[benkow_]

Funny one: MrBack Win32 version.

Compilation timestamp 2015-03-15 18:36:38

Mutex: "Eliminate small Japanese"

C&C: 121.41.74.174:8000

[unixfreaxjp]

Report in Japanese is here: http://blog.0day.jp/2015/07/linuxaesddosarm.html

An SSH brute attack specifically aiming MY router:


Yes it was from China:


I have EVERY RIGHT to identify my attacker for the reporting purpose:


And every right to seek what is going to hit me..ohh he planned to make my routers into a DDOS botnet! Look at those filenames:


Yes, those binary are confirmed the ELF binaries compiled with CodeSoucery as MIPS, ARM and MIPS binaries.


Packed in UPX:

Code: Select all

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1156461 <-    454640   39.31%  linux/mipsel   49mips-dep

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1001841 <-    398372   39.76%   linux/armel   49arm-dep

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1156895 <-    452356   39.10%  linux/mipseb   49wrt-dep

And it is an AES.DDOS (some of you say this as Mr.Black), I analyzed these type oif router version before..nothing special: http://blog.malwaremustdie.org/2014/09/ ... lknot.html


But some AV released the signature based on the compilation used data instead of the specific characteristic of this malware, makes ppl think this as Kaiten/Tsunami .. obviously a case that automation kills QUALITY here :(


The VT reports:
https://www.virustotal.com/en/file/5a3a ... 435876419/
https://www.virustotal.com/en/file/67b2 ... 435876796/
https://www.virustotal.com/en/file/cb6f ... 435877570/

#MalwareMustDie!!!

[unixfreaxjp]

ARM & MIPS version of AES.DDOSer is still hitting our routers hard.
Please see the downlod hits in the panel below:

Samples:
https://www.virustotal.com/en/file/7b5c ... /analysis/
https://www.virustotal.com/en/file/6f67 ... /analysis/

Code: Select all

Landing panel: 222.186.21.166
SSH attacker: 222.186.21.166
CNC: hostname (domain) basis: 104984629.f3322.org 115.28.234.144

Reversing notes I made:

Typical MO of the Mr.Black chinese crooks who's aiming routers for so long: /* be noted */

This guy can make a good joke: /* be noted*/

It's always good to know where they are..

Code: Select all

查询结果: 115.28.234.144 ==>> 1931274896 ==>> 山东省青岛市 阿里云BGP数据中心
AS37963 本站主数据：山东省青岛市 阿里云计算有限公司 阿里巴巴
参考数据一：北京市 万网高科技信息技术有限公司
"AS37963 Qingdao City, Shandong Province Ali Alibaba Cloud Computing Ltd.
Xref: Beijing million net high-tech Information Technology Co.,

The map of the CNC is here:

Investigation/takedown sheet:

Code: Select all

Domain Name:F3322.ORG
Domain ID: D166576942-LROR
Creation Date: 2012-09-12T16:18:47Z
Updated Date: 2015-01-20T00:20:27Z
Registry Expiry Date: 2016-09-12T16:18:47Z
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Sponsoring Registrar IANA ID: 82
[...]
Registrant ID:ONLC-5353841-4
Registrant Name:peng yong
Registrant Organization:Bitcomm  ltd.
Registrant Street: yinyuan building
Registrant City:changzhou
Registrant State/Province:Jiangsu
Registrant Postal Code:213002
Registrant Country:CN
Registrant Phone:+86.51968887168
Registrant Fax: +86.51968887169
Registrant Email:ppyy@astpbx.com  <=== THIS

The PGP 0x59655bede106da9c1024D/E106DA9C trails to this ID: Tsung-Yu Ko (Johnny) alias Martin Michlmayr

Code: Select all

uid Peng Yong <ppyy@yaako.org>
sig  sig   E106DA9C 2005-01-24 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-02-06 __________ __________ [selfsig]
sig  sig   D9AF6DE9 2005-03-06 __________ __________ Tsung-Yu Ko (Johnny) <Ko.John@gmail.com>
sig  sig   68FD549F 2005-03-13 __________ __________ Martin Michlmayr <tbm@cyrius.com>

uid Peng Yong <ppyy@yaako.com>
sig  sig   E106DA9C 2006-08-26 __________ __________ [selfsig]
sig  sig   E001A845 2006-08-26 __________ __________ cn.admin.news.announce

uid Peng Yong <ppyy@astpbx.com>
sig  sig   E106DA9C 2006-08-26 __________ __________ [selfsig]

uid Peng Yong <ppyy3322@163.com>
sig  sig3  E106DA9C 2005-01-06 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-01-06 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-02-06 __________ __________ [selfsig]
sig  sig   D9AF6DE9 2005-03-06 __________ __________ Tsung-Yu Ko (Johnny) <Ko.John@gmail.com>
sig  sig   68FD549F 2005-03-13 __________ __________ Martin Michlmayr <tbm@cyrius.com>

uid Peng Yong <ppyy8866@gmail.com>
sig  sig   E106DA9C 2005-01-24 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-02-06 __________ __________ [selfsig]
sig  sig   D9AF6DE9 2005-03-06 __________ __________ Tsung-Yu Ko (Johnny) <Ko.John@gmail.com>
sig  sig   68FD549F 2005-03-13 __________ __________ Martin Michlmayr <tbm@cyrius.com>

uid Peng Yong <ppyy@staff.cn99.com>
sig  sig   E106DA9C 2005-01-24 __________ __________ [selfsig]
sig  sig3  E106DA9C 2005-02-06 __________ __________ [selfsig]
sig  sig   D9AF6DE9 2005-03-06 __________ __________ Tsung-Yu Ko (Johnny) <Ko.John@gmail.com>
sig  sig   68FD549F 2005-03-13 __________ __________ Martin Michlmayr <tbm@cyrius.com>

Thx @esachin to have exact same result :)
List of suspicious domains he managed:

Code: Select all

kccef.com 	czdjbh.com 	bentium.com
39aj.com 	vpn39.com 	foxyun.com
juyide.com 	holdlion.com 	longchengmetal.com
vps39.com 	astpbx.com 	authyun.com
qmwifi.com 	xuehongliang.com 	guilib.com
nbvox.com 	sns188.com 	lishinet.com
rssgate.com 	yangchequ.com 	tongluda.com
39jia.com 	guqiaow.com 	gzjtjl.com
zhuceyun.com 	eatuo.com 	rpqq.com
91yingcai.com 	c0188.com 	holdlion.net
webok.net 	yaako.net 	cnrss.net
3322.net 	mz668.net 	zhuceyun.net
authyun.net 	qmwifi.net 	f3322.net
x3322.net 	czdjbh.net 	guilib.net
eajia.net 	nbvox.net 	juyide.net
7766.org 	2288.org 	8800.org
9966.org 	6600.org 	8866.org
czdjbh.org 	qmwifi.org 	zhuceyun.org
3322.org 	authyun.org 	f3322.org
wxyh.org 	juyide.org 	guilib.org
nbvox.org 	pubyun.org 	astpbx.org

credit #MalwareMustDie (& malekal also got same attack in same time) assumed world wide scanner..

[unixfreaxjp]

MIPS variant, infecting with a hot speed. Multiple bruters SSH with the login of root/root|ubnt/ubnt|admin/admin
Payload access to block: BLOCK: 122.224.54.104 183.60.197.212
Sample is here: https://www.virustotal.com/en/file/c531 ... /analysis/

[tWiCe]

HFS 180.97.215.111:8080

[unixfreaxjp]

MIPS version. panel:

https://www.virustotal.com/en/file/a4af ... /analysis/
https://www.virustotal.com/en/file/3197 ... /analysis/
https://www.virustotal.com/en/file/8a73 ... /analysis/

[tWiCe]

C&C: yxs.f3322.org

HFS: htxp://119.147.145.213:8019

This HFS also hosts couple of Elknot UPX-packed executables.

[unixfreaxjp]

Nothing new about the recent binaries.. so I will explain the attack vectors the MrBlack router type does, as per picture below:



"sharing public threat information is a right thing to do!"

[unixfreaxjp]

Linux/AES.DDoS on ARM, see the similarities with its cousin "Mr.Black"

In here, found by Malekal Morte:

Sample: https://www.virustotal.com/en/file/1d64 ... 441453958/
AGAIN.. Because it is packed w/upx doesn't have to be a TSUNAMI :D :lol: :) :D :lol: :roll:

PoC: Scan after depacked https://www.virustotal.com/en/file/83da ... 441456448/

[tWiCe]

Alive HFS:

210.92.18.118:7523
1.93.11.200:80