Library
My library

+ Add to library

Profile

Linux.ProxyM.1

Added to the Dr.Web virus database: 2017-05-18

Virus description added:

SHA1:

  • 187842e65c2e4ab4ba48a0805e2fcd85c45e4446

Linux Trojan. Once launched, it attempts to detect honeypots using special symbols of a terminal:

/bin/busybox wget; /bin/busybox 81c46036wget; /bin/busybox echo -ne '\x0181c46036\x7f'; /bin/busybox printf '\00281c46036\177'; /bin/echo -ne '\x0381c46036\x7f'; /usr/bin/printf '\00481c46036\177'; /bin/busybox tftp; /bin/busybox 81c46036tftp;

Connects to the command and control server, the address of which is stored in the executable file. Receives 4 bytes and sends the data package:

struct StartPacket {
  short field_0; // checksum of the whole package
  short field_2; // version (0x11)
  int   field_4; // checksum field_2
  int   field_8; // received bytes
  int   field_C; // checksum field_8
}

Gets confirmation, and then—addresses of two servers. The first one is used to receive a list of logins and passwords, the second one—for operation of the SOCKS proxy server. Interaction with these servers is performed in two different threads.

News about the Trojan

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number