Library
My library

+ Add to library

Profile

Linux.Rex.1

Added to the Dr.Web virus database: 2016-08-13

Virus description added:

SHA1: 98172e49c3d5d70ffdcefd071f9762c58430a393

A multifunctional self-replicating Trojan for Linux written in Go. The Trojan implements the ВРЕ protocol to share data with other P2P botnet’s nodes and is launched as a node that receives and processes RPC messages. Probably, this malware program’s modification is still under development because it generates a large number of debugging messages recorded to the /dev/null device.

Once the -debug input parameter is received, the Trojan runs an HTTP server on port 6061. In addition, it executes the following commands:

CommandDescription
scanLaunch rpc provider that receives instructions for scanning
elevateSearch passwords and keys and elevate the privileges using sudo, su or SSH connection
stressLaunch rpc provider that receives instructions to carry out a DDoS attack
-wait <num>Wait for the process termination with a specified PID

When the elevate command is received, the Trojan tries to obtain user information and write it to the structure that looks as follows:

screen #drweb

Files are scanned for private SSH keys. PHP files are parsed in order to get login credentials. A separate function retrieves user accounts from drupalSettingsDatabases. The module tries to relaunch itself using su, sudo, and via SSH.

Once launched, the Trojan receives directives from a P2P network over HTTPS on port 5099 and transmits them to local nodes. To transmit instructions to a descendent node, the Trojan uses interprocess communication over RPC.

Several RPC plug-ins are launched on an infected node. The Scan plug-in is implemented for resource network search by a specified parameter and uses the library https://github.com/natefinch/pie. The plug-in applies scanners names as follows:

  • Drupal scanner
  • DrupalRESTWS scanner
  • Wordpress
  • magento
  • airos
  • Jetspeed
  • kerner
  • exagrid
  • ContactScanner
  • RansomScanner

The scan module

Some structures used by this module (a pseudo code similar to the Go syntax):

struct SetBinaryRequest{
    platform string,
    Binary rex.Binary
} 
 
struct SetBinaryResponse{
}
 
struct scanRequest{
    target *scanner.Target;
}
 
struct scanResponse{
    result *scanner.Result;
}
 
struct scanner.Target{
    host          string,
    port          Int,
    Username      string,
    password      string,
    isHTTP        bool,
    isTLS         bool,
    Via           string,
    Err           error, //string
    DisableRansom bool,
    done          *chan struct {}
}
 
struct scanner.Result{
    _              *scanner.Target,
    mu              sync.Mutex,
    Username        string
    Password        string
    Domain          string
    isHTTP          Bool
    isTLS           Bool
    Via             string
    Err             err
    Emansipated     bool
    Contacts      []scanner.Contact
    Ransom         *struct { Deadline time.Time; Address string; Amount int; 
Step int; Stressed bool }
}
rex.Binary{
    SHA1    [20]uint8,
    Data    []uint8,
}
struct scanner.Service{
    nm          scanner.networkMapper,
    scanner    *scanner.ConnScanner,
    targets    *chan *scanner.Target,
    resultsMU   sync.Mutex,
    results   []scanner.Target
}
 
iface scanner.Dialer{
    func Dial;
    func DialContext;
}
 
iface scanner.Scanner{
    func Scan;
}
 
iface scanner.PHPExecutor{
    func ExecPHP;
}
 
struct scanner.ConnScanner {
    dialer       scanner.Dialer{},<-interface with Dial, DialContext methods
    scanners   []scanner.Scanner, <-interface with Scan method
    binariesMu   sync.Mutex,
    binaries    *map[string]*rex.Binary,
}
 
struct scanner.HttpScanner{
    dialer      scanner.Dialer,
    http       *scanner.HTTP,
    payloadfn  *func(string) (io.Reader, error),
    scanners  []scanner.Scanner
}
 
struct scanner.HTTP {
    client    *http.Client,
    UserAgent  string
}
 
struct scanner.Drupal{
    _         *scanner.HTTP,
    dialer     scanner.Dialer,
    payloadfn *func(string) (io.Reader, error)
}
     
struct scanner.Wordpress {
    _          *scanner.HTTP
    payloadfn  *func(string) (io.Reader, error)
    revslider  *scanner.PHP
    showbiz    *scanner.PHP
    wpo        *scanner.PHP
}
 
struct scanner.PHP{
    _ scanner.PHPExecutor
    _ scanner.Dialer
}
... 

Drupal scanner

The Trojan first checks whether the Drupal CMS is installed on a website by searching the Changelog.TXT file and an index page. Then it parses them. It also checks the system for the CVE-2014-3704 vulnerability and performs an SQL injection into an input form in order to execute the following request:

update users set name='%s',pass='%s',status='1' where uid='1';

Then it executes the request

UPDATE filter_format SET status='1' WHERE format='php_core';

After that, the following command is performed:

kill `grep -l \^/tmp/x /proc/*/cmdline|sed s,/proc/,,|sed s,/cmdline,,`

Linux.Rex.1 loads its copy into an infected server and runs it:

nohup %s >/tmp/l 2>&1

DrupalRESTWS scanner

Checks a website for the vulnerability https://www.exploit-db.com/exploits/40130/. No other actions are performed.

Wordpress scanner

Checks whether a website uses Wordpress and has vulnerabilities specific for this CMS.

ContactScanner scanner

Requests an HTML page from a specified node, parses it and extracts email addresses from this page.

Magento scanner

Searches for RCE (remote code execution) vulnerabilities in Magento.

Kerner scanner

Attacks a remote node using shellshock vulnerability.

Airos scanner

Searches for devices that run AirOS and tries to detect the Ubiquiti airOS Arbitrary File Upload vulnerability.

Exagrid scanner

Checks a version of Exagrid (an application designed to manage data storage systems) in order to get public keys.

Jetspeed scanner

Checks for the CVE-2016-0712 vulnerability (Reflected Cross Site Scripting in URI path).

RansomScanner scanner

Tries to obtain all domains from the requested website and returns those ones that do not correspond to a transmitted IP.

Stress module

Like the scanner module, it launches an RPC server named "Stresser”. This module is responsible for performing DDoS attacks and spam email messaging. The following DDoS attacks can be carried out:

  • HttpFlood;
  • HttpPost;
  • slowLoris;
  • tlsThc;
  • DnsAmp.

In addition, the Trojan sends out email messages composed using the following template:

We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Or:

We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all. Right now we will start 15 minutes attack on your site's IP {{ .IP }}.
It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment.
It's just to prove that this is not a hoax. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second.
So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you.
AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Each message has the following line in the beginning:

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

Some structures used by this module (a pseudo code similar to the Go syntax):

struct stresser.Stresser {
    ua        *scanner.HTTP,
    nworkers   Int,
    jobsch    *chan ransom.Jobs
    token     *chan struct {}
}
 
typedef ransom.Jobs map[string]*ransom.Job
 
struct ransom.Job{
    IP        net.IP,
    DeadLine  time.Time,
    Address   string,
    Amount    Int,
    Step      Int,
    Stressed  Bool
}
 
struct rpc.StressArgs{
    IP       net.IP,
    Duration time.Time,
    Message  string,
    Yield    Bool
}
 
struct rpc.StressReply{
}  
 
iface stresser.Runner{
    func Run;
}
 
struct rpc.SetRansomJobsArgs{
    Jobs ransom.Jobs
}
 
struct rpc.SetRansomJobsReply{
}

If the Trojan is launched without parameters, it works as a new node of DHT network and monitors requests to port 5099. It also tries to identify an external IP address by requesting to the following resources:

https://ipv4.icanhazip.com
https://ipinfo.io/ip
http://www.trackip.net/ip?json

The Trojan can implement the DHT protocol. For data sharing, the https://github.com/gorilla/rpc library is used.

The following structures are used:

struct node.Node{
    ProxyAddr      string,
    cfg           *node.Config,
    mu             sync.Mutex,
    epoch          time.Time,
    dialer         node.Dialer,
    ip            *net.IP,
    targets       *chan *scanner.Target,
    jobsMu         sync.Mutex,
    jobs          *map[string]chan string,
    resultsMu      sync.Mutex,
    results     []*scanner.Result,
    key           *rsa.PrivateKey,
    mcp           *rsa.PublicKey,
    metrics       *map[string]*node.Counter,
    nodeMetricsMu  sync.Mutex,
    nodeMetrics   *map[string]map[string]interface {},
    report         Bool,
    safe           Bool,
    selfUpdate     Bool,
    ipWhitelist  []net.Ip,
    public         Bool,
    binariesMu     sync.Mutex,
    binaries      *map[string]*rex.Binary,
    myBinaryHash   hash.Hash, <-интерфейс
    dht           *dht.Node,
    stress        *chan *node.stressJob,
    ransomjobsch  *chan ransom.Jobs,
    ua            *scanner.HTTP
}
 
struct node.Config {
    disableScanner   Bool,
    disableStresser  Bool,
    disableRansom    Bool,
    _               *scanner.ConnScannerConfig
}
 
struct dht.Node{
    cfg         dht.NodeConfig,
    ContactDir  string,
    rtMu        sync.Mutex,
    rt          dht.RoutingTable,
    s          *dht.Store,
    addr       *net.TCPAddr,
    client     *dht.Client,
    wkeys    []*rsa.PublicKey
}
 
struct dht.NodeConfig {
    Bootstrap   []string,
    SaveContacts  string
}
 
struct dht.Store{
    mu  sync.Mutex,
    m  *map[dht.NodeID]*dht.Value
}
 
typedef dht.NodeID [0x14]uint8
 
struct dht.Client{
    node *dht.Node,
    rpc  *rpc.Client
}
 
struct dht.RoutingTable {
    _           dht.NodeID,
    buckets [160]dht.Bucket
}
typedef dht.Bucket [0x14]dht.Contact
 
struct dht.Contact {
    _     dht.NodeID,
    addr  string,
    time  time.Time
}
 
struct dht.Value{
    _         dht.NodeID,
    bytes   []uint8,
    sha1    []uint8,
    expires   time.Time,
    PSS     []uint8
}

The Trojan stores a list of botnet’s node addresses for connection. If an external IP coincides with one from the list, the connection will not be established.

News about the Trojan

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number