Labels

dinsdag 21 augustus 2012

Source code of Management System used for Dorifel/Citadel

I stopped publicizing my findings on the Dorifel/Citadel servers because most of my goals have been achieved and because people started messing with my findings. (Logging in on people's bank accounts, spoiling their privacy etc)

But since other company's are still on the hunt I'd like to share some interesting information with them.

Here's the source code of the management system. It manages the donkey/money mules, exploits, sellers, infections and browser versions.. It gives you an insight of the database structure and file structure, which can be of great value in further investigation.



Source code can be downloaded here. 

vrijdag 10 augustus 2012

Complete details of the Dorifel servers, including its 'master' server in Austria


Below are my findings of the two servers used in the (targetted) attack mainly taking place in the Netherlands.

We have 2 server setups that are close to identical, their ip-adresses are:
184.22.103.202 (Domain: reslove-dns.com)
184.82.162.163 (Domains: 10ba.com, windows-update-server.com, wsef32asd1.org, dns-local.org)
Both are hosted within AS21788

From now on I consider both IP-adresses as one server. Or both IP-adresses as a proxy.

Both have the following ports open:
PORT      STATE    SERVICE              VERSION
22/tcp    open     ssh                  OpenSSH 5.5p1 Debian 6 (protocol 2.0)
80/tcp    open     http                 nginx 0.7.67
111/tcp   open     rpcbind (rpcbind V2) 2 (rpc #100000)
545/tcp   open     http                 Apache httpd 2.2.16
2407/tcp  open     http                 Apache httpd 2.2.3 ((CentOS))
2408/tcp  open     http                 Apache httpd 2.2.3
41666/tcp open     status (status V1)   1 (rpc #100024)

The SSH-keys are:
 | ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
 |_ 2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Googling both of them brings up this page, prompting us with another IP-adres and domain name to investigate: 184.22.62.88 with the domain passget.com (date: 2011-10-26 04:22). This time SSH on port 222 is used instead of 22.

Directory listing of 184.22.103.202 and 184.82.162.163 (nginx/0.7.67 PHP/5.3.3-7+squeeze13):
/index/
/icons/
 |_/small/
/www/
 |_/images/
 |_/secure/ (Fragus login)
       |_/files/ (virus binaries)
               |_23 (Virustotal)
               |_24 (Virustotal)
               |_25 (Virustotal)
               |_26 (Virustotal)
               |_27 (Virustotal)
               |_28 (Virustotal)
               |_29 (Virustotal)
               |_30 (Virustotal)
               |_31 (Virustotal)
               |_32 (Virustotal)
       |_/templates/
               |_/english/ (Fragus login)
/web/
 |_/mak/
/doc/
/cgi-bin/
/img/
/uk/
/jump/
/ssl/
 |_ /milk/ (phpMyAdmin)
 |_/billk/
/bl/
/gl/
/ppp/ (password login)
 |_/css/
      |_/css/
      |_/ajax/
 |_/img/
 |_/data/
 |_/install/
      |_/install/
 |_/temp/
      |_/stat/
      |_/options/
      |_/temp/
      |_/config/
 |_/script/
      |_/script/
 |_/ppp/
      |_/bd/
      |_/card/
      |_/bot/
      |_/priv/
      |_/del/
      |_/c2txt2c/
      |_/virustxt/
      |_/govtxt/
      |_/xls/
      |_/searchform/
      |_/convertxtodvd/
      |_/intellitxt/
      |_/1txt1/
      |_/search_txt/
      |_/pictlogotxt110x60/
      |_/1txt2/
      |_/1txt3/
      |_/login_txt/
      |_/customnews_txt/
      |_/password_txt/
      |_/robots-txt/
/ver/
/vox/
/mak/
/server-status/

3 interesting finds here. Apparently Fragus is used for administratering the bots. Screenshot of the login:

phpMyAdmin is used with only 3 languages installed (en-US, en-UK, ru-RU), screenshot below:

And the last one is a login with only a password field, screenshot below:

A complete backup of the files can be found here: http://www.sendspace.com/file/ak8q2f
But please remember everything is full of virusses, so be carefull.

I will keep updating this blog.

Update 0:18:
Pretty fast after posting this blog both IP-adresses stopped displaying any html messages. Eventhough the servers themselves are still up. Which is an indiction of them just being proxies.

Update 2:12
Discovered that these 3 domains once pointed to this same server, google has some good cache pages:
handicaptaskprint.info (Registrated 10/7/2012) 149.154.154.47
intermediatedefragger.info (Registrated 26/7/2012) Undefined
onesizefitsallnik.info (Registrated 10/7/2012) 149.154.154.47

Here we have just one ip-adres 149.154.154.47 which once hosted the domain: lertionk13.be
This domain was registrated by: Elsakov Oleg using email adress thefirstweek@yandex.ru.
The name Elsakov Oleg points to yet another domain, bank-auth.org. Which has an A record pointing to: 158.255.211.28.
These 2 domains are connected to the "Police Trojan". More details here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf

If you look closely at the files and types of malware used by this gang, you'll see everything matches. They make the same directory listing mistakes over and over, and use exactly the same files. So this can be considered their fingerprint.

The gang registrated a certificate for https://bank-auth.org on the 1-8-2012. So they are probably planning to do something valuable with the website, which is running the default installation at the time being.
Update:
Oh well, I think we pretty close to the source now.
Lets get further into investigating this bank-auth.org domain. It resolves to: 158.255.211.28.
Once we investigate this machine further this is the first thing to pop-up: Apache/2.2.16 (Debian) Server at 158.255.211.28 Port 80.
That same Apache version with Debian again. I don't know why they use this version all the time, but one thing is for sure, they don't know nothing about directory listing, so I'm mirroring their site again....
And because this time I have ALL the logs, I'll make sure the right people receive them aswell!
I will upload a mirror of the site later. The admin passwords included.


I've made an online backup of the admin panel here, with all the original data.
This could be the IP-adress of the russian owner: 188.187.144.152. Not sure though. But this 'person' is also known as Ozgur Morkan and according to it's IBAN number he's from Turkey. If we look at this page we'll see the Russian IP-adres 188.187.144.152 involved in another kind of scam, this time the owner is known as Olga: http://www.anti-scam-forum.net/showFullThread_1288628426.htm

Further investigation reveals that the https://bank-auth.org domain with its valid certificate is used for the injection of malicious code within the victims browser. Several warning messages shows the criminals are no native speaking Dutchies:

Om technische redenen, het internet bankieren dienst is tijdelijk niet beschikbaar, gelieve in te loggen in 24 uur
Since the files found on the server are all in Dutch, the Dorifel compaign can be considered a targetted campaign against The Netherlands. Its a good example of the capabilities of Citadel, which was used to spread Dorifel.

Directory listing of https://bank-auth.org:

/
/index/
/cgi-bin/
/7/
/icons/
/www/
/p/
 |_dns.php
 |_ing.php
 |_ing2.php
 |_jys.php
/ca/
 |_/admin/
/javascript/
/inc/
/abc/
 |_inc.php
 |_sig1nl
 |_sig2nl
 |_sig3
 |_waitnl
/phpmyadmin/
 |_/themes/
/ing/
 |_inc.php
 |_tan1.txt
 |_wait
 |_wait.txt
/sns/
 |_WARNING.txt
 |_inc.php
 |_sig1
 |_sig1.txt.crypt
 |_sig2
 |_sig2.txt.crypt
 |_sig3
 |_sig3.txt.crypt
 |_wait
/abn/
 |_inc.php
 |_sig1
 |_sig2
 |_sig3
 |_wait

/rabo/
 |_WARNING.txt
 |_inc.php
 |_sig1
 |_sig1.txt.crypt
 |_sig2
 |_sig2.txt.crypt
 |_sig3
 |_sig3.txt.crypt
 |_wait

index.php
7.php
www.php
inc.php
sns.php
abn.php


ps.
I've been convicted for hacking already, never tried to steel a penny though. These guys have never been convicted. For me now it's very very hard in the security industry (Banks for example, is out of the question). Yet I stay on the right side. But thats probably because I'm such a bad bad boy!