We call this variant Linux/KillFile because the original built ones have that name in their binaries:
But too bad these original trojans were infected by a virus (Linux/RST), so I cannot share them (dangerous).
But we have one sample that is in the wild just now. This sample was uploaded by the MalwareMustDie ELF team.
VT: https://www.virustotal.com/en/file/6e5d ... 437120536/
which was named by AV as slexec, whatever that means; we will stick to the original built name "killfile".
This Linux/KillFile binary camouflages itself as a bluetooth daemon and executes the downloaded ELF, then runs it while faking it as "Microsoft". It's a small trojan, using the hardcoded CNC as download source; the first compiled version looks to be dated April 2014. The malware was used by Xor.DDoS by the time we spotted them.
More of Linux/KillFile's reversing pads can be found in our post here: http://blog.malwaremustdie.org/2015/07/ ... shock.html
It downloads a list of filenames/process names to be killed and a list of file names to be run on the infected hosts.
The name "killfile" is also shown in the mainly used function to kill files (before running the malware file).
So I am sure someone else has already seen this malware variant before. Please feel free to help add more samples here. Thank you.
Attachments
7z / infected
(224.73 KiB) Downloaded 63 times
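The post says the trojan camouflages itself as a bluetooth daemon and runs its payload under a fake "Microsoft" name. A generic host-side check for that kind of masquerading is to compare what a process claims to be (argv[0] and /proc/<pid>/comm) with what the kernel says it actually executed (/proc/<pid>/exe). The script below is an added example, not code from the original post or from MalwareMustDie; the drop directories it treats as suspicious and every process record in SAMPLE_PROCS are constructed assumptions for illustration.

```python
"""Hunt for processes whose displayed name does not match the binary on disk.

Added example (not from the original post). Compares the name a process shows
(argv[0], /proc/<pid>/comm) against the binary the kernel actually mapped
(/proc/<pid>/exe). The sample records below are constructed, not real captures.
"""
import os
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: world-writable locations commonly used to drop payloads.
SUSPICIOUS_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm, kernel task name (max 15 chars)
    cmdline: List[str]   # argv as reconstructed from /proc/<pid>/cmdline
    exe: str             # os.readlink('/proc/<pid>/exe'); "" if unreadable


def find_masquerading(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every process whose identity looks forged."""
    findings = []
    for p in procs:
        if not p.exe:                      # kernel threads / no permission: skip
            continue
        reasons = []
        deleted = p.exe.endswith(" (deleted)")
        exe_path = p.exe[:-len(" (deleted)")] if deleted else p.exe
        exe_base = os.path.basename(exe_path)
        argv0 = os.path.basename(p.cmdline[0]) if p.cmdline else ""

        # argv[0] is fully attacker-controlled; the exe symlink is not.
        if argv0 and argv0 != exe_base:
            reasons.append(f"argv0 '{argv0}' != exe '{exe_base}'")
        # comm is set from the exec'd filename (truncated to 15 chars) unless
        # the process renamed itself via prctl(PR_SET_NAME).
        if p.comm and p.comm != exe_base[:15]:
            reasons.append(f"comm '{p.comm}' != exe '{exe_base}'")
        if deleted:
            reasons.append("binary deleted from disk while still running")
        if any(exe_path.startswith(d + "/") for d in SUSPICIOUS_DIRS):
            reasons.append(f"executable lives under a drop directory: {exe_path}")

        if reasons:
            findings.append((p.pid, reasons))
    return findings


def read_live_procs() -> List[Proc]:
    """Collect Proc records from a live /proc (needs root to see all exe links)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
        except OSError:
            continue                       # process exited or is unreadable
        procs.append(Proc(pid, comm, cmdline, exe))
    return procs


# Constructed sample data (assumption): two legitimate daemons, two impostors.
SAMPLE_PROCS = [
    Proc(412, "bluetoothd", ["/usr/libexec/bluetooth/bluetoothd"],
         "/usr/libexec/bluetooth/bluetoothd"),
    Proc(900, "sshd", ["/usr/sbin/sshd", "-D"], "/usr/sbin/sshd"),
    Proc(1337, "bluetoothd", ["bluetoothd"], "/var/tmp/.cache/bin"),
    Proc(1338, "Microsoft", ["Microsoft"], "/var/tmp/.cache/bin (deleted)"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE_PROCS):
        print(pid, "->", "; ".join(reasons))
```

Expect false positives from daemons that legitimately rewrite their title (sshd session children, postgres workers) and from `#!` scripts, where comm is the script name while exe is the interpreter; treat hits as leads to confirm against package ownership of the exe path, not as verdicts.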