The page may not load correctly.
An analysis of the technologies used by cybercriminals allows us to draw conclusions about the virus industry’s possible vectors of development and more effectively confront future threats. You, too, can learn what actions various malicious programs take in infected systems and how to withstand them.
A family of Linux Trojans. One of its representatives is described below.
A modified version of Linux.DDoS.87 and Linux.DDoS.89. Its main differences from Linux.DDoS.89 are as follows:
The Trojan’s configuration looks as follows:
Number | Value | Purpose |
---|---|---|
3 | listening tun0 | main output to stdin |
4 | Host | Command and control (C&C) server’s IP address |
5 | Port | C&C server’s port |
6 | "https://youtube.com/watch?v=dQw4w9WgXcQ" | |
7 | "/proc/" | runkiller |
8 | "/exe" | runkiller |
9 | " (deleted)" | |
10 | "/fd" | runkiller |
11 | ".anime" | runkiller |
12 | "REPORT %s:%s" | runkiller |
13 | "HTTPFLOOD" | runkiller |
14 | "LOLNOGTFO" | runkiller |
15 | "\x58\x4D\x4E\x4E\x43\x50\x46\x22" | runkiller |
16 | "zollard" | runkiller |
17 | "GETLOCALIP" | |
18 | Host | |
19 | Port | |
20 | "shell" | |
21 | "enable" | |
22 | "system" | |
23 | "sh" | |
24 | "/bin/busybox MIRAI" | |
25 | "MIRAI: applet not found" | |
26 | "ncorrect" | |
27 | "/bin/busybox ps" | |
28 | "/bin/busybox kill -9 " | |
29 | "TSource Engine Query" | |
30 | "/etc/resolv.conf" | |
31 | "nameserver" | |
32 | "Connection: keep-alive" | |
33 | "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" | |
34 | "Accept-Language: en-US,en;q=0.8" | |
35 | "Content-Type: application/x-www-form-urlencoded" | |
36 | "setCookie('" | |
37 | "refresh:" | |
38 | "location:" | |
39 | "set-cookie:" | |
40 | "content-length:" | |
41 | "transfer-encoding:" | |
42 | "chunked" | |
43 | "keep-alive" | |
44 | "connection:" | |
45 | "server: dosarrest" | |
46 | "server: cloudflare-nginx" | |
47 | "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" | User Agent |
48 | "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" | User Agent |
49 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" | User Agent |
50 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" | User Agent |
51 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" | User Agent |
All samples of the Trojan use a function that hides the following strings:
def decode(str_enc):
return "".join([chr(ord(x) ^ 0x22) for x in str_enc])
Once launched, the Trojan removes its executable file from the disk, blocks the SIGINT signal with the help of sigprocmask, and sets the parameter SIG_IGN for SIGCHLD and a handler for SIGTRAP.
Then the Trojan tries to open the /dev/watchdog file for reading/writing (/dev/misc/watchdog is also checked) and, if successful, disables the watchdog timer.
ioctl(fd, WDIOC_SETOPTION, WDIOS_DISABLECARD)
The Trojan subsequently opens a root folder and sends a request to the address 8.8.8.8:53 to get the IP address of its network traffic.
Next, the Trojan calculates a function taken from the argv[0] value:
def check(name):
print name
a = [ord(x) for x in name]
sum = (0 - 0x51) & 0xff
for i in [2,4,6,8,10,12]:
z = (~a[i % len(a)] & 0xff)
sum = (sum + z)&0xff
#print "%x %x %x" % (z, sum, sum % 9)
return sum % 9
This function returns a number from 0 to 8 that represents an index in a function array:
off_8055DC0 dd offset bind_socket ; DATA XREF: main+109o
.rodata:08055DC4 dd offset sub_80517E0
.rodata:08055DC8 dd offset sub_8051730
.rodata:08055DCC dd offset create_config
.rodata:08055DD0 dd offset sub_8051760
.rodata:08055DD4 dd offset sub_80523F0
.rodata:08055DD8 dd offset strcopy
.rodata:08055DDC dd offset runkiller
.rodata:08055DE0 dd offset sub_804E900
If argv[0] == “./dvrHelper”, a parental process receives the SIGTRAP signal (for which a handler was previously installed). The handler, in turn, modifies the IP address taken from the configuration and the C&C server’s port to which the Trojan will connect.
Then a listening socket is opened at the address 127.0.0.1:48101. If this port is busy with another process, the Trojan runs a function that finds the process and kills it.
The Trojan subsequently generates a name that looks like a random sequence containing the characters [a-z 0-9] and writes it to argv[0]. Using the prctl function, the process’s name is changed to a random one.
Next, the Trojan creates child processes and terminates the parental one. All further steps are performed in a child process—in particular, a structure containing handlers is filled in. Then a function responsible for scanning telnet nodes and a function that terminates the processes of other Trojans are launched. The Trojan then runs a handler for incoming instructions sent from the C&C server. If the Trojan detects that a connection to a local server is being established, it runs a child process to scan vulnerable telnet nodes and terminates the parental process.
The picture below shows a code fragment for Linux.DDoS.87 (left column) and Linux.Mirai (right column).
A family of Linux Trojans. One of its representatives is described below.
A modified version of Linux.DDoS.87 and Linux.DDoS.89. Its main differences from Linux.DDoS.89 are as follows:
The Trojan’s configuration looks as follows:
Number | Value | Purpose |
---|---|---|
3 | listening tun0 | main output to stdin |
4 | Host | Command and control (C&C) server’s IP address |
5 | Port | C&C server’s port |
6 | "https://youtube.com/watch?v=dQw4w9WgXcQ" | |
7 | "/proc/" | runkiller |
8 | "/exe" | runkiller |
9 | " (deleted)" | |
10 | "/fd" | runkiller |
11 | ".anime" | runkiller |
12 | "REPORT %s:%s" | runkiller |
13 | "HTTPFLOOD" | runkiller |
14 | "LOLNOGTFO" | runkiller |
15 | "\x58\x4D\x4E\x4E\x43\x50\x46\x22" | runkiller |
16 | "zollard" | runkiller |
17 | "GETLOCALIP" | |
18 | Host | |
19 | Port | |
20 | "shell" | |
21 | "enable" | |
22 | "system" | |
23 | "sh" | |
24 | "/bin/busybox MIRAI" | |
25 | "MIRAI: applet not found" | |
26 | "ncorrect" | |
27 | "/bin/busybox ps" | |
28 | "/bin/busybox kill -9 " | |
29 | "TSource Engine Query" | |
30 | "/etc/resolv.conf" | |
31 | "nameserver" | |
32 | "Connection: keep-alive" | |
33 | "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" | |
34 | "Accept-Language: en-US,en;q=0.8" | |
35 | "Content-Type: application/x-www-form-urlencoded" | |
36 | "setCookie('" | |
37 | "refresh:" | |
38 | "location:" | |
39 | "set-cookie:" | |
40 | "content-length:" | |
41 | "transfer-encoding:" | |
42 | "chunked" | |
43 | "keep-alive" | |
44 | "connection:" | |
45 | "server: dosarrest" | |
46 | "server: cloudflare-nginx" | |
47 | "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" | User Agent |
48 | "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" | User Agent |
49 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" | User Agent |
50 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" | User Agent |
51 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" | User Agent |
All samples of the Trojan use a function that hides the following strings:
def decode(str_enc):
return "".join([chr(ord(x) ^ 0x22) for x in str_enc])
Once launched, the Trojan removes its executable file from the disk, blocks the SIGINT signal with the help of sigprocmask, and sets the parameter SIG_IGN for SIGCHLD and a handler for SIGTRAP.
Then the Trojan tries to open the /dev/watchdog file for reading/writing (/dev/misc/watchdog is also checked) and, if successful, disables the watchdog timer.
ioctl(fd, WDIOC_SETOPTION, WDIOS_DISABLECARD)
The Trojan subsequently opens a root folder and sends a request to the address 8.8.8.8:53 to get the IP address of its network traffic.
Next, the Trojan calculates a function taken from the argv[0] value:
def check(name):
print name
a = [ord(x) for x in name]
sum = (0 - 0x51) & 0xff
for i in [2,4,6,8,10,12]:
z = (~a[i % len(a)] & 0xff)
sum = (sum + z)&0xff
#print "%x %x %x" % (z, sum, sum % 9)
return sum % 9
This function returns a number from 0 to 8 that represents an index in a function array:
off_8055DC0 dd offset bind_socket ; DATA XREF: main+109o
.rodata:08055DC4 dd offset sub_80517E0
.rodata:08055DC8 dd offset sub_8051730
.rodata:08055DCC dd offset create_config
.rodata:08055DD0 dd offset sub_8051760
.rodata:08055DD4 dd offset sub_80523F0
.rodata:08055DD8 dd offset strcopy
.rodata:08055DDC dd offset runkiller
.rodata:08055DE0 dd offset sub_804E900
If argv[0] == “./dvrHelper”, a parental process receives the SIGTRAP signal (for which a handler was previously installed). The handler, in turn, modifies the IP address taken from the configuration and the C&C server’s port to which the Trojan will connect.
Then a listening socket is opened at the address 127.0.0.1:48101. If this port is busy with another process, the Trojan runs a function that finds the process and kills it.
The Trojan subsequently generates a name that looks like a random sequence containing the characters [a-z 0-9] and writes it to argv[0]. Using the prctl function, the process’s name is changed to a random one.
Next, the Trojan creates child processes and terminates the parental one. All further steps are performed in a child process—in particular, a structure containing handlers is filled in. Then a function responsible for scanning telnet nodes and a function that terminates the processes of other Trojans are launched. The Trojan then runs a handler for incoming instructions sent from the C&C server. If the Trojan detects that a connection to a local server is being established, it runs a child process to scan vulnerable telnet nodes and terminates the parental process.
The picture below shows a code fragment for Linux.DDoS.87 (left column) and Linux.Mirai (right column).
Name | Vendor | Dr.Web classification name |
---|---|---|
Linux | Avira | Elf.dropper.2647 |
Linux.Mirai.2388
Linux.Mirai.2391
Linux.Mirai.2392
Linux.Mirai.2398
Linux.Mirai.2399
Linux.Mirai.2428
Linux.Mirai.2429
Linux.Mirai.2435
Linux.Mirai.2453
Linux.Mirai.2454
Linux.Mirai.2456
Linux.Mirai.2473
Linux.Mirai.2474
Linux.Mirai.2475
Linux.Mirai.2488
Linux.Mirai.2686
Linux.Mirai.2687
Linux.Mirai.2701
Linux.Mirai.2720
Linux.Mirai.2721
Linux.Mirai.2722
Linux.Mirai.2723
Linux.Mirai.2724
Linux.Mirai.2725
Linux.Mirai.2726
Linux.Mirai.2727
Linux.Mirai.2733
Linux.Mirai.2738
Linux.Mirai.2740
Linux.Mirai.2745
Linux.Mirai.2751
Linux.Mirai.2752
Linux.Mirai.2753
Linux.Mirai.2759
Linux.Mirai.2768
Linux.Mirai.2769
Linux.Mirai.2770
Linux.Mirai.2810
Linux.Mirai.2812
Linux.Mirai.2813
Linux.Mirai.2817
Linux.Mirai.2847
Linux.Mirai.2848
Linux.Mirai.2849
Linux.Mirai.2853
Linux.Mirai.2862
Linux.Mirai.2912
Linux.Mirai.2945
Linux.Mirai.2964
Linux.Mirai.2967
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158
According to statistics, every fifth program for Android contains a vulnerability (or, in other words, a "loophole") that lets cybercriminals successfully introduce Trojans onto mobile devices and manipulate them into doing whatever actions they need them to.
Dr.Web Security Auditor for Android diagnoses and analyses a mobile device’s security and offers solutions to address security problems and vulnerabilities.