MAYHEM is a multi-purpose bot for * NIX servers. Yandex Security Investigation

    UPD . A few hours after the publication on Habré, the English version of this study of the Yandex Safe Search team was released on Virus Bulletin . A little more details and links to the bibliography.

    Botnets from infected servers running * nix-based OSs are becoming more and more popular with cybercriminals. A wide channel, excellent uptime and powerful hardware make the server an attractive target for infection. It is generally accepted that to fully infect a * nix system, you must have root privileges. However, attackers come up with more and more new ways to extract the maximum benefit from the infected server, while being content with small privileges. In this post, we will talk about a rather non-standard botnet called MAYHEM, which consists of infected servers.



    Initially, MAYHEM is a php script that, after starting up, determines the architecture of the system (x86 or x64) and the availability of write permissions to the current directory. In the vast majority of cases, these privileges are available to the user under whom the web server is running, and in this case they are enough for the bot to work.



    After the php-script kills all the “/ usr / bin / host” processes running under the current user, extracts the shared object from it for the desired architecture (x86 or x64) and starts the “/ usr / bin / host” process with the shared object loaded into it using the LD_PRELOAD technique.

    The LD_PRELOAD technique is pretty well described. It allows you to load a shared object into the address space of a process before the original executable file. Also, this technique allows the substitution of functions, for example, a standard library. In short, if an object loaded via LD_PRELOAD exports some function that matches the functions from other shared objects, then this function will be used.

    Thus, the LD_PRELOAD technique makes it easy to intercept functions, which is what cybercriminals use. In this case, the malicious object intercepts the “exit” function.

    After starting and receiving control, the malicious shared object removes the environment variable LD_PRELOAD and its body from the disk, and then performs several more anti-debugging tricks. As a result, there is practically no trace of its presence on the disk.

    Further, if everything is in order, the configuration is decrypted, which is located in the data segment of this object. The configuration is encrypted using the XTEA algorithm (32 rounds) in ECB mode.



    The configuration contains only three parameters: the command server URL (C & C), the name of the file with the hidden file system, and the size of the hidden file system.

    After the initial setup, the bot determines if a hidden file system has already been created. If not, he creates it. The hidden file system is a disk image with the FAT file system, each block of which is encrypted with the XTEA algorithm (32 rounds, ECB mode). Work with FAT occurs using the open source library FAT 16/32 File System Library , and encryption keys are generated from the block number in the file system and depend only on this number. This file system is used to store service files and bot plug-ins.



    If the file system is successfully initialized or was created earlier, the bot proceeds to its main functions. First, he notifies the command server (C&C) of the start of work and then receives and executes his commands: downloads the necessary plug-in and tasks for it, creates a number of workflows and proceeds to complete the task.

    As mentioned earlier, the bot expands its functionality with plugins. During the study, we were able to detect and analyze some of them. A set of plugins allows the botnet to perform the following tasks:

    1. Search for sites vulnerable to Remote File Inclusion (RFI). The screenshot shows a piece of the list, which is used to test the site.



    2. Definition of user names for sites based on Wordpress CMS. The bot receives from the command server a list of sites running Wordpress and, in the process, receives a list of registered users for each such site. This is done by querying the following: . User IDs are sorted in the range from 1 to 5. In the future, the collected data is used to select passwords.<адрес сайта>/?author=
    3. Search authorization pages for Joomla and Wordpress sites. The bot receives a list of sites from C&C and in the process of trying to get the pages /wp-login.php or / administration /. If successful, it returns to the command server a list of sites on which these pages were found.
    4. Searching passwords for authorization pages for CMS and ISP panels. This plugin is configured using a flexible system of rules and allows you to sort passwords for almost any authorization page. An example of setting this plugin can be seen in the screenshot below.



      For enumeration, attackers use a dictionary consisting of 17,911 passwords with lengths from 1 to 32 characters. The cloud of these passwords serves as the title picture for this post.
    5. Search for pages with a given topic. The plugin receives a list of sites, bypasses them recursively (the crawl depth is specified in the configuration) and collects the addresses of pages that satisfy a certain set of rules. An example of such a set of rules is presented in the screenshot below.



    6. Plugins for searching passwords for FTP accounts, plugins for bypassing ranges of IP addresses, searching phpMyAdmin and so on.
    7. We should also dwell on the plugin for exploiting the HeartBleed vulnerability. Despite the fact that many system administrators have already updated OpenSSL, there are still quite a number of vulnerable servers on the Internet.

    Thus, the modular structure allows the use of a botnet for a wide variety of tasks. Let us dwell on C&C. In the course of research, we were able to detect three different command servers. One of them was no longer functioning, and the remaining two were used to manage more than 1,400 bots.

    We analyzed the largest of the two command servers. The general view of the botnet control system looks like this:



    About 1100 bots were running under this server. The distribution of infected servers by country can be found on the map below. A darker tone means more infected servers.



    Thus, the bulk of the botnet was made up of servers located in Russia, the USA, Germany, and Canada.

    And here is the interface that allows you to give the task to the entire botnet or to individual groups of bots:



    At the time of the study, this botnet was sorting passwords for the administrative part of Wordpress CMS-based sites. The pictures below show the progress of the task and part of the file with the selected passwords - a report on the work done.





    As you can see, users used weak passwords unstable to brute force.

    Thus, to create a botnet from infected servers, it is by no means necessary to access the server with root privileges. Attackers are constantly inventing new ways to effectively use vulnerable sites and servers. Today they are ready to be content with even small privileges in the system. Keep this in mind when administering your servers and developing web applications, use brute-force passwords, regularly update OpenSSL, and monitor the security of your web applications.

    Take care of your users and your web servers.

    Also popular now: