Linux.BackDoor.XNote.1 indicators

We continue to see a variety of Linux ELF malware, particularly those focused on DDoS.
Over the past few years, the good folks at Malware Must Die have done an extensive study of ELF malware variants at their blog: http://blog.malwaremustdie.org/

Today, DrWeb wrote about a multipurpose Linux ELF called ‘xnote’, that opens a backdoor on the compromised host.  The host is then used for a variety of functions, including as a DDoS bot.
The DrWeb posts provide a very good analysis of the malware and its overall structure.
http://news.drweb.com/show/?i=9272&lng=en&c=5
http://vms.drweb.com/virus/?i=4323517

We decided to take a closer look at this sample in order to provide a few indicators that may be of interest.
The xnote sample we studied has MD5 hash f374d1561e553a4c5b803e1d9d15a34e.

Upon execution, we noted the sample contact a DNS server on 114.114.114.114 with queries for the following domains:

  • a.et2046.com
  • b.et2046.com
  • c.et2046.com

For each query, IP address 122.10.85.54 was returned for each of them.

In our run, the malicious ‘xnote’ process was noted to have process ID of 1303. Using ‘volatility‘ to map information about the process memory, we noted:
Volatility Foundation Volatility Framework 2.4
Pid  Start      End        Flags Pgoff    Major Minor Inode  Path              
1303   0xc01000   0xc02000 r-x        0x0     8     1 405848 /home/mattyh/xnote
1303  0x8048000  0x81ba000 r-x        0x0     0     0      0                   
1303  0x81ba000  0x81c4000 rwx        0x0     0     0      0                   
1303  0xa137000  0xa158000 rwx        0x0     0     0      0 [heap]            
1303 0xb78b6000 0xb78b7000 r-x        0x0     0     0      0 [vdso]            
1303 0xbf843000 0xbf859000 rwx        0x0     0     0      0 [stack]

Dumping the associated data from each segment, we were able to recover a few artifacts from the process, including the domains queried.

XXXXXXXXXXXXXXXX122.10.85.54
a.et2046.com
b.et2046.com
c.et2046.com
e.et2046.com
test
CAk[S
 !”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~
.,-+xX0123456789abcdef0123456789ABCDEF-+xX0123456789abcdefABCDEF
-0123456789

-0123456789

Domain and IP Information:

It is interesting to note that the domain “et2046.com” has been seen before in other Linux ELF malware.
  • Note this post to an Ubuntu forum from May, 2014 where the subdomains ‘kill.et2046.com‘ and ‘sb.et2046.com‘ were noted in a running process on a compromised Ubuntu host.
  • Malware Must Die posted an analysis of the Linux iptablex malware where these domains were also seen:
  • Via VirusTotal searches, we find related malware to these domains:
Obtaining Passive DNS information from FarSight Security’s DNSDB, we see that currently for IP address 122.10.85.54 the only DNS records are:

www.qtol.tv. A 122.10.85.54

Additional information from DNSDB for the domain et2046.com:

count 54
first seen in zone file 2014-11-12 17:13:42 -0000
last seen in zone file 2015-01-13 17:23:33 -0000
et2046.com. NS a.dnspod.com.
et2046.com. NS b.dnspod.com.
et2046.com. NS c.dnspod.com.


count 329
first seen in zone file 2013-12-17 17:13:33 -0000
last seen in zone file 2014-11-11 17:12:29 -0000
et2046.com. NS ns155.dnsever.com.
et2046.com. NS ns165.dnsever.com.
et2046.com. NS ns179.dnsever.com

Note that the malware uses a hardcoded DNS server on 114.114.114.114 to provide all domain resolution.   This is a public DNS server based in China, with its web page at www.114dns.com



whois – 114.114.114.114

inetnum:        114.114.0.0 – 114.114.255.255
netname:        XFInfo
descr:          NanJing XinFeng Information Technologies, Inc.
descr:          Room 207, Building 53, XiongMao Group, No.168 LongPanZhong Road
descr:          Xuanwu District, Nanjing, Jiangsu, China
country:        CN
irt:            IRT-
CNNIC-CN
address:        Beijing, China
e-mail:         ipas@cnnic.cn
abuse-mailbox:  ipas@cnnic.cn

person:         Yan Jian
nic-hdl:        YJ1777-AP
e-mail:         jyan@greatbit.com

person:         Zhao Zhenping
nic-hdl:        ZZ2094-AP
e-mail:         ping@greatbit.com

whois- 122.10.85.54

inetnum:        122.10.80.0 – 122.10.95.255
netname:        TOINTER-CN
descr:          Royal Network Technology Co., Ltd. in Guangzhou
country:        HK
admin-c:        WX2631-AP
tech-c:         WX2631-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-TOINTER122
mnt-irt:        IRT-TOINTER-CN
changed:        tengdayx@gmail.com 20150112
source:         APNIC

irt:            IRT-TOINTER-CN
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533, guangzhou guangdong 510360
e-mail:         abuse@gzroyal.cn
abuse-mailbox:  abuse@gzroyal.cn
admin-c:        RNTC1-AP
tech-c:         RNTC1-AP
auth:           # Filtered
mnt-by:         MAINT-TOINTER-CN
changed:        hm-changed@apnic.net 20140919
source:         APNIC

person:         Wei XeiJun
address:        Liwan District of Guangzhou, Guangdong Fangcun West 533
country:        CN
phone:          +86.1234567890
e-mail:         tengdayx@qq.com
nic-hdl:        WX2631-AP
mnt-by:         MAINT-TOINTER-CN
changed:        tengdayx@qq.com 20150111

‘whois’ for Domain et2046.com

Domain Name: ET2046.COM
Registry Domain ID: 1762221508_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-08-25T06:58:17Z
Creation Date: 2012-11-27T14:02:55Z
Registrar Registration Expiration Date: 2016-11-27T14:02:55Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505

Registry Registrant ID: 
Registrant Name: smaina smaina
Registrant Organization: 
Registrant Street: Beijing
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100080
Registrant Country: China
Registrant Phone: +86.18622222222
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: tuhao550@gmail.com
———————————————————————————————————————–
(Uses same password scheme as Contagio.  Ping me or Mila for details if needed)

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips