Linux.BackDoor.Xudp.1

Added to the Dr.Web virus database: 2016-03-15

Virus description added:

SHA1

  • 3a5f73d9beb74ee017965fa8922b2228fb684816

A backdoor for Linux that is installed by other downloader Trojans. The main module is located in the /lib/ folder and is set to start automatically via the cron scheduler. During installation the Trojan clears the iptables rules.

Once launched, Linux.BackDoor.Xudp.1 decrypts configuration data hard-coded in the Trojan’s body that looks as follows:

dr0id1.xyz          ; the C&C server
transfer.php        ; page to which requests are sent
XorUDP              ; name of the backdoor, used as User-Agent when generating requests
300                 ; HTTP sleep time
5                   ; keepalive sleep time
/bin/socket         ; NewProcName
1                   ; usemutex
700                 ; low end of the UDP port range
800                 ; high end of the UDP port range

Encrypted lines are stored and sent as follows:

<length>:<encrypted value>
10:09Ц<о*.Йs

If the NewProcName parameter has a non-zero value, the Trojan’s process is hidden under the name specified in the configuration.

If the usemutex parameter is also non-zero, the Trojan locks the “/var/.mutexlock” file. If it fails to lock this file, it stops operating.

Then the Trojan generates a 128-byte key, selects a value of the UDP port, and runs three threads: HTTP_Thread, UDP_Listen, and UDP_KeepAlive.

HTTP_Thread

When this thread is launched, the Trojan sends the generated key, the UDP port number, and the backdoor’s version to the server. It then periodically requests the following page from the server:

template1 = "k=%s&p=%s&v=%s&s=1"          # k = key, p = UDP port, v = version
param1 = encodenum(ourKey)                 # the 128-byte key generated at start-up
param2 = encodenum(udpPort)                # the UDP port selected at start-up
param3 = encodenum(version)
params = template1 % (param1, param2, param3)
request = "POST /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s"
actualRequest = request % (page, host, name, len(params), params)   # page, host, name come from the decrypted configuration
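The request template above fixes several observable properties of the beacon: a POST to transfer.php, the configured backdoor name as User-Agent, and a form body with exactly the keys k, p, v and s=1. The following added example (not code from the Dr.Web write-up) builds a request in that shape and then runs a defender-side matcher over raw HTTP requests. The page does not define encodenum(); the hex encoding used here is an assumption that only affects the constructed sample data, not the matching logic.

```python
# Added example: beacon shape of Linux.BackDoor.Xudp.1 and a matcher for it.
# encodenum() is undefined on the page; hex encoding is an assumed stand-in.

BEACON_TEMPLATE = "k=%s&p=%s&v=%s&s=1"
REQUEST_TEMPLATE = (
    "POST /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: %d\r\n\r\n%s"
)


def encodenum(value):
    """Assumed stand-in for the sample's encodenum(): hex of bytes or of an int."""
    if isinstance(value, (bytes, bytearray)):
        return value.hex()
    return format(value, "x")


def build_beacon(host, page, name, our_key, udp_port, version):
    """Produce one request exactly as the template on the page lays it out."""
    params = BEACON_TEMPLATE % (encodenum(our_key), encodenum(udp_port), encodenum(version))
    return REQUEST_TEMPLATE % (page, host, name, len(params), params)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict (no percent-decoding needed here)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def xudp_beacon_indicators(raw):
    """Return the names of the indicators from the write-up that match one raw request."""
    try:
        method, path, headers, body = parse_http_request(raw)
    except ValueError:
        return []                      # not a well-formed request line
    hits = []
    if headers.get("user-agent") == "XorUDP":
        hits.append("user_agent_XorUDP")
    if method == "POST" and path.endswith("/transfer.php"):
        hits.append("post_transfer_php")
    fields = parse_form(body)
    if set(fields) == {"k", "p", "v", "s"} and fields["s"] == "1":
        hits.append("form_k_p_v_s1")
    if headers.get("host") == "dr0id1.xyz":
        hits.append("host_dr0id1_xyz")
    return hits


def is_xudp_beacon(raw):
    """Flag on the structural indicators so a renamed C&C host or page is still caught."""
    return {"user_agent_XorUDP", "form_k_p_v_s1"} <= set(xudp_beacon_indicators(raw))


if __name__ == "__main__":
    # Constructed sample: a 128-byte key of 0x01, port 745, version 1.
    sample = build_beacon("dr0id1.xyz", "transfer.php", "XorUDP", b"\x01" * 128, 745, 1)
    print(sample.split("\r\n")[0], "->", xudp_beacon_indicators(sample))
```

The matcher deliberately does not key on the Host header alone: the configuration block is decrypted from the binary, so the domain and page name are the parts a new build is most likely to change, while the form layout and User-Agent come from the code path itself.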

The server replies with one of 4 messages:

First 2 bytes   Function
00              Install client_key + client_port + client_ip
01              Execute a command
02              Reset client_key, client_port, client_ip
03              Terminate execution

All instructions are first decrypted with a key generated by the backdoor. Then the obtained buffer is decrypted using client_key:

XOR(msg, len, ourKey);        /* first layer: the 128-byte key generated by the backdoor */
XOR(msg, len, &client_key);   /* second layer: the client_key installed by message 00 */

UDP_Listen

Datagrams that do not come from client_ip are ignored. If the client_key value is not set, nothing happens. An incoming UDP message is decrypted and looks as follows:

<handler>:<transaction_id> <command>

Field      Function
msg_id     Message ID. All incoming msg_id values are saved; a command is executed only if a previously unseen msg_id is received.
Handler    An 8-byte command identifier
command    Arbitrary string
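The two XOR passes described for HTTP_Thread and the framing and msg_id filter described for UDP_Listen are reproduced in the following added example, which is not code from the Dr.Web write-up. It assumes things the page leaves open: both keys are applied as repeating byte strings, the message is UTF-8 text, and transaction_id is a decimal integer. It also shows the point an analyst takes from the two-layer scheme: two cyclic XOR layers are exactly one XOR with a combined key, so the second layer adds no secrecy beyond the first.

```python
# Added example: two-layer XOR, <handler>:<transaction_id> <command> framing,
# and the msg_id replay filter of Linux.BackDoor.Xudp.1 as described above.
# Assumptions: repeating-key XOR for both keys, UTF-8 text, integer msg_id.
from math import gcd


def xor_with_key(data, key):
    """Repeating-key XOR; XOR is its own inverse, so one function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_udp_message(datagram, our_key, client_key):
    """Order mirrors the write-up: the backdoor-generated key first, then client_key."""
    return xor_with_key(xor_with_key(datagram, our_key), client_key)


def combined_key(our_key, client_key):
    """The single key equivalent to both layers; its period is lcm(len(our_key), len(client_key))."""
    period = len(our_key) * len(client_key) // gcd(len(our_key), len(client_key))
    return bytes(our_key[i % len(our_key)] ^ client_key[i % len(client_key)]
                 for i in range(period))


def parse_udp_message(plaintext):
    """Split '<handler>:<transaction_id> <command>'; handler must be 8 bytes long."""
    head, _, command = plaintext.partition(" ")
    handler, colon, msg_id = head.partition(":")
    if not colon or len(handler) != 8 or not msg_id.isdigit():
        raise ValueError("malformed Xudp message: %r" % plaintext)
    return handler, int(msg_id), command


class MessageLog:
    """Tracks seen msg_id values; a command is acted on only when its msg_id is new."""

    def __init__(self):
        self.seen = set()

    def accept(self, msg_id):
        if msg_id in self.seen:
            return False
        self.seen.add(msg_id)
        return True

    def missing_below(self, msg_id):
        """Unprocessed ids lower than the current one (assumes ids are consecutive from 1)."""
        return sorted(set(range(1, msg_id)) - self.seen)


def process_datagram(datagram, our_key, client_key, log, source_ip, client_ip):
    """Return (handler, msg_id, command) if the datagram passes every filter on the page, else None."""
    if source_ip != client_ip or client_key is None:
        return None                    # wrong sender, or no client_key installed yet
    plaintext = decrypt_udp_message(datagram, our_key, client_key).decode("utf-8")
    handler, msg_id, command = parse_udp_message(plaintext)
    if not log.accept(msg_id):
        return None                    # replayed msg_id, command not executed
    return handler, msg_id, command


if __name__ == "__main__":
    # Constructed sample keys and message; nothing here is taken from a real capture.
    our_key = bytes(range(128))
    client_key = b"\x5a\xa5\x0f"
    wire = decrypt_udp_message(b"ABCDEFGH:7 some command", our_key, client_key)
    log = MessageLog()
    print(process_datagram(wire, our_key, client_key, log, "10.0.0.1", "10.0.0.1"))
    print(process_datagram(wire, our_key, client_key, log, "10.0.0.1", "10.0.0.1"))  # None: replay
```

For an analyst recovering traffic, combined_key() is the practical consequence: given the key sent in the HTTP beacon and the client_key installed by message 00, every UDP command can be decrypted with a single XOR pass, and the cyclic structure means known-plaintext at any offset leaks key bytes at every position with the same residue.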

The backdoor can execute the following commands:

  • Starts a flood (repeated requests to a remote server)
  • Stops the flood
  • Executes an incoming command with the system() function
  • Runs a received string with the popen function and returns the command’s output
  • Opens a listening UDP socket that logs all requests to this port in a specified file in the <ipaddr> <size> <List Port> format
  • Sends the specified file in parts of a given size at a given time interval
  • Scans a specified range of IP addresses
  • Sends the list of msg_id values lower than the current message’s that have not been processed
  • Marks the sent msg_id values as processed
  • Terminates execution

UDP_KeepAlive

The malware periodically sends a specific datagram to the server to signal that it is still active.

Treatment recommendations

Linux

Please run a full scan of all disk partitions using Dr.Web Antivirus for Linux.
