ISC StormCast for Tuesday, July 8th 2014 http://isc.sans.edu/podcastdetail.html?id=4051

Multi Platform *Coin Miner Attacking Routers on Port 32764

Published: 2014-07-07
Last Updated: 2014-07-07 21:43:23 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Thanks to reader Gary for sending us in a sample of a *Coin miner that he found attacking Port 32764. Port 32764 was recently found to offer yet another backdoor on Sercomm equipped devices. We covered this backdoor before [1]

The bot itself appears to be a variant of the "zollard" worm sean before by Symantec [2]. Symantec's writeup describes the worm as attacking a php-cgi vulnerability, not the Sercomm backdoor. But this worm has been seen using various exploits.

Here some quick, very preliminary, details:

The reason I call it *Coin vs. Bitcoin is that in the past, we found these miners to mostly attack non-Bitcoin crypto-currencies to make use of the limited capabilities of these devices. I do not have sufficient detail yet about this variant.

Interestingly, Gary found what looks like 5 binaries with identical functionality, but compiled for 4 different architecture providing for larger coverage across possible vulnerable devices. The binaries are named according to the architecture they support.

Name Size "file" output
arm 86680 ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
armeabi 131812 ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
mips 140352 ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mipsel 141288 ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
x86 74332 ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

The binary appears to do the following among other things:

  • delete and then recreate the /tmp directory (to have an empty one for download)
  • create a directory /var/run/.zollard
  • firewall port 23 (telnet) and 32764 (trying to avoid re-exploitation. Port 23 is odd ...)
  • start the telnet demon (odd that it also firewalls port 23)
  • it uses this user agent for some outbound requests: Mozilla/5.0 (compatible; Zollard; Linux)
  • setup a php file with a backdoor (simple php "exec") 

It also looks like there are many other variants for different architectures based on string in the file Gary sent us.

[1] https://isc.sans.edu/diary/Port+32764+Router+Backdoor+is+Back+(or+was+it+ever+gone%3F)/18009
[2] http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices

---

Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: 32764 bitcoin coin miner
1 comment(s)

Comments


Diary Archives