Linux/BillGates

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Sun Sep 21, 2014 9:08 am

Following the previous post http://www.kernelmode.info/forum/viewto ... 955#p23868, below are some PCAP characteristics of BillGates:

(1) Complete communication to CNC from initiation & receiving target's IP list:
https://lh6.googleusercontent.com/-Vf6c ... 46/005.png

(2) The above (1) broken down into packets sent/received:
https://lh3.googleusercontent.com/-u05M ... 12/006.png

(3) DDoS packet (UDP one) analyzed:
https://lh6.googleusercontent.com/-oc-n ... 76/007.png
unixfreaxjp

Sun Sep 21, 2014 1:28 pm

A 2-month-old sample spotted: https://www.virustotal.com/en/file/ab8f ... 411305213/
with its updater (downloader+installer): https://www.virustotal.com/en/file/295f ... 411305627/
↑ see the comment I wrote in VT for the installer.
unixfreaxjp

Sun Sep 21, 2014 8:50 pm

A fresh sample uploaded several hours ago by malware crooks:
Note: see how it names itself ethtool to pose as a utility.
VT (7/54): https://www.virustotal.com/en/file/854d ... 411330589/
CNC: 162.221.12.154:25000
It's currently sinkholed by: 162.221.12.0/24 | CLEAR-DDOS-AS | CA | CLEAR-DDOS.COM | CLEARDDOS TECHNOLOGIES (Sinkhole)

Below is the first packet sent to the CNC during initial communication; the CNC was already sinkholed beforehand, so no full initial communication could be established:

If you find any FRESH samples (please.. please don't send us old samples with a dead CNC), or URLs to download these ELFs, please PM me here or DM me at @malwaremustdie for mitigation coordination of this threat. Thank you in advance.
unixfreaxjp

Tue Sep 23, 2014 10:02 pm

Freshly built Linux/BillGates https://www.virustotal.com/en/file/b64b ... 411509418/
PoC:

Code:

0x080F1FF0 0x00E // 11CUpdateBill 
0x080F200C 0x00F // 12CUpdateGates  
0x080F2A3C 0x00F // /tmp/bill.lock  
0x080F5C53 0x010 // /tmp/gates.lock

Attack set:

Code:

11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
9CAttackIe
RSAs:

Code:

.rodata:0x080F2424 0x101 // 14BC88F8F4F502D88907B9085EBA3EA9E906C5D316067CEA69242F1D910E0CA19D1999C0ECD6BEC630764AD5DB96879D483F6C1B44E3F7A033DF51051660E4E5BB679D3C02F47B1E9940C904357AA976DD2C6ADA5998BD0817746FFB6C4D74948714DBC1A6A223900845135F7F03CD6A03631FA220A39F06B136700641193AD9
.rodata:0x080F2628 0x081 // 3AF43028DD9C86509C88A0F0629E7DC838AA707E756EBD78416AA17E5B10C022EE943F62A6FCDF507CB24178D044739EB676CE869D5C719A40BC38DADE461B1B
.rodata:0x080F282C 0x101 // 13D845472758A12E97B13953F10B062DDBE120BE626A46E07A1420917F330E15502C7CC7C3E73C9F1A3C180BA6BC962C1E63FACB22F836098A68B53A71850DC34ECF9A5937CC3DCA8923BC21C74223478A3AC3CADDEB9AA2706873F53D0A00B2B10EDC1569343A29BF4ED8EF9525F0487E45B5F958E52D53DCB8749F85124DCF
CNC:

Code:

183.60.205.183:23456
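The length-prefixed names in the PoC and attack-set dumps above are Itanium C++ ABI typeinfo strings (a decimal length followed by the class name), which makes them a cheap triage marker for a strings dump. As an added example, not code from this thread or from MalwareMustDie, here is a Python check that recovers such names from a NUL-separated .rodata dump and scores it against the class and lock-file names the post lists; the sample bytes are constructed and the verdict threshold is my own assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Class names listed in the post's "PoC" and "Attack set" dumps; the decimal
# prefix on the page is the Itanium C++ ABI typeinfo encoding <len><identifier>.
BILLGATES_CLASSES = {
    "CUpdateBill", "CUpdateGates", "CAttackBase", "CPacketAttack", "CAttackUdp",
    "CAttackSyn", "CAttackIcmp", "CAttackDns", "CAttackAmp", "CAttackPrx",
    "CAttackCompress", "CTcpAttack", "CAttackCc", "CAttackIe",
}
BILLGATES_PATHS = {b"/tmp/bill.lock", b"/tmp/gates.lock"}  # also from the post

MANGLED_RE = re.compile(rb"(\d{1,3})([A-Za-z_][A-Za-z0-9_]*)")

def demangle_typeinfo_names(blob: bytes) -> list[str]:
    """Recover identifiers from <len><identifier> tokens whose length checks out."""
    names = []
    for m in MANGLED_RE.finditer(blob):
        n, ident = int(m.group(1)), m.group(2)
        if 0 < n <= len(ident):          # "99FooBar" (99 > 6 chars) is rejected
            names.append(ident[:n].decode("ascii"))
    return names

@dataclass
class Triage:
    classes: list[str] = field(default_factory=list)
    paths: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Threshold is an assumption for this example, not a published rule.
        if len(self.classes) >= 3 or (self.classes and self.paths):
            return "likely BillGates"
        return "no BillGates markers"

def triage_rodata(blob: bytes) -> Triage:
    """Score a NUL-separated .rodata string dump against the post's markers."""
    found = demangle_typeinfo_names(blob)
    classes = sorted({c for c in found if c in BILLGATES_CLASSES})
    paths = sorted(p.decode() for p in BILLGATES_PATHS if p in blob)
    return Triage(classes, paths)

# Constructed stand-in for a strings dump of .rodata; not bytes from any real sample.
SAMPLE_RODATA = b"\x00".join([
    b"libc.so.6", b"ethtool", b"11CUpdateBill", b"12CUpdateGates", b"/tmp/bill.lock",
    b"10CAttackUdp", b"10CAttackSyn", b"9CAttackCc", b"99FooBar", b"3Foo", b"0x080F1FF0",
])
BENIGN_RODATA = b"\x00".join([b"libc.so.6", b"3Foo", b"GCC: (GNU) 4.8"])
```

Run `triage_rodata(SAMPLE_RODATA).verdict` on a real dump produced by `strings -n 3` to get the same scoring; hex address tokens like `0x080F1FF0` fail the length check and are ignored.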
unixfreaxjp

Wed Sep 24, 2014 4:14 am

Linux/DDoS sample from 3 weeks ago with CNC still alive :roll: https://www.virustotal.com/en/file/7829 ... 411530968/ < packed
CNC domain vipy.f3322.org
IP/Port: 120.210.204.102:36000
Nothing special.
unixfreaxjp

Mon Sep 29, 2014 11:16 pm

This malware was uploaded to the panel on Sept 9th, 2014.
VT: 17/55 https://www.virustotal.com/en/file/710a ... 412031254/ not bad.

Code:

CNC = 447556707.com
Callback IP: Port = 121.42.12.57:8558
Loc = 121.42.12.57||37963 | 121.42.0.0/18 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD
unixfreaxjp

Wed Oct 01, 2014 3:25 am

Distributed via Shellshock. VT: https://www.virustotal.com/en/file/e242 ... 412133130/
This sample is not using a domain (blank) as CNC but an IP address: 204.41.234.23:36001 < sinkholed ;))
#MalwareMustDie!!
unixfreaxjp

Thu Oct 02, 2014 2:31 pm

A panel with these three ELF binaries was found:
VT:
https://www.virustotal.com/en/file/2b80 ... 412258290/
https://www.virustotal.com/en/file/2b82 ... 412258871/
https://www.virustotal.com/en/file/7d45 ... 412259627/
All lead to the same CNC & ports:

Code:

98.126.127.183:25000
More details in the VT comment I wrote.
Findings credit: @leonvdijk
#MalwareMustDie
unixfreaxjp

Thu Oct 02, 2014 4:22 pm

New panels! :D These crooks will not stand a chance against all Infosec ppl scanning their network now :lol:
x32/linux: https://www.virustotal.com/en/file/4870 ... 412192527/
x32/linux: https://www.virustotal.com/en/file/7bcf ... 412192617/
x32 FreeBSD: https://www.virustotal.com/en/file/ab34 ... 412193094/
I'll decode the cnc after resting a while ;) Feel free to decode & post it!
#MalwareMustDie!
unixfreaxjp

Fri Oct 03, 2014 3:37 am

About: http://www.kernelmode.info/forum/viewto ... =20#p24037
Decoding this sample: https://www.virustotal.com/en/file/4870 ... 412303984/ and https://www.virustotal.com/en/file/7bcf ... 412303565/ only.
The CNC is a domain, not an IP address. Info:

Code:

Domain: www.bw110x.com
IP & ports: 124.173.116.183:1352
PoC up and alive: TCP MMD-BANG-YOU-AGAIN:56798->124.173.116.183:lotusnote (ESTABLISHED)
location: ASN: 4134 | 124.172.0.0/15 | CHINANET | CN | SZGWBN.NET.CN | WORLD CROSSING TELECOM (GUANGZHOU) LTD.
#MalwareMustDie!