Decryption BBOSS organization: Underground controllers of over 0.12 million sites worldwide


Every day, we are confused about the world we live in, and the things that the world presents constantly exceed our cognition. Every day, we are pleasantly surprised. What surprises us is the constant new cognition, which makes us think for a short time that we seem to understand the world better. The tangle of doubt and surprise seems to be the best temptation for mankind, driving us to explore all the time. The transition from unknown to known seems to be the only way we know the world. What is always fascinating is not the unknown, but the next unknown.

1. Prologue

Do you still remember the ransomware attacks based on the TeslaCrypt variant (the "VVV" virus) at the end of 2015? The Alibaba Security Threat Intelligence Center detected a large number of these attacks arriving by email, but also found customers who had received no such email and were nevertheless hit by the ransomware. Follow-up investigation showed that these customers had been infected by visiting websites that had themselves been compromised with Trojans.

The Trojan fingerprints discovered in that investigation were then used for detection across the whole Internet, and more than 0.12 million websites with the same characteristics were found. While investigating the incident thoroughly, we noticed that the program architecture behind it had matured to an industrial level. Based on the BASE-layer and BOSS-layer naming found in the code structure, we named the group behind it the BBOSS organization.

2. Global Impact

According to network-wide monitoring data as of January 13, the BBOSS organization had been active for the preceding three months, and the number of websites under its control continued to grow. The controlled sites are located mainly in Europe and the Americas; the numbers in Asia and Africa are still relatively small but are growing.

Figure 1 BBOSS global threat situation

The hardest-hit country is the United States, with 30% of infected sites, followed by European countries. South Korea ranks first among Asian countries with 4%, while South America, Africa and Australia account for the fewest.

Figure 2 Global distribution of BBOSS threats

2.1. Affected sites and software

More than 0.12 million websites worldwide are infected. About 78% of them use an open-source CMS framework, dominated by WordPress and Joomla; WordPress alone accounts for as much as 57%.

Figure 3 Ratio of software affected by BBOSS (\N indicates no CMS software detected)

3. BBOSS Technical System

With over 0.12 million websites under its control, the technical system behind BBOSS is also extremely well developed. The organization uses a multi-layer architecture for more efficient control and concealment, and has by now built the ability to control a super-large cluster of zombie (bot) websites.

Figure 4 BBOSS technical system

The BBOSS technical system has roughly four layers: the JS layer, the BASE layer, the KEEPER layer and the BOSS layer. Each layer of bots has a clear division of labor, and the layers work closely together. The JS layer is the set of sites that users visit directly; JS embedded in their pages constructs a request that forwards traffic to the BASE layer. The BASE layer requests commands from the BOSS layer; after verification, the BOSS layer returns attack commands according to the attacks currently under way, and the BASE layer delivers them to the users. Meanwhile, the KEEPER layer periodically checks liveness, adds, deletes and modifies JS-layer and BASE-layer sites, and exploits vulnerabilities.

Figure 5 Relationship between the BBOSS layers

3.1. JS Layer Analysis

About 0.1 million websites worldwide are infected at the JS layer. About 85% of them use an open-source CMS framework, with WordPress accounting for 63% and Joomla for 10%.

Figure 6 CMS ratio of JS-layer sites (\N indicates no CMS software detected)

We have also compared our data with the report "Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised" published by Palo Alto Networks; only 11863 domain names match. These websites have weak passwords or common vulnerabilities and are easy to break into, which is consistent with the various kinds of webshells found on them in this incident.

Figure 7 One of the JS-layer webshells

A JS-layer website is infected by embedding malicious JS in the framework's head PHP file, so that the script is included on every page of the site. On WordPress sites the webshell mainly inserts it into the theme file /wp-content/themes/twentyfourteen/header.php, while on Joomla sites the insertion point is mainly /libraries/joomla/document/html/renderer/head.php.

Figure 8 Modified header.php

The malicious JS code is shown below. It extracts the title, referer and host of the current page, constructs a request from them, and sends it to the jquery.min.php file on a BASE-layer domain.

Figure 9 Malicious code at the JS layer

The KEEPER layer occasionally updates the header.php of JS-layer sites to re-implant the JS. Testing shows that it has some anti-analysis capability: when we simulated a JS-layer site issuing requests to a BASE-layer site and the traffic was detected as a simulated test, the malicious JS implanted on that JS-layer site was temporarily cleared for several days.

3.2. BASE Layer Analysis

Like the JS layer, the BASE layer consists of a large number of sites under intrusion control, and the number of BASE-layer infections is roughly equal to the number of JS-layer infections. Unlike the JS layer, the sites in this layer are no longer dominated by CMS software: 85% of them use no CMS, and very few are in China. These sites run mainly IIS and Apache, with a small number on Nginx.

Figure 10 BASE-layer site CMS ratio

We can see that earlier campaigns implanted the malicious payload directly at this layer, but BBOSS does not: the BASE layer is still only a stepping stone. The characteristic sign of a compromised BASE-layer site is two files placed in its js directory, js/jquery.min.php and js/jquery-1.9.1.min.php. The names are chosen to mislead, so that a casual observer mistakes them for the legitimate jQuery libraries jquery.min.js and jquery-1.9.1.min.js.

Figure 11 BASE-layer malicious samples

As shown in the figure below, we take the jquery.min.php sample and unveil its workings. The code is encrypted and obfuscated; after decryption we can see that it wraps a BossAPI class, which communicates with the C&C servers at the back-end BOSS layer and parses their responses.

Figure 12 BossAPI class

The main program has three branches. If the GET request carries no parameters, it constructs a random page path under the same domain name, requests that page, and returns the resulting 404.

Figure 13 Handling of an empty GET request

The c_utm branch receives the requests constructed by the JS layer and randomly forwards each one to one of the four C&C servers on the BOSS layer, which issue malicious commands based on the parameters in the request.

Figure 14 c_utm branch

The pi branch mainly receives traffic from the KEEPER layer and forwards it to the BOSS-layer C&C for verification, which determines whether the BASE-layer site is still alive and whether it has been forged.

Figure 15 pi branch

At the same time, we found that communication between the BASE layer and the BOSS layer also employs a certain anti-investigation strategy. The code also ships an XOR encryption/decryption class, but the main program does not currently use it.

3.3. BOSS Layer Analysis

Unlike the two layers above, the number of infected machines at the BOSS layer is much smaller. So far, by analyzing multiple jquery.min.php and jquery-1.9.1.min.php samples collected from the BASE layer, we have obtained four active BOSS-layer C&C IP addresses and one idle IP. The recent traffic trends of these five IP addresses are as follows:

Figure 16 Traffic trends at the BOSS layer

Interestingly, these five IP addresses belong to five different countries: the United States, Russia, Lithuania, France and Indonesia. These independent IP addresses were themselves compromised. According to our data, in November 2015 they appeared in the VVV ransomware attack and in some malicious promotion campaigns.

Figure 17 Malicious JS issued by the BOSS layer

The BOSS layer issues an attack command only when an attack is required; otherwise it usually just returns a redirect to the Google homepage.

Figure 18 Normal redirect from the BOSS layer

3.4. KEEPER Layer Analysis

In addition to the layers above, the BBOSS technical architecture also has a KEEPER layer. So far, multiple KEEPER-layer IP addresses have been found, again distributed across different countries. The bots in this layer are mainly used to probe the webshells on the JS layer and to add, delete and modify the malicious JS content there, and to probe the webshells, jquery.min.php and jquery-1.9.1.min.php on the BASE layer. A series of intrusion behaviors accompanies this activity: brute-force attacks on the JS-layer websites' admin back ends, weak-password cracking, plug-in vulnerability exploitation, back-end upload of backdoored plug-ins, and so on. We analyzed the most active KEEPER-layer IP address, 85.**.**.78 in the UAE. Its traffic trends are as follows:

Figure 19 Traffic trend of a Zombie Keeper

It can be seen that this Zombie Keeper does not work every day: it takes periodic rests, and the intervals between rests differ. We therefore assume that the Keeper is started manually by the attacker rather than on a fixed schedule. During the period 1226-1229 its activity was even suspended for four days. At the same time, its request trend towards the JS layer is basically the same as that towards the BASE layer.

Figure 20 Analysis of a Zombie Keeper's active-time matrix

The time matrix above is drawn from the Zombie Keeper's daily active time in the last month. The horizontal axis is the date and the vertical axis is the hour, and the data from the different days is overlaid onto a single day: the more days on which a given hour shows activity, the deeper the color. From this it can be inferred that the attacker's daily peak of activity runs from roughly the same hour each day through into the next day. The attacker is evidently not in the UTC/GMT+8 time zone. After repeatedly shifting the time zone to fit the data, we found that with UTC/GMT-5 not only does the most active period match a normal working schedule, but all the other data is surprisingly consistent as well.

Figure 21 UTC/GMT-5 time zone

This also explains the Zombie Keeper's pause during 1226-1229 noted above: in the UTC/GMT-5 time zone this corresponds to 1225-1228, which may well have been the attacker's Christmas vacation.
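The time-zone inference described above can be reproduced on your own bot traffic. The following is an added example written for this page, not code from the report or from Alibaba: it overlays each day's activity onto a 24-hour histogram (counting, for every hour, how many distinct days show activity, as the matrix in Figure 20 does), then shifts the clock through every candidate UTC offset and scores how well the longest quiet period lines up with a sleeping window. The request timestamps are constructed, and the 00:00-08:00 sleeping window is a heuristic assumption of this example.

```python
"""Added example: infer an operator's likely UTC offset from bot request timestamps.

Not from the report. The timestamps below are constructed to mimic a Keeper that is
active roughly 13:00-04:59 UTC every day; the 00:00-08:00 local 'sleep window' used
for scoring is a heuristic assumption.
"""
from datetime import datetime, timedelta

# Constructed request timestamps (UTC): seven days, one request in each active hour.
ACTIVE_UTC_HOURS = list(range(13, 24)) + list(range(0, 5))  # quiet 05:00-12:59 UTC
SAMPLE_TIMESTAMPS = [
    datetime(2015, 12, 10, 0, 17) + timedelta(days=d, hours=h)
    for d in range(7)
    for h in ACTIVE_UTC_HOURS
]


def day_count_histogram(timestamps, utc_offset_hours):
    """Overlay all days onto one: for each local hour, the number of distinct days with activity."""
    days_per_hour = [set() for _ in range(24)]
    for ts in timestamps:
        local = ts + timedelta(hours=utc_offset_hours)
        days_per_hour[local.hour].add(local.date())
    return [len(days) for days in days_per_hour]


def longest_quiet_run(hist):
    """Longest circular run of hours with zero activity, as (start_hour, length)."""
    if all(v == 0 for v in hist):
        return (0, 24)
    best = (0, 0)
    for start in range(24):
        # A run can only begin right after an active hour.
        if hist[start] != 0 or hist[(start - 1) % 24] == 0:
            continue
        length = 0
        while length < 24 and hist[(start + length) % 24] == 0:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best


def quiet_outside_sleep(hist, sleep=(0, 8)):
    """How many quiet hours fall outside the assumed sleep window [sleep[0], sleep[1])."""
    start, length = longest_quiet_run(hist)
    quiet_hours = [(start + i) % 24 for i in range(length)]
    return sum(1 for h in quiet_hours if not (sleep[0] <= h < sleep[1]))


def rank_offsets(timestamps, offsets=range(-12, 15), sleep=(0, 8)):
    """Score each candidate UTC offset; lower score means the quiet period fits the sleep window better."""
    scored = [(quiet_outside_sleep(day_count_histogram(timestamps, off), sleep), off) for off in offsets]
    return sorted(scored)


def best_offset(timestamps):
    """The best-fitting UTC offset (ties broken towards the smaller offset)."""
    return rank_offsets(timestamps)[0][1]


def render_matrix(hist):
    """Text rendering of the overlaid day: one row per local hour, one '#' per active day."""
    return "\n".join("%02d:00 %s" % (hour, "#" * count) for hour, count in enumerate(hist))


if __name__ == "__main__":
    offset = best_offset(SAMPLE_TIMESTAMPS)
    print("best-fitting offset: UTC%+d" % offset)
    print(render_matrix(day_count_histogram(SAMPLE_TIMESTAMPS, offset)))
```

Run it with real timestamps by replacing SAMPLE_TIMESTAMPS with the parsed request times of one bot IP. Because the score only measures the quiet period, adjacent offsets often tie on sparse data; treat the result as a hypothesis to confirm against other evidence (as the report does with the 1226-1229 pause), not as a proof of location.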

4. Self-Check Method

1. Check whether the front-end pages contain injected JS of the type shown above, or other abnormal JS code;

2. Check whether the back-end source code has been modified, especially the framework files named above;

3. Check whether abnormal source files have been added to the back end, in particular a js directory containing jquery.min.php;

4. Check whether the website access logs show abnormal access such as brute-force login attempts.
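The four self-checks above can be scripted. The following is an added example written for this page, not code from the report: it looks for the three kinds of evidence the report describes on a WordPress or Joomla install, namely PHP files hiding in a js directory (the BASE-layer jquery.min.php pattern), a <script> tag in the named framework files that loads its source from a .php file (the JS-layer injection pattern) or calls common obfuscation helpers, and repeated POSTs to the login endpoints in the access log (brute-force attempts). The site tree it builds and the log lines it parses are constructed for the example; the login paths, threshold and obfuscation-function list are assumptions to tune for your own site.

```python
"""Added self-check helper (not from the report) for the artefacts it describes.

The sample site layout and log lines are constructed for this example.
"""
import os
import re
import tempfile
from collections import Counter

# Framework files the report names as injection points (relative to the site root).
FRAMEWORK_FILES = [
    "wp-content/themes/twentyfourteen/header.php",       # WordPress theme header
    "libraries/joomla/document/html/renderer/head.php",  # Joomla head renderer
]
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# Assumed list of helpers commonly used to hide injected code.
OBFUSCATION_RE = re.compile(r'\b(eval|base64_decode|gzinflate|str_rot13)\s*\(', re.I)
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")  # assumed login endpoints
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_php_masquerading_as_js(root):
    """Return .php files that live in a directory named 'js' (e.g. js/jquery.min.php)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != "js":
            continue
        hits.extend(os.path.relpath(os.path.join(dirpath, f), root)
                    for f in files if f.lower().endswith(".php"))
    return sorted(hits)


def find_injected_scripts(root):
    """Flag framework files whose <script src> points at a .php file or that call obfuscation helpers."""
    findings = []
    for rel in FRAMEWORK_FILES:
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for src in SCRIPT_SRC_RE.findall(text):
            if src.split("?", 1)[0].lower().endswith(".php"):
                findings.append((rel, "script loaded from PHP: " + src))
        if OBFUSCATION_RE.search(text):
            findings.append((rel, "obfuscation helper call present"))
    return findings


def find_login_bruteforce(log_lines, threshold=20):
    """Count POSTs to login endpoints per client IP; return the IPs at or above the threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?", 1)[0] in LOGIN_PATHS:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_sample_site():
    """Create a constructed WordPress-like tree showing the artefacts the report describes."""
    root = tempfile.mkdtemp(prefix="bboss_selfcheck_")
    header = os.path.join(root, FRAMEWORK_FILES[0])
    os.makedirs(os.path.dirname(header))
    with open(header, "w") as fh:
        fh.write('<?php wp_head(); ?>\n'
                 # Constructed injected tag: source URL is a placeholder, not a real domain.
                 '<script src="http://base-layer.example/js/jquery.min.php?t=x"></script>\n')
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "js", "jquery.min.php"), "w") as fh:
        fh.write("<?php /* constructed placeholder standing in for the BASE-layer file */ ?>\n")
    with open(os.path.join(root, "js", "jquery-1.9.1.min.js"), "w") as fh:
        fh.write("/* legitimate library, should not be flagged */\n")
    return root


# Constructed access-log lines (Apache combined format): 25 login POSTs from one IP, normal traffic from another.
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Jan/2016:03:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1234' % s
     for s in range(25)]
    + ['198.51.100.9 - - [10/Jan/2016:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 5678',
       '198.51.100.9 - - [10/Jan/2016:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
)


if __name__ == "__main__":
    site = build_sample_site()
    print("PHP in js/:", find_php_masquerading_as_js(site))
    print("injected scripts:", find_injected_scripts(site))
    print("brute-force sources:", find_login_bruteforce(SAMPLE_LOG))
```

Point the three find_* functions at the real document root and access log rather than the sample. A hit from find_php_masquerading_as_js is the strongest signal, since a legitimate site has no reason to serve PHP from its js directory; the script-source and log checks produce occasional false positives and should be read together with the file modification times.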

5. Repair suggestions

1. Check for suspicious newly created users and change the site passwords;

2. Remove newly added or modified suspicious code;

3. Remove unused plug-ins and upgrade the CMS and third-party plug-ins to the latest version;

4. Add security protection measures such as brute-force prevention and a WAF.

6. Summary

Based on the above analysis and data, we found that BBOSS has the following characteristics:

1. Over 0.12 million sites are controlled, with global reach;

2. The technical architecture is highly mature: its multi-level hierarchy makes it easier to control and to hide, and it shows a strong awareness of attack-and-defense confrontation;

3. Its business is flexible, highly configurable, and occasionally updated;

4. The scope of harm is extremely large, affecting tens of millions of Internet users.
