OC client update


After upgrading the ownCloud server, older clients are no longer compatible. If you are running a version of Ubuntu or Debian GNU/Linux, upgrading the client is straightforward. For Ubuntu 14.04 LTS, it is as simple as:

wget http://download.opensuse.org/repositories/isv:ownCloud:desktop/Ubuntu_14.04/Release.key
sudo apt-key add - < Release.key
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_14.04/ /' >> /etc/apt/sources.list.d/owncloud-client.list"
sudo apt-get update
sudo apt-get install owncloud-client

The current version of the owncloud-client is 2.0.1. Server Admins might also want to read this.

Malware Deobfuscation


Recently, a customer's outdated WordPress installation started misbehaving by sending out lots of typical spam mails.


1. Correlation

At first, some correlation of what exactly was going on was required. Tailing the webserver's logfiles together w/ running ngrep shows a clear connection: when a certain URL is called, a new spike in the mail queue happens. Also, the ngrep data reveals an interesting string:

YToxOntzOjE6InIiO2E6NDp7czoxOiJ0IjtpOjE7czoxOiJlIjtpOjA7czoxOiJnIjtpOjMwO3M6MToiYiI7aTowO319

This looks like some base64 to me. Decoding this results in

a:1:{s:1:"r";a:4:{s:1:"t";i:1;s:1:"e";i:0;s:1:"g";i:30;s:1:"b";i:0;}}

which potentially looks like some C&C data. Facts so far: an attacker uploads a PHP file and regularly calls that file to send out spam mails.
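To see what such a blob actually carries, here is an added example in Python (mine, not code from the original post): it base64-decodes the captured string and parses it with a small parser for the subset of PHP's serialize() format the blob uses (integers, booleans, null, strings and arrays). The captured string is taken from the post; the nested structure the parser returns is what a PHP unserialize() call in the script would produce. The key names t/e/g/b are whatever the attacker chose, and their meaning is not known from the post.

```python
import base64

# The query-string value captured with ngrep, copied from the post.
CAPTURED = ("YToxOntzOjE6InIiO2E6NDp7czoxOiJ0IjtpOjE7czoxOiJlIjtpOjA7"
            "czoxOiJnIjtpOjMwO3M6MToiYiI7aTowO319")


def php_unserialize(data: bytes):
    """Parse the subset of PHP serialize() output typically seen in such blobs:
    integers (i:), booleans (b:), null (N;), strings (s:) and arrays (a:).
    PHP arrays are ordered maps, so they come back as Python dicts."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing bytes at offset {pos}")
    return value


def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        _expect(data, pos + 1, b";")
        return None, pos + 2
    if tag in (b"i", b"b"):                          # i:30;  b:1;
        end = data.index(b";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                                  # s:1:"r";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])            # length is in bytes
        start = colon + 2                            # skip ':"'
        raw = data[start:start + length]
        _expect(data, start + length, b'";')
        return raw.decode("utf-8", "replace"), start + length + 2
    if tag == b"a":                                  # a:4:{ key value ... }
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        _expect(data, pos, b"}")
        return result, pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def _expect(data: bytes, pos: int, token: bytes):
    if data[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")


def decode_cnc_blob(b64: str):
    """Return (decoded text, parsed structure) for a base64 + serialize() blob."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("ascii"), php_unserialize(raw)


if __name__ == "__main__":
    text, parsed = decode_cnc_blob(CAPTURED)
    print(text)
    print(parsed)
```

Because the parser walks the structure by the declared lengths and counts instead of splitting on delimiters, it is also the safer way to inspect blobs like this: it never executes anything and refuses input with trailing bytes or an unknown type tag.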


2. Code Analysis

When checking out the PHP code of the malicious file – only two scanners at VirusTotal detect it, as CPR17F2.Webshell and PHP.Packed.11 respectively – it becomes clear that the code is obfuscated not only with base64, but also in some proprietary way. Most of the file's content consists of lines like:

'aAwukaYdS7yQ0b9uFTYCvTpuSJyX7B97oGwuJ7z5D04QK8QK2lpYPqyX7jpvoswuJayQ0DV'.

Function names are random, and the code seems to be stuffed in obfuscated and encoded form. However, at the beginning of the file we get some hints, and at the end there is something like a key scheme for all of this:

$felhrwy = Array('1'=>'m', '0'=>'g', '3'=>'Y', '2'=>'B', '5'=>'y', '4'=>'M', '7'=>'l', '6'=>'Q', '9'=>'b', '8'=>'7', 'A'=>'A', 'C'=>'2', 'B'=>'v', 'E'=>'j', 'D'=>'w', 'G'=>'0', 'F'=>'F', 'I'=>'O', 'H'=>'H', 'K'=>'k', 'J'=>'1', 'M'=>'T', 'L'=>'U', 'O'=>'x', 'N'=>'q', 'Q'=>'C', 'P'=>'R', 'S'=>'N', 'R'=>'o', 'U'=>'6', 'T'=>'4', 'W'=>'P', 'V'=>'K', 'Y'=>'X', 'X'=>'G', 'Z'=>'8', 'a'=>'p', 'c'=>'S', 'b'=>'n', 'e'=>'L', 'd'=>'3', 'g'=>'E', 'f'=>'r', 'i'=>'i', 'h'=>'I', 'k'=>'5', 'j'=>'t', 'm'=>'h', 'l'=>'z', 'o'=>'9', 'n'=>'e', 'q'=>'f', 'p'=>'Z', 's'=>'s', 'r'=>'u', 'u'=>'W', 't'=>'c', 'w'=>'a', 'v'=>'V', 'y'=>'d', 'x'=>'D', 'z'=>'J');


3. Code Deobfuscation – partial only

Okay, we have that list, so we can use tools like sed to transform the data by the author's own rules. After having compiled a list that looks like

s/1/m/g

and so on, a small shell script (that I call BRAINFUCK.sh intentionally) is needed to do what we want, containing:

j=1
k=2
for i in $(cat ARRAY)            # ARRAY: one sed expression per line, e.g. s/1/m/g
do
  echo "$i $j $k"
  sed "$i" "FILE$j" > "FILE$k"   # apply one rule, writing FILE1 -> FILE2 -> FILE3 ...
  j=$(expr "$j" + 1)
  k=$(expr "$k" + 1)
done

Later on, it becomes clear that this is not the quick and dirty way, as that would rather have been

sed -f ARRAY $1 > $2

Output in both cases becomes a lot clearer, but is still heavily obfuscated, and fiddling around w/ all the text-manipulation utilities is a very abstract thing for sure. Also, the techniques used so far do not deal w/ things like CRLF or “\r\n” and so on.
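An added example (mine, not the post's code) that applies the $felhrwy table in Python. It checks that the table is a one-to-one map of [0-9A-Za-z] onto itself, i.e. a substitution on the base64 alphabet that leaves '+', '/' and '=' untouched, and it contrasts a simultaneous per-character lookup (what PHP's strtr() with an array or tr(1) does) with the sequential one-rule-at-a-time application that both the BRAINFUCK.sh loop and `sed -f ARRAY` perform: sed rewrites the output of an earlier rule with a later one ('1' becomes 'm', and 'm' is later turned into 'h'), which is one reason the sed output stays unreadable. The deobfuscate() function assumes the table is applied before base64-decoding, which is plausible from the eval(xlvgapr($wufa, $felhrwy)) call but not confirmed by the post; obfuscate() and the sample text are constructed for the demonstration.

```python
import base64
import string

# The $felhrwy table from the malicious file, transcribed from the post.
FELHRWY = {
    '1': 'm', '0': 'g', '3': 'Y', '2': 'B', '5': 'y', '4': 'M', '7': 'l', '6': 'Q',
    '9': 'b', '8': '7', 'A': 'A', 'C': '2', 'B': 'v', 'E': 'j', 'D': 'w', 'G': '0',
    'F': 'F', 'I': 'O', 'H': 'H', 'K': 'k', 'J': '1', 'M': 'T', 'L': 'U', 'O': 'x',
    'N': 'q', 'Q': 'C', 'P': 'R', 'S': 'N', 'R': 'o', 'U': '6', 'T': '4', 'W': 'P',
    'V': 'K', 'Y': 'X', 'X': 'G', 'Z': '8', 'a': 'p', 'c': 'S', 'b': 'n', 'e': 'L',
    'd': '3', 'g': 'E', 'f': 'r', 'i': 'i', 'h': 'I', 'k': '5', 'j': 't', 'm': 'h',
    'l': 'z', 'o': '9', 'n': 'e', 'q': 'f', 'p': 'Z', 's': 's', 'r': 'u', 'u': 'W',
    't': 'c', 'w': 'a', 'v': 'V', 'y': 'd', 'x': 'D', 'z': 'J',
}

ALPHANUM = string.digits + string.ascii_uppercase + string.ascii_lowercase


def is_alphabet_permutation(table=FELHRWY):
    """True if the table maps [0-9A-Za-z] one-to-one onto itself: a substitution
    on the base64 alphabet that leaves '+', '/' and '=' as they are."""
    return set(table) == set(ALPHANUM) and set(table.values()) == set(ALPHANUM)


def translate_simultaneous(data, table=FELHRWY):
    """One lookup per character, as PHP's strtr() with an array or tr(1) do.
    Characters not in the table pass through unchanged."""
    return "".join(table.get(ch, ch) for ch in data)


def translate_sequential(data, table=FELHRWY):
    """Emulate one `sed s/old/new/g` per table entry, applied in table order.
    This is what the BRAINFUCK.sh loop and `sed -f ARRAY` both do."""
    for old, new in table.items():
        data = data.replace(old, new)
    return data


def chaining_inputs(table=FELHRWY):
    """Characters whose sequential result differs from the simultaneous one,
    because a later rule rewrites the output of an earlier rule."""
    return [ch for ch in table
            if translate_sequential(ch, table) != translate_simultaneous(ch, table)]


def deobfuscate(blob, table=FELHRWY):
    """Apply the table, then base64-decode (assumed order; see lead-in)."""
    return base64.b64decode(translate_simultaneous(blob, table)).decode("utf-8")


def obfuscate(plaintext, table=FELHRWY):
    """Build a blob in the same scheme for testing: base64, then the inverse table."""
    inverse = {v: k for k, v in table.items()}
    encoded = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return translate_simultaneous(encoded, inverse)


if __name__ == "__main__":
    # Constructed sample payload; not taken from the analysed file.
    sample = "<?php echo 'constructed sample'; ?>"
    blob = obfuscate(sample)
    print("permutation of [0-9A-Za-z]:", is_alphabet_permutation())
    print("obfuscated  :", blob)
    print("simultaneous:", deobfuscate(blob))
    print("rules that chain under sed:", "".join(chaining_inputs()))
    print("sed-style   :", translate_sequential(blob)[:40], "...")
```

If you do want to stay in the shell, the same simultaneous mapping is what tr(1) provides when given the table's keys and values as its two character sets; a sequence of sed substitutions cannot express it.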


4. Code Deobfuscation – SUCCESS

It looks a lot more reasonable to use the code that the attacker already gave us to deobfuscate and decode the whole PHP file. So we take a closer look at the very last function call, which does all of that:

eval(xlvgapr($wufa, $felhrwy));?>

In short, this runs the deobfuscated and decoded code directly on the machine the file is executed on. All we gotta do is not run the code but print it, so all it takes is

print(xlvgapr($wufa, $felhrwy));?>

and a command like

php MODIFIED_inc.php > DECODED.php

The resulting DECODED.php file is ~108 kB in size (vs. ~152 kB originally) and seems to borrow heavily from PHPMailer. What we have now is the source code of some sort of complete framework for sending mail, featuring things like DKIM as well.