 #23853  by unixfreaxjp
 Wed Sep 10, 2014 5:47 pm
The base technical information of the threat is here: http://blog.malwaremustdie.org/2014/05/ ... cheme.html
This variant was just mentioned in IT media news, in The Register, here: http://www.theregister.co.uk/2014/09/09 ... modem_bot/
The threat investigation is here: https://capsop.com/lightaidra-cc-investigation/
The actor (skid + gamer) had just been arrested for using weed in school but was just released, PoC: https://www.youtube.com/watch?v=ojlsAQ_Wf60 - And the coder is following us on Twitter..
The actor is a US citizen and never got arrested for what he did, even though he successfully infected 100+ clients.
He uses this malware for selling his "unhittable VPN", PoC:
[image]

The malware is coded based on the lightaidra (new gen of taidra) IRC bot, known for its DoS functions.
Snapshot of a session connected to the CNC (modded UnrealIRC):
[image]
I shared samples as attached. I picked x32 and x64 for the other researchers' convenience. The samples also exist in multi-arch builds like MIPS, ARM, SuperH, MIPSEL, etc.
MD5 (halfnint) = ec5556e3026b98aaf0f0a7d53b1a76d6
MD5 (nintendo) = 0fb662c9b63b415361791e7597b673d7
If anyone somehow finds this variant, please share/coordinate with us. We want this abuse to stop.
malwaremustdie.org
Attachment: 7z, pwd: infected