// #MalwareMustDie! @unixfreaxjp
// It's a day off today and I've got to go, so this is half-way work.
// TODO tasks for our "crusaders":
// 1. Take down all of the URLs stated below
// 2. Continue to PoC the payload fetch; the exploit URLs are all extracted clearly now.
// Based on the report from Gi0vann1 @Sug4r:)) (with thx & #w00t!): http://pastebin.com/2x1JinJd
// also thx to @shibumi for the comm! thx also to @node5 for recognizing LightsOut/Hello EK
// thx for Set's database, used to compare the HelloEK details.
/* The malware is Havex RAT, bad stuff. ref: http://www.businessinsider.com/countries-targeted-by-russia-hack-2014-1
   suspecting a watering-hole scheme for a wide range of hits.. */
// Exploitation Verdict Analysis
EK:
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php // Landing page EK
EK Details (HelloEK):
// Infection Checker:
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php
// Landing Page PD
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php?a=h1&f=51d0f9f5d6d2c5ff3ade4b38bb7c1ceb&u=Mozilla%2F5.0%20(Windows%3B%20U%3B%20MSIE%207.0%3B%20Windows%20NT%205.2)%20Java%2F1.5.0_08
// Exploit:
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php?a=h2 // Non-IE, Java <= 1.7.17
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php?a=h3 // IE 7, Java <= 1.7.17
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php?a=h4 // IE 6, Win/NT < 6
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php?a=h5 // IE 7, Win/NT < 6, Java <= 1.7.17
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php?a=h6 // IE 8, Win/NT < 6
h00p://mahsms.ir/wp-includes/pomo/dtsrc.php?a=h7 // Non-IE, Java <= 1.6.32
// HAVEX CNC CHECKED:
h00p://pekanin.freevar.com/include/template/isx.php // (null)
h00p://simpsons.freesexycomics.com/wp06/wp-includes/po.php // (encoded CNC hexcode)
h00p://toons.freesexycomics.com/wp08/wp-includes/dtcla.php // (encoded CNC hexcode)
h00p://www.pc-service-fm.de/modules/mod_search/src.php //
h00p://artem.sataev.com/blog/wp-includes/pomo/src.php // 404
h00p://swissitaly.com/includes/phpmailer/class.pop3.php // 404
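// Added example (my code, not from the original notes or the kit): decode the HelloEK
// landing URL captured above and list which exploit branches (h2..h7) from the
// "Exploit:" table fit a victim's User-Agent. Assumptions, not facts from the page:
// "Java <= 1.7.17" is read as JRE 1.7.0 update 17 (so "Java/1.5.0_08" -> (1, 5, 8)),
// "Win/NT < 6" is read as the "Windows NT x.y" kernel version in the UA (5.x = XP/2003),
// and the a/f/u parameter names are taken from the captured URL only. The kit's real
// selection logic (PluginDetect) is not on the page, so this is a triage profiler, not the kit.

```python
import re
from urllib.parse import parse_qs, urlsplit

NON_IE = "non-IE"

# Transcribed from the "Exploit:" table above: branch -> (IE requirement, NT below, Java max)
BRANCHES = {
    "h2": (NON_IE, None,   (1, 7, 17)),
    "h3": (7,      None,   (1, 7, 17)),
    "h4": (6,      (6, 0), None),
    "h5": (7,      (6, 0), (1, 7, 17)),
    "h6": (8,      (6, 0), None),
    "h7": (NON_IE, None,   (1, 6, 32)),
}


def decode_landing(url: str) -> dict:
    """Split the landing URL into its a/f/u parameters (u is percent-decoded by parse_qs)."""
    q = parse_qs(urlsplit(url).query)
    return {k: q.get(k, [None])[0] for k in ("a", "f", "u")}


def parse_ie(ua: str):
    """'MSIE 7.0' -> 7; None for non-IE browsers."""
    m = re.search(r"MSIE (\d+)\.", ua)
    return int(m.group(1)) if m else None


def parse_nt(ua: str):
    """'Windows NT 5.2' -> (5, 2); None if no NT token."""
    m = re.search(r"Windows NT (\d+)\.(\d+)", ua)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_java(ua: str):
    """'Java/1.5.0_08' -> (1, 5, 8); 'Java/1.7.0' -> (1, 7, 0); None if no Java token."""
    m = re.search(r"Java/(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", ua)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(update if update is not None else micro))


def matching_branches(ua: str) -> list:
    """Branch names whose conditions the UA satisfies, in table order."""
    ie, nt, java = parse_ie(ua), parse_nt(ua), parse_java(ua)
    hits = []
    for name, (want_ie, nt_below, java_max) in BRANCHES.items():
        if want_ie == NON_IE and ie is not None:
            continue                      # branch is for non-IE browsers only
        if want_ie != NON_IE and ie != want_ie:
            continue                      # branch needs a specific IE major
        if nt_below is not None and (nt is None or nt >= nt_below):
            continue                      # branch needs pre-Vista Windows
        if java_max is not None and (java is None or java > java_max):
            continue                      # branch needs an old-enough JRE
        hits.append(name)
    return hits


# The landing URL exactly as captured on this page
LANDING = ("http://mahsms.ir/wp-includes/pomo/dtsrc.php?a=h1"
           "&f=51d0f9f5d6d2c5ff3ade4b38bb7c1ceb"
           "&u=Mozilla%2F5.0%20(Windows%3B%20U%3B%20MSIE%207.0%3B%20Windows%20NT%205.2)%20Java%2F1.5.0_08")

if __name__ == "__main__":
    params = decode_landing(LANDING)
    print("a =", params["a"], "| f =", params["f"])
    print("u =", params["u"])
    print("branches that fit this victim:", matching_branches(params["u"]))
```

// With the UA from the captured landing URL (IE 7, NT 5.2, Java 1.5.0_08) this reports
// h3 and h5, i.e. the two IE 7 Java branches; a Windows 7 box with a current JRE gets nothing.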
// Chapter:
// Follow up details
// Exploit Kit part
//
// =================
// Follow up details:
// =================
// FIRST URL ONLY...
--- fetch header ----
Date: 2014-03-11 09:25:15
URL: http://pekanin.freevar.com/include/template/isx.php
Resolving pekanin.freevar.com (pekanin.freevar.com)... 5.9.82.27
Caching pekanin.freevar.com => 5.9.82.27
Connecting to pekanin.freevar.com (pekanin.freevar.com)|5.9.82.27|:80... connected.
---request begin---
GET /include/template/isx.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: pekanin.freevar.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2014 00:25:16 GMT
Server: Apache
X-Powered-By: PHP/5.4.17
Cache-Control: no-cache
Keep-Alive: timeout=1, max=10000
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Saving to: 'isx.php'
2014-03-11 09:25:17 (5.27 MB/s) - 'isx.php' saved [723]
$ date
Tue Mar 11 09:29:14 JST 2014
$
$ cat isx.php
No data!
$
$ date
Tue Mar 11 09:29:46 JST 2014
$ wget -nv http://user99.freewebhostingarea.com/a/gfreeh.js
2014-03-11 09:29:56 URL:http://user99.freewebhostingarea.com/a/gfreeh.js [935/935] -> "gfreeh.js" [1]
$ wget -nv http://user99.freewebhostingarea.com/a/in300.js
2014-03-11 09:30:15 URL:http://user99.freewebhostingarea.com/a/in300.js [935/935] -> "in300.js" [1]
$ wget -nv http://user99.freewebhostingarea.com/a/specoff.js
2014-03-11 09:30:33 URL:http://user99.freewebhostingarea.com/a/specoff.js [935/935] -> "specoff.js" [1]
$
$ date
Tue Mar 11 09:30:38 JST 2014
$
$ cat gfreeh.js
var m3_u = (location.protocol=='https:'?'https://user99.freewebhostingarea.com/po/www/delivery/ajs.php':'http://user99.freewebhostingarea.com/po/www/delivery/ajs.php');
var m3_r = Math.floor(Math.random()*99999999999);
if (!document.MAX_used) document.MAX_used = ',';
document.write ("<\/scr"+"ipt>");
$
$
$
$ cat in300.js
var m3_u = (location.protocol=='https:'?'https://user99.freewebhostingarea.com/po/www/delivery/ajs.php':'http://user99.freewebhostingarea.com/po/www/delivery/ajs.php');
var m3_r = Math.floor(Math.random()*99999999999);
if (!document.MAX_used) document.MAX_used = ',';
document.write ("<\/scr"+"ipt>");$
$
$
$
$ cat specoff.js
var m3_u = (location.protocol=='https:'?'https://user99.freewebhostingarea.com/po/www/delivery/ajs.php':'http://user99.freewebhostingarea.com/po/www/delivery/ajs.php');
var m3_r = Math.floor(Math.random()*99999999999);
if (!document.MAX_used) document.MAX_used = ',';
document.write ("<\/scr"+"ipt>");$
$
// Target
-- Fetch header --
Date: 2014-03-11 09:37:24
URL: http://user99.freewebhostingarea.com/po/www/delivery/ajs.php
Resolving user99.freewebhostingarea.com (user99.freewebhostingarea.com)... 64.31.54.149
Caching user99.freewebhostingarea.com => 64.31.54.149
Connecting to user99.freewebhostingarea.com (user99.freewebhostingarea.com)|64.31.54.149|:80... connected.
---request begin---
GET /po/www/delivery/ajs.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: user99.freewebhostingarea.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2014 00:37:25 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAGEO=JP%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C; path=/
Set-Cookie: OAID=cb77d5dfd349d4c0a5c28a208693a25d; expires=Wed, 11-Mar-2015 00:37:25 GMT; path=/
Content-Length: 52
Keep-Alive: timeout=1, max=10000
Connection: Keep-Alive
Content-Type: text/javascript; charset=UTF-8
200 OK
Stored cookie user99.freewebhostingarea.com -1 (ANY) / [expiry none] OAGEO JP%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C
Stored cookie user99.freewebhostingarea.com -1 (ANY) / [expiry 2015-03-11 09:37:25] OAID cb77d5dfd349d4c0a5c28a208693a25d
URI content encoding = 'UTF-8'
Length: 52 [text/javascript]
Saving to: 'ajs.php'
2014-03-11 09:37:25 (1.01 MB/s) - 'ajs.php' saved [52/52]
// Details:
$
$ date
Tue Mar 11 09:40:22 JST 2014
$
$ cat ajs.php
var OX_031eb7b0 = '';
document.write(OX_031eb7b0);
$
// This should lead to a (new) null CVE??? #lol :-)
// SECOND URL ONLY..
-- Fetch Header --
Date: 2014-03-11 09:44:26
URL: http://simpsons.freesexycomics.com/wp06/wp-includes/po.php
Resolving simpsons.freesexycomics.com (simpsons.freesexycomics.com)... 198.63.208.206
Caching simpsons.freesexycomics.com => 198.63.208.206
Connecting to simpsons.freesexycomics.com (simpsons.freesexycomics.com)|198.63.208.206|:80... connected.
---request begin---
GET /wp06/wp-includes/po.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: simpsons.freesexycomics.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2014 00:44:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache
Content-Encoding: gzip
200 OK
Saving to: 'po.php'
2014-03-11 09:44:27 (468 KB/s) - 'po.php' saved [147]
// insides..
$ date
Tue Mar 11 09:45:49 JST 2014
$
$
$ less po.php
"po.php" may be a binary file. See it anyway?
^_<8B>^H^@^@^@^@^@^@^C%A
0^P^E<8C>l^\@^Z<90> <90>^F^KD34^E<9B>i17l<8F>Q<86><91>|0zC^T^Y<91>_ESCeO
rF]^Ur^RJ^V)<8F>3<87>b<99>!^|3<^TA^K^CW<98>f9^]b+}<83>X
<9D>M<9F>/<83>m!<96>^@^@^@
$
$
$ bincat po.php
0000 1F 8B 08 00 00 00 00 00 00 03 25 CE 41 0A C2 30 ..........%.A..0
0010 10 05 D0 AB 8C AB 6C 1C BD 40 1A 90 20 B8 90 06 ......l..@.. ...
0020 D4 0B 44 33 34 05 9B B4 D3 69 31 B7 37 D6 CD 6C ..D34....i1.7..l
0030 FE FF 8F D1 51 86 B7 D1 91 7C 30 7A A0 CE 43 14 ....Q....|0z..C.
0040 19 91 A6 A5 5F 1B 65 4F F6 72 46 EB DA C7 CD 5D ...._.eO.rF....]
0050 15 BC 72 12 4A D2 A8 D6 E1 16 29 A3 8F FF E9 33 ..r.J.....)....3
0060 87 62 EE 99 B9 EC 21 65 08 5E 7C AD 33 D3 3C E6 .b....!e.^|.3.<.
0070 14 FA D4 41 C9 0B 03 57 98 66 39 E8 1D 62 F4 2B ...A...W.f9..b.+
0080 7D B6 83 58 9D 4D A8 DC EF 9F 2F 83 6D 21 C8 96 }..X.M..../.m!..
0090 00 00 00 ...
// Gzip-compressed blob (1F 8B magic; the server sent Content-Encoding: gzip and wget stored the body undecoded). No sample, can not do much yet, hang on...
// THIRD URL..
http://toons.freesexycomics.com/wp08/wp-includes/dtcla.php
$ date
Tue Mar 11 09:51:55 JST 2014
$
---Fetch header---
Date: 2014-03-11 09:52:11
URL: http://toons.freesexycomics.com/wp08/wp-includes/dtcla.php
Resolving toons.freesexycomics.com (toons.freesexycomics.com)... 198.63.208.206
Caching toons.freesexycomics.com => 198.63.208.206
Connecting to toons.freesexycomics.com (toons.freesexycomics.com)|198.63.208.206|:80... connected.
---request begin---
GET /wp08/wp-includes/dtcla.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: toons.freesexycomics.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2014 00:52:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache
Content-Encoding: gzip
200 OK
Length: unspecified [text/html]
Saving to: 'dtcla.php'
2014-03-11 09:52:12 (470 KB/s) - 'dtcla.php' saved [147]
$ date
Tue Mar 11 09:54:14 JST 2014
$ less dtcla.php
"dtcla.php" may be a binary file. See it anyway?
^_<8B>^H^@^@^@^@^@^@^C%A
0^P^E<8C>l^\@^Z<90> <90>^F^KD34^E<9B>i17l<8F>Q<86><91>|0zC^T^Y<91>_ESCeO
rF]^Ur^RJ^V)<8F>3<87>b<99>!^|3<^TA^K^CW<98>f9^]b+}<83>X
<9D>M<9F>/<83>m!<96>^@^@^@
$
$ bincat dtcla.php
0000 1F 8B 08 00 00 00 00 00 00 03 25 CE 41 0A C2 30 ..........%.A..0
0010 10 05 D0 AB 8C AB 6C 1C BD 40 1A 90 20 B8 90 06 ......l..@.. ...
0020 D4 0B 44 33 34 05 9B B4 D3 69 31 B7 37 D6 CD 6C ..D34....i1.7..l
0030 FE FF 8F D1 51 86 B7 D1 91 7C 30 7A A0 CE 43 14 ....Q....|0z..C.
0040 19 91 A6 A5 5F 1B 65 4F F6 72 46 EB DA C7 CD 5D ...._.eO.rF....]
0050 15 BC 72 12 4A D2 A8 D6 E1 16 29 A3 8F FF E9 33 ..r.J.....)....3
0060 87 62 EE 99 B9 EC 21 65 08 5E 7C AD 33 D3 3C E6 .b....!e.^|.3.<.
0070 14 FA D4 41 C9 0B 03 57 98 66 39 E8 1D 62 F4 2B ...A...W.f9..b.+
0080 7D B6 83 58 9D 4D A8 DC EF 9F 2F 83 6D 21 C8 96 }..X.M..../.m!..
0090 00 00 00 ...
// Byte-identical to po.php above: the same 147-byte gzip blob..
$ date
Tue Mar 11 09:56:11 JST 2014
$
$ vt check dtcla.php |less
-----------------------------------------------------------
VT-shell 1.1 FreeBSD version - by @unixfreaxjp
Usage is: /usr/local/bin/vt COMMAND(check | scan) and PATH(a correct full-path-to-sample)
-----------------------------------------------------------
Sample : dtcla.php
MD5 : 2d43b8539ee3aff06feab586191dc2a1
SHA256 : 37dedc60b1fbdf89160c7cb9258f87162725103fecf8b4b1d6b538ae7e4ec7fe
URL : https://www.virustotal.com/latest-scan/37dedc60b1fbdf89160c7cb9258f87162725103fecf8b4b1d6b538ae7e4ec7fe
-----------------------------------------------------------
VirusTotal
File not found
$
$
// I feel weird...Uploading this now..
// uploaded this to the VT here:
// https://www.virustotal.com/en/file/37dedc60b1fbdf89160c7cb9258f87162725103fecf8b4b1d6b538ae7e4ec7fe/analysis/1394499588/
// FOURTH URL:
http://www.pc-service-fm.de/modules/mod_search/src.php
$ date
Tue Mar 11 10:08:23 JST 2014
$
-- Fetch header ---
Date: 2014-03-11 10:08:38
URL: http://www.pc-service-fm.de/modules/mod_search/src.php
Resolving www.pc-service-fm.de (www.pc-service-fm.de)... 81.169.145.163
Caching www.pc-service-fm.de => 81.169.145.163
Connecting to www.pc-service-fm.de (www.pc-service-fm.de)|81.169.145.163|:80... connected.
---request begin---
GET /modules/mod_search/src.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: www.pc-service-fm.de
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2014 01:08:44 GMT
Server: Apache/2.2.26 (Unix)
X-Powered-By: PHP/5.3.28
Cache-Control: no-cache
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
200 OK
Length: unspecified [text/html]
Saving to: 'src.php'
2014-03-11 10:08:45 (1.23 MB/s) - 'src.php' saved [150]
$ date
Tue Mar 11 10:10:25 JST 2014
$
$ cat src.php
Sorry, no data corresponding your request.$
$
// WE GOT THE VERDICT..
// the "Sorry, no data corresponding your request." reply is the Havex RAT CNC response; this is a positive PoC of HAVEX-RAT CNC
// FIFTH URL..
http://artem.sataev.com/blog/wp-includes/pomo/src.php
2014-03-11 10:16:15 ERROR 404: Not Found.
// SIXTH URL:
http://swissitaly.com/includes/phpmailer/class.pop3.php
2014-03-11 10:19:59 ERROR 404: Not Found.
// ==============================
// JOURNEY TO THE EXPLOIT KIT...
// Say hello to a series of JARs via
// our old friend PluginDetect.
// ==============================
// SEVENTH URL..
http://mahsms.ir/wp-includes/pomo/dtsrc.php
// This is a kind of ticket to the landing page...
// We'll see...
-- Fetch header --
Date: 2014-03-11 10:22:04
URL: http://mahsms.ir/wp-includes/pomo/dtsrc.php
Resolving mahsms.ir (mahsms.ir)... 176.9.92.69
Caching mahsms.ir => 176.9.92.69
Connecting to mahsms.ir (mahsms.ir)|176.9.92.69|:80... connected.
---request begin---
GET /wp-includes/pomo/dtsrc.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: mahsms.ir
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Tue, 11 Mar 2014 01:22:06 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 8115
200 OK
Length: 8115 (7.9K) [text/html]
Saving to: 'dtsrc.php'
2014-03-11 10:22:06 (3.37 MB/s) - 'dtsrc.php' saved [8115/8115]
$
$ date && less dtsrc.php
Tue Mar 11 10:24:00 JST 2014
"dtsrc.php" may be a binary file. See it anyway?
^_<8B>^H^@^@^@^@^@^D^C<95>\rESC<91>^?
[...]
<87>W^V&<98><89>^_^O<8F>\F~<8C>M^@^@
$
$ bincat dtsrc.php
0000 1F 8B 08 00 00 00 00 00 04 03 95 5C FD 72 1B B9 .............r..
0010 91 FF 7F AB F6 1D E6 54 75 2B EA 6C C9 1C 7E 73 .......Tu+.l..~s
0020 B3 DE 94 44 7D DA 92 AC 13 29 3B 1B 67 73 05 92 ...D}....);.gs..
0030 20 39 E6 70 86 3B 1F 12 E9 75 F2 06 F7 20 79 81 9.p.;...u... y.
0040 7B 81 D4 BD D7 FD BA 1B C0 0C 29 AE 37 A7 4A 96 {.........).7.J.
0050 00 A6 D1 D3 68 F4 37 30 FE 61 96 2D 42 6F B5 08 ....h.70.a.-Bo..
[...]
1F20 A7 94 06 3E 46 DD 55 D1 57 47 F6 AB 15 42 ED 95 ...>F.U.WG...B..
1F30 D5 E8 37 10 57 F6 68 22 6C 89 9D E8 88 FA E1 55 ..7.W.h"l......U
1F40 CA 59 18 FD 33 66 AF 66 E6 DF 33 A3 2F DE 68 E0 .Y..3f.f..3./.h.
1F50 DD C9 9B B3 DE C0 0B C6 AF 4B DF BB 78 BD EB E3 .........K..x...
1F60 7E FF EA F4 F5 DE 08 17 6F C6 DF E3 DF 8A A9 4E ~.......o......N
1F70 F0 EF 81 1D 76 3B C3 E6 A1 EF 8F 26 87 C3 61 A7 ....v;.....&..a.
1F80 76 58 AD 2A 55 AD 0E C7 23 5D 1D EE 79 2C C9 AF vX.*U...#]..y,..
1F90 F7 AA CB D5 1E BE 33 A5 6B 29 D2 F9 F1 87 57 F2 ......3.k)....W.
1FA0 16 26 C0 BE 98 FF 89 B5 1F FF 0F 8F 5C 46 7E 8C .&...........F~.
1FB0 4D 00 00 M..
// The leading bytes 1F 8B are the gzip magic (Content-Encoding: gzip, stored raw by wget). Unwrap it and look inside..
$ date
Tue Mar 11 10:33:27 JST 2014
$
$ cp dtsrc.php dtsrc.gz
$ gunzip dtsrc.gz
$
$ ls dtsrc*
dtsrc dtsrc.php
$
$ bincat dtsrc
0000 3C 68 74 6D 6C 20 78 6D 6C 6E 73 3D 22 68 74 74 ....
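// Added example (my code, not from the original notes): triage the files wget leaves
// behind for the fetches above. The servers answered with Content-Encoding: gzip and
// wget stores that body undecoded, so po.php, dtcla.php and dtsrc.php begin with the
// gzip magic 1F 8B seen in the bincat dumps. This detects the magic, inflates the body
// (refusing a truncated stream instead of returning a partial body), hashes the raw
// bytes the same way the vt check above keyed on them, and tags the plaintext reply
// using the strings seen on this page. The sample bodies are constructed for the
// example, not the captured files, and the tags are my triage labels, not kit internals.

```python
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Reply strings observed above and the triage label given to each
KNOWN_REPLIES = {
    "No data!": "no-data-reply",                                     # isx.php
    "Sorry, no data corresponding your request.": "havex-c2-reply",  # src.php, the page's verdict string
}


def unwrap(raw: bytes) -> bytes:
    """Inflate a raw gzip body; pass anything else through unchanged.
    A truncated or corrupt gzip stream raises ValueError rather than
    silently yielding a partial body."""
    if not raw.startswith(GZIP_MAGIC):
        return raw
    try:
        return gzip.decompress(raw)
    except (EOFError, zlib.error, OSError) as exc:
        raise ValueError(f"damaged gzip body: {exc}") from exc


def hashes(raw: bytes) -> dict:
    """MD5/SHA256 of the bytes on disk, i.e. of the still-gzipped file when the
    server compressed it; that is what the VirusTotal lookup above was keyed on."""
    return {"md5": hashlib.md5(raw).hexdigest(),
            "sha256": hashlib.sha256(raw).hexdigest()}


def classify(body: bytes) -> str:
    """Tag an inflated reply body."""
    text = body.decode("latin-1").strip()
    if not text:
        return "empty"
    if text in KNOWN_REPLIES:
        return KNOWN_REPLIES[text]
    low = text.lower()
    if low.startswith("<html") or low.startswith("<!doctype"):
        return "html"
    if "document.write" in text or low.startswith("var "):
        return "javascript"
    return "unknown"


def triage(raw: bytes) -> dict:
    """One record per fetched file: was it gzipped, sizes, hashes and a verdict tag."""
    body = unwrap(raw)
    return {"gzipped": raw.startswith(GZIP_MAGIC),
            "raw_len": len(raw), "body_len": len(body),
            "verdict": classify(body), **hashes(raw)}


# Constructed samples (not the captured files); mtime=0 keeps the gzip bytes stable
SAMPLE_C2_GZ = gzip.compress(b"Sorry, no data corresponding your request.", mtime=0)
SAMPLE_PLAIN = b"No data!"
SAMPLE_LANDING_GZ = gzip.compress(
    b'<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body></body></html>', mtime=0)
SAMPLE_AJS = b"var OX_031eb7b0 = '';\ndocument.write(OX_031eb7b0);"
SAMPLE_TRUNCATED = SAMPLE_C2_GZ[:20]   # header plus a few deflate bytes, no end-of-stream

if __name__ == "__main__":
    for name, raw in [("c2", SAMPLE_C2_GZ), ("plain", SAMPLE_PLAIN),
                      ("landing", SAMPLE_LANDING_GZ), ("ajs", SAMPLE_AJS)]:
        print(name, triage(raw))
    try:
        unwrap(SAMPLE_TRUNCATED)
    except ValueError as err:
        print("truncated:", err)
```

// Hash the file as stored (gzipped) when you want to match the VT entry above; hash
// the inflated body when you want a hash that survives the server toggling compression.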