166 lines
No EOL
6.1 KiB
JSON
166 lines
No EOL
6.1 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2013-05-30",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Another story of Unix Trojan: Tsunami/Kaiten.c (IRC/Bot) w/ Flooder, Backdoor at a hacked xBSD",
|
|
"publish_timestamp": "1481036386",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1481035028",
|
|
"uuid": "5846cc73-5bd0-4a20-9f50-49b0950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#730090",
|
|
"local": false,
|
|
"name": "ms-caro-malware:malware-platform=\"Unix\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#670080",
|
|
"local": false,
|
|
"name": "ms-caro-malware:malware-platform=\"Linux\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481034887",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5846cc87-c230-44f0-a71d-41f1950d210f",
|
|
"value": "http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481034906",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5846cc9a-92bc-4108-a848-4772950d210f",
|
|
"value": "Sadly, some strong waves of malware attacks on UNIX systems has started early this year. We still remember the rush from the Darkleech Rogue Apache Module, goes to Linux cDorked Rogue httpd, to the implementation of rogue web server binaries on other popular web servers like NGNIX and other web servers.\r\n\r\nToday I was asked to help fellow unixmen who maintain services based on a generic xBSD which detected some strange activities on IRC port access from several online machines. I was not hoping to see the cDorked or Darkleech new samples or common Linux threat on this one, as a FreeBSD users & fan I know how good the security is, but I guess I was wrong.\r\n\r\nThis case is actually a same old flaw's story: looks like the system was exploited via web admin panel abuse by HTTP access (sorry, can not tell you which web panel right now) using the tools that can send rapid packet fetch/wget requests (later on we know that the malware discussed here also have that function), the root privilege was gained via crontab UID (root, indeed), and practically overall server's security was compromised from that hole. And the bad guys was compiling nasty downloader/IRC Bot backdoor (known previously named as TSUNAMI) with deleting all source traces+logs related, thus run & hide its service using the fake bash process (ever see a BSD system with bash shell process before? *smile*)."
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481034947",
|
|
"to_ids": true,
|
|
"type": "link",
|
|
"uuid": "5846ccb9-9de0-4d35-b537-4c58950d210f",
|
|
"value": "https://www.virustotal.com/en/file/6e4586e5ddf44da412e05543c275e466b9da0faa0cc20ee8a9cb2b2dfd48114e/analysis/1369913856/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481035026",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5846cd12-5630-4368-8a42-4f42950d210f",
|
|
"value": "cvv4you.ru"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481035026",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5846cd12-e394-4317-8f48-4f69950d210f",
|
|
"value": "188.190.124.120"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481035026",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5846cd12-0320-43db-8e9d-4472950d210f",
|
|
"value": "188.190.124.81"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481035026",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5846cd12-2618-44ad-803e-46dc950d210f",
|
|
"value": "wf.networksolution.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481035027",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5846cd13-7ae0-4bf6-863f-4430950d210f",
|
|
"value": "205.178.189.131"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481035027",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5846cd13-fa60-400c-93fb-413d950d210f",
|
|
"value": "6e4586e5ddf44da412e05543c275e466b9da0faa0cc20ee8a9cb2b2dfd48114e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481035027",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5846cd13-e480-46b9-b2c0-46e8950d210f",
|
|
"value": "13aa008b0f3c9e92450979ee52cb46accf49aff3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1481035027",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5846cd13-9b70-48cc-8b04-49da950d210f",
|
|
"value": "6547b92156b39cb3bb5371b17d2488f2"
|
|
}
|
|
]
|
|
}
|
|
} |