Linux.BackDoor.Dklkt.1

Added to the Dr.Web virus database: 2015-07-10

Virus description added:

SHA1: bd24972a8e34bbd2e7f3b58d6d7fd1a94efa7355

A backdoor for Linux. Its creators planned to equip the program with a large number of functions typical of SOCKS proxy servers, remote shells, file managers, and so on. However, at the moment, the malicious application ignores the majority of incoming commands. The Trojan's internal name is “DDoS Attacker for Gh0st(sweet version 1.0)”.

Judging from debugging information, the Trojan's components are created in such a way that its executable file could be assembled both for Linux and Windows architectures. Once launched, Linux.BackDoor.Dklkt.1 checks the folder from which it is run for the configuration file containing the following parameters:

'remote_host'
'remote_port'
'remote_host2'
'remote_port2'
'remote_host3'
'remote_port3'
'ServiceDllName'
'm_enable_http'
'HttpAddress'
'szGroup'
'blDelMe'
'SelfDelete'
'Config'
'PassWord'
'Remark'
'Version'

where 'Config' indicates the path to the configuration file (in Linux) or to the system registry branch where configuration data is stored (in Windows). The configuration file contains three addresses of command and control servers; one of them is used by the backdoor, while the other two are stored as backups. The file is encoded with Base64. After Linux.BackDoor.Dklkt.1 is activated, it tries to register itself in the system as a daemon (system service). If the attempt fails, the backdoor terminates.

Once the malicious program is successfully run, it sends the server a packet with information on the infected system and the backdoor's parameters (all strings are encoded with Unicode):

<ComputerName>|<OSVersion>|<CpuCores> *
<CpuClock>MHz|Total:<MemTotal>MB,Avail:<MemFree>MB|<sysuptime_days>d
<sysuptime_hours>h <sysuptime_minutes>m <sysuptime_seconds>s|
<self_ip>|<external_ip>|<ConnectionTime>
ms|0|<Remark>|<Group>|<Password>|<Version>|0|0|1|\x00

The Remark, Group, Password, and Version parameters are retrieved from the configuration file; the last three are constant values, while the other parameters are data on the infected system. Traffic is compressed with LZO and encrypted with the Blowfish algorithm. In addition, every packet contains a CRC32 checksum so that the recipient can verify data integrity.
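An added example, not part of the Dr.Web description: a parser for the check-in packet layout above, of the kind an analyst would use to pull the C2-reported fields out of a decrypted sample for triage. It assumes the Blowfish and LZO layers have already been removed upstream and that "Unicode" means UTF-16LE; the sample packet is constructed, not captured.

```python
import re
from typing import Optional

# Field layout of the check-in packet as described on this page, after the
# Blowfish/LZO layer has been removed (assumed done upstream, not shown here).
BEACON_RE = re.compile(
    r"^(?P<host>[^|]*)\|(?P<os>[^|]*)\|"
    r"(?P<cores>\d+)\s*\*\s*(?P<mhz>\d+)MHz\|"
    r"Total:(?P<mem_total>\d+)MB,Avail:(?P<mem_free>\d+)MB\|"
    r"(?P<d>\d+)d\s*(?P<h>\d+)h\s*(?P<m>\d+)m\s*(?P<s>\d+)s\|"
    r"(?P<self_ip>[^|]*)\|(?P<ext_ip>[^|]*)\|(?P<conn_ms>\d+)\s*ms\|0\|"
    r"(?P<remark>[^|]*)\|(?P<group>[^|]*)\|(?P<password>[^|]*)\|"
    r"(?P<version>[^|]*)\|0\|0\|1\|\x00$"
)


def parse_beacon(raw: bytes, encoding: str = "utf-16-le") -> Optional[dict]:
    """Decode and split one check-in packet; None if it does not match the layout."""
    try:
        text = raw.decode(encoding)  # assumption: UTF-16LE is the "Unicode" used
    except UnicodeDecodeError:
        return None
    m = BEACON_RE.match(text)
    if not m:
        return None
    f = m.groupdict()
    # Collapse the "Xd Yh Zm Ws" uptime field into seconds for easy comparison.
    uptime = ((int(f["d"]) * 24 + int(f["h"])) * 60 + int(f["m"])) * 60 + int(f["s"])
    return {
        "computer_name": f["host"], "os_version": f["os"],
        "cpu_cores": int(f["cores"]), "cpu_mhz": int(f["mhz"]),
        "mem_total_mb": int(f["mem_total"]), "mem_free_mb": int(f["mem_free"]),
        "uptime_seconds": uptime,
        "self_ip": f["self_ip"], "external_ip": f["ext_ip"],
        "connection_ms": int(f["conn_ms"]),
        "remark": f["remark"], "group": f["group"],
        "password": f["password"], "version": f["version"],
    }


# Constructed sample packet (plaintext form), not captured traffic.
SAMPLE = ("web-01|Linux 3.13.0|4 * 2400MHz|Total:8192MB,Avail:5120MB|"
          "3d 4h 5m 6s|10.0.0.5|203.0.113.7|120ms|0|test|default|pass|1.0|"
          "0|0|1|\x00").encode("utf-16-le")

if __name__ == "__main__":
    print(parse_beacon(SAMPLE))
```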

Once this packet is sent, the Trojan stands ready to receive incoming commands.

Command | Comments
Welcome packet | Ignored
Update itself | Ignored
Change group | Change the Group parameter to the value received in the command
Change remark | Change the Remark parameter to the value received in the command
Open shell | Open the command interpreter and redirect input/output streams to the server
Open file manager | Ignored
Open DDoS manager | Ignored
Receive user data | Ignored
Remove itself | Ignored
Disconnect from the command and control server | Ignored
Exit | Execute the "exit" command
Reboot | Execute the "reboot" command
Turn off the computer | Execute the "poweroff" command
Delete logs | Ignored
Launch a DDoS attack |
Run an application | The application is specified in the incoming command
Start proxy | Start SOCKS proxy on the infected computer

The Trojan can launch the following DDoS attacks:

  • SYN Flood
  • HTTP Flood (POST/GET requests)
  • Drv Flood (not implemented)
  • ICMP Flood
  • TCP Flood
  • UDP Flood

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
