lundi 27 février 2017

Spambot safari #2 - Online Mail System

Hey !
today I'll present some research around a spambot named "Onliner". This spambot is actually used for spreading Gozi.
I've already talk about Onliner in another blogpost but because the spambot quickly evolve, and the botmaster seems to tries to avoid pwning attempst, I'll try to explain everything here :].

Original sample

The first sample that I've grab come from email, dropped by JSDropper.
A quick dynamic analysis allow us to understand that it's a spambot (a lot of SMTP connections from the malicious process).
Before reversing it, let's look a the CNC communication.

Malware communicates over HTTP. An interesting thing is that the process doesn't contacts directly the CNC, it try to contact some proxy web page (PHP script uploaded on compromised websites).

Proxy - Good idea - Bad realization

Using proxy websites is a good idea only if you don't use poor pwned CMS. With poor pwned CMS it take around 3 minutes to anybody to retrieves your real CNC. Example:
I can make some supposition:
  • It's pretty sure that the bot master uses a script for updating all the proxies scripts
  • All the compromised websites are old: most probable infection vectors are FTP Bruteforce or CMS exploits
  • They have leave a php backdoor somewhere on the compromised website
I have try to found the PHP backdoor for using it to read the PHP proxy code. After some guessing I have saw that the PHP backdoor is a WSO webshell, uploaded always in the same locations:
  • /cgi-bin/terms.php
  • /cgi-bin/useterms.php
  • /css/terms.php
  • /css/useterms.php
the WSO webshell is protected by a poor password -> I can read the PHP proxy code :). The commented version below:

The real CNC is http://194.247.13.8/img/. I'll come back later on the $GET_['99'] / $_POST['99'] parameters, those parameters are really interesting in the pwning process :D.

Panel - Good idea - Bad realization


Funny, the authentication is not like in others panels.
I don't want to directly use brute force here because like in almost all panels it must have a vulnerability somewhere.
Come back to the malware communication. As you can see here, the malware download some dll (ssl and 7zip) from the CNC.

I'm not a good pentester but when you saw a full dll name ssleay32.dll in a GET parameter, it's smell something bad \o/.


Thanks to that LFI we have access to all the panel (click on image bellow for the full album)

After looking around, I've found a reference to another IP: 194.247.13.178. This server host another onliner web panel: hxxp://194.247.13.178/naomi/login.php (click on image bellow for the full album)



By looking at the IP addresses (194.247.13.18 and 194.247.13.178) it seems that those guys really like "DELTA-X" hoster (Ukraine).
You know, for science, I've try to scan 194.247.13.0-255 with Nmap on port 80 + some directory guessing with Patator.
And you know what? It works haha!

I've found another panel at hxxp://194.247.13.196/asus/login.php .

Panel V2 - Good idea - Bad realization

After releasing the first blogpost about onliner, the botmaster change some stuff. They start to use IP White listing for accessing the panel, they update some code, they don't patch the LFI, they add some others vulns x].

Now, due to IP White listing, when you try to access the web panel, you are kicked by the PHP script:

The LFI is still here so we can look at the code. We can see 4 IPs white listed (Please don't spoil yourself, ignore the 2 first foreach haha I'll discuss that below):

It looks bad. I can read the PHP code but I can't access the admin panel. It's time to understand the authentication process. Take a seat, it's wonderfull. This is a big picture of the process:

admin.php:

I cannot explain yet what the hell is that
if ($_GET['pass']=='Lm7%Dv)ko4q') {
include('login.php');
}
Anyway, the big picture show us that the situation looks bad, the IP White listing is done early. But the function for IP White listing is in fact... a backdoor \o/:

Remember the $_GET['99'] in the PHP proxy script ? Look at the script. For bypassing IP White listing when an infected bot try to contacts the CNC, they use this parameters $_GET['99'] and $_POST['99'].
I just need the code (in config.php) + set the POST and GET variables and I can access to the CNC from any IPs.

curl --data "code=70183619&99=backdoor" "http://194.247.13.178/naomi/admin.php?99=backdoor&mailer=true" > onliner.html



Bonus

To finish, I just want to show you without comment 2 security features used in the Onliner panel.
Anti-SQLi:

Anti-... I don't know what:


Malware binary

The malware himself is in fact a dropper. When you run it, it copy itself in C:\windows\ and re-run as services.

The dropper try to drop 2 dlls:
  • http://cnc.com/MailerSMTP/dll.dll : the Spam module
  • http://cnc.com/CheckerSMTP/dll.dll : the SMTP credentials checker module
Those 2 dll are xored with the key
[0x37, 0x32, 0x44, 0x45, 0x34, 0x45, 0x35, 0x33, 0x36, 0x46, 0x35, 0x42, 0x32, 0x37, 0x39, 0x36, 0x31, 0x43, 0x43, 0x44, 0x41, 0x37, 0x30, 0x43, 0x32, 0x30, 0x39, 0x37, 0x38, 0x32, 0x46, 0x44, 0x44, 0x35, 0x31, 0x34, 0x43, 0x34, 0x36, 0x37, 0x44, 0x37, 0x39, 0x44, 0x30, 0x39, 0x39, 0x33, 0x38, 0x30, 0x33, 0x35, 0x31, 0x39, 0x43, 0x33, 0x32, 0x41, 0x46, 0x37, 0x33, 0x30, 0x34, 0x30, 0x00]

A little schema of the malware communication initialization: (the communication is encoded with base64 with $_GET parameters)

All the modules needed are copied in c:\windows\ too.
After installation, the malware wait for command from the CNC. Here, an example with the CheckerSMTP Module:
  • The CNC send the "control account", this account (mail+password+smtpserver) is used to be sure that the spamming process works. Valid SMTP credentials can be sends to this control account to
  • The CNC send a file a list of SMTP server + a list of compromised account in 2 zip files. mask.zip and 3746000.zip
  • The CNC wait until the bot finish his job and send another list of SMTP+Credentials

The sample is pretty good detected by AV industry (maybe due to the lot of debug strings present in the binary).

Conclusion

As reminded, this spam bot is used to spread Gozi in Italy and Canada.
Onliner has around 1000 infected bots, they don't spread to much sample of the spambot.

I look forward the next update of the panel.

Annexe

Onliner known IPs:
  • 194.247.13.8
  • 194.247.13.178
  • 194.247.13.196
  • 91.210.165.163

Spambot sample:
Module samples:

17 commentaires:

  1. And another panel on hxxp://194.247.13.222/tess/login.php

    RépondreSupprimer
  2. Nice blog with Amazing information .. love to read about this.
    Yuz parvarishi For PC

    RépondreSupprimer
  3. Canon Pixma MX492 Wireless Printer, User Manual, Fax Setup , IJ Setup Download and Software Scanner Driver Download For Mac, Windows, ordinance mx492 investigating

    RépondreSupprimer
  4. It looks bad. I can read the PHP code but I can't access the admin panel. It's time to understand the authentication process. Take a seat, it's wonderfull. This is a big picture of the process pink dress for kids , little girl yellow dress , baby girl red dress , baby girl green dress

    RépondreSupprimer
  5. You did the a great work writing and revealing the hidden beneficial features of
    organic white rice

    RépondreSupprimer
  6. Very informative blog, and beautifully elaborating the complete information about the topic. We are from the same domain emerging as the top mobile app development company for versatile app creation services. You can email us at sales@appsquadz.com or Phone Number: +91-9717270746

    RépondreSupprimer
  7. Your Blog is just amazing and provides good knowledge do sharing such more blogs. I would also like to induce your attention to Landscape Services for consult, design, install and maintain indoor and outdoor gardens.

    RépondreSupprimer
  8. This is really great and useful information. I am glad that you shared this useful information with us. Keep sharing again.
    Windows Live Mail is one of the most popular email clients because it connects to your Windows Live Hotmail, Gmail, and Yahoo! accounts all in one place. It uses the same secret word regardless of whether the secret key is modified at the email provider stage. Often Windows Live Mail will not start; in this case, you will have the option to reinstall it. There's also a possibility that you'll need to change your Windows Live Mail password for a number of reasons. But you have no idea How does Windows Live Change Email Password?
    If this is a common issue, please contact our Technical Support team, who will be happy to assist you as soon as possible.

    RépondreSupprimer
  9. https://www.expresscouriercars.co.uk/

    RépondreSupprimer
  10. There are quite a number of factors that Brother Printer Driver may not install on your computer and you may face Brother Printer Driver Installation Problem. Brother drivers or software exist to perform an essential function within your printer. If not, then you can dial Brother Printer Support Toll-Free Number and tell them the issue, and surely, we’ll try to get back to you with the answer. You can also connect with one of our printer support experts via our chat support.

    RépondreSupprimer
  11. I would like to invite such an amazing writer like you to our website to see and know-how web and mobile app development company is leading the technological industry.

    RépondreSupprimer
  12. I am Bella From USA, These technical details had been of great help. Thanks for sharing!!Keep updating new posts on your blog!!

    Forgot AOL Mail Password
    Forgot AOL Email Password
    Forgot AOL Password
    AOL Email Forgot Password
    AOL Mail Forgot Password

    Awesome ! i really found very informative article here and bookmarked this blog. Thank you

    Change AOL Email Password
    Change AOL Mail Password
    Change AOL Password
    Reset AOL Change password
    AOL Mail Password Change

    RépondreSupprimer
  13. Enjoyed Reading The Blog. I love your blog. Thanks for sharing all of the useful info and will come back to read more. Myself joy, we will provide you windows firewall is blocking quickbooks accounting tool. It is used for accounts purpose.

    RépondreSupprimer