If you are infected by any of these recent ELF malware cases, please contact us?
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am sure fellow server sysadmins know a bit about these malware; if you happen to have an infection incident, please comment on the above posts by sharing the infection details with us to handle on an IR basis.
I've been working in *NIX OS for 21 years now. I started MMD to fight malware of all kinds, but I did not see ELF malware being handled the same as the Windows ones, generally speaking.
I know how it feels to be a sysadmin since I've been one of you in the field, and I know how badly an ELF malware can ruin our weekdays or weekends too. I know how tight the budget is, and I also know how costly server-side protection is if we consider buying one, yet the information is so limited.
So I have dedicated most of my time to ELF recently, until the overall mitigation scheme works better.
The links I posted up there are recent cases of reports and analysis; the attack sources recently are mostly China, except Linux/Mayhem, which is Ukraine-based.
I saw the infection source or malware web panel and was surprised at the huge number of downloads, especially the ones that ride on the Shellshock infection scheme; this vulnerability really kicks. Also the Elasticsearch exploit and of course the weak SSH forced entries.
So I just think maybe there are more admins hit; this is why I asked. You can click on every link I posted safely, I mean no harm. If you can comment with your cases, it will be so wonderful.
We NEED more ways to mitigate the infection, like setting some directories under specific permissions, hardening SELinux on some points, running md5sum checks regularly for new changes in files, and so on.
Come on, friends, we cannot fight these alone; let's fight this bad stuff together.
MalwareMustDie
Last edited by malwaremustdie; 07-04-2015 at 09:51 AM.
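One way to do the regular checksum checks for new file changes that the post above asks for, as an added example that is not part of the original post or MalwareMustDie's tooling: a small Python baseline/diff tool. The directory layout in demo() is constructed for illustration; in practice the baseline would be saved off-host and compared on each run.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root to its size, mode bits and sha256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # skip symlinks: a planted link must not redirect the hash
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
                "sha256": sha256_file(full),
            }
    return baseline  # persist with json.dump() and reload on the next run

def diff_baseline(old, new):
    """Added/changed/removed paths; a mode change alone counts as changed."""
    return {
        "added": sorted(p for p in new if p not in old),
        "changed": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(p for p in old if p not in new),
    }

def demo():
    """Constructed scenario: baseline a tree, then drop a file and overwrite a binary."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"\x7fELF original")
    before = build_baseline(root)
    with open(os.path.join(root, "bin", "ls"), "wb") as f:  # trojaned binary
        f.write(b"\x7fELF patched")
    with open(os.path.join(root, "xmit.ini"), "w") as f:  # dropped config
        f.write("0\r\n")
    return diff_baseline(before, build_baseline(root))
```

Run build_baseline() on a clean host right after install, and treat any non-empty "added" or "changed" list on a later run as something to explain before the next reboot.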
Come on guys, be smart. The people of MalwareMustDie are great; they only want a more secure Linux and to stop China malware. I always read his blog. I'm a sysadmin in Mexico; we have some apps living in the Rackspace cloud. In January we noticed some strange binary and IP connections to China; finally we discovered that somebody infected us with an ELF using a Struts vulnerability in our JBoss app. This is the screenshot of the VirusTotal analysis: https://twitter.com/daniel_sal/statu...450181632?s=09
There is a good repository for Linux sysadmins to identify ELF malware.
It is a perfectly safe site; KernelMode is a community of malware researchers. I am a contributor to the repository too, together with well-known malware researchers.
You can browse these ELF topics shown in the link freely and read the information on what malware hit you, and some posts have good mitigation hints too, but you will need to subscribe to get the samples.
The source of the threat is AS40676 in Psychz Networks, but it seems like the actors are from the People's Republic of China.
This malware will drop the initial config in the current directory where it is executed:
Code:
readlink("/proc/[PID]/exe", "/[PATH]/MALWARE", 1024)
open("/[PATH]/MALWARENAME\\xmit.ini", O_RDWR)
unlink("/[PATH]/MALWARENAME\\xmit.ini")
open("/[PATH]/MALWARENAME\\xmit.ini", O_RDWR|O_CREAT|O_TRUNC, 0666)
write(3, "0\r\n192.168.x.xx:192.168.x.xx\r\n10000:60000\r\n\r\n0\r\n0:0:0\r\n", 55)
close(3)
which contains the grepped local Ethernet address with the range of ports to be used for the outbound attack:
Code:
00000000 30 0d 0a 31 39 32 2e 31 36 38 2e 37 2e 32 31 3a |0..192.168.x.x:|
00000010 31 39 32 2e 31 36 38 2e 37 2e 32 31 0d 0a 31 30 |192.168.x.xx..10|
00000020 30 30 30 3a 36 30 30 30 30 0d 0a 0d 0a 30 0d 0a |000:60000....0..|
00000030 30 3a 30 3a 30 0d 0a |0:0:0..|
I reversed this malware and found that the code is a bit "raw" and unfinished in some parts, but the main TCP flood and backdoor functions look like they work. Different from the old-fashioned previous version that exhausts the system resources, this malware runs and only takes about 30% of my CPU usage.
The way to mitigate is to secure the usage of libnss and never open SSH login for root or anyone with suid 0, or don't run FTP and web services, or their components (webapps), that can be privilege-escalated to root. That way the /tmp and current directory of the infection will be the only workplace for such malware to operate in, and it is easier to clean and dissect it.
The malware will connect via HTTP to aa.hostasa.org and perform command-and-control back connects to several IPs, called by their hostnames, summarized/recorded below:
Code:
aa.hostasa.org 23.234.60.143 // http downloads h00p://aa.hostasa.org/leg.rar
(is a Xor-ed ELF trojan/downloader malware, prev known as "g.rar")
ns1.hostasa.org 107.160.40.9 // cnc
ns2.hostasa.org 103.240.140.152 // cnc
ns3.hostasa.org 103.240.141.54 // cnc
ns4.hostasa.org 192.126.126.64 // cnc
;; AUTHORITY SECTION:
hostasa.org. 3600 IN NS ns1cnb.domain-resolution.net.
hostasa.org. 3600 IN NS ns4lny.domain-resolution.net.
hostasa.org. 3600 IN NS ns3cna.domain-resolution.net.
hostasa.org. 3600 IN NS ns2dky.domain-resolution.net.
Some recent PoC of the backdoor/back connection to those CNCs:
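An added example, not the poster's own code, for pulling the fields out of the dropped xmit.ini shown in the strace and hexdump above and for locating such files on a suspect host. Only the local address pair and the port range are described in the post; the names given to the other fields are assumptions, and the sample bytes are constructed from the post's hexdump (which shows 192.168.7.21 behind the x.xx masking).

```python
import os
import re

# Constructed sample: the 55-byte write() from the strace, with the address
# taken from the hexdump in the post. Not captured from a live system.
SAMPLE_XMIT_INI = b"0\r\n192.168.7.21:192.168.7.21\r\n10000:60000\r\n\r\n0\r\n0:0:0\r\n"

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_xmit_ini(data):
    """Split the CRLF-delimited config into fields.

    Only local_addrs and port_range are documented in the post; the other
    field names are assumptions. Returns None when the layout does not
    match, so an unrelated xmit.ini is not misreported as this dropper's."""
    lines = data.decode("ascii", "replace").split("\r\n")
    if len(lines) < 6 or lines[3] != "":
        return None
    addrs = lines[1].split(":")
    ports = lines[2].split(":")
    if len(addrs) != 2 or not all(_IPV4.match(a) for a in addrs):
        return None
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        return None
    lo, hi = int(ports[0]), int(ports[1])
    if not 0 < lo <= hi <= 65535:
        return None
    return {
        "flag": lines[0],
        "local_addrs": tuple(addrs),
        "port_range": (lo, hi),
        "flag2": lines[4],
        "triple": lines[5],
    }

def find_xmit_ini(root):
    """Walk root for the dropped config. strace shows the name written as
    NAME\\xmit.ini; on Linux that backslash is part of the filename, which is
    itself a strong indicator, so both the bare and the backslash form match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "xmit.ini" or name.endswith("\\xmit.ini"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    hits.append((full, parse_xmit_ini(f.read(4096))))
    return hits
```

A parsed hit tells the responder which local interface address and source-port range the flooder was configured with, which is what to look for in NetFlow or firewall logs when scoping the outbound traffic.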
I wrote up a new ELF malicious activity, for a threat aimed at Linux, and it has a polymorphic method during infection.
This is a bit technical, but practically all of the analysis I just wrote was done on the bash shell; I jumped to a browser after I was about to post it. I think it is a thorough explanation combining reverse engineering, Linux kernel debugging and forensics (mostly memory data from /proc) for this simple analysis.
Why I announce it here too is because most samples of this threat (XOR.DDoS) that went into the signatures are from pre-infection and not post-infection, so if you conduct the scanning AFTER you get infected, there is a possibility that you get no detection, since the malware self-copied into another size and hash.
Please read; I hope it makes our POSIX-based OS safer from these attackers.