
Internet Systems Consortium’s ISC.org infected

Posted on December 23rd, 2014 by McEnroe Navaraj

Cyphort Labs detected an infection at the website of ISC (Internet Systems Consortium, Inc.). ISC is the organization behind the development and distribution of the widely used name server software BIND. It also operates critical Internet infrastructure in the form of the F-root name server, one of the 13 root name servers that power the global Internet.

ISC was notified of the infection by email on Dec 22; on Dec 23 the website was cleaned of the infection and replaced with the static page shown below.

[Screenshot: the static page that replaced www.isc.org after cleanup]


Infection Details

ISC hosts its website and blog on the WordPress platform. The main page had been modified to inject the root of the web infection chain. The initial injection redirects web browsers to a landing page of the Angler Exploit Kit. Angler EK usually serves many different exploits; in this case we observed IE, Flash and Silverlight exploits. If exploitation is successful, the exploit goes on to download and execute a malicious binary in memory.

The infection chain looks as depicted below:

[Diagram: the infection chain]

The initial starting point for the infection is a web infection in the main page of www.isc.org.

[Screenshot: the injected code on the www.isc.org main page]

The next stage is a series of HTTP redirects, the final one landing on the main page of the Angler Exploit Kit (snail0compilacion.localamatuergolf.com/4ddlt97uyu.php).

The actors shift their Exploit Kit domain names at regular intervals. We have seen several more websites serving the same web content:
– snail0compilacion.localamatuergolf.com (5.196.41.3)
– symbolology-rumperis.prairievillage.info (5.196.41.3)
– zapalny.placerosemere-ideescadeaux.ca (95.211.226.158)
– chambouler.mygiftback.com (5.196.41.3)

Cyphort Labs researchers are still analyzing the Silverlight and Flash exploits; the IE exploit targets a known IE vulnerability (CVE-2013-2551). Angler EK is known to perform file-less injection (memory-based malware where nothing is written to disk).

The initial IE exploit is obfuscated like any other Angler EK landing page. After de-obfuscating the page, we can see some security/VM product detection code, after which the exploit enumerates plugin versions. If it finds a vulnerable IE, it exploits it first.

[Screenshot: de-obfuscated landing page with security/VM product detection code]

After the vulnerability is exploited, the initial shellcode de-obfuscates the next stage of the shellcode using the following logic:

[Screenshot: first-stage shellcode de-obfuscation logic]

The second-stage shellcode resolves Windows APIs using an API-hashing technique and downloads the binary from the server. After the download, it decrypts the binary using the logic below (the key is stored in the variable ‘P2X20’ in the JS script):

[Screenshots: second-stage shellcode decryption logic]

Once it decodes the downloaded binary, the decision to save and launch or continue executing the payload depends on the first few bytes of the downloaded binary:

[Screenshot: check on the first bytes of the downloaded binary]

In this particular incident, the shellcode continues by executing the shellcode embedded in the downloaded binary. That embedded shellcode loads the binary in fileless mode. It carries two versions of the file: one for 32-bit and another for 64-bit OS. There is one clever trick in this shellcode: even if you dump the file from memory, the hash of the loaded binary is different each time you load the exploit.

The reason for the hash difference is a few modified fields in the PE Optional Header: the shellcode stores the dynamically allocated buffer address in the PE Optional Header, which changes the file hash each time the exploit is loaded.

[Screenshot: the modified PE Optional Header fields]
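As an added illustration (not Cyphort's code), the following Python shows why a memory dump of such a DLL hashes differently on every load and how a defender can still derive a stable hash: it assumes the rewritten field is ImageBase, the natural place for a reflective loader to record the buffer it mapped the DLL into (the post does not name the field), and the PE headers it hashes are constructed minimal headers, not the real samples.

```python
import hashlib
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def image_base_field(pe32plus):
    """(offset within the Optional Header, struct format) of ImageBase per the PE spec."""
    return (24, "<Q") if pe32plus else (28, "<I")


def build_min_pe(image_base, pe32plus=False):
    """Constructed minimal PE header (not loadable) standing in for a dumped DLL."""
    opt_size = 112 if pe32plus else 96
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: NT headers at offset 64
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2000)  # 0x2000 = IMAGE_FILE_DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    off, fmt = image_base_field(pe32plus)
    struct.pack_into(fmt, opt, off, image_base)    # the field a loader rewrites (assumption)
    return bytes(dos + coff + opt)


def raw_md5(data):
    """Plain MD5 of the image as dumped: changes whenever ImageBase changes."""
    return hashlib.md5(data).hexdigest()


def normalized_md5(data):
    """MD5 with ImageBase zeroed, so a rewritten load address no longer changes the hash."""
    buf = bytearray(data)
    nt = struct.unpack_from("<I", buf, 0x3C)[0]
    opt_start = nt + 4 + 20                        # after PE signature and COFF header
    magic = struct.unpack_from("<H", buf, opt_start)[0]
    off, fmt = image_base_field(magic == PE32PLUS_MAGIC)
    struct.pack_into(fmt, buf, opt_start + off, 0)
    return hashlib.md5(buf).hexdigest()
```

The same normalization applies to any other header field a loader rewrites; the point is to hash a canonical form, not the bytes as they sit in memory.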


Both embedded binaries are DLL files. Below are the hashes of these binaries before the modifications mentioned above. Both the IE and Silverlight exploits drop the same binary.

MD5: 38f583da8bc6e3d09799c88213206f14 (32-bit)
MD5: deacb2e37746ec97ac199e28e445c123 (64-bit)

The 64-bit DLL has the following exports:
AtTwo
BothCase
IsAroundMustSyntax
LineNames
ThereForAboveColumnLearn
TruthFileIs
WithinFor

The 32-bit DLL has the following exports:
StartMustValueTrailing
ThatRecognisedOptionHeader
WithinShareMustTheFile
YouLeastBrokenIntoDefining


Special thanks to Alex Burt and the Cyphort Labs team for their help in the discovery and analysis of this compromise.

Update – Posted on Dec 30, 2014

As part of our ongoing investigation into the recent ISC web site compromise, and in collaboration with ISC, we have obtained and analyzed the following script files which were part of this compromise:

Filename                        MD5 Hash
class-wp-xmlrpc.php             00D1050E6BCFC507167DFD7D9A12BD96
frommshead.php                  2E802CDF289E2FDA6ACED385B5F3B063
wpinstall – Copy.php            3319DE186EF43A33E88358F307D66A05
wp-options.php                  26E68B9695CCC85F813FF954D5CD8E18
xmlrpc.php                      865841ACB73EA8EDEBF10F761AF976E6
wp-admin\class-wp-index.php     787039CCC1F4A42248089F5188E7B6D2
wp-admin\ms-head.php            331A685915DEDE3D796DB9EDEAB8834E
wp-admin\options-admin.php      9863142B18DC65C5B85E5117C28A4351


The file “class-wp-xmlrpc.php” is of particular interest. It is heavily obfuscated as shown below:

[Screenshot: the obfuscated class-wp-xmlrpc.php]

Executing this PHP script displays a login prompt asking for a ‘root’ password:

[Screenshot: the backdoor's login prompt]


Once logged in, it will display the following interface:

[Screenshot: the backdoor's console interface]


This interface effectively gives the attacker full control over the infected web server.

The attacker can:

  • Open a shell.
  • Upload and execute files.
  • Read and write files.
  • Create files and directories.
  • List files.
  • Open SQL databases.
  • Execute PHP code.
  • Kill Self (delete itself).
  • List security information of your server including:
    • user accounts.
    • account settings.
    • database versions.
    • php version.
    • server software.
    • drives and available space.


There are indications that this script was built from publicly available code, as evidenced by comments such as:

/*

Explaining the code: http://stackoverflow.com/questions/3328235/how-does-this-giant-regex-work

Pastebin code: http://pastie.org/1058996


Other files of interest include: “wpinstall – Copy.php” and “wp-admin\options-admin.php”.

Besides acting as the installer that prepares and copies the component files, wpinstall – Copy.php also contains the following code:

[Screenshot: injection code found in wpinstall – Copy.php]


This script attempts to inject code into footer.php. The injected code contacts the external site wpcache-blogger.com and receives a malicious iframe link, which is then displayed to the visitor.

[Screenshot: the code injected into footer.php]

The script wp-admin\options-admin.php acts as a proxy server. It accepts base64-encoded GET and POST requests and redirects the traffic to the following URL:

Both transfer.activelyblogging.com and wpcache-blogger.com have the same IP address:

IP address:   93.179.68.167
Description:  Ilyushenko Vladimir
Location:     United Kingdom (GB)
Registry:     RIPE

This attack is particularly dangerous because it affects both the web site and its visitors. Given the backdoor’s capabilities, there is a high probability that sensitive information has been exfiltrated, including your login accounts, database contents and other sensitive files stored on the server.

Others have reported that this malware campaign exploits a vulnerability in the WordPress Slider Revolution plugin. The attackers use a Local File Inclusion (LFI) attack, which allows them to download a local file from the server; for example, they can retrieve wp-config.php, which contains the database credentials. In addition to ISC, this attack appears to affect thousands of websites. We recommend that owners and administrators of websites running WordPress or Joomla scan their web servers for the files mentioned above. The following YARA signatures can also be used to scan your system.

rule php_backdoor_shell : php
{
    strings:
        $string1 = "FilesMan" nocase
        $string2 = "preg_replace("
        $string3 = "5b19fxq30jD8d/wp5C3tQoMx4CQnxYY4cezEebFTvyRp4tx0gQW2Xli6u5i4qb/7PTN6WWlfME57r"
        $string4 = "<?php"
    condition:
        all of ($string*)
}

rule php_backdoor_install : php
{
    strings:
        $string1 = "code_inject_sape" nocase
        $string2 = "eval(base64_decode(\"ZnVuY3Rpb24gZmlsZV9nZXRfY29udGVudHNfY3VybCgkdXJsKSB7CiAkY2ggPSBjdXJsX2luaXQoKTsKIGN1cmxfc2V0b3B0KCR"
        $string3 = "<?php"
    condition:
        all of ($string*)
}

rule php_backdoor_proxy : php
{
    strings:
        $string1 = "transfer.activelyblogging.com/httpsproxy/index.php" nocase
        $string3 = "<?php"
    condition:
        all of ($string*)
}
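Added example (not Cyphort's code): a small Python scanner that applies the indicators from this update, the filenames and MD5s in the table above and plain-string forms of the three YARA rules, to a WordPress web root. It treats xmlrpc.php as a hash-only indicator because that filename is a legitimate core file; a name hit alone is a lead to inspect, not proof of compromise.

```python
import hashlib
import os

# MD5s from the table above, lower-cased. xmlrpc.php is a legitimate WordPress
# core file, so it is matched by hash only, never by name.
KNOWN_MD5 = {
    "00d1050e6bcfc507167dfd7d9a12bd96", "2e802cdf289e2fda6aced385b5f3b063",
    "3319de186ef43a33e88358f307d66a05", "26e68b9695ccc85f813ff954d5cd8e18",
    "865841acb73ea8edebf10f761af976e6", "787039ccc1f4a42248089f5188e7b6d2",
    "331a685915dede3d796db9edeab8834e", "9863142b18dc65c5b85e5117c28a4351",
}
# Filenames from the table that are not part of a stock WordPress install.
SUSPICIOUS_NAMES = {
    "class-wp-xmlrpc.php", "frommshead.php", "wpinstall – Copy.php",
    "wp-options.php", "class-wp-index.php", "ms-head.php", "options-admin.php",
}
# Plain-string forms of the YARA rules: every string of a rule must be present
# ("all of"). All matching is case-insensitive and the base64 fragments are
# left out, so this is slightly looser than the rules themselves.
CONTENT_RULES = {
    "php_backdoor_shell": (b"<?php", b"filesman", b"preg_replace("),
    "php_backdoor_install": (b"<?php", b"code_inject_sape"),
    "php_backdoor_proxy": (b"<?php", b"transfer.activelyblogging.com/httpsproxy/index.php"),
}


def classify(name, body):
    """Reasons a file with this basename and content matches the kit's indicators."""
    reasons = []
    if hashlib.md5(body).hexdigest() in KNOWN_MD5:
        reasons.append("known_hash")
    if name in SUSPICIOUS_NAMES:
        reasons.append("suspicious_name")
    if name.endswith(".php"):
        text = body.lower()
        for rule, needles in CONTENT_RULES.items():
            if all(n in text for n in needles):
                reasons.append(rule)
    return reasons


def scan_webroot(root):
    """Walk a web root; map relative path -> reasons for every flagged file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as f:
                reasons = classify(fn, f.read())
            if reasons:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return report
```

Run scan_webroot on a copy of the site taken before cleanup so the findings survive the restore from backup.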

When a site is found to be compromised, it is recommended to restore it to a clean state from a backup. It is also recommended to change passwords and make sure WordPress and its plugins are updated to the latest versions.
