La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Linux.Rootkit.400

Aggiunto al database dei virus Dr.Web: 2024-06-21

La descrizione è stata aggiunta:

  • sha1:071f7fa9dfb36b512d779668763d9d29462d1f543dde0056a100e6482a7325b3

Description

A rootkit written in C and designed as a kernel module for a number of Linux distributions (RHEL, Debian and EulerOS). Used as part of the SkidMap meta project for cryptocurrency mining, it replaces a number of kernel functions to mask the mining process.

MITRE matrix

Stage Tactic
Execution (TA0002) Unix Shell (T1059.004)
Defense Evasion (TA0005) Rootkit (T1014)
Disable or Modify Tools (T1562.001)
Disable or Modify Linux Audit System (T1562.012)
Match Legitimate Name or Location (T1036.005)
File/Path Exclusions (T1564.012)

Operating routine

A malicious Linux kernel module distributed on a compromised machine by the Linux.MulDrop.142/143 dropper. The rootkit's tasks are to:

  • Hide its own module
  • Hide a number of processes
  • Display false information about CPU usage
  • Hide network activity
  • Hide file artifacts related to the miner's work
  • Prohibit the loading of kernel modules that perform anti-rootkit functions
  • Filter debugging information
Kernel function Module Description
account_user_time cpu Substitutes the value of the miner process runtime by 1
loadavg_proc_show loadavg Substitutes the average system load values output to the /proc/loadavg file
tcp4_seq_show
tcp6_seq_show
port Hides information output to the proc/net/tcp and proc/net/tcp6 files about network activity on the following ports: 500, 8990, 3333, 4444, 5555, 6666, 7777, 3334, 3335, 30182, 52126, 53126, and 60032
filldir64 file Checks the filename in the read directory’s list of files for a match with one of the 45 names; if one matches, the file is hidden.
inet_sk_diag_fill diag Prohibits the use of this diagnostic function on the following ports: 500, 8990, 3333, 4444, 5555, 6666, 7777, 3334, 3335, 30182, 52126, 53126, and 60032
module_frob_arch_sections deny Intercepts loaded kernel modules and checks the strings they contain for keywords
parse_args symbol Checks command arguments for the same keywords that the deny module uses
vprintk
panic
bpf_trace_printk
trace_printk
vmcore These hooks are stubs; functions are not performed
sched_debug_show sched_debug Stub; no function is performed
perf_event_open perf Makes the syscall available only to the initialization process (PID 1) and disallows all others

List of files hidden by the file module:


mcpuinfo.ko
mzoneinfo.ko
kmeminfo.ko
systemd-firstload
postcated
devlinked
matchpathcond
mountinfo
telinited
systemd-udeved
systemd-udeved.service
logrotated
ldattached
hardlinked
biosdecoded
dhclientd
systemd-reboot
systemd-logined
collectd
ilog.h
olog.h
rctlconf
rctl_cert.pem
rctl_priv.pem
rctl_ca.crt
rctlcli.cfg
infocmp
selinuxdefconed
selinuxexecconed
postaliasd
blockdeved
lgroupdeleted
postmaped
getsebooled
systemd-runlevel
systemd-cgroup
systemd-deltaed
gettexted
dpkgsplit
lsloginsd
plymouthed
partprobed
discovered
mldconfig
review

The symbol and deny modules check for the following keywords:


sysdig_probe
scap
antirootkit
anti
rootkit
ANTIROOTKIT
ANTI
ROOTKIT
Anti
Rootkit

The rootkit also intercepts the execve system call: if the called executable can detect the presence of file and network attack artifacts, the rootkit replaces the path to that file with the path to a patched utility that was previously installed by the Linux.MulDrop.142/143 dropper. Calls to the following programs are intercepted:


conntrack
ifconfig
ip
iftop
netstat
unhide-tcp
unhide-linux
unhide-posix
tcpdump
busybox
telnet
ping
less
more
stat
mkdir
rmdir
head
tail
cat
mv
rm
ls
cp

Note that in different versions of the rootkit, such as 0.0.11 and 0.0.12, there are some differences in the paths used to store patched versions of executables. In version 0.0.11, patched network utilities are stored in /etc/infocmp, while in version 0.0.12, they are stored in /etc/reviews. Also, in the newer version of the rootkit, file system utilities are no longer used and have been replaced by intercepting FS system calls. This indicates that the project is under active development.

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number