Linux/dtool

Forum for analysis and discussion about malware.

Linux/dtool

Postby unixfreaxjp » Tue Sep 29, 2015 8:17 pm

Just another IRC bot, used by skids. Found in some infected routers. in MIPS
Image
Source:
Image
CNC: 192.121.166.179:6969 (a lame IRCd, in AS20860 Lomart, United Kingdom), seems the actors are the GayFagotties malware skiddies *ewwl*
VT detection is zero now, but not anymore after this 8-)
https://www.virustotal.com/en/file/b320 ... /analysis/
sample found by @TechHelpList (thx!)
Image
I guess no one has the sigs yet (VT=0), therefore I post here to help. Below the extracted strings.
For specific one that can be used as sig see above VT comment.
Code: Select all
.rodata:0x0408C90 C HTTPFLOOD
.rodata:0x0408C9C C TCPFLOOD
.rodata:0x0408CA8 C UDPFLOOD
.rodata:0x0408CB4 C AUTH
.rodata:0x0408CBC C RAW
.rodata:0x0408CC0 C EXEC
.rodata:0x0408CC8 C CHSERVER
.rodata:0x0408CD4 C STOP
.rodata:0x0408CDC C RESTART
.rodata:0x0408CE4 C QUIT
.rodata:0x0408CEC C LOGOUT
.rodata:0x0408CF4 C Invalid number of arguments: %d\n
.rodata:0x0408D18 C 192.121.166.179
.rodata:0x0408D28 C #boat
.rodata:0x0408D34 C Hostname: %s\n
.rodata:0x0408D44 C dtool
.rodata:0x0408D4C C 127.0.0.1
.rodata:0x0408D58 C socket()
.rodata:0x0408D64 C Connecting to %s:%u.\n
.rodata:0x0408D7C C connect()
.rodata:0x0408D88 C PASS %s
.rodata:0x0408D90 C NICK %s\nUSER %s 8 * :%s
.rodata:0x0408DA8 C read()
.rodata:0x0408DB8 C Restart failed: %s\n
.rodata:0x0408DCC C JOIN %s %s
.rodata:0x0408DD8 C NICK %s
.rodata:0x0408DE0 C PRIVMSG
.rodata:0x0408DE8 C NOTICE
.rodata:0x0408DF0 C PING
.rodata:0x0408DF8 C PONG :%s
.rodata:0x0408E04 C PART
.rodata:0x0408E0C C KICK
.rodata:0x0408E14 C %s%s
.rodata:0x0408E20 C PRIVMSG %s :[%s] %s
.rodata:0x0408E34 C Usage: HTTPFLOOD
.rodata:0x0408E46 C host
.rodata:0x0408E4D C port
.rodata:0x0408E54 C file
.rodata:0x0408E5B C size (in MB)
.rodata:0x0408E6A C connections
.rodata:0x0408E78 C timeout (seconds)
.rodata:0x0408E8C C delay (milliseconds)
.rodata:0x0408EA4 C ERROR; return code from pthread_create() is %d\n
.rodata:0x0408ED4 C PRIVMSG %s :[%s] Erroneus return code from pthread_create() => %d
.rodata:0x0408F18 C PRIVMSG %s :[%s] {HTTPFLOOD} Started consuming data from host %s on port %d getting file %s (%s)
.rodata:0x0408F7C C Usage: TCPFLOOD
.rodata:0x0408F8D C host
.rodata:0x0408F94 C port
.rodata:0x0408F9B C packetsize
.rodata:0x0408FA8 C size (in MB)
.rodata:0x0408FB7 C connections
.rodata:0x0408FC5 C timeout (seconds)
.rodata:0x0408FD9 C delay (milliseconds)
.rodata:0x0408FF0 C PRIVMSG %s :[%s] {TCPFLOOD} Started sending tcp data to host %s on port %d (%s)
.rodata:0x0409040 C Usage: UDPFLOOD
.rodata:0x0409051 C host
.rodata:0x0409058 C port
.rodata:0x040905F C packetsize
.rodata:0x040906C C size (in MB)
.rodata:0x040907B C connections
.rodata:0x0409089 C delay (miliseconds)
.rodata:0x04090A0 C PRIVMSG %s :[%s] {UDPFLOOD} Started sending udp data to host %s on port %d (%s)
.rodata:0x04090F0 C Usage: RAW
.rodata:0x04090FC C command
.rodata:0x0409108 C PRIVMSG %s :[%s] {RAW} Executing command: %s (%s)
.rodata:0x0409140 C PRIVMSG %s :[%s] {QUIT} %s (%s)
.rodata:0x0409160 C QUIT :%s
.rodata:0x040916C C attack stoped
.rodata:0x040917C C no running attack
.rodata:0x0409190 C PRIVMSG %s :[%s] {STOP} Stop command -> %s (%s)
.rodata:0x04091C0 C PRIVMSG %s :[%s] {RESTART} (%s)
.rodata:0x04091E0 C Usage: EXEC
.rodata:0x04091ED C command
.rodata:0x04091F8 C PRIVMSG %s :[%s] {EXEC} Executing command: %s (%s)
.rodata:0x040922C C %s 2>&1
.rodata:0x0409238 C PRIVMSG %s :[%s] Unable to execute command
.rodata:0x0409264 C PRIVMSG %s :%s
.rodata:0x0409274 C PRIVMSG %s :[%s] Error occured while closing the pipe
.rodata:0x04092AC C Usage: AUTH
.rodata:0x04092B9 C password
.rodata:0x04092C8 C on
.rodata:0x04092CC C PRIVMSG %s :[%s] {AUTH} User %s!%s@%s logged in
.rodata:0x04092FC C Usage: CHSERVER
.rodata:0x040930D C host
.rodata:0x0409314 C port
.rodata:0x040931B C channel
.rodata:0x0409325 C [channel key]
.rodata:0x0409335 C [server pass]
.rodata:0x0409344 C PRIVMSG %s :[%s] {CHSERVER} Changing server: %s:%s (%s)
.rodata:0x040937C C PRIVMSG %s :[%s] {AUTH} User %s!%s@%s logged out
.rodata:0x04093B0 C GET %s HTTP/1.0\nHost: %s\n\n
.rodata:0x04093CC C PRIVMSG %s :[%s] Process finished => Total bytes read: %lld (%.2f MB), Total bytes sent: %lld (%.2f MB)
.rodata:0x0409434 C PRIVMSG %s :[%s] Total connections completed: %lu (%.2f%%), Total connections failed: %lu (%.2f%%)
.rodata:0x04094B0 C write()
.rodata:0x04094B8 C Error connecting: %s\n
.rodata:0x04094D0 C fcntl()
.rodata:0x04094D8 C Error in getsockopt() %d - %s\n
.rodata:0x04094F8 C Socket %d timed out after %d seconds\n
.rodata:0x0409520 C Connection timeout for socket: %d %s\n
.rodata:0x0409548 C Sent
.rodata:0x0409550 C Read
.rodata:0x0409558 C select()
.rodata:0x0409564 C hostname -f
.rodata:0x0409570 C Unable to get hostname\n
.rodata:0x0409588 C abcdefghijklmnopjrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
.rodata:0x04095C8 C gethostbyname()
.rodata:0x04095D8 C PRIVMSG %s :[%s] %s: %ld MB, Average speed: %ld KB/s\n
.rodata:0x0409610 C gettimeofday()

Nothing us is unusual. Protocol is plain and simple:
Code: Select all
HTTPFLOOD
TCPFLOOD
UDPFLOOD
AUTH
RAW
EXEC
CHSERVER
STOP
RESTART
QUIT
LOGOUT
It has the manual :mrgreen:
Code: Select all
(35): .rodata:0x0408E34 Usage: HTTPFLOOD
(46): .rodata:0x0408F7C Usage: TCPFLOOD
(55): .rodata:0x0409040 Usage: UDPFLOOD
(63): .rodata:0x04090F0 Usage: RAW
(72): .rodata:0x04091E0 Usage: EXEC
(79): .rodata:0x04092AC Usage: AUTH
(83): .rodata:0x04092FC Usage: CHSERVER

Really.. nothing special.. just follow the code, all in there to enjoy.
ps: this is shortcut to main to reverse..to save time in mipsel ep :P
Image
May add more details later ..if have time. Sample is attached, only one.
BTW↓ below is the dtool in action.. a courtessy from HackForum skids :lol:
Image
:P Some GayFagotties skids that responsible to this new malware, click to enlarge.
;) /* Warning! Spoilers */
Image
Image
Image
Image
Image
#MalwareMustDie!
You do not have the required permissions to view the files attached to this post.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/dtool

Postby EP_X0FF » Wed Sep 30, 2015 6:18 pm

All new Linux malware threads added to the list. GJ and keep up the hard work :)
Ring0 - the source of inspiration
User avatar
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571


Return to Malware

Who is online

Users browsing this forum: No registered users and 14 guests