Page 4 of 5

Re: Malware collection

Posted: Fri Apr 08, 2016 5:36 pm
by ikolor

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Posted: Fri Apr 08, 2016 10:08 pm
by unixfreaxjp
Bashdoor, or GayFgt, in encrypted mode.
https://www.virustotal.com/en/file/b911 ... 460150975/
CNC in Ecatel: 93.174.95.55:80
Image

Re: Malware collection

Posted: Sat Apr 09, 2016 3:05 pm
by benkow_
ikolor wrote: I'm the only one.


next
https://www.virustotal.com/en/file/35fa ... 460136599/
GAYFGT

Code:

89.248.162.146:179
(null)
buf: %s
/bin/sh
/proc/cpuinfo
BOGOMIPS
PING
:>%$#
%d.%d.%d.%d
%d.%d.%d.0
Failed opening raw socket.
Failed setting raw headers mode.
Invalid flag "%s"
GETLOCALIP
My IP: %s
HOLD
JUNK
KILLATTK
Killed %d.
None Killed.
LOLNOGTFO
8.8.8.8
/proc/net/route
	00000000	
[cpuset]
fork failed
FAILED TO CONNECT
PONG
%s 2>&1
LINK CLOSED
/dev/null
CAk[S
GCC: (GNU) 4.1.2
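
The command strings in the dump above (PING/PONG, HOLD, JUNK, KILLATTK, LOLNOGTFO, GETLOCALIP, the /proc/net/route read with its "\t00000000\t" default-route marker) are stable across Gafgyt/Torlus builds, so they make a usable triage signature. The following is an added example, not code from this thread or from the bot's source: it scores a blob against those exact tokens, pulls ip:port literals (the C2 in these bots), and parses the /proc/net/route line the GETLOCALIP handler looks for. The sample blob and route table are constructed here, not real captures.

```python
# Added triage example (not code from the thread): score a blob against the
# Gafgyt/Torlus command strings in the dump above, pull ip:port literals such
# as the C2, and parse the /proc/net/route line the bot looks for (the
# "\t00000000\t" string) when answering GETLOCALIP.
import re
import socket
import struct

# Command and feature strings copied from the strings dump posted above.
GAFGYT_TOKENS = (
    b"PING", b"PONG", b"HOLD", b"JUNK", b"KILLATTK", b"LOLNOGTFO", b"GETLOCALIP",
    b"/proc/cpuinfo", b"BOGOMIPS", b"/proc/net/route",
    b"Failed opening raw socket.", b"FAILED TO CONNECT", b"LINK CLOSED",
)

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_IP_PORT = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?![\d.])")


def extract_strings(data):
    """Printable ASCII runs of four or more bytes, like `strings -n 4`."""
    return _ASCII_RUN.findall(data)


def gafgyt_hits(data):
    """Known command tokens that occur as whole strings in the blob."""
    found = set(extract_strings(data))
    return [t.decode() for t in GAFGYT_TOKENS if t in found]


def ip_ports(data):
    """All syntactically valid ip:port literals; in these bots that is the C2."""
    out = []
    for ip, port in _IP_PORT.findall(data):
        if max(int(o) for o in ip.split(b".")) <= 255 and 0 < int(port) <= 65535:
            out.append((ip.decode(), int(port)))
    return out


def classify(data, min_hits=6):
    """Crude verdict: enough distinct command strings plus a C2 literal."""
    hits = gafgyt_hits(data)
    c2 = ip_ports(data)
    if len(hits) >= min_hits and c2:
        return "gafgyt-like", hits, c2
    return "inconclusive", hits, c2


def default_route(route_text):
    """Return (iface, gateway) for the 00000000 destination in /proc/net/route.
    Gateway is a little-endian hex word, so 0101A8C0 is 192.168.1.1."""
    for line in route_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "00000000":
            gw = socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))
            return fields[0], gw
    return None


# Constructed stand-in for an unpacked sample: a fake ELF header followed by
# NUL-separated literals copied from the dump above.  Not a real binary.
SAMPLE_BLOB = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x00".join([
    b"89.248.162.146:179", b"(null)", b"buf: %s", b"/bin/sh", b"/proc/cpuinfo",
    b"BOGOMIPS", b"PING", b":>%$#", b"%d.%d.%d.%d", b"Failed opening raw socket.",
    b"GETLOCALIP", b"HOLD", b"JUNK", b"KILLATTK", b"LOLNOGTFO", b"8.8.8.8",
    b"/proc/net/route", b"\t00000000\t", b"FAILED TO CONNECT", b"PONG",
    b"LINK CLOSED", b"/dev/null", b"GCC: (GNU) 4.1.2",
]) + b"\x00"

# Constructed /proc/net/route content (tab separated, as the kernel prints it).
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
)

if __name__ == "__main__":
    verdict, hits, c2 = classify(SAMPLE_BLOB)
    print(verdict, len(hits), "tokens, C2:", c2)
    print("default route:", default_route(SAMPLE_ROUTE))
```

This only works on samples whose strings are in the clear; the obfuscated builds discussed later in the thread need the strings decoded first, after which the same scoring applies. The min_hits threshold of 6 is an assumption chosen so that a single shared string such as /bin/sh or 8.8.8.8 does not trigger a verdict.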

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Posted: Tue Apr 12, 2016 3:39 am
by unixfreaxjp
Playing around with this new sample http://www.kernelmode.info/forum/postin ... 05#pr28248 to find that they just obfuscate the strings in the ELF. It's pure standard torlus inside, encoded/string-obfuscated, stripped, and no intel x86 samples... which is fine for all of us 8-)

To all good folks who battle this threat, this version's points of difference, for the memo: 1. the fork is run before the decrypt; 2. syscalls are stripped, but all are torlus' ones; 3. some hint: aim at the args, which they can never hide; 4. put them back together and you'll see the torlus/lizkebab/gayfgt code as it is; 5. noted that it is a different obfuscation method from what they did to the ELF STD bot that was previously spotted.

"Try harder kids!"

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Posted: Sat Apr 30, 2016 9:05 am
by unixfreaxjp
Some additional insights into this malware are posted here:
http://blog.malwaremustdie.org/2016/02/ ... tml#gayfgt

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Posted: Mon May 02, 2016 3:45 pm
by unixfreaxjp
Another GayFgt, "BadLuckJosh" (BLJ): an obfuscated modification of some function names and strings.
Made a video on how to dissect it more easily.
The reference for this particular "encrypted" type is here.
Sadly the plan works to fool AV products that aren't aware this version exists; make more sigs, guys!
Image

Re: Malware collection

Posted: Thu May 05, 2016 4:14 pm
by ikolor

Re: Malware collection

Posted: Thu May 05, 2016 9:55 pm
by unixfreaxjp
Hello.
Poked by @Xylit0l, I checked your sample, the powerpc one.
It is what the young collective group of punk hacktivists (read: skiddos) who love to ddos call Torlus, LizKebab, LizKaboob, Lizard Botnet or GayFgt (the coder loves using these words);
good guys call it bashdoor, bashlite, GafGyt or similar.
The malware family is in the linux section: http://www.kernelmode.info/forum/viewto ... =16&t=3505
It first raised attention with the shellshock 0day.

Your particular sample is aiming for busybox routers
Image

And it issues its spread/distribution effort via execution of tftp (a busybox router command).

The CNC is at 89.248.162.167:121 < to be blocked.
And if you find this sample on infected routers (not a honeypot or some crook-related sites), the nearby segment that has busybox running on telnet should be checked first too. Just make sure they don't use the user/login names (red) and passwords (purple) described in the picture above.

But the download center (likely the spread script center) is at a different IP address, 93.174.95.38, downloading/executing those {meow*} binaries, replacing busybox for the infection, then deleting them.
Image

GeoLocation for the infectors is the known NL shitty networks:

Code:

89.248.162.167|no-reverse-dns-configured.com.|29073 | 89.248.160.0/21 | QUASINETWORKS | NL | ecatel.net | Ecatel LTD
93.174.95.38||29073 | 93.174.88.0/21 | QUASINETWORKS | NL | ecatel.net | Ecatel LTD
The actor is known on some forums, for these specifics, as part of this threat family.

Re: Malware collection

Posted: Fri May 06, 2016 1:56 am
by unixfreaxjp
ref: http://www.kernelmode.info/forum/viewto ... =60#p28247
This is actually an interesting sample, an unusual build. I have two reasons for that:
(1) this is the lizkebab/torlus/gayfgt personal-version basis; not so many are using it since not many skiddos own this type. (2) in this ELF's case the actor trimmed the telnet scanner's brute-force credential data (assumed to disable it). Below is the code snippet:
Image
One should see the db array of text for the root account, login strings and password strings before the NULL, if it exists. These data are grabbed and used by the telnet scanner function.

I recognized this as the "personal version" since I categorize samples of torlus/gayfgt found in the wild and check them case by case. Below is the disassembly data of this sample "b4e9af8e5fd11c94b68b7d13a75945af" on the main part, which shows the type of client.c code that was used.
Image

So this version works as a backdoor with ddos functions. The reason the telnet scanner is disabled is maybe to avoid some IDS alarm on telnet scanning.

Judging by the network used as CNC, the actor "could be" the same as in this case http://www.kernelmode.info/forum/viewto ... 461#p28460, one of the crooks mentioned in here.
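
The "trimmed credential table" check described in this post can be scripted for bulk triage. The following is an added example, not the poster's code and not the bot's source: it walks the NUL-separated literals in .rodata starting at the "root" entry and reports whether a usable wordlist is still present. The layout assumption (login and password literals adjacent, each NUL terminated, table ending in a longer NUL run) and the sample fragments are constructed for illustration, not taken from a real sample.

```python
# Added heuristic (example code, not from the thread or the bot's source) for
# the "trimmed credential table" case described above.  Assumption: the telnet
# scanner's login and password literals sit next to each other in .rodata, each
# NUL terminated, starting with the "root" entry and ending in a longer NUL run.
import re

# One NUL-terminated literal (printable, no spaces, up to 20 bytes) followed by
# at most four NULs; a longer NUL run ends the table.
_TOKEN = re.compile(rb"([\x21-\x7e]{1,20})\x00{1,4}")


def credential_table(data, anchor=b"\x00root\x00"):
    """Literals in .rodata order starting at the first NUL-bounded 'root'."""
    start = data.find(anchor)
    if start < 0:
        return []
    pos = start + 1  # skip the leading NUL, land on the 'r'
    tokens = []
    while True:
        m = _TOKEN.match(data, pos)
        if m is None:
            break
        tokens.append(m.group(1).decode("ascii", "replace"))
        pos = m.end()
    return tokens


def scanner_state(data, min_entries=3):
    """Verdict on whether the telnet brute-forcer still has a usable wordlist."""
    table = credential_table(data)
    if not table:
        return "no credential table found"
    if len(table) < min_entries:
        return "credential table trimmed (telnet scanner likely disabled)"
    return "credential table present (%d entries)" % len(table)


# Constructed .rodata fragments; not real samples.  In the full table "root\0"
# is followed by the empty "\0" entry, hence the run of four NULs after it.
FULL_TABLE = (b"\x00\x00root\x00\x00\x00\x00admin\x00\x00user\x00\x00login\x00\x00"
              b"guest\x00\x00toor\x00\x00" + b"\x00" * 8 + b"GCC: (GNU) 4.1.2\x00")
TRIMMED_TABLE = b"\x00\x00root\x00" + b"\x00" * 8 + b"GCC: (GNU) 4.1.2\x00"

if __name__ == "__main__":
    for name, blob in (("full", FULL_TABLE), ("trimmed", TRIMMED_TABLE)):
        print(name, credential_table(blob), "->", scanner_state(blob))
```

The anchor is deliberately NUL-bounded so that "root" inside a longer string (a path, a format string) is not mistaken for the table start; on a stripped build with merged string constants the walk may still pick up unrelated short literals, so treat the verdict as a pointer to the disassembly, not a final answer.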

Re: Malware collection

Posted: Sat May 07, 2016 9:36 am
by ikolor
I'm not too familiar with analyzing malware code. But I had my system scanned on port 23 from this IP: 93.174.93.50