Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

Linux Trojan: Linux/Bckdr-RKC 02-2012

By: a guest on Feb 14th, 2012  |  syntax: None  |  size: 15.74 KB  |  views: 904  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. Linux Trojan: Linux/Bckdr-RKC *NEW!* Feb 2012
  2. =============================================
  3. - http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux~Bckdr-RKC.aspx
  4. - http://tinyurl.com/Linux-Bckdr-RKC
  5.  
  6. Category: Viruses and Spyware
  7. Protection available since: 22 Dec 2011 08:23:46 (GMT)
  8. Type: Trojan
  9. Affected Operating Systems: Linux
  10. © 1997 - 2012 Sophos Ltd.
  11. =============================================
  12. * http://pastebin.com/u/CaffeineSecurity
  13. |
  14.  \__Linux/Bckdr-RKC Strings
  15.    http://pastebin.com/RZAnDnkz
  16.  \__Linux/Bckdr-RKC New Variant St...
  17.    http://pastebin.com/0hqYbT8m
  18.  \__Linux/Bckdr-RKC New Variant Diff
  19.    http://pastebin.com/ePdRxsT4
  20.  \__.ssyslog - first section decom...
  21.    http://pastebin.com/Tenmhmnf
  22. =============================================
  23. Linux/Bckdr-RKC: A New Variant Appears
  24.  
  25. - http://caffeinesecurity.blogspot.com/2011/12/linuxbckdr-rkc-new-variant-appears.html
  26. - http://tinyurl.com/Linux-Bckdr-RKC-part1
  27.  
  28. "Someone was busy this Christmas.
  29. A new variant of Linux/Bckdr-RKC has been placed on my honeypot.
  30. Unfortunately detections by Sophos do not detect this variant, so I've sent it back to them for analysis.
  31. I have posted the strings from the unpacked malware, as well as a diff between the strings of the old version and new version.
  32. I will post updates as I can.
  33. Posted by Ken on 12/26/2011"
  34. =============================================
  35. Linux/Bckdr-RKC Initial Analysis
  36.  
  37. - http://caffeinesecurity.blogspot.com/2011/12/linuxbckdr-rkc-initial-analysis.html
  38. - http://tinyurl.com/Linux-Bckdr-RKC-part2
  39.  
  40. "A malicious user dropped off a VERY interesting piece of malware on my honeypot today with the filename ".xsyslog"
  41. This piece of malware was previously undetected, and many kudos to Sophos for being the first to confirm my findings that the software was malicious.
  42. So far, I have been able to determine the following:
  43. This is a UPX packed Linux ELF which appears to have been around since late November 2011, according to internet searches.
  44. The malware is installed from a compromised system after cracking a SSH server's root password, in the path /etc/.xsyslog
  45. The malware is downloaded from an IP address which appears to be hosted in Hong Kong by a fake corporation: 216.83.44.229 port 99
  46. It phones home to an IP address which appears to be hosted by the same fake corporation: 216.83.44.226 port 81
  47. I have uploaded all relevant strings within the unpacked file to Pastebin.
  48. I will provide additional details as I find/receive them.  This malware has been forwarded to US-CERT, as well as multiple anti-virus vendors.
  49.  
  50. Track current AV coverage at"
  51. http://md5.virscan.org/58c23ca549c941f0d44b35fa31d77011
  52.  
  53. Related Reading:
  54. Sophos Whitepaper Protection for Mac and Linux Computers: Genuine Need or Nice to Have?
  55. - http://caffinesecurity-blogspot.tradepub.com/free/w_aaaa1364/?p=w_aaaa1364
  56. Posted by Ken on 12/21/2011
  57. =============================================
  58. Chinese Origins in .ssyslog Decompiled - Linux/Bckdr-RKC
  59.  
  60. - http://caffeinesecurity.blogspot.com/2011/12/chinese-origins-in-ssyslog-decompiled.html
  61. - http://tinyurl.com/Linux-Bckdr-RKC-part-3
  62.  
  63. I have partially decompiled the second piece of malware which was similar to the original Linux/Bckdr-RKC dropped on my honeypot.
  64.  
  65. I am publicly posting the first section of this file to highlight my findings so far... -- http://pastebin.com/Tenmhmnf
  66.  
  67. Update: The full decompiled source of both pieces of malware is now available at SlingFile. -- hxxp://www.slingfile.com/file/iKwWO86Nr5
  68.  
  69. The first part of this decompiled code which really stood out was a clear marker that this malware is definately of Chinese origin.  This snippet of code is from the following function  
  70.  
  71.     int autoupdate(char* url_address, char* local_to_file)
  72.  
  73. Code:
  74.  
  75.     L0805FF50( &_v3660, "GET /%s HTTP/1.1
  76.     \nAccept: */*
  77.     \nAccept-Language: zh-cn
  78.     \nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
  79.     \nHost: %s:%d
  80.     \nConnection: Close
  81.     \n
  82.     \n",  &_v2380);
  83.  
  84. The "Accept-Language" of zh-cn represents Traditional Chinese as the desired web browse language. -- http://social.msdn.microsoft.com/Forums/en/netfxbcl/thread/4fe22069-6556-4ce5-a264-edb59d102c85
  85.  
  86. This means the malware in question was most likely programmed by a native speaker of Chinese.  Add to this the fact that the malware is hosted by a fake corporation in China, and that the previous version of this malware also phoned home to the same fake corporation, this all becomes very interesting.
  87.  
  88. Here are a few other function names from this latest version:
  89.  
  90.     copy_myself(const char* name)
  91.     autostart(const char* inser_to_file)
  92.     int SendSevMonitor()
  93.     int SendServerPack()
  94.     GetNetPackets(long long unsigned int* lNetOut, long long unsigned int* lPacketOut)
  95.     int moniter(char* host)
  96.     int udpflood(_Unknown_base* ThreadData)
  97.     int synflood(_Unknown_base* ThreadData)
  98.     int synbigpacket(_Unknown_base* ThreadData)
  99.     int ackflood(_Unknown_base* ThreadData)
  100.     int ackbigpacket(_Unknown_base* ThreadData)
  101.     GetStructureDnsPacket(char* QueryDomain, char* QueryData, int* nQueryData)
  102.     int dnsflood(_Unknown_base* ThreadData)
  103.     int more_ip_dns_test(_Unknown_base* ThreadData)
  104.     int autoupdate(char* url_address, char* local_to_file)
  105.     int get_online_ip(char* domain, char* return_ip)
  106.     int parse_dns_response(char* return_ip)
  107.     parse_dns_name(unsigned char* chunk, unsigned char* ptr, char* out, int* len)
  108.     send_dns_request(const char* dns_name)
  109.     connect_to_server()
  110.  
  111. Make no mistake, this malware is clearly designed to perform reconnaissance on internal networks and disrupt communications when instructed to do so by the command and control server.
  112.  
  113. The malware has self-replication and automatic update capabilities.
  114.  
  115. I find this malware very disturbing.
  116.  
  117. What I find even more distrubing is the fact that since my submission of this malware to antivirus vendors, with the exception of Avira who believes this file is clean, none of the antivirus vendors have completed their analysis.
  118.  
  119. These two pieces of malware seem very professionally crafted with a clear purpose - to serve as a "cyber weapon".
  120. Posted by Ken on 12/30/2011
  121. =============================================
  122. Following the Trail: Determining the Origins of Linux/Bckdr-RKC
  123.  
  124. - http://caffeinesecurity.blogspot.com/2011/12/following-trail-determining-origins-of.html#more
  125. - http://tinyurl.com/Linux-Bckdr-RKC-part-4
  126.  
  127. It is already known that the two Linux/Bckdr-RKC variants I have received have both been hosted by 216.83.44.229.  Furthermore, the first variant had a phone-home address of 216.83.44.226.
  128.  
  129. Both of these IP addresses are registered to the netblock owned by WIRELESS-ALARM.COM (not to be confused with the actual website wireless-alarm.com, which is registered to a different contact completely, and unrelated here).
  130.  
  131. Let's use what we already know to try to find the organization responsible for this malware.
  132.  
  133.  
  134.  
  135. Here is a traceroute I performed several days ago:
  136.  
  137.  
  138. Hop     (ms)    (ms)    (ms)                 IP Address         Host name
  139. 1         0       0       0          206.123.64.154      jbdr2.0.dal.colo4.com  
  140.  
  141. 2         0       0       0          64.124.196.225      xe-4-2-0.er2.dfw2.us.above.net  
  142.  
  143. 3         0       Timed out       0          63.218.23.29        ge5-4.br02.dal01.pccwbtn.net  
  144. 4         214     214     214        63.218.252.86       ge9-39.br03.hkg04.pccwbtn.net  
  145. 5         214     214     258        112.121.160.221      -  
  146. 6         213     213     213        112.121.160.18       -  
  147. 7         218     218     217        112.121.160.198      -  
  148. 8         213     213     212        216.83.44.226        -  
  149.  
  150.  
  151. And here is a traceroute as performed today:
  152.  
  153. TraceRoute to 216.83.44.226
  154.  
  155.  
  156. Hop     (ms)    (ms)    (ms)                 IP Address Host name
  157. 1         12      0       0          206.123.64.154      jbdr2.0.dal.colo4.com  
  158.  
  159. 2         0       0       0          64.124.196.225      xe-4-2-0.er2.dfw2.us.above.net  
  160. 3         0       0       0          63.218.23.29        ge5-4.br02.dal01.pccwbtn.net  
  161. 4         212     212     212        63.218.252.86       ge9-39.br03.hkg04.pccwbtn.net  
  162. 5         Timed out       Timed out       Timed out               -  
  163. 6         Timed out       Timed out       Timed out               -  
  164. 7         Timed out       Timed out       Timed out               -  
  165. 8         Timed out       Timed out       Timed out               -  
  166.  
  167.  
  168. Seems that either the responsible organization has been disconnected from the network by their provider, or they have purposely disconnected themselves to hinder analysis.
  169.  
  170. Starting with 216.83.44.226 and working backwards, let's see who this section of IP addresses is registered to.
  171.  
  172. 216.83.44.0 - 216.83.44.255 is registered to WIRELESS-ALARM.COM
  173.  
  174. OrgName: WIRELESS-ALARM.COM
  175. OrgId: WIREL-46
  176. Address: 3026 Ensley 5 Points W Avenue
  177. City: Birmingham
  178. StateProv: AL
  179. PostalCode: 35208
  180. Country: US
  181. RegDate: 2009-12-30
  182. Updated: 2011-09-24
  183. Ref: http://whois.arin.net/rest/org/WIREL-46
  184.  
  185. OrgAbuseHandle: PQU12-ARIN
  186. OrgAbuseName: Quagliano, Pedro
  187. OrgAbusePhone: +1-877-605-5273
  188. OrgAbuseEmail: pedroquagliano@cyanclouds.com
  189.  
  190. We already know that this is a fake registration, because all of my emails to pedroquagliano@cyanclouds.com were returned as non-deliverable due to DNS failures. That means cyanclouds.com is not an active domain.
  191.  
  192. Lets go up a level in IP address ownership.
  193.  
  194.  
  195. 216.83.32.0 - 216.83.63.255 is owned by Ether.Net LLC.
  196.  
  197. network:Class-Name:network
  198. network:ID:216.83.32.0/20
  199. network:Auth-Area:216.83.32.0/20
  200. network:Network-Name:ETHRN-216-83-46-0
  201. network:IP-Network:216.83.46.0/24
  202. network:IP-Network-Block:216.83.46.0 - 216.83.46.255
  203. network:Org-Name:InfoMove Hong Kong Limited.
  204. network:Street-Address:Unit 2001, 20/F, New Tech Plaza, 8 Tai Yau Street
  205. network:City:San Po Kong
  206. network:State:HK
  207. network:Country-Code:HK
  208.  
  209. Ether.NET appears to be a legitimate business operating in Hong Kong.
  210.  
  211. They have been around for many years. They have an AIM for support which I was able to trace back to 2003 posting on web hosting support forums. Doubtful that they're involved, so let's shift out focus elsewhere.
  212.  
  213.  
  214. Going back to the IP range owned by WIRELESS-ALARM.COM, 216.83.44.0 - 216.83.44.255, lets look at what else is hosted there.
  215.  
  216. From http://bgp.he.net/net/216.83.44.0/24#_dns as of 12/31/2011 6:21 PST
  217.  
  218. IP      PTR     A
  219. 216.83.44.31    mail.bostonyarn.com    
  220. 216.83.44.54    fold.bronxbreakfast.com        
  221. 216.83.44.113   prn.iselinnotebook.com  
  222. 216.83.44.115   joplinyear.com  
  223. 216.83.44.116   mail.joplinyear.com    
  224. 216.83.44.189   proe.northandoverschool.com    
  225. 216.83.44.191   northbendlearning.com  
  226. 216.83.44.202   wink.norwellobservation.com    
  227. 216.83.44.204   mail.philadelphiafather.com     e8lvbet.com, i3mic.com
  228. 216.83.44.221   copy.southplainfieldfeet.com    
  229. 216.83.44.2    
  230.         ns1.cyanclouds.com
  231. 216.83.44.3    
  232.         ns2.cyanclouds.com
  233. 216.83.44.10    
  234.         22073.com
  235. 216.83.44.18    
  236.         int-pe.com, interush-pe.com
  237. 216.83.44.19    
  238.         oll365.com
  239. 216.83.44.42    
  240.         centrinofund.com, cf-pe.com
  241. 216.83.44.44    
  242.         games456.us, gamt465.com, gmae456.info
  243. 216.83.44.45    
  244.         com-com-com-com-com.com
  245. 216.83.44.46    
  246.         111i.net, 23u9.com, 55-com.com, gamex6.com, llgame.net, org2.net
  247. 216.83.44.66    
  248.         bmp79.com
  249. 216.83.44.67    
  250.         app67.com, apt67.com, bbv78.com, bul79.com, ddc77.com, ght33.com, jjt55.com, jpg77.com, kky55.com, mmx88.com, rtr66.com, sta78.com, tgg33.com, uub33.com, vbo33.com, vvx45.com
  251. 216.83.44.68    
  252.         aaz33.com, ccx89.com, ygk77.com
  253. 216.83.44.69    
  254.         abo34.com, bmn99.com, ccx66.com, ese55.com, ffs234.com, jsa52.com, kbx33.com, kut99.com, kyy78.com, myb78.com, nnc99.com, rka77.com, ssx69.com, ttx77.com, tvn66.com, wsd22.com
  255. 216.83.44.70    
  256.         kgb69.com
  257. 216.83.44.82    
  258.         66hw.net, hk888.net
  259. 216.83.44.90    
  260.         clubwptasia.com, haedongcheong.com, oce365.com, openrace24.com
  261. 216.83.44.99    
  262.         ylg886.com
  263. 216.83.44.122  
  264.         hg1138.com
  265. 216.83.44.123  
  266.         fh636.com, hg3968.com, hk638.com, yh372.com
  267. 216.83.44.131  
  268.         hg0608.com, hg1918.com, hg4568.com, hg9168.com, hg9338.com
  269. 216.83.44.132  
  270.         hg7678.com
  271. 216.83.44.154  
  272.         sc93.com
  273. 216.83.44.155  
  274.         tv105.com
  275. 216.83.44.156  
  276.         duooo.com
  277. 216.83.44.157  
  278.         bbsveb.com
  279. 216.83.44.163  
  280.         1999829.com, 3771mm.info, 911meinv.info, mytaojia.com, qgxinxi.info, taaobbao.com, wawachina.info, yayaqq.info
  281. 216.83.44.164  
  282.         360meinv.info, 920meinv.com, 999taobao.com, kissbye.info, tabaserver.com
  283. 216.83.44.165  
  284.         265gc.com
  285. 216.83.44.166  
  286.         439995.com
  287. 216.83.44.186  
  288.         03hz.com, 18018.com
  289. 216.83.44.194  
  290.         ckk67.com, fta79.com, jkj88.com, ktm77.com, ktm99.com, mou79.com, nvb89.com, pub79.com, ssr999.com, ssx778.com, tot66.com, tut88.com, utp79.com, vub99.com, xxr44.com, yyc33.com
  291. 216.83.44.195  
  292.         aki77.com, amu77.com, arp77.com, arv99.com, avc77.com, eed69.com, gje88.com, mmb77.com, mpo77.com, tup77.com, vcd79.com
  293. 216.83.44.197  
  294.         vvz69.com
  295. 216.83.44.218  
  296.         hg0035.com, hg1090.com
  297. 216.83.44.219  
  298.         hg1095.com, hg8869.com
  299. 216.83.44.228  
  300.         lcddos.com
  301. 216.83.44.229  
  302.         todayg.com, xy100000.com
  303. 216.83.44.243  
  304.         hg0091.com, hg0093.com, hg0094.com
  305. 216.83.44.245  
  306.         hg0092.com
  307. 216.83.44.250  
  308.         tt95588.com
  309.  
  310.  
  311. Hmm, remember the registration for WIRELESS-ALARM.COM?
  312. The email address pointed at cyancoulds.com... and the DNS servers for cyanclouds.com happen to be hosted in the same netblock. Could it be cyanclouds.com is also being controlled by the responsible organization?
  313.  
  314. So let's lookup the contact info for cyanclouds.com...
  315.  
  316. Domain Name: CYANCLOUDS.COM
  317. Registrar: DIRECTNIC, LTD
  318. Whois Server: whois.directnic.com
  319. Referral URL: http://www.directnic.com
  320. Name Server: NS1.CYANCLOUDS.COM
  321. Name Server: NS2.CYANCLOUDS.COM
  322. Status: clientDeleteProhibited
  323. Status: clientTransferProhibited
  324. Status: clientUpdateProhibited
  325. Updated Date: 31-jan-2011
  326. Creation Date: 03-mar-2009
  327. Expiration Date: 03-mar-2012
  328.  
  329. Registrant:
  330. Good Names Network
  331. 342 Broadway
  332. New York, NY 10013
  333. US
  334. 212-555-1212
  335.  
  336.  
  337. Domain Name: CYANCLOUDS.COM
  338.  
  339. Administrative Contact:
  340. Operations, Network goodnames@yahoo.com
  341. 342 Broadway
  342. New York, NY 10013
  343. US
  344. 212-555-1212
  345.  
  346.  
  347. Technical Contact:
  348. Operations, Network goodnames@yahoo.com
  349. 342 Broadway
  350. New York, NY 10013
  351. US
  352. 212-555-1212
  353.  
  354.  
  355. It looks like cyanclouds.com is registered by "proxy" through another company called the "Good Names Network". But wait...is this company real either?
  356.  
  357. 212-555-1212 will simply give you directory assistance for the 212 area code. (New York)
  358.  
  359. 342 Broadway is actually a UPS Store which offers mailbox services...so this could be anyone.
  360.  
  361. So, another dead end?  This malware which has definite Chinese origins also has a link to an anonymous business New York.
  362.  
  363. This is where I'd like to point out the marvels of Google.  Specifically Google Street View.
  364.  
  365. Without Google Street View, we would never have known that next to this UPS Store at 344 Broadway is a shop called "Broadway Cleaners".  A quick Google search shows that Broadway Cleaners is actually owned by someone at 95 Worth Street, which happens to be in Chinatown.
  366.  
  367. Please note that this is absolutely speculation, and that there is no proof whatsoever anyone at Broadway Cleaners has anything to do with this.  However, the fact that the malware has definite ties to China, and the fact that the proxy company used to register WIRELESS-ALARM.COM's IP block is right next door to a business originating in Chinatown, is a very interesting coincidence.
  368.  
  369. Unfortunately this is where the trail goes cold.
  370.  
  371. This search for the origin of this malware has possibly raised more questions than provided answers.  But one thing is for certain - the network framework for this malware has definitely been in place for some time.  WIRELESS-ALARM.COM's IP block as well as cyanclouds.com have been registered since 2009.  This is not the work of a "fly-by-night" script kiddy.  Careful planning has been taken to not only develop this malware, but also to establish the hosting this malware would be using - and hide its true origins.
  372. Posted by Ken on 12/31/2011
  373. =============================================
  374. Caffeine Security @Twitter:
  375. - https://twitter.com/CaffSec
  376. =============================================