A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28252  by benkow_
 Sat Apr 09, 2016 3:05 pm
ikolor wrote:I'm the only one.


next
https://www.virustotal.com/en/file/35fa ... 460136599/
GAYFGT
Code: Select all
89.248.162.146:179
(null)
buf: %s
/bin/sh
/proc/cpuinfo
BOGOMIPS
PING
:>%$#
%d.%d.%d.%d
%d.%d.%d.0
Failed opening raw socket.
Failed setting raw headers mode.
Invalid flag "%s"
GETLOCALIP
My IP: %s
HOLD
JUNK
KILLATTK
Killed %d.
None Killed.
LOLNOGTFO
8.8.8.8
/proc/net/route
	00000000	
[cpuset]
fork failed
FAILED TO CONNECT
PONG
%s 2>&1
LINK CLOSED
/dev/null
CAk[S
GCC: (GNU) 4.1.2
 #28286  by unixfreaxjp
 Tue Apr 12, 2016 3:39 am
Playing around with this new sample http://www.kernelmode.info/forum/postin ... 05#pr28248 to find they just obfuscate the strings in the ELF. It's a pure standard torlus inside, encoded/string obfuscated, w/stripped and no intel x86 samples ..which is fine for all of us 8-)

To all good folks who battle this threat: This version point of differences for memo: 1. the forks was run before decrypt, 2. syscall stripped but all are torlus' ones . 3. Some hint: Aiming the args which they never can hide. 4. Put them back together& you'll see torlus/lizkebab/gayfgt code as per it is. 5. Noted it is a different obfuscation method to what they did to ELF STD bot that was previously spotted.

"Try harder kids!"
 #28442  by unixfreaxjp
 Mon May 02, 2016 3:45 pm
Another GayFgt "BadLuckJosh" (BLJ) an obfuscated modification in some function name and strings.
Made a video on how to dissect it easier.
The reference for this particular "encrypted" type is here.
Sadly the plan works to fool AV products who doesn't aware of this version exists, make more sigs guys!
Image
Attachments
usual
(18.48 KiB) Downloaded 57 times
 #28460  by unixfreaxjp
 Thu May 05, 2016 9:55 pm
ikolor wrote: https://www.virustotal.com/en/file/8fb0 ... 462464664/
Hello.
Poked by @Xylit0l, I checked your sample the powerpc one.
It is what young collective group of punk hacktivists (read:skiddos) who loves to ddos call it: Torlus or LizKebab or LizKaboob or Lizard Botnet or GayFgt (the coder loves using these words)
good guys call it as: bashdoor, bashlite or GafGyt or similar.
The malware family is in linux section: http://www.kernelmode.info/forum/viewto ... =16&t=3505
Firstly raising attention at the shellshock 0day.

Your particular sample is aiming for busybox router
Image

And issuing spread/distribution effort via execution of tftp (busybox router command)

The CNC is in 89.248.162.167:121 < to be blocked.
And if you find this sample is on the infected routers (not honeypot or some crook related sites) the nearby segment which is having busybox running on telnet would be firstly to be checked too. Just make sure they don't run the user/login names(red color) and passwords (purple color) as per described in the picture above.

But the download center (spread script center likely) is in different IP address 93.174.95.38 downloading/exec that {meow*} binaries replacing busybox for the infection to then deleting them.
Image

GeoLocation for the infectors is from the knownn NL shitty networks:
Code: Select all
89.248.162.167|no-reverse-dns-configured.com.|29073 | 89.248.160.0/21 | QUASINETWORKS | NL | ecatel.net | Ecatel LTD
93.174.95.38||29073 | 93.174.88.0/21 | QUASINETWORKS | NL | ecatel.net | Ecatel LTD
The actor is known in some forum, for this specifics, as a part of thisthreat family.
 #28461  by unixfreaxjp
 Fri May 06, 2016 1:56 am
ref: http://www.kernelmode.info/forum/viewto ... =60#p28247
ikolor wrote:https://www.virustotal.com/en/file/35fa ... 460136599/
This is actually an interesting sample, unusual build. I have two reasons for it:
(1) This is the lizkebab/torlus/gayfgt personal version basis..not so many are using it since not many skiddos owning this type, (2) in this ELF case the actor trimmed the telnet scanner brute credential data (assuming to disable it) , below is the code snippet:
Image
One should see the db array of text of the root account, login strings and password strings before the NULL if exists. These data to be grabbed & use by the telnet scanner function.

The detection of the "personal version" I recognized it since I categorize samples of torlus/gayfgt found in the wild and check them case by case. Below is the diassembly data of this sample "b4e9af8e5fd11c94b68b7d13a75945af" on the main part which is showing the type of the client.c code was used.
Image

So this version works as backdoor with ddos functios. The reason for telnet scanner is disabled maybe to avoid some IDS alarm on telnet scanning.

Judging by the network used as CNC, the actor "could be" the same as this case http://www.kernelmode.info/forum/viewto ... 461#p28460 is one of the crooks mentioned in here
 #28464  by ikolor
 Sat May 07, 2016 9:36 am
I'm not too much familiar with analyze malware code .But I had scan my system on port 23 from this IP 93.174.93.50