VertexNet (W32/Vertex.A, BackDoor.Vertex)

Forum for analysis and discussion about malware.
User avatar
Xylitol
Global Moderator
Posts: 1660
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Contact:

VertexNet (W32/Vertex.A, BackDoor.Vertex)

Post by Xylitol » Sun Sep 11, 2011 5:42 pm

VertexNet is malware which can be used to steal passwords (keylogger feature), perform HTTP flood attacks, download/read/execute files, etc.
The bot also has an 'uninstall' command.
It's coded by a French guy named DarkCoderSc, and for the moment the latest version is 1.2.1.


VertexNet malware calls home (tasks.php) like this:


GET /admtriii/v/tasks.php?uid={193c2e9a-7c24-11e0-b0f2-806d6172696f-2140809940} HTTP/1.1
User-Agent: V32
Host: www.cg1.fr
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sun, 11 Sep 2011 13:51:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/3.0.2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.6
Content-Length: 0
Content-Type: text/html
It will call it frequently because this page is also used to receive orders.
The 'gate' can't be moved out of the VertexNet C&C folder due to PHP file dependencies, so if you find the gate you find the rest.
Default user/pass are root/toor, but with some magic tricks you can get inside the C&C, like for "www.cg1.fr".


If you want to start into malware reversing, VertexNet is a good one, easy to understand.
Due to lack of features, VertexNet is not really used by bad guys; they prefer more sophisticated malware.

Sample attached.
VirusTotal: 23/44 >> 52.3%
http://www.virustotal.com/file-scan/rep ... 1315111228
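The beacon in the capture above (GET to tasks.php with a uid of the form {GUID-number} and User-Agent V32) is simple enough to match in proxy logs. The following is an added example, not code from the post or from VertexNet: it parses constructed log lines (the line format is an assumption), flags the beacon shape, and reports the directory holding tasks.php, since the post notes the gate cannot be moved out of the C&C folder. The User-Agent only raises confidence, because a rebuilt bot could change it while keeping the same gate protocol.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example (not from the original post or from VertexNet itself).
# Beacon shape modelled on the capture: GET <panel>/tasks.php?uid={GUID-N}, UA "V32".
# Assumed log line format:  <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# {8-4-4-4-12 hex}-<decimal suffix>, as in the captured uid
UID_RE = re.compile(r'^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}-\d+\}$', re.I)
BOT_UA = "V32"

# Constructed sample proxy log; the first line reuses the values from the capture,
# the others are made up to exercise the negative and partial-match paths.
SAMPLE_LOG = [
    '10.0.0.5 GET http://www.cg1.fr/admtriii/v/tasks.php?uid={193c2e9a-7c24-11e0-b0f2-806d6172696f-2140809940} "V32"',
    '10.0.0.7 GET http://intranet.example/tasks.php?uid=42 "Mozilla/5.0"',
    '10.0.0.9 GET http://panel.example/VertexNet/tasks.php?uid={00000000-0000-0000-0000-000000000000-1} "Mozilla/5.0"',
    '10.0.0.9 POST http://panel.example/VertexNet/upload.php "Mozilla/5.0"',
]


def match_vertexnet_beacon(line):
    """Return a detection dict for a VertexNet-style beacon line, or None."""
    m = LOG_RE.match(line)
    if m is None or m['method'] != 'GET':
        return None
    url = urlsplit(m['url'])
    if not url.path.endswith('/tasks.php'):
        return None
    uid = parse_qs(url.query).get('uid', [''])[0]
    if not UID_RE.match(uid):
        return None
    # The gate lives inside the panel directory, so its parent path locates the rest of the C&C.
    panel = f"{url.scheme}://{url.netloc}{url.path.rsplit('/', 1)[0]}/"
    return {
        'src': m['src'],
        'uid': uid,
        'panel': panel,
        # The UA is trivial to change in a rebuild, so it only boosts confidence.
        'confidence': 'high' if m['ua'] == BOT_UA else 'medium',
    }


def scan_log(lines):
    """Run the matcher over every line and collect the hits in order."""
    return [hit for hit in map(match_vertexnet_beacon, lines) if hit is not None]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it over a real proxy export by replacing SAMPLE_LOG with the file's lines; the panel value of each hit is where to look for the rest of the C&C files.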


Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Post by Xylitol » Tue Sep 13, 2011 2:58 pm

Off topic: it seems VertexNet was hacked today and the original exe backdoored.
Attached is the 'attack' video; I saw it too late to get a copy of the exe.

SHA1 field 'no md5', letters in integer type.
Sure, summer is not yet finished.

The VertexNet website leads to 403 Forbidden for the moment.
Probably a .htaccess with Order Allow,Deny / Deny from all.


Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Post by Xylitol » Tue Dec 20, 2011 10:05 pm

VertexNet Loader


Bot: http://blackicejoker.kilu.de/vtxnet.exe
C&C: http://blackicejoker.no-ip.biz/VertexNet/
BLACKICEJOKER.NO-IP.BIZ (193.107.17.47)
route: 193.107.17.0/24
descr: Ideal Solution Ltd
origin: AS41947
mnt-by: RU-WEBALTA-MNT
mnt-by: IDEAL-MNT
14/43 >> 32.6%
http://www.virustotal.com/file-scan/rep ... 1324341247



Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Post by Xylitol » Thu Dec 29, 2011 10:40 am

I've done a quick graph of the VertexNet coder (without every connection; it would be really big otherwise).
He should take care of what info he leaves around.
DarklCoderSc.png
And the friend Xash (same, not complete, but contrary to DarkCoderSc this guy is really 'dark'):
Xash.png

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Post by Xylitol » Sat Jan 07, 2012 12:02 am

Some other 1.2 samples.


http://ekin0x.hack-free.net/King/
Application.exe: 1/43 >> 2.3%
http://www.virustotal.com/file-scan/rep ... 1325894428
FUD.exe: 13/43 >> 30.2%
http://www.virustotal.com/file-scan/rep ... 1325893404
server1.exe: 2/43 >> 4.7%
http://www.virustotal.com/file-scan/rep ... 1325893343
---


http://sakiir-hosting.eu/VertexPanel/
Application.exe: 5/43 >> 11.6%
http://www.virustotal.com/file-scan/rep ... 1325892351
CryptedTest.exe: 22/43 >> 51.2%
http://www.virustotal.com/file-scan/rep ... 1325892486
uncrypted.exe: 31/43 >> 72.1%
http://www.virustotal.com/file-scan/rep ... 1325892910
vertex-1-.exe: 32/43 >> 74.4%
http://www.virustotal.com/file-scan/rep ... 1325892910

---
By adding '/upload/' to the URLs you can find more.
The file stealer.exe found on sakiir-hosting.eu leads to an iStealer panel at:


http://sakir.hack-free.net/Stealer/
Searching for info about this 'sakiir':


Steam account: http://steamcommunity.com/id/Sakiir (Steam ID: STEAM_0:0:36928960)
Mail:  wawandup@gmail.com
YouTube accounts: (really a lot) sakiirbrozz352, sakiirbrozz288, etc.
Profiles:
http://www.hackhound.org/forum/user/27927-sakiir/
http://piratologie.org/user-4196.html
http://www.the-s.fr/forum/index.php?/topic/442-presentation-de-sakiir/
http://hackforums.net/archive/index.php/thread-909206-62.html

It seems he also has some connections with French racist guys (is sakiir a racist?),
like: http://steamcommunity.com/id/londale_faf (Steam ID: STEAM_0:0:30953450)
screen here: http://i.imgur.com/CvI6H.png

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Post by Xylitol » Fri Jan 20, 2012 5:13 pm

C&C:


http://www.cythisia-botdigz.azok.org/Web%20Panel/upload/
https://www.virustotal.com/file/0f64335 ... /analysis/

CTurt
Posts: 1
Joined: Mon Apr 27, 2015 5:03 pm
Contact:

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

Post by CTurt » Sat May 09, 2015 9:29 am

I did an analysis of the executable attached to the first post of this thread:

http://cturt.github.io/vertex-net.html

I'm a beginner to malware analysis so I may have placed too much emphasis on simple details, but hopefully it is useful to others who are also new.
