The well-known terminal emulation software Xshell has a backdoor in multiple versions, possibly uploading users' server account passwords!

August 15, 2017

 https://wx1.vv1234.cn/o_1bnl6o0pgein5gf1mqs1fi510hoa.png

Introduction:


Xshell is a powerful and well-known terminal emulation program that is widely used for server operation, maintenance and management. Xshell supports SSH, SFTP, TELNET, RLOGIN and SERIAL connections. It offers industry-leading performance and rich functionality, and occupies an irreplaceable position among free terminal emulators. The Enterprise Edition adds more professional features, including a tabbed environment, dynamic port forwarding, user-defined key mapping, user-defined buttons, VB scripting, and a UNICODE terminal for displaying 2-byte characters and supporting international languages.

Xshell provides many user-friendly features not found in other terminal emulators, including Zmodem file upload and download by dragging and dropping files, a simple mode, a full-screen mode, a transparency option and a custom layout mode. Using Xshell for terminal tasks saves time and effort.

At present, the latest version of Xshell is Xshell 5 Build 1326, which was released on August 5, 2017.

A few days ago, 360CERT learned that a security company had found malicious code in the nssock2.dll module shipped with NetSarang's Xmanager, Xshell, Xftp, Xlpd and other products. The malicious code has been confirmed in Xshell 5.0.1322 and Xshell 5.0.1325:

 https://wx1.vv1234.cn/o_1bnl6pits191tvg51qe3vlm1e0qa.png

Official announcement:


It is worth mentioning that the Build 1326 release note is quite interesting: it says the update fixes nssock2.dll, which "fixes a remote vulnerability" (66666... Orz)

 https://wx1.vv1234.cn/o_1bnl6rsdh1m1bv1gfni1uk115va.png

Brief analysis


360CERT found through behavior analysis that the backdoor sends requests to the domain name nylalobghyhirgh.com.

WHOIS privacy protection is enabled for this domain name, and only its NS records can be queried:

 https://wx1.vv1234.cn/o_1bnl6t17r152g2roktc1cnlp7ha.png

Data source: 360CERT

In addition, the backdoor also issues DNS queries for many extremely long subdomains of this domain: the names are produced by a DGA (domain generation algorithm), and data is exfiltrated through the DNS resolution of those names.

Some generated domain names are as follows:


Basic process

 https://wx1.vv1234.cn/o_1bnl6u5h99apkcb1hr41re5106ra.png

The Xshell component nssock2.dll, used for network communication, was found to contain backdoor code. The DLL itself carries a valid digital signature from the vendor, yet it has been flagged as malicious by several security vendors:

 https://wx1.vv1234.cn/o_1bnl6vgfa1j5hk9v12be1cl412t7a.png

Each month a new control (C2) domain name is generated by a specific algorithm. At present, some of these domains have already been registered by the backdoor's author:


2017-06    vwrcbohspufip.com

2017-07    ribotqtonut.com

2017-08    nylalobghyhirgh.com

2017-09    jkvmdmjyfcvkf.com

2017-10    bafyvoruzgjitwr.com

2017-11    xmponmzmxkxkh.com

2017-12    tczafklirkl.com
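As an added detection example (not 360CERT's or NetSarang's code), the Python below scans DNS query logs for the two indicators described above: queries to the monthly C2 domains listed in this article, and the overlong, random-looking subdomains the DGA uses to carry exfiltrated data. The log format, the sample log lines, and the length and entropy thresholds are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Monthly C2 domains listed in the article (2017-06 through 2017-12).
KNOWN_C2 = {"vwrcbohspufip.com", "ribotqtonut.com", "nylalobghyhirgh.com",
            "jkvmdmjyfcvkf.com", "bafyvoruzgjitwr.com", "xmponmzmxkxkh.com",
            "tczafklirkl.com"}
# Thresholds are assumptions for this example: ordinary hostnames rarely carry
# more than ~50 characters of random-looking subdomain labels in one query.
MAX_SUBDOMAIN_LEN = 50
MIN_ENTROPY = 3.5
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")  # constructed format: time client qname

def shannon_entropy(s):
    """Bits per character of s; encoded data scores high, dictionary words low."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def registered_domain(name):
    """Last two labels ('x.y.example.com' -> 'example.com'); assumes one-label TLDs."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def classify(qname):
    """Why the query looks like the backdoor's DNS traffic, or None if benign."""
    name = qname.rstrip(".").lower()
    base = registered_domain(name)
    if base in KNOWN_C2:
        return f"known C2 domain {base}"
    # Everything left of the registered domain is where the DGA packs exfiltrated data.
    payload = name[: -len(base) - 1].replace(".", "") if name != base else ""
    if len(payload) > MAX_SUBDOMAIN_LEN and shannon_entropy(payload) > MIN_ENTROPY:
        return f"overlong high-entropy subdomain ({len(payload)} chars)"
    return None

def scan(lines):
    """Return (client, qname, reason) for every suspicious query in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        reason = classify(m.group(3)) if m else None
        if reason:
            hits.append((m.group(2), m.group(3), reason))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2017-08-15T09:00:01Z 10.0.0.5 www.netsarang.com",
    "2017-08-15T09:00:02Z 10.0.0.7 kmvlqpwsx.nylalobghyhirgh.com",
    "2017-08-15T09:00:03Z 10.0.0.9 zqxjkvbpmwfgcyhdlrtnsuoiea.zqxjkvbpmwfgcyhdlrtnsuoiea.example.net",
    "2017-08-15T09:00:04Z 10.0.0.5 cdn-static-assets.images.example.com",
]
```

Calling `scan(SAMPLE_LOG)` flags the second and third lines and leaves the two ordinary hostnames alone; in practice the thresholds should be tuned against your own resolver's baseline, since CDNs and some telemetry services also use long labels.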

Versions confirmed to contain the backdoor


Xshell Build 5.0.1322

Xshell Build 5.0.1325

Xmanager Enterprise 5.0 Build 1232

Xmanager 5.0 Build 1045

Xftp 5.0 Build 1218

Xftp 5.0 Build 1221

Xlpd 5.0 Build 1220

PS: There are a large number of download mirror sites in China, and at present they are all still distributing the problematic versions listed above.

Behavior characteristics


The backdoored versions send requests to nylalobghyhirgh.com, and the daily request volume exceeds 8 million. Apart from the official version's mandatory update, I'm afraid nothing else could produce such a large volume of traffic...

 https://wx1.vv1234.cn/o_1bnl70hbd54h1c3j1mik1gq0gtca.png

Data source: 360 Network Security Research Institute

WHOIS information for the domain name, which has privacy protection enabled:

 https://wx1.vv1234.cn/o_1bnl72n77ubu1ohniaqf0u1acea.jpg

Data source: 360 Network Security Research Institute

Data transmission is suspected to use DNS as an out-of-band channel:

 https://wx1.vv1234.cn/o_1bnl74isk1fnshsu1f2d1fmn1sqma.png

Data source: 360 Network Security Research Institute

Versions confirmed to be clean


Xmanager Enterprise Build 1236

Xmanager Build 1049

Xshell Build 1326

Xftp Build 1222

Xlpd Build 1224

https://download.netsarang.com (primary)

https://download.netsarang.co.kr

Solution


  1. Go to the official website to download the latest version
  2. If you upgraded from a problematic version to the latest version, your information may already have been leaked; to be safe, it is recommended to change your passwords. At present it can only be proven that the program obtained the user name, host name, network information and so on; whether other information was taken is still being verified.

Official reply from NetSarang


 https://wx1.vv1234.cn/o_1bnl75is9df11jfc96okv817vda.png

The 1322 version has a backdoor. We released version 1326 to fix this backdoor problem. Please update now to avoid continuing to be affected by this problem.

Reference sources


360 Network Security Research Institute

360 Tianyan Laboratory

360 Sun Chasing Team

360 Network Security Response Center: https://cert.360.cn/warning/detail?id=07450801f090579304c01e9338cb0ffb

360 Threat Intelligence Center: http://mp.weixin.qq.com/s/YAtWrn6XzogOMEjQTww9RQ

This article is reposted from @Safe passenger.

Gcod

If life is just like the first sight, what is the sad autumn wind painting fan
