The-Binary Advisory
The-Binary has been found actively utilized in the wild running as [mingetty]. The-Binary acts as a relay, passing information from an attacker to a 3rd party. The 3rd party is most likely a binary which processes the commands. The-Binary uses IP protocols 11 and 255 to pass encrypted data and avoid customary points of detection (e.g. firewalls).
The covert channels which the binary relays can be blocked by filtering IP protocols 11 and 255 at the firewalls or other perimeter defense devices.
To check if a system is running the binary, perform a "netstat -an|grep raw", to review all the open raw sockets.
[scarbaci@honeyp binary]# netstat -an|grep raw
raw        0      0 0.0.0.0:11              0.0.0.0:*               7

This line shows evidence that the binary is listening on a raw socket using IP protocol 11.
Since the binary modifies its process name, it can be saved on the hard drive under any name. To find the location of the binary, the process id needs to be identified. To find the process id perform "ps -ef|grep mingetty".
[scarbaci@honeyp binary]$ ps -ef|grep mingetty
root      1448     1  0 Aug12 tty5     00:00:00 /sbin/mingetty tty5
root     32043     1  0 08:25 ?        00:00:00 [mingetty]
root     32073 21072  0 08:33 tty1     00:00:00 grep mingetty

In this example, The-Binary hides itself as "[mingetty]", which in this case has the process id of 32043. Note that the genuine mingetty runs as /sbin/mingetty on a tty, while the disguised process shows a bracketed name with no controlling terminal. With the process id, the location can be found by viewing the process's exe link in the proc filesystem. To find the link perform the following command, "ls -l /proc/X/exe", where X is the process id.
[scarbaci@honeyp binary]$ ls -l /proc/32043/exe
lrwxrwxrwx    1 root     root            0 May 29 08:39 /proc/32043/exe -> /usr/swdev/binary/reverse/the-binary

First remove the binary from memory by sending it a kill signal.
[scarbaci@honeyp binary]$ kill -9 32043

Then remove the file from the system.
[scarbaci@honeyp binary]$ rm /usr/swdev/binary/reverse/the-binary
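The steps above (check raw sockets for protocols 11 and 255, find the disguised [mingetty] process, resolve its executable, and prepare perimeter filters) can be scripted so they are repeatable across hosts. The following POSIX shell script is an added example written for this advisory; it is not part of the original text and not code from the Honeynet challenge. The netstat and ps listings embedded in it are constructed samples modelled on the output shown above, the functions read that style of listing from standard input, and the iptables rules are only printed, not applied.

```shell
#!/bin/sh
# Added example: scripted checks for the indicators described in the advisory.
# All sample data below is constructed for demonstration.

# Constructed sample of "netstat -an" raw-socket lines. On Linux, the local
# address of a raw socket is shown as 0.0.0.0:<IP protocol number>.
SAMPLE_NETSTAT='raw        0      0 0.0.0.0:11              0.0.0.0:*               7
raw        0      0 0.0.0.0:255             0.0.0.0:*               7
raw        0      0 0.0.0.0:1               0.0.0.0:*               7'

# Constructed sample of "ps -ef" output: one genuine mingetty on tty5 and
# one bracketed "[mingetty]" with parent PID 1 and no controlling terminal.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      1448     1  0 Aug12 tty5     00:00:00 /sbin/mingetty tty5
root     32043     1  0 08:25 ?        00:00:00 [mingetty]'

# Read netstat-style lines on stdin; print the IP protocol number of every
# raw socket bound to protocol 11 or 255 (the two protocols The-Binary uses).
suspicious_raw_protocols() {
    awk '$1 == "raw" {
            split($4, a, ":")       # a[2] is the protocol number
            if (a[2] == "11" || a[2] == "255") print a[2]
        }'
}

# Read ps -ef style lines on stdin; print the PID of every process whose
# command is exactly "[mingetty]". A real mingetty shows its full path and a
# tty argument, so the bare bracketed name is the indicator to look for.
disguised_mingetty_pids() {
    awk '$8 == "[mingetty]" { print $2 }'
}

# Resolve the on-disk path of a running PID through the proc filesystem,
# the same lookup as "ls -l /proc/X/exe" in the advisory (requires /proc).
locate_exe() {
    readlink "/proc/$1/exe"
}

# Print (do not apply) iptables rules that drop IP protocols 11 and 255 at
# a perimeter host; iptables accepts a numeric protocol after -p.
firewall_block_rules() {
    for proto in 11 255; do
        printf 'iptables -A INPUT -p %s -j DROP\n' "$proto"
        printf 'iptables -A FORWARD -p %s -j DROP\n' "$proto"
    done
}

# Stand-alone run against the constructed samples; on a live host replace
# the samples with "netstat -an" and "ps -ef" output.
echo "raw sockets on suspicious protocols:"
printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_raw_protocols
echo "disguised [mingetty] PIDs:"
printf '%s\n' "$SAMPLE_PS" | disguised_mingetty_pids
echo "perimeter rules to apply:"
firewall_block_rules
```

On a live host, feed the real listings instead of the samples (`netstat -an | suspicious_raw_protocols`, `ps -ef | disguised_mingetty_pids`), then pass each reported PID to `locate_exe` before killing the process and removing the file, exactly as the advisory describes.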