Monday, February 9, 2015

Linux.BackDoor.XNote.1 indicators

We continue to see a variety of Linux ELF malware, particularly those focused on DDoS.
Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog: http://blog.malwaremustdie.org/

Today, DrWeb wrote about a multipurpose Linux ELF called 'xnote' that opens a backdoor on the compromised host. The host is then used for a variety of functions, including as a DDoS bot.
The DrWeb posts provide a very good analysis of the malware and its overall structure.
http://news.drweb.com/show/?i=9272&lng=en&c=5
http://vms.drweb.com/virus/?i=4323517

We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.
The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.

Upon execution, we observed the sample contacting a DNS server at 114.114.114.114 with queries for the following domains:

  • a.et2046.com
  • b.et2046.com
  • c.et2046.com
Each query returned the IP address 122.10.85.54.

In our run, the malicious 'xnote' process had process ID 1303. Using Volatility to map the memory regions of that process, we noted:
Volatility Foundation Volatility Framework 2.4
Pid  Start      End        Flags Pgoff    Major Minor Inode  Path              
1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
1303  0x8048000  0x81ba000 r-x        0x0     0     0      0                   
1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0                   
1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]            
1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]            
1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]
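
As an added example (not code from the original post or from DrWeb's analysis), the following Python parses the Volatility process map output above and flags the regions a memory-forensics triage would look at first: executable regions that are also writable, and executable regions with no backing file. It generalizes beyond the single process shown to any map listing in this format; the embedded table is a constructed copy of the output above.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the Volatility process map output for pid 1303 shown above.
MAPS_OUTPUT = """\
Pid  Start      End        Flags Pgoff    Major Minor Inode  Path
1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
1303  0x8048000  0x81ba000 r-x        0x0     0     0      0
1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0
1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]
1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]
1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]
"""

# One data row: pid, start, end, flags, pgoff, major, minor, inode, optional path.
ROW_RE = re.compile(
    r"^(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([rwx-]{3})\s+0x[0-9a-f]+"
    r"\s+\d+\s+\d+\s+(\d+)\s*(\S.*)?$"
)

def parse_maps(text: str) -> List[Dict]:
    """Turn the table into dicts; header and banner lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            pid, start, end, flags, inode, path = m.groups()
            regions.append({"pid": int(pid), "start": int(start, 16),
                            "end": int(end, 16), "flags": flags,
                            "inode": int(inode), "path": (path or "").strip()})
    return regions

def suspicious_regions(regions: List[Dict]) -> List[Tuple[str, str, str, List[str]]]:
    """Triage heuristic: W+X regions, and executable regions not backed by a file
    (the kernel's [vdso] page is expected and skipped)."""
    flagged = []
    for r in regions:
        if "x" not in r["flags"] or r["path"] == "[vdso]":
            continue
        reasons = []
        if "w" in r["flags"]:
            reasons.append("writable+executable")
        if r["inode"] == 0 and not r["path"].startswith("["):
            reasons.append("executable but not file-backed")
        if reasons:
            flagged.append((hex(r["start"]), hex(r["end"]), r["path"], reasons))
    return flagged

if __name__ == "__main__":
    for start, end, path, reasons in suspicious_regions(parse_maps(MAPS_OUTPUT)):
        print(start, end, path or "<anonymous>", ", ".join(reasons))
```

Run against the table above it reports the anonymous r-x region at 0x8048000, the rwx region that follows it, and the executable heap and stack.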

Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.

XXXXXXXXXXXXXXXX122.10.85.54
a.et2046.com
b.et2046.com
c.et2046.com
e.et2046.com
test
CAk[S
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
.,-+xX0123456789abcdef0123456789ABCDEF-+xX0123456789abcdefABCDEF
-0123456789

-0123456789


Domain and IP Information:

It is interesting to note that the domain "et2046.com" has been seen before in other Linux ELF malware.
  • Note this post to an Ubuntu forum from May 2014, where the subdomains 'kill.et2046.com' and 'sb.et2046.com' were noted in a running process on a compromised Ubuntu host.
  • Malware Must Die posted an analysis of the Linux iptablex malware where these domains were also seen:
  • Via VirusTotal searches, we find malware related to these domains:


Passive DNS data from Farsight Security's DNSDB shows that the only DNS record currently associated with IP address 122.10.85.54 is:

www.qtol.tv. A 122.10.85.54

Additional information from DNSDB for the domain et2046.com:

count 54
first seen in zone file 2014-11-12 17:13:42 -0000
last seen in zone file 2015-01-13 17:23:33 -0000
et2046.com. NS a.dnspod.com.
et2046.com. NS b.dnspod.com.
et2046.com. NS c.dnspod.com.


count 329
first seen in zone file 2013-12-17 17:13:33 -0000
last seen in zone file 2014-11-11 17:12:29 -0000
et2046.com. NS ns155.dnsever.com.
et2046.com. NS ns165.dnsever.com.
et2046.com. NS ns179.dnsever.com

Note that the malware uses a hardcoded DNS server at 114.114.114.114 for all domain resolution. This is a public DNS server based in China, with its web page at www.114dns.com.
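
An added detection example, not part of the original post: Python that runs the indicators above (the et2046.com zone, the resolved address 122.10.85.54, and queries sent directly to the hardcoded resolver 114.114.114.114 instead of the site's own resolver) over DNS log records in a constructed format. The approved resolver 10.0.0.2 and the sample records are assumptions made for the example.

```python
from typing import List, Optional, Tuple

# Indicators taken from the write-up above.
C2_DOMAIN = "et2046.com"
C2_IP = "122.10.85.54"
HARDCODED_RESOLVER = "114.114.114.114"
# Assumed for this example: the site's own resolver; any other destination is a bypass.
APPROVED_RESOLVERS = {"10.0.0.2"}

def in_c2_zone(name: str) -> bool:
    """True for et2046.com itself and any subdomain (a., b., c., e., ...)."""
    name = name.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def check_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    # Constructed record format: "<ts> <client> <resolver> <query> <answer>"
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, resolver, query, answer = fields
    reasons = []
    if in_c2_zone(query):
        reasons.append("query for xnote C2 zone: " + query)
    if answer == C2_IP:
        reasons.append("answer is xnote C2 address " + C2_IP)
    if resolver == HARDCODED_RESOLVER and resolver not in APPROVED_RESOLVERS:
        reasons.append("sent straight to hardcoded resolver " + resolver)
    return (ts, src, reasons) if reasons else None

def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    hits = []
    for line in log_text.splitlines():
        if line.strip() and not line.startswith("#"):
            hit = check_line(line)
            if hit:
                hits.append(hit)
    return hits

# Constructed sample log, not real traffic; the last record must not match.
SAMPLE_LOG = """\
# ts client resolver query answer
2015-02-09T10:01:02Z 10.0.0.5 114.114.114.114 a.et2046.com 122.10.85.54
2015-02-09T10:01:03Z 10.0.0.6 10.0.0.2 www.example.com 93.184.216.34
2015-02-09T10:01:05Z 10.0.0.9 10.0.0.2 www.qtol.tv 122.10.85.54
2015-02-09T10:02:00Z 10.0.0.7 114.114.114.114 c.et2046.com 122.10.85.54
2015-02-09T10:02:30Z 10.0.0.8 10.0.0.2 et2046.com.evil.test 203.0.113.9
"""
if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(ts, src, "; ".join(reasons))
```

The www.qtol.tv record is reported only because of its answer, which is the weaker of the three indicators; the zone and resolver checks are what single out the infected hosts.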



whois - 114.114.114.114

inetnum:        114.114.0.0 - 114.114.255.255
netname:        XFInfo
descr:          NanJing XinFeng Information Technologies, Inc.
descr:          Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road
descr:          Xuanwu District, Nanjing, Jiangsu, China
country:        CN
irt:            IRT-CNNIC-CN
address:        Beijing, China
e-mail:         ipas@cnnic.cn
abuse-mailbox:  ipas@cnnic.cn

person:         Yan Jian
nic-hdl:        YJ1777-AP
e-mail:         jyan@greatbit.com

person:         Zhao Zhenping
nic-hdl:        ZZ2094-AP
e-mail:         ping@greatbit.com

whois - 122.10.85.54

inetnum:        122.10.80.0 - 122.10.95.255
netname:        TOINTER-CN
descr:          Royal Network Technology Co., Ltd. in Guangzhou
country:        HK
admin-c:        WX2631-AP
tech-c:         WX2631-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-TOINTER122
mnt-irt:        IRT-TOINTER-CN
changed:        tengdayx@gmail.com 20150112
source:         APNIC

irt:            IRT-TOINTER-CN
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360
e-mail:         abuse@gzroyal.cn
abuse-mailbox:  abuse@gzroyal.cn
admin-c:        RNTC1-AP
tech-c:         RNTC1-AP
auth:           # Filtered
mnt-by:         MAINT-TOINTER-CN
changed:        hm-changed@apnic.net 20140919
source:         APNIC

person:         Wei XeiJun
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533
country:        CN
phone:          +86.1234567890
e-mail:         tengdayx@qq.com
nic-hdl:        WX2631-AP
mnt-by:         MAINT-TOINTER-CN
changed:        tengdayx@qq.com 20150111


'whois' for Domain et2046.com

Domain Name: ET2046.COM
Registry Domain ID: 1762221508_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-08-25T06:58:17Z
Creation Date: 2012-11-27T14:02:55Z
Registrar Registration Expiration Date: 2016-11-27T14:02:55Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505

Registry Registrant ID: 
Registrant Name: smaina smaina
Registrant Organization: 
Registrant Street: Beijing
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: China
Registrant Phone: +86.18622222222
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: tuhao550@gmail.com


-----------------------------------------------------------------------------------------------------------------------
(Uses same password scheme as Contagio.  Ping me or Mila for details if needed)
