Spambot Security Blog

MaMa CaSpEr and her clan of new hack-bots... and ZB Block's Response

Well, for months, ZB Block has been concentrating on the 'QUERY_STRING' that the hostile bots were sending websites. This used to be the only way that websites were hacked, and dare I say, we were effective enough to cause the attack bot script writers to jump to a new paradigm of attacks. The new attacks, come through the 'HTTP_POST' subsystem. However like a good general, my troops had in-place a system to help combat this new vector, it just wasn't needed till now.

The new threat comes from a new family of bots. The first one of this breed of breed of bots, as far as I've been able to discern is MaMa CaSpEr, followed by Casper, Dex, Kangen, kmccrew, Sasquia, Sledink, and plaNETWORK bots, plus many others yet to be found. The one defining factor is, they attempt to execute instructions through breaking the http_post variable input system. This is done with execution wedges, either through direct "<?php (code) ?>" , bbcode "[php] (code) [/php]", or oddly enough XML "<methodCall>" execution wedging. The one defining factor is, they try to slip it in through scripts that use the once unexploited HTTP_POST vector.

Well, I guess it's now the new frontier of malicious web robot exploitation, and I hope to be here to fight it. I could remind people that sanitization of variables is the most important way to fight this plague, but no matter how hard they try to make their scripts hardened, the skiddies always find a way around it. All I can say to them is, together, we may be able to effectively fight this. You might try suggesting to your users to add ZB Block to their scripts. And to you end-users out there, your script writer tried hard to avoid these problems, together, we can be much stronger.

And to the skript kiddies, and the hackers programming the scripts that are attacking us, just remember our motto...

“Evinco, est pergo bellum!”
"To conquer, is to continue the war!"

Zap :)

ZB Block Racks Up More Bot and Script Virus Kills!

Well, Avira has gotten back to me, and it looks like I have found some viral gold they can add to their arsenal for all of us.

Here's a run-down of the fresh kills I have added to ZB Block's (custom in-house version w/ probe trap) record. Please note that ZB Block caused "natural" immunity to all attacks attempting to install these. So do the wise thing and go to http://www.spambotsecurity.com/zbblock.php and get protected.

#1

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:File ID Filename Size (Byte) Result

25394824 Bildb 2.03 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result Bildb MALWARE

The file 'Bildb' has been determined to be 'MALWARE'. Our analysts named the threat BDS/PHP.ali.31. The term "BDS/" denotes a Backdoor-Server program. Backdoor-Server programs are used to spy out, modify or delete data.Detection is added to our virus definition file (VDF) starting with version 7.01.04.223.

#2

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:File ID Filename Size (Byte) Result

25394829 dudul3.txt 40.88 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result dudul3.txt MALWARE

The file 'dudul3.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.2. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

#3

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:File ID Filename Size (Byte) Result

25394826 bot_ping.txt 100.52 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result bot_ping.txt MALWARE

The file 'bot_ping.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP.IrcBot.nad. Detection will be added to our virus definition file (VDF) with one of the next updates.

#4

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:File ID Filename Size (Byte) Result

25394836 spread.txt 19.34 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result spread.txt MALWARE

The file 'spread.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/Pbot.A.6. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

#5

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

We received the following archive files:

File ID Filename Size (Byte) Result

25395810 feelcomz 1.7 bot.zip 12.06 KB OK

A listing of files contained inside archives alongside their results can be found below:File ID Filename Size (Byte) Result

25395811 botphp.txt 48.89 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result botphp.txt MALWARE

The file 'botphp.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/Pbot.A.7. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

#6 & 7

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

We received the following archive files:

File ID Filename Size (Byte) Result

25395813 One attack from t...ts.zip 23.89 KB OK

A listing of files contained inside archives alongside their results can be found below:File ID Filename Size (Byte) Result

25395814 pbota.txt 27.42 KB MALWARE
25395815 pbotb.txt 27.39 KB MALWARE
25395816 pbotc.txt 27.72 KB MALWARE
25395817 pbotd.txt 27.73 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result pbota.txt MALWARE

The file 'pbota.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.3. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename Result pbotb.txt MALWARE

The file 'pbotb.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename Result pbotc.txt MALWARE

The file 'pbotc.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename Result pbotd.txt MALWARE

The file 'pbotd.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

Sweetness I tell you. Nothing feels better than being the shiv in the dark that takes some of this crap off the virtual streets. Real hackers don't use scripts... they may write them, but they don't use them. (Ever wonder if your pre-made script isn't designed to take away your toys eventually, eh skiddy?)

If you want to see the places these were injected, well, where they were attempted to be injected, just pour over the killed_log.txt files shared with the public on ZB Block's page.

Most will be there. Some won't.

Where are the others? Other servers!

Where are the other servers? Wouldn't you like to know!

Zap!

Booyeah! Nailed one to the wall! Scratch one bot variant.

I gots me a trophy!

*** BEGIN MESSAGE ***

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:

File ID	Filename	Size (Byte)	Result
25382358	mucil_idle.txt	39.07 KB	MALWARE

Please find a detailed report concerning each individual sample below:

The file 'mucil_idle.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.F. The term "PHP/" denotes a PHP scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

Alternatively you can see the analysis result here:

http://analysis.avira.com/samples/details.php?uniqueid=(REMOVED)

An overview of all your submissions can be found here:

http://analysis.avira.com/samples/details.php?uniqueid=(REMOVED)

Please note: If you have specific questions please address them to support@avira.com

Kind regards

Avira Virus Lab

*** END OF MESSAGE ***

Interesting things happen when I modify a version of ZB Block on another site to return a false success to a scanning probe... like actually taking some scum off the streets, rather than just stopping the attack their probes were trying.

I hereby declare PHP/IrcBot.F to be my first kill, in what I hope to be a string of many! And to those who might not like this news, all I can say is, you knew it was coming.

Zap!  

P.S. I might also mention here, that those of you running ZB Block were naturally immune to this infection vector. My modification just had to do with modifying the output of ZB Block to cause the virus to think it had found an infectable machine, by returning the proper code to it.

Guess who?

Look who ignored robots.txt again after a couple of weeks.

#: 479 @: Mon, 30 Mar 2009 09:20:47 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/

So it's obviously not caching robots.txt, and having problems with it propogating to the scanners as they have claimed in an e-mail.

So now they are permanently §Hîtlisted as being part of the Russian Business Network. I have no doubts now... Oh wait, they might say that one was before they pulled robots.txt... but explain this one you a§§holes, over 2 hours later, and FAKING a http_referer from a protected page no less...

#: 482 @: Mon, 30 Mar 2009 11:42:48 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/zbblock.php

Oh, and btw, the same group of nogoodniks just slammed my friend's site for 100s of page pulls, in violation of robots.txt too. She's P.O.ed! Hell hath no wrath like a woman's robots.txt scorned.

Welcome to being labled as pure RBN trash in my blocklists.

EDIT: I might also mention here, that laycat, kyklo, aceleo, and dedibox are now all blocked by ZB Block which can be downloaded for free here.

Zaphod "Some Heads are Gonna Roll" Breeblebrox

Deffinate New MySQL attack through phpBB2 and possibly other CMS. ZB Block defends.

Well, just when you think life is boring, some aspiring skript kiddie tries a new attack! This one affects MySQL and was attempted against a phpBB2 board. I feel that this attack is probably damaging to any board, and perhaps even CMS systems.

This is a serious situation, and did require an update to the signatures in ZB Block. Here is what the new attack looked like...

#: 5437 @: Tue, 24 Mar 2009 21:10:16 -0600
Host: mail.tmanshost.com
IP: 207.44.178.47
Score: 2
Why blocked: MySQL attack. Mail server, usually infected. Please access from a regular domain name.
File: removed for security
Post:
Query: p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/0x30653763326137383538643038336566366365353233373433305317531753175317/*
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http://zaphodb777.dyndns.org/forum/viewtopic.php?p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/0x30653763326137383538643038336566366365353233373433305317531753175317/*

Don't worry, that version has been neutered. It appears to be a self propogating worm, with several attack sequences, most much longer, attempting multiple injections into your MySQL db. ZB Block caught it on just 1 variable, and in smarter hands, would have missed it, and I would have been exploited.

Things the new attack has in common...

1. Uses a negative page number (probably to pop execution at a specified/known/expected place in the script.)
2. Uses "/**/" for blind concatenation of strings. The older attacks used "+".
3. Has a "/*" trailing at the end of query.

ZB Block's signatures have been updated to adapt to this new threat, and updating them is critical!

Zap.

Laycat continues it's stupidity...

Well, first customer of Friday the 13th... GUESS WHO?!?

#: 292 @: Fri, 13 Mar 2009 01:42:01 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/forum/

GRRRRR! Now one of their ploys before was, they claim they don't pull robots .txt more than once in awhile, and it was desynchronized the first time. They claim this is to reduce load on the server, yeah whatever, it doesn't take any time at all to send a short robots.txt . It's been awhile. You didn't care, and started your crap again, getting into my site.

If this isn't a common 'sploit scanning probe with some fairly good sugar on top, I have no clue what it is. Every time it touches, the more I am sure of it.

Zap.

Laycat and it's ilk are finally machina non grata here.

Okay, a few months ago, I had some chit-chat with the people running this service, they actually seemed to be on the up and up about it, and claimed several things, that turned out not to be true. Here's some of what I found at fault with them.

1. Their robot does NOT pay attention to robots.txt and has caused what amounts to a DoS attack on a friend's website. (Site got shut down due to excessive use spike).
2. Their registrar is also a favorite of the RBN.
3. They claim they use 3 domain names, aceleo.com, laycat.com, and kyklo.com to supposedly detect if a site is masquerading as something different to them, but this is also a lie as they also probe from many points in the dedibox.fr domain!
4. They ignore 403 FORBIDDENs and continue to slam them. More on that in a bit.
5. It fakes http: referers to seem like it's allready "in session". (Where have we seen THAT before?)
6. Their bot masquerades as a browser. (Gee, ya reckon we've seen that too perhaps?)
7. No word outside of their own that anything will come of them.

Whoo, that's a lot of black to say about anyone online, but, I got logs to share with you!

#: 263 @: Wed, 11 Mar 2009 17:47:41 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://spambotsecurity.com/

That was the first rejection, Laycat has received it's first 403. It should not continue to try to go where it's not welcome, but...

#: 264 @: Wed, 11 Mar 2009 17:57:37 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://spambotsecurity.com/advice.php

Please note, it was never allowed to access the root in the first place, but somehow, it now has a referer saying it was sent to this page from the root! (BULLS**T!) It's scraping Google or some other search for these URLs.

#: 265 @: Wed, 11 Mar 2009 19:37:11 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/about.php

It tries 2 more URLs, both giving 403s, with the reason they were blocked. Then to be crafty, they pull the ace out of their sleeve, but I was waiting for it. (Remember, ZB Block doesn't like a lot of server farms, as they usually have no business surfing other sites.)

#: 266 @: Wed, 11 Mar 2009 19:44:56 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/anti-spyware.php

THROUGH

#: 271 @: Wed, 11 Mar 2009 20:24:13 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/contact.php

And then right back into laycat, and dedibox again for 10 more connects up to:

#: 281 @: Wed, 11 Mar 2009 22:00:24 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/tos.php

GAWD! How stupid can a bot be? Each connection resulted in a 403, each connection ignored robots.txt, each connection did not announce itself via user agent as a search engine robot.

My thoughts on this? Well, they aren't nice. To put it blunt and succinctly, I smell a rat.

To go into detail on my thoughts, I honestly think this is the "innocent" (cough) arm of the Russian Business Network.

One of the Ruskies favorite things to do is name their network something "<something>box.tld". Well, dedibox.fr fits the mold. Why would they have a scan-only network? Because, no one ever really catches the thief casing the joint he's going to rob. It's only during the burglary that they get noticed. Problem is, the burglar is locked up on the internet (blacklisted) and is not able to snoop elsewhere. If you split your surveillance, and attack portions, no one ever expects the snoop, well, no one who isn't into security at least. I will keep investigating. And as for now I am NOT SURE this is RBN, but it feels that way, and shall be blocked in ZB Block's signature update #21.

Zap.