Some months ago I had the feeling that, probably, some social networks like Facebook or Twitter would be a good source to find both malware & spam and, as so, I decided to write a quick honeypot to try to catch as much malware & spam as possible as soon as they become available on the internet. You can find the daily updated files of URLs gathered by this tool here, under the section “Malicious URLs”.
It’s been a while since I started writing, as a personal ‘research’ project, a tool to automatically find bugs (that could lead to vulnerabilities) performing static code analysis and, even when it will take a very long while until I have something decent to release to the general public, I have some -I hope interesting- thoughts about the tool I’m writing: Fugue.
This tool uses CLang as the parser (as I do not have a rich uncle to get a license for EDG) and everything else is being written in Python: the translator to convert the CLang AST to my internal representation, the translator to convert other tools generated ASTs to that internal representation, the builder of the CFG, the SSA code generator, etc… Its in the very early stages at the moment but, more or less, it works for writing very simple scanners, as in the following example.
Some time ago a friend asked in a private mailing list about possible ways to embed a shellcode in one executable file (PE) and ways to bypass AV detection. I recommended him to use any Windows supplied PE file (or any other ‘goodware’ PE file) and patching some “always called function” with the shellcode. It turned out to be one of the many possible AV evasion techniques that seems to work in many cases. The unique problem was that there is no tool to do this, so I decided to write one tool (based on Pyew) for doing this task.
Some time ago a friend and I were talking about how to create a tool to compare a set of malware samples and extract the binary patterns matched in all or most of the samples. Searching for diffing algorithms I found out some very interesting books on the matter like “O(ND) Difference Algorithm and its Variations” and many utility libraries for diffing like Google Diff Match Patch. Finally, I decided to write a test tool using this library and ended up with an automatic Yara signatures generator.
Today I received a notification about an automated attack against this blog. Nothing new, however, I was curious about how it exactly works and decided to take a brief look to the attack to answer various questions:
- What vulnerability is this exploiting? Am I vulnerable?
- What does the payload?
- Is this an automated attack or a manually launched one?
The attack in the logs
Since I installed mute screamer plugin for WordPress I receive regularly attack alerts (mainly about spamming). The one I received today was a bit different. In the generated log file the following line appears:
So, this is an exploit for a PHP code injection vulnerability in “engine.php”. A quick search of the vulnerability revealed this: WordPress is_human() Plugin Remote Command Injection Vulnerability. Fortunately, I don’t have this plugin installed so I already answered the first 2 questions. Time to answer the next one: what the payload does?