SHA1:
- 187842e65c2e4ab4ba48a0805e2fcd85c45e4446
A Linux Trojan. Once launched, it attempts to detect honeypots by issuing commands that contain terminal control characters:
/bin/busybox wget; /bin/busybox 81c46036wget; /bin/busybox echo -ne '\x0181c46036\x7f'; /bin/busybox printf '\00281c46036\177'; /bin/echo -ne '\x0381c46036\x7f'; /usr/bin/printf '\00481c46036\177'; /bin/busybox tftp; /bin/busybox 81c46036tftp;
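As an added example (not part of the original description), the following Python scans captured shell-session lines, such as a telnet honeypot transcript, for this probe pattern: a `/bin/busybox` applet name prefixed with an 8-hex-digit token, and `echo -ne` / `printf` invocations that wrap the same token in a control character and DEL (`\x7f` or `\177`). The session lines are constructed for this example; the probe line itself is the one quoted above.

```python
import re

# Constructed sample of a captured shell session, as a honeypot or terminal
# logger would record it. The entry at index 4 is the probe sequence quoted in
# the description above; the other entries are benign filler made up for this
# example.
SESSION_LINES = [
    "enable",
    "sh",
    "uname -a",
    "ls -la /tmp",
    "/bin/busybox wget; /bin/busybox 81c46036wget; "
    "/bin/busybox echo -ne '\\x0181c46036\\x7f'; /bin/busybox printf '\\00281c46036\\177'; "
    "/bin/echo -ne '\\x0381c46036\\x7f'; /usr/bin/printf '\\00481c46036\\177'; "
    "/bin/busybox tftp; /bin/busybox 81c46036tftp;",
    "cat /proc/cpuinfo",
]

# Probe form 1: a busybox applet name prefixed with an 8-hex-digit token,
# e.g. "/bin/busybox 81c46036wget".
TOKEN_APPLET = re.compile(r"/bin/busybox\s+([0-9a-f]{8})([a-z]+)\b")

# Probe form 2: echo -ne / printf of a control character (\x01..\x0f or octal
# \001..\007), the same token, and DEL (\x7f or \177), e.g.
# "echo -ne '\x0181c46036\x7f'" or "printf '\00281c46036\177'".
CTRL_ECHO = re.compile(
    r"(?:echo\s+-ne|printf)\s+'(\\x0[1-9a-f]|\\00[1-7])([0-9a-f]{8})(\\x7f|\\177)'"
)


def scan_session(lines):
    """Return one finding per line that carries either probe form."""
    findings = []
    for idx, line in enumerate(lines):
        applet_hits = TOKEN_APPLET.findall(line)   # list of (token, applet)
        ctrl_hits = CTRL_ECHO.findall(line)        # list of (ctrl, token, del)
        if not applet_hits and not ctrl_hits:
            continue
        tokens = {tok for tok, _applet in applet_hits}
        tokens |= {tok for _ctrl, tok, _del in ctrl_hits}
        findings.append({
            "line": idx,
            "tokens": sorted(tokens),
            "applets": sorted(applet for _tok, applet in applet_hits),
            "applet_probes": len(applet_hits),
            "ctrl_probes": len(ctrl_hits),
        })
    return findings


def is_honeypot_probe(finding):
    """High-confidence rule: both probe forms present and tied to one token."""
    return (finding["applet_probes"] >= 1
            and finding["ctrl_probes"] >= 1
            and len(finding["tokens"]) == 1)


if __name__ == "__main__":
    for f in scan_session(SESSION_LINES):
        verdict = "honeypot probe" if is_honeypot_probe(f) else "partial match"
        print(f"line {f['line']}: {verdict}, token(s) {f['tokens']}, "
              f"applets {f['applets']}, ctrl probes {f['ctrl_probes']}")
```

The 8-hex-digit token (`81c46036` in the quoted sample) appears in every probe on the line, which lets the detector tie the probes together; a rule that requires both probe forms and a single shared token is far less noisy than alerting on `busybox echo -ne` alone, which legitimate scripts also use.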
It then connects to the command and control server, whose address is stored in the executable file, receives 4 bytes from it, and sends the following packet:
struct StartPacket {
    short field_0; // checksum of the whole packet
    short field_2; // protocol version (0x11)
    int   field_4; // checksum of field_2
    int   field_8; // the 4 bytes received from the server
    int   field_C; // checksum of field_8
};
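As an added example (not part of the original description), the following Python decodes a captured 16-byte StartPacket and applies a simple flow-level check: the version field must be 0x11 and field_8 must echo the 4 bytes the server sent. Little-endian byte order and unsigned field interpretation are assumptions made here, since the description does not state the byte order, and the checksum fields are carried through but not verified because the checksum algorithm is not described. The sample exchange is constructed, not a real capture.

```python
import struct

# Layout from the description: two shorts followed by three ints, 16 bytes.
# Little-endian and unsigned are assumptions for this example.
START_PACKET = struct.Struct("<HHIII")
EXPECTED_VERSION = 0x11  # version value stated in the description


def parse_start_packet(data: bytes) -> dict:
    """Split a 16-byte StartPacket into its named fields."""
    if len(data) != START_PACKET.size:
        raise ValueError(f"expected {START_PACKET.size} bytes, got {len(data)}")
    f0, f2, f4, f8, fc = START_PACKET.unpack(data)
    return {
        "checksum_all": f0,       # field_0, algorithm not described
        "version": f2,            # field_2
        "checksum_version": f4,   # field_4, algorithm not described
        "received": f8,           # field_8, echo of the server's 4 bytes
        "checksum_received": fc,  # field_C, algorithm not described
    }


def matches_start_packet(received4: bytes, data: bytes) -> bool:
    """Heuristic for a flow decoder: 4 bytes from the server, then a 16-byte
    client reply whose version is 0x11 and whose field_8 echoes those bytes."""
    if len(received4) != 4 or len(data) != START_PACKET.size:
        return False
    pkt = parse_start_packet(data)
    echoed = struct.unpack("<I", received4)[0]  # same byte-order assumption
    return pkt["version"] == EXPECTED_VERSION and pkt["received"] == echoed


# Constructed sample exchange for this example (not a real capture). The
# checksum fields are zero placeholders because the algorithm is not given.
SAMPLE_RECEIVED = bytes.fromhex("deadbeef")
SAMPLE_REPLY = START_PACKET.pack(
    0x0000, EXPECTED_VERSION, 0x0000,
    struct.unpack("<I", SAMPLE_RECEIVED)[0], 0x0000,
)

if __name__ == "__main__":
    print(parse_start_packet(SAMPLE_REPLY))
    print("matches:", matches_start_packet(SAMPLE_RECEIVED, SAMPLE_REPLY))
```

In a real decoder the received-bytes check is the useful part: a fixed 16-byte reply with version 0x11 alone would be a weak signature, but a reply that repeats the server's 4 bytes at offset 8 ties the two directions of the flow together.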
It then receives a confirmation, followed by the addresses of two servers. The first is used to receive a list of logins and passwords, the second to operate a SOCKS proxy server. Communication with these two servers is handled in two separate threads.