Proteggi ciò che crei

Le altre nostre risorse


La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto 24/7 | Regole per contattare




Aggiunto al database dei virus Dr.Web: 2017-02-28

La descrizione è stata aggiunta:


  • db6d99702dd8bb19c2a7608094ab3b4e9535d266
  • 9db691d2e302cbd6e7beba7f71e675911a17a6c7

A Trojan for Linux, including Air OS that is developed by Ubiquiti Networks and installed on its devices. It is implemented as bash scripts distributed in the archive tgz. Implements the following modifications in file /etc/passwd:


The contents of the archive:



Checks the system for the user account with login "moth3r". If there is no such account, the Trojan creates it. Checks if the Trojan is registered in the autorun, and if it is not registered—it specifies in file /etc/persistent/rc.poststart the unpacking of its own archive and launch of the “mother” script.

Deletes SSH keys and restarts the device.


Installs on the infected device curl, libcurl, libssl, libz, and allows downloading and running arbitrary files. In the body of the download file there is a link to website If the file that is located through the link contains word "nomorelies”, and hash of the corresponding file fragment is equal to "d709745c628f6682ae506d54e4320a28”, then this file will be saved and executed.



Blocks access to the infected device through ports 80 and 443. Checks the system for a user with login "moth3r”, and if it is not available—it creates one.

Sets the following ssid to the wi-fi network: "mootherf u c k e r". Initiates scanning of subnets accessed by the device.


Forms IP address in the cycle and launches the infect script, thus transferring the formed IP address as a parameter.


Can take on 4 arguments:

  • IP address of the infected device;
  • String "dbss";
  • SSH port;
  • Protocol type ("http" or "https").

If SSH port is not specified, the script searches for the appropriate port by addressing ports 22 and 222. If the response contains string "dropbear”, this port is considered to be the required one.

If string "dbss” is indicated as an argument, and an SSH port is indicated or found, the script connects to the device via the SSH protocol using the key (MFID) and installs itself on this device.

If the protocol type is not indicated, the connection is executed via the http protocol, then—via the https protocol. Searches for the "airos" string in the reply.

If the Trojan successfully defines the protocol (or if protocol is indicated as an argument), the infection of devices is executed with the use of web interface vulnerability that allows downloading an arbitrary file through an arbitrary path without authorization.


The Trojan overwrites files /etc/passwd and /etc/dropbear/authorized_keys, and replaces them with its own, after that it connects to the device via the SSH protocol using the key.

If the Trojan cannot define the protocol (or Air OS is not installed on the infected device), it can make an attempt to generate account details for the SSH connection using a special dictionary with the use of logins “root”, “admin”, “ubnt” and passwords stored in the “passlst” file.


Contains only one user—moth3r.


Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

Sviluppatore russo degli antivirus Dr.Web

Esperienza di sviluppo dal 1992

Dr.Web viene utilizzato in 200+ paesi del mondo

L'antivirus viene fornito come un servizio dal 2007

Supporto ventiquattro ore su ventiquattro

© Doctor Web
2003 — 2020

Doctor Web — sviluppatore russo dei software di protezione antivirus delle informazioni Dr.Web. I prodotti Dr.Web vengono sviluppati fin dal 1992.

125040, Russia, Mosca, la 3° via Yamskogo polya, 2, 12A