Recently, Google's security people reported ELF malware found on a host inside the Google Cloud network:
{
  "ip": "130.211.127.186",
  "hostname": "186.127.211.130.bc.googleusercontent.com",
  "prefix": "130.211.0.0/16",
  "org": "AS15169 Google Inc.",
  "city": "Mountain View",
  "region": "California",
  "country": "USA",
  "loc": "37.4192,-122.0574",
  "postal": "94043"
}
The files were fetched in a safe manner, as shown below:
An ELF botnet infecting routers is bad enough, but what was found in Google Cloud is a different piece of malware: many compromised servers are being used as CNC and their functionality abused.
0x01 Overview
Analysis of the ELF malware sample:
Its binary structure and view:
The header summary, obtained with readelf:
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - Linux
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0xc086b8
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         0
  Section header string table index: 0

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00c01000 0x00c01000 0x08828 0x08828 R E 0x1000
  LOAD           0x000448 0x0805f448 0x0805f448 0x00000 0x00000 RW  0x1000

There are no sections in this file.
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.
The points worth attention can be read off with objdump:
pty:     file format elf32-i386
pty
architecture: i386, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x00c086b8

Program Header:
    LOAD off    0x00000000 vaddr 0x00c01000 paddr 0x00c01000 align 2**12
         filesz 0x00008828 memsz 0x00008828 flags r-x
    LOAD off    0x00000448 vaddr 0x0805f448 paddr 0x0805f448 align 2**12
         filesz 0x00000000 memsz 0x00000000 flags rw-

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
SYMBOL TABLE:
no symbols
A strings/text analysis turns up the sample's first signature: a quote from the "bakemonogatari anime iinchou character", hard-coded in roumaji (romanized Japanese, plain ASCII):
0x02 Packer
First of all, the sample is a UPX-packed binary. Look again at its program headers:
LOAD off    0x00000000 vaddr 0x00c01000 paddr 0x00c01000 align 2**12
     filesz 0x00008840 memsz 0x00008840 flags r-x
LOAD off    0x000003a8 vaddr 0x0805f3a8 paddr 0x0805f3a8 align 2**12
     filesz 0x00000000 memsz 0x00000000 flags rw-
The first segment, mapped at 0x00c01000, holds a copy of the packed ELF header, and 0x0805f3a8 is the start of the packed data. The PoC (in radare2) is as follows:
> x 0xaa@0;x 0xaa@0x00c01000
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x00000000 7f45 4c46 0101 0103 0000 0000 0000 0000 .ELF............
0x00000010 0200 0300 0100 0000 d086 c000 3400 0000 ............4...
0x00000020 0000 0000 0000 0000 3400 2000 0200 2800 ........4. ...(.
0x00000030 0000 0000 0100 0000 0000 0000 0010 c000 ................
0x00000040 0010 c000 4088 0000 4088 0000 0500 0000 ....@...@.......
0x00000050 0010 0000 0100 0000 a803 0000 a8f3 0508 ................
0x00000060 a8f3 0508 0000 0000 0000 0000 0600 0000 ................
0x00000070 0010 0000 2efa 01da 0a00 0000 7811 0d0c ............x...
0x00000080 0000 0000 139a 0100 139a 0100 9400 0000 ................
0x00000090 5400 0000 0e00 0000 1803 003f 91d0 6b8f T..........?..k.
0x000000a0 492f fa6a e407 9a89 5c84 I/.j....\.
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x00c01000 7f45 4c46 0101 0103 0000 0000 0000 0000 .ELF............
0x00c01010 0200 0300 0100 0000 d086 c000 3400 0000 ............4...
0x00c01020 0000 0000 0000 0000 3400 2000 0200 2800 ........4. ...(.
0x00c01030 0000 0000 0100 0000 0000 0000 0010 c000 ................
0x00c01040 0010 c000 4088 0000 4088 0000 0500 0000 ....@...@.......
0x00c01050 0010 0000 0100 0000 a803 0000 a8f3 0508 ................
0x00c01060 a8f3 0508 0000 0000 0000 0000 0600 0000 ................
0x00c01070 0010 0000 2efa 01da 0a00 0000 7811 0d0c ............x...
0x00c01080 0000 0000 139a 0100 139a 0100 9400 0000 ................
0x00c01090 5400 0000 0e00 0000 1803 003f 91d0 6b8f T..........?..k.
0x00c010a0 492f fa6a e407 9a89 5c84 I/.j....\.
>[0x00c086d0]> x @0x0805f3a8
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0805f3a8 6507 7c7e 31e5 29e8 ad2e 4cd4 b883 c761 e.|~1.)...L....a
0x0805f3b8 709c 6090 b540 bb85 7ede a550 cce0 b146 p.`..@..~..P...F
0x0805f3c8 8211 fa50 5e82 d55e 2227 b678 e121 fa00 ...P^..^"'.x.!..
0x0805f3d8 f595 a5e7 5654 b02b 6c2e 4daa de34 103f ....VT.+l.M..4.?
0x0805f3e8 d119 ab5b 7c26 20e7 dd69 9df4 822b a118 ...[|& ..i...+..
0x0805f3f8 7277 8b6c fd4d ac58 49ea f06d 6611 e239 rw.l.M.XI..mf..9
But trying to unpack the binary with upx -d produces an error:
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: pty: NotPackedException: not packed by UPX
The reason is that after the binary was packed with UPX it was modified, so the unpacker can no longer find its starting marker:
Figure 1: normally UPX looks for the packer's marker
Figure 2: on this malware the PoC fails to find the packer's marker
In other words, this binary can only be unpacked by itself, or we have to put its original header values back in the expected place and then unpack it with UPX. No need to worry, there are plenty of ways to deal with this; one of them is the approach used in CTFs for custom-modified UPX packers.
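To make the "missing marker" concrete, here is an added example (editor's code, not from the original post) that parses the first 0xaa bytes dumped above and looks where a stock UPX build places its l_info / p_info / b_info records, i.e. directly after the program header table. The byte string is transcribed from the radare2 dump in this section; the record layouts follow the public UPX source (stub/src/include/linux.h), and the reading of the individual fields is the editor's. The stock marker is the four bytes "UPX!", which `upx -d` searches for; here that slot holds something else, which is exactly why it answers "not packed by UPX" even though the rest of the layout (no section headers, two PT_LOADs with the second empty on disk, matching p_filesize/p_blocksize) is the usual UPX shape.

```python
"""Parse the packed sample's ELF header and check UPX's l_info marker.

Added example, not code from the original post. HEADER_BYTES is transcribed
from the radare2 dump of the file's first 0xaa bytes. The l_info / p_info /
b_info layouts follow the public UPX source (stub/src/include/linux.h); the
interpretation of their values is the editor's.
"""
import struct

HEADER_BYTES = bytes.fromhex(
    "7f454c46010101030000000000000000"   # 0x00  e_ident: ELF32, LE, OSABI Linux
    "0200030001000000d086c00034000000"   # 0x10  EXEC, i386, entry 0xc086d0, phoff 0x34
    "00000000000000003400200002002800"   # 0x20  shoff 0, ehsize 0x34, phentsize 0x20, phnum 2
    "0000000001000000000000000010c000"   # 0x30  shnum 0; phdr[0]: LOAD, off 0, vaddr 0xc01000
    "0010c000408800004088000005000000"   # 0x40  filesz/memsz 0x8840, flags R+X
    "0010000001000000a8030000a8f30508"   # 0x50  align; phdr[1]: LOAD, off 0x3a8, vaddr 0x805f3a8
    "a8f30508000000000000000006000000"   # 0x60  filesz/memsz 0, flags RW
    "001000002efa01da0a00000078110d0c"   # 0x70  align; l_info begins at 0x74
    "00000000139a0100139a010094000000"   # 0x80  p_info; b_info.sz_unc
    "540000000e0000001803003f91d06b8f"   # 0x90  b_info.sz_cpr, method; compressed data
    "492ffa6ae4079a895c84"               # 0xa0
)

UPX_MAGIC = b"UPX!"   # l_magic written by a stock UPX build and required by `upx -d`
PT_LOAD = 1

EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz",
               "p_flags", "p_align")


def parse_elf32(buf):
    """Return (ehdr, phdrs) for the prefix of a little-endian ELF32 image."""
    if buf[:4] != b"\x7fELF" or buf[4] != 1 or buf[5] != 1:
        raise ValueError("expected a little-endian ELF32 file")
    ehdr = dict(zip(EHDR_FIELDS, struct.unpack_from("<HHIIIIIHHHHHH", buf, 16)))
    phdrs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        phdrs.append(dict(zip(PHDR_FIELDS, struct.unpack_from("<8I", buf, off))))
    return ehdr, phdrs


def parse_upx_info(buf, ehdr):
    """UPX stores l_info (12 bytes), p_info (12) and the first b_info (12)
    immediately after the program header table."""
    off = ehdr["e_phoff"] + ehdr["e_phnum"] * ehdr["e_phentsize"]
    _l_checksum, l_magic, l_lsize, l_version, l_format = struct.unpack_from("<I4sHBB", buf, off)
    _p_progid, p_filesize, p_blocksize = struct.unpack_from("<III", buf, off + 12)
    sz_unc, sz_cpr, b_method, _ftid, _cto8, _unused = struct.unpack_from("<IIBBBB", buf, off + 24)
    return {
        "l_info_offset": off,
        "l_magic": l_magic,            # should be b"UPX!" on an untouched file
        "l_lsize": l_lsize,            # size of the in-file decompression stub
        "l_version": l_version,
        "l_format": l_format,
        "p_filesize": p_filesize,      # size of the original, unpacked file
        "p_blocksize": p_blocksize,
        "first_block_unc": sz_unc,     # 0x94 = 52 + 3*32: an Elf32_Ehdr plus three phdrs
        "first_block_cpr": sz_cpr,
        "b_method": b_method,
    }


def assess(buf):
    """Combine the structural hints. A file with no section headers, two
    PT_LOADs (the second empty on disk) and a consistent p_info block is UPX
    shaped; if l_magic is not "UPX!" the marker was edited after packing."""
    ehdr, phdrs = parse_elf32(buf)
    info = parse_upx_info(buf, ehdr)
    loads = [p for p in phdrs if p["p_type"] == PT_LOAD]
    upx_shaped = (
        ehdr["e_shnum"] == 0
        and len(loads) == 2
        and loads[1]["p_filesz"] == 0
        and info["p_filesize"] == info["p_blocksize"] > 0
    )
    return {
        "ehdr": ehdr,
        "phdrs": phdrs,
        "upx": info,
        "upx_shaped": upx_shaped,
        "magic_intact": info["l_magic"] == UPX_MAGIC,
    }


if __name__ == "__main__":
    r = assess(HEADER_BYTES)
    print(f"entry 0x{r['ehdr']['e_entry']:x}, {len(r['phdrs'])} phdrs, e_shnum={r['ehdr']['e_shnum']}")
    print(f"l_info at 0x{r['upx']['l_info_offset']:x}: magic={r['upx']['l_magic']!r} "
          f"(UPX! intact: {r['magic_intact']}), stub {r['upx']['l_lsize']} bytes, "
          f"unpacked size 0x{r['upx']['p_filesize']:x}")
    print("UPX-shaped layout:", r["upx_shaped"])
```

Running it on the dumped bytes reports an intact UPX layout with the marker slot at 0x78 not equal to "UPX!", which is the condition the figures above describe; restoring those four bytes is the "put the header back" step that lets a stock upx -d proceed on a file whose only modification is the marker.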
0x03 Infection indicators
1. Malware installation
The malware installs itself by invoking execve("/bin/sh") and running a series of Linux shell commands, as detailed below:
The malware disables the Linux debugger and packet-capture tools, sets the DNS resolver to 8.8.8.8, stops or deletes the runtime files of specific services (mostly router-specific ones), and changes the firewall rules to open telnet (tcp/23), http proxy (tcp/8080) and http (tcp/80). Once it has rwx permission (chmod 700) the malware runs itself, installs a user crontab entry for persistence, and starts harvesting information.
The following runtime libraries are therefore needed during the malware's overall execution:
/etc/ld.so.cache                                    // the ELF runtime
/lib/i386-linux-gnu/i686/cmov/libc.so.6             // the ELF runtime
/lib/i386-linux-gnu/libpam.so.0                     // some user-related calls are made
/lib/i386-linux-gnu/libselinux.so.1                 // selinux
/lib/i386-linux-gnu/i686/cmov/libdl.so.2
/lib/i386-linux-gnu/i686/cmov/libnss_compat.so.2
/lib/i386-linux-gnu/i686/cmov/libnsl.so.1           // the malware uses these libs to resolve names
/lib/i386-linux-gnu/i686/cmov/libnss_nis.so.2
/lib/i386-linux-gnu/i686/cmov/libnss_files.so.2
/usr/share/locale/locale.alias                      // accompany the info harvest
/usr/share/locale/en_US/LC_MESSAGES/libc.mo
/usr/share/locale/en/LC_MESSAGES/libc.mo
/usr/share/locale/en_US/LC_MESSAGES/psmisc.mo
/usr/share/locale/en/LC_MESSAGES/psmisc.mo
/usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
In addition, the following configuration files are accessed:
/etc/rc.conf [READ]
/etc/resolv.conf [MODIFIED!]
/etc/nsswitch.conf [READ]
Information is collected by running the following commands and reading these files:
/bin/uname
/bin/nvram
/usr/sbin/nvram
/etc/ISP_name
/etc/Model_name
And the following files are deleted:
/tmp/udevd0.pid
/var/lock/.x001804289383
/var/spool/cron/crontabs/$USER   [modified, as by crontab -e]
The user crontab entry is:
* * * * * /PATH/MALWAREFILE > /dev/null 2>&1 &
Depending on the installation state, the malware can emit the following messages:
[+] Welcome to x00's cback shell %s
echo [+] you logged in at `date`
echo [+] `uname -a || cat /proc/version`
[+] you got root rights, enjoy!.
[+] Running on %s
The strings dump printed the NUL separators as '.'; the format strings that follow are shown one per line:
/bin/crontab
/usr/bin/crontab
chmod 700 %s > /dev/null 2>&1 &
touch -acmr /bin/ls %s
(crontab -l | grep -v "%s" | grep -v "no cron" | grep -v "lesshts/run.sh" > %s/.x00%u) > /dev/null 2>&1
echo "* * * * * %s > /dev/null 2>&1 &" >> %s/.x00%u
crontab %s/.x00%u
rm -rf %s/.x00%u
[+] no cronnie.
[+] forget it. .
[+] you are root tho.
/etc/rc.d/rc.local
/etc/rc.conf
./"%s%s"a.irq.#x86.777   (remaining fragment left as dumped)
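The installation strings above give a responder three concrete things to look for on a suspected host: an every-minute crontab line whose output is thrown away and which backgrounds its command, hidden scratch files named .x00 followed by a number (the `%s/.x00%u` pattern, cf. /var/lock/.x001804289383), and a resolv.conf rewritten to 8.8.8.8. The following is an added example (editor's code, not from the original post) that checks all three over constructed sample data; the exact regular expressions are the editor's reading of the quoted strings, and the sample crontab, file list and resolv.conf are made up to exercise them.

```python
"""Host-side checks for the persistence artifacts described above.

Added example, not code from the original post. The sample crontab, file
list and resolv.conf are constructed to exercise the checks; the patterns
come from the strings quoted in this section (the every-minute crontab
line redirected to /dev/null, the %s/.x00%u scratch file, and the resolver
forced to 8.8.8.8).
"""
import re

# "* * * * * /PATH/MALWAREFILE > /dev/null 2>&1 &"
MALWARE_CRON_RE = re.compile(
    r"^\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>\S+)\s*>\s*/dev/null\s+2>&1\s*&\s*$"
)
# "%s/.x00%u" scratch files, e.g. /var/lock/.x001804289383
X00_RE = re.compile(r"(?:^|/)\.x00\d+$")


def find_malicious_cron_entries(crontab_text):
    """Return the commands scheduled by lines matching the bot's crontab pattern."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MALWARE_CRON_RE.match(line)
        if m:
            hits.append(m.group("cmd"))
    return hits


def find_x00_artifacts(paths):
    """Return paths that look like the bot's .x00<number> scratch files."""
    return [p for p in paths if X00_RE.search(p)]


def nameservers(resolv_conf_text):
    """List the nameserver entries of a resolv.conf, in order."""
    out = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def assess_host(crontab_text, paths, resolv_conf_text):
    """Combine the indicators. 8.8.8.8 on its own proves nothing (plenty of
    hosts use it legitimately), so it is only reported alongside another hit."""
    cron_hits = find_malicious_cron_entries(crontab_text)
    x00_hits = find_x00_artifacts(paths)
    ns = nameservers(resolv_conf_text)
    findings = []
    if cron_hits:
        findings.append(f"every-minute crontab entries: {cron_hits}")
    if x00_hits:
        findings.append(f".x00 scratch files: {x00_hits}")
    if (cron_hits or x00_hits) and "8.8.8.8" in ns:
        findings.append(f"resolv.conf points at {ns}")
    return {"infected": bool(cron_hits or x00_hits), "findings": findings}


# Constructed sample data, not taken from a real infected host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.x/pty > /dev/null 2>&1 &
*/5 * * * * /usr/local/bin/backup.sh
"""
SAMPLE_PATHS = [
    "/var/lock/.x001804289383",
    "/var/lock/subsys/crond",
    "/tmp/udevd0.pid",
    "/home/admin/.x00500",
]
SAMPLE_RESOLV = "search example.internal\nnameserver 8.8.8.8\n"

if __name__ == "__main__":
    for finding in assess_host(SAMPLE_CRONTAB, SAMPLE_PATHS, SAMPLE_RESOLV)["findings"]:
        print("[!]", finding)
```

On a live system the inputs would be `crontab -l -u <user>` for every user, a listing of /tmp, /var/lock and home directories (dotfiles included), and /etc/resolv.conf; the every-minute line is the strongest single indicator because it is also what keeps the bot alive after it is killed.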
2. IRC botnet
The malware connects the infected node to xxx.pokemoninc.com:8080. Reversing the sample shows that the name resolves through the following DNS records (round robin):
;; QUESTION SECTION:
;xxx.pokemoninc.com. IN A
;; ANSWER SECTION:
xxx.pokemoninc.com. 845 IN CNAME bnet.pokemoninc.com.
bnet.pokemoninc.com. 845 IN A 88.198.71.83
bnet.pokemoninc.com. 845 IN A 83.143.80.227
bnet.pokemoninc.com. 845 IN A 211.103.199.98
bnet.pokemoninc.com. 845 IN A 49.231.211.193
bnet.pokemoninc.com. 845 IN A 61.156.43.106
bnet.pokemoninc.com. 845 IN A 203.141.196.145
bnet.pokemoninc.com. 845 IN A 202.103.224.85
;; AUTHORITY SECTION:
pokemoninc.com. 2644 IN NS dns1.name-services.com.
pokemoninc.com. 2644 IN NS dns2.name-services.com.
pokemoninc.com. 2644 IN NS dns3.name-services.com.
pokemoninc.com. 2644 IN NS dns5.name-services.com.
pokemoninc.com. 2644 IN NS dns4.name-services.com.
After the PING/PONG exchange the infected node logs in to the IRC server:
......PONG #[Arch] :[RangeIP]|[HOSTNAME]-xi.
.x00 localhost localhost :[DATE,i.e.:feb012016]...
It then joins via the JOIN command, using the following ID format:
JOIN :#[Arch]
BotID: [Arch]:|x|1|[ID]|[hostname]|[youtubeURL][date]
NICK [BotID]
USER x00 localhost localhost :%s   <--- $DATE
The YouTube URL embedded in the bot ID (https://www.youtube.com/watch?v=Jzqy6UJXpcQ) is itself harmless; it is only part of the identifier. The IRC bot commands the malware accepts (the !MALICIOUS! ones) were dumped into the text list below:
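For network detection, the registration sequence quoted above is a usable signature on the client side of the IRC session: a NICK carrying the `|x|1|` bot-ID fields plus a YouTube URL, a USER line of `x00 localhost localhost :<date>`, and a JOIN to `#<arch>`. The following is an added example (editor's code, not from the original post) that recognises it in a constructed client-to-server session. The session lines are made up to match the quoted formats; splitting the bot ID on "|" and taking the architecture as the text before the first colon is the editor's reading of the format and is an assumption.

```python
"""Recognise the STD bot's IRC registration in captured client traffic.

Added example, not code from the original post. The session below is
constructed from the NICK/USER/JOIN formats quoted above; the exact
delimiter handling of the bot ID is the editor's reading of that format.
"""
import re

NICK_RE = re.compile(r"^NICK\s+(?P<nick>\S+)", re.I)
USER_RE = re.compile(r"^USER\s+x00\s+localhost\s+localhost\s+:(?P<date>\S+)", re.I)
JOIN_RE = re.compile(r"^JOIN\s+:?#(?P<chan>\S+)", re.I)
PING_RE = re.compile(r"^PING\s+:?(?P<token>\S+)", re.I)
YOUTUBE_RE = re.compile(r"https?://(?:www\.)?youtube\.com/watch\?v=\S+", re.I)


def parse_bot_id(nick):
    """Split "[Arch]:|x|1|[ID]|[hostname]|[youtubeURL][date]"; None if it does not fit."""
    parts = nick.split("|")
    if len(parts) < 6 or parts[1] != "x" or parts[2] != "1":
        return None
    tail = "|".join(parts[5:])
    if not YOUTUBE_RE.search(tail):
        return None
    return {
        "arch": parts[0].rstrip(":"),
        "id": parts[3],
        "hostname": parts[4],
        "tail": tail,          # YouTube URL with the date appended
    }


def pong_for(ping_line):
    """Reply the bot must send to a server PING; useful when replaying a session."""
    m = PING_RE.match(ping_line)
    return f"PONG :{m.group('token')}" if m else None


def detect_std_bot_login(client_lines):
    """Return the bot identity if the client's registration matches the STD bot."""
    result = {"bot_id": None, "user_date": None, "channel": None}
    for line in client_lines:
        line = line.strip()
        m = NICK_RE.match(line)
        if m:
            result["bot_id"] = parse_bot_id(m.group("nick"))
            continue
        m = USER_RE.match(line)
        if m:
            result["user_date"] = m.group("date")
            continue
        m = JOIN_RE.match(line)
        if m:
            result["channel"] = m.group("chan")
    # NICK and USER together are the signature; the channel is supporting context.
    result["matched"] = result["bot_id"] is not None and result["user_date"] is not None
    return result


# Constructed session (client side only), following the formats in the post.
SAMPLE_CLIENT = [
    "NICK x86:|x|1|1804289383|router-gw|https://www.youtube.com/watch?v=Jzqy6UJXpcQfeb012016",
    "USER x00 localhost localhost :feb012016",
    "PONG :3F1A9C",
    "JOIN :#x86",
]
SAMPLE_BENIGN = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #linux",
]

if __name__ == "__main__":
    r = detect_std_bot_login(SAMPLE_CLIENT)
    print("STD bot login:", r["matched"], r["bot_id"], "channel:", r["channel"])
    print("benign client:", detect_std_bot_login(SAMPLE_BENIGN)["matched"])
    print(pong_for("PING :3F1A9C"))
```

The same three regular expressions translate directly into IDS content matches on tcp/8080 traffic to the CNC hosts listed later in this post; matching on the USER line alone is tempting but "x00 localhost localhost" is short enough to collide with other bots, so pair it with the NICK structure.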
3. The attacks
All of the attack commands can be seen in the figure above. Two of them are commands commonly seen in DDoS attacks: SUDP and UNKNOWN. Decoded back into source they look like this:
4. "User-Agent" combinations used for L7 DoS attacks
When carrying out an L7 (HTTP) DoS attack the malware cycles through a set of User-Agent strings. The set varies from build to build; the combination used by this sample is shown below:
Clearly, filtering on the User-Agent header alone is not a recommended way to block this kind of attack: the bot rotates its agents, so the defence has to key on per-source request rate and behaviour instead.
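To show why header filtering loses against a rotating User-Agent while a per-source rate check does not, here is an added example (editor's code, not from the original post). The access-log events are constructed: one source sends 150 requests in five seconds cycling through four made-up User-Agent strings, another sends 20 requests over a minute. The window and threshold are illustrative, not tuned values.

```python
"""Per-source request-rate detection that ignores the User-Agent header.

Added example, not code from the original post. The events below are
constructed: one source rotating through several User-Agent strings at
high rate, one ordinary client. Window and threshold are illustrative.
"""
from collections import defaultdict, deque


def detect_l7_flood(events, window_s=10.0, threshold=100):
    """events: iterable of (timestamp_seconds, src_ip, user_agent).

    Returns {src_ip: timestamp} for every source that sends at least
    `threshold` requests inside a sliding window of `window_s` seconds,
    with the time at which it first crossed the threshold. The User-Agent
    is deliberately ignored."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, _ua in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def user_agents_per_source(events):
    """Distinct User-Agent strings per source: a UA blocklist would need
    every one of these, and the next build changes the list."""
    seen = defaultdict(set)
    for _ts, ip, ua in events:
        seen[ip].add(ua)
    return {ip: len(uas) for ip, uas in seen.items()}


# Constructed sample traffic (addresses from the documentation ranges).
ROTATING_UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14",
    "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/33.0",
    "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14",
]
ATTACKER, CLIENT = "203.0.113.10", "198.51.100.5"
SAMPLE_EVENTS = (
    # 150 requests in 5 seconds, cycling through the UA list
    [(i * 5.0 / 150, ATTACKER, ROTATING_UAS[i % len(ROTATING_UAS)]) for i in range(150)]
    # 20 requests spread over a minute, single UA
    + [(i * 3.0, CLIENT, ROTATING_UAS[0]) for i in range(20)]
)

if __name__ == "__main__":
    print("flooding sources:", detect_l7_flood(SAMPLE_EVENTS))
    print("distinct UAs per source:", user_agents_per_source(SAMPLE_EVENTS))
```

A real deployment would feed this from the web server's access log or a flow export and key on the client address (or the X-Forwarded-For value behind a trusted proxy), and would add the usual allowances for NATed populations; the point is that the User-Agent never enters the decision.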
0x04 ELF/STD bot
This is an STD bot combined with modified kaiten code. People generally assume that STD bot derives from kaiten/ktx or tsunami, but it does not. The original STD bot was a standalone piece of code, named after its coder "stackd", who wrote the first 48 lines of it:
That code was later influenced by IRC-based bot code such as kaiten/tsunami, and with some "copypasta" modifications it became the STD bot we see today.
In this variant the coder reviewed the latest STD IRC bot source, added his own signature, and used UPX so that sysadmins, scanners and analysts would not spot the threat during static analysis.
0x05 Network threat indicators
IP addresses
130.211.127.186
88.198.71.83
83.143.80.227
211.103.199.98
49.231.211.193
61.156.43.106
203.141.196.145
202.103.224.85
GeoIP information (for cleanup purposes)
IP Address, City, Region, Country Name
130.211.127.186, Mountain View, CA, United States
88.198.71.83, , , Germany
83.143.80.227, , , Norway
211.103.199.98, Beijing, 22, China
49.231.211.193, , , Thailand
61.156.43.106, Jinan, 25, China
203.141.196.145, , , Japan
202.103.224.85, Nanning, 16, China
IP address      | Reverse DNS                                               | ASN   | Prefix           | AS name       | CC | Domain                  | ISP
130.211.127.186 | 186.127.211.130.bc.googleusercontent.com.                 | 15169 | 130.211.0.0/16   | GOOGLE        | US | google.com              | Google Inc.
88.198.71.83    | static.88-198-71-83.clients.your-server.de.               | 24940 | 88.198.0.0/16    | HETZNER       | DE | hetzner.de              | Hetzner Online AG
83.143.80.227   | kdb.servetheworld.net.                                    | 34989 | 83.143.80.0/21   | SERVETHEWORLD | NO | servetheworld.net       | ServeTheWorld AS
211.103.199.98  |                                                           | 4808  | 211.103.192.0/18 | CHINA169      | CN | gintong.com             | Beijing Huaxia Unipower Network Co. Ltd
49.231.211.193  |                                                           | 45458 | 49.231.211.0/24  | SBN-AWN-AS-02 | TH | sbn.co.th               | 408/60 PHP Bld. 15th Fl Phaholyothin Rd Samsen Nai Phayathai
61.156.43.106   |                                                           | 4837  | 61.156.0.0/16    | CHINA169      | CN | chinaunicom.com         | China Unicom Shandong Province Network
203.141.196.145 | html.city.shiojiri.lg.jp. / html.city.shiojiri.nagano.jp. | 17518 | 203.141.192.0/19 | SHIOJIRI      | JP | city.shiojiri.nagano.jp | Shiojiri City
202.103.224.85  |                                                           | 4134  | 202.103.192.0/18 | CHINANET      | CN | chinatelecom.com.cn     | ChinaNet Guangxi Province Network
Ports used
tcp/22 (remote cnc)
tcp/80 (DoS attack)
tcp/8080 (IRC connection CNC)
tcp/23 (telnet scanning)
Domains and hostnames:
pokemoninc.com (domain)
bnet.pokemoninc.com (cname)
xxx.pokemoninc.com (hostname for round robin access)
186.127.211.130.bc.googleusercontent.com (one of the payload/infection servers)
Hashes
MD5 (pty)  = fa856be9e8018c3a7d4d2351398192d8
MD5 (tty0) = 7980ffb3ad788b73397ce84b1aadf99b
MD5 (tty1) = d47a5da273175a5971638995146e8056
MD5 (tty2) = 2c1b9924092130f5c241afcedfb1b198
MD5 (tty3) = f6fc2dc7e6fa584186a3ed8bc96932ca
MD5 (tty4) = b629686b475eeec7c47daa72ec5dffc0
MD5 (tty5) = c97f99cdafcef0ac7b484e79ca7ed503
0x06 Protection and mitigation
Many routers and WiFi/WiMAX services have been compromised by this malware. Users can take the following preventive steps:
1. Change the default admin and root credentials, and set new passwords
2. Disable remote login services, or put them behind a properly configured firewall
3. Disable root login and harden SSH access: use the latest protocol version, restrict who may connect, and move it off the default port if you can
4. Deploy firewall rules so the ports cannot be scanned
5. Detect compromise by monitoring inbound/outbound traffic to xxx.pokemoninc.com on ports 8080, 80 and 23
6. Push updates
For services that are already infected:
1. Report the compromise to your CERT/CSIRT
2. Contact the device owner and reset the device
3. Return the device to the vendor according to the contract terms