A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23854  by unixfreaxjp
 Wed Sep 10, 2014 7:24 pm
This malware (as of the time this post is written) always comes as a pair.
The basic information on this threat can be read here: http://blog.malwaremustdie.org/2014/05/ ... rooks.html
↑ This will break down how the old and new versions of pscan, and sshscan, work.

Pscan, often named "scanner", is used for port scanning to detect SSH (mainly) or FTP services on the WWW.
```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
int main(int argc, char *argv[])
{
    int done = 0, i, cip = 1, bb = 0, ret, k, ns, x;
    time_t scantime;
    char ip[20], outfile[128], last[256];
    if (argc < 3) {   /* needs at least the b-block (/16) and the port to scan */
        printf("Usage: %s <b-block> <port> [c-block]\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    return 0;   /* the scanning loop that follows in the source is not shown in the post */
}
```
Some may think "pscan" is not a virus/malware, but from what I see, this tool is detected on compromised sites, used by hackers to scan their next targets. PoC: https://www.youtube.com/watch?v=G4DWqejmnp0
Samples I shared on VT are below:
https://www.virustotal.com/en/file/50bd ... 400800455/
https://www.virustotal.com/en/file/4422 ... /analysis/

And SSHscan, often named "scan" or "attack" (etc.), is used to attack the login with brute-force logic.
Samples are:
https://www.virustotal.com/en/file/0d96 ... 408969125/
https://www.virustotal.com/en/file/93df ... 400804192/

I uploaded here 2 samples of pscan and more samples of sshscan for fellow researchers, to help study the ELF threat more deeply.
```
// pscan (port scanner)
MD5 (pscan) = cbe22cc5e72ef0d02429def557d504f5
MD5 (pscan2) = b3eb1ec8094fa10169dba7a8bd1a97f1

// ssh-scan (SSH bruter)
MD5 (scanssh) = ab106d75a3b87641937d5a8891abc8ce
MD5 (scanssh2) = dc88de3fb0b1a52c0706446dc089b7a8
MD5 (ssh-scan) = a213ebd69fbc11d612d0374b373f65d8
MD5 (ssh-scan2) = a213ebd69fbc11d612d0374b373f65d8
MD5 (ssh2) = 100c0e553fe7eebcd76c2e3934aae8a0
```
If you happen to find similar samples, please kindly help our ELF research by uploading yours.