MMD-0061-2016 - EnergyMech 2.8 overkill mod

Background

This is a new threat analysis report I wrote in MalwareMustDie blog (this) after we moved out our blog from blogger, I hope you like the new blog system and design, and enjoy the post!

An unattended or abandoned Linux/UNIX system with its web service online (specially with the CGI function intact) with not having recent updates can be soon be exploited and infected by Linux malware. Scanner for seeking these system’s flaws is running every day by the attackers throughout the internet, seeking their target possibilities to perform malicious acivity. This is a story about the set of Linux malware injected to such compromised system causing by this flaw..

Threat summary

We received several reports of the same incidents from several sources within a year period, and it is very understandable if the sysadmins involved were not wilingly to disclose more details of the attackers in their system’s side, and for that I have to investigate myself to get more informative values of the threat, and fortunately we received some samples of the same attack pattern.

The last sample set was received from Brazil on November 11th, 2016 (thank you dear Brazillian friends!), and it contains the most recent used toolset of this context, so this analysis report is based on it. I frankly was not expected this tool to be still in circulation nowadays, indeed it is, so it would be good to have this case written in ELF / Linux malware threat library as additional reference, specially when we are in the period where attention for ELF DDoS malware threat is on spotlight.

ELF Linux malware is the threat that evolves, previous spotted bad codes keep on coming back, either being merged into other *badness form* or *incarnated* by new code scheme by the same old concepts, and each comeback they always bring more improvement along with adjustment made for its usage to adapt the capability to create more damage in the recent vulnerable Linux/UNIX vectors, since the people who use these codes are having good skill in networking and hacking on blackhat sides. This is why I think it is important to make a good library to analyze each ELF/Linux malware case, for the future reference. - unixfreaxjp, Dec 2016 -

To summarize the threat info itself: The actors are script kiddies hackers (likely), from a place in Europe that is famous for its vampire story. The modus operation and custom toolset used are actually known, but not as new as recent threats we detected/found/wrote before (i.e.: PnScan, Mirai, LuaBot, NyaDrop, IRCTelnet or UDPFker, and etc previous ones..), nor also popular ones (at least between the whitehats people), yet the tool’s activity is still exist (surprisingly). I categorized this threat as a customized Linux DDoS botnet via IRC protocol (aha!..not again..). And currently the spotted samples was compiled to aim Linux or Linux compatible systems (read: UNIX that can execute ELF file) under x86-32, x86-64 or amd64 processor architectures.

The malware itself, I call it as Linux/OverkillMod, for the reason that I will be explained in the following sections.

Threat attack vector: the buggy PHP

A pretty old version of a CGI scripting language: PHP was installed in a not-so-well-managed PHP powered web server that is having a CGI query handling vulnerability, in example like this one can trigger a remote code execution commands, is being spotted up and alive. Upon several common attack techniques used, one attacker was successfully compromising the system after sending the url-encoded POST command to exploit the buggy cgi_main.c in the target’s PHP binary to then execute a series of malicious shell-script via execution of PHP’s system() command.

system() is a PHP command to execute as well as any arguments you wish passed to that command and immediately displaying the result in the output stream, best used in i.e. system command line Web GUI coded in PHP. It is not wise to have this command activated for the security prevention, and if we must use it, we have to make sure to have extra secure precaution, including the PHP regular version update. Yes, this is a cliche’ exploitation scheme..but it still happens.

The shell-script command executed by the used system() is having a couple possibilities of one liner shell script to download, install, execute and then self-delete, to:

  • directly install and run a Linux malware, or..
  • download the installation shell script to be executed to install and run a Linux malware

..and the Linux malware mentioned above is our topic of the day.

The two possibilities, let’s call it as Possibility one and two, of spotted one-liner shell script codes I breakdown as per below structure, again..there is nothing new too, since we see many similar kind of codes fired by hacker script kiddies in daily basis.

Possibility one - direct installation and malware execution, it has two patterns:

Pattern A: php system shell script to infectA Pattern B: php system shell script to infectB In the pattern A the start.sh will lead to the execution of autostart and run executable script. The start.sh is like this:

./autorun
./run

As per seen in the above system() injected shell script code, the wget and (alternatively) curl was used to fetch a remotely served payload archive file to be extracted in the /tmp directory. The extracted directory is having the same name as payload’s name, but for the OPSEC purpose let’s call it as DIRBLAH. The installation of the malware is started by the execution of the ./autorun.

Possibility two - a downloader for malware’s installation and execution script: Possibility two - downloader In this Possibility two, works a bit similar to the first possibility, but it downloads, executes and delete BUH file. The executed BUH file itself is actually another better coded bash shell script contains installation (infection) and execution commands as per shown below, which is similar as direct installer show in Possibility one, and also it has two patterns:

Pattern C: Possibility two - installerC Pattern D: Possibility two - installerD

To be very honest. It wasn't easy to collect all of these installation details, since either the involved hacker(s) can manage to delete the files afterwards, or, the stuff was `crond` cleaned up in the `/tmp` directory, or all malware was detected and then deleted. But in several particular cases, with thank's to the good cooperation from site's sysadmins, we managed to forensics data needed to figure the scheme.

The malware’s persistency installation process

In very end of the installer scripts we can see the autorun or run file was executed. both of them are actually shell scripts components of the malware package. Together with the rest of files of the tar package, these files can be found in the extracted malware directory.

The autorun is the installer module of the malware, to be used to create a malware persistent starting scheme, with the process as as per follow:

  • creating schedule for malware’s auto-update $dir/update command in crontab
  • generating and dropping the $dir/update as auto-update file, a persistency script.
  • setting auto-update file into executable This way the persistent scheme ala “watchdog” for the malware tool can be performed.

Below is the autorun script itself: autorun

And this is the update script generated and dropped afterward: update You can see the Linux crontab scheduling part was done under this command:

* * * * * $dir/update >/dev/null 2>&1

Which means to execute the generated update shell script file every minute, to check whether the Linux malware is running, and if the malware is not running the malware “starter” executable component (also a script file) run will be executed.

The run file contains a simple script to execute the Linux ELF malware binary file named httpd:

export PATH=.
httpd

This httpd ELF binary is the malware that will be discussed in the next sections..

The other vector: via ssh/telnet login brute-force

This is the additional part of the initial analysis. After the analysis blog was posted I received additional information from our friends (thank’s to “Wp”), about the existence of infection cases via shell login compromising vectors too. One sample case can be viewed in a blog posted here or here, which is snipped as per below: It is obviously the same badware package “bogus httpd” was used for the above compromising method too, but at that time the flood components was fewer than the recent reports we received. Additionally, as the same type of malware used, the analysis explained in next sections will be applied for this vector of the attack too (under the same sample hash of the bogus httpd, if you need to be sure).

To be noted: In the mentioned shell compromised case, there is no persistency installation was executed.

The trace of EnergyMech codes

In the autorun or update file, you can find the below lines:

if test -r $dir/mech.pid; then
pid=\$(cat $dir/mech.pid)

This is actually giving much hint on what we are dealing with, mech.pid is part of the C coded IRC tool called EnergyMech (in sort: emech). An remote bot software, not a malware, similar to the EggDrop). Quoting from their web site:

The EnergyMech is a UNIX compatible IRC bot programmed in the C language, freely distributable under GNU General Public License (GPL)

Seeking the further overall collected and received samples we can find these files resides in the compromised system, proofing the EnergyMech existency:

 22,983 mech.help
  1,064 mech.levels
      5 mech.pid
    295 mech.session
    480 mech.set

(NOTE: inside of these files there are written the setting on how to connect to IRC server used for this bad purpose, nothing special on these, except if you would be kindly help to stop the bad guys together with us, please ping me)

The problem now is, which kind of EnergyMech (emech) used, by whom, why EnergyMech (emech), what for, and how. To answer these questions I guess we need to reverse the httpd a bit.

The bogus “httpd” = EnergyMech (emech) 2.8 overkill mod May 31st, 2001

The ELF:

httpd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.0.0, stripped

After you see bundle instruction of the common older version of EnergyMech, the modified version information of this package can be seen in the several parts, for example: That stated a modified EnergyMech version and build of:

"EnergyMech 2.8 overkill mod May 31st, 2001 Compiled on Jun 1 2001 14:09:42"

Further, the below undecent messages used is obviously not being included in official emech build too: More of these “original exotic messages” are in example:

0x806d619 21 20 // I m not on %s stupid
0x806d62e 21 20 // Cant fucking open %s
0x806d643 15 14 // init: Warning:
0x806d652 18 17 // This nick sux: %s
0x806d680 35 34 // Put me on some channels first punk
0x806d6c0 36 35 // Lists could not be saved to file %s
0x806d6e4 28 27 // I m not opped on %s asshole

This explains much of what kind of attackers we are dealing with.

So now we know these answers from our questions:

  • WHAT is the binary => a modded version of EnergyMech
  • by WHOM => hacker skiddies..

What is the purpose of using EnergyMech in this hack case? WHY emech?

This is acually a good question. To answer this, let’s see some of the accompanied files:

b:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
b2:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
f:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
f4:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
j:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.0.0, not stripped
j2:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
s:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
sl:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.0.0, not stripped
std:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
stream: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
tty:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.5, not stripped
v:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.0.0, not stripped
v2:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.0.0, not stripped
x:      Perl script, ASCII text executable

These are actually the ELF files (and one Perl script file) used for executable module for DDoS attack. Each one of them can act as stand-alone and also as modular, thus each of them has the each specific packet flood generation and sending method that needes specific arguments/parameters to perform the attack.

A bit of reversing of each “module” is explaining their origin, so I made a quick list to explain each of them, and how they are executed, as per follows:

Filename (exec) Description Syntax
b SirVic's B flood ./b 127.0.0.1 {hosts} 999
b2 reflection dos by Jabrick & DrBIOS ./b2 {target} {file} {seconds}
f SirVic's_Fuck.c flood ./f {ip} {port}
f4 FUDEDOR4.C (v4.0) by Alexander - PRIVATE!@#! ./f4 {host} {size} {time}
j Juno flood ./j {ip} {port}
j2 Juno flood ver 2 ./j2 {ip} {port (0=rnd)} [ns (1s/10^9) delay] [threads (dfl:1)]
s Stealth flood ./s {ip} {port}
sl anti-foonet (by blizzard) ./sl {srcaddr} {dstaddr} low high
std STD2.C (STD ver 2) BY STACKD ./std {host} {port}
stream jess_stream.c v1.0 TCPZ PacketStorm ./stream {ip} {port} {pktsize} {pps}
tty SirVic's flood2.c ./tty {ip} {port}
v1 Vadim I ./v1 {ip} {port} {ip_spoof}
v2 Vadim II / Vadim patched by paxi ./v2 {ip} {port} 10 0
x SirVic's Random flood ./x {ip} {port} {seconds}

It will be boring to show all codes in assembly, so I picked some of reversed codes and the perl snippet for the reader to have better idea of what these stuff are:

vadim2: vadim2

b2: reflection whatever

std: STD2 STAKD

f4: FUDEDORA4

x: Random Flood SirVic's

The interesting points of the executables above is, having similarities in:

  • compilation method
  • modular design
  • arguments that can supports command line and/or reading from files

The above points is showing these binaries are ment to be used in EnergyMech, and for that it should have a kind of API that can support file execution to run a script or binary. The best way to seek is reversing the sample, and in this below function the answer is found: Emech 2.8 mod executional function

So now we know it executes those files, but how?

I traced each suspected names and symbols that can trigger the expected action, and after some elimination these are the three left candidates that can support the execution of the file:

0x8064d67 11 10 NOSHELLCMD
0x806537d 8 7 STOPCMD
0x80653e9 9 8 SHELLCMD

I went also to the every good EnergyMech source code for the same purpose and could not find what I seek, so I guess I have not so much luck on that.

Then I went back to the samples in hand and disassembly all of the codes for each available sample, to then seek possible API that is actually used for this malicious EnergyMech version aka the +bogus httpd*.

And, to make it short, finally found a good clear trace on the effort from certain compilation trace:

/* snip 1*/

cfg_noshellcmd(char *args)
will.shellcmd = FALSE;
{"NOSHELLCMD",cfg_noshellcmd,0}


/* snip 2*/

if (!will.shellcmd)
tofile(sf,"noshellcmd\n");

// which is finally leading me into...

/* snip 3 */

tofile(sf,"cmdchar %c\n",bot->cmdchar);
tofile(sf,"userfile %s\n\n",bot->Userfile);

This is the additional updated info: After I released the analysis, under helps from MMD mates, we seek the overall nutshell for the source code of this badness, and confirming the bad codes that is responsible and was used to make this bogus httpd aka “EnergyMech (emech) Overkill mod 2.8” and the execution part can be seen in the snippet picture below:

So, by adding all of these detail, I can figure the command for execution the file via this version of EnergyMech exists actually, under the formulation syntax of:

{!} shellcmd [PATH_TO] [FILENAME] {ARGS}

To make it clear, all of the executables found together in the package of the bogus httpd can be executed after that bogus httpd connect to the IRC channel using the commands as per below:

shellcmd ./b 127.0.0.1 {hosts} 999
shellcmd ./b2 {target} {file} {seconds}
shellcmd ./f {ip} {port} 
shellcmd ./f4 {host} {size} {time}
shellcmd ./j {ip} {port}
shellcmd ./j2 {ip} {port (0=rnd)} [ns (1s/10^9) delay] [threads (dfl:1)]
shellcmd ./s {ip} {port}
shellcmd ./sl {srcaddr} {dstaddr} low high
shellcmd ./std {host} {port}
shellcmd ./stream  {ip} {port} {pktsize} {pps}
shellcmd ./tty {ip} {port} 
shellcmd ./v1 {ip} {port} {ip_spoof}
shellcmd ./v2 {ip} {port} 10 0
shellcmd ./x {ip} {port} {seconds}

Under curiosity, I re-checked the EnergyMech web site again for the latest version to seek for any code related to these execution logic, and I can not find any of this API enabled anymore from the latest sources that I can get, so this is explaining why the “mod’ed version” for the emech was built, for this malicious purpose.

For the note, the bogus httpd, which is the “EnergyMech 2.8 overkill mod May 31st, 2001 Compiled on Jun 1 2001 14:09:42” is a malicious ELF Linux malware, but EnergyMech original distribution is not, just like the EggDrop for example, EnergyMech is a good IRC tool, I am currently running several tests on it too.

It will not be fair for the EnergyMech decent development folks to call their project as malware, this is why I call the mod’ed malware version one as Linux/OverkillMod.

Mitigation

Several mitigation advisory for the threat:

  • For the current IR case, you will have to ask to update the PHP, web server and frankly said, the OS distribution too, it is too old and obsolete to serve an outdated web acessible service in this period of time, upgrading the platform will be easier and faster to prevent similar happening in the future.
  • Since Intel compatible platform is the current aim for the threat, the malware signature detection for the samples can prevent this infection, see the next section for the sample hash detail.
  • Furthermore, for the fellow sysadmins, please regularly monitor the unusual traffic inbound/outbound from the services (if possible), and also check for the bad code resides in the commonly hacker’s aimed directory like /tmp/ or /var/run/tmp or /var/run or /mnt or /root or / or var or /dev/shm, etc.

Analysis conclusion and samples

So now we perfectly know now about: WHY the EnergyMech (emech) was used for several hacking incidents, and WHAT the purpose of the hackers were using it, aiming to WHICH systems and platforms, by WHOM (only specific community culture in a known IRC server is using these), and and HOW the attackers are/were using it. The malicious scheme like this case, which is performed via IRC protocol botnet and used splitting attack modules saved in hacked nodes into several ELF executables, is a bad sign. But, since the actual working source code for this threat is a bit hard to find so can hope this threat will not migrate to the other platform soon.

I hope this post will help fellow incident response team and sysadmins friends. Since I don’t provide the comment section for this blog anymore, if you have any questions or opinion to be shared about tis analysis, you are welcome to write to us your advise/suggestion/questions/opinion in /r/LinuxMalware on reddit (the posts are moderated).

For the samples, the hashes is as per below table, I will make sure all of the samples are uploaded in the VirusTotal, but please bear for some delay for I need time to clean up the analysis “pad”.

For the source code of the bad emech that has finally collected, let this code to be a dead end, so we can kill this threat for good.

Malware file SHA1 hash
b 67ccc3866b13d10f5f7106b7580b7cbc8dc8a470
b2 b85a7130bbf77b4c237e0bf915f6ce672792e47e
f 1ed59a0dc45d4b744df58999a18f987183b2e4ee
f4 8238b054ea6eafd97898835052c7c01053a5c7b2
j 1527118dfa541b2aa99132a48bcde22f57d971e0
j2 2f40fb39d5082db49dbbfbf48a2b20fdb4a0946d
s 9d58bfb07d85483049f1d22bc02cfa3737706865
sl 971b6f93b15c28dd72e8fdada7ddc0449b8bfeca
std 34323bf56af2fc7105da5f64c1171aa28ebd5c4a
stream e2011b15fe673b40af2c72492d86214a5c9c917c
tty 5d2ed29211c04e0941584e26c9e5ce858628451d
v1 4e587b64d26cf46cf91d3ad145e0897d366f451a
v2 0a7661a038f21a98fcc75e7e04d828b4c2fef114
x 31f17179477c2a4eb13b87793a558ade271e12ad
httpd c34597af2f63be4214a1b63ca7915229e0578a93

Uptime, statistic and risk of Linux/OverkillMod botnet

Currently Emech 2.8 OverkillMod package (along with their flood functions) are spotted running in public and private IRC servers. With the help from the Eggdrop friends, we can identify the OverkillMod botnet listed that are having uptime more than 100days, with the amount of 305 BotID. Some of them are being duplicated, but the overall up and alive BotID amount for the running bots is still significantly big. In average each OverkillMod is having uptime around 30days, but that thank’s to the good and stability of EnergyMech code and functions.

If EMech in overall versions as the Bot IRC tool is having share statistically around 37% of the current detected bots, the OverkillMod nodes share is almost the half of it, so we can say currently that Linux/OverkillMod it is running on number between 2,000 to 3,000 nodes in the internet. With this amount, roughly predicted, if they want, Linux OverkillMod botnet can make a DDoS damage to any targeted site of an entity with the direct internet line without protection.

For that purpose, I grepped as many OverkillMod BotID that I can fetch and listed them sorted in their uptime as per below table. (You can ping me directly for the network origin used by each bot.)


Detection date: Sun Dec 4 06:15:45 JST 2016

Rank BotID Emech version detected Uptime as per now..
3 [flood] EnergyMech 2.8 overkill mod 4 years 138 days 1 hour
16 jp EnergyMech 2.8 overkill mod 3 years 228 days 12 hours
18 colskx EnergyMech 2.8 overkill mod 3 years 208 days 14 hours
24 punisher EnergyMech 2.8 overkill mod 3 years 126 days 8 hours
28 [OLD]-38 EnergyMech 2.8 overkill mod 3 years 44 days 4 hours
35 A2 EnergyMech 2.8 overkill mod 2 years 341 days 5 hours
36 HSWSX EnergyMech 2.8 overkill mod 2 years 327 days 23 hours
37 as1324 EnergyMech 2.8 overkill mod 2 years 321 days 18 hours
38 [OLD]-55 EnergyMech 2.8 overkill mod 2 years 321 days 14 hours
39 Sh EnergyMech 2.8 overkill mod 2 years 317 days 13 hours
40 Sh EnergyMech 2.8 overkill mod 2 years 317 days 7 hours
41 Sh EnergyMech 2.8 overkill mod 2 years 317 days 7 hours
42 Sh EnergyMech 2.8 overkill mod 2 years 317 days 7 hours
43 Sh EnergyMech 2.8 overkill mod 2 years 316 days 1 hour
44 Sh EnergyMech 2.8 overkill mod 2 years 316 days 1 hour
45 Sh EnergyMech 2.8 overkill mod 2 years 316 days 1 hour
46 Sh EnergyMech 2.8 overkill mod 2 years 315 days 19 hours
47 Sh EnergyMech 2.8 overkill mod 2 years 315 days 19 hours
48 Sh EnergyMech 2.8 overkill mod 2 years 315 days 19 hours
49 nic EnergyMech 2.8 overkill mod 2 years 314 days 1 hour
52 root EnergyMech 2.8 overkill mod 2 years 180 days 21 hours
53 Elefant EnergyMech 2.8 overkill mod 2 years 172 days 2 hours
54 as1324 EnergyMech 2.8 overkill mod 2 years 156 days 19 hours
55 juno EnergyMech 2.8 overkill mod 2 years 151 days 20 hours
57 xxx EnergyMech 2.8 overkill mod 2 years 121 days 6 hours
58 azazel EnergyMech 2.8 overkill mod 2 years 98 days 2 hours
60 DDoS EnergyMech 2.8 overkill mod 2 years 43 days 12 hours
65 id0___ EnergyMech 2.8 overkill mod 2 years 5 hours
67 Awesome EnergyMech 2.8 overkill mod 1 year 358 days 12 hours
68 KING EnergyMech 2.8 overkill mod 1 year 352 days 6 hours
69 KING EnergyMech 2.8 overkill mod 1 year 352 days 6 hours
70 new EnergyMech 2.8 overkill mod 1 year 349 days 11 hours
83 L EnergyMech 2.8 overkill mod 1 year 309 days 6 hours
86 cyborg EnergyMech 2.8 overkill mod 1 year 286 days 6 hours
91 four EnergyMech 2.8 overkill mod 1 year 264 days 15 hours
92 two EnergyMech 2.8 overkill mod 1 year 264 days 15 hours
93 Ddos EnergyMech 2.8 overkill mod 1 year 264 days 13 hours
94 Flood EnergyMech 2.8 overkill mod 1 year 264 days 3 hours
100 Flood EnergyMech 2.8 overkill mod 1 year 253 days 21 hours
101 Flood EnergyMech 2.8 overkill mod 1 year 253 days 21 hours
102 Flood EnergyMech 2.8 overkill mod 1 year 253 days 21 hours
107 cmd-amaz EnergyMech 2.8 overkill mod 1 year 245 days 18 hours
111 flood EnergyMech 2.8 overkill mod 1 year 232 days 1 hour
112 cmd-jp EnergyMech 2.8 overkill mod 1 year 231 days 10 hours
115 Flood EnergyMech 2.8 overkill mod 1 year 223 days 2 hours
121 juno EnergyMech 2.8 overkill mod 1 year 207 days 3 hours
122 mix EnergyMech 2.8 overkill mod 1 year 206 days 12 hours
124 photo EnergyMech 2.8 overkill mod 1 year 206 days
125 flood EnergyMech 2.8 overkill mod 1 year 205 days 12 hours
126 nl EnergyMech 2.8 overkill mod 1 year 204 days 18 hours
127 photo EnergyMech 2.8 overkill mod 1 year 186 days 3 hours
128 photo EnergyMech 2.8 overkill mod 1 year 174 days 7 hours
131 chaos036 EnergyMech 2.8 overkill mod 1 year 169 days 14 hours
132 chaos058 EnergyMech 2.8 overkill mod 1 year 169 days 14 hours
135 cmd-s4uu EnergyMech 2.8 overkill mod 1 year 155 days 2 hours
137 root EnergyMech 2.8 overkill mod 1 year 144 days
139 cmd-gmo EnergyMech 2.8 overkill mod 1 year 138 days 3 hours
147 root EnergyMech 2.8 overkill mod 1 year 126 days 18 hours
148 tex97 EnergyMech 2.8 overkill mod 1 year 123 days 6 hours
149 root EnergyMech 2.8 overkill mod 1 year 122 days 21 hours
150 root EnergyMech 2.8 overkill mod 1 year 122 days 21 hours
151 root EnergyMech 2.8 overkill mod 1 year 122 days 21 hours
152 root EnergyMech 2.8 overkill mod 1 year 122 days 21 hours
153 root EnergyMech 2.8 overkill mod 1 year 122 days 21 hours
154 LotKa EnergyMech 2.8 overkill mod 1 year 120 days 20 hours
155 L EnergyMech 2.8 overkill mod 1 year 120 days 18 hours
158 aic EnergyMech 2.8 overkill mod 1 year 77 days 1 hour
159 ameTeam EnergyMech 2.8 overkill mod 1 year 68 days 18 hours
160 ameTeam EnergyMech 2.8 overkill mod 1 year 68 days 18 hours
162 asdasd EnergyMech 2.8 overkill mod 1 year 64 days 6 hours
164 Home EnergyMech 2.8 overkill mod 1 year 63 days 6 hours
166 root EnergyMech 2.8 overkill mod 1 year 59 days
167 root EnergyMech 2.8 overkill mod 1 year 58 days 6 hours
168 root EnergyMech 2.8 overkill mod 1 year 58 days 6 hours
169 root EnergyMech 2.8 overkill mod 1 year 58 days 6 hours
170 Cap EnergyMech 2.8 overkill mod 1 year 56 days
172 root EnergyMech 2.8 overkill mod 1 year 48 days 12 hours
174 mix EnergyMech 2.8 overkill mod 1 year 37 days 12 hours
175 juno EnergyMech 2.8 overkill mod 1 year 34 days 7 hours
177 r00t4362 EnergyMech 2.8 overkill mod 1 year 30 days 12 hours
178 root EnergyMech 2.8 overkill mod 1 year 27 days 18 hours
179 313]- EnergyMech 2.8 overkill mod 1 year 25 days 18 hours
180 [313]-_ EnergyMech 2.8 overkill mod 1 year 25 days 6 hours
181 uid____ EnergyMech 2.8 overkill mod 1 year 22 days 12 hours
184 w36 EnergyMech 2.8 overkill mod 1 year 19 days 12 hours
186 old-69489 EnergyMech 2.8 overkill mod 1 year 11 days 18 hours
187 us-206-61 EnergyMech 2.8 overkill mod 1 year 4 days
188 uid8300 EnergyMech 2.8 overkill mod 364 days 19 hours
189 root EnergyMech 2.8 overkill mod 360 days 6 hours
190 cmd-jp2 EnergyMech 2.8 overkill mod 355 days 7 hours
191 tcp EnergyMech 2.8 overkill mod 354 days 6 hours
195 Mafia_ EnergyMech 2.8 overkill mod 335 days 4 hours
200 root EnergyMech 2.8 overkill mod 320 days 18 hours
201 xXx EnergyMech 2.8 overkill mod 318 days 23 hours
204 mix EnergyMech 2.8 overkill mod 303 days
207 mx1 EnergyMech 2.8 overkill mod 289 days 6 hours
208 shit_ EnergyMech 2.8 overkill mod 289 days
209 DinTe EnergyMech 2.8 overkill mod 287 days 19 hours
210 cmd-es EnergyMech 2.8 overkill mod 285 days 5 hours
212 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
213 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
214 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
215 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
216 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
217 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
218 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
219 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
220 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
221 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
222 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
223 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
224 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
225 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
226 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
227 Sh EnergyMech 2.8 overkill mod 283 days 6 hours
228 Sh EnergyMech 2.8 overkill mod 283 days
229 Sh EnergyMech 2.8 overkill mod 283 days
231 Sh EnergyMech 2.8 overkill mod 280 days 18 hours
233 yourvser EnergyMech 2.8 overkill mod 278 days 6 hours
249 uid_ EnergyMech 2.8 overkill mod 275 days 23 hours
262 dang EnergyMech 2.8 overkill mod 274 days 6 hours
267 dang EnergyMech 2.8 overkill mod 273 days
268 dang EnergyMech 2.8 overkill mod 273 days
269 dang EnergyMech 2.8 overkill mod 273 days
284 nouid6706 EnergyMech 2.8 overkill mod 270 days 16 hours
304 dami EnergyMech 2.8 overkill mod 269 days 4 hours
371 sfLXxks EnergyMech 2.8 overkill mod 257 days 12 hours
405 nouid2660 EnergyMech 2.8 overkill mod 250 days 21 hours
425 Bau_ EnergyMech 2.8 overkill mod 245 days 16 hours
435 luna EnergyMech 2.8 overkill mod 243 days 6 hours
443 juno EnergyMech 2.8 overkill mod 242 days 16 hours
447 Juno EnergyMech 2.8 overkill mod 242 days
452 Juno EnergyMech 2.8 overkill mod 240 days 18 hours
453 Juno EnergyMech 2.8 overkill mod 240 days 18 hours
454 Juno EnergyMech 2.8 overkill mod 240 days 18 hours
455 Juno EnergyMech 2.8 overkill mod 240 days 18 hours
459 Juno EnergyMech 2.8 overkill mod 239 days 1 hour
461 Juno EnergyMech 2.8 overkill mod 239 days
526 Juno EnergyMech 2.8 overkill mod 230 days 18 hours
527 Juno EnergyMech 2.8 overkill mod 230 days 18 hours
528 Juno EnergyMech 2.8 overkill mod 230 days 1 hour
529 Juno EnergyMech 2.8 overkill mod 230 days
530 Juno EnergyMech 2.8 overkill mod 230 days
531 Juno EnergyMech 2.8 overkill mod 230 days
539 Giani EnergyMech 2.8 overkill mod 227 days 16 hours
551 Juno EnergyMech 2.8 overkill mod 224 days 1 hour
552 Juno6680 EnergyMech 2.8 overkill mod 224 days
562 help EnergyMech 2.8 overkill mod 223 days 6 hours
575 uid5084 EnergyMech 2.8 overkill mod 221 days 4 hours
595 Juno EnergyMech 2.8 overkill mod 218 days 18 hours
596 Juno EnergyMech 2.8 overkill mod 218 days 18 hours
597 Juno EnergyMech 2.8 overkill mod 218 days 18 hours
631 photo EnergyMech 2.8 overkill mod 213 days 6 hours
652 Juno EnergyMech 2.8 overkill mod 210 days 6 hours
667 flood EnergyMech 2.8 overkill mod 208 days
691 _502day_2 EnergyMech 2.8 overkill mod 206 days 21 hours
692 502day EnergyMech 2.8 overkill mod 206 days 21 hours
697 sun EnergyMech 2.8 overkill mod 206 days 3 hours
720 Rand2 EnergyMech 2.8 overkill mod 204 days 15 hours
734 botnet EnergyMech 2.8 overkill mod 202 days 21 hours
736 Juno EnergyMech 2.8 overkill mod 202 days 6 hours
775 uid9001 EnergyMech 2.8 overkill mod 201 days 2 hours
778 Wallah EnergyMech 2.8 overkill mod 200 days 21 hours
779 Wallah2 EnergyMech 2.8 overkill mod 200 days 21 hours
780 Wifi2 EnergyMech 2.8 overkill mod 200 days 21 hours
782 Wifi1 EnergyMech 2.8 overkill mod 200 days 21 hours
786 Juno EnergyMech 2.8 overkill mod 200 days
797 flood EnergyMech 2.8 overkill mod 198 days 18 hours
798 cmd-rack EnergyMech 2.8 overkill mod 198 days 16 hours
822 Juno EnergyMech 2.8 overkill mod 195 days 18 hours
839 Juno EnergyMech 2.8 overkill mod 194 days
840 Juno EnergyMech 2.8 overkill mod 194 days
845 root EnergyMech 2.8 overkill mod 193 days 12 hours
846 root EnergyMech 2.8 overkill mod 193 days 12 hours
867 boot EnergyMech 2.8 overkill mod 191 days 12 hours
900 mixsds EnergyMech 2.8 overkill mod 187 days 9 hours
911 uid5556 EnergyMech 2.8 overkill mod 186 days 20 hours
913 Juno EnergyMech 2.8 overkill mod 186 days 18 hours
914 Juno EnergyMech 2.8 overkill mod 186 days 18 hours
919 Juno EnergyMech 2.8 overkill mod 186 days
920 Juno EnergyMech 2.8 overkill mod 186 days
938 Strasno EnergyMech 2.8 overkill mod 185 days 3 hours
940 w EnergyMech 2.8 overkill mod 184 days 21 hours
946 Juno EnergyMech 2.8 overkill mod 184 days 6 hours
947 Juno EnergyMech 2.8 overkill mod 184 days 6 hours
954 juno EnergyMech 2.8 overkill mod 183 days 9 hours
959 root EnergyMech 2.8 overkill mod 182 days 14 hours
960 old-69481 EnergyMech 2.8 overkill mod 182 days 14 hours
964 Juno EnergyMech 2.8 overkill mod 182 days
965 Juno EnergyMech 2.8 overkill mod 182 days
966 Juno EnergyMech 2.8 overkill mod 181 days 19 hours
967 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
968 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
969 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
970 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
971 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
973 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
974 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
975 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
976 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
977 Juno EnergyMech 2.8 overkill mod 181 days 18 hours
979 nouid4510 EnergyMech 2.8 overkill mod 181 days 9 hours
980 nouid3033 EnergyMech 2.8 overkill mod 181 days 9 hours
981 nouid1124 EnergyMech 2.8 overkill mod 181 days 9 hours
982 uid4450 EnergyMech 2.8 overkill mod 181 days 9 hours
983 uid1930 EnergyMech 2.8 overkill mod 181 days 9 hours
984 uid9712 EnergyMech 2.8 overkill mod 181 days 9 hours
985 uid_ EnergyMech 2.8 overkill mod 181 days 9 hours
986 nouid EnergyMech 2.8 overkill mod 181 days 9 hours
987 uid3525 EnergyMech 2.8 overkill mod 181 days 8 hours
988 uid1840 EnergyMech 2.8 overkill mod 181 days 8 hours
989 nouid EnergyMech 2.8 overkill mod 181 days 8 hours
990 nouid EnergyMech 2.8 overkill mod 181 days 8 hours
991 dang EnergyMech 2.8 overkill mod 181 days 8 hours
992 nouid5988 EnergyMech 2.8 overkill mod 181 days 8 hours
993 nouid2687 EnergyMech 2.8 overkill mod 181 days 7 hours
995 uid4972 EnergyMech 2.8 overkill mod 181 days 2 hours
998 Juno EnergyMech 2.8 overkill mod 181 days 1 hour
1000 Juno EnergyMech 2.8 overkill mod 181 days
1003 Juno EnergyMech 2.8 overkill mod 181 days
1004 Juno EnergyMech 2.8 overkill mod 181 days
1005 Juno EnergyMech 2.8 overkill mod 181 days
1019 Juno EnergyMech 2.8 overkill mod 179 days 1 hour
1020 Juno EnergyMech 2.8 overkill mod 179 days
1021 Juno EnergyMech 2.8 overkill mod 179 days
1022 Juno EnergyMech 2.8 overkill mod 179 days
1023 Juno EnergyMech 2.8 overkill mod 179 days
1024 Juno EnergyMech 2.8 overkill mod 179 days
1025 Juno EnergyMech 2.8 overkill mod 179 days
1026 Juno EnergyMech 2.8 overkill mod 179 days
1027 Juno EnergyMech 2.8 overkill mod 179 days
1028 Juno EnergyMech 2.8 overkill mod 179 days
1033 Hell EnergyMech 2.8 overkill mod 178 days 15 hours
1034 d__ EnergyMech 2.8 overkill mod 178 days 9 hours
1064 uid EnergyMech 2.8 overkill mod 176 days 12 hours
1076 Juno EnergyMech 2.8 overkill mod 175 days 6 hours
1077 Juno EnergyMech 2.8 overkill mod 175 days 6 hours
1078 Juno EnergyMech 2.8 overkill mod 175 days 6 hours
1080 Juno EnergyMech 2.8 overkill mod 175 days
1081 Juno EnergyMech 2.8 overkill mod 175 days
1082 Juno EnergyMech 2.8 overkill mod 175 days
1083 Juno EnergyMech 2.8 overkill mod 175 days
1084 Juno EnergyMech 2.8 overkill mod 175 days
1087 Juno EnergyMech 2.8 overkill mod 174 days 18 hours
1088 Juno EnergyMech 2.8 overkill mod 174 days 18 hours
1089 Juno EnergyMech 2.8 overkill mod 174 days 18 hours
1090 Juno EnergyMech 2.8 overkill mod 174 days 18 hours
1091 Juno EnergyMech 2.8 overkill mod 174 days 18 hours
1095 henk EnergyMech 2.8 overkill mod 173 days 18 hours
1101 ninja EnergyMech 2.8 overkill mod 173 days 2 hours
1110 wgetlog EnergyMech 2.8 overkill mod 172 days 1 hour
1111 warcrof EnergyMech 2.8 overkill mod 172 days
1113 ddos EnergyMech 2.8 overkill mod 172 days
1114 ddos EnergyMech 2.8 overkill mod 172 days
1115 ddos EnergyMech 2.8 overkill mod 172 days
1116 ddos EnergyMech 2.8 overkill mod 172 days
1117 ddos EnergyMech 2.8 overkill mod 172 days
1118 ddos_ EnergyMech 2.8 overkill mod 172 days
1119 Romania EnergyMech 2.8 overkill mod 171 days 20 hours
1120 PGL-RO EnergyMech 2.8 overkill mod 171 days 20 hours
1150 Juno EnergyMech 2.8 overkill mod 170 days
1152 Juno EnergyMech 2.8 overkill mod 170 days
1153 Juno EnergyMech 2.8 overkill mod 170 days
1164 cmdOVH9 EnergyMech 2.8 overkill mod 169 days 6 hours
1182 Northern EnergyMech 2.8 overkill mod 167 days 18 hours
1239 M0rtal1 EnergyMech 2.8 overkill mod 163 days 6 hours
1283 nr005 EnergyMech 2.8 overkill mod 158 days
1287 whatix EnergyMech 2.8 overkill mod 157 days 14 hours
1296 trouble EnergyMech 2.8 overkill mod 157 days 2 hours
1299 Sh EnergyMech 2.8 overkill mod
1301 uid_____ EnergyMech 2.8 overkill mod 156 days 15 hours
1308 juno EnergyMech 2.8 overkill mod 155 days 20 hours
1381 new EnergyMech 2.8 overkill mod 151 days
1386 cashout EnergyMech 2.8 overkill mod 150 days 12 hours
1417 cmd-s EnergyMech 2.8 overkill mod 149 days 9 hours
1442 id0 EnergyMech 2.8 overkill mod 147 days 8 hours
1444 id0 EnergyMech 2.8 overkill mod 147 days 7 hours
1447 Vacutele EnergyMech 2.8 overkill mod 147 days
1667 Sh EnergyMech 2.8 overkill mod
1668 root EnergyMech 2.8 overkill mod 136 days 6 hours
1669 flood4 EnergyMech 2.8 overkill mod 136 days 6 hours
1672 uid___ EnergyMech 2.8 overkill mod 136 days 3 hours
1673 uid EnergyMech 2.8 overkill mod 136 days 3 hours
1680 uid5705 EnergyMech 2.8 overkill mod 135 days 8 hours
1690 photo EnergyMech 2.8 overkill mod 134 days 12 hours
1856 flood13 EnergyMech 2.8 overkill mod 130 days
1898 new EnergyMech 2.8 overkill mod 127 days
1904 anon EnergyMech 2.8 overkill mod 125 days 14 hours
1929 Anonymous EnergyMech 2.8 overkill mod 123 days 18 hours
1959 dalmy_ EnergyMech 2.8 overkill mod 123 days
1968 Virusata EnergyMech 2.8 overkill mod 122 days 11 hours
2054 whatix EnergyMech 2.8 overkill mod 119 days 7 hours
2102 KING EnergyMech 2.8 overkill mod 117 days
2140 root EnergyMech 2.8 overkill mod 115 days 6 hours
2178 root19 EnergyMech 2.8 overkill mod 114 days
2213 Channel EnergyMech 2.8 overkill mod 112 days 7 hours
2224 pac EnergyMech 2.8 overkill mod 111 days 15 hours
2301 }----n-{ EnergyMech 2.8 overkill mod 107 days 6 hours
2311 G1 EnergyMech 2.8 overkill mod 106 days 18 hours
2358 x EnergyMech 2.8 overkill mod 104 days 7 hours
2373 bootz EnergyMech 2.8 overkill mod 103 days 6 hours
2431 13]- EnergyMech 2.8 overkill mod 101 days 7 hours
2438 juno EnergyMech 2.8 overkill mod 101 days 1 hour
2443 juno221 EnergyMech 2.8 overkill mod 100 days 19 hours
2444 juno____ EnergyMech 2.8 overkill mod 100 days 19 hours

A note about radare2 and gcc compatibility

I am sorry for I was using r2 older version for this analysis, my BSD clusters is using gcc version 4.2.1 (the recent version now is gcc 4.9.x) ports and gcc 4.2.1 and it looks incompatible with the recent r2 git version (Linux is unaffected since they always renew gcc binset packages in distro updates). As much as I want to upgrade the gcc to the newest release one, it is much work to be done actually since the development and reversing tool I build and/or use were compiled with same gcc version, so I think I just have to plan to migrate overall stuff to the new platform.

Yeah, gcc version is always be a problem in development. This is my two cents/personal opinion of the issue: If we want to support the client workstation only then it maybe good to use the very recent version of gcc, but if we want our tool to work in servers or embedded platforms too, the older gcc` version compatibility should be put in consideration too.

Production servers are often used for development, and they tend to have compilers that can support software for longer period, hence older version of gcc sometimes still in use. As of the embedded platform, it is mostly built on older gcc version (by my experience) for the minimalistic and hardware driver’s program compatibility.

In my work or in my personal UNIX development I am still compiling some software using older version of gcc just for supporting this compatibility matter. For the wide-used tools, maybe, it would be a good idea to be tested during the last development stage with considering older compiler compatibility check factor, or by restriction or rules in coding policy, or maybe, as the easiest workaround, it is good too to clearly state supported/unsupported gcc versions if somehow the incompatibility can not be avoided for the future road map or development.

But it is always easier said than done. As the follow up for this particular case, I had tested a list on r2 previous versions, which notifying which one was supported or unsupported to older gcc users in the github. Therefore, during the bug time the r2 previously released version that is supporting gcc 4.2.1 can be fetched from radare2’s site. During the test and a little bit of reading the code, the source of the current incompatibility problem can be found and viewed in here.

This is the update information: The r2 developer team was fixing this problem in only by several hours to eliminate the anonymous union usage in the libr/anal/p/anal_avr.c, and released the fix for the issue in this commit, thank you!

Stay safe friends! Thank you for your reading.

MalwareMustDie!!

  • This post is dedicated to radare.org great folks, malwaremustdie.org loyal friends and the open source community in Linux/UNIX platform.

  • Reversed, written and analyzed by @unixfreaxjp on November 28th 2016.

  • Tags used for the post: linux unix elf malware emech mech energymech overkill mod overkillmod irc botnet ddos undernet whitehat romania hacktool hacking