A forum for reverse engineering, OS internals and malware analysis 

VertexNet (W32/Vertex.A, BackDoor.Vertex)

Forum for analysis and discussion about malware.

VertexNet (W32/Vertex.A, BackDoor.Vertex)

 #8528  by Xylitol
 Sun Sep 11, 2011 5:42 pm
VertexNet is a malware who can be used to steal passwords (keylogger feature) perform http flood attack, download/read/execute files, etc...
The bot got also a 'uninstall' command.
It's coded by a French guys named DarkCoderSc, and for the moment, latest version is 1.2.1

Image

Image

VertexNet malware call home (tasks.php) like this:
Code: Select all
GET /admtriii/v/tasks.php?uid={193c2e9a-7c24-11e0-b0f2-806d6172696f-2140809940} HTTP/1.1
User-Agent: V32
Host: www.cg1.fr
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sun, 11 Sep 2011 13:51:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/3.0.2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.6
Content-Length: 0
Content-Type: text/html
It will call it frequently because this page is also used to recieve orders.
The 'gate' can't be moved off the Vertexnet C&C folder due to php files dependency., so if you find the gate you find the rest.
Default User/Pass are root/toor, but with some magic tricks you can get inside the C&C, like for "www.cg1.fr"

Image

If you want start into malware reversing, VertnetNet is a good one, easy to understand.
Due to lack of features VertexNet is not really used by bad guys, they will prefer more sophisticated malware.

Sample in attach.
VirusTotal: 23/44 >> 52.3%
http://www.virustotal.com/file-scan/rep ... 1315111228
Attachments
password: infected
(62.71 KiB) Downloaded 129 times

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

 #8548  by Xylitol
 Tue Sep 13, 2011 2:58 pm
offtopic, seem VertexNet was hacked today and the original exe backdoored.
in attach the 'attack' video, i've see that too late for get a copy of the exe.

Image
sha1 field 'no md5', letters in intergers type.
sure, summer is not yet finished.

vertexnet website lead to 403 forbidden for the moment.
probably a .htaccess with Order Allow,Deny Deny from all
Image
Attachments
no passwd
(4.15 MiB) Downloaded 72 times

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

 #10485  by Xylitol
 Tue Dec 20, 2011 10:05 pm
VertexNet Loader
Code: Select all
Bot: http://blackicejoker.kilu.de/vtxnet.exe
C&C: http://blackicejoker.no-ip.biz/VertexNet/
BLACKICEJOKER.NO-IP.BIZ (193.107.17.47)
route: 193.107.17.0/24
descr: Ideal Solution Ltd
origin: AS41947
mnt-by: RU-WEBALTA-MNT
mnt-by: IDEAL-MNT
14/43 >> 32.6%
http://www.virustotal.com/file-scan/rep ... 1324341247

Image
Attachments
pw: infected
(421.74 KiB) Downloaded 58 times

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

 #10688  by Xylitol
 Thu Dec 29, 2011 10:40 am
I've do a fast graph of the VertexNet coder (without every connections, it would be really big otherwise)
He should take care of what's infos he leave.
DarklCoderSc.png
DarklCoderSc.png (366.09 KiB) Viewed 883 times
And the friend Xash (same, not completed, but contrary to DarkCoderSc this guys is really 'dark')
Xash.png
Xash.png (198.84 KiB) Viewed 888 times

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

 #10884  by Xylitol
 Sat Jan 07, 2012 12:02 am
Some other 1.2 samples.
Code: Select all
http://ekin0x.hack-free.net/King/
Image
Application.exe: 1/43 >> 2.3%
http://www.virustotal.com/file-scan/rep ... 1325894428
FUD.exe: 13/43 >> 30.2%
http://www.virustotal.com/file-scan/rep ... 1325893404
server1.exe: 2/43 >> 4.7%
http://www.virustotal.com/file-scan/rep ... 1325893343
---
Code: Select all
http://sakiir-hosting.eu/VertexPanel/
Image
Application.exe: 5/43 >> 11.6%
http://www.virustotal.com/file-scan/rep ... 1325892351
CryptedTest.exe: 22/43 >> 51.2%
http://www.virustotal.com/file-scan/rep ... 1325892486
uncrypted.exe: 31/43 >> 72.1%
http://www.virustotal.com/file-scan/rep ... 1325892910
vertex-1-.exe: 32/43 >> 74.4%
http://www.virustotal.com/file-scan/rep ... 1325892910

---
by adding '/upload/ to urls you can find more.
The file stealer.exe found on sakiir-hosting.eu lead to a istealer panel at:
Code: Select all
http://sakir.hack-free.net/Stealer/
Image
searching infos about this 'sakiir':
Code: Select all
Steam account: http://steamcommunity.com/id/Sakiir (Steam ID: STEAM_0:0:36928960)
Mail:  wawandup@gmail.com
Youtube accounts: (really alots) sakiirbrozz352, sakiirbrozz288, etc..
Profiles:
http://www.hackhound.org/forum/user/27927-sakiir/
http://piratologie.org/user-4196.html
http://www.the-s.fr/forum/index.php?/topic/442-presentation-de-sakiir/
http://hackforums.net/archive/index.php/thread-909206-62.html

Seem he have also some connections with french racist guys (sakiir is a racist?)
like: http://steamcommunity.com/id/londale_faf (Steam ID: STEAM_0:0:30953450)
screen here: http://i.imgur.com/CvI6H.png
Attachments
pw: infected
(681.27 KiB) Downloaded 52 times
pw: infected
(982.22 KiB) Downloaded 51 times

Re: VertexNet (W32/Vertex.A, BackDoor.Vertex)

 #11170  by Xylitol
 Fri Jan 20, 2012 5:13 pm
c&c
Code: Select all
http://www.cythisia-botdigz.azok.org/Web%20Panel/upload/
https://www.virustotal.com/file/0f64335 ... /analysis/
Attachments
infected
(75.18 KiB) Downloaded 60 times
 Return to “Malware”