Analysis of malicious samples on Controlled Terminals of a botnet

Analysis of malicious samples on Controlled Terminals of a botnet

0x00 intro

Recently, the "360-eye threat awareness system", which is deployed on the 360 cloud platform (https://cloud.360.cn), found that the system warns of abnormal traffic on a cloud host just activated by a partner, after joint investigation, a malicious attacker intruded into the server by exploiting the redis crackit vulnerability and planted a malicious program named unama. 360 Wang yangdong, a cloud security researcher, analyzed the malicious program in depth. This sample may be a variant of the billgates botnet.

0x01 billgates backdoor Introduction

Billgates is a very active DDoS botnet in recent years. The botnet composed of this program has spread all over the world. In the network, most bot nodes are linux Hosts with weak passwords or software vulnerabilities. Attackers use ssh brute-force, exploit, 1day, 2day, and other methods to attack a large number of IP addresses and try to gain control over the server, it also expands the botnet by deploying a zombie Trojan on the controlled end. Based on server commands, botnets can perform DDoS attacks, reverse shell attacks, and other operations.

0x02 sample analysis

The size of the captured sample file is 1223123 bytes, And the MD5 value is EFF1CB4E98BCC8FBCBDCA671D4C4A050.

There are 44 source code file names obtained through readelf. It is estimated that this program has many working threads from the source file name.

After static analysis, it is found that the Code style of different parts of the sample varies greatly: the code of the main function is relatively simple and rough, however, the main function class CManager and its ancillary classes show the proficiency of virus authors in C ++.

A. main Function

Initialization operation:

The program uses a custom algorithm from. the rodata segment decrypts the configuration information and saves it. It obtains the corresponding values in the program file size and configuration information for comparison to implement simple self-verification, and searches for gdb in the parent process path for reverse debugging.

Call the custom decryption function to obtain hardcoded data and splice it to obtain data such as DbSecuritySpt, selinux, getty,/tmp/moni. (Details),/tmp/gates. and stores them to global variables. Check the current program path to determine the function to be executed. The relationship between path and function is as follows:

Program path backdoor type function main functions/usr/bin /. sshd MainMonitor Monitor, daemon unknown path (does not match other types) 1 MainBeikong installation and other operations, and execute main functions/usr/bin/bsd-port/getty 2 MainBackdoor main function execution Program/bin/,/usr/bin/,/usr/sbin/netstat, lsof, ps or ss 3 MainSystool run the system tool backed up under/usr/bin/dpkgd and filter the output information

If it is a Type 0, 1 or 2 backdoor, a string of hexadecimal numbers is spliced from the hard-coded string (in fact, it is a two-part hexadecimal number, which is separated by an uppercase letter O and looks like a string ),

According to the hex number string of the corresponding part of the backdoor type decryption, the configuration of Class 1 backdoor is 173.254.230.84: 3411: 1: 1: yz: 1,

The configuration for the two types of backdoors is fk.appledoesnt.com: 30000: 1: 1: yz: 1. Use a colon to separate the strings to obtain and save six configuration items.

Check whether the file name is "update_temporary". If yes, execute DoUpdate and exit.

Execute the corresponding function.

MainMonitor (Daemon ):

Log on to the daemon, generate the pid file/tmp/moni. Levels, read/tmp/Y. file, and save the file. Create the Thread class CThreadMonGates and start the monitoring thread. The main thread loop sleep hangs. The monitoring thread checks/tmp/gates every minute. (pid file of the MainBackdoor process). If the file does not exist, copy the file to notify. file and execute the program in the new path.

MainBeikong (program installation ):

Go to daemon mode and call KillChaos to end/tmp/moni. and/tmp/gates. the old process indicated by the level of failure (the virus author mistakenly returns the strcmp value, so the code here is useless) and ends/tmp/moni again. complete/tmp/bill. lock and delete bill. lock. End/tmp/gates. Levels Again and set the pid file. Set the S97DbSecuritySpt startup item in the/etc/init. d,/etc/rc (1-5). d and other paths.

End/usr/bin/bsd-port/getty. lock and udevd. lock the corresponding process and delete udevd. lock, copy itself to/usr/bin/bsd-port/getty (corresponding to MainBackdoor) and start. Write the current program path to/tmp/Y. file (used by the daemon), copy the current file to/usr/bin/. sshd (corresponding to MainMonitor), and start it. Execute the MainProcess function. The MainProcess function contains the main functions of Trojans.

The reason for executing a guess in the installation operation is that the configuration of the virus is incorrect:

Because the two hex strings separated by letters "O" are reversed, the invalid domain name fk.appledoesnt.com is obtained for the two types of backdoors (the main Trojan function, however, a class-1 backdoor (installer) can obtain the valid IP address 173.254.230.84: 3411. Therefore, if the cause of the problem is not found, add the main function (MainProcess) to the end of the function installation) it is also a temporary solution.

MainSystool (System Tool replacement ):

Obtain the current program name and parameters, and call the corresponding original system program (netstat, lsof, ps, and ss) in/usr/bin/dpkgd ). Filter out the lines that contain information such as the trojan directory and the server communication port from the output of the original system program.

MainBackdoor ):

Go to daemon, set the pid file, and create a startup Item with S99selinux as the service name. Mobile System Program ps, ss, netstat, lsof to/usr/bin/dpkgd/directory, copy itself to/bin,/usr/bin,/usr/sbin to replace ps, ss, netstat, lsof, and other system programs, and execute the main function MainProcess.

MainProcess function:

The main function MainProcess first suspends for 2 seconds to delete the temporary files for the upgrade (. /update_temporary), according to/etc/resolv. conf and Google dns (8.8.8.8 and 8.8.4.4) initialize the instance g_dnsCache of the CDNSCache class.

Initialize g_cnfgDoing (try to read the conf. n file), g_mongodoing (try to read the cmd. n file), g_statBase class instance, and convert the 330 IP addresses in g_sProvinceDns into numbers to save the g_provinceDns object. Try to use insmod to load the xpacket. ko driver in the current directory (this file is not found ). Read the IP address from/usr/lib/libamplify. so and save it to the g_AmpResource structure (this file is not found ). Initialize CManager (1076 bytes), set the signal processing function, and infinite loop sleep.

B. CManager class (sudden changes in image style ):

The CManager class contains all the functions of the bot. This class has many members and each member implements certain functions. The list of its main members is roughly as follows:

The member offset function vectorIPs 0x00 controls the Server IP address (multiple IP addresses can exist) CThreadSignaledMessageList 0x0c c0000msg's Message Queue (thread security) c0000msg contains the control command CThreadTaskGates 0xe4 Task Distribution Thread class issued by the Control Server, waiting for the CThreadClientStatus 0xe8 status update Thread class in the cthreadmsg message queue, cpu and network usage updated per second (CThreadSignaledMessageList) 0xf0 CThreadConnection Queue (thread security) CThreadLoopCmd 0x1c8 loop wait signal, and finally execute the command CThreadFakeDetect 0x1cc command configured in the cmd. n file CThreadSignaledMessageList 0x1d0 CThreadShell Queue (thread security) CThreadShell is used to maintain a reverse connection shell session CThreadDoFun 0x2ac. It judges the validity of the bot file through some calculations, sets the g_bReal variable CThreadKillChaos 0x2b0, checks the pid file every five minutes, and cleans the CInitResponse 0x2b4 initialization data packets, contains the status data of the currently controlled machine CThreadMutex_Operation 0x378 CManager mutex, thread security SetOfCThreadFXConn 0x390 CThreadFXConnection class set (C ++ STL) CTask 0x400 contains command information issued by the Control Server

CManager: The Initialize function initializes the members. check whether there are unprocessed commands according to g_mongodoing. If yes, execute them immediately.

Run the CManager: MainProcess command after the variable is initialized. Set the program to work in the controlled terminal mode according to the g_iGatsIsFx value (this is 1 at this time) to obtain the IP address in the vectorIPs (only the IP address pointed to by strConnTgts) initialize a CThreadFXConnection for each IP address and add it to the set. After the operation is complete, the sleep loop is infinite.

The CThreadFXConnection Thread class finally calls CManager: FXConnectionProcess to establish a TCP connection with the control server. After the connection is established, it calls CManager: ConnectionProcess to initialize the CInitResponse object and send a notification packet:

CInitResponse contains IP address (c0 a8 7a 87) 192.168.122.135, system version information, Cpu and memory information.

After the initialization package is sent, CManager: ConnectionProcess enters the cycle of sending and receiving data, receives data through CManager: RecvCommand and encapsulates the data to the c1_msg structure, and adds c1_msg to CThreadSignaledMessageList Queue.

Send the bot status through CManager: SendClientStatus.

The CThreadTaskGates thread is used by the CManager: TastGatesProcess thread to extract and distribute messages from the receiving queue ).

The general type of c0000msg is as follows:

Type function 1 call CManager: DoAtkStartCommand initialize a DDoS attack 2 select to execute CManager: StopUpdate to stop the update or CManager: StopAtkTask to stop the attack 3 call CManager :: doConfigCommand updates g_cnfgDoing and conf. n Configuration File 5 call CManager: DoUpdateCommand update program file 7 call CManager: DoCommandCommand update csf-doing object 8 call CManager: DoFakeDetectCommand 9 call CManager :: doShellCommand establishes a reverse shell connection to the specified IP address and port

The general structure of the CManager class is as follows:

DDoS attacks are finally implemented through CManager: DoAtkStartCommand. This function reads the CTask object in c0000msg and sets the CThreadAtkCtrl thread object according to the global configuration of CConfigDoing (conf. n. CThreadAtkCtrl: ProcessMain performs common or kernel-level attacks based on the configuration. A common attack is executed using CThreadAtkCtrl: DoNormalSubTask. This function finally calls CThreadAtkCtrl: StartNormalSubTask and initializes a CThreadNormalAtkExcutor Thread class based on each task. The final thread function is CThreadNormalAtkExcutor: ProcessMain. This function initializes a CPacketAttack subclass based on the value of CSubTask. taskType to execute the corresponding attacks. The correspondence between the type value and the attack type is as follows:

CSubTask. taskType subclass attack method 0x10, 0x11 (var_06 = 0) CAttackSyn SYN semi-join 0x10, 0x11 (var_06 = 1) CAttackCompress custom IP address, TCP Header 0x20 CAttackUdp UDP 0x21, 0x23, 0x24 CAttackDns random subdomain name attack 0x22 CAttackAmp DNS enlarge 0x25 CAttackPrx some DNS attack 0x30 CAttackIcmp ping 0x40 CTcpAttack arbitrary TCP data, sending the custom data content of the attacker 0x41 CAttackCc CC 0x42 CAttackIe is not implemented, reset to 0x41

CThreadNormalAtkExcutor: ProcessMain calls the Create member according to the configuration to construct the data required for a specific type.

Call the member function Do, Do call MakePacket to construct attack data packets, call UpdateCurVariant to modify some attributes of data packets (such as TCP sequence numbers), and call SendPacket to send data packets. The Do function is called cyclically until a predetermined number of attacks are completed.

Kernel attacks are executed by calling CThreadAtkCtrl: DoKernelSubTask (type 0x43 ),

This function finally calls CThreadAtkCtrl: StartKernelSubTask to initialize CThreadKernelAtkExcutor.

The final execution thread is CThreadKernelAtkExcutor: ProcessMain.

This function fork the current process and runs the function CThreadKernelAtkExcutor: k0000dev on each CPU. This function sends the command rem_device_all (remove all devices), add_device ethN (add Nic N), max_before_softirq (change the packet kernel interruption threshold) to the pktgen device, where N is 0, 1, 2, and so on, pointing to the NIC name. The pktgen device is located in/proc/net/pktgen/kpktgend_X, where X is the current cpu number. The virus author made a mistake here. In kpktgend_X, X indicates the cpu number associated with the current package generator, but the virus author uses the NIC number here, this error causes the virus to use only one cpu when generating data packets, and cannot fully utilize the performance of multiple cpu cores. After the pktgen device is initialized, CThreadKernelAtkExcutor: ProcessMain calls CThreadKernelAtkExcutor: k1_cfg. This function configures the package generator through/proc/net/pktgen/ethN. The configuration includes the target IP port, number of attack packets sent, random packet size range, waiting time between packets, random Source IP range, random source port range, and other information. After the pktgen parameter is set, CThreadKernelAtkExcutor: ProcessMain writes start to/proc/net/pktgen/pgctrl to start the attack.

0x03 attack simulation

Modify the IP address of the bot control server to the local host, write a simple control script, and conduct a tcp rst attack experiment in the virtual machine:

When the attack target is set to 192.168.122.1: 9876, the packet size range is 128-500, the number of threads is 200, the number of attacks is 100, and the Cpu load balancing switch is disabled, the attack packets obtained are as follows:

We can see that a single bot sends 21268252 attack packets in this attack, an astonishing number.

Because the Cpu usage limit option is set to disabled, the bot maximizes the usage of system resources, and the dual-core cpu usage reaches 192.4%.

0x04 Summary

Through this sample, we can find that the DDoS Attack Strength of the black industry team has reached a "more skillful" level, according to the different code styles in different parts of the sample, it is suggested that the black production team may have a multi-person, multi-team programming method or code theft of "Black.

With the continuous development of basic IT technology, the black market team is still making unremitting use of the vulnerabilities just exposed to attack the neglected operating systems, threatening user data security. Users are willing to put their data, process implementation, and ideas on our cloud platform because they believe that we can effectively ensure the privacy and security of such data, 360 the cloud security team continues to build a secure cloud for you.