ELF Malware Analysis

MalwareMustDie, Mar 19th, 2014
# MalwareMustDie!!  Analysis of ELF Malware.
$ whoami; date
unixfreaxjp
Wed Mar 19 21:15:54 JST 2014

filename: Host.out
-rwxr--r--  1 xxx xxx  56200 Mar 19 18:51 ./Host.out*
Hash:
   MD5 43adeb1ab71fae57b1993b51a6a8465b
   SHA1 8bb226c54708599b2b0a9a933acc7b2f98648897
   SHA256 a07821d1b6471a6f0d0587089635c2de27df22f041605ee5e6b2420af3a6675e
VT (1/50): https://www.virustotal.com/en/file/a07821d1b6471a6f0d0587089635c2de27df22f041605ee5e6b2420af3a6675e/analysis/

On:
$ uname -a
FreeBSD unixfreaxjp 9.1-RELEASE-p5 FreeBSD 9.1-RELEASE-p5 #0: Sat Jul 27 01:01:40 UTC 2013

=================
STATIC
=================

./Host.out: ELF 32-bit LSB executable,
Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs),
BuildID[sha1]=0x6a4deb59e2dafed21178a06a3344e755a24c81ba, stripped
$

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8049dcb
  Start of program headers:          52 (bytes into file)
  Start of section headers:          55360 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         9
  Size of section headers:           40 (bytes)
  Number of section headers:         21
  Section header string table index: 20

00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  cb 9d 04 08 34 00 00 00  |............4...|
00000020  40 d8 00 00 00 00 00 00  34 00 20 00 09 00 28 00  |@.......4. ...(.|
00000030  15 00 14 00 06 00 00 00  34 00 00 00 34 80 04 08  |........4...4...|
00000040  34 80 04 08 20 01 00 00  20 01 00 00 05 00 00 00  |4... ... .......|
00000050  04 00 00 00 03 00 00 00  54 01 00 00 54 81 04 08  |........T...T...|
00000060  54 81 04 08 13 00 00 00  13 00 00 00 04 00 00 00  |T...............|
00000070  01 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |................|
00000080  00 80 04 08 78 c8 00 00  78 c8 00 00 05 00 00 00  |....x...x.......|
00000090  00 10 00 00 01 00 00 00  3c cf 00 00 3c 5f 05 08  |........<...<_..|
000000a0  3c 5f 05 08 fc 07 00 00  64 53 00 00 06 00 00 00  |<_......dS......|
000000b0  00 10 00 00 02 00 00 00  3c cf 00 00 3c 5f 05 08  |........<...<_..|
000000c0  3c 5f 05 08 b8 00 00 00  b8 00 00 00 06 00 00 00  |<_..............|
000000d0  04 00 00 00 04 00 00 00  68 01 00 00 68 81 04 08  |........h...h...|
000000e0  68 81 04 08 24 00 00 00  24 00 00 00 04 00 00 00  |h...$...$.......|
000000f0  04 00 00 00 50 e5 74 64  28 c8 00 00 28 48 05 08  |....P.td(...(H..|
00000100 [...]


There are 21 section headers, starting at offset 0xd840:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048154 000154 000013 00   A  0   0  1
  [ 2] .note.gnu.build-i NOTE            08048168 000168 000024 00   A  0   0  4
  [ 3] .hash             HASH            0804818c 00018c 000238 04   A  5   0  4
  [ 4] .gnu.hash         GNU_HASH        080483c4 0003c4 000018 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          080483dc 0003dc 000490 10   A  6   1  4
  [ 6] .dynstr           STRTAB          0804886c 00086c 000251 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          08048abe 000abe 000092 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         08048b50 000b50 000090 00   A  6   3  4
  [ 9] .rel.plt          REL             08048be0 000be0 000240 08   A  5  10  4
  [10] .plt              PROGBITS        08048e20 000e20 000490 04  AX  0   0 16
  [11] .text             PROGBITS        080492b0 0012b0 00aa32 00  AX  0   0 16
  [12] .rodata           PROGBITS        08053ce8 00bce8 000b3e 00   A  0   0  8
  [13] .eh_frame_hdr     PROGBITS        08054828 00c828 000014 00   A  0   0  4
  [14] .eh_frame         PROGBITS        0805483c 00c83c 00003c 00   A  0   0  4
  [15] .dynamic          DYNAMIC         08055f3c 00cf3c 0000b8 08  WA  6   0  4
  [16] .got.plt          PROGBITS        08055ff4 00cff4 00012c 04  WA  0   0  4
  [17] .data             PROGBITS        08056120 00d120 000618 00  WA  0   0  4
  [18] .bss              NOBITS          08056738 00d738 004b68 00  WA  0   0  4
  [19] .comment          PROGBITS        00000000 00d738 000056 01  MS  0   0  1
  [20] .shstrtab         STRTAB          00000000 00d78e 0000b1 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

Relocation section '.rel.plt' at offset 0xbe0
contains 72 entries (the 20 "AGGRESSIVE" ones are marked with <=====):

Offset     Info    Type            Sym.Value  Sym. Name
08056000  00000107 R_386_JUMP_SLOT   00000000   setsockopt
08056004  00000207 R_386_JUMP_SLOT   00000000   pthread_mutex_unlock
08056008  00000307 R_386_JUMP_SLOT   00000000   read
0805600c  00000407 R_386_JUMP_SLOT   00000000   getpwuid
08056010  00000507 R_386_JUMP_SLOT   00000000   dup
08056014  00000607 R_386_JUMP_SLOT   00000000   free
08056018  00000707 R_386_JUMP_SLOT   00000000   fgets
0805601c  00000807 R_386_JUMP_SLOT   00000000   fclose
08056020  00000907 R_386_JUMP_SLOT   00000000   rmdir
08056024  00000a07 R_386_JUMP_SLOT   00000000   time
08056028  00000b07 R_386_JUMP_SLOT   00000000   select
0805602c  00000c07 R_386_JUMP_SLOT   00000000   chdir
08056030  00000d07 R_386_JUMP_SLOT   00000000   endutxent
08056034  00000e07 R_386_JUMP_SLOT   00000000   execlp
08056038  00000f07 R_386_JUMP_SLOT   00000000   dlclose
0805603c  00001007 R_386_JUMP_SLOT   00000000   sysconf
08056040  00001107 R_386_JUMP_SLOT   00000000   geteuid
08056044  00001207 R_386_JUMP_SLOT   00000000   pthread_mutex_lock
08056048  00001307 R_386_JUMP_SLOT   00000000   unlink
0805604c  00001407 R_386_JUMP_SLOT   00000000   readlink
08056050  00001507 R_386_JUMP_SLOT   00000000   fseek
08056054  00001607 R_386_JUMP_SLOT   00000000   __xstat
08056058  00001707 R_386_JUMP_SLOT   00000000   fwrite
0805605c  00001807 R_386_JUMP_SLOT   00000000   waitpid
08056060  00001907 R_386_JUMP_SLOT   00000000   usleep
08056064  00001a07 R_386_JUMP_SLOT   00000000   fread
08056068  00001b07 R_386_JUMP_SLOT   00000000   getpid
0805606c  00001c07 R_386_JUMP_SLOT   00000000   gethostname  <=====
08056070  00001d07 R_386_JUMP_SLOT   00000000   getenv   <=====
08056074  00001e07 R_386_JUMP_SLOT   00000000   realloc
08056078  00001f07 R_386_JUMP_SLOT   00000000   malloc
0805607c  00002007 R_386_JUMP_SLOT   00000000   sysinfo  <=====
08056080  00002107 R_386_JUMP_SLOT   00000000   getutxent  <=====
08056084  00002207 R_386_JUMP_SLOT   00000000   exit
08056088  00002307 R_386_JUMP_SLOT   00000000   kill   <=====
0805608c  00002407 R_386_JUMP_SLOT   00000000   open
08056090  00002507 R_386_JUMP_SLOT   00000000   setsid   <=====
08056094  00002607 R_386_JUMP_SLOT   00000000   localtime  <=====
08056098  00002707 R_386_JUMP_SLOT   00000000   rename  <=====
0805609c  00002807 R_386_JUMP_SLOT   00000000   write  <=====
080560a0  00002907 R_386_JUMP_SLOT   00000000   execv  <=====
080560a4  00002a07 R_386_JUMP_SLOT   00000000   fcntl
080560a8  00002b07 R_386_JUMP_SLOT   00000000   dlsym
080560ac  00002c07 R_386_JUMP_SLOT   00000000   ftell
080560b0  00002d07 R_386_JUMP_SLOT   00000000   fopen
080560b4  00002e07 R_386_JUMP_SLOT   00000000   gmtime
080560b8  00002f07 R_386_JUMP_SLOT   00000000   mkdir
080560bc  00003007 R_386_JUMP_SLOT   00000000   snprintf
080560c0  00003107 R_386_JUMP_SLOT   00000000   __errno_location
080560c4  00003207 R_386_JUMP_SLOT   00000000   asprintf
080560c8  00003307 R_386_JUMP_SLOT   00000000   ldiv
080560cc  00003407 R_386_JUMP_SLOT   00000000   pipe
080560d0  00003507 R_386_JUMP_SLOT   00000000   access
080560d4  00003607 R_386_JUMP_SLOT   00000000   fork
080560d8  00003707 R_386_JUMP_SLOT   00000000   readdir
080560dc  00003807 R_386_JUMP_SLOT   00000000   sscanf  <=====
080560e0  00003907 R_386_JUMP_SLOT   00000000   gmtime_r
080560e4  00003a07 R_386_JUMP_SLOT   00000000   setutxent  <=====
080560e8  00003b07 R_386_JUMP_SLOT   00000000   dlopen
080560ec  00003c07 R_386_JUMP_SLOT   00000000   socket
080560f0  00003d07 R_386_JUMP_SLOT   00000000   pthread_create
080560f4  00003e07 R_386_JUMP_SLOT   00000000   __lxstat
080560f8  00003f07 R_386_JUMP_SLOT   00000000   chmod  <=====
080560fc  00004007 R_386_JUMP_SLOT   00000000   umask
08056100  00004107 R_386_JUMP_SLOT   00000000   gethostbyname  <=====
08056104  00004207 R_386_JUMP_SLOT   00000000   shutdown  <=====
08056108  00004307 R_386_JUMP_SLOT   00000000   connect  <=====
0805610c  00004407 R_386_JUMP_SLOT   00000000   recv  <=====
08056110  00004507 R_386_JUMP_SLOT   00000000   close  <=====
08056114  00004607 R_386_JUMP_SLOT   00000000   closedir  <=====
08056118  00004707 R_386_JUMP_SLOT   00000000   opendir
0805611c  00004807 R_386_JUMP_SLOT   00000000   send  <=====

Elf file type is EXEC (Executable file)
Entry point 0x8049dcb
There are 9 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00120 0x00120 R E 0x4
  INTERP         0x000154 0x08048154 0x08048154 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x0c878 0x0c878 R E 0x1000
  LOAD           0x00cf3c 0x08055f3c 0x08055f3c 0x007fc 0x05364 RW  0x1000
  DYNAMIC        0x00cf3c 0x08055f3c 0x08055f3c 0x000b8 0x000b8 RW  0x4
  NOTE           0x000168 0x08048168 0x08048168 0x00024 0x00024 R   0x4
  GNU_EH_FRAME   0x00c828 0x08054828 0x08054828 0x00014 0x00014 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x00cf3c 0x08055f3c 0x08055f3c 0x000c4 0x000c4 R   0x1

Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.gnu.build-id .hash .gnu.hash .dynsym .dynstr .gnu.version
          .gnu.version_r .rel.plt .plt .text .rodata .eh_frame_hdr .eh_frame
   03     .dynamic .got.plt .data .bss
   04     .dynamic
   05     .note.gnu.build-id
   06     .eh_frame_hdr
   07
   08     .dynamic

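As an added example (not part of the original paste or the analyst's tooling), the following stdlib-only Python parses the raw bytes from the hexdump above and reproduces the readelf fields: the ELF header, then every program header that is fully contained in the 256 bytes shown (six of the nine). The byte string is transcribed from the page's hexdump; everything else is an assumption of this example.

```python
import struct
from typing import Dict, List

# Constructed input: the first 256 bytes of Host.out, transcribed row by row
# from the hexdump in the STATIC section (one string per 16-byte row).
HOST_OUT_HEAD = bytes.fromhex(
    "7f454c46010101000000000000000000"
    "0200030001000000cb9d040834000000"
    "40d80000000000003400200009002800"
    "15001400060000003400000034800408"
    "34800408200100002001000005000000"
    "04000000030000005401000054810408"
    "54810408130000001300000004000000"
    "01000000010000000000000000800408"
    "0080040878c8000078c8000005000000"
    "00100000010000003ccf00003c5f0508"
    "3c5f0508fc0700006453000006000000"
    "00100000020000003ccf00003c5f0508"
    "3c5f0508b8000000b800000006000000"
    "04000000040000006801000068810408"
    "68810408240000002400000004000000"
    "0400000050e5746428c8000028480508"
)

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1
PT_NAMES = {0: "NULL", 1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR",
            0x6474E550: "GNU_EH_FRAME", 0x6474E551: "GNU_STACK", 0x6474E552: "GNU_RELRO"}

# Elf32_Ehdr after the 16-byte e_ident: e_type .. e_shstrndx (36 bytes, little endian).
EHDR_FMT = "<HHIIIIIHHHHHH"
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")
# Elf32_Phdr (32 bytes).
PHDR_FMT = "<IIIIIIII"
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr",
               "p_filesz", "p_memsz", "p_flags", "p_align")


def parse_ehdr(data: bytes) -> Dict[str, int]:
    """Parse an ELF32 little-endian header and reject anything else."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF32 LSB is handled here")
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, 16)))
    if hdr["e_ehsize"] != 52 or hdr["e_phentsize"] != 32:
        raise ValueError("unexpected ELF32 header sizes")
    return hdr


def parse_phdrs(data: bytes, hdr: Dict[str, int]) -> List[Dict[str, int]]:
    """Return the program headers fully contained in `data`.  A truncated
    capture (like the 256-byte dump here) yields fewer than e_phnum entries;
    compare len(result) with hdr["e_phnum"] to see how many were cut off."""
    out = []
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        if off + 32 > len(data):
            break
        out.append(dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, off))))
    return out


def flags_str(p_flags: int) -> str:
    """Render p_flags the way readelf does ("R E", "RW ")."""
    return "".join(c if p_flags & bit else " " for c, bit in (("R", 4), ("W", 2), ("E", 1)))


def triage(data: bytes) -> Dict[str, object]:
    """Header-only triage: entry point, whether an interpreter is requested
    (dynamically linked), and whether any segment is mapped writable+executable."""
    hdr = parse_ehdr(data)
    phdrs = parse_phdrs(data, hdr)
    return {
        "entry": hdr["e_entry"],
        "phnum": hdr["e_phnum"],
        "parsed": len(phdrs),
        "dynamic": any(p["p_type"] == 3 for p in phdrs),
        "wx_segments": sum(1 for p in phdrs if p["p_flags"] & 3 == 3),
        "types": [PT_NAMES.get(p["p_type"], hex(p["p_type"])) for p in phdrs],
    }


if __name__ == "__main__":
    h = parse_ehdr(HOST_OUT_HEAD)
    print(f"Entry point 0x{h['e_entry']:x}, {h['e_phnum']} program headers at offset {h['e_phoff']}")
    print("  Type           Offset   VirtAddr   FileSiz MemSiz  Flg Align")
    for p in parse_phdrs(HOST_OUT_HEAD, h):
        print(f"  {PT_NAMES.get(p['p_type'], hex(p['p_type'])):<14} 0x{p['p_offset']:06x} "
              f"0x{p['p_vaddr']:08x} 0x{p['p_filesz']:05x} 0x{p['p_memsz']:05x} "
              f"{flags_str(p['p_flags'])} 0x{p['p_align']:x}")
    print(triage(HOST_OUT_HEAD))
```

The GNU_EH_FRAME entry starts at file offset 0xf4 and is cut off by the dump, so `parsed` comes back as 6 against an `e_phnum` of 9; on the full file the two counts match.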
Dynamic section at offset 0xcf3c contains 18 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libdl.so.2]
 0x00000001 (NEEDED)                     Shared library: [libpthread.so.0]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x00000004 (HASH)                       0x804818c
 0x6ffffef5 (GNU_HASH)                   0x80483c4
 0x00000005 (STRTAB)                     0x804886c
 0x00000006 (SYMTAB)                     0x80483dc
 0x0000000a (STRSZ)                      593 (bytes)
 0x0000000b (SYMENT)                     16 (bytes)
 0x00000015 (DEBUG)                      0x0
 0x00000003 (PLTGOT)                     0x8055ff4
 0x00000002 (PLTRELSZ)                   576 (bytes)
 0x00000014 (PLTREL)                     REL
 0x00000017 (JMPREL)                     0x8048be0
 0x6ffffffe (VERNEED)                    0x8048b50
 0x6fffffff (VERNEEDNUM)                 3
 0x6ffffff0 (VERSYM)                     0x8048abe
 0x00000000 (NULL)                       0x0

Symbol table '.dynsym' contains 73 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND setsockopt@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND pthread_mutex_unlock@GLIBC_2.0 (3)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND read@GLIBC_2.0 (3)
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND getpwuid@GLIBC_2.0 (2)
     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND dup@GLIBC_2.0 (2)
     6: 00000000     0 FUNC    GLOBAL DEFAULT  UND free@GLIBC_2.0 (2)
     7: 00000000     0 FUNC    GLOBAL DEFAULT  UND fgets@GLIBC_2.0 (2)
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND fclose@GLIBC_2.1 (4)
     9: 00000000     0 FUNC    GLOBAL DEFAULT  UND rmdir@GLIBC_2.0 (2)
    10: 00000000     0 FUNC    GLOBAL DEFAULT  UND time@GLIBC_2.0 (2)
    11: 00000000     0 FUNC    GLOBAL DEFAULT  UND select@GLIBC_2.0 (2)
    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND chdir@GLIBC_2.0 (2)
    13: 00000000     0 FUNC    GLOBAL DEFAULT  UND endutxent@GLIBC_2.1 (4)
    14: 00000000     0 FUNC    GLOBAL DEFAULT  UND execlp@GLIBC_2.0 (2)
    15: 00000000     0 FUNC    GLOBAL DEFAULT  UND dlclose@GLIBC_2.0 (5)
    16: 00000000     0 FUNC    GLOBAL DEFAULT  UND sysconf@GLIBC_2.0 (2)
    17: 00000000     0 FUNC    GLOBAL DEFAULT  UND geteuid@GLIBC_2.0 (2)
    18: 00000000     0 FUNC    GLOBAL DEFAULT  UND pthread_mutex_lock@GLIBC_2.0 (3)
    19: 00000000     0 FUNC    GLOBAL DEFAULT  UND unlink@GLIBC_2.0 (2)
    20: 00000000     0 FUNC    GLOBAL DEFAULT  UND readlink@GLIBC_2.0 (2)
    21: 00000000     0 FUNC    GLOBAL DEFAULT  UND fseek@GLIBC_2.0 (2)
    22: 00000000     0 FUNC    GLOBAL DEFAULT  UND __xstat@GLIBC_2.0 (2)
    23: 00000000     0 FUNC    GLOBAL DEFAULT  UND fwrite@GLIBC_2.0 (2)
    24: 00000000     0 FUNC    GLOBAL DEFAULT  UND waitpid@GLIBC_2.0 (3)
    25: 00000000     0 FUNC    GLOBAL DEFAULT  UND usleep@GLIBC_2.0 (2)
    26: 00000000     0 FUNC    GLOBAL DEFAULT  UND fread@GLIBC_2.0 (2)
    27: 00000000     0 FUNC    GLOBAL DEFAULT  UND getpid@GLIBC_2.0 (2)
    28: 00000000     0 FUNC    GLOBAL DEFAULT  UND gethostname@GLIBC_2.0 (2)
    29: 00000000     0 FUNC    GLOBAL DEFAULT  UND getenv@GLIBC_2.0 (2)
    30: 00000000     0 FUNC    GLOBAL DEFAULT  UND realloc@GLIBC_2.0 (2)
    31: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.0 (2)
    32: 00000000     0 FUNC    GLOBAL DEFAULT  UND sysinfo@GLIBC_2.0 (2)
    33: 00000000     0 FUNC    GLOBAL DEFAULT  UND getutxent@GLIBC_2.1 (4)
    34: 00000000     0 FUNC    GLOBAL DEFAULT  UND exit@GLIBC_2.0 (2)
    35: 00000000     0 FUNC    GLOBAL DEFAULT  UND kill@GLIBC_2.0 (2)
    36: 00000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.0 (3)
    37: 00000000     0 FUNC    GLOBAL DEFAULT  UND setsid@GLIBC_2.0 (2)
    38: 00000000     0 FUNC    GLOBAL DEFAULT  UND localtime@GLIBC_2.0 (2)
    39: 00000000     0 FUNC    GLOBAL DEFAULT  UND rename@GLIBC_2.0 (2)
    40: 00000000     0 FUNC    GLOBAL DEFAULT  UND write@GLIBC_2.0 (3)
    41: 00000000     0 FUNC    GLOBAL DEFAULT  UND execv@GLIBC_2.0 (2)
    42: 00000000     0 FUNC    GLOBAL DEFAULT  UND fcntl@GLIBC_2.0 (3)
    43: 00000000     0 FUNC    GLOBAL DEFAULT  UND dlsym@GLIBC_2.0 (5)
    44: 00000000     0 FUNC    GLOBAL DEFAULT  UND ftell@GLIBC_2.0 (2)
    45: 00000000     0 FUNC    GLOBAL DEFAULT  UND fopen@GLIBC_2.1 (4)
    46: 00000000     0 FUNC    GLOBAL DEFAULT  UND gmtime@GLIBC_2.0 (2)
    47: 00000000     0 FUNC    GLOBAL DEFAULT  UND mkdir@GLIBC_2.0 (2)
    48: 00000000     0 FUNC    GLOBAL DEFAULT  UND snprintf@GLIBC_2.0 (2)
    49: 00000000     0 FUNC    GLOBAL DEFAULT  UND __errno_location@GLIBC_2.0 (3)
    50: 00000000     0 FUNC    GLOBAL DEFAULT  UND asprintf@GLIBC_2.0 (2)
    51: 00000000     0 FUNC    GLOBAL DEFAULT  UND ldiv@GLIBC_2.0 (2)
    52: 00000000     0 FUNC    GLOBAL DEFAULT  UND pipe@GLIBC_2.0 (2)
    53: 00000000     0 FUNC    GLOBAL DEFAULT  UND access@GLIBC_2.0 (2)
    54: 00000000     0 FUNC    GLOBAL DEFAULT  UND fork@GLIBC_2.0 (3)
    55: 00000000     0 FUNC    GLOBAL DEFAULT  UND readdir@GLIBC_2.0 (2)
    56: 00000000     0 FUNC    GLOBAL DEFAULT  UND sscanf@GLIBC_2.0 (2)
    57: 00000000     0 FUNC    GLOBAL DEFAULT  UND gmtime_r@GLIBC_2.0 (2)
    58: 00000000     0 FUNC    GLOBAL DEFAULT  UND setutxent@GLIBC_2.1 (4)
    59: 00000000     0 FUNC    GLOBAL DEFAULT  UND dlopen@GLIBC_2.1 (6)
    60: 00000000     0 FUNC    GLOBAL DEFAULT  UND socket@GLIBC_2.0 (2)
    61: 00000000     0 FUNC    GLOBAL DEFAULT  UND pthread_create@GLIBC_2.1 (7)
    62: 00000000     0 FUNC    GLOBAL DEFAULT  UND __lxstat@GLIBC_2.0 (2)
    63: 00000000     0 FUNC    GLOBAL DEFAULT  UND chmod@GLIBC_2.0 (2)
    64: 00000000     0 FUNC    GLOBAL DEFAULT  UND umask@GLIBC_2.0 (2)
    65: 00000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname@GLIBC_2.0 (2)
    66: 00000000     0 FUNC    GLOBAL DEFAULT  UND shutdown@GLIBC_2.0 (2)
    67: 00000000     0 FUNC    GLOBAL DEFAULT  UND connect@GLIBC_2.0 (3)
    68: 00000000     0 FUNC    GLOBAL DEFAULT  UND recv@GLIBC_2.0 (3)
    69: 00000000     0 FUNC    GLOBAL DEFAULT  UND close@GLIBC_2.0 (3)
    70: 00000000     0 FUNC    GLOBAL DEFAULT  UND closedir@GLIBC_2.0 (2)
    71: 00000000     0 FUNC    GLOBAL DEFAULT  UND opendir@GLIBC_2.0 (2)
    72: 00000000     0 FUNC    GLOBAL DEFAULT  UND send@GLIBC_2.0 (3)

Version needs section '.gnu.version_r' contains 3 entries:
 Addr: 0x0000000008048b50  Offset: 0x000b50  Link to section: 6 (.dynstr)
  000000: Version: 1  File: libdl.so.2  Cnt: 2
  0x0010:   Name: GLIBC_2.1  Flags: none  Version: 6
  0x0020:   Name: GLIBC_2.0  Flags: none  Version: 5
  0x0030: Version: 1  File: libpthread.so.0  Cnt: 2
  0x0040:   Name: GLIBC_2.1  Flags: none  Version: 7
  0x0050:   Name: GLIBC_2.0  Flags: none  Version: 3
  0x0060: Version: 1  File: libc.so.6  Cnt: 2
  0x0070:   Name: GLIBC_2.1  Flags: none  Version: 4
  0x0080:   Name: GLIBC_2.0  Flags: none  Version: 2

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .interp       00000013  08048154  08048154  00000154  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .note.gnu.build-id 00000024  08048168  08048168  00000168  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .hash         00000238  0804818c  0804818c  0000018c  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .gnu.hash     00000018  080483c4  080483c4  000003c4  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynsym       00000490  080483dc  080483dc  000003dc  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynstr       00000251  0804886c  0804886c  0000086c  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .gnu.version  00000092  08048abe  08048abe  00000abe  2**1
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .gnu.version_r 00000090  08048b50  08048b50  00000b50  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .rel.plt      00000240  08048be0  08048be0  00000be0  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .plt          00000490  08048e20  08048e20  00000e20  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 10 .text         0000aa32  080492b0  080492b0  000012b0  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 .rodata       00000b3e  08053ce8  08053ce8  0000bce8  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 12 .eh_frame_hdr 00000014  08054828  08054828  0000c828  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 13 .eh_frame     0000003c  0805483c  0805483c  0000c83c  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .dynamic      000000b8  08055f3c  08055f3c  0000cf3c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 15 .got.plt      0000012c  08055ff4  08055ff4  0000cff4  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .data         00000618  08056120  08056120  0000d120  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 17 .bss          00004b68  08056738  08056738  0000d738  2**2
                  ALLOC
 18 .comment      00000056  00000000  00000000  0000d738  2**0
                  CONTENTS, READONLY

=================
HEURISTIC
=================

$ suspicious_strings sample:


// Backconnect....

FCONNECT %s:%d HTTP/1.0
200 OK
%s%s
%.2d/%.2d/%d %.2d:%.2d:%.2d
%llu
%s/%s
http://%s%s
GET %s HTTP/1.1
Host: %s
Connection: close

// Shell

/proc/%i/exe
/proc/self/cmdline

// Credentials grabber...

%s/.opera/wand.dat    // Opera
%s/.purple/accounts.xml
<protocol>
%d%s
<name>
<password>

%s/.config/google-chrome/Default/Login Data // Chrome
%s/.config/chromium/Default/Login Data

Path=firefox*     // Mozilla
thunderbird*
libmozsqlite3.so
select *  from moz_logins
%c%s
%s/.mozilla/firefox/profiles.ini
%s/.mozilla/firefox/%s
%s/.thunderbird/profiles.ini
%s/.thunderbird/%s
%s/.mozilla/seamonkey/profiles.ini
%s/.mozilla/seamonkey/%s

// Noted: loads sqlite (libsqlite3 / libmozsqlite3) at runtime to read the Mozilla logins database:

libsqlite3.so
libmozsqlite3.so
%s/signons.sqlite
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text

// Autostart...

%s/.config/autostart/%s.desktop
/tmp/.%s
-m %s
%s/.config/autostart
%s/%s.desktop
[Desktop Entry]
Type=Application
Exec="%s"
Hidden=false
Name=%s

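The autostart template above is what a defender can hunt for on disk. As an added example (not from the original paste), the following Python audits one `.desktop` entry and returns why it looks like the one this sample writes; the heuristics (Exec outside system prefixes, a dot-prefixed executable, a `/tmp` path, a Name that merely echoes the executable) and the filled-in sample entries are assumptions of this example.

```python
import configparser
import posixpath
from typing import List

# Constructed sample: the page's Autostart template with its %s placeholders
# filled in the way a dropper using "/tmp/.%s" would fill them.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Exec="/tmp/.xsession"
Hidden=false
Name=xsession
"""

# Constructed benign entry for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Exec=/usr/bin/nm-applet
Name=Network
"""

SYSTEM_PREFIXES = ("/usr/", "/bin/", "/opt/", "/snap/")


def audit_autostart_entry(text: str) -> List[str]:
    """Return the reasons an autostart .desktop entry looks like this sample's
    persistence, or an empty list if none of the heuristics fire."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return ["no [Desktop Entry] section"]
    entry = cp["Desktop Entry"]
    reasons: List[str] = []
    # Exec may be quoted (the template writes Exec="%s"); take the program path only.
    exec_cmd = entry.get("Exec", "").strip().strip('"')
    exe = exec_cmd.split()[0] if exec_cmd else ""
    base = posixpath.basename(exe)
    if exe and not exe.startswith(SYSTEM_PREFIXES):
        reasons.append(f"Exec outside system prefixes: {exe}")
    if base.startswith("."):
        reasons.append(f"Exec is a hidden file: {exe}")
    if exe.startswith("/tmp/"):
        reasons.append("Exec lives in /tmp")
    if base and entry.get("Name", "").strip() == base.lstrip("."):
        reasons.append("Name is just the executable basename")
    return reasons


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(label, audit_autostart_entry(text) or "clean")
```

To run it over a host, feed it each file under `~/.config/autostart/` and `/etc/xdg/autostart/`; the second directory is where a packaged application's entry would normally live.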
====================
DEBUG
====================

// Without Privilege

[001a57a2] execve("./Host.out", ["./Host.out"], [/* 20 vars */]) = -1 EACCES (Permission denied)
[001a57a2] dup(2)                       = 3
[001a57a2] fcntl64(3, F_GETFL)          = 0x8002 (flags O_RDWR|O_LARGEFILE)
[001a57a2] fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
[001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fde000
[001a57a2] _llseek(3, 0, 0xbff04ff0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
[001a57a2] write(3, "Ztrace: exec: Permission denied\n", 32Ztrace: exec: Permission denied
) = 32
[001a57a2] close(3)                     = 0
[001a57a2] munmap(0xb7fde000, 4096)     = 0
[001a57a2] exit_group(1)                = ?

// With privileges

[001a57a2] execve("./Host.out", ["./Host.out"], [/* 20 vars */]) = 0
[001b729d] uname({sys="Linux", node="YOUR.HOST.NAME", ...}) = 0
[001b5e1b] brk(0)                       = 0x94d8000
[001b6bb1] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[001b6a74] open("/etc/ld.so.cache", O_RDONLY) = 3
[001b698b] fstat64(3, {st_mode=S_IFREG|0644, st_size=22317, ...}) = 0
[001b71dd] old_mmap(NULL, 22317, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fd2000
[001b6aad] close(3)                     = 0
[001b6a74] open("/lib/libdl.so.2", O_RDONLY) = 3
[001b6af4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260[1\0004\0\0\0"..., 512) = 512
[001b698b] fstat64(3, {st_mode=S_IFREG|0755, st_size=16796, ...}) = 0
[001b71dd] old_mmap(0x315000, 12388, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x315000
[001b71dd] old_mmap(0x317000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x317000
[001b6aad] close(3)                     = 0
[001b6a74] open("/lib/tls/libpthread.so.0", O_RDONLY) = 3
[001b6af4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0PH7\0004\0\0\0"..., 512) = 512
[001b698b] fstat64(3, {st_mode=S_IFREG|0755, st_size=108040, ...}) = 0
[001b71dd] old_mmap(0x370000, 70108, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x370000
[001b71dd] old_mmap(0x37e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x37e000
[001b71dd] old_mmap(0x380000, 4572, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x380000
[001b6aad] close(3)                     = 0
[001b6a74] open("/lib/tls/libc.so.6", O_RDONLY) = 3
[001b6af4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340>\35\0004\0\0\0"..., 512) = 512
[001b698b] fstat64(3, {st_mode=S_IFREG|0755, st_size=1547732, ...}) = 0
[001b71dd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd1000
[001b71dd] old_mmap(0x1bf000, 1240284, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x1bf000
[001b71dd] old_mmap(0x2e8000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x129000) = 0x2e8000
[001b71dd] old_mmap(0x2ec000, 7388, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2ec000
[001b6aad] close(3)                     = 0
[001b71dd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd0000
[001b7264] mprotect(0x2e8000, 8192, PROT_READ) = 0
[001b7264] mprotect(0x37e000, 4096, PROT_READ) = 0
[001b7264] mprotect(0x317000, 4096, PROT_READ) = 0
[001b7264] mprotect(0x8055000, 4096, PROT_READ) = 0
[001b7264] mprotect(0x1bb000, 4096, PROT_READ) = 0
[001a7820] set_thread_area({entry_number:-1 -> 6, base_addr:0xb7fd06c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
[001b7221] munmap(0xb7fd2000, 22317)    = 0
[001a57a2] set_tid_address(0xb7fd0708)  = 23661
[001a57a2] rt_sigaction(SIGRTMIN, {0x374380, [], SA_RESTORER|SA_SIGINFO, 0x37ba90}, NULL, 8) = 0
[001a57a2] rt_sigaction(SIGRT_1, {0x3743f0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x37ba90}, NULL, 8) = 0
[001a57a2] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
[001a57a2] getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
[001a57a2] _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbff2550c, 30, (nil), 0}) = 0
[001a57a2] brk(0)                       = 0x94d8000
[001a57a2] brk(0x94f9000)               = 0x94f9000
[001a57a2] readlink("/proc/23661/exe", "/YOUR.PATH.TO/Host.out", 4352) = 38
[001a57a2] open("/tmp/.-", O_WRONLY|O_CREAT, 0666) = 3
[001a57a2] fcntl64(3, F_SETLK, {type=F_WRLCK, whence=SEEK_SET, start=0, len=1}) = 0
[001a57a2] open("/etc/resolv.conf", O_RDONLY) = 4
[001a57a2] fstat64(4, {st_mode=S_IFREG|0644, st_size=156, ...}) = 0
[001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd7000
[001a57a2] read(4, "search YOUR.DOMAIN\nnameserver 202.2"..., 4096) = 156
[001a57a2] read(4, "", 4096)            = 0
[001a57a2] close(4)                     = 0
[001a57a2] munmap(0xb7fd7000, 4096)     = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
[001a57a2] close(4)                     = 0
[001a57a2] nanosleep({8, 0}, NULL)      = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
[001a57a2] close(4)                     = 0
[001a57a2] nanosleep({8, 0}, NULL)      = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
[001a57a2] close(4)                     = 0
[001a57a2] nanosleep({8, 0},
[...] // Daemonized..

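The privileged trace above shows three behaviours worth turning into detection logic: the binary resolves its own path through /proc, takes a write lock on a hidden file under /tmp (a single-instance guard), and retries one address at a fixed interval. As an added example (not from the original paste), this Python pulls those three out of raw strace text; the sample lines are a cut-down, constructed copy of the trace above, and the parser assumes the default strace line shape with the optional `[ip]` prefix that `strace -i` adds.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the privileged strace run above.
SAMPLE_STRACE = """\
[001a57a2] readlink("/proc/23661/exe", "/YOUR.PATH.TO/Host.out", 4352) = 38
[001a57a2] open("/tmp/.-", O_WRONLY|O_CREAT, 0666) = 3
[001a57a2] fcntl64(3, F_SETLK, {type=F_WRLCK, whence=SEEK_SET, start=0, len=1}) = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] close(4)                     = 0
[001a57a2] nanosleep({8, 0}, NULL)      = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] close(4)                     = 0
[001a57a2] nanosleep({8, 0}, NULL)      = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] close(4)                     = 0
[001a57a2] nanosleep({8, 0}, NULL)      = 0
"""

# "[ip] name(args) = ret [ERRNO (text)]"; the greedy args group backtracks to
# the ')' that is followed by " = ", so nested parentheses in args are fine.
LINE_RE = re.compile(r"^(?:\[[0-9a-f]+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+|\?)(?:\s+(\w+))?")
CONNECT_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([\d.]+)"\)')
FIRST_PATH_RE = re.compile(r'^"([^"]+)"')


def parse_line(line: str) -> Optional[Tuple[str, str, Optional[int], Optional[str]]]:
    """Split one strace line into (syscall, args, return value, errno)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, args, ret, err = m.groups()
    return name, args, (None if ret == "?" else int(ret)), err


def triage_strace(text: str) -> Dict[str, object]:
    """Flag self-path lookup, hidden /tmp lock files and fixed-interval
    reconnect loops; beacons are keyed "ip:port"."""
    findings: Dict[str, object] = {"self_path_lookup": False, "lock_files": [], "beacons": {}}
    lock_files: List[str] = findings["lock_files"]  # type: ignore[assignment]
    beacons: Dict[str, Dict[str, object]] = findings["beacons"]  # type: ignore[assignment]
    created: Dict[int, str] = {}   # fd -> path, for O_CREAT opens of hidden /tmp files
    last_sleep: Optional[int] = None
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        name, args, ret, err = parsed
        if name == "readlink" and "/proc/" in args and "/exe" in args:
            findings["self_path_lookup"] = True
        elif name == "open" and "O_CREAT" in args and ret is not None and ret >= 0:
            pm = FIRST_PATH_RE.match(args)
            if pm and pm.group(1).startswith("/tmp/."):
                created[ret] = pm.group(1)
        elif name.startswith("fcntl") and "F_SETLK" in args:
            fd = int(args.split(",")[0])
            if fd in created:
                lock_files.append(created[fd])
        elif name == "nanosleep":
            sm = re.search(r"\{(\d+),", args)
            last_sleep = int(sm.group(1)) if sm else None
        elif name == "connect":
            cm = CONNECT_RE.search(args)
            if cm:
                b = beacons.setdefault(f"{cm.group(2)}:{cm.group(1)}",
                                       {"attempts": 0, "failed": 0, "errno": None, "sleep_s": None})
                b["attempts"] += 1  # type: ignore[operator]
                if ret is not None and ret < 0:
                    b["failed"] += 1  # type: ignore[operator]
                    b["errno"] = err
                if last_sleep is not None:
                    b["sleep_s"] = last_sleep  # interval observed before this retry
    return findings


if __name__ == "__main__":
    print(triage_strace(SAMPLE_STRACE))
```

A beacon entry with several attempts, every one failed with the same errno and a constant sleep between them, is the retry loop the analyst labels "Daemonized.." above; the same parser works on a live `strace -f -i -o trace.txt` capture.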
===============
PCAP
===============

No established connection made.

----
#MalwareMustDie!!