A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24222  by unixfreaxjp
 Sun Oct 26, 2014 8:54 am
Another panel full of AES.DDoS: (see red marked) x32, MIPS and ARM version
Image
https://www.virustotal.com/en/file/1cc7 ... 414309615/
https://www.virustotal.com/en/file/cb46 ... 414309833/
https://www.virustotal.com/en/file/aa09 ... 414309860/
https://www.virustotal.com/en/file/240b ... 414309880/
https://www.virustotal.com/en/file/00c3 ... 414309989/
And all of those AES.DDoS is having one setting of CNC in USA network:
Code: Select all
cnc is IP basis/decoded syscall: sa_family=AF_INET, sin_port=htons(48080), sin_addr=inet_addr("104.194.25.180")
cnc PoC: TCP yourebangedbyMMD:33257->104.194.25.180:48080 (ESTABLISHED)
cnc alive status tested: Connection to 104.194.25.180 48080 port [tcp/*] succeeded!
cnc loc: 104.194.25.180||36114 | 104.194.0.0/19 | VERSAWEB-ASN | US | VERSAWEB.COM | VERSAWEB LLC
Encrypted data replied from CNC during initiating connection:
Code: Select all
00000000  07 00 00 00 80 5e 12 00  7c ec 79 01 02 37 b6 71 .....^.. |.y..7.q
00000010  00 00 00 00 b8 6e cd 00  00 00 00 00 b8 6e cd 00 .....n.. .....n..
00000020  90 74 d1 00 00 00 00 00  08 eb 79 01 08 eb 79 01 .t...... ..y...y.
00000030  78 01 d1 00 3e d9 95 7c  d8 ea 79 01 01 00 00 00 x...>..| ..y.....
00000040  25 9e 95 7c 60 74 d1 00  b8 eb 79 01 ad 9d 95 7c %..|`t.. ..y....|
00000050  78 07 d1 00 c9 9d 95 7c  18 00 00 00 68 74 d1 00 x......| ....ht..
00000060  b4 5f 12 00 78 70 00 00  78 01 d1 00 20 01 00 00 ._..xp.. x... ...
00000070  fe ae 00 7c 00 00 d1 00  04 e9 79 01 63 6f 64 65 ...|.... ..y.code
00000080  20 eb 79 01 01 00 00 00  25 9e 95 7c 40 74 d1 00  .y..... %..|@t..
00000090  00 ec 79 01 ad 9d 95 7c  48 07 d1 00 c9 9d 95 7c ..y....| H......|
000000A0  80 5e 12 00 48 74 d1 00  48 5f 12 00 2d 10 00 00 .^..Ht.. H_..-...
000000B0  17 00 00 00 b0 eb 79 01  00 00 00 00 b0 02 00 00 ......y. ........
000000C0  01 00 00 00 b4 5f 12 00  2d 10 00 00 05 00 00 00 ....._.. -.......
000000D0  fa 00 1c 00 b8 0b 4d 00  88 eb 79 01 00 00 00 00 ......M. ..y.....
000000E0  0b 00 00 00 68 74 d1 00  06 02 00 00 b4 5f 12 00 ....ht.. ....._..
000000F0  28 00 00 00 93 02 00 00  00 00 d1 00 88 e9 79 01 (....... ......y.
00000100  62 ba 35 28 30 ec 79 01  e0 80 95 7c 70 9f 95 7c b.5(0.y. ...|p..|
00000110  ff ff ff ff 6c 9f 95 7c  f9 b9 42 00 01 00 00 00 ....l..| ..B.....
00000120  00 00 00 00 d0 eb 79 01  72 ad 42 00 78 74 d1 00 ......y. r.B.xt..
00000130  e0 5b 45 00 01 00 00 00  0c 00 00 00 00 00 00 00 .[E..... ........
00000140  ec eb 79 01 72 ad 42 00  78 74 d1 00 cc 6e cd 00 ..y.r.B. xt...n..
00000150  0c 00 00 00 ec 12 88 00  0c 00 00 00 00 00 00 00 ........ ........
00000160  d2 7b 40 00 78 74 d1 00  0c 00 00 00 cc 6e cd 00 .{@.xt.. .....n..
00000170  0c 00 00 00 44 ec 79 01  ff ff ff ff cd 6e cd 00 ....D.y. .....n..
00000180  b8 ec 79 01 32 7d 40 00  cc 6e cd 00 0c 00 00 00 ..y.2}@. .n......
00000190  8a 12 ee 6c 80 5e 12 00  7c ec 79 01 44          ...l.^.. |.y.D
I think US side is seriously should be aware of this movement..

*) This is the research material of MalwareMustDie, ELF Team, posted only for KernelMode.
The usage of this information is requiring mention to MMD and KM. The material is bound this legal disclaimer: http://blog.malwaremustdie.org/p/the-ru ... es-we.html
Attachments
7z/infected
(1.77 MiB) Downloaded 65 times
 #24224  by unixfreaxjp
 Sun Oct 26, 2014 10:19 am
Attacked on some Windows VPS :evil: < this case is easier for legal process :lol: x32, MIPS and ARM
Image
https://www.virustotal.com/en/file/5c22 ... 414317316/
https://www.virustotal.com/en/file/e31a ... 414317468/
https://www.virustotal.com/en/file/8ec0 ... 414317495/
https://www.virustotal.com/en/file/4a3c ... 414317514/
https://www.virustotal.com/en/file/d1d1 ... 414317533/
All lead to the Chinese network alive CNC ;)
Code: Select all
decoded: sa_family=AF_INET, sin_port=htons(48080), sin_addr=inet_addr("222.211.86.205")
checked: TCP antimalware.mmd:49974->222.211.86.205:48080 (SYN_SENT)
location: 222.211.86.205||38283 | 222.211.86.0/23 | CHINANET-SCIDC-AS | CN | CHINATELECOM.COM.CN | CHINANET SICHUAN PROVINCE NETWORK 
Attachments
7z/infected
(1.76 MiB) Downloaded 63 times
 #24260  by dhuss
 Thu Oct 30, 2014 6:11 pm
Isn't this AES.DDoS (there is another thread here for that)? I have not looked at it closely though so my apologies if I'm mistaken, I'm just going off the CnC.
 #24317  by unixfreaxjp
 Wed Nov 12, 2014 5:56 am
Important notice: As per discussed with KM moderator @EP_X0FF I will post significant changes only, and not posting all of the samples since too many of them & it will be unefficient for fighting this threat with teh current resource. Since security community & industry is now already started to be aware of these China ELF threat, I will add the new things and changes from now on.
This is the sample of AES.DDOS variant:
x32: https://www.virustotal.com/en/file/061f ... 415773906/
x64: https://www.virustotal.com/en/file/9abf ... 415773930/
found in the below panel with the very heavy infection hits:
Image

The KM ELF analyst friends maybe noticed this already, but out there people are starting to think this is the new malware family, which is NOT.
The ELF is AES.DDOS code-stripped and minimized into the Dynamic dependence library per architecture basis, the sample "hua" I mentioned above is x32. So you can't analyze it without knowing its register well under common x64 reverse tool, and need the below x32 set of libs for example:
Code: Select all
libpthread.so.0 (x32)
libc.so.6 (x32)
x32 set of: GLIBC_2.0, GLIBC_2.1, GLIBC_2.7
The key is the DealwithDDoS function which was staying there to manage the new simplified attack vectors as I listed below:
Code: Select all
SYN_Flood
UDP_Flood
GET_Flood
ICMP_Flood
DNS_Flood
Stream_Flood
The interesting NEW stuff that I detected in both samples is the usage of double domain basis CNC for the backconnect, which each encrypted and can be known by reversing unless they might run on one of them only, yet I managed to crack them all into these CNC IP & Ports:
Code: Select all
a1203.f3322.org:1285 (222.186.34.123)
a.lq4444.com:28052 (38.72.114.63)
For unixmen to notice the PoC I used to recheck the reversed information is as per below:
Code: Select all
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}
send(4, "0\1\1\0\0\1\0\0\0\0\0\0\5a1203\5f3322\3org\0\0\1\0"...,,%d,%d)
$ host -ta a1203.f3322.org
a1203.f3322.org has address 222.186.34.123
connect(5, {sa_family=AF_INET, sin_port=htons(1285), sin_addr=inet_addr("222.186.34.123")}, 16)

connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}
send(4, "\311\262\1\0\0\1\0\0\0\0\0\0\1a\6lq4444\3com\0\0\1\0\1",%d,%d)
$ host -ta a.lq4444.com
a.lq4444.com has address 38.72.114.63
connect(4, {sa_family=AF_INET, sin_port=htons(28052), sin_addr=inet_addr("38.72.114.63")
The domain of f3322.org and lq4444.com BELONGS to these crooks, were reported accordingly and in the legal process. Contains this registrar-base information.

Domain Name:F3322.ORG by PDR:
Code: Select all
Domain ID: D166576942-LROR
Creation Date: 2012-09-12T16:18:47Z
Updated Date: 2014-10-12T00:20:20Z
Registry Expiry Date: 2015-09-12T16:18:47Z
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Sponsoring Registrar IANA ID: 303
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:DI_20367849
Registrant Name:peng yong
Registrant Organization:Bitcomm  ltd.
Registrant Street: 1406, yinyuan building
Registrant Street: 37, guanhe road
Registrant City:changzhou
Registrant State/Province:Jiangsu
Registrant Postal Code:213002
Registrant Country:CN
Registrant Phone:+86.51968887168
Registrant Phone Ext:
Registrant Fax: +86.51968887169
Registrant Fax Ext:
Registrant Email:ppyy@astpbx.com
Name Server:NS2.3322.NET
Name Server:NS1.3322.NET 
Domain Name: LQ4444.COM also by PDR:
Code: Select all
Registry Domain ID:
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2014-08-29T03:31:51Z
Creation Date: 2013-06-07T17:41:50Z
Registrar Registration Expiration Date: 2015-06-07T17:41:50Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Registrant Street: C/O ID#10760, PO Box 16 Note - Visit PrivacyProtect.org to contact the domain owner/operator Note - Visit PrivacyProtect.org to contact the domain owner/operator
Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
Registry Admin ID:
Name Server: f1g1ns1.dnspod.net
Name Server: f1g1ns2.dnspod.net
Additionally:
The first NS settings used is also lead to the domain that was being used for previous CNC of the same threat, with the clear registrant information at BOTCOMM, LTD, CHINA. I don't and hate to speculate on threat, but see the data below to you to find the similar contact information which suggesting the connectivity.

Domain Name: 3322.NET by: UK2 Group Ltd. d/a PDR, registrant: BITCOMM LTD.
Code: Select all
Registry Domain ID:
Registrar WHOIS Server: whois.stargateinc.com
Registrar URL: http://www.uk2group.com/domain-names/
Updated Date: 2014-11-01T15:11:02Z
Creation Date: 1999-11-28T15:42:39Z
Registrar Registration Expiration Date: 2016-11-28T15:42:39Z
Registrar: UK2 Group Ltd.
Registrar IANA ID: 084
Registrar Abuse Contact Email:  support@resell.biz
Registrar Abuse Contact Phone: +1-877-826-6890
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: peng yong
Registrant Organization: Bitcomm  ltd.
Registrant Street: 1406, yinyuan building 37, guanhe road
Registrant City: changzhou
Registrant State/Province: Jiangsu
Registrant Postal Code: 213002
Registrant Country: CN
Registrant Phone: +86.51968887168
Registrant Phone Ext:
Registrant Fax: +86.51968887169
Registrant Fax Ext:
Registrant Email: ppyy@astpbx.com
Registry Admin ID:
Name Server: ns1.pubyun.com
Name Server: ns2.pubyun.com
Last update of WHOIS database: 2014-11-12T05:49:15+0000Z<<<
Running these domain information deeper can prevent the crook to use the domain basis infection or CNC in the future.
This is the report of #MalwareMustDie, the ELF Op Team, I analyzed & reversed engineered the found binary and responsible for every technical aspect posted.
Attachments
7z/infected
(14.02 KiB) Downloaded 59 times
 #24393  by ikolor
 Thu Nov 20, 2014 5:06 pm
Hi it some malware code file .

pass. infected
Attachments
(2.65 MiB) Downloaded 77 times
 #24983  by unixfreaxjp
 Sat Jan 17, 2015 10:29 pm
Clarification for the misunderstanding:

#Linux/AES.DDoS is having variants that is NOT using "Mr.Black " strings,
so please be noted to NOT to put those as "equals".

Thank you. #MalwareMustDie