by Mohamad Mokbel, Tim Yeh, Brian Cayanan
A seven-year-old vulnerability in Samba, an open-source implementation of the SMB protocol used by Windows for file and printer sharing, was patched last May but continues to be exploited. According to the security advisory released by the Samba project, the vulnerability allows a malicious actor to upload a shared library to a writable share and then cause the server to load and execute it. If leveraged successfully, an attacker can open a command shell on a vulnerable device and take control of it. It affects all versions of Samba since 3.5.0.
The vulnerability (CVE-2017-7494) was dubbed SambaCry because of passing similarities to the SMB vulnerability exploited by WannaCry. It was first seen exploited in June 2017, when the cryptocurrency miner EternalMiner/CPUMiner used it to compromise Linux machines and mine Monero. The previous sample we obtained showed that SambaCry was only being used to target servers, and that the payload was simply the cryptocurrency-mining malware. Now, more recent data shows that attackers are leveraging SambaCry for other purposes.
This more recent malware is detected as ELF_SHELLBIND.A and was found on July 3. Like the earlier in-the-wild uses of SambaCry, it opens a command shell on the target system. But ELF_SHELLBIND.A has marked differences that separate it from the earlier malware leveraging SambaCry. For one, it targets internet of things (IoT) devices, particularly the network-attached storage (NAS) devices favored by small and medium-sized businesses. ELF_SHELLBIND.A also targets different architectures, such as MIPS, ARM, and PowerPC. This is the first time we have seen SambaCry exploited without the cryptocurrency miner as the payload.
It is fairly easy to find devices that use Samba in Shodan: searching for port 445 together with a 'samba' string turns up a viable IP list. An attacker would then only need a tool that automatically writes malicious files to every IP address on the list. Once the files are written into the public folders, any device with the SambaCry vulnerability can become an ELF_SHELLBIND.A victim.
As we see in Figure 1 below, ELF_SHELLBIND.A typically arrives in public folders as a malicious shared object (.SO) file, which mirrors the earlier miner malware's routine for exploiting the SambaCry vulnerability. We can also tell that it is meant to exploit SambaCry because it is invoked via the exported function samba_init_module, which is the entry point the vulnerable Samba server calls when it loads this library automatically.
After uploading the .SO file to the public shared folder, the attacker needs to guess the absolute local path of the file on the server and send an IPC request (opening a named pipe on the IPC$ share whose name is that path) to trick the server into loading and running the locally stored file.
Figure 1. Samples of the malware files on a public shared folder
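The upload-then-load mechanism above gives defenders a cheap first check: a payload for this bug has to be an ELF shared object that exports samba_init_module, so any such file sitting on a writable share is worth pulling. The triage script below is an added example, not code from the original post or from Trend Micro. It walks a share directory, keeps only files with the ELF magic and an ET_DYN type (honouring the byte-order flag, since MIPS and PowerPC NAS builds are often big-endian), and flags those whose bytes contain the symbol name. The substring check is a heuristic, not an ELF symbol-table parse, so confirm hits with `nm -D` or `readelf --dyn-syms`; the share layout and the ELF stubs in `demo()` are constructed fixtures.

```python
"""Triage a writable Samba share for SambaCry-style payloads (added example)."""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2
ET_DYN = 3
SYMBOL = b"samba_init_module"


def is_suspicious_elf(data: bytes) -> bool:
    """True if data is an ELF shared object that names samba_init_module."""
    if len(data) < 18 or not data.startswith(ELF_MAGIC):
        return False
    # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian.
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)  # e_type lives at offset 16
    # ET_DYN also covers PIE executables; the symbol check filters those out.
    return e_type == ET_DYN and SYMBOL in data


def scan_share(root: str) -> list:
    """Walk a share and return the relative paths of suspicious objects, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if is_suspicious_elf(data):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def _fake_elf(e_type: int, big_endian: bool, symbol: bytes) -> bytes:
    """Constructed fixture: a 20-byte ELF header stub plus a string-table-like tail."""
    endian = ">" if big_endian else "<"
    ident = ELF_MAGIC + bytes([2, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(endian + "HH", e_type, 8)  # e_type, e_machine
    return header + b"\x00" * 44 + b"\x00" + symbol + b"\x00"


def demo() -> list:
    """Build a constructed share layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "public", "sub"))
        cases = {
            "public/libbind.so": _fake_elf(ET_DYN, False, SYMBOL),       # LE .so with the symbol
            "public/sub/mips.so": _fake_elf(ET_DYN, True, SYMBOL),       # BE .so with the symbol
            "public/libm.so": _fake_elf(ET_DYN, False, b"cos"),          # benign shared object
            "public/tool": _fake_elf(ET_EXEC, False, SYMBOL),            # executable, not loadable
            "public/notes.txt": b"samba_init_module mentioned in text",  # not an ELF file
        }
        for rel, data in cases.items():
            with open(os.path.join(share, rel), "wb") as fh:
                fh.write(data)
        return scan_share(share)


if __name__ == "__main__":
    print(demo())  # ['public/libbind.so', 'public/sub/mips.so']
```

Run it against the real share root (for example `scan_share("/srv/samba/public")`) from the NAS itself or from a host that mounts the share; since the attacker chooses the file name, do not rely on a `.so` extension.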
Once the malware is loaded via that exported function, it starts by calling the function change_to_root_user, which the Samba daemon (specifically for SMBv2) requires in order to run as root or as the EUID of the current user. The malware then detaches itself from whatever parent process it is running under (a Samba server process) and daemonizes (via the function detach_from_parent). It then sends what is known as a knock message to what we assume is its command-and-control (C&C) server in East Africa, 169[.]239[.]128[.]123, over TCP port 80. The knock message simply consists of:
The malware reads the server's response but never uses it in any way, and the socket is closed at this point. At this stage, the attacker has already obtained the system's IP address.
The malware then deletes the iptables rule that accepts all TCP traffic to port 61422 and adds it again, so that the firewall accepts all TCP connections to that port. It then opens a TCP socket listening on port 61422 and waits for a connection from the attacker. Once the attacker connects to this socket, the malware sends the message:
Welc0me to shell
The malware expects the attacker to enter the password:
If the attacker responds with the correct password, the malware sends the message:
If the response is not the correct password, it bails out.
Once the connection is established and the password is confirmed, the attacker has an open command shell on the infected system from which they can issue any number of system commands and essentially take control of the device. The malware executes whatever it receives over this socket (stdin, stdout, and stderr are all redirected to the socket) using the system shell at /bin/sh.
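The bind shell described above leaves two artifacts that are easy to check for without touching the C&C channel: a listener on TCP/61422 that greets any client with the fixed banner, and the iptables ACCEPT rule the malware inserts for that port. The script below is an added example, not code from the original post or from Trend Micro. `probe_bind_shell` connects, reads the greeting, and sends nothing, so a hit never reaches the password prompt and never runs a command on the device; `shellbind_accept_rules` scans `iptables -S` output for the opened port. The mock listener and the iptables text are constructed stand-ins so the script runs offline; the banner and port are the ones reported above.

```python
"""Check for ELF_SHELLBIND.A's bind-shell banner and firewall rule (added example)."""
import re
import socket
import threading

BANNER = b"Welc0me to shell"
BIND_PORT = 61422


def probe_bind_shell(host: str, port: int = BIND_PORT, timeout: float = 3.0) -> bool:
    """Connect and report whether the first bytes received are the backdoor banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            greeting = s.recv(64)  # the malware talks first; we never send anything
    except (OSError, socket.timeout):
        return False  # closed port, filtered, or a service that waits for the client
    return greeting.startswith(BANNER)


# "iptables -S" prints rules in command form; the malware's rule accepts all
# TCP traffic to its listening port.
_RULE = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+) .*-j ACCEPT$")


def shellbind_accept_rules(iptables_s_output: str, port: int = BIND_PORT) -> list:
    """Return the INPUT rule lines that accept TCP traffic to the backdoor port."""
    hits = []
    for line in iptables_s_output.splitlines():
        m = _RULE.match(line.strip())
        if m and int(m.group(1)) == port:
            hits.append(line.strip())
    return hits


def start_mock_host(greeting: bytes) -> tuple:
    """Constructed stand-in for a NAS: send a greeting, wait for hang-up, close.

    Binds an ephemeral port on 127.0.0.1 and returns (port, server_socket).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            conn.recv(1)  # returns b"" once the probe closes its side
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


# Constructed sample of "iptables -S" output from an infected host.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 61422 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def demo() -> dict:
    """Run both checks against the constructed hosts and rule listing."""
    infected_port, _ = start_mock_host(BANNER + b"\n")
    clean_port, _ = start_mock_host(b"SSH-2.0-OpenSSH_7.4\r\n")
    return {
        "infected": probe_bind_shell("127.0.0.1", infected_port),
        "clean": probe_bind_shell("127.0.0.1", clean_port),
        "rules": shellbind_accept_rules(SAMPLE_IPTABLES),
    }


if __name__ == "__main__":
    print(demo())
```

Against real hosts, run `probe_bind_shell(ip)` over the NAS address range you own and `shellbind_accept_rules(subprocess.check_output(["iptables", "-S"], text=True))` on the device itself; a banner hit is conclusive, while the firewall rule alone only tells you the port was opened and should prompt a look at listening sockets and at the smbd process tree.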
Conclusion and solutions
The OS patch has already been released for this vulnerability, which may limit the number of victims. Attackers also need writable access to a shared location on the target system to deliver the payload, another limiting factor that might stem the rate of infection.
Since this vulnerability was patched in May, users who update regularly are not affected. However, Unix- or Linux-based devices (which make up most IoT devices) are harder to protect. If Samba is enabled and the manufacturer has not shipped a patch, the device remains vulnerable. Users should proactively update or consult the specific manufacturer. Where no firmware update is available, the workaround published in the Samba advisory, setting `nt pipe support = no` in the [global] section of smb.conf, blocks the named-pipe request the exploit depends on, at the cost of some Windows client functionality.
Trend Micro™ Deep Security™ and virtual patching protect endpoints from threats such as fileless infections and those that abuse unpatched vulnerabilities. User systems are protected from threats that target the SambaCry vulnerability via the following DPI rule:
- 1008420-Samba Shared Library Remote Code Execution Vulnerability (CVE-2017-7494)
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without an engine or pattern update. Deep Discovery Inspector protects customers from this threat via this DDI rule:
TippingPoint customers are protected under the filter:
SHA256 for ELF_SHELLBIND.A:
Updated on July 18, 2017, 9PM CDT