Your security, networking, programming, and application news source.
Google

Sunday, October 2, 2011

Payload Anatomy of InMotion Hosting Defacements

The Attack


<InMotion Hosting> was hacked leaving more than 70,000 websites compromised on the weekend of September 23, 2011. One of many news articles that covered the attack:

(Article by Jack Phillips Sep 29, 2011)
<The Epoch Times: Hosting Firm InMotion Hacked, Thousands of Websites Defaced>

The Defacement


This attack appears to be a host-wide defacement. The defaced websites had hacked-by pages added to their site which credited "TiGER-M@TE":

(This is a screen shot of the defacement page, index.php )

From the perspective of the customer, there were no access, web, or ftp log entries. A file named hacked_page was dropped in to the root www directory and was propagated to all the immediate sub-directories as index.php.

<index.php contents>(pastebin.org)

Encoding


This PHP page contains only HTML and JavaScript. A close look at its contents shows that it uses some cleaver encoding in an attempt to avoid security fingerprinting, which could later allow for easy automated detection.

A common technique is to represent malicious JavaScript code in escaped hexadecimal character format, then pass that through JavaScript's unescape function at run time. First, this obscures the malicious code. With some small adjustments, the same encoded contents can be generated in many copies all uniquely different. But, with a little time one can decode the page's contents.

The unescape function decodes the URL escape character syntax as well as the JavaScript escape character syntax. The defacement page used both, one over top of the other:

found in index.php
(JavaScript escaped hexadecimal characters)

\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34

unescape's to...
(URL escaped hexadecimal characters)

%3C%73%63%72%69%70%74

unescape's to...
(The start of an HTML tag that will contain the malicious JavaScript)

<script

This is not a new technique and is easily decoded after the fact. After coding up a quick tool I was able to decode the page:

<index.php decoded>(pastebin.org)
(The decoded contents are noted in JavaScript comments.)

I've created an open source tool for decoding escaped hex, <Unescape>, so you can follow along.

Analyzing this shows that this page has five parts of interest:
  • Connection to statistics tracking service
  • Window animation and color cycling
  • A base64 embedded GIF image (not hex-coded)
  • "Hacked" image
  • Playing of an embedded Flash file (apparently for auto playing audio)

Statistics tracking


Line #33 of the <decoded page> (line #11 originally) defines the function details. This function is set as an onclick event for the "TiGER-M@TE" text. The function open three web pages when triggered, two different statistics tracking service links at <zone-h> and one Google search of "Hacked by TiGER-M@TE" through <LMGTFY (Let Me Google That For You)> The statistics at zone-h can be viewed here:

<zone-h notifier: TIGER-M@TE>

<zone-h notifier: TIGER-M@TE special=1>

Window animation


Line #40 through #133 of the <decoded page> (also line #11 originally) defines a timed script of moving and resizing the browser window in some sort of animated show while cycling colors.

Embedded base64 GIF image


Line #148 of the <decoded page> (the end of line #11 originally) contains a GIF image embedded in the page using <base64(wiki)> encoding. This appears to merely be a faded line. As we'll seen next, maintaining image hosting seems like a challenge for the defacers.


"Hacked" image


Line #183 of the <decoded page> (then end of line #15 originally) is some encoded JavaScript to add an image tag to a small image of the word "Hacked". This <image is hosted on Fotonons.ru> but the tag is crafted to fall back on <the same image hosted at BayImg.com>. This seems to highlight the perceived difficulty of maintaining image hosting during the peak of the defacement activity.

Embedded flash audio


The code inside the "mp3 code starts from here" HTML comments turned out to be the most complicated. This part was encoded in multiple layers and revealed a custom character transformation function. First the contents had some key characters escaped with JavaScript hex characters, the entire resulting contents was escaped with URL escaped hexadecimal characters, then the resulting contents was additionally escaped with JavaScript hex characters. Pealing this away reveals a dF function which provided a custom transformation decoder for decoding the accompanying section of escaped data:

<index.php decoded dF function>(pastebin.org)

This decoder merely did some basic arithmetic to each character's value. The final results start at line 200 of the <decoded page>. This resulting code adds the following flash file to the page for auto-play:

http://77.247.69.68/.../By_TiGER-M@TE.swf

The host 77.247.69.68 <resolves> to <Rackhosting.com> in Denmark. The link, with its peculiar "..." directory, seemed dead as as soon as tested.

Variable Names


The "_0x9355" style of JavaScript variable names imply that many documents where intended to be generated with unique variable names. This technique would act as an obfustication while attempting to evade fingerprinting by security applications such as anti-virus and intrusion detection services.

Summary


The index.php defacement page propagated nearly one hundred thousand times in recently compromised <InMotion Hosting> web sites display a decorative brand promotion while loading a flash file that appeared to be for audio, but was unrecovered. A statistics tracking service was used and a couple of mostly common techniques where used to obfusticate the JavaScript code in an apparent attempt to evade filtering and detection by security services.

UPDATES:

10/2/2011 - Added decoded dF function pastebin
10/8/2011 - Added open source Unescape tool.

No comments:

Post a Comment