Showing posts with label hacked website. Show all posts
Showing posts with label hacked website. Show all posts

Saturday, 28 April 2018

Ransomnix ransomware variant encrypts websites



Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.

This ransomware was discovered in the second half of 2018, and there's a brief write-up by Amigo-A here as well: Ransomnix ransomware

In this blog post, we'll discuss a newer variant.


Analysis

Several encrypted websites were discovered, which display the following message:

Figure 1 - Ransom message, part 1

Figure 2 - Ransom message, part 2

The full message is as follows:


JIGSAW RANSOMNIX 2018
I WANT TO PLAY A GAME!
Now Pay 0.2 BTC
OR
Payment will increase by
0.1
BTC each day after
00:00:00
Your Key Will Be Deleted
Your Bill till now 2.4000000000000004 BTC
Dear manager, on
Fri Apr 06 2018 02:08:34 GMT+0100 (GMT Summer Time)
your database server has been locked, your databases files are encrypted
and you have unfortunately "lost" all your data, Encryption was produced using
unique public key RSA-2048 generated for this server.
To decrypt files you need to obtain the private key.
All encrypted files ends with .Crypt
Your reference number: 4027
To obtain the program for this server, which will decrypt all files,
you need to pay 0.2 bitcoin on our bitcoin address 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o (today 1 bitcoin was around 15000 $).
After payment send us your number on our mail crypter@cyberservices.com and we will send you decryption tool (you need only run it and all files will be decrypted during a few hours depending on your content size).
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it!
It's your guarantee that we have decryption tool. (use your reference number as a subject to your message)
We don't know who are you, All what we need is some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again.
You can use one of that bitcoin exchangers for transfering bitcoin.
https://localbitcoins.com
https://www.kraken.com
You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.
Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.
You do not have enough time to think each day payment will increase by
0.1 BTC and after one week your privite key will be deleted and your files will be locked for ever.

People use cryptocurrency for bad choices,
 but today you will have to use it to pay for your files!
 It's your choice!

The following JavaScript is responsible for keeping track of the price, and increasing it:

Figure 3 - JS function

The starting price is set at 0.2 BTC, but will increase every day with 0.1 BTC thanks to two functions: inprice and startTimer.
The function for calculating the time and date, startTimer, is a copy/paste from the following StackOverflow answer: The simplest possible JavaScript countdown timer?

Note that the start_date variable, 1522976914000, is the epoch timestamp in milliseconds, which converted is indeed Friday 6 April 2018 01:08:34, as mentioned in the ransom note.

Ransomware message details:

BTC Wallet: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o
Email: crypter@cyberservices.com 
Extension: .Crypt

Files will be encrypted, as claimed by the cybercriminals, with RSA-2048.

Unfortunately, it appears several people have already paid for decryption: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o


Disinfection

If possible, restore the website from a backup, and consequently patch your website, this means: install all relevant and security patches for your CMS, and plugins where applicable.

Then, change all your passwords. Better be safe than sorry.

It is currently unknown if decryption is possible. If you have an example of an encrypted file, please do upload it to ID Ransomware and NoMoreRansom, to see if decryption is possible, or if a decryptor can be developed.


Prevention

For preventing ransomware that attacks your websites, you can follow my prevention tips here.

General ransomware prevention tips can be found here.


Conclusion

Ransomware can in theory be installed on everything; whether it's your machine, your website, or your IoT device. Follow the prevention tips above to stay safe.

Remember: create backups, regularly, and test them as well.



IOCs

By at No comments:
Labels:forex, iqoption, pubg Hacked , , , , , , , ,

Tuesday, 3 March 2015

C99Shell not dead


In today's blog post, we'll talk about C99shell - a powerful PHP backdoor.

Introduction
Analysis
Disinfection
Prevention
Conclusion



Introduction


I recently got contacted on Twitter in regards to a hacked webpage:



After I received the files two things became apparent:

  • the webserver (and thus the website) was infected with C99shell;
  • the webserver was infected with other PHP backdoors.


Analysis

PHP/c99shell or simply c99shell should be well known by now - it is a PHP backdoor that provides a lot of functionality, for example:


  • run shell commands;
  • download/upload files from and to the server (FTP functionality);
  • full access to all files on the hard disk;
  • self-delete functionality.
  • ...


In short, it can pretty much do everything you want, which results in end-users getting malware onto their systems and/or data getting stolen and/or personal information compromised.

There's an excellent blog post over at Malwaremustdie in regards to C99shell, you can read it here:
How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future?


Now, here's one of the files gathered from the webserver:




It's heavily obfuscated as one would expect; after some deobfuscating/decoding we get:




It also has a nice web interface:









Seems like we are dealing with a slightly updated version of C99shell, version 2.1:








And last but not least, some functionality:














You can find the decoded C99shell backdoor on Pastebin:
Decoded PHP/c99shell

Detections aren't too great for this PHP backdoor, but it surely has improved since Malwaremustdie started blogging about it, some VirusTotal results: 0, 1, 2.


As I mentioned before, other PHP backdoors were present, for example:








After some manual decoding, we turn up with the following interesting line:
getenv(HTTP_X_UP_CALLING_LINE_ID);

Another example:
getenv(HTTP_X_NOKIA_ALIAS);

The "x-headers" HTTP_X_UP_CALLING_LINE_ID and HTTP_X_NOKIA_ALIAS are actually part of WML, the Wireless Markup Language.

Thus, this PHP backdoor seems specifically designed to target mobile users. I've put a copy of the script in screenshot above on Pastebin as well:
Unknown PHP backdoor

Darryl from Kahu Security has written an excellent post on how to manually decode this kind of PHP obfuscation: Deobfuscating a Wicked-Looking Script

If you have any information on what kind of PHP backdoor this might be (if not generic), feel free to let me know.



Disinfection

What if your website's already been hacked and serving up malware to the unknowing visitor? Best practice is to simply take your website offline and restore from an earlier back-up. (don't forget to verify if your back-up isn't infected as well!)

If that's not a possibility for whatever reason, you'll first need to find where any malicious code was injected (or created) on your website, or how it was infected in the first place.

An easy way would be to simply check all recently changed files on your web server. However, those dates can be altered. So what's a better alternative? You can comb over the files one by one, or you can use an online tool to check your website.

A short overview:

http://sitecheck.sucuri.net/
You can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case is to check whether or not you have any outdated plugin or CMS running - as well as a list of links.

http://aw-snap.info/file-viewer/
Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).

http://www.rexswain.com/httpview.html
Useful additional tool to Redleg's file viewer. Allows you to only fetch headers of a website, or fetch both header and content.

http://jsunpack.jeek.org/
Excellent tool in case any malicious Javascript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.

http://urlquery.net/
Excellent tool and more graphical as opposed to JSunpack - especially useful is to see if any IDS was triggered as well as JavaScript and HTTP Transactions.

https://www.virustotal.com/
As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.

https://hackertarget.com/wordpress-security-scan/
Online WordPress Security Scanner to test vulnerabilities of a WordPress installation. Checks include application security, WordPress plugins, hosting environment and web server.

https://github.com/nbs-system/php-malware-finder
NBS System's PHP Malware Finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.

https://github.com/sullo/nikto
Nikto web server scanner.

If nothing is found using any of these tools, but you are still receiving reports from either blacklists (eg. Google) or users, you'll have to manually go over all your files to see if any code was attached.

If you're hosting a web server yourself, you obviously know where you've installed it, so be sure to check in there. If you're not sure where it's installed, may want to look in any of these default locations, if they exist:

Linux:
  • /var/www/
  • /var/www/html
  • var/lib/tomcat7/webapps
Windows:
  • C:\inetpub
  • C:\inetpub\wwwroot\
  • ...


 Another method (and obviously not foolproof) is to copy over all your files to a Windows system and scan them with an antivirus. An example of such antivirus, which works on both Linux and Windows, is ClamAV. I think you're starting to realize why back-ups are important.

If you had any outdated plugins running, chances are very high the backdoor or script was created/added in that specific directory. For example for WordPress this is typically:
/www/wp-content/plugins/

You can also install a plugin for your CMS which can scan your web server for any infected files. (Which is ironic, but might still do the trick should you not be able to find anything manually.)

Last but not least: check your access logs! See any unauthorized (FTP) logins for example? Take a look in any of these locations:

  • /var/log/httpd 
  • var/log/nginx  
  • /var/log/apache
  • /var/log/apache2


You may also want to take a peek in:
/var/log

Contact your hosting provider - they might be able to provide you with assistance.

If you're still stuck, feel free to shoot me an email or contact me on Twitter. Otherwise, contact one of X companies which can help you assist in clean-up.

Don't forget: after clean-up, reset all your passwords (and don't use the same for everything) and follow the prevention tips above, or you'll simply get infected again.
Additionally, always install relevant security patches or updates for your operating system if you are hosting the web server yourself.




Prevention

This shouldn't be repeated normally, but I will again just for good measure:

  • Create back-ups regularly! Yes, even for your website.
  • Keep your CMS up-to-date; whether you use WordPress, Joomla, Drupal, ... 
  • Keep your installed plugins up-to-date. Remove any unnecessary plugins.
  • Use strong passwords for your FTP account(s), as well as for your CMS/admin panel login.
  • Use appropriate file permissions - meaning don't use 777 everywhere. (seriously, don't)
  • Depending on how you manage your website - keep your operating system up-to-date and, if applicable, install and update antivirus software.
  • Consider using a tool like Splunk to monitor your access logs. 
  • Consider installing a security plugin. For WordPress, you have a plugin called All In One WordPress Security which has a ton of options to better secure your website.Don't forget to keep this one up-to-date as well.

More (extended) tips can be found over at StopBadware:
Preventing badware: Basics

There are also guides available on how to harden your specific CMS installation, for example:

WordPress: Hardening WordPress
Joomla: Security Checklist/Joomla! Setup
Drupal: Writing secure code




Conclusion

C99shell is obviously not dead and neither are other PHP backdoors - or any other malware for that matter. Securing your website is not only beneficial for you, but also for your customers and other visitors. This blog post should have provided you with the essentials on securing your website and cleaning it up should it ever be infected

Repeating: best practice is to take your website offline and restore from a back-up.




Resources

For webmasters:
StopBadware - My site has badware
Google - If your site is infected
Redleg - If you're having redirects ("Google says my site is redirecting to a malicious or spam site.")

For researchers:
Online JavaScript Beautifier - http://jsbeautifier.org/
PHP Formatter - http://beta.phpformatter.com/
Kahu Security tools - http://www.kahusecurity.com/tools/
(for this specific blog post, PHP Converter is a must-use and very effective tool)
Base 64 Decoder - http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

Above list is obviously my own personal flavor, feel free to leave a comment with your favorite tool.

By at No comments:
Labels:forex, iqoption, pubg Hacked , , , , , , ,
Subscribe to: Posts (Atom)