My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2016-08-28

Virus description added:


  • 3e71d70d910f85f546c526aa3a28f23455a19489

A malicious program designed to brute-force attack Linux devices using a special dictionary via the SSH protocol.

The Trojan contains configuration data and reads them after its launch:

cfg->IsWork = 0;
cfg->IsConnected = 0;
cfg->Thread = 50;
cfg->ThreadScan = 100;
cfg->Timeout = 15;
cfg->TimeoutScan = 2;
if ( runtime_writeBarrier.enabled )
  runtime_writebarrierptr((uintptr *)&cfg->Good, (uintptr)_r0_1);
  cfg = (ssh_bot_engine_Singleton *)v17;
  cfg->Good.list = _r0_1;
cfg->JsonForStart.str = 0;
cfg->JsonForStart.len = 0;
cfg->AutoStart = 0;
cfg->Validatebl = 0;
cfg->HostForCheckInfoIP.str = 0;
cfg->HostForCheckInfoIP.len = 0;
cfg->IsAddToSourceScan = 1;
cfg->City.str = "null";
cfg->City.len = 4;
cfg->State.str = "null";
cfg->State.len = 4;

Then the malicious program sends the POST request to its C&C server. This request contains a value of the “key” parameter. The server replies with the configuration data in the JSON format that looks as follows:


The Trojan parses the received data and then connects to the server indicated in the “host” parameter using the SocketIO library. In addition, it uses an ordinary (not secure) websocket. If the “AutoStart” parameter has a non-zero value in the configuration stored in the Trojan’s structure, the malicious program appends value “1” to the “IsWork” flag and sends information about its own status to the C&C server. After that, the value of the “IsWork” flag is set to “0”, and the Trojan reads parameters of its launch from the JsonForStart section of the embedded configuration data.

Then the malicious program installs processors for events “start”, “stop”, “killbot”, “clearlog” and launches a separate thread. It uses this thread to check a status of the connection to the C&C server by sending GET requests. If the server does not response with the “true” value, the bot shuts down.

Sending a GET request

The Trojan collects information about the operating system of the infected device and fills the following structure:

struct ssh_bot_structs_Hardware
  uint64 Memory;
  string OS;
  string Logical_cpu;
  string Processor;
  int32 Physical_cpu;
  string Cpu_load;

Using this information, configuration parameters and a list of hacked devices, a JSON file is formed. It looks the following way:

    "status": {
            "result":[],  // bruted devices
            "hardware": {
                "os":"linux 8.3",
                "processor":"Intel(R) Core(TM) i7-4500U CPU @ 1.80GHz",
            "parameters": {

Using this JSON file, the Trojan creates a “Status” event.


The Trojan receives the JSON which saves to the JsonForStart field in its configuration. In practice, JsonForStart partially duplicates the embedded information.

    "threadscan": 0,
    "thread": 0,
    "timeout": 0,
    "validatebl": false,
    "country": "",
    "state": "",
    "city": ""

If the “IsWork” flag has a non-zero value in the Trojan’s configuration, the malicious program reports an error by creating an event “result_start” with the string “fail” and sends status data to the C&C server. Then values of parameters “threadscan”, “thread” and “timeout” are checked. If at least one of them is less than or equal to zero, the Trojan reports an error and quits the processor.

Then the malicious program reads values (if they are available) of the following fields: “validatebl”, “country”, “state”, “city” and uses them to form a POST request to the C&C server. The host name is extracted from the Trojan’s configuration. The response is a list of subnetworks for the following hacking.

Then again the malicious program sends the POST request to the C&C server with the “key” value in order to update the configuration. After that, the Trojan runs two new threads: the first one checks the status of the malicious program with the interval of 3 seconds, and the second one is used to manage the process of hacking of remote network servers.

Managing the hacking process

The Trojan requests the configuration from the C&C server with the interval of 10 minutes. With the interval of 3 minutes, it updates the list of subnetworks for hacking and generates a list of IP addresses of attacked network servers on the basis of the indicated subnetworks.

It creates separate pools for threads that scan and search for passwords. The scanning thread gets an IP address from a queue and checks the possibility for connection to the port 22. If the flag “Validatebl” is set in the configuration, the Trojan checks an IP address by sending a GET request and adds it to the queue.


The Trojan goes through login:password combinations according to the list and tries to log into an attacked device via the SSH protocol. If successful, it sends the GET request via the SSH tunnel to the server “” and gets an IP address there. It sends the GET request to the address “http://<hostCheck>/?ip=<ip>” and gets as a response a JSON structure that looks the following way (value <hostCheck> is from the bot’s configuration):

    "blacklist": {
        "status": ""

Then the malicious program compares the value of the “status” with the string “listed”. If there is a match, it saves “login”, “password”, “host”, “country”, “region”, “city”, “blacklisted” (this parameter has a value “1” if the parameter “status” matches the parameter “listed”), “zip” to the list of hacked devices.


It stops all threads of scanning and hacking.


Creates an event “result_killbot” with the “success” string and shuts itself down.


Clears the list of hacked devices (cfg->Good), sends its status to the C&C server. Creates an event “result_clearlog” with the “success” string.

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number