
Rfi Payload Insecurities And Analysis


bwall


Hey,

A few of us have been working on a project for a while now working on making knowledge about the botnets building themselves up with servers infected via RFI vulnerabilities more public, as well as finding and exposing their vulnerabilities themselves.

Here is the first paper: http://www.exploit-db.com/wp-content/themes/exploit/docs/19032.pdf

Here is a blog post with the first paper in non-pdf form: http://ballastsec.blogspot.com/2012/06/insecurity-of-poorly-designed-remote.html

Here is where you can submit RFI payloads you have found for analysis and automated decoding: https://www.firebwall.com/decoding/index.php

The second paper is in the works, this time with coauthors. This paper can be more complete with more samples of bots. I can also make the auto-decoder better with more examples of encoding.

One of the coauthors is the one and only DigiP!


Just wanted to add, the decoder now works based on what we have used as samples so far, but every so often we find one that won't decode completely, and we'll have to do it manually, then add those methods to the script. In doing so, if you find one you have decoded, post here in the forums using the CODE tags what you found or did to decode, and Bwall will add it to the decoder script. The more samples we have, the easier they will be to decode down the road.

Know this, if you put the code in manually, it returns the code to you via copy and paste. If you don't feel comfortable visiting any of the attacker sites you may have found in your access/error logs (for risk of secondary infection, or if it was only a total phish to lead you there and scan you directly), you can copy the URL from your access logs and paste it into bwall's page, and it will grab it for you, without ever letting the attackers know your true IP!

This is an ongoing project, partly based on attacks I have been monitoring for over a year, and I figured as Hak5'ers, we probably see a TON of things over the course of our days we don't understand, or find scripts that are obfuscated we don't know what to do with.

If you ever wanted to run a honeypot, this is sort of the reverse. As bees in the hive, you can bring back the pollen, throw it in bwall's script, and reap the honey! More on all this at a later time when the second paper is released. User and community contribution welcomed and encouraged!

:)

edit: Just wanted to note, the decoder works on deobfuscating PHP only at the moment. If you need JavaScript eval or packed JavaScript deobfuscation, try http://jsbeautifier.org/ (not owned by or related to this project, but good to bookmark for your own research, and it might sometimes be embedded in some of the reverse shell codes).

Edited by digip

Bwall set up a lab using the scripts we downloaded from the attackers, simulating an actual botnet using the same scripts the attackers used, only changing all the attack commands in the bot to return dummy data, or static entries to whatever you want them to be. This video is merely a demonstration, though, of how the bots operate (some of them anyway), what to look for, and how to take them down.

Edited by digip

Bwall set up a lab using the scripts we downloaded from the attackers, simulating an actual botnet using the same scripts the attackers used, only changing all the attack commands in the bot to return dummy data, or static entries to whatever you want them to be. This video is merely a demonstration, though, of how the bots operate (some of them anyway), what to look for, and hot to take them down.

Oh yeah, it's hot to take them down. :P

Sorry DigiP, had to play on your typo there. *how


Oh yeah, it's hot to take them down. :P

Sorry DigiP, had to play on your typo there. *how

Damn autocorrect spell checker... lol


Hi Digip,

Just out of curiosity, when you contributed to this project, did you have to do any coding at all, or did you simply assist by researching RFI attacks?

I am just finding the whole project very interesting, to be honest!

Thanks.

Edited by Infiltrator

I'm not a coder, but it's still a learning experience because I find the RFI scripts and BOT scripts, but also get into the servers running the bots on the victim machines, not so much on the IRC bot networks as bwall demonstrated in his test lab (which is based on real bots we've collected and dissected), but I've tried to get on the actual victim's server itself if it's been compromised by someone, and if possible, remove all running instances of the reverse shell scripts and their running bots, their RFI scripts, as well as all found instances of backdoors and other bot scripts, document all of it, back up the owner's files for them so they can investigate, and I contact the site owners when possible. In many cases I get the host company's abuse department involved, or the group who owns the actual IP range involved, and they help the customer migrate to new hardware and move their files in a safe manner, but in many cases these attacks root everything and can pivot into the host company's servers for "mass defacements" and infections of shared hosts on the server. They use various techniques to hide their running bots; for example, the one I found yesterday started itself as a perl script, but named itself "sendmail". I could see this in the bot script's startup section, and through netstat -apn, match the established connections with "ps -Af" for the matching PIDs, then killed them all off. The sendmail one was rather easy because a one-liner script killed all instances of it at the same time via:

ps -Af | grep sendmail | awk '{print $2}' | xargs kill

Last night was very interesting, because I found multiple different types of bots, some started in perl (as mentioned above), and some via PHP which, even after you delete the script, will still be running processes in memory until either the bot kill command is given or you terminate the connection to the IRC network, and I think I managed to kill all of them off, as well as prevent the site owner's vulnerable TimThumb from being attacked again. The exploit to get in is still there in TimThumb, something I can not edit nor change (nor want to, not my files or server), but I implemented a few security things for them that should, for the most part, make anything the attackers re-upload via TimThumb be inaccessible and return 404 errors no matter how they try to access the files, while leaving the site owner's files intact and working so they can continue to use their WordPress theme, even with the vuln in place.

It's been a learning experience, and bwall has really helped me to understand better how the bots work, showing me logs of the bot in the channels, what to look for in them, and I think overall it's been a great collaboration and learning experience for all involved. Not all bots are created equal, and not all bots have kill commands, so you often need to have control of the victim's machine to terminate their connections.

We hope to have part two of the paper out as soon as possible to answer more questions on how this all came to be, but right now, we're waiting on one of the people we brought in on the project to see what is going to happen with his written part, due to legal issues and association, he may not be able to write anything of his own in the paper due to work restraints. He has been somewhat of a consultant for us though, a guru of info if you will, and helped give us a place to collaborate on his servers in a private forum, which I think helped to foster brainstorming and ideas that allowed us to speak freely, and focus more on the tasks we were tackling. Either way, he will be duly noted in the paper, even if he does not write anything in the paper itself, he has been a great help to us.

Edited by digip
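The netstat/ps cross-check described in the post above, as an added shell example that is not part of this thread or of bwall's project: it joins the ESTABLISHED rows of (constructed) netstat -apn output with (constructed) ps -Af output by PID, and flags a process that calls itself sendmail but talks to anything other than SMTP ports, or any process with a connection to an IRC port, so the disguised bot is separated from a legitimate sendmail listener. The port lists and the sample listings are assumptions made for this example.

```shell
# Print "pid name remote_port" for every ESTABLISHED row of netstat -apn output.
established_connections() {
    printf '%s\n' "$1" | awk '$6 == "ESTABLISHED" {
        n = split($5, remote, ":")        # remote port is the last ":"-separated field
        split($7, prog, "/")              # "PID/Program name" column
        print prog[1], prog[2], remote[n]
    }'
}

# Print the full CMD column of ps -Af output for one PID (fields 8 onward).
cmd_for_pid() {
    printf '%s\n' "$1" | awk -v pid="$2" '$2 == pid {
        for (i = 8; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
    }'
}

# Join the two listings by PID and flag what a disguised bot looks like:
# a "sendmail" talking to a non-SMTP port, or any process on an IRC port.
# Both port lists are assumptions for this example, not taken from the thread.
flag_suspicious() {
    established_connections "$1" | while read -r pid name port; do
        suspicious=0
        if [ "$name" = sendmail ]; then
            case "$port" in 25|465|587) ;; *) suspicious=1 ;; esac
        fi
        case "$port" in 666[0-9]|7000) suspicious=1 ;; esac
        if [ "$suspicious" -eq 1 ]; then
            printf '%s %s %s %s\n' "$pid" "$name" "$port" "$(cmd_for_pid "$2" "$pid")"
        fi
    done
}

# Constructed sample listings (not from a real host); 3412 is a bot named "sendmail".
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:25        0.0.0.0:*           LISTEN      1201/sendmail
tcp        0      0 192.0.2.10:41022  198.51.100.7:6667   ESTABLISHED 3412/sendmail
tcp        0      0 192.0.2.10:80     203.0.113.5:51234   ESTABLISHED 887/apache2
tcp        0      0 192.0.2.10:41990  198.51.100.9:6669   ESTABLISHED 3420/php'
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root      1201     1  0 10:02 ?        00:00:00 sendmail: accepting connections
www-data  3412     1  0 11:17 ?        00:00:03 sendmail
www-data  3420     1  0 11:18 ?        00:00:01 /usr/bin/php /tmp/.x/bot.php
www-data   887   880  0 09:55 ?        00:00:09 /usr/sbin/apache2 -k start'

# Flagged PIDs are what an admin would then review before killing them off.
flag_suspicious "$NETSTAT_SAMPLE" "$PS_SAMPLE"
```

On a live host, feed it the real output with flag_suspicious "$(netstat -apn)" "$(ps -Af)"; the legitimate sendmail on port 25 (PID 1201 in the sample) is never listed.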

Hi Digip,

Just out of curiosity, when you contributed to this project, did you have to do any coding at all, or did you simply assist by researching RFI attacks?

I am just finding the whole project very interesting, to be honest!

Thanks.

Part TWO is up - http://ballastsec.blogspot.com/2012/06/insecurity-of-poorly-designed-remote_24.html


  • 4 weeks later...

I'm planning on open sourcing every part of the project, but I want to see how many people actually want that. So retweet this https://twitter.com/bwallHatesTwits/status/226490924686000128 if you want it open sourced. You can always mention it here, but retweeting does also show it to more people who may want it open sourced.

