A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26185  by unixfreaxjp
 Thu Jun 25, 2015 7:04 pm
This is a new ELF malware. Attacking Elasticsearch with CVE-2015-1427 exploit in the wild (as per now..).
Virus Total detection for the ELF payload and its shell script companion are ZERO:
https://www.virustotal.com/en/file/2b22 ... 435255038/
https://www.virustotal.com/en/file/55b6 ... 435255748/
Quoted from the posted alert: As a summary, this malware will run under current user privilege and check whether it can escalate its privilege. After the self-check for the current version and previous installation, it will continue to run initially, or stopped if the previous running instance was detected, or requesting the update to the motherhost. During the initial installation, it will register an autorun in crontab, And it will then contacting motherhost via HTTP to poke and requesting a download, and then to decrypt the part of downloaded data (DES2) and save it in the work directory to be executed, the downloaded data which was dropped in the same directory of this malware...
Analysis of the threat and the malware I released in MMD-0034-2015 http://blog.malwaremustdie.org/2015/06/ ... w-elf.html
Please help to do the best to release detection signature and all mitigation/filtration available.
With thanks.

You do not have the required permissions to view the files attached to this post.