Monday, February 9, 2015

Linux.BackDoor.XNote.1 indicators

We continue to see a variety of Linux ELF malware, particularly those focused on DDoS.
Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog:

Today, DrWeb wrote about a multipurpose Linux ELF called 'xnote', that opens a backdoor on the compromised host.  The host is then used for a variety of functions, including as a DDoS bot.
The DrWeb posts provide a very good analysis of the malware and its overall structure.

We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.
The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.

Upon execution, we noted the sample contact a DNS server on with queries for the following domains:

For each query, IP address was returned for each of them.

In our run, the malicious 'xnote' process was noted to have process ID of 1303. Using 'volatility' to map information about the process memory, we noted:
Volatility Foundation Volatility Framework 2.4
Pid  Start      End        Flags Pgoff    Major Minor Inode  Path              
1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
1303  0x8048000  0x81ba000 r-x        0x0     0     0      0                   
1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0                   
1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]            
1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]            
1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]

Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.



Domain and IP Information:

It is interesting to note that the domain "" has been seen before in other Linux ELF malware.
  • Note this post to an Ubuntu forum from May, 2014 where the subdomains '' and '' were noted in a running process on a compromised Ubuntu host.
  • Malware Must Die posted an analysis of the Linux iptablex malware where these domains were also seen:
  • Via VirusTotal searches, we find related malware to these domains:

Obtaining Passive DNS information from FarSight Security's DNSDB, we see that currently for IP address the only DNS records are: A

Additional information from DNSDB for the domain

count 54
first seen in zone file 2014-11-12 17:13:42 -0000
last seen in zone file 2015-01-13 17:23:33 -0000 NS NS NS

count 329
first seen in zone file 2013-12-17 17:13:33 -0000
last seen in zone file 2014-11-11 17:12:29 -0000 NS NS NS

Note that the malware uses a hardcoded DNS server on to provide all domain resolution.   This is a public DNS server based in China, with its web page at

whois -

inetnum: -
netname:        XFInfo
descr:          NanJing XinFeng Information Technologies, Inc.
descr:          Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road
descr:          Xuanwu District, Nanjing, Jiangsu, China
country:        CN
irt:            IRT-CNNIC-CN
address:        Beijing, China

person:         Yan Jian
nic-hdl:        YJ1777-AP

person:         Zhao Zhenping
nic-hdl:        ZZ2094-AP


inetnum: -
netname:        TOINTER-CN
descr:          Royal Network Technology Co., Ltd. in Guangzhou
country:        HK
admin-c:        WX2631-AP
tech-c:         WX2631-AP
mnt-by:         MAINT-CN-TOINTER122
mnt-irt:        IRT-TOINTER-CN
changed: 20150112
source:         APNIC

irt:            IRT-TOINTER-CN
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360
admin-c:        RNTC1-AP
tech-c:         RNTC1-AP
auth:           # Filtered
mnt-by:         MAINT-TOINTER-CN
changed: 20140919
source:         APNIC

person:         Wei XeiJun
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533
country:        CN
phone:          +86.1234567890
nic-hdl:        WX2631-AP
mnt-by:         MAINT-TOINTER-CN
changed: 20150111

'whois' for Domain

Domain Name: ET2046.COM
Registry Domain ID: 1762221508_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Update Date: 2014-08-25T06:58:17Z
Creation Date: 2012-11-27T14:02:55Z
Registrar Registration Expiration Date: 2016-11-27T14:02:55Z
Registrar:, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.480-624-2505

Registry Registrant ID: 
Registrant Name: smaina smaina
Registrant Organization: 
Registrant Street: Beijing
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: China
Registrant Phone: +86.18622222222
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email:

(Uses same password scheme as Contagio.  Ping me or Mila for details if needed)

No comments:

Post a Comment