The execution of malicious code through scripting attacks is by now part of the folklore of current malware. Behind this whole battery of infection methods, however, are applications designed specifically to carry out such malicious acts.
Usually these are crimeware kits such as Zeus, Barracuda, Chamaleon or YES, or remote shells written in PHP, as in this case: the well-known r57shell.
There are many applications of this kind (c99shell, c100shell, Locus NetShell, etc.). They are usually planted on a vulnerable server through RFI (Remote File Inclusion) and used for mass defacement, that is, defacing web pages in bulk.
Although that is their customary purpose, they are also fully employed in web-borne attacks involving malicious code, such as DDoS, SQL injection and the recruitment of zombie machines, among others.
As this second capture shows, r57shell offers many features, and they are not there for any casual or trivial purpose: the intention is to take full control of the server on which it is planted. In other words, it is a backdoor from which an attacker can take complete control of the server, and of every other site on the same shared hosting.
In this case, the PHP shell was being used to spread malware by exploiting the following vulnerabilities:
- SuperBuddy LinkSBIcons. (CVE-2006-5820)
- Office Snapshot Viewer. (CVE-2008-2463)
- WksPictureInterface. (CVE-2008-1898)
- OurGame, multiple errors. (SA30469)
- GomPlayer OpenURL. (CVE-2007-5779)
- QuickTime RTSP. (CVE-2007-0015)
- NCTAudioFile2 SetFormatLikeSample. (CVE-2007-0018)
- Creative CacheFolder. (CVE-2008-0955)
- Windows Media Encoder. (CVE-2008-3008)
- Yahoo! Webcam Uploader. (CVE-2007-3147)
- Aurigma Photo Uploader. (CVE-2008-0660)
- Yahoo! Webcam Viewer. (CVE-2007-3148)
- Adobe Collab overflow. (CVE-2007-5659)
- Adobe util.printf overflow. (CVE-2008-2992)
Decoding the script yields the following URLs:
- http://vsedlysna.ru/img/site/2/load.php?id=83 --> Downloads the file load.exe (MD5: 22027b5c4394c7095c4310e2ec605808), packed with ASPack v2.12.
- http://vsedlysna.ru/img/site/2/pdf.php?id=83 --> Downloads the file 9040.pdf (MD5: 3b9e76642e96f3626cf25b7f3f9d6c3a), where the file name is a random value that changes on each download, taking names such as 8795.pdf, 7436.pdf, 6100.pdf, etc.
- http://vsedlysna.ru/img/site/2/pdf.php?id=83&vis=1 --> Downloads a PDF file whose name varies on each access, following the same scheme as the previous case. In this case the file was called 4099.pdf (MD5: 5caf548ff3e6ae0c9101ae647757a099).
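The URLs and hashes above are the indicators a responder would actually hunt for. The script below is an added example, not code from the post or from the author: it takes the exploit-kit host, paths and MD5s exactly as published, and scans log lines for three things the post describes: fetches of the kit's download scripts (visible in a proxy log), remote-file-inclusion attempts of the kind used to plant a PHP shell, and requests for files named like the r57/c99/c100 family. The shell file-name pattern, the eval(decoder(...)) wrapper check and the sample log lines are assumptions constructed for the example; real shells are routinely renamed, so treat the name check as a starting point only.

```python
"""Hunting for the indicators in this post: proxy/web-server log lines that fetch
the exploit-kit URLs, RFI attempts of the kind used to plant PHP shells, requests
for files named like the shells mentioned, and payloads whose MD5 matches the
published ones. Added example; not code from the original post."""
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# Indicators taken from the post (host, paths and MD5s as published).
KIT_HOST = "vsedlysna.ru"
KIT_PATHS = {"/img/site/2/load.php", "/img/site/2/pdf.php"}
KNOWN_MD5 = {
    "22027b5c4394c7095c4310e2ec605808": "load.exe (ASPack v2.12)",
    "3b9e76642e96f3626cf25b7f3f9d6c3a": "9040.pdf",
    "5caf548ff3e6ae0c9101ae647757a099": "4099.pdf",
}
# Assumption: dropped shells keep a name derived from their family (r57.php,
# c99shell.php, r57.txt ...). Real deployments rename them, so treat this as a
# starting point, not a complete signature.
SHELL_NAMES = re.compile(r"(?:r57|c99|c100)[^/]*\.(?:php|txt)$", re.I)
# Assumption: the eval(decoder(...)) wrapper that packed PHP shells and injected
# JavaScript loaders commonly use; the post only says the script had to be decoded.
PACKED_RE = re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13|unescape)\s*\(", re.I)
# Combined log format: client ident user [time] "METHOD target protocol" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')
REMOTE_URL_RE = re.compile(r"(?:https?|ftp)://", re.I)


def classify_request(line):
    """Findings for one log line as (tag, detail) tuples; [] if clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    parsed = urlparse(target)
    findings = []
    # Proxy logs carry absolute URLs: flag any fetch of the kit's download scripts.
    if parsed.netloc.lower() == KIT_HOST and parsed.path in KIT_PATHS:
        findings.append(("exploit-kit-fetch", target))
    # RFI attempt: a query parameter whose value is a remote URL, the classic way
    # a shell is pulled into a vulnerable include()/require().
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            if REMOTE_URL_RE.match(value):
                findings.append(("rfi-attempt", f"{name}={value}"))
    # Direct hits on a file named like a known shell, whatever the status code:
    # a 404 still tells you someone is looking for one.
    if SHELL_NAMES.search(parsed.path):
        findings.append(("webshell-request", f"{m.group('method')} {parsed.path} -> {m.group('status')}"))
    return findings


def hunt(log_text):
    """Map 1-based line numbers to their findings; clean lines are omitted."""
    report = {}
    for number, line in enumerate(log_text.splitlines(), 1):
        hits = classify_request(line)
        if hits:
            report[number] = hits
    return report


def md5_lookup(data):
    """Label of the published payload whose MD5 matches `data`, or None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def looks_packed(source):
    """True when `source` (PHP or JavaScript) uses an eval(decoder(...)) wrapper."""
    return bool(PACKED_RE.search(source))


# Constructed sample lines (RFC 5737 test addresses), not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2008:10:01:12 +0100] "GET /index.php?page=http://198.51.100.9/r57.txt? HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2008:10:01:40 +0100] "POST /images/r57shell.php HTTP/1.1" 200 2210
192.0.2.44 - - [10/Nov/2008:10:02:03 +0100] "GET http://vsedlysna.ru/img/site/2/pdf.php?id=83&vis=1 HTTP/1.1" 200 33127
192.0.2.45 - - [10/Nov/2008:10:02:05 +0100] "GET /about.html HTTP/1.1" 200 1200
"""

if __name__ == "__main__":
    for number, hits in sorted(hunt(SAMPLE_LOG).items()):
        for tag, detail in hits:
            print(f"line {number}: {tag}: {detail}")
    print("packed wrapper:", looks_packed("<?php eval(gzinflate(base64_decode('eJw...'))); ?>"))
```

Feed `hunt()` a web-server access log to find the RFI attempt and the later POSTs to the shell, and a proxy log to find clients that reached the kit; `md5_lookup()` is for files recovered from a suspect machine, since the PDF names change on every download and only the hash identifies them. The packed-wrapper check is deliberately coarse: it will flag legitimate obfuscated code too, and is meant to shortlist files for manual decoding, not to convict them.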
Related information
YES Exploit System. Another crimeware made in Russia
Russian prices of crimeware - Spanish version
Barracuda Bot. Actively exploited botnet
Unique Sploits Pack. Crimeware to automate the exploitation of vulnerabilities
# Jorge Mieres