A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24045  by unixfreaxjp
 Sat Oct 04, 2014 5:53 am
A new spotted panel loaded with BillGates from end of Sept 2014 (28th and 25th):
Image
https://www.virustotal.com/en/file/2e09 ... 412400730/
https://www.virustotal.com/en/file/34e1 ... 412401476/
CNC is IP address setting, not domain basis.
Code: Select all
IP: 121.40.85.20:44050
Location: 121.40.85.20||37963 | 121.40.0.0/14 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD
This time we got him caught in the act while hacking servers, a crime evidence:
Image
trapper credit: @wirehack von #MalwareMustDie
Attachments
7z/infected
(739.12 KiB) Downloaded 56 times
 #24059  by tekkie
 Sun Oct 05, 2014 5:42 pm
I received alerts from my data center (OVH) that an IP on a virtual machine belonging to a client had been blocked for attacking numerous IPs. I confronted him and he had no idea what I was talking about. I looked into it further to see that the server was trying to connect back to 115.231.17.13:36665 and that top showed a process called nhgbhhj using a lot of CPU. I found that it was running out of /etc/nhgbhhj, but opening it with nano just showed random symbols.

Right now, the box has no network connection, but I can still access it through the node, as it's virtualized. I'd like to find more information on the infection, including how my clients server was infected in less than twelve hours of going online. I'd also like to put a stop to this malware.

What information can I provide in order to help and obtain more information?

EDIT: I have just deployed two new servers with Debian 7, which is the same OS as the one that was compromised. The first is fresh with no updates. The second is fresh with apt-get update && apt-get upgrade executed. That is all.
 #24064  by unixfreaxjp
 Mon Oct 06, 2014 10:44 pm
tekkie wrote:I received alerts from my data center (OVH) that an IP on a virtual machine belonging to a client had been blocked for attacking numerous IPs. I confronted him and he had no idea what I was talking about. I looked into it further to see that the server was trying to connect back to 115.231.17.13:36665 and that top showed a process called nhgbhhj using a lot of CPU. I found that it was running out of /etc/nhgbhhj, but opening it with nano just showed random symbols...
That machine was infected these campaign of Billgates: https://twitter.com/unixfreaxjp/status/ ... 3494391808 < only this campaign has that callback, and the callback in every bins is specific.
It's good to know which "process name" the malware is. Your lsof & netstat/sockstat is your friend for this. Aim the thread PID, which can be only one parent, ignore the child. Seek file of /tmp/gates* < this contains PID of the parent thread of the malware, you can kill that PID and all process of DDoS/backdoor will be stoped. Check again in the lsof|netstat to make sure no active process running. This is a howto kill the malware running process smoothly. DDoS process and multiple thread runs by the malware is exhausting the CPU.
Linux/BillGates will be auto-started since it is installed in xinetd. Check in which UID "/etc/nhgbhhj" runs, since "/etc was mentioned I think it gets the root already, anyway, pls check. If suid=0 was taken then you will have a lot to clean up, like: check every entry used in /etc/init.d/, check the /etc/rc.local, check the /etc/crontab for suspicious entries < not so much area to check and this is all they are using. Don't delete that file without seeing the contents, which will tell which basedir of the malware payload, use the data to clean the infected directory/unix user.
Lucky that in this case you have specific data of callback which lead to specific known malware. I always crite the CNC info in each ELF malware I found for this purpose to help sysadmins know which ELF hits them.

About root privilege. In my country, if suid 0 of a NIX server taken by malware/backdoor. I can not trust that machine anymore. It's not about the malware itself, but it is about "what else" the hacker did after getting suid 0, so I strongly suggest you audit the system, or restore it from image backup, or rebuild it. I saw many cases that the attacker implement special crafted user access for the "second visit" after the malware part was cleaned.
Very important point: BillGates in all cases I see, was installed AFTER the attacker gained the shell environment. The malware can run with or without root privilege. It depends on the attacker to gain the root or not gaining the root, not the malware. And in your case "it looks like" (noted: I did not see your system info well) there is a strong probability they got the root.
 #24066  by unixfreaxjp
 Tue Oct 07, 2014 12:10 am
New samples, x32 2 files same CNC:
https://www.virustotal.com/en/file/d0ed ... 412639053/https://www.virustotal.com/en/file/2f62 ... 412639839/ … CNC (ip basis/non-domain)
Code: Select all
callback: 218.244.148.150:36000
loc: 218.244.148.150||37963 | 218.244.128.0/19 | CNNIC-ALIBABA-CN-NET | CN | - | HICHINA TELECOM NET
// PoC of CNC is up & alive:
$ date
Tue Oct  7 09:08:21 JST 2014
Connection to 218.244.148.150 36000 port [tcp/*] succeeded!
setsockopt(4, SOL_SOCKET, SO_SNDTIMEO, "\24\0\0\0\0\0\0\0", 8) = 0
send(4, "\1\0\0\0h\0\0\0\0\364\1\0\0002\0\0\0\350\3\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 112, 0) = 112
recv(4, "\10\0\0\0", 4, 0)  = 4
#MalwareMustDie!
Attachments
7z/infected
(738.3 KiB) Downloaded 48 times
 #24104  by unixfreaxjp
 Thu Oct 09, 2014 7:09 am
A fresh new sample:
Image
https://www.virustotal.com/en/file/6812 ... 412823174/
Panel and CNC (non-domain basis) is
Code: Select all
IP:port = 222.186.34.152:36000
Loc: 222.186.34.152||23650 | 222.186.34.0/23 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
CNC is alive:
Thu Oct 9 16:02:38 JST 2014
Connection to 222.186.34.152 36000 port [tcp/*] succeeded!
Attachments
7z/infected
(348.81 KiB) Downloaded 51 times
 #24110  by unixfreaxjp
 Thu Oct 09, 2014 9:55 am
A month old sample:
Image
https://www.virustotal.com/en/file/f4a4 ... 412839747/
CNC is IP basis (non-domain)
Code: Select all
222.186.59.4:25002
In: 222.186.59.4||23650 | 222.186.56.0/21 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
CNC is alive:
Thu Oct 9 18:49:32 JST 2014
Connection to 222.186.59.4 25002 port succeeded!
^C
Noted:
This sample is trying to fake this xinetd entry as autostart /etc/init.d/DbSecuritySpt
Another older sample is accompanied: https://www.virustotal.com/en/file/536d ... 411983566/ < too old, has detection, skipped.
Attachments
7z\infected
(363.27 KiB) Downloaded 49 times
 #24114  by unixfreaxjp
 Thu Oct 09, 2014 1:55 pm
A new one, rather unusual. Drops Dest.cfg in working dirs..
https://www.virustotal.com/en/file/689e ... 412862052/
C2 Info:
Code: Select all
CNC (ip basis) 124.173.118.167:1234
Loc: 124.173.118.167||4134 | 124.172.0.0/15 | CHINANET | CN | SZGWBN.NET.CN | WORLD CROSSING TELECOM (GUANGZHOU) LTD.
PoC: TCP MMD-TEST:43271->124.173.118.167:1234 (ESTABLISHED)
PoC Socket alive now:
Thu Oct 9 22:42:03 JST 2014
Connection to 124.173.118.167 1234 port succeeded!
^C
Attachments
7z/infected
(377.23 KiB) Downloaded 51 times
 #24145  by unixfreaxjp
 Tue Oct 14, 2014 4:55 pm
This one is fresh and agressive:
Image
BillGates: https://www.virustotal.com/en/file/7d72 ... 413300871/
Dropped backdoor: https://www.virustotal.com/en/file/e20c ... 404395742/
Code: Select all
CNC: 118.123.119.14:36000 (IP basis)
Loc: 118.123.119.14||38283 | 118.123.119.0/24 | CHINANET-SCIDC-AS | CN | CHINATELECOM.COM.CN | CHINANET SICHUAN PROVINCE NETWORK
Attached is the set. #MalwareMustDie
Attachments
7z/infected
(752.8 KiB) Downloaded 47 times
 #24149  by unixfreaxjp
 Wed Oct 15, 2014 8:40 am
2 builts of recent payloads in China panel, with hot download hits ( read: infection)
Image
https://www.virustotal.com/en/file/6e5f ... 413359336/
https://www.virustotal.com/en/file/51f8 ... 413359368/
CNC is in USA host.
Code: Select all
CNC: 23.228.102.131:25000 (IP base)
CNC is up:
Wed Oct 15 17:00:58 JST 2014
Connection to 23.228.102.131 25000 port [tcp/*] succeeded!
CNC Loc: 23.228.102.131||32421 | 23.228.102.0/24 | BLCC | US | - | ARIEL MICHAELI
Thanks to @leonvdijk
Attachments
7z/infected
(766.65 KiB) Downloaded 48 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 8