Today we got a shell file that was captured by a honeypot and submitted to VT. We checked the detections for that file: it is flagged as Linux/Tsunami.NJH. Looking directly at the contents of the shell script, it appears to be a generic downloader.
Figure 1: Linux/Tsunami.NJH
The script uses the same IP address throughout the file: 46.218.149(.)85. We checked this IP address and the files associated with it in VT, and it does in fact download a malicious ELF file. On the detection page it gets similar hits, with ESET detecting it as a variant of Linux/Tsunami.NCD. The family description for this variant says that it is a backdoor that can be controlled remotely. The main purposes of this malware are downloading other malware files from the server, DDoS attacks and shell command execution.
Downloaded files - analysis
Based on these details, we manually downloaded the important files and started our analysis. We began with string analysis of the files to get an initial idea. All three downloaded files contain junk strings, plus two lines of strings that at least look like Japanese words. Refer to the snapshot below:
Figure 2: Strings of all three files
· 0000000A5069 nandemo shiranai wa yo,
· 0000000A5084 shitteru koto dake
String analysis – based on Google search results
Figure 3: Funtimes Ninja Malware
TFTP is a protocol for transferring data that servers use to boot diskless workstations, X-terminals and routers over the User Datagram Protocol (UDP). TFTP was primarily designed to read or write files on a remote server. Here busybox is found in all the loops, which is a hint that the malware targets resource-limited Linux machines (Linux on embedded systems).
Let's move on to the next result, a DDoS router malware article, where we found the following YARA rule to detect the presence of router DDoS malware:
```yara
import "elf"

rule STD
{
    meta:
        author = "Akamai SIRT"
        description = "Kaiten/STD DDoS malware"
    strings:
        $s0 = "shitteru koto dake"
        $s1 = "nandemo wa shiranai wa yo,"
    condition:
        elf.number_of_sections == 0 and
        elf.number_of_segments == 2 and
        $s0 and $s1
}
```
This YARA rule was created by researchers from Akamai for the Kaiten/STD router DDoS malware. It matches an ELF file with no section headers and exactly two program segments that also carries both of the strings we saw in the downloaded files.
Figure 4: DDoS Campaign
The above graph is from Akamai and shows the DDoS campaign from different locations across the globe.
Static analysis of the downloaded files
Figure 5: File command on the ELF files
Figure 6: ELF header
When we try to disassemble these files we get the following warnings:
· Warning: read (shdr) at 0xffff
· Warning: Cannot initialize section headers
· Warning: Cannot initialize strings table
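The warnings above and the Akamai rule's `elf.number_of_sections == 0 and elf.number_of_segments == 2` condition describe the same thing: an ELF header with no usable section table. The following triage script is an added example (not the blog's or Akamai's code) that decodes those header fields directly, reports whether the section table is absent or points past the end of the file, and checks for the two marker strings; the ELF blob it builds is a constructed stand-in, not one of the downloaded samples.

```python
import struct
import sys

# The two marker strings from the Akamai SIRT Kaiten/STD rule, as quoted above.
MARKERS = (b"shitteru koto dake", b"nandemo wa shiranai wa yo,")

def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF header fields the rule depends on (32/64-bit, LE/BE)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    if data[4] == 2:                           # EI_CLASS: 2 = ELFCLASS64, else 32-bit
        fmt, end = endian + "HHIQQQIHHHHHH", 64
    else:
        fmt, end = endian + "HHIIIIIHHHHHH", 52
    f = struct.unpack(fmt, data[16:end])
    return {"e_machine": f[1], "e_phoff": f[4], "e_shoff": f[5],
            "e_phnum": f[9], "e_shnum": f[11], "e_shstrndx": f[12]}

def triage(data: bytes) -> dict:
    """Mirror the rule: no sections, exactly two segments, both marker strings present."""
    hdr = parse_elf_header(data)
    # A section table that is absent (e_shnum == 0) or whose offset lies outside the
    # file is what produces "Cannot initialize section headers" in a disassembler.
    hdr["section_table_usable"] = hdr["e_shnum"] > 0 and 0 < hdr["e_shoff"] < len(data)
    found = [m.decode() for m in MARKERS if m in data]
    hdr["marker_strings_found"] = found
    hdr["matches_kaiten_std_rule"] = (hdr["e_shnum"] == 0 and hdr["e_phnum"] == 2
                                      and len(found) == len(MARKERS))
    return hdr

def build_sample() -> bytes:
    """Constructed 32-bit LE MIPS ELF: header with e_phnum=2 and e_shnum=0, padding,
    then the marker strings. Synthetic test input only, not a real sample."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # class32, LE, v1, SYSV ABI
    hdr = struct.pack("<HHIIIIIHHHHHH", 2, 8, 1, 0x400000, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    body = bytes(64) + MARKERS[1] + b"\x00" + MARKERS[0] + b"\x00"
    return ident + hdr + body

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(blob).items():
        print(f"{key:24} {value}")
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed one match.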
Using the initial script, we tweaked a few lines related to the download; it now throws an "exec format error" when run.
Figure 7: Execution error
Conclusion
Based on the AV detections and string analysis, these files are a backdoor with DDoS functionality. It is highly recommended to block the malicious IP address at the firewall and proxy. A good SOC with a better threat intelligence feed will minimise the attack and can even stop it before it causes any damage.
Research done by