
Linux/KillFile (alias Slexec)

Posted: Fri Jul 17, 2015 8:32 am
by unixfreaxjp
We call this variant Linux/KillFile because the original built ones have that name in their binaries:
But too bad, these original trojans were infected by a virus (Linux/RST), so I cannot share them (dangerous).

But we have one sample that is in the wild just now. This sample was uploaded by MalwareMustDie ELF team/
VT: ... 437120536/
Which was named by AV as slexec; whatever that means, we will stick to the original built name "killfile".

This Linux/KillFile binary camouflages itself as a bluetooth daemon and executes the downloaded ELF, then runs it while faking it as "Microsoft". It's a small trojan, using the hardcoded CNC as download source; the first compiled version looks to be dated April 2014. The malware was used by Xor.DDoS by the time we spotted them.
More of Linux/KillFile's reversing pads can be found in our post here: ... shock.html

It downloads a list of filenames/process names to be killed and a list of file names to be run on the infected hosts.
The name "killfile" is also shown in the mainly used function to kill files (before running the malware file).

So I am sure someone else has already seen this malware variant before. Please feel free to help add more samples here. Thank you.

Re: Linux/KillFile (alias Slexec)

Posted: Mon Jul 20, 2015 5:24 am
by unixfreaxjp
Two more samples, an x32 and an x64.

A quickie for the download servers, downloaded file info and the user-agent used:
Code:
IN .rodata:

0x0804A276 /txt/kill.txt
0x0804A29A /txt/run.txt 
0x0804A2B4 Accept: */*\r\nAccept-Language: zh-cn\r\nUA-CPU: x86\r\nAccept-Encoding: gzip, deflate\r\n
 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;SV1; TencentTraveler ; 
 .NET CLR 1.1.4322)\r\n
0x0804A370 Connection: Keep-Alive\r\n\r\n 
0x0804A38B http://
0x0804A394 GET %s HTTP/1.1\r\n%sHost: %s\r\n%s
0x0804A3B4 Content-Length:
0x0804A3C5 Content-length:
0x0804A3D6 \r\n\r\n 
Samples (poor detection ratio): ... 437369029/ ... 437369085/
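The .rodata strings above (the two download paths, the zh-cn Accept-Language header, the UA-CPU header, the TencentTraveler user-agent and the GET format string) are good static and network indicators. The following is an added example, not code from the thread or from MalwareMustDie: it scans a file for those strings (addresses omitted, so it works on any of the samples regardless of layout) and matches the same download paths plus user-agent against proxy access-log lines. The sample byte blob and the log lines are constructed for the demo; the combined access-log format is an assumption about what the proxy writes.

```python
"""Static string scan and proxy-log match for the Linux/KillFile indicators.

Added example; the indicator strings are copied from the .rodata listing in
the post, everything else (sample blob, log lines, log format) is constructed.
"""
import re
from typing import Dict, List

# Indicator strings copied from the .rodata listing (the %s format string is
# the HTTP request template the trojan fills in at runtime).
KILLFILE_STRINGS: Dict[str, bytes] = {
    "kill_list_path": b"/txt/kill.txt",
    "run_list_path": b"/txt/run.txt",
    "accept_language_zh_cn": b"Accept-Language: zh-cn\r\n",
    "ua_cpu_x86": b"UA-CPU: x86\r\n",
    "tencent_traveler_ua": b"TencentTraveler",
    "get_format_string": b"GET %s HTTP/1.1\r\n%sHost: %s\r\n%s",
}

# Paths the trojan fetches its kill list and run list from.
KILLFILE_PATHS = {"/txt/kill.txt", "/txt/run.txt"}
UA_MARKER = "TencentTraveler"


def scan_bytes(data: bytes) -> Dict[str, int]:
    """Return {indicator_name: byte offset} for every indicator found in data."""
    hits: Dict[str, int] = {}
    for name, needle in KILLFILE_STRINGS.items():
        off = data.find(needle)
        if off != -1:
            hits[name] = off
    return hits


def scan_file(path: str) -> Dict[str, int]:
    """Scan a file on disk (e.g. one of the samples) for the indicators."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def looks_like_killfile(hits: Dict[str, int], minimum: int = 3) -> bool:
    """Require several indicators so a lone Accept-Language header is not a hit."""
    return len(hits) >= minimum


# Apache/nginx "combined" access-log format (assumed proxy log format).
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def match_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Alert on requests for the kill/run lists made with the trojan's user-agent."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path_only = m.group("path").split("?", 1)[0]
        if path_only in KILLFILE_PATHS and UA_MARKER in m.group("ua"):
            alerts.append({"src": m.group("src"), "path": path_only, "ts": m.group("ts")})
    return alerts


# Constructed stand-in for a sample: an ELF magic, padding, then the strings.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 12
    + b"/txt/kill.txt\x00"
    + b"/txt/run.txt\x00"
    + b"Accept: */*\r\nAccept-Language: zh-cn\r\nUA-CPU: x86\r\n"
    + b"Accept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; "
    + b"MSIE 6.0; Windows NT 5.2;SV1; TencentTraveler ; .NET CLR 1.1.4322)\r\n\x00"
    + b"GET %s HTTP/1.1\r\n%sHost: %s\r\n%s\x00"
)

# Constructed proxy log lines: two infected hosts fetching the lists, one benign.
_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;SV1; TencentTraveler ; "
       ".NET CLR 1.1.4322)")
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [20/Jul/2015:05:24:00 +0000] "GET /txt/kill.txt HTTP/1.1" 200 512 "-" "%s"' % _UA,
    '10.0.0.7 - - [20/Jul/2015:05:24:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Chrome/43.0"',
    '10.0.0.9 - - [20/Jul/2015:05:24:02 +0000] "GET /txt/run.txt HTTP/1.1" 200 256 "-" "%s"' % _UA,
]

if __name__ == "__main__":
    hits = scan_bytes(SAMPLE_BLOB)
    print("indicators:", hits, "-> killfile:", looks_like_killfile(hits))
    for alert in match_proxy_log(SAMPLE_LOG_LINES):
        print("ALERT", alert)
```

Run it against a real sample with `scan_file("/path/to/sample")`; the offsets it returns can be cross-checked against the .rodata addresses from the disassembler. The threshold in `looks_like_killfile` is there because the Accept-Language and UA-CPU headers on their own also appear in legitimate software built for the same locale.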

Re: Linux/KillFile (alias Slexec)

Posted: Wed Jul 22, 2015 2:09 pm
by tWiCe