A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24163  by unixfreaxjp
 Sat Oct 18, 2014 11:06 am
I think this is a spun-out version of BillGates, or they released a NEW version; just spotted thanks to a generous anonymous report (w/thanks).
This is the sample: https://www.virustotal.com/en/file/a2da ... /analysis/
Noted: detection ratio has dropped to ZERO (oh.. not again)!!!

No Bill nor Gates, no DNSAmp with its hard-coded IP addresses either; the attack "Beikong" manager is gone & replaced with a fresh one.
Same GCC: (GNU) 4.0.0 compiler with glibc 2.3.5 compat, but this can be changed.
Serials and other "parts" stay, with new additions in the C++ project:
Code:
 Attack.cpp
 Bee.cpp
 CmdMsg.cpp
 ConfigDoing.cpp
 ExChange.cpp
 Manager.cpp
 ProtocolUtil.cpp
 StatBase.cpp
 ThreadAtk.cpp
 ThreadAtkTimer.cpp
 ThreadClientStatus.cpp
 ThreadTask.cpp
 AutoLock.cpp
 Media.cpp
 NetBase.cpp
 ThreadCondition.cpp
 Thread.cpp
 ThreadMutex.cpp
 Utility.cpp
 WinDefSVC.cpp
xinetd for autostart stays:
Code:
#!/bin/bash
/etc/rc%d.d/S%d%s
ln -s /etc/init.d/%s %s
The attack vectors are decreased:
Code:
1. AttackUdp
2. AttackSyn
3. AttackIcmp
4. AttackDns
5. AttackCC
6. AttackTcp
More user-agents are used:
Code:
Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1b2) Gecko/20060823 SeaMonkey/1.1a
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.6) Gecko/20070809 Camino/1.5.1
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E)
0x08047C    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
*) I will add the reversing highlight later. Gotta nail this down first.

Typical drop:
Code:
00000000  16 00 00 00 01 00 00 00  00 00 4e 2e 25 45 4e 2e  |..........N.%EN.|
00000010  25 45 4e 2e 25 45 e8 fd  e8 03                    |%EN.%E....|
0000001a
They tried to fool us in the CNC connection now, but the good guys ARE NOT THAT STUPID. CNC data is cracked as per below:
Code:
IP: 61.147.103.21 
Port: 8809
CNC Hostname: g.nasa-uni.com ==> 61.147.103.21 
IP Location:  61.147.103.21||23650 | 61.147.103.0/24 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
CNC Domain registration details for "escalation process":
Domain Name: NASA-UNI.COM
Registry Domain ID: 1838734896_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-12-11 03:32:25
Creation Date: 2013-12-11 03:14:08
Registrar Registration Expiration Date: 2015-12-11 03:14:08
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: xxx xxx
Registrant Organization: xxx
Registrant Street: xxx
Registrant City: xxx
Registrant State/Province: Alberta
Registrant Postal Code: 520131
Registrant Country: China
Registrant Phone: +0.1522222222
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: thierrysy410@gmail.com
Registry Admin ID: 
Yep. This prick is using this email address, which I just confirmed is valid:
thierrysy410@gmail.com

CNC domain cracked PoC:
Code:
SYSCALL-sendto(4, "3=\1\0\0\1\0\0\0\0\0\0\1g\10nasa-uni\3com\0\0\1\0\1", 32, 0, 
{sa_family=AF_INET, sin_port=htons(53), 
sin_addr=inet_addr("DNS-SERVER-ADDRESS")}, 16)
CNC IP cracked PoC:
Code:
SYSCALL-connect(3, {sa_family=AF_INET, sin_port=htons(8809), 
sin_addr=inet_addr("61.147.103.21")}, 16)
Can be looked up:
Code:
; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60523
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;g.nasa-uni.com.                        IN      A

;; ANSWER SECTION:
g.nasa-uni.com.         3600    IN      A       61.147.103.21

;; AUTHORITY SECTION:
nasa-uni.com.           3600    IN      NS      ns56.domaincontrol.com.
nasa-uni.com.           3600    IN      NS      ns55.domaincontrol.com.

;; ADDITIONAL SECTION:
ns56.domaincontrol.com. 1404    IN      A       208.109.255.28
ns55.domaincontrol.com. 934     IN      A       216.69.185.28

;; Query time: 347 msec
;; SERVER: 202.238.95.24#53(202.238.95.24)
;; WHEN: Sat Oct 18 20:45:00 2014
;; MSG SIZE  rcvd: 132
#MalwareMustDIE!
Attachment: 7z/infected (375.16 KiB)
 #24190  by unixfreaxjp
 Thu Oct 23, 2014 7:44 am
This panel:
[image]
https://www.virustotal.com/en/file/3ef0 ... 413824232/
Please refer to the analysis I posted on VT.
linux.win-ddos.com is unrelated to the malware itself (sinkhole).

CNC:
Code:
{...} TCP MMD-BANGS-YOU:36673->222.186.58.146:43200 (SYN_SENT)
Connection to 222.186.58.146 43200 port [tcp/*] succeeded!
^C
$ date
Thu Oct 23 06:48:46 JST 2014

CNC located at:
222.186.58.146||23650 | 222.186.56.0/21 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
Attachment: 7z/infected (348.6 KiB)
 #24193  by unixfreaxjp
 Thu Oct 23, 2014 12:48 pm
VT: https://www.virustotal.com/en/file/fc1c ... 414066967/
CNC:
Code:
crooksmustdie.malwaremustdie.org:49304->222.186.55.84:25000 (ESTABLISHED)
sa_family=AF_INET, sin_port=htons(25000), sin_addr=inet_addr("222.186.55.84")
[222.186.55.84] 25000 (?) open
Location:
Code:
222.186.55.84||23650 | 222.186.54.0/23 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
CNC is a Windows OS box running DDoS botnet software
#MalwareMustDie
Attachment: 7z/infected (360.45 KiB)
 #24197  by unixfreaxjp
 Thu Oct 23, 2014 5:39 pm
Two ELF BillGates with the same CNC, different ports:
[image]
https://www.virustotal.com/en/file/aec8 ... 414080768/
https://www.virustotal.com/en/file/dfe6 ... 414080916/
CNC:
Code:
121.40.179.212:8325 & 121.40.179.212:23899
Loc: 121.40.179.212||37963 | 121.40.0.0/14 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD
Attachment: 7z/infected (449.07 KiB)
 #24199  by unixfreaxjp
 Thu Oct 23, 2014 8:01 pm
BillGates with CNC on a hostname basis
[image]
Analysis is written in VT comment: https://www.virustotal.com/en/file/1c2b ... 414086822/
Infected machine will see these CNC connections:
Code:
m.yzyxyz.com:1127   or
104.194.25.74:1127 or
104.194.25.74:supfiledbg or
m.yzyxyz.com:supfiledbg
Location of CNC is USA; it is alive.
Code:
104.194.25.74||36114 | 104.194.0.0/19 | VERSAWEB-ASN | US | VERSAWEB.COM | VERSAWEB LLC 
Just in case it changes, below is the domain info:
Code:
  Domain Name: YZYXYZ.COM
   Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
   Whois Server: grs-whois.hichina.com
   Referral URL: http://www.net.cn
   Name Server: V2S1.XUNDNS.COM
   Name Server: V2S2.XUNDNS.COM
   Status: ok
   Updated Date: 08-jul-2013
   Creation Date: 16-mar-2012
   Expiration Date: 16-mar-2015
   >>> Last update of whois database: Thu, 23 Oct 2014 19:10:21 GMT <<<

Domain Name:yzyxyz.com
Registry Domain ID:
Registrar WHOIS Server: whois.hichina.com
Registrar URL: http://www.net.cn/
Updated Date:2013-07-08T10:00:57Z
Creation Date:2012-03-16T07:22:20Z
Registrar Registration Expiration Date:2015-03-16T07:22:20Z
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Registrar IANA ID: 420
Registrar Abuse Contact Email: abuse@list.alibaba-inc.com
Registrar Abuse Contact Phone: +86.4006008500
Reseller:
Domain Status:
Registry Registrant ID:hc953572598-cn
Registrant Name:wen liping
Registrant Organization:wen liping
Registrant Street:zuohaizujia Bqu 2dong 905,,
Registrant City:fuzhou
Registrant State/Province:fujian
Registrant Postal Code:523008
Registrant Country:CN
Registrant Phone:+86.76987165110
Registrant Phone Ext:0
Registrant Fax:+86.76987165110
Registrant Fax Ext:0
Registrant Email:41840084533@qq.com
Registry Admin ID:hc953572598-cn
Admin Name:wen liping
Admin Organization:wen liping
Name Server:v2s1.xundns.com
Name Server:v2s2.xundns.com
#MalwareMustDie!
Attachment: 7z/infected (348.59 KiB)
 #24212  by unixfreaxjp
 Sat Oct 25, 2014 7:18 am
BillGates, fresh:
[image]
VT:
https://www.virustotal.com/en/file/670a ... 414220121/
https://www.virustotal.com/en/file/76cc ... 414220800/
Same build & CNC:
Code:
CNC is IP basis 118.123.119.14:36000
Located at 118.123.119.14||38283 | 118.123.119.0/24 | CHINANET-SCIDC-AS | CN | CHINATELECOM.COM.CN | CHINANET SICHUAN PROVINCE NETWORK
Attachment: 7z/infected (738.9 KiB)
 #24217  by unixfreaxjp
 Sat Oct 25, 2014 4:23 pm
This is the panel filled with the recent BillGates, except that "bugs" is an old & already-analyzed ElknotCrypted one.
[image]
The Billgates:
https://www.virustotal.com/en/file/b535 ... 414250915/
https://www.virustotal.com/en/file/ff01 ... 414251330/
https://www.virustotal.com/en/file/864c ... 414252371/
https://www.virustotal.com/en/file/6810 ... 414252396/
Which leads to CNC in China with IP/port:
Code:
218.244.148.150:25000 or 218.244.148.150:25001
CNC is Located: 218.244.148.150||37963 | 218.244.128.0/19 | CNNIC-ALIBABA-CN-NET | CN | - | HICHINA TELECOM NET
*) Research by the MalwareMustDie ELF team, only posted in KernelMode. Further publication of this material is forbidden without permission.
Attachment: 7z/infected (740.98 KiB)
 #24223  by unixfreaxjp
 Sun Oct 26, 2014 9:08 am
Yet another BillGates:
[image]
CNC info:
Code:
cnc is domain based:
syscall decoded: sendto(5, "I\256\1\0\0\1\0\0\0\0\0\0\3www\6cq11fb\3com\0\0\1\0\1", 32, 0, 
{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16)

existence PoC:
domain: www.cq11fb.com
www.cq11fb.com.         600     IN      A       110.246.74.114
cq11fb.com.             600     IN      NS      f1g1ns2.dnspod.net.
cq11fb.com.             600     IN      NS      f1g1ns1.dnspod.net.

DNS replied raw PoC:
00000000  49 ae 01 00 00 01 00 00  00 00 00 00 03 77 77 77 I....... .....www
00000010  06 63 71 31 31 66 62 03  63 6f 6d 00 00 01 00 01 .cq11fb. com.....
00000000  49 ae 81 80 00 01 00 01  00 00 00 00 03 77 77 77 I....... .....www
00000010  06 63 71 31 31 66 62 03  63 6f 6d 00 00 01 00 01 .cq11fb. com.....
00000020  c0 0c 00 01 00 01 00 00  02 57 00 04 79 1b 38 c9 ........ .W..y.8.

connection decoded: sa_family=AF_INET, sin_port=htons(36000), sin_addr=inet_addr("121.27.56.201")
connection PoC: TCP mmd-bangs-stupidz:41283->121.27.56.201:36000 (ESTABLISHED)
cnc location: 121.27.56.201||4837 | 121.24.0.0/14 | CHINA169 | CN | CHINAUNICOM.COM | CHINA UNICOM HEBEI PROVINCE NETWORK

Just in case the data changes.. Domain by GoDaddy, registered by 2270184364@qq.com :lol:
Code:
   Domain Name: CQ11FB.COM
   Registrar: GODADDY.COM, LLC
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: F1G1NS1.DNSPOD.NET
   Name Server: F1G1NS2.DNSPOD.NET
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 17-aug-2014
   Creation Date: 17-aug-2014
   Expiration Date: 17-aug-2015
   >>> Last update of whois database: Sun, 26 Oct 2014 09:03:59 GMT <<<

Domain Name: CQ11FB.COM
Registry Domain ID: 1871427036_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-08-17 02:37:11
Creation Date: 2014-08-17 02:22:14
Registrar Registration Expiration Date: 2015-08-17 02:22:14
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: sijiajia yang
Registrant Organization:
Registrant Street: longhualu818hao
Registrant City: shanghaixuhui
Registrant State/Province: shanghai
Registrant Postal Code: 200000
Registrant Country: China
Registrant Phone: +86.133561831779
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 2270184364@qq.com
Registry Admin ID:
*) This is the research material of MalwareMustDie, ELF Team, posted only for KernelMode.
The usage of this information requires a mention of MMD and KM. The material is bound by this legal disclaimer: http://blog.malwaremustdie.org/p/the-ru ... es-we.html
Attachment: 7z/infected (652.13 KiB)
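Editor's added example (my own code, not from the posts above and not MalwareMustDie's tooling): the "CNC cracked PoC" in #24163 and #24223 comes from reading the raw bytes out of the traced sendto()/connect() calls. The script below does that mechanically. Its sample input is constructed from what the posts show: the strace calls, joined back onto single lines with the "SYSCALL-"/"syscall decoded:" prefixes dropped (fd numbers and the "DNS-SERVER-ADDRESS" placeholder left as posted), plus the 48-byte DNS reply hexdump from #24223, which I assume is the complete message. It un-escapes strace's C string literal, parses the DNS question and answer sections (including the c0 0c compression pointer in the reply) and returns the CNC hostname and IP:port as IOC tuples.

```python
import re
import struct

# Constructed sample input: the strace calls quoted in posts #24163 and #24223,
# joined back onto single lines and with the "SYSCALL-"/"syscall decoded:" prefixes
# dropped, and the DNS reply hexdump from #24223 as raw bytes.
STRACE_LINES = [
    r'sendto(4, "3=\1\0\0\1\0\0\0\0\0\0\1g\10nasa-uni\3com\0\0\1\0\1", 32, 0, '
    r'{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-SERVER-ADDRESS")}, 16) = 32',
    r'connect(3, {sa_family=AF_INET, sin_port=htons(8809), sin_addr=inet_addr("61.147.103.21")}, 16) = 0',
    r'sendto(5, "I\256\1\0\0\1\0\0\0\0\0\0\3www\6cq11fb\3com\0\0\1\0\1", 32, 0, '
    r'{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 32',
    r'connect(3, {sa_family=AF_INET, sin_port=htons(36000), sin_addr=inet_addr("121.27.56.201")}, 16) = 0',
]
DNS_REPLY = bytes.fromhex(
    '49ae81800001000100000000037777770663713131666203636f6d0000010001'
    'c00c00010001000002570004791b38c9'
)

# strace prints non-printable bytes as C escapes: \0, \10, \256 (octal), \xNN, \n, \" ...
_ESCAPE = re.compile(r'\\(x[0-9a-fA-F]{1,2}|[0-7]{1,3}|.)', re.DOTALL)
_SIMPLE = {'n': 0x0a, 't': 0x09, 'r': 0x0d, 'a': 0x07, 'b': 0x08, 'f': 0x0c, 'v': 0x0b}


def unescape_strace(literal):
    """Turn the body of a strace C string literal back into the raw bytes sent."""
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc[0] == 'x':
            out.append(int(esc[1:], 16))
        elif esc[0] in '01234567':
            out.append(int(esc, 8) & 0xff)
        else:
            out.append(_SIMPLE.get(esc, ord(esc)))   # \" and \\ stand for themselves
        pos = m.end()
    out += literal[pos:].encode('latin-1')
    return bytes(out)


def read_name(msg, off):
    """Decode a DNS name at msg[off:], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name at its original position)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: 14-bit pointer
            if resume is None:
                resume = off + 2
            off = struct.unpack_from('!H', msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:                          # refuse looping pointer chains
                raise ValueError('compression pointer loop')
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii', 'replace'))
        off += length
    return '.'.join(labels), (off if resume is None else resume)


def parse_dns(msg):
    """Parse header, question and answer sections; A-record rdata becomes a dotted quad."""
    ident, flags, qd, an, _ns, _ar = struct.unpack_from('!6H', msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from('!HH', msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from('!HHIH', msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = '.'.join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {'id': ident, 'is_response': bool(flags & 0x8000),
            'questions': questions, 'answers': answers}


_SENDTO = re.compile(r'sendto\(\d+, "((?:[^"\\]|\\.)*)", \d+, \d+, '
                     r'\{sa_family=AF_INET, sin_port=htons\((\d+)\)')
_CONNECT = re.compile(r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                      r'sin_addr=inet_addr\("([\d.]+)"\)')


def extract_iocs(lines):
    """Return ('dns_query', name) and ('tcp_connect', ip, port) tuples from strace lines."""
    iocs = []
    for line in lines:
        m = _SENDTO.search(line)
        if m and int(m.group(2)) == 53:            # only payloads sent to port 53 are DNS
            for qname, qtype, _qclass in parse_dns(unescape_strace(m.group(1)))['questions']:
                if qtype == 1:
                    iocs.append(('dns_query', qname))
            continue
        m = _CONNECT.search(line)
        if m:
            iocs.append(('tcp_connect', m.group(2), int(m.group(1))))
    return iocs


if __name__ == '__main__':
    for ioc in extract_iocs(STRACE_LINES):
        print(*ioc)
    for name, rtype, ttl, rdata in parse_dns(DNS_REPLY)['answers']:
        print('answer', name, rtype, ttl, rdata)
```

Run against the constructed lines it yields g.nasa-uni.com, 61.147.103.21:8809, www.cq11fb.com and 121.27.56.201:36000, and decoding the reply gives www.cq11fb.com A 121.27.56.201 (TTL 599), matching what the posts list. The pointer-hop limit in read_name matters when feeding it replies captured from a hostile resolver; a looping c0 xx chain would otherwise spin forever.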