A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#19091 by rkhunter
Sat Apr 27, 2013 5:24 am
http://www.welivesecurity.com/2013/04/2 ... blackhole/

https://www.virustotal.com/ru/file/7b3c ... /analysis/

SHA256: 7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6
SHA1: 24e3ebc0c5a28ba433dfa69c169a8dd90e05c429
MD5: 1785109e71a8f6eb6fb1ba7cce7c51e6
Attachment (pass: infected), 570.79 KiB
#19143 by unixfreaxjp
Thu May 02, 2013 1:40 am
@rkhunter, thanks for the kind share.
SHA256: 7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6
SHA1: 24e3ebc0c5a28ba433dfa69c169a8dd90e05c429
MD5: 1785109e71a8f6eb6fb1ba7cce7c51e6
I spent a full week monitoring the web and some suspected infected Linux servers for another sample.
Couldn't find any other similar sample of this threat anywhere. I thought it was just yet another mod-apache/Darkleech (sad); it is a bit odd for a so-called "in-the-wild" ongoing-infection category (according to some blog post).

Assuming, as the news and a couple of posts said, that most cPanel installs were actually targeted, and understanding that most cPanel installs used in Linux hosting and/or VPS services are the target, and that by statistics almost 70% of them run on x86 processors, I expected to see more similar ELF x86 samples than x64 ones. This theory was proved by my previous research on the Darkleech mod apache: indeed I found many in x86, but this one... none found yet. Why? (I wonder...)

Additionally, based on the current sample shared, I need to see more samples for reference, for clarification/PoC of the following:
It was using the httpd source code compiled with the option to run in memory, so if you are familiar with Apache's httpd source code, you'll know that this is more of a compilation "option" than malware functionality.
Also, there are so many other similarities in the binary obfuscation used, as per the Darkleech mod apache, i.e. the way it used XOR + its key to encode the text DB containing the C&C data (a bit smarter in putting different vars for the key this time).
And so many more details too...

I and others stripped the previous Linux fake mod apache malware to the bone in the MalwareMustDie post. I really expect to see another sample of this ELF malware for more research reference; hopefully someone will be kind enough to post it in this thread if they find one.
In short, please help by informing me of more samples. I'll share my analysis openly as always.
Kindly mention me here or here.

Thanks in advance & kind regards.
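The XOR-encoded text DB mentioned in the post above is the kind of artefact an analyst carves out of the binary and decodes to read the C&C settings. As an added example that is not part of this thread or the author's analysis, the script below builds a constructed stand-in blob (made-up settings and a made-up key) and recovers a single-byte XOR key by scoring printability; every name and value in it is an assumption, none comes from the real sample.

```python
"""Recover an XOR-obfuscated string table of the kind the post describes.

Added example, not code from the thread: the encoded blob below is CONSTRUCTED
here from a made-up plaintext and key; nothing in it comes from the real sample.
"""
import string

PRINTABLE = set(bytes(string.printable, "ascii"))   # letters, digits, punctuation, whitespace
COMMON = set(b"etaoinshrdlucmfwypvbgkjqxz0123456789 =./\n")  # bytes typical of a config-style text DB


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this is the classic single-byte XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score(candidate: bytes) -> tuple:
    """Rank a decoding attempt: first by printable fraction, then by common-character fraction."""
    n = len(candidate)
    printable = sum(b in PRINTABLE for b in candidate) / n
    common = sum(b in COMMON for b in candidate) / n
    return (printable, common)


def recover_single_byte_key(blob: bytes) -> tuple:
    """Try all 256 single-byte keys and return (key, decoded) for the best-scoring candidate."""
    best = max(range(256), key=lambda k: score(xor_bytes(blob, bytes([k]))))
    return best, xor_bytes(blob, bytes([best]))


# Constructed plaintext standing in for the "text DB" holding C&C settings (placeholder values).
SAMPLE_TEXT_DB = b"cnc=cnc-host.example.invalid\nport=443\nuri=/gate.php\n"
SAMPLE_KEY = bytes([0x5A])                              # constructed key, chosen arbitrarily
SAMPLE_BLOB = xor_bytes(SAMPLE_TEXT_DB, SAMPLE_KEY)     # what an analyst would carve from the binary


def demo() -> dict:
    """Decode the constructed blob and parse the key=value lines into a settings dict."""
    key, text = recover_single_byte_key(SAMPLE_BLOB)
    settings = dict(line.split(b"=", 1) for line in text.splitlines() if b"=" in line)
    return {"key": key, "settings": settings}


if __name__ == "__main__":
    print(demo())
```

If the key is longer than one byte, as the post hints may be the case, run the same scoring over each key-position slice (every n-th byte) after guessing the key length.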