A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23854  by unixfreaxjp
 Wed Sep 10, 2014 7:24 pm
This malware (as of the time this post is written) always goes as a pair.
The basic information on this threat can be read here: http://blog.malwaremustdie.org/2014/05/ ... rooks.html
↑ I will break down how the old & new versions of pscan, and sshscan, work.

Pscan, often named "scanner", is used for port scanning, mainly to detect SSH (or FTP) services on the WWW.
Code:
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
/* Excerpt: the argument check at the top of pscan's main() */
int main(int argc, char *argv[])
{   int done = 0, i, cip = 1, bb = 0, ret, k, ns, x;
    time_t scantime;
    char ip[20], outfile[128], last[256];
    if (argc < 3)
    {   printf("Usage: %s <b-block> <port> [c-block]\n", argv[0]);
        exit(EXIT_FAILURE);  }
    /* ... the scanning loop is not part of the excerpt ... */
    return 0;
}
Some may think "pscan" is not a virus/malware, but from what I see, this tool is found on compromised sites, used by hackers to scan their next targets. PoC: https://www.youtube.com/watch?v=G4DWqejmnp0
Samples I shared on VT are below:
https://www.virustotal.com/en/file/50bd ... 400800455/
https://www.virustotal.com/en/file/4422 ... /analysis/

And SSHscan, often named "scan" or "attack" (etc.), is used to attack the login with brute-force logic.
Samples are:
https://www.virustotal.com/en/file/0d96 ... 408969125/
https://www.virustotal.com/en/file/93df ... 400804192/

I uploaded here 2 samples of pscan and more samples of sshscan for fellow researchers, to help study this ELF threat deeper.
Code:
// pscan (port scanner)
MD5 (pscan) = cbe22cc5e72ef0d02429def557d504f5
MD5 (pscan2) = b3eb1ec8094fa10169dba7a8bd1a97f1

//ssh-scan (SSH bruter)
MD5 (scanssh) = ab106d75a3b87641937d5a8891abc8ce
MD5 (scanssh2) = dc88de3fb0b1a52c0706446dc089b7a8
MD5 (ssh-scan) = a213ebd69fbc11d612d0374b373f65d8
MD5 (ssh-scan2) = a213ebd69fbc11d612d0374b373f65d8
MD5 (ssh2) = 100c0e553fe7eebcd76c2e3934aae8a0
If you happen to find similar samples, please kindly help our ELF research by uploading yours.
malwaremustdie.org
Attachments
7z,infected
(1.48 MiB) Downloaded 74 times
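The pscan usage line above shows its targeting model: one B-block (a /16) swept on a single port, optionally narrowed to a C-block. The following is an added example from a defender's side, not code from this post or from the malware; it flags sources that hit many distinct hosts inside one /16 on the same port in a constructed, simplified connection log format ("src dst dport action").

```python
"""Detect a pscan-style sweep (one source hitting many hosts inside one
B-block, i.e. a /16, on the same destination port) from connection logs.
The log format and the sample lines below are constructed for this example."""
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed sample log: "<src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
203.0.113.7 198.51.100.1 22 SYN
203.0.113.7 198.51.100.2 22 SYN
203.0.113.7 198.51.100.3 22 SYN
203.0.113.7 198.51.100.4 22 SYN
203.0.113.7 198.51.100.5 22 SYN
203.0.113.7 198.51.100.6 22 SYN
203.0.113.7 198.51.100.7 22 SYN
203.0.113.7 198.51.100.8 22 SYN
203.0.113.9 198.51.100.1 22 SYN
203.0.113.9 198.51.100.1 80 SYN
203.0.113.9 198.51.100.2 443 SYN
"""

def parse_line(line: str) -> Tuple[str, str, int]:
    """Split one constructed log line into (src, dst, dst_port)."""
    src, dst, port, _action = line.split()
    return src, dst, int(port)

def b_block(ip: str) -> str:
    """pscan's <b-block> argument is the first two octets, i.e. the /16."""
    return ".".join(ip.split(".")[:2])

def find_sweeps(log: str, min_hosts: int = 8) -> Dict[Tuple[str, str, int], int]:
    """Return {(src, b_block, port): distinct_hosts} for every source that
    touched at least `min_hosts` distinct addresses in one /16 on one port.
    Sources probing a few hosts or mixing ports (normal clients) are not flagged."""
    seen: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse_line(line)
        seen[(src, b_block(dst), port)].add(dst)
    return {key: len(hosts) for key, hosts in seen.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for (src, block, port), n in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {n} hosts in {block}.0.0/16 on port {port}")
```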