Sunday, December 29, 2013

MMD-0011-2013 - Let's be more serious about (mitigating) DNS Amp ELF hack attack

Background

Consider this as "another" MalwareMustDie's New Year Security Awareness.
We detected an increase in attacks aimed at deploying DNS-Amp tools, specifically the ELF part of the toolset, not necessarily with an automated hacktool but, as the video below shows as evidence, through manual hacking effort.
We bumped into this threat in early November 2013, when our friend @lvdeijk found the set of binaries below in his honeypot:

This turned out to be a set of DNS Amp attack binaries for PE and ELF (see the "ms20" one in the above set).
We investigated the ELF and posted the result in our pastebin here-->>[MMD PASTEBIN].

Reversing shows that the ELF binary has code for DNS amplification, sensitive-information stealing and encryption of the stolen data, but behavior testing did not show any amplification, only beaconing to the mothership, which suggests that the Linux binary is not working as expected by the amateur-wannabe-linux-developer moronz. So we left the case in monitoring status.

After that, other good security people investigated the case, as per the URL references below which explain the threat very well; please take a look at these good posts before continuing to read this one:

http://www.cert.pl/news/7849/langswitch_lang/en
http://remchp.com/blog/?p=52
http://securehoney.net/blog/trojan-horse-uploaded.html#.Ur7xeqX_TZs
https://isc.sans.edu/diary/Unfriendly+crontab+additions/17282

The Bad News is...

However, today we face the fact that not only @lvdeijk is still getting hit by the same attacker, but one of our OTHER friends' honeypots (thx to: @wirehack7) also got hit by the same threat, so we took precautions as a PoC of the attack, and this time everything was well recorded, down to the shell commands used while the attack was in progress, as recorded in the video below:

So the BAD NEWS is.. the threat is active as of Dec 27, 2013, when I write this post! And this threat lives happily ever after, infecting and hacking UNIX environments in many networks on the internet. As most of us in MMD are unixmen we couldn't stand watching this, so hopefully this post will raise MORE awareness of the threat, as we also started the OP for this. I was wondering IF the ELF download source is still up today, so I made a quick check and found positive confirmation; I just grabbed my iPad to make this video as evidence:

Yes the source is still there.

To make it merrier.. as everyone knows, VT shows low detection for these ELF (read: Linux executable binaries) too, as shown in the AV result. It has never reached more than 5 detections so far, and I am starting to wonder why so many Linux AV scanner products cannot detect this. A fact that users must swallow when they expect to detect this on their servers by using such products.

OK. I don't want to argue about any of the signature matters that the AV industry provides, but I must say that ELF is a serious threat that needs to be prioritized more, especially in hack sessions like this. Please think about the big number of users who are actually buying a license per year to protect their servers from threats like this; they deserve BETTER service, so please make more effort to publish your sigs.

Moving on. Just to be sure, I made a quick re-analysis of the new / recent ELF with the details below, using my poor home-brew tool called fileelf, which is actually a bash script that helps me analyze ELF binaries fast. The result is that all functions are identical and the only modification detected was in the destination IP addresses (of the CnC). The logic is all the same: once it starts the daemon it grabs all the info from the environment, and then the series of "communication" begins. Note that the config it created held only its initial values at the first writing, and nothing more than that, so (maybe) one should let this evil tool run longer to monitor and record all of the CnC communication and get a better record of what this tool can actually do.

(! ELF Analysis )

$ fileelf ./disknyp 
./disknyp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped

00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  20 81 04 08 34 00 00 00  |........ ...4...|
00000020  f4 27 12 00 00 00 00 00  34 00 20 00 05 00 28 00  |........4. ...(.|
00000030  1c 00 19 00 01 00 00 00  00 00 00 00 00 80 04 08  |................|
00000040

(ELF Header: )
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2s complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048120
  Start of program headers:          52 (bytes into file)
  Start of section headers:          1189876 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         28
  Section header string table index: 25
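
As an added example (not the fileelf script from this post), the following Python decodes the 52-byte ELF32 header from the hexdump bytes shown above and reproduces the values readelf prints; the trailing 12 bytes of that dump are enough to also recover the type, offset and virtual address of program header 0. The byte string is transcribed from the page; the function names and the sanity checks are my own.

```python
import struct

# Constructed input: the first 64 bytes of ./disknyp, transcribed from the
# hexdump shown in the fileelf output on this page.
DISKNYP_HEAD = bytes.fromhex(
    "7f454c4601010100" "0000000000000000"
    "0200030001000000" "2081040834000000"
    "f427120000000000" "3400200005002800"
    "1c00190001000000" "0000000000800408"
)

ELF_MAGIC = b"\x7fELF"
EI_CLASS32, EI_DATA_LSB = 1, 1
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64"}
P_TYPE = {0: "NULL", 1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE",
          6: "PHDR", 7: "TLS", 0x6474E551: "GNU_STACK"}

EHDR32_FMT = "HHIIIIIHHHHHH"                        # fields after e_ident
EHDR32_SIZE = 16 + struct.calcsize("<" + EHDR32_FMT)  # 52 bytes


def parse_elf32_header(data: bytes) -> dict:
    """Decode the ELF32 file header into the fields readelf -h prints."""
    if len(data) < EHDR32_SIZE:
        raise ValueError("truncated ELF header")
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != EI_CLASS32:
        raise ValueError("only ELF32 is handled here")
    end = "<" if ei_data == EI_DATA_LSB else ">"
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack(end + EHDR32_FMT, data[16:EHDR32_SIZE])
    hdr = {
        "class": "ELF32",
        "data": "little endian" if end == "<" else "big endian",
        "os_abi": data[7],
        "e_type": E_TYPE.get(e_type, hex(e_type)),
        "e_machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "e_version": e_version,
        "e_entry": e_entry,
        "e_phoff": e_phoff,
        "e_shoff": e_shoff,
        "e_flags": e_flags,
        "e_ehsize": e_ehsize,
        "e_phentsize": e_phentsize,
        "e_phnum": e_phnum,
        "e_shentsize": e_shentsize,
        "e_shnum": e_shnum,
        "e_shstrndx": e_shstrndx,
    }
    # Consistency checks a triage script should make before trusting the rest
    # of the file: crafted samples often lie in exactly these fields.
    problems = []
    if e_ehsize != EHDR32_SIZE:
        problems.append("e_ehsize != 52")
    if e_phnum and e_phentsize != 32:
        problems.append("e_phentsize != 32")
    if e_shnum and e_shentsize != 40:
        problems.append("e_shentsize != 40")
    if e_shnum and e_shstrndx >= e_shnum:
        problems.append("e_shstrndx out of range")
    hdr["problems"] = problems
    return hdr


def parse_first_phdr_prefix(data: bytes) -> dict:
    """Decode p_type/p_offset/p_vaddr of program header 0, which is all that
    a 64-byte dump reaches (a full Elf32_Phdr is 32 bytes)."""
    hdr = parse_elf32_header(data)
    end = "<" if hdr["data"] == "little endian" else ">"
    off = hdr["e_phoff"]
    if hdr["e_phnum"] == 0 or len(data) < off + 12:
        raise ValueError("program header 0 not present in the given bytes")
    p_type, p_offset, p_vaddr = struct.unpack(end + "III", data[off:off + 12])
    return {"p_type": P_TYPE.get(p_type, hex(p_type)),
            "p_offset": p_offset, "p_vaddr": p_vaddr}


if __name__ == "__main__":
    for key, val in parse_elf32_header(DISKNYP_HEAD).items():
        print(f"{key:12} {val:#x}" if isinstance(val, int) else f"{key:12} {val}")
    print(parse_first_phdr_prefix(DISKNYP_HEAD))
```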

(Section Headers: )  
(i  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al )
    [ 0]                   NULL            00000000 000000 000000 00      0   0  0
    [ 1] .note.ABI-tag     NOTE            080480d4 0000d4 000020 00   A  0   0  4
    [ 2] .init             PROGBITS        080480f4 0000f4 000017 00  AX  0   0  4
    [ 3] .text             PROGBITS        08048120 000120 0e2200 00  AX  0   0 32
    [ 4] __libc_freeres_fn PROGBITS        0812a320 0e2320 000f6e 00  AX  0   0  4
    [ 5] __libc_thread_fre PROGBITS        0812b290 0e3290 0000e2 00  AX  0   0  4
    [ 6] .fini             PROGBITS        0812b374 0e3374 00001a 00  AX  0   0  4
    [ 7] .rodata           PROGBITS        0812b3a0 0e33a0 020c2e 00   A  0   0 32
    [ 8] __libc_subfreeres PROGBITS        0814bfd0 103fd0 00003c 00   A  0   0  4
    [ 9] __libc_atexit     PROGBITS        0814c00c 10400c 000004 00   A  0   0  4
    [10] __libc_thread_sub PROGBITS        0814c010 104010 000004 00   A  0   0  4
    [11] .eh_frame         PROGBITS        0814c014 104014 016a58 00   A  0   0  4
    [12] .gcc_except_table PROGBITS        08162a6c 11aa6c 004f65 00   A  0   0  4
    [13] .tdata            PROGBITS        08168000 120000 000014 00 WAT  0   0  4
    [14] .tbss             NOBITS          08168014 120014 00001c 00 WAT  0   0  4
    [15] .ctors            PROGBITS        08168014 120014 00002c 00  WA  0   0  4
    [16] .dtors            PROGBITS        08168040 120040 00000c 00  WA  0   0  4
    [17] .jcr              PROGBITS        0816804c 12004c 000004 00  WA  0   0  4
    [18] .data.rel.ro      PROGBITS        08168060 120060 00063c 00  WA  0   0 32
    [19] .got              PROGBITS        0816869c 12069c 00005c 04  WA  0   0  4
    [20] .got.plt          PROGBITS        081686f8 1206f8 00000c 04  WA  0   0  4
    [21] .data             PROGBITS        08168720 120720 001034 00  WA  0   0 32
    [22] .bss              NOBITS          08169760 121754 0091d8 00  WA  0   0 32
    [23] __libc_freeres_pt NOBITS          08172938 121754 000020 00  WA  0   0  4
    [24] .comment          PROGBITS        00000000 121754 000f78 00      0   0  1
    [25] .shstrtab         STRTAB          00000000 1226cc 000126 00      0   0  1
    [26] .symtab           SYMTAB          00000000 122c54 017d80 10     27 1221  4
    [27] .strtab           STRTAB          00000000 13a9d4 0319db 00      0   0  1
  Key to Flags:
    W (write), A (alloc), X (execute), M (merge), S (strings)
    I (info), L (link order), G (group), x (unknown)
    O (extra OS processing required) o (OS specific), p (processor specific)

  There are no section groups in this file.
  
(Program Headers:)
    
(I  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align)
    LOAD           0x000000 0x08048000 0x08048000 0x11f9d1 0x11f9d1 R E 0x1000
    LOAD           0x120000 0x08168000 0x08168000 0x01754 0x0a958 RW  0x1000
    NOTE           0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R   0x4
    TLS            0x120000 0x08168000 0x08168000 0x00014 0x00030 R   0x4
    GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

(Section to Segment mapping:)

Segment Sections...
    00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata 
           __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table 
    01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs 
    02     .note.ABI-tag 
    03     .tdata .tbss 
    04     

 There is no dynamic section in this file.
 There are no relocations in this file.
 There are no unwind sections in this file.
 
(Sections:)
(a Idx Name          Size      VMA       LMA       File off  Algn)
   0 .note.ABI-tag 00000020  080480d4  080480d4  000000d4  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, DATA
   1 .init         00000017  080480f4  080480f4  000000f4  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
   2 .text         000e2200  08048120  08048120  00000120  2**5
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
   3 __libc_freeres_fn 00000f6e  0812a320  0812a320  000e2320  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
   4 __libc_thread_freeres_fn 000000e2  0812b290  0812b290  000e3290  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
   5 .fini         0000001a  0812b374  0812b374  000e3374  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
   6 .rodata       00020c2e  0812b3a0  0812b3a0  000e33a0  2**5
                   CONTENTS, ALLOC, LOAD, READONLY, DATA
   7 __libc_subfreeres 0000003c  0814bfd0  0814bfd0  00103fd0  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, DATA
   8 __libc_atexit 00000004  0814c00c  0814c00c  0010400c  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, DATA
   9 __libc_thread_subfreeres 00000004  0814c010  0814c010  00104010  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, DATA
  10 .eh_frame     00016a58  0814c014  0814c014  00104014  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, DATA
  11 .gcc_except_table 00004f65  08162a6c  08162a6c  0011aa6c  2**2
                   CONTENTS, ALLOC, LOAD, READONLY, DATA
  12 .tdata        00000014  08168000  08168000  00120000  2**2
                   CONTENTS, ALLOC, LOAD, DATA, THREAD_LOCAL
  13 .tbss         0000001c  08168014  08168014  00120014  2**2
                   ALLOC, THREAD_LOCAL
  14 .ctors        0000002c  08168014  08168014  00120014  2**2
                   CONTENTS, ALLOC, LOAD, DATA
  15 .dtors        0000000c  08168040  08168040  00120040  2**2
                   CONTENTS, ALLOC, LOAD, DATA
  16 .jcr          00000004  0816804c  0816804c  0012004c  2**2
                   CONTENTS, ALLOC, LOAD, DATA
  17 .data.rel.ro  0000063c  08168060  08168060  00120060  2**5
                   CONTENTS, ALLOC, LOAD, DATA
  18 .got          0000005c  0816869c  0816869c  0012069c  2**2
                   CONTENTS, ALLOC, LOAD, DATA
  19 .got.plt      0000000c  081686f8  081686f8  001206f8  2**2
                   CONTENTS, ALLOC, LOAD, DATA
  20 .data         00001034  08168720  08168720  00120720  2**5
                   CONTENTS, ALLOC, LOAD, DATA
  21 .bss          000091d8  08169760  08169760  00121754  2**5
                   ALLOC
  22 __libc_freeres_ptrs 00000020  08172938  08172938  00121754  2**2
                   ALLOC
  23 .comment      00000f78  00000000  00000000  00121754  2**0
                   CONTENTS, READONLY
       
(Tables)

 Symbol table '.symtab' contains 6104 entries:
(i    Num:    Value  Size Type    Bind   Vis      Ndx Name)
      0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND 
      1: 080480d4     0 SECTION LOCAL  DEFAULT    1 
      2: 080480f4     0 SECTION LOCAL  DEFAULT    2 
      3: 08048120     0 SECTION LOCAL  DEFAULT    3 
      4: 0812a320     0 SECTION LOCAL  DEFAULT    4 
      5: 0812b290     0 SECTION LOCAL  DEFAULT    5 
      6: 0812b374     0 SECTION LOCAL  DEFAULT    6 
      7: 0812b3a0     0 SECTION LOCAL  DEFAULT    7 
      8: 0814bfd0     0 SECTION LOCAL  DEFAULT    8 
      9: 0814c00c     0 SECTION LOCAL  DEFAULT    9 
     10: 0814c010     0 SECTION LOCAL  DEFAULT   10 
  [...]


     (!DIR / FILES ACCESSED)

      /proc/cpuinfo
      /proc/stat
      /proc/net/dev
      /proc/%d/exe
      /proc/sys/kernel/version
      /proc/sys/kernel/osrelease
      /proc/self/maps
      /proc/sys/kernel/ngroups_max
      /proc/sys/kernel/rtsig-max
      /proc/self/exe
      /proc/net

      /proc/net/dev
      /dev/null
      /dev/tty
      /dev/log
      /dev/console
  
      /usr/lib/locale
      /usr/lib/locale/locale-archive
      /usr/share/locale
      /usr/share/locale
      /usr/share/zoneinfo
      /usr/libexec/getconf
      /usr/lib/gconv
      /usr/lib/gconv/gconv-modules.cache
      /usr/lib/

      /etc/localtime
      /etc/mtab
      /etc/fstab
      /etc/suid-debug
      /etc/resolv.conf
      /etc/host.conf
      /etc/nsswitch.conf
      /etc/ld.so.cache
So we see what the binary is all about. Below are some disassembly traces, which confirm the previous analysis made by many good people, so I won't make more unnecessary comments and will just paste my dumps below:
(!Daemon was initialized here)

$ cat dump |grep _ZN9CStatBase10InitializeEv
   80498e3: e8 f0 a9 00 00        call   80542d8 (_ZN9CStatBase10InitializeEv)

   080542d8 (_ZN9CStatBase10InitializeEv):
    80542d8:       55                      push   %ebp
    80542d9:       89 e5                   mov    %esp,%ebp
    80542db:       83 ec 08                sub    $0x8,%esp
    80542de:       83 ec 0c                sub    $0xc,%esp
    80542e1:       ff 75 08                pushl  0x8(%ebp)
    80542e4:       e8 cb f8 ff ff          call   8053bb4 (_ZN9CStatBase13GetSysVersionEv)
    80542e9:       83 c4 10                add    $0x10,%esp
    80542ec:       83 ec 0c                sub    $0xc,%esp
    80542ef:       ff 75 08                pushl  0x8(%ebp)
    80542f2:       e8 1f f9 ff ff          call   8053c16 (_ZN9CStatBase9GetCpuSpdEv)
    80542f7:       83 c4 10                add    $0x10,%esp
    80542fa:       83 ec 0c                sub    $0xc,%esp
    80542fd:       ff 75 08                pushl  0x8(%ebp)
    8054300:       e8 49 fa ff ff          call   8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
    8054305:       83 c4 10                add    $0x10,%esp
    8054308:       83 ec 0c                sub    $0xc,%esp
    805430b:       ff 75 08                pushl  0x8(%ebp)
    805430e:       e8 a1 ff ff ff          call   80542b4 (_ZN9CStatBase13InitGetNetUseEv)
    8054313:       83 c4 10                add    $0x10,%esp
    8054316:       c9                      leave  
    8054317:       c3                      ret    

(!System call grabs listed)

 80498e3: e8 f0 a9 00 00        call   80542d8 (_ZN9CStatBase10InitializeEv)
 804abf9: e8 ea 0b 00 00        call   804b7e8 (_ZN9CStatBase10SysVersionEv)
 804ac1c: e8 df 0b 00 00        call   804b800 (_ZN9CStatBase6CpuSpdEv)
0804b7e8 (_ZN9CStatBase10SysVersionEv):
0804b800 (_ZN9CStatBase6CpuSpdEv):
08053b40 (_ZN9CStatBaseC1Ev):
08053b62 (_ZN9CStatBaseC2Ev):
08053b84 (_ZN9CStatBaseD2Ev):
08053b9c (_ZN9CStatBaseD1Ev):
08053bb4 (_ZN9CStatBase13GetSysVersionEv):
08053c16 (_ZN9CStatBase9GetCpuSpdEv):
 8053c65: e9 b3 00 00 00        jmp    8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
 8053ce6: 75 35                 jne    8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
 8053d1b: eb 29                 jmp    8053d46 (_ZN9CStatBase9GetCpuSpdEv+0x130)
 8053d32: 0f 85 32 ff ff ff     jne    8053c6a (_ZN9CStatBase9GetCpuSpdEv+0x54)
08053d4e (_ZN9CStatBase13InitGetCPUUseEv):
08053db0 (_ZN9CStatBase9GetCPUUseEv):
 8053e91: 75 22                 jne    8053eb5 (_ZN9CStatBase9GetCPUUseEv+0x105)
 8053eb0: e9 8b 01 00 00        jmp    8054040 (_ZN9CStatBase9GetCPUUseEv+0x290)
080542b4 (_ZN9CStatBase13InitGetNetUseEv):
080542d8 (_ZN9CStatBase10InitializeEv):
 80542e4: e8 cb f8 ff ff        call   8053bb4 (_ZN9CStatBase13GetSysVersionEv)
 80542f2: e8 1f f9 ff ff        call   8053c16 (_ZN9CStatBase9GetCpuSpdEv)
 8054300: e8 49 fa ff ff        call   8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
 805430e: e8 a1 ff ff ff        call   80542b4 (_ZN9CStatBase13InitGetNetUseEv)
08054318 (_ZN9CStatBase9GetNetUseEv):
 8054353: 75 09                 jne    805435e (_ZN9CStatBase9GetNetUseEv+0x46)
 805435c: eb 75                 jmp    80543d3 (_ZN9CStatBase9GetNetUseEv+0xbb)
 80543ec: e8 ab f7 ff ff        call   8053b9c (_ZN9CStatBaseD1Ev)
 8054419: e8 22 f7 ff ff        call   8053b40 (_ZN9CStatBaseC1Ev)
 805cbba: e8 59 77 ff ff        call   8054318 (_ZN9CStatBase9GetNetUseEv)
 805cbcd: e8 de 71 ff ff        call   8053db0 (_ZN9CStatBase9GetCPUUseEv)

 (!Total SysGrabsCalls)

 $ cat dump |grep ZN9C     
  8048523: e8 e2 4d 01 00        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
  8048550: e8 15 4e 01 00        call   805d36a (_ZN9CAutoLockD1Ev)
  804856d: e8 f8 4d 01 00        call   805d36a (_ZN9CAutoLockD1Ev)
  8048913: e8 f2 49 01 00        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
  804893b: e8 2a 4a 01 00        call   805d36a (_ZN9CAutoLockD1Ev)
  8048958: e8 0d 4a 01 00        call   805d36a (_ZN9CAutoLockD1Ev)
  80498e3: e8 f0 a9 00 00        call   80542d8 (_ZN9CStatBase10InitializeEv)
  80498f3: e8 92 97 00 00        call   805308a (_ZN9CServerIP10InitializeEv)
  804997e: e8 87 39 01 00        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
  8049a02: e8 63 39 01 00        call   805d36a (_ZN9CAutoLockD1Ev)
  8049a25: e8 e0 38 01 00        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
  8049bcc: e8 99 37 01 00        call   805d36a (_ZN9CAutoLockD1Ev)
  8049be9: e8 7c 37 01 00        call   805d36a (_ZN9CAutoLockD1Ev)
  804a0a8: e8 d1 16 00 00        call   804b77e (_ZN9CTaskInfoD1Ev)
  804a0c6: e8 b3 16 00 00        call   804b77e (_ZN9CTaskInfoD1Ev)
  804a242: e8 37 15 00 00        call   804b77e (_ZN9CTaskInfoD1Ev)
  804a260: e8 19 15 00 00        call   804b77e (_ZN9CTaskInfoD1Ev)
  804a465: e8 5c 34 00 00        call   804d8c6 (_ZN9CLoopTaskC1Ev)
  804a908: e8 55 5a 00 00        call   8050362 (_ZN9CServerIP7ServersEv)
  804abf9: e8 ea 0b 00 00        call   804b7e8 (_ZN9CStatBase10SysVersionEv)
  804ac1c: e8 df 0b 00 00        call   804b800 (_ZN9CStatBase6CpuSpdEv)
  804b20d: e8 1c 05 00 00        call   804b72e (_ZN9CTaskInfoC1Ev)
  804b2dd: e8 9c 04 00 00        call   804b77e (_ZN9CTaskInfoD1Ev)
  804b42f: e8 fa 02 00 00        call   804b72e (_ZN9CTaskInfoC1Ev)
  804b4ff: e8 7a 02 00 00        call   804b77e (_ZN9CTaskInfoD1Ev)
 0804b72e (_ZN9CTaskInfoC1Ev):
 0804b77e (_ZN9CTaskInfoD1Ev):
 0804b7e8 (_ZN9CStatBase10SysVersionEv):
 0804b800 (_ZN9CStatBase6CpuSpdEv):
  804c145: e8 c0 11 01 00        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
  804c161: e8 04 12 01 00        call   805d36a (_ZN9CAutoLockD1Ev)
 0804d854 (_ZN9CLoopTaskD1Ev):
  804d893: e8 bc ff ff ff        call   804d854 (_ZN9CLoopTaskD1Ev)
 0804d8c6 (_ZN9CLoopTaskC1Ev):
  804ec61: e8 a4 e6 00 00        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
  804ecc9: e8 9c e6 00 00        call   805d36a (_ZN9CAutoLockD1Ev)
  804ece6: e8 7f e6 00 00        call   805d36a (_ZN9CAutoLockD1Ev)
 08050362 (_ZN9CServerIP7ServersEv):
  8050d39: e8 cc c5 00 00        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
  8050d98: e8 cd c5 00 00        call   805d36a (_ZN9CAutoLockD1Ev)
  8050db5: e8 b0 c5 00 00        call   805d36a (_ZN9CAutoLockD1Ev)
 0805302a (_ZN9CServerIPD1Ev):
 08053042 (_ZN9CServerIPD2Ev):
 0805305a (_ZN9CServerIPC1Ev):
 08053072 (_ZN9CServerIPC2Ev):
 
 0805308a (_ZN9CServerIP10InitializeEv):
  8053168: eb 52                 jmp    80531bc (_ZN9CServerIP10InitializeEv+0x132)
  805318b: eb 06                 jmp    8053193 (_ZN9CServerIP10InitializeEv+0x109)
  80531de: e8 47 fe ff ff        call   805302a (_ZN9CServerIPD1Ev)
  805320b: e8 4a fe ff ff        call   805305a (_ZN9CServerIPC1Ev)
 08053b40 (_ZN9CStatBaseC1Ev):
 08053b62 (_ZN9CStatBaseC2Ev):
 08053b84 (_ZN9CStatBaseD2Ev):
 08053b9c (_ZN9CStatBaseD1Ev):
 08053bb4 (_ZN9CStatBase13GetSysVersionEv):
 08053c16 (_ZN9CStatBase9GetCpuSpdEv):
  8053c65: e9 b3 00 00 00        jmp    8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
  8053ce6: 75 35                 jne    8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
  8053d1b: eb 29                 jmp    8053d46 (_ZN9CStatBase9GetCpuSpdEv+0x130)
  8053d32: 0f 85 32 ff ff ff     jne    8053c6a (_ZN9CStatBase9GetCpuSpdEv+0x54)
 08053d4e (_ZN9CStatBase13InitGetCPUUseEv):
 08053db0 (_ZN9CStatBase9GetCPUUseEv):
  8053e91: 75 22                 jne    8053eb5 (_ZN9CStatBase9GetCPUUseEv+0x105)
  8053eb0: e9 8b 01 00 00        jmp    8054040 (_ZN9CStatBase9GetCPUUseEv+0x290)
 080542b4 (_ZN9CStatBase13InitGetNetUseEv):
 080542d8 (_ZN9CStatBase10InitializeEv):
  80542e4: e8 cb f8 ff ff        call   8053bb4 (_ZN9CStatBase13GetSysVersionEv)
  80542f2: e8 1f f9 ff ff        call   8053c16 (_ZN9CStatBase9GetCpuSpdEv)
  8054300: e8 49 fa ff ff        call   8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
  805430e: e8 a1 ff ff ff        call   80542b4 (_ZN9CStatBase13InitGetNetUseEv)
 08054318 (_ZN9CStatBase9GetNetUseEv):
  8054353: 75 09                 jne    805435e (_ZN9CStatBase9GetNetUseEv+0x46)
  805435c: eb 75                 jmp    80543d3 (_ZN9CStatBase9GetNetUseEv+0xbb)
  80543ec: e8 ab f7 ff ff        call   8053b9c (_ZN9CStatBaseD1Ev)
  8054419: e8 22 f7 ff ff        call   8053b40 (_ZN9CStatBaseC1Ev)
  805558a: e8 05 2e 00 00        call   8058394 (_ZN9CCrossPktC1Ev)
  8055704: e8 c7 2c 00 00        call   80583d0 (_ZN9CCrossPktD1Ev)
  8055727: e8 a4 2c 00 00        call   80583d0 (_ZN9CCrossPktD1Ev)
 08058394 (_ZN9CCrossPktC1Ev):
 080583d0 (_ZN9CCrossPktD1Ev):
  80583f6: e8 d5 ff ff ff        call   80583d0 (_ZN9CCrossPktD1Ev)
  80587e0: e8 6f 50 ff ff        call   804d854 (_ZN9CLoopTaskD1Ev)
 08059b3c (_ZN9CCrossPktaSERKS_):
  8059bd9: e8 5e ff ff ff        call   8059b3c (_ZN9CCrossPktaSERKS_)
  8059e5d: e8 da fc ff ff        call   8059b3c (_ZN9CCrossPktaSERKS_)

  0805a028 (_ZN9CCrossPktC1ERKS_):
   805a0a3: e8 80 ff ff ff        call   805a028 (_ZN9CCrossPktC1ERKS_)
   805a101: e8 22 ff ff ff        call   805a028 (_ZN9CCrossPktC1ERKS_)
   805a1ee: e8 61 36 ff ff        call   804d854 (_ZN9CLoopTaskD1Ev)
   805a37a: e8 51 e0 ff ff        call   80583d0 (_ZN9CCrossPktD1Ev)
   805a583: e8 a0 fa ff ff        call   805a028 (_ZN9CCrossPktC1ERKS_)
   805a5f8: e8 3f f5 ff ff        call   8059b3c (_ZN9CCrossPktaSERKS_)
   805a615: e8 b6 dd ff ff        call   80583d0 (_ZN9CCrossPktD1Ev)
   805a638: e8 93 dd ff ff        call   80583d0 (_ZN9CCrossPktD1Ev)
  0805b086 (_ZN9CLoopTaskaSERKS_):
   805b121: e8 60 ff ff ff        call   805b086 (_ZN9CLoopTaskaSERKS_)
   805b3a5: e8 dc fc ff ff        call   805b086 (_ZN9CLoopTaskaSERKS_)
  0805b5a8 (_ZN9CLoopTaskC1ERKS_):
   805b621: e8 82 ff ff ff        call   805b5a8 (_ZN9CLoopTaskC1ERKS_)
   805b67f: e8 24 ff ff ff        call   805b5a8 (_ZN9CLoopTaskC1ERKS_)
   805b843: e8 60 fd ff ff        call   805b5a8 (_ZN9CLoopTaskC1ERKS_)
   805b8b8: e8 c9 f7 ff ff        call   805b086 (_ZN9CLoopTaskaSERKS_)
   805b8d5: e8 7a 1f ff ff        call   804d854 (_ZN9CLoopTaskD1Ev)
   805b8f8: e8 57 1f ff ff        call   804d854 (_ZN9CLoopTaskD1Ev)
   805cbba: e8 59 77 ff ff        call   8054318 (_ZN9CStatBase9GetNetUseEv)
   805cbcd: e8 de 71 ff ff        call   8053db0 (_ZN9CStatBase9GetCPUUseEv)
  0805d2d4 (_ZN9CAutoLockC2EP12CThreadMutexb):
   805d2f5: 74 11                 je     805d308 (_ZN9CAutoLockC2EP12CThreadMutexb+0x34)
  0805d30a (_ZN9CAutoLockC1EP12CThreadMutexb):
   805d32b: 74 11                 je     805d33e (_ZN9CAutoLockC1EP12CThreadMutexb+0x34)
  0805d340 (_ZN9CAutoLock6UnlockEv):
   805d34e: 74 18                 je     805d368 (_ZN9CAutoLock6UnlockEv+0x28)
  0805d36a (_ZN9CAutoLockD1Ev):
   805d376: e8 c5 ff ff ff        call   805d340 (_ZN9CAutoLock6UnlockEv)
  0805d380 (_ZN9CAutoLockD2Ev):
   805d38c: e8 af ff ff ff        call   805d340 (_ZN9CAutoLock6UnlockEv)
   805dc03: e8 02 f7 ff ff        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
   805dc4d: e8 18 f7 ff ff        call   805d36a (_ZN9CAutoLockD1Ev)
   805dc6c: e8 99 f6 ff ff        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
   805dc84: e8 e1 f6 ff ff        call   805d36a (_ZN9CAutoLockD1Ev)
   805dca7: e8 5e f6 ff ff        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
   805dcdc: e8 89 f6 ff ff        call   805d36a (_ZN9CAutoLockD1Ev)
   805dcfa: e8 0b f6 ff ff        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
   805dd12: e8 53 f6 ff ff        call   805d36a (_ZN9CAutoLockD1Ev)
   805e05d: e8 a8 f2 ff ff        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
   805e3da: e8 8b ef ff ff        call   805d36a (_ZN9CAutoLockD1Ev)
   805e3fd: e8 68 ef ff ff        call   805d36a (_ZN9CAutoLockD1Ev)
   8061161: e8 a4 c1 ff ff        call   805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
   80611b7: e8 ae c1 ff ff        call   805d36a (_ZN9CAutoLockD1Ev)
   80611d4: e8 91 c1 ff ff        call   805d36a (_ZN9CAutoLockD1Ev)

(!DECRYPTOR CALLS)

0806199c (_ZN8CUtility7DeCryptEPciPKci):
 80619a9: eb 37                 jmp    80619e2 (_ZN8CUtility7DeCryptEPciPKci+0x46)
 80619b3: 74 15                 je     80619ca (_ZN8CUtility7DeCryptEPciPKci+0x2e)
 80619c8: eb 13                 jmp    80619dd (_ZN8CUtility7DeCryptEPciPKci+0x41)
 80619e8: 7d 14                 jge    80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
 80619f0: 7d 0c                 jge    80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
 80619fc: 75 ad                 jne    80619ab (_ZN8CUtility7DeCryptEPciPKci+0xf)

 (Func_Details:)

0806199c (_ZN8CUtility7DeCryptEPciPKci):
 806199c:       55                      push   %ebp
 806199d:       89 e5                   mov    %esp,%ebp
 806199f:       83 ec 10                sub    $0x10,%esp
 80619a2:       c7 45 fc 00 00 00 00    movl   $0x0,-0x4(%ebp)
 80619a9:       eb 37                   jmp    80619e2 (_ZN8CUtility7DeCryptEPciPKci+0x46)
 80619ab:       8b 45 fc                mov    -0x4(%ebp),%eax
 80619ae:       83 e0 01                and    $0x1,%eax
 80619b1:       84 c0                   test   %al,%al
 80619b3:       74 15                   je     80619ca (_ZN8CUtility7DeCryptEPciPKci+0x2e)
 80619b5:       8b 45 fc                mov    -0x4(%ebp),%eax
 80619b8:       89 c2                   mov    %eax,%edx
 80619ba:       03 55 08                add    0x8(%ebp),%edx
 80619bd:       8b 45 fc                mov    -0x4(%ebp),%eax
 80619c0:       03 45 10                add    0x10(%ebp),%eax
 80619c3:       8a 00                   mov    (%eax),%al
 80619c5:       40                      inc    %eax
 80619c6:       88 02                   mov    %al,(%edx)
 80619c8:       eb 13                   jmp    80619dd (_ZN8CUtility7DeCryptEPciPKci+0x41)
 80619ca:       8b 45 fc                mov    -0x4(%ebp),%eax
 80619cd:       89 c2                   mov    %eax,%edx
 80619cf:       03 55 08                add    0x8(%ebp),%edx
 80619d2:       8b 45 fc                mov    -0x4(%ebp),%eax
 80619d5:       03 45 10                add    0x10(%ebp),%eax
 80619d8:       8a 00                   mov    (%eax),%al
 80619da:       48                      dec    %eax
 80619db:       88 02                   mov    %al,(%edx)
 80619dd:       8d 45 fc                lea    -0x4(%ebp),%eax
 80619e0:       ff 00                   incl   (%eax)
 80619e2:       8b 45 fc                mov    -0x4(%ebp),%eax
 80619e5:       3b 45 14                cmp    0x14(%ebp),%eax
 80619e8:       7d 14                   jge    80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
 80619ea:       8b 45 fc                mov    -0x4(%ebp),%eax
 80619ed:       3b 45 0c                cmp    0xc(%ebp),%eax
 80619f0:       7d 0c                   jge    80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
 80619f2:       8b 45 fc                mov    -0x4(%ebp),%eax
 80619f5:       03 45 10                add    0x10(%ebp),%eax
 80619f8:       8a 00                   mov    (%eax),%al
 80619fa:       84 c0                   test   %al,%al
 80619fc:       75 ad                   jne    80619ab (_ZN8CUtility7DeCryptEPciPKci+0xf)
 80619fe:       c9                      leave  
 80619ff:       c3                      ret    
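
As an added example (not code from this post or from the malware), the following Python reimplements the byte loop from the CUtility::DeCrypt(char*, int, const char*, int) disassembly above, so the transform can be checked against constructed test vectors: even-indexed bytes are decremented, odd-indexed bytes incremented, and the loop stops at the first NUL in the encoded input, at the input length or at the output length. The argument names, the inverse function and the sample plaintext are my assumptions.

```python
# Mirror of the disassembled loop. Stack slots in the listing map to:
#   0x8(%ebp)  -> out (char*)      0xc(%ebp)  -> out_len (int)
#   0x10(%ebp) -> src (const char*) 0x14(%ebp) -> in_len (int)

def decrypt(src: bytes, out_len: int, in_len: int = -1) -> bytes:
    """out[i] = src[i] + 1 for odd i, src[i] - 1 for even i (mod 256)."""
    if in_len < 0:
        in_len = len(src)
    in_len = min(in_len, len(src))   # never read past the buffer we were given
    out = bytearray()
    i = 0
    # 80619e2..80619fc: loop while i < in_len, i < out_len and src[i] != 0.
    # The NUL test is on the *encoded* input, so this only suits string data.
    while i < in_len and i < out_len and src[i] != 0:
        if i & 1:
            out.append((src[i] + 1) & 0xFF)   # 80619b5..80619c6: odd -> inc
        else:
            out.append((src[i] - 1) & 0xFF)   # 80619ca..80619db: even -> dec
        i += 1
    # Note: like the original, the output is not NUL-terminated here.
    return bytes(out)


def encrypt(plain: bytes) -> bytes:
    """Inverse transform (assumed, derived from decrypt): handy for building
    test vectors when verifying a decoder against a sample's config blob."""
    return bytes(((b - 1) if i & 1 else (b + 1)) & 0xFF
                 for i, b in enumerate(plain))


# Constructed sample, not a real CnC value from the sample on this page.
SAMPLE_PLAINTEXT = b"10.0.0.1:53"

if __name__ == "__main__":
    enc = encrypt(SAMPLE_PLAINTEXT)
    print(enc.hex(), "->", decrypt(enc, 64))
```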
These are the format-string templates used to place the grabbed data into variables:
(i IP ADDRESSES:PORT)
 %s:%s
 %d:%d
 
(i CPU Information)

 cpu MHz         : %d.%d
 cpu %llu %llu %llu %llu

(i System Variables)

 %s %llu %llu %llu %llu
 %7s %llu %lu %lu %lu %lu %lu %lu %lu %llu %lu %lu %lu %lu %lu %lu %lu
 (%d)
 [ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s
 %02x
 %lld
 %d.%d.%d.%d
 /proc/%d/exe
 %m/%d/%y
 %H:%M
 %H:%M:%S

(i Memory matters, Syslog, files, etc)

 Arena %d:
 system bytes     = %10u
 in use bytes     = %10u
 max mmap regions = %10u
 max mmap bytes   = %10lu

 log: unknown facility/priority: %x
 MemTotal: %ld kB
 MemFree: %ld kB
 %d.%d.%d.%d
 opening file=%s [%lu]; direct_opencount=%u
 calling fini: %s [%lu]
 closing file=%s; direct_opencount=%u
 file=%s [%lu];  destroying link map
 %a %b %e %H:%M:%S %Y

*) NOTED: I dumped a very long disasm listing;
   all of it matches the previous analysis by
   us and by others.
Moving along, I used my previous test bed. I am a BSD guy, so if I have to use Linux it is going to be Slackware (read: Linux), with some libs & patches added to its environment to make some evil binaries run as in heaven. So I ran it to PoC some functions, and below are officially some notes that I took; this shows a great deal about the source of the CNC:
 (!BEHAV)
 // Without permission....fail1 ** SELINUX **

 [001a57a2] execve("./disknyp", ["./disknyp"], [/* 21 vars */]) = -1 EACCES (Permission denied)
 [001a57a2] dup(2)                       = 3
 [001a57a2] fcntl64(3, F_GETFL)          = 0x8002 (flags O_RDWR|O_LARGEFILE)
 [001a57a2] fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
 [001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fb8000
 [001a57a2] _llseek(3, 0, 0xbff64900, SEEK_CUR) = -1 ESPIPE (Illegal seek)
 [001a57a2] write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied) = 32
 [001a57a2] close(3)                     = 0
 [001a57a2] munmap(0xb7fb8000, 4096)     = 0
 [001a57a2] exit_group(1)                = ?

 // Without permission....fail2 ** $ENV matters, no biggies.. **

 [001a57a2] execve("./disknyp", ["./disknyp"], [/* 20 vars */]) = -1 EACCES (Permission denied)
 [001a57a2] dup(2)                       = 3
 [001a57a2] fcntl64(3, F_GETFL)          = 0x8002 (flags O_RDWR|O_LARGEFILE)
 [001a57a2] fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
 [001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f64000
 [001a57a2] _llseek(3, 0, 0xbff40920, SEEK_CUR) = -1 ESPIPE (Illegal seek)
 [001a57a2] write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied) = 32
 [001a57a2] close(3)                     = 0
 [001a57a2] munmap(0xb7f64000, 4096)     = 0
 [001a57a2] exit_group(1)                = ?

 // With permission... :-))
 
 [001a57a2] execve("./disknyp", ["./disknyp"], [/* 21 vars */]) = 0
 [080f30cd] uname({sys="Linux", node="diemoronz.mmd.org", ...}) = 0
 [08114ece] brk(0)                       = 0x906e000
 [08114ece] brk(0x906ec90)               = 0x906ec90
 [080caaef] set_thread_area({entry_number:-1 -> 6, base_addr:0x906e830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
 [0806500d] set_tid_address(0x906e878)   = 7390
 [080652c9] rt_sigaction(SIGRTMIN, {0x8064f18, [], SA_RESTORER|SA_SIGINFO, 0x8065240}, NULL, 8) = 0
 [080652c9] rt_sigaction(SIGRT_1, {0x8064f80, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x8065240}, NULL, 8) = 0
 [080650c5] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
 [080f4045] getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
 [080f5b37] _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfecb0d0, 30, (nil), 0}) = 0
 [08114ece] brk(0x908fc90)               = 0x908fc90
 [08114ece] brk(0x9090000)               = 0x9090000
 [0806377e] open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
 [080f3b7d] fstat64(3, {st_mode=S_IFREG|0644, st_size=48524976, ...}) = 0
 [080f4d8a] mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7dd7000
 [080f4d8a] mmap2(NULL, 888832, PROT_READ, MAP_PRIVATE, 3, 0x162) = 0xb7cfe000
 [080f4d8a] mmap2(NULL, 208896, PROT_READ, MAP_PRIVATE, 3, 0x2b2) = 0xb7ccb000
 [080f4d8a] mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0x21fd) = 0xb7cca000
 [080cc3e9] close(3)                     = 0
 [08114ece] brk(0x90b4000)               = 0x90b4000
 [08064ebc] futex(0x816980c, FUTEX_WAKE, 2147483647) = 0
 [08114ece] brk(0x90d5000)               = 0x90d5000
 [08114b6c] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x906e878) = 7391
 [080f30e7] exit_group(0)                = ?

 (!PS blah..)

  7297 ?        S      0:00 /bin/sh
  7391 ?        Ssl    0:00 ./disknyp  <== See its PID (point of this ps buff)
  7434 pts/0    R+     0:00 ps ax
 
 (!NETSTAT)
 
 $ netstat -napt
 (Not all processes could be identified, non-owned process info
  will not be shown, you would have to be root to see it all.)
 Active Internet connections (servers and established)

 Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name 
----------------------------------------------------------------------------------------------------------  
 tcp        0      0 127.0.0.1:xxx                0.0.0.0:*                   LISTEN      -                   
 tcp        0      0 127.0.0.1:xxx                0.0.0.0:*                   LISTEN      -                   
 tcp        0     27 diemoronz.mmd.org:39445     190.115.20.27:59870         ESTABLISHED 7391/disknyp        

 (!LSOF)

 disknyp    7391    cwd       DIR        3,3     4096     343393 /home/%USER%/TRANSIT/TMP/markusELF
 disknyp    7391    rtd       DIR        3,3     4096          2 /
 disknyp    7391    txt       REG        3,3  1491887     343395 /home/%USER%/TRANSIT/TMP/markusELF/disknyp
 disknyp    7391    mem       REG        3,3   112260    1537133 /lib/ld-2.3.4.so
 disknyp    7391    mem       REG        3,3  1547732    1537211 /lib/tls/libc-2.3.4.so
 disknyp    7391    mem       REG        3,3    47468    1537158 /lib/libnss_files-2.3.4.so
 disknyp    7391    mem       REG        3,3 48524976    2068507 /usr/lib/locale/locale-archive
 disknyp    7391    0u      CHR        1,3                2034 /dev/null
 disknyp    7391    1u      CHR        1,3                2034 /dev/null
 disknyp    7391    2u      CHR        1,3                2034 /dev/null
 disknyp    7391    3u     IPv4     905808                 TCP diemoronz:39445->ddos-guard.net:59870 (ESTABLISHED)
 $ 

(!CONFIGS)
// This is where they put default port range and bind IP for the overall process:

$ cat fake.cfg 
 0
 127.0.0.1:127.0.0.1
 10000:60000
So, as shown above, the CNC is "ddos-guard.net" at 190.115.20.27:59870.. sounds spooky, isn't it? For the domain name of a DNS Amp's CnC.. things are starting to smell stink indeed..go figure.

DNS-Amp CNC Traffic

Below is the CnC (corrected after internal discussion w/ @sempersecurus) traffic recorded; note the PUSH-ACK with the certain length in the sent packet. The globs of 0x00 packets look like they are poking the mothership. For the LE, an important note here: if there is a transmitter there should be a receiver to dig at 190.115.20.27, and you can get the full set of crime evidence.

Conclusion and Mitigation

Again. The point of this post is: the download source is ALIVE currently:

$ wget h00p://198.2.192.204:22/disknyp -O ./samplexxx
--2013-12-29 00:54:56--  h00p://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1491887 (1.4M) [application/octet-stream]
Saving to: './samplexxx'
100%[================>] 1,491,887    174KB/s   in 7.7s   
2013-12-29 00:55:04 (190 KB/s) - './samplexxx' saved [1491887/1491887]
And the CnC is running too:
PROT LOCAL                      REMOTE                  STATUS PID / BINARY NAME
---------------------------------------------------------------------------------
tcp diemoronz.mmd.org:39445     190.115.20.27:59870     ESTABLISHED 7391/disknyp
To be blocked/mitigated, PLEASE COLLECT THESE THREE SETS OF INFORMATION IN EVERY I.R FOR THIS CASE:
198.2.192.204:22 (Download SourceIP = Hacked Site)
190.115.20.27:59870 (CnC, Could be Proxied)
218.28.116.227 (Hack source IP)
At least this is the third time we see it downloading the ELF ones via x.x.x.x:TCP/22 and connecting to the CNC at this IP:PORT --> x.x.x.x:TCP/59870. So I really hope regex blocking for the download of these binaries & the CnC connection can be produced ASAP as IDS product sigs (i.e.: Emerging Threats, Squid ACL filter, Snort/VRT or Nessus).
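As an added example (not MalwareMustDie's code or tooling), here is the triage and mitigation data above turned into defender-side detection: a Python script that flags the CnC endpoint and download source quoted in this post, plus the generic pattern behind them (an ESTABLISHED connection to TCP/59870, an HTTP fetch from a host on TCP/22) in netstat -napt output and in a proxy-log line shape. The proxy-log format, the sample lines and the 10.0.0.5 / 203.0.113.x addresses are assumptions constructed for the example.

```python
import re
# Indicators quoted in the post above (the IP:port values are the post's own).
CNC_ENDPOINTS = {("190.115.20.27", 59870)}    # CnC (could be proxied)
DOWNLOAD_SOURCES = {("198.2.192.204", 22)}    # download source (hacked site)
CNC_PORT, DOWNLOAD_PORT = 59870, 22            # CnC port seen 3x; HTTP on TCP/22 is itself odd

# netstat -napt line: proto recv-q send-q local:port remote:port state pid/prog
NETSTAT_RE = re.compile(
    r"^\s*tcp\s+\d+\s+\d+\s+(\S+?):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)\s+(\S+)")
# Assumed proxy-log shape: "<client> GET http://<ip>:<port>/<path> <status>"
HTTP_RE = re.compile(r"^(\S+)\s+GET\s+https?://(\d+\.\d+\.\d+\.\d+):(\d+)/(\S*)\s+(\d+)")

def check_netstat_line(line):
    # Returns an alert string for a suspicious connection, else None.
    m = NETSTAT_RE.match(line)
    if m is None:
        return None
    _local, _lport, rip, rport, state, prog = m.groups()
    rport = int(rport)
    if (rip, rport) in CNC_ENDPOINTS:
        return f"KNOWN-CNC {prog} -> {rip}:{rport} ({state})"
    if rport == CNC_PORT and state == "ESTABLISHED":
        return f"CNC-PORT {prog} -> {rip}:{rport} (same port, possibly a proxied CnC)"
    return None

def check_http_line(line):
    # Returns an alert string for a suspicious HTTP fetch, else None.
    m = HTTP_RE.match(line)
    if m is None:
        return None
    client, ip, port, path, _status = m.groups()
    port = int(port)
    if (ip, port) in DOWNLOAD_SOURCES:
        return f"KNOWN-DROP-SITE {client} fetched /{path} from {ip}:{port}"
    if port == DOWNLOAD_PORT:
        return f"HTTP-ON-22 {client} fetched /{path} from {ip}:{port}"
    return None

def scan(lines):
    # Run both checks over mixed log lines; alerts come back in input order.
    return [a for a in (check_netstat_line(ln) or check_http_line(ln) for ln in lines) if a]

# Constructed sample input modelled on the post's netstat and wget output.
SAMPLE = [
    "tcp        0     27 diemoronz.mmd.org:39445     190.115.20.27:59870         ESTABLISHED 7391/disknyp",
    "tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -",
    "tcp        0      0 10.0.0.5:44121              203.0.113.9:59870           ESTABLISHED 1300/disknyp",
    "10.0.0.5 GET http://198.2.192.204:22/disknyp 200",
    "10.0.0.5 GET http://203.0.113.10:22/x 200",
    "10.0.0.5 GET http://203.0.113.10:80/index.html 200",
]
```

Running `scan(SAMPLE)` yields four alerts (known CnC, same-port CnC, known drop site, HTTP on TCP/22) and stays silent on the loopback listener and the ordinary port-80 fetch.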

Suspect Information of DNS-Amp Coder

As written above we raised an OP for this threat, and now it is up to the LE to move; below is the ID of the coder. It is positive: you can find him in the snipped moronz forum below or in DK, and he is bragging about this "amplification" tool. As this intelligence information is added to this post, our moronz is so busy deleting his trails and the threads he posted in many forums ;-)) so below are some of the many snapshots we took.
Since this prick is starting to delete his thread activities..

ps: Don't make us paste the DK posts here..

We really hope LE will mark the guy and this crime into his sin-list, and believe me this attack is a positive hack effort, so it is not that difficult to link all of the data gathered in this post to the moronz whose ID we spotted above.

So, is the hacker coming back after that?

The answer is YES, and below is his action in "implementing" more shits in our team's trap-box. Some moronz just won't learn to stop. It is a moronz sickness..

Stay safe during the new year, and check your logs for similar ssh hack patterns.

#MalwareMustDie!

1 comment:

  1. I will release fileelf in the MalwareMustDie Google Code Project once it is more stable.
    The bash platform is not enough and I am currently coding a C program for it.
    Stay tuned.