Virus

ELF/Gafgyt.A!tr

Analysis

ELF/Gafgyt.A!tr is a piece of malware targeting embedded devices such as routers, IP cameras, etc.
There are variants for different kinds of processors such as ARM, Intel 80386, MC68000, MIPS R3000, PowerPC, Sparc, Advanced Micro Devices X86-64 or Renesas / SuperH SH.
It has been seen distributed by exploiting the Shellshock vulnerability in the past.
When executed, the malicious executable opens a connection to a C&C address hardcoded within it.
In some cases, after the connection is established, the bot sends a message to the C&C specifying its build, based on the presence of compile-time macros such as MIPS_BUILD, MIPSEL_BUILD, X86_BUILD, ARM_BUILD or PPC_BUILD. The message has the format

BUILD [ARCH]
where [ARCH] can be MIPS, MIPSEL, X86, ARM, POWERPC or UNKNOWN.
Several variants of the malware have been found having different combinations of the capabilities mentioned below.
Depending on the commands received from the C&C, the malware can perform the following functions (Command Received / Resulting action):

PING
  Responds with the message PONG on the connection already open with the C&C.
GETLOCALIP
  Sends the message "My IP: X.X.X.X" to the C&C, where X.X.X.X is the infected host's IP address (obtained by reading the output of the route command).
TELNETSCAN or SCANNER
  • If the command is followed by "START", the TelnetScanner (described in detail below) is started. The corresponding process ID is saved as ScanPid.
  • If the command is followed by "STOP", the process corresponding to ScanPid, saved when the TelnetScanner was started, is killed.
  • If the command is not followed by anything, the bot sends back the message "TELNETSCAN START | STOP".
HOLD [IP] [PORT] [TIME]
  A connection is opened to the IP address and PORT specified in the command and sustained for the duration TIME, also specified in the command.
JUNK [IP] [PORT] [TIME]
  The same function as above, with the difference that a randomly generated string is sent to the destination IP address.
UDP [IP] [PORT] [TIME] [SPOOFIT] [SIZE] [INTERVAL]
  • This command makes the bot send UDP packets of size SIZE containing randomly generated strings to the IP and PORT specified.
  • The packets are sent at regular intervals specified by INTERVAL for the duration of TIME. If the SPOOFIT flag is set to '32', the source address of the packets is set to a randomly generated IP, to avoid revealing the bot's IP address.
  • If the IP or PORT are not specified in the command, they are randomly generated by the bot.
TCP [IP] [PORT] [TIME] [SPOOFIT] [FLAGS] [SIZE] [INTERVAL]
  The same functionality as above, but for sending TCP packets. It uses an additional parameter FLAGS that allows the C&C to specify the kind of packets sent out as part of the TCP flood (e.g. "all", "syn", "rst", "fin", "ack", "psh").
KILLALL or KILLATTK
  Kills all currently running processes forked from the original bot process.
LOLNOGTFO or I95O752W3X or DUP
  Exits the bot process.
EMAIL [TARGET] [HOST] [SUB] [MSG]
  Makes the bot connect to HOST on port 25 and send an email to TARGET from an email id 'rastrent.com'. As the names suggest, SUB and MSG provide the subject and body of the email sent.
DNS
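The command table above, turned into a small parser a defender can run over captured C&C-to-bot lines (for example from a sandbox or IDS log) to classify what an infected device was told to do. This is an added example, not code from the page or from the malware; the category labels, the "USAGE" placeholder and the constructed SAMPLE_SESSION lines are my own assumptions.

```python
# Gafgyt C&C command grammar from the table above: command -> (category, argument names in order).
COMMANDS = {
    "PING": ("control", []),
    "GETLOCALIP": ("recon", []),
    "TELNETSCAN": ("scan", ["ACTION"]),
    "SCANNER": ("scan", ["ACTION"]),
    "HOLD": ("flood", ["IP", "PORT", "TIME"]),
    "JUNK": ("flood", ["IP", "PORT", "TIME"]),
    "UDP": ("flood", ["IP", "PORT", "TIME", "SPOOFIT", "SIZE", "INTERVAL"]),
    "TCP": ("flood", ["IP", "PORT", "TIME", "SPOOFIT", "FLAGS", "SIZE", "INTERVAL"]),
    "KILLALL": ("control", []), "KILLATTK": ("control", []),
    "LOLNOGTFO": ("control", []), "I95O752W3X": ("control", []), "DUP": ("control", []),
    "EMAIL": ("spam", ["TARGET", "HOST", "SUB", "MSG"]),
    "DNS": ("unknown", []),   # listed on the page without a described action
}

def parse_cnc_command(line):
    """Classify one C&C-to-bot line; returns None when the first word is not a known command."""
    fields = line.strip().split()
    if not fields or fields[0] not in COMMANDS:
        return None
    name, rest = fields[0], fields[1:]
    category, names = COMMANDS[name]
    args = dict(zip(names, rest))
    if name == "EMAIL" and len(rest) > len(names):   # MSG is free text: keep the whole tail
        args["MSG"] = " ".join(rest[len(names) - 1:])
    event = {"command": name, "category": category, "args": args}
    if category == "flood":
        event["target"] = (args.get("IP"), args.get("PORT"))  # None: the bot picks it at random
        event["spoofed_source"] = args.get("SPOOFIT") == "32"  # SPOOFIT '32' randomises the source
    if category == "scan":
        event["action"] = args.get("ACTION", "USAGE")  # bare command only gets the usage reply
    return event

def triage_session(lines):
    """Count recognised commands per category over a captured session."""
    counts = {}
    for line in lines:
        event = parse_cnc_command(line)
        if event:
            counts[event["category"]] = counts.get(event["category"], 0) + 1
    return counts

# Constructed sample session (not a real capture); 198.51.100.0/24 is a documentation range.
SAMPLE_SESSION = [
    "PING", "TELNETSCAN START",
    "UDP 198.51.100.7 53 120 32 512 10",
    "TCP 198.51.100.7 80 60 0 syn 1024 5",
    "EMAIL victim@example.invalid mail.example.invalid hi this is the body",
    "LOLNOGTFO", "NOTACOMMAND foo",
]
```

Calling triage_session(SAMPLE_SESSION) yields the per-category counts; parse_cnc_command on a single line gives the structured event, including whether a flood command asked for a spoofed source.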

TelnetScanner: This is the part of the bot responsible for propagation of the malware. It performs the following functions:
  • Generates a random public IP, say W.X.Y.Z, subject to the following conditions:
    W - !(0, 10, 100, 127, 169, 172, 192, 198, 203, 223)
    X - above 31 and !(0, 51, 19, 18, 168, 88)
    Y - !(2, 99, 100, 113)
  • Tries to establish a connection with the above IP address on port 23
  • If the connection is established, it reads the response from the server up to the string "ogin:" (probably to match both "Login" and "login"), assuming the server expects the client to enter a username beyond this point.
  • It sends, one by one, strings from an array of usernames, e.g. {"root", "", "admin", "user", "login", "guest"}, each followed by a newline character. If the server responds, it continues to the next step.
  • If the server response contains the string "ncorrect", the bot tries the next username. Otherwise it looks for the string "assword:" and proceeds to the next step.
  • The bot then tries a number of passwords from an array, e.g. {"root", "", "toor", "admin", "user", "guest", "login", "changeme", "1234", "12345", "123456", "default", "pass", "password"}, by sending them as a response to the telnet server
  • If the server responds with a string other than "ncorrect", the bot looks for any of the following strings in the response {":",">","undefined","$","#"}, implying the presence of a shell prompt. If the response contains "ncorrect", the next password in the array is tried.
  • Next, it checks for the presence of busybox on the device by sending the command "/bin/busybox;echo -e '\\147\\141\\171\\146\\147\\164'\r\n" (the octal escapes decode to the marker string 'gayfgt')
  • If the response from the server includes 'gayfgt' (indicating that a busybox binary is present), a report is sent to the C&C. The format is
    REPORT [IP]:[Username]
    if only the username is required to authenticate with the telnet server, OR
    REPORT [IP]:[Username]:[Password]
    where both username and password are required. IP is the randomly generated IP address where a telnet server with busybox was found.
  • Next, a shell is launched by sending the instruction 'sh' or '/bin/busybox;shell'
  • This is followed by an instruction to download and launch a shell script on the randomly generated IP. After this script is launched, it is deleted.
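Detection logic for the TelnetScanner behaviour described above, as an added example (not code from the page or from the malware): it decodes the octal-escaped busybox probe so the marker can be matched even though 'gayfgt' never appears in clear text, parses the REPORT messages sent back to the C&C, and checks an address against the generator's exclusion rules. The function names and the constructed SAMPLE_LINES are my own assumptions.

```python
import re

# Constraints the TelnetScanner applies to its random target W.X.Y.Z (from the analysis above).
EXCLUDED_W = {0, 10, 100, 127, 169, 172, 192, 198, 203, 223}
EXCLUDED_X = {0, 51, 19, 18, 168, 88}
EXCLUDED_Y = {2, 99, 100, 113}

def in_scan_space(ip):
    """True if the scanner's generator could produce this address, False for excluded ranges."""
    w, x, y, _z = (int(p) for p in ip.split("."))
    return w not in EXCLUDED_W and x > 31 and x not in EXCLUDED_X and y not in EXCLUDED_Y

# The busybox check hides its marker as octal escapes: echo -e '\147\141\171\146\147\164'
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

def decode_octal_escapes(text):
    """Decode every \\NNN octal escape in text, so the hidden marker becomes readable."""
    return "".join(chr(int(octal, 8)) for octal in OCTAL_ESCAPE.findall(text))

def is_busybox_probe(line):
    """Match the fingerprint command by its decoded marker rather than the literal bytes."""
    return "/bin/busybox" in line and decode_octal_escapes(line) == "gayfgt"

# REPORT [IP]:[Username] or REPORT [IP]:[Username]:[Password]; the username may be empty ("").
REPORT_RE = re.compile(r"^REPORT (\d{1,3}(?:\.\d{1,3}){3}):([^:]*)(?::(.*))?$")

def parse_report(line):
    """Extract the compromised host and the credentials the bot reported for it."""
    match = REPORT_RE.match(line.strip())
    if not match:
        return None
    ip, user, password = match.groups()
    return {"ip": ip, "username": user, "password": password, "in_scan_space": in_scan_space(ip)}

def scan_lines(lines):
    """Run both detections over captured lines; returns (kind, detail) tuples in order."""
    findings = []
    for line in lines:
        report = parse_report(line)
        if is_busybox_probe(line):
            findings.append(("busybox_probe", line.strip()))
        elif report is not None:
            findings.append(("report", report))
    return findings

# Constructed sample: one telnet session line followed by two C&C-bound report lines.
SAMPLE_LINES = [
    "/bin/busybox;echo -e '\\147\\141\\171\\146\\147\\164'\r\n",
    "REPORT 41.77.9.3:root:toor",
    "REPORT 41.77.9.3:admin",
    "sh\r\n",
]
```

scan_lines(SAMPLE_LINES) returns the probe and both reports; the "sh" line, being an ordinary command, produces no finding.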

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.