1.2.1 - Hacktivity
Journey to the bottom of a black hole
Gabor Szappanos
Malware Researcher
Sophos
Traffic Direction System
GET http://www.google.com/ig/cp/get?hl=en&gl=&authuser=0&bundleJs=0 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.google.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
If-None-Match: 4507273103833835255
If-Modified-Since: Tue, 11 Oct 2011 08:30:50 GMT
Inputs the TDS selects on: browser agent, IP address, operating system
Version history
Version        Release date
2.0            09/2012
1.2.5          30/07/2012
1.2.4          11/07/2012
1.2.3          28/03/2012
1.2.2          26/02/2012
1.2.1          09/12/2011
1.2.0          11/09/2011
1.1.0          26/06/2011
1.0.2          20/11/2010
1.0.0 (beta)   08/2010
Pricing
Annual license: $1500
Half-year license: $1000
3-month license: $700
Cryptor update: $50
Domain change: $20; multi-domain add-on to a license: $200
During the term of the license all updates are free.
Rent on our server:
1 week (7 full days): $200
2 weeks (14 full days): $300
3 weeks (21 full days): $400
4 weeks (31 full days): $500
24-hour test: $50
There is a restriction on the volume of incoming traffic to a rented system, depending on the contract term.
Our own domain is included; a subsequent change of domain costs $35.
No hidden fees; rental includes full support for the duration of the contract.
Source code leak
Source code of version 1.0.2 appeared on underground sites on 22nd May 2011.
Offspring of new kits based on the source was expected
… but it didn't happen.
How was it stolen?
C99Shell in the upload directory
• Blackhole can deliver only binary payloads
• Not referenced in the server code
• Coding style is different
• Not protected with ionCube
It was used to hack into the server
Get admin
Source code theft step-by-step
• Attacker identified a Blackhole attack, traced to the C&C server.
• Gained access to the admin interface in about 5 to 50 tries.
• Uploaded the C99Shell file.
• Opened it in a browser.
• Grabbed the files from the Blackhole home directory.
Origins
• The default time zone of the installation is hardcoded to Europe/Moscow.
• The user interface supports two languages, English and Russian, the default being Russian.
• The English user interface texts and the variable names are noticeably incorrect in places; the Russian interface texts are grammatically more correct.
• Two character encodings are supported in the code, with conversion functions: UTF-8 and Windows-1251.
• The date format everywhere in the code is little-endian (day/month/year), which excludes the other two usual suspects: the USA uses middle-endian (month/day/year) and China big-endian (year/month/day).
ionCube protection
ionCube features
• Encoding PHP scripts with compiled byte codes
for accelerated runtime performance and
maximum security.
• Obfuscation of byte codes after compilation for
extra security.
• Selectable ASCII or Binary encoded file format.
• Prevention of file tampering through use of digital
signatures.
• Prevention of unauthorized files from including
encoded files.
• Generating files to expire on a given date or after
a time period.
• Restricting files to run on any combination of IP
addresses and/or server names.
• Restricting files to run on specific MAC
addresses.
• Customized messages.
Exploit kit      Cryptor
Adrenalin        Zend
Blackhole        ionCube
Bleeding Life    ionCube
Crimepack        ionCube
Intoxicated      ionCube
Liberty          Php Express
Pay0c            ionCube
Tornado          Zend
Yes              ionCube
Origins
Minimum Loader Version: 00.00.00 (for ex. ioncube_loader_win_4.3.dll requires >0301010)
VerData 0x00000003
ObfuFlags 00000003 00000000
0x0001 Obfuscate Vars
0x0002 Obfuscate Funcs
ObfuFuncHashSeed: FF 29 24 50 76 F6 A4 13 77 0D 5E 38 79 9F 8F C2
Bytecode_XorKey: 01806081
IncludeXorKey[should be 0xE9FC23B1]: E9FC23B1
DisableCheckingOfLicenseRestrictions: 0
CustomErrCallbackHandler: 'ioncube_event_handler'
Enable_auto_prepend_Append_file: 0
Customised error messages entries: 0x00
Include file protection entries: 0x00
Server restrictions entries: 0x1C
#1 Domains: ajaxstat.net |
#2 IPs: 195.80.151.98_NetMask(255.255.255.255), |
…
#27 Domains: xccr.co.cc |
#28 IPs: 195.80.151.59_NetMask(255.255.255.255), |
Adler32_CRC for '<?php //... ?>' and calculated MATCH. CRC: EB60391D
IC_HeaderEx start: 01E7
IC_HeaderEx end: 020F IC_Header HeaderSize: 021F
ionCube protection
<?php //0035e
if(!extension_loaded('ionCube Loader')){
$__oc=strtolower(substr(php_uname(),0,3));
$__ln='/ioncube/ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');
$__oid=$__id=realpath(ini_get('extension_dir'));
$__here=dirname(__FILE__);
if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}
$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';
$__i=strlen($__rd);
while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}
@dl($__ln);
}else{die('The file '.__FILE__." is corrupted.\n");}
if(function_exists('_il_exec')){return _il_exec();}
echo('Site error: the file <b>'.__FILE__.'</b> requires the ionCube PHP Loader '.basename($__ln).' to be installed by the site administrator.');exit(199);
?>
Decoding ionCube
<?php
### This file is part of the dictionaries-common package.
### It has been automatically generated.
### DO NOT EDIT!
$SQSPELL_APP = array (
'American English (aspell)' => 'aspell -a -d en_US
',
'British English (aspell)' => 'aspell -a -d en_GB
',
'Canadian English (aspell)' => 'aspell -a -d en_CA
',
'English (aspell)' => 'aspell -a -d en
'
);
<?php
$SQSPELL_APP=array("aspell -a -d en_US
", "aspell -a -d en_GB
", "aspell -a -d en_CA
", "aspell -a -d en
");
Return (1);
?>
<?php
/*********************/
/*                   */
/*  Dezend for PHP5  */
/*        NWS        */
/*     Nulled.WS     */
/*                   */
/*********************/
$SQSPELL_APP = array( "American English (aspell)" => "aspell -a -d en_US
", "British English (aspell)" => "aspell -a -d en_GB
", "Canadian English (aspell)" => "aspell -a -d en_CA
", "English (aspell)" => "aspell -a -d en
" );
?>
Decoding ionCube
_obfuscate_DVwqWwoiNxQrDDcnLgE0MgkuDREiWxEÿ( "display_errors", 1 );
_obfuscate_DTAWFiwpFRcvMSo8LSEJDQc7JS44DwEÿ( E_ALL );
$configFileName = "config.php";
_obfuscate_DS0eLQw1WwE0Ly4nPiopNzgiCyENEiIÿ( );

[Obfuscated] 0D 5C 2A 5B 0A 22 37 14 2B 0C 37 27 2E 01 34 32 09 2E 0D 11 22 5B 11 ("display_errors",1);
[Obfuscated] 0D 30 16 16 2C 29 15 17 2F 31 2A 3C 2D 21 09 0D 07 3B 25 2E 38 0F 01 (1);
$configFileName="config.php";
[Obfuscated] 0D 2D 1E 2D 0C 35 5B 01 34 2F 2E 27 3E 2A 29 37 38 22 0B 21 0D 12 22 ();
Decoding ionCube – cookbook examples
Obfuscated output:
if ( @!_obfuscate_DQgSFjcQI1w8Wxo7GjUTMhwUJhc1BiIÿ( @( "MysqlHost" ), @( "MysqlUsername" ), @( "MysqlPassword" ) ) )
{
    throw new exception( _obfuscate_DRgQDxsMHjgbHQcLKBgoNiQXCgYnGREÿ( ) );
}
if ( @!_obfuscate_DQsfFxgOEDw_MhIiDiRbORcpFiQqWwEÿ( @( "MysqlDatabase" ) ) )
{
    throw new exception( "unable to select database" );
}
_obfuscate_DQIuEgQHBzM_MTQkFD4YCjILNzcvCCIÿ( "UPDATE Logs SET ExploitID="._obfuscate_DRkHJz41OylAAiEOLBQJXAMvJgUnIhEÿ( $_GET['e'] ).", FileID="._obfuscate_DRkHJz41OylAAiEOLBQJXAMvJgUnIhEÿ( $_GET['f'] ).", IPStatus=1 WHERE (IP = inet_aton('".$_SERVER['REMOTE_ADDR']."')) and (Redirect=0) and (IPStatus=0) order by DateTime desc limit 1" );
if ( _obfuscate_DQUzJRIPGzAQDgM3EwM5CzEUJgMWKSIÿ( ) == 0 )
{
    exit( );
}

Resolved:
if ( @!mysql_connect( @( "MysqlHost" ), @( "MysqlUsername" ), @( "MysqlPassword" ) ) )
{
    throw new exception( mysql_connect_error( ) );
}
if ( @!mysql_select_db( @( "MysqlDatabase" ) ) )
{
    throw new exception( "unable to select database" );
}
mysql_query( "UPDATE Logs SET ExploitID=".mysql_real_escape_string( $_GET['e'] ).", FileID=".mysql_real_escape_string( $_GET['f'] ).", IPStatus=1 WHERE (IP = inet_aton('".$_SERVER['REMOTE_ADDR']."')) and (Redirect=0) and (IPStatus=0) order by DateTime desc limit 1" );
if ( mysql_error( ) == 0 )
{
    exit( );
}
Decoding ionCube – orientating constants
_obfuscate_DTg5Dh0xBTxbFg4MARciKw88CwI4FDIÿ( "LastLanguage", $AuthLanguage, _obfuscate_DSElGBkPOTMkCgoSJD0WDTIyKB0LFiIÿ( ) + 3600 * 24 * 30, "/" );
setcookie( "LastLanguage", $AuthLanguage, time() + 3600 * 24 * 30, "/" );
Decoding ionCube – code functionality
$good = true;
$i = 0;
while ( $i < _obfuscate_DRAxBQwdBxskCygsEhQtIzAOJBUtNAEÿ( $arr ) )
{
    if ( $arr2[$i] != "*" && $arr2[$i] != $arr[$i] )
    {
        $good = false;
        break;
    }

$good = true;
$i = 0;
while ( $i < count( $arr ) )
{
    if ( $arr2[$i] != "*" && $arr2[$i] != $arr[$i] )
    {
        $good = false;
        break;
    }
Decoding ionCube – compare with output
echo ( "Size" );
echo ":</div> ";
echo _obfuscate_DQkmBwc9GR0BMSMUPCQRJTgaHzcGCxEÿ( _obfuscate_DREhMjIUKiQPLx0kHA0pAw4qDjs•DzIÿ( ( "FilesDir" )."/".( $file['ID'], $file['Title'] ) ) );
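The cookbook, orientating-constants and compare-with-output slides above are one procedure: take the decoder's `_obfuscate_<token>ÿ` identifiers, pair a snippet whose plaintext is obvious with its obfuscated twin, and carry the resulting name dictionary into the rest of the dump. The following is an added example that automates that procedure; it is not code from the talk or from the Blackhole source. It rests on one observation checked against the slides: the token is the URL-safe base64 encoding of the bytes printed in the "[Obfuscated] 0D 5C 2A …" rows (31 characters, 23 bytes). The cookbook pairs are copied from the slides; the function and variable names below (`decodeToken`, `learnFromPair`, `resolveNames`, `COOKBOOK`) are this example's own.

```javascript
'use strict';

// Added example (not from the talk and not Blackhole code): decodes ionCube
// `_obfuscate_<token>ÿ` identifiers to the raw bytes the slide prints, and
// resolves them through a dictionary learned from cookbook pairs.

const OBF_PREFIX = '_obfuscate_';
// A token, optionally followed by the 0xFF terminator the decoder emits.
const TOKEN_RE = /_obfuscate_([A-Za-z0-9_-]+)\u00ff?/g;
// Identifiers in decoded PHP: obfuscated names first, then plain identifiers.
// Numbers, quotes, `$` and punctuation are skipped on both sides of a pair.
const IDENT_RE = /_obfuscate_[A-Za-z0-9_-]+\u00ff?|[A-Za-z_][A-Za-z0-9_]*/g;

// Decode one token (bare, or the full `_obfuscate_...ÿ` identifier) to bytes.
// ionCube's alphabet uses '-' and '_' for '+' and '/', and drops '=' padding.
function decodeToken(token) {
  const m = /^(?:_obfuscate_)?([A-Za-z0-9_-]+)\u00ff?$/.exec(token);
  if (!m) throw new Error('not an _obfuscate_ token: ' + token);
  let b64 = m[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64, 'base64');
}

// Render the bytes the way the slide does: upper-case hex, space separated.
function tokenHex(token) {
  return Array.from(decodeToken(token), (b) =>
    b.toString(16).toUpperCase().padStart(2, '0')).join(' ');
}

// Learn obfuscated-name -> real-name pairs from a cookbook pair. Identifiers
// are matched positionally, so the two snippets must differ only in the names.
function learnFromPair(obfuscated, plain, dict = {}) {
  const a = obfuscated.match(IDENT_RE) || [];
  const b = plain.match(IDENT_RE) || [];
  if (a.length !== b.length) {
    throw new Error(`cookbook pair does not line up: ${a.length} vs ${b.length} identifiers`);
  }
  a.forEach((name, i) => {
    if (!name.startsWith(OBF_PREFIX)) {
      if (name !== b[i]) throw new Error(`mismatch at ${i}: ${name} vs ${b[i]}`);
      return;
    }
    const tok = name.slice(OBF_PREFIX.length).replace(/\u00ff$/, '');
    if (dict[tok] && dict[tok] !== b[i]) {
      throw new Error(`conflicting resolution for ${tok}: ${dict[tok]} vs ${b[i]}`);
    }
    dict[tok] = b[i];
  });
  return dict;
}

// Rewrite every resolvable token in a decoded fragment; unknown tokens are
// left as they are and reported, so the analyst knows what still needs a pair.
function resolveNames(php, dict) {
  const unresolved = new Set();
  const code = php.replace(TOKEN_RE, (whole, tok) => {
    if (Object.prototype.hasOwnProperty.call(dict, tok)) return dict[tok];
    unresolved.add(tok);
    return whole;
  });
  return { code, unresolved: [...unresolved] };
}

// Cookbook pairs taken from the slides above, embedded so this runs offline.
const COOKBOOK = [
  ['if ( @!_obfuscate_DQsfFxgOEDw_MhIiDiRbORcpFiQqWwE\u00ff( @( "MysqlDatabase" ) ) )',
   'if ( @!mysql_select_db( @( "MysqlDatabase" ) ) )'],
  ['_obfuscate_DTg5Dh0xBTxbFg4MARciKw88CwI4FDI\u00ff( "LastLanguage", $AuthLanguage, _obfuscate_DSElGBkPOTMkCgoSJD0WDTIyKB0LFiI\u00ff( ) + 3600 * 24 * 30, "/" );',
   'setcookie( "LastLanguage", $AuthLanguage, time() + 3600 * 24 * 30, "/" );'],
  ['if ( _obfuscate_DQUzJRIPGzAQDgM3EwM5CzEUJgMWKSI\u00ff( ) == 0 )',
   'if ( mysql_error( ) == 0 )'],
];

function buildDictionary(pairs = COOKBOOK) {
  return pairs.reduce((d, [obf, plain]) => learnFromPair(obf, plain, d), {});
}

// Usage: console.log(tokenHex('DVwqWwoiNxQrDDcnLgE0MgkuDREiWxE'));
//        console.log(resolveNames(decodedPhpDump, buildDictionary()));
```

Every token on the slides decodes to 23 bytes starting with 0x0D, so a token that decodes to something else is a sign the decoder output was mangled in transit (the bullet character in the compare-with-output slide is one such case). Positional matching is deliberately strict: a pair that does not line up throws rather than silently learning a wrong name, because one wrong entry propagates into every later rewrite.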
Typical attack scenario
Initial vector -> Redirections -> mainfile -> downloadfile
Initial vector (compromised sites):
http://bridgetblonde.info/KKkxkeBx/index.html
http://casinos-mangas.com/wp-includes/company.html
http://3d-cam.com/jiQ9VFzm/index.html
http://juleimages.com/Scripts/company.html
http://armovies.com.ar/e2fSCR2G/index.html
http://losugen.com/phpThumb/company.html
http://armovies.com.ar/x12RsWiw/index.html
http://copyaccess.com/wp-content/company.html
http://chomikuj24.pl/KKkxkeBx/index.html
http://holr.net/wp-content/company.html
-> Redirections (js.js):
http://66.165.125.19/1fTeeHMA/js.js
http://74.119.235.211/114oTzgs/js.js
http://akdegirmen.com/xLwjDW7S/js.js
http://bragan.net/cwM8EscN/js.js
http://casodisneyludico.ehost.com.ar/e1vU1o8J/js.js
--> mainfile (landing page):
http://freac.net/main.php?page=6d63cba62f5eb9a0
http://72.14.187.169/showthread.php?t=73a07bcb51f4be71
---> downloadfile (exploit and payload):
http://freac.net/w.php?f=59&e=6
http://72.14.187.169/content/GPlugin.jar
http://72.14.187.169/q.php?f=e4a98&e=1
Main exploit dispatcher
insert = "end_redirect{}"
if exploit_1 is selected {
    insert += "exploit1() {exploit1_code; call exploit2()}"
}
else {
    insert += "exploit1() { call exploit2()}"
}
if exploit_2 is selected {
    insert += "exploit2() {exploit2_code; call exploit3()}"
}
else {
    insert += "exploit2() { call exploit3()}"
}
…
insert += "call end_redirect{}; call exploit1()"
write NO_JS_html + JS_crypt(insert)
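The dispatcher pseudocode above describes a generator: every exploit slot becomes a function, a selected slot carries its exploit code and then calls the next slot, an unselected slot only calls the next one, and the page ends with the calls that start the chain. The following is an added example that models that generator and then executes its output the way a browser would, so the call order can be checked; it is not the kit's code. The slot names `spl0`…`spl3` follow the function naming on the exploit table below; `record`, `buildDispatcher`, `buildLandingPage` and `runDispatcher` are this example's names, every exploit body is a placeholder that only records that the slot fired, and the kit's `JS_crypt` encoding layer is left out (the script is emitted readable).

```javascript
'use strict';

// Added example (not the kit's code): a model of the landing-page generator
// described in the "Main exploit dispatcher" pseudocode. Exploit bodies are
// placeholders; JS_crypt is not reproduced.

// Hypothetical slot names in chain order (the kit numbers its functions spl0..spl7).
const SLOTS = ['spl0', 'spl1', 'spl2', 'spl3'];

// Stand-in for the exploit code of a slot: it only records that it ran.
function placeholderBody(slot) {
  return `record.push(${JSON.stringify(slot)});`;
}

// Build the chain the way the pseudocode does: every slot gets a function;
// a selected slot runs its body and then calls the next slot, an unselected
// slot just calls the next slot, so disabling a slot never breaks the chain.
// Assumption: the final slot ends the chain (the slide's "..." does not show
// what the last function calls). end_redirect() in the kit schedules the
// final redirect; here it only records that it was invoked.
function buildDispatcher(selected, slots = SLOTS) {
  const chosen = new Set(selected);
  let insert = 'function end_redirect() { record.push("end_redirect"); }\n';
  slots.forEach((slot, i) => {
    const next = i + 1 < slots.length ? `${slots[i + 1]}();` : '';
    const body = chosen.has(slot) ? `${placeholderBody(slot)} ${next}` : next;
    insert += `function ${slot}() { ${body} }\n`;
  });
  insert += `end_redirect(); ${slots[0]}();\n`;
  return insert;
}

// NO_JS_html + JS_crypt(insert) from the pseudocode, with JS_crypt replaced by
// the identity: the markup served to browsers without JavaScript, then the
// dispatcher script. The noscript content is a placeholder.
function buildLandingPage(selected, noJsHtml = '<noscript><!-- NO_JS_html --></noscript>') {
  return `${noJsHtml}\n<script>\n${buildDispatcher(selected)}</script>\n`;
}

// Execute the generated dispatcher as a browser would and return the order in
// which the functions fired. Only placeholder bodies are ever executed here.
function runDispatcher(selected) {
  const record = [];
  new Function('record', buildDispatcher(selected))(record);
  return record;
}

// Usage: console.log(buildLandingPage(['spl1', 'spl3']));
//        console.log(runDispatcher(['spl1', 'spl3']));
```

The property worth noting for detection is that the chain shape is fixed by the slot list, not by the selection: a landing page with only Java enabled still defines every `splN` function, most of them as one-line pass-throughs to the next slot. That structural signature survives the selection of exploits, which is why the function skeleton (not the exploit bodies) is the stable thing to match on once `JS_crypt` has been undone.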
[Table: exploit function slot (spl0 … spl7), exploit function ID, exploit delivered, and one column per target platform with a +/- flag and, where the slide gives it, the delivery method (IFRAME, object, link, embedded). The per-platform flags did not survive extraction; the recoverable cells are listed below, with row grouping as far as the extraction allows.]
Exploit function | Exploit function ID | Exploit delivered
NOJS | 0 | (no-JavaScript HTML)
spl0, spl1 | | Java (CVE2010-084, CVE2012-0507)
spl2 | 2 | XMLHTTP + ADODB.Stream downloader
spl3 | 3, 4 | PDF: 3: CVE-2009-0927, CVE-2008-2992, CVE-2009-4324; 4: CVE-2010-0188
spl4 | 5 | HCP (CVE-2010-1885), XMLHTTP + ADODB
spl5 | 1 | Flash (CVE-2011-0611)
spl6, spl7 | 7 | Flash (Troj/SWFExpBC); CVE-2012-1889
Target platform columns: WinVista: IE7, IE8; Win7: IE9, IE10; Win7: Mozilla22+, Opera12, Safari5; Android: Safari5; Win7: Firefox14; WinVista: IE6; iPad: Safari6; iPhone: Safari5; iPod: Safari5; Linux: Chrome17, Firefox14, Mozilla19, Opera11; OSX106: Mozilla19, Opera11; OSX107: Chrome17, Firefox4, Safari5; SymbOS: Opera10; Wii: Opera10; WinNT90: IE9; Win8: Chrome17; OSX: IE5; WinCE: IE4; Win2K: Firefox5; WinXP: IE9; WinXP: Chrome17; Win95: IE4; Win98: IE4, IE5, IE6; WinNT: IE5; WinNT351: IE5; WinNT40: IE5; Win2K: IE4, IE5, IE6; Win2K3: IE7; Win2K: IE8; WinXP: AOL96
