The report below attempts to answer the objectives set in the "NETWORK CHALLENGE - 001 - LINUX":
- Determine what likely occurred based on the evidence from the PCAP.
- Identify any network and/or host artifacts that could be used to scope this incident further.
- If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity.

The report comprises the following sections:
- Findings - Describes the main findings and provides an overview of the malicious activity.
- Analysis - Provides technical analysis of the captured traffic and extracted artifacts.
- Timeline - Provides a chronologically ordered list of events.
- Indicators - Provides a list of network and host indicators related to the observed malicious activity.
- References - Contains a list of external publications, indicators and resources used during the analysis.
## Findings

- The Linux system behind the IP address 104.236.210.97 was compromised at approximately 2016-09-07T22:14:48Z, when the attacker successfully connected and authenticated to the system over the SSH protocol.
- At 2016-09-07T22:16:16Z the attacker downloaded an instance of the BillGates trojan (java.log) from the remote IP address 120.210.129.29, which was running an HFS server on TCP port 5198.
- At 2016-09-07T22:19:03Z the compromised system sent the first DNS Type A query for the domain top.t7ux.com. This event marks the approximate time when the attacker executed the malicious file java.log. At the same time the first "Hello" packet was sent by the compromised system to the C&C domain top.t7ux.com.
- At approximately 2016-09-07T23:43:06Z the attacker likely initiated installation of the Apache httpd server by executing the command apt-get install apache2.
- Between 2016-09-07T23:47:06Z and 2016-09-07T23:50:42Z the attacker downloaded additional malware and tools from the remote IP address 120.210.129.29. The files comprised multiple versions of the BillGates trojan, a reverse shell script, the Netcat utility and a backdoored version of OpenSSH.
- Between 2016-09-07T23:52:18Z and 2016-09-07T23:53:05Z the remote IP address 104.236.59.209 connected to the compromised system over TCP port 80 and downloaded two files: nc.exe and back.pl. The observed connections likely indicate that the attacker successfully installed and ran the Apache httpd server.
- At 2016-09-08T01:22:06Z the attacker terminated the SSH session from the remote IP address 46.101.128.129.
- The packet capture contained additional SSH packets from the remote IP address 71.171.119.98 between 2016-09-08T01:22:09Z and 2016-09-08T01:22:25Z. Based on the timing of the event, this connection was likely also initiated by the attacker.
- At 2016-09-08T10:18:13Z the compromised host attempted to connect to the IP address 222.174.168.234, the resolution of the C&C domain top.t7ux.com at that time.
- At 2016-09-08T10:54:44Z the last packet to the C&C IP address 118.192.137.245 was captured.
- At 2016-09-09T13:46:05Z the compromised host sent 32038 UDP Flood packets to the IP address 23.83.106.115 over port 80.
- At 2016-09-09T13:46:21Z the last packet to the C&C IP address 222.174.168.234 was captured.
## Analysis

Analysis of the captured network traffic around the time (2016-09-07T22:16:16Z) of the first alert on the "HFS [File Download]" Snort signature revealed the download of the suspicious file java.log from the remote IP address 120.210.129.29 by the host 104.236.210.97. Initial analysis showed that the file was an instance of the BillGates trojan compiled for x86 Linux systems and configured with two C&C servers: top.t7ux.com and www.vnc8.com.
Review of network connections to the system behind the IP address 104.236.210.97 around the time the malicious file was downloaded showed only one active SSH connection, from the IP address 46.101.128.129. Based on this evidence and the lack of other connections it was determined that the attacker managed to authenticate and establish an interactive SSH session to the system. The system was likely initially compromised at approximately 2016-09-07T22:14:48Z. The SSH session was active for 3 hours and approximately one megabyte of data was exchanged between the endpoints during that time.
At 2016-09-07T22:19:03Z the compromised system issued the first observed DNS Type A query for the domain top.t7ux.com. At the same time the system established a connection with the IP address 118.192.137.245 (the resolution of top.t7ux.com at that time) over TCP port 16081 and sent data that was identified as the "Hello" packet generated by the BillGates trojan. The "Hello" packet contained the kernel version of the compromised Linux system (Linux 4.4.0.0-36-generic) and the version of the malware (G2.40).
Between 2016-09-07T23:43:06Z and 2016-09-07T23:43:07Z the compromised system established multiple HTTP connections to two legitimate domains, mirrors.digitalocean.com and nyc2.mirrors.digitalocean.com, and downloaded multiple .deb files. The files were determined to be legitimate software packages of the Apache httpd server and its dependencies. In the absence of additional interactive connections to the compromised system it is likely that the attacker initiated the installation of the Apache httpd server by executing the command apt-get install apache2.
Between 2016-09-07T23:47:06Z and 2016-09-07T23:50:42Z the attacker downloaded additional malware and tools from the remote IP address 120.210.129.29. The table below summarizes the files downloaded by the attacker:
Filename | MD5 | Type | Architecture | VT Detection | C&C | Description |
---|---|---|---|---|---|---|
java.log | f4b3ec28a7b92de2821c221ef0faed5b | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
16081 | c3a59d53af7571b0689e5c059311dbbe | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
2.6.32 | ff1e9d1fc459dd83333fd94dbe36229a | ELF | x64 | CVE-2013-2094 | - | CVE-2013-2094 privilege escalation exploit (Source code) |
back.pl | fbaeef2b329b8c0427064eb883e3b999 | Perl | - | - | - | Reverse shell script written in Perl |
nc.exe | 1c207af4a791c5e87dcd209f2dc62bb8 | PE | x86 | Tool.Netcat | - | Windows Netcat tool (UPX packed) |
or.bin | 09b62916547477cc44121e39e1d6cc26 | Bash | - | - | - | Bash script. Contained compressed and DES-encrypted backdoored version of OpenSSH (openssh-5.9p1.tgz ) |
SYN/Trustr | cd291abe2f5f9bc9bc63a189a68cac82 | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
SYN_1902 | 3e9a55d507d6707ab32bc1e0ba37a01a | ELF | x86 | Linux/BillGates | liv.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
winappes.exe/Windows_1902 | a91261551c31a5d9eec87a8435d5d337 | PE | x86 | BackDoor.Gates.8 | liv.t7ux.com | BillGates trojan Windows binary |
xmapp | c5593d522903e15a7ef02323543db14c | ELF | x86 | - | liv.t7ux.com, www.t7ux.com | BillGates trojan Linux binary |
The provided packet capture did not contain traces of traffic to the C&C domains identified during the initial analysis of the extracted files, which likely indicates that the attacker did not execute additional instances of the BillGates trojan. One of the extracted files, or.bin, contained an installation script that extracted, decrypted and installed a likely backdoored version of the OpenSSH daemon (openssh-5.9p1.tgz). Analysis of the SSH server version strings sent by the compromised host during the negotiation of subsequent SSH connections did not reveal the presence of the OpenSSH-5.9p1 string.
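As an added example (not from the original report or the malware itself), a Python carver for self-extracting scripts built like or.bin: it locates the appended archive by the same newline-plus-gzip-header marker that the or_bin YARA rule in the Indicators section uses, and lists the archive members without executing the script. The sample script is constructed for the example; the DES decryption layer the report mentions is not modelled, since the report does not give that step.

```python
import gzip
import io
import tarfile

# Marker from the or_bin YARA rule ($o2): newline, gzip magic (1f 8b),
# deflate method (08), flags (00).
GZIP_MARKER = b"\n\x1f\x8b\x08\x00"

# Extraction line from the or_bin YARA rule ($o1).
EXTRACT_LINE = b"mkdir /tmp/.tmp123 -p && tail -n $line $0 |tar zx -C /tmp/.tmp123"


def build_sample_dropper() -> bytes:
    """Constructed stand-in for or.bin: a bash stub followed by an appended
    gzip'ed tar archive. The archive holds a dummy README, not the real
    openssh-5.9p1.tgz, and $line is deliberately left unset."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"placeholder for the example, not the real archive\n"
        info = tarfile.TarInfo("openssh-5.9p1/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    stub = (b"#!/bin/bash\n"
            b"# constructed stub; the next line is the one matched by $o1\n"
            + EXTRACT_LINE + b"\n"
            b"exit 0\n")
    return stub + gzip.compress(buf.getvalue())


def looks_like_or_bin(blob: bytes) -> bool:
    """Mirror of the or_bin rule condition: both the extraction line and the
    newline+gzip-header marker must be present."""
    return EXTRACT_LINE in blob and GZIP_MARKER in blob


def carve_payload(blob: bytes):
    """Split a self-extracting script into its shell stub and the appended
    archive without running it. Returns (stub_text, payload_offset, members)."""
    idx = blob.find(GZIP_MARKER)
    if idx < 0:
        raise ValueError("no appended gzip stream found")
    offset = idx + 1                      # keep the gzip header, drop the newline
    stub = blob[:offset].decode("utf-8", "replace")
    tar_bytes = gzip.decompress(blob[offset:])
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        members = [m.name for m in tar.getmembers()]
    return stub, offset, members
```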
Between 2016-09-07T23:52:18Z and 2016-09-07T23:53:05Z the remote IP address 104.236.59.209 connected to the compromised system over TCP port 80 and downloaded two files: nc.exe and back.pl. The HTTP server on the compromised system identified itself as Apache/2.4.18 (Ubuntu), which suggests that the attacker successfully installed and ran the Apache httpd server. The system behind the IP address 104.236.59.209 may be another host compromised by the same attacker.
At 2016-09-08T01:22:06Z the attacker terminated the SSH session from the remote IP address 46.101.128.129. Analysis of the traffic showed an additional SSH session active around the same time, initiated from the IP address 71.171.119.98. The packet capture contained only a small fragment of the data exchanged, between 2016-09-08T01:22:09Z and 2016-09-08T01:22:25Z.
At approximately 2016-09-08T10:18:13Z the C&C domain top.t7ux.com started resolving to the new IP address 222.174.168.234. At the same time the compromised host attempted to connect to the new C&C IP address over TCP port 16081. At 2016-09-08T12:08:12Z the compromised host successfully connected to the C&C address and sent a "Hello" packet.
At 2016-09-09T13:46:05Z the compromised host sent 32038 UDP Flood packets to the IP address 23.83.106.115 over port 80. Analysis of the provided PCAP did not reveal any packets sent by the C&C server instructing the BillGates trojan running on the compromised host to initiate a denial of service attack against the IP address 23.83.106.115. Between 2016-09-09T13:46:05Z and 2016-09-09T13:46:21Z the compromised host sent multiple packets containing the string "23.83.106.115" to the C&C server, likely as confirmation of the performed UDP Flood attack. The last packet to the C&C server was captured at 2016-09-09T13:46:21Z.
## Timeline

Timestamp | Source IP Address | Destination IP Address | Protocol/Destination Port | Event Description |
---|---|---|---|---|
2016-09-07T22:14:48Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | Initial SSH connection from the remote IP address 46.101.128.129. Duration: approximately 1m. |
2016-09-07T22:16:07Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | Second SSH connection from the remote IP address 46.101.128.129. Duration: approximately 3h. |
2016-09-07T22:16:16Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary java.log to the compromised host. |
2016-09-07T22:16:16Z | 120.210.129.29 | 104.236.210.97 | TCP/47520 | Initial alert on the HFS [File Download] Snort signature. |
2016-09-07T22:19:03Z | 104.236.210.97 | 8.8.8.8 | UDP/53 | First observed DNS Type A query for the domain top.t7ux.com. Resolution: 118.192.137.245. |
2016-09-07T22:19:03Z | 104.236.210.97 | 118.192.137.245 | TCP/16081 | First observed Hello beacon to the C&C IP address 118.192.137.245 |
2016-09-07T23:43:06Z | 104.236.210.97 | 198.199.99.226 | TCP/80 | Initiated transfer of multiple legitimate Ubuntu packages from the remote host mirrors.digitalocean.com. |
2016-09-07T23:43:06Z | 104.236.210.97 | 192.241.164.26 | TCP/80 | Initiated transfer of multiple legitimate Ubuntu packages from the remote host nyc2.mirrors.digitalocean.com. |
2016-09-07T23:47:06Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary 16081 to the compromised host. |
2016-09-07T23:47:24Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the CVE-2013-2094 exploit file 2.6.32 to the compromised host. |
2016-09-07T23:47:32Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the reverse shell script back.pl to the compromised host. |
2016-09-07T23:47:41Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the Netcat PE binary nc.exe to the compromised host. |
2016-09-07T23:47:50Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the Bash script or.bin to the compromised host. |
2016-09-07T23:49:07Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary SYN to the compromised host. |
2016-09-07T23:49:18Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary SYN_1902 to the compromised host. |
2016-09-07T23:49:40Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary Trustr to the compromised host. |
2016-09-07T23:50:06Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan PE binary winappes.exe to the compromised host. |
2016-09-07T23:50:24Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan PE binary Windows_1902 to the compromised host. |
2016-09-07T23:50:42Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary xmapp to the compromised host. |
2016-09-07T23:52:18Z | 104.236.59.209 | 104.236.210.97 | TCP/80 | Download of the Netcat PE binary nc.exe from the compromised host. |
2016-09-07T23:53:05Z | 104.236.59.209 | 104.236.210.97 | TCP/80 | Download of the reverse shell script back.pl from the compromised host. |
2016-09-08T01:22:06Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | End of the second SSH connection from the remote IP address 46.101.128.129. |
2016-09-08T01:22:09Z | 71.171.119.98 | 104.236.210.97 | TCP/22 | First captured packet of SSH connection to the compromised host from the IP address 71.171.119.98. |
2016-09-08T01:22:25Z | 71.171.119.98 | 104.236.210.97 | TCP/22 | Last captured packet of SSH connection to the compromised host from the IP address 71.171.119.98. |
2016-09-08T10:18:13Z | 8.8.8.8 | 104.236.210.97 | UDP/55022 | First observed DNS response pointing top.t7ux.com domain to the new IP address 222.174.168.234. |
2016-09-08T10:18:13Z | 104.236.210.97 | 222.174.168.234 | TCP/16081 | First observed attempted connection to the C&C IP address 222.174.168.234. |
2016-09-08T10:54:44Z | 104.236.210.97 | 118.192.137.245 | TCP/16081 | Last observed TCP packet sent to the C&C IP address 118.192.137.245. |
2016-09-09T13:46:05Z | 104.236.210.97 | 23.83.106.115 | UDP/80 | 32038 UDP Flood packets sent to the remote IP address 23.83.106.115. |
2016-09-09T13:46:21Z | 104.236.210.97 | 222.174.168.234 | TCP/16081 | Last observed TCP packet sent to the C&C IP address 222.174.168.234. |
## Indicators

The list of network indicators below is based solely on the network traffic observed in the provided PCAP and the analysis of the extracted artifacts:
IP Address/Domain | Description |
---|---|
46.101.128.129 | Source of suspicious SSH connection to the compromised host. |
71.171.119.98 | Source of suspicious SSH connection to the compromised host. |
120.210.129.29 | HFS server hosting attacker's malware and tools. |
118.192.137.245 | Resolution of top.t7ux.com. BillGates Trojan C&C. |
222.174.168.234 | Resolution of top.t7ux.com. BillGates Trojan C&C. |
104.236.59.209 | Downloaded nc.exe and back.pl from the compromised host. |
top.t7ux.com | C&C of BillGates Trojan |
www.vnc8.com | C&C of BillGates Trojan |
liv.t7ux.com | C&C of BillGates Trojan |
www.t7ux.com | C&C of BillGates Trojan |
The following Snort signatures were written to cover the observed activity:

- BillGates Trojan - "Hello" packet

```
alert tcp any any -> any any (msg:"BillGates Trojan [Hello]"; content:"|01 00 00 00|"; content:"|00 00 00 00 f4 01 00 00 32 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:5; pcre:"/(Linux|Windows)/"; byte_test:1,>,96,4; byte_test:1,<,160,4; dsize:<160; threshold:type limit, track by_src, count 1, seconds 3600; sid:999998; rev:1;)
```

- BillGates Trojan - Transfer of Linux binary

```
alert tcp any any -> any any (msg:"BillGates Trojan [Linux - Transfer]"; content:"GatesType"; content:"AttackBase"; distance:5; within:20; content:"ThreadShell"; distance:10; within:20; threshold:type limit, track by_src, count 1, seconds 60; sid:999997; rev:1;)
```

- BillGates Trojan - Transfer of Windows binary

```
alert tcp any any -> any any (msg:"BillGates Trojan [Windows - Transfer]"; content:"FakeDetectPayload"; content:"FakeDetectInfo"; distance:15; within:20; content:"ShellCmd"; distance:15; within:20; threshold:type limit, track by_src, count 1, seconds 60; sid:999996; rev:1;)
```

- back.pl - Successful reverse shell connection

```
alert tcp any any -> any any (msg:"Reverse Shell [back.pl]"; flow:from_client,established; content:"Enjoy the shell.|0a|"; depth:17; dsize:<256; sid:999995; rev:1;)
```

- 2.6.32 CVE-2013-2094 exploit - Transfer of the binary

```
alert tcp any any -> any any (msg:"Exploit [CVE-2013-2094 - Transfer]"; content:"!close(fd)|00|map[i+1]|00|i<0x010000000/4"; sid:999994; rev:1;)
```

- BillGates Trojan - UDP Flood packet

```
alert udp any any -> any any (msg:"BillGates Trojan [UDP Flood]"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; pcre:"/\x00{900}/"; dsize:>900; threshold:type limit, track by_src, count 1, seconds 3600; sid:999993; rev:1;)
```
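As an added example (not from the original report), the options of the "Hello" signature above expressed as plain Python checks, run over a constructed packet that carries the kernel and malware version strings the Analysis section describes. The fixed-width layout of those two fields after the 29-byte constant is an assumption for the sample only; the signature itself constrains just the bytes it names.

```python
import re

# Byte patterns copied from the "BillGates Trojan [Hello]" Snort signature.
HELLO_MAGIC = b"\x01\x00\x00\x00"
HELLO_CONST = bytes.fromhex("00000000f4010000" "32000000e8030000") + b"\x00" * 13  # 29 bytes
OS_RE = re.compile(rb"Linux|Windows")


def hello_signature_misses(payload: bytes) -> list:
    """Evaluate each option of the Snort rule against one TCP payload and
    return the names of the options that did NOT match (empty list == alert)."""
    misses = []
    if HELLO_MAGIC not in payload:                        # content:"|01 00 00 00|"
        misses.append("content:magic")
    if payload[5:5 + len(HELLO_CONST)] != HELLO_CONST:    # content ...; offset:5
        misses.append("content:const@5")
    if not OS_RE.search(payload):                         # pcre:"/(Linux|Windows)/"
        misses.append("pcre:os")
    if len(payload) < 5 or not (96 < payload[4] < 160):   # byte_test:1,>,96,4 and <,160,4
        misses.append("byte_test:byte4")
    if len(payload) >= 160:                               # dsize:<160
        misses.append("dsize")
    return misses


def build_sample_hello(os_banner: bytes = b"Linux 4.4.0.0-36-generic",
                       version: bytes = b"G2.40") -> bytes:
    """Constructed Hello packet. The report states the packet carries the kernel
    version and the malware version; padding them to 64 and 16 bytes after the
    constant is an assumption, not the trojan's real format."""
    body = HELLO_CONST + os_banner.ljust(64, b"\x00") + version.ljust(16, b"\x00")
    length = 5 + len(body)            # 114 bytes, inside the 96 < x < 160 window
    return HELLO_MAGIC + bytes([length]) + body
```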
The following YARA rules cover the extracted files:

- BillGates Trojan (Windows and Linux binaries)

```
rule BillGates
{
    strings:
        $elf = "\x7fELF"
        $mz = "MZ"
        $b1 = "ThreadShell"
        $b2 = "CheckGatesType"
        $b3 = "AttackBase"
        $b4 = "PacketAttack"
        $b5 = "agony.pdb"
        $b6 = "Gates.pdb"
        $b7 = "Beikong"
    condition:
        ($elf at 0 or $mz at 0) and 2 of ($b*)
}
```

- Reverse shell script back.pl

```
rule Back
{
    strings:
        $s1 = "Remote_IP Remote_Port \\n\";"
        $s2 = "\"Enjoy the shell.\\n\";"
    condition:
        2 of ($s*)
}
```

- UPX-packed Netcat tool nc.exe

```
import "pe"

rule Netcat_UPX
{
    condition:
        pe.characteristics and pe.sections[0].name == "UPX0" and pe.sections[1].name == "UPX1" and pe.sections[2].name == "UPX2" and pe.imports("WSOCK32.dll") and filesize == 28160
}
```

- Bash script or.bin

```
rule or_bin
{
    strings:
        $o1 = "mkdir /tmp/.tmp123 -p && tail -n $line $0 |tar zx -C /tmp/.tmp123"
        $o2 = { 0a 1f 8b 08 00 }
    condition:
        2 of ($o*)
}
```

- CVE-2013-2094 exploit ELF binary 2.6.32

```
rule CVE_2013_2094_Exploit
{
    strings:
        $elf = "\x7fELF"
        $s1 = "semtex.c"
        $s2 = "!close(fd)"
        $s3 = "map[i+1]"
        $s4 = "i<0x010000000/4"
        $s5 = "!setuid(0)"
        $s6 = "/bin/bash"
        $s7 = "2.6.37-3.x x86_64"
        $s8 = "sd@fucksheep.org 2010"
    condition:
        $elf at 0 and 3 of ($s*)
}
```
Existence of the following files on a filesystem can indicate that the BillGates trojan was executed on a host. The list is based on execution of the java.log file on a sandbox system:

```
/tmp/gates.lod
/tmp/moni.lod
/usr/bin/.sshd
/usr/bin/dpkgd/lsof
/usr/bin/dpkgd/netstat
/usr/bin/dpkgd/ps
/usr/bin/dpkgd/ss
/usr/bin/bsd-port/getty
/usr/bin/bsd-port/getty.lock
/etc/rc2.d/S97DbSecuritySpt
/etc/rc3.d/S97DbSecuritySpt
/etc/rc5.d/S97DbSecuritySpt
/etc/rc4.d/S97DbSecuritySpt
/etc/rc1.d/S97DbSecuritySpt
/etc/rc2.d/S99selinux
/etc/rc3.d/S99selinux
/etc/rc5.d/S99selinux
/etc/rc4.d/S99selinux
/etc/rc1.d/S99selinux
/etc/init.d/selinux
```
## References

- Malware Must Die: MMD-0039-2015: ChinaZ made new malware: ELF Linux/BillGates.Lite
- Malware Must Die: China ELF botnet malware infection & distribution scheme unleashed
- Malware Must Die: China ELF botnet malware infection scheme unleashed (video)
- Akamai: BillGates Botnet Malware Used in Large DDoS Attacks
- Novetta: The Elastic Botnet Report
- Securelist: Versatile DDoS Trojan for Linux
- Thisissecurity: When ELF.BillGates met Windows
- Botconf: Chinese Chicken - Multiplatform DDoS botnets