A large number of servers by HFS are exploited to spread malware

Antiy CERT

Download

First publish time: 17:00, Sep 15, 2015.

Update time: 17:00, Sep 15, 2015.

 

1      Production

---

Recently, the third generation Honeypot Wind-capture System of Antiy captured a downloader sample. After the samples being executed, it will access to an Http File Server built by hackers. Through a tracking and analysis by wind-capture system, analysts found that there are many servers built by HFS. With monitoring one of the downloading servers, the total hits reach to nearly 30 thousand during 6 online days, which can show that it has a wide spread. The extremely simple operation of this software is favored by primary attackers; meanwhile, it has been used by hackers many times because of its convenient construction and easy to spread, etc. Through an associated analysis, Antiy CERT researchers have found that this kind of lightweight server tools has been prevalent currently.

1.1     Sample label

Virus name	Trojan[Downloader]/Win32.Agent
Original file name	non
MD5	A52B473888FA975D37048D5959533001
Processor Architecture	X86-32
File size	180KB(184427Bytes)
File format	BinExecute/Microsoft.EXE[:X86]
Timestamp	2015-08-29
Digital signature	non
Shell type	Unknown shell
Compiled language	Microsoft Visual C++ v6.0

Graph 1 Sample label

 

 

Hackers use weak passwords to intrude MySQL database server, use MySQL commands to set up tables and new variable, write executable binary codes into the variable and insert into the table, then dump the binary executable file in the table to the database server and execute it finally, which is also commonly used by hackers to intrude database.

After being executed, it will access to its own code dynamically, and then elevate privileges with the main function of enumerating antivirus software Kingsoft guards process name “KSafeTray.exe”. If the process appears, end it.

Graph 2 End Kingsoft guards process

Malware connection server (IP: 118.193**.**:1010)

Graph 3 Network connected operation

 

 

When malware connects to the server port, the server port will be invalid. Antiy CERT analysts found a lightweight server with a malware (1010. Exe) when connected to the IP.

1.2 Server sample analysis

Virus name	Trojan[Downloader]/Win32.Agent
Original file name	1010.exe
MD5	FF5ED4E0F8A968643F49E1FDF1D76338
Processor Architecture	X86-32
File size	80.0 KB (81,988 bytes)
File format	BinExecute/Microsoft.EXE[:X86]
Timestamp	2015-08-29
Digital signature	non
Shell type	non
Compiled language	Microsoft Visual C++ 6.0

Graph 4 Sample label

 

Graph 5 Server sample flow

The hacker server is captured by Antiy CERT in less than 2 online hours. The sample will first decrypt the download server address, and then judge whether the sample runs with parameters and whether the parameters include the “Windows 7” string. If it does not include or runs without parameters, it will execute a thread with downloading function, judge if the transferred parameters are empty when executes thread. If not, it will execute thread creation process, as shown in the figure below.

Graph 6 Create threat flow

 

When malware enters into the thread, it will deliver the parameter string (address of connected server in fact) to the functions that connect to the server. The thread is responsible for downloading other malware.

If the malware with parameters and includes “Windows 7” string, it will skip the thread to create process, deliver file name and flag bit server functions, then re-connect to the server address, re-download 1011. exe file and store it in C: \ Windows \ AppPatch directory and names it as “mysqld. dll” to run.

Graph 7 Running process with parameters

The server has just launched on September 8 with infecting rate increasing gradually, as shown in the figure below:

IP address: 118.193. * *. * * (China Telecom ShaTian international data center, Hong Kong special administrative region)

Graph 8 Hits of online server in a day

2      Correlate similar server

---

Through a further correlation analysis, it can be found that another sample link address is the server built by Http File Server in another Antiy Honeypot System with the server domain name is qj0. * *. * *.  By tracking a few days, they found that the domain names have changed IP four times (as shown in the figure below), and all the servers are provided by Aliyun Server. The combination of dynamic domain name and Aliyun Server make the malicious groups more concealed. Hackers have purchased multiple Aliyun Servers to spread malware, often change IP and expand malware spreading by binding IP with other domain names with a better hiding at the same time.

Graph 9 Change Aliyun Servers frequently

Graph 10  Hits of malicious servers

Malicious server regularly updates malware with an increasing infecting rate.

List of malware virus name is as below:

Sample name	Uploading time	Hits	MD5	Virus name
is.war	2015-8-15 10:27:48	291	5F0926A42D2F1042013F45A2B755699E	Trojan[Backdoor]/Java.JSP.l
syn20160	2015-8-18 19:53:40	926	1D3C681B99B98F0D8DDE23758DD98C07	Trojan[Backdoor]/Linux.Ganiw
win.exe	2015-8-18 19:58:16	88	28ACC38A08B44B76EA85A0853961EBC9	Trojan/Win32.Reconyc.esql
xxa.exe	2015-8-28 18:24:56	272	31ED5DBFF8EFB9D61C68084FC3F20E22	Trojan[Backdoor]/Win32.Farfli
Zesr68f4.dll	2015-9-3 0:12:34	573	8A65DB08D158060F60DF68732FB34D84	Trojan/Win32.Generic

 

On September 7, Antiy CERT captures another address of similar malware downloading server whose hits reach to 10 thousand when being captured. Almost all the software in server is malware most of whom are backdoor and downloaders. Function list of malware is shown as below.

Graph 11 Malicious server

After tracking of this server a week, Antiy CERT analysts found that the total hits increase linearly with an adding of almost 3000 hits per day. As shown in the figure below:

Graph 12 Trend of server hits per day

 

Statistics of server malware virus name is shown as below:

Sample name	Uploading time	Hits	MD5	Virus name
1433.exe	2015-8-1 17:16:43	218	cc2b9684dc95ea70f052eb8a3902b0ad	Trojan[Downloader]/Win32.Agent
3306.exe	2015-8-3 15:22:57	229	40d70745cfcdc0574d0a6982362f1c7d	Trojan[Downloader]/Win32.Agent
arp.exe	2015-8-8 10:27:54	536	6ff1142bb5b0dc40f1a37dd1cbf53e80	Trojan[Downloader]/Win32.Agent
bc12345.exe	2015-8-6 17:46:38	2572	ab34251ccfcc60005c7b3a294040e4cd	Trojan[Downloader]/Win32.Agent
cr.exe	2015-8-7 16:30:55	143	303ff8794e5c6f32870ed55c33573e7b	Trojan[Downloader]/Win32.Agent
gott.exe	2015-7-30 19:20:31	23	c7e9e5566cf3428e25e07868f44fd19c	Trojan[Backdoor]/Win32.Farfli
mogujie.exe	2015-8-14 9:18:53	19525	25c72c1e994f3efec4a1b555d36ef4a4	Trojan[Downloader]/Win32.Agent
moke8.exe	2015-8-8 9:29:24	1018	67b2dbedd5a258258baab0094e278f96	Trojan[Downloader]/Win32.Agent
mp4fixtool.exe	2015-8-10 16:30:59	351	f005589add550804017349d7a21aa633	Trojan[Downloader]/Win32.Agent
NetSyst81.dll	2014-10-25 13:48:02	214	0b156ec492ea45d282cf823415ecaf12	Trojan/Win32.Agent
scvhost.exe	2015-7-30 19:20:31	373	c7e9e5566cf3428e25e07868f44fd19c	Trojan[Backdoor]/Win32.Farfli
win2003.exe	2015-8-28 16:23:44	34	e8aa9941e88fb172d9a470973834b4c0	Trojan[Downloader]/Win32.Agent
windowsupdate.exe	2015-8-6 9:34:48	28	fc8ee42d829dcc9a12cbe528b6a5f7f4	Trojan[Downloader]/Win32.Agent
yiqig.exe	2015-8-8 10:25:28	313	f1fbf62e7f04f9e7e223c64e78ff9a99	Trojan[Downloader]/Win32.Agent
yymp4.exe	2015-8-14 9:18:53	509	25c72c1e994f3efec4a1b555d36ef4a4	Trojan[Downloader]/Win32.Agent

Through a tracking and exploration, Antiy analysts found that this kind of hacker server is very common currently, as shown in the figure below:

Graph 13 Malicious server

Graph 14 Malicious server

3      Summary

---

At present, with the enormous economic benefit temptation of “Black Industry”, commercial hacker toolkit is becoming more and more prevalent. This kind of malware output can make newbies quickly learn the rudiments of malware, even a newbie without any experience can easily master the methods of invasion of computer snooping after a short time study. Not just hacking tools, even an ordinary tool with normal service can also be easily used by hackers, for example, lightweight Http Server (Http File Server) which is favored by users for its convenient construction, easy to operate and other characteristics. Meanwhile, hackers can use the method of combination of building lightweight server in cloud with dynamic DNS to spread malware broader and more concealed. The increasing use of this kind of lightweight and convenient server tool that is favored by hackers or novice will no doubt accelerate the spread of malware.

This kind of hacking tool techniques can make the production cycle of malware shorter. Relying on commercial tools to attack can reduce the attack cost and improve the testing difficulty and propagation velocity at the same time. This attack technique with less difficulty, low threshold and less cost will make the black industry chain of Internet become a mess and brings more challenges to Internet security.

4      Appendix 1: About Antiy

Starting from antivirus engine research and development team, Antiy now has developed into an advanced security product supplier with four research and development centers, nationwide detection and monitoring ability as well as products and services covering multiple countries. With a fifteen-year continual accumulation, Antiy has formed massive security knowledge and promoted advanced products and solutions against APT with integrated application of network detection, host defense, unknown threat identification, data analysis and security visual experiences. With the recognition of technical capacity by industry regulators, customers and partners, Antiy has consecutively awarded qualification of national security emergency support unit four times and one of the six of CNNVD first-level support units. Antiy detection engine for mobile is the first Chinese product that obtained the first AV – TEST (2013) annual awards and more than ten of the world’s famous security vendors choose Antiy as their detection partner.

More information about antivirus engine:

http://www.Antiy.net (English)

More information about anti-APT products:

http://www.Antiy.cn