[unixfreaxjp]

Infected sites is spreading this infection widely:

[unixfreaxjp]

Infected site originate 9days Linux/Xor.DDoS sample
VT: https://www.virustotal.com/en/file/9c79 ... 421487429/
Detection ratio is low: 8/57
I wrote CNC (in PRC/CHINA network) and XOR key in VT comment.
#MalwareMustDie!

[Blaze]

Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited
https://www.fireeye.com/blog/threat-res ... rutef.html

[benkow_]

XorDDOS sample + RAT commander.
attached (infected)

[unixfreaxjp]

samples:
https://www.virustotal.com/en/file/c394 ... 435078237/
https://www.virustotal.com/en/file/61b0 ... 435078464/
https://www.virustotal.com/en/file/92a2 ... 435078440/
https://www.virustotal.com/en/file/0a31 ... 435078415/
https://www.virustotal.com/en/file/fd60 ... 435078378/

Infection analysis & incident report is in here:
http://blog.malwaremustdie.org/2015/06/ ... on_23.html

#MalwareMustDie!

[ilaloyka]

How to get installer.exe

[unixfreaxjp]

New sample and is detected in ChinaZ shellshock infection panel today:

A PoC:

VT:
https://www.virustotal.com/en/file/2c37 ... 436766305/
#MalwareMustDie

[unixfreaxjp]

Bulk share of Xor.DDoS recent binaries, alive CNC. Good quality for signature production & analysis (I sound like salesman now..sigh..)

From our case MMD-0037-2015 http://blog.malwaremustdie.org/2015/07/ ... shock.html see the post for details of these.
Thanks to Sh1bumi for doing xxxx to get this during my busy analysis the case.
#MalwareMustDie!

[FafZee]

From hxxp://125.88.181.43:8989/
Name : 665544

MD5 8d4a6d2c8e5920d654ad1da48df2ba32
SHA1 25d9554107b51ff34148c10d1690b6cb2dcae65b
SHA256 34700258a7cd947c85c3465680c0f0855940fe1380efd65a0f99501248078a24

[zrav]

Here is another Linux/Xor.DDoS with an active C&C.

https://www.virustotal.com/en/file/498f ... /analysis/

122.224.48.63:2866
zhegege.3322.org:2866
66.102.253.30:2866

Details can be found here:
http://security.radware.com/uploadedFil ... Report.pdf

/zrav