[nycbug-talk] Cdorked.A Backdoor
Pete Wright
pete at nomadlogic.org
Thu May 9 20:17:44 EDT 2013
On 05/09/13 16:45, Pete Wright wrote:
> Hey - anyone else been able to find more reliable information on this
> backdoor? This is pretty much the only semi-useful information I've
> been able to dig up on it today:
>
> http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
>
> What I'm specifically interested to see is if this is an application
> level vuln, something to do with the Linux kernel only, thus making my
> *BSD servers mostly safe, or what...
>
Had some cycles to dig deeper - found a python script from eset.ie that
they believe will detect this code. It's pretty simple - so I'm not
sure how reliable it is tbh. Here's a link to a wordpress site which is
hosting the python script (that's not sketchy at all is it?):
http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.7z
tl;dr version if you don't want to grab the script.
- defines a key and size of a Linux shared memory segment:

    SHM_SIZE = 6118512
    SHM_KEY = 63599

- attempts to load librt.so via the ctypes python module so it can interact
directly with the system's shared memory pool:

    from ctypes import CDLL

    try:
        rt = CDLL('librt.so')
    except OSError:
        rt = CDLL('librt.so.1')
- the scanning/detection bit is a little fuzzy to me atm - although I
believe it looks for a chunk of shared memory allocated at SHM_KEY of
SHM_SIZE, assuming the backdoor exists if this pattern is matched.
Dunno... still scratching my head about this whole thing. My current
suspicion is that if this backdoor is dependent upon Linux shared memory
then the non-Linux systems *should* be OK (assuming said systems are not
running httpd via a Linux compatibility layer)?
Dunno - still waiting for a good analysis about this whole thing :)
-p
--
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA
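Added example (written for this post, not the ESET script and not Pete's code): the check he describes, done with ctypes. It asks the kernel for an existing SysV segment under SHM_KEY without IPC_CREAT and reads errno to tell "no such segment" from "exists but smaller than SHM_SIZE" from "exists but not ours to read". The errno mapping, the libc/librt fallback order, the IPC flag values and the constructed test key are my assumptions.

```python
import ctypes
import errno

# Values the ESET dump script keys on (taken from the post above).
SHM_KEY = 63599
SHM_SIZE = 6118512
IPC_CREAT, IPC_EXCL, IPC_RMID = 0o1000, 0o2000, 0  # Linux SysV IPC flags (assumed)


def _load_libc():
    """shmget() lives in libc on glibc; older systems exposed it via librt."""
    for name in (None, "librt.so", "librt.so.1"):
        try:
            lib = ctypes.CDLL(name, use_errno=True)
            lib.shmget.restype = ctypes.c_int
            lib.shmget.argtypes = [ctypes.c_int, ctypes.c_size_t, ctypes.c_int]
            lib.shmctl.argtypes = [ctypes.c_int, ctypes.c_int, ctypes.c_void_p]
            return lib
        except (OSError, AttributeError):
            continue
    raise OSError("no shmget() available on this platform")


def probe_segment(key=SHM_KEY, size=SHM_SIZE, lib=None):
    """Look up an existing SysV segment (no IPC_CREAT) and classify the result:
    'present' (exists, at least `size` bytes), 'absent', 'too_small' (exists but
    smaller than `size`, errno EINVAL) or 'denied' (exists, no permission)."""
    lib = lib or _load_libc()
    if lib.shmget(key, size, 0) != -1:
        return "present"
    err = ctypes.get_errno()
    names = {errno.ENOENT: "absent", errno.EINVAL: "too_small", errno.EACCES: "denied"}
    return names.get(err, "error:%s" % errno.errorcode.get(err, err))


def self_check(key, size, lib=None):
    """Create a throwaway segment under a constructed key, probe it, remove it.
    Returns (probe at exact size, probe at double size), or None when this host
    refuses to create SysV shared memory (e.g. a locked-down sandbox)."""
    lib = lib or _load_libc()
    shmid = lib.shmget(key, size, IPC_CREAT | IPC_EXCL | 0o600)
    if shmid == -1:
        return None
    try:
        return (probe_segment(key, size, lib), probe_segment(key, size * 2, lib))
    finally:
        lib.shmctl(shmid, IPC_RMID, None)


if __name__ == "__main__":
    print("segment %d (%d bytes): %s" % (SHM_KEY, SHM_SIZE, probe_segment()))
```

A key/size match is only a lead, since any local process can create a segment under that key: treat 'present' as the cue to attach and inspect the contents, and 'denied' as a reason to rerun as root, not as confirmation by itself.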