Linux/KillFile (alias Slexec)


Postby unixfreaxjp » Fri Jul 17, 2015 8:32 am

We call this variant Linux/KillFile because the original built ones have that name in their binaries:
But too bad these original trojans were infected by virus (Linux/RST) so I can not share it (dangerous).

But we have one sample that is in the wild just now. This sample was uploaded by the MalwareMustDie ELF team.
VT: https://www.virustotal.com/en/file/6e5d ... 437120536/
It was named by AV as slexec; whatever that means, we will stick to the original built name "killfile".

This Linux/KillFile binary camouflages itself as a bluetooth daemon and executes the downloaded ELF, then runs it while faking it as "Microsoft". It's a small trojan, using the hardcoded CNC as download source; the first compiled version looks to have been dated April 2014. The malware was used by Xor.DDoS by the time we spotted them.
More of Linux/KillFile's reversing pads can be found in our post here: http://blog.malwaremustdie.org/2015/07/ ... shock.html

It downloads a list of filename/process names to be killed and a list of file names to be run on the infected hosts.
The name "killfile" is also shown in the main function used to kill files (before running the malware file).

So I am sure someone else has already seen this malware variant before. Please feel free to help add more samples here. Thank you.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Linux/KillFile (alias Slexec)

Postby unixfreaxjp » Mon Jul 20, 2015 5:24 am

Two more samples, an x32 and an x64.

A quickie for the download servers, downloaded file info and the user-agent used:
IN .rodata:

0x0804A214 http://kill.et2046.com
0x0804A22B http://sb.et2046.com
0x0804A240 http://115.23.172.31
0x0804A276 /txt/kill.txt
0x0804A29A /txt/run.txt
0x0804A2B4 Accept: */*\r\nAccept-Language: zh-cn\r\nUA-CPU: x86\r\nAccept-Encoding: gzip, deflate\r\n
 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;SV1; TencentTraveler ;
 .NET CLR 1.1.4322)\r\n
0x0804A370 Connection: Keep-Alive\r\n\r\n
0x0804A38B http://
0x0804A394 GET %s HTTP/1.1\r\n%sHost: %s\r\n%s
0x0804A3B4 Content-Length:
0x0804A3C5 Content-length:
0x0804A3D6 \r\n\r\n

Samples: (poor detection ratio)
https://www.virustotal.com/en/file/6021 ... 437369029/
https://www.virustotal.com/en/file/a793 ... 437369085/
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89
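The .rodata listing above gives defenders everything needed for a quick static indicator check: two hardcoded download hosts plus an IP, the two fetch paths (kill.txt / run.txt) and a distinctive fake-IE user-agent string. The following Python script is an added example written for this thread, not code from the original post or from MalwareMustDie; it pulls printable strings out of an arbitrary binary the way `strings` does, matches them against the indicators quoted in the post, and returns a verdict. The sample blob embedded at the bottom is constructed for the demo (a fake ELF header plus the quoted strings); the function names are my own.

```python
import re

# Indicators taken verbatim from the .rodata listing in the post above.
# Grouped by what they tell us about the binary.
KILLFILE_INDICATORS = {
    "c2_host": [b"http://kill.et2046.com", b"http://sb.et2046.com", b"http://115.23.172.31"],
    "fetch_path": [b"/txt/kill.txt", b"/txt/run.txt"],
    "user_agent": [b"TencentTraveler", b"UA-CPU: x86", b"Accept-Language: zh-cn"],
}


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes (like `strings`).

    Note that the headers in .rodata contain literal CR/LF bytes, so the
    Accept/UA block is split into several runs rather than found as one string.
    """
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def match_indicators(blob):
    """Map each indicator category to the indicators actually present in blob."""
    strings = extract_strings(blob)
    found = {}
    for category, needles in KILLFILE_INDICATORS.items():
        hits = [n.decode() for n in needles if any(n in s for s in strings)]
        if hits:
            found[category] = hits
    return found


def classify(blob):
    """Verdict rule (my own, an assumption for this example):

    'killfile' needs at least one hardcoded C2 host AND one of the two fetch
    paths; the user-agent alone is too generic (it is a real IE6 UA string) and
    only yields 'suspicious'. Anything else is 'clean'.
    """
    found = match_indicators(blob)
    if "c2_host" in found and "fetch_path" in found:
        return "killfile", found
    if found:
        return "suspicious", found
    return "clean", found


# Constructed sample: a fake ELF header, filler, then the strings from the post
# with the literal CR/LF bytes the binary carries.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 25
    + b"http://kill.et2046.com\x00http://sb.et2046.com\x00http://115.23.172.31\x00"
    + b"/txt/kill.txt\x00/txt/run.txt\x00"
    + b"Accept: */*\r\nAccept-Language: zh-cn\r\nUA-CPU: x86\r\n"
    + b"Accept-Encoding: gzip, deflate\r\n"
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;SV1; TencentTraveler ;"
    + b" .NET CLR 1.1.4322)\r\n"
    + b"Connection: Keep-Alive\r\n\r\n"
    + b"GET %s HTTP/1.1\r\n%sHost: %s\r\n%s\x00"
)

# A second constructed blob: a benign-looking binary that merely reuses the
# same IE6 user-agent, which must NOT be flagged as KillFile.
BENIGN_BLOB = b"\x7fELF" + b"\x00" * 16 + b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; TencentTraveler ;\x00"


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BLOB), ("benign", BENIGN_BLOB)):
        verdict, hits = classify(blob)
        print(name, verdict, hits)
```

To use it on a real file, read it with `open(path, "rb").read()` and pass the bytes to `classify`; because the check is purely on strings it also works on the x32 and x64 builds alike, and it is deliberately conservative so a random binary embedding the same IE6 user-agent is not misclassified.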

Re: Linux/KillFile (alias Slexec)

Postby tWiCe » Wed Jul 22, 2015 2:09 pm

tWiCe
 
Posts: 49
Joined: Sat Jul 18, 2015 8:56 am
Reputation point: 25

