Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.DDoS.3

Added to the Dr.Web virus database: 2013-12-05

Virus description added:

A Trojan for Linux designed to carry out DDoS attacks. It is written in С++/STL and compressed with UPX.

During installation, it reads the link

/proc/self/exe

and defines the path to its running file. The file contains the information regarding the program’s current directory. The Trojan creates its own copy and starts with the following parameters:

cp /home/user/hihjok /home/user/freeBSD
/home/user/freeBSD /home/user/freeBSD 1
cp /home/user/hihjok /home/user/hihjoka
/home/user/hihjoka

Once launched, the malware deletes its current file and extracts another file from its body replacing the original one. Depending on the launch parameters, it changes the IP address and the port of the command and control server specified in the file.

The Trojan starts as a daemon and initializes the fake.cfg configuration file:

0
0.0.0.0:0.0.0.0
10000:60000

Then it gets information regarding the infected system and sends it as a request to the command and control server:

#pragma pack(push,1)
struct OS_INFO{
    DWORD MHz; // /proc/cpuinfo cpu MHz
    BYTE is_count; 
    DWORD ip1;
    DWORD ip2;
    WORD port1;
    WORD port2; 
    BYTE os_name[0x80];
    BYTE host[0xFF];
};
#pragma pack(pop)

In return, it gets a DWORD op value.

If op equals 1, the Trojan receives the LookTask task. Once the DWORD size is determined, the bot uploads the data and puts the task in the queue:

#pragma pack(push,1)
struct CLoopTask{
  BYTE byte0;
  BYTE byte1;
  BYTE byte2;
  BYTE byte3;
  DWORD max2;
  DWORD SomeTime;
  DWORD max1;
  CSubTask SubTask[];
};
#pragma pack(pop)

If op equals 2, the task is aborted. The task status is sent to the command and control server as follows:

#pragma pack(push,1)
struct TASK_STATUS{
    DWORD max;
    DWORD index1;
    DWORD index2;
    BYTE op;
    DWORD size;
    WORD fw1;
    DWORD CPUUse;
    DWORD NetUse;
};
#pragma pack(pop)

If op equals 3, the command and control server sends the configuration data containing the task information. The data is saved to the fake.cfg file.

#pragma pack(push, 1)
struct CSubTask{
  BYTE op; //DDoS attack type
  BYTE byte1;
  BYTE byte2;
  BYTE byte3;
  DWORD max;
  WORD port;
  WORD w2;
  DWORD dwordC;
  DWORD time2;
  DWORD time1;
  DWORD dword18;
  DWORD dword1C;
  WORD port1;
  WORD port2;
  DWORD ip1;
  DWORD ip2;
  DWORD count;
  char Host[];
};
#pragma pack(pop)

If op equals 4, the TASK_STATUS message is sent.

Apart from the main cycle of communication with the server, the Trojan has 19 threads that monitor the queue of SubTask.op tasks which, in turn, determine the attack type:

  • 0x80—tcp flood 1
  • 0x81—udp flood
  • 0x82—tcp flood 2
  • 0x83—amp 1 (dns)
  • 0x84—amp 2 (dns)

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124