Pastebin
API
tools
faq
paste
Login
Sign up
Please fix the following errors:
New Paste
Syntax Highlighting
Linux Trojan: Linux/Bckdr-RKC *NEW!* Feb 2012 ============================================= - http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux~Bckdr-RKC.aspx - http://tinyurl.com/Linux-Bckdr-RKC Category: Viruses and Spyware Protection available since: 22 Dec 2011 08:23:46 (GMT) Type: Trojan Affected Operating Systems: Linux © 1997 - 2012 Sophos Ltd. ============================================= * http://pastebin.com/u/CaffeineSecurity | \__Linux/Bckdr-RKC Strings http://pastebin.com/RZAnDnkz \__Linux/Bckdr-RKC New Variant St... http://pastebin.com/0hqYbT8m \__Linux/Bckdr-RKC New Variant Diff http://pastebin.com/ePdRxsT4 \__.ssyslog - first section decom... http://pastebin.com/Tenmhmnf ============================================= Linux/Bckdr-RKC: A New Variant Appears - http://caffeinesecurity.blogspot.com/2011/12/linuxbckdr-rkc-new-variant-appears.html - http://tinyurl.com/Linux-Bckdr-RKC-part1 "Someone was busy this Christmas. A new variant of Linux/Bckdr-RKC has been placed on my honeypot. Unfortunately detections by Sophos do not detect this variant, so I've sent it back to them for analysis. I have posted the strings from the unpacked malware, as well as a diff between the strings of the old version and new version. I will post updates as I can. Posted by Ken on 12/26/2011" ============================================= Linux/Bckdr-RKC Initial Analysis - http://caffeinesecurity.blogspot.com/2011/12/linuxbckdr-rkc-initial-analysis.html - http://tinyurl.com/Linux-Bckdr-RKC-part2 "A malicious user dropped off a VERY interesting piece of malware on my honeypot today with the filename ".xsyslog" This piece of malware was previously undetected, and many kudos to Sophos for being the first to confirm my findings that the software was malicious. So far, I have been able to determine the following: This is a UPX packed Linux ELF which appears to have been around since late November 2011, according to internet searches. The malware is installed from a compromised system after cracking a SSH server's root password, in the path /etc/.xsyslog The malware is downloaded from an IP address which appears to be hosted in Hong Kong by a fake corporation: 216.83.44.229 port 99 It phones home to an IP address which appears to be hosted by the same fake corporation: 216.83.44.226 port 81 I have uploaded all relevant strings within the unpacked file to Pastebin. I will provide additional details as I find/receive them. This malware has been forwarded to US-CERT, as well as multiple anti-virus vendors. Track current AV coverage at" http://md5.virscan.org/58c23ca549c941f0d44b35fa31d77011 Related Reading: Sophos Whitepaper Protection for Mac and Linux Computers: Genuine Need or Nice to Have? - http://caffinesecurity-blogspot.tradepub.com/free/w_aaaa1364/?p=w_aaaa1364 Posted by Ken on 12/21/2011 ============================================= Chinese Origins in .ssyslog Decompiled - Linux/Bckdr-RKC - http://caffeinesecurity.blogspot.com/2011/12/chinese-origins-in-ssyslog-decompiled.html - http://tinyurl.com/Linux-Bckdr-RKC-part-3 I have partially decompiled the second piece of malware which was similar to the original Linux/Bckdr-RKC dropped on my honeypot. I am publicly posting the first section of this file to highlight my findings so far... -- http://pastebin.com/Tenmhmnf Update: The full decompiled source of both pieces of malware is now available at SlingFile. -- hxxp://www.slingfile.com/file/iKwWO86Nr5 The first part of this decompiled code which really stood out was a clear marker that this malware is definately of Chinese origin. This snippet of code is from the following function int autoupdate(char* url_address, char* local_to_file) Code: L0805FF50( &_v3660, "GET /%s HTTP/1.1 \nAccept: */* \nAccept-Language: zh-cn \nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) \nHost: %s:%d \nConnection: Close \n \n", &_v2380); The "Accept-Language" of zh-cn represents Traditional Chinese as the desired web browse language. -- http://social.msdn.microsoft.com/Forums/en/netfxbcl/thread/4fe22069-6556-4ce5-a264-edb59d102c85 This means the malware in question was most likely programmed by a native speaker of Chinese. Add to this the fact that the malware is hosted by a fake corporation in China, and that the previous version of this malware also phoned home to the same fake corporation, this all becomes very interesting. Here are a few other function names from this latest version: copy_myself(const char* name) autostart(const char* inser_to_file) int SendSevMonitor() int SendServerPack() GetNetPackets(long long unsigned int* lNetOut, long long unsigned int* lPacketOut) int moniter(char* host) int udpflood(_Unknown_base* ThreadData) int synflood(_Unknown_base* ThreadData) int synbigpacket(_Unknown_base* ThreadData) int ackflood(_Unknown_base* ThreadData) int ackbigpacket(_Unknown_base* ThreadData) GetStructureDnsPacket(char* QueryDomain, char* QueryData, int* nQueryData) int dnsflood(_Unknown_base* ThreadData) int more_ip_dns_test(_Unknown_base* ThreadData) int autoupdate(char* url_address, char* local_to_file) int get_online_ip(char* domain, char* return_ip) int parse_dns_response(char* return_ip) parse_dns_name(unsigned char* chunk, unsigned char* ptr, char* out, int* len) send_dns_request(const char* dns_name) connect_to_server() Make no mistake, this malware is clearly designed to perform reconnaissance on internal networks and disrupt communications when instructed to do so by the command and control server. The malware has self-replication and automatic update capabilities. I find this malware very disturbing. What I find even more distrubing is the fact that since my submission of this malware to antivirus vendors, with the exception of Avira who believes this file is clean, none of the antivirus vendors have completed their analysis. These two pieces of malware seem very professionally crafted with a clear purpose - to serve as a "cyber weapon". Posted by Ken on 12/30/2011 ============================================= Following the Trail: Determining the Origins of Linux/Bckdr-RKC - http://caffeinesecurity.blogspot.com/2011/12/following-trail-determining-origins-of.html#more - http://tinyurl.com/Linux-Bckdr-RKC-part-4 It is already known that the two Linux/Bckdr-RKC variants I have received have both been hosted by 216.83.44.229. Furthermore, the first variant had a phone-home address of 216.83.44.226. Both of these IP addresses are registered to the netblock owned by WIRELESS-ALARM.COM (not to be confused with the actual website wireless-alarm.com, which is registered to a different contact completely, and unrelated here). Let's use what we already know to try to find the organization responsible for this malware. Here is a traceroute I performed several days ago: Hop (ms) (ms) (ms) IP Address Host name 1 0 0 0 206.123.64.154 jbdr2.0.dal.colo4.com 2 0 0 0 64.124.196.225 xe-4-2-0.er2.dfw2.us.above.net 3 0 Timed out 0 63.218.23.29 ge5-4.br02.dal01.pccwbtn.net 4 214 214 214 63.218.252.86 ge9-39.br03.hkg04.pccwbtn.net 5 214 214 258 112.121.160.221 - 6 213 213 213 112.121.160.18 - 7 218 218 217 112.121.160.198 - 8 213 213 212 216.83.44.226 - And here is a traceroute as performed today: TraceRoute to 216.83.44.226 Hop (ms) (ms) (ms) IP Address Host name 1 12 0 0 206.123.64.154 jbdr2.0.dal.colo4.com 2 0 0 0 64.124.196.225 xe-4-2-0.er2.dfw2.us.above.net 3 0 0 0 63.218.23.29 ge5-4.br02.dal01.pccwbtn.net 4 212 212 212 63.218.252.86 ge9-39.br03.hkg04.pccwbtn.net 5 Timed out Timed out Timed out - 6 Timed out Timed out Timed out - 7 Timed out Timed out Timed out - 8 Timed out Timed out Timed out - Seems that either the responsible organization has been disconnected from the network by their provider, or they have purposely disconnected themselves to hinder analysis. Starting with 216.83.44.226 and working backwards, let's see who this section of IP addresses is registered to. 216.83.44.0 - 216.83.44.255 is registered to WIRELESS-ALARM.COM OrgName: WIRELESS-ALARM.COM OrgId: WIREL-46 Address: 3026 Ensley 5 Points W Avenue City: Birmingham StateProv: AL PostalCode: 35208 Country: US RegDate: 2009-12-30 Updated: 2011-09-24 Ref: http://whois.arin.net/rest/org/WIREL-46 OrgAbuseHandle: PQU12-ARIN OrgAbuseName: Quagliano, Pedro OrgAbusePhone: +1-877-605-5273 OrgAbuseEmail: pedroquagliano@cyanclouds.com We already know that this is a fake registration, because all of my emails to pedroquagliano@cyanclouds.com were returned as non-deliverable due to DNS failures. That means cyanclouds.com is not an active domain. Lets go up a level in IP address ownership. 216.83.32.0 - 216.83.63.255 is owned by Ether.Net LLC. network:Class-Name:network network:ID:216.83.32.0/20 network:Auth-Area:216.83.32.0/20 network:Network-Name:ETHRN-216-83-46-0 network:IP-Network:216.83.46.0/24 network:IP-Network-Block:216.83.46.0 - 216.83.46.255 network:Org-Name:InfoMove Hong Kong Limited. network:Street-Address:Unit 2001, 20/F, New Tech Plaza, 8 Tai Yau Street network:City:San Po Kong network:State:HK network:Country-Code:HK Ether.NET appears to be a legitimate business operating in Hong Kong. They have been around for many years. They have an AIM for support which I was able to trace back to 2003 posting on web hosting support forums. Doubtful that they're involved, so let's shift out focus elsewhere. Going back to the IP range owned by WIRELESS-ALARM.COM, 216.83.44.0 - 216.83.44.255, lets look at what else is hosted there. From http://bgp.he.net/net/216.83.44.0/24#_dns as of 12/31/2011 6:21 PST IP PTR A 216.83.44.31 mail.bostonyarn.com 216.83.44.54 fold.bronxbreakfast.com 216.83.44.113 prn.iselinnotebook.com 216.83.44.115 joplinyear.com 216.83.44.116 mail.joplinyear.com 216.83.44.189 proe.northandoverschool.com 216.83.44.191 northbendlearning.com 216.83.44.202 wink.norwellobservation.com 216.83.44.204 mail.philadelphiafather.com e8lvbet.com, i3mic.com 216.83.44.221 copy.southplainfieldfeet.com 216.83.44.2 ns1.cyanclouds.com 216.83.44.3 ns2.cyanclouds.com 216.83.44.10 22073.com 216.83.44.18 int-pe.com, interush-pe.com 216.83.44.19 oll365.com 216.83.44.42 centrinofund.com, cf-pe.com 216.83.44.44 games456.us, gamt465.com, gmae456.info 216.83.44.45 com-com-com-com-com.com 216.83.44.46 111i.net, 23u9.com, 55-com.com, gamex6.com, llgame.net, org2.net 216.83.44.66 bmp79.com 216.83.44.67 app67.com, apt67.com, bbv78.com, bul79.com, ddc77.com, ght33.com, jjt55.com, jpg77.com, kky55.com, mmx88.com, rtr66.com, sta78.com, tgg33.com, uub33.com, vbo33.com, vvx45.com 216.83.44.68 aaz33.com, ccx89.com, ygk77.com 216.83.44.69 abo34.com, bmn99.com, ccx66.com, ese55.com, ffs234.com, jsa52.com, kbx33.com, kut99.com, kyy78.com, myb78.com, nnc99.com, rka77.com, ssx69.com, ttx77.com, tvn66.com, wsd22.com 216.83.44.70 kgb69.com 216.83.44.82 66hw.net, hk888.net 216.83.44.90 clubwptasia.com, haedongcheong.com, oce365.com, openrace24.com 216.83.44.99 ylg886.com 216.83.44.122 hg1138.com 216.83.44.123 fh636.com, hg3968.com, hk638.com, yh372.com 216.83.44.131 hg0608.com, hg1918.com, hg4568.com, hg9168.com, hg9338.com 216.83.44.132 hg7678.com 216.83.44.154 sc93.com 216.83.44.155 tv105.com 216.83.44.156 duooo.com 216.83.44.157 bbsveb.com 216.83.44.163 1999829.com, 3771mm.info, 911meinv.info, mytaojia.com, qgxinxi.info, taaobbao.com, wawachina.info, yayaqq.info 216.83.44.164 360meinv.info, 920meinv.com, 999taobao.com, kissbye.info, tabaserver.com 216.83.44.165 265gc.com 216.83.44.166 439995.com 216.83.44.186 03hz.com, 18018.com 216.83.44.194 ckk67.com, fta79.com, jkj88.com, ktm77.com, ktm99.com, mou79.com, nvb89.com, pub79.com, ssr999.com, ssx778.com, tot66.com, tut88.com, utp79.com, vub99.com, xxr44.com, yyc33.com 216.83.44.195 aki77.com, amu77.com, arp77.com, arv99.com, avc77.com, eed69.com, gje88.com, mmb77.com, mpo77.com, tup77.com, vcd79.com 216.83.44.197 vvz69.com 216.83.44.218 hg0035.com, hg1090.com 216.83.44.219 hg1095.com, hg8869.com 216.83.44.228 lcddos.com 216.83.44.229 todayg.com, xy100000.com 216.83.44.243 hg0091.com, hg0093.com, hg0094.com 216.83.44.245 hg0092.com 216.83.44.250 tt95588.com Hmm, remember the registration for WIRELESS-ALARM.COM? The email address pointed at cyancoulds.com... and the DNS servers for cyanclouds.com happen to be hosted in the same netblock. Could it be cyanclouds.com is also being controlled by the responsible organization? So let's lookup the contact info for cyanclouds.com... Domain Name: CYANCLOUDS.COM Registrar: DIRECTNIC, LTD Whois Server: whois.directnic.com Referral URL: http://www.directnic.com Name Server: NS1.CYANCLOUDS.COM Name Server: NS2.CYANCLOUDS.COM Status: clientDeleteProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 31-jan-2011 Creation Date: 03-mar-2009 Expiration Date: 03-mar-2012 Registrant: Good Names Network 342 Broadway New York, NY 10013 US 212-555-1212 Domain Name: CYANCLOUDS.COM Administrative Contact: Operations, Network goodnames@yahoo.com 342 Broadway New York, NY 10013 US 212-555-1212 Technical Contact: Operations, Network goodnames@yahoo.com 342 Broadway New York, NY 10013 US 212-555-1212 It looks like cyanclouds.com is registered by "proxy" through another company called the "Good Names Network". But wait...is this company real either? 212-555-1212 will simply give you directory assistance for the 212 area code. (New York) 342 Broadway is actually a UPS Store which offers mailbox services...so this could be anyone. So, another dead end? This malware which has definite Chinese origins also has a link to an anonymous business New York. This is where I'd like to point out the marvels of Google. Specifically Google Street View. Without Google Street View, we would never have known that next to this UPS Store at 344 Broadway is a shop called "Broadway Cleaners". A quick Google search shows that Broadway Cleaners is actually owned by someone at 95 Worth Street, which happens to be in Chinatown. Please note that this is absolutely speculation, and that there is no proof whatsoever anyone at Broadway Cleaners has anything to do with this. However, the fact that the malware has definite ties to China, and the fact that the proxy company used to register WIRELESS-ALARM.COM's IP block is right next door to a business originating in Chinatown, is a very interesting coincidence. Unfortunately this is where the trail goes cold. This search for the origin of this malware has possibly raised more questions than provided answers. But one thing is for certain - the network framework for this malware has definitely been in place for some time. WIRELESS-ALARM.COM's IP block as well as cyanclouds.com have been registered since 2009. This is not the work of a "fly-by-night" script kiddy. Careful planning has been taken to not only develop this malware, but also to establish the hosting this malware would be using - and hide its true origins. Posted by Ken on 12/31/2011 ============================================= Caffeine Security @Twitter: - https://twitter.com/CaffSec =============================================
Optional Paste Settings
Category:
None
Cryptocurrency
Cybersecurity
Fixit
Food
Gaming
Haiku
Help
History
Housing
Jokes
Legal
Money
Movies
Music
Pets
Photo
Science
Software
Source Code
Spirit
Sports
Travel
TV
Writing
Tags:
Syntax Highlighting:
None
Bash
C
C#
C++
CSS
HTML
JSON
Java
JavaScript
Lua
Markdown (PRO members only)
Objective C
PHP
Perl
Python
Ruby
Swift
4CS
6502 ACME Cross Assembler
6502 Kick Assembler
6502 TASM/64TASS
ABAP
AIMMS
ALGOL 68
APT Sources
ARM
ASM (NASM)
ASP
ActionScript
ActionScript 3
Ada
Apache Log
AppleScript
Arduino
Asymptote
AutoIt
Autohotkey
Avisynth
Awk
BASCOM AVR
BNF
BOO
Bash
Basic4GL
Batch
BibTeX
Blitz Basic
Blitz3D
BlitzMax
BrainFuck
C
C (WinAPI)
C Intermediate Language
C for Macs
C#
C++
C++ (WinAPI)
C++ (with Qt extensions)
C: Loadrunner
CAD DCL
CAD Lisp
CFDG
CMake
COBOL
CSS
Ceylon
ChaiScript
Chapel
Clojure
Clone C
Clone C++
CoffeeScript
ColdFusion
Cuesheet
D
DCL
DCPU-16
DCS
DIV
DOT
Dart
Delphi
Delphi Prism (Oxygene)
Diff
E
ECMAScript
EPC
Easytrieve
Eiffel
Email
Erlang
Euphoria
F#
FO Language
Falcon
Filemaker
Formula One
Fortran
FreeBasic
FreeSWITCH
GAMBAS
GDB
GDScript
Game Maker
Genero
Genie
GetText
Go
Godot GLSL
Groovy
GwBasic
HQ9 Plus
HTML
HTML 5
Haskell
Haxe
HicEst
IDL
INI file
INTERCAL
IO
ISPF Panel Definition
Icon
Inno Script
J
JCL
JSON
Java
Java 5
JavaScript
Julia
KSP (Kontakt Script)
KiXtart
Kotlin
LDIF
LLVM
LOL Code
LScript
Latex
Liberty BASIC
Linden Scripting
Lisp
Loco Basic
Logtalk
Lotus Formulas
Lotus Script
Lua
M68000 Assembler
MIX Assembler
MK-61/52
MPASM
MXML
MagikSF
Make
MapBasic
Markdown (PRO members only)
MatLab
Mercury
MetaPost
Modula 2
Modula 3
Motorola 68000 HiSoft Dev
MySQL
Nagios
NetRexx
Nginx
Nim
NullSoft Installer
OCaml
OCaml Brief
Oberon 2
Objeck Programming Langua
Objective C
Octave
Open Object Rexx
OpenBSD PACKET FILTER
OpenGL Shading
Openoffice BASIC
Oracle 11
Oracle 8
Oz
PARI/GP
PCRE
PHP
PHP Brief
PL/I
PL/SQL
POV-Ray
ParaSail
Pascal
Pawn
Per
Perl
Perl 6
Phix
Pic 16
Pike
Pixel Bender
PostScript
PostgreSQL
PowerBuilder
PowerShell
ProFTPd
Progress
Prolog
Properties
ProvideX
Puppet
PureBasic
PyCon
Python
Python for S60
QBasic
QML
R
RBScript
REBOL
REG
RPM Spec
Racket
Rails
Rexx
Robots
Roff Manpage
Ruby
Ruby Gnuplot
Rust
SAS
SCL
SPARK
SPARQL
SQF
SQL
SSH Config
Scala
Scheme
Scilab
SdlBasic
Smalltalk
Smarty
StandardML
StoneScript
SuperCollider
Swift
SystemVerilog
T-SQL
TCL
TeXgraph
Tera Term
TypeScript
TypoScript
UPC
Unicon
UnrealScript
Urbi
VB.NET
VBScript
VHDL
VIM
Vala
Vedit
VeriLog
Visual Pro Log
VisualBasic
VisualFoxPro
WHOIS
WhiteSpace
Winbatch
XBasic
XML
XPP
Xojo
Xorg Config
YAML
YARA
Z80 Assembler
ZXBasic
autoconf
jQuery
mIRC
newLISP
q/kdb+
thinBasic
Paste Expiration:
Never
Burn after read
10 Minutes
1 Hour
1 Day
1 Week
2 Weeks
1 Month
6 Months
1 Year
Paste Exposure:
Public
Unlisted
Private
Folder:
(members only)
Password
NEW
Enabled
Disabled
Burn after read
NEW
Paste Name / Title:
Create New Paste
Hello
Guest
Sign Up
or
Login
Sign in with Facebook
Sign in with Twitter
Sign in with Google
You are currently not logged in, this means you can not edit or delete anything you paste.
Sign Up
or
Login
Public Pastes
Untitled
4 min ago | 0.46 KB
Untitled
6 min ago | 1.07 KB
Untitled
8 min ago | 0.39 KB
Untitled
8 min ago | 0.17 KB
Christmas Gift
27 min ago | 0.84 KB
December smells like money (Release)
CSS | 27 min ago | 0.82 KB
Untitled
34 min ago | 2.94 KB
Untitled
35 min ago | 0.90 KB
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the
Cookies Policy
.
OK, I Understand
Not a member of Pastebin yet?
Sign Up
, it unlocks many cool features!
