A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23992  by unixfreaxjp
 Fri Sep 26, 2014 8:22 am
One of exploit sent via shellshock spotted by my friend today, is to infect this ELF malware (new): https://www.virustotal.com/en/file/e74b ... 411702025/
I register this new repository name: Linux/binsh < since it uses "/bin//sh" as shell in hard coded shellcode.
Of course is a FUD, as I said, current linux AV is a zeroday itself to a new ELF malware:
https://lh3.googleusercontent.com/-QgV_ ... 80/005.png
Analysis: http://blog.malwaremustdie.org/2014/09/ ... -just.html
Attachments
7z/infected
(295 Bytes) Downloaded 99 times
 #24000  by EP_X0FF
 Sun Sep 28, 2014 2:48 am
It is actually linux/x86/shell_reverse_tcp from metasploit
http://codinguyassignments.wordpress.co ... verse_tcp/.

The only difference in assembly is the connect information - sin_addr and sin_port/sin_family, even without deep knowledge of linux internals I've a knowledge of x86 assembly to tell this is copy-paste or likely re-using of open-source, maybe even hexedit of existing module ;)

where 0xe09f131b it is IP 27.19.159.224
Code: Select all
	in_addr addr;
	addr.S_un.S_addr = 0xe09f131b;
	char *ip = inet_ntoa(addr);
	printf(ip);
Image
 #24003  by unixfreaxjp
 Sun Sep 28, 2014 7:32 pm
Thank you for the clear clarification, what you wrote is the truth.
linux/x86/shell_reverse_tcp from metasploit
Some background explanation behind my post:
I analyzed the binary straightly w/o seeking some reference beforehand, so it is purely analyzed and I intend to do it that way for the future too, to minimize influence in reversing. When I was analyzing/writing it I think I saw this somewhere (wrote that in MMD blog ).
After posted MMD post & searched in web I actually noticed that too.

Why I did not push the fact that far in writing, is, since it was still in "zeroday state ", there are more msf / exploit backtrack payloads that can be used in shellshock is ELF or Mach-O, and I really don't want to give those "brats skids :D " with more "idea" of what they can do since the massive waves of shellshock payloads are literaly out of hand already..maybe after shellshock patched and cooled down a bit will add later on < what I thought.
So I wrote comment: I did not analyze the msf payload. And this is the malware, a backdoor < to raise AV detection for the bin

Question came up to me afterward, like:
Should we drop this from "malware" category? and Go to "exploit" instead?
Since so many asked the same. Disregards its nature. I answer: This ELF is a malware category: "backdoor" (with, yes, which is originated from a msf payload), it is widely infected host and need to be scanned, detected and stopped.

Why as malware backdoor then, why not as exploit code? below is explanation:

If one compile any (known/unknown) exploit payload, with back-connect (or reverse connection) functions (with shell, with CGI, or with open port/protocol) to any remote host/port, as an executable binary or library linked executable (in ELF/PE/Mach-O..etc) or executable script/codes that can be triggered manually, and maliciously installed (i.e. via using exploit like shellshock like this case, or even just a simple email attachment) in a victim host (NIX/Windows/Mac/Mobile etc), is considered as a malicious software (or malware) with category of backdoor.
this is copy-paste or likely re-using of open-source, maybe even hexedit of existing module ;)
Yes (just re-checked both code now)... and I think now I know WHERE those skids are coming from, it is from (somewhere in) south (east) Asia country where there are many Internet Cafes used for such bad activity by computer college students wanna be a hacker powerd by those copy-paste and IRC bots with the purpose of DDOS (mostly are used against US)

Thank you for support and reading.
 #27809  by unixfreaxjp
 Wed Feb 03, 2016 10:41 am
This is the variant of the sample that I posted here in September 2014.
The infection vector is the same shellshock. The sample is new. And this sample is also based on shellcode compiled as a tiny ELF. The functionality is connecting to te remote machine, opening to the backdoor and write anything pushed from remote, with save and execute it in the infected machine. As category, "backdoor" is enough to cover this criteria.

The full analysis is in here: http://blog.malwaremustdie.org/2016/02/ ... y-elf.html
Sample is in the VT here: https://www.virustotal.com/en/file/cb95 ... 454487250/
Attachments
7z/infected
(361 Bytes) Downloaded 48 times