Montag, 20. Juli 2015

A two stage compromise attack

I am pretty sure you have read the blog post for the php code execution attack.

If you want to read the full data of my analyse I would like to point you to the pdf on this attack
https://drive.google.com/file/d/0B9asJlVwm-MObnluUUJoVzdQYkk/view?usp=sharing

But now to the other side of the story. By using my other/old honeypot I had not the feature of succesful attacks. Means, they always respond in two ways
  • Random Data (like artillery)
  • unsuccessful "40x" (like Beeswarm and Apache)
So, my software was designed to respond with "200 OK" for each data received. The basic idea was, well, I need to respond with something and "200 OK" made the most sense. So, as by this design I may have found a real benefit I was not aware of.

Two stage compromise attacks

 The attack described within the other post had two stages.
  1. PHP related encoded url
  2. PHP system() call to download and execute the malicous code
I am currently sure that the stage two would not had happen if I had not responded with "200 OK" to the first attack. So attack design is a very is IF...THAN attack.

Stage 1, is only used to find a target which is vulnerable. So I do not spread my code into the wild, or the hand of a researcher without being sure it would work.
 A good indicator for this theory is, that although the malware was written in 2008 and repacked in 2014, many Anti-Virus solutions does not detect it and even Virustotal does not report the download side as malicous.