- dc4229d5fb4ee05ad2f7643e57a5d5796e43e8c8 (unpacked)
- 29d053a4ed228630904538cfb859d7ad54281161 (packed)
A Linux Trojan designed to set up a proxy server on the infected computer. It is distributed in the course of attacks aimed at brute-forcing accounts to get access to an attacked system using the SSH protocol.
It can take the following arguments:
- --lport—local port for the proxy;
- --laddr—local address for the proxy;
- --cport—command and control server port;
- --caddr—command and control server IP address;
- --debug—is not used;
- --timeout—timeout between requests;
- --ident—ident parameter for the standard syslog function;
- --name—same as ident;
- --syslog—enable logging;
- --transproxy—set up a SOCKS proxy on the infected machine;
- --secret—if this parameter is specified, the Trojan deletes its original file and replicates itself to "/etc/tirqd";
- --noweb—disable support for HTTP traffic;
- --anti—enable the “paranoid” mode;
- --pretimeout—same as timeout;
- --udp—command and control server IP address (data will be sent using a method different from caddr);
- --killer—“kill” processes that refer to specific addresses;
- --badcn—list of addresses to block;
- --yaban—is not used.
Once launched, the Trojan removes its own working directory ("/tmp/.../") and clears the list of iptables rules. Then it “kills” processes of a number of running applications—for example, of programs used to log events and analyze traffic:
killall syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump killall -9 syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump kill -9 `pidof syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump`
Using the "/var/log/*" and "/disk/*log*" masks, the Trojan replaces existing directories and system log files with folders under the same names—this makes creation of logs with identical names in future impossible:
mkdir /var/log/all.log /var/log/auth.log /var/log/messages /var/log/secure /var/log/everything.log /var/log/messages.log /disk/all.log /disk/auth.log /disk/messages /disk/secure /disk/everything.log /disk/messages.log
The malicious program modifies the "/etc/coyote/coyote.conf" configuration file by adding the following string:
Then it removes a number of system tools from /bin/, /sbin/, and /usr/bin/:
The Trojan sets up the “immutable” flag for the following files:
If the Trojan receives a list of addresses by means of the “badcn” argument, the malicious program blocks those addresses and also the addresses from three lists stored in the Trojan's body. At that, “blocking” means that after an appropriate iptables rule is created, a specific IP address is not allowed to send or receive packages over a specified port or protocol. For the addresses from the first two lists, TCP and ICMP packages are blocked; for the addresses from the third list, all packages.
For each blocked IP or a range of IP addresses, a corresponding file with the ".filtered" extension is created in the working directory of the Trojan.
To execute its main function—operating as a proxy server—the Trojan opens a specified port and monitors connections at the laddr:lportlocal address or, if laddr is not specified, at 0.0.0.0:lport.
If the "noweb" argument is specified, the malicious program checks all traffic from the client to the server looking for the following strings:
Accept-Language: User-Agent: Mozilla/
The Trojan replaces these strings with the following one:
where %08X is replaced with the command and control server IP in a hex representation. Moreover, the string
is replaced with
where %08X is also replaced with the command and control server IP in a hex representation.
If the "anti" argument and "lport" with the "80" value are specified in the incoming parameters, the Trojan searches packages for the "Location: http://" string. If successful, the malware creates an empty file with the "/tmp/.../ip.good" name, where ip indicates an IP address generated by the Trojan as follows:
rndnum = Rnd() % 25 + 97; ip_a ^= rndnum ^ 5; ip_b ^= rndnum ^ 8; ip_c ^= rndnum ^ 10; ip_d ^= rndnum ^ 3; sscanf(dword_807A728, "%d.%d.%d.%d", &ip_a, &ip_b, &ip_c, &ip_d);
Moreover, if the "lport" parameter has the 80 value or the 8080 value, the Trojan searches packages for the "PHP//apsession/" string. If successful, the following string is added to the package:
snprintf(&phpapsession, 10, "%c%02x%02x%02x%02x", rndnum, ip_a, ip_b, ip_c, ip_d);
The Trojan encompasses a list of strings for which it searchers network traffic. If any of the strings is detected, the Trojan blocks data transfer to the corresponding remote server at the IP address:
kproxy.com Mozilla/5.0 (compatible; coccoc/1.0; +http://help.coccoc.com/) Mozilla/5.0 (compatible; LinkpadBot/1.06; +http://www.linkpad.ru) Mozilla/5.0 (compatible; Linux x86_64; Mail.RU_Bot/2.0; +http://go.mail.ru/help/robots) Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0); 360Spider Mozilla/5.0 (compatible; oBot/2.3.1; +http://filterdb.iss.net/crawler/) Mozilla/5.0 (compatible; spbot/4.0.9; +http://OpenLinkProfiler.org/bot ) Mozilla/5.0 (compatible; spbot/4.1.0; +http://OpenLinkProfiler.org/bot ) Mozilla/5.0 (compatible; SputnikBot/2.3) Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1; 360Spider Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:188.8.131.52) Gecko/2009073022 Firefox/3.5.2 (.NET CLR 3.5.30729) SurveyBot/2.3 (DomainTools) Mozilla/5.0 (Windows; Crawler; U; Windows NT 6.0; en-US; rv:184.108.40.206) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729) Hellocoton.fr nutch-1.4/Nutch-1.4 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Mozilla/4.0 (Windows 98; US) Opera 10.00 [en] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:220.127.116.11) Gecko/2009021910 Firefox/3.0.7 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/18.104.22.1685 Safari/532.5 Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.16 SurveyBot DomainTools SV1; InfoPath.2; .NET CLR 2.0.50727 Chrome/22.214.171.1245 YandexBot SpeedTestSpeedTest ooglebot panscient.com Yahoo! Slurp; spamspamspam slowhttptest ihatespammers nospam.html SpamBlocker Hendas HTTP /?stopspamme /?injection User-Agent: Java ../../.. djbghklmxtvwtyafzchcm eghijkacfm.herathle Wget SPAMMING stop_spaming_me GET /10.php HTTP GET /20.php HTTP GET /30.php HTTP GET /40.php HTTP odfnh.brahfuwzu lylvueleb impulse-m. dnikoydle gisro.a goodcarecard.a
Moreover, the contents of the "/etc/badwords". file are added to the list. The list of forbidden words also has a part which changes in accordance with the contents of the incoming package:
- If an HTTP header contains the following string:
the list of forbidden words is appended with the following values:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- If the following fields are specified:
or the following string is present:
Accept: */*\nAccept-language: en-us\n
the list of forbidden words is appended with the following string:
GET /index.php HTTP
- If the following field is specified:
and the "Referer" field is missing, while the GET field contains a string from the following list:
the list of forbidden words is appended with the following value:
GET /products/ HTTP GET /cart/ HTTP GET / HTTP
- If a file with either the .gif extension or the .jpg extension is requested, the following strings are added to the “black list”:
_ HTTP spammer CONTACTING_US
- If the following field is specified:
the “black list” is appended with the following string:
Moreover, the Trojan uses the list of ignored and suspicious words appending them with the contents from the "/etc/ignorewords" file.
Apart from blocking remote nodes from the list, the Trojan checks all network connections and sends the remote server the IP address to which the connection is established. If the server responds with the “kill” command, the Trojan shuts down the application that established the connection and blocks the IP address using iptables. In the home directory, Linux.Ellipsis.1 creates the "ip.filtered" file, where "ip" is replaced with a string representation of the blocked IP address. The same check is applied to processes that contain "sshd" in their names. IP addresses from the lists are blocked forever, while other addresses are blocked just for 2 hours—once every half an hour, a separate malicious process scans the contents of the home directory looking for files that were created more than two hours ago and whose names start with an IP address. After that, these files are deleted and a corresponding rule in iptables is created.