Julien Vehent: Shellshock IOC search using MIG

Пятница, 26 Сентября 2014 г. 03:06 + в цитатник

Shellshock is being exploited. People are analyzing malwares dropped on systems using the bash vulnerability.

I wrote a MIG Action to check for these IOCs. I will keep updating it with more indicators as we discover them. To run this on your Linux 32 or 64 bits system, download the following archive: mig-shellshock.tar.xz

Download the archive and run mig-agent as follow:

$ wget https://jve.linuxwall.info/ressources/taf/mig-shellshock.tar.xz

$ sha256sum mig-shellshock.tar.xz 
0b527b86ae4803736c6892deb4b3477c7d6b66c27837b5532fb968705d968822  mig-shellshock.tar.xz

$ tar -xJvf mig-shellshock.tar.xz 
shellshock_iocs.json
mig-agent-linux64
mig-agent-linux32

$ ./mig-agent-linux64 -i shellshock_iocs.json

This will output results in JSON format. If you grep for "foundanything" and both values return "false", it means no IOC was found on your system. If you get "true", look at the detailed results in the JSON output to find out what exactly was found.

$ ./mig-agent-linux64 -i shellshock_iocs.json|grep foundanything
    "foundanything": false,
    "foundanything": false,

The full action for MIG is below. I will keep updating it over time, I recommend you use the one below instead of the one in the archive.

{
  "name": "Shellshock IOCs (nginx and more)",
  "target": "os='linux' and heartbeattime \u003e NOW() - interval '5 minutes'",
  "threat": {
    "family": "malware",
    "level": "high"
  },
  "operations": [
    {
      "module": "filechecker",
      "parameters": {
        "searches": {
          "iocs": {
            "paths": [
              "/usr/bin",
              "/usr/sbin",
              "/bin",
              "/sbin",
              "/tmp"
            ],
            "sha256": [
              "73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489",
              "ae3b4f296957ee0a208003569647f04e585775be1f3992921af996b320cf520b",
              "2d3e0be24ef668b85ed48e81ebb50dce50612fb8dce96879f80306701bc41614",
              "2ff32fcfee5088b14ce6c96ccb47315d7172135b999767296682c368e3d5ccac",
              "1f5f14853819800e740d43c4919cc0cbb889d182cc213b0954251ee714a70e4b"
            ],
            "regexes": [
              "/bin/busybox;echo -e '\\\\147\\\\141\\\\171\\\\146\\\\147\\\\164'"
            ]
          }
        }
      }
    },
    {
      "module": "netstat",
      "parameters": {
        "connectedip": [
          "108.162.197.26",
          "162.253.66.76",
          "89.238.150.154",
          "198.46.135.194",
          "166.78.61.142",
          "23.235.43.31",
          "54.228.25.245",
          "23.235.43.21",
          "23.235.43.27",
          "198.58.106.99",
          "23.235.43.25",
          "23.235.43.23",
          "23.235.43.29",
          "108.174.50.137",
          "201.67.234.45",
          "128.199.216.68",
          "75.127.84.182",
          "82.118.242.223",
          "24.251.197.244",
          "166.78.61.142"
        ]
      }
    }
  ],
  "description": {
    "author": "Julien Vehent",
    "email": "ulfr@mozilla.com",
    "revision": 201409252305
  },
  "syntaxversion": 2
}