360 Security Guard · 2016/02/26 14:11
Author: 360 Tianyan Security Lab
0x00 Preface
Man is doing, Heaven is watching.
The underground is lawless, governed by the law of the jungle. Without the protection and oversight of a coercive third party, two extremes appear in that circle: those who want to do big business tend to value their reputation, while those who just want a quick buck cheat without scruple.
In mid-December 2015, 360 Tianyan Security Lab published "A Preliminary Exploration of Black SEO", part of its "Little Blackhats Revealed" series. It briefly exposed black-SEO activity on the network and also mentioned many backdoored hacking tools, including some in very wide use. Yes, this time our protagonist is the most popular of them all: the Chinese kitchen knife (China Chopper).
0x01 The Chinese Kitchen Knife (China Chopper)
A cleaver is a kitchen tool for chopping, but it can also be used to cut people. The same is true of China Chopper, an excellent multi-language WebShell manager that can be used for legitimate website management as well as for illegally controlling other people's websites. Its author is said to be a former soldier. Someone in China wrote a brief review of it, published on Guizai's Blog [1], and FireEye [2] published a detailed analysis abroad.
A few days after caidao-20141213 was released (www.maicaidao.com/caidao-2014…), the download was withdrawn and the site was shut down (the domain's IP was at one point pointed at GOOGLE.COM). The shutdown may have been triggered by an article on FreeBuf [3] titled "Powerful website management software: Chinese kitchen knife 20141213 new release". Although the China Chopper website has long been closed, a good thing has a life of its own. In a sense the Chinese kitchen knife is already a brand, or in today's fashionable terms an IP, so official support no longer matters: someone will always spread and maintain it, and of course that includes the bootleg versions that come with a back door.
0x02 Sample Analysis
Many people have already written about Chinese kitchen knife backdoors, and this article does not intend to repeat them; what follows is mainly a brief analysis of the "db.tmp" style of backdoor.
Analysis of a large number of collected samples shows that these backdoored Chinese kitchen knives bypass web security protection software such as "Safe Dog" by modifying some signatures of the original version, and at the same time modify the PE import table to pull in a dynamic-link backdoor module. To avoid the user noticing, the backdoor is disguised as a temporary database file, "db.tmp", since the default database file of the Chinese kitchen knife is "db.mdb".
Caidao.exe file MD5: baad97c73aee0207e608c46d0941d28b
Summarising and analysing the db.tmp files: the PE timestamp is forged, so the files cannot be classified by that attribute. By file size there are roughly two versions, an early 32K version and an improved 36K version. The two versions behave similarly and are written in VB6. Binary comparison confirms that files of the same version have the same size but different backdoor addresses, so they were probably produced by a template generator.
Disassembly of db.tmp shows that the backdoored kitchen knife hides from packet-capture software: when any of the following processes is found running on the system, the backdoor does not act, so that it can escape possible monitoring.
WSockExpert_cn.exe, WSockExpert.exe, CHKenCap.exe, SmartSniff.exe, hookME.exe, NetworkTrafficView.exe, smsniff.exe, tcpmon.exe, HttpAnalyzerStdV6.exe, Csnas.exe, Wireshark.exe
The backdoor loops over the SiteUrl values in the MDB database, skipping "http://www.maicaidao.com/" (to exclude the sample entry that the Chinese kitchen knife generates by default), then reads the SitePass, nCodePage and Config fields for each entry. Finally it splices these together with the backdoor address configured in the program, "http://cd.myth321.com/index.asp | | | | | | | |", and sends the data off, completing the upload of the WebShell information.
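As an added example (not code from the article or from 360), a static triage script that applies the indicators described above to a downloaded caidao.exe or its companion module: the MD5s quoted in the article, an import-table entry disguised as db.tmp or jsc.dat, and the embedded list of sniffer process names. The verdict thresholds and the regex heuristic are my assumptions, and the inputs used in testing are constructed.

```python
import hashlib
import re

# Indicators quoted in the article body: two backdoored builds and the
# suspected test sample. A real deployment would load the whole appendix.
KNOWN_BAD_MD5 = {
    "baad97c73aee0207e608c46d0941d28b",  # caidao.exe with db.tmp backdoor
    "5bb4f15f29c613eff7d8f86b7bcc94c1",  # Xise build with jsc.dat backdoor
    "fe2a29ac3cae173916be42db7f2f91ef",  # suspected test sample
}
# Backdoor modules named to look like database temp files (from the article).
DISGUISED_MODULES = ("db.tmp", "jsc.dat")
# Sniffer processes the db.tmp backdoor looks for before acting (article's
# list); a clean WebShell manager has no reason to embed these names.
SNIFFER_NAMES = ("WSockExpert_cn.exe", "WSockExpert.exe", "CHKenCap.exe",
                 "SmartSniff.exe", "hookME.exe", "NetworkTrafficView.exe",
                 "smsniff.exe", "tcpmon.exe", "HttpAnalyzerStdV6.exe",
                 "Csnas.exe", "Wireshark.exe")
# Import-table module names are NUL-terminated ASCII; flag any whose
# extension is a data-file extension rather than .dll (e.g. db.tmp).
# Heuristic (assumption): it does not walk the PE import directory itself.
ODD_IMPORT_RE = re.compile(rb"\x00([A-Za-z0-9_\-]{1,32}\.(?:tmp|dat|db))\x00",
                           re.IGNORECASE)


def contains_string(data: bytes, s: str) -> bool:
    """Case-insensitive search for s as ASCII and as UTF-16LE (VB6 keeps
    string literals as UTF-16LE, while import names are ASCII)."""
    low, needle = data.lower(), s.lower()
    return needle.encode() in low or needle.encode("utf-16-le") in low


def odd_imports(data: bytes) -> list:
    """Import-style module names that do not end in .dll, deduplicated."""
    return sorted({m.group(1).decode().lower() for m in ODD_IMPORT_RE.finditer(data)})


def triage(data: bytes) -> dict:
    """Static triage of a candidate caidao.exe image. A hash match or a
    disguised import is conclusive; other indicators only raise suspicion."""
    md5 = hashlib.md5(data).hexdigest()
    hits = []
    if md5 in KNOWN_BAD_MD5:
        hits.append("md5 matches a known backdoored build")
    if data[:2] != b"MZ":
        hits.append("no MZ header: not a PE image")
    for name in odd_imports(data):
        kind = "disguised" if name in DISGUISED_MODULES else "non-dll"
        hits.append(f"{kind} import module: {name}")
    sniffers = [n for n in SNIFFER_NAMES if contains_string(data, n)]
    if sniffers:
        hits.append(f"embeds {len(sniffers)} sniffer process names")
    if md5 in KNOWN_BAD_MD5 or any(h.startswith("disguised") for h in hits):
        verdict = "backdoored"
    else:
        verdict = "suspicious" if hits else "clean-by-heuristics"
    return {"md5": md5, "hits": hits, "verdict": verdict}
```

Run triage() over the bytes of caidao.exe and of any db.tmp or jsc.dat sitting next to it; the companion module is where the sniffer-name list lives.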
0x03 Distribution Channels
Technically there is not much to say about the sample itself; what really guarantees its effectiveness is the distribution method, which decides how much the backdoor trader finally harvests. Here are some of the channels we identified:
1. SEO
With a large number of WebShells in hand, the operators of the backdoored kitchen knife can easily use them to push their own websites to a good position in search results. On the first page of results from one search engine, besides the promoted link in first place, the second and third results are fake official websites pushed up by SEO.
The fake official website domain names we found are listed below. Using 360's big data we counted their PV/UV traffic for the ten days from December 7 to 16, 2015. The data shows that the SEO did have some effect.
2. Buying search engine keywords
Do you still remember that at the beginning of 2012 someone bought search-engine keywords for SSH tools such as putty, winscp and SSHSecure, so that many people clicked the promoted link, landed on a so-called Chinese-language site, and downloaded and ran a Chinese version of the tool that contained a backdoor? That backdoor uploaded the server's IP address, port, username and password to the website "L.IP-163.com". After the incident was exposed, white hats found that thousands of people had been affected, including employees of some multinational companies. For a tool as popular as the "Chinese kitchen knife", if SEO does not work well enough, buying search-engine keywords is an ideal and efficient way to promote it. A simple test showed that these backdoored "Chinese kitchen knives" had bought at least the following three keywords on one search engine: "dog kitchen knife", "Chinese kitchen knife" and "XISE".
3. Publishing through hacker forums
Many forums and hacker groups have a tradition of collecting and distributing hacking tools, a favourite of script kiddies. Tracing the origin of these backdoored Chinese kitchen knives, many were spread through hacker toolkits; we compiled an incomplete list of backdoored Chinese kitchen knives that were added, deliberately or accidentally, to such tool collections.
4. Spreading through QQ groups, forums and other closed circles
Many hackers grow up either by watching other people's tutorials and learning from them, or by having an "old driver" (a veteran) lead the way or even teach them hands-on. In the process such people always form a circle somewhere, whether a QQ group or a forum, paid or free. But these circles are not necessarily pure, and the old drivers may be half-baked or may slip a backdoor in along the way. We found that many of the toolkits bundled with tutorials also carry backdoors. Here are a few examples:
0x04 Behind the Chinese Kitchen Knife
Website security overview
The distribution channels show how popular the "Chinese kitchen knife" is in China, and that popularity is linked to the security of domestic websites. Let's look at the data in the 2015 China Website Security Report [4]:
Because so many websites have vulnerabilities, a whole range of automated vulnerability scanning and intrusion tools exists. Using the Chinese kitchen knife to manage these WebShells in batches, the black-hats can happily carry out malicious SEO, plant black links, plant black pages and other activities.
- Malicious SEO: a malicious SEO backdoor loads malicious SEO code on the site's server, so that a legitimate domain name is used for search engine optimisation or to lure visitors into fraud.
- Black links: tampering with the page data of the original website to implant visible or invisible page elements, in order to achieve malicious (black hat) SEO.
- Black pages: phishing through the site by tampering with or adding pages to the original website. The picture below shows a fraudulent page disguised as an "online game trading portal" implanted in a legitimate website.
By reverse-analysing the backdoor of the Chinese kitchen knife, several typical backdoor "box" links (the collection sites where stolen WebShell records are dropped) were extracted from the samples, so obtaining these boxes was quite simple, and the statistics are astonishing. The data are as follows:
Take the backdoor address "c.qsmyy.com" as an example: 639 backdoor boxes were downloaded, containing 67,864 WebShells in total. After deduplication 24,111 remain, an average of 38 WebShells per box, and the newer the box date, the higher the probability that a WebShell can still be accessed.
The backdoor address "www.cnxiseweb.com" is even more frightening. Its backdoor box data is processed every day, so we could only download the data of a few hours of a single day, yet those few hours already held 321 WebShells, 317 of them after deduplication. All of this reflects the basic security situation of domestic websites.
Tracing the counterfeit websites
Anyone who has read previous 360 Tianyan Security Lab articles knows that the technical analysis and statistics are mostly just the appetiser; the main course comes afterwards. Let's chase the traders of the kitchen knife backdoor.
www.maicaidao.co phishing site trace
http://www.maicaidao.co is one of the sites impersonating the kitchen knife website (www.maicaidao.com). The chopper download it offers (http://www.maicaidao.co/FileRecv/20141018.zip) carries the db.tmp backdoor and, to make reverse analysis harder, is also packed and protected with VMProtect.
From the public WHOIS information, [email protected]; the same email address is also registered to the domain name "maicaidao.me". Friends in the security circle will not find this mailbox unfamiliar: its owner is a member of a certain SEC organisation. We will say no more; those interested can dig for themselves.
www.maicaidao.cc phishing site trace
The phishing site www.maicaidao.cc can no longer be opened because its domain has expired, but it was spread widely over the past year. A WHOIS query shows the webmaster's email is [email protected].
Through the QQ-group relationship social-engineering database we can see the following information.
And in the QQ account's photo album we can also see the screenshots of intruded websites that he shows off.
Of course, his QQ space also has personal life and study photos.
The photos show that he studied at the Guangzhou-based Transwisdom Podcast. Searching for the QQ number found that it is also used for WeChat, which basically confirms the QQ number as his main account.
We stop the social-engineering there and close the summary of the phishing site www.maicaidao.cc with a graph from the Tianyan visual association platform.
guogoucaidao.com phishing site trace
http://www.guogoucaidao.com mainly phishes with "the latest page-dog chopper, the current latest version V3.4.09060 Safe Dog!". The second phishing post (http://www.guogoucaidao.com/?post=2) offers the so-called dog chopper download link (http://www.guogoucaidao.com/content/uploadfile/201509/1cae1 Rar), but the Chinese kitchen knife behind this link contains a backdoor; analysis shows the backdoor address is S.anylm.com.
The WHOIS information gives [email protected]; the QQ number 1296444813 has many records in search engines, including the identity of the "Shadow Alliance" webmaster, and the backdoor address s.anylm.com is exactly the pinyin abbreviation of Shadow Alliance.
Through Baidu Tieba we can see his ID "Selling brush-drilling platform OK". Under this ID he follows many tieba forums, several of which he created himself, and he has acted as a supplier for a card alliance. The search engine also turns up related information on the Shadow Card Alliance.
In a social-engineering database we found the email address [email protected] and a password behind the QQ number, which leads to more ID information.
An order record for "Hacker Attack and Defence: From Beginner to Advanced (with complimentary DVD-ROM)" was found in an online store.
Through the phone number 132****5891 his real-name Alipay account can be found.
Well, we will not go any deeper; those interested can continue to dig. The trail ends with a graph from the Tianyan visual association platform.
tophack.net phishing site trace
While analysing a server with backdoor address IP 43.249.11.189, the following three download addresses of backdoored Chinese kitchen knives were collected:
- 1pl38.com/chopper.zip
- tophack.net/chopper.zip
- aspmuma.net/chopper.zip
The WHOIS information for tophack.net shows the webmaster's QQ number is 595845736, with the following information:
A rather high-profile small-time hacker, he still keeps screenshots of website intrusions in his QQ space.
A search engine turns up many negative comments about this QQ number.
The information shows that the owner of the QQ account has been engaged in illegal black-industry transactions since 2011, with a high profile and a bad reputation. His QQ signature shows that he is currently running the "Hongfa chess and cards" online gambling platform.
Promoting chess-and-card games is also inseparable from SEO, and in one search engine's results "Hongfa chess" ranks relatively high.
Through websiteinformer.com, the fake kitchen knife official website can be found as early as July 2012.
A WHOIS query shows the other domain names corresponding to the QQ mailbox below.
A reverse lookup on the domain registrant gives the following domain names.
Looking through the domain names, they are basically all related to the black industry and hacking.
www.caidaomei.com phishing site trace
The main page of www.caidaomei.com offers "the latest Xise kitchen knife parasite cracked VIP version (dog-bypassing)", "the red version of the Chinese kitchen knife (20141213), officially released dog-bypassing red kitchen knife", "the latest powerful anti-AV ASP Trojan, the undying zombie Trojan" and "the latest dog kitchen knife download", but analysis shows that all WebShell management tools on the site carry backdoors. For example, the "Xise kitchen knife parasite cracked version" has a "jsc.dat" backdoor: because the default database file of the "Xise kitchen knife" is named "jsc.mdb", the disguise is the same as the Chinese kitchen knife's "db.tmp" backdoor.
File MD5: 5bb4f15f29c613eff7d8f86b7bcc94c1
Not only that, the number of boxes behind this site's kitchen knife backdoor is also considerable. We extracted 194 boxes from the backdoor address, 75,166 WebShells in total and 18,613 after deduplication, an average of 96 WebShells per box.
While analysing the samples we found a special one (fe2a29ac3cae173916be42db7f2f91ef), suspected to be a test build.
A WHOIS query shows the webmaster QQ of demo.heimaoboke.com is 408888540.
Through a search engine, QQ 408888540's blog space on NetEase Lofter can be found; it contains a large number of introductions to the Xise kitchen knife and black hat SEO.
The posts advertise WebShell boxes (kitchen knife backdoors) that can be customised on demand with corresponding after-sales technical support; whether this so-called backdoor itself has a backdoor, who knows.
The QQ ID information is shown below.
Entering his QQ space, one can see screenshots of the results of his black hat SEO cases.
Through a search engine his shares on Baidu Netdisk can be found.
There is a private share, but without the extraction code there is no way to know what file is being shared.
Since this QQ number is a secondary account, there is no more social-engineering information, so we stop here and finish the trace with a relationship diagram from the Tianyan visual association platform.
0x05 Closing
Having said so much about the Chinese kitchen knife and its backdoors, it all comes down to one word: "profit". Some people, to get more traffic for their own websites, do not hesitate to break into other websites and use illegal means to improve their ranking and traffic. This article was dug up, summarised, sorted, re-dug, re-assembled and re-organised over several months; owing to other priorities and the Lunar New Year, it is finally published today. Once again, 360 Tianyan Security Lab will release a weightier report next; please stay tuned. In addition, 360 Tianyan Security Lab is hiring: we need a solid foundation in binary reverse analysis, ideally with malicious code analysis experience, and we also need backend developers familiar with big data platforms who can quickly build data pipelines on existing frameworks. Contact: [email protected]. The lab's data will give you a different horizon.
0x06 Appendix
The collected data below (sample MD5 hashes and backdoor addresses) can be used as IOCs.
0x07 Related reading
- [1] A brief review of a hacker's sharp weapon: the Chinese kitchen knife (Guizai's Blog)
- [2] Breaking Down the China Chopper Web Shell, Part I and Part II (FireEye)
- [3] Powerful website management software: Chinese kitchen knife 20141213 new version released (FreeBuf)
- [4] 2015 China Website Security Report