Linux/Bckdr-RKC Initial Analysis

A malicious user dropped off a VERY interesting piece of malware on my honeypot today with the filename ".xsyslog"

This piece of malware was previously undetected, and many kudos to Sophos for being the first to confirm my findings that the software was malicious.

So far, I have been able to determine the following:

This is a UPX packed Linux ELF which appears to have been around since late November 2011, according to internet searches.

The malware is installed from a compromised system after cracking a SSH server's root password, in the path /etc/.xsyslog

The malware is downloaded from an IP address which appears to be hosted in Hong Kong by a fake corporation: port 99

It phones home to an IP address which appears to be hosted by the same fake corporation: port 81

I have uploaded all relevant strings within the unpacked file to Pastebin.

I will provide additional details as I find/receive them.  This malware has been forwarded to US-CERT, as well as multiple anti-virus vendors.

Track current AV coverage at

Related Reading:
Sophos Whitepaper Protection for Mac and Linux Computers: Genuine Need or Nice to Have?

No comments:

Post a Comment