InBoxRevenge KS Forum

Hi

Has anybody hear heard about this?

Anybody interested in what it does? I had a really interesting few weeks investigating a client's hijacked server. Nobody's written anything detailed publicly about this exploit and it's been interesting discovering how it all works.

Will post more hopefully very soon but wondered if anyone has already heard of this.

SiL

According to an FBI report it is "the botnet used by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters"

An update (April 2013) from the FBI noted some additional scripts in Brobot

More background on the bank attacks at this blog
http://blogs.csoonline.com/malwarecyber ... resilience

Hello at last.

I have a week off - staycation - during which I'm mostly just relaxing, organizing my apartment, doing social things, etc. So I'll be in and out.

Sadly: I left all my brobot research at work, so I will paraphrase my evidence.

The "brobot" botnet is really a collection of really stupidly configured websites operated by ISP's who do not put security in a very high priority.

The ISP who was hosting the compromised server I was asked to investigate wasn't performing any logging since that "ate up a lot of disk space" and they're running the "zeus" web server - not to be confused with the "zeus" malware.

Nutshell: Brobot consists of really non-secure web servers that allow a PHP script to execute pretty much ANY command a user wants it to execute.

Those commands include:

- Stop logging any errors.
- Allow my script to run indefinitely
- Allow my script to attempt to upload or check the status of malicious files on several dozen external web servers that I believe are similarly insecure.

That's bad.

The example I found uses a fairly benign file that looks like it's just setting a bunch of global parameters and not much else. But tucked away inside that is a single line that executes an "eval" of a base-64 decoded parameter.

That parameter can contain any PHP command, and does indeed include the above two examples. It's an extremely dangerous file but it doesn't look like it is because it's filled with so much simple, routine functionality.

The bigger problem is: when I found this out, and when I was able to put in some extra logging to determine this, I contacted the 30 most commonly implemented external hosting companies. Most of them replied with "our server isn't infected. You don't know what you're talking about." They didn't even look into any of what I was telling them. They didn't disallow really majorly bad commands from continuing to be run on their servers, and in many cases they felt it was a burden to start logging anything.

The Brobot Botnet is not this "highly organized" criminal organization. Any one of you could choose a server and get it to do whatever you want. That doesn't mean you're now part of an organized criminal operation.

The media is doing a terrible job of reporting about this exploit, and worse than that: all security firms are only treating brobot as if it were a desktop infection, completely ignoring the fact that it can run on servers.

I'll post examples of what I found most likely next week. If I can find anything sooner I will post that too.

fyi

SiL

Any chance you managed to get a copy of the files for this please?

Hi

In a way, yes I did.

The files are not that obscure.

All that the hackers did was exploit obvious holes in php and apache (very old versions) and were able to force a php file onto the server. It seems pretty innocuous on the surface. Can you guess which line is the real culprit for this "infection"?


SiL