Monday, November 23, 2015

MMD-0044-2015 - Source code disclosure of bunch of SkiDDoS ELF malware

This sharing has been closed due to time limit (60days) - Thank you

MalwareMustDie, NPO is a white-hat non-profit security research workgroup launched in August 2012 by and for security professionals and malware researchers, gathered to form a workflow that reduces malware infection on the internet. On this occasion I, on behalf of the active projects and the field ELF malware research operations, am sharing the first series of ELF malware source code collected in action and secured in 2015, wrapped as a password-protected RAR (version 5) archive, with a further addition below.

As decided internally, we now have a new scheme for sharing malcodes. To reduce unwanted access to the archive, the file was uploaded to VirusTotal with the following hash:

SHA256 (ELF-malware-in-C-leaks.rar)
43a383bb8b2fa799a0a06a585c52e91f6ea1c877bba12c21e691e32a99f9adf4
The password has a high character count and the archive was built in a way that resists brute forcing. You can receive the password by commenting on this post with your current active email address and details of the known security entity you are actually working with (anti-virus companies, law enforcement research agencies, or government-related internet security incident response and research teams, i.e. SOC/CERT/CSIRT, are the entities allowed to receive this code). The comment will not be published to the public (feel free to test it first).

We will check each request and will not share the password with unknown individual/independent contacts without clearly confirmed information identifying who they are. These are malware source codes, not malware samples nor toys to play with; this is very dangerous material to pass into the wrong hands. Please bear with slowness in response due to the checking process and the fact that we are a non-profit organization with limited resources, active only in our spare time.

The archive will stay online for two months; after that period we will no longer share it and will delete our files. Do not request the code after this time has passed. We are not responsible for any damage that occurs due to misuse of the shared material; please read our Legal Disclaimer and Sharing Guide for more information -->[here]

What can be achieved with this source code:

- better mitigation of the specific types/variants of the leaked ELF botnets
- several hard-coded leads for preventing the DDoS attack methodology (used for research)
- research into the exploitation each ELF botnet can produce and implement
- you may publish research on these code(s), on one condition: mention us, #MalwareMustDie
  (we did the hard part of obtaining, collecting, selecting, testing and sharing
   these codes, for free)

Below is a snapshot of the original archive, which you will see after you open it correctly.
The total shared in this part is 21 (twenty-one) source codes, all in C except one bonus in HTML.

I think I will see how this first part of the new sharing scheme goes while studying its negative aspects; if things go well, the next part (part 2 of the sharing) will focus on sharing source codes for ELF threats collected from some "specific" regions :-)

Additional ELF malware source code

As mentioned below:

This is the additional share, using the same method; the archive was uploaded to VirusTotal with the hash:

SHA256 (mmd-extra.7z)
9464b4443d4ce19977d774bddf4b1987c4e090f1ac4ccb80d534e0e593a2b41c
It uses a different long password; you can ask for it via the same scheme.

PS: This (below) action will be executed in response to further attacks from the bad actors behind the shared malware source codes :-)

Cheers from #MalwareMustDie