Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Your tickets

Profile

Linux.UbntFM.2

Added to Dr.Web virus database:2017-02-28
Virus description was added:2017-04-26

SHA1:

  • db6d99702dd8bb19c2a7608094ab3b4e9535d266
  • 9db691d2e302cbd6e7beba7f71e675911a17a6c7

A Trojan for Linux, including Air OS that is developed by Ubiquiti Networks and installed on its devices. It is implemented as bash scripts distributed in the archive tgz. Implements the following modifications in file /etc/passwd:

moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:/bin/sh

The contents of the archive:

download
infect
mfid
mfid.pub
mother
p
passlst
passwd
scan
sprd

p

Checks the system for the user account with login "moth3r". If there is no such account, the Trojan creates it. Checks if the Trojan is registered in the autorun, and if it is not registered—it specifies in file /etc/persistent/rc.poststart the unpacking of its own archive and launch of the “mother” script.

Deletes SSH keys and restarts the device.

download

Installs on the infected device curl, libcurl, libssl, libz, and allows downloading and running arbitrary files. In the body of the download file there is a link to website pastebin.com. If the file that is located through the link contains word "nomorelies”, and hash of the corresponding file fragment is equal to "d709745c628f6682ae506d54e4320a28”, then this file will be saved and executed.

#drweb

mother

Blocks access to the infected device through ports 80 and 443. Checks the system for a user with login "moth3r”, and if it is not available—it creates one.

Sets the following ssid to the wi-fi network: "mootherf u c k e r". Initiates scanning of subnets accessed by the device.

scan

Forms IP address in the cycle and launches the infect script, thus transferring the formed IP address as a parameter.

infect

Can take on 4 arguments:

  • IP address of the infected device;
  • String "dbss";
  • SSH port;
  • Protocol type ("http" or "https").

If SSH port is not specified, the script searches for the appropriate port by addressing ports 22 and 222. If the response contains string "dropbear”, this port is considered to be the required one.

If string "dbss” is indicated as an argument, and an SSH port is indicated or found, the script connects to the device via the SSH protocol using the key (MFID) and installs itself on this device.

If the protocol type is not indicated, the connection is executed via the http protocol, then—via the https protocol. Searches for the "airos" string in the reply.

If the Trojan successfully defines the protocol (or if protocol is indicated as an argument), the infection of devices is executed with the use of web interface vulnerability that allows downloading an arbitrary file through an arbitrary path without authorization.

#drweb

The Trojan overwrites files /etc/passwd and /etc/dropbear/authorized_keys, and replaces them with its own, after that it connects to the device via the SSH protocol using the key.

If the Trojan cannot define the protocol (or Air OS is not installed on the infected device), it can make an attempt to generate account details for the SSH connection using a special dictionary with the use of logins “root”, “admin”, “ubnt” and passwords stored in the “passlst” file.

passwd

Contains only one user—moth3r.

moth3r:$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/:0:0:Administrator:/etc/persistent:/bin/sh

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2018

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040