[nycbug-talk] Cdorked.A Backdoor

Pete Wright pete at nomadlogic.org
Thu May 9 20:17:44 EDT 2013


On 05/09/13 16:45, Pete Wright wrote:
> Hey - anyone else been able to find more reliable information on this
> backdoor?  This is pretty much the only semi-useful information I've
> been able to dig up on it today:
>
> http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
>
> What I'm specifically interested to see is if this is an application
> level vuln, something to do with the linux kernel only, thus making my
> *BSD servers mostly safe, or what...
>


had some cycles to dig deeper - found a python script from eset.ie that 
they believe will detect this code.  it's pretty simple - so i'm not 
sure how reliable it is tbh.  here's a link to a wordpress site which is 
hosting the python script (that's not sketchy at all is it?):

http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.7z


tl;dr version if you don't want to grab the script.

- defines a key and size of a linux shared memory segment:
  SHM_SIZE = 6118512
  SHM_KEY = 63599

- attempts to load librt.so via ctypes python module so it can interact 
directly with the system's shared memory pool:
  try:
    rt = CDLL('librt.so')
  except:
    rt = CDLL('librt.so.1')

- the scanning/detection bit is a little fuzzy to me atm - although i 
believe it looks for a chunk of shared memory allocated at SHM_KEY of 
SHM_SIZE assuming the backdoor exists if this pattern is matched.

dunno...still scratching my head about this whole thing....my current 
suspicion is that if this backdoor is dependent upon linux shared memory 
then the non-linux systems *should* be OK (assuming said systems are not 
running httpd via linux compatibility layer)?

dunno - still waiting for a good analysis about this whole thing :)




-p


-- 
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA
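The same "segment with this key and this size" check, written as an added illustration (not the ESET script, and not anything from the list post) against Linux's /proc/sysvipc/shm table, which only a Linux kernel exposes; the sample rows are constructed, only the two constants come from the post:

```python
"""Flag SysV shared-memory segments matching the Cdorked.A IPC signature.

Reads /proc/sysvipc/shm (Linux only; one segment per data row, fields
start with: key shmid perms size ...) and reports any segment whose key
AND byte size both equal the constants quoted from the ESET script.
"""
import os

SHM_KEY = 63599       # constants quoted in the post from the ESET script
SHM_SIZE = 6118512


def parse_sysvipc_shm(text):
    """Return [(key, shmid, size)] for every data row of the table."""
    rows = []
    for line in text.splitlines()[1:]:       # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        key, shmid, _perms, size = fields[:4]
        rows.append((int(key), int(shmid), int(size)))
    return rows


def find_cdorked_segments(text, key=SHM_KEY, size=SHM_SIZE):
    """Return the shmids whose key and size both match; [] means no hit."""
    return [sid for k, sid, s in parse_sysvipc_shm(text) if k == key and s == size]


def scan_live_system(path="/proc/sysvipc/shm"):
    """Run the check on this host; None where the file does not exist (non-Linux)."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return find_cdorked_segments(fh.read())


# Constructed sample table: header, one benign segment, one matching segment.
SAMPLE = """\
       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      32768   600                  4096  1234  1234      1  1000  1000  1000  1000 1368129000 1368129000 1368129000                  4096                     0
     63599      65537   666               6118512  2048  2048      2     0     0     0     0 1368129000          0 1368129000               6118512                     0
"""

if __name__ == "__main__":
    print("sample table:", find_cdorked_segments(SAMPLE))   # [65537]
    print("this host:", scan_live_system())
```

A hit is only a lead, since the key and size are constants the script's authors observed in samples; an empty result on a *BSD host says nothing, because the file (and the SysV segment the check depends on) is a Linux-kernel feature.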
