May 1, 2015 at 15:12Attackers use Linux / Mumblehard to compromise servers, part 1
The Linux / Mumblehard malware family is a special tool for cybercriminals using which they compromised servers running various modifications of the Linux and BSD operating systems. The main purpose of this malware is to provide full access to a compromised system for attackers (backdoor) and spamming. After gaining such access, attackers can run other malicious programs on the remote system. Mumblehard also includes modules for organizing proxies and spamming.
The components of this malicious program are Perl scripts that are encrypted and packaged inside an executable ELF file. In some cases, these scripts may contain another executable ELF file.
ESET analysts were able to perform a sinkhole operation to obtain statistics about infected systems, which allowed us to calculate their number and notify their owners. Our analysis led us to the following key findings:
Introduction
Our analysts faced Linux / Mumblehard when a system administrator of one of the companies contacted our specialists to get advice on their server, which was blacklisted by the provider for spamming. On this server, we recorded a suspicious process and dumped its memory. The process was a running Perl interpreter. This process executed a malicious script. We also found a suspicious ELF file in the / tmp directory. In the process of analysis, it became clear that this file belongs to Linux / Mumblehard .
The attention of our analysts was drawn to the fact that the malicious Perl scripts themselves were located inside the executable ELF file, which is a rather unusual case of their storage. Our investigation revealed that the group of cybercriminals behind this malware had close ties to an IT company called Yellsoft. The first sample of the Mumblehard component, which was responsible for spamming, was uploaded to the VirusTotal service back in 2009. At the same time, Yellsoft has been working since 2004. It is not clear to us whether this company had any connections with cybercriminals between 2004 and 2009. .
Fig. Yellsoft homepage, what it looked like in 2004
Using our special server and a list of those systems that were infected, we established two main vectors for the distribution of this malware. One of these vectors was the use by exploiters of exploits for the popular content management systems of the Joomla and Wordpress sites. Another vector was the spread by cybercriminals of pirated backdoored versions of DirectMailer for Linux & BSD. This program is sold by Yellsoft for $ 240. Pirated copies of the program specialize in installing the Mumblehard backdoor. The backdoor allows attackers to install other malicious programs on a compromised server.
Malware analysis
We analyzed two different components of the malware that were used by a group of cybercriminals. The first is a backdoor that will request commands from the controlling C & C server. Command data contains URLs. They must be downloaded and executed on a compromised server. The second component is a spam component, the so-called. spammer daemon. Both components are written in Perl and obfuscated using one packer, which is written in assembler and located in an ELF file. The following diagram shows the connections between the Mumblehard components and their management servers.
Fig. The interaction between Mumblehard components and their management servers.
One of the first interesting features that we noticed was the Perl script wrapper located inside the ELF file. It is written in assembler and consists of two hundred instructions. This code itself calls the Linux system services by using the int 80h statement. The packer's software functions are also devoid of the usual prologue responsible for servicing the stack.
Using the int 80h system call gives the packer code one significant advantage, depriving it of any external dependencies on OS libraries. In addition, the packer itself can work normally on both Linux and BSD. The type of system is determined at the beginning of the malware code by a system call number 13 with argument 0. For Linux, this corresponds to an API call to the time (NULL) function , and on a BSD callfchdir(stdin). В случае с BSD вызов функции с таким аргументом завершится неудачей и возвращаемое значение будет представлять из себя отрицательное число, а в случае с Linux, возвращаемое значение соответствующего вызова будет положительным, и оно соответствует количеству секунд, прошедших с 1-го января 1970 г.
Рис. Точка входа в исполняемый ELF-файл (начало кода упаковщика). Виден вызов сервиса с идентификатором 13 (SYS_TIME).
Далее вредоносный код вызовет функцию fork() и запустит интерпретатор Perl вызовом execve("/usr/bin/perl", ...). Тело самого скрипта будет отправлено процессу интерпретатора через канал STDIN. С использованием системного вызова dup2the parent process will be able to pass the decrypted script to the interpreter process through the duplicated file descriptor.
The backdoor itself does a simple job, it requests commands from the controlling C & C server and tells it the results of their execution. The backdoor does not start on the system as a service (daemon); instead, it uses the crontab task scheduler, which provides it with execution every 15 minutes.
It also disguises itself as an httpd service.
Each time it starts, the backdoor polls all the C&C servers from the list for receiving commands. In fact, it supports only one command with identifier 0x10, which instructs the backdoor to download from the URL of the specified file and its subsequent execution on the system. Typically, a list of C&C servers consists of ten addresses. The list we found was identical for all the Linux / Mumblehard samples we observed. We have witnessed the activity of only one C&C server with an IP address of 194.54.81.163. One of the servers with the behance.net domain in 2005 belonged to Adobe.
When the server with the address 194.54.81.163 contains a command to send, it can only respond in a fixed amount of time.
The backdoor generates its HTTP GET request for each C&C server from the list. The server responds with a command that is masked in the Set-Cookie field of the HTTP header. Such a technique can be justified, because when you capture such a network packet, its analysis will not cause suspicion.
Fig. Sample C & C server response.
A cookie called PHPSESSID is encoded in hexadecimal. The lines inside the commands themselves are also encrypted using a special algorithm. This algorithm is identical to that used in the Perl script wrapper. It can be assumed that the development of both parts of the malicious code was the same group or person.
Fig. The function of decrypting the data of the command received from the C & C server.
Fig. The same decryption function in Perl.
Once the string has been decoded, the following information will be extracted from the cookie.
Tab. List of parameters inside the PHPSESSID cookie.
Tab. Example parameter values inside PHPSESSID.
When requesting a command from a C&C server, the backdoor uses the user agent string. The line is shown below and corresponds to the one used by the Mozilla Firefox 7.0.1 browser on Windows 7.
After the file download and URL execution are completed, the backdoor reports the operation status to each of the C & C servers from which the command was received . This information is masked inside the user agent string and has the following form.
The following figure shows an example user agent string sent by the backdoor upon successful (HTTP 200 OK) operation (download-and-execute) with code 0x18 (24) to execute a file of 56.013 bytes in size.
The components of this malicious program are Perl scripts that are encrypted and packaged inside an executable ELF file. In some cases, these scripts may contain another executable ELF file.
ESET analysts were able to perform a sinkhole operation to obtain statistics about infected systems, which allowed us to calculate their number and notify their owners. Our analysis led us to the following key findings:
- Modules of the Linux / Mumblehard malware are Perl scripts that are located in the Mumblehard ELF executable files, which are written using assembly language.
- Using the sinkhole, it was possible to identify 8,867 unique IP addresses of infected systems over a seven-month period.
- The largest number of such unique IP addresses per day was 3.292.
- The malware has been active since at least 2009.
- Web servers dominated all infected computers.
- There is a close relationship between Mumblehard and Yellsoft. The latter is a company that distributes software for mass sending email emails.
Introduction
Our analysts faced Linux / Mumblehard when a system administrator of one of the companies contacted our specialists to get advice on their server, which was blacklisted by the provider for spamming. On this server, we recorded a suspicious process and dumped its memory. The process was a running Perl interpreter. This process executed a malicious script. We also found a suspicious ELF file in the / tmp directory. In the process of analysis, it became clear that this file belongs to Linux / Mumblehard .
The attention of our analysts was drawn to the fact that the malicious Perl scripts themselves were located inside the executable ELF file, which is a rather unusual case of their storage. Our investigation revealed that the group of cybercriminals behind this malware had close ties to an IT company called Yellsoft. The first sample of the Mumblehard component, which was responsible for spamming, was uploaded to the VirusTotal service back in 2009. At the same time, Yellsoft has been working since 2004. It is not clear to us whether this company had any connections with cybercriminals between 2004 and 2009. .
Fig. Yellsoft homepage, what it looked like in 2004
Using our special server and a list of those systems that were infected, we established two main vectors for the distribution of this malware. One of these vectors was the use by exploiters of exploits for the popular content management systems of the Joomla and Wordpress sites. Another vector was the spread by cybercriminals of pirated backdoored versions of DirectMailer for Linux & BSD. This program is sold by Yellsoft for $ 240. Pirated copies of the program specialize in installing the Mumblehard backdoor. The backdoor allows attackers to install other malicious programs on a compromised server.
Malware analysis
We analyzed two different components of the malware that were used by a group of cybercriminals. The first is a backdoor that will request commands from the controlling C & C server. Command data contains URLs. They must be downloaded and executed on a compromised server. The second component is a spam component, the so-called. spammer daemon. Both components are written in Perl and obfuscated using one packer, which is written in assembler and located in an ELF file. The following diagram shows the connections between the Mumblehard components and their management servers.
Fig. The interaction between Mumblehard components and their management servers.
One of the first interesting features that we noticed was the Perl script wrapper located inside the ELF file. It is written in assembler and consists of two hundred instructions. This code itself calls the Linux system services by using the int 80h statement. The packer's software functions are also devoid of the usual prologue responsible for servicing the stack.
Using the int 80h system call gives the packer code one significant advantage, depriving it of any external dependencies on OS libraries. In addition, the packer itself can work normally on both Linux and BSD. The type of system is determined at the beginning of the malware code by a system call number 13 with argument 0. For Linux, this corresponds to an API call to the time (NULL) function , and on a BSD callfchdir(stdin). В случае с BSD вызов функции с таким аргументом завершится неудачей и возвращаемое значение будет представлять из себя отрицательное число, а в случае с Linux, возвращаемое значение соответствующего вызова будет положительным, и оно соответствует количеству секунд, прошедших с 1-го января 1970 г.
Рис. Точка входа в исполняемый ELF-файл (начало кода упаковщика). Виден вызов сервиса с идентификатором 13 (SYS_TIME).
Далее вредоносный код вызовет функцию fork() и запустит интерпретатор Perl вызовом execve("/usr/bin/perl", ...). Тело самого скрипта будет отправлено процессу интерпретатора через канал STDIN. С использованием системного вызова dup2the parent process will be able to pass the decrypted script to the interpreter process through the duplicated file descriptor.
The backdoor itself does a simple job, it requests commands from the controlling C & C server and tells it the results of their execution. The backdoor does not start on the system as a service (daemon); instead, it uses the crontab task scheduler, which provides it with execution every 15 minutes.
It also disguises itself as an httpd service.
Each time it starts, the backdoor polls all the C&C servers from the list for receiving commands. In fact, it supports only one command with identifier 0x10, which instructs the backdoor to download from the URL of the specified file and its subsequent execution on the system. Typically, a list of C&C servers consists of ten addresses. The list we found was identical for all the Linux / Mumblehard samples we observed. We have witnessed the activity of only one C&C server with an IP address of 194.54.81.163. One of the servers with the behance.net domain in 2005 belonged to Adobe.
- 184.106.208.157
- 194.54.81.163
- advseedpromoan.com
- 50.28.24.79
- 67.221.183.105
- seoratingonlyup.net
- advertise.com
- 195.242.70.4
- pratioupstudios.org
- behance.net
When the server with the address 194.54.81.163 contains a command to send, it can only respond in a fixed amount of time.
The backdoor generates its HTTP GET request for each C&C server from the list. The server responds with a command that is masked in the Set-Cookie field of the HTTP header. Such a technique can be justified, because when you capture such a network packet, its analysis will not cause suspicion.
Fig. Sample C & C server response.
A cookie called PHPSESSID is encoded in hexadecimal. The lines inside the commands themselves are also encrypted using a special algorithm. This algorithm is identical to that used in the Perl script wrapper. It can be assumed that the development of both parts of the malicious code was the same group or person.
Fig. The function of decrypting the data of the command received from the C & C server.
Fig. The same decryption function in Perl.
Once the string has been decoded, the following information will be extracted from the cookie.
Tab. List of parameters inside the PHPSESSID cookie.
Tab. Example parameter values inside PHPSESSID.
When requesting a command from a C&C server, the backdoor uses the user agent string. The line is shown below and corresponds to the one used by the Mozilla Firefox 7.0.1 browser on Windows 7.
After the file download and URL execution are completed, the backdoor reports the operation status to each of the C & C servers from which the command was received . This information is masked inside the user agent string and has the following form.
The following figure shows an example user agent string sent by the backdoor upon successful (HTTP 200 OK) operation (download-and-execute) with code 0x18 (24) to execute a file of 56.013 bytes in size.