The well-known terminal simulation software XSHELL has multiple versions of backdoors, or upload user server account passwords!

August 15, 2017 1764 point heat 0 likes 0 comments

 https://wx1.vv1234.cn/o_1bnl6o0pgein5gf1mqs1fi510hoa.png

Introduction:


Xshell is a powerful and famous terminal simulation software, which is widely used for server operation, maintenance and management. Xshell supports SSH, SFTP, TELNET, RLOGIN and SERIAL functions. It provides industry-leading performance and powerful functions, and plays an irreplaceable role in free terminal simulation software. The Enterprise Edition has more professional functions, including: tabbed environment, dynamic port forwarding, user-defined key mapping, user-defined buttons, VB script and UNICODE terminal for displaying 2 byte characters and supporting international languages.

Xshell provides many user-friendly functions that are not available in other terminal simulation software. These functions include Zmodem file upload and Zmodem file download by dragging and dropping files, simple mode, full screen mode, transparency option and custom layout mode, etc. Using Xshell to perform terminal tasks saves time and effort.

At present, the highest version of xshell is Xshell 5 Build 1326, which was updated on August 5, 2017

A few days ago, 360CERT learned that a security company found malicious code in the nssock2.dll module released by NetSarang's Xmanager, Xshell, Xftp, Xlpd and other products. The malicious code has been confirmed in Xshell 5.0.1322 and Xshell 5.0.1325:

 https://wx1.vv1234.cn/o_1bnl6pits191tvg51qe3vlm1e0qa.png

Official announcement:


It is worth mentioning that the 1326 upgrade prompt is very interesting: the prompt fixes nssock2.dll, which fixes a remote vulnerability (66666... Orz)

 https://wx1.vv1234.cn/o_1bnl6rsdh1m1bv1gfni1uk115va.png

Brief analysis


360CERT found through behavior analysis that the backdoor will send a request to a box domain name "nylalobghyhigh. com".

Privacy protection is enabled for this domain name, and only NS records can be queried:

 https://wx1.vv1234.cn/o_1bnl6t17r152g2roktc1cnlp7ha.png

Data source: 360CERT

In addition, the domain name will also leak out to multiple super long domain names, and the domain name uses the DGA generation algorithm to leak data through DNS resolution.

Some generated domain names are as follows:

 sajajlyoogrmkjlkmosbxowcrmwlvajdkbtbjoylypkoldjntglcoaskskwfjcolqlmcriqctjrhsltakoxnnmtlvdpdpcwhpgnet.nylalobghyhirgh.com  sajajlyoogrmkkmhncrjkingvmwlvajdketeknvbwfqppgkbtdlcj.esjsnwhjmjglnoksjmctgrlyhsgmgveqmrexmloppylmpl.nylalobghyhirgh.com  sajajlyoogrmkpmnmixivemirmwlvajdkctcjpymyjlfmoqjyaqplm.tfvduaplkilcogrcpbv.nylalobghyhirgh.com  sajajlyoogrmkdjhrgpcllwanowlvajdkftfjcxlyokpmancxmqnpkrnwdx.dlpqjnholroqctarosbtpq.nylalobghyhirgh.com  sajajlyoogrmkjjmjmmhjdkgmmwlvajdkjtcmiycxjlppolisfqgpcs.jsnwap.nylalobghyhirgh.com  sajajlyoogrmkpmnmixivemirmwlvajdkctcjpymyjlfmoqjyaqplmtfvduap.lkilcogrcpbv.nylalobghyhirgh.com  sajajlyoogrmkpmnmixivemirmwlvajdkctcjpymyjlfmoqjyaqplmtfv.duaplkilcogrcpbv.nylalobghyhirgh.com  sajajlyoogrmkeloufodqfpjwmwlvajdkctmkcydybloooljwaqpp.gsoskwdkljlmkoksiqduix.nylalobghyhirgh.com  sajajlyoogrmkdmkporgujqmumwlvajdkctgjewiufqoppkotelgmovfvexem.lmaklmoxgoftfrcsbtgkayiohuevhknnevkj.nylalobghyhirgh.com  sajajlyoogrmkmliwgmgoooavmwlvajdkctckcwgvmjkjbpivjmgmc.udvnyamjmmjlmoxhvaphjencqasmmbsfv.nylalobghyhirgh.com  sajajlyoogrmkglhsnqnmkkpqmwlvajdkctckcwgvmjkjbpivjmgmcudvnyamj.mmjlmoxhvaphjencqasmmbsfv.nylalobghyhirgh.com  sajajlyoogrmkekbsbnowiwnsmwlvajdkctomcymyklhmdjpxbplqkrb.snwekokgllmoxapeubsorotbkhynnktft.nylalobghyhirgh.com  sajajlyoogrmkdjhrgpcllwanowlvajdkftfjcxlyokpmancxmqnpkrnwdxdl.pqjnholroqctarosbtpq.nylalobghyhirgh.com  sajajlyoogrmklkjqgxdxbxiymwlvajdkctckcwgvmjkjbpivjmgmc.udvnyamjmmjlmoxhvaphjencqasmmbsfv.nylalobghyhirgh.com  sajajlyoogrmkpmnmixivemirmwlvajdkctcjpymyjlfmoqjyaq.plmtfvduaplkilcogrcpbv.nylalobghyhirgh.com

Basic process

 https://wx1.vv1234.cn/o_1bnl6u5h99apkcb1hr41re5106ra.png

The Xshell related component nssock2.dll used for network communication is found to have backdoor code. The DLL itself has a legitimate digital signature from the manufacturer, but has been marked as malicious by several security vendors:

 https://wx1.vv1234.cn/o_1bnl6vgfa1j5hk9v12be1cl412t7a.png

Each month, a new control domain name is generated through a specific algorithm. At present, some of them have been registered by the author


2017-06    vwrcbohspufip.com

2017-07    ribotqtonut.com

2017-08    nylalobghyhirgh.com

2017-09    jkvmdmjyfcvkf.com

2017-10    bafyvoruzgjitwr.com

2017-11    xmponmzmxkxkh.com

2017-12    tczafklirkl.com

Backdoor version exists (verified)


Xshell Build 5.0.1322

Xshell Build 5.0.1325

Xmanager Enterprise 5.0 Build 1232

Xmanager 5.0 Build 1045

Xftp 5.0 Build 1218

Xftp 5.0 Build 1221

Xlpd 5.0 Build 1220

PS: There are a large number of download stations in China. At present, they are all the above problematic versions

behavior characteristics


The version with a backdoor will nylalobghyhirgh.com Initiate a request, and the daily traffic exceeds 8 million Apart from the mandatory update of the official version, I'm afraid there is no other way to have such a large amount of data...

 https://wx1.vv1234.cn/o_1bnl70hbd54h1c3j1mik1gq0gtca.png

Data source: 360 Network Security Research Institute

Domain name whois information, which enables privacy protection.

 https://wx1.vv1234.cn/o_1bnl72n77ubu1ohniaqf0u1acea.jpg

Data source: 360 Network Security Research Institute

Data transmission is suspected to be through DNS out band

 https://wx1.vv1234.cn/o_1bnl74isk1fnshsu1f2d1fmn1sqma.png

Data source: 360 Network Security Research Institute

No problem version


Xmanager Enterprise Build 1236

Xmanager Build 1049

Xshell Build 1326

Xftp Build 1222

Xlpd Build 1224

https://download.netsarang.com (primary)

https://download.netsarang.co.kr

terms of settlement


  1. Go to the official website to download the latest version
  2. If the program was upgraded from the problematic version to the latest version, the information may have been leaked. To be safe, it is recommended to change the password. At present, it can only prove that the program has obtained (user name, host name, network information, etc.), and other information is still being further verified.

Official reply from NetSarang


 https://wx1.vv1234.cn/o_1bnl75is9df11jfc96okv817vda.png

The 1322 version has a back door. We released version 1326 to fix this backdoor problem. Please update now to avoid continuing to be affected by this problem.

Reference source


360 Network Security Research Institute

360 Tianyan Laboratory

360 Sun Chasing Team

360 Network Security Response Center: https://cert.360.cn/warning/detail?id=07450801f090579304c01e9338cb0ffb

360 Threat Intelligence Center: http://mp.weixin.qq.com/s/YAtWrn6XzogOMEjQTww9RQ

This article is transferred from @Safe passenger

Gcod

If life is just like the first sight, what is the sad autumn wind painting fan

Article comments