Background
Consider this "another" MalwareMustDie New Year security awareness post.
We have detected an increase in hacking attacks that install DNS amplification (DNS-Amp) tools, specifically the ELF part of those toolsets. This is not necessarily done with an automated hacktool: the video below is evidence of the manual hacking effort.
We bumped into this threat in early November 2013, when our friend @lvdeijk found the set of binaries below in his honeypot:
This turned out to be a set of DNS Amp attack binaries for PE and ELF (see the "ms20" one in the set above).
We investigated the ELF and posted our notes in our pastebin here: [MMD PASTEBIN].
Reversing shows that the ELF binary contains code for DNS amplification, for stealing sensitive information and for encrypting that data, but behavior testing showed no amplification at all, only beaconing to the mothership, which suggests the Linux binary was not working as intended by its amateur wannabe-Linux-developer moronz. So we left the case in monitoring status.
After that, other good security people investigated the case; the URLs below explain the threat very well, so please take a look at these good posts before continuing with this one:
http://www.cert.pl/news/7849/langswitch_lang/en
http://remchp.com/blog/?p=52
http://securehoney.net/blog/trojan-horse-uploaded.html#.Ur7xeqX_TZs
https://isc.sans.edu/diary/Unfriendly+crontab+additions/17282
The Bad News is...
However, today we face the fact that not only is @lvdeijk still being hit by the same attacker, but the honeypot of another friend of ours (thanks to @wirehack7) also got hit by the same threat. So we took precautions to capture a PoC of the attack, and this time everything was recorded, down to the shell commands used while the attack was in progress, as shown in the video below:
So the BAD NEWS is: the threat is active as of Dec 27, 2013, when I write this post! This threat lives happily ever after, infecting and hacking UNIX environments in many networks on the internet. Most of us in MMD are unixmen and we couldn't stand watching this, so hopefully this post will raise MORE awareness of the threat; we also started an OP for it. I was wondering IF the ELF download source was still up today, so I made a quick check and got positive confirmation; I grabbed an iPad to make this video as evidence:
Host w/TCP/22 Serving DNS Amp ELF #malware hxxp://198,2,192,204:22/disknyp <#Block+regex this!
PoC: https://t.co/g58fr1IQrN
#MalwareMustDie
— MalwareMustDie, NPO (@MalwareMustDie) December 28, 2013
Yes, the source is still there.
To make it merrier: as everyone knows, VT shows low detection for these ELF (read: Linux executable binaries) scans, as the AV results show. It has never scored more than 5 so far. I am starting to wonder why so many Linux AV scanner products cannot detect this. That is a fact users must swallow when they expect such products to detect this on their servers.
#MalwareMustDie! #Linux #ELF #Backdoor #Trojan with low detection: VT 1/36 https://t.co/DsoEYPauKM Refer to: https://t.co/l7LX5a8inB #ITW
— MalwareMustDie, NPO (@MalwareMustDie) December 28, 2013
@MalwareMustDie agreed, first seen late nov, still no detection: https://t.co/oVMW28MViQ cnc IP: 61[.]153.104.208
— thedude13 (@thedude13) December 31, 2013
OK. I don't want to argue about the signature matters of the AV industry, but I must say that ELF is a serious threat that needs to be prioritized more, especially in hack sessions like this one. Please think about the large number of users who actually buy a license every year to keep their servers protected from threats like this; they deserve BETTER service, so please make more effort to publish your signatures.
Moving on. Just to be sure, I made a quick re-analysis of the new/recent ELF, with the details below, using my poor home-brew tool called fileelf, which is actually a bash script that helps me analyze ELF binaries quickly. The result: all functions are identical, and the only modification detected is in the destination IP addresses (of the CnC). The logic is all the same: once it starts the daemon it grabs all the info from the environment, and then the series of "communications" begins. Note that the config it created held only its initial values on the first write, and nothing more, so (maybe) one should let this evil tool run longer, monitoring and recording all of the CnC communication, to get a better record of what this tool can actually do.
(! ELF Analysis )
$ fileelf ./disknyp
./disknyp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 20 81 04 08 34 00 00 00 |........ ...4...|
00000020 f4 27 12 00 00 00 00 00 34 00 20 00 05 00 28 00 |........4. ...(.|
00000030 1c 00 19 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000040
(ELF Header: )
Magic:                             7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2s complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX - System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0x8048120
Start of program headers:          52 (bytes into file)
Start of section headers:          1189876 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         5
Size of section headers:           40 (bytes)
Number of section headers:         28
Section header string table index: 25
(Section Headers: )
  [Nr] Name               Type      Addr     Off    Size   ES Flg Lk Inf  Al
  [ 0]                    NULL      00000000 000000 000000 00       0   0   0
  [ 1] .note.ABI-tag      NOTE      080480d4 0000d4 000020 00   A   0   0   4
  [ 2] .init              PROGBITS  080480f4 0000f4 000017 00  AX   0   0   4
  [ 3] .text              PROGBITS  08048120 000120 0e2200 00  AX   0   0  32
  [ 4] __libc_freeres_fn  PROGBITS  0812a320 0e2320 000f6e 00  AX   0   0   4
  [ 5] __libc_thread_fre  PROGBITS  0812b290 0e3290 0000e2 00  AX   0   0   4
  [ 6] .fini              PROGBITS  0812b374 0e3374 00001a 00  AX   0   0   4
  [ 7] .rodata            PROGBITS  0812b3a0 0e33a0 020c2e 00   A   0   0  32
  [ 8] __libc_subfreeres  PROGBITS  0814bfd0 103fd0 00003c 00   A   0   0   4
  [ 9] __libc_atexit      PROGBITS  0814c00c 10400c 000004 00   A   0   0   4
  [10] __libc_thread_sub  PROGBITS  0814c010 104010 000004 00   A   0   0   4
  [11] .eh_frame          PROGBITS  0814c014 104014 016a58 00   A   0   0   4
  [12] .gcc_except_table  PROGBITS  08162a6c 11aa6c 004f65 00   A   0   0   4
  [13] .tdata             PROGBITS  08168000 120000 000014 00 WAT   0   0   4
  [14] .tbss              NOBITS    08168014 120014 00001c 00 WAT   0   0   4
  [15] .ctors             PROGBITS  08168014 120014 00002c 00  WA   0   0   4
  [16] .dtors             PROGBITS  08168040 120040 00000c 00  WA   0   0   4
  [17] .jcr               PROGBITS  0816804c 12004c 000004 00  WA   0   0   4
  [18] .data.rel.ro       PROGBITS  08168060 120060 00063c 00  WA   0   0  32
  [19] .got               PROGBITS  0816869c 12069c 00005c 04  WA   0   0   4
  [20] .got.plt           PROGBITS  081686f8 1206f8 00000c 04  WA   0   0   4
  [21] .data              PROGBITS  08168720 120720 001034 00  WA   0   0  32
  [22] .bss               NOBITS    08169760 121754 0091d8 00  WA   0   0  32
  [23] __libc_freeres_pt  NOBITS    08172938 121754 000020 00  WA   0   0   4
  [24] .comment           PROGBITS  00000000 121754 000f78 00       0   0   1
  [25] .shstrtab          STRTAB    00000000 1226cc 000126 00       0   0   1
  [26] .symtab            SYMTAB    00000000 122c54 017d80 10      27 1221  4
  [27] .strtab            STRTAB    00000000 13a9d4 0319db 00       0   0   1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)
There are no section groups in this file.
(Program Headers:)
  Type       Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  LOAD       0x000000 0x08048000 0x08048000 0x11f9d1 0x11f9d1 R E 0x1000
  LOAD       0x120000 0x08168000 0x08168000 0x01754  0x0a958  RW  0x1000
  NOTE       0x0000d4 0x080480d4 0x080480d4 0x00020  0x00020  R   0x4
  TLS        0x120000 0x08168000 0x08168000 0x00014  0x00030  R   0x4
  GNU_STACK  0x000000 0x00000000 0x00000000 0x00000  0x00000  RW  0x4
(Section to Segment mapping:)
  Segment Sections...
   00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
   02     .note.ABI-tag
   03     .tdata .tbss
   04
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
(Sections:)
Idx Name                      Size      VMA       LMA       File off  Algn
  0 .note.ABI-tag             00000020  080480d4  080480d4  000000d4  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .init                     00000017  080480f4  080480f4  000000f4  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .text                     000e2200  08048120  08048120  00000120  2**5
                              CONTENTS, ALLOC, LOAD, READONLY, CODE
  3 __libc_freeres_fn         00000f6e  0812a320  0812a320  000e2320  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, CODE
  4 __libc_thread_freeres_fn  000000e2  0812b290  0812b290  000e3290  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, CODE
  5 .fini                     0000001a  0812b374  0812b374  000e3374  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, CODE
  6 .rodata                   00020c2e  0812b3a0  0812b3a0  000e33a0  2**5
                              CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 __libc_subfreeres         0000003c  0814bfd0  0814bfd0  00103fd0  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 __libc_atexit             00000004  0814c00c  0814c00c  0010400c  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 __libc_thread_subfreeres  00000004  0814c010  0814c010  00104010  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, DATA
 10 .eh_frame                 00016a58  0814c014  0814c014  00104014  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, DATA
 11 .gcc_except_table         00004f65  08162a6c  08162a6c  0011aa6c  2**2
                              CONTENTS, ALLOC, LOAD, READONLY, DATA
 12 .tdata                    00000014  08168000  08168000  00120000  2**2
                              CONTENTS, ALLOC, LOAD, DATA, THREAD_LOCAL
 13 .tbss                     0000001c  08168014  08168014  00120014  2**2
                              ALLOC, THREAD_LOCAL
 14 .ctors                    0000002c  08168014  08168014  00120014  2**2
                              CONTENTS, ALLOC, LOAD, DATA
 15 .dtors                    0000000c  08168040  08168040  00120040  2**2
                              CONTENTS, ALLOC, LOAD, DATA
 16 .jcr                      00000004  0816804c  0816804c  0012004c  2**2
                              CONTENTS, ALLOC, LOAD, DATA
 17 .data.rel.ro              0000063c  08168060  08168060  00120060  2**5
                              CONTENTS, ALLOC, LOAD, DATA
 18 .got                      0000005c  0816869c  0816869c  0012069c  2**2
                              CONTENTS, ALLOC, LOAD, DATA
 19 .got.plt                  0000000c  081686f8  081686f8  001206f8  2**2
                              CONTENTS, ALLOC, LOAD, DATA
 20 .data                     00001034  08168720  08168720  00120720  2**5
                              CONTENTS, ALLOC, LOAD, DATA
 21 .bss                      000091d8  08169760  08169760  00121754  2**5
                              ALLOC
 22 __libc_freeres_ptrs       00000020  08172938  08172938  00121754  2**2
                              ALLOC
 23 .comment                  00000f78  00000000  00000000  00121754  2**0
                              CONTENTS, READONLY
(Tables)
Symbol table '.symtab' contains 6104 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 080480d4     0 SECTION LOCAL  DEFAULT    1
     2: 080480f4     0 SECTION LOCAL  DEFAULT    2
     3: 08048120     0 SECTION LOCAL  DEFAULT    3
     4: 0812a320     0 SECTION LOCAL  DEFAULT    4
     5: 0812b290     0 SECTION LOCAL  DEFAULT    5
     6: 0812b374     0 SECTION LOCAL  DEFAULT    6
     7: 0812b3a0     0 SECTION LOCAL  DEFAULT    7
     8: 0814bfd0     0 SECTION LOCAL  DEFAULT    8
     9: 0814c00c     0 SECTION LOCAL  DEFAULT    9
    10: 0814c010     0 SECTION LOCAL  DEFAULT   10
[...]
(!DIR / FILES ACCESSED)
/proc/cpuinfo
/proc/stat
/proc/net/dev
/proc/%d/exe
/proc/sys/kernel/version
/proc/sys/kernel/osrelease
/proc/self/maps
/proc/sys/kernel/ngroups_max
/proc/sys/kernel/rtsig-max
/proc/self/exe
/proc/net
/proc/net/dev
/dev/null
/dev/tty
/dev/log
/dev/console
/usr/lib/locale
/usr/lib/locale/locale-archive
/usr/share/locale
/usr/share/locale
/usr/share/zoneinfo
/usr/libexec/getconf
/usr/lib/gconv
/usr/lib/gconv/gconv-modules.cache
/usr/lib/
/etc/localtime
/etc/mtab
/etc/fstab
/etc/suid-debug
/etc/resolv.conf
/etc/host.conf
/etc/nsswitch.conf
/etc/ld.so.cache
So we see what the binary is all about. Below are some disassembly traces, which confirm the previous analysis made by many good people, so I won't add more unnecessary comments and will just paste my dumps below:
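The header fields that fileelf prints above can be recovered directly from the first 52 bytes of the hexdump. As an added example (not part of the original post, and not the fileelf script itself), here is a small Python ELF32 header parser fed with exactly those bytes; the byte string is copied from the hexdump above, the field names follow the ELF specification, and the triage notes at the end are my own reading of what the header alone tells a responder.

```python
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64"}

# Constructed input: the first 64 bytes of ./disknyp exactly as printed in the
# fileelf hexdump above (the only bytes of the sample the post reproduces).
DISKNYP_HEAD = bytes.fromhex(
    "7f454c46010101000000000000000000"
    "02000300010000002081040834000000"
    "f4271200000000003400200005002800"
    "1c001900010000000000000000800408"
)


def parse_elf32_header(data: bytes) -> dict:
    """Decode the 52-byte ELF32 header at the start of `data`."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 1 or ei_data != 1:
        raise ValueError("this parser handles 32-bit little-endian ELF only")
    # Fields after e_ident, all little-endian: 2x u16, 5x u32, 6x u16 = 36 bytes.
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    return {
        "class": "ELF32",
        "data": "little endian",
        "e_type": E_TYPE.get(e_type, hex(e_type)),
        "e_machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "e_version": e_version,
        "e_entry": e_entry,
        "e_phoff": e_phoff,
        "e_shoff": e_shoff,
        "e_flags": e_flags,
        "e_ehsize": e_ehsize,
        "e_phentsize": e_phentsize,
        "e_phnum": e_phnum,
        "e_shentsize": e_shentsize,
        "e_shnum": e_shnum,
        "e_shstrndx": e_shstrndx,
    }


def triage_notes(hdr: dict) -> list:
    """Quick observations a responder can draw from the header alone (heuristics)."""
    notes = []
    if hdr["e_type"] == "EXEC":
        notes.append("EXEC: fixed load address, not position independent")
    if hdr["e_shnum"] == 0:
        notes.append("no section headers: symbol-level analysis needs another route")
    else:
        notes.append("%d section headers present, names in section %d"
                     % (hdr["e_shnum"], hdr["e_shstrndx"]))
    # 0x08048000 is the customary base of non-PIE i386 executables; an entry
    # far from it is not proof of anything, just a reason to look closer.
    if not 0x08048000 <= hdr["e_entry"] < 0x08048000 + 0x10000:
        notes.append("entry point %#x is not near the usual i386 base" % hdr["e_entry"])
    return notes


if __name__ == "__main__":
    h = parse_elf32_header(DISKNYP_HEAD)
    for k, v in h.items():
        print("%-12s %s" % (k, hex(v) if isinstance(v, int) else v))
    for n in triage_notes(h):
        print("note:", n)
```

Run against the hexdump bytes it reproduces the values fileelf printed (EXEC, Intel 80386, entry 0x8048120, section headers at 1189876, 5 program headers, 28 section headers, string table index 25); on a real file, read the first 52 bytes and pass them in the same way.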
(!Daemon was initialized here)
$ cat dump |grep _ZN9CStatBase10InitializeEv
80498e3: e8 f0 a9 00 00       call 80542d8 (_ZN9CStatBase10InitializeEv)
080542d8 (_ZN9CStatBase10InitializeEv):
80542d8: 55                   push %ebp
80542d9: 89 e5                mov %esp,%ebp
80542db: 83 ec 08             sub $0x8,%esp
80542de: 83 ec 0c             sub $0xc,%esp
80542e1: ff 75 08             pushl 0x8(%ebp)
80542e4: e8 cb f8 ff ff       call 8053bb4 (_ZN9CStatBase13GetSysVersionEv)
80542e9: 83 c4 10             add $0x10,%esp
80542ec: 83 ec 0c             sub $0xc,%esp
80542ef: ff 75 08             pushl 0x8(%ebp)
80542f2: e8 1f f9 ff ff       call 8053c16 (_ZN9CStatBase9GetCpuSpdEv)
80542f7: 83 c4 10             add $0x10,%esp
80542fa: 83 ec 0c             sub $0xc,%esp
80542fd: ff 75 08             pushl 0x8(%ebp)
8054300: e8 49 fa ff ff       call 8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
8054305: 83 c4 10             add $0x10,%esp
8054308: 83 ec 0c             sub $0xc,%esp
805430b: ff 75 08             pushl 0x8(%ebp)
805430e: e8 a1 ff ff ff       call 80542b4 (_ZN9CStatBase13InitGetNetUseEv)
8054313: 83 c4 10             add $0x10,%esp
8054316: c9                   leave
8054317: c3                   ret
(!System call grabs listed)
80498e3: e8 f0 a9 00 00       call 80542d8 (_ZN9CStatBase10InitializeEv)
804abf9: e8 ea 0b 00 00       call 804b7e8 (_ZN9CStatBase10SysVersionEv)
804ac1c: e8 df 0b 00 00       call 804b800 (_ZN9CStatBase6CpuSpdEv)
0804b7e8 (_ZN9CStatBase10SysVersionEv):
0804b800 (_ZN9CStatBase6CpuSpdEv):
08053b40 (_ZN9CStatBaseC1Ev):
08053b62 (_ZN9CStatBaseC2Ev):
08053b84 (_ZN9CStatBaseD2Ev):
08053b9c (_ZN9CStatBaseD1Ev):
08053bb4 (_ZN9CStatBase13GetSysVersionEv):
08053c16 (_ZN9CStatBase9GetCpuSpdEv):
8053c65: e9 b3 00 00 00       jmp 8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
8053ce6: 75 35                jne 8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
8053d1b: eb 29                jmp 8053d46 (_ZN9CStatBase9GetCpuSpdEv+0x130)
8053d32: 0f 85 32 ff ff ff    jne 8053c6a (_ZN9CStatBase9GetCpuSpdEv+0x54)
08053d4e (_ZN9CStatBase13InitGetCPUUseEv):
08053db0 (_ZN9CStatBase9GetCPUUseEv):
8053e91: 75 22                jne 8053eb5 (_ZN9CStatBase9GetCPUUseEv+0x105)
8053eb0: e9 8b 01 00 00       jmp 8054040 (_ZN9CStatBase9GetCPUUseEv+0x290)
080542b4 (_ZN9CStatBase13InitGetNetUseEv):
080542d8 (_ZN9CStatBase10InitializeEv):
80542e4: e8 cb f8 ff ff       call 8053bb4 (_ZN9CStatBase13GetSysVersionEv)
80542f2: e8 1f f9 ff ff       call 8053c16 (_ZN9CStatBase9GetCpuSpdEv)
8054300: e8 49 fa ff ff       call 8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
805430e: e8 a1 ff ff ff       call 80542b4 (_ZN9CStatBase13InitGetNetUseEv)
08054318 (_ZN9CStatBase9GetNetUseEv):
8054353: 75 09                jne 805435e (_ZN9CStatBase9GetNetUseEv+0x46)
805435c: eb 75                jmp 80543d3 (_ZN9CStatBase9GetNetUseEv+0xbb)
80543ec: e8 ab f7 ff ff       call 8053b9c (_ZN9CStatBaseD1Ev)
8054419: e8 22 f7 ff ff       call 8053b40 (_ZN9CStatBaseC1Ev)
805cbba: e8 59 77 ff ff       call 8054318 (_ZN9CStatBase9GetNetUseEv)
805cbcd: e8 de 71 ff ff       call 8053db0 (_ZN9CStatBase9GetCPUUseEv)
(!Total SysGrabsCalls)
$ cat dump |grep ZN9C
8048523: e8 e2 4d 01 00       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
8048550: e8 15 4e 01 00       call 805d36a (_ZN9CAutoLockD1Ev)
804856d: e8 f8 4d 01 00       call 805d36a (_ZN9CAutoLockD1Ev)
8048913: e8 f2 49 01 00       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
804893b: e8 2a 4a 01 00       call 805d36a (_ZN9CAutoLockD1Ev)
8048958: e8 0d 4a 01 00       call 805d36a (_ZN9CAutoLockD1Ev)
80498e3: e8 f0 a9 00 00       call 80542d8 (_ZN9CStatBase10InitializeEv)
80498f3: e8 92 97 00 00       call 805308a (_ZN9CServerIP10InitializeEv)
804997e: e8 87 39 01 00       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
8049a02: e8 63 39 01 00       call 805d36a (_ZN9CAutoLockD1Ev)
8049a25: e8 e0 38 01 00       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
8049bcc: e8 99 37 01 00       call 805d36a (_ZN9CAutoLockD1Ev)
8049be9: e8 7c 37 01 00       call 805d36a (_ZN9CAutoLockD1Ev)
804a0a8: e8 d1 16 00 00       call 804b77e (_ZN9CTaskInfoD1Ev)
804a0c6: e8 b3 16 00 00       call 804b77e (_ZN9CTaskInfoD1Ev)
804a242: e8 37 15 00 00       call 804b77e (_ZN9CTaskInfoD1Ev)
804a260: e8 19 15 00 00       call 804b77e (_ZN9CTaskInfoD1Ev)
804a465: e8 5c 34 00 00       call 804d8c6 (_ZN9CLoopTaskC1Ev)
804a908: e8 55 5a 00 00       call 8050362 (_ZN9CServerIP7ServersEv)
804abf9: e8 ea 0b 00 00       call 804b7e8 (_ZN9CStatBase10SysVersionEv)
804ac1c: e8 df 0b 00 00       call 804b800 (_ZN9CStatBase6CpuSpdEv)
804b20d: e8 1c 05 00 00       call 804b72e (_ZN9CTaskInfoC1Ev)
804b2dd: e8 9c 04 00 00       call 804b77e (_ZN9CTaskInfoD1Ev)
804b42f: e8 fa 02 00 00       call 804b72e (_ZN9CTaskInfoC1Ev)
804b4ff: e8 7a 02 00 00       call 804b77e (_ZN9CTaskInfoD1Ev)
0804b72e (_ZN9CTaskInfoC1Ev):
0804b77e (_ZN9CTaskInfoD1Ev):
0804b7e8 (_ZN9CStatBase10SysVersionEv):
0804b800 (_ZN9CStatBase6CpuSpdEv):
804c145: e8 c0 11 01 00       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
804c161: e8 04 12 01 00       call 805d36a (_ZN9CAutoLockD1Ev)
0804d854 (_ZN9CLoopTaskD1Ev):
804d893: e8 bc ff ff ff       call 804d854 (_ZN9CLoopTaskD1Ev)
0804d8c6 (_ZN9CLoopTaskC1Ev):
804ec61: e8 a4 e6 00 00       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
804ecc9: e8 9c e6 00 00       call 805d36a (_ZN9CAutoLockD1Ev)
804ece6: e8 7f e6 00 00       call 805d36a (_ZN9CAutoLockD1Ev)
08050362 (_ZN9CServerIP7ServersEv):
8050d39: e8 cc c5 00 00       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
8050d98: e8 cd c5 00 00       call 805d36a (_ZN9CAutoLockD1Ev)
8050db5: e8 b0 c5 00 00       call 805d36a (_ZN9CAutoLockD1Ev)
0805302a (_ZN9CServerIPD1Ev):
08053042 (_ZN9CServerIPD2Ev):
0805305a (_ZN9CServerIPC1Ev):
08053072 (_ZN9CServerIPC2Ev):
0805308a (_ZN9CServerIP10InitializeEv):
8053168: eb 52                jmp 80531bc (_ZN9CServerIP10InitializeEv+0x132)
805318b: eb 06                jmp 8053193 (_ZN9CServerIP10InitializeEv+0x109)
80531de: e8 47 fe ff ff       call 805302a (_ZN9CServerIPD1Ev)
805320b: e8 4a fe ff ff       call 805305a (_ZN9CServerIPC1Ev)
08053b40 (_ZN9CStatBaseC1Ev):
08053b62 (_ZN9CStatBaseC2Ev):
08053b84 (_ZN9CStatBaseD2Ev):
08053b9c (_ZN9CStatBaseD1Ev):
08053bb4 (_ZN9CStatBase13GetSysVersionEv):
08053c16 (_ZN9CStatBase9GetCpuSpdEv):
8053c65: e9 b3 00 00 00       jmp 8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
8053ce6: 75 35                jne 8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
8053d1b: eb 29                jmp 8053d46 (_ZN9CStatBase9GetCpuSpdEv+0x130)
8053d32: 0f 85 32 ff ff ff    jne 8053c6a (_ZN9CStatBase9GetCpuSpdEv+0x54)
08053d4e (_ZN9CStatBase13InitGetCPUUseEv):
08053db0 (_ZN9CStatBase9GetCPUUseEv):
8053e91: 75 22                jne 8053eb5 (_ZN9CStatBase9GetCPUUseEv+0x105)
8053eb0: e9 8b 01 00 00       jmp 8054040 (_ZN9CStatBase9GetCPUUseEv+0x290)
080542b4 (_ZN9CStatBase13InitGetNetUseEv):
080542d8 (_ZN9CStatBase10InitializeEv):
80542e4: e8 cb f8 ff ff       call 8053bb4 (_ZN9CStatBase13GetSysVersionEv)
80542f2: e8 1f f9 ff ff       call 8053c16 (_ZN9CStatBase9GetCpuSpdEv)
8054300: e8 49 fa ff ff       call 8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
805430e: e8 a1 ff ff ff       call 80542b4 (_ZN9CStatBase13InitGetNetUseEv)
08054318 (_ZN9CStatBase9GetNetUseEv):
8054353: 75 09                jne 805435e (_ZN9CStatBase9GetNetUseEv+0x46)
805435c: eb 75                jmp 80543d3 (_ZN9CStatBase9GetNetUseEv+0xbb)
80543ec: e8 ab f7 ff ff       call 8053b9c (_ZN9CStatBaseD1Ev)
8054419: e8 22 f7 ff ff       call 8053b40 (_ZN9CStatBaseC1Ev)
805558a: e8 05 2e 00 00       call 8058394 (_ZN9CCrossPktC1Ev)
8055704: e8 c7 2c 00 00       call 80583d0 (_ZN9CCrossPktD1Ev)
8055727: e8 a4 2c 00 00       call 80583d0 (_ZN9CCrossPktD1Ev)
08058394 (_ZN9CCrossPktC1Ev):
080583d0 (_ZN9CCrossPktD1Ev):
80583f6: e8 d5 ff ff ff       call 80583d0 (_ZN9CCrossPktD1Ev)
80587e0: e8 6f 50 ff ff       call 804d854 (_ZN9CLoopTaskD1Ev)
08059b3c (_ZN9CCrossPktaSERKS_):
8059bd9: e8 5e ff ff ff       call 8059b3c (_ZN9CCrossPktaSERKS_)
8059e5d: e8 da fc ff ff       call 8059b3c (_ZN9CCrossPktaSERKS_)
0805a028 (_ZN9CCrossPktC1ERKS_):
805a0a3: e8 80 ff ff ff       call 805a028 (_ZN9CCrossPktC1ERKS_)
805a101: e8 22 ff ff ff       call 805a028 (_ZN9CCrossPktC1ERKS_)
805a1ee: e8 61 36 ff ff       call 804d854 (_ZN9CLoopTaskD1Ev)
805a37a: e8 51 e0 ff ff       call 80583d0 (_ZN9CCrossPktD1Ev)
805a583: e8 a0 fa ff ff       call 805a028 (_ZN9CCrossPktC1ERKS_)
805a5f8: e8 3f f5 ff ff       call 8059b3c (_ZN9CCrossPktaSERKS_)
805a615: e8 b6 dd ff ff       call 80583d0 (_ZN9CCrossPktD1Ev)
805a638: e8 93 dd ff ff       call 80583d0 (_ZN9CCrossPktD1Ev)
0805b086 (_ZN9CLoopTaskaSERKS_):
805b121: e8 60 ff ff ff       call 805b086 (_ZN9CLoopTaskaSERKS_)
805b3a5: e8 dc fc ff ff       call 805b086 (_ZN9CLoopTaskaSERKS_)
0805b5a8 (_ZN9CLoopTaskC1ERKS_):
805b621: e8 82 ff ff ff       call 805b5a8 (_ZN9CLoopTaskC1ERKS_)
805b67f: e8 24 ff ff ff       call 805b5a8 (_ZN9CLoopTaskC1ERKS_)
805b843: e8 60 fd ff ff       call 805b5a8 (_ZN9CLoopTaskC1ERKS_)
805b8b8: e8 c9 f7 ff ff       call 805b086 (_ZN9CLoopTaskaSERKS_)
805b8d5: e8 7a 1f ff ff       call 804d854 (_ZN9CLoopTaskD1Ev)
805b8f8: e8 57 1f ff ff       call 804d854 (_ZN9CLoopTaskD1Ev)
805cbba: e8 59 77 ff ff       call 8054318 (_ZN9CStatBase9GetNetUseEv)
805cbcd: e8 de 71 ff ff       call 8053db0 (_ZN9CStatBase9GetCPUUseEv)
0805d2d4 (_ZN9CAutoLockC2EP12CThreadMutexb):
805d2f5: 74 11                je 805d308 (_ZN9CAutoLockC2EP12CThreadMutexb+0x34)
0805d30a (_ZN9CAutoLockC1EP12CThreadMutexb):
805d32b: 74 11                je 805d33e (_ZN9CAutoLockC1EP12CThreadMutexb+0x34)
0805d340 (_ZN9CAutoLock6UnlockEv):
805d34e: 74 18                je 805d368 (_ZN9CAutoLock6UnlockEv+0x28)
0805d36a (_ZN9CAutoLockD1Ev):
805d376: e8 c5 ff ff ff       call 805d340 (_ZN9CAutoLock6UnlockEv)
0805d380 (_ZN9CAutoLockD2Ev):
805d38c: e8 af ff ff ff       call 805d340 (_ZN9CAutoLock6UnlockEv)
805dc03: e8 02 f7 ff ff       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805dc4d: e8 18 f7 ff ff       call 805d36a (_ZN9CAutoLockD1Ev)
805dc6c: e8 99 f6 ff ff       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805dc84: e8 e1 f6 ff ff       call 805d36a (_ZN9CAutoLockD1Ev)
805dca7: e8 5e f6 ff ff       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805dcdc: e8 89 f6 ff ff       call 805d36a (_ZN9CAutoLockD1Ev)
805dcfa: e8 0b f6 ff ff       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805dd12: e8 53 f6 ff ff       call 805d36a (_ZN9CAutoLockD1Ev)
805e05d: e8 a8 f2 ff ff       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805e3da: e8 8b ef ff ff       call 805d36a (_ZN9CAutoLockD1Ev)
805e3fd: e8 68 ef ff ff       call 805d36a (_ZN9CAutoLockD1Ev)
8061161: e8 a4 c1 ff ff       call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
80611b7: e8 ae c1 ff ff       call 805d36a (_ZN9CAutoLockD1Ev)
80611d4: e8 91 c1 ff ff       call 805d36a (_ZN9CAutoLockD1Ev)
(!DECRYPTOR CALLS)
0806199c (_ZN8CUtility7DeCryptEPciPKci):
80619a9: eb 37                jmp 80619e2 (_ZN8CUtility7DeCryptEPciPKci+0x46)
80619b3: 74 15                je 80619ca (_ZN8CUtility7DeCryptEPciPKci+0x2e)
80619c8: eb 13                jmp 80619dd (_ZN8CUtility7DeCryptEPciPKci+0x41)
80619e8: 7d 14                jge 80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
80619f0: 7d 0c                jge 80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
80619fc: 75 ad                jne 80619ab (_ZN8CUtility7DeCryptEPciPKci+0xf)
(Func_Details:)
0806199c (_ZN8CUtility7DeCryptEPciPKci):
806199c: 55                   push %ebp
806199d: 89 e5                mov %esp,%ebp
806199f: 83 ec 10             sub $0x10,%esp
80619a2: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)
80619a9: eb 37                jmp 80619e2 (_ZN8CUtility7DeCryptEPciPKci+0x46)
80619ab: 8b 45 fc             mov -0x4(%ebp),%eax
80619ae: 83 e0 01             and $0x1,%eax
80619b1: 84 c0                test %al,%al
80619b3: 74 15                je 80619ca (_ZN8CUtility7DeCryptEPciPKci+0x2e)
80619b5: 8b 45 fc             mov -0x4(%ebp),%eax
80619b8: 89 c2                mov %eax,%edx
80619ba: 03 55 08             add 0x8(%ebp),%edx
80619bd: 8b 45 fc             mov -0x4(%ebp),%eax
80619c0: 03 45 10             add 0x10(%ebp),%eax
80619c3: 8a 00                mov (%eax),%al
80619c5: 40                   inc %eax
80619c6: 88 02                mov %al,(%edx)
80619c8: eb 13                jmp 80619dd (_ZN8CUtility7DeCryptEPciPKci+0x41)
80619ca: 8b 45 fc             mov -0x4(%ebp),%eax
80619cd: 89 c2                mov %eax,%edx
80619cf: 03 55 08             add 0x8(%ebp),%edx
80619d2: 8b 45 fc             mov -0x4(%ebp),%eax
80619d5: 03 45 10             add 0x10(%ebp),%eax
80619d8: 8a 00                mov (%eax),%al
80619da: 48                   dec %eax
80619db: 88 02                mov %al,(%edx)
80619dd: 8d 45 fc             lea -0x4(%ebp),%eax
80619e0: ff 00                incl (%eax)
80619e2: 8b 45 fc             mov -0x4(%ebp),%eax
80619e5: 3b 45 14             cmp 0x14(%ebp),%eax
80619e8: 7d 14                jge 80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
80619ea: 8b 45 fc             mov -0x4(%ebp),%eax
80619ed: 3b 45 0c             cmp 0xc(%ebp),%eax
80619f0: 7d 0c                jge 80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
80619f2: 8b 45 fc             mov -0x4(%ebp),%eax
80619f5: 03 45 10             add 0x10(%ebp),%eax
80619f8: 8a 00                mov (%eax),%al
80619fa: 84 c0                test %al,%al
80619fc: 75 ad                jne 80619ab (_ZN8CUtility7DeCryptEPciPKci+0xf)
80619fe: c9                   leave
80619ff: c3                   ret
These are the templates into which they put the data after grabbing it:
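My reading of the DeCrypt listing above: the mangled name decodes to CUtility::DeCrypt(char*, int, const char*, int), the four stack arguments are (dst, dst_len, src, src_len), the counter at -0x4(%ebp) walks src until it reaches src_len, dst_len or a 0x00 byte, and each position stores src[i]+1 at odd indexes and src[i]-1 at even indexes (8-bit stores, so the byte wraps). As an added example (not code from the post, and not the malware author's source), here is that routine re-implemented in Python so captured strings can be decoded offline, together with its inverse so the round trip can be checked; the sample strings are constructed, not taken from the binary.

```python
def decrypt(src: bytes, src_len: int, dst_len: int) -> bytes:
    """Re-implementation of CUtility::DeCrypt(char* dst, int dst_len,
    const char* src, int src_len) as read from the disassembly above.

    Walk src while i < src_len, i < dst_len and src[i] != 0; odd positions
    get +1, even positions get -1, with 8-bit wraparound like the original
    byte store.  Returns the bytes that would have been written to dst."""
    out = bytearray()
    i = 0
    # The extra len(src) guard only stops Python raising IndexError; the
    # original trusts its callers to pass a correct src_len.
    while i < src_len and i < dst_len and i < len(src) and src[i] != 0:
        if i & 1:
            out.append((src[i] + 1) & 0xFF)
        else:
            out.append((src[i] - 1) & 0xFF)
        i += 1
    return bytes(out)


def encrypt(plain: bytes) -> bytes:
    """Inverse transform (assumed, obtained by inverting decrypt): odd
    positions get -1, even positions get +1.  A plaintext byte that maps
    to 0x00 would stop DeCrypt early, because it treats 0x00 as the end."""
    return bytes(((b - 1) if i & 1 else (b + 1)) & 0xFF
                 for i, b in enumerate(plain))


# Constructed samples for the round trip, not strings from the malware.
SAMPLE_PLAIN = b"hello"
SAMPLE_CIPHER = b"idmkp"

if __name__ == "__main__":
    print(decrypt(SAMPLE_CIPHER, len(SAMPLE_CIPHER), 64))   # b'hello'
    print(encrypt(SAMPLE_PLAIN))                              # b'idmkp'
```

Two properties worth remembering when using this on captured data: the output is truncated by whichever of dst_len, src_len or the first 0x00 byte comes first, and the scheme is a fixed per-position offset, so it offers no confidentiality beyond hiding the plain strings from a casual `strings` run.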
(i IP ADDRESSES:PORT)
%s:%s
%d:%d
(i CPU Information)
cpu MHz : %d.%d
cpu %llu %llu %llu %llu
(i System Variables)
%s %llu %llu %llu %llu
%7s %llu %lu %lu %lu %lu %lu %lu %lu %llu %lu %lu %lu %lu %lu %lu %lu
(%d)
[ %02d.%02d %02d:%02d:%02d.%03ld ]
[%lu]
[%s]
%s
%02x
%lld
%d.%d.%d.%d
/proc/%d/exe
%m/%d/%y %H:%M
%H:%M:%S
(i Memory matters, Syslog, files, etc)
Arena %d:
system bytes = %10u
in use bytes = %10u
max mmap regions = %10u
max mmap bytes = %10lu
log: unknown facility/priority: %x
MemTotal: %ld kB
MemFree: %ld kB
%d.%d.%d.%d
opening file=%s [%lu]; direct_opencount=%u
calling fini: %s [%lu]
closing file=%s; direct_opencount=%u
file=%s [%lu]; destroying link map
%a %b %e %H:%M:%S %Y
*) NOTED: after dumping a very long disassembly, everything matches the previous analysis by us and by others.
Moving along. I used my previous test bed; I am a BSD guy, so if I have to use Linux it is going to be Slackware, with some libs and patches added to its environment so that evil binaries run as if in heaven. I ran the binary to PoC some of its functions, and below are some of the notes I took; they reveal a great deal about the source of the CnC:
(!BEHAV)
// Without permission....fail1 ** SELINUX **
[001a57a2] execve("./disknyp", ["./disknyp"], [/* 21 vars */]) = -1 EACCES (Permission denied)
[001a57a2] dup(2) = 3
[001a57a2] fcntl64(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
[001a57a2] fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
[001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fb8000
[001a57a2] _llseek(3, 0, 0xbff64900, SEEK_CUR) = -1 ESPIPE (Illegal seek)
[001a57a2] write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied
) = 32
[001a57a2] close(3) = 0
[001a57a2] munmap(0xb7fb8000, 4096) = 0
[001a57a2] exit_group(1) = ?
// Without permission....fail2 ** $ENV matters, no biggies.. **
[001a57a2] execve("./disknyp", ["./disknyp"], [/* 20 vars */]) = -1 EACCES (Permission denied)
[001a57a2] dup(2) = 3
[001a57a2] fcntl64(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
[001a57a2] fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
[001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f64000
[001a57a2] _llseek(3, 0, 0xbff40920, SEEK_CUR) = -1 ESPIPE (Illegal seek)
[001a57a2] write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied
) = 32
[001a57a2] close(3) = 0
[001a57a2] munmap(0xb7f64000, 4096) = 0
[001a57a2] exit_group(1) = ?
// With permission... :-))
[001a57a2] execve("./disknyp", ["./disknyp"], [/* 21 vars */]) = 0
[080f30cd] uname({sys="Linux", node="diemoronz.mmd.org", ...}) = 0
[08114ece] brk(0) = 0x906e000
[08114ece] brk(0x906ec90) = 0x906ec90
[080caaef] set_thread_area({entry_number:-1 -> 6, base_addr:0x906e830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
[0806500d] set_tid_address(0x906e878) = 7390
[080652c9] rt_sigaction(SIGRTMIN, {0x8064f18, [], SA_RESTORER|SA_SIGINFO, 0x8065240}, NULL, 8) = 0
[080652c9] rt_sigaction(SIGRT_1, {0x8064f80, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x8065240}, NULL, 8) = 0
[080650c5] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
[080f4045] getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
[080f5b37] _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfecb0d0, 30, (nil), 0}) = 0
[08114ece] brk(0x908fc90) = 0x908fc90
[08114ece] brk(0x9090000) = 0x9090000
[0806377e] open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
[080f3b7d] fstat64(3, {st_mode=S_IFREG|0644, st_size=48524976, ...}) = 0
[080f4d8a] mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7dd7000
[080f4d8a] mmap2(NULL, 888832, PROT_READ, MAP_PRIVATE, 3, 0x162) = 0xb7cfe000
[080f4d8a] mmap2(NULL, 208896, PROT_READ, MAP_PRIVATE, 3, 0x2b2) = 0xb7ccb000
[080f4d8a] mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0x21fd) = 0xb7cca000
[080cc3e9] close(3) = 0
[08114ece] brk(0x90b4000) = 0x90b4000
[08064ebc] futex(0x816980c, FUTEX_WAKE, 2147483647) = 0
[08114ece] brk(0x90d5000) = 0x90d5000
[08114b6c] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x906e878) = 7391
[080f30e7] exit_group(0) = ?
(!PS blah..)
 7297 ?        S      0:00 /bin/sh
 7391 ?        Ssl    0:00 ./disknyp   <== See its PID (point of this ps buff)
 7434 pts/0    R+     0:00 ps ax
(!NETSTAT)
$ netstat -napt
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address        State        PID/Program name
----------------------------------------------------------------------------------------------------------
tcp        0      0 127.0.0.1:xxx            0.0.0.0:*              LISTEN       -
tcp        0      0 127.0.0.1:xxx            0.0.0.0:*              LISTEN       -
tcp        0     27 diemoronz.mmd.org:39445  190.115.20.27:59870    ESTABLISHED  7391/disknyp
(!LSOF)
disknyp 7391 cwd DIR   3,3     4096    343393 /home/%USER%/TRANSIT/TMP/markusELF
disknyp 7391 rtd DIR   3,3     4096         2 /
disknyp 7391 txt REG   3,3  1491887    343395 /home/%USER%/TRANSIT/TMP/markusELF/disknyp
disknyp 7391 mem REG   3,3   112260   1537133 /lib/ld-2.3.4.so
disknyp 7391 mem REG   3,3  1547732   1537211 /lib/tls/libc-2.3.4.so
disknyp 7391 mem REG   3,3    47468   1537158 /lib/libnss_files-2.3.4.so
disknyp 7391 mem REG   3,3 48524976   2068507 /usr/lib/locale/locale-archive
disknyp 7391 0u  CHR   1,3               2034 /dev/null
disknyp 7391 1u  CHR   1,3               2034 /dev/null
disknyp 7391 2u  CHR   1,3               2034 /dev/null
disknyp 7391 3u  IPv4         905808          TCP diemoronz:39445->ddos-guard.net:59870 (ESTABLISHED)
$
(!CONFIGS)
// This is where they put the default port range and bind IP for the overall process:
$ cat fake.cfg
0 127.0.0.1:127.0.0.1 10000:60000
So, as shown above, the CnC is "ddos-guard.net" at 190.115.20.27:59870. Sounds spooky, doesn't it, as the domain name of a DNS Amp CnC? Things are starting to smell indeed. Go figure.
DNS-Amp CNC Traffic
Below is the recorded CnC traffic (corrected after internal discussion with @sempersecurus); note the PUSH-ACK with a fixed length in the sent packet. The blobs of 0x00 packets look like they are poking the mothership. For LE there is an important note here: if there is a transmitter there should be a receiver, so dig at 190.115.20.27 and you can get the full set of crime evidence.
Conclusion and Mitigation
Again, the point of this post is: the download source is ALIVE currently:
$ wget h00p://198.2.192.204:22/disknyp -O ./samplexxx
--2013-12-29 00:54:56-- h00p://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1491887 (1.4M) [application/octet-stream]
Saving to: './samplexxx'
100%[================>] 1,491,887 174KB/s in 7.7s
2013-12-29 00:55:04 (190 KB/s) - './samplexxx' saved [1491887/1491887]
And the CnC is running too:
PROT  LOCAL                    REMOTE                 STATUS       PID / BINARY NAME
---------------------------------------------------------------------------------
tcp   diemoronz.mmd.org:39445  190.115.20.27:59870    ESTABLISHED  7391/disknyp
To be blocked/mitigated, PLEASE COLLECT THESE THREE SETS OF INFORMATION IN EVERY IR FOR THIS CASE:
198.2.192.204:22 (Download Source IP = Hacked Site)
190.115.20.27:59870 (CnC, could be proxied)
218.28.116.227 (Hack source IP)
This is at least the third time we have seen it downloading the ELF binaries via x.x.x.x:TCP/22 and connecting to the CnC at this IP:PORT --> x.x.x.x:TCP/59870. So I really hope that regex blocking for the download of these binaries and for the CnC connection can be produced in IDS product signatures (i.e. Emerging Threats, Squid ACL filter, Snort/VRT or Nessus) ASAP.
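The three sets of indicators above, plus the x.x.x.x:TCP/22 download and x.x.x.x:TCP/59870 CnC patterns, can be checked mechanically against netstat, proxy and `last` output. As an added example (not code from the post and not an IDS signature), here is a Python matcher that flags both the exact IoCs and the two generic port patterns; the log lines it scans are constructed to resemble the netstat, Squid and `last` output shown in this post, and the 203.0.113.x and 198.51.100.x addresses are documentation addresses used as stand-ins for unknown hosts.

```python
import re

# Indicators of compromise taken from the post (the three sets the author
# asks responders to collect for every IR on this case).
IOC_DOWNLOAD_SOURCE = ("198.2.192.204", 22)   # hacked site serving the ELF over TCP/22
IOC_CNC = ("190.115.20.27", 59870)            # CnC, could be proxied
IOC_SSH_SOURCE = "218.28.116.227"             # source IP of the SSH hack session

# Generic patterns the post describes: an HTTP download over TCP/22 and a
# remote endpoint on TCP/59870, whatever the IP.
CNC_PORT = 59870
IP_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")
HTTP_ON_22 = re.compile(r"https?://[^\s/:]+:22(?:/|\s|$)", re.IGNORECASE)
ANY_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def classify(line: str) -> list:
    """Return the rule names that fire on one log line (empty list = clean)."""
    hits = []
    endpoints = {(ip, int(port)) for ip, port in IP_PORT.findall(line)}
    if IOC_CNC in endpoints:
        hits.append("known-cnc")
    elif any(port == CNC_PORT for _, port in endpoints):
        hits.append("cnc-port-pattern")
    if IOC_DOWNLOAD_SOURCE in endpoints:
        hits.append("known-download-source")
    elif HTTP_ON_22.search(line):
        hits.append("http-over-22-pattern")
    if IOC_SSH_SOURCE in ANY_IP.findall(line):
        hits.append("known-ssh-source")
    return hits


def scan(lines) -> dict:
    """Map each suspicious line to the rules it triggered; clean lines are dropped."""
    result = {}
    for line in lines:
        hits = classify(line)
        if hits:
            result[line] = hits
    return result


# Constructed sample lines modeled on the output shown in the post.
SAMPLE_LINES = [
    # netstat -napt style lines
    "tcp        0     27 diemoronz.mmd.org:39445  190.115.20.27:59870   ESTABLISHED 7391/disknyp",
    "tcp        0      0 127.0.0.1:631            0.0.0.0:*             LISTEN      -",
    "tcp        0      0 10.0.0.5:40001           203.0.113.9:59870     ESTABLISHED 4321/disknyp",
    # Squid access.log style lines for a fetch of the ELF over TCP/22
    "1388278496.123    770 10.0.0.5 TCP_MISS/200 1491887 GET http://198.2.192.204:22/disknyp - DIRECT/198.2.192.204 application/octet-stream",
    "1388278501.456    640 10.0.0.5 TCP_MISS/200 1491887 GET http://203.0.113.77:22/disknyp - DIRECT/203.0.113.77 application/octet-stream",
    # `last` style line with the SSH source quoted in @wirehack7's tweet
    "root     pts/0        218.28.116.227   Fri Dec 27 11:02 - 11:02  (00:08)",
    # benign traffic
    "tcp        0      0 10.0.0.5:52210           198.51.100.20:443     ESTABLISHED 2210/firefox",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LINES).items():
        print(", ".join(hits), "<-", line[:60])
```

The exact-match rules are the ones to turn into blocklist or IDS entries; the two port-pattern rules are deliberately broader and will need whitelisting on networks that legitimately run HTTP on port 22 or use port 59870 for something else, which is why they are reported under separate names.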
#ELF #malware spread out: http://t.co/viwD4X8cpw, http://t.co/FHGLpflxem, http://t.co/VTexFiNuDx 260533ebd353c3075c9dddf7784e86f9
— Markus R. (@wirehack7) December 28, 2013
@MalwareMustDie we had a win32 (6c159f614b51bcd670d29006a9e15467) communicate with win[.]http://t.co/ZJI4zzFo1j /190[.]115.20.14:3306 in Nov
— thedude13 (@thedude13) December 28, 2013
@thedude13 @MalwareMustDie @CERT_Polska_en yup, he recompiled it. Checksums differ every time. A persistent bugger for sure
— Leon van der Eijk (@lvdeijk) December 28, 2013
@MalwareMustDie @lvdeijk @thedude13 used source IP: "root pts/0 218.28.116.227 Fri Dec 27 11:02 - 11:02 (00:08) " #MalwareMustDie
— Markus R. (@wirehack7) December 28, 2013
@MalwareMustDie pushed yara to tag both, calling “Chicken Dos” due to win32 pdb paths having “\Chicken\” in them https://t.co/fm9gBCCyFc
— thedude13 (@thedude13) December 28, 2013
#MalwareMustDie friends. Please inform us if you see DNS-Amp ELF threat, kindly check the download & C2 source IP for takedown @thedude13
— MalwareMustDie, NPO (@MalwareMustDie) December 28, 2013
New blog post: "Another look at a cross-platform DDoS botnet" - http://t.co/zE5WEyF1zb - cc: @MalwareMustDie
— Andre M. DiMino (@sempersecurus) December 30, 2013
Suspect Information of DNS-Amp Coder
As written above, we raised an OP for this threat, and now it is up to LE to move; below is the ID of the coder. It is positive: you can find him in the snipped moronz forum below or in DK, bragging about this "amplification" tool. Since this intelligence was added to the post, our moronz has been busy deleting his trails and the threads he posted in many forums ;-)) so below are some of the many snapshots we took.
Since this prick is starting to delete his thread activities..
ps: Don't make us paste the DK posts here..
Suspect of DNS Amp info added in #MalwareMustDie blog http://t.co/9zdyr892qa Go for it LE folks! Positive catch w/tons of damage reports!
— MalwareMustDie, NPO (@MalwareMustDie) December 30, 2013
We really hope LE will mark the guy and add this crime to his sin-list. Believe me, this attack is a positive hack effort, so it is not that difficult to link all of the data gathered in this post to the moronz whose ID we spotted above.
So, is the hacker coming back after that?
The answer is YES, and below is his action "implementing" more shit in our team's trap-box. Some moronz just won't learn to stop. It is a moronz sickness..
Stay safe during the new year, and check your logs for similar SSH hack patterns.
#MalwareMustDie!