Linux Gafgyt.B!tr Exploits Netcore Vulnerability

Over the past few months we have seen a lot of malware activity around the Netcore vulnerability, so we decided to take closer look at its exploitation. The following screen shot shows attack traffic captured through Wireshark.

Figure 1

Figure 2 shows a quick enumeration of the sample. (There are different versions of the sample for several architectures. We chose to analyze the MIPS one)

Figure 2

My analysis shows that this sample is a variant of the Gafgyt family, with some changes which I will discuss in detail later in this blog.

After the Gafgyt bot executes it establishes a connection to IP address 8.8.8.8 on port 53 in order to track the internet activity of its targeted victim. Upon successfully connecting, the bot continues to gather information about the current device IP address, attaches it to a string that is the build name of the infector, and sends it to the C&C server IP address that has been hardcoded into the infector file. (Figure 3)

Figure 3

The main process of the bot serves as a listener that waits for commands from its C&C. If no command is received it sends a “PING” message to the server, which means there are regular communication messages sent between the bot and the C&C server. The following commands trigger certain functionality on the bot:

1. PING/PONG/DUP: PING and PONG are monitoring commands to test if the server and bot are alive. DUP will kill the bot.
2. ! :
   1. SH : Linux command execution module
   2. PYTHON : Spreader/Scanner module based on python
   3. TABLE: File Descriptor enumerator for the victim
   4. UPDATE: Downloader for the latest version of the bot
   5. SCANNER : Spreader/Scanner module
   6. REMOVER: Found and kill known bots on the victim
   7. GETPUBLICIP: Enumerate victim public IP
   8. UDP : UDP flooding attack
   9. TCP : TCP flooding attack
   10. HTTP : HTTP flooding attack
   11. CNC : connect to specified CNC server periodically
   12. STD : Another UDP flooding
   13. KILLATTK: Kill the bot processes
   14. LOLNOGTFO: Exit the process

Some other samples use “! *” format instead of “!”.

Now let’s have a look at some of these commands and their associated modules.

Scanner Modules

The Gafgyt bot has two scanners. Either of them is triggered upon receiving a “! SCANNER ON/OFF” and “! PYTHON START/OFF” command.

We’ll start by taking a look at the first scanner (Figure 4.)

Figure 4

Once it is activated (Figure 5) the bot forks a process and sends a confirmation message to the C&C server.

Figure 5

It then generates IPs from the following subnets and tests them one by one until a “! SCANNER OFF” command is received:

49.144.X.X , 49.145.X.X , 49.146.X.X , 49.147.X.X , 49.148.X.X , 58.69.X.X, 58.71.X.X

112.206.X.X , 119.92.X.X , 119.93.X.X , 119.94.X.X , 122.2.X.X , 122.3.X.X , 122.52.X.X

122.53.X.X , 122.54.X.X , 122.55.X.X , 124.83.X.X , 124.104.X.X , 124.105.X.X , 124.106.X.X

124.107.X.X , 210.5.X.X , 210.213.X.X , 103.20.X.X , 103.47.X.X , 103.57.X.X , 45.117.X.X

101.51.X.X , 101.109.X.X , 113.53.X.X , 118.172.X.X , 118.173.X.X , 118.174.X.X , 125.24.X.X

125.25.X.X , 125.27.X.X , 180.180.X.X , 182.52.X.X , 182.53.X.X , 203.113.X.X , 1.24.X.X

1.56.X.X , 1.188.X.X , 14.204.X.X , 27.0.X.X , 27.8.X.X , 27.50.X.X , 27.54.X.X , 27.98.X.X

27.112.X.X , 27.192.X.X , 36.32.X.X , 36.248.X.X , 39.64.X.X , 42.4.X.X , 42.48.X.X , 42.52.X.X

42.56.X.X , 42.63.X.X , 42.84.X.X , 42.176.X.X , 42.224.X.X , 42.176.X.X , 60.0.X.X , 60.16.X.X

92.X.X.X , 62.30.X.X , 62.252.X.X , 62.254.X.X , 62.255.X.X , 77.96.X.X , 77.97.X.X , 77.98.X.X

77.100.X.X , 77.102.X.X , 80.X.X.X , 81.100.X.X , 82.X.X.X , 86.X.X.X , 94.174.X.X , 83.80.X.X

82.217.X.X , 84.24.X.X , 145.46.X.X , 212.120.X.X , 212.203.X.X , 213.34.X.X , 213.124.X.X

213.132.X.X , 217.63.X.X , 217.100.X.X , 217.102.X.X

For each randomly generated IP received, the bot connects to port 23 (telnet) and tries to login using a simple username/password dictionary (Figure 6.)

Figure 6

For any successful login the bot infects the victim by sending shell commands, and then informs the server about the infection. (Figure 7)

Figure 7

The second module is a Python SCANNER. This module is activated when the malware receives a “! PYTHON START” command. (Figure 8)

Figure 8

Most of the C&C servers had deleted the python scanner. However, after some hunting we managed to find the python script. The python script is run by passing the command “python good2.py 1000 LUCKY 1 3” to the “execve” system call. The first argument indicates the number of running threads for the script, and the second indicates the IP ranges to scan, which are:

122.3.0.0/16, 122.52.0.0/15, 122.54.0.0/16, 124.83.0.0/16, 124.105.0.0/16, 124.106.0.0/15, 112.200.0.0/13, 112.208.0.0/14, 112.212.0.0/15,112.214.0.0/16,210.213.0.0/16

The third argument is used to specify an IP instead of the string “LUCKY.” It indicates the end of the range to scan, and the last parameter is an index to a list of strings in “user:password.” {(admin, 1234) (root,root) (guest,guest) (telnet,telnet)} are used to log in to the SSH service. If the login is successful, the victim’s address along with the username and password will be written into a file and the victim will then be infected. The script uses the Paramiko package to do the process.

Enough said about the scanners. The main intention of this bot is to launch a DDoS attack. So we briefly describe the use of STD flooder as an example, below.

STD flooding modules:

Based on our analysis, this module accepts three arguments, “! STD , and ”. Once the bot receives the command to launch the attack, it starts to send UDP packets with a bit length of 65 to the victim’s “Address/Port” for given period of time. (Figure 9)

Figure 9

Conclusion

The era of IOT has started, so we are certain to see more of these sorts of attacks in the near future. The primary reasons that this sort of malware is interesting for cybercriminals are their level of security, the lack of knowledge of the end users, and usually, the lack of security mechanisms built into the devices themselves.

Fortinet’s products are equipped with 3 signatures to protect customers:

• “Gafgyt.Botnet”
• “Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass”
• “Linux/Gafgyt.B!tr”

If you would like to receive a weekly threat brief from the FortiGuard team, you can subscribe here.