Add shell support for parenthesis. #361

Closed
fe7ch opened this issue Nov 23, 2016 · 11 comments
Comments

@fe7ch
Contributor

fe7ch commented Nov 23, 2016

Hajime trojan started to use () brackets during the infection stage. It prevents cowrie from capturing samples.

Part of the session as it was seen by the attacker:

root@honeypot:~# cd /var; (cat .s || cp /bin/echo .s); /bin/busybox GAWOG
bash: (: command not found
cp: target `GAWOG' is not a directory
root@busybox:/var# (dd bs=52 count=1 if=.s || cat .s)
bash: (: command not found
cat: .s: No such file or directory
cat: ): No such file or directory
2016-11-23 07:01:18+0300 [CowrieTelnetTransport,951,censored] CMD: cd /var; (cat .s || cp /bin/echo .s); /bin/busybox GAWOG
2016-11-23 07:01:18+0300 [CowrieTelnetTransport,951,censored] Command found: cd /var
2016-11-23 07:01:18+0300 [CowrieTelnetTransport,951,censored] Command not found: ( cat .s
2016-11-23 07:01:18+0300 [CowrieTelnetTransport,951,censored] Command found: cp /bin/echo .s ); /bin/busybox GAWOG
2016-11-23 07:01:19+0300 [CowrieTelnetTransport,951,censored] CMD: (dd bs=52 count=1 if=.s || cat .s)
2016-11-23 07:01:19+0300 [CowrieTelnetTransport,951,censored] Command not found: ( dd bs=52 count=1 if=.s
2016-11-23 07:01:19+0300 [CowrieTelnetTransport,951,censored] Command found: cat .s )
2016-11-23 07:01:19+0300 [CowrieTelnetTransport,951,censored] CMD: /bin/busybox GAWOG
@dwasss
Contributor

dwasss commented Nov 28, 2016

By brackets I think you mean parentheses? In any case, I have seen this on my cowrie as well.

@fe7ch fe7ch changed the title Basic support for brackets Basic support for parentheses Nov 28, 2016
@fe7ch
Contributor Author

fe7ch commented Nov 28, 2016

By brackets I think you mean parentheses? In any case, I have seen this on my cowrie as well.

Yep, thanks. I've translated it incorrectly :(

@fe7ch
Contributor Author

fe7ch commented Nov 28, 2016

If I got it right, shlex doesn't support parentheses. That's sad.

@micheloosterhof micheloosterhof changed the title Basic support for parentheses Add shell support for parenthesis. Dec 5, 2016
@micheloosterhof
Member

The quick fix would be to just ignore parenthesis.

@fe7ch
Contributor Author

fe7ch commented Dec 5, 2016

The quick fix would be to just ignore parenthesis.

Yep, that's what I did (fe7ch@ede2338, fe7ch@e2cd464). I wasn't sure if you are okay with such dirty hacks, so I didn't file it as a pull request.
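The "just ignore parentheses" approach, as an added example that is not cowrie's own code: it uses shlex in punctuation_chars mode (Python 3.6+; the whitespace_split line assumes 3.8+) so that "(" and ")" come back as separate tokens instead of glued onto "cat" and ".s", drops them, and still keeps the ";" and "||" separators so each command of the Hajime lines above is recovered. The function names are mine.

```python
import shlex

# Separators that end one command and start the next (subset of shlex punctuation).
OPERATORS = {";", "&&", "||", "|", "&"}


def tokenize(line):
    """Tokenise a shell line, discarding subshell parentheses (hypothetical helper)."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # split only on whitespace and punctuation (Python 3.8+)
    tokens = []
    for tok in lex:
        # shlex returns runs of punctuation as one token, e.g. ");" after a subshell.
        if tok and all(c in lex.punctuation_chars for c in tok):
            tok = tok.replace("(", "").replace(")", "")
            if not tok:
                continue  # a bare "(" or ")": the grouping is simply ignored
        tokens.append(tok)
    return tokens


def split_commands(line):
    """Return [(separator, argv), ...]; separator is the operator preceding argv."""
    commands, argv, sep = [], [], None
    for tok in tokenize(line):
        if tok in OPERATORS:
            if argv:
                commands.append((sep, argv))
            argv, sep = [], tok
        else:
            argv.append(tok)
    if argv:
        commands.append((sep, argv))
    return commands


if __name__ == "__main__":
    # The two lines from the captured session (constructed sample input).
    for cmd in ("cd /var; (cat .s || cp /bin/echo .s); /bin/busybox GAWOG",
                "(dd bs=52 count=1 if=.s || cat .s)"):
        for sep, argv in split_commands(cmd):
            print(sep, argv)
```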

@dwasss
Contributor

dwasss commented Dec 5, 2016

I keep seeing this on my honeypot. A fix that works would be appreciated! :)

@fe7ch
Contributor Author

fe7ch commented Dec 6, 2016

micheloosterhof, dwasserm, I've filed a pull request with a hotfix. It was tested on my honeypots for a week or so.

@dwasss
Contributor

dwasss commented Jan 5, 2017

Cool. Can the hotfix be merged into the current build?

@fe7ch
Contributor Author

fe7ch commented Jan 21, 2017

Closed, since a solution was merged.

@fe7ch fe7ch closed this as completed Jan 21, 2017
@funtimes-ninja
Contributor

@fe7ch not sure if I'm doing something incorrect or not; however, I've followed the same guidance for copying working copies of the binaries into honeyfs/bin in order to get this sample captured, but it doesn't seem to work. I was hoping maybe you could shed some light on the situation.

2017-02-08 17:10:51-0500 [CowrieTelnetTransport,2,14.44.103.9] CMD: (dd bs=52 count=1 if=.s || cat .s)
2017-02-08 17:10:51-0500 [CowrieTelnetTransport,2,14.44.103.9] Command not found: dd bs=52 count=1 if=.s
root@honeypot-1:/home/cowrie/cowrie/honeyfs/bin# ls -la
total 264
drwxrwxr-x 2 cowrie cowrie   4096 Feb  8 17:09 .
drwxrwxr-x 5 cowrie cowrie   4096 Feb  7 17:39 ..
-rwxr-xr-x 1 cowrie cowrie  72632 Feb  8 17:09 dd
-rwxr-xr-x 1 cowrie cowrie  31376 Feb  8 10:10 echo
-rwxr-xr-x 1 cowrie cowrie 154072 Feb  8 16:44 sh

@fe7ch
Contributor Author

fe7ch commented Feb 9, 2017

@funtimes-ninja
I'll have more clues if you post the full session log and the output of file honeyfs/bin/echo.

You don't need dd in honeyfs/bin since it's used as a command, so it needs to be implemented as a command (#344). But in fact, the trojan will drop the payload even if dd fails (cat .s will be executed in this case).
