Re: Malware collection

Posted: Fri Apr 08, 2016 5:36 pm
by ikolor

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Posted: Fri Apr 08, 2016 10:08 pm
by unixfreaxjp
Bashdoor or GayFgt, in crypted mode. ... 460150975/
CNC in Ecatel

Re: Malware collection

Posted: Sat Apr 09, 2016 3:05 pm
by benkow_
ikolor wrote: I'm the only one.

next ... 460136599/

Code:
buf: %s
Failed opening raw socket.
Failed setting raw headers mode.
Invalid flag "%s"
My IP: %s
Killed %d.
None Killed.
fork failed
%s 2>&1
GCC: (GNU) 4.1.2

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Posted: Tue Apr 12, 2016 3:39 am
by unixfreaxjp
Playing around with this new sample ... 05#pr28248 to find they just obfuscate the strings in the ELF. It's a pure standard torlus inside, encoded/string obfuscated, w/ stripped and no intel x86 samples... which is fine for all of us 8-)

To all good folks who battle this threat: this version's points of difference, for memo:
1. The forks were run before decrypt.
2. Syscalls stripped, but all are torlus' ones.
3. Some hint: aim at the args, which they never can hide.
4. Put them back together & you'll see torlus/lizkebab/gayfgt code as per it is.
5. Noted it is a different obfuscation method to what they did to the ELF STD bot that was previously spotted.

"Try harder kids!"

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Posted: Sat Apr 30, 2016 9:05 am
by unixfreaxjp
Some insights on this malware are posted additionally here: ... tml#gayfgt

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Posted: Mon May 02, 2016 3:45 pm
by unixfreaxjp
Another GayFgt, "BadLuckJosh" (BLJ), an obfuscated modification in some function names and strings.
Made a video on how to dissect it more easily.
The reference for this particular "encrypted" type is here.
Sadly the plan works to fool AV products that aren't aware this version exists; make more sigs, guys!
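As an added example (not code from this thread or from any poster), a small Python string-signature scanner built from the plain-text strings benkow_ dumped earlier in the thread for the unobfuscated torlus/gayfgt build; the two ELF-like blobs are constructed stand-ins, not real samples.

```python
import re

# Plain-text strings quoted in benkow_'s post above for the unobfuscated
# torlus/gayfgt (bashlite/gafgyt) client. Format specifiers are kept literally,
# since that is how they sit in the binary's .rodata.
GAFGYT_STRINGS = [
    b"buf: %s",
    b"Failed opening raw socket.",
    b"Failed setting raw headers mode.",
    b'Invalid flag "%s"',
    b"My IP: %s",
    b"Killed %d.",
    b"None Killed.",
    b"fork failed",
    b"%s 2>&1",
    b"GCC: (GNU) 4.1.2",  # compiler banner: shared by any GCC 4.1.2 build, weak alone
]

def find_gafgyt_strings(data):
    """Return the known strings that occur verbatim in data, in list order."""
    return [s for s in GAFGYT_STRINGS if s in data]

def score_sample(data, min_hits=4):
    """Count string hits; one hit (e.g. only the GCC banner) is not a verdict."""
    hits = find_gafgyt_strings(data)
    return {"hits": hits, "count": len(hits), "likely_gafgyt": len(hits) >= min_hits}

def printable_strings(data, min_len=4):
    """'strings'-style extraction of NUL-terminated printable ASCII runs.
    An ELF yielding almost none of these is the string-obfuscated build
    unixfreaxjp describes; this scanner misses it and the analyst has to
    fall back on the argument/syscall approach from that post."""
    pattern = rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len
    return [m.group(0) for m in re.finditer(pattern, data)]

# Constructed stand-ins for a file's .rodata (not real samples): ELF magic
# followed by NUL-terminated strings.
SAMPLE_GAFGYT = b"\x7fELF" + b"\x00" * 12 + b"".join(
    s + b"\x00" for s in [b"buf: %s", b"Failed opening raw socket.", b"My IP: %s",
                          b"Killed %d.", b"None Killed.", b"fork failed",
                          b"GCC: (GNU) 4.1.2"])
SAMPLE_BENIGN = b"\x7fELF" + b"\x00" * 12 + b"hello world\x00GCC: (GNU) 4.1.2\x00"

if __name__ == "__main__":
    for name, blob in (("constructed gafgyt", SAMPLE_GAFGYT), ("constructed benign", SAMPLE_BENIGN)):
        print(name, score_sample(blob))
```

To use it on a real file, pass `open(path, "rb").read()` to `score_sample`; the threshold is a starting point for a signature, not a classifier.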

Re: Malware collection

Posted: Thu May 05, 2016 4:14 pm
by ikolor

Re: Malware collection

Posted: Thu May 05, 2016 9:55 pm
by unixfreaxjp
Poked by @Xylit0l, I checked your sample, the PowerPC one.
It is what a young collective group of punk hacktivists (read: skiddos) who love to DDoS call it: Torlus or LizKebab or LizKaboob or Lizard Botnet or GayFgt (the coder loves using these words).
Good guys call it bashdoor, bashlite, GafGyt or similar.
The malware family is in the linux section: ... =16&t=3505
It first raised attention at the Shellshock 0day.

Your particular sample is aiming for a busybox router.

And it issues its spread/distribution effort via execution of tftp (a busybox router command).

The CNC is in < to be blocked.
And if you find this sample on infected routers (not a honeypot or some crook-related sites), the nearby segment which has busybox running on telnet should be checked first too. Just make sure they don't run the user/login names (red color) and passwords (purple color) as described in the picture above.

But the download center (spread script center, likely) is in a different IP address, downloading/exec'ing those {meow*} binaries, replacing busybox for the infection, and then deleting them.

GeoLocation for the infectors is from the known NL shitty networks:

Code:
29073 | | QUASINETWORKS | NL | | Ecatel LTD

The actor is known in some forum, for these specifics, as a part of this threat family.

Re: Malware collection

Posted: Fri May 06, 2016 1:56 am
by unixfreaxjp
ref: ... =60#p28247
This is actually an interesting sample, an unusual build. I have two reasons for it:
(1) This is the lizkebab/torlus/gayfgt personal version basis; not so many are using it since not many skiddos own this type. (2) In this ELF case the actor trimmed the telnet scanner brute credential data (assuming to disable it); below is the code snippet:
One should see the db array of text of the root account, login strings and password strings before the NULL, if it exists. These data are to be grabbed & used by the telnet scanner function.

The detection of the "personal version": I recognized it since I categorize samples of torlus/gayfgt found in the wild and check them case by case. Below is the disassembly data of this sample "b4e9af8e5fd11c94b68b7d13a75945af" on the main part, which shows the type of the client.c code that was used.

So this version works as a backdoor with DDoS functions. The reason the telnet scanner is disabled is maybe to avoid some IDS alarm on telnet scanning.

Judging by the network used as CNC, the actor "could be" the same as in this case ... 461#p28460, who is one of the crooks mentioned in here.

Re: Malware collection

Posted: Sat May 07, 2016 9:36 am
by ikolor
I'm not too familiar with analyzing malware code. But I had a scan of my system on port 23 from this IP