A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24007  by unixfreaxjp
 Mon Sep 29, 2014 3:09 pm
This "can be said" to be a new ELF malware: a DDoSer, with XOR-encrypted communication. It looks like it originated from China.
This malware is spotted in a well-thought infection scheme, I posted here: http://blog.malwaremustdie.org/2014/09/ ... a-elf.html
Sample is in VT here: https://www.virustotal.com/en/file/834e ... 411743709/

The code used, as per the sources, looks like a new design. But for the general workings, it adapts IptabLes and AES.DDoS.
But this variant has a specific XOR in use.
So in the meantime I called it Linux/Xor.DDoS; some people will make their own name anyway.
Feel free to improve the thread with analysis, new findings or opinions that are related to the ELF malware used. PS: not the hack scheme used, please.

Our MMD mates were dissecting the code while I did the binary and checked the overall scheme. The threat is up and alive; many things have to be shut down in this scheme.

Rgds
Attachments
7z/infected
(229.04 KiB) Downloaded 148 times
 #24023  by maddy
 Wed Oct 01, 2014 6:46 am
hxxp://23.234.21.82/upload/3502 still alive :o :shock:
 #24029  by unixfreaxjp
 Thu Oct 02, 2014 2:36 am
hxxp://../3502
Yes, we noted that; it is under authority investigation, and we backed off the case as instructed. Kindly do not access it if you do not want to be logged.
 #24144  by shibumi
 Tue Oct 14, 2014 2:44 pm
Updated ELFs 3502_s.rar and 3503_s.rar

The source 178.33.196.164:80 is still alive and spreading malware.

inetnum: 178.33.196.160 - 178.33.196.175
netname: NEXTECLOUD-NETWORKS
country: PT
Attachments
pw:infected
(247.46 KiB) Downloaded 77 times
 #24148  by unixfreaxjp
 Wed Oct 15, 2014 4:19 am
Two additions:

1. The authorities work too slowly; infection happens and spreads. I disclose the source for blocking purposes here:
Image

2. The research reference link looks broken:
unixfreaxjp wrote:...This malware is spotted in a well-thought infection scheme, I posted here: http://blog.malwaremustdie.org/2014/09/ ... a-elf.html ...
Correct one: http://blog.malwaremustdie.org/2014/09/ ... china.html

rgds
 #24864  by shibumi
 Wed Jan 07, 2015 1:52 pm
Next wave of Linux/XOR.DDoS:

Binaries:
Code:
MD5                               Filename
-----------------------------------------------------------
5d75cafeb85754571f3bfd5b100eb3ab  3502              found via filebruteforcing
82cb0aa39b47ec0ce883d8ca5202350d  3503              found via filebruteforcing
132ba54b1b187a38a455dd27c1e74d62  3504              found via filebruteforcing
e9394cbfce81084bb47230f1f774a97e  3505              found via filebruteforcing
0b7630ead879da12b74b2ed7566da2fe  8000              found via filebruteforcing
7543d6467ce696c24950344ed313c8ab  8001              found via filebruteforcing
e9db2bcc3678779114f8ed31c875cbd3  8002              found via filebruteforcing
1975ff1586f0115e89fa1fe72708939a  8003              found via filebruteforcing
7d0a19f984f6730a1d64eda63d8f6d9f  8004              found via filebruteforcing
f0c7591db042a0e8f66d0d8b48eaa3ce  8005              found via filebruteforcing
9213fb26095c01ec7f739eb99b043caf  8006              found via filebruteforcing
8ecd61dfe29ae9ca80425c3ae1613d1d  8007              found via filebruteforcing
6387622dc599a220749b77411a56d13f  8008              downloaded via drop.sh
ea708b86c2a50a94457c7cb3ebc97f9d  mini_23.234.21.81 downloaded via drop.sh
5b0cc5ca0ff3e7382f896a4e14845e59  48513             downloaded directly via wget

First Analysis:

Filename  Type of Malware     probably CNC-Server
----------------------------------------------------------------
3502      Linux/XOR.DDoS      103.25.9.228
3503      Linux/XOR.DDoS      103.25.9.228
3504      Linux/XOR.DDoS      103.25.9.228
3505      Linux/XOR.DDoS      103.25.9.228
8000      Linux/XOR.DDoS      103.25.9.228
8001      Linux/XOR.DDoS      103.25.9.228
8002      Linux/XOR.DDoS      103.25.9.228
8003      Linux/XOR.DDoS      103.25.9.228
8004      Linux/XOR.DDoS      103.25.9.228
8005      Linux/XOR.DDoS      103.25.9.228
8006      Linux/XOR.DDoS      103.25.9.228
8007      Linux/XOR.DDoS      103.25.9.228
8008      Linux/XOR.DDoS      103.25.9.228
48513     Linux/XOR.DDoS      103.25.9.228
mini      NEW??               -
All binaries are from this IP/DIR: hxxp://23.234.60.140/install/
Except 'mini'; the binary 'mini' is from: hxxp://23.234.21.81/upload/
I identified all the binaries as Linux/XOR.DDoS with the symbol that unixfreaxjp had found in the other Linux/XOR.DDoS samples: sym.xorkeys
The CNC IP is hardcoded near this symbol.

All these binaries are dropped via the shell script 'drop' in my attachment.
I just called it 'drop' because the attacker is executing the code directly in the
shell. There must be some automated botnet behind that.

The deobfuscated drop file is: 'drop.decrypted'.

Check my attachment for whois information / nmap scans about this threat.
Attachments
includes whois queries and nmap scans from me
(465.13 KiB) Downloaded 81 times
 #24939  by unixfreaxjp
 Tue Jan 13, 2015 10:11 pm
VT: https://www.virustotal.com/en/file/292a ... 421185647/
Code:
// XOR KEYS
080CBD54 42 42 32 46 41 33 36 41 41 41 39 35 34 31 46 30 BB2FA36AAA9541F0

// CNC w/DNS resolver
080CBD84 00 00 29 10 00 00 00 00 00 00 00 00 B0 FA 0A 08 ..).............
080CBD94 40 FB 0A 08 31 30 33 2E 32 35 2E 39 2E 32 32 38 @...103.25.9.228
080CBDA4 00 00 00 00 38 2E 38 2E 38 2E 38 00 00 00 00 00 ....8.8.8.8..... 
Served in the infector domain:
Code:
buhenge.com
#MalwareMustDie!
Attachments
7z/infected
(227.13 KiB) Downloaded 68 times
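The two posts above identify samples by the sym.xorkeys symbol and the C&C IP hardcoded right after it; this added triage script (not code from the thread or from MalwareMustDie) carves the 16-byte key and any IPv4 strings out of that region, using a blob constructed from the hexdump above, and then uses the key as a repeating XOR to check whether a captured blob decodes to printable text. The repeating-key scheme and the 96-byte window are assumptions, not facts stated in the thread.

```python
import re

# 16-byte XOR key exactly as shown in the post's hexdump at 0x080CBD54 (sym.xorkeys)
XOR_KEY = b"BB2FA36AAA9541F0"

# Constructed blob reproducing the layout of the post's dump: key at offset 0,
# 32 bytes of filler, then the CNC/resolver block that sits at key + 0x30.
SAMPLE_REGION = (
    XOR_KEY + b"\x00" * 32
    + bytes.fromhex("00 00 29 10 00 00 00 00 00 00 00 00 B0 FA 0A 08")
    + bytes.fromhex("40 FB 0A 08 31 30 33 2E 32 35 2E 39 2E 32 32 38")
    + bytes.fromhex("00 00 00 00 38 2E 38 2E 38 2E 38 00 00 00 00 00")
)

IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_config(region, key_off=0, key_len=16, window=96):
    """Return (xor_key, ipv4_strings) from the bytes around sym.xorkeys.
    key_off is the symbol's file offset (e.g. taken from `readelf -s`)."""
    key = region[key_off:key_off + key_len]
    tail = region[key_off + key_len:key_off + key_len + window]
    ips = [m.group(0).decode() for m in IPV4_RE.finditer(tail)
           if all(int(o) <= 255 for o in m.group(0).split(b"."))]
    return key, ips


def xor_repeating(data, key=XOR_KEY):
    """Repeating-key XOR. Assumption: the sample's comm uses this scheme."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def try_decode(blob, key=XOR_KEY, threshold=0.9):
    """Triage check: XOR a captured blob with the key and report whether the
    result is mostly printable, i.e. looks like decoded plaintext."""
    out = xor_repeating(blob, key)
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in out)
    return out, bool(out) and printable / len(out) >= threshold


if __name__ == "__main__":
    key, ips = extract_config(SAMPLE_REGION)
    print("key:", key.decode(), "ipv4 near key:", ips)
    # Constructed capture: our own encoding of a plausible line, for the demo.
    capture = xor_repeating(b"constructed sample beacon line\n")
    plain, ok = try_decode(capture)
    print("decodes to printable text:", ok, plain)
```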