Friday, November 7, 2014

China ELF botnet malware infection & distribution scheme unleashed

The background

There are so many ELF malware infection with the multiple type of backdoors and DDoS'ers originated from China. Our report in here -->[link] shows the known 6 (six) types of those DDoS'ers, From the Linux/Elknot, which is the oldest one, the popular ones, following by the Linux/BillGates which having the encrypted dropped backdoor with packet capture and rootkit functions, then the Linux/AES.DDoS that is aiming for the router & embedded architecture (ARM, MIPS, PPC), and we have Linux/IptabLes|x that is messing with the system's autorun by copying itself to the /boot, we have also the Linux/XOR.DDoS which suggesting the coder likes the CTF-like challange. And the last one is the new invented malware using Go language which is designed to infect ARM device: Linux/GoARM.Bot.

During the raising detection effort of these malware, MalwareMustdie found the two types of these malware which are Linux/GoARM.Bot & Linux/XOR.DDoS, thus we are also the one who invented name for Linux/AES.DDoS.

Except the .IptabLes|x, all of those ELF DDoS'er malware was distributing in web panel, a very handy good software called HTTP File Server, known as HFS. And those ELF backdoor/DDoS'er malware were downloaded to a successfully compromised SSH account of the Linux/FreeBSD and being installed as backdoor to perform DDoS operations. You can see the snapshot and videos of those panels in the link described above.

How bad the situation is?

So far we secured 85 web panels loaded by these ELF malwares and its builder and botnet CNC tools, which were served mainly in China network and under 91 IP addresses in total incidents recorded and those panels only using 76 IP addresses in unique counts. All of them are having similar materials, one linked to another panels in usage and tools, so we strongly think at least a coordinated team or group must be operated behind the scene to support this operation.

The suspicion is getting stronger after several evidence was found that was lead to the same modus operation (hint: Remote Desktop Protocol, HFS server, SSH bruters, IP Scanner tools, Botnet CNC tools), same target IP list and the exact same custom scripts which is distributed between the panels. Furthermore, the growth of these panels is very rapid. We can expect 15 new panels in average will be raised in a week. All loaded with the malicious related tools.

In the last operation we managed to neutralize 29 of these evil panels in overall, and now we are facing 35+ panels up and alive already. These are the pace of speed that this threat is actually performing and it's a steady grow. By this pace we can expect more than 100 panels will be taken down in the end of year, but only God will know how much new panels these crooks will make by then.

The answer: The video that is explaining the modus operation of the threat

But how they really operate? How can they manage to make that rapid speed? What is that same modus operation used? It was a mistery before, but now we just found exactly the answer for this question.
During our "research event", we had a chance to record the activity of the player while he was making a remote tutorial, and as a result the video of the tutorial of China actor's activity can be presented to security community, in this post.

Please see well of how they implement the strategy to make builder of an ELF malware (in this case was Elknot used as sample, practically they have many combination of those builders), to use the HFS server, to systematically scan for network for linux server, how they exploit the servers and infect them in an automation. You can see the many combination tools they are using too. This is a real evidence, caught in the act "manual" made by the crooks themself, they don't know that we actually grabbed this, and I hope this will make them bumping their heads to each others in their China crook's land.

Why the threat is fast growing, and large in volume? The actors behind this threat are actually and literally making tutorials, developing easy-to-use tools, transferring the knowledge via (remote) training. You will see in the video picture gallery presented in this post the tools that they made, the list of well-managed ip addresses produced by that tools & shared in the HFS panels, and most of all: the rapid improvement & development of those tools, malware and exploits they use. This facts, friends, raise a huge dilemma: Will individual crooks doing the stuff to be shared as "group basis" like this threat shows? Where the budget for all of these non-cheap-stuff activity was coming from? Why in the 85 panels that was in scattered in internet at various location has the exact same M.O, CNC/hack tools and scripts? (even they tried to camouflage these tools into various is just too obvious).
One doesn't have to be a super hacker to conclude that is a ONE unison movement pumping this threat. Some of the evidence are accidentally supporting to this deduction, showing the division/unit information (see the following video and gallery).

Below is the video that can answer much of the above questions, it was a pretty hard effort to compile it and we're not the professional video maker, please kindly bear some glitches.
(This is the hard work of the MalwareMustDie ELF Team, on behalf of the members, I must say: please do not use this material, information, clue or hint related to this case without mention to people who work very hard for this awareness. A mention to MalwareMustDie will be very appreciated)

Gallery of the malware builders and attacker tools used

Below is the important collection of picture snapshot our team took, this picture will explain you more than words of the above conclusion we wrote. Each snapshot was taken from the material secured from HFS panels used to distribute the ELF (and windows too) China malware botnet. Please kindly credit to our members who can not be disclosed their ID by mentioning MalwareMustDie.

Addition: China ELF actors start to use ShellShock

Starting from November 7th 2014 they started to aim for Shellshock vulnerability as new technique to infect:

The malware downloaded are the ELF DDoS'er originated from the panels that we mentioned in this post. And in those panel was captured the script used for this infection, with the signature in Chinese: "Nameless Division For Scanning Internet"

Another PoC that can describe teh generated sequential incoming IP attackers came from China "hacked" segment by the hacking toolsets mentioned in the video of this post

Credit: MMD ELF Team: BK (w00t!),WH,WP,SH,YN,(great work!), LVD,AB,AD,RJX,CP (Thank's for always be there!)and many more can not be listed here < Thanks for the great work & superb coordination always.



  1. This comment has been removed by a blog administrator.

    1. This is the Linux/ChinaZ.DDoS variant.
      We released advisories in--> Here and in Here

      But you paste comment of the infection script as per it is, in this post's comment part, anti virus may use it as chance to false positive our blog as malware site, I am sorry but we must delete the comment after released. Next time please pastebin them please? With respect and thanks.