Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Virus library

An analysis of the technologies used by cybercriminals allows us to draw conclusions about the virus industry’s possible vectors of development and more effectively confront future threats. You, too, can learn what actions various malicious programs take in infected systems and how to withstand them.

Linux.Sshdkit in virus library:

A malicious dynamic library for 32-bit and 64-bit Linux distributions. On different infected servers, the following file names were detected:

  • libkeyutils.so.1.9,
  • libkeyutils.so.1.3.0,
  • libkeyutils.so.1.3.2,
  • libkeyutils-1.2.so.2.

Depending on the platform, the files resided in /lib or /lib64.</p. <<

The Trojan's main purpose is to steal SSHD passwords by intercepting the following functions:

  • pam_authenticate,
  • crypt.

Using the XOR algorithm and a 4-byte key stored in the Trojan's body, the malicious program encrypts data and forwards it via the UDP protocol to port 53 of the remote server. The data is included into a standard DNS request for dereferencing of a domain name.

At first, the IP address 78.47.***.110 is used as a remote server. After that, a new IP address is determined every two days. For this purpose, a domain generation algorithm consisting of the following steps is used:

  1. Depending on the infection date, two numbers are selected every two days.
  2. Every number is modified into a string sequence with one of the following suffixes: “.biz”, “.info”, “.net”.
  3. Both strings should resolve to the same IP address.
  4. The IP address determined at the third step is modified into the final IP address, which will be used for data transfer.

It should be noted that the counter of infection days resets every 10, 20, 30 and till 1,024 days from the moment of infection. Thus, a possible number of domain pairs equals 1,024.

The malware also performs other malicious activities. For example, it can set a default password to access the infected server. Moreover, the Trojan can execute the following commands:

  • Xver—print to the console the Trojan's version.
  • Xcat—print to the console the gathered data.
  • Xbnd—establish a connection using the connect() function.

Linux.Sshdkit in virus library:

Vulnerabilities for Android

According to statistics, every fifth program for Android contains a vulnerability (or, in other words, a "loophole") that lets cybercriminals successfully introduce Trojans onto mobile devices and manipulate them into doing whatever actions they need them to.

Dr.Web Security Auditor for Android diagnoses and analyses a mobile device’s security and offers solutions to address security problems and vulnerabilities.

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124