A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25586  by benkow_
 Mon Apr 06, 2015 7:40 pm
Funny one: MrBack Win32 version.

Compilation timestamp 2015-03-15 18:36:38

Mutex: "Eliminate small Japanese"

C&C: 121.41.74.174:8000
Attachments
infected
(5.06 KiB) Downloaded 59 times
 #26227  by unixfreaxjp
 Thu Jul 02, 2015 11:30 pm
Report in Japanese is here: http://blog.0day.jp/2015/07/linuxaesddosarm.html

An SSH brute attack specifically aiming MY router:
Image

Yes it was from China:
Image

I have EVERY RIGHT to identify my attacker for the reporting purpose:
Image

And every right to seek what is going to hit me..ohh he planned to make my routers into a DDOS botnet! Look at those filenames:
Image

Yes, those binary are confirmed the ELF binaries compiled with CodeSoucery as MIPS, ARM and MIPS binaries.
Image

Packed in UPX:
Code: Select all
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1156461 <-    454640   39.31%  linux/mipsel   49mips-dep

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1001841 <-    398372   39.76%   linux/armel   49arm-dep

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1156895 <-    452356   39.10%  linux/mipseb   49wrt-dep
And it is an AES.DDOS (some of you say this as Mr.Black), I analyzed these type oif router version before..nothing special: http://blog.malwaremustdie.org/2014/09/ ... lknot.html
Image

But some AV released the signature based on the compilation used data instead of the specific characteristic of this malware, makes ppl think this as Kaiten/Tsunami .. obviously a case that automation kills QUALITY here :(
Image

The VT reports:
https://www.virustotal.com/en/file/5a3a ... 435876419/
https://www.virustotal.com/en/file/67b2 ... 435876796/
https://www.virustotal.com/en/file/cb6f ... 435877570/

#MalwareMustDie!!!
Attachments
7z / infected
(1.2 MiB) Downloaded 68 times
 #26363  by unixfreaxjp
 Fri Jul 24, 2015 3:32 am
ARM & MIPS version of AES.DDOSer is still hitting our routers hard.
Please see the downlod hits in the panel below:
Image
Samples:
https://www.virustotal.com/en/file/7b5c ... /analysis/
https://www.virustotal.com/en/file/6f67 ... /analysis/
Code: Select all
Landing panel: 222.186.21.166
SSH attacker: 222.186.21.166
CNC: hostname (domain) basis: 104984629.f3322.org 115.28.234.144
Reversing notes I made:
Image
Typical MO of the Mr.Black chinese crooks who's aiming routers for so long: /* be noted */
Image
This guy can make a good joke: /* be noted*/
Image
It's always good to know where they are..
Code: Select all
查询结果: 115.28.234.144 ==>> 1931274896 ==>> 山东省青岛市 阿里云BGP数据中心
AS37963 本站主数据:山东省青岛市 阿里云计算有限公司 阿里巴巴
参考数据一:北京市 万网高科技信息技术有限公司
"AS37963 Qingdao City, Shandong Province Ali Alibaba Cloud Computing Ltd.
Xref: Beijing million net high-tech Information Technology Co.,
The map of the CNC is here:
Image
Investigation/takedown sheet:
Code: Select all
Domain Name:F3322.ORG
Domain ID: D166576942-LROR
Creation Date: 2012-09-12T16:18:47Z
Updated Date: 2015-01-20T00:20:27Z
Registry Expiry Date: 2016-09-12T16:18:47Z
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Sponsoring Registrar IANA ID: 82
[...]
Registrant ID:ONLC-5353841-4
Registrant Name:peng yong
Registrant Organization:Bitcomm  ltd.
Registrant Street: yinyuan building
Registrant City:changzhou
Registrant State/Province:Jiangsu
Registrant Postal Code:213002
Registrant Country:CN
Registrant Phone:+86.51968887168
Registrant Fax: +86.51968887169
Registrant Email:ppyy@astpbx.com  <=== THIS
The PGP 0x59655bede106da9c1024D/E106DA9C trails to this ID: Tsung-Yu Ko (Johnny) alias Martin Michlmayr
Code: Select all
uid Peng Yong <ppyy@yaako.org>
sig  sig   E106DA9C 2005-01-24 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-02-06 __________ __________ [selfsig]
sig  sig   D9AF6DE9 2005-03-06 __________ __________ Tsung-Yu Ko (Johnny) <Ko.John@gmail.com>
sig  sig   68FD549F 2005-03-13 __________ __________ Martin Michlmayr <tbm@cyrius.com>

uid Peng Yong <ppyy@yaako.com>
sig  sig   E106DA9C 2006-08-26 __________ __________ [selfsig]
sig  sig   E001A845 2006-08-26 __________ __________ cn.admin.news.announce

uid Peng Yong <ppyy@astpbx.com>
sig  sig   E106DA9C 2006-08-26 __________ __________ [selfsig]

uid Peng Yong <ppyy3322@163.com>
sig  sig3  E106DA9C 2005-01-06 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-01-06 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-02-06 __________ __________ [selfsig]
sig  sig   D9AF6DE9 2005-03-06 __________ __________ Tsung-Yu Ko (Johnny) <Ko.John@gmail.com>
sig  sig   68FD549F 2005-03-13 __________ __________ Martin Michlmayr <tbm@cyrius.com>

uid Peng Yong <ppyy8866@gmail.com>
sig  sig   E106DA9C 2005-01-24 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-02-06 __________ __________ [selfsig]
sig  sig   D9AF6DE9 2005-03-06 __________ __________ Tsung-Yu Ko (Johnny) <Ko.John@gmail.com>
sig  sig   68FD549F 2005-03-13 __________ __________ Martin Michlmayr <tbm@cyrius.com>

uid Peng Yong <ppyy@staff.cn99.com>
sig  sig   E106DA9C 2005-01-24 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-02-06 __________ __________ [selfsig]
sig  sig   D9AF6DE9 2005-03-06 __________ __________ Tsung-Yu Ko (Johnny) <Ko.John@gmail.com>
sig  sig   68FD549F 2005-03-13 __________ __________ Martin Michlmayr <tbm@cyrius.com>
Thx @esachin to have exact same result :)
List of suspicious domains he managed:
Code: Select all
kccef.com 	czdjbh.com 	bentium.com
39aj.com 	vpn39.com 	foxyun.com
juyide.com 	holdlion.com 	longchengmetal.com
vps39.com 	astpbx.com 	authyun.com
qmwifi.com 	xuehongliang.com 	guilib.com
nbvox.com 	sns188.com 	lishinet.com
rssgate.com 	yangchequ.com 	tongluda.com
39jia.com 	guqiaow.com 	gzjtjl.com
zhuceyun.com 	eatuo.com 	rpqq.com
91yingcai.com 	c0188.com 	holdlion.net
webok.net 	yaako.net 	cnrss.net
3322.net 	mz668.net 	zhuceyun.net
authyun.net 	qmwifi.net 	f3322.net
x3322.net 	czdjbh.net 	guilib.net
eajia.net 	nbvox.net 	juyide.net
7766.org 	2288.org 	8800.org
9966.org 	6600.org 	8866.org
czdjbh.org 	qmwifi.org 	zhuceyun.org
3322.org 	authyun.org 	f3322.org
wxyh.org 	juyide.org 	guilib.org
nbvox.org 	pubyun.org 	astpbx.org
credit #MalwareMustDie (& malekal also got same attack in same time) assumed world wide scanner..
Attachments
7z / infected
(369.54 KiB) Downloaded 50 times
 #26498  by tWiCe
 Tue Aug 11, 2015 3:47 pm
C&C: yxs.f3322.org

HFS: htxp://119.147.145.213:8019

This HFS also hosts couple of Elknot UPX-packed executables.
Attachments
infected
(208.86 KiB) Downloaded 49 times
 #26665  by unixfreaxjp
 Fri Sep 04, 2015 4:17 pm
Nothing new about the recent binaries.. so I will explain the attack vectors the MrBlack router type does, as per picture below:

Image

"sharing public threat information is a right thing to do!"
 #26668  by unixfreaxjp
 Sat Sep 05, 2015 11:59 am
Linux/AES.DDoS on ARM, see the similarities with its cousin "Mr.Black"
Image
In here, found by Malekal Morte:
Image
Sample: https://www.virustotal.com/en/file/1d64 ... 441453958/
AGAIN.. Because it is packed w/upx doesn't have to be a TSUNAMI :D :lol: :) :D :lol: :roll:
Image
PoC: Scan after depacked https://www.virustotal.com/en/file/83da ... 441456448/
Attachments
7z / infected
(380.82 KiB) Downloaded 48 times