Defcon talk: Down the rabbit hole – Exposing a criminal server by Iftach Ian Amit
This talk described the investigation of a criminal server. But how do you start such an investigation?
The speaker noticed that the same malware turned up on two compromised sites he investigated, which suggested a relationship between the two. Both sites called back to a URL on the hostname gwtsdjeni.com. The naming scheme of the site pointed to a Torpig site, with one single deviation: the name contained an extra "d" before the word "jeni". So this looked like a modified version of the Torpig network.
The researchers investigated the command and control website and stumbled on the file en.php, which turned out to be a copy of a PHP shell. That would have given them every opportunity to break into the site and start a full investigation. Unfortunately, this is the point where you start "dancing with lawyers".
Investigating a site or server for which you do not have permission is tricky business. Finding the PHP shell raised the question whether any law had already been broken, and if not, whether you can continue at all. What can and can't you do? Are you allowed to go any further? The ground rules: don't hack, don't guess, don't do privilege escalation. Any information that is not protected can be used. Luckily, a plain-text list of accounts and passwords was on the system.
The system was packed with all kinds of “interesting stuff”:
• Neosploit
• Automated FTP iframe injection
• phpMyAdmin
• Truck full of Trojans
• AWStats logs
• Setup instructions
• Mail backend
• /mc366 – filled with OpenVPN certificates
• Huge list of cPanel credentials
• Some more utilities and exploits
Let's look at these in more detail.
FTP iFramer is an automated web server attacker: it uses FTP access to hosted sites to inject iframes into their pages. A log file showed that it had been used in break-in attempts against over 200k users. There were also multiple result logs from different users of the tool, indicating that the server was leased to at least three separate criminal groups.
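As an added example (not code from the talk or from the tool it describes), here is a small scanner for the kind of injection an FTP iframer leaves behind: an iframe appended to a page that loads from an off-site host and is sized to 0 or 1 pixel or hidden by inline style. The sample page, the site name shop.example.com and the loader hostname are constructed for the example; the size and style heuristics are an assumption about how such injections are typically hidden.

```python
"""Find iframes that look injected by an automated FTP "iframer".

Added example, not code from the talk. The sample page below is constructed.
Heuristic (assumption): an iframe whose src points off-site and that is sized
to <= 1px or hidden by inline style is reported; everything else is left alone.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _at_most_one_px(value):
    """True for width/height values such as '0', '1', '1px', '0%'."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_injected_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that look like injected loaders.

    site_host: the host the page legitimately belongs to. Frames loading from
    it, or from a relative URL, are not flagged even when hidden, because
    first-party tracking pixels look exactly like that.
    """
    collector = _IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        # urlparse also resolves protocol-relative "//host/path" sources.
        host = (urlparse(src).hostname or "").lower()
        if not host or host == site_host.lower():
            continue
        reasons = []
        if _at_most_one_px(attrs.get("width", "")) or _at_most_one_px(attrs.get("height", "")):
            reasons.append("sized to <= 1px")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by inline style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a shop page with a legitimate visible embed, a first-party
# tracking pixel, and two loader frames appended after </html> the way an
# automated injector typically does it.
SAMPLE_PAGE = """<html><body>
<h1>Shop</h1>
<iframe src="https://www.example.com/player/42" width="560" height="315"></iframe>
<iframe src="/stats/pixel.html" width="1" height="1"></iframe>
<p>Thanks for visiting.</p>
</body></html>
<iframe src="http://loader.example.net/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//loader.example.net/in.cgi?4" style="display:none"></iframe>
"""


def scan_sample():
    """Run the scanner over the constructed page; returns the two loader frames."""
    return find_injected_iframes(SAMPLE_PAGE, "shop.example.com")


if __name__ == "__main__":
    for src, reasons in scan_sample():
        print(src, "->", ", ".join(reasons))
```

Run over a mirrored site, the same function applied file by file gives a list of injected sources to block and a list of files to clean; the visible third-party embed is deliberately not reported, so the output stays short enough to act on.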
Neosploit is THE "rock star" of crimeware toolkits.
v1 – Offered a very solid platform for exploitation. Single user.
v2 – Built on version 1. Multi-user support, runs like a software-as-a-service (SaaS) platform and has enhanced reporting.
v3 – Full license model and enforcement, ROI reporting on attack success, and will only run through a very specific SOCKS proxy.
The current Neosploit platform has a full-featured installer that is nearly idiot-proof. It auto-updates and adapts to the demands of the criminal "market": attacks with a low success rate get phased out while fresh, often 0-day, attacks get pushed.
All in all, you can see that malware is getting really advanced. There is a professional, mature market for these types of programs.
The setup instructions were found in a Word document. They were very detailed and specific. Unfortunately the document was in Russian, which is encountered very often. According to the speaker you should "Always keep a Russian speaker handy in your research team".
The research clearly yielded a lot of data, but what do you do with it? The data was pushed to CERT/CC because of the international nature of the compromises. CERT/CC was highly responsive and very helpful, and took it upon themselves to help notify the infected parties.
Some applications on the server were protected by means of an .htaccess file, which gave real insight into the inner workings of these criminal networks. Using the IP addresses in the .htaccess files, the CERT was able to identify ties to criminal networks in DC, Newark, Denmark and Russia: proof that H*Commerce really exists.
Cyber warfare ties in as well. The FTP iFramer is also programmed to gather "other" interesting content such as PDFs, Word documents and Excel sheets. One of the screenshots found was of a map screen showing positions of F-16Ds, Apaches and radio towers, including a full log of their positions.
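The .htaccess files are worth a closer look because the addresses an operator whitelists for his own panel are the most reliable attribution data on such a box. As an added example (not code from the talk), the following parser pulls those allow-lists out of Apache 2.2 style "Allow from" directives and 2.4 style "Require ip" directives, and checks log-derived addresses against them. The .htaccess text, hostnames and addresses below are constructed for the example.

```python
"""Pull the operator IP allow-lists out of Apache .htaccess files.

Added example, not code from the talk. The .htaccess text below is constructed.
Handles both the Apache 2.2 'Allow from' form and the 2.4 'Require ip' form;
'Allow from all' / 'Require all granted' are reported as 0.0.0.0/0 so that a
panel left open to the world shows up instead of vanishing from the output.
"""
import ipaddress
import re

SAMPLE_HTACCESS = """\
# control panel - operators only (constructed sample)
AuthType Basic
Order deny,allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24 203.0.113.77 admin.example.org
# 2.4-style block copied in by a later operator
<RequireAny>
    Require ip 192.0.2.5 192.0.2.0/28
    Require not ip 192.0.2.9
</RequireAny>
"""

_ALLOW = re.compile(r"(?i)^(?:allow\s+from|require\s+ip)\s+(.+)$")
_OPEN = re.compile(r"(?i)^(?:allow\s+from\s+all|require\s+all\s+granted)$")


def _to_network(token):
    """Map an Apache address token to an ip_network.

    Apache also accepts a partial dotted address such as '10.1', meaning every
    address whose first octets are 10.1; that is expanded to 10.1.0.0/16.
    Anything that is not an address (a hostname) raises ValueError.
    """
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    parts = token.split(".")
    if 0 < len(parts) < 4 and all(p.isdigit() for p in parts):
        padded = ".".join(parts + ["0"] * (4 - len(parts)))
        return ipaddress.ip_network(f"{padded}/{8 * len(parts)}")
    return ipaddress.ip_network(token)


def allowed_sources(text):
    """Return (networks, hostnames) granted access by `text`, in file order.

    'Require not ip' and 'Deny from' lines are deliberately ignored: only the
    addresses that are let in tell you who operates the panel.
    """
    networks, hostnames = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if _OPEN.match(line):
            networks.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        m = _ALLOW.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            if tok.lower().startswith("env="):
                continue  # 'Allow from env=VAR' keys on a variable, not an address
            try:
                networks.append(_to_network(tok))
            except ValueError:
                hostnames.append(tok)
    return networks, hostnames


def is_operator(networks, ip):
    """True if `ip` (e.g. one pulled from the AWStats logs) is in an allow-list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, hosts = allowed_sources(SAMPLE_HTACCESS)
    print("networks:", [str(n) for n in nets])
    print("hostnames:", hosts)
    print("198.51.100.200 is operator:", is_operator(nets, "198.51.100.200"))
```

Feeding the networks from every .htaccess on the server into is_operator() against the source addresses in the AWStats logs separates the operators' own sessions from victim traffic; hostnames are returned separately because they need a resolver and a time reference before they mean anything.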
Did the research team get any closure?
Working with CERT went well; it even registered in the Neosploit statistics on the server. Unfortunately the results were only temporary: once the criminals noticed that a lot of holes had suddenly been patched, they cracked new credentials and moved on. In the end the business model was not broken, so things went back to normal pretty quietly.
Final words
What should we be looking for when hunting for these networks? They mostly betray themselves by their communications.
We have learned that these programs are getting more and more advanced. Currently they use "traditional" methods of communication such as plain HTTP calls, direct TCP connections and IRC, but what if these guys start (ab)using web 2.0 applications like blog sites, Twitter, etc.? Users will not accept this.
Have you ever encountered a blog post that does not make sense at all, and looks like encrypted or encoded binary data? Well, that is probably just what it is.
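How would you spot such a post automatically? As an added example (not code from the talk), the classifier below scores a post body on two properties: whether nearly all of it consists of long base64-alphabet tokens, and whether the decoded bytes are close to the maximum entropy a string of that length can have, which is what encrypted or compressed data looks like and natural language does not. The three sample posts are constructed; the thresholds (token length 20, coverage 0.8, entropy ratio 0.8) are assumptions chosen for this example, not values from the talk.

```python
"""Flag blog posts or comments whose body is really encoded binary data.

Added example; not code from the talk. Heuristic (assumption): a post is a
covert payload when nearly all of its non-whitespace content is long
base64-alphabet tokens and the decoded bytes are near maximum entropy.
Plain base64 of readable text is reported separately, since it is encoded
but not encrypted.
"""
import base64
import binascii
import hashlib
import math
import re

NATURAL = "natural text"
ENCODED_TEXT = "base64 of low-entropy data (encoded, not encrypted)"
PAYLOAD = "base64 of high-entropy data (likely encrypted or compressed payload)"

_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def shannon_entropy(data):
    """Bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_lenient(blob):
    """Decode base64 that may lack its trailing '=' padding; None if invalid."""
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_post(text, min_token=20, min_coverage=0.8, entropy_ratio=0.8):
    """Return (label, entropy_bits_per_byte) for a post body.

    Natural-language words almost never reach 20 characters, so long tokens
    drawn only from the base64 alphabet are the signal. Line-wrapped base64
    is re-joined before decoding; padding is stripped first so that a final
    '==' in the middle of a joined blob does not break the decode.
    """
    tokens = text.split()
    if not tokens:
        return NATURAL, 0.0
    b64_tokens = [t for t in tokens if len(t) >= min_token and _B64_TOKEN.fullmatch(t)]
    coverage = sum(map(len, b64_tokens)) / sum(map(len, tokens))
    if coverage < min_coverage:
        return NATURAL, 0.0
    raw = decode_lenient("".join(t.rstrip("=") for t in b64_tokens))
    if not raw:
        return NATURAL, 0.0
    ent = shannon_entropy(raw)
    # A short byte string cannot reach 8 bits/byte, so compare against the
    # ceiling for its length instead of a fixed constant.
    ceiling = min(8.0, math.log2(len(raw)))
    if ent >= entropy_ratio * ceiling:
        return PAYLOAD, ent
    return ENCODED_TEXT, ent


# Constructed samples (not from the talk).
POST_NATURAL = (
    "Had a great weekend hiking near the lake, the weather was perfect and we "
    "saw two eagles. Photos coming later this week!"
)
# A readable sentence, base64-encoded: encoded, but low entropy once decoded.
POST_ENCODED_TEXT = base64.b64encode(
    b"Meet at the usual place tomorrow morning and bring the documents with you."
).decode()
# 160 pseudo-random bytes (deterministic sha256 chain) standing in for an
# encrypted C2 message, base64-encoded and wrapped at 76 columns like a paste.
_blob = b"".join(hashlib.sha256(b"c2-%d" % i).digest() for i in range(5))
_b64 = base64.b64encode(_blob).decode()
POST_PAYLOAD = "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))


if __name__ == "__main__":
    for name, post in [("natural", POST_NATURAL), ("encoded text", POST_ENCODED_TEXT), ("payload", POST_PAYLOAD)]:
        label, ent = classify_post(post)
        print(f"{name:13s} -> {label} ({ent:.2f} bits/byte)")
```

The entropy ceiling matters: naive "entropy above 7.5" checks miss short messages entirely, and short messages are exactly what a C2 channel hidden in a comment feed would carry. Pointing the same function at a proxy log's outbound POST bodies instead of blog posts works unchanged.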