Tango OP Announcement:
We are releasing the take-down (Tango OP) project information of our current on-going operation against the ELF DDoS malware, the threat with origin from China.
The threat is verdicted to be originated from China based on:
1. The source binary data contains China specific details
2. Attacker IP address during attempt to infect are mostly (98%) originated from China network
3. Panels served by ELF malware be downloaded during infection, are located in China network (98%)
4. CNC server used for downloading config or used for remote attack (92%)
The distributed malware are separated into 3 categories:
1. "Elknot" variants, technical information: --> [link]
2. "AES.DDoS", technical information: --> [link]
3. ".IptabLes|x", technical information: --> [link]
4. "BillGates", technical information: --> [link]
5. (NEW)"GoARM.Bot", technical information: --> [link]
The malware analyzed was compiled with aiming NIX base routers/servers, with these OS & CPU architectures:
1. Intel x32 (Linux / FreeBSD)
2. Intel x64 (Linux / FreeBSD)
3. AMD x64 (Linux)
3. ARM (Linux)
4. MIPS (Linux)
5. (NEW) PPC (Linux)
PoC, Evidence & Samples
We have some video recorded as hard evidence of the attack in progress as per listed in the links below:
1. https://www.youtube.com/watch?v=JjtOUto9Sr8
2. https://www.youtube.com/watch?v=z6MdtFck6x4
3. https://www.youtube.com/watch?v=sdKCjbrs5uQ
4. https://www.youtube.com/watch?v=YtxaT1rahY8
5. https://www.youtube.com/watch?v=OcOiuxAtbOk
We also posted three awareness , for the detail analysis of this threat:
1. May 2014 [link]
2. June 2014 [link]
3. Sept 2014 [link]
View of some download panel pictures for evidence:
Thank you @300trg for fixing the 5th picture↑
Illustration of "Volume & Combination" in its distribution
In a panel served with ELF malware, China DDoS'er crooks is distributing quite big amount of downloads (even we are assuming 70% downloads are for infection), as per seen in one panel snapshot picture below:
In a panel we often spotted the China crook is mixing the type of malware, as per seen in the PoC below:
Mixing samples PoC:↓
Recent ELF samples we collected & analyzed for the past one month:
(there are a lot more than these..and these are still coming)
https://www.virustotal.com/en/file/276b2bb1bb19e7b81e7656a6c411a094952592f77948151d43d460907e9702de/analysis/
https://www.virustotal.com/en/file/cb4aa1bc0a65771b7a23afc99d559a9943ebe06901b6ba37fcf563c64f28a872/analysis/
https://www.virustotal.com/en/file/586c2afdedef5e2ff0298b6bb5d8e11d847d35e86b2be56b437a35227643fb58/analysis/
https://www.virustotal.com/en/file/bfdad0437c12ccfb2b5406f902bcae0856c716a6f8b6c3b5e925a48e12ca51ec/analysis/
https://www.virustotal.com/en/file/afece0410779068b43c122008dad83af98a6a20e37f4414a99587ebc0f9f13d1/analysis/
https://www.virustotal.com/en/file/daccf72b00939ef0f14eb19b2a9cf73a61514a4c86d28369886634644fb0159d/analysis/
https://www.virustotal.com/en/file/77100c8e3ec940af6336bf5a8772057ed1a052658f0af5e6bb4a0f853ebb7a82/analysis/
https://www.virustotal.com/en/file/9d43b31bc47a4fff65ab5156e2fc348bf36451d58d00850a1f3c21e2d696910b/analysis/
https://www.virustotal.com/en/file/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/
https://www.virustotal.com/en/file/c1014f0ff0efc018e28300c2296459948489bd5d22633a0af1ca6ffb0c2336fe/analysis/
https://www.virustotal.com/en/file/3f50c0f70e3eb2debf77ba7626e9c358d7ed02d57ee6da375c0b507006df3da5/analysis/
https://www.virustotal.com/en/file/393ac47184475af099eafce91d7472ea5af1d74636a992cc08bf40872d22fa4a/analysis/
https://www.virustotal.com/en/file/3f50c0f70e3eb2debf77ba7626e9c358d7ed02d57ee6da375c0b507006df3da5/analysis/
https://www.virustotal.com/en/file/393ac47184475af099eafce91d7472ea5af1d74636a992cc08bf40872d22fa4a/analysis/
https://www.virustotal.com/en/file/b81cc1f3d87fe5eddb8dec8140f0f255697a58284882d9edc4e8d636b75772c3/analysis/
https://www.virustotal.com/en/file/6dd946e821df59705dcfeb79fab810336d0ee497fd715fb5b6711e05c0428f4d/analysis/
https://www.virustotal.com/en/file/9746054219bfa20e0bf55a066acd447a8878913d4b857057729a579cb1a078b3/analysis/
https://www.virustotal.com/en/file/8fa44a7b3eb707f584b223792bdb78b1e5f69a40dba20634094077c2f0287bca/analysis/
https://www.virustotal.com/en/file/d2b3ce2195b1422c165faeb1fbbdd098f13df6cf6595fb18f8d618cd78df597c/analysis/
https://www.virustotal.com/en/file/bb4786695774ae7777200a78e56db83ad5d5bdf1c1b84ef86dd796f7c9a3e1b4/analysis/
https://www.virustotal.com/en/file/406074b1c168602163a8c246f88ae9914f54ceacc47ec7fa0d8d3116e35374be/analysis/
https://www.virustotal.com/en/file/393ea466d635ea97150ca4bc52b6de7c47da2e7bffae28248b388523141a1cc8/analysis/
https://www.virustotal.com/en/file/470dbcc291008e183e46a81ce84aff1f90131f5a3d1fb30caf885769748d981e/analysis/
https://www.virustotal.com/en/file/661233de0cd229dbcbe37c06c2a6c86e1dbc081072e03c3207c00c6ce19aa57c/analysis/
https://www.virustotal.com/en/file/96aad20e56a59389117609aa192fc1771e105741e2e04664de56ecc1545a4c8a/analysis/
https://www.virustotal.com/en/file/223f66e52e84cfa21ae94053152e015f652894f77d129b3b738bb4937cfc857d/analysis/
https://www.virustotal.com/en/file/701ea25c01212e6f21ffbf5e60214a441558825ec9b86159e19b1f9576962e86/analysis/
https://www.virustotal.com/en/file/0383b323737e02f2e39a9ade6539432f7bb17ebb79fd809510a8ea1102963a0d/analysis/
https://www.virustotal.com/en/file/18ee96df892b632073d1d6ecc3c339dd120e66411c15eff176efcf2c1728cfc7/analysis/
https://www.virustotal.com/en/file/dc2b6a4d1e1f4014f0f9c3fb13908a3f46f9cb6a01a51f6447f9e85d3d1abcfe/analysis/
https://www.virustotal.com/en/file/5e3aea8e7f297685ddca0fadf9503d350d78be6f0bca700dc79fccc2ac9f925d/analysis/
https://www.virustotal.com/en/file/f5e7ba8d7b40415c7cbb8f45177deb5daffc2450c9f64d0e5c2ed65b9d9d7d55/analysis/
https://www.virustotal.com/en/file/d86a12974631e8711b9bce8fdf1f1fd4775f741461274005b2362647f17a63c6/analysis/
[..]
Tango down result so far of the China ELF DDoS'er download panels:
'h00p:/222.76. 210.140:81
h00p://122.94. 40.23:38384
h00p://60.173. 10.184:8080
h00p://122.142. 161.163:8080
h00p://125.46. 53.155:1996
h00p://183.60. 197.240:8181
h00p://112.117. 223.10:280
h00p://23.95.28. 228:8080
h00p://61.164. 145.100:89
h00p://108.171. 200.16:3100
h00p://183.56. 173.44:281
h00p://112.117. 223.10:789
h00p://61.147. 103.21:8080
h00p://218.25. 36.220:630
h00p://183.60. 197.240:8181
h00p://120.210. 204.102:999
h00p://174. 139.20.66:10080/
h00p://119. 90.135.206/
h00p://183. 60.142.173:523
h00p://183. 60.149.199:8081
h00p://183. 60.202.61:8088
h00p://183. 56.173.44:281
h00p://162. 221.12.193:68
h00p://218. 28.116.248
h00p://108. 171. 200.16:3100
h00p://183.60. 197.240:8181
h00p://199.192. 158.36:888
h00p://218.6.12. 157:8023
h00p://182.254. 168.157:4343
h00p://110.80. 129.134:999/
h00p://183.60. 202.91:2013/
h00p://182.254. 168.157:4343/
h00p://182. 254.180.241:2015/
h00p://219. 235.8.29:2015/
h00p://104.194.6.138:110/
h00p://121.127.241.55:8081/
h00p://183. 60.202.209:44335/ '
Detail network information for the origin of ELF malware panel addresses above:
222.76.210.140||4134 | 222.76.0.0/14 | CHINANET | CN | - | XIAMEN TELECOM IDC
122.94.40.23||9394 | 122.94.0.0/16 | CTTNET | CN | CHINATIETONG.COM | CHINA TIETONG TELECOMMUNICATIONS CORPORATION
60.173.10.184||4134 | 60.168.0.0/13 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET ANHUI PROVINCE NETWORK
122.142.161.163|163.161.142.122.adsl-pool.jlccptt.net.cn.|4837 | 122.136.0.0/13 | CHINA169 | CN | CHINAUNICOM.COM | CHINA UNICOM JILIN PROVINCE NETWORK
125.46.53.155|hn.kd.ny.adsl.|4837 | 125.40.0.0/13 | CHINA169 | CN | CHINAUNICOM.COM | CHINA UNICOM HENAN PROVINCE NETWORK
183.60.197.240||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
112.117.223.10|10.223.117.112.broad.km.yn.dynamic.163data.com.cn.|4134 | 112.116.0.0/15 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET YUNNAN PROVINCE NETWORK
23.95.28.228|host.colocrossing.com.|36352 | 23.95.24.0/21 | AS-COLOCROSSING | US | HUDSONVALLEYHOST.COM | HUDSON VALLEY HOST
61.164.145.100||4134 | 61.164.0.0/16 | CHINANET | CN | - | WENZHOU TELECOM CO. LTD
108.171.200.16|108-171-200-16.static.webnx.com.|18450 | 108.171.192.0/19 | WEBNX | US | WEBNX.COM | WEBNX INC.
183.56.173.44||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
112.117.223.10|10.223.117.112.broad.km.yn.dynamic.163data.com.cn.|4134 | 112.116.0.0/15 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET YUNNAN PROVINCE NETWORK
61.147.103.21||65222 | 61.147.103.21/32 | -Private | | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
218.25.36.220||4837 | 218.25.0.0/16 | CHINA169 | CN | CHINAUNICOM.COM | CHINA UNICOM LIAONING PROVINCE NETWORK
183.60.197.240||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
120.210.204.102||9808 | 120.210.192.0/19 | CMNET | CN | CHINAMOBILELTD.COM | CHINA MOBILE COMMUNICATIONS CORPORATION
174.139.20.66|customer.krypt.com.|35908 | 174.139.20.0/24 | VPLSNET | US | KRYPT.COM | KRYPT TECHNOLOGIES
119.90.135.206||23724 | 119.90.128.0/17 | CHINANET-IDC-BJ | CN | CNPC.COM.CN | HUABEI OIL FIELD COMMUNICATION CO
183.60.142.173||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
183.60.149.199||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
183.60.202.61||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
183.56.173.44||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
162.221.12.193|193.12.221.162.clear-ddos.com.|62466 | 162.221.12.0/24 | CLEAR-DDOS-AS | CA | CLEAR-DDOS.COM | CLEARDDOS TECHNOLOGIES
218.28.116.248|pc0.zz.ha.cn.|4837 | 218.28.0.0/15 | CHINA169 | CN | CHINAUNICOM.COM | CHINA UNICOM HENAN PROVINCE NETWORK
108.171.200.16|108-171-200-16.static.webnx.com.|18450 | 108.171.192.0/19 | WEBNX | US | WEBNX.COM | WEBNX INC.
183.60.197.240||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
199.192.158.36||6939 | 199.192.152.0/21 | HURRICANE | US | EHOSTINGUSA.COM | VPS21 LTD
218.6.12.157||4134 | 218.6.0.0/17 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET FUJIAN PROVINCE NETWORK
182.254.168.157||45090 | 182.254.168.0/23 | CNNIC-TENCENT-NET | | - | COMSENZ TECHNOLOGY LTD
183.60.202.91||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
110.80.129.134||4134 | 110.80.0.0/13 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET FUJIAN PROVINCE NETWORK
182.254.168.157||45090 | 182.254.168.0/23 | CNNIC-TENCENT-NET | | - | COMSENZ TECHNOLOGY LTD
182.254.180.241||45090 | 182.254.180.0/23 | CNNIC-TENCENT-NET | | - | COMSENZ TECHNOLOGY LTD
219.235.8.29|host-219-235-8-29.iphost.gotonets.com.|17621 | 219.235.8.0/24 | CNCGROUP | CN | GOTONETS.COM | SHANGHAI QIANWAN NETWORK CO. LTD
104.194.6.138||36114 | 104.194.0.0/19 | VWEB-8 | US | VERSA14 | VERSAWEB, LLC
121.127.241.55||38197 | 121.127.241.0/24 | SUNHK-DATA-AS | HK | SUN.NET.HK | SUN NETWORK (HONG KONG) LIMITED
183.60.202.209||4134 | 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
Below is the list of IP addresses to block (Tango Queue List)
222.186.30.239
218.84.198.37
61.147.103.185
114.215.140.230
We thank you for all entities that were kindly helping us to fight this threat. We look forward to keep on having good coordination to take down more infector IP addresses and domains.
If you happened to have ELF malware, please do not hesitate to send us sample by uploading to this-->[link] URL.
Please help our effort to report us the existence of new panels if the IP is not on the above lists (Tango or Queue List), by writing the comment under this post (will not be published), or mention to @malwaremustdie (twitter).
Comment & follow up:
Preliminary stage of takedown (was only 11 confirmed that time)
There's NO bullet proof anymore but there's only laziness.
We #TANGO'ed 11 #China#ELF#DDoS#CNC
#MalwareMustDie! pic.twitter.com/qbVvib16pN
— MalwareMustDie, NPO (@MalwareMustDie) September 14, 2014What is the impact of this take down to the actor(s) actually?
.@lvdeijk this takedown will hurt the crooks badly, since every CNC need to be decoded in #ELF binary, they cry hard. And they deserve it.
— MalwareMustDie, NPO (@MalwareMustDie) September 14, 2014Follow up the next takedown:
Three more taken down, total China #ELF#malware#tango = 32 panels
Updated: http://t.co/n2gKTXSDDh
#MalwareMustDiepic.twitter.com/026fb4dDiL
— MalwareMustDie, NPO (@MalwareMustDie) September 18, 2014Just confirmed #Tango on #China#ELF#malware panels, 6 more went down (pic) - Will add this to blog.
#MalwareMustDiepic.twitter.com/GaP2Exthcf
— MalwareMustDie, NPO (@MalwareMustDie) September 20, 2014MalwareMustDie!