Linux Malware

GARAGE FOR SALE: 8-800-555-35-35

Linux Malware
Why Linux?
1) Relatively popular
2) Mostly used on servers and IoT devices
   a) Servers are powerful
   b) The number of IoT devices is huge
   c) Both types are always connected to the Internet and have almost 100% uptime

Main goals:
1) DDoS attacks
2) Coin mining
3) Data theft

Linux Malware: Statistics

Basic Linux malware workflow:
1. Gain access (e.g. using an exploit)
2. Escalate privileges (e.g. using an exploit)
3. Install a backdoor
… Profit!

Thus, exploits and backdoors are the most widespread types of Linux malware.

Linux Malware: IoT

Linux Malware: IoT Example
Case with a coffee machine:
[Diagram: coffee machine on a Wi-Fi router, Internet via wireless connection; wired DMZ connection to factory endpoints]
https://www.reddit.com/r/talesfromtechsupport/comments/6ovy0h/how_the_coffeemachine_took_down_a_factories/

CASES
2009: Attacks on Linux-based routers with worms - PsyBot
Up to 500 000 devices were part of a big botnet called “Chuck Norris” (PsyBot)

2013: Attacks on Linux-based routers with worms - Darlloz
Up to 31 000 devices were part of the Darlloz worm

Attacks on Linux-based routers with worms - The Moon – COIN MINING

2017: Attacks on Linux-based routers with worms - Mirai - DDoS
Up to 500 000 vulnerable devices online
1.1 Tbit/s attack bandwidth

CASES
Most of the attacks target IoT (Internet of Things) devices such as
1) IP cameras
2) Digital video recorders
3) Routers
4) TV receivers
5) Printers
All these devices are from well-known manufacturers.
The question is: how did it happen?

CASES
• Mirai login/password dictionary - Telnet master passwords
• D-Link DIR-100 revA v1.13 User-Agent auth bypass - Backdoor
• Port 7547 SOAP Remote Code Execution attack – Command injection
• CVE-2017-13772: buffer overflow in TP-Link’s WR940N httpd

Linux Malware: Exploits
Dirty COW (Dirty copy-on-write)
• Linux kernel vulnerability
• CVE-2016-5195
• Exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem
• Local privilege escalation via write access to otherwise read-only memory mappings
• Present in the kernel for nine years
• Has been found in the wild in an HTTP packet capture

Linux malware: Backdoors
• Web shells
• Reverse/bind shells
• SUID shells
• Patched binaries: ssh, sshd, su, cat, ls and so on…
• PAM backdoors
• Exotic backdoors: MySQL, PostgreSQL, Nginx, Apache…

Linux malware: Hack tools
Main goals:
• Antiforensics: log wiping, hiding processes, in-memory-only execution
• Automated information gathering
• Local vulnerability scanning
• LAN access: SOCKS5 proxy, network scanners, packet analyzers

Linux malware: Rootkits
• LD_PRELOAD rootkits - libc function hooks
• Kernel rootkits – malicious kernel modules

EternalMiner: Distribution
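An LD_PRELOAD rootkit works only if the loader is told to preload it, either through /etc/ld.so.preload or through the LD_PRELOAD variable in a process's environment, so those two places are where a responder looks first. The script below is an added example written for this page (it is not part of the original deck): it parses both sources, flags preloaded objects that live outside the usual library directories, and can also run against the live /proc tree. The library names libexample_hide.so and libhook.so and the pids are constructed for the demonstration.

```python
import os
import re

# Directories where legitimately installed shared objects normally live. A
# preloaded object from anywhere else (/tmp, /dev/shm, a home directory) is a
# strong signal, because package managers never install libraries there.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_ld_so_preload(text):
    """Return the object paths listed in an /etc/ld.so.preload file.
    The loader accepts whitespace-separated paths; '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def parse_environ(blob):
    """Parse the NUL-separated KEY=VALUE blob of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_findings(ld_so_preload_text, environs):
    """Collect every preloaded object from /etc/ld.so.preload and from the
    LD_PRELOAD variable of each process. environs maps pid -> environ blob."""
    findings = []
    for lib in parse_ld_so_preload(ld_so_preload_text):
        findings.append({"source": "/etc/ld.so.preload", "pid": None, "library": lib})
    for pid, blob in sorted(environs.items()):
        value = parse_environ(blob).get("LD_PRELOAD", "")
        # LD_PRELOAD takes a space- or colon-separated list of objects
        for lib in re.split(r"[:\s]+", value):
            if lib:
                findings.append({"source": "LD_PRELOAD", "pid": pid, "library": lib})
    for f in findings:
        f["untrusted_location"] = not f["library"].startswith(TRUSTED_LIB_DIRS)
        # An entry pointing at a file that no longer exists is also worth noting:
        # the object may have been deleted after loading to hide traces.
        f["missing_on_disk"] = (not os.path.exists(f["library"])) if os.path.isabs(f["library"]) else None
    return findings


def scan_live_system(proc="/proc"):
    """Read the real /etc/ld.so.preload and every readable /proc/<pid>/environ
    (root is needed to read the environment of other users' processes)."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except OSError:
        preload_text = ""
    environs = {}
    for name in os.listdir(proc):
        if name.isdigit():
            try:
                with open(os.path.join(proc, name, "environ"), "rb") as fh:
                    environs[int(name)] = fh.read()
            except OSError:
                continue
    return preload_findings(preload_text, environs)


# Constructed sample input (not taken from a real system): one ld.so.preload
# entry and two process environments, one of them carrying LD_PRELOAD.
SAMPLE_LD_SO_PRELOAD = "# constructed example\n/usr/lib/libexample_hide.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0",
    1235: b"PATH=/usr/bin:/bin\0HOME=/home/user\0",
}

if __name__ == "__main__":
    for finding in preload_findings(SAMPLE_LD_SO_PRELOAD, SAMPLE_ENVIRONS):
        print(finding)
```

A hit in /etc/ld.so.preload is rare on a healthy system (the file usually does not exist), so any entry there deserves a look at the object itself: its exported symbols will show which libc functions it replaces.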
• Upload the files to a Samba share
  • INAebsGB.so – reverse shell
  • cblRWuoCc.so – miner downloader
• Bruteforce the path to the payload
• Use the exploit to execute the files
  • In the context of the Samba server process
• Delete the files
  • To hide the traces

EternalMiner: Distribution

EternalMiner: Persistence and evasion?

EternalMiner: Mining
• Miner: modified cpuminer with hardcoded arguments
• Cryptocurrency: Monero (XMR)
• Mining pool: https://monero.crypto-pool.fr/
~ 30,000 USD

Just Another Miner: Distribution
• Discovered in February 2018
• Distributed through a vulnerability in Oracle WebLogic Server < 12.2.1.2.0 (CVE-2017-10271)
  • A version for Windows also exists
• And through the Weathermap PHP plugin <= 0.97a vulnerability (CVE-2013-2618)
https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/

Just Another Miner: Evasion

Just Another Miner: Mining
• Miner: modified version of XMRig
• Cryptocurrency: Monero
• Mining pool(s): pool.supportxmr.com:80, pool.minexmr.com:443, xmr.crypto-pool.fr:443
~1,150,000 USD

Linux Malware: What about desktop Linux?
• In February 2016 the official Linux Mint web site was compromised
• The download link for the Linux Mint 17.3 Cinnamon edition was replaced with a rogue one
• The ISO image of the distribution was infected with Backdoor.Linux.Tsunami
• It’s an old Linux DDoS bot that is controlled via IRC

Analysis - Formats
Linux can run binary files and scripts; there is no need for a file extension, but the executable attribute must be set.
Scripts are plaintext files – you can read them with the cat utility.
First you need to determine the file type. For this purpose use the GNU file utility (available for Windows too).

Analysis - Formats
Executable and Linkable Format (ELF)
{ 0x7f, 'E', 'L', 'F' } - the first four bytes are the ELF magic number. The fifth byte is the class byte, which tells whether the file is 32-bit or 64-bit.

Analysis - Formats
The readelf tool can show some interesting information (entry point address, target architecture).

Analysis - Formats
Executable and Linkable Format (ELF)
File structure: segments are necessary for a successful run, while sections are ignored by the linker.
For reverse engineering, sections are more useful.

Analysis
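To make the header fields above concrete, here is an added example (written for this page, not from the original deck) that decodes the ELF identification bytes, the file header and the program header table of a sample, i.e. the same facts readelf -h and readelf -l report: magic, EI_CLASS, endianness, e_machine, entry point and the segments with their permissions. It also pulls printable strings out of the image the way the strings utility does, which is the quick triage step the next slides talk about. The sample binary is constructed inline with struct (a 64-byte ELF64 header, one PT_LOAD segment and a few strings); the path and hostname inside it are made up for the example.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
ELF_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
# e_machine values for the architectures Linux/IoT malware is most often built for
ELF_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
               0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}
PT_TYPE = {0: "PT_NULL", 1: "PT_LOAD", 2: "PT_DYNAMIC", 3: "PT_INTERP",
           4: "PT_NOTE", 6: "PT_PHDR", 7: "PT_TLS"}


def parse_elf_header(blob):
    """Decode e_ident and the rest of the ELF file header (what 'readelf -h' prints)."""
    if blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file: bad magic")
    ei_class, ei_data = blob[4], blob[5]          # 5th byte: 32/64-bit, 6th byte: endianness
    if ei_class not in ELF_CLASS or ei_data not in ELF_DATA:
        raise ValueError("invalid EI_CLASS/EI_DATA byte")
    endian = "<" if ei_data == 1 else ">"
    # 64-bit headers use 8-byte entry/offset fields, 32-bit headers 4-byte ones
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, blob, 16)
    return {"class": ELF_CLASS[ei_class], "data": ELF_DATA[ei_data],
            "type": ELF_TYPE.get(e_type, hex(e_type)),
            "machine": ELF_MACHINE.get(e_machine, hex(e_machine)),
            "entry": e_entry, "phoff": e_phoff, "phentsize": e_phentsize,
            "phnum": e_phnum, "shoff": e_shoff, "shnum": e_shnum}


def segment_perms(p_flags):
    """Render PF_R/PF_W/PF_X bits as 'rwx' style permissions."""
    return ("r" if p_flags & 4 else "-") + ("w" if p_flags & 2 else "-") + ("x" if p_flags & 1 else "-")


def parse_program_headers(blob, hdr):
    """Walk the program header table: the segments the loader maps at run time."""
    endian = "<" if hdr["data"] == "little-endian" else ">"
    segments = []
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        if hdr["class"] == "ELF64":   # Elf64_Phdr puts p_flags right after p_type
            p_type, p_flags, p_offset, p_vaddr, _pa, p_filesz, p_memsz, _al = \
                struct.unpack_from(endian + "IIQQQQQQ", blob, off)
        else:                         # Elf32_Phdr keeps p_flags near the end
            p_type, p_offset, p_vaddr, _pa, p_filesz, p_memsz, p_flags, _al = \
                struct.unpack_from(endian + "IIIIIIII", blob, off)
        segments.append({"type": PT_TYPE.get(p_type, hex(p_type)), "flags": segment_perms(p_flags),
                         "offset": p_offset, "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return segments


def extract_strings(blob, min_len=4):
    """Like the 'strings' utility: runs of printable ASCII at least min_len long."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def build_sample_elf():
    """Constructed ELF64 x86-64 image for this example (not a real binary):
    header, one r-x PT_LOAD segment covering the whole file, and a few strings."""
    payload = b"\0/bin/sh\0connect\0pool.example.invalid\0AB\0"
    filesz = 64 + 56 + len(payload)
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", ELF_MAGIC, 2, 1, 1, 0, 0,
                       2, 0x3E, 1, 0x400078, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, filesz, filesz, 0x1000)
    return ehdr + phdr + payload


if __name__ == "__main__":
    sample = build_sample_elf()
    header = parse_elf_header(sample)
    print(header)
    for seg in parse_program_headers(sample, header):
        print(seg)
    print(extract_strings(sample))
```

A segment whose permissions come back as rwx is worth a second look: packed or self-modifying samples need writable code, while normal toolchain output keeps code read-only. Because the sample here has no section headers, the string scan covers the whole file; on a real binary you would scope it to .rodata through the section table, as the next slide suggests.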
Executable and Linkable Format (ELF)
Tools for ELF analysis:
1) Radare2 (portable reversing framework: hex editor, disassembler, debugger, etc.)
   • Disassembles (and assembles for) many different architectures
   • Debugs with local native and remote debuggers
   • Powerful analysis capabilities
   • Free and open source
2) IDA (disassembler, debugger, decompiler)
   • Feature-full interactive disassembler
   • Decent Hex-Rays decompiler
   • Good extensibility
   • Commercial
Comparison table: https://rada.re/r/cmp.html

Analysis - static
Executable and Linkable Format (ELF): reverse points
Usually you can classify a file's behavior from its strings.
Take a look at the .rodata section; this section is used to store strings.
Analysis - static
Executable and Linkable Format (ELF): reverse points
Take a look at the imports/exports.

Analysis - static
Executable and Linkable Format (ELF): reverse points
Try out the IDA Hex-Rays pseudocode.

Analysis - Dynamic
Executable and Linkable Format (ELF): reverse points
Use a virtual machine – to avoid fatal consequences. Both IDA and r2 can debug a sample remotely.

Analysis - Dynamic
GDB is useful for fast decryption.
If you have located the point where the file should already be decrypted, place a breakpoint there and dump the file.

Analysis - Dynamic
For more complicated cases you can use special plugins for GDB: pwndbg/gef/peda.

Analysis - Dynamic
To trace the system calls of a sample, use the strace utility.
You can trace I/O operations, which is necessary for infector analysis.
For a backdoor we need to attach to the process.

Analysis - conclusion
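A raw strace -f log of a sample grows to thousands of lines quickly, so in practice you reduce it to the three questions that matter for a miner or backdoor: which files it opened (and which it wrote), which hosts it connected to, and what it executed. The script below is an added example written for this page (not part of the original deck): it parses strace's output format, skips failed calls, and raises an alert for outbound connections, child processes and write access to log or config paths, which ties back to the log-wiping and persistence goals listed under hack tools. The trace lines, pids, paths and the 203.0.113.10 address are constructed for the example.

```python
import re
import sys

# One line of 'strace -f': optional "[pid N]" prefix, syscall name, argument
# list, then "= <retval>" and an optional errno explanation.
LINE_RE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s+=\s+(-?0x[0-9a-f]+|-?\d+|\?)(.*)$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # strace-quoted string, escapes allowed

# Paths a sample has no business writing to: logs (antiforensics) and the usual
# persistence spots. Extend to taste for the environment being analysed.
SENSITIVE_WRITE_PREFIXES = ("/var/log/", "/etc/", "/var/spool/cron", "/root/.ssh/")
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_TRUNC", "O_APPEND", "O_CREAT")


def parse_line(line):
    """Split a trace line into pid, syscall, raw args and return value; None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, name, args, ret, _tail = m.groups()
    return {"pid": int(pid) if pid else None, "syscall": name, "args": args,
            "retval": int(ret, 0) if ret != "?" else None,
            "failed": ret.startswith("-")}          # negative return => errno, e.g. ENOENT


def analyze_strace(lines):
    """Reduce a trace to opened/written files, connections, executed commands and alerts."""
    report = {"opened": [], "written": [], "connections": [], "executed": [], "alerts": []}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["failed"]:
            continue                                  # ignore noise and calls that failed
        name, args, pid = ev["syscall"], ev["args"], ev["pid"]
        strings = QUOTED_RE.findall(args)
        if name in ("open", "openat", "creat"):
            path = strings[0] if strings else "?"
            report["opened"].append(path)
            if name == "creat" or any(flag in args for flag in WRITE_FLAGS):
                report["written"].append(path)
                if path.startswith(SENSITIVE_WRITE_PREFIXES):
                    report["alerts"].append(f"write access to sensitive path {path} (pid {pid})")
        elif name == "connect":
            host = re.search(r'inet_addr\("([^"]+)"\)', args)
            port = re.search(r'htons\((\d+)\)', args)
            if host and port:
                endpoint = f"{host.group(1)}:{port.group(1)}"
                report["connections"].append(endpoint)
                report["alerts"].append(f"outbound connection to {endpoint} (pid {pid})")
        elif name == "execve":
            argv = strings[1:] or strings[:1]        # strace prints path first, then argv[]
            cmd = " ".join(argv)
            report["executed"].append(cmd)
            report["alerts"].append(f"execve {cmd} (pid {pid})")
    return report


# Constructed sample trace (not a real capture) in strace -f format.
SAMPLE_TRACE = [
    '[pid  4242] execve("/tmp/.x/miner", ["./miner"], 0x7ffc1e4b3a20 /* 12 vars */) = 0',
    '[pid  4242] openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
    '[pid  4242] openat(AT_FDCWD, "/proc/cpuinfo", O_RDONLY) = 3',
    '[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4',
    '[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0',
    r'[pid  4242] write(4, "{\"method\":\"login\"}", 18) = 18',
    '[pid  4243] execve("/bin/sh", ["sh", "-c", "crontab -l"], 0x7ffc1e4b3b40 /* 12 vars */) = 0',
    '[pid  4242] openat(AT_FDCWD, "/var/log/auth.log", O_WRONLY|O_TRUNC) = 5',
]

if __name__ == "__main__":
    # Usage: python analyze_strace.py trace.log   (falls back to the sample trace)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_TRACE
    for key, value in analyze_strace(lines).items():
        print(f"{key}: {value}")
```

The failed openat of /etc/ld.so.preload is deliberately left in the sample: every dynamically linked program probes that file at start-up, so its absence is normal and only a successful open of it (or a write to it) would be interesting.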
ELFs:
Static analysis tools
1) Radare2 + RetDec – open-source disassembler + decompiler
2) IDA Pro + Hex-Rays – commercial disassembler + decompiler, http://www.idasoft.ru/named/
3) readelf/rabin2 - brief info about an ELF (free)
Dynamic analysis tools
1) Radare2
2) GDB – debugger (free, available in almost all *nix distributions)
3) strace – shows system calls
4) IDA Pro (debugger is not available in the demo version)

Let’s talk?