While his hack tools did not actually infect anything, I retained a copy for evaluation, and even gained access to his FTP server which contained all of his tools.
The set of tools in this attacker's bag of tricks is quite interesting.
The first tool in the attacker's bag of tricks is a simple Linux virus (light.tgz), detected as Linux/Rst.a, which infects ELF binaries in the system's /bin directory. On a compromised host the binaries in /bin should be verified against the package manager's recorded checksums (for example rpm -Va or debsums) rather than trusted as they sit on disk.
According to VirusTotal, this virus has a 74% detection rate (the share of engines that flagged it at the time of the scan).
Accompanying this virus is a file called "inst". This shell script writes the bot's configuration: the list of IRC servers to connect to and the specific IRC channel to join, which acts as the command and control channel for the now infected system.
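As an added illustration (this is not the attacker's inst script, which is not reproduced here), the following Python pulls the command-and-control indicators out of an installer of that shape: IRC hosts and ports, channel names, persistence lines and the world-writable paths the bot unpacks into. The sample script is constructed for the example, and the regular expressions are triage heuristics rather than a full shell parser.

```python
import re

# Constructed stand-in for an "inst"-style installer script.  It is not the
# attacker's file; it only imitates the shape of one (variables, a generated
# config header, persistence) so the extractor has something realistic to parse.
SAMPLE_INST = r'''#!/bin/sh
# bot installer (constructed example)
SERVERS="irc.example-one.net:6667 203.0.113.10:6669 irc.example-two.org"
CHAN="#botnet-ctrl"
KEY="letmein"
NICK="zmeu$RANDOM"
cd /tmp/.x || exit 1
cat > config.h <<EOF
#define SERVER1 "irc.example-one.net"
#define PORT 6667
#define CHANNEL "#botnet-ctrl"
EOF
nohup ./httpd >/dev/null 2>&1 &
echo "* * * * * /tmp/.x/inst" | crontab -
'''

# hostname or dotted-quad IPv4, optionally followed by :port
HOST_RE = re.compile(
    r'\b((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})(?::(\d{2,5}))?\b', re.I)
# IRC channel names: a '#' word that follows a quote or whitespace
CHAN_RE = re.compile(r'["\s](#[A-Za-z0-9_.-]+)')
# crude persistence / daemonisation markers
PERSIST_RE = re.compile(r'crontab|rc\.local|\.bashrc|/etc/init\.d|\bnohup\b')
# paths under the world-writable directories bots usually unpack into
PATH_RE = re.compile(r'(/(?:tmp|var/tmp|dev/shm)/[^\s"\'>]+)')


def extract_iocs(script: str) -> dict:
    """Return C&C hosts, ports, channels, persistence lines and drop paths."""
    iocs = {"servers": set(), "ports": set(), "channels": set(),
            "persistence": [], "paths": set()}
    for line in script.splitlines():
        stripped = line.strip()
        # skip shell comments, but keep the C-style #define lines the
        # script writes into its config header
        if stripped.startswith("#") and not stripped.startswith("#define"):
            continue
        for host, port in HOST_RE.findall(line):
            iocs["servers"].add(host.lower())
            if port:
                iocs["ports"].add(int(port))
        for chan in CHAN_RE.findall(line):
            iocs["channels"].add(chan)
        if PERSIST_RE.search(line):
            iocs["persistence"].append(stripped)
        for path in PATH_RE.findall(line):
            iocs["paths"].add(path)
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_INST).items():
        print(f"{key}: {sorted(value)}")
```

The hosts and ports are what you would feed to egress firewall logging or a network IDS; the persistence lines and drop paths are what to look for on the other hosts the same SSH scanner reached.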
Rst.a isn't the only tool in the attacker's toolkit. Let's take a look at a few other files:
- biz.tgz - 72.1% detected by VirusTotal, the B variant of the Rst virus above (Rst.b).
- hecaru.rar - 72.1% detected by VirusTotal, a DDoS attack bot.
- ActivWin2008R2.zip - 32.6% detected by VirusTotal, an activation crack that apparently lets a pirated copy of Windows run indefinitely, but most likely also installs additional malicious software.
- vnc.tgz - 16.3% detected by VirusTotal, a copy of the attacker's SSH scanning tool (the name notwithstanding).
- cacat.tgz - 67.4% detected by VirusTotal, another version of the SSH scanning tool.
- shony.tgz - 18.6% detected by VirusTotal, a backdoor/trojan IRC bot.
- zmeu configuration files, part of the attacker's botnet.
- An ISO of a (Russian?) version of Windows Server 2008 R2.
Finally, a couple of very interesting files, which are being forwarded to AV vendors for analysis...
The file "i" has a 4.7% detection rate on VirusTotal, and its actual purpose is unknown. At 2.51 MB it is rather large for a typical piece of Linux malware, which could point to a statically linked or packed binary.
The file f.jpg has a 7% detection rate on VirusTotal, and once again its purpose is unknown. The .jpg extension should not be taken at face value; the file's real type has to be confirmed from its header before deciding what it is.
The attacker connected from 18.104.22.168, an IP address that geolocates to Spain.
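For files like "i" and f.jpg, the first triage steps are to hash the sample, identify its real type from the magic bytes instead of the extension, measure its entropy (a near-8-bits-per-byte ELF is usually packed or encrypted, which is one reason detection rates come out low), and scan it for IRC protocol strings. The Python below does exactly that over constructed samples; it is added here as an illustration and is not the author's analysis of the real files. The 7.0 entropy threshold is an assumed heuristic, not a hard rule.

```python
import hashlib
import math
import re
from collections import Counter

# Magic numbers for the file types that appear in this toolkit.
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"\x1f\x8b", "gzip archive"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"#!", "script"),
]
# What the filename extension claims the file is.
EXT_EXPECT = {".jpg": "JPEG image", ".jpeg": "JPEG image", ".tgz": "gzip archive",
              ".rar": "RAR archive", ".zip": "ZIP archive"}
IRC_KEYWORDS = (b"NICK ", b"JOIN ", b"PRIVMSG", b"USER ", b"PING :")
PACKED_ENTROPY = 7.0   # assumed heuristic threshold (bits/byte), not a hard rule


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; near 8.0 means compressed/encrypted/packed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Type from the leading magic bytes, ignoring the filename entirely."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def suspicious_strings(data: bytes) -> list:
    """Printable runs of 6+ bytes that look like IRC protocol traffic."""
    runs = re.findall(rb"[\x20-\x7e]{6,}", data)
    return [r for r in runs if any(k in r for k in IRC_KEYWORDS)]


def triage(name: str, data: bytes) -> dict:
    actual = identify(data)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXT_EXPECT.get(ext)
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": actual,
        # extension claims one thing, header says another: masquerading file
        "extension_mismatch": expected is not None and expected != actual,
        "entropy": round(entropy, 2),
        "likely_packed": actual == "ELF executable" and entropy > PACKED_ENTROPY,
        "irc_strings": suspicious_strings(data),
    }


# Constructed samples, not the files from the attacker's FTP server.
# _blob is deterministic pseudo-random filler standing in for a packed body.
_blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
FAKE_JPG = b"\x7fELF\x02\x01\x01" + _blob + b"NICK %s\r\nJOIN #chan :key\r\n"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 200
UNKNOWN = b"\x00\x00\x01\x02" + b"ABCD" * 64

if __name__ == "__main__":
    for name, data in (("f.jpg", FAKE_JPG), ("photo.jpg", REAL_JPG), ("i", UNKNOWN)):
        print(triage(name, data))
```

The hashes are what to submit to AV vendors and to search for on other hosts; a type mismatch on a ".jpg" or a high-entropy ELF is enough to justify unpacking the sample in a sandbox before trusting a low VirusTotal score.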