Saturday, June 1, 2013

DeepEnd Research: Under this rock... Vulnerable Wordpress/Joomla sites... Overview of the RFI botnet malware arsenal

Exploits directed at Wordpress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are performed by automated scanners and tools. However, we believe there is not enough coverage of the actual malware involved.

One such infection scheme is essentially the following:

A downloader trojan (Mutopy, Win32; MD5 20a6ebf61243b760dd65f897236b6ad3, Virustotal) instructs the infected host to download:
1) Remote file injector "Symmi" (Win32) - 7958f73daf4b84e3b00e008258ea2e7a (Virustotal)
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08 (Virustotal)
3) PHP scripts for injection into compromised Wordpress sites. Among them is a PHP spambot (victimized site owners often get alerted about copious amounts of meds spam and porn spam emanating from their sites). This is also the source of the varied spam links: thousands of different links that all redirect to the same sites (e.g. weight-loss, work-at-home scams, or porn sites).

Read more at DeepEnd Research>>>

Download files (see below)

Download the malware files (Email me if you need the password)
Download the pcap files (Email me if you need the password)
