While doing heap research on Linux processes (results are going to be published soon), I came across the bot from the Mirai Botnet. As already mentioned in the blog post by Brian, the Mirai bot uses obfuscated configuration data which contains e.g. the CnC server. When now confronted only with a bot (e.g. in the context of a running task or the ELF binary), but without the according source code, the decryption of this configuration data for e.g. incident analysis purposes might not be easily possible (with the python script from the blog post), if the key has been changed.
But in this case that is not a problem at all, because
- the “table_key” results effectively only in a one byte key (so a maximum of 255 possibilities to brute force).
- the effective key is included in each obfuscated string (the Mirai encryptor appends a null byte on each string, so the last byte is the resulting key).
Using these facts, one can use, for example, Didier Steven’s xorsearch to get the correct key and the resulting deobfuscated strings.
The tool can be run on the ELF binary itself or on a heap dump for a running instance of the bot (this dump can for example be gathered from a system memory dump using frameworks such as Rekall or Volatility, or by directly gathering the heap space from /proc/$PID/mem).
The only information that we must provide are some strings that we expect in the deobfuscated output, so the tool recognizes the correct key.
The following list contains some of the strings I chose for this example:
/bin/busybox
Mozilla
/etc/resolv.conf
/proc
listening tun0
https://youtu.be/dQw4w9WgXcQ
When now providing these strings in the file “mirai_strings.txt”, the xorsearch tool can be used as follows:
xorsearch -f mirai_strings.txt -s -d 2,3,4,5 heap_dump
or
xorsearch -f mirai_strings.txt -s -d 2,3,4,5 mirai.x86
If one of the strings appears for a specific key, the according key is printed:
Found XOR 22 position 0158: /bin/busybox MIRAI
Found XOR 22 position 0194: /bin/busybox ps
Found XOR 22 position 01A8: /bin/busybox kill -9
Found XOR 22 position 0374: Mozilla/5.0 (Windows NT 10.0; WOW64)
Found XOR 22 position 03E8: Mozilla/5.0 (Windows NT 10.0; WOW64)
Found XOR 22 position 045C: Mozilla/5.0 (Windows NT 6.1; WOW64)
Found XOR 22 position 04D0: Mozilla/5.0 (Windows NT 6.1; WOW64)
Found XOR 22 position 0544: Mozilla/5.0 (Macintosh; Intel Mac OS X
Found XOR 22 position 01E0: /etc/resolv.conf
Found XOR 22 position 0078: /proc/
Found XOR 22 position 0040: listening tun0
Found XOR 22 position 0054: https://youtu.be/dQw4w9WgXcQ
The ‘-s’ option tells xorsearch to save a XORed version of the input file, so the desired output should now be in a file like ‘mirai.x86.XOR.22’.
When now e.g. using the tool ‘strings’, the relevant strings like the CnC server should be easily recognizable.
Following an example excerpt, when running it on a Mirai bot sample (SHA1: c05680360aa6c8e977f0b7836a3e3d16c670cacd):
='*"
&*C@AFGDEJKHINOLMRSPQVWTU
"xc3511"root"888888"xmhdipc"default"juantech"123456"54321"support"password"12345"user"pass"admin1234"smcadmin"666666"klv123"meinsm"Admin
istrator"service"supervisor"guest"admin1"administrator"ubnt"klv1234"Zte521"hi3518"jvbzd"anko"zlxx."7ujMko0vizxv"7ujMko0admin"system"ikwb
"dreambox"realtek"00000000"1111111"fucker"mother"MEKL"GLVGP"CQQUMPF"
''*w$'*
$'*R%'*
''*7*'*N+'*
('*B*'*swinginwithme.ru
"listening tun0
"https://youtu.be/dQw4w9WgXcQ
"/proc/
"/exe
" (deleted)
"/fd
".anime
"/status
"REPORT %s:%s
"HTTPFLOOD
"LOLNOGTFO
"zollard
"GETLOCALIP
"shell
"enable
"system
"/bin/busybox MIRAI
The CnC server in this case was ‘swinginwithme.ru’.
\x00
Frank