A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26515  by tWiCe
 Fri Aug 14, 2015 12:53 pm
Malware family created by the ChinaZ actor.
The trojan is installed via compromised SSH access. Originally the file is hosted on an HFS and downloaded to the target system via a script or command.

The trojan is designed for routers and is known to be compiled only for ARM and MIPS architectures. The overall look of the code reminds me of the MrBlack family.

The command list includes HTTP flood, SYN flood, DNS flood and stop attack.

This trojan has been spotted in the wild on a compromised router.

#1
bot version: 20150412
C&C: 216.99.151.186
https://www.virustotal.com/ru/file/f0e7 ... /analysis/

#2
bot version: 20150412
C&C: 222.186.21.82
https://www.virustotal.com/ru/file/4477 ... /analysis/

@unixfreaxjp samples include debug info, so you can take the list of source files for your collection ;)
Attachments
infected
(454.81 KiB)
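The remark above about debug info surviving in the samples can be turned into a small, dependency-free check. The script below is an added example, not code from the original post or from any sample in this thread: it parses the ELF header and section table (ELF32 or ELF64, little- or big-endian, since MIPS router builds are often big-endian), reports the target machine, and lists the source files named by STT_FILE symbols in .symtab and by strings in .debug_str. Because real samples cannot be embedded here, it also builds a constructed stand-in ELF; the section layout is real, but the file names (main.c, attack.c, /home/builder/ddos) and symbol names are invented for the demonstration.

```python
import struct

# ELF constants used below (from the ELF specification)
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
STT_FILE, STT_FUNC = 4, 2
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}
SRC_SUFFIXES = (".c", ".h", ".cpp", ".cc", ".s", ".S")


class ELFError(ValueError):
    pass


def _formats(data):
    """Pick struct formats for this file's class (32/64-bit) and byte order."""
    if data[:4] != b"\x7fELF":
        raise ELFError("not an ELF file")
    endian = {1: "<", 2: ">"}.get(data[5])          # EI_DATA: 1 = LSB, 2 = MSB
    if endian is None:
        raise ELFError("bad EI_DATA")
    if data[4] == 1:                                 # ELFCLASS32
        return 1, endian + "HHIIIIIHHHHHH", endian + "IIIIIIIIII", endian + "IIIBBH"
    if data[4] == 2:                                 # ELFCLASS64
        return 2, endian + "HHIQQQIHHHHHH", endian + "IIQQQQIIQQ", endian + "IBBHQQ"
    raise ELFError("bad EI_CLASS")


def _cstr(blob, off):
    return blob[off:blob.index(b"\x00", off)].decode("utf-8", "replace")


def _sections(data):
    """Return (e_machine, [section dicts]) parsed from the section header table."""
    _, ehdr_fmt, shdr_fmt, _ = _formats(data)
    h = struct.unpack_from(ehdr_fmt, data, 16)  # h[1]=e_machine h[5]=e_shoff h[10]=e_shentsize h[11]=e_shnum h[12]=e_shstrndx
    secs = []
    for i in range(h[11]):
        f = struct.unpack_from(shdr_fmt, data, h[5] + i * h[10])  # name,type,flags,addr,offset,size,link,info,align,entsize
        secs.append({"name_off": f[0], "type": f[1], "off": f[4], "size": f[5], "link": f[6], "entsize": f[9]})
    shstr = secs[h[12]]
    names = data[shstr["off"]:shstr["off"] + shstr["size"]]
    for s in secs:
        s["name"] = _cstr(names, s["name_off"])
    return h[1], secs


def extract(data):
    """Return (machine name, ordered list of source paths) from STT_FILE symbols and .debug_str."""
    ei_class, _, _, sym_fmt = _formats(data)
    machine, secs = _sections(data)
    found = []
    for s in secs:
        body = data[s["off"]:s["off"] + s["size"]]
        if s["type"] == SHT_SYMTAB:                  # unstripped binary: one STT_FILE symbol per translation unit
            strs = secs[s["link"]]
            strtab = data[strs["off"]:strs["off"] + strs["size"]]
            for off in range(0, len(body), s["entsize"] or struct.calcsize(sym_fmt)):
                f = struct.unpack_from(sym_fmt, body, off)
                st_name, st_info = (f[0], f[3]) if ei_class == 1 else (f[0], f[1])
                if st_info & 0xF == STT_FILE and st_name:
                    found.append(_cstr(strtab, st_name))
        elif s["name"] == ".debug_str":              # DWARF string pool: DW_AT_name / DW_AT_comp_dir live here
            for raw in body.split(b"\x00"):
                t = raw.decode("utf-8", "replace")
                if t.endswith(SRC_SUFFIXES) or t.startswith("/"):
                    found.append(t)
    return EM_NAMES.get(machine, "EM_%d" % machine), list(dict.fromkeys(found))


def build_sample_elf(ei_class=1, ei_data=2, e_machine=8):
    """Constructed stand-in (NOT a real ChinaZ binary): a minimal unstripped ELF with
    .symtab/.strtab and .debug_str. Defaults to ELF32 big-endian MIPS."""
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        ehdr_fmt, shdr_fmt, sym_fmt = "HHIIIIIHHHHHH", "IIIIIIIIII", "IIIBBH"
    else:
        ehdr_fmt, shdr_fmt, sym_fmt = "HHIQQQIHHHHHH", "IIQQQQIIQQ", "IBBHQQ"
    ehdr_fmt, shdr_fmt, sym_fmt = (endian + f for f in (ehdr_fmt, shdr_fmt, sym_fmt))
    ehsize, shentsize, symsize = 16 + struct.calcsize(ehdr_fmt), struct.calcsize(shdr_fmt), struct.calcsize(sym_fmt)

    def strtab(names):                                # NUL-separated string table, index 0 is ""
        blob, offs = bytearray(b"\x00"), {}
        for n in names:
            offs[n] = len(blob)
            blob += n.encode() + b"\x00"
        return bytes(blob), offs

    shstr, sh_off = strtab([".shstrtab", ".strtab", ".symtab", ".debug_str"])
    sym_defs = [("main.c", STT_FILE), ("main", STT_FUNC), ("attack.c", STT_FILE), ("http_flood", STT_FUNC)]  # invented names
    strt, st_off = strtab([n for n, _ in sym_defs])

    def sym(name_off, st_type, shndx):                # st_info = (STB_LOCAL << 4) | st_type
        args = (name_off, 0, 0, st_type, 0, shndx) if ei_class == 1 else (name_off, st_type, 0, shndx, 0, 0)
        return struct.pack(sym_fmt, *args)

    symtab = sym(0, 0, 0) + b"".join(sym(st_off[n], t, 0xFFF1 if t == STT_FILE else 1) for n, t in sym_defs)
    debug_str = b"GNU C 4.4.3\x00/home/builder/ddos\x00main.c\x00attack.c\x00"  # constructed DWARF strings

    out = bytearray(ehsize)                           # header first, section bodies next, section headers last
    shdrs = [struct.pack(shdr_fmt, *([0] * 10))]      # index 0: SHN_UNDEF
    for name, stype, body, link, entsize in [
            (".shstrtab", SHT_STRTAB, shstr, 0, 0), (".strtab", SHT_STRTAB, strt, 0, 0),
            (".symtab", SHT_SYMTAB, symtab, 2, symsize), (".debug_str", SHT_PROGBITS, debug_str, 0, 0)]:
        shdrs.append(struct.pack(shdr_fmt, sh_off[name], stype, 0, 0, len(out), len(body), link, 0, 1, entsize))
        out += body
    shoff = len(out)
    out += b"".join(shdrs)
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    # e_type=ET_EXEC, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    out[:ehsize] = ident + struct.pack(ehdr_fmt, 2, e_machine, 1, 0, 0, shoff, 0, ehsize, 0, 0, shentsize, len(shdrs), 1)
    return bytes(out)


if __name__ == "__main__":
    for sample in (build_sample_elf(), build_sample_elf(ei_class=2, ei_data=1, e_machine=40)):
        print(extract(sample))
```

On a real sample, `extract(open(path, "rb").read())` gives the same information as `readelf -s` filtered on FILE symbols plus the strings of `.debug_str`; a stripped build yields an empty list, which is itself a useful signal when comparing variants.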
 #26516  by malwarelabs
 Fri Aug 14, 2015 2:51 pm
I like how Kaspersky kyrspeasK made his signature Linux.Kluh.a for DDoS.Linux.hulk.a / Linux.Znaich.a for Linux.chinaZ.a
 #26739  by unixfreaxjp
 Wed Sep 16, 2015 12:20 pm
tWiCe wrote:@unixfreaxjp samples include debug info, so you can take the list of source files for your collection ;)
Thanks so much! :) Collected. Typical ChinaZ.. testing many things.. but can't build an ELF properly. I humbly take every advantage from this for my skeleton :D
malwarelabs wrote:I like how Kaspersky kyrspeasK made his signature Linux.Kluh.a for DDoS.Linux.hulk.a / Linux.Znaich.a for Linux.chinaZ.a
"kysrepsak"< :P

Just checked, and I think this is the thread where it was first detected:
https://twitter.com/wirehack7/status/590194047840555008
VT: https://www.virustotal.com/en/file/354f ... /analysis/
I wasn't around when this was found. Does anyone have the installer script? For collection :D
 #26747  by r3dbU7z
 Thu Sep 17, 2015 12:01 am
H! a11
Probably this information is useful to someone (I hope)

HFS h00p://23.251.57.95:655
Attachments
kluh-hfs.jpg (128.34 KiB)
 #26762  by unixfreaxjp
 Sat Sep 19, 2015 12:26 pm
r3dbU7z wrote:H! a11
Probably this information is useful to someone (I hope)
Hi @r3dbU7z, it is very useful, Sir. Thank you. I can't fetch the sample since it looks down; would you please kindly share it with us as an attachment in the usual password-protected archive? With thanks in advance! Regards.
 #26764  by r3dbU7z
 Sat Sep 19, 2015 8:08 pm
unixfreaxjp wrote:I can't fetch the sample since it looks down; would you please kindly share it with us as an attachment in the usual password-protected archive?
It's my fail. I'm sorry.
Attachments
pswd: infected
(6.39 MiB)