SHA1:
- 3e71d70d910f85f546c526aa3a28f23455a19489
A malicious program designed to brute-force attack Linux devices using a special dictionary via the SSH protocol.
The Trojan contains configuration data and reads them after its launch:
cfg->IsWork = 0;
cfg->IsConnected = 0;
cfg->Thread = 50;
cfg->ThreadScan = 100;
cfg->Timeout = 15;
cfg->TimeoutScan = 2;
if ( runtime_writeBarrier.enabled )
{
runtime_writebarrierptr((uintptr *)&cfg->Good, (uintptr)_r0_1);
cfg = (ssh_bot_engine_Singleton *)v17;
}
else
{
cfg->Good.list = _r0_1;
}
cfg->JsonForStart.str = 0;
cfg->JsonForStart.len = 0;
cfg->AutoStart = 0;
cfg->Validatebl = 0;
cfg->HostForCheckInfoIP.str = 0;
cfg->HostForCheckInfoIP.len = 0;
cfg->IsAddToSourceScan = 1;
cfg->City.str = "null";
cfg->City.len = 4;
cfg->State.str = "null";
cfg->State.len = 4;Then the malicious program sends the POST request to its C&C server. This request contains a value of the “key” parameter. The server replies with the configuration data in the JSON format that looks as follows:
{
"host":"***.***.***.***:1337",
"hostCheck":"***.***.***.***:1488",
"timeoutScan":"4",
"logins":["admin","root","pi","alpine","ubnt","sshd"],
"passwords":["admin","root","pi","raspberry","alpine","ubnt","sshd","password","openelec"],
"manualdisconnect":true
}The Trojan parses the received data and then connects to the server indicated in the “host” parameter using the SocketIO library. In addition, it uses an ordinary (not secure) websocket. If the “AutoStart” parameter has a non-zero value in the configuration stored in the Trojan’s structure, the malicious program appends value “1” to the “IsWork” flag and sends information about its own status to the C&C server. After that, the value of the “IsWork” flag is set to “0”, and the Trojan reads parameters of its launch from the JsonForStart section of the embedded configuration data.
Then the malicious program installs processors for events “start”, “stop”, “killbot”, “clearlog” and launches a separate thread. It uses this thread to check a status of the connection to the C&C server by sending GET requests. If the server does not response with the “true” value, the bot shuts down.
Sending a GET request
The Trojan collects information about the operating system of the infected device and fills the following structure:
struct ssh_bot_structs_Hardware
{
uint64 Memory;
string OS;
string Logical_cpu;
string Processor;
int32 Physical_cpu;
string Cpu_load;
};Using this information, configuration parameters and a list of hacked devices, a JSON file is formed. It looks the following way:
{
"status": {
"Work":False,
"result":[], // bruted devices
"hardware": {
"memory":4096,
"os":"linux 8.3",
"logical_cpu":4,
"processor":"Intel(R) Core(TM) i7-4500U CPU @ 1.80GHz",
"physical_cpu":2,
"cpu_load":"0.01"
},
"parameters": {
"country":"",
"thread":"50",
"threadscan":"100",
"state":"null",
"city":"null",
"timeout":"15"
},
"validatebl":False
}
}Using this JSON file, the Trojan creates a “Status” event.
Start
The Trojan receives the JSON which saves to the JsonForStart field in its configuration. In practice, JsonForStart partially duplicates the embedded information.
{
"threadscan": 0,
"thread": 0,
"timeout": 0,
"validatebl": false,
"country": "",
"state": "",
"city": ""
}If the “IsWork” flag has a non-zero value in the Trojan’s configuration, the malicious program reports an error by creating an event “result_start” with the string “fail” and sends status data to the C&C server. Then values of parameters “threadscan”, “thread” and “timeout” are checked. If at least one of them is less than or equal to zero, the Trojan reports an error and quits the processor.
Then the malicious program reads values (if they are available) of the following fields: “validatebl”, “country”, “state”, “city” and uses them to form a POST request to the C&C server. The host name is extracted from the Trojan’s configuration. The response is a list of subnetworks for the following hacking.
Then again the malicious program sends the POST request to the C&C server with the “key” value in order to update the configuration. After that, the Trojan runs two new threads: the first one checks the status of the malicious program with the interval of 3 seconds, and the second one is used to manage the process of hacking of remote network servers.
Managing the hacking process
The Trojan requests the configuration from the C&C server with the interval of 10 minutes. With the interval of 3 minutes, it updates the list of subnetworks for hacking and generates a list of IP addresses of attacked network servers on the basis of the indicated subnetworks.
It creates separate pools for threads that scan and search for passwords. The scanning thread gets an IP address from a queue and checks the possibility for connection to the port 22. If the flag “Validatebl” is set in the configuration, the Trojan checks an IP address by sending a GET request and adds it to the queue.
Hacking
The Trojan goes through login:password combinations according to the list and tries to log into an attacked device via the SSH protocol. If successful, it sends the GET request via the SSH tunnel to the server “http://whoer.com:80” and gets an IP address there. It sends the GET request to the address “http://<hostCheck>/?ip=<ip>” and gets as a response a JSON structure that looks the following way (value <hostCheck> is from the bot’s configuration):
{
"country":"",
"region":"",
"city":"",
"zip":"",
"blacklist": {
"status": ""
}
}Then the malicious program compares the value of the “status” with the string “listed”. If there is a match, it saves “login”, “password”, “host”, “country”, “region”, “city”, “blacklisted” (this parameter has a value “1” if the parameter “status” matches the parameter “listed”), “zip” to the list of hacked devices.
Stop
It stops all threads of scanning and hacking.
Killbot
Creates an event “result_killbot” with the “success” string and shuts itself down.
Clearlog
Clears the list of hacked devices (cfg->Good), sends its status to the C&C server. Creates an event “result_clearlog” with the “success” string.
