Some time ago we started to redirect to SSH honeypots in the test mode the outer SSH port from Turrises of some volunteers from the development team. For the biggest number of attackers to “talk“ to us, we allowed in honeypot the login into root by random password; despite this most of bots will anyway do nothing and they will immediately disconnect themselves even after unsuccessful attempt.
After other successful logins follows either an attempt to forward the connection (and the use of SSH device as proxy) or effort for loading and starting some malware. I was interested in what the malware was doing.
It can be said that most of caught malware is quite uninteresting, it is not much obfuscated, the symbols are often even not stripped. In the most common case the matter concerned is Trojan which can do the DOS attack through TCP, UDP or DNS amplification. It does not even try to hide the process much. The attackers evidently expect that computers with simple passwords which were attacked by them are wrongly controlled and nobody will even notice it.
These Trojans are usually multiplatform, distributed as statistically linked binaries. The attacker loads several versions by wget – for x86, x86_64, ARM and MIPS. In most cases these are linux binaries, sometimes also a binary for *BSD appears. The existence of ARM and MIPS binaries demonstrates that the attackers target also the embedded systems. Then they simply start all of them one after another and do not deal with the detection of the system at all: “because something of it is sure to run“. In the end he/she adds the starting after start by cron, through SysV init scripts in /etc/rc.d or to /etc/rc.local.
It is more remarkable that the quality of the code of Trojans themselves is much better than what the used shell scripts look like. It can be seen from them e.g. how fairly they are divided into modules, use threads, synchronizing primitives and queues of messages. The analysis of one “better“ Trojan BillGates can be seen here.
I was personally more attracted by a recent Trojan which looks like it has the capabilities of rootkit to hide files and processes and walk around iptables. These functions are started up through the ioctl calling on the file /proc/rs_dev, whose creation is the occupation of kernel module. After starting up it deletes the binary from which it was started, is copied to /boot/ directory with accidental name, does double-fork and calls the mentioned function for hiding its PID. It ensures the autostart of the binary from /boot/ by creating the init script in /etc/rc.d.
After more detailed examination I found out that the hiding functions do not exist yet because the Trojan always skips the creation and introduction of file with kernel module (the body of the module in the binary has only one byte). The module is either not yet implemented or is not present in this variant. The analysed Trojan is again primarily destined for DOS attacks and its CNC server is at the address 126.96.36.199.
Where does this malware come from? One malware analyst did a daring feat when he caught directly how malware distributors were training their customers how to distribute and use their malware. Part of the article is also a video from this training. It is also explained here why so many variants exist – the Chinese have builder which generates ELF binaries according to entered parameters.