Added to the Dr.Web virus database: 2017-02-28

Virus description added:


  • db6d99702dd8bb19c2a7608094ab3b4e9535d266
  • 9db691d2e302cbd6e7beba7f71e675911a17a6c7

A Trojan for Linux, including Air OS, the firmware developed by Ubiquiti Networks and installed on its devices. It is implemented as a set of bash scripts distributed in a tgz archive. It makes the following modifications to the file /etc/passwd:


The contents of the archive:



Checks the system for a user account with the login "moth3r". If there is no such account, the Trojan creates it. Checks whether the Trojan is registered for autorun; if it is not, it adds to the file /etc/persistent/rc.poststart (a hook that Air OS runs after boot) the commands that unpack the Trojan's own archive and launch the "mother" script.

Deletes SSH keys and restarts the device.


Installs curl, libcurl, libssl and libz on the infected device and thereby gains the ability to download and run arbitrary files. The body of the downloader contains a link to a website. If the file retrieved from that link contains the word "nomorelies", and the hash of the corresponding fragment of the file equals "d709745c628f6682ae506d54e4320a28" (a 32-hex-digit value, consistent with an MD5 digest), the file is saved and executed.



Blocks access to the infected device on ports 80 and 443. Checks the system for a user with the login "moth3r" and, if it is absent, creates one.

Sets the Wi-Fi network SSID to "mootherf u c k e r". Initiates scanning of the subnets reachable from the device.


Generates IP addresses in a loop and launches the infect script for each one, passing the generated IP address as a parameter.


Can take up to 4 arguments:

  • the IP address of the target device;
  • the string "dbss";
  • the SSH port;
  • the protocol type ("http" or "https").

If the SSH port is not specified, the script searches for it by probing ports 22 and 222. If the response contains the string "dropbear", that port is taken as the SSH port.

If string "dbss” is indicated as an argument, and an SSH port is indicated or found, the script connects to the device via the SSH protocol using the key (MFID) and installs itself on this device.

If the protocol type is not specified, the connection is attempted first over HTTP and then over HTTPS. The script looks for the string "airos" in the reply.

If the Trojan successfully determines the protocol (or the protocol is given as an argument), it infects the device through a web-interface vulnerability that allows uploading an arbitrary file to an arbitrary path without authorization.


The Trojan overwrites the files /etc/passwd and /etc/dropbear/authorized_keys with its own copies, and then connects to the device over SSH using its key.

If the Trojan cannot determine the protocol (or the target device is not running Air OS), it may attempt to guess SSH credentials from a dictionary, using the logins "root", "admin" and "ubnt" and the passwords stored in the "passlst" file.


Contains only one user, moth3r.
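As an added, offline-runnable check for the indicators this entry describes (the "moth3r" account, the /etc/persistent/rc.poststart autorun entry, and the replaced /etc/passwd that contains only moth3r), here is a small POSIX shell script. It is not part of the Trojan and not Dr.Web's tooling; the function names, the sample passwd lines and the file names inside the sample rc.poststart are constructed placeholders, since the entry does not give them.

```shell
#!/bin/sh
# Added host-side check for the indicators described in this entry (not the Trojan's
# code, not Dr.Web's). Run it on a device or on files copied off one:
#   sh moth3r_check.sh /etc/passwd /etc/persistent/rc.poststart
# With no arguments it runs against the constructed sample files built below.
#
# Each indicator function is silent and returns 0 when the indicator is PRESENT and
# 1 when it is absent, so results can be combined with && / || or checked in a test.

# Indicator 1: an account with the given login (here "moth3r") exists in passwd.
has_account() {                    # $1 = passwd file, $2 = login
    grep -q "^$2:" "$1"
}

# Indicator 2: passwd has no root entry. The Trojan replaces /etc/passwd with a copy
# that contains only moth3r, so a missing root line is a strong signal on its own.
root_missing() {                   # $1 = passwd file
    ! grep -q '^root:' "$1"
}

# Indicator 3: rc.poststart, the boot hook the Trojan uses for autorun, exists, is
# non-empty and unpacks a tgz archive. On a device where nobody configured a
# post-start script deliberately, any content here deserves review.
poststart_unpacks_archive() {      # $1 = rc.poststart path (may be absent)
    [ -s "$1" ] && grep -Eq '\.tgz|tar[[:space:]]+-[a-zA-Z]*z' "$1"
}

# Generic hardening check: uid-0 accounts other than root. The entry does not say
# which uid the Trojan gives moth3r; this catches any back-door root alias.
extra_uid0_accounts() {            # $1 = passwd file; prints matching logins
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Number of indicators present (0..4), printed on stdout.
indicator_count() {                # $1 = passwd file, $2 = rc.poststart path
    n=0
    has_account "$1" moth3r        && n=$((n + 1))
    root_missing "$1"              && n=$((n + 1))
    poststart_unpacks_archive "$2" && n=$((n + 1))
    [ -n "$(extra_uid0_accounts "$1")" ] && n=$((n + 1))
    echo "$n"
}

# Human-readable report for one device.
report() {                         # $1 = passwd file, $2 = rc.poststart path
    has_account "$1" moth3r        && echo "HIT: login moth3r present in $1"
    root_missing "$1"              && echo "HIT: no root entry in $1"
    poststart_unpacks_archive "$2" && { echo "HIT: $2 unpacks an archive at boot:"; sed 's/^/    /' "$2"; }
    extra=$(extra_uid0_accounts "$1")
    [ -n "$extra" ]                && echo "HIT: uid-0 accounts besides root: $extra"
    echo "indicators present: $(indicator_count "$1" "$2")"
}

# Constructed sample files (not taken from a real device). The uid for moth3r and the
# file names inside rc.poststart are placeholders chosen for the sample.
SAMPLES=$(mktemp -d)
printf 'root:x:0:0:Administrator:/etc/persistent:/bin/sh\nubnt:x:1000:1000::/tmp:/bin/sh\n' \
    > "$SAMPLES/passwd.clean"
# Account added by the "mother" script, original root line still present.
printf 'root:x:0:0:Administrator:/etc/persistent:/bin/sh\nmoth3r:x:500:500::/tmp:/bin/sh\n' \
    > "$SAMPLES/passwd.added"
# /etc/passwd after the Trojan replaced it with its own single-user copy.
printf 'moth3r:x:0:0::/etc/persistent:/bin/sh\n' > "$SAMPLES/passwd.infected"
printf 'tar -xzf /etc/persistent/payload.tgz -C /tmp && sh /tmp/mother\n' \
    > "$SAMPLES/rc.poststart.infected"

if [ $# -eq 2 ]; then
    report "$1" "$2"
else
    echo "== clean sample =="
    report "$SAMPLES/passwd.clean" "$SAMPLES/rc.poststart.clean"
    echo "== account added, root intact =="
    report "$SAMPLES/passwd.added" "$SAMPLES/rc.poststart.infected"
    echo "== passwd replaced =="
    report "$SAMPLES/passwd.infected" "$SAMPLES/rc.poststart.infected"
fi
```

The checks deliberately read only passwd and rc.poststart, both of which survive a reboot on Air OS, so the script can be run over SSH against a fleet without depending on the Trojan's processes still being alive. A hit on rc.poststart alone is enough to justify pulling the archive it references for analysis; a missing root entry means the device's credentials should be treated as fully compromised.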


Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
