Linux Malware Research List

This is the copy for what had been posted in blog2.malwaremustdie.org [link] on:

Hello, as you may have already noticed, this is the new MalwareMustDie blog. From now on I will write not in HTML but in Liquid, Ruby and Markdown (which is so nice!). Thank you to the Jekyll team for the great platform; within less than a day all of the Blogger data was migrated successfully to this new blog, and the rest is just adjustment, which hopefully will not lose any links from the previous blog. There are many minor beautifying tasks left, but I will be on them while writing new posts.

As I use FreeBSD, all of the new site development was done on it, which was not that smooth since many references are actually for Linux, but it is done! Maybe I will write it down after it is 100% complete. So, this is my first post with Markdown, and I am re-adjusting the post I wrote on reddit to add some hidden analysis links and fix dead URLs. Hope you enjoy this new blog!

Background

Recently Linux (ELF) malware is hitting us hard again, this time via vulnerable IoT platforms, and it is causing serious DDoS disasters. This type of threat (ELF Linux malware) is so seasonal: as long as there are exploitable services that allow executable code to be injected into their shell (i.e. Shellshock, PMA, Apache Struts, multiple CMS flaws, and now IoT telnet hardcoded credentials, etc.), the infection by these malware or botnets is always there, lurking at us.

I mean, when a new weak point in the services we use has just been exposed, whether the flaw is public and affects many platforms (as per the flaws I wrote above) or specific (i.e. what happened at the Linux xxxt site or what happened at the xxxnode IRC server), the bad guys race to pwn and infect as many of the affected victims as they can, who maybe (and mostly) didn't even realize that a new (or maybe known) vulnerability exists in their boxes. Some hackers wait patiently for the new flaw to be announced as a 0day, or close to it, some just use existing ones to aim at un-updated or unmanaged boxes, and a few write their own.

Hardening your servers and services, and developing a habit of always being fast to update, patch or work around any new flaw, is the way to avoid infection by these threats.

Reference

The general problem with a flaw is that we don't know when it will happen nor have any idea how wide the impact will be. Our internet and IT technology evolve along with new, faster and better specs every day; new systems, versions and platforms are born every day, and this is slowly leaving outdated devices, OSes and services behind. And even if we are good sysadmins, there will be a risk (I hope it is not going to happen) that we will see un-updated services get infected by unwanted objects. And when that time comes, what we hit first is mostly the web search, for information.

Reference is what we all need in order to handle an incident caused by Linux malware payloads. Compared to other threat platforms, Linux malware information is scattered and much of it is quite old. For that reason, even though it was painful to do, I have re-dumped the list of the Linux malware analyses that our team MalwareMustDie has done, with new links, so that maybe this list will help sysadmins or other good fellows to have quick browsing references during Linux malware incidents. As our operational form is not like an AntiVirus company or industry, the posts are mostly related to true incident response cases, and some of these were escalated to cyber crime cases too. I just hope it will be a good thing to share these as OSINT material too.

The list is as follows; some of them I wrote on the MalwareMustDie Blog, some are posts I initiated in the KernelMode forum, and several are from hidden posts **) that are safe to be shared now. Please feel free to bookmark, read, or use as reference (with a mention please):

  1. Tsunami/Kaiten [1]
  2. *) DNSAmp [1]
  3. *) LightAidra (Mod Zendran) [1]
  4. Elknot [1]
  5. Darkleech [1] [2] [3]
  6. *) Mayhem [1] [2]
  7. *) pscan & sshscan [1]
  8. *) IptabLex and IptabLes [1] [2]
  9. *) AES.DDoS [1] [2]
  10. *) GayFgt/Bashdoor & Tiny backdoor1 [1] [2] [3] [4] [5]
  11. *) XOR.DDoS [1] [2] [3]
  12. *) ChinaZ [1] [2] [3] [4]
  13. *) DES.Downloader [1]
  14. *) Linux/BillGates.Lite [1] [2] [3] [4] [5]
  15. Mr. Black [1] [2] [3]
  16. *) BangSYN (unixfreaxjp/MMD) [1]
  17. *) Golang ARMbot (unixfreaxjp/MMD) [1] [2] [3]
  18. *) Yangji (unixfreaxjp/MMD) [1]
  19. *) KDefend [1]
  20. *) SSHV [1]
  21. *) DDOS.TF [1]
  22. Torte [1]
  23. *) Tiny backdoor2 [1]
  24. *) KillFile (unixfreaxjp/MMD) [1]
  25. *) Dtool (unixfreaxjp/MMD) [1]
  26. BossaBot (found by Malekal) [1] [2] [3] [4] [5] [6]
  27. *) Mubot [1] [2]
  28. Skiddies VARIOUS DDOS’ers [1]
  29. STDBot [1] [2] [3] [4]
  30. PnScan [1]
  31. *) Mirai [1]
  32. *) Luabot [1]
  33. *) NyaDrop (Tiny backdoor3) & s_malware [1]
  34. *) IRCTelnet (New Aidra) [1]
  35. *) UDPfker [1]
  36. Linux Website Ransomware - Reversing (in Japanese) [1]
  37. OverkillMod / “EnergyMech 2.8 overkill mod” [1]

NOTE: If you have any Linux (ELF) malware or UNIX malware samples (send me anything: IRIX, SPARC Solaris, HPUX, anything), they can be uploaded via the menu in the sidebar of this blog.

LEGENDS:

  • *) ORIGINALLY first published dissected Linux malware analysis, mostly named by the MalwareMustDie team.
  • **) Several unreleased analyses exist for the open cyber crime cases, which cannot be published yet.

These are really hard work and effort, and you can use it as knowledge for your work freely. We don't ask for any form of payment at all, but please mention us and link to the related analysis if you use any of our material (including original terms we use) in your articles, essays, or news publications; as bound by our Legal Disclaimer, please kindly give us credit for these hard works.

Salutation

There are people who volunteered their hard work outside of their daily occupation in every analysis mentioned above, or on the platforms serving those analyses. Remember them; they deserve good credit for the quality work they spent their time on. Thanks for the contribution to InfoSec, for the long hours of work, help, support, pushing, reminding, howling :), yelling and advice on one or more of the analyses listed above.

Even though some of them are not with us anymore (we had a nice time together!), and there are many more than I can write down here, the contribution they made stays, for our safer internet.

.....ELFTeam:
wopot
wirehack7
benkow
yinetsys
shibumi
.....great thanks:
xylit0l (reverser god)
malwared (unix threat intelligence)
malmouse (threat manager)
sempersecurus (support in ELF analysis)
JC (You should try GIPC by JC)
genuix (our friend who always be there)
lvdijk 
.....support & helps from friends:
rjacksix & cephurs of WTF,MT (cool friendship by these world's #1 crackers)
AVTokyo (tessyjp,senueno,hack_japan,ucq,++)
twice & DrWeb team (this team means serious business in Linux)
kernelmode mods and ELF analysts friends
DHA (tinker,whiskeyneon,rainmaker,commander,++) < great guys+missing you all
France friends et BotConf ppl < cool event, must go!
+ others there are so many to mention.

Additionally, you may want to check the Linux malware section in KernelMode for other threats that are not covered by us. (Note: for personal reasons, I am not in the KM forum anymore.)

Thank you for reading, hope the info is useful; I will try to update it with recent ones.

unixfreaxjp/MMD - #MalwareMustDie!!