Linux.DDoS.Xor.2

Added to the Dr.Web virus database: 2016-09-29

Virus description added:

SHA1:

  • d0825f79a6e96ae1cb9a458f6f958deabf9b7111

A Trojan for Linux designed to carry out DDoS attacks. Its configuration file is XOR-encrypted byte by byte with a key that is hard-coded in the Trojan's body. Some samples also carry the Linux.Rootkit.38 rootkit.
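The XOR layer over the configuration is the first thing an analyst strips off a sample. The block below is an added example, not Dr.Web's code and not the Trojan's: the page does not give the key or the config layout, so DEMO_KEY and SAMPLE_CONFIG are constructed stand-ins, and the key is treated as a repeating multi-byte key (a length-1 key is the single-byte case). It also shows known-plaintext key recovery, which is handy when the key has not yet been pulled out of the binary and the config is known to start with a predictable header.

```python
"""XOR-decrypt a Linux.DDoS.Xor.2-style configuration (added example).

The real key and config format are not on the page; everything below that
looks like sample data is constructed for demonstration.
"""
import itertools


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of *data* with the key, cycling the key as needed.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery for repeating-key XOR.

    Because c[i] = p[i] ^ key[i % key_len], the first key_len bytes of
    (ciphertext XOR known plaintext) are the key itself."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decrypt_config(blob: bytes, key: bytes) -> list:
    """Decrypt *blob* and return its non-empty lines.
    One directive per line is this example's assumption about the layout."""
    text = xor_bytes(blob, key).decode("utf-8", errors="replace")
    return [line for line in text.splitlines() if line.strip()]


# Constructed demo data: hypothetical key and hypothetical directives, chosen to
# mirror what the description says the config can carry (process name, MD5,
# IP address, file to remove).  Not taken from a real sample.
DEMO_KEY = b"example-key-0001"
SAMPLE_CONFIG = (
    b"# constructed config\n"
    b"kill_name=sshd_helper\n"
    b"kill_md5=d41d8cd98f00b204e9800998ecf8427e\n"
    b"kill_ip=203.0.113.7\n"
    b"rm_file=/tmp/.x\n"
)
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_CONFIG, DEMO_KEY)

if __name__ == "__main__":
    # Pretend we only know the header line and the key length, recover the key,
    # then decrypt the rest with it.
    key = recover_key(SAMPLE_ENCRYPTED, b"# constructed config", len(DEMO_KEY))
    for line in decrypt_config(SAMPLE_ENCRYPTED, key):
        print(line)
```

Against a real sample, replace SAMPLE_ENCRYPTED with the bytes of the downloaded config and DEMO_KEY with the key extracted from the binary; recover_key is only a shortcut when the header is predictable and the key length is known or can be guessed by trying small values.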

Once launched, it tries to copy itself, under a random 10-character name, to the folder specified in the configuration file and to folders such as /usr/bin/, /bin/ or /tmp/, and then removes its original file. To gain persistence it uses the cron scheduler: it registers the script /etc/cron.hourly/cron.sh for launch, which contains the following lines:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libgcc.so /lib/libgcc.so.bak
/lib/libgcc.so.bak

The script brings up every network interface listed in /proc/net/dev, copies /lib/libgcc.so to /lib/libgcc.so.bak and executes the copy. The Trojan then creates the file /etc/init.d/<fname>, where <fname> is the name of the Trojan, and hooks it into the boot sequence by creating five symlinks of the form /etc/rc%d.d/S90%s, where %d is the runlevel number from 1 to 5 and %s is the name of the Trojan.

The malicious application also checks whether the rootkit is present by sending a request to /proc/rs_dev. If it is, the Trojan uses it to conceal its files, processes and network activity.

During installation the Trojan can also execute the following commands to register its startup entries:

chkconfig --add <rclocal_file>
update-rc.d <rclocal_file> defaults
sed -i '/\/etc\/cron.hourly\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab
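The installation steps above leave a fixed set of artifacts on disk: the cron.sh script, the every-three-minutes crontab line, the init.d file with its five S90 symlinks, a random 10-character binary in one of the drop folders, and the rootkit's /proc/rs_dev interface. The following hunt script is an added example, not Dr.Web's code, that checks a filesystem prefix for each of them. It assumes the random name is made of letters and digits (the page only says "10 characters"), and it ships with a constructed, harmless test tree so it can be exercised offline.

```python
"""Hunt for Linux.DDoS.Xor.2 persistence artifacts (added example, not Dr.Web's code).
Takes a filesystem prefix, so it works on a live host ("/") or a mounted image."""
import os
import re
import shutil
import tempfile

# Indicators taken from the description above (paths relative to the prefix).
CRON_SH = "etc/cron.hourly/cron.sh"
CRONTAB = "etc/crontab"
CRONTAB_LINE = "*/3 * * * * root /etc/cron.hourly/cron.sh"
DROP_DIRS = ("usr/bin", "bin", "tmp")
ROOTKIT_IFACE = "proc/rs_dev"
# Assumption of this example: the "random 10-character name" is alphanumeric.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{10}$")


def _under(root, *parts):
    return os.path.join(root, *parts)


def _contains(path, needle):
    """True if the text file at *path* exists and contains *needle*."""
    if not os.path.isfile(path):
        return False
    with open(path, errors="replace") as fh:
        return needle in fh.read()


def check_host(root="/"):
    """Return a list of (indicator, detail) pairs found under *root*."""
    hits = []

    # 1. The dropped cron script with its tell-tale libgcc.so.bak line.
    if _contains(_under(root, CRON_SH), "libgcc.so.bak"):
        hits.append(("cron.sh", "/" + CRON_SH))

    # 2. The every-3-minutes crontab entry installed by the sed/echo command.
    if _contains(_under(root, CRONTAB), CRONTAB_LINE):
        hits.append(("crontab", CRONTAB_LINE))

    # 3. /etc/init.d/<fname> backed by S90<fname> links in rc1.d .. rc5.d.
    initd = _under(root, "etc", "init.d")
    for fname in os.listdir(initd) if os.path.isdir(initd) else []:
        links = [_under(root, "etc", "rc%d.d" % n, "S90" + fname) for n in range(1, 6)]
        if RANDOM_NAME.match(fname) and all(os.path.lexists(l) for l in links):
            hits.append(("init.d", fname))

    # 4. Random 10-character executables in the drop folders.  Heuristic only:
    #    legitimate 10-letter binaries exist, so triage these by hand.
    for d in DROP_DIRS:
        ddir = _under(root, d)
        for fname in os.listdir(ddir) if os.path.isdir(ddir) else []:
            full = _under(root, d, fname)
            if RANDOM_NAME.match(fname) and os.path.isfile(full) and os.stat(full).st_mode & 0o111:
                hits.append(("dropped binary", "/" + d + "/" + fname))

    # 5. The rootkit's control interface.
    if os.path.exists(_under(root, ROOTKIT_IFACE)):
        hits.append(("rootkit", "/" + ROOTKIT_IFACE))

    return hits


def build_infected_tree(root, fname="qwhvkdjsmn"):
    """Populate *root* with a constructed, harmless copy of every artifact (test data only)."""
    dirs = ["etc/cron.hourly", "etc/init.d", "usr/bin", "bin", "tmp", "proc"]
    dirs += ["etc/rc%d.d" % n for n in range(1, 6)]
    for d in dirs:
        os.makedirs(_under(root, d), exist_ok=True)
    with open(_under(root, CRON_SH), "w") as fh:
        fh.write("#!/bin/sh\ncp /lib/libgcc.so /lib/libgcc.so.bak\n/lib/libgcc.so.bak\n")
    with open(_under(root, CRONTAB), "w") as fh:
        fh.write("SHELL=/bin/sh\n" + CRONTAB_LINE + "\n")
    with open(_under(root, "etc", "init.d", fname), "w") as fh:
        fh.write("#!/bin/sh\n# constructed stand-in for the Trojan's init script\n")
    for n in range(1, 6):
        os.symlink("../init.d/" + fname, _under(root, "etc", "rc%d.d" % n, "S90" + fname))
    dropped = _under(root, "usr", "bin", fname)
    with open(dropped, "wb") as fh:
        fh.write(b"\x7fELF constructed placeholder, not a real binary\n")
    os.chmod(dropped, 0o755)
    open(_under(root, ROOTKIT_IFACE), "w").close()  # fake rootkit interface


def demo():
    """Run the checks over a constructed infected tree and over an empty tree."""
    infected, clean = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        build_infected_tree(infected)
        return check_host(infected), check_host(clean)
    finally:
        for d in (infected, clean):
            shutil.rmtree(d)
```

Call check_host("/") on a suspect machine, or check_host("/mnt/evidence") on a mounted image. Because the rootkit, when present, hides the Trojan's files and processes from the live system, a clean result from a live host is not conclusive; prefer an offline image or a rescue environment.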

During operation, the Trojan receives a configuration file from the server. If it contains the relevant entries, the Trojan can terminate any process that matches a listed name or MD5 hash, or that sends requests to a listed IP address, and can remove any file specified in the configuration. It also accepts the following commands from the server:

cmd   Description
0x02  Terminate a DDoS attack
0x03  Launch a DDoS attack
0x06  Download a file from the command and control server
0x07  Update the Trojan's executable file
0x08  Send the MD5 hash of its file to the server
0x09  Receive the configuration file with information about processes to terminate

Treatment recommendations


Linux

Please run a full scan of all disk partitions with Dr.Web Antivirus for Linux.
