Tuesday, July 28, 2015

Learn What Milw0rm Backdoor Malware Can Do With Your System


Background

Like most of our posts, this one is based on a recent malware investigation and clean-up of an infected website. It shows what tools a backdoor, in this case milw0rm, gives attackers once it has been planted on a compromised website.

The backdoor is hard to find because its code is heavily obfuscated and because it is reached through its own URL rather than through the site's normal pages, so it sidesteps the site's authentication entirely and gives the attacker remote access to the server. From that moment on, an attacker can use your system without being detected. If you think you've been infected by a backdoor or any other malware, feel free to reach out to us at https://helpdesk.quttera.com

Milw0rm Backdoor Capabilities

Below is a list of actions that attackers can perform without your consent.

  • Server information gathering
    • OS
    • PHP version
    • Harddisk
    • Server IP
    • Client IP
Milw0rm backdoor. View the security information 

  • File tools
    • Change directory
    • Make directory
    • Execute file
    • Upload file
    • Compress/ un-compress file (zip)
Milw0rm backdoor. File tools/ Compress/ un-compress file

  • Console
    • List directory
    • Show active connections
    • IP configuration
    • ARP table
Milw0rm backdoor. Console.

  • SQL browser
  • Execute PHP code
  • Safe mode bypass
    • Read file
    • List directory
    • Curl
    • Ini restore
  • String tools
    • String conversion
Milw0rm backdoor. String tools/ conversion.
    • Search text in files
    • Search for hash
  • FTP bruteforce
  • Network tools
    • Bind a port to /bin/sh (bind shell)
    • Back-connect (reverse shell to an attacker-chosen host and port)
  • Self remove
    • Remove the backdoor shell
  • View all the security information of the server
    • Server software
    • Disabled PHP functions
    • cURL support
    • User account names
Needless to say, with this level of access to and control over the website and server, the attacker can upload further malicious code. At this stage the choice is very broad: email spammers, Distributed Denial of Service (DDoS) tools, fake login pages for phishing, and so on.
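A practical way to look for a shell like this on a compromised site is to scan the PHP files for the traits the list above describes. The Python scanner below is an added example, not code from the original post or from Quttera: it peels the layered eval(gzinflate(base64_decode('...'))) wrapping that such shells typically ship in, then scores the exposed source against indicators drawn from the capability list (command execution, sockets for the bind/back-connect shells, ini_restore/safe_mode references, ftp_login() for the brute-forcer, unlink(__FILE__) for self-removal). The indicator table, the weights, the threshold and the sample shell the script builds for itself are all assumptions made for this example.

```python
"""Indicator scanner for obfuscated PHP web shells (added example)."""
import base64
import codecs
import re
import zlib

# Indicator table: (name, pattern, weight). Patterns and weights are assumptions
# for this example, chosen to mirror the capabilities listed in the post.
INDICATORS = [
    ("obfuscated_eval",
     re.compile(r"\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I), 5),
    ("request_controlled_code",
     re.compile(r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 5),
    ("command_exec",
     re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I), 2),
    ("socket_shell",  # bind-port and back-connect shells need a socket
     re.compile(r"\b(fsockopen|socket_create|stream_socket_(client|server))\s*\(", re.I), 3),
    ("spawn_sh", re.compile(r"/bin/sh"), 3),
    ("safe_mode_bypass", re.compile(r"\b(ini_restore|safe_mode)\b", re.I), 2),
    ("ftp_bruteforce", re.compile(r"\bftp_login\s*\(", re.I), 2),
    ("self_remove", re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)", re.I), 3),
]

# A chain of decoding calls wrapped around one string literal,
# e.g. eval(gzinflate(base64_decode('...'))).
CHAIN = re.compile(
    r"((?:\b(?:eval|gzinflate|gzuncompress|base64_decode|str_rot13|strrev)\s*\(\s*)+)"
    r"['\"]([^'\"]+)['\"]")


def _apply(name, data):
    """Apply one PHP decoding function to raw bytes."""
    if name == "base64_decode":
        return base64.b64decode(re.sub(rb"\s", b"", data))
    if name == "gzinflate":  # raw DEFLATE stream, no header
        return zlib.decompress(data, -zlib.MAX_WBITS)
    if name == "gzuncompress":  # zlib-wrapped stream
        return zlib.decompress(data)
    if name == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    if name == "strrev":
        return data[::-1]
    return data  # eval: the bytes are simply the next layer of source


def peel(src, max_layers=10):
    """Replace each decode chain by its decoded payload, innermost call first.
    Returns (exposed source, number of layers removed)."""
    layers = 0
    while layers < max_layers:
        m = CHAIN.search(src)
        if not m:
            break
        names = re.findall(r"[a-z0-9_]+", m.group(1), re.I)
        data = m.group(2).encode("latin-1")
        try:
            for name in reversed(names):
                data = _apply(name, data)
        except (ValueError, zlib.error):
            break  # not a decodable chain; stop peeling
        # drop the closing parentheses (and ';') that belonged to the chain
        tail = re.sub(r"^(\s*\)){%d}\s*;?" % len(names), "", src[m.end():], count=1)
        src = src[:m.start()] + data.decode("latin-1", "replace") + tail
        layers += 1
    return src, layers


def scan(src):
    """Score one PHP source string. Indicators run on both the raw file
    (to catch the obfuscation wrapper) and the peeled source (to catch the payload)."""
    peeled, layers = peel(src)
    hits = {name: w for name, rx, w in INDICATORS if rx.search(src) or rx.search(peeled)}
    return {"layers": layers, "hits": sorted(hits), "score": sum(hits.values())}


def is_webshell(src, threshold=5):
    return scan(src)["score"] >= threshold


def make_obfuscated_sample(inner_php, layers=2):
    """Constructed test input: wrap inner_php in `layers` rounds of
    eval(gzinflate(base64_decode('...'))), the packaging milw0rm-style shells use."""
    src = inner_php
    for _ in range(layers):
        comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
        raw = comp.compress(src.encode("latin-1")) + comp.flush()
        src = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode("ascii")
    return "<?php " + src + " ?>"


# Constructed samples: a two-layer shell with command execution, a socket and
# self-removal, and a harmless page for comparison.
SAMPLE_SHELL = make_obfuscated_sample(
    "system($_GET['cmd']); "
    "$s = fsockopen($_GET['ip'], (int)$_GET['port']); "
    "unlink(__FILE__);")
SAMPLE_CLEAN = "<?php echo htmlspecialchars($_GET['q'], ENT_QUOTES); ?>"

if __name__ == "__main__":
    for label, source in (("shell", SAMPLE_SHELL), ("clean", SAMPLE_CLEAN)):
        print(label, scan(source))
```

On a real site you would walk the document root and run scan() over every .php file (and anything else the server will execute), treating anything at or above the threshold as suspect. A hit on obfuscated_eval or request_controlled_code alone is usually worth a manual look, and a low score is not a clean bill of health: shells that build function names from string fragments, or that hide the payload in a separate file or in the database, slip past patterns like these.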

Attack origin and prevention

Avoid FTP usernames (and, in fact, any login usernames) that can be found on your website itself. As happened in this case, publishing a login name hands the attacker half of the credential pair and lets the backdoor's built-in FTP brute-forcer go to work on the password alone. A strong, unique password, SFTP or FTPS instead of plain FTP, and a lockout after a handful of failed logins blunt that attack even when a name does leak.
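One check that follows from this, as an added example that is not the post's own code: compare the site's login names against what its pages publicly say. The account names and the sample page below are constructed for the example; on a real site you would feed the script the rendered HTML of each page (or a crawled copy) and the real FTP, SSH and CMS account list.

```python
"""Check whether login names also appear in public site content (added example)."""
import re

# Assumed login names (FTP, SSH, CMS) to check; not from the post.
ACCOUNT_NAMES = ["webmaster", "jdoe", "shop_admin", "deploy"]

# Constructed sample page with the usual leak points: a meta author tag,
# a mailto: address, a byline and a /~user/ path.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta name="author" content="jdoe">
<title>Example Shop</title>
</head><body>
<p>Questions? Write to <a href="mailto:webmaster@example.com">our webmaster</a>.</p>
<p class="byline">Posted by shop_admin on 28 July 2015</p>
<img src="/~deploy/banner.png" alt="">
</body></html>
"""

WORD = re.compile(r"[A-Za-z0-9_.-]+")
EMAIL_LOCAL = re.compile(r"mailto:([^@\"'?]+)@", re.I)
META_AUTHOR = re.compile(r"<meta[^>]+name=[\"']author[\"'][^>]+content=[\"']([^\"']+)", re.I)
USERDIR = re.compile(r"/~([A-Za-z0-9_.-]+)")
TAG = re.compile(r"<[^>]+>")


def username_sightings(html):
    """Map every candidate token on the page to the contexts it appeared in."""
    seen = {}

    def note(token, context):
        seen.setdefault(token.lower(), set()).add(context)

    for m in EMAIL_LOCAL.finditer(html):
        note(m.group(1), "mailto")  # local part is often the FTP/cPanel user
    for m in META_AUTHOR.finditer(html):
        note(m.group(1), "meta author")
    for m in USERDIR.finditer(html):
        note(m.group(1), "userdir path")  # /~user/ maps straight to a system account
    for token in WORD.findall(TAG.sub(" ", html)):  # crude tag strip is enough here
        note(token, "visible text")
    return seen


def leaked_accounts(accounts, html):
    """Return the accounts whose names appear on the page, with where they were seen."""
    sightings = username_sightings(html)
    return {a: sorted(sightings[a.lower()]) for a in accounts if a.lower() in sightings}


if __name__ == "__main__":
    for name, places in leaked_accounts(ACCOUNT_NAMES, SAMPLE_HTML).items():
        print("%s leaked via %s" % (name, ", ".join(places)))
```

Any name the script reports should stop being a login: rename the account, or move the login to a separate account that never appears in content. The check is deliberately case-insensitive because the brute-forcer will try the obvious variants anyway.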

Resolution

As part of our anti-malware service for websites, the backdoor was removed and a reconsideration request was submitted to have the website taken off the Google and other vendors' blacklists.