A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23774  by unixfreaxjp
 Wed Sep 03, 2014 10:05 pm
Since this threat is still on-going, and samples are spotted a lot, allow me to open this topic here, to raise detection ratio of the threat.
Base threat information: http://blog.malwaremustdie.org/2014/06/ ... f-elf.html
Warning from AKAMAI: http://www.providencejournal.com/busine ... ewalls.ece
Will add the recent samples, pls help to share yours.
Attached are the set files of one infection extracted by the malware installer.
https://www.virustotal.com/en/file/dc2b ... 404948532/
https://www.virustotal.com/en/file/18ee ... 404128237/
sample is attached
Attachments
7z, pwd:infected
(669.68 KiB) Downloaded 110 times
 #23821  by fade
 Mon Sep 08, 2014 11:03 pm
If I recall correctly, this was dropped (but not exclusive to) some exploitation of open ElasticSearch instances.
 #23857  by unixfreaxjp
 Wed Sep 10, 2014 11:21 pm
fade wrote:If I recall correctly, this was dropped (but not exclusive to) some exploitation of open ElasticSearch instances.
(1) Detected infection entries :
1. Web exploitation (of: ElasticSearch, Apache Struts2, Tomcat, Apache, cpanels, may be added more..)
2. ssh brute

(2) If you find this malware installed in your system and not running, meaning, there is a security hole in your ssh or webapps, and yet there is a possibility that your root privilege was not taken. But if you see it successfully installed, operated & performed DDoS (as per seen in netstat..) I bet that your root privilege was taken and do not trust your server anymore.
Put it offline, perform audit, and/or launch a clean backup server(s) instead, is recommended.
 #23860  by unixfreaxjp
 Thu Sep 11, 2014 3:51 am
Variants of this DDoS'er https://www.virustotal.com/en/file/393e ... 409505289/
The DDoS'er part looks having the same source codes, hard-coded filenames in autostart is different:
Installer:
Code: Select all
.rodata:080B9F51 0x015 C /etc/init.d/rc.local
.rodata:080B9F66 0x01A C /etc/rc.d/init.d/rc.local
.rodata:080B9F8 0x0013 C /etc/rc.d/rc.local
.rodata:080B9F93 0x017 C /etc/init.d/boot.local
CNC: 98.126.45.226 and feifeitian.com port 80, PoC (pls noted how this variant is using Google DNS to resolve CNC domain:
Code: Select all
0x804B31F   mov     dword ptr [esp], offset a98_126_45_226 ; "98.126.45.226"
0x804B326   call    sub_8074DB0
0x804B32B   mov     ds:dword_8153764, eax
0x804B330   add     eax, 1
0x804B333   jz      short loc_804B3B1
          :
0x804B335   mov     dword ptr [esp+0Ch], 0
0x804B33D   mov     dword ptr [esp+8], 0Ah
0x804B345   mov     dword ptr [esp+4], 0
0x804B34D   mov     dword ptr [esp], offset a80_0 ; "80"
0x804B354   call    sub_805EA50
0x804B359   mov     edx, ds:dword_8153764
0x804B35F   test    edx, edx
0x804B361   mov     ds:word_8153768, ax
0x804B367   jz      loc_804B2DD
0x804B36D   jmp     loc_804B2CE

0x804B372   mov     dword ptr [esp+4], offset aFeifeitian_com ; "feifeitian.com"
0x804B37A   mov     dword ptr [esp], offset a8_8_8_8 ; "8.8.8.8"
0x804B381   call    sub_804F500
0x804B386   test    eax, eax
0x804B388   mov     ds:dword_8153764, eax
0x804B38D   jnz     loc_804B29A
0x804B393   mov     dword ptr [esp+4], offset aFeifeitian_com ; "feifeitian.com"
0x804B39B   mov     dword ptr [esp], offset a8_8_4_4 ; "8.8.4.4"
0x804B3A2   call    sub_804F500
0x804B3A7   mov     ds:dword_8153764, eax
0x804B3AC   jmp     loc_804B29A
    :
0804B29A   mov     dword ptr [esp+0Ch], 0
0804B2A2   mov     dword ptr [esp+8], 0Ah
0804B2AA   mov     dword ptr [esp+4], 0
0804B2B2   mov     dword ptr [esp], offset a80 ; "80"
0804B2B9   call    sub_805EA50
0804B2BE   mov     ecx, ds:dword_8153764
0804B2C4   test    ecx, ecx
0804B2C6   mov     ds:word_8153768, ax
0804B2CC   jz      short loc_804B31F
Attachments
7z,pwd:infected
(295.46 KiB) Downloaded 68 times
 #24032  by unixfreaxjp
 Thu Oct 02, 2014 11:06 am
A rather new .IptabLes payload, spotted used in the wild for infection:
Image
VT score is..TWO/55 https://www.virustotal.com/en/file/9dbf ... 412243116/
Self-copy efforts:
Code: Select all
execve("/usr/bin/cp", ["cp", "/MALWARE", "/boot/.IptabLes"]
execve("/usr/bin/cp", ["cp", "/MALWARE", "/usr/.IptabLes"]
execve("/usr/bin/cp", ["cp", "/MALWARE", "/.IptabLes"]
symlinks for installation:
Code: Select all
symlink("/.IptabLes", "/boot/.IptabLes")
symlink("/.IptabLes", "/usr/.IptabLes")
symlink("/IptabLes", "/etc/rc.d/init.d/IptabLes")
symlink("/IptabLes", "/etc/rc.d/IptabLes")
symlink("/IptabLes", "/etc/rc.d/rc2.d/S55IptabLes")
symlink("/IptabLes", "/etc/rc2.d/S55IptabLes")
symlink("/IptabLes", "/etc/rc.d/rc3.d/S55IptabLes")
symlink("/IptabLes", "/etc/rc3.d/S55IptabLes")
symlink("/IptabLes", "/etc/rc.d/rc4.d/S55IptabLes")
symlink("/IptabLes", "/etc/rc4.d/S55IptabLes")
symlink("/IptabLes", "/etc/rc.d/rc5.d/S55IptabLes")
symlink("/IptabLes", "/etc/rc5.d/S55IptabLes")
And started this malware as daemon with its malicious xinetd:
Code: Select all
execve("/bin/sh", ["sh", "-c", "/etc/rc2.d/S55IptabLes"]
The rest of details is as usal, more info is here: http://blog.malwaremustdie.org/2014/06/ ... f-elf.html
In this case, after depacking the I cracked CNC used as below:
Code: Select all
;; public deinfo ()
;; deinfo    proc near
0x8049D96    push    ebp
0x8049D97    mov     ebp, esp
0x8049D99    sub     esp, 38h
0x8049D9C    mov     [ebp+var_F], 0
0x8049DA0    mov     [ebp+var_E], 0
0x8049DA4    mov     [ebp+var_D], 0
0x8049DA8    mov     eax, [ebp+arg_0]
0x8049DAB    add     eax, 1
0x8049DAE    mov     [ebp+var_C], eax
0x8049DB1    mov     [ebp+var_14], 0
0x8049DB8    mov     eax, [ebp+arg_0]
0x8049DBB    mov     [esp], eax
0x8049DBE    call    CheckIsTest
0x8049DC3    test    eax, eax
0x8049DC5    jz      short 0x8049E26
0x8049DC7    mov     dword ptr [esp+8], 32h
0x8049DCF    mov     dword ptr [esp+4], 0
0x8049DD7    mov     dword ptr [esp], 0x80FB8A4h
0x8049DDE    call    0x80481A0
0x8049DE3    mov     eax, [esp], 0x80CE73F <-----------------|
0x8049DE8    mov     dword ptr [esp+8], 12h                  |
0x8049DF0    mov     [esp+4], eax                            |
0x8049DF4    mov     dword ptr [esp], 0x80FB8A4h             |
0x8049DFB    call    memcpy                                  |
0x8049E00    mov     word ptr ds:g_mainsrvinfo+158h, 4D2h    |
0x8049E09    mov     word ptr ds:g_mainsrvinfo+156h, 929h    |
0x8049E12    mov     dword ptr ds:g_mainsrvinfo+218h, 1      |
0x8049E1C    mov     eax, 1                                  |
0x8049E21    jmp     0x8049F1D                               |
(...)                                                        |
0x80CE73F aSetupsrv_uxfb_ db 'setupsrv.uxfb.com',0 <---------|
Noted with the changing of DNS beforehand.
#MalwareMustDie catched this flag
Attachments
7z/infected
(696.46 KiB) Downloaded 62 times
 #24152  by unixfreaxjp
 Wed Oct 15, 2014 12:51 pm
It is a bit out of line here, but is very related. Allow me to post this in here:
I can't believe this myself, I think .IptableX has just been ported into a windows version
See the disassembly of the similar part I reported here: https://pastebin.com/1AEa8Jzq
The VT: https://www.virustotal.com/en/file/803e ... 413370561/
Hint :
1. the usage of yahoo.com baidu.com china.com and ifeng.com is so typical
2. It uses windows service named as "IptabLex Services"
3. The logic for flood request is similar but it uses windows libs (WS2_32.DLL)

Any opinion? Wow.. we can expect more infection of these DDoS'er in windows from now on.
Attachments
pwd/infected
(30.7 KiB) Downloaded 58 times
 #24160  by unixfreaxjp
 Fri Oct 17, 2014 8:39 am
Additionals to: http://www.kernelmode.info/forum/viewto ... 160#p24152
one more PE sample, different panels used, sample spotted from one month ago.
Image
VT: https://www.virustotal.com/en/file/ea81 ... 413194264/
Herewith the PoC they ported the windows ddoser too now. Will not add PE samples in this thread anymore.
Attachments
7z/infected
(69.74 KiB) Downloaded 62 times
 #26218  by unixfreaxjp
 Wed Jul 01, 2015 6:46 am
It's looks like ChinaZ crook is dropping original payload and using Iptables|x instead.
Analysis: MMD-0035-2015 http://blog.malwaremustdie.org/2015/06/ ... es-on.html
Samples:
https://www.virustotal.com/en/file/bef8 ... 435727299/
https://www.virustotal.com/en/file/7a95 ... 435727314/
Panels:
Image
CNC:
Code: Select all
domain: v8.f1122.org 
IP: 61.160.212.172 port 1122

61.160.212.172| - |23650 | 61.160.212.0/24 | CHINANET-JS-AS | CN | chinatelecom.com.cn
ChinaNet Jiangsu Province Network
{
  "ip": "61.160.212.172",
  "hostname": "v8.f1122.org",
  "city": "Nanjing",
  "region": "Jiangsu",
  "country": "CN",
  "loc": "32.0617,118.7778",
  "org": "AS23650 AS Number for CHINANET jiangsu province backbone"
}
Attachments
7z / infected
(462.32 KiB) Downloaded 58 times
 #26273  by unixfreaxjp
 Mon Jul 13, 2015 6:01 am
This case: http://www.kernelmode.info/forum/postin ... 68#pr26218
They (ChinaZ crook) just moved the panel and shellshock attacker bot into:
Code: Select all
shellshock IP: 211.147,2.192 
panel: 211.147.2,192:911
attack PoC:
Image thanks ben!

panel:
Image
They are now using Linux/XOR.DDoS ELF malware variant (replacing the BillGates) http://www.kernelmode.info/forum/viewto ... =10#p26272

#MalwareMustDie!