MMD-0055-2016 - Linux/PnScan ; the ELF worm that circled around


News category: Malware / Trojans / Viruses
Source: blog.malwaremustdie.org

Background

While checking around the internet I found an interesting ELF worm distribution that may help raise awareness among fellow sysadmins. As the title says, it is a known ELF malware threat, possibly the latest variant of "Linux/PnScan", found as an x86-32 binary that seems to have been running around the web between infected nodes before it came into our hands. This worm mostly aims at embedded platforms, and I am a bit surprised to find an i86 binary hitting some Linux boxes.

This threat came to the MalwareMustDie ELF team before, and I posted an analysis on Mon Sep 28, 2015 on kernelmode [link] along with its details and threat. I thought the threat had become inactive by now, but it looks like I was wrong: the malware is still infecting as a worm and is hardcoded to aim at the 183.83.0.0/16 segment (located in the network area of the Telangana and Kashmir regions of India), where it was just spotted. Since I have never written about this as a post on this MMD blog (only on kernelmode), this seems a good time to add the data to keep track of an actively working worm threat.

Threat Indicators

For certain reasons we cannot disclose the infection source, but it is inside the targeted network mentioned above.

The file has the following indicators:


Filename: 'stdin' (.pnscan.x86-32.mmd)
Type: 'ELF 32-bit LSB executable, Intel 80386' (GNU/Linux), statically linked, stripped
Packer: 'UPX (header bit tweak) packed'
Spotted: 'Tue Aug 23 12:27:21 UTC 2016'
md5: '6fb6f95546d5bdf4db11655249ee5288'
sha1: '2d3e2ce680de6c13ab3236429efd4bca3bfaa79d'
According to VirusTotal it was first spotted months ago:
'First submission 2016-01-27 05:26:45 UTC'

A static check shows that a packed and tweaked UPX was used.


ELF Header: '↓typical packed one'
Magic: 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - GNU
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0xcfce38
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)

Program Headers: ↓'Typical UPX'
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x00c01000 0x00c01000 0xfc661 0xfc661 R E 0x1000
LOAD 0x000d68 0x08290d68 0x08290d68 0x00000 0x00000 RW 0x1000
This worm uses a customized form of the UPX header to avoid decoding↓

0x00000000 7f45 4c46 0101 0103 0000 0000 0000 0000 .ELF............
0x00000010 0200 0300 0100 0000 38ce cf00 3400 0000 ........8...4...
0x00000020 0000 0000 0000 0000 3400 2000 0200 2800 ........4. ...(.
0x00000030 0000 0000 0100 0000 0000 0000 0010 c000 ................
0x00000040 0010 c000 61c6 0f00 61c6 0f00 0500 0000 ....a...a.......
0x00000050 0010 0000 0100 0000'680d 0000 680d 2908' ........h...h.).
0x00000060 680d 2908 0000 0000 0000 0000 0600 0000 h.).............
0x00000070 0010 0000 22c0 e4b8 5550 5821 3408 0d0c ...."...UPX!4...
0x00000080 0000 0000 783f 2400 783f 2400 9400 0000 ....x?$.x?$.....
0x00000090 5d00 0000 0800 0000 771f a4f9 7f45 4c46 ].......w....ELF
0x000000a0 0100 0200 0300 1b68 8104 fbaf bddf 0834 .......h.......4
0x000000b0 0ef8 3c24 2f16 2032 2800 1000 0f00 5b5c ..
0x000000c0 e59d 1d80 4607 c807 2200 0527 db76 7fcf ....F..."..'.v..
I wrote a how-to for decoding this packer, but I am sorry that I will not expose it here.
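As an added example (not code from the original post or from MalwareMustDie), a small Python triage script that parses the first 0xd0 bytes transcribed from the dump above and reports the packed-ELF traits the readelf output shows: no section header table, two LOAD segments with the second empty, the entry point in the last page of the code segment, and the 'UPX!' marker. Treating "last 4 KiB of the code segment" as the entry-point heuristic is my own assumption.

```python
import struct

# First 0xd0 bytes of the sample, transcribed from the hex dump above and
# embedded here as the input for the check (nothing is read from disk).
PNSCAN_HEAD = bytes.fromhex(
    "7f454c46010101030000000000000000020003000100000038cecf0034000000"
    "000000000000000034002000020028000000000001000000000000000010c000"
    "0010c00061c60f0061c60f00050000000010000001000000680d0000680d2908"
    "680d29080000000000000000060000000010000022c0e4b85550582134080d0c"
    "00000000783f2400783f2400940000005d00000008000000771fa4f97f454c46"
    "0100020003001b688104fbafbddf08340ef83c242f162032280010000f005b5c"
    "e59d1d804607c80722000527db767fcf"
)
PT_LOAD, PF_X = 1, 1

def parse_elf32(data):
    """Return the ELF32 header fields and its program headers."""
    if data[:4] != b"\x7fELF" or data[4] != 1:   # EI_CLASS 1 == ELF32
        raise ValueError("not an ELF32 image")
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, _, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = \
            struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "vaddr": p_vaddr, "filesz": p_filesz,
                      "memsz": p_memsz, "flags": p_flags})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "shoff": e_shoff, "shnum": e_shnum, "phdrs": phdrs}

def packer_triage(data):
    """Flag the traits seen in the readelf output; returns (header, upx_offset, reasons)."""
    hdr = parse_elf32(data)
    loads = [p for p in hdr["phdrs"] if p["type"] == PT_LOAD]
    reasons = []
    if hdr["shoff"] == 0 and hdr["shnum"] == 0:
        reasons.append("no section header table")
    if len(loads) == 2 and loads[1]["filesz"] == 0 == loads[1]["memsz"]:
        reasons.append("two LOAD segments, the second empty (UPX stub layout)")
    if loads and loads[0]["flags"] & PF_X:
        seg_end = loads[0]["vaddr"] + loads[0]["filesz"]
        if seg_end - 0x1000 <= hdr["entry"] < seg_end:   # assumed heuristic: stub at segment end
            reasons.append("entry point in the last page of the code segment")
    upx = data.find(b"UPX!")   # l_info magic; stock UPX writes it right after the phdrs
    if upx != -1:
        reasons.append("'UPX!' marker at file offset 0x%x" % upx)
    return hdr, upx, reasons
```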

This ELF has the following dependencies:


libc-2.13.so
ld-2.13.so
It was compiled for compatibility with GCC (GNU) 4.1.x via the Toolchains compiler tool [link], with the cross-compiler option for i686 and an SSL-enabled configuration. It seems the coder uses a working desktop with the encrypted disk "/media/truecrypt1" and the work path "/my/framework/" for compiling this :) ouch!

A summary of how it works

For fellow reversers: there is nothing specifically new in use, except that the x86-32 platform is specifically aimed at and an Indian network is the target. It is a bit weird that a toolchain for i686 was used, but that also shows x86 is not the only aim.
Below is a summary of how it works:

1. It forks 4 times (5 processes including the main one)

2. It creates files with the following functionality in the work (executed) directory:


permission size date filename function
----------------------------------------------------------------
-rw-r--r-- 387 Aug 23 12:06 list2 log of connected targets (see below)
-rw-r--r-- 4 Aug 23 12:02 MalwareFile.pid PID of the main process
-rw-r--r-- 0 Aug 23 12:02 daemon.log log file (the process's fd 0 and 1 point here)
-rw-r--r-- 35 Aug 23 12:02 login2 brute force credential list
drwxr-xr-x 4096 Aug 23 12:02 files/ (not described)

3. It daemonizes and listens on these 2 TCP ports:


IPv4 TCP/*:9000 (remote access for the /check command and /upload command)
IPv4 TCP/*:1337 (remote uptime or ping quick check)

4. It initially attacks target IPs in 183.83.0.0/16 (hard coded):


Country: 'India (Telangana, Kashmir region network in India)'
For 'SSH services' on port 'TCP/22' (ssh)

5. It has a function to brute-force logins with the following credentials:


root:root
admin:admin
ubnt:ubnt

6. It confuses traffic analysis by sending an HTTP/1.1 request over SSL to twitter.com on port 443↓


write(113, "\26\3\1\2\0\1\0\1\374\3\3%\254\231\25\346\263EuU\vI\26\10bc\0I_\246\262g\273\267
\342C\24\33l\327\214R\215\0\0\240\3000\300,\300(\300$\300\24\300\n\0\245\0\243\0\241\0\237\0
k\0j\0i\0h\0009\0008\0007\0006\0\210\0\207\0\206\0\205\3002\300.\300*\300&\300\17\300\5\0\23
5\0=\0005\0\204\300/\300+\300'\300#\300\23\300\t\0\244\0\242\0\240\0\236\0g\0@\0?\0>\0003\00
02\0001\0000\0\232\0\231\0\230\0\227\0E\0D\0C\0B\3001\300-\300)\300%\300\16\300\4\0\234\0/\0\226\0A\0\7\300\22\300\10\0\26\0\23\0\20\0\r\300\r\300\3\0\n\0\377\1\0\0013\0\0\0\20\0\16
\0\0'\vtwitter.com'\0\v\0\4\3\0\1\2\0\n\0\34\0\32\0\27\0\31\0\34\0\33\0\30\0\32\0\26\0\16\0\r
\v\0\f\0\t\0\n\0\r\0 \0\36\6\1\6\2\6\3\5\1\5\2\5\3\4\1\4\2\4\3\3\1\3\2\3\3\2\1\2\2\2\3\0\17
\0\1\0013t\0\0\0\20\0\v\0\t'\10http/1.1'\0\25\0\267\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
:
0\0\0\0\0\0\0", 517)
This behaviour is also already known.

Infection Symptoms

An infected node will show traces of this process, created during the initial infection:


stdin 2712 root cwd DIR 8,1 4096 131126 /test/
stdin 2712 root rtd DIR 8,1 4096 2 /
stdin 2712 root txt REG 8,1 1034309 131146 /test/stdin
stdin 2712 root 0u REG 8,1 0 131171 /test/daemon.log
stdin 2712 root 1u REG 8,1 0 131171 /test/daemon.log
stdin 2712 root 2u CHR 136,0 0t0 3 /dev/pts/0
stdin 2712 root 3r FIFO 0,8 0t0 6188 pipe
stdin 2712 root 4w FIFO 0,8 0t0 6188 pipe
stdin 2712 root 5u 0000 0,9 0 1185 anon_inode
stdin 2712 root 6u unix 0xcda07300 0t0 6191 socket
stdin 2712 root 7u unix 0xce020d40 0t0 6192 socket
stdin 2712 root 8u IPv4 6193 0t0 TCP *:9000 (LISTEN)
stdin 2712 root 9u 0000 0,9 0 1185 anon_inode
stdin 2712 root 10u unix 0xce020ac0 0t0 6194 socket
stdin 2712 root 11u unix 0xce020840 0t0 6195 socket
stdin 2712 root 12u IPv4 6196 0t0 TCP *:1337 (LISTEN)

The launched attack can be seen in the network connections, like this:


stdin 2712 root 13u IPv4 6197 0t0 TCP x.x.x.x:40709->183.83.0.0:22 (SYN_SENT)
stdin 2712 root 14u IPv4 6198 0t0 TCP x.x.x.x:37944->183.83.0.1:22 (SYN_SENT)
stdin 2712 root 15u IPv4 6199 0t0 TCP x.x.x.x:35576->183.83.0.2:22 (SYN_SENT)
stdin 2712 root 16u IPv4 6200 0t0 TCP x.x.x.x:41811->183.83.0.3:22 (SYN_SENT)
stdin 2712 root 17u IPv4 6201 0t0 TCP x.x.x.x:43278->183.83.0.4:22 (SYN_SENT)
stdin 2712 root 18u IPv4 6202 0t0 TCP x.x.x.x:37969->183.83.0.5:22 (SYN_SENT)
stdin 2712 root 19u IPv4 6203 0t0 TCP x.x.x.x:39383->183.83.0.6:22 (SYN_SENT)
stdin 2712 root 20u IPv4 6204 0t0 TCP x.x.x.x:38038->183.83.0.7:22 (SYN_SENT)
stdin 2712 root 21u IPv4 6205 0t0 TCP x.x.x.x:35040->183.83.0.8:22 (SYN_SENT)
stdin 2712 root 22u IPv4 6206 0t0 TCP x.x.x.x:59569->183.83.0.9:22 (SYN_SENT)
stdin 2712 root 23u IPv4 6207 0t0 TCP x.x.x.x:50921->183.83.0.10:22 (SYN_SENT)
stdin 2712 root 24u IPv4 6208 0t0 TCP x.x.x.x:36079->183.83.0.11:22 (SYN_SENT)
stdin 2712 root 25u IPv4 6209 0t0 TCP x.x.x.x:35134->183.83.0.12:22 (SYN_SENT)
stdin 2712 root 26u IPv4 6210 0t0 TCP x.x.x.x:59932->183.83.0.13:22 (SYN_SENT)
stdin 2712 root 27u IPv4 6211 0t0 TCP x.x.x.x:35682->183.83.0.14:22 (SYN_SENT)
stdin 2712 root 28u IPv4 6212 0t0 TCP x.x.x.x:57709->183.83.0.15:22 (SYN_SENT)
: :
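As an added example (my own detection logic, not from the original post), a Python check that runs over lsof-style lines like the ones above and flags the two host-level traits of this worm: one process listening on both TCP 9000 and 1337, and one process fanning out half-open SSH connections across a /16. The sample input is transcribed from the listings above plus one constructed benign sshd line; the fan-out threshold of 3 is an assumption for the small sample and would be set much higher in production.

```python
import re
from collections import defaultdict

# lsof-style lines transcribed from the infected node above, plus one
# constructed benign sshd line; the x.x.x.x source is masked as on the page.
LSOF_SAMPLE = """\
stdin 2712 root 8u IPv4 6193 0t0 TCP *:9000 (LISTEN)
stdin 2712 root 12u IPv4 6196 0t0 TCP *:1337 (LISTEN)
stdin 2712 root 13u IPv4 6197 0t0 TCP x.x.x.x:40709->183.83.0.0:22 (SYN_SENT)
stdin 2712 root 14u IPv4 6198 0t0 TCP x.x.x.x:37944->183.83.0.1:22 (SYN_SENT)
stdin 2712 root 15u IPv4 6199 0t0 TCP x.x.x.x:35576->183.83.0.2:22 (SYN_SENT)
stdin 2712 root 16u IPv4 6200 0t0 TCP x.x.x.x:41811->183.83.0.3:22 (SYN_SENT)
sshd 801 root 3u IPv4 1201 0t0 TCP *:22 (LISTEN)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE), as in the listing above
LSOF_RE = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv4\s+\d+"
                     r"\s+\S+\s+TCP\s+(?P<name>\S+)\s+\((?P<state>\w+)\)$")

def parse_lsof(text):
    """Return the TCP rows of an lsof listing as dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LSOF_RE.match, text.splitlines()) if m]

def find_pnscan_traits(text, min_fanout=3):
    """Map PID -> reasons for the two traits shown above: the 9000/1337 listeners
    and one process fanning out half-open SSH connections across a /16."""
    listens = defaultdict(set)   # pid -> listening ports
    targets = defaultdict(set)   # pid -> hosts with an outbound SYN_SENT to :22
    for r in parse_lsof(text):
        if r["state"] == "LISTEN":
            listens[r["pid"]].add(int(r["name"].rsplit(":", 1)[1]))
        elif "->" in r["name"] and r["state"] == "SYN_SENT":
            host, port = r["name"].split("->", 1)[1].rsplit(":", 1)
            if port == "22":
                targets[r["pid"]].add(host)
    findings = {}
    for pid in set(listens) | set(targets):
        reasons = []
        if {9000, 1337} <= listens[pid]:
            reasons.append("listens on TCP 9000 and 1337 (the worm's remote-access and ping ports)")
        if len(targets[pid]) >= min_fanout:
            slash16 = {".".join(h.split(".")[:2]) for h in targets[pid]}
            reasons.append("%d half-open SSH connections into %d /16 prefix(es)"
                           % (len(targets[pid]), len(slash16)))
        if reasons:
            findings[pid] = reasons
    return findings
```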

Each connected target is logged in the "list2" file:


0000 31 38 33 2e 38 33 2e 30 2e 33 33 3b 32 32 3b 0a |183.83.0.33;22;.|
0010 31 38 33 2e 38 33 2e 30 2e 38 30 3b 32 32 3b 0a |183.83.0.80;22;.|
0020 31 38 33 2e 38 33 2e 32 2e 32 36 3b 32 32 3b 0a |183.83.2.26;22;.|
0030 31 38 33 2e 38 33 2e 32 2e 34 31 3b 32 32 3b 0a |183.83.2.41;22;.|
0040 31 38 33 2e 38 33 2e 32 2e 31 31 30 3b 32 32 3b |183.83.2.110;22;|
0050 0a 31 38 33 2e 38 33 2e 32 2e 32 31 30 3b 32 32 |.183.83.2.210;22|
0060 3b 0a 31 38 33 2e 38 33 2e 33 2e 32 32 3b 32 32 |;.183.83.3.22;22|
0070 3b 0a 31 38 33 2e 38 33 2e 33 2e 31 34 38 3b 32 |;.183.83.3.148;2|
0080 32 3b 0a 31 38 33 2e 38 33 2e 34 2e 39 33 3b 32 |2;.183.83.4.93;2|
0090 32 3b 0a 31 38 33 2e 38 33 2e 34 2e 31 35 36 3b |2;.183.83.4.156;|
00a0 32 32 3b 0a 31 38 33 2e 38 33 2e 35 2e 31 36 3b |22;.183.83.5.16;|
00b0 32 32 3b 0a 31 38 33 2e 38 33 2e 35 2e 32 30 36 |22;.183.83.5.206|
00c0 3b 32 32 3b 0a 31 38 33 2e 38 33 2e 36 2e 31 32 |;22;.183.83.6.12|
00d0 37 3b 32 32 3b 0a 31 38 33 2e 38 33 2e 37 2e 34 |7;22;.183.83.7.4|
00e0 33 3b 32 32 3b 0a 31 38 33 2e 38 33 2e 37 2e 31 |3;22;.183.83.7.1|
00f0 32 33 3b 32 32 3b 0a 31 38 33 2e 38 33 2e 37 2e |23;22;.183.83.7.|
0100 31 38 37 3b 32 32 3b 0a 31 38 33 2e 38 33 2e 31 |187;22;.183.83.1|
0110 31 2e 35 31 3b 32 32 3b 0a 31 38 33 2e 38 33 2e |1.51;22;.183.83.|
0120 31 31 2e 38 34 3b 32 32 3b 0a 31 38 33 2e 38 33 |11.84;22;.183.83|
0130 2e 31 31 2e 31 36 38 3b 32 32 3b 0a 31 38 33 2e |.11.168;22;.183.|
0140 38 33 2e 31 32 2e 31 34 35 3b 32 32 3b 0a 31 38 |83.12.145;22;.18|
0150 33 2e 38 33 2e 31 32 2e 32 34 30 3b 32 32 3b 0a |3.83.12.240;22;.|
0160 31 38 33 2e 38 33 2e 31 33 2e 31 36 32 3b 32 32 |183.83.13.162;22|
0170 3b 0a 31 38 33 2e 38 33 2e 31 34 2e 39 32 3b 32 |;.183.83.14.92;2|
0180 32 3b 0a |2;.|

The brute-force list trace can be found in the file "login2":


0000 72 6f 6f 74 3b 72 6f 6f 74 3b 0a 61 64 6d 69 6e |root;root;.admin|
0010 3b 61 64 6d 69 6e 3b 0a 75 62 6e 74 3b 75 62 6e |;admin;.ubnt;ubn|
0020 74 3b 0a |t;.|
0023

Note: the PID of the main process is saved in [MalwareFile].pid:


0000 32 37 31 32 |2712|
0004

Conclusion, Samples & Reference

This worm is re-infecting i86 Linux machines in the target mentioned above, and all of the data posted above is important for blocking its distribution. The worm hits a box, scans for more and hits some more too; I guess this has been going on from 6 months ago until now, and the hacker is sitting in a Russian network for accessing any accessible infected nodes. If you take a closer look at the auth data explained above, you may guess which distribution of boxes is actually aimed at.

You will find deeper detail in the previous writing & thread here --> [link]
The sample is in VirusTotal [link]
Dr. Web wrote about this threat [link]
PS: A warning about this threat was sent to the regional CERT.

#MalwareMustDie!
