 #26309  by unixfreaxjp
 Fri Jul 17, 2015 8:32 am
We call this variant Linux/KillFile because the originally built ones have that name in their binaries:
But too bad these original trojans were infected by a virus (Linux/RST), so I cannot share them (dangerous).

But we have one sample that is in the wild right now. This sample was uploaded by the MalwareMustDie ELF team.
VT: https://www.virustotal.com/en/file/6e5d ... 437120536/
It was named by AV as slexec; whatever that means, we will stick to the original built name "killfile".

This Linux/KillFile binary camouflages itself as a bluetooth daemon and executes the downloaded ELF, running it while faking it as "Microsoft". It's a small trojan, using the hardcoded CNC as the download source; the first compiled version looks to be dated April 2014. The malware was being used by Xor.DDoS by the time we spotted them.
More of Linux/KillFile's reversing pads can be found in our post here: http://blog.malwaremustdie.org/2015/07/ ... shock.html

It downloads a list of filenames/process names to be killed and a list of file names to be run on the infected hosts.
The name "killfile" is also shown in the main function used to kill files (before running the malware file).

So I am sure someone else has already seen this malware variant before. Please feel free to help add more samples here. Thank you.
 #26328  by unixfreaxjp
 Mon Jul 20, 2015 5:24 am
Two more samples, an x32 and an x64.

A quickie on the download servers, downloaded file info and the user-agent used:
IN .rodata:

0x0804A214 http://kill.et2046.com 
0x0804A22B http://sb.et2046.com 
0x0804A276 /txt/kill.txt
0x0804A29A /txt/run.txt 
0x0804A2B4 Accept: */*\r\nAccept-Language: zh-cn\r\nUA-CPU: x86\r\nAccept-Encoding: gzip, deflate\r\n
 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;SV1; TencentTraveler ; 
 .NET CLR 1.1.4322)\r\n
0x0804A370 Connection: Keep-Alive\r\n\r\n 
0x0804A38B http://
0x0804A394 GET %s HTTP/1.1\r\n%sHost: %s\r\n%s
0x0804A3B4 Content-Length:
0x0804A3C5 Content-length:
0x0804A3D6 \r\n\r\n 
Samples: (poor detection ratio)
https://www.virustotal.com/en/file/6021 ... 437369029/
https://www.virustotal.com/en/file/a793 ... 437369085/
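A string-indicator scan in Python that checks a file's printable strings against the .rodata values quoted in the post above (CNC hosts, the kill.txt/run.txt task paths, and the unusual zh-cn/TencentTraveler request headers). This is an added example for triage, not code from the post or from MalwareMustDie; the `SAMPLE_RODATA` blob is constructed for the demo and is not a real sample.

```python
import re
from typing import Dict, List

# Indicator strings taken from the .rodata listing in the post above.
KILLFILE_INDICATORS: Dict[str, List[str]] = {
    "cnc_hosts": ["http://kill.et2046.com", "http://sb.et2046.com"],
    "task_lists": ["/txt/kill.txt", "/txt/run.txt"],
    "http_headers": [
        "Accept-Language: zh-cn",
        "UA-CPU: x86",
        "TencentTraveler",
        "GET %s HTTP/1.1",
    ],
}

# Runs of 4+ printable ASCII bytes, the same idea as `strings -n 4`.
_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII runs found in the raw bytes."""
    return [m.group().decode("ascii") for m in _STRING_RE.finditer(blob)]


def scan_killfile(blob: bytes) -> Dict[str, List[str]]:
    """Map each indicator group to the indicators present in blob (substring match)."""
    found = extract_strings(blob)
    hits: Dict[str, List[str]] = {}
    for group, needles in KILLFILE_INDICATORS.items():
        matched = [n for n in needles if any(n in s for s in found)]
        if matched:
            hits[group] = matched
    return hits


def is_killfile_like(hits: Dict[str, List[str]]) -> bool:
    """Verdict: a task-list path plus a known CNC host or two of the odd headers."""
    has_headers = len(hits.get("http_headers", [])) >= 2
    return "task_lists" in hits and ("cnc_hosts" in hits or has_headers)


# Constructed stand-in for a .rodata section (NOT a real sample).
SAMPLE_RODATA = (
    b"\x00\x00http://sb.et2046.com\x00/txt/kill.txt\x00/txt/run.txt\x00"
    b"Accept: */*\r\nAccept-Language: zh-cn\r\nUA-CPU: x86\r\n\x00"
    b"GET %s HTTP/1.1\r\n%sHost: %s\r\n%s\x00"
)

if __name__ == "__main__":
    hits = scan_killfile(SAMPLE_RODATA)
    print(hits, is_killfile_like(hits))
```

To scan a real file, pass `open(path, "rb").read()` to `scan_killfile`; the verdict is a triage hint, not a replacement for the AV hashes linked above.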