Basic information:
http://habrahabr.ru/post/213973/ (in Russian, if I could read it by Google tranlslate, so can you! It's good info)
http://securelist.com/analysis/publicat ... for-linux/
Sadly both articles not describing any samples.
Attached two samples:
1. Sample from MMD teammates blog article: http://digiforensics.blogspot.jp/2014/0 ... 1.html?m=1
Infection vector: hacked SSH
VT (4/53) : https://www.virustotal.com/en/file/1ac1 ... /analysis/
My snip of analysis reversed code, in order to recognize the threat (only):
2. Sample from aassddfFFxxx,
VT (7/52) : https://www.virustotal.com/en/file/0383 ... /analysis/
Infection vector: Exploitation of ElasticSearch flaw (base: Apache)
Snip of important point in his analysis (I asked him to post in here or to his blog to add information)
Sample (1) and (2) are attached.
Credit: Ken Pryor, Leon VDIjk, wirehack7, aassddffxxxx
#MalwareMustDie
http://habrahabr.ru/post/213973/ (in Russian, if I could read it by Google tranlslate, so can you! It's good info)
http://securelist.com/analysis/publicat ... for-linux/
Sadly both articles not describing any samples.
Attached two samples:
1. Sample from MMD teammates blog article: http://digiforensics.blogspot.jp/2014/0 ... 1.html?m=1
Infection vector: hacked SSH
VT (4/53) : https://www.virustotal.com/en/file/1ac1 ... /analysis/
My snip of analysis reversed code, in order to recognize the threat (only):
Code: Select all
Later on known as embedded object, in the the UPX packed, can be seen in .data parts:
;; Rick: Backdoor is formed from here
:: Rick: Section Header: .text
:: Rick: supose to open the TCP/10809
0x8057D40 public _Z12MainBackdoorv
0x8057D40 var_10 = dword ptr -10h
0x8057D40 var_C = dword ptr -0Ch
0x8057D40 var_8 = dword ptr -8
0x8057D40 var_4 = dword ptr -4
0x8057D40
0x8057D40 push ebp
0x8057D41 mov ebp, esp
0x8057D43 push ebx
0x8057D44 sub esp, 14h
0x8057D47 sub esp, 8
0x8057D4A push 0
0x8057D4C push 1
0x8057D4E call daemon ;; rik: It'sdaemonized, long function w/stdout to /dev/null
// Interesting hashes for further cracking ;-)))
0x8057D53 add esp, 10h
0x8057D56 shr eax, 1Fh
0x8057D59 test al, al
0x8057D5B jnz loc_8057EF0
0x8057D61 sub esp, 4
0x8057D64 push offset aB82b4cc4791409 ; offset contains = "B82B4CC4791409B3A7A71D9293700136DE2CD2A"...
0x8057D69 push offset aA9ea3ea8e500ae ; offset contains = "A9EA3EA8E500AEBAA810A4681FC2C6283E68290"...
0x8057D6E push offset a4d00a8e73e9622 ; offset contains = "4D00A8E73E96222FCF1044DA93C0270FD6FB6BF"...
// initiation, prep the /var/run (lock) & PID...
0x8057D73 call _ZN8CSysTool8SelfInitEPKcS1_S1_
0x8057D78 add esp, 10h
0x8057D7B lea eax, [ebp+var_8]
0x8057D7E sub esp, 8
0x8057D81 push offset aGetty ; contains string: "getty"
0x8057D86 push eax
0x8057D87 call _ZN8CSysTool19GetBackDoorLockFileEPKc ; file locked...
0x8057D8C add esp, 0Ch
0x8057D8F sub esp, 0Ch
0x8057D92 lea eax, [ebp+var_8]
0x8057D95 push eax
0x8057D96 call _ZNKSs5c_strEv
0x8057D9B add esp, 10h
0x8057D9E sub esp, 0Ch
0x8057DA1 push eax ; contains offset pathname (locking)
0x8057DA2 call _ZN8CSysTool10IsPidExistEPKc
0x8057DA7 add esp, 10h
0x8057DAA test al, al
0x8057DAC jz short loc_8057DB3
0x8057DAE jmp loc_8057EE1
// toying with lock PID still...
0x8057DB3 loc_8057DB3:
0x8057DB3 sub esp, 0Ch
0x8057DB6 lea eax, [ebp+var_8]
0x8057DB9 push eax
0x8057DBA call _ZNKSs5c_strEv
0x8057DBF add esp, 10h
0x8057DC2 sub esp, 8
0x8057DC5 push offset g_iBackdoorLock ; int
0x8057DCA push eax ; pathname
0x8057DCB call _ZN8CSysTool7MarkPidEPKcPi
0x8057DD0 add esp, 10h
0x8057DD3 sub esp, 8
// port...(MARKED THIS PORT NUM..)
0x8057DD6 push offset a10809 ; offset contains strings "10809"
;; Can't miss this --> .rodata:080E0B5D a10809 db '10809',0
;;
0x8057DDB push offset g_strBillPort
0x8057DE0 call _ZNSsaSEPKc
0x8057DE5 add esp, 10h
0x8057DE8 sub esp, 8
0x8057DEB push 63h
// Detect selinux and
0x8057DED push offset aSelinux ; "selinux"
0x8057DF2 call _ZN8CUtility12SetAutoStartEPKci
0x8057DF7 add esp, 10h
// This is the "Bill" system can start to be traced..
// Those leads to the mining fnction works.. loooong list to paste..(skip!)
// udevd was kicked to avoid fails..
0x8057DFA call _ZN8CSysTool11IsBillExistEv
0x8057DFF test al, al
0x8057E01 jz short loc_8057E5D
0x8057E03 lea eax, [ebp+var_10]
0x8057E06 sub esp, 8
0x8057E09 push offset aUdevd ; "udevd"
0x8057E0E push eax
// Condition to exit..
0x8057E0F call _ZN8CSysTool19GetBackDoorLockFileEPKc
0x8057E14 add esp, 0Ch
0x8057E17 sub esp, 0Ch
0x8057E1A lea eax, [ebp+var_10]
0x8057E1D push eax
0x8057E1E call _ZNKSs5c_strEv
0x8057E23 add esp, 10h
0x8057E26 sub esp, 0Ch
0x8057E29 push eax ; char *
0x8057E2A call _ZN8CSysTool7KillPidEPKc
0x8057E2F add esp, 10h
Code: Select all
.data:0814E19F 0000004F C $Info: This file is packed with the UPX executable packer http://upx.sf.net $\n
.data:0814E1EE 0000004C C $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $\n
.data:0814E242 0000001F C PROT_EXEC|PROT_WRITE failed.\nYj
2. Sample from aassddfFFxxx,
VT (7/52) : https://www.virustotal.com/en/file/0383 ... /analysis/
Infection vector: Exploitation of ElasticSearch flaw (base: Apache)
Snip of important point in his analysis (I asked him to post in here or to his blog to add information)
Sample (1) and (2) are attached.
Credit: Ken Pryor, Leon VDIjk, wirehack7, aassddffxxxx
#MalwareMustDie
Attachments
RAR5, pwd: infected
(1.3 MiB) Downloaded 131 times
(1.3 MiB) Downloaded 131 times
Last edited by unixfreaxjp on Mon Aug 11, 2014 6:25 pm, edited 2 times in total.