Cyphort Labs detected an infection at the website of ISC (Internet Systems Consortium, Inc.). ISC is the organization behind the development and distribution of the widely used name server software, BIND. It also operates critical Internet infrastructure in the form of the F-root name server, one of the 13 Internet root name servers that power the global Internet.
ISC was notified by email of the infection on Dec 22, and on Dec 23 their website was cleaned up from infection and replaced by a static page below.
ISC uses WordPress platform to host its website and blog. The main page has been modified to inject the root of the web infection chain. The initial injection redirects web browsers to a landing page of Angler Exploit Kit. Angler EK usually serves many different exploits.In this case we observed IE, Flash and Silverlight exploits. If exploitation is successful, the exploit will continue to download and execute a malicious binary in-memory.
The infection chain looks as depicted below:
The initial starting point for the infection is a web infection in the main page of www.isc.org.
The next stage is a series of HTTP redirects, the final one landing on the main page of the Angler Exploit kit (snail0compilacion.localamatuergolf.com/4ddlt97uyu.php).
The actors continuously shift their Exploit Kit domain name servers at regular intervals. We have seen several more websites serving the same web content:
– snail0compilacion.localamatuergolf.com (18.104.22.168)
– symbolology-rumperis.prairievillage.info (22.214.171.124)
– zapalny.placerosemere-ideescadeaux.ca (126.96.36.199)
– chambouler.mygiftback.com (188.8.131.52)
Cyphort Labs researchers are still in the process of analyzing the Silverlight and flash exploits which exploit a known IE vulnerability (CVE-2013-2551). Angler EK is known to perform file-less injection (memory-based malware where nothing is written to disk).
The initial IE exploit is obfuscated just like any other Angler EK initial infection page. After de-obfuscating the initial page, we can see some security/VM product detection code. After that the exploit enumerates plugin versions. If it finds a vulnerable IE, it will exploit it first.
After the vulnerability is exploited, the initial shellcode de-obfuscates the next stage of the shellcode using the following logic:
The second stage shellcode finds windows APIs using an API hash technique and downloads the binary from the server. After the download, it starts decrypting it using the logic below (the key is stored in variable ‘P2X20’ in the JS script):
Once it decodes the downloaded binary, the decision to save and launch or continue executing the payload depends on the first few bytes of the downloaded binary:
In this particular incident, it is decided to continue executing the shellcode that is part of the downloaded binary. The shellcode that is part of the downloaded binary loads the binary in fileless mode. It has two different versions of the file: one for 32-bit and another for 64-bit OS. There is one clever trick used in this shellcode: even if you dump the file from the memory, the hash of the loaded binary will be different each time you load the exploit.
The reason behind this file hash difference is a few modified fields in the PE Optional Header. It stores the dynamically allocated buffer address as part of PE Optional Header. This trick modifies the file hash each time you load the exploit.
Both embedded binaries are DLL files. These are the hashes of these binaries before the modifications mentioned above. Both IE and Silverlight exploits drop the same binary.
MD5: 38f583da8bc6e3d09799c88213206f14 (32-bit)
MD5: deacb2e37746ec97ac199e28e445c123 (64-bit)
The 64-bit DLL has the following exports:
The 32-bit DLL has the following exports:
Special thanks to Alex Burt and the Cyphort Labs team for their help in the discovery and analysis of this compromise.
Update – Posted on Dec 30, 2014
As part of our ongoing investigation into the recent ISC web site compromise, and in collaboration with ISC, we have obtained and analyzed the following script files which were part of this compromise:
|wpinstall – Copy.php||3319DE186EF43A33E88358F307D66A05|
The file “class-wp-xmlrpc.php” is of particular interest. It is heavily obfuscated as shown below:
Executing this php script will display a login prompt asking for a ‘root’ password:
Once logged in, it will display the following interface:
This interface will effectively give the attacker control over your infected web server.
The attacker can:
- Open a shell.
- Upload and execute files.
- Read and write files.
- Create files and directories.
- List files.
- Open SQL databases.
- Execute PHP code.
- Kill Self (delete itself).
- List security information of your server including:
- user accounts.
- account settings.
- database versions.
- php version.
- server software.
- drives and available space.
There is indication that this script is built using publicly available software as evidenced by the presence of comments like:
Explaining the code: http://stackoverflow.com/questions/3328235/how-does-this-giant-regex-work
Pastebin code: http://pastie.org/1058996
Other files of interest include: “wpinstall – Copy.php” and “wp-admin\options-admin.php”.
Aside from being the installer which prepares and copies the component files, the following code was also found in the file wpinstall – Copy.php:
This script attempts to inject code into footer.php. The injected code accesses the external link wpcache-blogger.com and returns a malicious iframe link to be displayed for the user.
The script wp-admin\options-admin.php acts as a proxy server. It accepts base64 encoded GET and POST requests and redirects the traffic to the following url:
Both transfer.activelyblogging.com and wpcache-blogger.com have the same IP address:
|Location||United Kingdom (GB)|
This exploit is very dangerous as it affects both the web site and its visitors. Given the backdoor’s capabilities, there is a high probability that sensitive information is exfiltrated, including your login accounts, database contents and other sensitive files stored on the server.
Others have reported that this malware campaign is exploiting a vulnerability in WordPress Slider Revolution plugin. The attacker is using a technique called Local File Inclusion (LFI) attack which allows them to download a local file from the server. For example, the attacker can download the file wp-config.php which contains database credentials. In addition to ISC, this attack seems to be affecting thousands of websites. We recommend owners and admins of websites using wordpress or joomla to scan their web servers for the files mentioned above. The following YARA signatures can also be used to scan your system.
rule php_backdoor_shell : php
$string1 = “FilesMan” nocase
$string2 = “preg_replace(“
$string3 = “5b19fxq30jD8d/wp5C3tQoMx4CQnxYY4cezEebFTvyRp4tx0gQW2Xli6u5i4qb/7PTN6WWlfME57r”
$string4 = “<?php”
all of ($string*)
rule php_backdoor_install : php
$string1 = “code_inject_sape” nocase
$string2 = “eval(base64_decode(\”ZnVuY3Rpb24gZmlsZV9nZXRfY29udGVudHNfY3VybCgkdXJsKSB7CiAkY2ggPSBjdXJsX2luaXQoKTsKIGN1cmxfc2V0b3B0KCR”
$string3 = “<?php”
all of ($string*)
rule php_backdoor_proxy : php
$string1 = “transfer.activelyblogging.com/httpsproxy/index.php” nocase
$string3 = “<?php”
all of ($string*)
When a site is found to be compromised, it is recommended to restore it to a clean state from a backup. It is also recommended to change passwords and make sure WordPress and its plugins are updated to the latest versions.