Linux/CDorked

A server-side malware campaign

:~$ whoami

What is this Cdorked thing anyway?

Linux/Cdorked.A is a backdoor, used by malicious actors to serve malicious content from legitimate websites.

This malware does not propagate by itself and it does not exploit a vulnerability in any specific software.

How did this start?

Tonight

Why should you care?

Notes
  • This thing is stealthy
  • Business angle too: not good if your own organization gets infected
  • They’ve got an httpd privileged shell!!
    • But how did they install it? A: root

High-level description

Notes

You have to be motivated to support all these webservers

Prevalence

Let’s get technical

Stealth

Notes
  • No logs is actually possible: it is not a module, so it can affect the logging chain
  • Hardcoded C2: unlike most other threats we encounter; possible because of the nature of a webserver
  • Obfuscated HTTP: and these requests skip the webserver’s usual logging mechanisms

Stealth++

Found in the wild doing:

Notes
  • Languages: no Japanese, Finnish, Russian, Ukrainian, Kazakh or Belarusian

Shared memory

Command channels

Two main command channels

Backdoor

Notes

Backdoor component

Notes
  • Hence the name

XOR obfuscation

import socket

def xor_decrypt(data, key):
    # Repeating-key XOR; the same operation encrypts and decrypts
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

h = headers
ip = (h.get('X-Real-IP') or h.get('X-Forwarded-For') or h['Remote-addr'])
ip = socket.inet_aton(ip)
# w, x, y, z are per-sample constants added to each byte of the client IP
xorkey = bytes((
    (ip[0] + w) % 256,
    (ip[1] + x) % 256,
    (ip[2] + y) % 256,
    (ip[3] + z) % 256))
command = xor_decrypt(query_string, xorkey)

Since we can control X-Real-IP or X-Forwarded-For, a 0x00000000 key can be constructed.
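The key derivation above, written out as a decoder an analyst can run over captured requests (added example, not the slide's code). The per-sample constants and the IP addresses are constructed values; the query is treated as hex-encoded, as the deck describes for the redirection control mechanism, and a helper flags the null-key case in which the hex query is the plaintext command.

```python
import socket
from typing import Dict, Sequence

# Constructed per-sample constants (the w, x, y, z of the slide); real samples differ.
SAMPLE_CONSTS = (0x10, 0x20, 0x30, 0x40)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; one function covers encryption and decryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def client_ip(headers: Dict[str, str]) -> str:
    """Same precedence as the backdoor: proxy headers win over the socket peer."""
    return (headers.get('X-Real-IP') or headers.get('X-Forwarded-For')
            or headers['Remote-addr'])


def derive_key(ip: str, consts: Sequence[int]) -> bytes:
    """Key byte i = IPv4 byte i plus per-sample constant i, modulo 256."""
    raw = socket.inet_aton(ip)
    return bytes((raw[i] + consts[i]) % 256 for i in range(4))


def decode_command(headers: Dict[str, str], query_hex: str,
                   consts: Sequence[int]) -> bytes:
    """Recover the command from a hex-encoded query string as the backdoor would."""
    key = derive_key(client_ip(headers), consts)
    return xor_bytes(bytes.fromhex(query_hex), key)


def encode_command(headers: Dict[str, str], command: bytes,
                   consts: Sequence[int]) -> str:
    """Inverse of decode_command; handy for building known-good test traffic."""
    key = derive_key(client_ip(headers), consts)
    return xor_bytes(command, key).hex()


def is_null_key(headers: Dict[str, str], consts: Sequence[int]) -> bool:
    """True when the client-supplied IP cancels the constants (key 0x00000000),
    so the hex query decodes to the plaintext command with no XOR at all."""
    return derive_key(client_ip(headers), consts) == b'\x00' * 4


if __name__ == '__main__':
    # Constructed request: a proxied client behind a constructed address.
    hdrs = {'X-Real-IP': '203.0.113.7', 'Remote-addr': '198.51.100.9'}
    q = encode_command(hdrs, b'ST', SAMPLE_CONSTS)
    print(q, decode_command(hdrs, q, SAMPLE_CONSTS))
```

Because X-Real-IP feeds the key, a detection that only inspects the query string cannot recover the command without also recording that header; log both together.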

Backdoor quirks

Malicious payload

HTTP Location redirect

Controlling it

Command   Description
L1, D1    Load or delete the list of redirect URLs
L2, D2    Load or delete the list of blacklisted IP ranges
L3, D3    Load or delete the list of User-Agent whitelist patterns
L4, D4    Load or delete the list of User-Agent blacklist patterns
L5, D5    Load or delete the list of Referer whitelist patterns
L6, D6    Load or delete the list of blacklisted IPs
L7, D7    Load or delete the list of request excluded pages
L8, D8    Load or delete the list of whitelisted IP ranges
L9, D9    Load or delete the list of Accept-Language blacklisted patterns
LA, DA    Load or delete the list of request whitelisted pages
ST        Print server stats
DU        Clear the list of redirected IPs
T1        A timestamp

Notes

23 commands available to affect redirection conditions

Staying under the radar

Not too aggressive

Only redirects victims once

Lastly

Redirection control mechanism

The query must have:

Notes
  • Varies per sample
  • With hex-encoded command in the query portion

Beyond Cdorked

Let’s see how the campaign we are tracking right now behaves. You have an idea for a cool name?

But first…

Notes