Linux.BackDoor.Xunpes.1

Added to the Dr.Web virus database: 2016-01-20

Virus description added:

SHA1 (backdoor): e2432fa6c53dfb62aeba242cd28fc4d51a70dbe3
SHA1 (dropper): de5cc2779b9519bc3bbbda084f0b4cb858d2f890

A backdoor Trojan for Linux that consists of a dropper and a payload; the payload performs the main malicious functions.

The dropper is built with Lazarus, a free cross-platform IDE for the Free Pascal compiler. Once launched, it displays the following dialog prompting the user to enter a login and password:

[screenshot: the dropper's login dialog]

If arbitrary values are entered, other than those hard coded in the Trojan's body, the dialog boxes "Initializing", "Connecting" and "Signing in" appear on the screen in succession, followed by the error message "Incorrect user ID or password. Please try again". If the user enters one of the credential pairs from the following list:

  • j****/g***********
  • m*****/f*********
  • c****/j********

the Trojan responds with: "An error occurred while attempting to login: invalid user token".

The Trojan's second component, the backdoor itself, is saved to /tmp/.ltmp/ when the dropper is launched. Once running, the backdoor decrypts its configuration strings, which are encrypted with the RC4 algorithm; the decryption key is hard coded in the Trojan's body. The configuration has the following structure:

[screenshot: the decrypted configuration]

  • serversList: the list of C&C servers to which a connection is established;
  • proxyList: the list of proxy servers through which the connection may be established;
  • Salt: a string used to generate a password;
  • bitMask: a number whose bits are checked; for each bit set to 1, the corresponding action is performed during initialization.

Bit values:

Bit     Action
0x1     Copies itself to the location given by the pathToExe field of the configuration.
0x2     Processes the -m parameter: "-m file" removes the specified file or folder.
0x4     Unlocks its own executable file for read/write.
0x8     Sets autorun through $HOME/.config/autostart.
0x10    Sets autorun through crontab.
0x20    Opens /tmp/$tmpLockFileName and write-protects it.
0x40    Launches a keylogger thread.
0x80    Executes fork and chdir.
0x100   Adds the system proxies to the list of proxy servers to use.
0x400   Tries a proxy first when connecting to the server.
0x800   Connects via a proxy only.

The .default.conf file is created in the folder containing the executable and has the following structure:

#include <stdint.h>

struct conf {
    int32_t magic;      // 0x0DE03C44, file signature
    char    hostid[32]; // set by command id=9
    char    group[32];  // set by command id=10
};
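As an added triage helper (not code from the page or from the malware), the following parses a .default.conf according to the struct above and decodes a bitMask value into the initialization actions from the table above. It assumes a little-endian on-disk layout and NUL-padded strings, which the description does not state; the sample bytes are constructed here.

```python
import struct
from typing import List, Optional

# Layout of .default.conf from the struct above: int32 magic, char hostid[32], char group[32].
# Assumption (not stated on the page): little-endian byte order, NUL-padded strings.
CONF_MAGIC = 0x0DE03C44
CONF_FORMAT = "<I32s32s"
CONF_SIZE = struct.calcsize(CONF_FORMAT)  # 68 bytes

# Initialization actions selected by the configuration's bitMask (from the bit table above).
BITMASK_ACTIONS = {
    0x1: "copy self to pathToExe",
    0x2: "process -m parameter (delete file/folder)",
    0x4: "unlock own executable for read/write",
    0x8: "autorun via $HOME/.config/autostart",
    0x10: "autorun via crontab",
    0x40: "start keylogger thread",
    0x20: "open and write-protect /tmp/$tmpLockFileName",
    0x80: "fork/chdir",
    0x100: "add system proxies to proxy list",
    0x400: "try proxy first",
    0x800: "proxy only",
}


def parse_default_conf(data: bytes) -> Optional[dict]:
    """Return hostid/group if data starts with a .default.conf carrying the expected magic, else None."""
    if len(data) < CONF_SIZE:
        return None
    magic, hostid, group = struct.unpack_from(CONF_FORMAT, data)
    if magic != CONF_MAGIC:
        return None
    return {
        "hostid": hostid.split(b"\0", 1)[0].decode("ascii", "replace"),
        "group": group.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def decode_bitmask(mask: int) -> List[str]:
    """List the initialization actions enabled by mask; bits not in the table are reported as unknown."""
    actions = [name for bit, name in sorted(BITMASK_ACTIONS.items()) if mask & bit]
    unknown = mask & ~sum(BITMASK_ACTIONS)
    if unknown:
        actions.append(f"unknown bits 0x{unknown:x}")
    return actions


# Constructed sample conf (not a real artifact): magic, hostid "host-0001", group "lab".
SAMPLE_CONF = struct.pack(CONF_FORMAT, CONF_MAGIC, b"host-0001", b"lab")

if __name__ == "__main__":
    print(parse_default_conf(SAMPLE_CONF))
    print(decode_bitmask(0x58))
```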

Once initialization and decryption of the configuration are complete, the backdoor connects to one of the servers, sends it the key and starts executing commands. All commands except the one with id=5 are encrypted.

The list of commands:

Id     Action
5      Receives from the server the key used to decrypt subsequent commands. This is the only message that arrives unencrypted; it contains not only the key but also a buffer that the backdoor sends upon connection, encrypted using the received key.
7      Closes all open files and resets the encryption keys; in effect, a command to terminate the connection.
8      Removes itself from autorun and shuts itself down.
9      Sets the hostid field in the configuration file.
10     Sets the group field in the configuration file.
11     Makes an HTTP request, saves the received file into /tmp/ and executes it.
12     Runs a file whose path and arguments are received from the server; this terminates the backdoor.
13     Ends the connection and shuts itself down.
14     Makes an HTTP request and saves the received file into /tmp/. The server decides whether the file is executed.
17     Sends a list of files and folders in a specified directory (without descending into subfolders).
19     Launches a thread that checks a specified folder for files matching a supplied mask and sends them to the server until a command to terminate this thread is received.
21     Terminates the thread used for file transfer.
22     Opens a file, stores its handle under an index number and sends its contents to the server.
23     Writes to the file whose handle is stored under the index number.
25     Copies a file.
26     Executes a system call to create a new process and runs it.
27     Renames a file.
28     Deletes a file.
29     Creates a folder.
30     Deletes a folder.
31     Creates a new folder or sends a recursive list of the files in a folder, depending on the value of the first 4 bytes.
33     Creates a zip archive of a specified folder.
35     Launches a thread used for executing bash commands.
36     Sends a command to the thread used for executing bash commands.
37     Terminates the thread used for executing bash commands.
39     Sends information about the device and the .default.conf file.
41     Reads information from utmp.
45     Kills a process by its pid.
46     Reads the title of the current window.
47     Closes a specified window by sending it a ClientMessage event of type _NET_CLOSE_WINDOW.
48     Sends the autorun files from /usr/share/applications/ to the server.
50     Makes an HTTP request and saves the received file into /tmp/. The server decides whether the file is executed.
52-53  Generates a KeyPressed event.
54     Generates a ButtonRelease event.
56     Takes a screenshot and sends it to the server.
59     Sends a list of the files created by the keylogger, if it is enabled.
61     Retrieves the size of a file created by the keylogger.
62     Deletes a file created by the keylogger.
63     Sends the contents of a file created by the keylogger to the server.
67     Reads information about open sockets from /proc and sends it to the server.


Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
