Spam and All Things Salty: Spambot v2013

Transcription

1 Spam and All Things Salty: Spambot v2013 Jessa dela Torre 1 and Sabrina Lei Sioting 2 1 Forward-Looking Threat Research Team 2 Threat Cleanup and Analysis Team Trend Micro, Inc., Philippines Abstract. This paper will discuss our research on a threat that involves the massive attacks on Wordpress, Joomla and Drupal sites and where they attempt to test the waters on a new spamming cycle. This routine involves different forms of web threats working independently of each other and has posed a challenge when it comes to authentication. We will look into the (1) compromised website, (2) compromised machine, (3) command and control server, the (4) payloads and/or affiliates involved, (5) the telemetry of the data we collected, and(6) how we emulated the threat to milk the server. 1 Introduction In a paper we have previously released, we detailed the malware and spamming routines of Stealrat 3, a new botnet that we have been monitoring. In this paper we will look at the various Content Management Systems (CMS) that are used extensively by the botnet operators as well as the other components that are part of this operation that we have yet to discuss. However, for continuity, we will still include some key points that we have already mentioned before. Stealrat introduced a new spamming technique wherein the communication between the spamming websites and the actual spam server is mediated by a compromised machine. This makes it difficult for spam filters to authenticate s since they come from legitimate sites. While porn still remains to be the primary theme in the spam s they send, we have also seen a spike in s that take excerpts from The Stainless Steel Rat 4 science fiction series, albeit, the subject is still porn-related Stainless Steel Rat

2 Fig. 1. samples One of the ways Stealrat is unique from the other spam botnets is how they have set up their model: there are 2 compromised websites (one does the spamming and the other contains the payload) and a compromised machine. The compromised machine (end-user) will connect to a server to collect spam data and send it over to a compromised website where the will be constructed and sent to the recipient. The contains a link to another compromised website.

3 Fig. 2. Stealrat model In a nutshell, the binary component in the compromised machine connects to several URLs to gather the following data needed to construct the spam Mail server (backup) Sender name Recipient s address template (subject and body) It then sends a POST request to a compromised website where a PHP script builds the actual spam and sends it to the recipient. Detailed descriptions of the malware (binary and PHP) components is in the previous paper under the sections Modules and PHP Scripts 5 and a summary of each component is briefly mentioned below. 2 Content Management Systems During the course of our research, we have found the compromised websites to be running Content Management Systems (CMS). While only a small fraction of Drupal sites are affected, Joomla! and Wordpress comprise of 51% and 19% of the infection, respectively based on our data and may vary with the actual statistics

4 Fig. 3. CMS infection breakdown While we have not determined most of the exploits and vulnerabilities used to gain access to the websites, we looked at these sites and plugins that are commonly compromised and enumerated some of the popular and interesting ones. On some instances, we have also seen some of the exploits used to gain root privilege to webservers running on Linux. One of them is the Abacus exploit which affects Linux kernel versions to and involves a poisoned perf swevent enabled array in a perf event open system call. Fig. 4. Sample abacus exploit snippet and files

5 Once successfully exploited, the other websites hosted in that webserver will be accessible and vulnerable as well. Using the WSO web shell, the attackers can create, view, upload and execute files in all the hosted sites (see image). Fig. 5. Other websites hosted in a webserver 2.1 Joomla! Joomla! is an open source Content Management System coded in PHP and can be modified or expanded functionally by using extensions. Officially, there are 5 different kinds of extensions: Component Plugin Template Modules Languages In Joomla! sites, we found most of the malicious scripts inside the following components directory: com virtuemart com jce com weblinks Com virtuemart Virtuemart 7 is an e-commerce component for Joomla!. It acts as a shopping cart, catalog and payment system for online merchandise. A normal installation contains the following files in the /components/com virtuemart folder: fetchscript.php show image in imgtag.php virtuemart.php 7

6 virtuemart parser.php Fig. 6. Sample compromised com virtuemart directory content Com weblinks Weblinks 8 is Joomla! s component for adding links to a webpage. A normal installation contains the following files in the /components/- com weblinks folder: controller.php router.php weblinks.php Fig. 7. Sample of a compromised com weblinks directory content 8 Weblinks Links

7 Com jce Joomla Content Editor (JCE) 9 is Joomla! s component for editing pages which includes styling and other WYSIWYG tools. A normal installation has the following files in the /components/com jce folder: jce.php popup.php Fig. 8. Sample of a compromised com jce directory content 2.2 Wordpress Similar to Joomla!, Wordpress 10 is also coded in PHP and is a popular blogging tool as well as a Content Management System. In Wordpress sites, we found most of the malicious scripts inside the directory of the following plugins: ˆ tell-a-friend ˆ akismet ˆ tv1/tv1mod Tell-a-friend Tell-a-friend is a Wordpress plugin that allows website visitors to tell their friends about the site by clicking on a button (see image) and sending an to their contact list. A normal installation only has the tell-a-friend PHP file in the /plugins/tella-friend folder plus several image files

8 Fig. 9. Sample of a compromised tell-a-friend directory content Interestingly, with the tell-a-friend plugin, all of the compromised sites we have seen have the tell-a-friend.php file modified and appended with the WSO 2.5 web shell. Fig. 10. Modified tell-a-friend.php Fig. 11. Original tell-a-friend.php

9 Akismet Ironically, Akismet 11 is a Wordpress plug-in for spam filtering, although it is for the comments section only. A normal installation has the following files in the /plugins/akismet folder: admin.php akismet.css akismet.gif akismet.js akismet.php widget.php Fig. 12. Sample of a compromised Akismet directory content TV1 The most intriguing plugin we have seen is TV1. According to the Wordpress site, there is no plugin named TV1. In most of the sites we checked, aside from the malicious files, there are always the following PHP scripts in the /plugins/tv1 folder: class-wp-importer-cron.php tumblr-importer.php These scripts (see image below) are part of the tumblr-importer plugin which imports a Tumblr blog to a Wordpress blog. 11

10 Fig. 13. Tv1 directory content 3 The Malware Aside from exploiting CMS-run websites, another important aspect of Stealrat is the array of malware in its arsenal. While we have seen other components associated with this campaign, we will only look at those directly involved in its spamming routine. This section will briefly describe these components. A more detailed analysis of each component is discussed in our previous paper. 3.1 The Downloader (Mutator/Rodecap) Rodecap, or Mutator (according to its PDB debug string) downloads the SmMgr component from a specified URL. What has made Mutator interesting is its method of connecting to the C&C server to get its download instructions. One of its variants would connect to the mail servers of what seems like innocently named sites (eg. lyrics-db.org) and after a connection has been established, it would modify the hostname in the HTTP header to google.com. Its initial check-in to the C&C follows the format below: protocol.php?p=[volume serial number]&d=[b64 encoded string] 3.2 The Collector (SmMgr/Symmi) Symmi, or SmMgr (according to its PDB debug string), is the component that downloads the spam data (which includes the sender name, subject and body) and the list of addresses to send the spam to. It then encrypts this information and sends it to the compromised websites. One interesting aspect about SmMgr (at least for the versions that we analyzed) is that it for every successful or failed function, it will send a debug string via UDP to what we call the Testing or Debug server.

11 Recently, we have also seen a Linux version of SmMgr (ELF file). It checks for some Linux environment variables if present in the system. The values found in these variables are used as parameters to the link where this malware will connect to. It will connect to a URL (spam server) which contains the addresses where the spam mails are sent. Similar to its Windows counterpart, the URL has the following format: It also possibly connects to other URL where the configuration, spam mail data, format and compromised page is given. It will send the spam mail which is B64 encoded to a compromised page via POST request. If all parameters in the POST request are correct the site replies the string OKe807f1fcf82d132f9bb018ca6738a19f+0. Then it is up to the compromised page to send the spam mail. 3.3 The Spammer (PHP script) Downloaded as Sm[number]e.php, this PHP script receives the spam template from SmMgr and constructs the spam that will be sent to the recipients. By default, the script uses the compromised site s mail server, but has a backup server included in the spam data which is typically Google (Gmail). 12 This script comes in multiple and different file names and the number of scripts usually vary in each site. 4 Command and Control Over time, the operators have moved the C&C to several domains scattered across several IP addresses. It seems that they are using a single domain structure and just copy the entire thing when moving to different domains (see image) current domains are circled in RED

12 Fig. 14. Domains and IPs associated with Stealrat Communications with the C&C vary among the components and done via TCP or UDP. Though implemented, the various encryption methods are simple and not overly complicated. Detailed description of each method is discussed in the Malware and Network Communication section of the previous paper. 5 Payloads and Affiliations The links embedded in the s are compromised sites injected with several HTML pages that are frequently updated. These pages range from pornography to online pharmacy. 5.1 Porn Pornography is still the main theme of Stealrat s payload. Fig. 15. Sample payload page Once the page loads, it will redirect to another compromised webpage that has been planted with pornographic links and images.

13 Fig. 16. Sample compromised webpage injected with porn 5.2 Online Pharmacy Another common landing page is an online pharmacy site, particularly doctorpied.com (previous sites were doctorpot.com and doctoregpg.com). Fig. 17. Online pharmacy site Interestingly, doctorpied.com is registered by the address which also registered several other online pharmaceutical sites that we have attributed to a certain actor. While we have not yet determined their exact rela-

14 tionship, we are not discounting the possibility that the same actor is involved here. Fig. 18. Pharma domains and IPs associated with 6 Telemetry We have been monitoring this botnet intermittently since mid-april of 2013 and so far we have recorded about 215,000 websites that have been, at one point or another, compromised. Some of these websites had not denied directory listings, so we were able to view their files and contents. Using the access logs and data available from 3 random sites, we compiled and averaged some of the information we know about this threat. Although 3 out of 215,000 may not glean a good representation of the entirety of this operation, at the very least, we hope to get a glimpse and estimate its size. Fig. 19. Geographic distribution of the IP addresses that connected to the 3 compromised websites

15 Table 1. Average content of the 3 random compromised websites Description Average Number Spam mailer scripts (PHP) 4 Spam s sent on a single date (Sep 21, 2013) 1, Unique IPs (end-users) that sent spam data on a single date (Sep 21, 2013) 1, Currently, there are about 17 million addresses that get periodic spam s from these sites. 7 Emulation To uncover a significant part of this operation, we emulated the binary (SmMgr) responsible for collecting the spam data and sending it over to a compromised website. Every 10 seconds, this binary spawns a thread that will perform these processes. We created several scripts to download and decode (see appendix) the following: recipients spam template website to post the spam data to 8 Conclusion While it is relatively small compared to the more established botnets such as Asprox 14 and Pushdo 15, its spam cycle is one of the ways that makes Stealrat unique. Its operators used compromised sites to send out spam. They also used compromised machines but only as mediators between the compromised sites and the spam server. This allowed them, in a way, to cover their tracks, as they left no clear evidence of a connection between the sites and their server. Another interesting characteristic is that they also attempted to mask their network traffic by modifying its HTTP header to make it seem like they are accessing normal domains. This shows the operators resiliency in adapting to the security enforced in networks and their attempt to stay under the radar for as long as possible. While compromising websites to send out spam is not a new technique, we believe that this particular botnet is worth a look not just because of the volume of spam it has managed to send out but because of the subtle and gradual

16 improvement of their methods. The StealRat botnet is a perfect example of determined operators who will try anything to thwart the security defenses. A Appendix A.1 MD5 of Hashes Mutator/Rodecap Symmi/SmMgr ELF PHP scripts MD bb4957d552dec81c2c288c f5e93efec7c87b97e bb 60acc7b343e51e61f240e66ca9a c689488d9f7e6ddb7de45dd4e2bb1 6d478471ed054e5d2f9436ba8c770f06 49a7ef24fd ee7d1b8b 10ce473a1d7acd67e15a798f5f495c1e 19e26ea780139c92691d372a3ac9c663 a3bcbf239b15262f5a7e8fe264d5edd1 9faf609654db710587c40542f181bdf6 79f bbf88f9fd137fe e831f73b7f20e3e0e ce095ab289e7dbc aab1b 3c039993b98103a1c974e6cd64d3bbef 59b b5ad8b98f696c0f4eee c06ac0e77f889ab4d11cf1659e95 95d565d d9db f1bd556eb165a3ae0f887e7e1831d00 345b4a2f59aeb6e50c00fbaa7aa8130b 1c5a24297a6631b95afadc39b84e dce7e1309dd09df0998f7c5be8219 bedbb698bf2fb05394fd831efab2d091 44f200ad1e561ec6a533521c4cb865b6 d098b b08b7c4a27d0769b6079 aa e1a8008a61cbf01b5df2 11dfd5daa3359fe6967fe69e2413e59d c6c5886b685d2d33f7be0704ba5da951 e a82beb775faa e0 a6752df85f35e6adcfa724eb5e15f6d0 9b6d87c50b58104e204481c580e630f1 d3c35d2fe48d8767fbb32c6ef974e26a 6fdd4a5f517b0faead39a681e62c86f1 A.2 Sample Decryption Script (decrypt.py) #! / usr / bin /env python import s t r i n g

17 import base64 import b i n a s c i i import sys import ctypes import o p e r a t o r i f ( l e n ( sys. argv ) < 3 ) : #Usage : #dec. py <type> <f i l e > # #Type : #1 Config f i l e #2 UDP t r a f f i c #3 address l i s t #4 Spam template # #Output : <f i l e >. dec sys. e x i t else : encrypted = sys. argv [ 2 ] source = open ( encrypted, rb ) s1 = source. read ( ) source. c l o s e ( ) s r c l e n = l e n ( s1 ) i f ( sys. argv [ 1 ] == 1 ) : DecConfig ( s1, s r c l e n ) i f ( sys. argv [ 1 ] == 2 ) : DecUDPTraffic ( s1, s r c l e n ) i f ( sys. argv [ 1 ] == 3 ) : Dec List ( s1, s r c l e n ) i f ( sys. argv [ 1 ] == 4 ) : Dec Template ( s1, s r c l e n ) i f ( s1 ) : out = open ( encrypted+. dec, wb ) out. w r i t e ( b i n a s c i i. u n h e x l i f y ( s1 ) ) out. c l o s e ( ) def DecConfig ( s1, s r c l e n ) : c t r = 0 ptr = 0

18 while True : i f ( c t r < s r c l e n ) : d1 = s1 [ ptr ]. encode ( hex ) val = hex ( i n t ( d1, 16) 1) ab = val [ + 2 : ] i f ( l e n ( ab ) == 1 ) : ab = 0 + ab s1 = s1 [ : ptr ] + ab + s1 [ ptr +1:] ptr = ptr + 2 c t r = c t r + 1 else : break def DecUDPTraffic ( s1, s r c l e n ) : c t r = 0 ptr = 0 while True : i f ( c t r < s r c l e n ) : d1 = s1 [ ptr ]. encode ( hex ) val = hex ( i n t ( d1, 16) ˆ 12) ab = val [ + 2 : ] i f ( l e n ( ab ) == 1 ) : ab = 0 + ab s1 = s1 [ : ptr ] + ab + s1 [ ptr +1:] ptr = ptr + 2 c t r = c t r + 1 else : break def Dec List ( s1, s r c l e n ) : ptr = s r c l e n 1 c t r = 0 while True : i f ( c t r < s r c l e n ) : d1 = s1 [ ptr 1]. encode ( hex ) d2 = s1 [ ptr ]. encode ( hex ) i f ( ptr == 0 ) : val = hex (18 ˆ i n t ( d2, 16)) else : val = hex ( i n t ( d1, 16) ˆ i n t ( d2, 16)) ab = val [ + 2 : ] i f ( l e n ( ab ) == 1 ) : ab = 0 + ab s1 = s1 [ : ptr ] + ab + s1 [ ptr +1:] ptr = ptr 1

19 c t r = c t r + 1 else : break def Dec Template ( s1, s r c l e n ) : s1 = base64. b64decode ( s1 ) s r c l e n = l e n ( s1 ) ptr = 0 c t r = 0 while True : i f ( c t r < s r c l e n ) : d1 = s1 [ ptr ]. encode ( hex ) val = hex ( i n t ( d1, 16) ˆ 2) ab = val [ + 2 : ] i f ( l e n ( ab ) == 1 ) : ab = 0 + ab s1 = s1 [ : ptr ] + ab + s1 [ ptr +1:] ptr = ptr + 2 c t r = c t r + 1 else : break