Thank you for the clear clarification, what you wrote is the truth.
linux/x86/shell_reverse_tcp from metasploit
Some background explanation behind my post:
I analyzed the binary straightly w/o seeking some reference beforehand, so it is purely analyzed and I intend to do it that way for the future too, to minimize influence in reversing. When I was analyzing/writing it I think I saw this somewhere (wrote that in MMD blog ).
After posted MMD post & searched in web I actually noticed that too.
Why I did not push the fact that far in writing, is, since it was still in "zeroday state ", there are more msf / exploit backtrack payloads that can be used in shellshock is ELF or Mach-O, and I really don't want to give those "brats skids :D " with more "idea" of what they can do since the massive waves of shellshock payloads are literaly out of hand already..maybe after shellshock patched and cooled down a bit will add later on < what I thought.
So I wrote comment: I did not analyze the msf payload. And this is the malware, a backdoor < to raise AV detection for the bin
Question came up to me afterward, like:
Should we drop this from "malware" category? and Go to "exploit" instead?
Since so many asked the same. Disregards its nature. I answer: This ELF is a malware category: "backdoor" (with, yes, which is originated from a msf payload), it is widely infected host and need to be scanned, detected and stopped.
Why as malware backdoor then, why not as exploit code? below is explanation:
If one compile any (known/unknown) exploit payload, with back-connect (or reverse connection) functions (with shell, with CGI, or with open port/protocol) to any remote host/port, as an executable binary or library linked executable (in ELF/PE/Mach-O..etc) or executable script/codes that can be triggered manually, and maliciously installed (i.e. via using exploit like shellshock like this case, or even just a simple email attachment) in a victim host (NIX/Windows/Mac/Mobile etc), is considered as a malicious software (or malware) with category of backdoor.
this is copy-paste or likely re-using of open-source, maybe even hexedit of existing module ;)
Yes (just re-checked both code now)... and I think now I know WHERE those skids are coming from, it is from (somewhere in) south (east) Asia country where there are many Internet Cafes used for such bad activity by computer college students wanna be a hacker powerd by those copy-paste and IRC bots with the purpose of DDOS (mostly are used against US)
Thank you for support and reading.
