The source of the threat is AS40676 in Psychz Networks, but it seems 
like the actors are from the People's Republic of China. 

This malware will drop the initial config in the current directory from which it 
is executed:
readlink("/proc/[PID]/exe", "/[PATH]/MALWARE", 1024)
open("/[PATH]/MALWARENAME\\xmit.ini", O_RDWR)
unlink("/[PATH]/MALWARENAME\\xmit.ini")
open("/[PATH]/MALWARENAME\\xmit.ini", O_RDWR|O_CREAT|O_TRUNC, 0666)
write(3, 
"0\r\n192.168.x.xx:192.168.x.xx\r\n10000:60000\r\n\r\n0\r\n0:0:0\r\n", 55)
close(3)

It contains the grepped local ethernet address with the range of ports to be used 
for the outbound attack:
00000000 30 0d 0a 31 39 32 2e 31 36 38 2e 37 2e 32 31 3a |0..192.168.x.x:|
00000010 31 39 32 2e 31 36 38 2e 37 2e 32 31 0d 0a 31 30 |192.168.x.xx..10|
00000020 30 30 30 3a 36 30 30 30 30 0d 0a 0d 0a 30 0d 0a |000:60000....0..|
00000030 30 3a 30 3a 30 0d 0a |0:0:0..|

I reversed this malware and found that the code is a bit "raw" and unfinished 
in some parts, but the main TCP flood and backdoor functions look like they work. 
Unlike the old-fashioned previous version, which exhausted the system's 
resources, this malware runs and only takes about 30 of my CPU usage.

The way to mitigate is to secure the usage of libnss and never open SSH 
login for root or anyone with suid 0, and don't run FTP and Web services, 
or their components (webapps), that can be privilege-escalated to root. That 
way /tmp and the current directory of the infection will be the only 
workplace for such malware to operate in, and it is easier to clean and dissect.

I am sorry to post more links, but if you want to see the boring details, they are 
here: 
http://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html

I also recommend taking a look at this thread, 
http://www.linuxquestions.org/questions/linux-security-4/if-you-infected-by-any-of-these-recent-elf-malware-cases-please-contact-us-4175546925/
as it gives better info and more links to get a better understanding of ELF 
malware.

-- 
You received this message because you are subscribed to the Google Groups 
"NFORCEIT" group.
Visit this group at http://groups.google.com/group/nforceit.
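The strace and hexdump in the post above fully describe the layout of the dropped xmit.ini: six CRLF-terminated lines, with the local address pair on line 2 and the outbound source-port range on line 3. The following Python is an added triage example, not code from the post or from the malware author: it parses that layout and flags matching files in a directory listing. The field names for lines 1, 5 and 6 are assumptions (the post does not explain them), the sample address 192.168.0.10 is constructed in place of the redacted 192.168.x.xx, and the directory listing is constructed. Note that the strace shows the file name written as `MALWARENAME\xmit.ini`; on Linux the backslash is an ordinary filename character, so the dropped file literally carries that backslash in its name, which the matcher below accounts for.

```python
import ipaddress
from typing import Optional

# Constructed sample with the same layout as the xmit.ini the strace shows the
# dropper writing (six CRLF-terminated lines). The address pair is a made-up
# private address standing in for the redacted 192.168.x.xx in the post.
SAMPLE_XMIT_INI = b"0\r\n192.168.0.10:192.168.0.10\r\n10000:60000\r\n\r\n0\r\n0:0:0\r\n"


def parse_xmit_ini(data: bytes) -> Optional[dict]:
    """Parse a dropped xmit.ini into its fields, or return None if the layout
    does not match.

    Only the IP pair (line 2) and the port range (line 3) are identified in the
    post; the other field names here are assumptions and those lines are kept
    verbatim under 'unknown_*' keys.
    """
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    # The dropper writes a trailing CRLF; require it so that split() yields
    # exactly the six lines seen in the hexdump.
    if not text.endswith("\r\n"):
        return None
    lines = text[:-2].split("\r\n")
    if len(lines) != 6 or lines[3] != "":
        return None
    try:
        ip_lo, ip_hi = (ipaddress.ip_address(p) for p in lines[1].split(":"))
        port_lo, port_hi = (int(p) for p in lines[2].split(":"))
    except ValueError:
        # Not an A:B address pair or not an integer port pair.
        return None
    if not 0 < port_lo <= port_hi <= 65535:
        return None
    return {
        "unknown_flag_a": lines[0],
        "local_ip_range": (str(ip_lo), str(ip_hi)),
        "source_port_range": (port_lo, port_hi),
        "unknown_flag_b": lines[4],
        "unknown_triple": lines[5],
    }


def find_dropped_configs(entries):
    """Return (filename, parsed_fields) for entries that look like the dropped
    config.

    entries: iterable of (filename, contents) pairs, e.g. read from the
    directory the suspect binary was started from and from /tmp. The name may
    be 'xmit.ini' or '<binary>\\xmit.ini' with a literal backslash, as in the
    strace.
    """
    hits = []
    for name, contents in entries:
        base = name.rsplit("\\", 1)[-1]
        if base.lower() != "xmit.ini":
            continue
        parsed = parse_xmit_ini(contents)
        if parsed is not None:
            hits.append((name, parsed))
    return hits


# Constructed directory listing: one dropped config, one innocuous file and one
# xmit.ini whose content is an ordinary INI file rather than the malware layout.
CONSTRUCTED_LISTING = [
    ("malware_sample\\xmit.ini", SAMPLE_XMIT_INI),
    ("notes.txt", b"nothing to see\n"),
    ("xmit.ini", b"[section]\nkey=value\n"),
]

if __name__ == "__main__":
    for name, fields in find_dropped_configs(CONSTRUCTED_LISTING):
        print(name, fields)
```

The parser is deliberately strict (exact line count, blank fourth line, valid address pair, sane port range) so that an ordinary Windows-style xmit.ini with the same name is not reported; in an incident it also gives you the source-port range to look for in NetFlow or firewall logs from the infected host.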