Friday, April 20, 2007

A Compilation of Web Backdoors

The other day I came across a nice compilation of web backdoors, and decided to verify how well various AVs perform at detecting them:

"I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities and others. I think a library like this may be useful in a variety of situations. Understanding how these backdoors work can help security administrators implement firewalling and security policies to mitigate obvious attacks."

Here are the results, listing the AVs that detected each one, as they should:

* name: cfexec.cfm
* size: 1328
* md5: cce2f90563cb33ce32b6439e57839492
* sha1: 01c50c39e41c6e95262a1141dbfcbf9e8f14fc19

No AV detects this one.

* name: cmdasp.asp
* size: 1581 bytes
* md5: d0ef359225f9416dcf29bb274ab76c4b
* sha1: 9df3e72df372c41fe0a4d4f1e940f98829b752e1

Authentium 4.93.8 04.14.2007 ASP/Ace.G@bd
Avast 4.7.981.0 04.16.2007 VBS:Malware
BitDefender 7.2 04.16.2007 Backdoor.ASP.Ace.C
ClamAV devel-20070312 04.16.2007 ASP.Ace.C
DrWeb 4.33 04.16.2007 BackDoor.AspShell
Ewido 4.0 04.16.2007 Backdoor.Rootkit.10.a
F-Prot 4.3.2.48 04.13.2007 ASP/Ace.G@bd
F-Secure 6.70.13030.0 04.16.2007 ASP/Ace.G@bd
Kaspersky 4.0.2.24 04.16.2007 Backdoor.ASP.Ace.q
Microsoft 1.2405 04.16.2007 Backdoor:VBS/Ace.C
Symantec 10 04.16.2007 Backdoor.Trojan
VBA32 3.11.3 04.14.2007 Backdoor.ASP.Rootkit.10.a#1
Webwasher-Gateway 6.0.1 04.16.2007 VBScript.Unwanted.gen!FR:M-FW:H-RR:M-RW:M-N:H-CL:H (suspicious)

* name: cmdasp.aspx
* size: 1442
* md5: 27072d0700c9f1db93eb9566738787bd
* sha1: 2c43d5f92ad855c25400ee27067fd15d92d1f6de

No AV detects this one.

* name: simple-backdoor.php
* size: 345
* md5: fcd01740ca9d0303094378248fdeaea9
* sha1: 186c9394e22e91ff68502d7c1a71e67c5ded67cc

No AV detects this one.

* name: php-backdoor.php
* size: 2871
* md5: 9ca0489e5d8a820ef84c4af8938005d5
* sha1: 89db6dc499130458597fe15f8592f332fb61607e

AhnLab-V3 2007.4.19.1/20070419 found [BAT/Zonie]
AntiVir 7.3.1.53/20070419 found [PHP/Zonie]
Authentium 4.93.8/20070418 found [PHP/Zackdoor.A]
AVG 7.5.0.464/20070419 found [PHP/Zonie.A]
BitDefender 7.2/20070419 found [Backdoor.Php.Zonie.B]
F-Prot 4.3.2.48/20070418 found [PHP/Zackdoor.A]
F-Secure 6.70.13030.0/20070419 found [PHP/Zackdoor.A]
Ikarus T3.1.1.5/20070419 found [Backdoor.PHP.Zonie]
Kaspersky 4.0.2.24/20070420 found [Backdoor.PHP.Zonie]
McAfee 5013/20070419 found [PWS-Zombie]
Microsoft 1.2405/20070419 found [Backdoor:PHP/Zonie.A]
NOD32v2 2205/20070419 found [PHP/Zonie]
Norman 5.80.02/20070419 found [PHP/Zonie.A]
VBA32 3.11.3/20070419 found [Backdoor.PHP.Zonie#1]
Webwasher-Gateway 6.0.1/20070419 found [Script.Zonie]

* name: jsp-reverse.jsp
* size: 2542
* md5: ebf87108c908eddaef6f30f6785d6118
* sha1: 24621d45f7164aad34f79298bcae8f7825f25f30

No AV detects this one.

* name: perlcmd.cgi
* size: 619
* md5: c7ac0d320464a9dee560e87d2fdbdb0c
* sha1: 6cd84b993dcc29dfd845bd688320b12bfd219922

No AV detects this one.

* name: cmdjsp.jsp
* size: 757
* md5: 3405a7f7fc9fa8090223a7669a26f25a
* sha1: 1d4d1cc154f792dea194695f47e17f5f0ca90696

No AV detects this one.

* name: cmd-asp-5.1.asp
* size: 1241
* md5: eba86b79c73195630fb1d8b58da13d53
* sha1: 22d67b7f5f92198d9c083e140ba64ad9d04d4ebc

Webwasher-Gateway 6.0.1/20070419 found [VBScript.Unwanted.gen!FR:M-FW:M-RR:M-RW:M-N:H-CL:H (suspicious)]

Rather interestingly, there have been recent targeted attacks aiming at gullible admins who would put such web shells on their servers, thus opening a reverse shell to the attackers. As always, this compilation is just the tip of the iceberg; as Jose Nazario points out, changing the variables means a different checksum, and considering the countless ASP, PHP and Perl based reverse backdoors, the threat is here to remain as silent and effective as possible. Grep this viruslist, especially the ASP, PHP and Perl backdoor families, to come up with more variants in case you want to know what has already been spotted in the wild. Here's a very well written paper by Gadi Evron on Web Server Botnets and Server Farms as Attack Platforms, discussing the economies of scale of these attacks.
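As an added example (not part of the original post or of the compilation it links to), here is a small defender-side sweep of a web root that hashes every server-side script and reports files whose MD5 or SHA-1 matches the samples listed above; the `demo()` function builds a constructed, benign directory to exercise it, and the comment in `sweep()` records why exact checksums only catch unmodified copies:

```python
import hashlib
import os
import tempfile
# MD5 / SHA-1 pairs exactly as listed in the post above (name -> (md5, sha1)).
KNOWN_SHELLS = {
    "cfexec.cfm": ("cce2f90563cb33ce32b6439e57839492", "01c50c39e41c6e95262a1141dbfcbf9e8f14fc19"),
    "cmdasp.asp": ("d0ef359225f9416dcf29bb274ab76c4b", "9df3e72df372c41fe0a4d4f1e940f98829b752e1"),
    "cmdasp.aspx": ("27072d0700c9f1db93eb9566738787bd", "2c43d5f92ad855c25400ee27067fd15d92d1f6de"),
    "simple-backdoor.php": ("fcd01740ca9d0303094378248fdeaea9", "186c9394e22e91ff68502d7c1a71e67c5ded67cc"),
    "php-backdoor.php": ("9ca0489e5d8a820ef84c4af8938005d5", "89db6dc499130458597fe15f8592f332fb61607e"),
    "jsp-reverse.jsp": ("ebf87108c908eddaef6f30f6785d6118", "24621d45f7164aad34f79298bcae8f7825f25f30"),
    "perlcmd.cgi": ("c7ac0d320464a9dee560e87d2fdbdb0c", "6cd84b993dcc29dfd845bd688320b12bfd219922"),
    "cmdjsp.jsp": ("3405a7f7fc9fa8090223a7669a26f25a", "1d4d1cc154f792dea194695f47e17f5f0ca90696"),
    "cmd-asp-5.1.asp": ("eba86b79c73195630fb1d8b58da13d53", "22d67b7f5f92198d9c083e140ba64ad9d04d4ebc"),
}
SCRIPT_EXT = {".cfm", ".asp", ".aspx", ".php", ".jsp", ".cgi", ".pl"}  # only server-side scripts get hashed

def file_hashes(path):
    """Return (md5, sha1) hex digests of a file (web scripts are small, so read whole)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def sweep(root, known=None):
    """Return [(relative_path, known_name)] for scripts whose MD5 or SHA-1 is known-bad."""
    # Exact checksums only catch unmodified copies: one changed variable name gives a new hash
    # (Jose Nazario's point above), so a clean sweep means "none of these exact files" only.
    known = KNOWN_SHELLS if known is None else known
    by_md5 = {md5: name for name, (md5, _) in known.items()}
    by_sha1 = {sha1: name for name, (_, sha1) in known.items()}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if os.path.splitext(fname)[1].lower() in SCRIPT_EXT:
                path = os.path.join(dirpath, fname)
                md5, sha1 = file_hashes(path)
                match = by_md5.get(md5) or by_sha1.get(sha1)
                if match:
                    hits.append((os.path.relpath(path, root), match))
    return hits

def demo():
    """Constructed web root (benign files, not shells): two scripts that differ by one byte."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", b"<?php echo 'x'; ?>"), ("img.php", b"<?php echo 'x!'; ?>")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        # Register index.php's own hashes as known-bad to exercise the match path.
        known = {"constructed.php": file_hashes(os.path.join(root, "index.php"))}
        return sweep(root, known), sweep(root)
```

Running `demo()` shows the one-byte variant `img.php` escaping the hash match while `index.php` is caught, which is exactly the brittleness the paragraph above describes.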

Thursday, April 12, 2007

Mujahideen Secrets Encryption Tool

Remember Mujahideen Secrets, the jihadist themed encryption tool released by the Global Islamic Media Front (GIMF) to aid cyber jihadists about to convert into cyber terrorists in encrypting their communications? See the attached screenshot; if only jihadists could see through the eyes of the multilingual crawler, or knew I violate their OPSEC on a daily basis. The interesting part from a PSYOPS perspective is how they've realized that using PGP no longer means improved and sustained self-esteem for the average jihadist, so coming up with their very own encryption tool and file shredder is a logical step. Encryption, even steganography, has been used by terrorists for years, and although no one feels comfortable with the idea, it's an unspoken fact. There's also something else to keep in mind: terrorists are putting more effort into recruiting knowledgeable individuals than into trying to educate them from day one. And while coding the Mujahideen Secrets software requires nothing more than a simple GUI and publicly obtained encryption libraries, I wonder whether the people behind it knew full well who they were compiling the tool for, or whether it was a part-time project on a "need to know" basis?

The sophistication of the encryption algorithms with respect to key size shouldn't really be of any concern in this case. How come? Simple: the lack of quality passphrases, the way the algorithms are implemented in the software, and client-side attacks seeking to obtain the passphrase (compared to perhaps futile brute-forcing) speak for themselves. One thing remains for sure: they're encrypting and generating more noise than originally thought. Go through an analysis of the Technical Mujahid Issue One as well.

Tuesday, April 10, 2007

Shots from the Malicious Wild West - Sample Four

My previous "shots" related to various pieces of malware, packers, or on-the-fly malicious URL analysis will continue to expand, with the idea of providing you with screenshots of things you only read about but never get the chance to actually see. In the first shot I discussed ms-counter.com, in the second the Pohernah crypter, and in the third The Rat! Keylogger. You may also find a recent post related to the dynamics of the underground's economy, as well as the related screenshots, very informative.

In this virtual shot I'll discuss the High Speed Verifier, a commercial application spammers use to filter out the fake and non-existent emails in their spam databases, in order not only to achieve a faster speed while sending their messages out, but also to improve the quality of their databases, which I love poisoning so much. What is the High Speed Verifier all about? As its authors state:

"HSV detects about 20-30% of invalid addresses in a mailing list, though theoretically it is possible to detect up to 60-70% using a software product. This figure seems relatively small, but actually it might make 10% of a list. Besides, HSV provides for optimal checking mode in terms of time and data traffic. More thorough checking (with which the rest 40% of invalid addresses could be detected) takes 10 times longer and requires 5 times greater traffic for each address, hence it's not that advisable with huge lists."

So once emails are harvested, they have to be verified and then abused for anything from phishing attacks to good old-fashioned social engineering tricks deceiving users into executing malware, or visiting a site that does so for them. Don't get too excited, the advanced version has even more interesting features:

"The program works on the same algorithm as ISP mail systems do. Mail server addresses for the specified address are extracted from DNS. The program tries to connect with the found SMTP servers and simulates the sending of a message. It does not come to the message sending: AMV disconnects as soon as the mail server informs it whether this address exists or not."

The old dilemma is still in place: direct online marketing vs. spam, or what's the difference these days, if any? Marketed as tools to assist online marketers, these programs are logically abused by spammers, phishers and everyone in between.

Month of Malware Bugs Coming

This will prove to be interesting, as it's directly related to a previous discussion on hijacking or shutting down someone else's botnet by exploiting vulnerabilities in their code:

"During each day of the Month of Bug Bugs McAfee Avert Labs will provide analysis of flawed malicious code (aka bugs). These are viruses that don’t spread, password stealing Trojans that can’t leave the stable, drive-by attacks that crash and burn, phishing attacks that phlop, denial of service attacks that are denied, etc. Our analysis will highlight the errors made by authors, and show how these threats can be fixed and in most cases optimized for maximum potency."

Have you ever imagined that as a pen tester or security consultant you'd have to exploit XSS vulnerabilities in a botnet's web C&C in order to take a peek inside? Botnet polymorphism, in order for the botnet to limit the possibility of establishing a communication pattern (an easily detectable one), is just as important as the constant diversification towards different communication platforms. Although malware authors are consistently creative, and efficiently excel at being a step ahead of the security measures in place, they're anything but outstanding programmers, or at least don't put as much effort into QA as they could. Aren't malware coders logically interested in benchmarking and optimizing their "releases"? Do they have a test bed, a virtual playground, to evaluate the effectiveness of their code, or are they actually enjoying a "release it and improve it on the fly" mentality? It's all a question of who the coders are, and how serious their intentions are.

In a very well structured paper courtesy of Symantec, the author John Canavan looks at various bugs in popular malware such as the Morris worm, Sobig, Nyxem, OSX.Leap, as well as the Code Red worm, W32.Lovgate.A@mm, W32.Logitall.A@mm, VBS.SST@mm, VBS.Pet_Tick.N, W32.Beagle.BH@mm and W32.Mytob.MK@mm. A rather interesting fact about the much hyped Nyxem:

"However something that was overlooked in a lot of reports at the time was this bug in the code, which meant that the worm would not overwrite files on the first available drive found. For example if the first available drive is the C drive, the worm will overwrite files in available drives from D to Z."

Looking forward to seeing the bugs due to be highlighted in the MoBB.

Monday, April 09, 2007

Lie Detecting Software for Text Communications

The art of money wasting when there's a surplus of research grants and no one to pick them up, or a product concept myopia? $680,000 has been awarded by the U.S. National Science Foundation to software developers to come up with lie detecting software for email, IM and SMS messages:

"There's still an open question of whether that is actually possible or not," said Jeff Hancock, a communications professor and information science faculty member at Cornell. "Our research suggests that it is." Passive voice, verb tense changes, and even noun or verb selection can suggest a person is lying, he said. Hancock said another indicator of written deception is the decreased use of the word "I," which is most likely an attempt to create distance. "One of the reasons we think that works as an indicator is that pronoun use is subconscious," he said. In interactive speech, like instant messaging and some dialogues, liars go into a "persuasive mode" and increase the length of their message by 30% to describe and explain situations, he said. Other factors -- such as individual beliefs about behavior, whether someone is accused of something or interacting with an accuser -- can complicate the process."

Lies are creative even in written form, compared to the telltale body gestures that speak for themselves. And I don't really think an alert such as "the suspect's talking too much on a one-sentence question" would do any good. It's all about doing your homework, having experience, not being naive, and having the power to remain silent when someone's lying to you: lying pattern intelligence gathering. On the other hand, product concept myopia is a situation where a company falls in love with its product or service and establishes the "build it and they'll come" mentality, without even bothering to assess whether or not the market's environment is willing to embrace it, can afford it, or actually needs it. The less market transparency, the better for the company; the better the market transparency, the better the purchasing decision of the customer, who'll realize that the solution doesn't have to come in the form of the offered product. My point is that, despite the need for the detection of lies in text communications, the solution may not come in the form of talk pattern detection. For instance, your overhyped lover tells you he's in Paris, but geolocating your communication with him you see he's in Frankfurt, and what a coincidence that is, since his ex also lives there.

Enron, the infamous case study that'll be discussed in business school for years to come, is a good analogy. But just because you think you've established a pattern of communication (lies) in conversations that are fake by default, doesn't mean you'll be able to build the dynamics of lying into a detectable pattern. Detecting lies on the fly remains futile for the time being, and you really don't need a program to tell you if someone's lying to you, especially in written form. Outsmart them: act like you don't know, to get intelligence on their lying pattern; remain silent for a short timeframe; they'll lie again; be prepared and hopefully you'll recognize a new pattern. Enron's past communication shouldn't be the benchmark in this case; try some April Fools' Day press releases like this PirateBay announcement of finding a permanent hosting solution - in North Korea! Average people's patterns are the same, therefore pretend to be a moron when you're most knowledgeable, and pretend to be weak when you're most strong, and I guarantee you a quick reboot of your relationships.

The lines between sarcasm and a lie are getting even more blurred these days.

Wednesday, April 04, 2007

Hijacking Your Fear

Have no fear, the Toxoplasma gondii parasite is here. Just like a decent piece of malware exploiting a zero-day vulnerability in anti-virus software, shutting it down or making sure it cannot obtain the latest signatures while totally ignoring the host's firewall, this parasite controls the fate of rats and mice in a targeted manner:

"by hijacking the part of the brain that makes the rodents naturally fear cats, a new study shows. The exquisite precision leaves intact all other neurological mechanisms for learning to avoid danger, so the rodents learn to survive all hazards except being eaten by cats – the only form of death beneficial to the parasite."

A very interesting example of targeted attacks on a rat's brain, courtesy of Mother Nature's ghost-hacking capabilities. Just a whisper in my ghost: hope the parasite doesn't become cat-compatible and have them fear the mice.