360 Security Guard · 2016/02/26 14:11

Author: 360 Tianyan (SkyEye) Security Lab

0x00 Prologue


Man does, Heaven watches.

The underground is lawless, governed by the law of the jungle. Without a third party with coercive power to provide security and oversight, that world shows two extremes: those who want to do big business tend to value their reputation, while those who just want to make a quick buck cheat without scruple.

In mid-December 2015, 360 Tianyan Lab published the first report of its series on the small-time hackers of the Chinese internet, a preliminary look at black-hat SEO. It briefly exposed black-hat SEO activity and also mentioned a number of hacking tools that ship with backdoors, including some in very wide use. Yes, this time our protagonist is the most popular of them all: China Chopper (中国菜刀, "Caidao").

0x01 China Chopper


A chopper is a kitchen tool for cutting vegetables, but it can also cut people. The same goes for China Chopper, an excellent multi-language WebShell manager that can be used to administer your own website just as well as to illegally control other people's. Its author is said to be a former soldier. In China a short write-up was published on Guizai's blog [1], and FireEye published a detailed analysis abroad [2].

A few days after Caidao-20141213 (www.maicaidao.com/caidao-2014…) was released, the download was withdrawn and the site shut down (the domain's DNS at one point resolved to GOOGLE.COM). The shutdown may have been triggered by the Freebuf article "Powerful website management software: China Chopper 20141213 new release" [3]. Although the official site is gone, a good tool has a life of its own. In a sense China Chopper has become a brand, or in today's fashionable term an IP: official support no longer matters, because others redistribute and maintain it, including, of course, the bootleg copies that come bundled with a backdoor.

0x02 Sample analysis


Many people have written about China Chopper backdoors before, and this article will not repeat them. Below we give a brief analysis of one specific family, the "db.tmp" style of backdoor.

Analysis of a large number of collected samples shows that these backdoored copies of China Chopper modify a few features of the original build so that web security products such as SafeDog (安全狗) no longer flag it, and at the same time patch the PE import table so that the executable loads an additional DLL containing the backdoor. To avoid arousing suspicion, that module is named to look like a temporary database file, "db.tmp", because China Chopper's default database file is "db.mdb". In practice this means a caidao.exe whose import table names a module that is not a .dll, or that ships with a db.tmp next to db.mdb, should be treated as suspect.

caidao.exe file MD5: baad97c73aee0207e608c46d0941d28b

Summarising the db.tmp samples: their PE timestamps are forged, so they cannot be classified by that attribute. By file size there are roughly two versions, an early 32 KB one and an improved 36 KB one. Both are functionally similar and written in VB6. Binary comparison shows that samples of the same version are identical in size but differ in the embedded backdoor address, which suggests they are generated from a template by a builder.
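To make the import-table trick and the string indicators concrete, here is an added example, not code from the article or from 360: a small pure-Python triage script that walks a PE's import directory and flags imported modules that are not .dll files (the way a trojanised caidao.exe pulls in db.tmp), and that searches the file for the sniffer process names listed in the next paragraph. VB6 stores its string literals as UTF-16, so the string scan checks both ASCII and UTF-16LE. The minimal PE the script fabricates for itself is constructed test input; the module names KERNEL32.dll and MSVBVM60.DLL used in it are assumptions, not taken from the real sample.

```python
"""Triage a suspected backdoored China Chopper build (caidao.exe + db.tmp).

Added example, not code from the 360 article. build_sample_pe() fabricates a
minimal PE32 purely as test input; the module names passed to it are assumed.
"""
import struct

IMPORT_DIR_INDEX = 1          # IMAGE_DIRECTORY_ENTRY_IMPORT
IMPORT_DESCRIPTOR_SIZE = 20   # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Process names the article reports the backdoor looks for before acting.
SNIFFER_PROCESSES = [
    "WSockExpert_cn.exe", "WSockExpert.exe", "CHKenCap.exe", "SmartSniff.exe",
    "hookME.exe", "NetworkTrafficView.exe", "smsniff.exe", "tcpmon.exe",
    "HttpAnalyzerStdV6.exe", "Csnas.exe", "Wireshark.exe",
]


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def imported_modules(data):
    """Return the module names in the import directory, in table order."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)             # PE32 / PE32+
    import_rva = struct.unpack_from("<I", data, dd_base + 8 * IMPORT_DIR_INDEX)[0]
    sections = []
    for i in range(nsections):                                 # 40-byte headers
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    names = []
    if import_rva == 0:
        return names
    off = _rva_to_offset(import_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name, FirstThunk; an all-zero entry ends the table.
        name_rva = struct.unpack_from("<I", data, off + 12)[0]
        if name_rva == 0:
            break
        start = _rva_to_offset(name_rva, sections)
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        off += IMPORT_DESCRIPTOR_SIZE
    return names


def suspicious_imports(data):
    """Imported modules whose name is not a .dll, which is how db.tmp appears."""
    return [n for n in imported_modules(data) if not n.lower().endswith(".dll")]


def sniffer_names_present(data):
    """Sniffer process names embedded in the file, as ASCII or UTF-16LE (VB6)."""
    low = data.lower()
    return [p for p in SNIFFER_PROCESSES
            if p.lower().encode() in low or p.lower().encode("utf-16-le") in low]


def build_sample_pe(modules, extra=b""):
    """Fabricate a minimal PE32 whose single section holds an import directory
    naming `modules`, followed by `extra` bytes. Constructed test input only."""
    sec_va, raw_ptr, align = 0x1000, 0x200, 0x200
    desc_size = IMPORT_DESCRIPTOR_SIZE * (len(modules) + 1)
    names, name_rvas = b"", []
    for m in modules:
        name_rvas.append(sec_va + desc_size + len(names))
        names += m.encode() + b"\0"
    thunks_rva = sec_va + desc_size + len(names)
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, thunks_rva + 8 * i)
                     for i, rva in enumerate(name_rvas))
    section = descs + bytes(IMPORT_DESCRIPTOR_SIZE) + names + bytes(8 * len(modules)) + extra
    section += bytes(-len(section) % align)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR_INDEX, sec_va, desc_size)
    sec_hdr = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(section), sec_va,
                                          len(section), raw_ptr, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers + bytes(raw_ptr - len(headers)) + section


if __name__ == "__main__":
    sample = build_sample_pe(["KERNEL32.dll", "MSVBVM60.DLL", "db.tmp"], b"tcpmon.exe")
    print(suspicious_imports(sample), sniffer_names_present(sample))
```

Run it against a real caidao.exe by passing `open(path, "rb").read()` to `suspicious_imports()` and the accompanying db.tmp to `sniffer_names_present()`; a packed sample (the VMProtect-protected one discussed later) will hide the strings, so the import check is the more robust of the two.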

Disassembly of db.tmp shows that the backdoored chopper hides from packet-capture software: if any of the following processes is running, the backdoor does nothing, so as to evade possible monitoring. Anyone trying to reproduce the beacon in a lab should therefore capture on a separate host or with a tool that is not on this list.

WSockExpert_cn.exe, WSockExpert.exe, CHKenCap.exe, SmartSniff.exe, hookME.exe, NetworkTrafficView.exe, smsniff.exe, tcpmon.exe, HttpAnalyzerStdV6.exe, Csnas.exe, Wireshark.exe

The module then loops over the records of the MDB database and checks each SiteUrl value, skipping "http://www.maicaidao.com/" (the sample entry China Chopper creates by default). For every other record it reads the SitePass, nCodePage and Config fields, concatenates them with the backdoor address compiled into the module (in this sample the string "http://cd.myth321.com/index.asp | | | | | | | |"), and sends the result, completing the upload of the user's WebShell details. One consequence is that a fresh install with no saved sites sends nothing; the backdoor only shows itself on the wire once real WebShells have been stored.

0x03 Distribution channels


There is not much to say about the sample itself technically. What really guarantees results is how it is distributed, which determines how much the backdoor operator finally harvests. Here are the channels we identified:

1. SEO

Holding a large number of WebShells, the operators of backdoored choppers can conveniently use them to push their own site to a good position in search results. On the first page of results from one search engine, apart from the paid promotion link in first place, the second and third results are fake "official" sites boosted by SEO.

The fake official site domains are listed below. Using 360's data we counted their PV/UV traffic for the ten days from 7 to 16 December 2015; the numbers show the SEO had some effect.

2. Buying search-engine keywords

Remember that in early 2012 someone bought keywords for SSH tools such as PuTTY, WinSCP and SSH Secure Shell on a search engine, so that many people clicked the promoted link, landed on a so-called Chinese-language site and downloaded and ran a "Chinese version" of the tool that contained a backdoor. That backdoor uploaded the server's IP address, port, username and password to the site "L.IP-163.com". After the incident was exposed, white hats found the server held data on thousands of victims, including employees of some multinational companies. For a tool as popular as China Chopper, if SEO alone does not deliver, buying search-engine keywords is an ideal and efficient means of promotion. A quick test found that these backdoored choppers had bought at least three keywords on one search engine: "dog chopper" (过狗菜刀, a chopper that gets past SafeDog), "China Chopper" and "XISE".

3. Distribution through hacker forums

Many forums and hacker groups have a tradition of collecting and redistributing hacking tools, which script kiddies love. Tracing the origin of these backdoored choppers, many were spread inside hacker toolkits; we compiled an incomplete list of toolkits to which a backdoored China Chopper had been added, intentionally or not.

4. Spread through QQ groups, forums and other closed circles

Many hackers learn either by following other people's tutorials or by having an "old hand" guide them, sometimes step by step. In the process such people always end up forming a circle somewhere, whether a QQ group or a forum, paid or free. But these circles are not necessarily clean, and the old hands may be half-baked or may slip in a backdoor along the way: we found that many of the toolkits bundled with tutorials also carry backdoors. A few examples:

0x04 Behind China Chopper


Website security overview

The distribution channels show how popular China Chopper is in China, and that popularity is tied to the security of domestic websites. Consider the data in the 2015 China Website Security Report [4]:

Because so many websites are vulnerable, a number of automated vulnerability scanning and intrusion tools exist. Using China Chopper to manage the resulting WebShells in bulk, the operators can happily carry out malicious SEO, plant hidden links, plant fraudulent pages and other activities.

  • Malicious SEO: a backdoor on the site's server loads malicious SEO code, borrowing the legitimate domain's reputation for search-engine optimisation or to lure victims into fraud.
  • Hidden links (挂黑链): tampering with the pages of the original site to implant visible or invisible page elements, again for black-hat SEO.
  • Planted pages (挂黑页): phishing by tampering with or adding pages to the original site. The picture below shows a fraudulent page disguised as an "online game trading platform" implanted into a legitimate website.

By reverse engineering the China Chopper backdoor we extracted several typical backdoor "box" (collection server) URLs from the samples. Obtaining the contents of these boxes turned out to be quite simple, and the statistics are startling:

Take the backdoor address c.qsmyy.com: we downloaded 639 boxes containing 67,864 WebShells in total; after de-duplication 24,111 remain, about 38 per box on average. The newer the box, the higher the probability that its WebShells can still be accessed.

The backdoor address www.cnxiseweb.com is even worse. Its box data is rotated every day, so we could only download a few hours' worth for one day, yet those few hours already held 321 WebShells, 317 after de-duplication. All of this is a fair reflection of the security posture of domestic websites.

Tracing the counterfeit sites

Anyone who has read previous 360 Tianyan Lab articles knows that the technical analysis and statistics are usually just the appetizer; the main course comes after. Let us go after the people trading in chopper backdoors.

Tracing the phishing site www.maicaidao.co

http://www.maicaidao.co is one of the sites impersonating the official China Chopper site (www.maicaidao.com). The chopper it offers for download (http://www.maicaidao.co/FileRecv/20141018.zip) carries the db.tmp backdoor and, to make reverse engineering harder, is additionally packed and protected with VMProtect.

Public WHOIS shows the registrant e-mail [email protected]; the same address also registered the domain maicaidao.me. Anyone in the security community should recognise this mailbox: its owner is a member of a certain SEC group. We will say no more; those interested can dig for themselves.

Tracing the phishing site www.maicaidao.cc

The phishing site www.maicaidao.cc can no longer be opened because the domain has expired, but over the past year it was widely circulated. A WHOIS query shows the webmaster's e-mail is [email protected].

Through the QQ-group relationship data in a social-engineering database (社工库) we can see the following information.

The photo album of that QQ account also shows screenshots flaunting the websites it has broken into.

Its QQ space also holds personal life and study photos.

The photos show he studied at Chuanzhi Boke (传智播客), a Guangzhou-based training school. Searching the QQ number shows it has WeChat bound to it, which basically confirms it is his main account.

We stop the social-engineering work here and close the www.maicaidao.cc case with a graph from the lab's visual link-analysis platform.

Tracing the phishing site guogoucaidao.com

http://www.guogoucaidao.com mainly baits with "the latest SafeDog-bypassing chopper, gets past the current latest SafeDog V3.4.09060!". Its second post (http://www.guogoucaidao.com/?post=2) links the so-called dog chopper download (http://www.guogoucaidao.com/content/uploadfile/201509/1cae1 Rar); the China Chopper behind that link contains a backdoor, and analysis shows its backdoor address is s.anylm.com.

WHOIS gives [email protected]; the QQ number 1296444813 has many hits in search engines, including as the webmaster of "Shadow Alliance", and the backdoor address s.anylm.com is exactly the pinyin abbreviation of Shadow Alliance.

On Baidu Tieba we can see its ID, roughly "Selling diamond-boosting platform OK". Under this ID it follows many forums, several of which it created itself, and it has been a supplier for a card union (卡盟, a virtual-goods reseller platform). Search engines also turn up information on "Shadow Card Union".

In a social-engineering database we found the e-mail [email protected] and the password behind the QQ number, which leads to more IDs.

An order record for "Hacker Attack and Defense: From Beginner to Advanced (with DVD)" was found at an online store.

Through the phone number 132****5891 one can find his real-name Alipay account.

We will go no further; those interested can keep digging. We close this trail with a graph from the link-analysis platform.

Tracing the phishing site tophack.net

While analysing a server at IP 43.249.11.189 that hosts a backdoor address, we collected the following three download URLs for backdoored China Chopper:

  • 1pl38.com/chopper.zip
  • tophack.net/chopper.zip
  • aspmuma.net/chopper.zip

tophack.net's WHOIS shows the webmaster's QQ number is 595845736, with the following details:

A rather high-profile little hacker, who still keeps screenshots of the sites he broke into in his QQ space.

Searching for this QQ number turns up many negative comments.

The information shows that the account's owner has been involved in illicit underground trading since 2011 and has a conspicuous and bad reputation. His QQ signature shows he currently runs the "Hongfa" online card-game gambling platform.

Promoting such games also depends on SEO, and in one search engine's results "Hongfa chess and cards" ranks quite high.

websiteinformer.com shows a fake China Chopper official site as early as July 2012.

A WHOIS lookup shows the other domains tied to this QQ mailbox below.

A reverse lookup on the registrant yields the following domains.

Judging from the domain names, they are basically all related to the underground economy and hacking.

Tracing the phishing site www.caidaomei.com

The front page of www.caidaomei.com offers "the latest Xise chopper parasite cracked VIP edition (passes SafeDog)", "the red edition of China Chopper (20141213), the official release of the SafeDog-bypassing red chopper", "the latest undetectable ASP Trojan, undying zombie Trojan" and "the latest dog chopper download". Analysis shows that every WebShell manager on the site has a backdoor. For example, the "Xise chopper parasite cracked edition" carries a "jsc.dat" backdoor: Xise's default database file is named "jsc.mdb", so the disguise is the same as China Chopper's "db.tmp".

File MD5: 5bb4f15f29c613eff7d8f86b7bcc94c1

Moreover, the number of backdoor boxes behind this site's chopper is also considerable: from its backdoor address we extracted 194 boxes holding 75,166 WebShells in total, 18,613 after de-duplication, about 96 per box.
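The box figures quoted here and for c.qsmyy.com and www.cnxiseweb.com above (total records, records after de-duplication, average per box) come from the same kind of counting. As an added example, not the lab's own tooling, the script below performs that de-duplication. The article does not give the dump format, so the record layout assumed here, one "url|password|codepage" line per WebShell and one dump per box, is a guess, and the sample dumps are constructed; the point it adds is that trivial spelling variants of the same shell (host case, an explicit :80, a trailing slash) must be normalised before counting, or the "unique" figure is inflated.

```python
"""De-duplicate WebShell records harvested from chopper backdoor "boxes".

Added example, not the lab's own tooling. The article reports only totals
(e.g. 639 boxes, 67,864 records, 24,111 after de-duplication), not the dump
format, so the layout assumed here, one "url|password|codepage" line per
shell and one dump per box, is a guess. Two records are the same shell when
the normalised URL and the password agree.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_ENTRY = "http://www.maicaidao.com/"   # sample entry the backdoor skips


def normalise_url(url):
    """Canonical form: lower-case scheme and host, default port and fragment
    dropped, trailing slash removed, so spelling variants compare equal."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    scheme = p.scheme or "http"
    host = p.hostname or ""
    try:
        port = p.port
    except ValueError:          # garbage port in the dump; ignore it
        port = None
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = "%s:%d" % (host, port)
    path = p.path.rstrip("/") or "/"
    return urlunsplit((scheme, host, path, p.query, ""))


def parse_box(lines):
    """Yield (url, password, codepage) from one dump, skipping junk lines and
    China Chopper's own default entry."""
    for line in lines:
        fields = line.rstrip("\r\n").split("|")
        if len(fields) < 2 or not fields[0].strip():
            continue
        if normalise_url(fields[0]) == normalise_url(DEFAULT_ENTRY):
            continue
        yield fields[0], fields[1], fields[2] if len(fields) > 2 else ""


def dedupe(boxes):
    """Return (record_count, shells), where shells maps
    (normalised url, password) -> set of box indexes it was seen in."""
    total, shells = 0, {}
    for box_id, lines in enumerate(boxes):
        for url, password, _codepage in parse_box(lines):
            total += 1
            shells.setdefault((normalise_url(url), password), set()).add(box_id)
    return total, shells


def summarise(boxes):
    """The figures the article quotes per backdoor address."""
    total, shells = dedupe(boxes)
    return {
        "boxes": len(boxes),
        "records": total,
        "unique": len(shells),
        "unique_per_box": round(len(shells) / len(boxes)) if boxes else 0,
        "in_several_boxes": sum(1 for b in shells.values() if len(b) > 1),
    }


# Constructed dumps, not data from the article.
SAMPLE_BOXES = [
    ["http://www.maicaidao.com/|caidao|65001",
     "http://Victim-A.example/upload/1.asp|pass1|936",
     "http://victim-a.example:80/upload/1.asp/|pass1|936",
     "http://victim-b.example/img/x.php|x|65001"],
    ["http://victim-a.example/upload/1.asp|pass1|936",
     "https://victim-c.example/css/s.aspx|s|65001",
     "junk line without separator"],
]

if __name__ == "__main__":
    print(summarise(SAMPLE_BOXES))
```

Keying on URL plus password rather than URL alone is deliberate: the same path re-uploaded with a new password after a clean-up is, for an operator, a new shell, and for a defender a sign of re-compromise.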

While analysing the samples we found a special one (fe2a29ac3cae173916be42db7f2f91ef) that appears to have been used for testing.

WHOIS shows that the webmaster QQ of demo.heimaoboke.com is 408888540.

Searching finds QQ 408888540's blog on NetEase Lofter, which contains many posts on the Xise chopper and black-hat SEO.

One post advertises a WebShell box (that is, a chopper backdoor) that can be customised on demand and comes with after-sales technical support. One wonders whether this so-called backdoor in turn has a backdoor of its own.

The QQ account information is shown below.

Its QQ space shows screenshots of the results of black-hat SEO jobs.

Searching also finds files it shared on Baidu Netdisk.

There was a private share but no extraction code, so we do not know what was being shared.

Since this QQ number is a secondary account with no further social-engineering-database information, we stop here and close the trace with the relationship graph from the Tianyan visual link-analysis platform.

0x05 Closing

Having said so much about China Chopper and its backdoors, it all boils down to one word: profit. To get more traffic to their own sites, some people do not hesitate to compromise other sites and use illegal means to boost ranking and traffic. This article was dug up, summarised, sorted, re-dug and re-assembled over several months; because of other priorities and the Lunar New Year, it is only being published today. Once again, 360 Tianyan Lab's next report will be a weightier one; stay tuned. The lab is also hiring: we need people with a solid foundation in binary reverse engineering, ideally with malware analysis experience, as well as back-end developers who are familiar with big-data platforms and can quickly build data pipelines on existing frameworks. Contact: [email protected]. The data will give you a different perspective.

0x06 Appendix

The collected data can be used as IOCs.

Sample MD5
0213fef968a77e5cd628aca6a269d9bd
02ca1b36b652c582940e6ae6d94a6934
066f696d49ee8c67be0c3810af46faf1
0785ec81048ad5508956e97360ac322f
0bbcae2af8499a1935f66e4f3cf0cb69
0cdcd9834be42a24feed91dc52b273c7
0de40d8e66b1c3bd12f1a68f9914b60b
126bc9e60f0aaac0bf831dfee1be7326
16151ad243a6f3b9d2fae4a3d91e8007
19e3e3249dc3357ccfa6151049cd1854
1dac878c4a6bddd4194d627bb57d6d58
23940b1b3ff3509933a6fbd46e25c162
23d21fcef3ab3d690b2325979f44d150
2aef1877a28758ba3d78adc65d2ec3db
33b858d1a17a34d7d9676ab80242ccc6
368539bfea931a616489df15e7c1d79c
3923331de81cd5d4c5abe2f8448c25a9
3c40b58ac7eea158f2fa956545e4eee2
46a5e5c94cb5f5b39069cff4f9ba3843
5a6b933b5054efa25141e479be390a37
5ebc970c321b839aab5e2aac73039654
5f2623fecfa77dfca3f3336cee1732fe
5f83eaae01aa1b138061b89aa5374478
63a2c5650b6babd2214e29a1d83e6f98
6c5290651f4b8b188037b2d357ea87cb
8644b075c9de6749e5b3ce20c3348be3
87634adbbf10d6595845dc50ace9d672
88b9059aafa832f0d83b371a34a46506
892cacd515ce684fecf69983c87dbbf1
8fca2f54b4107df7b046c166ed42a3e6
91167748ef09c91cb0047ccd465e1370
918d90cd43bd8c121144e572b1542e21
a1f26b69cee65dfe1cb91a7be2aea6a2
a3e4b1f5661e51b3b5bdc4cae9de6921
aa613662fe3c8cd108c6f7a104e75826
b037871f8a69f5b094dcb6f3b3986bd0
b439239568da85104308fa5b0588eb31
b56b4507a1182356e607c433d9a3a5d9
c00456ba818d78132aaf576f7068e291
c72a397fcc273b272254bb1dea0fd045
cd37fba00631a4a91dfb1239235abe0c
d7383f26d56e6a21a0334ac7eb4ccf8a
d7f7411951e4d4f678f27424c0c21ecd
e3fec98250cdd9cefa9c00b0d782775b
e447b5b56c0caaa51cc623d64dc275d9
e81aa81815e94dff6de0cb1efe48383a
ee39bf504cb66cd22a5c2ce96c922f12
f13c045a7a952e44877bf3f05f2faa8c
f2156701935f78c0ca6d610f518f4f37
f54291227bec8fb1c7013efba8dc9906
f90abd7f720a95d2999f29dbc8d45409
fb5e9c43062a1528ea9cd801c4c6d0b3
fe0720b465fcde0af7ca0b8dc103bc47
fe2a29ac3cae173916be42db7f2f91ef
Backdoor addresses
http://122.10.82.29/cc.asp
http://1pl38.com/
http://9128.cc/update1111/index.asp
http://aspmuma.net/
http://baidu.myth321.com/baidu/index.asp
http://boos.my.to/caida
http://caidao.guoanquangouma.com/xy.asp
http://cd.myth321.com/index.asp
http://cpin.g.xyz./db.asp
http://dema.gjseo.net/db.asp
http://demo.888p.org/inex.asp
http://demo.asphxg.cn/xg.asp
http://demo.gjseo.net/db.asp
http://demo.gpzd8.com/xg.asp
http://demo.heimaoboke.com/96cn.asp
http://demo.heimaoboke.com/index.asp
http://demo.hmseo.org/db.asp
http://dns.haotianlong.com/index.asp
http://jsc.i06.com.cn/www.asp
http://pkpxs.com/index.asp
http://s.anylm.com/anying/index.asp
http://tophack.net/
http://www.0744m2.com/index1.asp
http://www.668168.xyz/1index.asp
http://www.gnrgs.cn/webshell.asp
http://www.histtay.com/index.asp
http://www.huaidan98.com/cd/index.asp
http://www.jpwking.com/index.asp
http://www.weblinux.xyz/
http://www.zgcaid.com/index.asp
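One way to actually use the backdoor addresses above, as an added example that is not 360's own tooling: match outbound web-proxy log lines against the list. BACKDOOR_URLS is the appendix list verbatim; the log lines are constructed and their "timestamp client method url status" layout is an assumption. A request is reported both on an exact box host and on any sibling name under the same registered domain, because the same operator tends to hang several names off one domain (cd.myth321.com and baidu.myth321.com, or dema.gjseo.net and demo.gjseo.net, in this very list); the host cpin.g.xyz. with its trailing dot is handled as written.

```python
"""Check web-proxy log lines against the backdoor box addresses above.

Added example, not 360's tooling. BACKDOOR_URLS is the appendix list; the
log lines are constructed and their "timestamp client method url status"
layout is an assumption.
"""
from urllib.parse import urlsplit

BACKDOOR_URLS = """
http://122.10.82.29/cc.asp http://1pl38.com/ http://9128.cc/update1111/index.asp
http://aspmuma.net/ http://baidu.myth321.com/baidu/index.asp http://boos.my.to/caida
http://caidao.guoanquangouma.com/xy.asp http://cd.myth321.com/index.asp
http://cpin.g.xyz./db.asp http://dema.gjseo.net/db.asp http://demo.888p.org/inex.asp
http://demo.asphxg.cn/xg.asp http://demo.gjseo.net/db.asp http://demo.gpzd8.com/xg.asp
http://demo.heimaoboke.com/96cn.asp http://demo.heimaoboke.com/index.asp
http://demo.hmseo.org/db.asp http://dns.haotianlong.com/index.asp
http://jsc.i06.com.cn/www.asp http://pkpxs.com/index.asp http://s.anylm.com/anying/index.asp
http://tophack.net/ http://www.0744m2.com/index1.asp http://www.668168.xyz/1index.asp
http://www.gnrgs.cn/webshell.asp http://www.histtay.com/index.asp
http://www.huaidan98.com/cd/index.asp http://www.jpwking.com/index.asp
http://www.weblinux.xyz/ http://www.zgcaid.com/index.asp
""".split()

# Enough public suffixes for this list; a real deployment would use the PSL.
SECOND_LEVEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "gov.cn"}


def host_of(url):
    """Host part of a URL, lower-cased, trailing dot removed."""
    return (urlsplit(url).hostname or "").rstrip(".")


def registered_domain(host):
    """example.com for a.b.example.com, example.com.cn under com.cn;
    an IPv4 literal is returned unchanged (nothing to widen to)."""
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


IOC_HOSTS = {host_of(u) for u in BACKDOOR_URLS}
IOC_DOMAINS = {registered_domain(h) for h in IOC_HOSTS}


def classify(url):
    """'host' for an exact box host, 'domain' for a sibling name under the
    same registered domain, None otherwise."""
    h = host_of(url)
    if h in IOC_HOSTS:
        return "host"
    if registered_domain(h) in IOC_DOMAINS:
        return "domain"
    return None


def scan_log(lines):
    """Return (client, url, kind) for each line whose URL hits an IOC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue                      # malformed line, not a request
        _ts, client, _method, url, _status = parts[:5]
        kind = classify(url)
        if kind:
            hits.append((client, url, kind))
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    "2015-12-10T10:01:02 10.0.0.5 POST http://cd.myth321.com/index.asp 200",
    "2015-12-10T10:01:09 10.0.0.5 GET http://www.maicaidao.com/ 404",
    "2015-12-10T10:02:31 10.0.0.7 POST http://update.myth321.com/x.asp 200",
    "2015-12-10T10:03:00 10.0.0.9 GET http://jsc.i06.com.cn/www.asp 200",
    "2015-12-10T10:03:05 10.0.0.9 GET http://www.example.com.cn/ 200",
    "2015-12-10T10:04:11 10.0.0.5 POST http://122.10.82.29/cc.asp 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A "domain" hit deserves a look but not an automatic block: www.maicaidao.com itself is not in the list and should not match, and the operator's domains are cheap to replace, so the MD5 list and the import-table check earlier in the article remain the more durable indicators.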

0x07 Related reading

  • [1] A brief review of the hacker's sharp weapon, China Chopper (Guizai's blog)
  • [2] Breaking Down the China Chopper Web Shell, Part I and Part II (FireEye)
  • [3] Powerful website management software: China Chopper 20141213 new version released (Freebuf)
  • [4] 2015 China Website Security Report (360)