Monday, December 9, 2013

Like shooting phish in a barrel

So, I got sent yet another phishing email to look into. Let's just say everything about this one had me laughing. Here is the email as it appeared:

The world's least obvious phishing email
Of course, me, being the curious guy I am, decided to click on it. I was presented with a "[redacted]redirect.php" page, which took me to a new page that did all of the "phishing".
Boy, that's sure not obvious
Right off the bat, it's pretty obvious we are dealing with an "Advanced Persistent Threat". This is not your normal script kiddie, they even included a tiled and watermarked map of the world! Impressive. In all seriousness, this was uploaded to a WordPress server under the wp-admin directory, indicating that the server was compromised. The compromised server is riddled with vulnerabilities due to having an outdated version of WordPress (3.4.2) and a number of vulnerable plugins.

Clicking one of the services brings up the following:
Foolproof!
If you notice the URL, the page is running under xxxxxxxxx.com/wp-admin/css/sw/. Directory indexing was left enabled on this server, so if you go back a folder, you are able to list the contents of the /css directory.
Did someone say "source code"?


Yep, download the zip and voila, source code of everything relating to the attack page.
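The two conditions that made this kit recoverable, an outdated core and directory indexing left on, are the ones a site owner should be checking for. The following is an added example, not code from the post or from WordPress, that audits a docroot for both. It runs against a constructed sample docroot: the 3.4.2 version string is the one the post reports, the 3.7.1 minimum is an assumption, and the .htaccess check only covers one of the places Apache lets you toggle indexes.

```python
import os
import re
import tempfile

# Constructed sample files standing in for a WordPress docroot; the 3.4.2
# version string is the one the post reports, everything else is made up.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.4.2';
$wp_db_version = 21115;
"""

# A stock WordPress .htaccess: rewrite rules only, nothing about indexes.
SAMPLE_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
</IfModule>
# END WordPress
"""

# Assumption: the release the auditor treats as the minimum acceptable core.
MIN_VERSION = (3, 7, 1)


def parse_wp_version(text):
    """Pull $wp_version out of wp-includes/version.php as a tuple of ints."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    if not m:
        return None
    # '3.8-beta1' style strings keep only their numeric parts
    return tuple(int(p) for p in re.findall(r"\d+", m.group(1)))


def indexes_disabled(htaccess_text):
    """True only if an Options line explicitly turns indexing off and no later
    Options line switches it back on (heuristic, not a full Apache merge)."""
    state = False
    for line in htaccess_text.splitlines():
        line = line.strip().lower()
        if not line.startswith("options"):
            continue
        if "-indexes" in line:
            state = True
        elif "indexes" in line:  # "+Indexes" or bare "Indexes" re-enables it
            state = False
    return state


def audit_docroot(docroot, min_version=MIN_VERSION):
    """Return a list of findings for the two problems the phishing kit relied on."""
    findings = []
    try:
        with open(os.path.join(docroot, "wp-includes", "version.php")) as f:
            version = parse_wp_version(f.read())
    except OSError:
        version = None
    if version is None:
        findings.append("could not determine WordPress version")
    elif version < min_version:
        findings.append("outdated WordPress %s (minimum %s)" % (
            ".".join(map(str, version)), ".".join(map(str, min_version))))
    try:
        with open(os.path.join(docroot, ".htaccess")) as f:
            disabled = indexes_disabled(f.read())
    except OSError:
        disabled = False
    if not disabled:
        findings.append("directory listing not disabled in .htaccess "
                        "(add 'Options -Indexes' or check httpd.conf)")
    return findings


def build_sample_docroot():
    """Write the constructed docroot to a temp dir and return its path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-admin", "css"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write(SAMPLE_VERSION_PHP)
    with open(os.path.join(root, ".htaccess"), "w") as f:
        f.write(SAMPLE_HTACCESS)
    return root


if __name__ == "__main__":
    for finding in audit_docroot(build_sample_docroot()):
        print("FINDING:", finding)
```

The .htaccess test is a heuristic; the authoritative check is simply requesting a directory such as /wp-admin/css/ over HTTP and seeing whether the server answers with a listing instead of 403.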

Open up one of the $webmail_service.php pages and we are greeted by comedy gold.

Plug the email or name into Google and you get his Twitter page, which includes the city our ub3r1337 hacker lives in:
Everything seems to match up
Alright, so now we have a Twitter account, full name, email, and city... I stopped at this point because it was getting pretty ridiculous, but you can easily see where someone could have gone with this.

Let this serve as an open letter to aspiring phishermen out there:

1. Don't do it. It's not worth it.
2. If you compromise a web server, don't be stupid enough to send emails from it to your personal email address.
3. Don't put your name in your source code.
4. Don't let people access your source code.
5. Don't do it. It's not worth it.

This goes to show that if you do not keep your WordPress server updated and patched, you are opening the gates to all kinds of people with malicious intent, including (highly skilled) hackers like this one...

Friday, August 16, 2013

Quick analysis of a Zeus Bot

At work, I got a few reports from users regarding a suspicious email. After looking at it, I had to admit, it was pretty convincing. They spoofed the sender to be [administrator@ourdomainname.tld] and targeted very specific users within our organization. The actual text was well done as well, saying that we had received a fax titled our "June Payroll" and providing a link to "View this file online".

I did some checking into the headers and noticed that they were using a compromised mail server belonging to a manufacturing company out in Illinois. After notifying the company, I spun up a VM and decided to check out the link for myself.

The webpage it linked to wasn't anything impressive: pretty much just a standard "you have to update your Flash Player to view this document" page that linked to a totally-not-malicious executable called "update_flash_player.exe". I ran it through VirusTotal and, surprisingly enough, got no hits back. So I launched it in the VM and watched the traffic as it called out. Right away, I noticed it pulling down 5 separate executables.

I didn't want to blank the IP addresses, but it's for the best


After pulling them down and launching them, the VM started making DNS queries to what tried to look like a webmail server. From there, the VM kept talking to it, so I assumed that this was the C&C.

Blocking out my DNS server


Recently, I came across an interesting site called urlquery.net. From the website:
"urlQuery is a free online service for testing and analyzing URLs, helping with identification of malicious content on websites. The main focus of urlQuery is to find and detect suspicious and malicious content on webpages, to help improve the security industry and make the internet a safer place."

So I ran the URL through urlQuery, and it gave me an interesting hit.

Seriously, urlQuery is awesome. Give it a try.


The fact that there was a webserver running on 8080 did not surprise me, but what caught my eye was "gate.php". I remembered that "gate.php" is the name of the PHP page that Zeus bots use to talk to their C&C. Curious to see if I could get access to the control panel, I took a look at the default Zeus pages.

cp.php is the control panel for Zeus, but trying that failed.

Of course, even cyber-criminals are predictable, so after trying admin.php, I was presented with a lovely Russian login page.

Bingo!
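The traffic shape described above, a bot POSTing to gate.php on a non-standard port, is easy to pick out of proxy logs once you know to look for it. The following is an added example, not from the post or from any Zeus tooling: scoring logic run over constructed Squid-style access.log lines. The client addresses, hostnames and the 203.0.113.10 C&C address are placeholders from documentation ranges, and the weights are an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native access.log lines (not from the post's environment):
# timestamp elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1376661234.101    120 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1376661240.334     88 10.0.0.5 TCP_MISS/200 312 POST http://webmail-lookalike.example.net:8080/gate.php - DIRECT/203.0.113.10 text/html
1376661241.002     90 10.0.0.7 TCP_MISS/200 312 POST http://203.0.113.10:8080/gate.php - DIRECT/203.0.113.10 text/html
1376661300.500    100 10.0.0.5 TCP_MISS/200 1024 GET http://updates.example.org/dist/archive.zip - DIRECT/198.51.100.9 application/zip
1376661360.777     95 10.0.0.5 TCP_MISS/200 312 POST http://203.0.113.10:8080/gate.php - DIRECT/203.0.113.10 text/html
1376661420.901     97 10.0.0.5 TCP_MISS/200 312 POST http://203.0.113.10:8080/gate.php - DIRECT/203.0.113.10 text/html
1376661500.123     60 10.0.0.9 TCP_MISS/404 200 GET http://www.example.com/gate.php - DIRECT/93.184.216.34 text/html
"""

# gate.php is the bot check-in; cp.php and admin.php are the panel pages the post tried.
ZEUS_PANEL_FILES = {"gate.php", "cp.php", "admin.php"}

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def parse_line(line):
    """Break one Squid line into the fields the scoring needs; None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    port = url.port or (443 if url.scheme == "https" else 80)
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "method": m.group("method"), "host": url.hostname or "",
            "port": port, "path": url.path}


def score(rec):
    """Return (points, reasons) for one request; higher means more Zeus-like.
    Weights are an assumption: a POST to gate.php alone is enough to flag."""
    points, reasons = 0, []
    basename = rec["path"].rsplit("/", 1)[-1]
    if basename == "gate.php" and rec["method"] == "POST":
        points += 2
        reasons.append("POST to gate.php (bot check-in)")
    elif basename in ZEUS_PANEL_FILES:
        points += 1
        reasons.append("request for known Zeus panel file %s" % basename)
    if rec["port"] not in (80, 443):
        points += 1
        reasons.append("non-standard port %d" % rec["port"])
    # a raw IP as the host is only counted on top of another signal
    if reasons and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", rec["host"]):
        points += 1
        reasons.append("host is a raw IP")
    return points, reasons


def find_checkins(log_text, threshold=2):
    """Return (client, host, port, reasons) for every line at or above the threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        points, reasons = score(rec)
        if points >= threshold:
            hits.append((rec["client"], rec["host"], rec["port"], reasons))
    return hits


def beacons_by_client(hits):
    """Count check-ins per (client, host, port) so a repeating beacon stands out."""
    counts = defaultdict(int)
    for client, host, port, _ in hits:
        counts[(client, host, port)] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_checkins(SAMPLE_LOG)
    for key, n in sorted(beacons_by_client(hits).items()):
        print("%s -> %s:%d  %d check-in(s)" % (key[0], key[1], key[2], n))
```

The 404 GET for /gate.php on a normal website scores only one point and is left alone, which is the point of scoring rather than matching on the file name by itself.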


BK Rios had written a tool for Zeus C&C takeovers, but I had no way of verifying the version number of this C&C. If anyone has any way of identifying this, please let me know in the comments below. Either way, it was at least worth a peek; the only problem is, I would have to extract the RC4 encryption key from the bot. I'm not very good (read: never attempted before) at memory forensics, so this presented a challenge. Thankfully, there's a lovely framework called Volatility that makes memory forensics really easy.

First, I did a connection scan to look at outgoing connections in my VM's memory dump.

Then I cross-referenced the PID against the running processes.

Finally, I pulled additional details on that process.
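The three steps above, carried out in code as an added example (not the author's commands or output, which the post shows only as screenshots): parse Volatility 2 connscan and pslist output, map every connection to the C&C address back to the PID that owned the socket, and walk that process's parent chain. The plugin names and profile in the comments, and every address, PID and process name in the constructed sample, are assumptions.

```python
import re

# Constructed Volatility 2 output, of the shape produced by commands like:
#   vol.py -f memdump.raw --profile=WinXPSP3x86 connscan
#   vol.py -f memdump.raw --profile=WinXPSP3x86 pslist
#   vol.py -f memdump.raw --profile=WinXPSP3x86 dlllist -p <pid>
# Profile, addresses, PIDs and names are placeholders, not values from the post.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.168.56.101:1061       203.0.113.10:8080         1240
0x020a3e80 192.168.56.101:1058       93.184.216.34:80          1196
0x020b1100 192.168.56.101:1070       203.0.113.10:8080         1240
0x020c4a40 192.168.56.101:1075       203.0.113.10:8080         1388
"""

PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x8221c560 explorer.exe           1196   1148     14      400      0      0 2013-08-16 14:02:11 UTC+0000
0x81f2a020 update_flash_pl        1240   1196      3       60      0      0 2013-08-16 14:03:45 UTC+0000
"""

CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")
PS_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_connscan(text):
    """One dict per connscan row; header and separator lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"laddr": m.group(1), "lport": int(m.group(2)),
                          "raddr": m.group(3), "rport": int(m.group(4)),
                          "pid": int(m.group(5))})
    return conns


def parse_pslist(text):
    """Map PID -> {name, ppid} from pslist output (names are truncated by the kernel)."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs[int(m.group(2))] = {"name": m.group(1), "ppid": int(m.group(3))}
    return procs


def processes_talking_to(connscan_text, pslist_text, remote_ip):
    """Step 1 and 2 of the post: connections to the C&C, joined to the owning process.
    A PID that connscan saw but pslist does not list is reported rather than dropped:
    connscan carves pool memory, so it also returns sockets of exited (or hidden) processes."""
    procs = parse_pslist(pslist_text)
    result = {}
    for c in parse_connscan(connscan_text):
        if c["raddr"] != remote_ip:
            continue
        p = procs.get(c["pid"])
        entry = result.setdefault(c["pid"], {
            "name": p["name"] if p else "<not in pslist: exited or hidden, try psscan>",
            "ppid": p["ppid"] if p else None,
            "remote_ports": set()})
        entry["remote_ports"].add(c["rport"])
    return result


def parent_chain(pslist_text, pid):
    """Step 3 in spirit: walk PPIDs upward so the dropper's lineage is visible."""
    procs = parse_pslist(pslist_text)
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, info in processes_talking_to(CONNSCAN, PSLIST, "203.0.113.10").items():
        print(pid, info["name"], sorted(info["remote_ports"]), parent_chain(PSLIST, pid))
```

Once the PID is known, dlllist -p and a process dump are the natural next step for carving out the RC4 key the post mentions; that part is not shown here.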



Unfortunately, the C&C page went back to normal, and now looks like a legitimate website. The control panel is no longer accessible.


MD5 hashes of the binaries that were pulled down:
f2kr.exe:7F87B186C01BA3B107864604B967395B
DH8xSJxy.exe:DAFBE310C26ED5EC1EF5FCD0A0A3FECE