Mystery Malware Examined

In a previous post, I looked inside a hacker's toolkit, and found two "mystery files", "i" and "f".

Analysis of these files has revealed that these files were both Linux executables.

In addition to forwarding these files to AV vendors, I am analyzing these files myself.

Using decompile-it.com, I was able to retrieve source code for "i", and limited source for "f".



"i" (with is 4.7% detection rate) was compiled in debug mode, and contains three source files.  It appears to be some sort of SSH scanner.  Unfortunately it's been a while since I programmed, so if anyone can shed some light on what this code does, please post a comment.

Auth.c:
#include "auth.c.h"
static char *keys_path[5] =
{ 0, "%s/.ssh/identity", "%s/.ssh/id_dsa",
"%s/.ssh/id_rsa", 0 };
static char *pub_keys_path[5] =
{ 0, "%s/.ssh/identity.pub", "%s/.ssh/id_dsa.pub",
"%s/.ssh/id_rsa.pub", 0 };
int ask_userauth( SSH_SESSION *session )
{
if ( session->auth_service_asked == 0 &&
ssh_service_request( session, "ssh-userauth" ) == 0 )
{
session->auth_service_asked++;
}
return 0;
}
void burn( char *ptr )
{
if ( ptr )
{
( ptr );
}
return;
}
int wait_auth_status( SSH_SESSION *session, int kbdint )
{
int err;
/* phantom */ int cont;
STRING *can_continue;
u8 partial = 0;
char *c_cont;
channels.c:
#include "channels.c.h"
CHANNEL *channel_new( SSH_SESSION *session )
{
int ebx;
int edi;
/* phantom */ CHANNEL *channel;
memset( malloc( 72 ), 0, 72 );
*(int*)malloc( 72 )/*.8*/ = session->error.error_code;
*(int*)malloc( 72 )/*.64*/ = session->version;
*(int*)malloc( 72 )/*.52*/ = buffer_new( );
*(int*)malloc( 72 )/*.56*/ = buffer_new( );
if ( *(int*)(malloc( 72 ) + 8 + 1212) == 0 )
{
session->channels = malloc( ( 1 ) * sizeof( CHANNEL ) );
*(int*)malloc( 72 )/*.4*/ = malloc( 72 );
}
*(int*)malloc( 72 )/*.4*/ = *(int*)(malloc( 72 ) + 8 + 1212);
*(int*)(malloc( 72 )) = *(int*)(*(int*)(malloc( 72 ) + 8 + 1212));
*(int*)(*(int*)(malloc( 72 )) + 4) = malloc( 72 );
return *(int*)(malloc( 72 )) + 4;
}
u32 ssh_channel_new_id( SSH_SESSION *session )
{
session->maxchannel++;
return session->maxchannel;
}

client.c:
#include "client.c.h"
char *ssh_get_banner( SSH_SESSION *session )
{
char buffer[128];
int i = 0;
do
{
if ( session->fd < 0 || read( session->fd, buffer, 1 ) <= 0 )
{
ssh_set_error( (void*)session, 2, "Remote host closed connection" );
return 0;
}
if ( buffer[0] != '\r' )
{
if ( ebx == '\n' )
{
buffer[ i ] = 0;
return strdup( buffer );
}
i++;
}
else
{
i++;
buffer[0] = 0;
if ( i + 1 == 127 )

Unfortunately "f" (with its 7% detection rate) was not compiled in debug mode, and can not be as easily examined.  However, its purpose can be inferred by the char arrays (strings) which are contained within the program:

// Minimal support for non-debug binary...
char _fp_hw[];
char _IO_stdin_used[];
char esel[];
char initial_perm[];
char BITMASK[];
char longmask[];
char rots[];
char pc1[];
char bytemask[];
char pc2[];
char perm32[];
char final_perm[];
char sbox[];
char any_descr[];
char _nl_C_name[];
char pcap_version_string[];
char charmap[];
char _dl_out_of_memory[];
char map[];
char yy_ec[];
char yy_accept[];
char yy_def[];
char yy_meta[];
char yy_base[];
char yy_chk[];
 Based upon the "pcap_version_string" I believe it may be safe to say that "f" is a packet sniffer of some sort.