Popular terminal emulation software Xshell: multiple versions contain a backdoor that may upload users' server account credentials!

August 15, 2017

 https://wx1.vv1234.cn/o_1bnl6o0pgein5gf1mqs1fi510hoa.png

Introduction:


Xshell is a powerful and well-known terminal emulation software, widely used in server operation and maintenance. Xshell supports SSH, SFTP, Telnet, rlogin and serial connections. It offers industry-leading performance and a rich feature set, and holds an irreplaceable position among free terminal emulators. The Enterprise edition adds more professional features, including a tabbed environment, dynamic port forwarding, custom key mapping, user-defined buttons, VB scripting, and a Unicode terminal for displaying 2-byte characters and supporting international languages.

Xshell also provides many user-friendly features that other terminal emulators lack, such as Zmodem file upload and download by drag and drop, simple mode, full-screen mode, transparency options and custom layout modes. Performing terminal tasks with Xshell saves time and effort.

Currently, the latest version of Xshell is Xshell 5 Build 1326, released on August 5, 2017.

A few days ago, 360CERT learned that a security company had found malicious code in the nssock2.dll module shipped with NetSarang's Xmanager, Xshell, Xftp, Xlpd and other products; this has been confirmed in Xshell 5.0.1322 (the full list of verified builds is given below).

 https://wx1.vv1234.cn/o_1bnl6pits191tvg51qe3vlm1e0qa.png

Official announcement:


It is worth noting that the update notice for Build 1326 is rather interesting: it states that the release fixes a remote vulnerability in nssock2.dll (66666... Orz).

 https://wx1.vv1234.cn/o_1bnl6rsdh1m1bv1gfni1uk115va.png

Brief analysis


Through behavior analysis, 360CERT found that the backdoor sends requests to the domain name nylalobghyhirgh.com.

Privacy protection is enabled for this domain name, and only its NS records can be queried:

 https://wx1.vv1234.cn/o_1bnl6t17r152g2roktc1cnlp7ha.png

Data source 360cert

In addition, the backdoor also resolves many very long subdomains under this domain. These names are produced by a DGA, and the data to be leaked is encoded into them so that it leaves the host through ordinary DNS resolution.

Some of the generated domain names are as follows:

sajajlyoogrmkjlkmosbxowcrmwlvajdkbtbjoylypkoldjntglcoaskskwfjcolqlmcriqctjrhsltakoxnnmtlvdpdpcwhpgnet.nylalobghyhirgh.com
sajajlyoogrmkkmhncrjkingvmwlvajdketeknvbwfqppgkbtdlcj.esjsnwhjmjglnoksjmctgrlyhsgmgveqmrexmloppylmpl.nylalobghyhirgh.com
sajajlyoogrmkpmnmixivemirmwlvajdkctcjpymyjlfmoqjyaqplm.tfvduaplkilcogrcpbv.nylalobghyhirgh.com
sajajlyoogrmkdjhrgpcllwanowlvajdkftfjcxlyokpmancxmqnpkrnwdx.dlpqjnholroqctarosbtpq.nylalobghyhirgh.com
sajajlyoogrmkjjmjmmhjdkgmmwlvajdkjtcmiycxjlppolisfqgpcs.jsnwap.nylalobghyhirgh.com
sajajlyoogrmkpmnmixivemirmwlvajdkctcjpymyjlfmoqjyaqplmtfvduap.lkilcogrcpbv.nylalobghyhirgh.com
sajajlyoogrmkpmnmixivemirmwlvajdkctcjpymyjlfmoqjyaqplmtfv.duaplkilcogrcpbv.nylalobghyhirgh.com
sajajlyoogrmkeloufodqfpjwmwlvajdkctmkcydybloooljwaqpp.gsoskwdkljlmkoksiqduix.nylalobghyhirgh.com
sajajlyoogrmkdmkporgujqmumwlvajdkctgjewiufqoppkotelgmovfvexem.lmaklmoxgoftfrcsbtgkayiohuevhknnevkj.nylalobghyhirgh.com
sajajlyoogrmkmliwgmgoooavmwlvajdkctckcwgvmjkjbpivjmgmc.udvnyamjmmjlmoxhvaphjencqasmmbsfv.nylalobghyhirgh.com
sajajlyoogrmkglhsnqnmkkpqmwlvajdkctckcwgvmjkjbpivjmgmcudvnyamj.mmjlmoxhvaphjencqasmmbsfv.nylalobghyhirgh.com
sajajlyoogrmkekbsbnowiwnsmwlvajdkctomcymyklhmdjpxbplqkrb.snwekokgllmoxapeubsorotbkhynnktft.nylalobghyhirgh.com
sajajlyoogrmkdjhrgpcllwanowlvajdkftfjcxlyokpmancxmqnpkrnwdxdl.pqjnholroqctarosbtpq.nylalobghyhirgh.com
sajajlyoogrmklkjqgxdxbxiymwlvajdkctckcwgvmjkjbpivjmgmc.udvnyamjmmjlmoxhvaphjencqasmmbsfv.nylalobghyhirgh.com
sajajlyoogrmkpmnmixivemirmwlvajdkctcjpymyjlfmoqjyaq.plmtfvduaplkilcogrcpbv.nylalobghyhirgh.com

Basic process

 https://wx1.vv1234.cn/o_1bnl6u5h99apkcb1hr41re5106ra.png

nssock2.dll, the Xshell component responsible for network communication, was found to contain backdoor code. The DLL carries a valid digital signature from the vendor, yet it has been flagged as malicious by several security vendors.

 https://wx1.vv1234.cn/o_1bnl6vgfa1j5hk9v12be1cl412t7a.png

Each month, a new control domain name is generated by a specific algorithm. At present, some of them have already been registered by the backdoor's author:

2017-06    vwrcbohspufip.com
2017-07    ribotqtonut.com
2017-08    nylalobghyhirgh.com
2017-09    jkvmdmjyfcvkf.com
2017-10    bafyvoruzgjitwr.com
2017-11    xmponmzmxkxkh.com
2017-12    tczafklirkl.com

Versions confirmed to contain the backdoor (verified)


Xshell Build 5.0.1322

Xshell Build 5.0.1325

Xmanager Enterprise 5.0 Build 1232

Xmanager 5.0 Build 1045

Xftp 5.0 Build 1218

Xftp 5.0 Build 1221

Xlpd 5.0 Build 1220

PS: a large number of domestic download sites are distributing the problematic versions listed above.

Behavior characteristics


Backdoored versions send requests to nylalobghyhirgh.com, more than 8 million of them per day. Short of a mandatory update pushed through the official releases, I'm afraid there is no other way to reach such numbers...

 https://wx1.vv1234.cn/o_1bnl70hbd54h1c3j1mik1gq0gtca.png

Data source 360 Network Security Research Institute

WHOIS information for the domain name, which has privacy protection enabled.

 https://wx1.vv1234.cn/o_1bnl72n77ubu1ohniaqf0u1acea.jpg

Data source 360 Network Security Research Institute

The data is suspected to be transmitted out of band through DNS.

 https://wx1.vv1234.cn/o_1bnl74isk1fnshsu1f2d1fmn1sqma.png

Data source 360 Network Security Research Institute
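For a defender, the two things worth pulling out of DNS logs after reading the above are queries for the monthly control domains listed in this advisory and queries whose subdomains look like the long DGA-style labels shown earlier, since that is how data leaves via DNS resolution. The Python script below is an added example written for this page, not code from 360CERT or NetSarang: the BIND-style query log lines are constructed, the length and entropy thresholds are assumptions chosen for illustration, and the domain list is taken from the advisory itself.

```python
import math
import re
from collections import Counter

# Monthly control domains reported in this advisory (2017-06 to 2017-12).
KNOWN_C2_DOMAINS = {
    "vwrcbohspufip.com": "2017-06",
    "ribotqtonut.com": "2017-07",
    "nylalobghyhirgh.com": "2017-08",
    "jkvmdmjyfcvkf.com": "2017-09",
    "bafyvoruzgjitwr.com": "2017-10",
    "xmponmzmxkxkh.com": "2017-11",
    "tczafklirkl.com": "2017-12",
}

# Heuristic thresholds: assumptions for this example, not values from the advisory.
LONG_QNAME_LEN = 75      # a whole query name longer than this is unusual in normal traffic
MIN_SUBDOMAIN_LEN = 40   # only score entropy on subdomains at least this long
HIGH_ENTROPY_BITS = 3.5  # Shannon entropy (bits per character) typical of encoded payloads

# Constructed BIND-style query log format; adapt the regex to your resolver's format.
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name; sufficient for the .com domains in this advisory."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify_query(qname):
    """Return the reasons a query name matches this backdoor's indicators ([] if none)."""
    qname = qname.rstrip(".").lower()
    reasons = []
    rd = registered_domain(qname)
    if rd in KNOWN_C2_DOMAINS:
        reasons.append("known C2 domain (%s)" % KNOWN_C2_DOMAINS[rd])
    if len(qname) > LONG_QNAME_LEN:
        reasons.append("long qname (%d chars)" % len(qname))
    # Everything left of the registered domain is where an encoded payload would sit.
    subdomain = qname[: -(len(rd) + 1)] if len(qname) > len(rd) else ""
    payload = subdomain.replace(".", "")
    if len(payload) >= MIN_SUBDOMAIN_LEN and shannon_entropy(payload) >= HIGH_ENTROPY_BITS:
        reasons.append("high-entropy subdomain")
    return reasons


def scan_log(lines):
    """Parse query log lines and return the flagged ones with client, name and reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line, or a different log format
        reasons = classify_query(m.group("qname"))
        if reasons:
            hits.append({"client": m.group("client"), "qname": m.group("qname"), "reasons": reasons})
    return hits


# Constructed sample log: two benign lookups and two that match the advisory's indicators.
SAMPLE_LOG = [
    "15-Aug-2017 10:02:13.001 client 10.0.0.5#53211: query: www.example.com IN A +",
    "15-Aug-2017 10:02:14.120 client 10.0.0.7#41022: query: "
    "sajajlyoogrmkjjmjmmhjdkgmmwlvajdkjtcmiycxjlppolisfqgpcs.jsnwap.nylalobghyhirgh.com IN A +",
    "15-Aug-2017 10:02:15.338 client 10.0.0.9#50919: query: mail.internal.example.com IN MX +",
    "15-Aug-2017 10:02:16.004 client 10.0.0.7#41023: query: nylalobghyhirgh.com IN A +",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s -> %s: %s" % (hit["client"], hit["qname"], "; ".join(hit["reasons"])))
```

Point it at your resolver's query log after adjusting LOG_RE to the local format. The client address of each hit is the host that needs the clean build and a credential reset. The registered-domain helper is deliberately naive (last two labels), so for multi-part public suffixes such as .co.uk substitute a public-suffix library; the entropy check is only a heuristic and is kept as a secondary signal behind the exact domain match.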

Versions without the backdoor


Xmanager Enterprise Build 1236

Xmanager Build 1049

Xshell Build 1326

Xftp Build 1222

Xlpd Build 1224

https://download.netsarang.com (primary)

https://download.netsarang.co.kr

Solution


  1. Download and update to the latest version from the official website.
  2. If the program was upgraded from a problematic version to the latest one, information may already have been leaked; to be safe, change your passwords. So far it can only be proven that the program collected the user name, host name, network information and similar data; whether other information was taken is still being verified.

Official response from NetSarang


 https://wx1.vv1234.cn/o_1bnl75is9df11jfc96okv817vda.png

There is a backdoor in 1322. We released version 1326 to fix this backdoor problem. Please update now to avoid continuing to be affected by this issue.

Reference sources


360 Network Security Research Institute

360 Tianyan Laboratory

360 sun chasing team

360 Network Security Response Center: https://cert.360.cn/warning/detail?id=07450801f090579304c01e9338cb0ffb

360 Threat Intelligence Center: http://mp.weixin.qq.com/s/YAtWrn6XzogOMEjQTww9RQ

This article is reposted from @Anquanke (安全客).

Gcod

If life is just like the first sight, what is the sad autumn wind painting fan
