theKestrel wrote:IF anybody needs the deconstructed IDB please see the article here. I probably know the most about this malware and have been following it for months now. http://blog.cari.net/carisirt-defaultin ... -1-r0_bot/Information was known BEFORE you posted. Instead of posting that, you have 65 routers RIGHT NOW in your country infecting each other now, go and get us help on that!
A forum for reverse engineering, OS internals and malware analysis
unixfreaxjp wrote:Hey bud, shoot me a PM. We need to talk about this. It's a bit more complicated than you think. And actually I've been notifying orgs one by one and helping them learning about the infection. I've been notifying folks for two months now.theKestrel wrote:IF anybody needs the deconstructed IDB please see the article here. I probably know the most about this malware and have been following it for months now. http://blog.cari.net/carisirt-defaultin ... -1-r0_bot/Information was known BEFORE you posted. Instead of posting that, you have 65 routers RIGHT NOW in your country infecting each other now, go and get us help on that!
So the question is will you help me do this RIGHT.
unixfreaxjp wrote:This malware is much more than that. The binary has everything it needs to spread within itself. As long as one node is running, everybody can still re-infected. Do not go around and change peoples passwords. That does jack in solving this problem and makes a legit response difficult. It's already being handled. When this thing hit in July, there was 60k bots. In just 4 weeks, we got it under 25. So whatever you are doing to "clean this up"; stop. It's not helping. My team has been tackling this the right way from day one.theKestrel wrote:CC was taken down August 7th. I have coredumps of communication prior to that as well as pcaps.If CNC down in Aug 2015 what infection that I just seeing in Sept 29th 2015 then?? The malware name matched (same) so does the MO & symptoms, I was refering to Dr Web writing but didn't have much to see there, why I started analysing this.
Zach W.
The infector was coming from different segment network than the aimed network here..
And I think I am talking of the epidemic on routers. Elaborate your current pls & share your data, people are suffering here.
We can not install AV on routers, any preventive effort has to be done soon.
FYI, US basis routers are the victim, Denver to Nebraska. AirOS mostly.
I look forward for reply - #MalwareMustDie
theKestrel wrote:Do not go around and change peoples passwords. That does jack in solving this problem and makes a legit response difficult. It's already being handled. When this thing hit in July, there was 60k bots. In just 4 weeks, we got it under 25. So whatever you are doing to "clean this up"; stop. It's not helping. My team has been tackling this the right way from day one.Nope, we don't change any passwords, even we don't make any action yet, but we observed the crooks were following successfully infected devices and went into the routers via backdoor after got infected , they did it. So most of the "owned" routers are not in default passwords anymore. Please be noted this fact and this is what had happened now.
They then implemented the malicious DNAT routing as 2tiers proxy of another window basis payload malware for the stealer campaign via spams. We have at least 500- nodes recorded as infected with 100+ are online currently (was 65) and serves as malware download proxy infecting word wide.
If you want to handle this internally you'd better move soon. It's not only the US problem, since the malware proxied by those routers are hitting world wide here. And most of the router proxy used are US ones. The windows malware served by those proxy routers are Upatre/Dyre.
theKestrel wrote:Hey bud, shoot me a PM. We need to talk about this. It's a bit more complicated than you think. And actually I've been notifying orgs one by one and helping them learning about the infection. I've been notifying folks for two months now. So the question is will you help me do this RIGHT.PM is fine. Feel free to PM me at will.
Found in a Lenovo newifi router in China
There are recheck and good2 these two files I did not upload, which is IP and password
There are recheck and good2 these two files I did not upload, which is IP and password
Found in the equipment of the China Telecom
jioushizhu wrote:Found in a Lenovo newifi router in ChinaNothing new, Linux.PNScan.2 aka 1.0.14 version.
There are recheck and good2 these two files I did not upload, which is IP and password
jioushizhu wrote:Found in the equipment of the China TelecomIt's not related to PNScan.
java is an Linux.Mrblack
mmmm is an GoARM malware
Both are authored by ChinaZ.