Today we continue the story of malicious software running under Linux. This time we bring out the heavy artillery: IDA Pro. This indispensable tool can debug programs running under Windows, Linux and Mac OS. Mac OS will come up next time; for now the experimental platform is the familiar VirtualBox virtual machine with Ubuntu 10.04 on board.
First of all, let's find the "linux_server" file in the IDA's directory:
It has to be copied to the virtual machine and run there in a terminal:
The default port is 23946. Another port can be chosen with the "-p" parameter followed by the desired number; the number must follow the parameter without a space. A password can be set in the same way with the capital-letter parameter "-P", and the password must also follow it without a space. For example:
After that, start the usual Windows version of IDA Pro.
As an experimental piece of malicious code we will use Trojan-Downloader.Linux.Small.b. It is quite simple and well suited to an example.
Once the file to be debugged is selected, open the debugger options, specifically the process options:
What do we see here?
We are interested in the connection settings. Enter the address or host name of the system on which "linux_server" is running, then the port. To simplify the analyst's life, the client-side port defaults to 23946, the same as the server's default. Leave the password field empty if "linux_server" was started without a password. Note that the password you type is not masked with asterisks but shown in clear text, so do not reuse your "default" password if somebody is looking over your shoulder :rolleyes:
A message on the server console confirms the successful connection:
From here on the debugging process is the familiar one.
Let's look at what's inside of our Trojan:
Working with sockets... And where is the port bound? Here it is:
Once the port is open, the Trojan listens for incoming connections. It only continues its work when someone connects to that port. Well, if it wants a connection, it will get one! This time open a Windows console and use the "telnet" tool to connect to the port the Trojan is watching.
There is no need to send any data: the Trojan carries on as soon as the connection is established.
Now we have reached the most important part, the key to the whole thing:
The Trojan hands the following command line to the system for execution:
The link has been dead for a long time, so we can quote it in full exactly as it appears in the malicious program.
What does this command do?
- it downloads the specified file into the current directory
- it unpacks the archive "angela.tgz" into the current directory
- it changes the working directory to the directory called "angela"
- it runs the file called "angela"
Joining several commands with this separator means they are started simultaneously rather than one after another. Accordingly, the console running "linux_server" shows the following output:
As we can see, the "exec" and "cd" commands report errors. That is not surprising: at the moment these commands run there is no "angela" file or directory yet. The tar archiver reports an error for the same reason. The "wget" command, however, ran fine, but what it downloaded was not an archive but the server's standard "404 page": the file is no longer on the server.
After this the Trojan goes back to listening on the port and waits for the next connection. Let's use IDA to render the working algorithm as pseudocode:
As you can see, the Trojan's working cycle never ends, because the "while (1)" condition is always true.
So if the link were valid, the file would be downloaded on the first iteration, the archive would be unpacked on the second, the working directory would change to the directory with the unpacked files on the third, and on the fourth iteration the execution command would finally succeed.
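To make that cycle concrete, here is an added example of the same loop written in C for this article; it is neither the Trojan's own code nor the pseudocode IDA produced. It binds a port, blocks in accept(), hands a fixed command line to the shell the moment a client connects (without reading anything from the client, which is why telnet with no input is enough), drops the client and goes round again. The port number 1234 and the harmless echo command are placeholders; the sample's real port and command line are the ones shown above.

```c
/* Harmless re-creation of the listen-accept-execute cycle for lab observation.
 * Not the Trojan's code: the port and the command are placeholders. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener on 0.0.0.0:port (port 0 lets the kernel pick one).
 * Returns the listening descriptor, or -1 on error. */
int make_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The port actually bound (needed when port 0 was requested). */
unsigned short listener_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* One iteration of the cycle: block in accept(), run the command through the
 * shell as soon as a client connects, then drop the client. Nothing is read
 * from or written to the client. Returns the status system() reports,
 * or -1 if accept() failed. */
int serve_once(int lfd, const char *cmd)
{
    int cfd = accept(lfd, NULL, NULL);
    if (cfd < 0)
        return -1;
    int status = system(cmd);   /* the sample hands its command line to the shell here */
    close(cfd);
    return status;
}

int main(void)
{
    /* 1234 and the echo command are placeholders, not the sample's values */
    int lfd = make_listener(1234);
    if (lfd < 0) {
        perror("listen");
        return 1;
    }
    unsigned port = listener_port(lfd);
    printf("listening on %u; trigger it with: telnet 127.0.0.1 %u\n", port, port);
    while (1)   /* the condition is always true: the cycle never ends */
        serve_once(lfd, "echo 'payload command would run here' >&2");
}
```

Each connection runs the whole command line again, which is exactly why the sample's chain of four concurrently started commands needs several connections before the last step can succeed.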
Unfortunately, the link is not valid. It would be very interesting to know what this Trojan could do when running under Linux with the rights of a regular user.