Antiy's exclusive in-depth analysis exposing the Equation Group's multi-platform malicious code weapons

Posted by santillano at 2020-03-10

Since February 2015, Antiy has published two analysis reports on the Equation Group, analyzing the composition of its malicious code components for the Windows platform, its hard-disk persistence, and the encryption algorithms it uses. This report is the first to publish partial sample analysis of the Equation Group's components for the Solaris and Linux platforms. We can also say with pride that this is the first public analysis in the industry that officially confirms the real existence of these "evil spirits". In fact, Antiy's work was completed a few years ago. Since 2012, Antiy's analysis engineers have paid attention to super attack organizations, trying to cover every scenario in which intrusion and persistence can be achieved. In these scenarios, server operating systems such as Linux, Solaris and FreeBSD are targets of high concern. The payloads involved are not ordinary script Trojans but componentized binaries with rootkit capability, strong encryption, anti-analysis features and strictly encrypted communication. Antiy's engineers have always referred to the attacks launched by super attack organizations as A2PT, and regard full-platform coverage of the malicious code payload as an important hallmark of A2PT.

Antiy has turned its long-term experience in tracking and analyzing advanced threats and malicious code into product capabilities. Its products help users detect threats, capture payload delivery and lateral movement in the network, provide comprehensive protection for traditional Windows hosts and domestic operating systems through the Intelligent Endpoint Defense System, and let users carry out multi-platform malicious code analysis on Antiy's threat analysis platform. The deployment of these products also enables Antiy to obtain more threat clues with the support of users. At the same time, Antiy actively follows open-source intelligence and public information about the relevant organizations and their trends.

After Kaspersky and Antiy exposed the malicious code used by the Equation Group at the beginning of last year, the group has appeared in a series of "explosive" events. In the Equation Group attack code for various firewalls and network devices leaked in August 2016 [1], the public for the first time connected the Equation Group with the attack equipment system named "ANT", and saw its ability to achieve injection and persistence on firewall products from Cisco, Juniper, Fortinet and others. On October 31, 2016, The Hacker News published the article "Shadow Brokers reveals list of servers hacked by the NSA" [2], which disclosed more documents released by the "Shadow Brokers", including a list of foreign servers compromised by the Equation Group. According to the related documents, most of the compromised servers ran Solaris, the UNIX system owned by Oracle, and some ran FreeBSD or Linux. With these disclosures and Antiy's own capture and analysis work confirming each other, the full-platform attack capability of a super attack organization has become increasingly clear.

Over the past few years, this analysis has been so long, complex and difficult that it exceeds the challenges we faced in analyzing and reproducing Stuxnet and Flame. Highly complex and covert all-platform advanced malicious code of this kind is an enormous challenge for victims and analysts alike. Especially when its attack scope covers almost every architecture and operating system, traditional security analysis teams, which are better at analyzing malicious code on mainstream platforms such as Windows, Linux and Android, have come under tremendous pressure. If we use the organization's name "Equation" as a metaphor for the difficulty of analysis, we need to solve not a single "equation" but a far more complex multi-dimensional "system of equations".

The Equation Group has adopted an industrial-standard, standardized attack weapon library. In its previous reports, Antiy analyzed six malicious code components, or "equipment": EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. For EquationDrug and DoubleFantasy, Antiy has found samples for other platforms. See the following table for information on the Equation arsenal:

By reading the following reports, readers can complete their own puzzle of the Equation Group's attacks on multi-platform operating systems:

Note: the User-Agent analyzed by Antiy in the Solaris sample carries a Solaris identifier, while Kaspersky disclosed in "Equation Group: Questions and Answers" [8] that it had captured a User-Agent for Mac OS X. From this, although neither Antiy nor Kaspersky has yet captured a Mac OS X sample, the Equation Group's attack payload targeting Mac OS X is real.

Antiy has captured and analyzed the DoubleFantasy component for Linux. This component is the attack sample used by the Equation Group on the Linux platform for early reconnaissance and detection of prospective targets. Because it is a Linux sample, it differs from the exposed Windows sample in the technical details of how specific functions are implemented.

3.1 Reconnaissance and detection lead module: DoubleFantasy

3.1.1 File labels

3.1.2 Operation process

Trojan/Linux.DoubleFantasy samples can be executed with or without parameters. When run with the parameter -C, the sample is used only to obtain system information, which can be regarded as a scenario-detection function. The process is as follows:

Figure 1 Trojan/Linux.DoubleFantasy -C parameter flow

If the sample runs with no parameters, it exhibits network communication behavior. The process is as follows:

Figure 2 Trojan/Linux.DoubleFantasy running process without parameters

3.1.3 Basic functions

Traverses system files, clears /var/log/lastlog records, and obtains system account and password information.

Connects to Google to determine network connectivity status.

Connects to the remote server and performs different operations according to the remote control instructions.

The sample also contains multiple encryption algorithms for information and network communication.

The sample starts itself via a linked file, and /proc/%d/exe points to the sample's own file.

After the sample runs, three processes with consecutive PIDs are started.

Then the information of the infected machine is collected, including system directories, file extensions and so on, as shown in the following figure:

Figure 3 Collecting general system information

The malicious code calls fork() and checks the PID returned for the child process to determine whether it succeeded. If it succeeds, the main process exits and cannot be debugged. The effect on the debugging process is shown in the following figure:

Figure 4 Child process judgment
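The behaviors just described (the sample re-launching itself so that /proc/%d/exe points back at its own file, and leaving three processes with consecutive PIDs behind) can be turned into a simple host-side check. The following Python is an added example written for this page, not code from the report or from the sample: it walks a (pid, exe) snapshot and reports runs of at least three consecutive PIDs that all resolve to the same executable. The `/tmp/.x/sample` path in the constructed snapshot is a placeholder, not an indicator from the report.

```python
import os

# Constructed (pid, exe) snapshot standing in for a walk of /proc: three
# processes with consecutive PIDs share one executable, the rest do not.
# The paths are placeholders, not indicators from the report.
SAMPLE_SNAPSHOT = [
    (1, "/sbin/init"),
    (842, "/usr/sbin/sshd"),
    (1337, "/tmp/.x/sample"),
    (1338, "/tmp/.x/sample"),
    (1339, "/tmp/.x/sample"),
    (1340, "/usr/bin/bash"),
    (2000, "/usr/bin/cron"),
    (2001, "/usr/bin/cron"),
]


def consecutive_runs(snapshot, min_len=3):
    """Return lists of PIDs forming runs of at least `min_len` consecutive
    PIDs that are all backed by the same executable path."""
    runs = []
    current = []  # the run being built, as (pid, exe) pairs
    for pid, exe in sorted(snapshot):
        if current and pid == current[-1][0] + 1 and exe == current[-1][1]:
            current.append((pid, exe))
        else:
            if len(current) >= min_len:
                runs.append([p for p, _ in current])
            current = [(pid, exe)]
    if len(current) >= min_len:
        runs.append([p for p, _ in current])
    return runs


def proc_snapshot(proc_root="/proc"):
    """Read (pid, exe) pairs from a live Linux /proc by resolving the exe
    symlink the report mentions; entries we may not read are skipped."""
    snap = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue
        snap.append((int(name), exe))
    return snap


if __name__ == "__main__":
    for run in consecutive_runs(proc_snapshot()):
        print("same executable, consecutive PIDs:", run)
```

Legitimate services (a pre-forking web server, cron jobs) also produce such runs, so the output is a triage list to be compared against the expected process tree, not a verdict on its own.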

Decrypts various strings and obtains user information, including the system version.

Gets user login information with getpwnam.

Checks the files /bin/false, /sbin/login and /usr/sbin/nologin.

Gets the user login password entry with getpwuid.

Reads the user login log /var/log/lastlog.
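Since the sample both reads and clears /var/log/lastlog, a defender can detect the wipe by comparing a baseline copy of the file with the current one. The following Python is an added example written for this page, not code from the report: it parses the glibc lastlog record layout (a 32-bit timestamp, a 32-byte tty and a 256-byte host, 292 bytes per UID, indexed by UID) and reports UIDs whose last-login record existed in the baseline but is zero or missing now. The two snapshots are constructed inline; the layout is the one used on x86 and x86_64 Linux and would need adjusting for Solaris.

```python
import struct

# glibc lastlog record on x86/x86_64 Linux: int32 ll_time, char ll_line[32],
# char ll_host[256]. The record for UID n sits at byte offset n * 292.
LASTLOG_FMT = "<i32s256s"
RECORD_SIZE = struct.calcsize(LASTLOG_FMT)  # 292


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def parse_lastlog(data: bytes) -> dict:
    """Map UID -> (timestamp, tty, host) for every non-empty record."""
    records = {}
    for uid in range(len(data) // RECORD_SIZE):
        ts, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * RECORD_SIZE)
        if ts == 0 and not line.strip(b"\x00") and not host.strip(b"\x00"):
            continue  # all-zero record: never logged in, or wiped
        records[uid] = (ts, _cstr(line), _cstr(host))
    return records


def cleared_entries(before: bytes, after: bytes) -> list:
    """UIDs with a last-login record in `before` but none in `after`.
    A truncated or fully zeroed file shows up as every UID being cleared."""
    old, new = parse_lastlog(before), parse_lastlog(after)
    return sorted(uid for uid in old if uid not in new)


def read_lastlog(path: str = "/var/log/lastlog") -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def make_record(ts: int, line: str, host: str) -> bytes:
    """Build one record; struct pads the string fields with NULs."""
    return struct.pack(LASTLOG_FMT, ts, line.encode(), host.encode())


# Constructed snapshots: UID 0 never logged in, UIDs 1 and 2 have records
# in the baseline; afterwards the whole file has been zeroed.
EMPTY_RECORD = b"\x00" * RECORD_SIZE
LASTLOG_BEFORE = (EMPTY_RECORD
                  + make_record(1457568000, "pts/0", "10.0.0.5")
                  + make_record(1457571600, "tty1", ""))
LASTLOG_AFTER = EMPTY_RECORD * 3

if __name__ == "__main__":
    print("cleared UIDs:", cleared_entries(LASTLOG_BEFORE, LASTLOG_AFTER))
```

In practice the baseline comes from a periodic copy of /var/log/lastlog kept off-host (or from a file-integrity monitor), since a record going from populated to zero without a corresponding reboot or log rotation is the signal worth alerting on.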

3.1.4 Dynamic loading of functions and data

All functions and data called by this sample are loaded dynamically, so dynamic debugging is needed during analysis. Through dynamic analysis we recovered the decrypted function call addresses as follows:

Figure 5 Function call addresses

3.1.5 String decryption analysis

A custom encryption algorithm is used inside the sample to protect the strings it uses internally. The algorithm is called 115 times. The encryption algorithm is as follows:

Figure 6 Linux sample string encryption algorithm

3.1.6 Network communication encryption

When the Linux DoubleFantasy sample communicates over the network, the 16-byte key hard-coded in the sample is the same 16-byte key that DoubleFantasy uses to encrypt registry-related data in the Windows platform sample:

66 39 71 3c 0f 85 99 81 20 19 35 43 fe 9a 84 11

A sub-key is then derived from this key by calculation.

The custom algorithm of the Linux sample is the same as that of the Windows sample, and only one encryption key is used (because Linux has no registry, there is no registry encryption function). The key is the same as the one used for registry data encryption on the Windows platform (which has two groups of keys: one for the registry and one for network communication). The following figure shows that the two-level key transformation algorithm is the same on both platforms (refer to the Windows encryption algorithm analysis for the specific algorithm).

Figure 7 Two-level key transformation algorithm

3.1.7 Network control instructions

The instruction branch part of the Linux sample is basically the same as the Windows part analyzed in the report Antiy released earlier. The Linux sample has nine branch instructions with similar functions. The instruction codes are 0x4a, 0x4b, 0x60, 0x70, 0x75, 0x76, 0x78, 0x79 and 0x80.

Figure 8 Instruction branch codes of the Linux sample

The Linux sample's functions are the same as those of the Windows sample in terms of instructions, with only slight differences in how system information is obtained. The format in which the Linux sample obtains information is shown in the figure:

Figure 9 Linux sample information acquisition format

Description of the information acquisition format:

The Equation Group may have created what is the first malicious code with rootkit properties for the SPARC architecture [9], providing cover for the Solaris [10] version of DoubleFantasy.

4.1 Solaris system and SPARC architecture

Solaris is a computer operating system developed by Sun Microsystems. It runs on the SPARC or x86 architecture and is mainly used on workstations and servers. Malicious code on the Solaris platform is relatively rare. According to Antiy's statistics, even counting the earlier SunOS period, the number of malicious code variants in compiled binary form is no more than 60, and almost all of them target the x86 platform.

SPARC stands for "Scalable Processor Architecture" and is one of the RISC microprocessor architectures. Its instruction set differs significantly from x86, and it has its own distinctive register windows, delay slots and procedure call conventions.

SPARC computers are generally used in industrial and aerospace-related fields; their use in IDC and general IT scenarios is extremely rare.

4.2 Rootkit hiding module

This module is a rootkit program for the Solaris platform on the SPARC architecture. Like other rootkits, it is mainly responsible for hiding the main function sample files, related derived files and itself, including process, file and service information. It runs first on the target machine, surveys the system environment, configuration information and network status of the target machine, and hides the specified files and processes.

4.2.1 File labels

4.2.2 Sample main function

There are 249 functions in the sample. The figure shows the main function flow of the sample; some functions are relatively complex, and the sample also contains many kinds of encrypted data.

Figure 10 Sample main function

4.2.3 Derived file name and path

After the sample runs, a file name is generated by combining two sets of strings configured internally; this is used as its new file name and the sample is copied to the /sbin/ directory.

It can be seen from the above table that these words are high-frequency words or prefixes used in system files and system commands. The sample's file name is therefore carefully constructed and very confusing: among system files, it is difficult for an ordinary administrator to detect the difference.

4.2.4 Startup script

The sample starts as a service and creates a script (S85s%) in the /etc/rc.d/ directory. The script is run as a service at startup with the start parameter.

Figure 11 Service script

The content of the S85s% file is encrypted. When the sample runs, it calls its own function to decrypt it, modifies the variable holding its file name, and then writes it to the /etc/rc.d/ directory (the sample's own path is substituted at the %e position below).

Figure 12 Content of the script after decryption

4.2.5 Hiding directories and files

The sample computes the MD5 of the target machine's hostid, then applies a Base64-like encoding to the MD5 digest. Finally it takes the first six characters, concatenates ".tmp" with these six characters to form the folder name, and creates the folder.

Figure 13 Folder name created by the sample

Depending on the run parameters, the sample also copies other files into this folder for execution, and it is responsible for hiding all files under this folder.
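The naming scheme above gives a hunter two handles: the fixed `.tmp` prefix plus six encoded characters, and the fact that the name is a deterministic function of the host's hostid. The Python below is an added example written for this page, not code from the report or from the sample. Because the report says only "Base64-like", the candidate-name function ASSUMES standard and URL-safe Base64 over both the raw 16-byte digest and its 32-character hex form and returns every candidate; the directory pattern matcher does not depend on that assumption. Note that while the rootkit is active it hides its own directory from userland listing, so the walk is most useful against a mounted disk image or from a rescue boot.

```python
import base64
import hashlib
import os
import re

# Directory name pattern from the analysis: ".tmp" + six characters from a
# Base64-like encoding. Case-insensitive, since the report does not fix the case.
HIDDEN_DIR_RE = re.compile(r"^\.tmp[A-Za-z0-9+/_=-]{6}$", re.IGNORECASE)


def candidate_dir_names(hostid: str) -> list:
    """Names the sample could derive for this host.
    ASSUMPTION: the "Base64-like" step is standard or URL-safe Base64, applied
    either to the raw MD5 digest or to its hex string; all variants are returned."""
    raw = hashlib.md5(hostid.encode()).digest()
    hexd = hashlib.md5(hostid.encode()).hexdigest().encode()
    names = set()
    for payload in (raw, hexd):
        for enc in (base64.b64encode, base64.urlsafe_b64encode):
            names.add(".tmp" + enc(payload).decode()[:6])
    return sorted(names)


def match_hidden_dir_names(entries) -> list:
    """Filter directory entry names down to those matching .tmpXXXXXX."""
    return sorted(e for e in entries if HIDDEN_DIR_RE.match(e))


def hunt(roots=("/", "/tmp", "/var/tmp", "/usr", "/etc"), hostid=None) -> list:
    """Walk a few top-level directories (or an image mounted under them) for
    matching directory names; if hostid is given, flag exact candidates first."""
    wanted = set(candidate_dir_names(hostid)) if hostid else set()
    hits = []
    for root in roots:
        try:
            entries = os.listdir(root)
        except OSError:
            continue
        for name in match_hidden_dir_names(entries):
            path = os.path.join(root, name)
            if os.path.isdir(path):
                tag = "exact hostid match" if name in wanted else "pattern match"
                hits.append((path, tag))
    return hits


if __name__ == "__main__":
    for path, tag in hunt():
        print(tag, path)
```

On Solaris the hostid is the 8-hex-digit value printed by `hostid(1)`; whether the sample hashes that text or the raw integer is not stated in the report, so on a real case compare the candidates against what the walk actually finds rather than trusting a single derived name.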

4.2.6 Version judgment

The sample uses the uname function to check that the system is not the sun4m or sun4d variant. By reading the /dev/ksyms file, it determines the system architecture: i386, IA64, SPARC or sparcv9. It requires the SPARC architecture, and the release version must be 5.1.

Figure 14 Version determination

4.2.7 Encrypted configuration data

There are many encryption algorithms in the sample, one of which is called many times. We analyzed it and decrypted its data.

Figure 15 Encryption algorithm

Decrypted data:

4.2.8 Decrypting and executing other code/samples for the Solaris system and SPARC architecture

The sample appends encrypted data at the end of its file. After execution it determines the size of the encrypted data from the trailing data and parses and reads it according to a defined format; we infer that the encrypted data is loaded and executed after decryption.

4.3 SPARC architecture module of DoubleFantasy

The functions of this sample are basically the same as those of the Windows and Linux platform samples. The main differences are the CPU architecture, the assembly instructions, where configuration information is stored, and how system information is obtained.

4.3.1 File labels

4.3.2 Basic functions

Initializes strings and dynamic arrays, and decrypts internal configuration information.

Connects to Google or Yahoo to determine network connectivity status.

Connects to the remote URL address. The sample collects the host's information and sends it back to the remote address, then waits for the remote host to send instructions.

It can read the system account password file and thereby steal user and password information.

The sample runs as a daemon, which protects it from being terminated.

This sample uses a variety of encryption algorithms to encrypt string information.

Obtains a large amount of system information and sends it back to the server (computer name, IP address, process information, account information, etc.; see the detailed analysis later in this chapter).

In the network instruction part there are 7 network instructions. Their function is the same as in the Windows version, and the corresponding operations can be performed on the computer. For the detailed functions of the corresponding instructions, see the detailed analysis later in this chapter.

4.3.3 Configuration information encryption

Because the Solaris system has no Windows registry, the configuration data of this sample is decrypted directly and then used. One of the decryption algorithms is shown below; this decryption function is called 63 times in total.

Figure 16 String decryption

The decrypted string information is shown in the following table:

Another string encryption algorithm is used to protect the configuration information needed while the sample runs. The decryption algorithm is as follows:

Figure 17 Another decryption algorithm

See the following table for the decrypted contents:

4.3.4 Network communication encryption

The custom encryption algorithm of the Solaris sample is the same as that of the Windows sample, and only one encryption key is used (because there is no registry in Solaris, there is no registry encryption function). The key is the same as the registry data encryption key on the Windows platform, and the custom encryption algorithm is the same on both platforms (refer to section 3.1.6 for the specifics of the algorithm).

Through the analysis of Antiy CERT, the original 16-byte key is obtained as follows:

66 39 71 3c 0f 85 99 81 20 19 35 43 fe 9a 84 11

The length is 16 bytes, the same as the original 16-byte key length of the Windows sample.

Since the Solaris and Windows samples use the same algorithm to derive the network communication sub-key, the same sub-key is generated.

This sub-key is used to encrypt and decrypt the data sent and received.
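The same 16-byte key appearing hard-coded in the Linux sample (section 3.1.6), the Solaris sample (this section) and the Windows registry-data path makes it a useful static indicator across all three platforms. The Python below is an added example written for this page, not code from the report: it scans a file for that byte sequence in fixed-size chunks while carrying over the last 15 bytes of each chunk, so a key that straddles a chunk boundary is still found and reported at its true offset. The ELF-like blob it scans is constructed inline for the demonstration.

```python
import io

# The 16-byte key reported for the Linux and Solaris DoubleFantasy samples
# (identical to the Windows registry-data key).
DOUBLEFANTASY_KEY = bytes.fromhex("66 39 71 3c 0f 85 99 81 20 19 35 43 fe 9a 84 11")


def find_key_offsets(data: bytes, key: bytes = DOUBLEFANTASY_KEY) -> list:
    """Every offset at which `key` occurs in `data` (overlapping hits included)."""
    offsets, start = [], 0
    while True:
        idx = data.find(key, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_stream(fh, key: bytes = DOUBLEFANTASY_KEY, chunk: int = 1 << 20) -> list:
    """Chunked scan of a binary stream. The last len(key)-1 bytes of the
    previous chunk are prepended to the next one so a key straddling a chunk
    boundary is still matched, and its absolute offset is reported."""
    hits, tail, consumed = [], b"", 0
    overlap = len(key) - 1
    while True:
        block = fh.read(chunk)
        if not block:
            break
        buf = tail + block
        base = consumed - len(tail)  # absolute file offset of buf[0]
        hits.extend(base + off for off in find_key_offsets(buf, key))
        tail = buf[-overlap:] if overlap else b""
        consumed += len(block)
    return sorted(set(hits))


def scan_bytes(data: bytes, **kw) -> list:
    return scan_stream(io.BytesIO(data), **kw)


def scan_file(path: str, **kw) -> list:
    with open(path, "rb") as fh:
        return scan_stream(fh, **kw)


# Constructed blob standing in for a captured binary: the key sits at
# offsets 24 and 73, the rest is filler.
SAMPLE_BLOB = (b"\x7fELF" + b"\x00" * 20 + DOUBLEFANTASY_KEY
               + b"A" * 33 + DOUBLEFANTASY_KEY + b"\x00" * 5)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for off in scan_file(path):
            print(f"{path}: key at offset 0x{off:x}")
```

The same 16 bytes drop straight into a YARA `$key = { 66 39 71 3c 0f 85 99 81 20 19 35 43 fe 9a 84 11 }` string; the Python version is handy where YARA is not available on the Solaris or SPARC host being examined.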

4.3.5 Network control instructions

In analyzing the Solaris sample, we found that it has fewer functions than the Windows sample. There are only seven instructions on the Solaris platform, which are basically the same as those on Windows. The following is a comparison of IDA graphs for the two platforms. It can be seen from the graphs that the Solaris sample has far fewer instructions than the Windows sample, and its structure graph is also very simple.

Figure 18 Comparison of network instruction structure between the Windows and Solaris platforms

In the figure above, the instruction functions of the Solaris sample do not appear to be implemented. At first we thought the Solaris sample's instruction functions were unfinished. However, further analysis showed that the Solaris sample uses a special dynamically computed jump to reach the different instruction branch code. The red part in the figure below is the instruction branch after dynamic calculation.

Figure 19 Solaris instruction branch function

The functions of each instruction in the Solaris sample are briefly described as follows. In general they are the same as the Windows instructions:

The download-and-execute part of the sample is the same as on Windows, using the same instruction tag and the same three steps (create, write, execute) to complete the download-and-execute function. The difference is in code structure: the Solaris sample integrates the three instructions into one function.

When executing a file, it first sets the file permissions and then uses the execle function to execute the file with parameters:

Parameter 1: path of file B

Parameter 2: file name of B, or "sendmail" (presumably mail-related)

Parameter 3: 0

Parameter 4: PATH=%PATH% (environment variable)

For example: execle("/usr/bin/sample", "sample", NULL, %ENVP%);

Figure 20 Execution file parameters

The instruction functions and packet format of the Solaris sample are the same as those of the Windows sample. For the detailed functions and packet format of the instructions, see the instruction analysis of the Windows platform sample.

The system information collected by the Solaris sample differs slightly from that of Windows, as follows:

5.1 Driving the improvement of China's information defense capability with real threats

Antiy hopes to use its own work to tell Chinese users that the various revelations about the full-platform coverage of super attack organizations are not legends but a real threat and an established fact.

In China's security defense practice there is a preconceived view that nodes exposed on the Internet, and even intranets that can reach the Internet, do not store high-value information because of various regulations and constraints. "All valuable information lives on the isolated network" is a fine vision, but not the real situation in an era of mass production and high-speed flow of information. At the same time, in the era of big data, the definition and scope of high-value information keep changing, more information assets are inevitably distributed across public network systems, and snooping and attacks on those assets keep increasing. Super attack groups are the initiators and long-term practitioners of such attacks.

An intrusion into a DNS server can assist malicious code injection and information hijacking against other network targets; an implant on a mail server can capture all users' mail in one net; and persistence on an operator's backbone nodes can be used to obtain all-round information, including harvesting the "easy wins" of the kind pursued by the CAMBERDADA [11] plan.

Note: the CAMBERDADA plan is a surveillance program exposed by Snowden. Through persistent nodes at operators, the relevant organization monitors the emails users send to anti-virus vendors to find out whether its attacks have been exposed, and to capture and reuse other parties' samples.

When the myth of "physical isolation" has come to an end, General Secretary Xi Jinping reminded domestic users and network security workers in his April 19 speech: "physical isolation" can be crossed over the network, power distribution instructions can be maliciously tampered with, and financial transaction information can be stolen. These are major risks.

However, China's huge and fragile information infrastructure faces opponents armed to the teeth. The scale of the code engineering behind the attack payloads, the precise design of the work chain and the all-round platform coverage with no blind spots demonstrate the unprecedented attack capability of super attack organizations such as the Equation Group. According to the relevant disclosures, the attacks the group has launched against a large number of key targets over a period of several years also show its firm determination. In earlier research Antiy called organizations with similar attack capability A2PT and gave some A2PT evaluation criteria from the perspective of the malicious code payload; these criteria match the behavior and capabilities of the Equation Group very closely.

As we have summarized before, the relevant super attack organizations have "formed network attack teams, huge supporting engineering systems and standardized attack equipment libraries, powerful vulnerability collection, analysis and mining capabilities with associated resource reserves, as well as systematic operational procedures and manuals, with equipment systems covering every scenario, and exploitation tools and malicious code payloads covering every platform and every link with the ability to persist." In the face of such systematic, industrialized and highly targeted attacks, the perpetual motion machine is doomed to stop and the silver bullet is doomed to misfire. To achieve defensive effect and trace the source, we can only gradually seize the initiative through a clear strategy, full cost investment, systematic defense against systematic attack [12], and long-term, hard and solid work and capacity building.

5.2 Our efforts, and expectations for in-depth cooperation among capable vendors

Since 2010, Antiy has carried out in-depth analysis of advanced attack operations and attack organizations such as Stuxnet, Duqu, Flame, APT-TOCS, White Elephant, the Ukraine blackout and Equation, and has issued hundreds of pages of analysis reports. There is no doubt that the capability of advanced threat detection products is continuously improved by relying on a solid and effective analysis process. Antiy has released a product system for advanced threat detection and situational awareness: Antiy's network threat detection system improves the depth and capability of threat detection on the user's traffic side, Antiy's Intelligent Endpoint Defense System provides users with a variety of defense strategies including "whitelist + security baseline", and Antiy's threat analysis platform gives users the ability to analyze threat payloads in depth by dynamic and static means. Antiy also plays a key role in building situational awareness, notification and early-warning platforms for multiple industries and departments, providing overall design support, development integration, and key detection and analysis capabilities.

Antiy regards its next-generation threat detection engine, highly customized in-depth analysis, asset- and threat-oriented interactive visual analysis, and knowledge and intelligence support as the product genes through which it delivers effective, practical user value.

However, Antiy also sees objectively that, faced with the powerful capability, firm will and unimaginable attack budget of super attack organizations, it is difficult for any single vendor to fulfil its mission by fighting alone. Antiy has therefore always advocated, together with the industry, active cooperation and mutual recognition of capabilities among capable security vendors. In the earlier analysis of and response to the cyber attacks from the South Asian subcontinent, although Antiy named the incident "White Elephant" and 360 Enterprise Security named it "Mahacao", both sides exchanged information effectively while forming their reports, and cited and recognized each other's analysis results, which is a good start. We believe that such cooperation among capability-based security vendors will become more and more common.

5.3 Looking forward to a more secure Internet world

At present, the full coverage of super attack organizations has caused security anxiety among global users that "everything is untrustworthy". Last year, some domestic media reports on the Equation attacks interpreted them as meaning that current mainstream hard disks have backdoors, which is a misunderstanding. However, when a super attack organization is so powerful that one can only guess and imagine, it is impossible not to cause panic, and this leads to serious doubts about superpowers "abusing their supply chain and information flow advantages".

However, the recent Equation attack code disclosure event and the earlier exposure of the "ANT" equipment system show us the possibility of exploit reserves and attack ideas flowing to cybercriminal organizations and even terrorist organizations. Given the low cost of replicating network attack technology, there is a serious risk of cyber arms proliferation. Therefore, whether a superpower can reasonably control the speed and scale of its own cyber armament development, and effectively intervene in and control the armament proliferation in the cyber domain that may result from its failure to fulfil its responsibilities, is the key factor in achieving a more secure network world.

We look forward to a more secure network world, and we will work hard for it!

If any technical problems or questions are found in this report issued by Antiy, please contact an Antiy engineer. We will revise the report in the website version.

Click the links below to view the two previous analysis reports Antiy has issued on the Equation Group.


This analysis report is issued by the Antiy Security Research and Emergency Response Center (Antiy CERT). You are welcome to forward it without alteration.

Mistakes and omissions in this report are inevitable. Experts and researchers in the industry are invited to post comments and corrections.

Antiy

Starting from an anti-virus engine R&D team, Antiy has developed into a security group with Antiy Labs as its headquarters and an enterprise security company and a mobile security company as its two wings. Antiy always adheres to the corporate belief of safeguarding user value, advocates independent R&D and innovation, and has built a full capability chain spanning security detection engines, mobile security, network protocol analysis and reconstruction, dynamic analysis, endpoint protection, virtualization security and more. Antiy's monitoring and early-warning capability covers the whole country, and its products and services reach many countries. Antiy effectively combines big data analysis and security visualization technology with its product system, and uses its massive automated sample analysis platform to extend the working capacity of its engineering team and shorten the product response cycle. Combining the massive security threat knowledge base accumulated over many years with its experience in big data analysis and security visualization, Antiy has put forward solutions for advanced persistent threats (APT) and for situational awareness, monitoring and early warning of large-scale networks and critical infrastructure.

More than 30 well-known security and IT companies around the world have chosen Antiy's anti-virus engine, which provides security protection for nearly 100,000 network and network security devices and nearly 200 million mobile phones. Antiy's mobile detection engine is the first Chinese product in the world to win the annual AV-TEST award.

Antiy's technical strength has been recognized by industry regulators, customers and partners. Antiy has been awarded the national security emergency support unit qualification for four consecutive years, and is one of the first six first-level support units of China's national information security vulnerability database. Antiy is an important enterprise node in China's emergency response system. In major security events such as Code Red, Password Worm, Stuxnet, Shellshock, Sandworm and Equation, Antiy has provided early warning, in-depth analysis or system solutions.

For more information, please visit:

Http:// (Chinese)

Http:// (English)
