fully weaponized Pbots..

This is the case where I found the Cloudflare DDoS mitigation code, as I tweeted below:

Yes, I found the function in Pbot codes, was dated, in the earliest as from March 28th and 30th, 2014.

These two FTP cases are so identical in its injected payloads, gesturing the same actors are behind these two compromised FTP incident, we'll see it later..
While both site's root directories are filled by the WinPE binaries that was shown in above screenshots in Observation part. Later on we know those as Bitcoin Miners & PWS, old stuff mostly made by VB or .NET, known malware with good detection rates, you can get the samples and feel free to analyze yourself but I must skip these analysis for having not much time to write.

And the "pub/" directories of both sites are filled with bots, just like the WinPE in the root directories, the pattern of both sites are the same, as per shown below:

What I marked with the yellow color are the pbot(s) with the version that has been discussed in the Case #4, and looks like we have the evolution in version which was marked in the red color. The rest of the files will be explained separately.

Since we know the characteristic of pbot by peeking closely to their code, we can quick analyze the source of attacker in mass injection files like this with a simple grep command, to see straight to the source, in my case I grep the bellow strings:

array("server"=>"
And getting these answers for the "not so new" pbots:

With extracting these IRC channel used as CNC and their channels:
89.248.171.42 "chan"=>"#rhd" 
89.248.171.43 "chan"=>"#rhd" 
89.248.171.44 "chan"=>"#rhd" 
89.248.171.45 "chan"=>"#rhd" 
93.174.88.124 "chan"=>"#Xtreme"
94.102.63.134 "chan"=>"#Xtreme"
94.102.63.135 "chan"=>"#Xtreme"
94.102.63.136 "chan"=>"#Xtreme"
94.102.63.137 "chan"=>"#Xtreme"
And for the new/latest pbot I extarcted the below data:
124.php(3):    "server" => "93.174.88.124", "chan"=>"#lsass"
newbot.php(3): "server" => "89.248.171.54", "chan"=>"#lsass"
15.php(11):    "server" => "89.248.171.54", "chan"=>"#news"
bot15.php(11): "server" => "89.248.171.54", "chan"=>"#news"
So we have 4 channels in 10 IRC servers are herdering these pbots in two FTP cases, and shortly speaking, most of the IRC servers and channels are up and alive (checked & doing some investigation now..)

The ECATEL, Netherlands network in ASN: 29073 and network of 89.248.170.0/23 and 94.102.48.0/20 are completely being abused by these attacker for the IRC network CNC on these bots:

89.248.171.42|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
89.248.171.43|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
89.248.171.44|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
89.248.171.45|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
89.248.171.54|hosted-by.ecatel.net.|29073 | 89.248.170.0/23 | ECATEL | NL | ECATEL.NET | ECATEL LTD
93.174.88.124|hosted-by.ecatel.net.|29073 | 93.174.88.0/21 | ECATEL | NL | WEBHOST.COM.AU | DEDICATED SERVERS
94.102.63.134||29073 | 94.102.48.0/20 | ECATEL | NL | ECATEL.NET | ECATEL LTD
94.102.63.135||29073 | 94.102.48.0/20 | ECATEL | NL | ECATEL.NET | ECATEL LTD
94.102.63.136||29073 | 94.102.48.0/20 | ECATEL | NL | ECATEL.NET | ECATEL LTD
94.102.63.137||29073 | 94.102.48.0/20 | ECATEL | NL | ECATEL.NET | ECATEL LTD

On June 3rd, 2014. Some of previous version of pbot (with only had udp/tcp attack) was upgraded into the fully weaponized (with multiple L7 DDoS attack functionalities). There is no new IP for IRCd (CNC) used, but now we know precisely the meaning of the fikename is the last block of the IP address that is being used as CNC < this is a PoC that these crook is really using the segment of network described in the above list and utilizing it for the attack, No one will name an attack bot as IP address 42,43,44,45 which matched to the IP addresses used unless owning that network. Owning by the meaning maybe by hack, or.. more like by rent. Below is my tweet answering MR. Rik van Duijn's question about this matter, with the sample share:


Samples is in Virus Total ;-)) here --> [-1-] [-2-] [-3-] [-4-] [-5-] [-6-]

Well, we know the source of attacker. Now what is inside of the recent version of pbot and what is its difference with the previous version? Below are the explanation with the screenshots:

Basic function improved

The way they use the channel and connection are very specific:

This pbot version is having a set of User Agent for HTTP purpose (DDoS), as per listed below:

In this version, in forming the NICK the GeoIP codes is implemented:

There are some messages in Portuguese language, advising the coder's is from country that is speaking that language.

..and a lot of etc new bot functions which is improving the quality of the previous version pretty much, you can see it in the source code that will be shared later on.

Heavily armed and dangerous..

For the attack functionality this recent new pbot version has:

- udpflood
- httpflood (NEW!)
- synflood (IMPRPOVED!)
- slowlorrisflood (NEW!)
- rudyflood (NEW!)
- armeflood (NEW!)
- cloudflareflood (NEW!)
- tcpflood (IMPROVED)
- Data Cha0s Connect Back Backdoor (NEW)
I will snippet the NEW! attack function source code for the mitigation purpose with the quick explanation.

httpflood ; OK, at least now we know how user-agent is used :-)

synflood ; I personally not thinking SYN attack is new, but it is in a pbot..(at least for me) so here's the snips:

tcpflood ; Well.. this attack is not a dummy attack anymore.. Finally they figured a way to code this section :)

slowlorrisflood ; This is a DDoS method in sending packet without a haste to flood by using GET or POST, the logic is very interesting as per detailed below, the DDoS guard industries must review this code and start to make mitigation of this logic. Ref-->[link]

armeflood ; It's an attack focusing the HEAD flood request to the victims :

rudyflood ; I have no idea why this were named as "rudy" :-) But it is flooding victims with randomizing packet size and toying with the combination request Content-Length looks like the main purpose to DoS the victim's server:

cloudflareflood ; This is as per it sounds, a nasty code meant to evade Cloudflare. I tweeted this mentioning to Cloudflare to mitigate this code as soon as possible. Below is the attack logic:

If you see the CURL command used in above functions, is the homemade function actually:

"Data Cha0s Connect Back Backdoor" ; Wow..what a name! :D This evil code is actually hidden in conback($ip, $port) function here:

The logic is simply decoding & save the base64 blob into a .pl file, and executing it by perl. What was decoded is actually a SHELL in Perl:

I think that's it for the recent Pbot. For mitigation purpose, please learn the full code that can be seen in the samples (shared to the security community only).
The virus Total detection is as following result in each samples spotted: [-1-] [-2-] [-3-] [-4-]

The last mistery to solve is HOW the WinPE binary got into the root of this FTP server. It is answered by the rest of scripts located in "/pub", which are win.php. test.php and wink.php. These scripts looks like a helper of the pbot, to be executed for downloading the other files as per commanded by the bot herder. Well, the codes says thousand words, please see below snippets:

You can see the multiple method used to download those binaries. Mistery is solved :-)

Conclusion, infected IP, VT and samples

So now we see how much we can get by investigating only several URLs. Every alert is worth to investigate as deep as this (or I may say I expect deeper since I do this after day work only). You will never know what you will find unless you dive-in to it. Thank's again to "Yin" for allowing me to write this to raise awareness.

The PHP IRC pbot itself evolved from the to be a dangerous threat since the first time we covered 2 years ago. However the nature of itself is the same, like using PHP ..yet using Perl also, the way it connects the channel, and so on.. So it is very good to know each bots characteristic.
Pbot is now weaponized with many L7 DDoS attack pattern.

If you take a look into the www.digitalattackmap.com link-->(here) to view the current on going DDoS attack traffic to USA and it sources. I snapshot the map as per shown below, you will see that the countries related to the source of attackers disclosed in this series of posts is matched and I marked them in red circles in the map below:
I have no doubt that this findings is actually disclosing groups of DDoS attacker "skids".

I must urge to investigate deeper the IRC channels and the individuals who are running this L7 DDoS show, the ID is all there and is not a hard thing to infiltrate, so if you are familiar enough with IRC you can join our mission in visiting these servers to gain more intel that can get into a cyber crime cases to teach these skids a lesson.

Samples are shared in this URL with the secure code-->>[Secure Code: 110369]

The overall Part 1 and 2 mentioned compromised FTP information we announced as per below FTP url, IP addresses, Network Information and GeoIP. For the purpose to ask your help to clean up these infection;

ftp:// agunsa .cl/
ftp:// 192.210.235 .101/
ftp:// 37.187.99 .73/
ftp:// 188.165.74 .149/pub/
ftp:// 37.59.68 .30/pub/
ftp:// 204.44.81 .9/
ftp:// edge.leet .la/

200.72.244.167 
200.27.146.162
192.210.235.101
37.187.99.73
188.165.74.149
37.59.68.30
204.44.81.9
79.114.113.196

200.72.244.167||6471 | 200.72.224.0/19 | ENTEL | CL | ENTEL.CL | ENTEL CHILE S.A.
200.27.146.162||6429 | 200.27.128.0/19 | Telmex | CL | AGUNSA.CL | TELMEX CHILE INTERNETS.A.
192.210.235.101||36352 | 192.210.232.0/22 | AS-COLOCROSSING | US | COLOCROSSING.COM | VPS6.NET LP
37.187.99.73|cpe-92-37-48-248.dynamic.bluedesign.si.|16276 | 37.187.0.0/16 | OVH | FR | OVH.COM | OVH SAS
188.165.74.149||16276 | 188.165.0.0/16 | OVH | NL | OVH.COM | OVH SAS
37.59.68.30||16276 | 37.59.0.0/16 | OVH | FR | OVH.COM | OVH SAS
204.44.81.9|204.44.81.9.static.virtuaclub.com.|29761 | 204.44.64.0/18 | AS-QUADRANET | US | QUADRANET.COM | QUADRANET INC
79.114.113.196|79-114-113-196.rdsnet.ro.|8708 | 79.112.0.0/13 | RCS | RO | RDSNET.RO | RCS & RDS RESIDENTIALI

200.72.244.167, Santiago, Chile, SA
200.27.146.162, Santiago, Chile, SA
192.210.235.101, New York, United States, NA
37.187.99.73, , France, EU
188.165.74.149, , France, EU
37.59.68.30, , France, EU
204.44.81.9, , United States, NA
79.114.113.196, Timisoara, Romania, EU

Case 8: The hack scheme for BitCoin Mining using Perl Bot RFI scanner

This case is an additional, the last one, I received the report afterwards. The case is interesting so I decided to add this post's contents. It is about the hack attempt using many bots for spreading BitCoin Miners. The actor is hacking webapp RFI vulnerable services, injecting the bots and installing the bitcoin mining servers and applications in the compromised system, and then using the exploited system as a base to infect other services too.

The overall file list can be viewed in the snapshot above (the last one)-->>here. and the diagram below is the summary that I made to explain the legend of components that had been spotted in this act:

The classification of the files above "if" we want to see it by firing "file" is as per below:

But there are some mis detect also, for those let's do the manual check.

How the hack scheme is working

Before jump into details I will explain how the hack was done by the components above. The circle of this hack attempt was started by scanning using the Perl Bot/IRC called "perlb0t" (too obvious name..), and scanning for the RFI vulnerable sites and attack them to gain exploit. When shell was gained, what they do is injecting the site with file of "update" (or "c) which contains the code below to download the installer "a", and executed it:

The installer will run the below codes to preparing evil, installation to download miners and bots, and then running them without leaving any trace:

This is the initiation setup that was made by hacker after gaining this site, and preparing some remote executable scripts to download from this site and install to another machine like the "bot" script in PHP below:

The ELF files are UPX packer software, but "clamav" and "sh" are minerd, a known bitcoin miner daemon:

.rodata:0x06C318  Usage: minerd [OPTIONS]
.rodata:0x06C330  Options:
.rodata:0x06C339    -a, --algo=ALGO       specify the algorithm to use
.rodata:0x06C36E                            scrypt    scrypt(1024, 1, 1) (default)
.rodata:0x06C3AF                            sha256d   SHA-256d
.rodata:0x06C3DC    -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
.rodata:0x06C42B    -O, --userpass=U:P    username:password pair for mining server
.rodata:0x06C46C    -u, --user=USERNAME   username for mining server
.rodata:0x06C49F    -p, --pass=PASSWORD   password for mining server
.rodata:0x06C4D2        --cert=FILE       certificate for mining server using SSL
.rodata:0x06C512    -x, --proxy=[PROTOCOL://]HOST[:PORT]  connect through a proxy
.rodata:0x06C552    -t, --threads=N       number of miner threads (default: number of processors)
.rodata:0x06C5A2    -r, --retries=N       number of times to retry if a network call fails
.rodata:0x06C5EB                            (default: retry indefinitely)
.rodata:0x06C623    -R, --retry-pause=N   time to pause between retries, in seconds (default: 30)
.rodata:0x06C673    -T, --timeout=N       network timeout, in seconds (default: 270)
.rodata:0x06C6B6    -s, --scantime=N      upper bound on time spent scanning current work when
.rodata:0x06C703                            long polling is unavailable, in seconds (default: 5)
.rodata:0x06C752        --no-longpoll     disable X-Long-Polling support
.rodata:0x06C789        --no-stratum      disable X-Stratum support
.rodata:0x06C7BB    -q, --quiet           disable per-thread hashmeter output
.rodata:0x06C7F7    -D, --debug           enable debug output
.rodata:0x06C823    -P, --protocol-dump   verbose dump of protocol-level activities
.rodata:0x06C865    -S, --syslog          use system log for output messages
.rodata:0x06C8A0    -B, --background      run the miner in the background
.rodata:0x06C8D8        --benchmark       run in offline benchmark mode
.rodata:0x06C90E    -c, --config=FILE     load a JSON-format configuration file
.rodata:0x06C94C    -V, --version         display version information and exit
.rodata:0x06C989    -h, --help            display this help text and exit
.rodata:0x06C9C8  accepted: %lu/%lu (%.2f%%), %s khash/s %s
.rodata:0x06C9F8  DEBUG: job_id=^%s^ extranonce2=%s ntime=%08x
.rodata:0x06CA28  Stratum connection interrupted
.rodata:0x06CA48  {^method^: ^getwork^, ^params^: [], ^id^:0}
.rodata:0x06CA78  DEBUG: stale work detected, discarding
.rodata:0x06CAA0  {^method^: ^mining.submit^, ^params^: [^%s^, ^%s^, ^%s^, ^%s^, ^%s^], ^id^:4}
.rodata:0x06CAF0  submit_upstream_work stratum_send_line failed
.rodata:0x06CB20  {^method^: ^getwork^, ^params^: [ ^%s^ ], ^id^:1}
And the WinPE are all bitcoin mining application, although some AV stated these as "Not A Virus" I assure you that you never want these files to get into your system. VT report: [-1-] [-2-] [-3-]

Perl IRC/Bot "perlb0t"

This bot is nasty, and responsible for the RFI scanning and exploiting vulnerable hosts for being used to install bitcoin mining. "lol" and "plm" are these bot files. The highlights of this bot I'll paste it in images snipped below.

The IRC connection (CNC):

The host's port scanner
And this is how it scans the RFI vulnerability:
As you can see the path of "/SQuery/lib/gore.php?libpath=" is aiming the exploit shown in-->>here with more reference in-->>here
There is an interesting function called "Spreader" which actually searching for specific query of site via Google search engine, first they are preparing domains in an array:

And excute the search by Google API as per below:

And the HTTP query is formed here:

The other Perl bot (file: s0nia, php) called "Power Bot" is not that interesting at all and contains the basic bots as usual portscanner & basic HTTP flood attacks, with remote IRC connect, backconnect, and so on.., and the pbot (botphp file) found is the older version. So it is faster if you see the shared sample directly.

The CNC of this case are:
All of downloads are linked to OVH IP addess:

Req time: Wed Jun  4 22:50:59 JST 2014
UP: 176.31.255.138
Result: ns388807.ovh.net.|16276 | 176.31.0.0/16 | OVH | FR | OVH.COM | OVH SAS
And the IRCd used are listed below:
myircd.wha.la port: 3303 Nick: LINUX
oakleyharrod.mooo.com port: 3303 Nick: Bot
topsrv.us.to port: 3303 Nick Pma
topsrv.us.to port: 3303 Nick JSP
located in Turkey, Germany and France:
77.92.147.142|static-142-147-92-77.sadecehosting.net.|42910 | 77.92.147.0/24 | SADECEHOSTING | TR | SADECEHOSTING.COM | HOSTING INTERNET HIZMETLERI SANAYI VE TICARET ANONIM SIRKETI
85.214.70.175||6724 | 85.214.0.0/15 | STRATO | DE | STRATO.DE | STRATO AG
213.152.3.19|eleves.dev.advoo.fr.|8218 | 213.152.0.0/19 | NEO | FR | NEOTELECOMS.COM | NEO TELECOMS S.A.S.

The Case #8 samples can be download here after you fill the secure code-->>[Secure Code: 54349398].

And the VT links for these bot files are: [-1-] [-2-] [-3-] [-4-] [-5-]

Following the CNC network information gathered from this post's investigation, leading us to the DDoS're or Booter (or Stresser) services that are involved in using hacked FTP sites/accounts and utilizing the hacked server for performing DDoS activity. The DDoS'er services that is proven connected to this hack attack is posted in the next report, together with some popular DDoS'er tools covered, in here -->>[MMD Next Blog]

It's been a long writing, if you think it is useful and can help others, do not keep this information to your self but spread it out, it is good to make more sysadmins aware of these details. Stay safe, folks!

#MalwareMustDie!