[unixfreaxjp]

Following previous post http://www.kernelmode.info/forum/viewto ... 955#p23868 below is some PCAP characteristic of BillGates:

(1) Complete communication to CNC from initiation & receiving target's IP list:
https://lh6.googleusercontent.com/-Vf6c ... 46/005.png

(2) The above (1) is breaking down into packet sent/ receive:
https://lh3.googleusercontent.com/-u05M ... 12/006.png

(3) DDoS packet (UDP one) analyzed:
https://lh6.googleusercontent.com/-oc-n ... 76/007.png

[unixfreaxjp]

2 months old sample spotted https://www.virustotal.com/en/file/ab8f ... 411305213/
with its updater (downloader+installer) https://www.virustotal.com/en/file/295f ... 411305627/
↑see comment I wrote in VT for the installer.

[unixfreaxjp]

A fresh sample by several hours ago uploaded my malware crooks:

Noted: see how it names itself as ethtool to fake utilities.
VT (7/54): https://www.virustotal.com/en/file/854d ... 411330589/
CNC: 162.221.12.154:25000
It's currently sinkholed by: 162.221.12.0/24 | CLEAR-DDOS-AS | CA | CLEAR-DDOS.COM | CLEARDDOS TECHNOLOGIES (Sinkhole)

Below is the first packet sent during initial communication sent to the CNC, CNC was already sinkholed beforehand so no full initial communication can be established:


If you find any FRESH samples (please..please dont send us old samples with dead CNC) , or URL to download these ELF, please PM in here or DM me in @malwaremustdie for mitigation coordination of this threat. Thank you in advance.

[unixfreaxjp]

Fresh new built Linux/BillGates https://www.virustotal.com/en/file/b64b ... 411509418/
PoC:

Code: Select all

0x080F1FF0 0x00E // 11CUpdateBill 
0x080F200C 0x00F // 12CUpdateGates  
0x080F2A3C 0x00F // /tmp/bill.lock  
0x080F5C53 0x010 // /tmp/gates.lock

Attack set:

Code: Select all

11CAttackBase 
13CPacketAttack 
10CAttackUdp  
10CAttackSyn  
11CAttackIcmp 
10CAttackDns  
10CAttackAmp  
10CAttackPrx  
15CAttackCompress   
10CTcpAttack  
9CAttackCc
9CAttackIe

RSAs:

Code: Select all

.rodata:0x080F2424 0x101 // 14BC88F8F4F502D88907B9085EBA3EA9E906C5D316067CEA69242F1D910E0CA19D1999C0ECD6BEC630764AD5DB96879D483F6C1B44E3F7A033DF51051660E4E5BB679D3C02F47B1E9940C904357AA976DD2C6ADA5998BD0817746FFB6C4D74948714DBC1A6A223900845135F7F03CD6A03631FA220A39F06B136700641193AD9
.rodata:0x080F2628 0x081 // 3AF43028DD9C86509C88A0F0629E7DC838AA707E756EBD78416AA17E5B10C022EE943F62A6FCDF507CB24178D044739EB676CE869D5C719A40BC38DADE461B1B
.rodata:0x080F282C 0x101 // 13D845472758A12E97B13953F10B062DDBE120BE626A46E07A1420917F330E15502C7CC7C3E73C9F1A3C180BA6BC962C1E63FACB22F836098A68B53A71850DC34ECF9A5937CC3DCA8923BC21C74223478A3AC3CADDEB9AA2706873F53D0A00B2B10EDC1569343A29BF4ED8EF9525F0487E45B5F958E52D53DCB8749F85124DCF

CNC:

Code: Select all

183.60.205.183:23456

[unixfreaxjp]

Linux/DDoS 3 weeks ago sample with CNC still alive :roll: https://www.virustotal.com/en/file/7829 ... 411530968/ <packed
CNC domain vipy.f3322.org
IP/Port: 120.210.204.102:36000
Nothing special.

[unixfreaxjp]

This malware was uploaded to the panel on Sept 9th, 2014.

VT: 17/55 https://www.virustotal.com/en/file/710a ... 412031254/ not bad.

Code: Select all

CNC = 447556707.com
Callback IP: Port = 121.42.12.57:8558
Loc = 121.42.12.57||37963 | 121.42.0.0/18 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD

[unixfreaxjp]

Distributed via shellshock. VT: https://www.virustotal.com/en/file/e242 ... 412133130/
This sample is not using domain (blank) as CNC but IP address: 204.41.234.23:36001 < sinkholed ;))
#MalwareMustDie!!

[unixfreaxjp]

A panel with these three ELF binaries was found:

VT are:
https://www.virustotal.com/en/file/2b80 ... 412258290/
https://www.virustotal.com/en/file/2b82 ... 412258871/
https://www.virustotal.com/en/file/7d45 ... 412259627/
All leads to same CNC & ports:

Code: Select all

98.126.127.183:25000

More details I wrote in VT comment
findings credit @leonvdijk
#MalwareMustDie

[unixfreaxjp]

New panels! :D These crooks will not stand a chance against all Infosec ppl scanning their network now :lol:

x32:/linux: https://www.virustotal.com/en/file/4870 ... 412192527/
x32/linux: https://www.virustotal.com/en/file/7bcf ... 412192617/
x32 FreeBSD: https://www.virustotal.com/en/file/ab34 ... 412193094/
I'll decode the cnc after resting a while ;) Feel free to decode & post it!
#MalwareMustDie!

[unixfreaxjp]

About: http://www.kernelmode.info/forum/viewto ... =20#p24037
Decoding this sample: https://www.virustotal.com/en/file/4870 ... 412303984/ and https://www.virustotal.com/en/file/7bcf ... 412303565/ only.
CNC is the domain, not IP address. Info:

Code: Select all

Domain: www.bw110x.com
IP & ports: 124.173.116.183:1352
PoC up and alive: TCP MMD-BANG-YOU-AGAIN:56798->124.173.116.183:lotusnote (ESTABLISHED)
location: ASN: 4134 | 124.172.0.0/15 | CHINANET | CN | SZGWBN.NET.CN | WORLD CROSSING TELECOM (GUANGZHOU) LTD.

#MalwareMustDie!