VirusTotal welcomes ELF DIGEST, the first integrated multi-sandox fully dedicated to only
processing linux files. This addition helps put the spotlight on
linux malware.
In the words of the founder Tolijan Trajanovski:
In the words of the founder Tolijan Trajanovski:
ELF DIGEST is a cloud-based Linux malware analysis service provided to security researchers, analysts, and academics. The service performs static, behavioral, and network analysis to extract IoCs and IoAs. The static analysis searches for IoCs in the strings and may also identify obfuscation in the form of string encoding and executable packing. The behavioral analysis can recognize various malicious actions, including VM detection, anti-debugging, persistence, process injection, loading of kernel modules, firewall configuration changes, and others. The network analysis can identify C2 endpoints, resolved domains, HTTP requests, and port scanning. In addition, ELF DIGEST utilizes the open-source malware labeling tool AvClass to determine the most probable malware family the analyzed sample belongs to. The currently supported CPU architectures include ARMv5, ARMv7, MIPS, x86 and x86_64. The detailed findings of the analysis are presented in an aggregated view and can be also downloaded as a JSON report.
Let's take a deeper dive on some samples:
Botnet on ARM with iptables kernel modules
This sample is part of the Mirai botnet. At the top of the report we can see
the network communication, possibly the command and control
server.
In
the shell commands we can observe the iptables firewall
stopped and tables flushed. This would allow the malware to
communicate without the firewall obstructing it.
The linux kernel modules being loaded, which are most likely
related to the iptables command line interactions.
Mozi botnet with bittorrent
Within this sample we see DNS resolutions to common
bittorrent trackers and traffic on common bittorrent port
6881.
ELF DIGEST, uploads the PCAP network traffic capture. When sandboxes or users upload PCAPs to VirusTotal, we analyze them with snort and suricata, using rules from community contributors.
Other Interesting samples to have a look at:
In the HTTP requests section, scanning for other vulnerable devices on the internet
Using a file search modifier we can find similar samples that perform the same request. behaviour_network:"boaform/admin"
ELF DIGEST, uploads the PCAP network traffic capture. When sandboxes or users upload PCAPs to VirusTotal, we analyze them with snort and suricata, using rules from community contributors.
Other Interesting samples to have a look at:
- Mirai 19907fba39b0065fea0047b533d3d1f61d46c49e8ad78f65f7ad6d5d906d2d7b
- Service Scanning: cd02800b747b27a65382132770c77823304404dc0611917a21b423727d058ae1
- A coin miner detecting its environment: 6f445252494a0908ab51d526e09134cebc33a199384771acd58c4a87f1ffc063