Linux/DDOSTF

unixfreaxjp · Post by **unixfreaxjp** » Tue Jan 05, 2016 7:01 am

Analysis: http://blog.malwaremustdie.org/2016/01/ ... ndows.html
Samples:
https://www.virustotal.com/en/file/4074 ... 451976226/
https://www.virustotal.com/en/file/01a4 ... /analysis/

unixfreaxjp · Post by **unixfreaxjp** » Tue Jan 05, 2016 5:54 pm

Older version was spotted in virus total, thanks to Michal Malik for informing.
Sample: https://www.virustotal.com/en/file/98a0 ... /analysis/
Added new comment for older version and hidden cnc http://blog.malwaremustdie.org/2016/01/ ... tml#oldver
cnc:

Code: Select all

(hostname basis) balei.f3322.org, port: 6666
  {
  "ip": "222.186.34.143",
  "city": "Nanjing",
  "region": "Jiangsu Sheng",
  "country": "CN",
  "org": "AS23650 AS Number for CHINANET jiangsu province backbone"
  "prefix:" "222.186.34.0/23"
}

Post by **benkow_** » Tue Jan 12, 2016 7:49 am

2 sample ELF + 1 PE:
yummi: https://www.virustotal.com/fr/file/71f4 ... 452584836/
IP: https://www.virustotal.com/fr/file/33b6 ... 452584904/
8888.exe (infected by Ramnit): https://www.virustotal.com/fr/file/5707 ... 452584811/

Infection vector: Elasticsearch
attached

unixfreaxjp · Post by **unixfreaxjp** » Fri Apr 08, 2016 2:46 pm

Recent 2 ELF and 2 PE samples:
https://www.virustotal.com/en/file/d9d3 ... 460109289/
https://www.virustotal.com/en/file/c907 ... 460111745/
https://www.virustotal.com/en/file/4c56 ... 460115917/
https://www.virustotal.com/en/file/68a4 ... 460125835/

It's from this panel in Hongkong (On clean up now)

The typical loops used for attacks in the Win32 PE samples I reversed as below, can be used as indicator:

KernelMode.info

Linux/DDOSTF

Linux/DDOSTF

Re: Linux/DDOSTF

Re: Linux/DDOSTF

Re: Linux/DDOSTF