Monday, February 9, 2015

Linux.BackDoor.XNote.1 indicators

We continue to see a variety of Linux ELF malware, particularly those focused on DDoS.
Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog:

Today, DrWeb wrote about a multipurpose Linux ELF called 'xnote' that opens a backdoor on the compromised host. The host is then used for a variety of functions, including as a DDoS bot.
The DrWeb posts provide a very good analysis of the malware and its overall structure.

We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.
The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.

Upon execution, we observed the sample contacting a DNS server on with queries for the following domains:

The same IP address was returned for each query.

In our run, the malicious 'xnote' process had process ID 1303. Using 'volatility' to map the process memory, we noted:
Volatility Foundation Volatility Framework 2.4
Pid  Start      End        Flags Pgoff    Major Minor Inode  Path              
1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
1303  0x8048000  0x81ba000 r-x        0x0     0     0      0                   
1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0                   
1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]            
1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]            
1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]

Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.
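As an added example (not code from the post or from DrWeb's analysis), the following Python parses the Volatility 2.4 `linux_proc_maps` table shown above, picks out the writable segments that are worth dumping, and then scans a dumped segment for the kind of artifacts recovered here: domain names and dotted-quad addresses. The segment bytes are a constructed stand-in built inline (the `.invalid` names and the 192.0.2.0/24 TEST-NET address are placeholders, not indicators from the sample); in practice you would read the file written by Volatility's `linux_dump_map` plugin for the chosen segment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Volatility 2.4 linux_proc_maps output for the xnote process, copied from the
# write-up above and used as the sample input for the parser.
PROC_MAPS = """\
Volatility Foundation Volatility Framework 2.4
Pid  Start      End        Flags Pgoff    Major Minor Inode  Path
1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
1303  0x8048000  0x81ba000 r-x        0x0     0     0      0
1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0
1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]
1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]
1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]
"""


@dataclass
class Mapping:
    pid: int
    start: int
    end: int
    flags: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_proc_maps(text: str, pid: Optional[int] = None) -> List[Mapping]:
    """Parse the plugin table. Banner and header lines are skipped because
    their first column is not a number; rows without a Path get ''."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].isdigit():
            continue
        row_pid = int(parts[0])
        if pid is not None and row_pid != pid:
            continue
        path = parts[8] if len(parts) > 8 else ""
        rows.append(Mapping(row_pid, int(parts[1], 16), int(parts[2], 16), parts[3], path))
    return rows


def writable_segments(maps: List[Mapping]) -> List[Mapping]:
    """Writable regions (the rwx data segment, [heap] and [stack]) are where
    runtime artifacts such as decoded C2 names and resolver answers end up."""
    return [m for m in maps if "w" in m.flags]


# Constructed stand-in for a dumped segment: a few NUL-terminated strings
# surrounded by ELF-looking bytes. Placeholder values only.
SAMPLE_SEGMENT = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"c2.example.invalid\x00"
    + b"192.0.2.10\x00"
    + b"libc.so.6\x00"          # shared-object name: must NOT be reported as a domain
    + b"/home/mattyh/xnote\x00"
    + b"update.example.invalid\x00"
    + b"999.1.1.1\x00"          # looks like an IP but has an out-of-range octet
    + b"\x00" * 16
)

# A domain is two or more labels with an alphabetic top-level label, and must not
# continue into more dot/label characters (so 'libc.so.6' yields nothing).
_DOMAIN_RE = re.compile(
    rb"(?<![a-z0-9.-])(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}(?![a-z0-9.-])", re.IGNORECASE)
_IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_indicators(data: bytes) -> Dict[str, List[str]]:
    """Return sorted, de-duplicated domain names and valid IPv4 literals found in a segment."""
    domains = {m.group().decode("ascii").lower() for m in _DOMAIN_RE.finditer(data)}
    ips = set()
    for m in _IPV4_RE.finditer(data):
        if all(int(octet) <= 255 for octet in m.group().split(b".")):
            ips.add(m.group().decode("ascii"))
    return {"domains": sorted(domains), "ipv4": sorted(ips)}


if __name__ == "__main__":
    for seg in writable_segments(parse_proc_maps(PROC_MAPS, pid=1303)):
        print(f"dump candidate: {seg.start:#x}-{seg.end:#x} ({seg.size} bytes) {seg.path}")
    print(extract_indicators(SAMPLE_SEGMENT))
```

Matches still need an analyst's eye: a string like a vendor's update host or a hardcoded resolver address looks identical to a C2 name in a raw dump, so cross-check anything recovered against the DNS traffic actually observed, as the post does below.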
Domain and IP Information:

It is interesting to note that the domain "" has been seen before in other Linux ELF malware.
  • Note this post to an Ubuntu forum from May 2014, where the subdomains '' and '' were noted in a running process on a compromised Ubuntu host.
  • Malware Must Die posted an analysis of the Linux iptablex malware where these domains were also seen:
  • Via VirusTotal searches, we find related malware to these domains:

Passive DNS information from Farsight Security's DNSDB shows that the only current DNS records for IP address are: A

Additional information from DNSDB for the domain

count 54
first seen in zone file 2014-11-12 17:13:42 -0000
last seen in zone file 2015-01-13 17:23:33 -0000 NS NS NS

count 329
first seen in zone file 2013-12-17 17:13:33 -0000
last seen in zone file 2014-11-11 17:12:29 -0000 NS NS NS

Note that the malware uses a hardcoded DNS server on to provide all domain resolution. This is a public DNS server based in China, with its web page at

whois -

inetnum: -
netname:        XFInfo
descr:          NanJing XinFeng Information Technologies, Inc.
descr:          Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road
descr:          Xuanwu District, Nanjing, Jiangsu, China
country:        CN
irt:            IRT-CNNIC-CN
address:        Beijing, China

person:         Yan Jian
nic-hdl:        YJ1777-AP

person:         Zhao Zhenping
nic-hdl:        ZZ2094-AP


inetnum: -
netname:        TOINTER-CN
descr:          Royal Network Technology Co., Ltd. in Guangzhou
country:        HK
admin-c:        WX2631-AP
tech-c:         WX2631-AP
mnt-by:         MAINT-CN-TOINTER122
mnt-irt:        IRT-TOINTER-CN
changed: 20150112
source:         APNIC

irt:            IRT-TOINTER-CN
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360
admin-c:        RNTC1-AP
tech-c:         RNTC1-AP
auth:           # Filtered
mnt-by:         MAINT-TOINTER-CN
changed: 20140919
source:         APNIC

person:         Wei XeiJun
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533
country:        CN
phone:          +86.1234567890
nic-hdl:        WX2631-AP
mnt-by:         MAINT-TOINTER-CN
changed: 20150111

'whois' for Domain

Domain Name: ET2046.COM
Registry Domain ID: 1762221508_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Update Date: 2014-08-25T06:58:17Z
Creation Date: 2012-11-27T14:02:55Z
Registrar Registration Expiration Date: 2016-11-27T14:02:55Z
Registrar:, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.480-624-2505

Registry Registrant ID: 
Registrant Name: smaina smaina
Registrant Organization: 
Registrant Street: Beijing
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: China
Registrant Phone: +86.18622222222
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email:

(Uses same password scheme as Contagio.  Ping me or Mila for details if needed)

Thursday, February 5, 2015

Library of Malware Traffic Patterns

Update February 2015 
Use the new link below for a new interface and updates.

Traffic analysis has long been a primary method of malware identification, and the thousands of IDS signatures developed are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well-designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, with information from open sources. We decided others might find it useful too.

Click on the column headers to see recent entries. Use other column headers to sort as needed. Wait a few seconds for the table to load from the Google Sheet. URI and User-Agent fields might have spaces for easier cell wrapping. Remove them if you export the data.
Yes, you can download samples mentioned in the spreadsheet. See the "dl" column in the full spreadsheet table and the corresponding links to the download location. Use the "Contagio" password scheme (email Mila or admin at
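To show how rows of the kind kept in the spreadsheet (family, method, URI, User-Agent) turn into a simple matcher over proxy logs, here is an added Python example; it is not the library's own tooling, and both the pattern rows and the log lines are constructed placeholders rather than entries exported from the sheet. It also handles the wrapping spaces mentioned above by comparing URI and User-Agent values with all whitespace removed.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed pattern rows in the shape of the sheet's columns. The family names,
# URIs and User-Agents are placeholders for illustration, not real signatures.
# A '*' in a URI is a wildcard; "ua": None means any User-Agent is accepted.
PATTERNS = [
    {"family": "FamilyA-example", "method": "GET",
     "uri": "/gate. php?id=",                      # wrapping space, as exported from the sheet
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"family": "FamilyB-example", "method": "POST",
     "uri": "/image. php", "ua": None},
]

# Constructed proxy log lines: timestamp, client, method, URL, quoted User-Agent.
LOGS = [
    '2015-02-05T10:00:01Z 10.0.0.5 GET http://c2.example.invalid/gate.php?id=1234 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2015-02-05T10:00:02Z 10.0.0.7 POST http://drop.example.invalid/image.php '
    '"Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"',
    '2015-02-05T10:00:03Z 10.0.0.9 GET http://www.example.com/index.html '
    '"Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"',
]

_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def squash(text: str) -> str:
    """Drop all whitespace, so a sheet value like '/gate. php?id=' compares
    equal to the on-the-wire '/gate.php?id='."""
    return "".join(text.split())


def uri_regex(pattern: str):
    """Literal match on the squashed pattern, with '*' as a wildcard."""
    return re.compile(".*".join(re.escape(piece) for piece in squash(pattern).split("*")))


def match_request(method: str, url: str, ua: str, patterns=PATTERNS) -> Optional[str]:
    """Return the first family whose method, URI and (optional) User-Agent all match."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    for p in patterns:
        if p["method"] != method:
            continue
        if not uri_regex(p["uri"]).search(path):
            continue
        if p["ua"] is not None and squash(p["ua"]) != squash(ua):
            continue
        return p["family"]
    return None


def classify(lines: List[str], patterns=PATTERNS) -> List[Optional[str]]:
    """One result per log line: the matched family, or None (also for unparsable lines)."""
    results = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            results.append(None)
            continue
        _, _, method, url, ua = m.groups()
        results.append(match_request(method, url, ua, patterns))
    return results


if __name__ == "__main__":
    for line, family in zip(LOGS, classify(LOGS)):
        print(f"{family or '-':18} {line.split()[2]} {line.split()[3]}")
```

Substring matching on the URI and exact matching on the User-Agent mirrors how such rows are usually read by eye; a production rule would add the host, the request size or timing, and a verdict from the sample itself, since a bare URI pattern like a common PHP filename will collide with legitimate traffic.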
Image credit: Jay Walker Library. Src.Vancouversun


 List of malware families and available downloads for their samples, pcaps (click on the link above for the full post)