Linux Malware

(title slide joke: "GARAGE FOR SALE: 8-800-555-35-35")

Why Linux?
1) Relatively popular
2) Mostly used on servers and IoT devices
   a) Servers are powerful
   b) The number of IoT devices is huge
   c) Both types are always connected to the Internet and have almost 100% uptime

Main goals:
1) DDoS attacks
2) Coin mining
3) Data theft

Statistics

Basic Linux malware workflow:
1. Gain access (e.g. using an exploit)
2. Escalate privileges (e.g. using an exploit)
3. Install a backdoor
... Profit!

Thus, exploits and backdoors are the most widespread types of Linux malware.

Linux Malware: IoT

IoT Example

Case with a coffee machine:

(network diagram; labels: Wi-Fi router, Internet, Wireless connection, Wired DMZ connection, Factory endpoints)

https://www.reddit.com/r/talesfromtechsupport/comments/6ovy0h/how_the_coffeemachine_took_down_a_factories/

CASES

2009: attacks on Linux-based routers with worms: PsyBot
Up to 500 000 devices were part of a big botnet called "Chuck Norris" (PsyBot)

2013: attacks on Linux-based routers with worms: Darlloz
Up to 31 000 devices were part of the Darlloz worm's botnet

Attacks on Linux-based routers with worms: The Moon (coin mining)

2017: attacks on Linux-based routers with worms (DDoS)
Up to 500 000 vulnerable devices online
1.1 Tbit/s attack bandwidth

Most of the attacks target IoT (Internet of Things) devices such as:

1) IP cameras

2) Digital video recorders

3) Routers

4) TV receivers

5) Printers

All these devices are from well-known manufacturers.

The question is: how did it happen?

Mirai login/password dictionary: Telnet master passwords

D-Link DIR-100 revA v1.13 User-Agent auth bypass: a vendor backdoor

Port 7547 SOAP remote code execution attack: command injection

CVE-2017-13772: buffer overflow in TP-Link's WR940N httpd

Linux Malware: Exploits
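The Mirai dictionary attack above is easy to spot on the defender's side: the worm does not guess, it walks a fixed list of factory credentials. The script below is an added example (not from the presentation) that flags Telnet login attempts using pairs from that list. The log lines are constructed in the style of a Telnet honeypot and are not real captures; the credential set is a subset of the dictionary hard-coded in the leaked Mirai source.

```python
"""Flag Telnet login attempts that use credentials from the Mirai dictionary.

Added example, not from the presentation. SAMPLE_LOG is constructed; MIRAI_CREDS
is a subset of the (user, password) pairs in the leaked Mirai scanner source.
"""
import re
from collections import defaultdict

MIRAI_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("ubnt", "ubnt"), ("root", "hi3518"), ("root", "Zte521"), ("service", "service"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("tech", "tech"),
}

# Constructed honeypot-style lines: "<timestamp> <src ip> login attempt [user/pass] <result>"
SAMPLE_LOG = """\
2017-03-01T10:00:01 198.51.100.7 login attempt [root/xc3511] failed
2017-03-01T10:00:02 198.51.100.7 login attempt [root/vizxv] failed
2017-03-01T10:00:03 198.51.100.7 login attempt [admin/admin] succeeded
2017-03-01T10:00:09 203.0.113.5 login attempt [alice/S3cure!pw] failed
2017-03-01T10:00:10 203.0.113.5 login attempt [alice/S3cure!pw2] succeeded
2017-03-01T10:00:15 198.51.100.9 login attempt [root/] failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>\w+)$"
)

def parse_attempts(log_text):
    """Yield (src, user, password, result); lines that don't match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["user"], m["pw"], m["result"]

def find_mirai_scanners(log_text, min_hits=1):
    """Return {src_ip: {"hits": n, "succeeded": [user/pass, ...]}} for sources
    that tried at least `min_hits` credentials from the Mirai dictionary."""
    report = defaultdict(lambda: {"hits": 0, "succeeded": []})
    for src, user, pw, result in parse_attempts(log_text):
        if (user, pw) in MIRAI_CREDS:           # exact pair match, not just a weak password
            entry = report[src]
            entry["hits"] += 1
            if result == "succeeded":
                entry["succeeded"].append(user + "/" + pw)
    return {src: e for src, e in report.items() if e["hits"] >= min_hits}

if __name__ == "__main__":
    for src, e in sorted(find_mirai_scanners(SAMPLE_LOG).items()):
        print("%s: %d dictionary attempts, logins: %s" % (src, e["hits"], e["succeeded"] or "none"))
```

A successful entry in the report is the one to act on first: on a device that accepted a dictionary pair the scanner has almost certainly already pulled the loader. Matching on the full pair rather than on the password alone keeps ordinary users with weak passwords out of the list.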

Dirty COW (Dirty copy-on-write)
• Linux kernel vulnerability, CVE-2016-5195
• Exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem
• Local: gives write access to otherwise read-only memory mappings
• Was present in the kernel for nine years
• Was found in the wild in an HTTP packet capture

Linux Malware: Backdoors

Web shells

Reverse/bind shells

SUID shells

Patched binaries: ssh, sshd, su, cat, ls and so on...
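Two of the backdoor types just listed, SUID shells and patched system binaries, can be hunted with a few lines of code. The script below is an added example (not from the presentation): it walks a tree for setuid/setgid files and compares binaries against a hash baseline, which is the manual form of what `dpkg -V` and `rpm -V` do with package metadata. The allowlist of normal setuid binaries and the demo directory tree are constructed for the example; on a real host the baseline would come from a known-good image.

```python
"""Hunt for SUID shells and patched binaries.

Added example, not from the presentation. KNOWN_SUID and make_demo_tree() are
constructed fixtures; real baselines come from a known-good image or package data.
"""
import hashlib
import os
import stat
import tempfile

# Setuid programs that are normal on a Debian-style system (assumption; adjust per distro).
KNOWN_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
              "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/gpasswd"}

def find_suid_files(root):
    """Sorted paths of regular files under `root` with the setuid or setgid bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Don't descend through symlinked directories: avoids loops and planted detours.
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow a symlink to /bin/sh
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)

def unexpected_suid(root, allowlist=KNOWN_SUID):
    """Setuid/setgid files under `root` that are not on the allowlist."""
    return [p for p in find_suid_files(root) if p not in allowlist]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_baseline(baseline):
    """Compare files to a {path: sha256 hex} baseline; return {path: 'modified' | 'missing'}."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif sha256_file(path) != expected:
            findings[path] = "modified"
    return findings

def make_demo_tree():
    """Constructed fixture: temp dir with one plain script and one setuid 'shell'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    plain = os.path.join(root, "bin", "cat")
    shell = os.path.join(root, "tmp", ".x")
    os.makedirs(os.path.dirname(plain))
    os.makedirs(os.path.dirname(shell))
    with open(plain, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/cat \"$@\"\n")
    with open(shell, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/sh\n")
    os.chmod(plain, 0o755)
    os.chmod(shell, 0o4755)       # setuid bit: the classic SUID-shell backdoor
    return root, plain, shell

if __name__ == "__main__":
    root, plain, shell = make_demo_tree()
    print("unexpected SUID:", unexpected_suid(root))
    baseline = {plain: sha256_file(plain)}
    with open(plain, "ab") as f:
        f.write(b"# backdoor\n")   # simulate a patched binary
    print("baseline findings:", verify_baseline(baseline))
```

Run `unexpected_suid("/")` from a trusted (statically linked or live-CD) environment: a rootkit of the kind covered later in the deck can filter what a dynamically linked scanner sees. The hash check is only as good as the baseline; a box whose `sha256sum` binary is itself patched will happily report everything as clean.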

PAM backdoors

Exotic backdoors: MySQL, PostgreSQL, Nginx, Apache...

Linux Malware: Hack tools

Main goals:
• Anti-forensics: log wiping, hiding processes, in-memory-only execution
• Automated information gathering
• Local vulnerability scanning
• LAN access: SOCKS5 proxy, network scanners, packet analyzers

Linux Malware: Rootkits

LD_PRELOAD rootkits: hooks of libc functions
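An LD_PRELOAD rootkit is loaded ahead of libc, through /etc/ld.so.preload or the LD_PRELOAD variable, and hooks functions such as readdir(), fopen() and stat() so that every dynamically linked tool on the box stops seeing its files and processes. The script below is an added example (not from the presentation) of two cheap checks against that class: read ld.so.preload with plain open()/read() rather than stdio, which sidesteps hooks that only cover fopen(), and compare the PIDs readdir() returns for /proc with the PIDs found by probing /proc/<n> one by one (the idea behind unhide's "brute" test). The caveat, stated as an assumption to keep in mind: a rootkit that also hooks open() and stat() defeats both checks, and a statically linked tool or an offline disk image is the reliable fallback.

```python
"""Two cheap checks for LD_PRELOAD rootkits.

Added example, not from the presentation. Both checks run against the live
system; a rootkit hooking open()/stat() as well as readdir() can still evade them.
"""
import os

def read_preload(path="/etc/ld.so.preload"):
    """Library paths listed in ld.so.preload, read via raw open()/read() ([] if absent)."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except FileNotFoundError:
        return []
    chunks = []
    try:
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        os.close(fd)
    text = b"".join(chunks).decode(errors="replace")
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def listed_pids(proc="/proc"):
    """PIDs visible through readdir(): the view a hooked libc can filter."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(max_pid, proc="/proc"):
    """PIDs found by probing /proc/<n> by name, which never goes through readdir()."""
    return {n for n in range(1, max_pid + 1) if os.path.isdir(os.path.join(proc, str(n)))}

def hidden_pids(listed, probed):
    """PIDs that answer to a direct probe but are missing from the directory listing."""
    return probed - listed

def check_host():
    """Run both checks on the live system and return a small report dict."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    # Take the listing before and after the probe so that a process which starts
    # or exits mid-scan is not reported as hidden.
    listed = listed_pids()
    probed = probed_pids(max_pid)
    listed |= listed_pids()
    return {"preload": read_preload(), "hidden": sorted(hidden_pids(listed, probed))}

if __name__ == "__main__":
    report = check_host()
    print("ld.so.preload entries:", report["preload"] or "none")
    print("PIDs hidden from readdir():", report["hidden"] or "none")
```

Any entry in ld.so.preload deserves a look (legitimate uses exist but are rare on servers), and a PID that stat() confirms but readdir() omits is a strong signal that libc has been hooked. Probing up to pid_max is a few million stat() calls, so expect the full scan to take seconds, not milliseconds.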

Kernel rootkits: malicious kernel modules

EternalMiner: Distribution

• Upload the files to the Samba share
  • INAebsGB.so: reverse shell
  • cblRWuoCc.so: miner downloader
• Brute-force the path to the payload
• Use the exploit to execute the files, in the context of the Samba server process
• Delete the files to hide the traces

EternalMiner: Persistence and evasion?

EternalMiner: Mining

• Miner: modified cpuminer with hardcoded arguments
• Cryptocurrency: Monero (XMR)
• Mining pool: https://monero.crypto-pool.fr/

~30,000 USD

Just Another Miner: Distribution

• Discovered in February 2018
• Distributed through a vulnerability in Oracle WebLogic Server < 12.2.1.2.0 (CVE-2017-10271); a version for Windows also exists
• And through a vulnerability in the Weathermap PHP plugin <= 0.97a (CVE-2013-2618)

https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/

Just Another Miner: Evasion

Just Another Miner: Mining

• Miner: modified version of XMRig
• Cryptocurrency: Monero
• Mining pool(s): pool.supportxmr.com:80, pool.minexmr.com:443, xmr.crypto-pool.fr:443

~1,150,000 USD

Linux Malware: What about desktop Linux?

• In February 2016 the official Linux Mint web site was compromised
• The download link for the Linux Mint 17.3 Cinnamon edition was replaced with a rogue one
• The ISO image of the distribution was infected with Backdoor.Linux.Tsunami
• It's an old Linux DDoS bot controlled via IRC

Analysis - Formats

Linux can run binary files and scripts; no file extension is needed, but the executable attribute (permission bit) must be set.
Scripts are plaintext files: you can read them with the cat utility.
First you need to determine the file type. For this purpose use the GNU file utility (it is available for Windows too).

Executable and Linkable Format (ELF)

{ 0x7f, 'E', 'L', 'F' }: the first four bytes are the ELF magic number. The fifth byte (EI_CLASS) is the architecture class byte: 1 for a 32-bit and 2 for a 64-bit ELF.

The readelf tool can show some interesting information (entry point address, target architecture).

File structure: the file is described twice, as segments and as sections. The segments (program headers) are what the loader needs to run the file; the sections are what the linker works with and are ignored at run time. For analysis, the sections are the more useful view.

Tools for ELF analysis:

1) Radare2 (portable reversing framework: hex editor, disassembler, debugger, etc.)
• Disassembles (and assembles for) many different architectures
• Debugs locally (native) and remotely
• Powerful analysis capabilities
• Free and open source

2) IDA (disassembler, debugger, decompiler)
• Feature-full interactive disassembler
• Decent Hex-Rays decompiler
• Good extensibility
• Commercial

Comparison table: https://rada.re/r/cmp.html

Analysis - static

Executable and Linkable Format (ELF): reverse points

Usually the strings let you classify the file and guess its behavior. Take a look at the .rodata section: it is where read-only data, including string constants, is stored.
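The ELF facts from the Formats slides (magic number, class byte, what readelf -h prints, segments versus sections) and the advice above to read strings out of .rodata fit in one short parser. The script below is an added example, not from the presentation: it parses the ELF header and section table by hand, pulls printable strings out of the named section the way `strings` would, and applies a rough indicator list. The byte layouts follow the ELF specification; the sample image is a constructed 64-bit file with a .rodata section and no code, so everything runs offline, and the indicator lists in `triage()` are an assumption to tune rather than a signature database.

```python
"""ELF header + section table parser with .rodata string extraction.

Added example, not from the presentation. build_sample_elf64() is a constructed
image; the indicator lists in triage() are assumptions, not a signature database.
"""
import re
import struct

ELF_MAGIC = b"\x7fELF"
CLASS = {1: "ELF32", 2: "ELF64"}
DATA = {1: "little-endian", 2: "big-endian"}
TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def parse_elf_header(blob):
    """Fields of the ELF header (what `readelf -h` prints); ValueError if not an ELF."""
    if len(blob) < 16 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file: bad magic")
    ei_class, ei_data = blob[4], blob[5]                 # EI_CLASS, EI_DATA
    if ei_class not in CLASS or ei_data not in DATA:
        raise ValueError("unknown EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx (entry/offsets are 8 bytes on ELF64)
    fmt = end + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    size = 16 + struct.calcsize(fmt)                     # 64 bytes for ELF64, 52 for ELF32
    if len(blob) < size:
        raise ValueError("truncated ELF header")
    f = struct.unpack(fmt, blob[16:size])
    return {"class": CLASS[ei_class], "data": DATA[ei_data],
            "type": TYPE.get(f[0], "unknown(%d)" % f[0]),
            "machine": MACHINE.get(f[1], "unknown(%d)" % f[1]),
            "entry": f[3], "phoff": f[4], "shoff": f[5], "phnum": f[9],
            "shentsize": f[10], "shnum": f[11], "shstrndx": f[12]}

def parse_sections(blob):
    """Name/type/offset/size per section; [] when the section table was stripped
    (then only the segments remain and you fall back to the program headers)."""
    h = parse_elf_header(blob)
    end = "<" if h["data"] == "little-endian" else ">"
    # sh_name sh_type sh_flags sh_addr sh_offset sh_size sh_link sh_info sh_addralign sh_entsize
    fmt = end + ("IIQQQQIIQQ" if h["class"] == "ELF64" else "IIIIIIIIII")
    size = struct.calcsize(fmt)
    raw = []
    for i in range(h["shnum"]):
        off = h["shoff"] + i * h["shentsize"]
        if off + size > len(blob):
            raise ValueError("section header %d lies outside the file" % i)
        raw.append(struct.unpack(fmt, blob[off:off + size]))
    if not raw:
        return []
    names_hdr = raw[h["shstrndx"]]                       # .shstrtab holds the section names
    names = blob[names_hdr[4]:names_hdr[4] + names_hdr[5]]
    return [{"name": names[s[0]:names.index(b"\0", s[0])].decode("ascii", "replace"),
             "type": s[1], "offset": s[4], "size": s[5]} for s in raw]

def section_strings(blob, name=".rodata", min_len=4):
    """Printable ASCII runs (like `strings`) taken only from the named section."""
    for s in parse_sections(blob):
        if s["name"] == name:
            data = blob[s["offset"]:s["offset"] + s["size"]]
            return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    return []

def triage(strings):
    """Rough family hints from strings (assumed indicator lists; tune for your corpus)."""
    hints = {"irc-bot": ("PRIVMSG", "NICK "), "miner": ("stratum+tcp://", "xmrig", "cryptonight")}
    return sorted(tag for tag, needles in hints.items()
                  if any(n in s for s in strings for n in needles))

def build_sample_elf64():
    """Constructed ELF64 little-endian x86-64 image: header, .rodata, .shstrtab, section table."""
    rodata = b"PRIVMSG #bots :online\0stratum+tcp://pool.example:3333\0ab\0"
    shstrtab = b"\0.rodata\0.shstrtab\0"
    rodata_off = 64
    shstr_off = rodata_off + len(rodata)
    shoff = shstr_off + len(shstrtab)
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 0, shoff, 0, 64, 56, 0, 64, 3, 2)
    sh = struct.Struct("<IIQQQQIIQQ")
    table = (sh.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                              # SHT_NULL
             + sh.pack(1, 1, 2, 0x402000, rodata_off, len(rodata), 0, 0, 1, 0)   # .rodata
             + sh.pack(9, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0))        # .shstrtab
    return ehdr + rodata + shstrtab + table

if __name__ == "__main__":
    blob = build_sample_elf64()
    print(parse_elf_header(blob))
    print([s["name"] for s in parse_sections(blob)])
    print(section_strings(blob), triage(section_strings(blob)))
```

Feed a real file with `parse_sections(open(path, "rb").read())` and compare against `readelf -S`. Samples that have been stripped of their section table (or packed) return an empty list here, which is itself useful triage: the file was built to make static analysis harder, and the dynamic steps later in the deck are the way forward.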

Take a look at imports/exports

Try out the IDA Hex-Rays pseudocode

Analysis - Dynamic

Use a virtual machine, to avoid fatal consequences. Both IDA and R2 can debug a sample remotely.

GDB is useful for fast decryption: once you have located the point at which the file should already be decrypted, place a breakpoint there and dump the decrypted data.

For more complicated cases you can use special plugins for gdb: pwndbg/gef/peda.

To trace the system calls of a sample use the strace utility. You can trace I/O operations, which is necessary for infector analysis. For a backdoor you need to attach to the running process.

Analysis - conclusion

ELFs:

Static analysis tools
1) Radare2 + RetDec: open-source disassembler + decompiler
2) IDA Pro + Hex-Rays: commercial disassembler + decompiler, http://www.idasoft.ru/named/
3) readelf / rabin2: brief info about an ELF (free)

Dynamic analysis tools
1) Radare2
2) GDB: debugger (free, available in almost all *nix distributions)
3) strace: shows system calls
4) IDA Pro (the debugger is not available in the demo version)

Let's talk?