What's in the honeypot? Shellshock to Remote Control / DDoS Bot

Today, while searching through what the honeypots had gathered, we found yet another attempt at executing commands through the Shellshock vulnerability. Below is the log that we are going to look at more closely.

Looking at the information provided in the log above, we gather the following two IP addresses.

- Using APNIC.net, the information below is returned about the first IP address:
descr:CHINANET shanghai province network
descr:China Telecom
descr:No1,jin-rong Street
descr:Beijing 100032
country:CN

- Using APNIC.net, the information below is returned about the second IP address:
descr:CHINANET jiangsu province network
descr:China Telecom
descr:A12,Xin-Jie-Kou-Wai Street
descr:Beijing 100088
Inside the User-Agent header, where they are executing the command through the Shellshock vulnerability, is the download of a file called java. After downloading this file you can see that it is an "ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped".

If we look at the strings of this file we are able to pull out a few artifacts of interest. The first is an email address, "keld@dkuug.dk". This email address is probably not related to the malware authors; it is more likely referenced in a library that is used inside the malware.

Looking further at the strings, you can identify what the malware is used for after it is executed:

It appears that this is being used on a Linux server to play a part in DDoS attacks. You can see the attack on UDP (possibly NTP), SYN attack, ICMP attack, DNS, DNS amplification attacks, and others. Then in the strings you come across a list of IP addresses. As I looked at a few of these addresses, they appeared to be in Asia.

Looking at the IP addresses, I am not sure whether these are targets of the DDoS, IP addresses to avoid, or just a list of IP addresses they decided to place in the malware.

Upon execution, the malware makes a static connection over port 25000 back to the IP address that the malware was downloaded from.

The malware also copies itself into /usr/bin and creates a hidden file called .sshd.
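The static triage steps above (file type, strings, the email address, the attack names and IP list, and the hidden path under /usr/bin) as an added Python example; this is not the post's own tooling, and it runs on a constructed stand-in for the sample rather than the real binary.

```python
import re
import struct

# Constructed stand-in for the downloaded "java" sample: a minimal ELF32 LSB
# header followed by strings like the ones the post pulls out. Not the real
# binary; the two IPs are documentation addresses chosen for this example.
SAMPLE = (
    b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7  # e_ident: ELFCLASS32, ELFDATA2LSB
    + struct.pack("<HH", 2, 3)                         # e_type=ET_EXEC, e_machine=EM_386
    + b"\x00" * 32                                     # remainder of the 52-byte header
    + b"UDP Flood\x00SYN Flood\x00ICMP Flood\x00DNS Amplification\x00"
    + b"keld@dkuug.dk\x00/usr/bin/.sshd\x00lzj.passwd1.com\x00"
    + b"203.0.113.7\x00198.51.100.12\x00"
)

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
HIDDEN_PATH = re.compile(r"^/.*/\.[^/\s]+$")   # absolute path ending in a dot-file
ATTACK_WORDS = ("UDP", "SYN", "ICMP", "DNS")


def elf_info(data):
    """Read the fields behind `file`'s "ELF 32-bit LSB executable, Intel 80386"."""
    if data[:4] != b"\x7fELF":
        return None
    order = "<" if data[5] == 1 else ">"          # EI_DATA picks the byte order
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "bits": {1: 32, 2: 64}.get(data[4]),      # EI_CLASS
        "endian": {1: "LSB", 2: "MSB"}.get(data[5]),
        "executable": e_type == 2,                # ET_EXEC
        "i386": e_machine == 3,                   # EM_386
    }


def strings(data):
    """Printable ASCII runs of 4+ bytes, the same thing the `strings` tool prints."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{4,}", data)]


def triage(data):
    """Group the extracted strings into the artifact classes discussed in the post."""
    found = strings(data)
    return {
        "elf": elf_info(data),
        "emails": sorted({s for s in found if EMAIL.fullmatch(s)}),
        "domains": sorted({s for s in found if DOMAIN.fullmatch(s)}),
        "ips": sorted({s for s in found if IPV4.fullmatch(s)}),
        "attack_strings": [s for s in found if any(w in s for w in ATTACK_WORDS)],
        "hidden_paths": [s for s in found if HIDDEN_PATH.match(s)],
    }
```

Running `triage(open(path, "rb").read())` on a real download gives the same grouping; the domain and hidden-path lists are the ones to feed into DNS and host-based monitoring.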

After uploading the malware to VirusTotal, its first detection dated back to early March. This confirmed my theory of it being a tool used in DDoS and to remotely control the server. If you would like to see the information on virustotal.com, click here.

Also during the research I found that it was trying to do a DNS lookup for the following domain: lzj.passwd1.com
This domain is flagged on VirusTotal, and you can see the results here.

Looking at the parent domain, passwd1.com, you identify that it is related to other activity that is flagged by VirusTotal.

You also learn that it is registered at godaddy.com. The above information can be found here. Looking at the history of this domain, it has an interesting past going back to June 6, 2014.
