MMD-0011-2013 - Let's be more serious about (mitigating) DNS Amp ELF hack attack
29 Dec 2013Background
Consider this as "another" MalwareMustDie's New Year Security Awareness.
We detected an increasing in attack in hacking for implementing DNS-Amp specially in implementation on ELF part of tools, not necessarily with the automation hacktool, but with video below as evidence showing the manual hack effort.
We bumped to this threat in early November, 2013, when our friend @lvdeijk found the set of binaries below in his honeypot:
This turned out as a set of the DNS Amp attack binaries for PE and ELF (see the "ms20" one in the above set).
We investigated the ELF and posted in our paste bin here-->>[MMD PASTEBIN].
Reversing shows that the ELF binary has codes for DNS Amplification, sensitive information stealing effort & encryption for the data, but in behavior testing was not showing any amplification instead beaconing mothership which suggesting that the linux binary is not working as per expected by the amateur-wannabe-linux-developer moronz. So we left the case for monitoring status.
After that time there were other good security people investigating the case as per below URL references explaining the threat very good, please take a look of the below good posts before continuing reading this post:
http://www.cert.pl/news/7849/langswitch_lang/en
http://remchp.com/blog/?p=52
http://securehoney.net/blog/trojan-horse-uploaded.html#.Ur7xeqX_TZs
https://isc.sans.edu/diary/Unfriendly+crontab+additions/17282
The Bad News is...
However today we face the fact that not only @lvdeijk which is still get hit by the same attacker, but one of our OTHER friend's (Thx to: @wirehack7) honeypot also got hit by the same threat, so we made precautions as PoC of attack, and this time everything was well recorded down to their shell commands used during attack in progress, as per recorded in below video:
So the BAD NEWS is..The threat is active as per Dec 27, 2013 when I write this post! And this threat lives happily ever after in infecting and hacking some UNIX environment in many networks in internet. As most of us in MMD are unixmen we couldn't stand watching this so hopefully this post will raise MORE awareness of the threat, as we also started the OP for this. I was wondering IF the ELF download source is up today so just made a quick check and found positive confirmation, I just grabbed iPad to make this video as evidence:
Host w/TCP/22 Serving DNS Amp ELF #malware hxxp://198,2,192,204:22/disknyp <#Block+regex this!
PoC: https://t.co/g58fr1IQrN
#MalwareMustDie
— MalwareMustDie, NPO (@MalwareMustDie) December 28, 2013To make it merrier..as per all people know that the VT show low detection too for these ELF (read: Linux executable binaries) scanning, as per shown in the AV result. It never reach more than 5 points so far, I am starting to wonder why there are so many Linux scanner AV product that can not detect this? A fact that users must swallow when they expect to detect this in their server by using some products.
#MalwareMustDie! #Linux #ELF #Backdoor #Trojan with low detection: VT 1/36 https://t.co/DsoEYPauKM Refer to: https://t.co/l7LX5a8inB #ITW
— MalwareMustDie, NPO (@MalwareMustDie) December 28, 2013@MalwareMustDie agreed, first seen late nov, still no detection: https://t.co/oVMW28MViQ cnc IP: 61[.]153.104.208
— thedude13 (@thedude13) December 31, 2013Moving on. Just to be sure, I made a quick re-analysing the new / recent ELF with the details below with my poor home-brew tool called fileelf, is actually bash script helping me for quick analyzing ELF binaries fast, and resulted that all functions are so equal and modification was detected only in the IP addresses destination (of the CnC). The logic is all the same, once it started the daemon it grabs all the info from environment, and then the series of "communication" begin, noted that the config created was having its initial values in the first writing, and nothing more than that, so (maybe) one should let this evil tool runs longer to monitor and record all of the CnC communication to make a better record of what this tool is actually can do.
(! ELF Analysis )So we see what the binary is all about. Below are some dis-assembly traces, which is confirming previous analysis made by many good people, so I won't make more unnecessary comments just paste my codes below:
$ fileelf ./disknyp
./disknyp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 20 81 04 08 34 00 00 00 |........ ...4...|
00000020 f4 27 12 00 00 00 00 00 34 00 20 00 05 00 28 00 |........4. ...(.|
00000030 1c 00 19 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000040
(ELF Header: )
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2s complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048120
Start of program headers: 52 (bytes into file)
Start of section headers: 1189876 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 5
Size of section headers: 40 (bytes)
Number of section headers: 28
Section header string table index: 25
(Section Headers: )
(i [Nr] Name Type Addr Off Size ES Flg Lk Inf Al )
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .note.ABI-tag NOTE 080480d4 0000d4 000020 00 A 0 0 4
[ 2] .init PROGBITS 080480f4 0000f4 000017 00 AX 0 0 4
[ 3] .text PROGBITS 08048120 000120 0e2200 00 AX 0 0 32
[ 4] __libc_freeres_fn PROGBITS 0812a320 0e2320 000f6e 00 AX 0 0 4
[ 5] __libc_thread_fre PROGBITS 0812b290 0e3290 0000e2 00 AX 0 0 4
[ 6] .fini PROGBITS 0812b374 0e3374 00001a 00 AX 0 0 4
[ 7] .rodata PROGBITS 0812b3a0 0e33a0 020c2e 00 A 0 0 32
[ 8] __libc_subfreeres PROGBITS 0814bfd0 103fd0 00003c 00 A 0 0 4
[ 9] __libc_atexit PROGBITS 0814c00c 10400c 000004 00 A 0 0 4
[10] __libc_thread_sub PROGBITS 0814c010 104010 000004 00 A 0 0 4
[11] .eh_frame PROGBITS 0814c014 104014 016a58 00 A 0 0 4
[12] .gcc_except_table PROGBITS 08162a6c 11aa6c 004f65 00 A 0 0 4
[13] .tdata PROGBITS 08168000 120000 000014 00 WAT 0 0 4
[14] .tbss NOBITS 08168014 120014 00001c 00 WAT 0 0 4
[15] .ctors PROGBITS 08168014 120014 00002c 00 WA 0 0 4
[16] .dtors PROGBITS 08168040 120040 00000c 00 WA 0 0 4
[17] .jcr PROGBITS 0816804c 12004c 000004 00 WA 0 0 4
[18] .data.rel.ro PROGBITS 08168060 120060 00063c 00 WA 0 0 32
[19] .got PROGBITS 0816869c 12069c 00005c 04 WA 0 0 4
[20] .got.plt PROGBITS 081686f8 1206f8 00000c 04 WA 0 0 4
[21] .data PROGBITS 08168720 120720 001034 00 WA 0 0 32
[22] .bss NOBITS 08169760 121754 0091d8 00 WA 0 0 32
[23] __libc_freeres_pt NOBITS 08172938 121754 000020 00 WA 0 0 4
[24] .comment PROGBITS 00000000 121754 000f78 00 0 0 1
[25] .shstrtab STRTAB 00000000 1226cc 000126 00 0 0 1
[26] .symtab SYMTAB 00000000 122c54 017d80 10 27 1221 4
[27] .strtab STRTAB 00000000 13a9d4 0319db 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
There are no section groups in this file.
(Program Headers:)
(I Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align)
LOAD 0x000000 0x08048000 0x08048000 0x11f9d1 0x11f9d1 R E 0x1000
LOAD 0x120000 0x08168000 0x08168000 0x01754 0x0a958 RW 0x1000
NOTE 0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R 0x4
TLS 0x120000 0x08168000 0x08168000 0x00014 0x00030 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
(Section to Segment mapping:)
Segment Sections...
00 .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata
__libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
01 .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
02 .note.ABI-tag
03 .tdata .tbss
04
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
(Sections:)
(a Idx Name Size VMA LMA File off Algn)
0 .note.ABI-tag 00000020 080480d4 080480d4 000000d4 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .init 00000017 080480f4 080480f4 000000f4 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
2 .text 000e2200 08048120 08048120 00000120 2**5
CONTENTS, ALLOC, LOAD, READONLY, CODE
3 __libc_freeres_fn 00000f6e 0812a320 0812a320 000e2320 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
4 __libc_thread_freeres_fn 000000e2 0812b290 0812b290 000e3290 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
5 .fini 0000001a 0812b374 0812b374 000e3374 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
6 .rodata 00020c2e 0812b3a0 0812b3a0 000e33a0 2**5
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 __libc_subfreeres 0000003c 0814bfd0 0814bfd0 00103fd0 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 __libc_atexit 00000004 0814c00c 0814c00c 0010400c 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 __libc_thread_subfreeres 00000004 0814c010 0814c010 00104010 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .eh_frame 00016a58 0814c014 0814c014 00104014 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
11 .gcc_except_table 00004f65 08162a6c 08162a6c 0011aa6c 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
12 .tdata 00000014 08168000 08168000 00120000 2**2
CONTENTS, ALLOC, LOAD, DATA, THREAD_LOCAL
13 .tbss 0000001c 08168014 08168014 00120014 2**2
ALLOC, THREAD_LOCAL
14 .ctors 0000002c 08168014 08168014 00120014 2**2
CONTENTS, ALLOC, LOAD, DATA
15 .dtors 0000000c 08168040 08168040 00120040 2**2
CONTENTS, ALLOC, LOAD, DATA
16 .jcr 00000004 0816804c 0816804c 0012004c 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .data.rel.ro 0000063c 08168060 08168060 00120060 2**5
CONTENTS, ALLOC, LOAD, DATA
18 .got 0000005c 0816869c 0816869c 0012069c 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .got.plt 0000000c 081686f8 081686f8 001206f8 2**2
CONTENTS, ALLOC, LOAD, DATA
20 .data 00001034 08168720 08168720 00120720 2**5
CONTENTS, ALLOC, LOAD, DATA
21 .bss 000091d8 08169760 08169760 00121754 2**5
ALLOC
22 __libc_freeres_ptrs 00000020 08172938 08172938 00121754 2**2
ALLOC
23 .comment 00000f78 00000000 00000000 00121754 2**0
CONTENTS, READONLY
(Tables)
Symbol table '.symtab' contains 6104 entries:
(i Num: Value Size Type Bind Vis Ndx Name)
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
1: 080480d4 0 SECTION LOCAL DEFAULT 1
2: 080480f4 0 SECTION LOCAL DEFAULT 2
3: 08048120 0 SECTION LOCAL DEFAULT 3
4: 0812a320 0 SECTION LOCAL DEFAULT 4
5: 0812b290 0 SECTION LOCAL DEFAULT 5
6: 0812b374 0 SECTION LOCAL DEFAULT 6
7: 0812b3a0 0 SECTION LOCAL DEFAULT 7
8: 0814bfd0 0 SECTION LOCAL DEFAULT 8
9: 0814c00c 0 SECTION LOCAL DEFAULT 9
10: 0814c010 0 SECTION LOCAL DEFAULT 10
[...]
(!DIR / FILES ACCESSED)
/proc/cpuinfo
/proc/stat
/proc/net/dev
/proc/%d/exe
/proc/sys/kernel/version
/proc/sys/kernel/osrelease
/proc/self/maps
/proc/sys/kernel/ngroups_max
/proc/sys/kernel/rtsig-max
/proc/self/exe
/proc/net
/proc/net/dev
/dev/null
/dev/tty
/dev/log
/dev/console
/usr/lib/locale
/usr/lib/locale/locale-archive
/usr/share/locale
/usr/share/locale
/usr/share/zoneinfo
/usr/libexec/getconf
/usr/lib/gconv
/usr/lib/gconv/gconv-modules.cache
/usr/lib/
/etc/localtime
/etc/mtab
/etc/fstab
/etc/suid-debug
/etc/resolv.conf
/etc/host.conf
/etc/nsswitch.conf
/etc/ld.so.cache
(!Daemon was initialized here)These are the templates where they put the data in variables after being grabbed:
$ cat dump |grep _ZN9CStatBase10InitializeEv
80498e3: e8 f0 a9 00 00 call 80542d8 (_ZN9CStatBase10InitializeEv)
080542d8 (_ZN9CStatBase10InitializeEv):
80542d8: 55 push %ebp
80542d9: 89 e5 mov %esp,%ebp
80542db: 83 ec 08 sub $0x8,%esp
80542de: 83 ec 0c sub $0xc,%esp
80542e1: ff 75 08 pushl 0x8(%ebp)
80542e4: e8 cb f8 ff ff call 8053bb4 (_ZN9CStatBase13GetSysVersionEv)
80542e9: 83 c4 10 add $0x10,%esp
80542ec: 83 ec 0c sub $0xc,%esp
80542ef: ff 75 08 pushl 0x8(%ebp)
80542f2: e8 1f f9 ff ff call 8053c16 (_ZN9CStatBase9GetCpuSpdEv)
80542f7: 83 c4 10 add $0x10,%esp
80542fa: 83 ec 0c sub $0xc,%esp
80542fd: ff 75 08 pushl 0x8(%ebp)
8054300: e8 49 fa ff ff call 8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
8054305: 83 c4 10 add $0x10,%esp
8054308: 83 ec 0c sub $0xc,%esp
805430b: ff 75 08 pushl 0x8(%ebp)
805430e: e8 a1 ff ff ff call 80542b4 (_ZN9CStatBase13InitGetNetUseEv)
8054313: 83 c4 10 add $0x10,%esp
8054316: c9 leave
8054317: c3 ret
(!System call grabs listed)
80498e3: e8 f0 a9 00 00 call 80542d8 (_ZN9CStatBase10InitializeEv)
804abf9: e8 ea 0b 00 00 call 804b7e8 (_ZN9CStatBase10SysVersionEv)
804ac1c: e8 df 0b 00 00 call 804b800 (_ZN9CStatBase6CpuSpdEv)
0804b7e8 (_ZN9CStatBase10SysVersionEv):
0804b800 (_ZN9CStatBase6CpuSpdEv):
08053b40 (_ZN9CStatBaseC1Ev):
08053b62 (_ZN9CStatBaseC2Ev):
08053b84 (_ZN9CStatBaseD2Ev):
08053b9c (_ZN9CStatBaseD1Ev):
08053bb4 (_ZN9CStatBase13GetSysVersionEv):
08053c16 (_ZN9CStatBase9GetCpuSpdEv):
8053c65: e9 b3 00 00 00 jmp 8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
8053ce6: 75 35 jne 8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
8053d1b: eb 29 jmp 8053d46 (_ZN9CStatBase9GetCpuSpdEv+0x130)
8053d32: 0f 85 32 ff ff ff jne 8053c6a (_ZN9CStatBase9GetCpuSpdEv+0x54)
08053d4e (_ZN9CStatBase13InitGetCPUUseEv):
08053db0 (_ZN9CStatBase9GetCPUUseEv):
8053e91: 75 22 jne 8053eb5 (_ZN9CStatBase9GetCPUUseEv+0x105)
8053eb0: e9 8b 01 00 00 jmp 8054040 (_ZN9CStatBase9GetCPUUseEv+0x290)
080542b4 (_ZN9CStatBase13InitGetNetUseEv):
080542d8 (_ZN9CStatBase10InitializeEv):
80542e4: e8 cb f8 ff ff call 8053bb4 (_ZN9CStatBase13GetSysVersionEv)
80542f2: e8 1f f9 ff ff call 8053c16 (_ZN9CStatBase9GetCpuSpdEv)
8054300: e8 49 fa ff ff call 8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
805430e: e8 a1 ff ff ff call 80542b4 (_ZN9CStatBase13InitGetNetUseEv)
08054318 (_ZN9CStatBase9GetNetUseEv):
8054353: 75 09 jne 805435e (_ZN9CStatBase9GetNetUseEv+0x46)
805435c: eb 75 jmp 80543d3 (_ZN9CStatBase9GetNetUseEv+0xbb)
80543ec: e8 ab f7 ff ff call 8053b9c (_ZN9CStatBaseD1Ev)
8054419: e8 22 f7 ff ff call 8053b40 (_ZN9CStatBaseC1Ev)
805cbba: e8 59 77 ff ff call 8054318 (_ZN9CStatBase9GetNetUseEv)
805cbcd: e8 de 71 ff ff call 8053db0 (_ZN9CStatBase9GetCPUUseEv)
(!Total SysGrabsCalls)
$ cat dump |grep ZN9C
8048523: e8 e2 4d 01 00 call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
8048550: e8 15 4e 01 00 call 805d36a (_ZN9CAutoLockD1Ev)
804856d: e8 f8 4d 01 00 call 805d36a (_ZN9CAutoLockD1Ev)
8048913: e8 f2 49 01 00 call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
804893b: e8 2a 4a 01 00 call 805d36a (_ZN9CAutoLockD1Ev)
8048958: e8 0d 4a 01 00 call 805d36a (_ZN9CAutoLockD1Ev)
80498e3: e8 f0 a9 00 00 call 80542d8 (_ZN9CStatBase10InitializeEv)
80498f3: e8 92 97 00 00 call 805308a (_ZN9CServerIP10InitializeEv)
804997e: e8 87 39 01 00 call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
8049a02: e8 63 39 01 00 call 805d36a (_ZN9CAutoLockD1Ev)
8049a25: e8 e0 38 01 00 call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
8049bcc: e8 99 37 01 00 call 805d36a (_ZN9CAutoLockD1Ev)
8049be9: e8 7c 37 01 00 call 805d36a (_ZN9CAutoLockD1Ev)
804a0a8: e8 d1 16 00 00 call 804b77e (_ZN9CTaskInfoD1Ev)
804a0c6: e8 b3 16 00 00 call 804b77e (_ZN9CTaskInfoD1Ev)
804a242: e8 37 15 00 00 call 804b77e (_ZN9CTaskInfoD1Ev)
804a260: e8 19 15 00 00 call 804b77e (_ZN9CTaskInfoD1Ev)
804a465: e8 5c 34 00 00 call 804d8c6 (_ZN9CLoopTaskC1Ev)
804a908: e8 55 5a 00 00 call 8050362 (_ZN9CServerIP7ServersEv)
804abf9: e8 ea 0b 00 00 call 804b7e8 (_ZN9CStatBase10SysVersionEv)
804ac1c: e8 df 0b 00 00 call 804b800 (_ZN9CStatBase6CpuSpdEv)
804b20d: e8 1c 05 00 00 call 804b72e (_ZN9CTaskInfoC1Ev)
804b2dd: e8 9c 04 00 00 call 804b77e (_ZN9CTaskInfoD1Ev)
804b42f: e8 fa 02 00 00 call 804b72e (_ZN9CTaskInfoC1Ev)
804b4ff: e8 7a 02 00 00 call 804b77e (_ZN9CTaskInfoD1Ev)
0804b72e (_ZN9CTaskInfoC1Ev):
0804b77e (_ZN9CTaskInfoD1Ev):
0804b7e8 (_ZN9CStatBase10SysVersionEv):
0804b800 (_ZN9CStatBase6CpuSpdEv):
804c145: e8 c0 11 01 00 call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
804c161: e8 04 12 01 00 call 805d36a (_ZN9CAutoLockD1Ev)
0804d854 (_ZN9CLoopTaskD1Ev):
804d893: e8 bc ff ff ff call 804d854 (_ZN9CLoopTaskD1Ev)
0804d8c6 (_ZN9CLoopTaskC1Ev):
804ec61: e8 a4 e6 00 00 call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
804ecc9: e8 9c e6 00 00 call 805d36a (_ZN9CAutoLockD1Ev)
804ece6: e8 7f e6 00 00 call 805d36a (_ZN9CAutoLockD1Ev)
08050362 (_ZN9CServerIP7ServersEv):
8050d39: e8 cc c5 00 00 call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
8050d98: e8 cd c5 00 00 call 805d36a (_ZN9CAutoLockD1Ev)
8050db5: e8 b0 c5 00 00 call 805d36a (_ZN9CAutoLockD1Ev)
0805302a (_ZN9CServerIPD1Ev):
08053042 (_ZN9CServerIPD2Ev):
0805305a (_ZN9CServerIPC1Ev):
08053072 (_ZN9CServerIPC2Ev):
0805308a (_ZN9CServerIP10InitializeEv):
8053168: eb 52 jmp 80531bc (_ZN9CServerIP10InitializeEv+0x132)
805318b: eb 06 jmp 8053193 (_ZN9CServerIP10InitializeEv+0x109)
80531de: e8 47 fe ff ff call 805302a (_ZN9CServerIPD1Ev)
805320b: e8 4a fe ff ff call 805305a (_ZN9CServerIPC1Ev)
08053b40 (_ZN9CStatBaseC1Ev):
08053b62 (_ZN9CStatBaseC2Ev):
08053b84 (_ZN9CStatBaseD2Ev):
08053b9c (_ZN9CStatBaseD1Ev):
08053bb4 (_ZN9CStatBase13GetSysVersionEv):
08053c16 (_ZN9CStatBase9GetCpuSpdEv):
8053c65: e9 b3 00 00 00 jmp 8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
8053ce6: 75 35 jne 8053d1d (_ZN9CStatBase9GetCpuSpdEv+0x107)
8053d1b: eb 29 jmp 8053d46 (_ZN9CStatBase9GetCpuSpdEv+0x130)
8053d32: 0f 85 32 ff ff ff jne 8053c6a (_ZN9CStatBase9GetCpuSpdEv+0x54)
08053d4e (_ZN9CStatBase13InitGetCPUUseEv):
08053db0 (_ZN9CStatBase9GetCPUUseEv):
8053e91: 75 22 jne 8053eb5 (_ZN9CStatBase9GetCPUUseEv+0x105)
8053eb0: e9 8b 01 00 00 jmp 8054040 (_ZN9CStatBase9GetCPUUseEv+0x290)
080542b4 (_ZN9CStatBase13InitGetNetUseEv):
080542d8 (_ZN9CStatBase10InitializeEv):
80542e4: e8 cb f8 ff ff call 8053bb4 (_ZN9CStatBase13GetSysVersionEv)
80542f2: e8 1f f9 ff ff call 8053c16 (_ZN9CStatBase9GetCpuSpdEv)
8054300: e8 49 fa ff ff call 8053d4e (_ZN9CStatBase13InitGetCPUUseEv)
805430e: e8 a1 ff ff ff call 80542b4 (_ZN9CStatBase13InitGetNetUseEv)
08054318 (_ZN9CStatBase9GetNetUseEv):
8054353: 75 09 jne 805435e (_ZN9CStatBase9GetNetUseEv+0x46)
805435c: eb 75 jmp 80543d3 (_ZN9CStatBase9GetNetUseEv+0xbb)
80543ec: e8 ab f7 ff ff call 8053b9c (_ZN9CStatBaseD1Ev)
8054419: e8 22 f7 ff ff call 8053b40 (_ZN9CStatBaseC1Ev)
805558a: e8 05 2e 00 00 call 8058394 (_ZN9CCrossPktC1Ev)
8055704: e8 c7 2c 00 00 call 80583d0 (_ZN9CCrossPktD1Ev)
8055727: e8 a4 2c 00 00 call 80583d0 (_ZN9CCrossPktD1Ev)
08058394 (_ZN9CCrossPktC1Ev):
080583d0 (_ZN9CCrossPktD1Ev):
80583f6: e8 d5 ff ff ff call 80583d0 (_ZN9CCrossPktD1Ev)
80587e0: e8 6f 50 ff ff call 804d854 (_ZN9CLoopTaskD1Ev)
08059b3c (_ZN9CCrossPktaSERKS_):
8059bd9: e8 5e ff ff ff call 8059b3c (_ZN9CCrossPktaSERKS_)
8059e5d: e8 da fc ff ff call 8059b3c (_ZN9CCrossPktaSERKS_)
0805a028 (_ZN9CCrossPktC1ERKS_):
805a0a3: e8 80 ff ff ff call 805a028 (_ZN9CCrossPktC1ERKS_)
805a101: e8 22 ff ff ff call 805a028 (_ZN9CCrossPktC1ERKS_)
805a1ee: e8 61 36 ff ff call 804d854 (_ZN9CLoopTaskD1Ev)
805a37a: e8 51 e0 ff ff call 80583d0 (_ZN9CCrossPktD1Ev)
805a583: e8 a0 fa ff ff call 805a028 (_ZN9CCrossPktC1ERKS_)
805a5f8: e8 3f f5 ff ff call 8059b3c (_ZN9CCrossPktaSERKS_)
805a615: e8 b6 dd ff ff call 80583d0 (_ZN9CCrossPktD1Ev)
805a638: e8 93 dd ff ff call 80583d0 (_ZN9CCrossPktD1Ev)
0805b086 (_ZN9CLoopTaskaSERKS_):
805b121: e8 60 ff ff ff call 805b086 (_ZN9CLoopTaskaSERKS_)
805b3a5: e8 dc fc ff ff call 805b086 (_ZN9CLoopTaskaSERKS_)
0805b5a8 (_ZN9CLoopTaskC1ERKS_):
805b621: e8 82 ff ff ff call 805b5a8 (_ZN9CLoopTaskC1ERKS_)
805b67f: e8 24 ff ff ff call 805b5a8 (_ZN9CLoopTaskC1ERKS_)
805b843: e8 60 fd ff ff call 805b5a8 (_ZN9CLoopTaskC1ERKS_)
805b8b8: e8 c9 f7 ff ff call 805b086 (_ZN9CLoopTaskaSERKS_)
805b8d5: e8 7a 1f ff ff call 804d854 (_ZN9CLoopTaskD1Ev)
805b8f8: e8 57 1f ff ff call 804d854 (_ZN9CLoopTaskD1Ev)
805cbba: e8 59 77 ff ff call 8054318 (_ZN9CStatBase9GetNetUseEv)
805cbcd: e8 de 71 ff ff call 8053db0 (_ZN9CStatBase9GetCPUUseEv)
0805d2d4 (_ZN9CAutoLockC2EP12CThreadMutexb):
805d2f5: 74 11 je 805d308 (_ZN9CAutoLockC2EP12CThreadMutexb+0x34)
0805d30a (_ZN9CAutoLockC1EP12CThreadMutexb):
805d32b: 74 11 je 805d33e (_ZN9CAutoLockC1EP12CThreadMutexb+0x34)
0805d340 (_ZN9CAutoLock6UnlockEv):
805d34e: 74 18 je 805d368 (_ZN9CAutoLock6UnlockEv+0x28)
0805d36a (_ZN9CAutoLockD1Ev):
805d376: e8 c5 ff ff ff call 805d340 (_ZN9CAutoLock6UnlockEv)
0805d380 (_ZN9CAutoLockD2Ev):
805d38c: e8 af ff ff ff call 805d340 (_ZN9CAutoLock6UnlockEv)
805dc03: e8 02 f7 ff ff call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805dc4d: e8 18 f7 ff ff call 805d36a (_ZN9CAutoLockD1Ev)
805dc6c: e8 99 f6 ff ff call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805dc84: e8 e1 f6 ff ff call 805d36a (_ZN9CAutoLockD1Ev)
805dca7: e8 5e f6 ff ff call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805dcdc: e8 89 f6 ff ff call 805d36a (_ZN9CAutoLockD1Ev)
805dcfa: e8 0b f6 ff ff call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805dd12: e8 53 f6 ff ff call 805d36a (_ZN9CAutoLockD1Ev)
805e05d: e8 a8 f2 ff ff call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
805e3da: e8 8b ef ff ff call 805d36a (_ZN9CAutoLockD1Ev)
805e3fd: e8 68 ef ff ff call 805d36a (_ZN9CAutoLockD1Ev)
8061161: e8 a4 c1 ff ff call 805d30a (_ZN9CAutoLockC1EP12CThreadMutexb)
80611b7: e8 ae c1 ff ff call 805d36a (_ZN9CAutoLockD1Ev)
80611d4: e8 91 c1 ff ff call 805d36a (_ZN9CAutoLockD1Ev)
(!DECRYPTOR CALLS)
0806199c (_ZN8CUtility7DeCryptEPciPKci):
80619a9: eb 37 jmp 80619e2 (_ZN8CUtility7DeCryptEPciPKci+0x46)
80619b3: 74 15 je 80619ca (_ZN8CUtility7DeCryptEPciPKci+0x2e)
80619c8: eb 13 jmp 80619dd (_ZN8CUtility7DeCryptEPciPKci+0x41)
80619e8: 7d 14 jge 80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
80619f0: 7d 0c jge 80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
80619fc: 75 ad jne 80619ab (_ZN8CUtility7DeCryptEPciPKci+0xf)
(Func_Details:)
0806199c (_ZN8CUtility7DeCryptEPciPKci):
806199c: 55 push %ebp
806199d: 89 e5 mov %esp,%ebp
806199f: 83 ec 10 sub $0x10,%esp
80619a2: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)
80619a9: eb 37 jmp 80619e2 (_ZN8CUtility7DeCryptEPciPKci+0x46)
80619ab: 8b 45 fc mov -0x4(%ebp),%eax
80619ae: 83 e0 01 and $0x1,%eax
80619b1: 84 c0 test %al,%al
80619b3: 74 15 je 80619ca (_ZN8CUtility7DeCryptEPciPKci+0x2e)
80619b5: 8b 45 fc mov -0x4(%ebp),%eax
80619b8: 89 c2 mov %eax,%edx
80619ba: 03 55 08 add 0x8(%ebp),%edx
80619bd: 8b 45 fc mov -0x4(%ebp),%eax
80619c0: 03 45 10 add 0x10(%ebp),%eax
80619c3: 8a 00 mov (%eax),%al
80619c5: 40 inc %eax
80619c6: 88 02 mov %al,(%edx)
80619c8: eb 13 jmp 80619dd (_ZN8CUtility7DeCryptEPciPKci+0x41)
80619ca: 8b 45 fc mov -0x4(%ebp),%eax
80619cd: 89 c2 mov %eax,%edx
80619cf: 03 55 08 add 0x8(%ebp),%edx
80619d2: 8b 45 fc mov -0x4(%ebp),%eax
80619d5: 03 45 10 add 0x10(%ebp),%eax
80619d8: 8a 00 mov (%eax),%al
80619da: 48 dec %eax
80619db: 88 02 mov %al,(%edx)
80619dd: 8d 45 fc lea -0x4(%ebp),%eax
80619e0: ff 00 incl (%eax)
80619e2: 8b 45 fc mov -0x4(%ebp),%eax
80619e5: 3b 45 14 cmp 0x14(%ebp),%eax
80619e8: 7d 14 jge 80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
80619ea: 8b 45 fc mov -0x4(%ebp),%eax
80619ed: 3b 45 0c cmp 0xc(%ebp),%eax
80619f0: 7d 0c jge 80619fe (_ZN8CUtility7DeCryptEPciPKci+0x62)
80619f2: 8b 45 fc mov -0x4(%ebp),%eax
80619f5: 03 45 10 add 0x10(%ebp),%eax
80619f8: 8a 00 mov (%eax),%al
80619fa: 84 c0 test %al,%al
80619fc: 75 ad jne 80619ab (_ZN8CUtility7DeCryptEPciPKci+0xf)
80619fe: c9 leave
80619ff: c3 ret
(i IP ADDRESSES:PORT)Moving along, I used my previous test bed, I am a BSD guy, so if I have to use linux is going to be slackware (read: Linux) with adding to its environment with some lib & patches to make some evil binary run as in heaven, so I ran it to PoC some functions, and the below is officially some notes that I took, this shows great deal of source of CNC:
%s:%s
%d:%d
(i CPU Information)
cpu MHz : %d.%d
cpu %llu %llu %llu %llu
(i System Variables)
%s %llu %llu %llu %llu
%7s %llu %lu %lu %lu %lu %lu %lu %lu %llu %lu %lu %lu %lu %lu %lu %lu
(%d)
[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s
%02x
%lld
%d.%d.%d.%d
/proc/%d/exe
%m/%d/%y
%H:%M
%H:%M:%S
(i Memory matters, Syslog, files, etc)
Arena %d:
system bytes = %10u
in use bytes = %10u
max mmap regions = %10u
max mmap bytes = %10lu
log: unknown facility/priority: %x
MemTotal: %ld kB
MemFree: %ld kB
%d.%d.%d.%d
opening file=%s [%lu]; direct_opencount=%u
calling fini: %s [%lu]
closing file=%s; direct_opencount=%u
file=%s [%lu]; destroying link map
%a %b %e %H:%M:%S %Y
*) NOTED: with dumping a very long disasm codes..
all show the match previous analysis by
us and by others.
(!BEHAV)So, as per shown above. The CNC is "ddos-guard.net" at 190.115.20.27:59870.. sounds spooky isn't it? for the domain name of DNS Amp's CnC.. Things are starting to smell stink indeed..go figure.
// Without permission....fail1 ** SELINUX **
[001a57a2] execve("./disknyp", ["./disknyp"], [/* 21 vars */]) = -1 EACCES (Permission denied)
[001a57a2] dup(2) = 3
[001a57a2] fcntl64(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
[001a57a2] fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
[001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fb8000
[001a57a2] _llseek(3, 0, 0xbff64900, SEEK_CUR) = -1 ESPIPE (Illegal seek)
[001a57a2] write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied) = 32
[001a57a2] close(3) = 0
[001a57a2] munmap(0xb7fb8000, 4096) = 0
[001a57a2] exit_group(1) = ?
// Without permission....fail2 ** $ENV matters, no biggies.. **
[001a57a2] execve("./disknyp", ["./disknyp"], [/* 20 vars */]) = -1 EACCES (Permission denied)
[001a57a2] dup(2) = 3
[001a57a2] fcntl64(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
[001a57a2] fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
[001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f64000
[001a57a2] _llseek(3, 0, 0xbff40920, SEEK_CUR) = -1 ESPIPE (Illegal seek)
[001a57a2] write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied) = 32
[001a57a2] close(3) = 0
[001a57a2] munmap(0xb7f64000, 4096) = 0
[001a57a2] exit_group(1) = ?
// With permission... :-))
[001a57a2] execve("./disknyp", ["./disknyp"], [/* 21 vars */]) = 0
[080f30cd] uname({sys="Linux", node="diemoronz.mmd.org", ...}) = 0
[08114ece] brk(0) = 0x906e000
[08114ece] brk(0x906ec90) = 0x906ec90
[080caaef] set_thread_area({entry_number:-1 -) 6, base_addr:0x906e830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
[0806500d] set_tid_address(0x906e878) = 7390
[080652c9] rt_sigaction(SIGRTMIN, {0x8064f18, [], SA_RESTORER|SA_SIGINFO, 0x8065240}, NULL, 8) = 0
[080652c9] rt_sigaction(SIGRT_1, {0x8064f80, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x8065240}, NULL, 8) = 0
[080650c5] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
[080f4045] getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
[080f5b37] _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfecb0d0, 30, (nil), 0}) = 0
[08114ece] brk(0x908fc90) = 0x908fc90
[08114ece] brk(0x9090000) = 0x9090000
[0806377e] open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
[080f3b7d] fstat64(3, {st_mode=S_IFREG|0644, st_size=48524976, ...}) = 0
[080f4d8a] mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7dd7000
[080f4d8a] mmap2(NULL, 888832, PROT_READ, MAP_PRIVATE, 3, 0x162) = 0xb7cfe000
[080f4d8a] mmap2(NULL, 208896, PROT_READ, MAP_PRIVATE, 3, 0x2b2) = 0xb7ccb000
[080f4d8a] mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0x21fd) = 0xb7cca000
[080cc3e9] close(3) = 0
[08114ece] brk(0x90b4000) = 0x90b4000
[08064ebc] futex(0x816980c, FUTEX_WAKE, 2147483647) = 0
[08114ece] brk(0x90d5000) = 0x90d5000
[08114b6c] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x906e878) = 7391
[080f30e7] exit_group(0) = ?
(!PS blah..)
7297 ? S 0:00 /bin/sh
7391 ? Ssl 0:00 ./disknyp <== See its PID (point of this ps buff)
7434 pts/0 R+ 0:00 ps ax
(!NETSTAT)
$ netstat -napt
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
----------------------------------------------------------------------------------------------------------
tcp 0 0 127.0.0.1:xxx 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:xxx 0.0.0.0:* LISTEN -
tcp 0 27 diemoronz.mmd.org:39445 190.115.20.27:59870 ESTABLISHED 7391/disknyp
(!LSOF)
disknyp 7391 cwd DIR 3,3 4096 343393 /home/%USER%/TRANSIT/TMP/markusELF
disknyp 7391 rtd DIR 3,3 4096 2 /
disknyp 7391 txt REG 3,3 1491887 343395 /home/%USER%/TRANSIT/TMP/markusELF/disknyp
disknyp 7391 mem REG 3,3 112260 1537133 /lib/ld-2.3.4.so
disknyp 7391 mem REG 3,3 1547732 1537211 /lib/tls/libc-2.3.4.so
disknyp 7391 mem REG 3,3 47468 1537158 /lib/libnss_files-2.3.4.so
disknyp 7391 mem REG 3,3 48524976 2068507 /usr/lib/locale/locale-archive
disknyp 7391 0u CHR 1,3 2034 /dev/null
disknyp 7391 1u CHR 1,3 2034 /dev/null
disknyp 7391 2u CHR 1,3 2034 /dev/null
disknyp 7391 3u IPv4 905808 TCP diemoronz:39445->ddos-guard.net:59870 (ESTABLISHED)
$
(!CONFIGS)
// This is where they put default port range and bind IP for the overall process:
$ cat fake.cfg
0
127.0.0.1:127.0.0.1
10000:60000
DNS-Amp CNC Traffic
Below is the CnC (corrected after internal discussion w/ @sempersecurus) traffic recorded, noted the PUSH-ACK with the certain length in the sent packet. The globes of packet of 0x00 looks poking the mothership. For the LE, is an important note here: If there is a transmitter there should be a receiver to dig at the 190.115.20.27, and you can get the full set of crime evidence.
Conclusion and Mitigation
Again. The point of this post is: Download source is ALIVE Currently:
$ wget h00p://198.2.192.204:22/disknyp -O ./samplexxxAnd the CnC is running too:
--2013-12-29 00:54:56-- h00p://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1491887 (1.4M) [application/octet-stream]
Saving to: './samplexxx'
100%[================>)] 1,491,887 174KB/s in 7.7s
2013-12-29 00:55:04 (190 KB/s) - './samplexxx' saved [1491887/1491887]
PROT LOCAL REMOTE STATUS PID / BINARY NAMETo be blocked/mitigated, PLEASE COLLECT THESE THREE SETS OF INFORMATION IN EVERY I.R FOR THIS CASE:
---------------------------------------------------------------------------------
tcp diemoronz.mmd.org:39445 190.115.20.27:59870 ESTABLISHED 7391/disknyp
198.2.192.204:22 (Download SourceIP = Hacked Site)At least this is the third time we see it downloading the ELF ones via x.x.x.x:TCP/22, and connecting to the CNC into this IP:PORT --> x.x.x.x:TCP/59870. So I really hope the regex blocking for downloading these binaries & CnC connection can be produced by IDS products sigs (i.e.: Emerging Threat, Squid ACL filter, Snort/VRT or Nessus) ASAP.
190.115.20.27:59870 (CnC, Could be Proxied)
218.28.116.227 (Hack source IP)
#ELF #malware spread out: http://t.co/viwD4X8cpw, http://t.co/FHGLpflxem, http://t.co/VTexFiNuDx 260533ebd353c3075c9dddf7784e86f9
— Markus R. (@wirehack7) December 28, 2013@MalwareMustDie we had a win32 (6c159f614b51bcd670d29006a9e15467) communicate with win[.]http://t.co/ZJI4zzFo1j /190[.]115.20.14:3306 in Nov
— thedude13 (@thedude13) December 28, 2013@thedude13 @MalwareMustDie @CERT_Polska_en yup, he recompiled it. Checksums differ every time. A persistent bugger for sure
— Leon van der Eijk (@lvdeijk) December 28, 2013@MalwareMustDie @lvdeijk @thedude13 used source IP: "root pts/0 218.28.116.227 Fri Dec 27 11:02 - 11:02 (00:08) " #MalwareMustDie
— Markus R. (@wirehack7) December 28, 2013@MalwareMustDie pushed yara to tag both, calling “Chicken Dos” due to win32 pdb paths having “\Chicken\” in them https://t.co/fm9gBCCyFc
— thedude13 (@thedude13) December 28, 2013#MalwareMustDie friends. Please inform us if you see DNS-Amp ELF threat, kindly check the download & C2 source IP for takedown @thedude13
— MalwareMustDie, NPO (@MalwareMustDie) December 28, 2013New blog post: "Another look at a cross-platform DDoS botnet" - http://t.co/zE5WEyF1zb - cc: @MalwareMustDie
— Andre M. DiMino (@sempersecurus) December 30, 2013Suspect Information of DNS-Amp Coder
As per written above we raised OP for this threat, and now is p to the LE to move, below is the ID of the coder. Is positive, you ca find him in the below snipped moronz forum or in DK and he is bragging of this "amplification" tool. As per this intelligence information added to this post, our moronz is so busy deleting his trails and thread posted in many forums ;-)) so below is some of many snapshot we took. 
Since this prick is starting deleting his thread activities..
ps: Don't make us paste the DK posts here..
Suspect of DNS Amp info added in #MalwareMustDie blog http://t.co/9zdyr892qa Go for it LE folks! Positive catch w/tons of damage reports!
— MalwareMustDie, NPO (@MalwareMustDie) December 30, 2013We really hope LE will mark the guy and this crime into his sin-list, and believe me this attack is a positive hack effort, so is not that difficult to link all of the data gathered in this post to the moronz which ID we spotted above.
So, is the hacker coming back after that?
The answer is YES and below is his action in "implementing" more shits in our team's trap-box. Some moronz just won't learn to stop. Is a moronz sickness..
Stay safe during the new year, check your logs for similar ssh hack pattern.
#MalwareMustDie!