Chinese Origins in .ssyslog Decompiled - Linux/Bckdr-RKC and Hutizu

 I have partially decompiled the second piece of malware which was similar to the original Linux/Bckdr-RKC dropped on my honeypot.

Update: .ssyslog is now detected as "Hutizu".

I am publicly posting the first section of this file to highlight my findings so far...

Update: The full decompiled source of both pieces of malware is now available at SlingFile.

The first part of this decompiled code which really stood out was a clear marker that this malware is definately of Chinese origin.  This snippet of code is from the following function  
int autoupdate(char* url_address, char* local_to_file)
Code:

L0805FF50( &_v3660, "GET /%s HTTP/1.1
\nAccept: */*
\nAccept-Language: zh-cn
\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
\nHost: %s:%d
\nConnection: Close
\n
\n",  &_v2380);
The "Accept-Language" of zh-cn represents Traditional Chinese as the desired web browse language.

This means the malware in question was most likely programmed by a native speaker of Chinese.  Add to this the fact that the malware is hosted by a fake corporation in China, and that the previous version of this malware also phoned home to the same fake corporation, this all becomes very interesting.

Here are a few other function names from this latest version:
  • copy_myself(const char* name)
  • autostart(const char* inser_to_file)
  • int SendSevMonitor()
  • int SendServerPack()
  • GetNetPackets(long long unsigned int* lNetOut, long long unsigned int* lPacketOut)
  • int moniter(char* host)
  • int udpflood(_Unknown_base* ThreadData)
  • int synflood(_Unknown_base* ThreadData)
  • int synbigpacket(_Unknown_base* ThreadData)
  • int ackflood(_Unknown_base* ThreadData)
  • int ackbigpacket(_Unknown_base* ThreadData)
  • GetStructureDnsPacket(char* QueryDomain, char* QueryData, int* nQueryData)
  • int dnsflood(_Unknown_base* ThreadData)
  • int more_ip_dns_test(_Unknown_base* ThreadData)
  • int autoupdate(char* url_address, char* local_to_file)
  • int get_online_ip(char* domain, char* return_ip)
  • int parse_dns_response(char* return_ip)
  • parse_dns_name(unsigned char* chunk, unsigned char* ptr, char* out, int* len)
  • send_dns_request(const char* dns_name)
  • connect_to_server()
Make no mistake, this malware is clearly designed to perform reconnaissance on internal networks and disrupt communications when instructed to do so by the command and control server.

The malware has self-replication and automatic update capabilities.

I find this malware very disturbing.

What I find even more distrubing is the fact that since my submission of this malware to antivirus vendors, with the exception of Avira who believes this file is clean, none of the antivirus vendors have completed their analysis.

These two pieces of malware seem very professionally crafted with a clear purpose - to serve as a "cyber weapon".