We would like to proudly announce that Intezer Analyze™ now supports genetic malware analysis for ELF binaries! You may now upload ELF files to our system and find code reuse. We have already indexed the genes of millions of different files into our ELF genome database, classified as malicious, trusted, or neutral (library) software. The support extends to ELF binaries compiled for either the x86 or the x86_64 architecture.
INTEZER ANALYZE™ ELF FEATURES
Here are the features that are currently available for ELF files:
- Code Reuse
- View Related Samples
- String Reuse
- View Shared Code / Unique Code
- Vaccination (Enterprise)
- IDA Plugin (Enterprise)
VAST WORLD OF ELF MALWARE
A lot of malware created for Linux flies completely under the radar when it comes to detection. We have seen many different types, from cryptominers to APTs, and much more remains to be discovered. We would like to show you an example of an ELF analysis in our system using Hakai (based on Mirai) and its direct variants.
If we dive into the related Hakai sample, we can see an evolution of code from other variants.
HAKAI VARIANTS: KENJIRO & IZUKU
We would like to demonstrate how useful looking for code reuse is by showcasing two variants of Hakai with low detection rates on VirusTotal: Kenjiro (6/60) and Izuku (7/60). According to Intezer Analyze™, the code base is almost exactly the same for both Kenjiro and Izuku, but the C&Cs are different, as are the strings the malware uses to name itself.
We decided to dive a bit deeper to see the small changes in the code. After further investigation, Kenjiro appears to be an upgraded version of Izuku. One of the differences is that Kenjiro changes its UDP flood algorithm to add some randomization to the buffer, whereas Izuku's flood algorithm sends the same fixed string every time.
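To illustrate what a string-reuse comparison between two such variants surfaces (shared code strings versus the per-variant self-name and C&C strings), here is an added Python example; it is not Intezer's code or algorithm, and the two byte blobs, variant names and hostnames are constructed placeholders, not real samples.

```python
import re
from typing import Dict, Set

# Minimum length for a run of printable ASCII to count as a "string",
# mirroring the common strings(1) default.
MIN_LEN = 4


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> Set[str]:
    """Return the set of printable-ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}


def compare_strings(a: bytes, b: bytes) -> Dict[str, object]:
    """Report shared and unique strings plus a Jaccard similarity score.

    Shared strings point at a common code base; the strings unique to each
    side are where variant-specific data (names, C&C hosts) tends to show up.
    """
    sa, sb = extract_strings(a), extract_strings(b)
    shared = sa & sb
    union = sa | sb
    return {
        "shared": sorted(shared),
        "unique_a": sorted(sa - sb),
        "unique_b": sorted(sb - sa),
        "jaccard": len(shared) / len(union) if union else 0.0,
    }


# Constructed stand-ins for two variant binaries (placeholders, not real
# samples): identical payload strings, differing only in self-name and C&C.
SAMPLE_A = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
            + b"/bin/busybox\x00" + b"VARIANT-A\x00"
            + b"c2.example-a.invalid\x00" + b"GET / HTTP/1.1\x00")
SAMPLE_B = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
            + b"/bin/busybox\x00" + b"VARIANT-B\x00"
            + b"c2.example-b.invalid\x00" + b"GET / HTTP/1.1\x00")

if __name__ == "__main__":
    report = compare_strings(SAMPLE_A, SAMPLE_B)
    print("shared  :", report["shared"])
    print("unique A:", report["unique_a"])
    print("unique B:", report["unique_b"])
    print("jaccard : %.2f" % report["jaccard"])
```

On real files the unique-string lists are a quick place to look for the C&C and self-naming differences described above, while a high Jaccard score supports the "same code base" conclusion.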
We can also see in the code that these Hakai variants use 4 exploits to spread:
- D-Link DSL-2750B – OS Command Injection (https://www.exploit-db.com/exploits/44760/)
- CVE-2015-2051 (https://www.exploit-db.com/exploits/37171/)
- CVE-2017-17215 (https://www.exploit-db.com/exploits/43414/)
- CVE-2014-8361 (https://www.exploit-db.com/exploits/37169/)
TRY IT OUT
We invite you to try out our new support for ELF binaries by registering for the free community edition of Intezer Analyze™. We are still adding more data to our system in order to give you better results for your uploads. Stay tuned for new features and blog posts that will include future ELF malware research!