We continue to see a variety of Linux ELF malware, particularly samples focused on DDoS. Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog: http://blog.malwaremustdie.org/
Today, DrWeb wrote about a multipurpose Linux ELF called ‘xnote’, that opens a backdoor on the compromised host. The host is then used for a variety of functions, including as a DDoS bot.
The DrWeb posts provide a very good analysis of the malware and its overall structure.
We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.
The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.
Upon execution, we observed the sample contacting a DNS server at 184.108.40.206 with queries for the following domains:
For each of these queries, the IP address 220.127.116.11 was returned.
In our run, the malicious ‘xnote’ process had process ID 1303. Using ‘volatility’ to map the process memory, we noted:
Volatility Foundation Volatility Framework 2.4
Pid Start End Flags Pgoff Major Minor Inode Path
1303 0xc01000 0xc02000 r-x 0x0 8 1 405848 /home/mattyh/xnote
1303 0x8048000 0x81ba000 r-x 0x0 0 0 0
1303 0x81ba000 0x81c4000 rwx 0x0 0 0 0
1303 0xa137000 0xa158000 rwx 0x0 0 0 0 [heap]
1303 0xb78b6000 0xb78b7000 r-x 0x0 0 0 0 [vdso]
1303 0xbf843000 0xbf859000 rwx 0x0 0 0 0 [stack]
Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.
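To decide which of the mappings above are worth dumping, the following added example (not part of the original post, written for this write-up) parses the Volatility linux_proc_maps output shown above and flags writable-and-executable regions and executable regions with no backing file (inode 0), excluding [vdso]; the input text is a constructed copy of the listing:

```python
from dataclasses import dataclass

# Constructed copy of the linux_proc_maps listing shown above (Volatility 2.4 layout).
PROC_MAPS = """\
Volatility Foundation Volatility Framework 2.4
Pid Start End Flags Pgoff Major Minor Inode Path
1303 0xc01000 0xc02000 r-x 0x0 8 1 405848 /home/mattyh/xnote
1303 0x8048000 0x81ba000 r-x 0x0 0 0 0
1303 0x81ba000 0x81c4000 rwx 0x0 0 0 0
1303 0xa137000 0xa158000 rwx 0x0 0 0 0 [heap]
1303 0xb78b6000 0xb78b7000 r-x 0x0 0 0 0 [vdso]
1303 0xbf843000 0xbf859000 rwx 0x0 0 0 0 [stack]
"""

@dataclass
class Segment:
    pid: int
    start: int
    end: int
    flags: str
    inode: int
    path: str

    @property
    def size(self):
        return self.end - self.start

def parse_proc_maps(text):
    """Parse linux_proc_maps output into Segment records, skipping banner/header lines."""
    segs = []
    for line in text.splitlines():
        parts = line.split(None, 8)          # the optional path is the 9th field
        if len(parts) < 8 or not parts[0].isdigit():
            continue
        pid, start, end, flags, _pgoff, _major, _minor, inode = parts[:8]
        path = parts[8] if len(parts) == 9 else ""
        segs.append(Segment(int(pid), int(start, 16), int(end, 16), flags, int(inode), path))
    return segs

def suspicious_segments(segs):
    """Select mappings to dump first: writable+executable regions, and executable
    regions not backed by any file on disk (inode 0) other than the kernel's [vdso]."""
    hits = []
    for s in segs:
        wx = "w" in s.flags and "x" in s.flags
        unbacked_exec = "x" in s.flags and s.inode == 0 and s.path != "[vdso]"
        if wx or unbacked_exec:
            hits.append(s)
    return hits
```

On the listing above this selects the unbacked executable region at 0x8048000 plus the three rwx regions, which is where recovered strings such as the queried domains are most likely to live.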
Domain and IP Information:
It is interesting to note that the domain “et2046.com” has been seen before in other Linux ELF malware.
- Note this post to an Ubuntu forum from May 2014, where the subdomains ‘kill.et2046.com’ and ‘sb.et2046.com’ were seen in a running process on a compromised Ubuntu host.
- Malware Must Die posted an analysis of the Linux iptablex malware where these domains were also seen:
- Via VirusTotal searches, we find malware related to these domains:
Passive DNS information from Farsight Security’s DNSDB shows that, at the time of writing, the only DNS records for IP address 18.104.22.168 are:
www.qtol.tv. A 22.214.171.124
Additional information from DNSDB for the domain et2046.com:
first seen in zone file 2014-11-12 17:13:42 -0000
last seen in zone file 2015-01-13 17:23:33 -0000
et2046.com. NS a.dnspod.com.
et2046.com. NS b.dnspod.com.
et2046.com. NS c.dnspod.com.
first seen in zone file 2013-12-17 17:13:33 -0000
last seen in zone file 2014-11-11 17:12:29 -0000
et2046.com. NS ns155.dnsever.com.
et2046.com. NS ns165.dnsever.com.
et2046.com. NS ns179.dnsever.com
Note that the malware uses a hardcoded DNS server at 126.96.36.199 for all domain resolution. This is a public DNS server based in China, with its web page at www.114dns.com. Outbound DNS traffic to this address from a host whose configured resolver is elsewhere is therefore a useful network indicator.
whois – 188.8.131.52
inetnum: 184.108.40.206 – 220.127.116.11
descr: NanJing XinFeng Information Technologies, Inc.
descr: Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road
descr: Xuanwu District, Nanjing, Jiangsu, China
address: Beijing, China
person: Yan Jian
person: Zhao Zhenping
inetnum: 18.104.22.168 – 22.214.171.124
descr: Royal Network Technology Co., Ltd. in Guangzhou
status: ASSIGNED NON-PORTABLE
changed: email@example.com 20150112
address: Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360
auth: # Filtered
changed: firstname.lastname@example.org 20140919
person: Wei XeiJun
address: Liwan District of Guangzhou, Guangdong Fangcun West 533
changed: email@example.com 20150111
‘whois’ for Domain et2046.com
Domain Name: ET2046.COM
Registry Domain ID: 1762221508_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-08-25T06:58:17Z
Creation Date: 2012-11-27T14:02:55Z
Registrar Registration Expiration Date: 2016-11-27T14:02:55Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: firstname.lastname@example.org
Registrar Abuse Contact Phone: +1.480-624-2505
Registry Registrant ID:
Registrant Name: smaina smaina
Registrant Street: Beijing
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: China
Registrant Phone: +86.18622222222
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: email@example.com
(Uses same password scheme as Contagio. Ping me or Mila for details if needed)