Saturday, June 2, 2012

Computer Herpes

The other day I came across a rather nice dissection of the HerpesNet malware agent (sometimes referred to as Mal/HerpBot-B) – carried out by the crew at malware.lu. Apart of the rather interesting name given to the malware and an associated remote C&C panel, there’s nothing particularly special about the functionality of the bot agent – it offers all the malicious features you’d expect the criminals to want.

What makes the malware.lu dissection so interesting is the enumeration of remotely exploitable vulnerabilities within the C&C tasked with controlling all the botnet victims. This in itself isn’t unexpected – since the majority of malware authors are pretty poor coders – priding themselves on the features they include rather than the integrity and security of their coding practices. In fact, bug hunting malware and botnet C&C has practically become its own commercial business – as many boutique security firms now reverse engineer the bad guy’s tools and sell the uncovered remotely exploitable flaws they find to various law enforcement and government intelligence agencies.

The 80kb crimeware agent for this small botnet (7000-8000 victims) attempts some level of obfuscation by encoding its control strings with 00406FC0h – revealing the following command related domains and URLs:
  • http://dd.zeroxcode.net/herpnet/
  • http://www.zeroxcode.net/herpnet/
  • http://frk7.mine.nu/herpnet/
  • ftp.zeroxcode.net
  • upload@zeroxcode.net
Armed with information about the location of the C&C server and the method of communication (HTTP POST commands) the crew at malware.lu performed a free security assessment of the www.zerocode.net server and uncovered a number of remotely exploitable SQL vulnerabilities which not only allowed them to enumerate the entire content of the botnet’s data (e.g. victim data) storage area, but to also uncover the criminals passwords for the server. Armed with that information, malwware.lu proceeded to gain full interactive control of the host – including the C&C management console for the botnet.

As is so typical for small “starter” botnets such as this, their criminal overlords tend to make a number of critical mistakes – such as using the server for other non-botnet-related tasks and infecting themselves with their crimeware agent and forgetting to remove their own stolen data from the C&C database. Easily half of the botnet’s C&C servers encountered by Damballa Labs contain key identifying information about the servers criminal overlord due to them testing their malware agents on themselves and forgetting to remove that data from the database. As you’ve already guessed, this Herpes botnet mastermind was no different… Say hello to “frk7″, aka “Francesco Pompo”.


Image courtesy of malware.lu.


I’m guessing life has suddenly become much more complicated for Francesco. His botnet has been hijacked, all of his aliases and online identities have been enumerated, both he and his girlfriend have had their personal photos accessed and plastered over the Internet, and his passwords to his accounts have been disclosed. I think his Twitter account has now been suspended too.

As someone who’s come from a penetration testing and vulnerability discovery background, it’s amusing to me how the malware.lu hack proceeded. There’s nothing groundbreaking in what they did – they followed a standard methodology that dates back a decade to the early editions of the Hacking Exposed books – tactics and methods many professionals use on a routine basis, with one exception… somehow I doubt that poor Francesco gave his permission for this unscheduled evaluation of his server. I’m hoping that the countries in which malware.lu crew members live are a little more flexible on their anti-hacking laws than they are in any of the countries I’ve lived in over the years. I suspect that while I’d get a pat on the shoulder with one hand if I was to have done this, I’d also be getting adorned with some unflattering steel bracelets and whisked off to a cold room with little in the way of scenery or comfort.

No comments:

Post a Comment