Shulou (Shulou.com), SLTechnology News&Howtos > Development, 06/02 report (updated 2025-04-01)
This article walks through the source code of the C2 (command-and-control) module of the ibus worm on Linux. Many people may not be familiar with it, so the material below is summarized to make it easier to follow.
Recently, while investigating an incident, the security team found a host that kept contacting the malicious domain linuxsrv134.xp3.biz and trying to communicate with it. Investigation of the affected host, combined with threat-intelligence analysis of the domain, tied it to ibus, a Linux worm newly seen in 2019. Below is a detailed analysis of its C2 module.
Phase one: initialization and checks. The module checks whether the pid record file /tmp/.Abe0ffdecac1a561be917bfded951a7a exists, and whether an instance is already running.
It then forks a new process.
The new pid is written to the /tmp/.Abe0ffdecac1a561be917bfded951a7a file.
Phase two: the module checks whether the configuration file /usr/share/hplip/data/images/24x24/.rc exists; it holds the hash of the configuration and the sleep interval.
It then checks whether the stored UUID is empty; if so, it generates a new UUID and writes it to the /usr/share/hplip/data/images/24x24/Remove_user.png file.
With phase two complete, the module enters its main loop.
MAIN is the main function. It calls check_relay to determine whether instructions are still available from the C2.
At present the domain has expired and no data can be retrieved.
If there are still unexecuted instructions, the Knock_Knock function is called: it uploads the bot's ID and receives the instruction content, which is base64-encoded and XOR-encrypted. Tasks fall into four categories: needregr, newtask, notasks and newreconfig.
The following figure shows the task-processing flow.
The specific instruction functions are listed below (category, task number, function):
needregr: upload local information and update the configuration file
newtask (task execution): 1 download execute; 3 download and execute; 6 exit; 9 self-update; 10 uninstall; 11 command execute
notasks: sleep for the configured sleep duration
newreconfig: update the configuration hash and the sleep duration
If there are no instructions, or the network fails, the module tries the following four ways to keep communicating:
1. Try to reconnect.
2. Obtain new C2 addresses from backup channels such as linuxservers.000webhostapp.com and linuxsrv134.xp3.biz.
At present the blog linuxservers.000webhostapp.com carries the following instructions, concealed with hidden attributes; the content can be reached manually, while direct access from a script returns 404.
3. Decrypt the retrieved data. Decryption has two steps: the data is first base64-decoded, then XORed with the key "#", which yields the following update information.
A new C2 address can also be derived with a DGA, but this method has not been implemented yet.
4. Probe 5.196.70.86 for open ports; the new C2 address is 5.2.73.127, and the port is updated to the open port that was detected.
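The base64-then-XOR decoding described in step 3 is the same transformation Knock_Knock applies to instructions in the main loop, and it is simple enough to reproduce. The following Python is an added example, not code from the worm or from the original article: it decodes a blob with the "#" key, encodes in the other direction so fixtures can be built, and splits the plaintext into the four categories from the table. The instruction layout it parses (type token first, then the newtask task number and arguments) is our assumption; the article does not state the wire format. The sample blob TUxXQlBIUA== is constructed for the example.

```python
import base64

# Single-byte XOR key reported in the analysis of the decryption function.
XOR_KEY = b"#"

# Instruction categories named in the article, and the newtask task numbers.
TASK_TYPES = ("needregr", "newtask", "notasks", "newreconfig")
NEWTASK_CODES = {
    1: "download execute",
    3: "download and execute",
    6: "exit",
    9: "self-update",
    10: "uninstall",
    11: "command execute",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the repeating key (a single byte here)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_c2(blob: str) -> str:
    """Recover the plaintext of a C2 reply: base64-decode, then XOR with '#'."""
    raw = base64.b64decode(blob, validate=True)
    return xor_bytes(raw, XOR_KEY).decode("utf-8", errors="replace")


def encode_c2(text: str) -> str:
    """Inverse of decode_c2; XOR is symmetric, so this is what the server side does."""
    return base64.b64encode(xor_bytes(text.encode("utf-8"), XOR_KEY)).decode("ascii")


def parse_instruction(plaintext: str) -> dict:
    """Split a decoded instruction into type, task number, action and arguments.

    Assumed layout (not stated in the article): the first token is one of the
    four categories; for newtask the second token is the task number and the
    rest is the argument string.
    """
    tokens = plaintext.strip().split(None, 2)
    if not tokens or tokens[0] not in TASK_TYPES:
        raise ValueError(f"unknown instruction: {plaintext!r}")
    result = {"type": tokens[0], "code": None, "action": None, "args": ""}
    if tokens[0] == "newtask":
        if len(tokens) < 2 or not tokens[1].isdigit():
            raise ValueError("newtask without a task number")
        code = int(tokens[1])
        result["code"] = code
        result["action"] = NEWTASK_CODES.get(code, "unknown")
        result["args"] = tokens[2] if len(tokens) > 2 else ""
    else:
        result["args"] = " ".join(tokens[1:])
    return result


# Constructed sample: "notasks" XORed with '#' and then base64-encoded,
# as the bot would receive it from the C2.
SAMPLE_BLOB = "TUxXQlBIUA=="

if __name__ == "__main__":
    print(decode_c2(SAMPLE_BLOB))
    blob = encode_c2("newtask 11 id")
    print(blob, "->", parse_instruction(decode_c2(blob)))
```

Because the key is a single byte, any captured blob can be recovered offline with this function; the same routine is useful for decoding whatever is hidden in the backup blog page once it has been fetched manually.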
Finally, for persistence, it creates scheduled tasks at two levels, user and system:
User level: execute /bin/sh "/bin/nmi" every hour.
System level: execute /bin/sh "/var/run/pm-utils/locks/nbus" once a day, and execute /bin/sh "/usr/lib/rpm/platform/x86_x64-linux/.dbus" every Sunday.
Most of the time the check is done directly as root, but some malware comes in through web vulnerabilities and may therefore be installed under a non-root account, so when investigating you need to confirm which users exist on the host and check the crontab of each one; otherwise entries are missed and the problem cannot be located correctly.
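To act on that advice, here is an added Python example (not from the article or the worm) that parses crontab text for every user, flags entries referencing the paths listed above, and reports which IOC files exist on the host. The crontab contents below are constructed for the example; the spool directories are assumptions about common Debian and RHEL layouts.

```python
from __future__ import annotations

import os
import re

# File and cron IOCs taken from the analysis above.
IOC_PATHS = (
    "/tmp/.Abe0ffdecac1a561be917bfded951a7a",
    "/usr/share/hplip/data/images/24x24/.rc",
    "/usr/share/hplip/data/images/24x24/Remove_user.png",
    "/bin/nmi",
    "/var/run/pm-utils/locks/nbus",
    "/usr/lib/rpm/platform/x86_x64-linux/.dbus",
)

# Where per-user and system crontabs usually live (assumption: Debian and RHEL layouts).
CRON_SPOOLS = ("/var/spool/cron/crontabs", "/var/spool/cron")
SYSTEM_CRON = ("/etc/crontab", "/etc/cron.d")

_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text: str) -> list[tuple[str, str]]:
    """Return (schedule, command) pairs, skipping comments, blanks and VAR=value lines.

    Handles the five-field form and @hourly/@reboot shortcuts. For /etc/crontab and
    /etc/cron.d files the user column stays at the front of the command string,
    which is fine for substring matching against IOC_PATHS.
    """
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or _ASSIGN.match(s):
            continue
        if s.startswith("@"):
            parts = s.split(None, 1)
        else:
            fields = s.split(None, 5)
            if len(fields) < 6:
                continue
            parts = [" ".join(fields[:5]), fields[5]]
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def find_ibus_entries(text: str) -> list[tuple[str, str]]:
    """Cron entries whose command references any known ibus path."""
    return [(sched, cmd) for sched, cmd in parse_crontab(text)
            if any(p in cmd for p in IOC_PATHS)]


def scan_users(crontabs: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Map user -> suspicious entries, for every user whose crontab has hits."""
    hits = {}
    for user, text in crontabs.items():
        found = find_ibus_entries(text)
        if found:
            hits[user] = found
    return hits


def existing_ioc_files() -> list[str]:
    """IOC paths present on this host (lexists, so a dangling symlink still counts)."""
    return [p for p in IOC_PATHS if os.path.lexists(p)]


def collect_crontabs() -> dict[str, str]:
    """Read every per-user spool file plus the system crontab files (best effort)."""
    found = {}
    for spool in CRON_SPOOLS:
        if os.path.isdir(spool):
            for user in os.listdir(spool):
                path = os.path.join(spool, user)
                if os.path.isfile(path):
                    try:
                        with open(path, encoding="utf-8", errors="replace") as f:
                            found[user] = f.read()
                    except OSError:
                        pass
    for entry in SYSTEM_CRON:
        if os.path.isfile(entry):
            paths = [entry]
        elif os.path.isdir(entry):
            paths = [os.path.join(entry, n) for n in os.listdir(entry)]
        else:
            paths = []
        for path in paths:
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    found["system:" + path] = f.read()
            except OSError:
                pass
    return found


# Constructed crontabs for the example: root, a web-service user, and a clean user.
SAMPLE_CRONTABS = {
    "root": 'MAILTO=""\n# hourly\n0 * * * * /bin/sh "/bin/nmi"\n',
    "www-data": ('0 0 * * * /bin/sh "/var/run/pm-utils/locks/nbus"\n'
                 '0 0 * * 0 /bin/sh "/usr/lib/rpm/platform/x86_x64-linux/.dbus"\n'),
    "backup": "30 2 * * * /usr/local/bin/backup.sh\n",
}

if __name__ == "__main__":
    for user, entries in scan_users(SAMPLE_CRONTABS).items():
        for sched, cmd in entries:
            print(f"{user}: {sched} {cmd}")
    print("files present:", existing_ioc_files())
```

On a real host, run it as root and pass collect_crontabs() to scan_users() instead of the sample dictionary; the www-data entry in the sample is exactly the kind of hit that a root-only check misses.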
IOC
IP: 5.196.70.86, 5.2.73.127
Domain: speakupomaha.com, linuxservers.000webhostapp.com, linuxsrv134.xp3.biz