Analysis of the suspected Linux DDoS backdoor Tool

MalwareMustDie, Nov 14th, 2013
#MalwareMustDie!
Found the ELF sample below, reported by @lvdeijk.
It is a malicious daemon with a remote backdoor to 190.115.20.11:59870.
The assembly data suggests a DDoS tool.

Sample : ./ms20
MD5    : 7348efce3d373ee1a3ac18c6c0796a84
SHA256 : ea7b6cebdac78a42e1b4f5073c125e974e9da8ee7c5a4604be57061332ad93c3
VT: https://www.virustotal.com/en/file/ea7b6cebdac78a42e1b4f5073c125e974e9da8ee7c5a4604be57061332ad93c3/analysis/

<script>

/ ELF Information /

ms20: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped

Entry point at file offset 0x120
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048120

/ snips /

$ hd -n 256 ./ms20
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  20 81 04 08 34 00 00 00  |........ ...4...|
00000020  c8 07 12 00 00 00 00 00  34 00 20 00 05 00 28 00  |........4. ...(.|
00000030  1c 00 19 00 01 00 00 00  00 00 00 00 00 80 04 08  |................|
00000040  00 80 04 08 6d d7 11 00  6d d7 11 00 05 00 00 00  |....m...m.......|
00000050  00 10 00 00 01 00 00 00  00 e0 11 00 00 60 16 08  |.............`..|
00000060  00 60 16 08 54 17 00 00  58 a9 00 00 06 00 00 00  |.`..T...X.......|
00000070  00 10 00 00 04 00 00 00  d4 00 00 00 d4 80 04 08  |................|
00000080  d4 80 04 08 20 00 00 00  20 00 00 00 04 00 00 00  |.... ... .......|
00000090  04 00 00 00 07 00 00 00  00 e0 11 00 00 60 16 08  |.............`..|
000000a0  00 60 16 08 14 00 00 00  30 00 00 00 04 00 00 00  |.`......0.......|
000000b0  04 00 00 00 51 e5 74 64  00 00 00 00 00 00 00 00  |....Q.td........|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 06 00 00 00  |................|
000000d0  04 00 00 00 04 00 00 00  10 00 00 00 01 00 00 00  |................|
000000e0  47 4e 55 00 00 00 00 00  02 00 00 00 02 00 00 00  |GNU.............|
000000f0  05 00 00 00 55 89 e5 83  ec 08 e8 45 00 00 00 e8  |....U......E....|

/ header, sections, segments, relocations, etc /

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048120
  Start of program headers:          52 (bytes into file)
  Start of section headers:          1181640 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         28
  Section header string table index: 25

/ segments and sections /

  Elf file type is EXEC (Executable file)
  Entry point 0x8048120
  There are 5 program headers, starting at offset 52
  There are no relocations in this file.
  There is no dynamic section in this file.
  There are 28 section headers, starting at offset 0x1207c8:

  Program Headers:
    Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
    LOAD           0x000000 0x08048000 0x08048000 0x11d76d 0x11d76d R E 0x1000
    LOAD           0x11e000 0x08166000 0x08166000 0x01754 0x0a958 RW  0x1000
    NOTE           0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R   0x4
    TLS            0x11e000 0x08166000 0x08166000 0x00014 0x00030 R   0x4
    GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

   Section to Segment mapping:
    Segment Sections...
     00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
     01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
     02     .note.ABI-tag
     03     .tdata .tbss
     04

  Section Headers:
    [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
    [ 0]                   NULL            00000000 000000 000000 00      0   0  0
    [ 1] .note.ABI-tag     NOTE            080480d4 0000d4 000020 00   A  0   0  4
    [ 2] .init             PROGBITS        080480f4 0000f4 000017 00  AX  0   0  4
    [ 3] .text             PROGBITS        08048120 000120 0e0520 00  AX  0   0 32
    [ 4] __libc_freeres_fn PROGBITS        08128640 0e0640 000f6e 00  AX  0   0  4 <== patchable
    [ 5] __libc_thread_fre PROGBITS        081295b0 0e15b0 0000e2 00  AX  0   0  4 <== patchable
    [ 6] .fini             PROGBITS        08129694 0e1694 00001a 00  AX  0   0  4
    [ 7] .rodata           PROGBITS        081296c0 0e16c0 020bee 00   A  0   0 32
    [ 8] __libc_subfreeres PROGBITS        0814a2b0 1022b0 00003c 00   A  0   0  4 <== patchable
    [ 9] __libc_atexit     PROGBITS        0814a2ec 1022ec 000004 00   A  0   0  4 <== patchable
    [10] __libc_thread_sub PROGBITS        0814a2f0 1022f0 000004 00   A  0   0  4 <== patchable
    [11] .eh_frame         PROGBITS        0814a2f4 1022f4 01670c 00   A  0   0  4
    [12] .gcc_except_table PROGBITS        08160a00 118a00 004d6d 00   A  0   0  4
    [13] .tdata            PROGBITS        08166000 11e000 000014 00 WAT  0   0  4
    [14] .tbss             NOBITS          08166014 11e014 00001c 00 WAT  0   0  4
    [15] .ctors            PROGBITS        08166014 11e014 00002c 00  WA  0   0  4
    [16] .dtors            PROGBITS        08166040 11e040 00000c 00  WA  0   0  4
    [17] .jcr              PROGBITS        0816604c 11e04c 000004 00  WA  0   0  4
    [18] .data.rel.ro      PROGBITS        08166060 11e060 00063c 00  WA  0   0 32
    [19] .got              PROGBITS        0816669c 11e69c 00005c 04  WA  0   0  4
    [20] .got.plt          PROGBITS        081666f8 11e6f8 00000c 04  WA  0   0  4
    [21] .data             PROGBITS        08166720 11e720 001034 00  WA  0   0 32
    [22] .bss              NOBITS          08167760 11f754 0091d8 00  WA  0   0 32
    [23] __libc_freeres_pt NOBITS          08170938 11f754 000020 00  WA  0   0  4 <== patchable
    [24] .comment          PROGBITS        00000000 11f754 000f4b 00      0   0  1
    [25] .shstrtab         STRTAB          00000000 12069f 000126 00      0   0  1
    [26] .symtab           SYMTAB          00000000 120c28 017a60 10     27 1217  4
    [27] .strtab           STRTAB          00000000 138688 03103b 00      0   0  1
  Key to Flags:
    W (write), A (alloc), X (execute), M (merge), S (strings), T (TLS)
    I (info), L (link order), G (group), x (unknown)
    O (extra OS processing required) o (OS specific), p (processor specific)
  124.  
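The readelf output above can be checked against the raw bytes by hand. The following is an added Python example, not part of the original paste and not the analyst's tooling: it parses the 256 bytes from the `hd -n 256 ./ms20` dump (transcribed from this page) with the Elf32 header and program-header layouts, reads the `.note.ABI-tag` segment that gives file(1) its "for GNU/Linux 2.2.5" string, and reports the triage facts a reverser wants first: entry point, whether the binary is static (no PT_INTERP / PT_DYNAMIC, so no import table to pivot on), and whether PT_GNU_STACK asks for an executable stack. Field names follow the ELF specification; nothing beyond the 256 bytes on the page is assumed.

```python
"""Parse the first 256 bytes of ms20 with the Elf32 structures by hand.

The bytes are transcribed from the `hd -n 256 ./ms20` dump above; the
parser is an added illustration, not the original analyst's tooling.
"""
import struct

MS20_HEAD = bytes.fromhex(
    "7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00"
    "02 00 03 00 01 00 00 00 20 81 04 08 34 00 00 00"
    "c8 07 12 00 00 00 00 00 34 00 20 00 05 00 28 00"
    "1c 00 19 00 01 00 00 00 00 00 00 00 00 80 04 08"
    "00 80 04 08 6d d7 11 00 6d d7 11 00 05 00 00 00"
    "00 10 00 00 01 00 00 00 00 e0 11 00 00 60 16 08"
    "00 60 16 08 54 17 00 00 58 a9 00 00 06 00 00 00"
    "00 10 00 00 04 00 00 00 d4 00 00 00 d4 80 04 08"
    "d4 80 04 08 20 00 00 00 20 00 00 00 04 00 00 00"
    "04 00 00 00 07 00 00 00 00 e0 11 00 00 60 16 08"
    "00 60 16 08 14 00 00 00 30 00 00 00 04 00 00 00"
    "04 00 00 00 51 e5 74 64 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00"
    "04 00 00 00 04 00 00 00 10 00 00 00 01 00 00 00"
    "47 4e 55 00 00 00 00 00 02 00 00 00 02 00 00 00"
    "05 00 00 00 55 89 e5 83 ec 08 e8 45 00 00 00 e8"
)

PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_NOTE, PT_TLS = 1, 2, 3, 4, 7
PT_GNU_STACK = 0x6474E551
PT_NAMES = {0: "NULL", PT_LOAD: "LOAD", PT_DYNAMIC: "DYNAMIC", PT_INTERP: "INTERP",
            PT_NOTE: "NOTE", 6: "PHDR", PT_TLS: "TLS", 0x6474E550: "GNU_EH_FRAME",
            PT_GNU_STACK: "GNU_STACK", 0x6474E552: "GNU_RELRO"}
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")


def parse_ehdr(data):
    """Elf32_Ehdr: 16-byte e_ident, then the fixed fields (52 bytes in total)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:          # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        raise ValueError("this example only handles ELF32 little-endian")
    return dict(zip(EHDR_FIELDS, struct.unpack_from("<HHIIIIIHHHHHH", data, 16)))


def parse_phdrs(data, ehdr):
    """Elf32_Phdr table: e_phnum entries of e_phentsize bytes starting at e_phoff."""
    phdrs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        phdrs.append(dict(zip(PHDR_FIELDS, struct.unpack_from("<8I", data, off))))
    return phdrs


def flag_str(flags):
    """Same R/W/E column readelf prints for p_flags."""
    return "".join(c if flags & bit else " " for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def parse_abi_note(data, phdrs):
    """.note.ABI-tag: name "GNU", type 1, desc = (os, major, minor, patch) of the minimum kernel."""
    note = next((p for p in phdrs if p["type"] == PT_NOTE), None)
    if note is None:
        return None
    off = note["offset"]
    namesz, descsz, ntype = struct.unpack_from("<3I", data, off)
    name = data[off + 12:off + 12 + namesz].rstrip(b"\0")
    desc_off = off + 12 + ((namesz + 3) & ~3)   # name is padded to a 4-byte boundary
    if name != b"GNU" or ntype != 1 or descsz < 16:
        return None
    os_id, major, minor, patch = struct.unpack_from("<4I", data, desc_off)
    return {"os": {0: "Linux"}.get(os_id, f"os#{os_id}"), "min_kernel": f"{major}.{minor}.{patch}"}


def triage(data):
    """The first facts to pull from an unknown ELF before touching its code."""
    ehdr = parse_ehdr(data)
    phdrs = parse_phdrs(data, ehdr)
    types = {p["type"] for p in phdrs}
    stack = next((p for p in phdrs if p["type"] == PT_GNU_STACK), None)
    return {
        "entry": ehdr["e_entry"],
        # no interpreter and no dynamic segment: statically linked, no import table
        "static": PT_INTERP not in types and PT_DYNAMIC not in types,
        # a missing PT_GNU_STACK is treated as an executable stack by older kernels
        "exec_stack": bool(stack["flags"] & PF_X) if stack else True,
        "abi": parse_abi_note(data, phdrs),
        "segments": [(PT_NAMES.get(p["type"], hex(p["type"])), p["vaddr"], p["memsz"],
                      flag_str(p["flags"])) for p in phdrs],
    }


if __name__ == "__main__":
    for key, value in triage(MS20_HEAD).items():
        print(f"{key:10} {value}")
```

Run it and the five segments come out exactly as in the Program Headers table above (LOAD R E, LOAD RW, NOTE R, TLS R, GNU_STACK RW); the RW on GNU_STACK means the sample does not request an executable stack, and the absent PT_INTERP confirms what file(1) said about static linking.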

/ Header in Full /

complete header --> HEADER-FULL.TXT

/ assembler contents of executable and FULL sections /

ASSEMBLER-CODE-EX-SECTION.TXT
ASSEMBLER-CODE-FULL-SECTION.TXT

/ full contents of all sections /

FULL-CONTENTS-SECTIONS.TXT

/ symbol tables /

SYMBOL-TABLES.TXT

/ step by step assembly /

STEPPED-ASSEMBLY.TXT

</script unixfreaxjp>

===========
BEHAVIOR
===========

Now the most important part is to see how this can run..

/ debugging /
/ result: there is a way to make this run.., see below.. after patching /

execve("./ms20", ["./ms20"], [/* 21 vars */]) = 0
uname({sys="Linux", node="unixfreaxjp", ...}) = 0
brk(0)                                  = 0xa12b000
brk(0xa12bc90)                          = 0xa12bc90
set_thread_area({entry_number:-1 -> 6, base_addr:0xa12b830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
set_tid_address(0xa12b878)              = 13708
rt_sigaction(SIGRTMIN, {0x8063228, [], SA_RESTORER|SA_SIGINFO, 0x8063550}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x8063290, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x8063550}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfec5df0, 30, (nil), 0}) = 0
brk(0xa14cc90)                          = 0xa14cc90
brk(0xa14d000)                          = 0xa14d000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=48524976, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7d5d000
mmap2(NULL, 888832, PROT_READ, MAP_PRIVATE, 3, 0x162) = 0xb7c84000
mmap2(NULL, 208896, PROT_READ, MAP_PRIVATE, 3, 0x2b2) = 0xb7c51000
mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0x21fd) = 0xb7c50000
close(3)                                = 0
brk(0xa171000)                          = 0xa171000
futex(0x816780c, FUTEX_WAKE, 2147483647) = 0
brk(0xa192000)                          = 0xa192000
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xa12b878) = 13709
exit_group(0)                           = ?

Note the clone() followed immediately by exit_group(0): the parent forks and exits, and the child (PID 13709) is the process that carries on as a daemon, which is why the trace of the parent ends here.

/ in debug mode, list the libraries it wants... any tracing tool will do.. /

ms20      13709    mem       REG        3,3   112260    1537133 /lib/ld-2.3.4.so
ms20      13709    mem       REG        3,3  1547732    1537211 /lib/tls/libc-2.3.4.so
ms20      13709    mem       REG        3,3    47468    1537158 /lib/libnss_files-2.3.4.so
ms20      13709    mem       REG        3,3    21544    2093265 /usr/lib/gconv/gconv-modules.cache
ms20      13709    mem       REG        3,3 48524976    2068507 /usr/lib/locale/locale-archive

(The file is statically linked, yet ld.so, libc and libnss_files of one specific glibc version show up in its mappings. That is glibc's NSS: even a static binary dlopen()s the NSS modules for name lookups, and they must match the glibc it was built against, which is why those libraries have to be supplied before the sample will run.)

/ feed it the libraries it wants....and RUN IT!!! in active mode /

ms20      13858    operator  cwd       DIR        3,3     4096    1391017 /blah/unixfreaxjp/TRANSIT/TMP
ms20      13858    operator  rtd       DIR        3,3     4096          2 /
ms20      13858    operator  txt       REG        3,3  1480387    1030178 /blah/unixfreaxjp/TRANSIT/TMP/ms20
ms20      13858    operator  mem       REG        3,3 48524976    2068507 /usr/lib/locale/locale-archive
ms20      13858    operator    0u      CHR        1,3                2034 /dev/null
ms20      13858    operator    1u      CHR        1,3                2034 /dev/null
ms20      13858    operator    2u      CHR        1,3                2034 /dev/null
ms20      13858    operator    3u     IPv4     685671                 TCP joe:38016->190.115.20.11:59870 (ESTABLISHED) <=== outbound connection to the C2

stdin, stdout and stderr are all redirected to /dev/null: a classic daemonization, with the only open descriptor being the socket to the remote host.

/ established connection to IP: 190.115.20.11:59870 .. go figure.. a BACKDOOR /

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 x.x.x.x:38015          190.115.20.11:59870         ESTABLISHED 13709/ms20

/ capture /

# tcpdump -i eth0 dst 190.115.20.11 -w 002.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

/ traffic sent (hex dump of the pcap file) /

0000   D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00    ................
0010   60 00 00 00 01 00 00 00 B6 63 83 52 5E BA 02 00    `........c.R^...
0020   5D 00 00 00 5D 00 00 00 00 A0 C9 22 B0 EE 00 10    ]...]......"....
0030   C6 0F 98 D9 08 00 45 00 00 4F E2 DA 40 00 40 06    ......E..O..@.@.
0040   BD 9D C0 A8 07 0A BE 73 14 0B 94 80 E9 DE B5 99    .......s........
0050   99 6F 06 14 26 F4 80 18 05 B4 FC 0E 00 00 01 01    .o..&...........
0060   08 0A 7E 1E AF 6C 00 11 B2 95 00 00 00 00 00 00    ..~..l..........
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00    ................
0080   00 00 00 00 00 B7 63 83 52 A2 79 0A 00 5D 00 00    ......c.R.y..]..
0090   00 5D 00 00 00 00 A0 C9 22 B0 EE 00 10 C6 0F 98    .]......".......
00A0   D9 08 00 45 00 00 4F E2 DC 40 00 40 06 BD 9B C0    ...E..O..@.@....
00B0   A8 07 0A BE 73 14 0B 94 80 E9 DE B5 99 99 8A 06    ....s...........
00C0   14 26 F8 80 18 05 B4 F5 FF 00 00 01 01 08 0A 7E    .&.............~
00D0   1E B5 50 00 11 B2 A5 00 00 00 00 00 00 00 00 00    ..P.............
00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00F0   00 00 B9 63 83 52 AF E1 02 00 5D 00 00 00 5D 00    ...c.R....]...].
0100   00 00 00 A0 C9 22 B0 EE 00 10 C6 0F 98 D9 08 00    ....."..........
0110   45 00 00 4F E2 DE 40 00 40 06 BD 99 C0 A8 07 0A    E..O..@.@.......
0120   BE 73 14 0B 94 80 E9 DE B5 99 99 A5 06 14 26 FC    .s............&.
0130   80 18 05 B4 EF F4 00 00 01 01 08 0A 7E 1E BB 2E    ............~...
0140   00 11 B2 B3 00 00 00 00 00 00 00 00 00 00 00 00    ................
0150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BA    ................
0160   63 83 52 FB 64 0A 00 5D 00 00 00 5D 00 00 00 00    c.R.d..]...]....
0170   A0 C9 22 B0 EE 00 10 C6 0F 98 D9 08 00 45 00 00    .."..........E..
0180   4F E2 E0 40 00 40 06 BD 97 C0 A8 07 0A BE 73 14    O..@.@........s.
0190   0B 94 80 E9 DE B5 99 99 C0 06 14 27 00 80 18 05    ................
01A0   B4 E9 F2 00 00 01 01 08 0A 7E 1E C1 02 00 11 B2    .........~......
01B0   C2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01C0   00 00 00 00 00 00 00 00 00 00 00 00 BC 63 83 52    .............c.R
01D0   81 28 03 00 5D 00 00 00 5D 00 00 00 00 A0 C9 22    .(..]...].......
01E0   B0 EE 00 10 C6 0F 98 D9 08 00 45 00 00 4F E2 E2    ..........E..O..
01F0   40 00 40 06 BD 95 C0 A8 07 0A BE 73 14 0B 94 80    @.@........s....
  251.  
/ traffic translation /

+---------+---------------+----------+
11:34:14,178,782   ETHER
|0   |00|a0|c9|22|b0|ee|00|10|c6|0f|98|d9|08|00|45|00|00|4f|e2|da|40|00|40|06|bd|9d|c0|a8|07|0a|be|73|14|0b|94|80|e9|de|b5|99|99|6f|06|14|26|f4|80|18|05|b4|fc|0e|00|00|01|01|08|0a|7e|1e|af|6c|00|11|b2|95|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|04|00|00|00|00|00|00|00|

+---------+---------------+----------+
11:34:15,686,498   ETHER
|0   |00|a0|c9|22|b0|ee|00|10|c6|0f|98|d9|08|00|45|00|00|4f|e2|dc|40|00|40|06|bd|9b|c0|a8|07|0a|be|73|14|0b|94|80|e9|de|b5|99|99|8a|06|14|26|f8|80|18|05|b4|f5|ff|00|00|01|01|08|0a|7e|1e|b5|50|00|11|b2|a5|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|

+---------+---------------+----------+
11:34:17,188,847   ETHER
|0   |00|a0|c9|22|b0|ee|00|10|c6|0f|98|d9|08|00|45|00|00|4f|e2|de|40|00|40|06|bd|99|c0|a8|07|0a|be|73|14|0b|94|80|e9|de|b5|99|99|a5|06|14|26|fc|80|18|05|b4|ef|f4|00|00|01|01|08|0a|7e|1e|bb|2e|00|11|b2|b3|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|

+---------+---------------+----------+
11:34:18,681,211   ETHER
|0   |00|a0|c9|22|b0|ee|00|10|c6|0f|98|d9|08|00|45|00|00|4f|e2|e0|40|00|40|06|bd|97|c0|a8|07|0a|be|73|14|0b|94|80|e9|de|b5|99|99|c0|06|14|27|00|80|18|05|b4|e9|f2|00|00|01|01|08|0a|7e|1e|c1|02|00|11|b2|c2|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|

+---------+---------------+----------+
11:34:20,206,977   ETHER
|0   |00|a0|c9|22|b0|ee|00|10|c6|0f|98|d9|08|00|45|00|00|4f|e2|e2|40|00|40|06|bd|95|c0|a8|07|0a|be|73|14|0b|94|80|e9|de|b5|99|99|db|06|14|27|04|80|18|05|b4|e3|ce|00|00|01|01|08|0a|7e|1e|c6|f8|00|11|b2|d1|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|

[...] repeating...

/ packet capture viewer /

1      0.000000        x.x.x.x 190.115.20.11   TCP     93      38016 > 59870 [PSH, ACK] Seq=1 Ack=1 Win=1460 Len=27 TSval=2115940204 TSecr=1159829
2      1.507716        x.x.x.x 190.115.20.11   TCP     93      38016 > 59870 [PSH, ACK] Seq=28 Ack=5 Win=1460 Len=27 TSval=2115941712 TSecr=1159845
3      3.010065        x.x.x.x 190.115.20.11   TCP     93      38016 > 59870 [PSH, ACK] Seq=55 Ack=9 Win=1460 Len=27 TSval=2115943214 TSecr=1159859
  281.  
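The hand translation above can be reproduced mechanically. What follows is an added Python example, not part of the original paste and not the analyst's tool: it takes the pcap bytes of the `/ traffic sent /` dump (transcribed from this page; the dump stops at 0x200, so the fifth record is cut short and the parser has to notice that rather than misread it), walks the pcap record headers and then Ethernet, IPv4 and TCP, verifies each IPv4 header checksum as a check on the transcription, and summarises what the packet viewer shows: the same 27-byte payload to 190.115.20.11:59870 roughly every 1.5 seconds, with the ack number advancing by 4 per round, which is the C2 heartbeat a detection rule would key on. Timestamps are kept as integer microseconds so the intervals are exact. Nothing beyond the bytes on the page is assumed.

```python
import struct
from ipaddress import IPv4Address

# pcap bytes transcribed from the `/ traffic sent /` dump above (offsets 0x000-0x1ff;
# the dump ends mid-frame, so the fifth record is deliberately incomplete).
MS20_PCAP = bytes.fromhex(
    "D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00"
    "60 00 00 00 01 00 00 00 B6 63 83 52 5E BA 02 00"
    "5D 00 00 00 5D 00 00 00 00 A0 C9 22 B0 EE 00 10"
    "C6 0F 98 D9 08 00 45 00 00 4F E2 DA 40 00 40 06"
    "BD 9D C0 A8 07 0A BE 73 14 0B 94 80 E9 DE B5 99"
    "99 6F 06 14 26 F4 80 18 05 B4 FC 0E 00 00 01 01"
    "08 0A 7E 1E AF 6C 00 11 B2 95 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00"
    "00 00 00 00 00 B7 63 83 52 A2 79 0A 00 5D 00 00"
    "00 5D 00 00 00 00 A0 C9 22 B0 EE 00 10 C6 0F 98"
    "D9 08 00 45 00 00 4F E2 DC 40 00 40 06 BD 9B C0"
    "A8 07 0A BE 73 14 0B 94 80 E9 DE B5 99 99 8A 06"
    "14 26 F8 80 18 05 B4 F5 FF 00 00 01 01 08 0A 7E"
    "1E B5 50 00 11 B2 A5 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 B9 63 83 52 AF E1 02 00 5D 00 00 00 5D 00"
    "00 00 00 A0 C9 22 B0 EE 00 10 C6 0F 98 D9 08 00"
    "45 00 00 4F E2 DE 40 00 40 06 BD 99 C0 A8 07 0A"
    "BE 73 14 0B 94 80 E9 DE B5 99 99 A5 06 14 26 FC"
    "80 18 05 B4 EF F4 00 00 01 01 08 0A 7E 1E BB 2E"
    "00 11 B2 B3 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BA"
    "63 83 52 FB 64 0A 00 5D 00 00 00 5D 00 00 00 00"
    "A0 C9 22 B0 EE 00 10 C6 0F 98 D9 08 00 45 00 00"
    "4F E2 E0 40 00 40 06 BD 97 C0 A8 07 0A BE 73 14"
    "0B 94 80 E9 DE B5 99 99 C0 06 14 27 00 80 18 05"
    "B4 E9 F2 00 00 01 01 08 0A 7E 1E C1 02 00 11 B2"
    "C2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 BC 63 83 52"
    "81 28 03 00 5D 00 00 00 5D 00 00 00 00 A0 C9 22"
    "B0 EE 00 10 C6 0F 98 D9 08 00 45 00 00 4F E2 E2"
    "40 00 40 06 BD 95 C0 A8 07 0A BE 73 14 0B 94 80"
)


def ip_checksum_ok(hdr):
    """RFC 1071 one's-complement sum over the IPv4 header folds to 0xffff when intact."""
    total = sum(struct.unpack(f">{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_frame(frame, ts_us):
    """Ethernet -> IPv4 -> TCP; returns the fields the hand translation above reads off."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:   # EtherType IPv4, protocol TCP
        raise ValueError("only IPv4/TCP frames are expected in this capture")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from(">H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, doff_flags, win = struct.unpack_from(">HHIIHH", tcp, 0)
    doff = (doff_flags >> 12) * 4
    tsval = tsecr = None
    opts, i = tcp[20:doff], 0
    while i < len(opts) and opts[i] != 0:            # kind 0 = end of option list
        if opts[i] == 1:                             # kind 1 = NOP, no length byte
            i += 1
            continue
        if opts[i] == 8 and opts[i + 1] == 10:       # kind 8 = TCP timestamps
            tsval, tsecr = struct.unpack_from(">II", opts, i + 2)
        i += opts[i + 1]
    return {"ts_us": ts_us, "src": str(IPv4Address(ip[12:16])), "sport": sport,
            "dst": str(IPv4Address(ip[16:20])), "dport": dport, "seq": seq, "ack": ack,
            "flags": doff_flags & 0x1FF, "win": win, "tsval": tsval, "tsecr": tsecr,
            "ip_ok": ip_checksum_ok(ip[:ihl]), "payload": tcp[doff:]}


def parse_pcap(data):
    """Walk the pcap records; returns (packets, truncated_tail)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:   # d4 c3 b2 a1 on disk; DLT_EN10MB
        raise ValueError("expected a little-endian Ethernet pcap")
    pkts, off = [], 24
    while len(data) - off >= 16:
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<4I", data, off)
        off += 16
        if len(data) - off < incl_len:         # record cut off mid-frame: stop, do not guess
            return pkts, True
        pkts.append(parse_frame(data[off:off + incl_len], ts_sec * 1_000_000 + ts_usec))
        off += incl_len
    return pkts, off != len(data)


def beacon_summary(pkts):
    """One peer, one payload size, steady spacing: the heartbeat pattern this capture shows."""
    intervals = [b["ts_us"] - a["ts_us"] for a, b in zip(pkts, pkts[1:])]
    peers = {(p["dst"], p["dport"]) for p in pkts}
    sizes = {len(p["payload"]) for p in pkts}
    mean = sum(intervals) / len(intervals) if intervals else 0
    jitter = max(abs(i - mean) for i in intervals) / mean if mean else 1.0
    return {"peers": peers, "payload_sizes": sizes, "intervals_us": intervals,
            "periodic": len(peers) == 1 and len(sizes) == 1 and len(intervals) >= 2 and jitter < 0.1}
```

`parse_pcap(MS20_PCAP)` yields the four complete records (and flags the truncated fifth); `beacon_summary()` on them reports intervals of 1507716, 1502349 and 1492364 microseconds, one peer and one payload size, i.e. a periodic beacon. The first payload carries a single 0x04 at offset 19 and the rest are all zeros, so the "message" is essentially a keep-alive; anything richer (an attack command) would have to come from the server side, which this capture filtered out.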
/ the remote IP info /

% Copyright LACNIC lacnic.net
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to AS and IP numbers registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2013-11-13 09:54:36 (BRST -02:00)

inetnum:     190.115.16/20
status:      allocated
aut-num:     AS262254
abuse-c:     EVM3
owner:       DANCOM LTD
ownerid:     BZ-DALT-LACNIC
responsible: Evgeniy Marchenko
address:     1/2Miles Northern Highway, --, --
address:     -- - Belize - BZ
country:     BZ
phone:       +7 928 2797045 []
owner-c:     EVM3
tech-c:      EVM3
abuse-c:     EVM3
created:     20130627
changed:     20130627

nic-hdl:     EVM3
person:      Evgeniy Marchenko
e-mail:      e.marchenko@DDOS-GUARD.NET
address:     1/2Miles Northern Highway, Belize City, Belize, ,
address:     0000 - Belize -
country:     BZ
phone:       +7 928 2797045 []
created:     20121102
changed:     20130527


#MalwareMustDie!
@unixfreaxjp