
Linux.MulDrop.144

Added to the Dr.Web virus database: 2024-06-20

Virus description added:

  • sha1:ee78829b7057233643abc5fd685b46d3ef040a0347bb4569ac252984760eea2f
  • sha1:94f4eee7f986699699cd38eba68bf8adda1037eafbd0590c0d9b77b3133d0bfa

Description

A trojan dropper for Linux written in C and packed using UPX. It is used to deliver the Linux.BackDoor.Pam.8/9 PAM backdoors to a compromised system.

MITRE matrix (tactic: techniques)

  • Execution (TA0002): Unix Shell (T1059.004)
  • Defense Evasion (TA0005): Software Packing (T1027.002); Unix Shell (T1059.004); File Deletion (T1070.004); Timestomp (T1070.006); Linux and Mac File and Directory Permissions Modification (T1222.002)

Operating routine

  1. The dropper accesses the following files and, using the chattr system utility, removes a number of attributes:

     Files:
       • /etc/pam.d/
       • /etc/pam.d/sshd
       • /lib/x86_64-linux-gnu/security or /lib64/security/security
       • /lib/x86_64-linux-gnu/security/pam_sftp.so or /lib64/security/security/pam_sftp.so

     Attributes removed:
       • a – only allows information to be added to a file (append-only)
       • i – prohibits a file from being renamed or deleted (immutable)
       • e – indicates that the file uses extents*

     *This is an attacker's mistake, since this attribute cannot be removed with chattr.

  2. It checks the hash of the pam_sftp.so file; if the value does not match the string embedded in the dropper body, it replaces the file with the patched pam_sftp.so (Linux.BackDoor.Pam.8/9) and runs touch to copy the timestamp from the system file for cloaking purposes:

     for RHEL:
       touch /lib64/security/pam_sftp.so -r /lib64/security/pam_userdb

     for Debian:
       touch /lib/x86_64-linux-gnu/security/pam_sftp.so -r /lib/x86_64-linux-gnu/security/pam_userdb.so
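As an added defender-side example, not code from the Dr.Web entry: shell checks for the two traces the routine above leaves, a module whose mtime was cloned from pam_userdb.so with touch -r and a pam_sftp.so whose hash differs from a recorded baseline. It assumes GNU coreutils and e2fsprogs lsattr; the paths in the usage comment are the Debian ones from the description, and BASELINE_SHA256 is a value you record yourself.

```shell
#!/bin/sh
# Added example, not code from the Dr.Web entry. Defender-side checks for the
# traces the dropper leaves behind. Assumes GNU coreutils (sha256sum), e2fsprogs
# lsattr, and a shell whose test supports -nt/-ot (bash and dash both do).

# List files in DIR (other than REF) whose mtime is identical to REF's.
# A module that was dropped later but carries exactly pam_userdb.so's timestamp
# is what "touch <module> -r pam_userdb.so" produces.
find_mtime_clones() (
    dir=$1; ref=$2
    for f in "$dir"/*; do
        [ -f "$f" ] && [ "$f" != "$ref" ] || continue
        # neither newer nor older: the timestamps are the same
        if [ ! "$f" -nt "$ref" ] && [ ! "$f" -ot "$ref" ]; then
            printf '%s\n' "$f"
        fi
    done
)

# Return 0 if FILE's sha256 equals EXPECTED (a baseline recorded from a clean
# system or a package checksum), 1 otherwise.
verify_sha256() (
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
)

# Print whichever of the append-only (a) and immutable (i) flags are still set
# on PATH; empty output means they are gone (as the dropper leaves them) or the
# filesystem does not expose attributes.
protective_attrs() (
    flags=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || flags=""
    printf '%s' "$flags" | tr -cd 'ai'
)

# Usage on a Debian-style layout (paths taken from the description above;
# BASELINE_SHA256 is a value you must record yourself):
#   find_mtime_clones /lib/x86_64-linux-gnu/security \
#       /lib/x86_64-linux-gnu/security/pam_userdb.so
#   verify_sha256 /lib/x86_64-linux-gnu/security/pam_sftp.so "$BASELINE_SHA256"
#   protective_attrs /etc/pam.d/sshd
```

A module reported by find_mtime_clones is only a lead: confirm it with the hash check before acting.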

Recommendations for treatment

Linux

Please run a full scan of all disk partitions using Dr.Web Antivirus for Linux.
