[attacker: 61.139.5.22] [2015-07-03 02:54:44]: New connection: 61.139.5.22:63692
[attacker: 61.139.5.22] [2015-07-03 02:54:54]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:21:08]: New connection: 61.160.213.58:2523
[attacker: 61.139.5.22] [2015-07-03 03:21:08]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:08]: Login failed [admin/admin]
[attacker: 61.139.5.22] [2015-07-03 03:21:09]: Login failed [admin/1234]
[attacker: 61.139.5.22] [2015-07-03 03:21:10]: Login failed [admin/12345]
[attacker: 61.139.5.22] [2015-07-03 03:21:11]: Login failed [admin/123456]
[attacker: 61.139.5.22] [2015-07-03 03:21:13]: Login failed [admin/1234567]
[attacker: 61.139.5.22] [2015-07-03 03:21:14]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:21:14]: New connection: 61.160.213.58:4182
[attacker: 61.139.5.22] [2015-07-03 03:21:14]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:14]: Login failed [admin/12345678]
[attacker: 61.139.5.22] [2015-07-03 03:21:15]: Login failed [admin/123456789]
[attacker: 61.139.5.22] [2015-07-03 03:21:16]: Login failed [admin/1234567890]
[attacker: 61.139.5.22] [2015-07-03 03:21:17]: Login failed [admin/password]
[attacker: 61.139.5.22] [2015-07-03 03:21:18]: Login failed [admin/root]
[attacker: 61.139.5.22] [2015-07-03 03:21:20]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:21:20]: New connection: 61.160.213.58:1774
[attacker: 61.139.5.22] [2015-07-03 03:21:20]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:20]: Login failed [admin/onlime]
[attacker: 61.139.5.22] [2015-07-03 03:21:21]: Login failed [admin/mts]
[attacker: 61.139.5.22] [2015-07-03 03:21:22]: Login failed [admin/1]
[attacker: 61.139.5.22] [2015-07-03 03:21:23]: Login failed [admin/123]
[attacker: 61.139.5.22] [2015-07-03 03:21:24]: Login failed [admin/0000]
[attacker: 61.139.5.22] [2015-07-03 03:21:25]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:21:25]: New connection: 61.160.213.58:4889
[attacker: 61.139.5.22] [2015-07-03 03:21:26]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:26]: Login failed [admin/00000000]
[attacker: 61.139.5.22] [2015-07-03 03:21:27]: Login failed [admin/qwerty]
[attacker: 61.139.5.22] [2015-07-03 03:21:28]: Login failed [admin/beeline]
[attacker: 61.139.5.22] [2015-07-03 03:21:30]: Login failed [admin/beeline2013]
[attacker: 61.139.5.22] [2015-07-03 03:21:31]: Login failed [admin/iyeh]
[attacker: 61.139.5.22] [2015-07-03 03:21:32]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:21:32]: New connection: 61.160.213.58:4985
[attacker: 61.139.5.22] [2015-07-03 03:21:32]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:32]: Login failed [admin/ghbdtn]
[attacker: 61.139.5.22] [2015-07-03 03:21:33]: Login failed [admin/inet]
[attacker: 61.139.5.22] [2015-07-03 03:21:35]: Login failed [admin/internet]
[attacker: 61.139.5.22] [2015-07-03 03:21:36]: Login failed [admin/asus]
[attacker: 61.139.5.22] [2015-07-03 03:21:37]: Login failed [admin/ADMIN]
[attacker: 61.139.5.22] [2015-07-03 03:21:38]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:21:38]: New connection: 61.160.213.58:3388
[attacker: 61.139.5.22] [2015-07-03 03:21:38]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:40]: Login failed [admin/adsl]
[attacker: 61.139.5.22] [2015-07-03 03:21:41]: Login failed [admin/adslroot]
[attacker: 61.139.5.22] [2015-07-03 03:21:42]: Login failed [admin/adsladmin]
[attacker: 61.139.5.22] [2015-07-03 03:21:43]: Login failed [admin/Kendalf9]
[attacker: 61.139.5.22] [2015-07-03 03:21:44]: Login failed [admin/263297]
[attacker: 61.139.5.22] [2015-07-03 03:21:46]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:21:46]: New connection: 61.160.213.58:1302
[attacker: 61.139.5.22] [2015-07-03 03:21:46]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:47]: Login failed [admin/590152]
[attacker: 61.139.5.22] [2015-07-03 03:21:48]: Login failed [admin/21232]
[attacker: 61.139.5.22] [2015-07-03 03:21:49]: Login failed [admin/adn8pzszk]
[attacker: 61.139.5.22] [2015-07-03 03:21:50]: Login failed [admin/amvqnekk]
[attacker: 61.139.5.22] [2015-07-03 03:21:51]: Login failed [admin/biyshs9eq]
[attacker: 61.139.5.22] [2015-07-03 03:21:52]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:21:52]: New connection: 61.160.213.58:2120
[attacker: 61.139.5.22] [2015-07-03 03:21:52]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:55]: Login failed [admin/e2b81d_1]
[attacker: 61.139.5.22] [2015-07-03 03:21:56]: Login failed [admin/Dkdk8e89]
[attacker: 61.139.5.22] [2015-07-03 03:21:57]: Login failed [admin/flvbyctnb]
[attacker: 61.139.5.22] [2015-07-03 03:21:58]: Login failed [admin/qweasdOP]
[attacker: 61.139.5.22] [2015-07-03 03:21:59]: Login failed [admin/EbS2P8]
[attacker: 61.139.5.22] [2015-07-03 03:22:00]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:22:01]: New connection: 61.160.213.58:2180
[attacker: 61.139.5.22] [2015-07-03 03:22:04]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:22:12]: Login failed [admin/ZmqVfo]
[attacker: 61.139.5.22] [2015-07-03 03:22:14]: Login failed [admin/ZmqVfo1]
[attacker: 61.139.5.22] [2015-07-03 03:22:15]: Login failed [admin/ZmqVfo2]
[attacker: 61.139.5.22] [2015-07-03 03:22:16]: Login failed [admin/ZmqVfo3]
[attacker: 61.139.5.22] [2015-07-03 03:22:17]: Login failed [admin/ZmqVfo4]
[attacker: 61.139.5.22] [2015-07-03 03:22:18]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:22:18]: New connection: 61.160.213.58:1799
[attacker: 61.139.5.22] [2015-07-03 03:22:18]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:22:18]: Login failed [admin/ZmqVfoVPN]
[attacker: 61.139.5.22] [2015-07-03 03:22:19]: Login failed [admin/ZmqVfoSIP]
[attacker: 61.139.5.22] [2015-07-03 03:22:21]: Login failed [admin/9f4r5r79//]
[attacker: 61.139.5.22] [2015-07-03 03:22:22]: Login failed [admin/airocon]
[attacker: 61.139.5.22] [2015-07-03 03:22:23]: Login failed [admin/zyxel]
[attacker: 61.139.5.22] [2015-07-03 03:22:24]: Connection lost
[attacker: 61.139.5.22] [2015-07-03 03:22:24]: New connection: 61.160.213.58:3623
[attacker: 61.139.5.22] [2015-07-03 03:22:24]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:22:24]: Login failed [admin/default]
[attacker: 61.139.5.22] [2015-07-03 03:22:25]: Login failed [admin/cisco]
[attacker: 61.139.5.22] [2015-07-03 03:22:27]: Login failed [admin/changeme]
[attacker: 61.139.5.22] [2015-07-03 03:22:28]: Connection lost
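The log above is a flat run of short SSH sessions, each trying a handful of admin passwords before reconnecting. The Python below, added here as an example rather than code from the original post or the honeypot, parses that line format, attributes events to the connecting peer (the "New connection" address, which in this log differs from the honeypot's "attacker:" label), and flags a source whose failed logins inside a short window reach a threshold; the sample lines are copied from the log above, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Honeypot line format used in the post: [attacker: IP] [YYYY-MM-DD HH:MM:SS]: message
LINE_RE = re.compile(r"\[attacker: [\d.]+\] \[(?P<ts>[^\]]+)\]: (?P<msg>.*)")
NEW_CONN_RE = re.compile(r"New connection: (?P<src>[\d.]+):\d+")
BANNER_RE = re.compile(r"Client version: \[(?P<banner>[^\]]+)\]")
FAIL_RE = re.compile(r"Login failed \[(?P<user>[^/]+)/(?P<pw>[^\]]*)\]")

# Constructed sample: entries copied from the log above (two short sessions).
SAMPLE_LOG = """\
[attacker: 61.139.5.22] [2015-07-03 03:21:08]: New connection: 61.160.213.58:2523
[attacker: 61.139.5.22] [2015-07-03 03:21:08]: Client version: [SSH-2.0-libssh2_1.4.3]
[attacker: 61.139.5.22] [2015-07-03 03:21:08]: Login failed [admin/admin]
[attacker: 61.139.5.22] [2015-07-03 03:21:09]: Login failed [admin/1234]
[attacker: 61.139.5.22] [2015-07-03 03:21:10]: Login failed [admin/12345]
[attacker: 61.139.5.22] [2015-07-03 03:21:14]: New connection: 61.160.213.58:4182
[attacker: 61.139.5.22] [2015-07-03 03:21:17]: Login failed [admin/password]
[attacker: 61.139.5.22] [2015-07-03 03:21:18]: Login failed [admin/root]
"""

def summarize(log_text, threshold=5, window_s=60):
    """Per connecting IP (the 'New connection' peer): sessions, failed logins, client
    banners, and a brute-force flag when failures inside any window_s seconds reach threshold."""
    per_src = defaultdict(lambda: {"sessions": 0, "fails": [], "banners": set(), "users": set()})
    src = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a honeypot-format line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if c := NEW_CONN_RE.match(m["msg"]):
            src = c["src"]
            per_src[src]["sessions"] += 1
        elif src is None:
            continue  # event before any connection: nothing to attribute it to
        elif b := BANNER_RE.match(m["msg"]):
            per_src[src]["banners"].add(b["banner"])
        elif f := FAIL_RE.match(m["msg"]):
            per_src[src]["fails"].append(ts)
            per_src[src]["users"].add(f["user"])
    report = {}
    for ip, d in per_src.items():
        fails = d["fails"]  # sliding window: most failures within window_s of any one failure
        burst = max((sum(1 for t in fails if 0 <= (t - t0).total_seconds() <= window_s)
                     for t0 in fails), default=0)
        report[ip] = {"sessions": d["sessions"], "failed": len(fails), "max_fails_in_window": burst,
                      "banners": sorted(d["banners"]), "users": sorted(d["users"]), "brute_force": burst >= threshold}
    return report
```

Run over the full log above, the same function reports one source, one client banner, a single username and several dozen failures in under two minutes, which is the pattern worth alerting on rather than any individual password.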
From a Chinese host↓
{ "ip": "61.160.213.58", "SOA": " nmc1.ptt.js.cn. postmaster.nmc1.ptt.js.cn.", "city": "Nanjing", "region": "Jiangsu", "country": "CN", "loc": "32.0617,118.7778", "org": "AS23650 AS Number for CHINANET jiangsu province backbone" }
So it comes from around here↓
A quick investigation turned up the malware panel↓
Inside it are MIPS and ARM binaries↓
I examined them in detail↓
They were compressed, so I unpacked them↓
        File size         Ratio      Format       Name
   --------------------   ------   -----------   -----------
   1156461 <-    454640   39.31%   linux/mipsel  49mips-dep
   1001841 <-    398372   39.76%   linux/armel   49arm-dep
   1156895 <-    452356   39.10%   linux/mipseb  49wrt-dep
Analysis showed it to be the "Linux/AES.DDoS" malware I found earlier. Some fellow researchers seem to call this malware "Mr. Black". Its distinguishing feature is the code below↓
I uploaded them to VirusTotal, but...
...looking at the detection results from the various antivirus products at the time of the first upload, many of the malware names are listed incorrectly, like this↓
The attack is still ongoing, so please block "61.139.5.22".