A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23948  by unixfreaxjp
 Sat Sep 20, 2014 6:07 pm
I am opening this topic of Linux/Yangji, a China's ELF backdoor (sending sensitive information), and doing malicious installation to an infected system. This malware often spotted accompanied to the infection of BillGates, IptabLes|x or Elknot.
It is a quite popular and spotted to more than 5 cases now, so I decided to write in here.
The x32 and x64 version of the latest fresh sample (not the first ones) is as per below VT (uploaded):
x32: https://www.virustotal.com/en/file/6938 ... 411230624/
x64: https://www.virustotal.com/en/file/8cda ... 411230658/
Some reversing highlights I wrote (in a hurry) in VT comment.
You do not have the required permissions to view the files attached to this post.
 #23950  by EP_X0FF
 Sun Sep 21, 2014 3:59 am
Thank you for sharing. List of linux malware updated.

BTW what is the most prevalent malware architecture regarding to *NIX world? x86, x64, ARM?
 #23953  by unixfreaxjp
 Sun Sep 21, 2014 5:32 am
EP_X0FF wrote:BTW what is the most prevalent malware architecture regarding to *NIX world? x86, x64, ARM?
Thank's for the updates. I am trying to answer the question from my professional perspective:

If we are talking about "recent" *NIX malware scope. There are two streams, malware that aim weak vulnerable servers (with the zerodays possibility intact), and malware that aim weak routers (with the zerodays possibility intact).
Depends on the purpose of the malware. If the malware crook is aiming for big botnet scheme on rapid mass-infection traffic by attacking/infecting servers with weak CMS/WebApps via malicious automation tools/UI, then they will aim servers with CMS (PHP/Perl) flaw or etc auth-related service flaws (xxxPanel, Struts2, xxSQL), then they will mostly aiming x64 and x32, then AMD(64) architectures. These specs are following the range of architecture specification used for up+alive world-wide used VPS services (aka Cloud etc etc devices)

For the DDoS'er or backdoors, like the IRC bots based DDoS'er/port-scanner ELF; or ; like what China malware crooks are doing recently, they aim Servers AND Routers too. In routers version, they mostly aim SOHO but also middle spec that runs *NIX. These routers malware spotted binaries are aiming the architectures like: ARM (biggest), MIPS (2nd), PPC (3rd), MIPSEL (4th) and SH/SuperH (5th).

By volume, x64 and x32 is majority in overall. Since it is the current statistic. Good thing is, the scanner for these products are available (I dont say effective though). There are also malware & boot/rootkits aiming Sparc, HPUX & AIX, but these are minor cases

By risk, MIPS, ARM, PPC routers are also potentially severe targets since majority of the *NIX online devices are routers using these platform, this research is explaining a lot of aspect of vulnerability in the sector of routers.

Additionally, by purpose. Eliminating the common function like backdoors & botnets, NIX malware are used for: (1) mass PC malware traffic infection, (2) port/vulnerability scanning, (3) service login brute attacks, (4) DDoS attack, (5) Bitcoin mining, (6) traffic sniffer/spy (minor), etc..

I know what most of you are thinking about MIPS/PPC/ARM routers. No kidding, the crooks are seeing this too now.. Think it this way: routers device are in effective average supported with update like 5 years (if you buy a new release one) by the paper..but like 3-4 years by practical. But these routers are being used more than that.. explaining why many routers are "sitting duck" with tons of flaws and big in volume + unprotected due to hacking and/or malware attacks now.

I give you example in my personal case, I bought a router after seeing the product is proven good by reference, it took a year to study to make sure a new product is solid in service/quality etc, then after I bought, it runs updates well for first 2 years, then when next version released, and then next next version released, then suddenly no more updates after 4th year. The router is still running, but with some flaws (in CGI.. etc etc) from that point, and the flaw is added as time flies. Means.. I must change to the next router version/brand, so I must go back to study new product again, and so on..
Every house or SOHO office is having these routers with wifi with one point access CGI/WebUI, is a kinda electronic device "must have" now, and running 365/24 basis and they are majority of the up and alive machines in internet now. But not every house has a sysadmins.. so they maybe don't even know they routers now is vulnerable after, say, 3-4years running. Or..maybe your router goes with your internet/phone hard line..which you can not change it at your own will, etc < These are what the malware for routers are aiming now.
If the targeted routers volume is transformed to be a DDoS cannons, I think the crook can nuke down any company network by it.
More over, there is NO scanner/AV for the router product. serious threat indeed.

This explains we must to see it in the risk point of view too. And I reversed NIX malware based on recent samples I spotted. There are still many of them un-reversed yet in ITW.