{
	"id": "118f24ad-b9f8-4d2a-bf95-c83c1d78c59f",
	"created_at": "2026-04-06T01:29:45.01563Z",
	"updated_at": "2026-04-10T03:22:39.345969Z",
	"deleted_at": null,
	"sha1_hash": "c3b6f47ed10e2ffe5c01c23e80b004c668df89d0",
	"title": "MMD-0028-2014 - Linux/XOR.DDoS : Fuzzy reversing a new China ELF",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1511800,
	"plain_text": "MMD-0028-2014 - Linux/XOR.DDoS : Fuzzy reversing a new\r\nChina ELF\r\nPublished: 2014-09-29 · Archived: 2026-04-06 01:05:22 UTC\r\nSticky note: The latest incident (MMD-0033-2015) we disclosed on ELF Linux/XOR.DDoS malware is here --\u003e\r\n[LINK]\r\nThis research is detected \u0026 solved by a hard work of MMD members. Credits are in the bottom of the post.\r\nThe case is on and malware infrastructure is mostly up \u0026 alive, we don't want to be too details in writing because\r\nof that reason, we don't want to teach this crook of what they're lacking of by this post, yet this post necessary to\r\nraise awareness of this new emerged threat. Feel free to follow the process at will.\r\nThe infection\r\nDuring the rush of #shellshock we saw another new threat emerged. We saw an attack log of one-liner shell script\r\nbeing injected via ssh connection. By the attack source+CNC IP and the payload, this looks like a China crook's\r\nnew hack scheme to spread new ELF DDoS'er threat. This is spotted silently spread during the #shellshock waves,\r\nnoted: it was NOT using #shellshock exploit itself.\r\nThe details of the attacker's trace in one-liner shell command is as per shown below:\r\nhttp://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html\r\nPage 1 of 17\n\nIf we beautified it as per below we will see the obfuscation this shell script:\r\n↑the marked mark is the point of all these code, to download the file 3502.rar from some defined host addresses.\r\nThe mentioned RAR file itself is actually a shell script too:\r\nYou can read the codes here, no free ride copy/paste this time, since we have hard times with those false positives\r\nfrom antiviruses\r\nhttp://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html\r\nPage 2 of 17\n\nThe main() function is explaining how this script works, read the comments we made (in purple colored words):\r\nShortly. 
The blue color explaining the obfuscation strings saved in some variables. The yellow marked color\r\nwords are functions to be executed, and the red color area is the main function of this script, to download and\r\ninstall a payload.\r\nThe obfuscation used is in the enc() and dec() function (see that big pic codes) for encryption and decryption, by\r\nusing the below code (I picked this one, the one used for decrypting)\r\n1 tr \"[.0-9a-zA-Z\\/\\/\\:]\" \"[a-zA-Z0-9\\;-=+*\\/]\" ;\r\nThey called it encryption, but is just a mere obfuscator using the character map translation in \"tr\". Below is the\r\neasy shell script I made to decode them:\r\nhttp://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html\r\nPage 3 of 17\n\nBelow is the result:\r\nWe'll see another 3502 file. And a bunch of the CNC used. Noted the username and password they use ;)\r\nhttp://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html\r\nPage 4 of 17\n\nIf you permutated the URL with the payload name you will some ALIVE malware URLs like these:\r\nWhat is this thing? In short: It's a sophisticated \u0026 well-thought ELF malware infection scheme, aiming Linux in\r\nmultiple platform. It downloads, detect all parameter need to download the payload or source code of payload. It\r\ndetected infected host's architecture, compiler. 
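The tr translation quoted above is the whole of the obfuscation, so here is an added Python example (mine, not the author's decoder from the screenshot) that reproduces the table and its inverse. SET1 and SET2 are the two arguments of that tr call without the enclosing brackets, which never occur in the encoded strings; note that the first set names '/' twice and that ';-=' in the second set is a range covering the three characters ;, < and =. The URL in the main block is constructed for the demo, not one of the dropper's.

```python
# Added example: emulate the dropper's tr-based obfuscation and invert it.
# SET1/SET2 are the two arguments of the tr call quoted above, written
# without the enclosing brackets. ';-=' is a range: the characters ; < =.
SET1 = '.0-9a-zA-Z//:'
SET2 = 'a-zA-Z0-9;-=+*/'


def expand(spec):
    # Expand a tr set: 'x-y' ranges become every character from x to y,
    # anything else is taken literally (no classes or escapes are needed here).
    chars = []
    i = 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == '-':
            chars.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.append(spec[i])
            i += 1
    return ''.join(chars)


def forward_table(set1, set2):
    # Positional mapping like tr: characters past the end of the shorter set
    # are ignored, and a character repeated in set1 (here '/') ends up with
    # its last assignment, which is how GNU tr fills its translation table.
    table = {}
    for src, dst in zip(expand(set1), expand(set2)):
        table[ord(src)] = dst
    return table


def inverse_table(set1, set2):
    # Every pair is reversed, so both '<' and '=' decode to '/'.
    return {ord(dst): src for src, dst in zip(expand(set1), expand(set2))}


def obfuscate(text):
    return text.translate(forward_table(SET1, SET2))


def deobfuscate(text):
    return text.translate(inverse_table(SET1, SET2))


if __name__ == '__main__':
    sample = 'http://1.2.3.4/3502.rar'   # constructed URL, not one from the dropper
    packed = obfuscate(sample)
    print(packed)
    print(deobfuscate(packed))
```

Whichever direction the dropper applies the table in, the other function here is its inverse, so running both over the variable contents of the 3502.rar script recovers the download URLs and CNC list either way.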
It also inventories the host's libraries, sends that host information to the CNC, requests the matching binaries (or the resources needed to build them), and then installs the ELF binary.\r\nThe PoC of this hack is the payload below:\r\nThe payload\r\nThe header looks very \"fine\":\r\nELF Header:\r\n  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00\r\n  Class:                  ELF32\r\n  Data:                   2's complement, little endian\r\n  Version:                1 (current)\r\n  OS/ABI:                 UNIX - System V\r\n  ABI Version:            0\r\n  Type:                   EXEC (Executable file)\r\n  Machine:                Intel 80386\r\n  Version:                0x1\r\n  Entry point address:    0x8048110\r\nFirst block:\r\n[screenshot]\r\nVarious analyses indicate the payload was coded in C, hmm.. a step up in quality, we have a challenger here :) A new DDoS'er made in China. Here are the source file names it carries (for future reference):\r\n'crtstuff.c'\r\n'autorun.c'\r\n'crc32.c'\r\n'encrypt.c'\r\n'execpacket.c'\r\n'buildnet.c'\r\n'hide.c'\r\n'http.c'\r\n'kill.c'\r\n'main.c'\r\n'proc.c'\r\n'socket.c'\r\n'tcp.c'\r\n'thread.c'\r\n'findip.c'\r\n'dns.c'\r\nSome pointers for its characteristics:\r\nSelf copy:\r\nopen(\"/boot/[a-z]{10}\", O_WRONLY|O_CREAT, 0400)\r\nopen(\"/boot/[a-z]{10}\", O_WRONLY)\r\nchmod(\"/boot/[a-z]{10}\", 0750)\r\nopen(\"/boot/[a-z]{10}\", O_RDONLY)\r\nAuto start:\r\n// install SYS\r\n.text:0x8048B2E mov     dword ptr [esp], offset aSbinInsmod   \u003c== \"/sbin/insmod\"\r\n.text:0x8048B35 call    LinuxExec_Argv\r\n.text:0x8048B3A mov     dword ptr [esp], 2\r\n.text:0x8048B41 call    sleep\r\n// xinetd setup..\r\n.text:0x8048852 call    abstract_file_name\r\n.text:0x8048857 mov     [ebp+var_8], eax\r\n.text:0x804885A mov     eax, [ebp+arg_0]\r\n.text:0x804885D mov     [esp+0Ch], eax\r\n.text:0x8048861 mov     dword ptr [esp+8], offset aBinShS   \u003c== \"#!/bin/sh\\n%s\\n\"\r\n.text:0x8048869 mov     dword ptr [esp+4], 400h\r\n.text:0x8048871 lea     eax, [ebp+newpath]\r\n.text:0x8048877 mov     [esp], eax\r\n.text:0x804887A call    snprintf\r\n:\r\n.text:0x804887F mov     eax, [ebp+var_8]\r\n.text:0x8048882 mov     [esp+0Ch], eax\r\n.text:0x8048886 mov     dword ptr [esp+8], offset aEtcInit_dS   \u003c== \"/etc/init.d/%s\"\r\n.text:0x804888E mov     dword ptr [esp+4], 400h\r\n.text:0x8048896 lea     eax, [ebp+filename]\r\n.text:0x804889C mov     [esp], eax\r\n.text:0x804889F call    snprintf\r\n.text:0x80488A4 mov     dword ptr [esp+4], offset aW   \u003c== \"w\"\r\n.text:0x80488AC lea     eax, [ebp+filename]\r\n.text:0x80488B2 mov     [esp], eax\r\n.text:0x80488B5 call    fopen\r\n:\r\n.text:0x8048980 mov     dword ptr [esp+8], offset aEtcRcD_dS90S   \u003c== \"/etc/rc%d.d/S90%s\"\r\n.text:0x8048988 mov     dword ptr [esp+4], 400h\r\n.text:0x8048990 lea     eax, [ebp+newpath]\r\n.text:0x8048996 mov     [esp], eax\r\n.text:0x8048999 call    snprintf\r\n.text:0x804899E lea     eax, [ebp+newpath]   // assemble flag component for file attribs\r\n.text:0x80489A4 mov     [esp], eax   \u003c== \"filename\"\r\n.text:0x80489A7 call    unlink\r\n.text:0x80489AC lea     eax, [ebp+newpath]\r\n.text:0x80489B2 mov     [esp+4], eax   \u003c== \"newpath\"\r\n.text:0x80489B6 lea     eax, [ebp+filename]\r\n.text:0x80489BC mov     [esp], eax   \u003c== \"oldpath\"\r\n.text:0x80489BF call    symlink\r\n.text:0x80489C4 cmp     [ebp+var_C], 0\r\n.text:0x80489C8 jnz     short loc_80489E8\r\n.text:0x80489CA mov     dword ptr [esp+8], 0AD1473B8h   \u003c== \"group\"\r\n.text:0x80489D2 mov     dword ptr [esp+4], 0AD1473B8h   \u003c== \"owner\"\r\n.text:0x80489DA lea     eax, [ebp+filename]\r\n.text:0x80489E0 mov     [esp], eax   \u003c== \"filename\"\r\n.text:0x80489E3 call    lchown\r\nIn other words, the auto-start is plain SysV init: a wrapper script (\"#!/bin/sh\" followed by the binary's path) is written to /etc/init.d/\u003cname\u003e, and a symlink S90\u003cname\u003e pointing at it is created in the rc\u003cN\u003e.d directories after unlinking any existing one.\r\nMalicious environment setup (i.e. export cmd):\r\n0x06988C HOME=/\r\n0x069893 HISTFILE=/dev/null\r\n0x0698A6 MYSQL_HISTFILE=/dev/null\r\n0x0698C0 PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin\r\nPointing HISTFILE and MYSQL_HISTFILE at /dev/null keeps the commands run in the spawned shell out of the shell and MySQL client history files.\r\nEncryption:\r\nThere is some encryption to be decrypted in this malware; I tested it as below, and it looks like an XOR pattern:\r\n// checking decryptor...\r\n.text:0x804CB63 mov     dword ptr [esp+4], offset aM_Nfr7nlqqgf_0\r\n.text:0x804CB6B lea     eax, [ebp+filename]\r\n.text:0x804CB71 mov     [esp], eax\r\n.text:0x804CB74 call    dec_conf   // decrypting function..\r\n.text:0x804CB79 mov     dword ptr [esp+8], 0Ch   // \u003c== break it here..\r\nBreakpoint 1, 0x0804cb79 in main ()\r\nquery offset aM_Nfr7nlqqgf_0: \"m.[$nFR$7nLQQGF\"\r\nquery register: $esp\r\n0xffffa1b0: \"[\\305\\377\\377\\343\\033\\v\\b\\020\"\r\n.text:0x804CB81 mov     dword ptr [esp+4], offset aM_Nfr7n9_0\r\n.text:0x804CB89 lea     eax, [ebp+var_114D]\r\n.text:0x804CB8F mov     [esp], eax\r\n.text:0x804CB92 call    dec_conf\r\nBreakpoint 2, 0x0804cb9 in main ()\r\nquery offset aM_Nfr7n9_0: \"m.[$nFR$7n9\"\r\nquery register: $esp\r\n0xffffa1b0: \"[\\304\\377\\377\\363\\033\\v\\b\\f\"\r\n.text:0x804CBBD mov     dword ptr [esp+4], offset aM4s4nacNa\r\n.text:0x804CBC5 lea     eax, [ebp+var_E4D]\r\n.text:0x804CBCB mov     [esp], eax\r\n.text:0x804CBCE call    dec_conf\r\n.text:0x804CBD3 mov     [ebp+var_34], 0\r\nBreakpoint 3, 0x0804cbd3 in main ()\r\nquery offset aM4s4nacNa\r\nquery register: $esp\r\n0xffffa1b0: \"[\\307\\377\\377#\\034\\v\\b\\v\"\r\nHere is the XOR used as the core logic of the decryption function:\r\n[screenshot]\r\nWith the key that leads to this address:\r\n[screenshot]\r\nIt \"looks like\" the author has an \"interesting\" way to remind himself of the XOR key itself; I did not investigate this further since I had my goal..\r\nA hard-coded callback IP address\r\nAnd look what I got next to the XOR key :))\r\n[screenshot]\r\nSo now we know the CNC too ;)\r\nIP: 103.25.9.228||59270 | 103.25.9.0/24 | CLOUD\r\nCountry: \"HK | CLOUDRELY.COM\" | CLOUD RELY LIMITED\r\nThe bummer part of this malware is that it crashes itself when run under limited permissions...\r\n\"msec calls\"\r\n-----------------------------------------------------------------------\r\n(120): execve(\"./SAMPLE-MALWARE\", [\"./SAMPLE-MALWARE\"], [\"SHELL=etc..])\r\n(125): set_thread_area(0xffc8373c)\r\n(126): set_tid_address(0x92e6888)\r\n(127): set_robust_list(0x92e6890, 0xc)\r\n(128): futex(0xffc83a04, FUTEX_WAKE_PRIVATE, 1)\r\n(129): rt_sigaction(SIGRTMIN, {0x8053860, [], SA_SIGINFO}, NULL, 8)\r\n(130): rt_sigaction(SIGRT_1, {0x8053780, [], SA_RESTART|SA_SIGINFO}, NULL, 8)\r\n(131): rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8)\r\n(132): getrlimit(RLIMIT_STACK, etc)\r\n(133): uname({sysname=\"Linux\", nodename=\"mmd\", release=\"mmd-amd64\", version=\"#1 SMP mmd-7u1\", machine=\"saever-momma\"})\r\n(142): readlink(\"/proc/self/exe\", \"/home/mmd/test/SAMPLE-MALWARE\", 1023)\r\n(143): clone(Process)\r\n(145): exit_group(0)\r\n(146): [pid new] setsid()\r\n(147): open(\"/dev/null\", O_RDWR)\r\n(148): fstat64(3, {st_dev=makedev] etc)\r\n(149): dup2(3, 0)\r\n(150): dup2(3, 1)\r\n(151): dup2(3, 2)\r\n(152): close(3)\r\n(153): readlink(\"/proc/self/exe\", \"/home/mmd/test/SAMPLE-MALWARE\", 1023) = 20\r\n(154): stat64(\"/boot\", etc)\r\n(155): stat64(\"/lib\", etc)\r\n(156): stat64(\"/lib/udev\", etc)\r\n(157): stat64(\"/var\", etc)\r\n(158): stat64(\"/var/run\", etc)\r\n(159): gettimeofday({1411989055, 135168}, NULL)\r\n(160): readlink(\"/proc/self/exe\", \"/home/mmd/test/SAMPLE-MALWARE\", 1023)\r\n(161): unlink(\"/lib/udev/udev\")\r\n(162): open(\"/home/mmd/test/SAMPLE-MALWARE\", O_RDONLY)\r\n(163): open(\"/lib/udev/udev\", O_WRONLY|O_CREAT, 0400)\r\n(165): open(\"/home/mmd/test/SAMPLE-MALWARE\", O_RDONLY)\r\n(166): open(\"/boot/[a-z]{10}\", O_WRONLY|O_CREAT, 0400)\r\n(168): open(\"/boot/[a-z]{10}\", O_WRONLY)\r\n(169): clone(Process attached\r\n(171): waitpid(Process suspended\r\n(173): clone(Process attached\r\n(175): exit_group(0)\r\n(179): rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8)\r\n(180): rt_sigaction(SIGCHLD, NULL, {SIG_IGN, [CHLD], SA_RESTART}, 8)\r\n(181): nanosleep({1, 0}, ..\r\n(192): chmod(\"/boot/[a-z]{10}\", 0750)\r\n(193): open(\"/boot/[a-z]{10}\", O_RDONLY)\r\n(194): --- SIGSEGV (Segmentation fault) @ 0 (0) ---   ref: [a-z]{10}\r\n(197): rt_sigprocmask(SIG_SETMASK, [], NULL, 8)\r\nIt saves its copy in /boot under a name matching the regex [a-z]{10}. The trace also shows the classic daemonisation (clone, setsid, stdin/stdout/stderr redirected to /dev/null) and an attempt to write a second copy to /lib/udev/udev before the crash.\r\nWhat is the purpose of this malware?\r\nThe first is a backdoor, and then, obviously, DoS (SYN, UDP, TCP flood), using an encrypted (temporary) config.\r\nBelow is the PoC of the DDoS function names:\r\n0x09305E build_syn      // SYN Flood\r\n0x0950D0 build_tcphdr   // TCP Flood\r\n0x097101 build_udphdr   // UDP Flood\r\nAnd below is part of the backdoor operation, using HTTP/1.1 GET (to download / update) and a callback in HTTP/1.1 POST:\r\n.text:0x804A917 mov     dword ptr [esp+8], offset aPostSHttp1_1Sh\r\nvalue: \"POST %s HTTP/1.1\\r\\n%sHost: %s\\r\\nContent-T\"\r\n.text:0x804AB1D mov     dword ptr [esp+8], offset aGetSHttp1_1Sho\r\nvalue: \"GET %s HTTP/1.1\\r\\n%sHost: %s\\r\\n%s\"\r\nBased on the code it looks like it uses the AES.DDoS'er and IptabLes strategy to install, but the source is different.\r\nSo, this is another new China DDoS'er; I call it Linux/XOR.DDoS.\r\nVirus Total and sample\r\nVirusTotal detection is below (click the image to access it); 1 of 55 is a bad detection rate..\r\n[screenshot]\r\nSample is shared in kernel mode --\u003e [here]\r\nConclusion \u0026 Credits\r\nThis threat is the first time we have seen such a complicated installer/builder in use. My team mates and I are starting to feel like we are playing CTF with this crook. They (China actors) are improving step by step; we must be aware.\r\n
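For the Encryption section above, where each breakpoint after dec_conf shows a packed string going in and its decrypted form sitting in the output buffer, the following added example (my code, not the author's; the real key is not given on this page, so DEMO_KEY and the DEMO_PLAIN strings are constructed stand-ins) shows how one such ciphertext/plaintext pair is enough to recover a repeating XOR key and decode the remaining strings without the debugger. It assumes dec_conf is a plain repeating-key XOR, which is the pattern the author reports; if the real routine adds anything else, only the key recovery step needs adapting.

```python
# Added example: known-plaintext recovery of a repeating-key XOR, the
# situation a breakpoint after dec_conf leaves you in. DEMO_KEY and the
# DEMO_PLAIN strings are constructed stand-ins; the page does not give the key.
DEMO_KEY = b'k3y-demo'
DEMO_PLAIN = [b'/etc/init.d/abcdefghij', b'/boot/abcdefghij', b'/lib/udev/udev']


def xor_bytes(data, key):
    # Repeating-key XOR; used for both directions, like dec_conf itself.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_stream(ciphertext, plaintext):
    # ciphertext XOR plaintext gives the key bytes position by position.
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def shortest_period(stream):
    # Smallest p such that stream[i] == stream[i % p] for every i.
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


def recover_key(ciphertext, plaintext):
    # Returns the key only when the known plaintext covers at least two
    # repetitions of it; shorter evidence could be a coincidence.
    stream = key_stream(ciphertext, plaintext)
    period = shortest_period(stream)
    if 2 * period > len(stream):
        return None
    return stream[:period]


def demo():
    blobs = [xor_bytes(p, DEMO_KEY) for p in DEMO_PLAIN]
    # The analyst watched blobs[0] come out of dec_conf as DEMO_PLAIN[0] ...
    key = recover_key(blobs[0], DEMO_PLAIN[0])
    # ... and can now decode every other packed string statically.
    return key, [xor_bytes(b, key) for b in blobs[1:]]


if __name__ == '__main__':
    key, decoded = demo()
    print(key, decoded)
```

In practice the plaintext comes from the buffer the breakpoint reveals and the ciphertext from the string offset IDA names (aM_Nfr7nlqqgf_0 and friends); pick the longest pair you have, since recover_key refuses to guess from fewer than two full key repetitions.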
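For the self-copy, auto-start and strace listings above, the following added check (my code, not the author's and not the malware's) hunts a filesystem for the artefacts they describe: a file with a ten-lowercase-letter name in /boot, the copy at /lib/udev/udev, an /etc/init.d script that consists only of the #!/bin/sh line and a bare path (the snprintf format from the disassembly), and the S90 symlink to that script in the rc directories. build_demo_root constructs a throwaway tree with those artefacts plus one benign init script so the scan can be exercised without a sample; qwertyuiop is a made-up stand-in for the random name. Pass a root other than / to inspect a mounted disk image.

```python
import os
import re
import stat
import tempfile

# Added example: hunt for the on-disk artefacts described on the page.
# Paths are root-relative so the scan can run against a mounted image or the
# constructed tree from build_demo_root as well as a live '/'.
BOOT_NAME = re.compile('[a-z]{10}')
UDEV_COPY = 'lib/udev/udev'
INIT_DIR = 'etc/init.d'
RC_DIRS = ['etc/rc%d.d' % n for n in range(7)]


def _lines(path):
    with open(path, 'rb') as fh:
        return fh.read().decode('latin-1').splitlines()


def is_wrapper_script(path):
    # The dropper writes its init script with the format '#!/bin/sh' + newline
    # + '%s' + newline, so a hit is exactly two lines: shebang and a bare path.
    try:
        lines = _lines(path)
    except OSError:
        return False
    return len(lines) == 2 and lines[0] == '#!/bin/sh' and lines[1].startswith('/')


def scan(root):
    hits = []
    boot = os.path.join(root, 'boot')
    if os.path.isdir(boot):
        for name in sorted(os.listdir(boot)):
            full = os.path.join(boot, name)
            if BOOT_NAME.fullmatch(name) and os.path.isfile(full):
                mode = stat.S_IMODE(os.stat(full).st_mode)
                hits.append(('boot-copy', full, oct(mode)))
    udev = os.path.join(root, UDEV_COPY)
    if os.path.isfile(udev):
        hits.append(('udev-copy', udev, ''))
    wrappers = set()
    init_dir = os.path.join(root, INIT_DIR)
    if os.path.isdir(init_dir):
        for name in sorted(os.listdir(init_dir)):
            full = os.path.join(init_dir, name)
            if os.path.isfile(full) and is_wrapper_script(full):
                wrappers.add(name)
                hits.append(('init-wrapper', full, _lines(full)[1]))
    for rc in RC_DIRS:
        rc_dir = os.path.join(root, rc)
        if not os.path.isdir(rc_dir):
            continue
        for name in sorted(os.listdir(rc_dir)):
            full = os.path.join(rc_dir, name)
            # the symlink is named S90<name> after the /etc/init.d/<name> wrapper
            if name.startswith('S90') and name[3:] in wrappers and os.path.islink(full):
                hits.append(('rc-symlink', full, os.readlink(full)))
    return hits


def build_demo_root(root):
    # Constructed tree: the artefacts from the page plus one benign init script.
    # 'qwertyuiop' stands in for the random [a-z]{10} name.
    for sub in ('boot', 'lib/udev', INIT_DIR, 'etc/rc3.d'):
        os.makedirs(os.path.join(root, sub))
    for rel in ('boot/qwertyuiop', UDEV_COPY):
        with open(os.path.join(root, rel), 'wb') as fh:
            fh.write(b'not-a-real-elf')
    os.chmod(os.path.join(root, 'boot/qwertyuiop'), 0o750)
    nl = chr(10)
    with open(os.path.join(root, INIT_DIR, 'qwertyuiop'), 'w') as fh:
        fh.write('#!/bin/sh' + nl + '/boot/qwertyuiop' + nl)
    with open(os.path.join(root, INIT_DIR, 'ssh'), 'w') as fh:
        fh.write('#!/bin/sh' + nl + 'case $1 in start) echo started ;; esac' + nl)
    os.symlink('/etc/init.d/qwertyuiop', os.path.join(root, 'etc/rc3.d/S90qwertyuiop'))


def demo():
    # Build the constructed tree in a temp dir, scan it, and return the hit
    # kinds with their detail column so the result can be checked.
    with tempfile.TemporaryDirectory() as root:
        build_demo_root(root)
        return [(kind, detail) for kind, _path, detail in scan(root)]


if __name__ == '__main__':
    for kind, path, detail in scan('/'):
        print(kind, path, detail)
```

On a live host run it as root. An init-wrapper hit whose target lies under /boot or /lib/udev is the strongest single indicator, since a legitimate init script is rarely a bare path; the boot-copy mode column lets you confirm the 0750 the chmod call sets.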
Please stay safe folks..\r\nCredit: @shibumi (threat sensoring), @wirehack7 (formulation), and others who do not want to be mentioned.\r\nAdditional\r\n(A reserved section for additions and updates)\r\n#MalwareMustDie!!\r\nSource: http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html"
	],
	"report_names": [
		"mmd-0028-2014-fuzzy-reversing-new-china.html"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438985,
	"ts_updated_at": 1775791359,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3b6f47ed10e2ffe5c01c23e80b004c668df89d0.pdf",
		"text": "https://archive.orkl.eu/c3b6f47ed10e2ffe5c01c23e80b004c668df89d0.txt",
		"img": "https://archive.orkl.eu/c3b6f47ed10e2ffe5c01c23e80b004c668df89d0.jpg"
	}
}