A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26836  by tWiCe
 Tue Sep 29, 2015 8:23 am
r3dbU7z wrote:I will dare to add a little information on the given theme.
The matter is that the first sample, pnscan2 daemon.armv4l.mod, was uploaded by me to virustotal.com and the sample was simultaneously sent to drweb.
On 28 Jul 2015 I received a letter from drweb saying that the sample had received the name PNScan2. Remark: I have no relation to PNScan1, about which they wrote in the report -- New Trojan for Linux infects routers
Since that moment I have actively watched pnscan2's movement. I also consider that drweb in the news (see above) has strongly underestimated the quantity of infected devices. In my incomplete logs there are over 2K entries of IP addresses of infected devices, received from good2 files (at present they mostly are not accessible on ssh). Among the infected devices I met not only routers but also NAS, web servers, Raspberry Pi (TM), etc. And also one PowerXpert in the domain nasa.ad.etn.com (I did not touch anything - I swear!)
I am not an expert in reverse engineering malware, but in the sample pnscan2 daemon.i686.mod
there are such lines:
Code:
load:082BCF0C 000022ED C мэйликов</span>\n\t\t</span>\n\t</div>\n\t<span class=\"b-payments__plus10-buy ui-button-main\" data-action=\"buy\">Активировать услугу</span>\n</div>\n</script>\n\n<script type=\"text/plain\" data-mru-fragment=\"models/user/active\">\n\t{\n\t\t\"name\": \"\",\n\t\t\"id\": \"\",\n\t\t\"email\": \"\",\n\t\t\"dir\": \"\",\n\t\t\"isVip\": false,\n\t\t\"isAdmin\": false,\n\t\t\"isOwner\": false,\n\t\t\"isInSandbox\": false\n\t}\n</script>\n\n\n\n\n<script type=\"text/plain\" data-mru-fragment=\"models/user/journal\">\n\t{\n\t\t\"name\": \"\",\n\t\t\"id\": \"\",\n\t\t\"email\": \"reevessosa13@mail.ru\",\n\t\t\"dir\": \"/mail/reevessosa13/\",\n\t\t\n\t\t\"isVip\": false,\n\t\t\"isCommunity\": false,\n\t\t\"isVideoChannel\": false\n\t}\n</script>\n\n<script type=\"text/plain\" class=\"b-date-time-options\">\n\t{\n\t\t\"months\": [\n\t\t\t\"январь\",\n\t\t\t\"февраль\",\n\t\t\t\"март\",\n\t\t\t\"апрель\",\n\t\t\t\"май\",\n\t\t\t\"июнь\",\n\t\t\t\"июль\",\n\

load:082BF1F9 00001864 C plaintProgressText\": \"Жалоба отправляется\",\n\t\t\"useFiled\": \"\",\n        \"complaintDoneText\": \"Жалоба принята\",\n        \"imageHost\": \"content.foto.my.mail.ru\",\n\n        \"activeEmail\": \"\",\n        \"journalEmail\": \"reevessosa13@mail.ru\",\n        \"isCommunity\": \"\",\n\n        \"preloader\": \"https://my1.imgsmail.ru/mail/ru/images/my/mmanim_spinner_photo_32.gif\",\n        \"bannerCounter\": 10,\n        \n            \"hideBanner\": true,\n        \n\n        \"videoAlbum\" : \"\",\n        \"videoHost\" : \"content.video.mail.ru\",\n        \"host\" : \"my.mail.ru\",\n        \"apiHost\": \"videoapi.my.mail.ru/videos/embed\",\n        \"videoPreviewHost\" : \"https://content.video.mail.ru\",\n        \"videoSwfurl\" : \"https://my1.imgsmail.ru/r/video2/uvpv3.swf?57\",\n\n        \"idForLayer\" : \"\",\n        \"linkForLayer\": \"\",\n        \n\n        \"navigation\" : \"\",\n        \"serverErrorMessage\": \"<span class=\\\"b-photo__server-err   

load:082C0A5D 00000093 C GET /mail/reevessosa13/ HTTP/1.1\r\nHost: my.mail.ru\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0\r\nAccept: */*\r\n\r\n                                                                                                                                                                                              
load:082C7574 000007F7 C =\"b-photo__indicate\">Загружаю...</div></div><div class=\"b-photo__close\"><span id=\"b-photo-close\" data-clns=\"d713136\" type=\"destroy\" class=\"b-photo__close-ico icon-mmico_close_white_24\"></span></div></div></script><script type=\"text/plain\" id=\"photo-select-friends-form\"><div class=\"photo-select-friends-form\"><input type=\"text\" name=\"\" value=\"\"  placeholder=\"Введите имя друга\" class=\"ui-form-input  photo-select-friends-input\">Или выберите друга из списка<ul class=\"photo-select-friends-list\" data-total=\"\"></ul><div class=\"photo-select-friends-buttons\"><a href=\"\" class=\"ui-button-main photo-select-friends-submit\">Выбрать</a><a href=\"\" class=\"ui-button-link ml10 photo-select-friends-cancel\">Отмена</a></div><div class=\"photo-select-friends-error\"data-error=\"Не удалось создать отметку\"data-error-already=\"Уже есть на фото\"></div></div></script><script type=\"text/plain\" id= 

load:082CA2C4 000009DF C ?{?lass=\"dropdown-title lightdrop\">links from:&#32;</span><div class=\"dropdown lightdrop\" onclick=\"open_menu(this)\"><span class=\"selected\">all time</span></div><div class=\"drop-choices lightdrop\"><a href=\"https://www.reddit.com/search?q=reevessosa13&t=hour\" class=\"choice\" >past hour</a><a href=\"https://www.reddit.com/search?q=reevessosa13&t=day\" class=\"choice\" >past 24 hours</a><a href=\"https://www.reddit.com/search?q=reevessosa13&t=week\" class=\"choice\" >past week</a><a href=\"https://www.reddit.com/search?q=reevessosa13&t=month\" class=\"choice\" >past month</a><a href=\"https://www.reddit.com/search?q=reevessosa13&t=year\" class=\"choice\" >past year</a></div></div></div></header><div class=\"contents\"></div><footer><p class=\"info\">there doesn't seem to be anything here</p></footer></div></div></div><div class=\"footer-parent\"><div by-zero class=\"footer rounded\"><div class=\"col\"><ul class=\"flat-vert hover\" ><li class=\"flat-vert title\">about</li><li ><a
I can assume that the pnscan2 bot was planned to use not just brute force and infection of routers. Certainly I can be mistaken.
I will make these things clear:

1. It doesn't care what devices it infects as long as the device has a standard password from the list (admin/admin, root/root, ubnt/ubnt) and a supported architecture (Intel i686, MIPS, ARM, mipsel).
2. Strings you noticed are related to the routine that searches for a C&C server.
3. It has some cool functions too (upload & run, for example), but they could be used _ONLY_ by malware operators.
 #26840  by unixfreaxjp
 Tue Sep 29, 2015 2:30 pm
tWiCe wrote:3. It has some cool functions too (upload & run, for example), but they could be used _ONLY_ by malware operators.
@tWiCe Sadly I didn't see the above function in mine; could you please point me to the hash of the sample that has the above function? With thanks in advance.
 #26841  by tWiCe
 Tue Sep 29, 2015 2:58 pm
unixfreaxjp wrote:
tWiCe wrote:3. It has some cool functions too (upload & run, for example), but they could be used _ONLY_ by malware operators.
@tWiCe Sadly I didn't see the above function in mine; could you please point me to the hash of the sample that has the above function? With thanks in advance.
Probably, you are looking at the wrong place ;)

Unpack your i686 binary and locate function @ 0x804AC30 (or locate usage of "/upload" string in the memory of unpacked binary). This function handles incoming queries on port 9000.
It could accept:
/check - check bot status
/upload - accept json with parameters, including arch & encoded binary data

This bot could perform much more cool stuff (download/exec script), but these commands are allowed only from the C&C, which hasn't been registered for a long time now.

The function that executes commands from C&C is located at 0x804CB00.

Anyway, as I've already mentioned, no one except botnet operators could execute anything interesting (except /check). Now figure out why? ;)
 #26844  by theKestrel
 Tue Sep 29, 2015 7:29 pm
If anybody needs the deconstructed IDB, please see the article here. I probably know the most about this malware and have been following it for months now.

http://blog.cari.net/carisirt-defaultin ... -1-r0_bot/

1) /check is for checking to see if the bot is running
2) srv_cc is a binary-encoded file that contains the controller string.
3) See the post and then ask questions.

Zach W.
 #26848  by tWiCe
 Tue Sep 29, 2015 9:13 pm
theKestrel wrote:2) srv_cc is a binary-encoded file that contains the controller string.
Zach W.
It contains binary data, but it's not encoded. Neither is srv_report.

Btw, did somebody see any active C&C in last month? Or maybe somebody spotted "config" file on some of the infected devices?

The best thing I found is one srv_cc/srv_report for a server that was active at some time in the past but had been shut down before my analysis took place.
 #26849  by theKestrel
 Tue Sep 29, 2015 9:20 pm
tWiCe wrote:
theKestrel wrote:2) srv_cc is a binary-encoded file that contains the controller string.
Zach W.
It contains binary data, but it's not encoded. Neither is srv_report.

Btw, did somebody see any active C&C in last month? Or maybe somebody spotted "config" file on some of the infected devices?

The best thing I found is one srv_cc/srv_report for a server that was active at some time in the past but had been shut down before my analysis took place.


Sorry about that. That's what I meant. Please shoot me a message off post. We can talk it about it more off forum.

Zach W.
 #26850  by theKestrel
 Tue Sep 29, 2015 9:31 pm
tWiCe wrote:
theKestrel wrote:2) srv_cc is a binary-encoded file that contains the controller string.
Zach W.
It contains binary data, but it's not encoded. Neither is srv_report.

Btw, did somebody see any active C&C in last month? Or maybe somebody spotted "config" file on some of the infected devices?

The best thing I found is one srv_cc/srv_report for a server that was active at some time in the past but had been shut down before my analysis took place.
CC was taken down August 7th. I have coredumps of communication prior to that as well as pcaps.

Zach W.
 #26856  by unixfreaxjp
 Thu Oct 01, 2015 7:15 am
theKestrel wrote:CC was taken down August 7th. I have coredumps of communication prior to that as well as pcaps.
Zach W.
If the CNC went down in Aug 2015, what infection am I seeing on Sept 29th 2015 then?? The malware name matched (same), so do the MO & symptoms. I was referring to the Dr Web writing but didn't have much to see there, which is why I started analysing this.

The infector was coming from a different network segment than the targeted network here..
And I think I am talking of the epidemic on routers. Elaborate your current pls & share your data, people are suffering here.
We cannot install AV on routers, any preventive effort has to be done soon.

FYI, US-based routers are the victims, Denver to Nebraska. AirOS mostly.
I look forward to a reply - #MalwareMustDie
 #26857  by tWiCe
 Thu Oct 01, 2015 8:37 am
unixfreaxjp wrote: If the CNC went down in Aug 2015, what infection am I seeing on Sept 29th 2015 then?? The malware name matched (same), so do the MO & symptoms. I was referring to the Dr Web writing but didn't have much to see there, which is why I started analysing this.

The infector was coming from a different network segment than the targeted network here..
And I think I am talking of the epidemic on routers. Elaborate your current pls & share your data, people are suffering here.
We cannot install AV on routers, any preventive effort has to be done soon.

FYI, US-based routers are the victims, Denver to Nebraska. AirOS mostly.
I look forward to a reply - #MalwareMustDie
Updated info is available here: http://vms.drweb.ru/virus/?i=7299536&lng=ru (currently only in Russian, but translation will be posted asap).

Existence of a C&C has no effect on the infection process. The C&C is needed only for reporting infected devices & receiving commands. As you already verified yourself, this malware spreads as a worm by abusing standard router credentials.

This malware doesn't have any persistence methods, so what should be done if the device is compromised?

1. Kill processes by name mask "/tmp/.xs/daemon.*.mod"
2. Check for existence of the file "/tmp/.xs/files/config". If it exists, copy the whole "/tmp/.xs/" folder and investigate which commands this bot received.
3. Remove folder "/tmp/.xs/"
4. Change password for ssh access!

If you don't change the password, the device will be reinfected soon by the bot that did it the first time!

Btw, did you find the function that handles commands via my tips?
AirOS mostly
Because its default pair is ubnt/ubnt.
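tWiCe's post above gives two concrete things a defender can act on: the bot's command handler listening on port 9000 (serving /check and /upload), and the four cleanup steps for a compromised device. The script below is an added example written for this page, not code from the thread, from Dr.Web, or from any of the posters. It takes the port, the "/tmp/.xs/" folder, the "daemon.*.mod" process name and the "files/config" marker from the posts; the variable names, the evidence directory and the assumption of a busybox-style shell with ps, netstat, cp, rm and kill are mine. The listener check reads `netstat -tln` output on stdin so it can be exercised on constructed lines without touching the system.

```shell
#!/bin/sh
# Added example (not from the thread): triage and cleanup helper for a PNScan2-style
# infection on a Linux router, following the indicators and steps given in the thread.
# Assumptions: variable names below, the evidence directory, busybox-style tools.

XS_ROOT="${XS_ROOT:-/tmp/.xs}"                         # bot working folder (from the thread)
EVIDENCE_DIR="${EVIDENCE_DIR:-/root/pnscan2-evidence}" # assumed place for preserved copies
BOT_PORT="${BOT_PORT:-9000}"                           # command port (from the thread)

# Read `netstat -tln`-style lines on stdin; succeed if something listens on BOT_PORT.
# Handles both "0.0.0.0:9000" and ":::9000" local addresses; header lines are skipped
# because their last field is not LISTEN.
has_bot_listener() {
    awk -v port="$BOT_PORT" '
        $NF == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# PIDs of processes whose command line is the bot binary (XS_ROOT/daemon.<arch>.mod).
find_bot_pids() {
    ps 2>/dev/null | grep -F "$XS_ROOT/daemon." | grep '\.mod' | grep -v grep | awk '{print $1}'
}

# Step 1: kill the running bot processes (the thread says there is no persistence).
kill_bot_processes() {
    for pid in $(find_bot_pids); do
        kill -9 "$pid" 2>/dev/null && echo "killed bot process $pid"
    done
}

# Step 2: if files/config exists the bot received commands; keep the whole folder for
# analysis before anything is deleted. Returns 0 when a copy was made, 1 if no config.
preserve_evidence() {
    if [ -f "$XS_ROOT/files/config" ]; then
        mkdir -p "$EVIDENCE_DIR" && cp -pr "$XS_ROOT" "$EVIDENCE_DIR/" || return 2
        echo "config found: copied $XS_ROOT to $EVIDENCE_DIR for analysis"
        return 0
    fi
    return 1
}

# Step 3: remove the bot folder entirely.
remove_bot_dir() {
    [ -d "$XS_ROOT" ] || return 0
    rm -rf "$XS_ROOT" && echo "removed $XS_ROOT"
}

# Report only: print which indicators are present without changing anything.
report() {
    if netstat -tln 2>/dev/null | has_bot_listener; then
        echo "INDICATOR: listener on tcp/$BOT_PORT"
    fi
    for pid in $(find_bot_pids); do echo "INDICATOR: bot process pid $pid"; done
    [ -d "$XS_ROOT" ] && echo "INDICATOR: $XS_ROOT exists"
    [ -f "$XS_ROOT/files/config" ] && echo "INDICATOR: bot received commands ($XS_ROOT/files/config)"
    return 0
}

# Full cleanup in the thread's order; step 4 (changing the SSH password) is left to the
# operator, since without it the worm simply logs back in with the default pair.
cleanup() {
    kill_bot_processes
    preserve_evidence || true
    remove_bot_dir
    echo "Step 4 is manual: change the SSH password now (the worm uses defaults such as ubnt/ubnt)."
}

case "${1:-}" in
    report)  report ;;
    cleanup) cleanup ;;
    *)       echo "usage: $0 report|cleanup" ;;
esac
```

Run `report` first on a suspect device and only then `cleanup`; the evidence copy is what lets you answer the thread's open question of which commands, if any, the bot actually received.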
 #26858  by unixfreaxjp
 Thu Oct 01, 2015 12:47 pm
Twice,
Thanks for the reply, friend. I know the above posted fact already; I cannot say much here since many malware assholes are reading this forum too.

About the Russian-language explanation posted by Dr.Web, which has a request to twitter.com (and others too!), THAT is exactly what I wrote in my previous post here http://www.kernelmode.info/forum/viewto ... 975#p26827 .. Yes, and I think this is another version, a newer one. Anyway, offlist and we are in touch. I just saw your email and replied. Noted: the statement I wrote previously was not addressing you.
tWiCe wrote:1. It contains binary data, but it's not encoded. Neither is srv_report.
2. Btw, did somebody see any active C&C in last month? Or maybe somebody spotted "config" file on some of the infected devices?
1. Completely agreed
2. I am struggling with stopping the infection, but the way I see it, as per analysis before, NO CNC callback spotted yet. Nothing. The twitter request was hard coded, so is the targeted ip. Meanwhile I am still in urgent analysis of the issue to get the cavalry to stop this mess hurricaning routers.

For the crook who made this worm, if you read this post which you are, You will regret this, I will make sure of it.