Skip navigation.
Home

Pedro's Malware Quiz #6

| |

Don't know how many of you follow the Malware Quiz series that comes out of ISC@SANS but Pedro Bueno has released #6 in the series, and this time it's on the Linux platform.

Checkout all the details here.. http://handlers.sans.org/pbueno/ma6.html

EDIT BY VALSMITH;

NOTES:
UPDATE: Apparently there has been some new stuff going on related to this post. A "variant" seems to have come out recently. Information can be found on the DailyDave mailing list in a post by Gadi Evron. If someone comes across a copy of this new varient I'd love to see it.

thanks.

V.

shell is backdoor.kaitex
cmd.gif is php.backdoor.trojan

Some graphs of the tsunami Denial of Service function.


SECTION I - MALWARE ANALYSIS - PART 6 - Feb 2006
Valsmith : mvalsmith isat gmail.com

1. Are these files packed? If so, which packer?

- No, the files are not packed. (Scanned with protection_id, peid, pescan, kapersky and disassembled)

2 (a & b). (a) Without running the applications, identify what the malware can/will do, then (b)run the applications and identify additional details evident when the applications are run.

a) STATIC ANALYSIS:

cmd.gif
--------------------------------

- Using a Hex editor one can examine cmd.gif and see that its source code is available and that it is a PHP script. NOTE: The code to cmd.gif has been modified by quiz people, to make it less dangerous.

- cmd.gif Is a PHP script which provides remote command capabilities with the primary purpose of defacing the website. Also provides the attacker with access to commands such as WGET and NETCAT.

Evidence:

Defacing Tool 2.0 by r3v3ng4ns
revengans@gmail.com

if (@file_exists("/usr/X11R6/bin/xterm")) $pro1="xterm at /usr/X11R6/bin/xterm, ";
if (@file_exists("/usr/bin/nc")) $pro2="nc at /usr/bin/nc, ";
if (@file_exists("/usr/bin/wget")) $pro3="wget at /usr/bin/wget, ";
if (@file_exists("/usr/bin/lynx")) $pro4="lynx at /usr/bin/lynx, ";
if (@file_exists("/usr/bin/gcc")) $pro5="gcc at /usr/bin/gcc, ";
if (@file_exists("/usr/bin/cc")) $pro6="cc at /usr/bin/cc ";

if(strpos($cmd, 'ls --') !==false) $cmd = str_replace('ls --', 'ls -F --', $cmd);
else if(strpos($cmd, 'ls -') !==false) $cmd = str_replace('ls -', 'ls -F', $cmd);
else if(strpos($cmd, ';ls') !==false) $cmd = str_replace(';ls', ';ls -F', $cmd);
else if(strpos($cmd, '; ls') !==false) $cmd = str_replace('; ls', ';ls -F', $cmd);
else if($cmd=='ls') $cmd = "ls -F";

shelll
-------------------------------

- shell" is an IRC botnet client with DOS capabilities that will run a hidden zombie process and open a connection to an IRC server.

- Using a disassembler such as IDA pro one can get useful strings, assembly and imports/exports of shelll.

Evidence:

.rodata:0804C008 aIrc_ircnet_net db 'irc.ircnet.net',0

This client has authentication capabilities:

Evidence:
.rodata:0804C39C ; char aNoticeSPasswor[]
.rodata:0804C39C aNoticeSPasswor db 'NOTICE %s :Password too long! > 254',0Ah,0
.rodata:0804C39C ; DATA XREF: disable+97 o

.rodata:0804C3E3 ; char aNoticeSEnableP[]
.rodata:0804C3E3 aNoticeSEnableP db 'NOTICE %s :ENABLE
',0Ah,0 ; DATA XREF: enable+12 o

The client has an extensive usage/help system and also provides DOS capabilities.

Evidence:

.rodata:0804C660 ; char aNoticeSTsuna_1[]
.rodata:0804C660 aNoticeSTsuna_1 db 'NOTICE %s :TSUNAMI '
.rodata:0804C660 ; DATA XREF: help+23 o
.rodata:0804C660 db '= Special packeter that wont be blocked by most firewalls',0Ah
.rodata:0804C660 db 0
.rodata:0804C6D7 align 4
.rodata:0804C6D8 ; char aNoticeSPanTa_0[]
.rodata:0804C6D8 aNoticeSPanTa_0 db 'NOTICE %s :PAN
'
.rodata:0804C6D8 ; DATA XREF: help+46 o
.rodata:0804C6D8 db '= An advanced syn flooder that will kill most network driver'

The main capability of shelll that needs to be examined is its DOS functions. One of these are what was used in the DOS attack described in the initial quiz background. The XREFS graph from the tsunami DOS function is very clear and helps visualize what’s going on.

One can see in the graph calls to very standard network functions like GETHOSTBYNAME and INET_ADDR. It also appears that TSUNAMI has the ability to spoof addresses. TSUNAMI takes an argument for the target IP and an argument for the number of seconds/interval for sending packets.

The PAN DOS function has essentially the same XREF graph as TSUNAMI with the addition of a checksum. PAN takes the same arguments with the addition of a target port.

The UDP DOS function looks almost exactly the same as PAN. All of the DOS functions point to another function called Send which appears to be the main network code for the DOSing. Send is a hub function for several of the functions in shelll. A call graph illustrates this point more clearly:

A disassembly of the Help() function which provides usage information sheds quite a bit of light on how the botnet client operates and what its capabilities are:

.text:0804AC00 loc_804AC00: ; CODE XREF: help+16 j

NOTE: The repetitious assembly before and after the NOTICE information has been trimmed for brevity. All of the following sections by:

add esp, 10h
.text:0804ADEA sub esp, 4
.text:0804ADED push [ebp+arg_4] ; int

And followed by

push [ebp+fildes] ; fildes
.text:0804ADD5 call Send
.text:0804ADDA add esp, 10h
.text:0804ADDD sub esp, 0Ch
.text:0804ADE0 push 2 ; seconds
.text:0804ADE2 call _sleep

.text:0804AC06 push offset aNoticeSTsuna_1 ; "NOTICE %s :TSUNAMI
.text:0804AC29 push offset aNoticeSPanTa_0 ; "NOTICE %s :PAN

.text:0804AC4C push offset aNoticeSUdpTa_0 ; "NOTICE %s :UDP
"...
.text:0804AC6F push offset aNoticeSUnkno_1 ; "NOTICE %s :UNKNOWN "...
.text:0804AC92 push offset aNoticeSNickN_0 ; "NOTICE %s :NICK "...

b) DYNAMIC ANALYSIS:

shelll
-------------------------------------------

- shelll first makes a TCP SYN connection on port 6667 to 216.115.95.70 (irc.ircnet.net). Here we can see the traditional IRC banner:

0000 00 13 ce 56 8d 9a 00 06 25 62 de 56 08 00 45 00 ...V....%b.V..E.
0010 00 83 f4 5b 40 00 35 06 57 4c d8 73 5f 46 c0 a8 ...[@.5.WL.s_F..
0020 01 6b 1a 0b aa 5a fb e3 27 6b 5c 9e e5 48 80 18 .k...Z..'k\..H..
0030 20 00 5f fe 00 00 01 01 08 0a 60 96 c6 6b 00 37 ._.......`..k.7
0040 56 dc 3a 69 72 63 31 2e 75 73 2e 6f 70 65 6e 2d V.:irc1.us.open-
0050 69 72 63 6e 65 74 2e 6e 65 74 20 30 32 30 20 2a ircnet.net 020 *
0060 20 3a 50 6c 65 61 73 65 20 77 61 69 74 20 77 68 :Please wait wh
0070 69 6c 65 20 77 65 20 70 72 6f 63 65 73 73 20 79 ile we process y
0080 6f 75 72 20 63 6f 6e 6e 65 63 74 69 6f 6e 2e 0d our connection..
0090 0a .

And also the nick name the IRC bot client tries to use:

0000 00 06 25 62 de 56 00 13 ce 56 8d 9a 08 00 45 00 ..%b.V...V....E.
0010 00 67 81 f9 40 00 40 06 be ca c0 a8 01 6b d8 73 .g..@.@......k.s
0020 5f 46 aa 5b 1a 0b 5e f3 e2 83 a4 c5 e1 0d 80 18 _F.[..^.........
0030 16 d0 9b 10 00 00 01 01 08 0a 00 37 63 da 60 96 ...........7c.`.
0040 d2 d9 4e 49 43 4b 20 5a 54 41 4d 43 0a 55 53 45 ..NICK ZTAMC.USE
0050 52 20 49 54 4b 5a 4e 57 20 6c 6f 63 61 6c 68 6f R ITKZNW localho
0060 73 74 20 6c 6f 63 61 6c 68 6f 73 74 20 3a 4d 52 st localhost :MR
0070 56 4c 59 55 0a VLYU.

LSOF shows the related process information as well as the network connection tied to the shelll process:

kryptos# lsof |grep shelll

shelll 17763 root cwd DIR 3,3 4096 210497 /tmp
shelll 17763 root rtd DIR 3,3 4096 2 /
shelll 17763 root txt REG 3,3 29662 213876 /tmp/shelll
shelll 17763 root mem REG 3,3 89547 437210 /lib/ld-2.2.5.so
shelll 17763 root mem REG 3,3 45415 437243 /lib/libnss_files-2.2.5.so
shelll 17763 root mem REG 3,3 46117 437251 /lib/libnss_nisplus-2.2.5.so
shelll 17763 root mem REG 3,3 89424 437227 /lib/libnsl-2.2.5.so
shelll 17763 root mem REG 3,3 44746 437248 /lib/libnss_nis-2.2.5.so
shelll 17763 root mem REG 3,3 16051 437240 /lib/libnss_dns-2.2.5.so
shelll 17763 root mem REG 3,3 68925 437255 /lib/libresolv-2.2.5.so
shelll 17763 root mem REG 3,3 1401027 437204 /lib/i686/libc-2.2.5.so
shelll 17763 root 0u CHR 136,0 2 /dev/pts/0
shelll 17763 root 1u CHR 136,0 2 /dev/pts/0
shelll 17763 root 2u CHR 136,0 2 /dev/pts/0
shelll 17763 root 3u IPv4 103942 TCP 192.168.1.107:43610->216.115.95.70:ircd (ESTABLISHED)

STRACE shows the calls made by the shelll program when run:

kryptos# strace ./shelll

execve("./shelll", ["./shelll"], [/* 30 vars */]) = 0
uname({sys="Linux", node="kryptos", ...}) = 0
brk(0) = 0x804d970
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=113103, ...}) = 0
old_mmap(NULL, 113103, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40014000
close(3) = 0
open("/lib/i686/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`u\1B4\0"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=1401027, ...}) = 0
old_mmap(0x42000000, 1264928, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000
mprotect(0x4212c000, 36128, PROT_NONE) = 0
old_mmap(0x4212c000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12c000) = 0x4212c000
old_mmap(0x42131000, 15648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42131000
close(3) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40030000
munmap(0x40014000, 113103) = 0
brk(0) = 0x804d970
brk(0x804d9a0) = 0x804d9a0
brk(0x804e000) = 0x804e000
fork() = 12684
_exit(0) = ?

The last two lines marked in red are important to note because this demonstrates how the process is invisible to a standard ps –aux. The fork and exit cause shelll to be a zombie process. The fork() line outputted from strace shows the PID shelll is running under which matches the output from ls -A:

12684 ? 00:00:00 shelll

cmd.gif
-----------------------------

When executed his program creates a web page leveraging the PHP include remote file bug/feature.

[root@kryptos cgi-bin]# php test.php > /usr/local/apache/htdocs/boom.html

This then allows a very simple command shell like interface to run commands. This also provides an interface for defacing the website, editing PHP and gives information about the web server’s configuration. There is also a file upload / download option. This program could easily be used to download other files malware such as the IRC botnet client shell.

3. Now, using any methods available to you, which changes, if any, will the malware make on the system ?

NOTE: Details covered in the previous answers
- Shelll starts a process and makes a connection to an IRC server
- Cmd.gif drops a new html file on the system.

4. Now, what are the purpose of the malware? Are they related?

- The purpose of cmd.gif is to provide remote command capabilities and to deface websites
- The purpose of shelll is to provide control of the system via an IRC botnet in order to use the system as part of a denial of service attack
- They are not necessarily related. They can be used separately and were not written by the same author. However cmd.gif can be used in order to get shelll onto the system.

5. Why didnt the 'shelll' or the 'cmd' applications show up at the ps aux ?

- cmd.gif did not show up because it is a script and not an executable binary and so runs and exits without staying persistent in the process table. The file output by script is html and so also not a resident process.

- shelll did now show up secause it is a zombie process (forked child with exited parent) it doesn't show up in normal ps. shelll is detaching after fork from child process 29229.

However LSOF finds shelll :

shelll 29112 valsmith 3u IPv4 102608548 TCP 192.168.1.3:35945->216.115.95.70:ircd (ESTABLISHED)

As does ls -A

29342 pts/7 00:00:00 shelll

6. Do you have any clues of how the machine was compromised?

The machine was probably compromised using a SSH brute force attack which tries a bunch of usernames and passwords until one works. Most likely the "backup" user account was compromised.
The backup user account had a very week password:

Loaded 1 password hash (OpenBSD Blowfish [32/32])
backup (backup)
guesses: 1 time: 0:00:00:00 100% (1) c/s: 5.26 trying: backup

Evidence of this can be seen in the syslog "secure.txt":

Feb 13 10:29:26 linux sshd[1446]: Failed password for backup from xxx.60.116.10 port 45854 ssh2
Feb 13 10:29:26 linux sshd[1446]: Received disconnect from xxx.60.116.10: 11: Bye Bye
Feb 13 11:05:50 linux sshd[1446]: Accepted password for backup from xxx.60.116.10 port 20577 ssh2

7. About the 'shelll' and cmd.gif file, what useful information could you get?

The files are recognized by antivirus. Source code is included in the appendix:

#################################
FILENAME: shelll
FILE TYPE: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
MD5SUM: f14af1cbb8e203f0254ad5f21b313e28
SHA1SUM: cb4d8382074db5a9245b638fe5d5f921b308ee1b
SHA256SUM: 10b8dab51d6b91e8dcf223d586d2c22c3d38a7ea0a8c7090c2068c7b0af7c637
A/V SCAN: backdoor.kaitex
#################################

#################################
FILENAME: cmd.gif
FILE TYPE: exported SGML document text
MD5SUM: 1a85f538fc3f9c17bf8d4be90d5f5060
SHA1SUM: 6486b8ebe4807d354ea84fbbd5f2d408ffff5621
SHA256SUM: fcfb0b9195a7d7624ea257ca3e9e179abc327152ba16d3895f2d9e980c1f8f81
A/V SCAN: PHP.Defash.A or php.backdoor.trojan
#################################

Bonus Questions:

8. Using all your creative mind, please, describe the possible attack scenario... :-)

I believe the attacker used a SSH brute force attack. Once an account was compromised (backup username) the attacker used SFTP to upload cmd.gif which provides a command shell like environment. Evidence of the SFTP upload can be seen in the syslog "secure.txt":

Feb 13 19:35:23 linux sshd[1446]: subsystem request for sftp
Feb 13 19:51:44 linux sshd[1446]: Accepted password for backup from xxx.60.116.10 port 3635 ssh2

After that they probably used cmd.gif in conjunction with WGET or LYNX in order to upload shelll. Once shelll was uploaded and installed it was used to connect to an IRC server. The machine was then part of a botnet controlled via IRC. IRC commands are then issues to cause the server to DDOS a 2nd victim IP by using TSUNAMI or PAN or one of the other flooders built into shelll.

The system does not appear to be running a web server based on the ps output so no webpage was defaced.

9. Based on this attack, which security measures would you recommend to this linux box owner?

The following security measures are advisable to help protect against this type of attack:

1.) use strong passwords
2.) implement TCP wrappers on ssh to prevent unauthorized external connections
3.) firewall all outgoing and incoming ports that are not needed (6667 for example)oming ports that are not needed (6667 for example)

Re:Malware Zoo

Hi tebo :)

First off ... Thanx for letting us know...

With what I saw from the netstat text it seems to be a IRC Controlled thing because port for irc is 6667

tcp 0 0 192.168.0.52:1418 216.115.95.70:6667 ESTABLISHED
tcp 1 0 192.168.0.52:1353 216.115.95.70:6667 CLOSE_WAIT
tcp 0 0 192.168.0.52:1288 216.115.95.70:6667 CLOSE_WAIT
tcp 1 0 192.168.0.52:1225 216.115.95.70:6667 CLOSE_WAIT
tcp 1 0 192.168.0.52:1161 216.115.95.70:6667 CLOSE_WAIT

Regards

--
Remember there is alwayz someone who knows more than us out there

Can't download the first file

Try to pack the PHP file, as it can't be downloaded. The site's engine tries to parse it as a part of the site.

already posted?? UPDATE: Apparently


NOTES:
UPDATE: Apparently there has been some new stuff going on related to this post. A "variant" seems to have come out recently. Information can be found on the DailyDave mailing list in a post by Gadi Evron. If someone comes across a copy of this new varient I'd love to see it.

Val,

The md5 checksums for those listed on DailyDave are the same as for those samples posted by lys about 3-4 posts down (New Linux Malware)

tahts hilarious

I cant believe I didnt use my own sites search for checksums bwhahah.

that will teach me.

V.

Indeed :D Would be nice if

Indeed :D

Would be nice if you could do/post an analysis :)

check out the pdf

tahts attached to the post. Thats pretty close. Ill work on the new files that lys posted this weekend.

V.