Page 1 of 1

Linux/Pscan+SSHscan

Posted: Wed Sep 10, 2014 7:24 pm
by unixfreaxjp
This malware (until this post is written) always goes as a pair.
The basic information of this threat can be read here: http://blog.malwaremustdie.org/2014/05/ ... rooks.html
↑Will break down how the old & new version of pscan, and the sshscan works.

Pscan or often named as "scanner" is used for port scanning, used to detect SSH (mainly) or FTP services in WWW.

Code: Select all

int main(int argc, char *argv[])
{   int done = 0, i, cip = 1, bb = 0, ret, k, ns, x;
    time_t scantime;
    char ip[20], outfile[128], last[256];
    if (argc < 3)
    {   printf("Usage: %s <b-block> <port> [c-block]\n", argv[0]);
        exit(EXIT_FAILURE);  }
Some may think "pscan" is not a virus/malware, but from what I see, this tool is detected in compromised sites used by hackers to scan their next targets, PoC: https://www.youtube.com/watch?v=G4DWqejmnp0
Sample I shared in VT are below:
https://www.virustotal.com/en/file/50bd ... 400800455/
https://www.virustotal.com/en/file/4422 ... /analysis/

And SSHscan or often named as "scan" or "attack" (etc) is used to attack the login with brute logic.
Samples are:
https://www.virustotal.com/en/file/0d96 ... 408969125/
https://www.virustotal.com/en/file/93df ... 400804192/

I uploaded here 2 samples of pscan and more samples of sshscan for the fellow researchers to help study the ELF threat deeper.

Code: Select all

// pscan (port scanner)
MD5 (pscan) = cbe22cc5e72ef0d02429def557d504f5
MD5 (pscan2) = b3eb1ec8094fa10169dba7a8bd1a97f1

//ssh-scan (SSH bruter)
MD5 (scanssh) = ab106d75a3b87641937d5a8891abc8ce
MD5 (scanssh2) = dc88de3fb0b1a52c0706446dc089b7a8
MD5 (ssh-scan) = a213ebd69fbc11d612d0374b373f65d8
MD5 (ssh-scan2) = a213ebd69fbc11d612d0374b373f65d8
MD5 (ssh2) = 100c0e553fe7eebcd76c2e3934aae8a0
If you happen finding the similar samples, please kindly help our ELF research by uploading yours.
malwaremustdie.org