HP Security Research Threat Intelligence Briefing - Episode 8

Thank you for subscribing to Episode 8 of the HP Security Research Threat Intelligence Briefing. In this briefing we explore the tools used by attackers. We have focused in previous episodes on various actors and their methods. Here we take a look at the arsenal faced by their targets and provide an in-depth analysis of a discovered PHP-based web shell labeled with “1n73ction v.3.1 special edition by the hacker x’1n73t.” The web shell was discovered on a server that was subjected to a zero day (0day) attack against a Joomla 1.5.26 web site protected by RSFirewall, resulting in a successful compromise and defacement.

 

Tools such as this are routinely updated. Since this research was completed, the tool has been updated with the current version being 3.3. The current tool version is shown in Figure 1 and has grown to nearly 5,000 lines of code.

 

Figure 1 - 1n73ction 3.3 UI [image pic1.jpg not reproduced]

 

Why study this attack?

Defacement of a single web site, especially of a small to medium sized business, may seem insignificant. However, thousands of web sites are defaced daily, resulting in tens of thousands of lost man-hours and millions of dollars each day. Most of these defacements are accomplished using mass defacement tools and rapidly discovered vulnerabilities, which are quickly converted into 0day exploits.

 

Studying an incident such as the one in this report is meant to help the reader to understand the entire process of a defacement attack and the potential deeper impact. In the single instance discussed in this paper, a few minutes of coordinated and automated work on the part of the attacker resulted in the defacement of 8 primary domains and 5 subdomains. A more substantial attack using the same methods could have resulted in the defacement of hundreds of primary domains.

 

The reader should keep in mind that the motivations behind defacement attacks, as well as their modus operandi, make them more readily identifiable. Website defacement attacks are generally used to spread a message the actor or group wants to disseminate, or to increase notoriety. Thus, visible damage is readily and quickly identified and remediated.

If the groups in this particular incident had decided not to publicize their activities via defacement, the tool deployed by the attackers could have been used to turn the 13 domains into server “zombies” without the immediate knowledge of the impacted parties. The web shell discussed in this paper allows the attacker to control all of the affected domains as part of a collective infrastructure to be used in accomplishing whatever hacking activities are desired, including Distributed Denial of Service (DDoS) attacks. DDoS has come back into vogue over the last couple of years. On September 24, 2013, a DDoS attack reaching 100Gbps without leveraging DNS amplification was reported, highlighting the massive scale of these attacks and the infrastructure behind them.[1]

 

This is staggering when one stops to contemplate the number of website defacements recorded by one of the largest repositories for hacking archives, Zone-H. The following annual statistics were recently posted by Zone-H:

Figure 2 - Yearly Defacements Reported to Zone-H[2] [image zoneh_defacement_chart.png not reproduced]

Note: 2013 total of 665.367 is as of June 5th, 2013

 

Fortunately, the defacement discussed in this briefing was caught and quickly remediated. However, many defacements are not addressed for weeks. This is startling when one considers that this web shell and others like it are now being loaded with code that can put the server's resources to work in DDoS attacks, a significant threat that has already been used by groups like Izz ad-Din al-Qassam Cyber Fighters to attack the U.S. banking infrastructure during OpAbabil[3].

 

The Elements of a Mass Hack and Defacement
Reconnaissance

To launch an attack such as this, a hacker needs a web site to hack. When an attack is geared toward a specific company or group, the targets are obvious, and most commonly in the form of computer systems and networks. In this scenario, the attackers meticulously research the organization and then build one or more exploits based upon the vulnerabilities that they find in that particular infrastructure.

 

Mass hackers also do research. However, instead of focusing on the infrastructure and then finding vulnerabilities to exploit, the mass hacker finds an effective exploit and then finds all of the systems that have that vulnerability. The Internet itself aids the mass hackers in their efforts. Web crawlers for well-known search engines such as Google and Bing methodically and constantly probe the Internet for the attackers. The attackers utilize the power of these massive web crawlers to find massive lists of potential “victims” which contain telltale signs that they may be vulnerable to their exploit of choice. This is often referred to as Google Hacking.[4]

 

While mass hackers can query these search engines manually, they more typically develop automated tools that “scrape” the search engines and return the results of their queries back to the mass hackers. Many times these tools are deployed as bots, which return their results to a command and control server, where the identified sites are then queued for attempted exploitation.

 

While it may sound complicated, the truth is that it is a relatively simple thing for even a novice programmer to do. There is a proliferation of example code that any programmer with a modicum of skill can modify to search for one or more vulnerabilities. During the course of investigating this particular attack, the investigator discovered a small Internet Relay Chat (IRC) network that was dedicated to launching bots to search the Internet for vulnerabilities and report them back for exploitation.

 

The network associated with this attack was found via a referrer URL in the logs and is located at: http://client01.chat.mibbit.com/?server=77.92.72.102. The bots being used in this network were sophisticated enough that they were being loaded with fresh vulnerability search terms from innocuous looking blog pages. A simple command by the person who runs the bot net (the bot herder) would cause the search bots in the specific IRC channel to read the specified web page and begin looking for any of the vulnerabilities posted to it.

 

This is how the attack described in this paper began. The indicator that led to this discovery was the referring URL left by the attack tool, which received its information from one of these search bots.

 
0Day Exploit and Bootstrap

The web server involved in this attack was protected by a commercial web firewall tool. It was patched regularly and at the time of the attack it had successfully defended against a variety of known attacks. This is analogous to a personal computer that has commercial anti-virus software and a properly configured firewall. However, like its personal computer equivalent, the web site was susceptible to a previously unpublished exploit, or 0day.

 

The 0day vulnerability that was exploited has now been published and is referred to as CVE-2013-5576[5]. Literally tens of thousands of web sites contained this vulnerability. The vulnerability affects the last version of Joomla release 1.5, as well as release 2 versions 2.5.13 and earlier, and release 3 versions 3.1.4 and earlier. Joomla has been a popular attack target of late.[6] The vulnerability, when exploited, allows anyone with access to the media manager to upload and execute arbitrary code simply by appending a period to the end of the file name they would like to run.

 

Analysis of the web logs shows that CVE-2013-5576 wasn’t immediately exploited. The attackers first posted an unrecovered PHP executable of 391 bytes in length named 3xp.php. This intermediate code was then invoked, resulting in the creation of another intermediate file, 0day.php. Finally, when this code was invoked, a file fitting the filename pattern specified in CVE-2013-5576 was seen: a temporary file named “imagesc053d7f69e151589d6b389a609a5be9a.php.”

 

This final file is referred to as a bootstrap, as it is small and takes its arguments via the HTTP GET method. Such bootstrapping is typical. The bootstrap normally contains a very limited set of functionality because of the length limits on the URLs through which HTTP GET arguments are passed.

 

In the case of this bootstrap we know that it responds to the command “clone”. Once the bootstrap was invoked with the argument “clone” the full web shell was in place on the system.
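The staging chain above (3xp.php, then 0day.php, then the CVE-2013-5576 temp file driven by GET arguments such as “clone”) leaves a recognisable trail in ordinary access logs. The following Python triage script is an added example written for this briefing, not code from the incident or from HP; it parses combined-format log lines and flags the indicators named in the narrative. The sample log lines are constructed: the file names, the hex temp-file name and the mibbit referrer are those quoted above, while the IP addresses, timestamps and the `?cmd=clone` query string are made up, and treating `/images/` as the Joomla media upload directory is an assumption about a default install.

```python
import re
from collections import Counter, namedtuple

# Combined-log-format parser (Apache/nginx default). Only the fields the rules need are kept.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

Hit = namedtuple("Hit", "rule ip ts path")

# Indicators drawn from the incident narrative. Treating /images/ as the Joomla media
# upload directory is an assumption about the default install layout.
RULES = [
    ("php-under-media-dir",    "path",    re.compile(r"^/images/[^?]*\.php", re.I)),
    ("cve-2013-5576-tempfile", "path",    re.compile(r"/images[0-9a-f]{32}\.php", re.I)),
    ("known-stager-name",      "path",    re.compile(r"/(3xp|0day)\.php(\?|$)", re.I)),
    ("bootstrap-clone-cmd",    "path",    re.compile(r"\.php\?[^ ]*\bclone\b", re.I)),
    ("irc-webclient-referer",  "referer", re.compile(r"chat\.mibbit\.com/\?server=", re.I)),
]

def parse_line(line):
    """Return the parsed fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Run every rule over every parsable line; return the Hit records in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, field, rx in RULES:
            if rx.search(rec[field]):
                hits.append(Hit(name, rec["ip"], rec["ts"], rec["path"]))
    return hits

def suspects(hits):
    """Count hits per source IP so the analyst can pivot on the noisiest address first."""
    return Counter(h.ip for h in hits)

# Constructed sample log (see the lead-in for which values are real and which are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2013:02:14:01 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:02:15:10 +0000] "GET /images/3xp.php HTTP/1.1" 200 391 "http://client01.chat.mibbit.com/?server=77.92.72.102" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:02:15:12 +0000] "GET /images/0day.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:02:15:20 +0000] "GET /images/imagesc053d7f69e151589d6b389a609a5be9a.php?cmd=clone HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2013:02:16:00 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts}  {h.ip}  {h.rule:24}  {h.path}")
    print(suspects(hits))
```

The `php-under-media-dir` rule is the broad one: a PHP file executing from an upload directory is wrong regardless of the exploit used, and a web server configured to refuse script execution under `/images/` would have broken this chain at the 3xp.php stage. The other rules are narrower and confirm, rather than discover, an intrusion of this specific shape.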

 

The Web Shell

Web shells are the persistence mechanisms used by hackers to maintain access to hacked web servers. There are a variety of these shells. Many have started out as conventional tools meant to allow a web site administrator to perform maintenance functions using a web browser. These shells, whether derived or written from scratch, when used by hackers, contain a variety of functions that allow the hacker to attempt privilege escalation, retrieve the underlying system information and use the compromised server for illegitimate purposes.

 
The Bot Code

To have a web site defaced is traumatic enough. To discover that a web shell has been placed onto the server to allow the attacker to maintain access, escalate privileges and attack other servers is even more disturbing. But in the case of this shell there was an additional surprise. The web shell had a function that created a Perl-based script that connected the compromised server to an IRC command and control channel, turning the server into a bot. The primary functionality of this bot code is to participate in DDoS attacks.

 
The Defacer and the Defacement

The defacement took place in the form of a new index.php file being uploaded. The file was copied into every directory one level down from the base directory, effectively defacing every site hosted on that virtual host. A screenshot of the original defacement is shown here:

 
Figure 3 - Biang Kerox Hacker Team Deface Page [image pic3.jpg not reproduced]
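Because the defacement was applied by copying one index.php into every directory one level below the base, a responder can recover the blast radius by hashing those files and grouping the directories that share a digest. The script below is an added example for this briefing (not HP's or the incident team's code): `find_cloned_index` does that grouping for a vhost root, and `build_sample_tree` constructs a throwaway directory layout with made-up site names and page contents so it can be run offline.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path):
    """Streamed SHA-256 of a file so large index.php files do not have to be read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_cloned_index(base_dir, name="index.php", min_copies=2):
    """Group the immediate subdirectories of base_dir whose index.php files are byte-identical.

    Returns {sha256: [subdir, ...]} for every digest shared by at least min_copies directories;
    a legitimate multi-site host rarely serves the same index.php from several document roots."""
    by_hash = defaultdict(list)
    for entry in sorted(os.scandir(base_dir), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        candidate = os.path.join(entry.path, name)
        if os.path.isfile(candidate):
            by_hash[sha256_of(candidate)].append(entry.name)
    return {h: dirs for h, dirs in by_hash.items() if len(dirs) >= min_copies}

def build_sample_tree():
    """Constructed demo layout: one vhost root with four sites one level down, three of
    which carry the same index.php. Names and contents are made up, not from the incident."""
    root = tempfile.mkdtemp(prefix="vhost-demo-")
    defaced = "<html><head><title>Hacked</title></head><body>constructed deface page</body></html>"
    legit = "<?php define('_JEXEC', 1); require 'includes/framework.php'; ?>"
    for site, content in [("site-a.example", defaced), ("site-b.example", defaced),
                          ("sub.site-a.example", defaced), ("site-c.example", legit)]:
        os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, site, "index.php"), "w") as f:
            f.write(content)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for digest, dirs in find_cloned_index(root).items():
        print(digest[:16], "shared by", dirs)
```

In a real investigation the shared digest doubles as an indicator to search the rest of the host (and backups) for, and the directories it lists are the ones whose logs need to be pulled before rotation.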
 

The page HTML was obfuscated to make it harder for an investigator to understand its capabilities. To deobfuscate the page, it was initially run through an online utility (http://jsbeautifier.org/) that organizes the code within the page into a more easily understood structure. Once the HTML was readable, it was apparent that the metadata section of the page was extensive. This is the section that is used by search engines as a part of their indexing algorithm. Keywords seen in the metadata section were:

 

Hacked By UYAP BIANG KEROX HACKER TEAM, Cybercow, biang kerox hacker team, INDONESIA FIGHTER CYBER, Crow, Malaysia, malingsial, f**k Malaysia (redacted), indonesia, indonesian, Hacked, cyber dunia maya, penjahat dunia maya

 

Also noticeable are artifacts, which will help with tracking these actors in other places online. In this case there are several embedded links to online content related to the presumed perpetrators. It should be noted that the series of picture links that are embedded in the HTML are not displayed. This shows how important it is to do source code analysis of defaced pages. Many times there are artifacts and references in the HTML code that are either overtly or inadvertently hidden on the final web page.

 

A series of pictures, many of which are sourced from Facebook, are also referenced. Many social media and other sites strip EXIF data from images. However, where the user simply points to online storage or to sites that do not strip EXIF data, the images can yield important information. By examining the HTML source code of the page it was also possible to identify the URLs of the pictures displayed.

The full incident timeline explained in full detail is covered in the companion guide.

 

Web Shell Capabilities Analysis
Webshell – A brief overview

This web shell is a derivative from the widely publicized and readily available b374k-shell hosted at https://code.google.com/p/b374k-shell/. This code has already been seen modified in the wild by the author and by a hacker known as Chahid Inj3ct0r. A cursory write up of the web shell functionality was written by the author and posted to http://dc406.com/component/content/article/695-chahid-inj3t0r-shell-code-analysis.html.

 

A Google search on 23-JUL-2013 for the specific string associated with the web shell yielded approximately 70 valid sites that were either hosting this shell (either overtly or inadvertently) or offering it for download. The code is offered for download by a person using the name x_inject on the hacker discussion forum 3xp1r3.com as early as 21-FEB-2013[7].

 
General Content Overview of the Webshell

The hacker x’1n73t gives credit to the author of the original web shell code. Additionally, credits are kept in all non-original source code. This allows insight into the names of other standalone software that has been incorporated into this “one-stop” hacker console.

 

The code shows an intermediate level of sophistication. While obfuscation and password mechanisms can still be readily defeated, the code shows maturity and a desire to present “hacker” functionality not readily available in the original b374k-shell code. An example of this is the author’s use of the simple ROT-13 substitution cipher in conjunction with the base64_decode and gzinflate routines in the payload.
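The ROT-13 plus base64 plus gzinflate stacking described above is a layered wrapper, and the analyst's job is to peel the layers in the reverse order the shell applies them. The Python below is an added example written for this briefing, not code from the 1n73ction shell or from b374k: `peel_layers` recognises an `eval(f1(f2(f3('...'))))` wrapper, applies the matching decoders innermost-first, and repeats until plain code or an unknown function is reached. PHP's `gzinflate()` consumes raw DEFLATE, hence the negative window bits. `pack_like_shell` is a constructed packer that mimics the described stacking so the peeler can be exercised offline; it is not the shell's own encoder.

```python
import base64
import codecs
import re
import zlib

# Decoders for the PHP wrapper functions this family of shells stacks around its payload.
# Each maps bytes -> bytes. gzinflate() in PHP is raw DEFLATE, hence the negative wbits.
DECODERS = {
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),
    "gzuncompress": zlib.decompress,   # zlib-wrapped variant some forks use
}

# eval( f1( f2( f3( '....' ) ) ) );  -- captures the wrapper chain and the quoted blob
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2\s*\)+\s*;?", re.S)

def peel_layers(php_src, max_layers=25):
    """Strip nested eval(...) wrappers until plain code or an unknown wrapper is reached.

    Returns (decoded_source, chains); chains lists the wrapper functions removed per
    layer, outermost first, e.g. ['gzinflate', 'base64_decode', 'str_rot13']."""
    chains = []
    current = php_src
    for _ in range(max_layers):
        m = WRAPPER_RE.search(current)
        if not m:
            break
        chain = re.findall(r"\w+", m.group(1))
        data = m.group(3).encode("latin-1")
        try:
            for fn in reversed(chain):          # innermost wrapper was applied last, so undo it first
                data = DECODERS[fn](data)
        except (KeyError, ValueError, zlib.error):
            break                               # unknown wrapper or corrupt blob: stop here
        chains.append(chain)
        current = data.decode("latin-1")
    return current, chains

def pack_like_shell(payload):
    """Constructed packer reproducing the rot13 + base64 + raw-DEFLATE stacking described
    in the briefing. Sample packaging only, not code from the 1n73ction shell."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    deflated = c.compress(payload.encode("latin-1")) + c.flush()
    blob = codecs.encode(base64.b64encode(deflated).decode("ascii"), "rot_13")
    return "<?php eval(gzinflate(base64_decode(str_rot13('%s')))); ?>" % blob

if __name__ == "__main__":
    sample = pack_like_shell(pack_like_shell("echo 'two layers deep';"))
    code, chains = peel_layers(sample)
    print(chains)
    print(code)
```

Stopping at an unknown wrapper rather than guessing is deliberate: the bolt-on code described later in this analysis mixes encodings from several sources, and a peeler that silently skips a layer will hand the analyst a blob that looks decoded but is not.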

 

As with the original b374k-shell, this code uses techniques that allow it to run in both a WAMP (Windows, Apache, MySQL, PHP) environment and a LAMP (Linux, Apache, MySQL, PHP) environment. Various global variables are set based upon the environment encountered to aid in proper function of routines on both operating systems.

 

While the code is modular to a certain degree, it is obvious that it has not been written from scratch and that pre-existing code has been “bolted on” to the framework. “Bolt-on” methods sometimes have redundant code that could have been modularized if the system were written from scratch. Additionally, obfuscation and deobfuscation techniques vary. Sometimes code is simply base64 encoded, sometimes it is gzip compressed after encoding. Probably one of the biggest indicators of this less than efficient code adaptation is the mixed use of language for variables and functions. Some routines and variable names are in Indonesian, at least one is in Malay, but the majority are in English.

The web shell itself is a considerably rewritten variation of an early version of b374k-shell that resides at: https://code.google.com/p/b374k-shell/. The b374k shell was originally written and is maintained by Jayalah Indonesiaku. While much of the functionality in the inj3cti0n shell is not in the b374k shell, there are new features in the newest release (version 2.7) of the b374k shell that are not in the inj3cti0n shell. Particularly of note is the b374k shell’s support for reverse and forward port binding using Python as well as C and Perl. The b374k shell also has a control panel interface for displaying and controlling running processes. Additionally, the newest version of b374k has abandoned the use of GET as a control mechanism. It now uses only POST commands to manage the state of the application and internal parameters.

  
Boot_DDoS Detailed Analysis

Boot_DDoS is a Perl script that acts as a botnet listener. The idea behind this code, which can be deployed from the web shell with the push of a button, is perhaps the most frightening aspect of this otherwise mundane shell. IT security has been dealing with botnets, networks of user computers under someone else’s control, for some time. The server-based botnet code presented here is a real-world example of server botnet control software, an emerging trend.

 

What is a Bot?

A bot is generally a program that connects to some sort of command and control facility in order to receive commands and relay the results of the commands back to the controller, commonly referred to as a botherder. While bots can be controlled through a variety of mechanisms, one of the most common is the Internet Relay Chat (IRC) protocol. IRC lends itself well to command and control because it is real-time, lets every connected client see the same messages at the same time, and has a variety of utilities that can be used to interact with it programmatically.

 

An IRC server contains a variety of rooms or channels where people (or bots) can meet and share real-time text messages. Channels are typically denoted by the representation #CHANNELNAME.

 

About the Code Author

The code is written in Perl. Attribution is given to Antonkill, a member of the Biang Kerox Team[8]. The comments section of the code includes various references to Indonesia Fighter Cyber and Biang Kerox. Other indicators suggest that AntonKill is associated with these groups, so, unlike other parts of the web shell, this code could represent an original work by Indonesian Muslim hackers.

 

The base code is written in Spanish, indicating either that its author is a Spanish speaker or that the base code was copied from another IRC bot package and then repurposed for use by IFC.

 

Default IRC Bot Configuration for This Code

In the case of the bot software in question, the default IRC server to connect to is irc.jatimcom.net on port 6667.

 

At the time of this writing irc.jatimcom.net resolved to the following cluster of servers:

 

  • 203.172.220.83 – Thailand, Ministry of Education
  • 208.98.42.199 – Las Vegas, NV (Sharktech)
  • 209.236.75.45 – Providence, UT (WestHost)
  • 210.118.171.37 – Seoul, South Korea
  • 211.115.127.19 – Seoul, South Korea
  • 85.214.46.96 – Berlin, Germany
  • 115.69.218.165 – Surabaya, Indonesia
  • 188.241.79.4 – Bucharest, Romania

 

The channel that the bot is configured to connect to is #IFC (obviously Indonesia Fighter Cyber).

The bot connects with the name “INDONESIA-FIGHTER-nnnnnn”, where nnnnnn is a random number calculated at the start of the program.

 

Remote Bot Reconfiguration

The bot code opens a remote file at:

 

http://h4ck3d.wsnw.net/mic22.txt

 

This URL is not currently active but may have represented a way for the botherder to change default configuration information on the fly.

 

 

Anti-Interruption Techniques

Very early in the code the program disables signal handling. Signals are the way in which the operating system can restart, kill or otherwise influence a process. The code sets all such handling to 'IGNORE'.

 

# Ignore interrupt, hangup, terminate and child-exit signals so the bot
# survives Ctrl-C, terminal hangups and plain kill attempts.
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
# PS is not a standard POSIX signal name; Perl accepts the assignment but it has no effect.
$SIG{'PS'} = 'IGNORE';
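On Linux the effect of those assignments is visible from outside the process: the kernel exposes each process's ignored-signal mask as the `SigIgn` line of `/proc/<pid>/status`, with bit n-1 set when signal n is ignored. The script below is an added example for this briefing, not HP's or the bot's code; it decodes that mask and flags interpreter processes that ignore HUP, INT and TERM together, which is the state the bot leaves itself in. The two status excerpts are constructed (the PIDs are made up), the first built to match the bot's signal set and the second a normal worker; the signal numbers assume an x86 or ARM Linux host.

```python
import os
import re

# Linux signal numbers on x86/ARM; bit (n-1) of the SigIgn mask set means signal n is ignored.
SIGNUMS = {"HUP": 1, "INT": 2, "TERM": 15, "CHLD": 17}
TERMINATION = {"HUP", "INT", "TERM"}

def ignored_signals(status_text):
    """Decode the SigIgn line of a /proc/<pid>/status dump into a set of signal names."""
    m = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        return set()
    mask = int(m.group(1), 16)
    return {name for name, num in SIGNUMS.items() if mask & (1 << (num - 1))}

def process_name(status_text):
    """The Name: field of a status dump (the executable's comm name), or '' if absent."""
    m = re.search(r"^Name:\s*(\S+)", status_text, re.M)
    return m.group(1) if m else ""

def is_suspect(status_text, interpreters=("perl", "php", "python", "sh", "bash")):
    """Flag an interpreter process that ignores HUP, INT and TERM together, the pattern the
    bot installs at startup. Legitimate web workers rarely ignore all three at once."""
    return process_name(status_text) in interpreters and TERMINATION <= ignored_signals(status_text)

def scan_proc(proc="/proc"):
    """Walk a live /proc and return (pid, name, ignored) for every suspect process."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "status")) as f:
                text = f.read()
        except OSError:
            continue                      # process exited or is not readable; skip it
        if is_suspect(text):
            found.append((int(pid), process_name(text), sorted(ignored_signals(text))))
    return found

# Constructed status excerpts. The first mirrors what the bot's $SIG assignments produce
# (HUP, INT, TERM and CHLD ignored: bits 0, 1, 14 and 16 -> 0x14003); the second is a normal worker.
BOT_STATUS = "Name:\tperl\nState:\tS (sleeping)\nPid:\t4242\nSigIgn:\t0000000000014003\nSigCgt:\t0000000000000000\n"
BENIGN_STATUS = "Name:\tperl\nState:\tS (sleeping)\nPid:\t4243\nSigIgn:\t0000000000000000\nSigCgt:\t0000000000000002\n"

if __name__ == "__main__":
    print("bot-like:", is_suspect(BOT_STATUS), sorted(ignored_signals(BOT_STATUS)))
    print("benign:  ", is_suspect(BENIGN_STATUS))
    if os.path.isdir("/proc"):
        print(scan_proc())
```

A process that ignores TERM still dies to SIGKILL, which cannot be ignored, so the check is useful for finding the bot rather than for stopping it; on a shared web host, pairing the result with the parent PID (also in the status file) quickly shows whether the interpreter was spawned by the web server's worker.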

 

Bot Capabilities

The code contains routines for the following general areas of functionality:

#-----[Hacking Based]-----
#-----[Advisory-New Based]-----
#-----[DDos Based]-----
#-----[IRC Based]-----
#-----[Flooding Based]-----

 

Each will be discussed in order.

 

Hacking Based Functions

These commands allow the botherder to use the resources of the bot to perform hacking activities.

 

  • multiscan
  • socks5
  • sql2
  • portscan
  • logcleaner
  • sendmail
  • system
  • cleartmp
  • rootable
  • nmap
  • back
  • linuxhelp
  • cd

 

Advisory-New Based Functions

These commands allow the botherder to have the bot access various information portals associated with vulnerabilities.

 

  • packetstorm
  • milw0rm

 

DDoS Based Functions

These commands allow the botherder to force the bot to use its resources in a Denial of Service attack.

 

  • udpflood
  • tcpflood
  • httpflood
  • sqlflood

 

IRC Based Functions

These commands allow the botherder/bot to perform normal activities in the IRC channel.

 

  • killme
  • join
  • part
  • reset
  • voice
  • owner
  • deowner
  • devoice
  • halfop
  • dehalfop
  • op
  • deop

 

Flooding Based Functions

These commands allow the botherder to force the bot to attack the IRC server itself.

 

  • msgfllod
  • dccflood
  • ctcpflood
  • noticeflood
  • channelflood
  • maxiflood

 

Summary

In this report we dissect a tool that provides attackers with a full attack suite when launching a campaign targeting various web site platforms. Many indicators of compromise are provided along with a full analysis of the tools. This tool not only allows an attacker to use a compromised server as a platform to launch attacks but also leverages IRC to build a botnet so that these attacks can be distributed.

 

Through this analysis, the goal is to educate the reader on the capabilities of an adversary, or group of adversaries. Tools such as these are the arms used in the cyber conflict that IT security professionals engage in every day.

 

The companion report attached supports Episode 8 of the HP Security Research Threat Intelligence Briefing podcast available on the Web and iTunes. The regular podcasts and the associated companion reports are published through the HP Security Research blog at hp.com/go/hpsrblog.