Saturday, March 28, 2015

What's in the honeypot? Shellshock to Remote Control / DDoS Bot

Today in searching through what is gathered in the honeypots we found yet another attempt attempt at executing commands through the Shellshock vulnerability.  Below is the log that we are going to look at closer.


Looking at the information provided in the log above we gather the following 2 IP Addresses.

222.66.95.253 - Using APNIC.net the below information is returned about the IP Address


descr:CHINANET shanghai province network


descr:China Telecom


descr:No1,jin-rong Street


descr:Beijing 100032


country:CN


61.160.212.172 - Using APNIC.net the below information is returned about the IP Address


descr:CHINANET jiangsu province network


descr:China Telecom


descr:A12,Xin-Jie-Kou-Wai Street


descr:Beijing 100088


country:CN
Inside the User Agent where they are executing the command through the shellshock vulnerability is the download of a file called java. After downloading this file you can see that it is a "ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped"

If we look at the strings of this file we are able to pull out a few artifacts of interest.  The first is an email address of "keld@dkuug.dk".  This email is probably not related to the malware, possibly is referenced in a library that they use inside of the malware.

Then looking at the strings you can identify what the malware after it is executed is being used for:

It appears that this is being used on a Linux server to play a part in DDoS attacks.  You can see the Attack on UDP (Possilby NTP), SYN attack, ICMP Attack, DNS, DNS Amplification attacks, and others.  Then in the strings you come across a list of IP Addresses.  As I looked at a few of these addresses they appeared to be in Asia.

58.22.96.6658.240.57.3358.241.208.4658.242.2.259.51.78.210
60.191.244.561.10.0.13061.10.1.13061.128.114.13361.128.114.166
61.128.128.6861.128.192.6861.130.254.3461.132.163.6861.134.1.4
61.139.2.6961.139.39.7361.139.54.6661.147.37.161.166.150.101
61.166.150.12361.166.150.13961.166.25.12961.177.7.161.187.98.3
61.187.98.661.233.9.6161.233.9.961.234.254.561.235.164.13
61.235.164.1861.235.70.9861.236.93.3361.31.1.161.31.233.1
61.60.224.361.60.224.5101.47.189.10101.47.189.18112.100.100.100
112.4.0.55113.111.211.22114.114.114.114114.114.115.115116.228.111.118
118.29.249.50118.29.249.54119.233.255.228119.6.6.6122.72.33.240
124.161.97.234124.161.97.238124.161.97.242124.207.160.110139.175.10.20
139.175.150.20139.175.252.16139.175.55.244168.95.1.1168.95.192.1
168.95.192.174180.168.255.18202.100.192.68202.100.199.8202.100.96.68
202.101.107.85202.101.224.68202.101.226.68202.101.6.2202.101.98.55
202.102.128.68202.102.134.68202.102.152.3202.102.154.3202.102.192.68
202.102.199.68202.102.200.101202.102.213.68202.102.224.68202.102.227.68
202.102.24.34202.102.3.141202.102.3.144202.102.7.90202.102.8.141
202.102.9.141202.103.0.117202.103.0.68202.103.176.22202.103.224.68
202.103.225.68202.103.243.112202.103.24.68202.103.44.150202.103.96.112
202.106.0.20202.106.195.68202.106.196.115202.106.196.212202.106.196.228
202.106.196.230202.106.196.232202.106.196.237202.106.46.151202.112.112.10
202.112.144.30202.113.16.10202.113.16.11202.114.0.242202.114.240.6
202.115.32.36202.115.32.39202.117.96.10202.117.96.5202.118.1.29
202.118.1.53202.14.67.14202.14.67.4202.175.3.3202.175.3.8
202.193.64.33202.196.64.1202.203.128.33202.203.144.33202.203.160.33
202.203.192.33202.203.208.33202.203.224.33202.38.64.1202.45.84.58
202.45.84.67202.60.252.8202.85.128.32202.96.103.36202.96.104.15
202.96.104.26202.96.107.27202.96.128.166202.96.128.68202.96.128.86
202.96.134.133202.96.134.33202.96.144.47202.96.154.15202.96.209.133
202.96.209.5202.96.64.68202.96.69.38202.96.75.68202.96.86.18
202.96.96.68202.97.224.68202.97.7.17202.97.7.6202.98.0.68
202.98.192.67202.98.198.167202.98.224.68202.98.5.68202.98.96.68
202.99.104.68202.99.160.68202.99.166.4202.99.168.8202.99.192.66
202.99.192.68202.99.224.67202.99.224.8202.99.96.68203.142.100.18
203.142.100.21203.186.94.20203.186.94.241203.80.96.9210.200.211.193
210.200.211.225210.21.196.6210.21.3.140210.21.4.130210.38.192.33
210.42.241.1211.103.13.101211.136.112.50211.136.150.66211.136.17.107
211.136.28.231211.136.28.234211.136.28.237211.137.160.185211.137.160.5
211.137.241.34211.137.32.178211.138.106.19211.138.145.194211.138.151.161
211.138.156.66211.138.164.6211.138.180.2211.138.200.69211.138.240.100
211.138.242.18211.138.245.180211.138.75.123211.138.91.1211.139.1.3
211.139.2.18211.139.29.150211.139.29.170211.139.29.68211.139.73.34
211.140.197.58211.141.16.99211.141.90.68211.142.210.100211.142.210.98
211.147.6.3211.161.158.11211.161.159.3211.162.61.225211.162.61.235
211.162.61.255211.162.62.1211.162.62.60211.78.130.1211.90.72.65
211.90.80.65211.91.88.129211.92.136.81211.92.144.161211.93.0.81
211.93.24.129211.93.64.129211.95.193.97211.95.1.97211.95.72.1
211.97.64.129211.97.96.65211.98.121.27211.98.2.4211.98.4.1
211.98.72.7218.104.111.114218.104.111.122218.104.128.106218.104.32.106
218.104.78.2218.106.127.114218.106.127.122218.108.248.219218.108.248.245
218.2.135.1218.201.17.2218.202.152.130218.203.101.3218.203.160.194
218.30.19.40218.30.19.50218.6.200.139218.76.192.100218.85.152.99
218.85.157.99218.89.0.124219.141.136.10219.141.140.10219.141.148.37
219.141.148.39219.146.1.66219.147.1.66219.147.198.230219.148.204.66
219.149.194.55219.149.6.99219.150.32.132219.235.127.1219.239.26.42
219.72.225.253220.168.208.3220.168.208.6220.170.64.68221.11.132.2
221.12.1.227221.12.33.227221.130.252.200221.130.32.100221.130.32.103
221.130.32.106221.130.32.109221.130.33.52221.130.33.60221.131.143.69
221.176.3.70221.176.3.73221.176.3.76221.176.3.79221.176.3.83
221.176.3.85221.176.4.12221.176.4.15221.176.4.18221.176.4.21
221.176.4.6221.176.4.9221.228.255.1221.232.129.30221.3.131.11
221.4.66.66221.5.203.86221.5.203.90221.5.203.98221.5.88.88
221.6.4.66221.7.1.20221.7.128.68221.7.136.68221.7.34.10
221.7.92.86221.7.92.98222.172.200.68222.221.5.240222.222.222.222
222.243.129.81222.246.129.80222.45.0.110222.45.1.40222.46.120.5
222.47.29.93222.47.62.142222.52.118.162222.75.152.129222.85.85.85
222.88.88.88

Looking at the IP Addresses I am not sure if these are targets of the DDoS, IP Addresses to avoid, or just a list of IP Addresses they decided to place in the malware.

Upon executing the malware it makes a static connection over port 25000 back to the IP Address that the malware came from.


The malware also copies itself into /usr/bin and creates a hidden file called .sshd.

After uploading the malware to virustotal its initial detection went back to early March.  It confirmed my theory of it being a tool used in DDoS and to remotely control the server.  If you would like to go to the information on virustotal.com click here.

Also in the research I found that it was trying to do a DNS lookup for the following domain lzj.passwd1.com
This domain on virustotal is flagged and you can see the results here.

Looking at the parent domain of passwd1.com you identify that it is related to other activity that is flagged by virustotal.

You also learn that it is registered at godaddy.com.  The above information can be found here.  Looking at the history of this domain it has an interesting past going back to June 6, 2014.







at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...