Malware Must Die! - The MalwareMustDie Blog (blog.malwaremustdie.org) (feed updated 2024-03-06)

MMD-067-2021 - Recent talks on shellcode analysis series at R2CON-2020, ROOTCON-14 2020 from HACK.LU-2019 (published 2021-03-03, updated 2021-06-17)
Tag: Linux, LinuxSecurity, Memory Forensics, RE, ReverseEngineering, DFIR, Fileless, ProcessInjection, Shellcode, Exploit, PostExploitation, BlueTeaming, HandsOut, Demo, Video, Slides, Presentation
The background of this research and these talks
After HACK.LU-2019's talk in 2019 [link], I was asked a lot of questions about Linux process injection that can trigger code execution, and yes, one of

MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat (published 2020-02-24, updated 2020-05-29)
Chapters: [TelnetLoader] [EchoLoader] [Propagation] [NewActor] [Epilogue]
Prologue
A month ago I wrote about IoT malware for the Linux operating system, a Mirai botnet client variant dubbed FBOT. The writing [link] was about reverse engineering a 32-bit ARM Linux ELF to dissect the new encryption used by their January bot binaries,
The threat had been in a vacuum state for almost

MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained (published 2020-01-15, updated 2020-04-27)
Prologue
[For the most recent information on this threat please follow this ==> link]
I set up a brand new local ARM-based router I bought online around this new year 2020 to replace my old pots, and yesterday it was soon pwned by malware and I had to reset it to factory mode to make it work again (never happened before). When the "incident" occurred, the affected router wasn't dead but it

More about my 2019.HACK.LU Keynote talk (published 2019-10-28, updated 2020-01-02)
As promised, these are my additional notes and review of my keynote talk at 2019.HACK.LU (link). My keynote talk title is actually very long, but it clearly describes the whole slide deck. What was presented is about TODAY's Linux post exploitation, process injection, and fileless execution from the infrastructures and components that have been supporting those activities, based on the

MMD-0064-2019 - Linux/AirDropBot (published 2019-09-28, updated 2020-03-16)
Prologue
There are a lot of botnets aiming at multiple architectures of Linux-based Internet of Things devices, and this story is just one of them, but I haven't seen one coded like this before.
Like most of the other analysis reports in the MalwareMustDie blog, this post started from a friend's request to take a look at a certain malicious Linux executable binary that was having a

MMD-0063-2019 - Summary of 3 years MMD research (Sept 2016-Sept 2019) (published 2019-09-21, updated 2021-02-20)
Hello, it's unixfreaxjp here. It has been a while since I wrote in our own blog, and it is good to be back. Thank you for your patience all this time. If you want to see what we were doing during our silent period, just click this link
The background / TLDR
It was in September 2016 when we decided to move our blog, and since then the team and I have had a lot of fun learning and

MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward attack via IoT botnet (published 2017-03-08, updated 2021-02-15)
Sticky note: We call this threat the "Strudels Attack"
1. Background
In this post there is no malicious software/malware analyzed; rather, this is one of the impacts of malware infecting IoT devices through weak credentials, which the bad actors utilize for a bigger crime process. The only malicious aspect written about in the post is the individual(s) involved in and participating in these attacks,

MMD-0061-2016 - EnergyMech 2.8 overkill mod (published 2016-12-03, updated 2019-09-24)
This is a new threat analysis report I wrote in the MalwareMustDie blog (this) after we moved out from Blogger. I hope you like the new blog system and design, and enjoy the post!
An unattended or abandoned Linux/UNIX system with its web service online (especially with the CGI function intact) and without recent updates can soon be exploited and infected by Linux malware. Scanner for

MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today (published 2016-10-30, updated 2016-10-31)
Background
ChinaZ is Linux ELF DDoS malware, and its service, made by PRC (People's Republic of China) actors. This threat has been covered several times in this blog, and several takedown efforts have also been made, yet the threat is still lurking, until now. Using specific indicators seen during their infection efforts, I managed to trace the overall activity, and their activity has been

MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6 ready (published 2016-10-29, updated 2016-11-02)
It's a Kaiten/Tsunami? No.. STD?? No! It's a GayFgt/Torlus/Qbot? No!! Is it Mirai?? NO!!
It's Linux/IRCTelnet (new Aidra)! ..a newly coded IoT DDoS botnet's Linux malware..
Summary
This post is a report on what seems to be a new IRC botnet ELF malware, which is obviously used for performing DDoS attacks via an IRC botnet. It was coded with partial specifications as per Tsunami/Kaiten

MMD-0058-2016 - Linux/NyaDrop - a linux MIPS IoT bad news (published 2016-10-14, updated 2020-08-24)
Background
Since the end of September 2016 I have received a new type of attack aimed at the MIPS platform I provided to detect IoT attacks. I will call this threat the new ELF Linux/NyaDrop, as per the name used by the threat actor himself for the "nyadrop" binary that is dropped on the compromised system.
This is not "really" the first time we're seeing this threat actually; this year, some

MMD-0057-2016 - Linux/LuaBot - IoT botnet as service (published 2016-09-06, updated 2016-10-29)
Background
On Mon, Aug 29, 2016 at 5:07 PM I received this ELF malware sample from a person (thank you!). There wasn't any detail or comment whatsoever, just one cute little stripped ARM ELF binary file with the following data:
arm_lsb: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
hash: a220940db4be6878e47b74403a8079a1
This is a cleanly GCC: (GNU) 5.3.x

MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. (published 2016-09-01, updated 2020-04-27)
Our recent analysis about Mirai is here==>[Link]
Background
From August 4th 2016 several sysadmin friends were helping us by uploading these malware files to our dropbox. The samples of this particular ELF malware were not easy to retrieve; there are good ones and also some broken ones, and I listed only the good ones in this post. This threat is made by a new ELF trojan backdoor which is now

MMD-0055-2016 - Linux/PnScan ; ELF worm that still circles around (published 2016-08-24, updated 2016-09-07)
Background
I just checked around the internet and found an interesting ELF worm distribution that may help raise awareness among fellow sysadmins. As shown in the title, it's a known ELF malware threat, possibly the latest variant of "Linux/PnScan", found on the x86-32 platform, which seems to have run around the web within infected nodes before it came to our hands. This worm is more aimed at embedded platforms and I

MMD-0054-2016 - ATMOS botnet facts you should know (published 2016-06-07, updated 2016-08-28)
The background
This post is about recent intelligence and shared information on the recently emerged credential stealer and spying botnet named "Atmos", for the purpose of threat recognition and incident response, and it may help reverse engineering. This report is the third in the online crime toolkit analysis series that we disclose in the MalwareMustDie blog; in previous posts we disclosed about

[Slide|Video] Kelihos & Peter Severa; the "All Out" version (published 2016-05-09, updated 2016-08-29)
Tag: Kelihos, Khelios, P2P, FastFlux, Botnet, CNC, C2, Clickfraud, Traffic Redirection, Spambot, DNS Poison, Botnet as Service, Affiliate, Severa, Peter Severa, Petrushakov, Saever, Saushkin
We yanked this page, along with the slides & its video links, from public view to support a cyber crime investigation to stop the botnet for good. It's goodwill from our investigation team and there's

MMD-0053-2016 - A bit about ELF/STD IRC Bot: x00's CBack aka xxx.pokemon(.)inc (published 2016-04-16, updated 2016-10-19)
The latest UPDATE on an incident of this threat is-->[link]
Background
I received a report that a host in the Google cloud network is serving ELF malware:
{
"ip": "130.211.127.186",
"hostname": "186.127.211.130.bc.googleusercontent.com",
"prefix": "130.211.0.0/16",
"org": "AS15169 Google Inc.",
"city": "Mountain View",
"region": "California",
"country": "USA",
"loc": "37.4192,

MMD-0052-2016 - Overview of "SkidDDoS" ELF++ IRC Botnet (published 2016-02-07, updated 2021-05-08)
Tag: kaiten, ktx, tsunami, STD, stdbot, torlus, Qbot, gayfgt, lizard, lizkebab, antichrist, sinden, sdn, $dn, bossaline, bossabot, dtool, aidra, lightaidra, zendran, styx, Code, Robert, cod, unixcod, styxcod, irc, ircbot, ddos, elfbot, ddoser, nix, elf, linux, unix, backdoor, syn flood, ack flood, ntp flood, udp flood, dns amp, xmas attack, pan flood, x00, cback, LiGhT, Proxseas, BLJ, KaitenBot,

MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock part 2) (published 2016-02-03, updated 2020-03-22)
The background
In September 2014, while the ShellShock exploitation incidents were in a rush, one of them was the case MMD-0027-2014 of two ELF malware payloads dropped via ShellShock attack, a new malware and a backconnect ELF; the details can be read in-->[here]
Today I found another interesting ELF x86-32 sample that was reported several hours back; the infection vector is also via

MMD-0050-2016 - Incident report: ELF Linux/Torte infection (in Wordpress) (published 2016-01-12, updated 2016-02-29)
The indicator
Several hours ago, a suspicious inbound access on a Wordpress site was detected, with the log below:
(Thanks for the hard work from Y)
It's unusual traffic coming from unusual source IP addresses:
37.139.47.183|37-139-47-183.clodo.ru.|56534 | 37.139.40.0/21 | PIRIX-INET | RU | comfortel.pro | Comfortel Ltd.
62.76.41.190 |62-76-41-190.clodo.ru. |57010 | 62.76.40.0/21 |

MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack (published 2016-01-09, updated 2016-01-11)
Background
This is a short post to support the takedown purpose. Warning: Sorry, this time there's nothing fancy nor any "in-depth analysis" :-) Yet the current hacking & infecting scheme is so bad that I think it's best for all of us (fellow sysadmins in particular) to know this information for mitigation and hardening purposes.
In this case, a bad actor was using Java-coded malware injected into a

MMD-0048-2016 - DDOS.TF = (new) ELF & Win32 DDoS service with ASP + PHP/MySQL MOF webshells (published 2016-01-05, updated 2016-04-11)
Background
Linux exploitation by bad actors from the People's Republic of China (in short: PRC) is not a new matter. Their attacks come every day and their methods are also improving by the day.
This post is another case of the issue, except that it reports some improvements and a new source of DoS threat from the same landscape. The unique point of this one is combining ElasticSearch

MMD-0047-2015 - SSHV: SSH bruter ELF botnet malware w/hidden process kernel module (published 2015-12-24, updated 2019-09-26)
Background
Apparently Linux ELF malware is becoming an interesting attraction for several actors from the People's Republic of China (in short: PRC). This post is one good example of it. It also explains why I, from my team (MMD), have put much effort into studying the malicious Linux executable schemes that came from that region recently, and so have our colleagues, professional researchers in the industry, who have started to put

MMD-0046-2015 - Kelihos 10 nodes CNC on NJIIX, New Jersey USA, with a known russian crook who rented them (published 2015-12-21, updated 2020-01-26)
Global variable declaration to read correctly
#include <stdio.h>
int main(void) {
    /* the censored Kelihos data is kept as the author's placeholder; the header and the
       stray backslash escapes were lost or mangled in extraction and are fixed here */
    char *email = "XXXXX(censored) data";
    puts(email);
    return 0;
}
Background
Note2: Considering: The attack of the Kelihos botnet on my country and several other countries is still unstoppable and ongoing, yet I was told to censor the Kelihos investigation in 2013 without getting good follow-up from law enforcement on this planet, no

MMD-0045-2015 - KDefend: a new ELF threat with a disclaimer (published 2015-12-04, updated 2015-12-05)
Background
It's been a while since we wrote a new analysis in our blog, & this timing is just perfect.
On December 1st, 2015 this sample was detected by our ELF team member @benkow_
..and our ELF Team started to investigate the threat and came to the conclusion that another new ELF malware was spotted, and this post is the report. It was calling itself "KDefend" or "KDLinux", so we call it "Linux/