A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#26859 by unixfreaxjp, Thu Oct 01, 2015 1:01 pm
theKestrel wrote:
IF anybody needs the deconstructed IDB please see the article here. I probably know the most about this malware and have been following it for months now. http://blog.cari.net/carisirt-defaultin ... -1-r0_bot/
Information was known BEFORE you posted. Instead of posting that: you have 65 routers RIGHT NOW in your country infecting each other, go and get us help on that!
#26861 by theKestrel, Thu Oct 01, 2015 2:17 pm
unixfreaxjp wrote:
theKestrel wrote:
IF anybody needs the deconstructed IDB please see the article here. I probably know the most about this malware and have been following it for months now. http://blog.cari.net/carisirt-defaultin ... -1-r0_bot/
Information was known BEFORE you posted. Instead of posting that: you have 65 routers RIGHT NOW in your country infecting each other, go and get us help on that!
Hey bud, shoot me a PM. We need to talk about this. It's a bit more complicated than you think. And actually I've been notifying orgs one by one and helping them learn about the infection. I've been notifying folks for two months now.

So the question is: will you help me do this RIGHT?
#26867 by theKestrel, Fri Oct 02, 2015 4:41 am
unixfreaxjp wrote:
theKestrel wrote:
CC was taken down August 7th. I have coredumps of communication prior to that as well as pcaps.
Zach W.
If the CNC was down in Aug 2015, what infection am I seeing on Sept 29th 2015 then?? The malware name matched (same), and so do the MO & symptoms. I was referring to the Dr Web write-up but didn't have much to see there, which is why I started analysing this.

The infector was coming from a different network segment than the targeted network here..
And I think I am talking of the epidemic on routers. Elaborate on your current status pls & share your data; people are suffering here.
We cannot install AV on routers, so any preventive effort has to be done soon.

FYI, US-based routers are the victims, Denver to Nebraska. AirOS mostly.
I look forward to your reply - #MalwareMustDie
This malware is much more than that. The binary has everything it needs to spread within itself. As long as one node is running, everybody can still be re-infected. Do not go around and change people's passwords. That does jack in solving this problem and makes a legit response difficult. It's already being handled. When this thing hit in July, there were 60k bots. In just 4 weeks, we got it under 25. So whatever you are doing to "clean this up": stop. It's not helping. My team has been tackling this the right way from day one.
#26929 by unixfreaxjp, Mon Oct 12, 2015 4:39 am
theKestrel wrote:
Do not go around and change people's passwords. That does jack in solving this problem and makes a legit response difficult. It's already being handled. When this thing hit in July, there were 60k bots. In just 4 weeks, we got it under 25. So whatever you are doing to "clean this up": stop. It's not helping. My team has been tackling this the right way from day one.
Nope, we don't change any passwords; we haven't even taken any action yet. But we observed that the crooks were following successfully infected devices and went into the routers via the backdoor after they got infected. So most of the "owned" routers are not on default passwords anymore. Please note this fact; this is what has happened now.
They then implemented the malicious DNAT routing as a 2-tier proxy for another Windows-based payload malware, for the stealer campaign via spam. We have at least 500 nodes recorded as infected, with 100+ currently online (was 65), serving as malware download proxies infecting worldwide.

If you want to handle this internally you'd better move soon. It's not only a US problem, since the malware proxied by those routers is hitting worldwide here. And most of the proxy routers used are US ones. The Windows malware served by those proxy routers is Upatre/Dyre.
theKestrel wrote:
Hey bud, shoot me a PM. We need to talk about this. It's a bit more complicated than you think. And actually I've been notifying orgs one by one and helping them learn about the infection. I've been notifying folks for two months now. So the question is: will you help me do this RIGHT?
PM is fine. Feel free to PM me at will.
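The post above describes compromised routers carrying malicious DNAT rules that relay traffic to an outside host. As an added illustration (not from any poster in this thread, and not tied to a specific router firmware), this shell function scans rules in iptables-save format and reports DNAT entries whose target lies outside a given LAN prefix; the rule dump is constructed for the example, and 203.0.113.45 is a documentation-range placeholder.

```shell
# Constructed iptables-save excerpt: one ordinary LAN port forward and one
# DNAT rule that sends inbound port 80 traffic to an external address.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:8080
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 203.0.113.45:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print every DNAT rule whose --to-destination does not start with the LAN
# prefix. $1: rule text in iptables-save format, $2: LAN prefix (e.g. 192.168.).
# On a real device the first argument would come from `iptables-save -t nat`.
suspicious_dnat() {
    printf '%s\n' "$1" | grep -- '-j DNAT' | while IFS= read -r rule; do
        target=${rule##*--to-destination }   # keep the part after the option
        target=${target%%:*}                 # drop the :port suffix
        case "$target" in
            "$2"*) ;;                        # forwards into the LAN: expected
            *) printf '%s\n' "$rule" ;;      # forwards off-net: relay candidate
        esac
    done
}

suspicious_dnat "$SAMPLE_RULES" 192.168.
```

A rule that sends inbound traffic to an address outside the LAN is the signature of the relay setup described in the post and is worth reviewing against the device's intended configuration.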
#29097 by jioushizhu, Thu Aug 25, 2016 10:26 am
Found in a Lenovo newifi router in China.
There are two files, recheck and good2, that I did not upload, which are the IP and password.
muma.rar
#29104 by jioushizhu, Fri Aug 26, 2016 5:25 am
Found in the equipment of China Telecom.
arm.rar
#29105 by tWiCe, Fri Aug 26, 2016 8:34 am
jioushizhu wrote:
Found in a Lenovo newifi router in China.
There are two files, recheck and good2, that I did not upload, which are the IP and password.
muma.rar
Nothing new, Linux.PNScan.2 aka version 1.0.14.
#29106 by tWiCe, Fri Aug 26, 2016 8:36 am
jioushizhu wrote:
Found in the equipment of China Telecom.
arm.rar
It's not related to PNScan.

java is a Linux.Mrblack
mmmm is a GoARM malware

Both are authored by ChinaZ.