Parsers for detection of Linux/Ebury 1.6 malware indicators

Libkeyutils - command find -L /lib /lib64 -name 'libkeyutils.so*'

Parses output of command find -L /lib /lib64 -name 'libkeyutils.so*' to find all potentially affected libraries.

LibkeyutilsObjdumps - command find -L /lib /lib64 -name libkeyutils.so.1 -exec objdump -x "{}" \;

Parses output of command find -L /lib /lib64 -name libkeyutils.so.1 -exec objdump -x "{}" \; to verify linked libraries.

https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/

class insights.parsers.libkeyutils.Libkeyutils(*args, **kwargs)

Bases: insights.core.CommandParser

This parser finds all ‘libkeyutils.so*’ libraries in the /lib or /lib64 directory and their sub-directories.

Output of Command:

/lib/libkeyutils.so.1
/lib/tls/libkeyutils.so.1.6
/lib64/libkeyutils.so

Example:

>>> shared[Libkeyutils].libraries
['/lib/libkeyutils.so.1', '/lib/tls/libkeyutils.so.1.6', '/lib64/libkeyutils.so']
libraries = None

All ‘libkeyutils.so*’ libraries located in the /lib or /lib64 directory and their sub-directories, one path per entry.

Type

list

parse_content(content)

This method must be implemented by classes based on this class.

class insights.parsers.libkeyutils.LibkeyutilsObjdumps(*args, **kwargs)

Bases: insights.core.CommandParser

This parser goes through the objdumps of all ‘libkeyutils.so.1’ libraries in the /lib or /lib64 directory and their sub-directories, and collects the linked libraries (the NEEDED entries of each Dynamic Section).

Output of Command:

/lib/libkeyutils.so.1:     file format elf32-i386
/lib/libkeyutils.so.1
architecture: i386, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x00000f80
...

Dynamic Section:
  NEEDED               libdl.so.2
  NEEDED               libc.so.6
  NEEDED               libsbr.so
  SONAME               libkeyutils.so.1
  INIT                 0x00000e54
...


/lib64/libkeyutils.so.1:     file format elf64-x86-64
/lib64/libkeyutils.so.1
architecture: i386:x86-64, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x00000000000014b0
...

Dynamic Section:
  NEEDED               libdl.so.2
  NEEDED               libsbr.so.6
  NEEDED               libfake.so
  SONAME               libkeyutils.so.1
  INIT                 0x0000000000001390
...

Example:

>>> shared[LibkeyutilsObjdumps].linked_libraries
{'/lib/libkeyutils.so.1': ['libdl.so.2', 'libc.so.6', 'libsbr.so'],
 '/lib64/libkeyutils.so.1': ['libdl.so.2', 'libsbr.so.6', 'libfake.so']}
linked_libraries = None

Found libraries, keyed by path, each mapped to the list of libraries it links against.

Type

dict

parse_content(content)

This method must be implemented by classes based on this class.
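As an added worked example (not code from insights-core or from this page), the following stand-alone Python parses the two command outputs documented above: the path list from find, and the objdump -x output from which the NEEDED entries of each Dynamic Section are collected, exactly as the two parsers' examples show. It goes one step beyond the page by comparing each library's NEEDED list against a baseline; that baseline (EXPECTED_NEEDED) is an assumption made here for illustration, not a fact from the page, and should be derived from a known-good package on the distribution in question. The sample inputs are constructed from the page's own command output.

```python
import re

# Constructed sample: the find output shown on this page.
SAMPLE_FIND = """\
/lib/libkeyutils.so.1
/lib/tls/libkeyutils.so.1.6
/lib64/libkeyutils.so
"""

# Constructed sample: the objdump -x output shown on this page, with the
# "..." lines standing in for the sections the page omits.
SAMPLE_OBJDUMP = """\
/lib/libkeyutils.so.1:     file format elf32-i386
/lib/libkeyutils.so.1
architecture: i386, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x00000f80
...

Dynamic Section:
  NEEDED               libdl.so.2
  NEEDED               libc.so.6
  NEEDED               libsbr.so
  SONAME               libkeyutils.so.1
  INIT                 0x00000e54
...


/lib64/libkeyutils.so.1:     file format elf64-x86-64
/lib64/libkeyutils.so.1
architecture: i386:x86-64, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x00000000000014b0
...

Dynamic Section:
  NEEDED               libdl.so.2
  NEEDED               libsbr.so.6
  NEEDED               libfake.so
  SONAME               libkeyutils.so.1
  INIT                 0x0000000000001390
...
"""

# "<path>:     file format <fmt>" opens each object's section in objdump -x output.
FILE_HEADER = re.compile(r'^(\S+):\s+file format\s+\S+')
# A NEEDED entry inside the Dynamic Section.
NEEDED_LINE = re.compile(r'^\s*NEEDED\s+(\S+)')


def parse_find_output(text):
    """Return the library paths listed by find, one per non-empty line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_objdump_output(text):
    """Map each object file path to its NEEDED entries, in the order objdump prints them."""
    linked = {}
    current = None
    for line in text.splitlines():
        header = FILE_HEADER.match(line)
        if header:
            current = header.group(1)
            linked[current] = []
            continue
        needed = NEEDED_LINE.match(line)
        if needed and current is not None:
            linked[current].append(needed.group(1))
    return linked


# Assumed baseline (not from the page): the shared objects a stock libkeyutils
# is expected to declare. Replace with values taken from a trusted package.
EXPECTED_NEEDED = {'libdl.so.2', 'libc.so.6'}


def unexpected_dependencies(linked, expected=EXPECTED_NEEDED):
    """Return {path: [NEEDED entries outside the baseline]} for libraries that have any."""
    report = {}
    for path, libs in linked.items():
        extra = [lib for lib in libs if lib not in expected]
        if extra:
            report[path] = extra
    return report


if __name__ == '__main__':
    print(parse_find_output(SAMPLE_FIND))
    linked = parse_objdump_output(SAMPLE_OBJDUMP)
    print(linked)
    for path, extra in unexpected_dependencies(linked).items():
        print('review: %s links unexpected %s' % (path, ', '.join(extra)))
```

Feeding the page's sample through parse_objdump_output reproduces the dictionary shown in the LibkeyutilsObjdumps example; unexpected_dependencies then singles out the entries that are not in the assumed baseline (libsbr.so, libsbr.so.6 and libfake.so in the sample), which is the list an analyst would take to the next step of verification.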