bwall Posted June 15, 2012
Hey,
A few of us have been working on a project for a while now, working on making knowledge about the botnets that build themselves up from servers infected via RFI vulnerabilities more public, as well as finding and exposing their vulnerabilities themselves. Here is the first paper: http://www.exploit-db.com/wp-content/themes/exploit/docs/19032.pdf
Here is a blog post with the first paper in non-PDF form: http://ballastsec.blogspot.com/2012/06/insecurity-of-poorly-designed-remote.html
Here is where you can submit RFI payloads you have found for analysis and automated decoding: https://www.firebwall.com/decoding/index.php
The second paper is in the works, this time with coauthors. This paper can be more complete with more samples of bots. I can also make the auto-decoder better with more examples of encoding. One of the coauthors is the one and only DigiP!
digip Posted June 15, 2012
Just wanted to add, the decoder now works based on what we have used as samples so far, but every so often we find one that won't decode completely, and we'll have to do it manually, then add those methods to the script. In doing so, if you find one you have decoded, post here in the forums using the CODE tags what you found or did to decode, and Bwall will add it to the decoder script. The more samples we have, the easier they will be to decode down the road. Know this: if you put the code in manually, it returns the code to you via copy and paste. If you don't feel comfortable visiting any of the attacker sites you may have found in your access/error logs (for risk of secondary infection, or if it was only a total phish to lead you there and scan you directly), you can copy the URL from your access logs and paste it into bwall's page, and it will grab it for you without ever letting the attackers know your true IP!
This is an ongoing project, partly based on attacks I have been monitoring for over a year, and I figured as Hak5'ers we probably see a TON of things over the course of our days we don't understand, or find scripts that are obfuscated that we don't know what to do with. If you ever wanted to run a honeypot, this is sort of the reverse. As bees in the hive, you can bring back the pollen, throw it in bwall's script, and reap the honey! More on all this at a later time when the second paper is released. User and community contribution welcomed and encouraged! :)
edit: Just wanted to note, the decoder works on deobfuscating PHP only at the moment. If you need JavaScript eval or packed JavaScript deobfuscation, try http://jsbeautifier.org/ (not owned by or related to this project, but good to bookmark for your own research, and such code might sometimes be embedded in some of the reverse shell codes).
Edited June 16, 2012 by digip
digip Posted June 23, 2012
Bwall set up a lab using the scripts we downloaded from the attackers, simulating an actual botnet using the same scripts the attackers used, only changing all the attack commands in the bot to return dummy data, or static entries, to whatever you want them to be. This video is merely a demonstration though, of how the bots operate (some of them anyway), what to look for, and how to take them down.
Edited June 23, 2012 by digip
bwall Posted June 23, 2012 Author
Bwall set up a lab using the scripts we downloaded from the attackers, simulating an actual botnet using the same scripts the attackers used, only changing all the attack commands in the bot to return dummy data, or static entries, to whatever you want them to be. This video is merely a demonstration though, of how the bots operate (some of them anyway), what to look for, and hot to take them down.
Oh yeah, it's hot to take them down. :P Sorry DigiP, had to play on your typo there. *how
digip Posted June 23, 2012
Oh yeah, it's hot to take them down. :P Sorry DigiP, had to play on your typo there. *how
Damn autocorrect spell checker.. lol
Infiltrator Posted June 24, 2012
Hi Digip,
Just out of curiosity, when you contributed to this project, did you have to do any coding at all, or did you simply assist by researching RFI attacks? I am just finding the whole project very interesting, to be honest! Thanks.
Edited June 24, 2012 by Infiltrator
digip Posted June 24, 2012
I'm not a coder, but it's still a learning experience because I find the RFI scripts and BOT scripts, but also get into the servers running the bots on the victim machines, not so much on the IRC bot networks as bwall demonstrated in his test lab (which is based on real bots we've collected and dissected), but I've tried to get on the actual victim's server itself if it's been compromised by someone, and if possible, remove all running instances of the reverse shell scripts and their running bots, their RFI scripts, as well as all found instances of backdoors and other bot scripts, document all of it, back up the owner's files for them so they can investigate, and I contact the site owners when possible. In many cases I get the host company's abuse department involved, or the group who owns the actual IP range involved, and they help the customer migrate to new hardware and move their files in a safe manner, but in many cases these attacks root everything and can pivot into the host company's servers for "mass defacements" and infections of shared hosts on the server. They use various techniques to hide their running bots; for example, the one I found yesterday started itself as a Perl script, but named itself "sendmail". I could see this in the bot script's startup section, and through netstat -apn, match the established connections with "ps -Af" for the matching PIDs, then killed them all off.
The sendmail one was rather easy because a one-liner script killed all instances of it at the same time via: ps -Af | grep sendmail | awk '{print $2}' | xargs kill
Last night was very interesting, because I found multiple different types of bots, some started in Perl (as mentioned above), and some via PHP which, even after you delete the script, will still be running processes in memory until either the bot kill command is given or you terminate the connection to the IRC network, and I think I managed to kill all of them off, as well as prevent the site owner's vulnerable TimThumb from being attacked again. The exploit to get in is still there in TimThumb, something I cannot edit nor change (nor want to, not my files or server), but I implemented a few security things for them that should, for the most part, make anything the attackers re-upload via TimThumb be inaccessible and return 404 errors no matter how they try to access the files, while leaving the site owner's files intact and working so they can continue to use their WordPress theme, even with the vuln in place. It's been a learning experience, and bwall has really helped me to understand better how the bots work, showing me logs of the bot in the channels, what to look for in them, and I think overall it's been a great collaboration and learning experience for all involved. Not all bots are created equal, and not all bots have kill commands, so you often need to have control of the victim's machine to terminate their connections. We hope to have part two of the paper out as soon as possible to answer more questions on how this all came to be, but right now we're waiting on one of the people we brought in on the project to see what is going to happen with his written part; due to legal issues and association, he may not be able to write anything of his own in the paper due to work restraints.
He has been somewhat of a consultant for us though, a guru of info if you will, and helped give us a place to collaborate on his servers in a private forum, which I think helped to foster brainstorming and ideas that allowed us to speak freely and focus more on the tasks we were tackling. Either way, he will be duly noted in the paper; even if he does not write anything in the paper itself, he has been a great help to us.
Edited June 24, 2012 by digip
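The netstat/ps correlation digip describes above, written out as an added example (not code from the thread or the project). It joins ESTABLISHED sockets from `netstat -apn` to `ps -Af` rows by PID so that a script that renamed itself "sendmail" can be told apart from the real MTA before anything is killed; the `grep sendmail | xargs kill` one-liner would have taken both. The netstat and ps output embedded below is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Constructed samples standing in for `netstat -apn` and `ps -Af` output on a
# compromised shared host. PID 4242 is a Perl bot that renamed itself "sendmail",
# PID 4311 is a bot still showing its script path, PID 1200 is the real MTA.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:44120        198.51.100.7:6667       ESTABLISHED 4242/sendmail
tcp        0      0 192.0.2.10:80           0.0.0.0:*               LISTEN      1001/apache2
tcp        0      0 192.0.2.10:51022        198.51.100.7:6667       ESTABLISHED 4311/perl
tcp        0      0 192.0.2.10:43110        203.0.113.25:25         ESTABLISHED 1200/sendmail'
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root      1001     1  0 10:00 ?        00:00:01 /usr/sbin/apache2 -k start
www-data  4242  1001  0 10:05 ?        00:00:00 sendmail
www-data  4311  1001  0 10:07 ?        00:00:00 perl /tmp/.x/bot.pl
root      1200     1  0 09:58 ?        00:00:00 /usr/sbin/sendmail -bd -q30m'

# suspects NETSTAT_TEXT PS_TEXT
# Prints "PID USER REMOTE CMD" for every ESTABLISHED TCP connection whose process
# either talks to the IRC port (6667) or runs under a bare name with no path:
# a self-renamed script shows up as "sendmail", the real daemon as /usr/sbin/sendmail.
suspects() {
    net_text=$1
    ps_text=$2
    printf '%s\n' "$net_text" |
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
             split($7, p, "/"); split($5, r, ":"); print p[1], $5, r[2] }' |
    while read -r pid remote rport; do
        # Look the PID up in the ps listing: owner is field 1, command starts at field 8.
        info=$(printf '%s\n' "$ps_text" |
               awk -v pid="$pid" '$2 == pid { c = $8; for (i = 9; i <= NF; i++) c = c " " $i; print $1, c }')
        [ -n "$info" ] || continue
        user=${info%% *}
        cmd=${info#* }
        set -- $cmd
        flag=0
        [ "$rport" = 6667 ] && flag=1
        case "$1" in */*) ;; *) flag=1 ;; esac
        if [ "$flag" -eq 1 ]; then
            printf '%s %s %s %s\n' "$pid" "$user" "$remote" "$cmd"
        fi
    done
}

# Run against the samples. On a live box: suspects "$(netstat -apn)" "$(ps -Af)"
suspects "$NETSTAT_SAMPLE" "$PS_SAMPLE"
```

Review the listed PIDs before passing them to kill; the real sendmail (PID 1200, port 25, full path) is left off the list, which is exactly what the grep one-liner does not do.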
digip Posted June 25, 2012
Hi Digip,
Just out of curiosity, when you contributed to this project, did you have to do any coding at all, or did you simply assist by researching RFI attacks? I am just finding the whole project very interesting, to be honest! Thanks.
Part TWO is up - http://ballastsec.blogspot.com/2012/06/insecurity-of-poorly-designed-remote_24.html
bwall Posted June 25, 2012 Author
Part TWO is up - http://ballastsec.bl...-remote_24.html
Here's a video related to the paper. Enjoy :)
Dazzle Posted June 25, 2012
Very interesting project, I'm going to look into this some more when I get the chance! Thanks bwall and digip! :)
bwall Posted July 21, 2012 Author
I'm planning on open-sourcing every part of the project, but I want to see how many people actually want that. So retweet this https://twitter.com/bwallHatesTwits/status/226490924686000128 if you want it open-sourced. You can always mention it here, but retweeting also shows it to more people who may want it open-sourced.
bwall Posted July 28, 2012 Author
https://github.com/bwall/PHP-RFI-Payload-Decoder
The source code for anyone still looking into this project. Probably should have an area for people to post where they have theirs up so people know where to decode payloads.