
    Archive for August 5th, 2013

    For a few months now, we have been actively monitoring a spambot named Stealrat, which primarily uses compromised websites and systems in its operations. So far we have identified about 195,000 domains and IP addresses that have been compromised. The common denominator among these sites is that they run vulnerable CMS software such as WordPress, Joomla and Drupal.

    In this entry, we will discuss how website administrators can check if their website is compromised and part of the Stealrat botnet.

    The first step is to check for the commonly found spammer scripts, namely sm13e.php or sm14e.php. Note that the file names of these scripts may change, so it is better to check for any unfamiliar PHP file.

    [Figure: Spamming scripts inside a compromised website]

    Another way to check for the presence of the malicious PHP file is to search the code for either of the following strings:

    • die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)
    • die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321)

    For those running Linux, you can search for the string with the grep command grep -rF "die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321" /path/to/www/folder/ (-r recurses into the directory, -F matches the pattern as a literal string rather than a regular expression), while on Windows the equivalent Windows Search query is content:"die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321".

    [Figure: The mentioned strings in the PHP file]
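To make the manual checks above repeatable, here is an added example (not code from the original post or from Trend Micro) that walks a web root, flags PHP files containing the die() strings quoted above or bearing the file names mentioned, and builds a small constructed sample web root to run against; the directory layout and file names in the sample are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Indicator strings quoted in the post (the die() line of sm13e.php / sm14e.php).
STEALRAT_SIGNATURES = (
    "die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)",
    "die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321)",
)
# File names the post mentions; the post notes they change, so treat a hit as a weak hint.
KNOWN_NAMES = {"sm13e.php", "sm14e.php"}


def scan_webroot(root):
    """Return a list of (relative_path, reason) for .php files matching Stealrat indicators.

    Files are read as bytes so unusual encodings in obfuscated scripts do not abort the scan;
    a content match is reported once per file, after any file-name match.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = os.path.relpath(path, root)
        if path.name in KNOWN_NAMES:
            findings.append((rel, "known Stealrat script name"))
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than fail the whole scan
        for sig in STEALRAT_SIGNATURES:
            if sig.encode() in data:
                findings.append((rel, "contains signature " + sig))
                break
    return findings


def build_sample_webroot():
    """Create a constructed sample web root (assumed layout, not real malware) for a demo run."""
    root = Path(tempfile.mkdtemp(prefix="stealrat-demo-"))
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    # Renamed dropper stand-in: only the die() line from the post identifies it.
    (uploads / "cache_9f.php").write_text(
        "<?php if(!isset($_POST['l'])) " + STEALRAT_SIGNATURES[1] + "); ?>\n")
    # Known file name with harmless content: caught by name only.
    (uploads / "sm13e.php").write_text("<?php /* empty */ ?>\n")
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(rel, "-", reason)
```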

    These strings are part of the "die" code of the PHP file (e.g. executed when certain parameters are not met). Our colleagues at DeepEnd Research have already posted a copy of sm14e.php. As far as we know, this is the latest version of the script in the wild; compared to sm13e.php, sm14e.php now supports multiple email addresses to send spam to. Other than that, it is still the same PHP file, and it accepts the following parameters:

    • l → email address (to send spam to)
    • e → nine randomly generated characters
    • m → mail server (i.e., googlemail)
    • d → mail template

    Its response varies depending on the parameters supplied, as well as the result of the spamming routine:

    [Figure: Script responses based on results]

    For website admins, we recommend deleting the files resembling those described above and updating their content management systems, especially WordPress, Joomla or Drupal. More information on this threat, as well as the other components to watch for, is available in our paper, Stealrat: An In-Depth Look at an Emerging Spambot.


    © Copyright 2013 Trend Micro Inc. All rights reserved.