2017/01/11 Advisory: VENOM Linux rootkit

This page covers ongoing attacks and may be updated.

The Linux VENOM rootkit is a two-component malicious software aimed at maintaining unauthorised access on compromised Linux systems. It requires root privileges to be installed, and relies on:

  • A userland binary, providing an encrypted backdoor with remote code execution and proxy functionalities
  • A lightweight Linux Loadable Kernel Module (LKM), providing an additional port-knocking service for the userland backdoor

VENOM features similar mechanisms to the tools used during the Freenode intrusion in 2014.

As the attacker attempts to remove all local traces, it is highly recommended to deploy and use a remote logging service (e.g. remote syslog).

This is related to http://go.egi.eu/venom_rootkit.

Attacker’s tactics, techniques, and procedures (TTP)

The VENOM rootkit has been used in the wild since at least October 2016. Typically:

  • The binaries are compiled on the victim’s machine in /dev/shm
  • Paths, including at runtime, are changed, but always resemble a legitimate or expected Linux system component
  • Local log files are erased and filesystem timestamps are manipulated
  • Persistence across system reboots relies on a modification of the system init scripts (/etc/rc.d/init.d/functions)

Indicators of compromise

Network

  • The kernel port-knocking requires 3 specific TCP packets featuring:
    "TCP Source Port + Sequence Number == 1221"
  • The userland knocking requires a TCP packet containing "SSH-2.5-OpenSSH_6.1.9"
  • Traffic on TCP/9090 involving binary or ELF files
  • RAW sockets

Filesystem

  • Check the integrity of the system's init scripts (/etc/rc.d/init.d/functions)
  • Check for unexpected LKM, for example "cpu_cachelift"
  • Check for a /var/lib/mkinitramfs file
  • Check for a /etc/X11/applnk/.window file
  • Check for a /usr/share/man/man5/printers_cupsd.conf.5.gz file
  • Check for running processes (e.g. crond) using a raw socket (netstat/ss):
    raw    0    0 0.0.0.0:6   0.0.0.0:*    7    18505/crond

Strings in the binary or over TCP/9090

%%VENOM%CTRL%MODE%% %%VENOM%OK%OK%% %%VENOM%WIN%WN%% %s%c%d:%d %%VENOM%AUTHENTICATE%% . entering interactive shell %s%c%c%c%s . processing ltun request . processing rtun request . processing get request . processing put request - accept failed - listen failed - bind failed venom by mouzone justCANTbeSTOPPED

Indicators of compromise

Indicators of compromise are also available below in MISP and OpenIOC formats:

Technical details

Kernel module


Credits: Georg Swoboda of Liberty Global

The kernel module adds a single network filter. The filter waits for three TCP packets satisfying "TCP Source Port + Sequence Number == 1221", then executes the backdoor with the source IP and a port (taken from the payload) as arguments.

Backdoor

The backdoor has three modes: RAW, BIND and connect. It first starts by rewriting its argv to 'crond'. The mode depends on argv[1].

RAW mode (argv[1] == RAW)

The raw mode waits for a packet containing 'SSH-2.5-OpenSSH_6.1.9' at byte 52. In case of a match, it splits the rest of that string on '|' into two arguments. It then forks and re-executes itself with these two arguments.

BIND mode (argv[1] == BIND)

The bind mode binds to port == argv[2]. Whenever it gets a connection, it calls the main function (see below).

Connect mode (other)

The connect mode connects to argv[1]:argv[2]. It then calls the main function (see below).

Main function

All exchanges are encrypted using RC4 (key == 'justCANTbeSTOPPED').
First, the backdoor sends '%%VENOM%AUTHENTICATE%%'.
It expects a password, which is checked against a hardcoded password hash using crypt().
If the password matches, the backdoor sends '%%VENOM%OK%OK%%' and waits for a command. There are 6 commands implemented:

  • Interactive shell
  • Command execution (blind)
  • Remote proxy (connect to remote host)
  • Local proxy (bind to local port and wait for incoming connection)
  • Read file
  • Write file
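As an added example (not part of the advisory), the following Python helpers turn the network indicators above (kernel knock condition, RAW-mode knock string at byte 52, RC4-encrypted TCP/9090 handshake) into checks an analyst can run over parsed packet data. Packet parsing itself (extracting source port, sequence number and payload from a capture) is assumed to be done elsewhere; the argument layout right after the knock string and the RC4 stream starting at the capture's first byte are assumptions, and all inputs are constructed.

```python
# Added example (not from the advisory): detection helpers for the VENOM
# indicators above. All inputs are constructed, not real captures.

KNOCK_SUM = 1221                      # kernel LKM: src_port + seq must equal this
KNOCK_COUNT = 3                       # ...on three packets
RAW_KNOCK = b"SSH-2.5-OpenSSH_6.1.9"  # userland RAW-mode knock string
RAW_KNOCK_OFFSET = 52                 # the backdoor looks for it at byte 52
RC4_KEY = b"justCANTbeSTOPPED"        # hardcoded RC4 key of the backdoor
VENOM_MARKERS = (b"%%VENOM%AUTHENTICATE%%", b"%%VENOM%OK%OK%%",
                 b"%%VENOM%CTRL%MODE%%", b"%%VENOM%WIN%WN%%")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (the same function encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def kernel_knock_seen(packets) -> bool:
    """packets: iterable of (tcp_src_port, tcp_seq). True once three packets
    satisfy src_port + seq == 1221, i.e. the LKM filter would fire the backdoor."""
    hits = sum(1 for sport, seq in packets if sport + seq == KNOCK_SUM)
    return hits >= KNOCK_COUNT

def userland_knock_args(packet: bytes):
    """Return the two '|'-separated arguments following the knock string at
    byte 52, or None. Assumption: the arguments directly follow the marker."""
    start = RAW_KNOCK_OFFSET
    end = start + len(RAW_KNOCK)
    if packet[start:end] != RAW_KNOCK:
        return None
    parts = packet[end:].rstrip(b"\x00").split(b"|", 1)
    return tuple(parts) if len(parts) == 2 else None

def venom_markers_in_stream(stream: bytes):
    """Decrypt a captured TCP/9090 stream with the hardcoded key and list the
    VENOM protocol markers found. Assumption: the capture starts at the first
    byte of the RC4 stream; a capture that starts mid-stream will not decrypt."""
    plain = rc4(RC4_KEY, stream)
    return [m for m in VENOM_MARKERS if m in plain]
```

Because the key is hardcoded, a stream captured from its first byte that decrypts to '%%VENOM%AUTHENTICATE%%' is a strong confirmation of the backdoor, independent of process name or file path.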

Credits