A malicious user dropped off a VERY interesting piece of malware on my honeypot today with the filename ".xsyslog"
This piece of malware was previously undetected, and many kudos to Sophos for being the first to confirm my findings that the software was malicious.
So far, I have been able to determine the following:
This is a UPX packed Linux ELF which appears to have been around since late November 2011, according to internet searches.
The malware is installed from a compromised system after cracking a SSH server's root password, in the path /etc/.xsyslog
The malware is downloaded from an IP address which appears to be hosted in Hong Kong by a fake corporation: 216.83.44.229 port 99
It phones home to an IP address which appears to be hosted by the same fake corporation: 216.83.44.226 port 81
I have uploaded all relevant strings within the unpacked file to Pastebin.
I will provide additional details as I find/receive them. This malware has been forwarded to US-CERT, as well as multiple anti-virus vendors.
Track current AV coverage at http://md5.virscan.org/58c23ca549c941f0d44b35fa31d77011
Related Reading:
Sophos Whitepaper Protection for Mac and Linux Computers: Genuine Need or Nice to Have?