I have recently downloaded an executable that turned out to be a piece of Linux malware. Running strings on the file shows that it makes changes to various utility commands on a Linux system, such as netstat, ps, top and /bin/sh. These are all the hallmarks of a rootkit executable. Malware written for a Linux machine is a rare find, so this is a chance to look at one up close. I am not sure I can run this executable without it doing damage. I wish there was a sandbox environment where I could run it and see what it does when executing. The strace command would be very good for this, even though there are no debugging symbols in the executable. Cuckoo Sandbox allows analysis of malware in a safe environment, which could be a good way to find out exactly what this executable does; I have found an installation guide here: https://www.proteansec.com/linux/installing-using-cuckoo-malware-analysis-sandbox/. I have decompiled the executable using this website: https://retdec.com/, and the result is a gzipped file containing the recovered source code.
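As an added example (not code from this post and not the sample's own code), here is a small Python script that does the same static triage described above: it pulls printable runs out of a binary the way strings(1) does, then separates out the two indicator types worth looking at first, paths to the process- and socket-listing tools a rootkit typically replaces, and IPv4 literals that may be contact addresses. SAMPLE_BLOB is a constructed stand-in for the downloaded file, and the HIDING_TOOLS set and function names are my own choices.

```python
import ipaddress
import re

# Constructed sample: a fake ELF-like blob with binary noise and a few
# embedded strings of the kind strings(1) would reveal. It is not the
# malware from the post; it only mimics its string content.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(0, 32))
    + b"/bin/netstat\x00/usr/bin/ps\x00/bin/sh\x00"
    + b"\x90\x90\x90\x00"
    + b"202.102.192.68\x00999.1.1.1\x00/etc/hosts\x00"
    + b"libc.so.6\x00xy\x00"
)

# Utilities a userland rootkit commonly replaces or hooks so that its own
# processes and sockets stay hidden. Matching on the basename keeps the
# /bin, /usr/bin and /usr/sbin variants together.
HIDING_TOOLS = {"netstat", "ps", "lsof", "ss", "top", "sh"}

# Dotted-quad shape only; real address validation happens in triage().
IPV4_LITERAL = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(blob: bytes) -> dict:
    """Classify embedded strings into the indicators an analyst wants first."""
    found = extract_strings(blob)
    paths = [s for s in found if s.startswith("/")]
    tool_paths = [p for p in paths if p.rsplit("/", 1)[-1] in HIDING_TOOLS]
    ips = []
    for s in found:
        if IPV4_LITERAL.match(s):
            try:
                ips.append(str(ipaddress.IPv4Address(s)))
            except ValueError:
                pass  # e.g. 999.1.1.1: dotted-quad shaped but not an address
    return {
        "strings": found,
        "paths": paths,
        "tool_paths": tool_paths,
        "ipv4": sorted(set(ips), key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    for key in ("tool_paths", "paths", "ipv4"):
        print(f"{key}: {report[key]}")
```

On a real file, read it with open(path, "rb").read() and pass the bytes to triage(); the script never executes the sample, so it is safe to run against a live download, which is the point of doing string triage before any dynamic analysis in a sandbox.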
This section is interesting: it lists every Linux binary targeted by this executable.
char * g15[12] = {
    "/bin/netstat",
    "/bin/lsof",
    "/bin/ps",
    "/bin/ss",
    "/usr/bin/netstat",
    "/usr/bin/lsof",
    "/usr/bin/ps",
    "/usr/bin/ss",
    "/usr/sbin/netstat",
    "/usr/sbin/lsof",
    "/usr/sbin/ps",
    "/usr/sbin/ss"
}; // 0x8131cc0
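The list above is exactly the set of files a defender should baseline, because a rootkit that replaces ps, netstat, lsof or ss on disk is caught by comparing file hashes against a known-good record. The following Python is an added example, not part of this post or the sample: it builds a SHA-256 baseline for those twelve paths, re-checks them, and runs a constructed scenario in a temporary directory where one tool has been replaced and another has appeared. The function names and the scenario are mine.

```python
import hashlib
import os
import shutil
import tempfile

# The twelve paths the decompiled sample enumerates (taken from the post).
TARGET_PATHS = [
    "/bin/netstat", "/bin/lsof", "/bin/ps", "/bin/ss",
    "/usr/bin/netstat", "/usr/bin/lsof", "/usr/bin/ps", "/usr/bin/ss",
    "/usr/sbin/netstat", "/usr/sbin/lsof", "/usr/sbin/ps", "/usr/sbin/ss",
]


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, root="/") -> dict:
    """Hash every target that exists under root; absent files are recorded as None."""
    baseline = {}
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        baseline[p] = sha256_of(full) if os.path.isfile(full) else None
    return baseline


def check_integrity(baseline: dict, root="/") -> dict:
    """Compare the current state with the baseline; returns path -> status."""
    report = {}
    for p, known in baseline.items():
        full = os.path.join(root, p.lstrip("/"))
        if not os.path.isfile(full):
            report[p] = "absent" if known is None else "missing"
        elif known is None:
            report[p] = "new"        # a tool appeared that was not there before
        elif sha256_of(full) != known:
            report[p] = "modified"   # contents replaced since the baseline
        else:
            report[p] = "ok"
    return report


def simulate() -> dict:
    """Constructed scenario: take a baseline, then replace one tool and add another."""
    root = tempfile.mkdtemp(prefix="rk-demo-")
    try:
        for p in ("/bin/netstat", "/bin/ps", "/usr/bin/ss"):
            full = os.path.join(root, p.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"\x7fELF original " + p.encode())
        baseline = build_baseline(TARGET_PATHS, root)
        # Replace /bin/netstat and drop in a /usr/bin/ps that did not exist.
        with open(os.path.join(root, "bin/netstat"), "wb") as fh:
            fh.write(b"\x7fELF trojaned netstat")
        with open(os.path.join(root, "usr/bin/ps"), "wb") as fh:
            fh.write(b"\x7fELF trojaned ps")
        return check_integrity(baseline, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in simulate().items():
        if status != "absent":
            print(f"{status:9} {path}")
```

Two caveats matter in practice. The baseline has to come from a known-good state (a fresh install, or the package manager's own records via rpm -V or debsums), since a baseline taken after infection just enshrines the replaced binaries. And hashing only catches tools that were changed on disk; a rootkit that hooks library calls through a preload or a kernel module leaves these files intact and needs a different check, such as comparing what ps reports against /proc read by a trusted binary.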
And this is a huge list of IP addresses…
char * g13[113] = {
    "61.132.163.68", "202.102.192.68", "202.102.213.68", "202.102.200.101", "58.242.2.2", "202.38.64.1",
    "211.91.88.129", "211.138.180.2", "218.104.78.2", "202.102.199.68", "202.175.3.3", "202.175.3.8",
    "202.112.144.30", "61.233.9.9", "61.233.9.61", "124.207.160.110", "202.97.7.6", "202.97.7.17",
    "202.106.0.20", "202.106.46.151", "202.106.195.68", "202.106.196.115", "202.106.196.212", "202.106.196.228",
    "202.106.196.230", "202.106.196.232", "202.106.196.237", "202.112.112.10", "211.136.17.107", "211.136.28.231",
    "211.136.28.234", "211.136.28.237", "211.147.6.3", "219.141.136.10", "219.141.140.10", "219.141.148.37",
    "219.141.148.39", "219.239.26.42", "221.130.32.100", "221.130.32.103", "221.130.32.106", "221.130.32.109",
    "221.130.33.52", "221.130.33.60", "221.176.3.70", "221.176.3.73", "221.176.3.76", "221.176.3.79",
    "221.176.3.83", "221.176.3.85", "221.176.4.6", "221.176.4.9", "221.176.4.12", "221.176.4.15",
    "221.176.4.18", "221.176.4.21", "58.22.96.66", "218.104.128.106", "202.101.98.55", "211.138.145.194",
    "211.138.151.161", "211.138.156.66", "218.85.152.99", "218.85.157.99", "222.47.29.93", "202.101.107.85",
    "119.233.255.228", "222.47.62.142", "122.72.33.240", "211.98.121.27", "218.203.160.194", "221.7.34.10",
    "61.235.70.98", "113.111.211.22", "202.96.128.68", "202.96.128.86", "202.96.128.166", "210.21.3.140",
    "210.21.4.130", "211.95.193.97", "211.98.2.4", "211.98.4.1", "211.162.61.225", "211.162.61.235",
    "211.162.61.255", "211.162.62.1", "211.162.62.60", "221.4.66.66", "202.103.176.22", "202.96.144.47",
    "210.38.192.33", "202.96.134.33", "202.96.134.133", "202.96.154.15", "210.21.196.6", "221.5.88.88",
    "202.103.243.112", "202.193.64.33", "61.235.164.13", "61.235.164.18", "202.103.225.68", "221.7.136.68",
    "202.103.224.68", "211.97.64.129", "211.138.240.100", "211.138.242.18", "211.138.245.180", "221.7.128.68",
    "222.52.118.162", "202.98.192.67", "202.98.198.167", "211.92.136.81", "211.139.1.3"
}; // 0x8131760
This program might phone home or join your computer to a botnet, as well as creating many new processes on your machine that do all sorts of evil things to your computer and the network. I have found an example of a person whose machine was owned and taken over by this rootkit. If you find this executable on the Internet, do not run it. It is fun to play with and learn about Linux rootkits from, though. The source code I have posted is decompiled output and may not even compile on your machine; I posted it purely for interest's sake.