From website-locker to DDoS: Rex!

In May 2016, Softpedia wrote an article about a Drupal web ransomware. This malware exploits an SQL injection in the Drupal CMS, changes the admin credentials and asks for bitcoins to unlock the content.
After locking the website, a malware binary is executed on the server:

After this ends, the last uploaded file is a binary file written in the Go programming language, which is the actual ransomware. This Go binary deletes the file upload form and replaces it with the ransom note seen above.

Three months after this article, there was still no sample of this malware in public repositories. So it’s time to try to find one. We only know that the malware is developed in Go and exploits Drupal vulnerabilities. Thanks to @DlBlind, we also know that it uses P2P to communicate.
Please note that this article is not a full reverse engineering of the malware; it tries to explain the attack vector and some interesting key features.

Sample Hunting

Googling « Website is locked. Please transfer 1.4 BitCoin to address », we can find a lot of hacked Drupal sites. After a quick look, we retrieved an unknown sample executed as:

./G2eCM9jUiz -elevate.skip -wait 20619 2>/tmp/l

where the file “l” is actually a log file that looks like:

*node.Node.Run "random" 8184
*node.Node.runScanner *node.BlacklistFilter 0x18d7e4c0 7366
*rpc.Client.SetBinary "linux-386" 0x18c0b560

*rpc.Service.SetBinary &{Platform:linux-386 Binary:0x1901ae40}
new neighbor
new neighbor
new neighbor
new neighbor
new neighbor
new neighbor

The above snippet shows that the sample uses P2P communication.

A quick analysis of the sample shows that it is developed in Go and packed with UPX. As shown below, it is not detected by any anti-virus on VirusTotal:
We found our sample and it’s an interesting one. Actually, Drupal-locking is only a small part of the features of the self-named “Rex” malware, which is still evolving. We found many different variants from April to August 2016.

Rex malware weapons

Rex is made of 5 different parts. Some of them seem to be still in development:

  • Attack vector
  • Bitcoin mining
  • C&C Communication
  • Ransom – Armada Collective
  • DDoS

Hereafter, we will look in detail at each of these parts.

Attack vector

Depending on the variant, Rex scans the Internet for different vulnerable services. The kill chain is simple:

  • Bots scan the Internet for vulnerable websites
  • Websites are infected and defaced (Drupal-locker)
  • The “Rex” binary is dropped on the server
  • The server communicates with the other bots via P2P.

Hereafter, a non-exhaustive list of the exploits used by the different variants of Rex.


Nothing new here: Rex exploits the SQL injection in Drupal 7 (CVE-2014-3704). The malware adds a new admin account, locks all blog posts with website-locker notes, then uploads and executes Rex.


Rex is able to infect other CMS. WordPress plugins are mainly targeted. At least 8 exploits are available:

We have found some infected WordPress websites but we didn’t see any of them locked.


The botnet also scans for Magento eCommerce sites, looking for the ShopLift RCE. The attack is similar to the Drupal one: a new admin account is created and a webshell is used to execute Rex.


A few other exploits are shipped with Rex:

The above list confirms that Rex does not focus on website locking but tries to build a P2P botnet.

Bitcoin mining

Like lots of malware, Rex has bitcoin mining capabilities. We won’t dig into the details of this part.

C&C communication

We haven’t looked deeper into the network part but, thanks to @silascutler and @DlBlind, we know that this botnet uses a Kademlia P2P network (the build path “/home/user/src/rex/dht/” is left in the binary) on port 5099 with TLS enabled.

It seems that all aforementioned weapons are available through the P2P network.

Ransom – Armada Collective

The most curious feature of the malware is called RansomScanner. It retrieves the admin contacts of the infected website and sends them a DDoS threat email. Below is the email template:

Armada Collective <>
We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

It’s a well-known template used by the crooks of Armada Collective. Many people have received this kind of email, and Cloudflare wrote a blog post about this ransom note.
There is a supposed gang that sends extortion emails to online businesses, but nobody has seen any real DDoS. Unfortunately, this kind of scam seems to work:

In spite of the lack of actual DDoS follow through, it appears that many victims are paying the extortion fee. A security analyst from the Bitcoin analysis firm Chainalysis studied payments sent to the Armada Collective’s Bitcoin addresses and concluded that more than USD$100,000 has been sent to the attackers by victims.

An example of a StackExchange post:
But things are starting to change…


Armada Collective emails look like hoax, BUT, we have seen infected servers that actually run real DDoS attacks!

Armada Collective seems to be starting a new strategy and trying to launch real attacks. The “1 Tbps” threat seems ridiculous, but if the botnet grows by leveraging fresh vulnerabilities, it may become more harmful.

In the recent versions of Rex, the ransom note has been updated:

We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
Right now we will start 15 minutes attack on your site's IP {{ .IP }}. It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Now the crooks talk about a 15-minute test DDoS and ask the victim to check the logs as proof. They want to be taken seriously.
Rex looks like a strange kind of web-server ransomware: it does not encrypt files but locks access to the administration page and threatens a DDoS.
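The placeholders in both notes are Go text/template syntax, which matches the Go binary found earlier. The program below is an added example written for this article, not code from the Rex sample: it renders both notes with the Go standard library and lists the fields each variant needs. The NoteData type, its numeric field types and the sample values are assumptions; the field names are the ones the templates dereference, and the note bodies are abridged to the lines that carry placeholders.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
	"time"
)

// Both note bodies as found in the samples, abridged to the lines that carry
// placeholders. The placeholders are Go text/template syntax, verbatim.
const ArmadaTemplate = `We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
`

const AnonymousTemplate = `We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
Right now we will start 15 minutes attack on your site's IP {{ .IP }}. It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
`

// NoteData carries the fields the templates dereference. The field names come
// from the templates themselves; the struct name and the numeric types are
// assumptions, the malware's real type is unknown.
type NoteData struct {
	Time    time.Time
	Amount  float64
	Step    float64
	Address string
	IP      string
}

// RenderNote executes a note the way text/template does inside a Go binary:
// niladic methods such as Weekday and String are called implicitly, and
// Format receives its layout string as an argument. data is interface{} so
// the caller can see what happens when a variant needs a field the data lacks.
func RenderNote(tmplText string, data interface{}) (string, error) {
	t, err := template.New("note").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// fieldRe matches the first identifier after "{{ ." in a placeholder.
var fieldRe = regexp.MustCompile(`\{\{\s*\.([A-Za-z]+)`)

// FieldsUsed lists the distinct top-level fields a template dereferences, in
// order of first appearance: a quick way to diff what each variant needs.
func FieldsUsed(tmplText string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range fieldRe.FindAllStringSubmatch(tmplText, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	return out
}

func main() {
	// Sample values (constructed, not taken from any sample): a deadline, a
	// placeholder address and a TEST-NET IP.
	data := NoteData{
		Time:    time.Date(2016, time.August, 23, 0, 0, 0, 0, time.UTC),
		Amount:  5,
		Step:    1,
		Address: "1ExampleAddressNotARealWalletXXXXX",
		IP:      "192.0.2.10",
	}
	for _, v := range []struct{ name, tmpl string }{{"armada", ArmadaTemplate}, {"anonymous", AnonymousTemplate}} {
		out, err := RenderNote(v.tmpl, data)
		if err != nil {
			panic(err)
		}
		fmt.Printf("--- %s variant, fields %v\n%s\n", v.name, FieldsUsed(v.tmpl), out)
	}
}
```

Rendering the Anonymous variant with a data type that has no IP field fails at execution time with a “can't evaluate field IP” error, so the added {{ .IP }} placeholder is also a new required input for RansomScanner, consistent with the test attack on the victim's IP that this version announces.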


Linux botnets continue to evolve and are becoming very interesting. In this case, what looks at first sight like a Drupal locker is in fact a complete botnet, still in development, with many features.
In the next write-ups we will try to explain each module of this botnet.
As usual the attack vector is not a 0-day but well-known vulnerabilities, so I’ll conclude this article like the others:
If you are a website administrator, DO NOT LEAVE OUT-OF-DATE SERVICES ON THE INTERNET.


9070f56651f44ec722e17df67b8a954888e387a8f2574594c80937d0f39c471a  .0LD5dVbuo9
bf211d46551079e7f7646ffd6bfda065f1307ea81508d1625b5c65005d929cb3  .0OHjeERDbv
550b9b4c5b2dbe83fa3e227cca65b9b9768e2ea597c2e109205dba51faee5869  .0OhoU6US1m
677464da2fcf73b9793daca3191501da02957af08a6471a047410ce99ea49405  .0r4mKMUlJ6
69402f4bd7718a3403f1caaaa387edc70b299f6aecc06de39e3a9ac28873a184  .0rqNlrPujv
32c921dd4b755af519f648102098735a569a0326a79a911eb47174bd058e5c43  .0YOtp0GQMk
52bf6ae8fe7a0a59ca8d089444207c173e20a7a11c8b5e815b937e2f4224da4f  .1ZRhWKqTlY
950cd068d9c51b941bdfe4721a3156af15dc408d2df23c1f2bc41b87159b109e  .3v0UwARWmv
1f4d876b17a6d786aa793b9c529235f9f9e164d70a74d8d26ca850d18f1329a7  .3weUyhjJZe
09f1967e97a97a1d0963a84823fa2611b9555866f09d7a04bb69bc4d877f9631  .42wVPcdaFD
3e4cebd60a1d6a6b29bac68ace2547c2e3894a0e5865dd90aff5764f8e7dc16d  .4JkeqTzZSX
dcd0e1586630bc8c50fe600899bee76b853057fd9158ed541d7ddec53c8f2186  .5Ygi9nGrHn
cb42573e36fb148bc1109229a1025cdcb375c166361605f0681da9e54e3ef81d  .5ZFxAbOeBY
08ab4abd017568142d061ffd5a2592a491730dddb4485211fda53f39d43e3efb  .7RCBTpSOUh
ac36c87cacbe1b8327fae3084ebd1740a3a5c6c6f208c1c77da56932a9ca3be6  .7tsPagH3FM
d67ae5639618a3409711377e124ef2c6293200aa3026b8b2996654db63645481  .9bKas738kc
a1610e735042ce0197859e6fd7772039e63efce78d6c9cf642492d1c8f1d7540  .9G97ZhwNer
07dd2c7be7a0becb178967c43684c1a687deb217e87575d18fd6b73dc988bd78  .9MgvdLBtL0
dbc3f96fcbbfd90f877dc11fcdedca1c1e574b951ac70edc3160ed9f389c3fd3  .aH7HRrz554
8e7eaed42f50c865f72f7351b87a988de5aa94781b4dab4ddbe993872435f293  .bM04ITZnuq
97c1ed3d52d663f9bad2eef716169f06053dc2bcf8e3d857b0a702e8fae546c9  .C91EZKVz6Q
a1000d4cb81cfb7dfac660722938f3d9c7cb6e36c33e129097ddd29f3dfd1890  .cOVyPvf01L
9f568df46838872b389628b665940415d897823b2e1804e2625c3dfb0b6850b4  .D90yb8KdDV
cc01ba0825208402b0fc2eb62146e856f69d1e9f53b745d8f068f0d09e6170c0  .E61NBnYjak
40c882738ea1e01cc4e8027dd6ce5d55552e5630c8f65e86db630fca09d85fa9  .EETl2pJOf9
0e6c53797964b611c867cb5e5b492d45edf5472924c9a60a99433240f1712f15  .eLBaxwiu2d
c79d7b2a8caf5cc19a019772053c54d1ec02f8ae15b577bbbbd9bf82f19caedb  .fkmJQOIqYB
d097f55f82e88a32b057010c96f553aa7c8ccef12c2a8484aab0fb3dab9d4a0f  .H4g8bASf8Y
c058d576a108bdcf637a6ed399b4d9a1e3bbb6f194882ffada01b85e79109f65  .HdUykUNGy8
339eaabda43fbf0ee0caa6021a999d383713498911523d2b21e2ee2f1541f78f  .Ju7XqX36yy
3dee377037f7fcfd6539c23bb1cdc6eda46680c8773525b784150c1237788965  .KDnA4yWrGc
9d41dc182dee0690e5c5f08f9276548a85f4b986478fd30ec4208d95d54cffeb  .KzmJO5vHRQ
b30dfa13f8dc7162f3edb43dff8507f82c01bd5bd6e5a1ae2e3b2e55dd6b10c0  .LqZzmAJcjo
f7bc5d56312ae6205b21aa4c72708383716907754b037013f47bc88203fbb450  .Oer60jCsoB
9909910d6e008e15c98d26e214f619a7a82787137158784998d99b5c03cbe8f2  .OiZhEG9cEu
2549560970bb8ebca0136f7d6c8111196295d083c6fd6101a7f9178089502cc0  .q7hsioOPWv
fe2c837d1662ca47ebd86c0cf0a3a382ee589bce6b77dabae30801d71a7d280f  .rG47yPBz5p
67a3b5d1fb946daccd7f3562e35b90537f9032184a0605cc9b8613c91a4ea1be  .RnKtruJM9f
22a578f2d30f316d441b73efbeaa0b53641686d2fa75ad44d4d3992da9ceaf5f  .SzIYofKRTz
0723de24bc86eedde149c53e0f93a18596bed424e823f1b46c2f97e358931b83  .YPuels1RDm
6b46b6eff4be06d47284492fed7f71c53103bfaa610952151bddebb8046a34f1  .yYRSdRs6kH
9bd1d3a567e2036f8e57745dd81333911b06a34f4ed6d7d68daa674aac0d7b96  .Zw64nQ52IX


When ELF.BillGates met Windows

If you are used to playing with honeypots, you have inevitably met the ELF.BillGates malware. It is a well-known[1] botnet that has been spreading over the Internet for four years.

In a nutshell, ELF.BillGates is a (Chinese) DDoS botnet with backdooring features. It is a single binary whose behavior depends on its installation path[2]:

  • Gate 0: Infection Monitor (dropper + persistence)
  • Gate 1: Host (Contact C&C + DDOS features)
  • Gate 2: Backdooring
  • Gate 3: Utility spoofing

The “Elf.BillGates” version targets the Linux operating system. We have followed the activity of this botnet for several months, and during our investigations we found some versions of a Windows fork of the malware. This article attempts to detail this variant.

The primary infection vector is the exploitation of CVE-2014-6332[3] (the Windows OLE automation array vulnerability), which drops a binary file hosted on an HTTP File Server (HFS)[4]. This vulnerability allows a VBScript script running in Internet Explorer to escape the browser’s safe-mode restrictions and execute an arbitrary binary file downloaded from the Internet.



Figure 1 – Example of compromised HFS server

First and foremost, we noticed that this malware seems to be currently in development. The author seems to make tests in the wild, and several samples are unstable.

In a few weeks, we collected about thirty samples and identified 2 different versions of the malware:

    • A version that almost works on Windows XP but is unstable on more recent operating systems.
    • A very unstable version based on the Safeengine protector (a packer against reverse engineering)[5].

Both versions reference the same symbol path:

重构 translates as “refactoring”.

This article analyzes a sample of the first family, named 36000.exe (hash: 4b14d7aca890642c3e269b75953e65cb; at 32 hex digits this is an MD5, not a SHA-1).

GatesInstall – Gate 0 – Infection monitor

PDB: F:\Updates\重构\GatesInstall\Release\GatesInstall.pdb

This is the installation part of the malware: it drops the different files on the system and creates persistence.

This sample is not obfuscated, but we have met some UPX-packed samples.

This binary file embeds seven executable resources.


Figure 2 – PEStudio view of the binary


As we can infer from the PDB path, this binary file is the installer of Win32.BillGates malware.

On its first execution, it checks whether the system is already infected by trying to kill any running BillGates instance with the system tool taskkill.exe:
Taskkill /F /IM DbSecuritySpt.exe
Taskkill /F /IM Bil.exe
Taskkill /F /IM svch0st.exe
Taskkill /F /IM DNSClient.exe
Taskkill /F /IM DNSProtection.exe

/F forces the termination, /IM selects the process by image name.

After this check, the malware retrieves the OS version with GetVersionExA and stores one of the following strings in a global variable. It is supposed to support every version of Windows:

Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows Vista
Windows Server 2003
Windows XP
Windows 2000
Windows NT
Windows 32s
Windows Unknown

After that, it checks whether it runs on a 32- or 64-bit OS with the help of the GetSystemWow64DirectoryA API.

Happy to play with an old Windows installation, I tried to launch the installer on Windows 2000 but was disappointed: GetSystemWow64DirectoryA only exists from Windows XP onwards, so the loader refuses to start the process because of this unresolved import:


Figure 3- Error: Unable to find entry point of GetSystemWow64DirectoryA Proc on kernel32.dll

The detection of OS versions older than Windows XP is therefore useless.

After that check, the malware installation depends on the version of the OS.

On Windows 2003 / XP, the following files are created:

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe (resource 107 or 108)
C:\Program Files\DbSecuritySpt\svch0st.exe (resource 104)
C:\Program Files\Windows Media Player\agony.exe ( resource 103)
C:\Program Files\Windows Media Player\agony.sys (resource 102)
C:\Program Files\Windows Media Player\DNSProtection.exe (resource 107 or 108)
C:\Program Files\Windows Media Player\DNSSupport.exe (resource 107 or 108)

On Windows 2008 Server, two additional files are created:

C:\Program Files\DbSecuritySpt\NPF.sys (resource 105)
C:\Program Files\DbSecuritySpt\packet.dll (resource 106)

DbSecuritySpt.exe, DNSSupport.exe and DNSProtection.exe have the same contents. On the 32-bit edition of the OS, resource 107 is used whereas resource 108 is used on the 64-bit variant of the OS.

After several tests, Win32.BillGates only manages to start on Windows XP. On newer versions of Windows, the installer simply crashes. The crash seems to be related to ASLR: when the code retrieves the security cookie in functions that handle buffers, it reads it from a hard-coded address, as if the binary were always loaded at its preferred base. Once the image is relocated, that address is wrong and the read generates an access violation.


The rest of this article details the analysis of the malware on Windows XP.

Once the binary files are written to disk, GatesInstall registers DbSecuritySpt.exe and DNSSupport.exe as services and starts them. Creating services requires administrator privileges; in most cases the attackers obtain them by brute-forcing the administrator RDP account on Windows Server 2003 machines.

That’s all for the installer.


GatesInstall writes the same binary file to 3 locations:

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe (resources 107 or 108)
C:\Program Files\Windows Media Player\DNSProtection.exe (resources 107 or 108)
C:\Program Files\Windows Media Player\DNSSupport.exe (resources 107 or 108)

PDB: F:\Updates\重构\GatesInstall\Release\Gates.pdb

Gates starts with an identification routine:

      • Decryption of its configuration
      • Check of the file path and of whether it is launched as a service.

The configuration is encrypted with a hard-coded RSA 1024 key:


Once decrypted, the configuration data is organized in the same way as the ELF version[6]:


In the Windows version, the prime C, prime D and modulus N offsets are hard-coded, meaningless and unused.

In this sample we noticed an empty campaign name, but other analyzed samples were linked to a named campaign:

The Windows binary file also contains some clear strings that allow us to say it is a variant of the ELF version:


DbSecuritySpt – Gate 1 – Host

Launched as a service, DbSecuritySpt is the main persistent binary. To reach its real behavior, the binary must be started as a service from C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe, which is what the path check above enforces.

DbSecuritySpt launches several threads in charge of fingerprinting the computer, communicating with the C&C infrastructure and performing DDoS attacks.

The following data is sent to the C&C:



This service is also in charge of taking part in DDoS campaigns.

DbSecuritySpt is supposed to support several DDoS types: ICMP, SYN, UDP and DNS amplification.

The binary file contains a list of 230 hardcoded IP addresses that correspond to DNS servers used for DNS amplification attacks[7].


We tested these DNS servers. Only 58 of the IP addresses still answered as open resolvers; the others were either fixed or unreachable.
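The test we ran on that list can be reproduced with the following added example (ours, not code from the malware or from the original analysis). It sends one recursive A query to a server and classifies the reply from the header flags, which is also what an attacker curating an amplification list does: only servers that recurse for anyone (RA set, NOERROR, at least one answer for a name they are not authoritative for) are useful reflectors, while REFUSED or a missing RA flag means the server was fixed. It uses only the Go standard library; the query name example.com, the transaction ID 0x1234 and the hand-built response bytes are assumptions for running offline, and Probe is the only function that touches the network.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// BuildQuery encodes one question (type A, class IN) with RD=1. A server
// that recurses for arbitrary sources is what amplification abuse needs.
func BuildQuery(id uint16, name string) []byte {
	msg := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: QR=0, RD=1
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	return append(msg, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
}

type Verdict struct {
	ID        uint16
	Recursive bool   // RA flag: recursion available
	RCode     uint8  // 0 NOERROR, 5 REFUSED (closed resolver)
	Answers   uint16 // ANCOUNT
	Size      int    // bytes on the wire, for the amplification ratio
}

// ParseResponse decodes the 12-byte header, which is enough to classify.
func ParseResponse(buf []byte) (Verdict, error) {
	if len(buf) < 12 {
		return Verdict{}, errors.New("short DNS message")
	}
	flags := binary.BigEndian.Uint16(buf[2:])
	if flags&0x8000 == 0 {
		return Verdict{}, errors.New("not a response (QR=0)")
	}
	return Verdict{
		ID:        binary.BigEndian.Uint16(buf[0:]),
		Recursive: flags&0x0080 != 0,
		RCode:     uint8(flags & 0x000F),
		Answers:   binary.BigEndian.Uint16(buf[6:]),
		Size:      len(buf),
	}, nil
}

// OpenResolver: recursion offered, NOERROR and at least one answer.
func (v Verdict) OpenResolver() bool { return v.Recursive && v.RCode == 0 && v.Answers > 0 }

// Amplification is response bytes per query byte.
func (v Verdict) Amplification(query []byte) float64 { return float64(v.Size) / float64(len(query)) }

// Probe is the live network step; the constructed sample below never uses it.
func Probe(ip, name string, timeout time.Duration) (Verdict, error) {
	conn, err := net.DialTimeout("udp", net.JoinHostPort(ip, "53"), timeout)
	if err != nil {
		return Verdict{}, err
	}
	defer conn.Close()
	q := BuildQuery(0x1234, name)
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err = conn.Write(q); err != nil {
		return Verdict{}, err
	}
	buf := make([]byte, 4096) // EDNS0 replies can exceed 512 bytes
	n, err := conn.Read(buf)
	if err != nil {
		return Verdict{}, err
	}
	v, err := ParseResponse(buf[:n])
	if err == nil && v.ID != 0x1234 {
		err = errors.New("transaction ID mismatch") // reply is not ours
	}
	return v, err
}

// ConstructedOpenResponse: hand-built (not captured) reply to BuildQuery(0x1234, "example.com").
func ConstructedOpenResponse() []byte {
	resp := BuildQuery(0x1234, "example.com")
	binary.BigEndian.PutUint16(resp[2:], 0x8180) // QR=1 RD=1 RA=1 RCODE=0
	binary.BigEndian.PutUint16(resp[6:], 1)      // ANCOUNT=1
	return append(resp,
		0xC0, 0x0C, // NAME: pointer to the question at offset 12
		0, 1, 0, 1, // TYPE A, CLASS IN
		0, 0, 0x0E, 0x10, // TTL 3600
		0, 4, 192, 0, 2, 1) // RDLENGTH 4, RDATA 192.0.2.1 (TEST-NET)
}

func main() {
	q := BuildQuery(0x1234, "example.com")
	v, _ := ParseResponse(ConstructedOpenResponse()) // known-valid sample
	fmt.Printf("sample: open=%v rcode=%d amplification=%.2fx\n", v.OpenResolver(), v.RCode, v.Amplification(q))
}
```

Run it as is to see the classification of the constructed reply; to check a real address, call Probe(ip, "example.com", 2*time.Second) from main and only against resolvers you are allowed to test. The ratio reported by Amplification, which grows with EDNS0 and large records, is exactly what makes these servers attractive to a botnet.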

svch0st – Gate 2 – Backdoor

PDB: E:\SVN\trunk\2014\小陈\重构\IECtrl\Release\IECtrl.pdb

小陈 (“Xiao Chen”, a familiar way of addressing someone surnamed Chen) and 重构 (“refactoring”) are the Chinese parts of the path.

At last, GatesInstall drops the binary file C:\Program Files\DbSecuritySpt\svch0st.exe.

The original name of this file is IECtrl.exe. IECtrl is an independent tool also used by other malware (such as Win32:Wapomi-B).

It implements the backdoor functionalities of Win32.BillGates. This tool is identified by Microsoft as « Trojan:Win32/WebToos.B ».

DbSecuritySpt.exe passes a list of C&C server URLs as a parameter to IECtrl. IECtrl contains the logic to download, extract and execute payload from these URLs.

DNSSupport – Gate 3 – Spoofing utility

DNSSupport must be run as a service from the location C:\Program Files\Windows Media Player\DNSSupport.exe. Its behavior is simple: it is in charge of launching DNSProtection.exe and leaves the process in an infinite loop preventing the service from being stopped.

Spoofing utility


DNSProtection is a “spoofing utility” Gate. It is not functional in the analyzed sample. However, static analysis of the binary file allows drawing some conclusions about its internal behavior.

DNSProtection is used for hiding infection traces. It uses the rootkit Agony. Agony is composed of an executable (agony.exe) that loads and runs a driver (agony.sys). This rootkit was released in the wild some years ago. It is used for hiding files, services and network connections. This malware uses DNSProtection for hiding all dropped files (DNSSupport.exe, DNSProtection.exe, DbSecuritySpt.exe, agony.sys, agony.exe and svch0st.exe) and the connections to the C&C servers.


Agony.sys cannot be loaded on a 64-bit version of the operating system: 64-bit Windows enforces kernel-mode code signing and the driver is not signed.


The Win32.BillGates developers do not seem used to writing malware for the Windows operating system. They use crude techniques that anti-virus software easily detects, and the operating-system compatibility limits could easily have been avoided. This Windows port should not be as big a threat as the ELF version.

ELF structure compared with Windows version:

      • GatesInstall : Gate 0
      • DbSecuritySpt : Gate 1
      • Svch0st : Gate 2
      • DNSSupport / DNSProtection : Gate 3


During our analysis, we noticed some samples with strange behaviors (hooking, binary file infection, IRC connections, …). After further analysis, it appeared that these samples were infected by the Win32.Virut and Win32.Parite viruses. Virut and Parite are file infectors that infect ‘.exe’ and ‘.scr’ Windows binaries on disk. It is possible that the crooks using BillGates are working from infected systems.

This may also explain why a lot of Win32.Parite cleaning tools were found on several working BillGates C&C servers we visited.

Here is a screenshot of such a tool:


About 30% of analyzed samples were infected by Win32.Parite and 20% by win32.Virut.



Some Win32.BillGates hashes:


Win32.BillGates infected by Win32.Virut:


Win32.BillGates infected by Win32.Parite:



      • Created files :
        • C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
        • C:\Program Files\DbSecuritySpt\svch0st.exe
        • C:\Program Files\Windows Media Player\agony.exe
        • C:\Program Files\Windows Media Player\agony.sys
        • C:\Program Files\Windows Media Player\DNSProtection.exe
        • C:\Program Files\Windows Media Player\DNSSupport.exe
        • C:\Program Files\DbSecuritySpt\NPF.sys
        • C:\Program Files\DbSecuritySpt\packet.dll
      • Created services:
        • DbSecuritySpt
        • DNSSupport
      • Running processes:
        • DbSecuritySpt
        • DNSSupport
        • DNSProtection
        • exe








Related works:

MalwareMustDie :