One Article Review

Source: SANS Institute
Identifier: 255710
Publication date: 2016-11-17 07:14:56 (seen: 2016-11-17 07:14:56)
Title: Example of Getting Analysts & Researchers Away, (Wed, Nov 16th)
Text:

It is well known that bad guys implement pieces of code to defeat security analysts and researchers. Modern malware has VM evasion techniques to detect as soon as possible whether it is running in a sandbox environment. The same applies to web services like phishing pages or C&C control panels.

Yesterday, I found a website delivering a malicious PE file. The URL was http://www.[redacted].com/king/prince.exe. This PE file was downloaded and executed by a malicious Office document. Nothing special here, it's a classic attack scenario. Usually, when I receive a URL like this one, I always try to access the upper directory indexes and also some usual filenames / directories (I built and maintain my own dictionary for this purpose). Playing active-defense...

The file zz.php is less interesting, it's a simple PHP mailer. The dbl directory contains interesting pages that provide a fake login page.

In this case, the attackers made another mistake: the source code of the phishing site was left on the server in the dbl.zip file. Once downloaded and analyzed, it revealed a classic attack trying to lure visitors and collect credentials. Note that the attacker was identified via his gmail.com address present in the scripts. But the most interesting file is called blocker.php, which the pages pull in with:

    ... include("blocker.php"); ...

Let's have a look at this file. It performs several checks based on the visitor's details (IP address and browser). First of all, it performs a reverse lookup of the visitor's IP address and answers 404 if the resulting hostname contains one of a list of keywords (search engines, hosting providers, anti-phishing services, Tor exit nodes, PayPal):

    $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $blocked_words = array("above", "google", "softlayer", "amazonaws", "cyveillance",
                           "phishtank", "dreamhost", "netpilot", "calyxinstitute",
                           "tor-exit", "paypal");
    foreach ($blocked_words as $word) {
        if (substr_count($hostname, $word) > 0) {
            header("HTTP/1.0 404 Not Found");
        }
    }

Next, the visitor's IP address is checked against a list of banned addresses and network prefixes ($bannedIP), first for an exact match and then with each entry used as a regular expression:

    if (in_array($_SERVER['REMOTE_ADDR'], $bannedIP)) {
        header("HTTP/1.0 404 Not Found");
    } else {
        foreach ($bannedIP as $ip) {
            if (preg_match('/' . $ip . '/', $_SERVER['REMOTE_ADDR'])) {
                header("HTTP/1.0 404 Not Found");
            }
        }
    }

Since the entries are dropped into the regular expression unescaped and unanchored, each one also matches any address that merely contains it, so the banned ranges are in practice a bit wider than the list suggests. Here is the list of the more relevant banned networks: Google, Digital Ocean, Cogent, Internet Systems Consortium, Amazon, Datapipe, DoD Network Information Center, Omnico...

The last check is on the User-Agent:

    if (strpos($_SERVER['HTTP_USER_AGENT'], 'google') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'msnbot') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'YahooSeeker') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'bingbot') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'crawler') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'PycURL') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'facebookexternalhit') !== false) {
        header("HTTP/1.0 404 Not Found");
    }

(In PHP, "or" binds more loosely than "!==", so only the last strpos() is compared against false; the earlier ones are evaluated for truthiness, and a keyword sitting at offset 0 of the User-Agent yields 0 and is not caught. The comparisons are also case-sensitive.)

Surprisingly, this last check lets the default User-Agents of the usual command-line tools and libraries pass, none of which contains one of the listed strings:

    Wget/1.13.4 (linux-gnu)
    curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    python-requests/2.9.1
    Python-urllib/2.7
    Java/1.8.0_111
    ...

Many ranges of IP addresses belong to hosting companies. Many researchers use VPS and servers located there, that's why they are banned. In the same way, the interesting targets for the phishing page are residential customers of the bank, connected via the classic big ISPs.

Conclusion: if you are hunting for malicious code / sites, use an anonymous IP address (a residential DSL line or cable connection is best) and be sure to use the right User-Agents to mimic classic targets.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
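As an added example (not part of the diary, nor of the phishing kit), the three gates of blocker.php ported to Python so that a hunter can check offline, before touching a live site, whether a given source IP, reverse-DNS name and User-Agent would have been served the 404 instead of the phishing page. The keyword and User-Agent lists are the ones quoted above; the kit's real $bannedIP list was not published, so the two entries in BANNED_IP_PATTERNS, the sample hostnames and the visitor profiles are constructed placeholders from RFC 5737 test ranges, and the function names are mine. The port also keeps the PHP precedence quirk of the User-Agent check side by side with the behaviour the kit's author evidently intended, so the difference can be seen on real User-Agent strings.

```python
import re

# Reverse-DNS keywords quoted from the kit's blocker.php (substr_count is case-sensitive).
BLOCKED_WORDS = ["above", "google", "softlayer", "amazonaws", "cyveillance",
                 "phishtank", "dreamhost", "netpilot", "calyxinstitute",
                 "tor-exit", "paypal"]

# User-Agent substrings quoted from blocker.php (strpos is case-sensitive).
UA_KEYWORDS = ["google", "msnbot", "Yahoo! Slurp", "YahooSeeker", "Googlebot",
               "bingbot", "crawler", "PycURL", "facebookexternalhit"]

# The kit's $bannedIP held literal addresses and prefixes, each also used as a
# regex fragment. The real list is unknown; these are constructed placeholders.
BANNED_IP_PATTERNS = ["198.51.100.7", "203.0.113."]

# Constructed browser User-Agent standing in for a residential victim.
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"


def php_strpos(haystack, needle):
    """PHP strpos(): offset of the first match, or False when absent."""
    i = haystack.find(needle)
    return False if i == -1 else i


def hostname_blocked(hostname):
    """Gate 1: substr_count($hostname, $word) > 0 for any keyword."""
    return any(word in hostname for word in BLOCKED_WORDS)


def ip_blocked(ip):
    """Gate 2: in_array() exact match, else preg_match('/' . $ip . '/', ...).
    The fragment is unanchored and its dots are unescaped, so an entry also
    matches any longer address that merely contains it."""
    if ip in BANNED_IP_PATTERNS:
        return True
    return any(re.search(pattern, ip) for pattern in BANNED_IP_PATTERNS)


def ua_blocked_php(ua):
    """Gate 3 exactly as written in the kit: `or` binds looser than `!==`, so
    only the final strpos() is compared against false. The earlier ones are
    plain truthiness tests, and a match at offset 0 (keyword at the very start
    of the User-Agent) evaluates to 0, i.e. not blocked."""
    results = [php_strpos(ua, k) for k in UA_KEYWORDS]
    return any(bool(r) for r in results[:-1]) or results[-1] is not False


def ua_blocked_intended(ua):
    """What the kit's author evidently meant: block if any keyword appears."""
    return any(k in ua for k in UA_KEYWORDS)


def verdict(ip, hostname, ua):
    """Return which gate would have answered 404, or 'served', in the order
    blocker.php applies them."""
    if hostname_blocked(hostname):
        return "blocked:hostname"
    if ip_blocked(ip):
        return "blocked:ip"
    if ua_blocked_php(ua):
        return "blocked:user-agent"
    return "served"


if __name__ == "__main__":
    # Constructed visitor profiles: residential victim, researcher on EC2,
    # collateral hit of the unanchored regex, default curl, and two bots.
    profiles = [
        ("192.0.2.10", "dsl-192-0-2-10.example-isp.net", FIREFOX_UA),
        ("192.0.2.10", "ec2-192-0-2-10.compute-1.amazonaws.com", FIREFOX_UA),
        ("198.51.100.70", "host.example.net", FIREFOX_UA),
        ("192.0.2.10", "host.example.net",
         "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5"),
        ("192.0.2.10", "host.example.net", "Googlebot/2.1"),
        ("192.0.2.10", "host.example.net", "Mozilla/5.0 (compatible; bingbot/2.0)"),
    ]
    for ip, host, ua in profiles:
        print(f"{ip:14} {host:40} {ua[:30]:30} -> {verdict(ip, host, ua)}")
```

Run it with your own egress IP, its reverse-DNS name (dig -x) and the User-Agent you intend to send; anything other than "served" means the kit would have hidden the page from you. Note that "Googlebot/2.1" is reported as served by the faithful port but blocked by the intended logic, which is the offset-0 quirk described above.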
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to reuse an earlier one.