A LARGE NUMBER OF SERVERS BY HFS ARE EXPLOITED TO SPREAD MALWARE
A large number of servers by HFS are exploited to spread malware
First publish time: 17:00, Sep 15, 2015.
Update time: 17:00, Sep 15, 2015.
Recently, the third generation Honeypot Wind-capture System of Antiy captured a downloader sample. After the samples being executed, it will access to an Http File Server built by hackers. Through a tracking and analysis by wind-capture system, analysts found that there are many servers built by HFS. With monitoring one of the downloading servers, the total hits reach to nearly 30 thousand during 6 online days, which can show that it has a wide spread. The extremely simple operation of this software is favored by primary attackers; meanwhile, it has been used by hackers many times because of its convenient construction and easy to spread, etc. Through an associated analysis, Antiy CERT researchers have found that this kind of lightweight server tools has been prevalent currently.
1.1 Sample label
|Original file name||non|
|Shell type||Unknown shell|
|Compiled language||Microsoft Visual C++ v6.0|
Graph 1 Sample label
Hackers use weak passwords to intrude MySQL database server, use MySQL commands to set up tables and new variable, write executable binary codes into the variable and insert into the table, then dump the binary executable file in the table to the database server and execute it finally, which is also commonly used by hackers to intrude database.
After being executed, it will access to its own code dynamically, and then elevate privileges with the main function of enumerating antivirus software Kingsoft guards process name “KSafeTray.exe”. If the process appears, end it.
Graph 2 End Kingsoft guards process
Malware connection server (IP: 118.193**.**:1010)
Graph 3 Network connected operation
When malware connects to the server port, the server port will be invalid. Antiy CERT analysts found a lightweight server with a malware (1010. Exe) when connected to the IP.
1.2 Server sample analysis
|Original file name||1010.exe|
|File size||80.0 KB (81,988 bytes)|
|Compiled language||Microsoft Visual C++ 6.0|
Graph 4 Sample label
Graph 5 Server sample flow
The hacker server is captured by Antiy CERT in less than 2 online hours. The sample will first decrypt the download server address, and then judge whether the sample runs with parameters and whether the parameters include the “Windows 7” string. If it does not include or runs without parameters, it will execute a thread with downloading function, judge if the transferred parameters are empty when executes thread. If not, it will execute thread creation process, as shown in the figure below.
Graph 6 Create threat flow
When malware enters into the thread, it will deliver the parameter string (address of connected server in fact) to the functions that connect to the server. The thread is responsible for downloading other malware.
If the malware with parameters and includes “Windows 7” string, it will skip the thread to create process, deliver file name and flag bit server functions, then re-connect to the server address, re-download 1011. exe file and store it in C: \ Windows \ AppPatch directory and names it as “mysqld. dll” to run.
Graph 7 Running process with parameters
The server has just launched on September 8 with infecting rate increasing gradually, as shown in the figure below:
IP address: 118.193. * *. * * (China Telecom ShaTian international data center, Hong Kong special administrative region)
Graph 8 Hits of online server in a day
2 Correlate similar server
Through a further correlation analysis, it can be found that another sample link address is the server built by Http File Server in another Antiy Honeypot System with the server domain name is qj0. * *. * *. By tracking a few days, they found that the domain names have changed IP four times (as shown in the figure below), and all the servers are provided by Aliyun Server. The combination of dynamic domain name and Aliyun Server make the malicious groups more concealed. Hackers have purchased multiple Aliyun Servers to spread malware, often change IP and expand malware spreading by binding IP with other domain names with a better hiding at the same time.
Graph 9 Change Aliyun Servers frequently
Graph 10 Hits of malicious servers
Malicious server regularly updates malware with an increasing infecting rate.
List of malware virus name is as below:
|Sample name||Uploading time||Hits||MD5||Virus name|
On September 7, Antiy CERT captures another address of similar malware downloading server whose hits reach to 10 thousand when being captured. Almost all the software in server is malware most of whom are backdoor and downloaders. Function list of malware is shown as below.
Graph 11 Malicious server
After tracking of this server a week, Antiy CERT analysts found that the total hits increase linearly with an adding of almost 3000 hits per day. As shown in the figure below:
Graph 12 Trend of server hits per day
Statistics of server malware virus name is shown as below:
|Sample name||Uploading time||Hits||MD5||Virus name|
Through a tracking and exploration, Antiy analysts found that this kind of hacker server is very common currently, as shown in the figure below:
Graph 13 Malicious server
Graph 14 Malicious server
At present, with the enormous economic benefit temptation of “Black Industry”, commercial hacker toolkit is becoming more and more prevalent. This kind of malware output can make newbies quickly learn the rudiments of malware, even a newbie without any experience can easily master the methods of invasion of computer snooping after a short time study. Not just hacking tools, even an ordinary tool with normal service can also be easily used by hackers, for example, lightweight Http Server (Http File Server) which is favored by users for its convenient construction, easy to operate and other characteristics. Meanwhile, hackers can use the method of combination of building lightweight server in cloud with dynamic DNS to spread malware broader and more concealed. The increasing use of this kind of lightweight and convenient server tool that is favored by hackers or novice will no doubt accelerate the spread of malware.
This kind of hacking tool techniques can make the production cycle of malware shorter. Relying on commercial tools to attack can reduce the attack cost and improve the testing difficulty and propagation velocity at the same time. This attack technique with less difficulty, low threshold and less cost will make the black industry chain of Internet become a mess and brings more challenges to Internet security.
4 Appendix 1: About Antiy
Starting from antivirus engine research and development team, Antiy now has developed into an advanced security product supplier with four research and development centers, nationwide detection and monitoring ability as well as products and services covering multiple countries. With a fifteen-year continual accumulation, Antiy has formed massive security knowledge and promoted advanced products and solutions against APT with integrated application of network detection, host defense, unknown threat identification, data analysis and security visual experiences. With the recognition of technical capacity by industry regulators, customers and partners, Antiy has consecutively awarded qualification of national security emergency support unit four times and one of the six of CNNVD first-level support units. Antiy detection engine for mobile is the first Chinese product that obtained the first AV – TEST (2013) annual awards and more than ten of the world’s famous security vendors choose Antiy as their detection partner.
More information about antivirus engine:
More information about anti-APT products: