2014-06-16

The background

I think some Linux sysadmins and malware researchers already know this issue well, from references in sysadmin/Linux forums, from incidents reported at work, or from facing the problem themselves. Since the wave of attacks is still being spotted, hitting several services through known web application vulnerabilities, and there is no complete verdict on the threat yet, we feel it is important to raise an alert on this subject in an MMD post, as an advisory for fellow admins who may be googling for information on this threat, in the hope that it gives a thorough explanation. The recent vulnerability exploited to spread this malware infection is as tweeted here:

Insecure default in #Elasticsearch enables remote code execution http://t.co/SG2vIfVINF < causing some ELF malware injection (was reported)

— Hendrik Adrian (@unixfreaxjp) June 15, 2014

Maybe some of us think that DDoS tools only infiltrate victim sites through some kids attempting to hack unattended sites and installing their bots, written as IRC Perl/PHP DDoS scripts. This post is good reading for anyone who thinks that way, since it explains a more serious threat: ELF DoS binaries specifically built to conduct DDoS attacks from hacked Linux servers, installed through root exploitation in each infection. This threat is known as the .IptabLex and .IptabLes ELF #DDoS backdoor trojan (malware) infection. The infection originated in China and is now worldwide, hitting various Linux based services through new vulnerabilities and giving problems to some of us.
Here go the details..

The worldwide incidents reported

First, what is the coverage of this infection? Below is the list of reported incidents of the current threat worldwide, which I followed and collected in chronological order; all refer to the same binary sets and a similar infection modus operandi. The infected servers' distributions vary, from Debian, Ubuntu, Slackware and CentOS to Red Hat, compromised via vulnerabilities in server applications such as Tomcat, Elasticsearch and Apache Struts. But all of them report the same attack vector: a code injection vulnerability.
FYI: no, we have not seen any FreeBSD or Mac OS X based server as a victim (yet).

Source of threat

The origin of the threat is China, which is described technically in the analysis sections below, but there are also many reports posted about the threat on Chinese sites; see this reference -->>[here]

.@SeraphimDomain @virusbtn The highlights "IptabLe(s|x) ELF infection is they aim Apache base: Struts,Tomcat & Elasticsearch to exploit root

— MalwareMustDie, NPO (@MalwareMustDie) June 16, 2014

The symptoms of infection

An infected Linux host suffers root privilege escalation and is installed with the malware set as per the details below.

The malware's main files are located in either /boot or /usr, as shown below. It first tries to write into /boot; if that fails, the malware is saved in /usr.

Or..

The malware is accompanied by an autostart script:

Contents:

The PID lock files will be found:

↑ In most cases we found these files in the root (/) directory.
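A quick check for the file-system indicators described above, as an added example that is not part of the original post: it looks for names containing IptabLes/IptabLex under /boot and /usr, directly in /, and in the init directories. The directory list and the name pattern are assumptions drawn from the names in this post, not exact paths taken from an infected host.

```shell
#!/bin/sh
# Added example (not from the original post): look for the file-system
# indicators described above. The directory list and the name pattern
# '*IptabLe[sx]*' are assumptions based on the names in the post.

# Usage: scan_iptables_artifacts [ROOT]   (ROOT defaults to /)
scan_iptables_artifacts() {
    root=${1:-/}
    # Hidden binaries: the post says /boot is tried first, then /usr.
    for d in boot usr; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -name '*IptabLe[sx]*' 2>/dev/null
        fi
    done
    # PID/lock files dropped directly in the root directory (-maxdepth 1).
    find "$root" -maxdepth 1 -name '*IptabLe[sx]*' 2>/dev/null
    # Autostart scripts: the init directories are an assumption.
    for d in etc/init.d etc/rc.d; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -name '*IptabLe[sx]*' 2>/dev/null
        fi
    done
    return 0
}

# Number of distinct matches, so the result can be checked, not only read.
count_iptables_artifacts() {
    scan_iptables_artifacts "$1" | sort -u | wc -l | tr -d ' '
}

# Constructed directory tree for a dry run (empty files, no real malware).
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/boot" "$t/usr/bin" "$t/etc/init.d"
    : > "$t/boot/.IptabLes"
    : > "$t/boot/.IptabLex"
    : > "$t/.IptabLes"            # lock file in the root directory
    : > "$t/etc/init.d/IptabLes"
    : > "$t/usr/bin/iptables"     # the legitimate tool: must not match
    echo "$t"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(demo_tree)
    scan_iptables_artifacts "$t"          # prints the 4 constructed hits
    echo "matches: $(count_iptables_artifacts "$t")"
    rm -rf "$t"
fi
```

Run it with `--demo` for the dry run on the constructed tree, or call `scan_iptables_artifacts` without arguments on a live host.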

In the case that I handled, the binaries and autostart scripts had these sizes:

The first two are the malware binaries themselves, followed by the autostart scripts. Usually the infected host has both binaries. The bigger one is the newer, "advanced" version and the smaller one is the limited version.

In some cases the "advanced" version has runtime problems and crashes with a segmentation fault, as per lsof below:

While the smaller one mostly runs well, as per the reported lsof:

Once the malware is running successfully and connected to the backdoor, the netstat connection looks like this:

Some UDP ports will also be opened, as per below:

And the SYN packets generated from the infected host look like this:

Definition of the Malware

This malware is a DDoS bot ELF malware variant with a backdoor function connecting to the CNC, which sends it instructions to attack targeted hosts with SYN flood or DNS flood DoS techniques. It is autostarted as a daemon every time the host's services start.

So far we have seen no RAT (Remote Access Trojan) functionality beyond the specific DoS bot functions, and no sign of rootkits or deletion of the system environment, except for the added autostart scripts.
This malware can be deleted safely by executing the commands below:

From further observation of the binaries we know that it originated in a Chinese Linux environment.

According to the reported cases it has backdoors connecting to China IP addresses, as per the recorded data below:

And the recorded targets also go to Chinese networks:

Binary Analysis

ELF file type:

With notes:

The header:

..and Section Headers:

The smaller and bigger binaries differ in their Symbol table '.symtab' entries; if you diff the function tables, the newer version (the bigger one) shows itself to be the "advanced mode" version with the "pro" features:

..and it also has more additional "features":
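The .symtab diff between the two builds, as an added example that is not from the post: it extracts the defined FUNC symbols from `readelf -s` output for each binary and prints the functions only the bigger build has. The binary paths are placeholders, and readelf (binutils) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the defined function
# symbols (.symtab FUNC entries) of two unstripped ELF files, as the post does
# for the smaller and the bigger IptabLes build. Paths are placeholders.

# Read `readelf -sW` output on stdin; print defined FUNC symbol names, sorted.
# Columns: Num Value Size Type Bind Vis Ndx Name ($4 = Type, $7 = Ndx, $8 = Name).
defined_funcs() {
    awk '$4 == "FUNC" && $7 != "UND" && $8 != "" { print $8 }' | sort -u
}

# Print symbols present in the second (sorted) list but not in the first.
only_in_second() {
    comm -13 "$1" "$2"
}

# Usage: symtab_extra_funcs SMALL_ELF BIG_ELF
# Prints the functions the bigger build adds over the smaller one.
symtab_extra_funcs() {
    small_list=$(mktemp); big_list=$(mktemp)
    readelf -sW "$1" | defined_funcs > "$small_list"
    readelf -sW "$2" | defined_funcs > "$big_list"
    only_in_second "$small_list" "$big_list"
    rm -f "$small_list" "$big_list"
}
```

Swapping the two arguments (or using `comm -23`) lists what the smaller build has that the bigger one dropped.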

Reverse Engineering Highlights

These are the source code files of this malware, written in C:

Reversing this malware is interesting, and the overall reverse effort took longer than I thought. In this highlight I will guide you along the best way to reach the malicious code and PoC the verdict on the DoS activities. After choosing your best disassembler, I suggest you start trailing the function at .text:0804DA40 called startmain() to find the trail that leads you to the DDoS functions (the verdict) soon:

You should find the PID, and its locking can be followed afterwards from .text:0804DAF5 (to check that you are trailing the right path..):

Followed by the fork function at .text:080533B0 below:

Seek the calls leading to this function's start address (0x80533B0) and you will see the main DDoS function referring to it directly:

The above functions are the DoS functions, which can be seen reversed here-->>[Pastebin] and here-->>[Pastebin]; they can be broken down deeper into how the SYN or UDP packets are formed, the randomization of their size, the build, and then the sending thread. I will not cover the details of those sub-functions here since it would get very long (but please feel free to comment with requests); the pastebins show enough evidence of the attack performed by this flooder.

Let's move on. In .rodata:080B3360 you'll find the URLs the malware uses for "test purposes", which help PoC the origin of this malware without much heavy reversing:

As you can see, three of the listed sites are Chinese web sites. Other things that help to identify it are the multilanguage Linux traces detected and the way the binaries were compiled (based on previous references to similar threats from the same origin, it is typical).

More malicious activities: the update server's data (link), which clearly shows it fetching updates, saving them and deleting them when done; the infected host's sensitive information being taken (link); gathering the infected host's network information (link); and the hard-coded installation of the autostart scripts and installation steps (link), which PoC all of the symptoms written above. For its own data handling this malware uses a compression logic whose decompression logic is so "spaghetti coded", as in the image below:

..the code can be viewed here (link). Note: all reversed snippets can be viewed in the linked disassembler views.

Analysis Samples & Virus Total

All samples are already on VirusTotal with the hashes below, with detection ratios between 3/54 and 8/54:

For fellow researchers, sysadmins or IR friends, I am sharing the samples below:

They can be downloaded here-->>[MMD Mediafire] with the usual password.

Additional:

#ELF IptabLe(s|X) autorun sh(pic), no AV would even do match "IptabLes" to detect as #malware https://t.co/Hi8yeGiGQe pic.twitter.com/jT1OrqO4c8

— MalwareMustDie, NPO (@MalwareMustDie) August 7, 2014

Questions and comments are welcome. I need more samples from recent incidents; if you happen to have any, please help by sending us the sample via the DropBox link in the right panel of this blog. Comments containing sensitive or private information will not be posted. Thank you in advance.

Follow up

(reserved space for follow up & updates)

#MalwareMustDie!
