Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/init.d/developer
- /etc/init.d/rcS_bak
- /etc/init.d/rcS
- /etc/rc.local
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- GNU
Modifies firewall settings:
- /sbin/iptables -A INPUT -p tcp --destination-port 22 -j DROP
- /sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP
- /sbin/iptables -A INPUT -p tcp --destination-port 37215 -j DROP
- /sbin/iptables -A INPUT -p tcp --destination-port 23 -j DROP
Launches processes:
- sh -c rm -rf /tmp/* /var/tmp/*
- rm -rf /tmp/* /var/tmp/*
- sh -c echo 0>/var/log/wtmp
- sh -c rm -rf /bin/netstat
- rm -rf /bin/netstat
- sh -c echo 0>/var/log/secure
- sh -c /sbin/iptables -A INPUT -p tcp --destination-port 22 -j DROP
- sh -c /sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP
- sh -c /sbin/iptables -A INPUT -p tcp --destination-port 37215 -j DROP
- sh -c /sbin/iptables -A INPUT -p tcp --destination-port 23 -j DROP
- sh -c rm -rf ~/.bash_history
- rm -rf /root/.bash_history
- sh -c history -c
- sh -c umount /proc/*
- sh -c /bin/busybox cp <SAMPLE_FULL_PATH> /usr/sbin/developer
- umount /proc/1 /proc/10 /proc/11 /proc/12 /proc/13 /proc/134 /proc/135 /proc/14 /proc/141 /proc/144 /proc/15 /proc/16 /proc/166 /proc/169 /proc/17 /proc/18 /proc/19 /proc/2 /proc/20 /proc/21 /proc/22 /proc/23 /proc/29 /proc/3 /proc/30 /proc/31 /proc/32 /proc/354 /proc/375 /proc/384 /proc/389 /proc/392 /proc/399 /proc/4 /proc/400 /proc/401 /proc/402 /proc/404 /proc/406 /proc/408 /proc/410 /proc/434 /proc/437 /proc/5 /proc/6 /proc/66 /proc/668 /proc/67 /proc/679 /proc/68 /proc/681 /proc/683 /proc/686 /proc/687 /proc/69 /proc/699 /proc/7 /proc/70 /proc/700 /proc/71 /proc/712 /proc/713 /proc/714 /proc/72 /proc/74 /proc/77 /proc/8 /proc/9 /proc/98 /proc/99 /proc/acpi /proc/buddyinfo /proc/bus /proc/cgroups /proc/cmdline /proc/consoles /proc/cpuin[rkmodule] [sh][PPID:0x2c9] [sh][PID:0x2cb] do_filp_open. Filename: \"/bin/umount\
- /bin/busybox cp <SAMPLE_FULL_PATH> /usr/sbin/developer
- sh -c /bin/busybox cp <SAMPLE_FULL_PATH> /etc/init.d/developer
- /bin/busybox cp <SAMPLE_FULL_PATH> /etc/init.d/developer
- sh -c /bin/busybox cp /etc/init.d/rcS /etc/init.d/rcS_bak
- /bin/busybox cp /etc/init.d/rcS /etc/init.d/rcS_bak
- sh -c /bin/busybox echo '/usr/sbin/developer self.load' >> /etc/init.d/rcS
- /bin/busybox echo /usr/sbin/developer self.load
- sh -c /bin/busybox echo '/etc/init.d/developer self.load' >> /etc/init.d/rcS
- /bin/busybox echo /etc/init.d/developer self.load
- sh -c echo '/usr/sbin/developer self.load' >> /etc/rc.local
- sh -c echo '/etc/init.d/developer self.load' >> /etc/rc.local
- sh -c /sbin/chkconfig --add mashiro
- /sbin/chkconfig --add mashiro
- sh -c setenforce 0
- sh -c mount -o bind /tmp /proc/732
- sh -c mount -o bind /tmp /proc/731
- sh -c mount -o bind /tmp /proc/734
- mount -o bind /tmp /proc/734
- mount -o bind /tmp /proc/731
- mount -o bind /tmp /proc/732
- sh -c mount -o bind /tmp /proc/712
- mount -o bind /tmp /proc/712
- sh -c mount -o bind /tmp /proc/730
- mount -o bind /tmp /proc/730
Performs operations with the file system:
Creates or modifies files:
- /var/log/wtmp
- /var/log/secure
- /usr/sbin/developer
- /run/mount/utab
Deletes files:
- /tmp/*
- /var/tmp/*
- /bin/netstat
- /root/.bash_history
- /
Mounts file systems:
- /tmp
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:13219
Establishes connection:
- 8.#.8.8:53
- 3.##.#58.164:42022
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- sh####.ilove26.cf
Sends data to the following servers:
- 3.##.#58.164:42022
Receives data from the following servers:
- 3.##.#58.164:42022