A backdoor for Linux that is installed by other downloader Trojans. The main module is placed in the /lib/ folder, and persistence is achieved through an entry in the cron scheduler. During installation the Trojan flushes the iptables rules.
Once launched, Linux.BackDoor.Xudp.1 decrypts configuration data that is hard-coded in the Trojan’s body and looks as follows:
```
dr0id1.xyz    ; the C&C server
transfer.php  ; page to which requests are sent
XorUDP        ; name of the backdoor, used as the User-Agent when generating requests
300           ; HTTP sleep time
5             ; keepalive sleep time
/bin/socket   ; NewProcName
1             ; usemutex
700           ; low end of the UDP port range
800           ; high end of the UDP port range
```
Encrypted lines are stored and sent as follows:
```
<length>:<encrypted value>
10:09Ц<о*.Йs
```
If the NewProcName parameter has a non-zero value, the Trojan’s process is hidden under the name specified in the configuration.
If the usemutex parameter is also non-zero, the Trojan locks the “/var/.mutexlock” file. If it fails to obtain the lock, it stops operating.
Then the Trojan generates a 128-byte key, selects a value of the UDP port, and runs three threads: HTTP_Thread, UDP_Listen, and UDP_KeepAlive.
When the HTTP_Thread thread is launched, the Trojan sends the generated key, the selected UDP port number, and the backdoor’s version to the server. It then periodically requests the following page from the server:
```python
# Reconstruction of the beacon request; encodenum is the backdoor's own encoding routine.
template1 = "k=%s&p=%s&v=%s&s=1"
param1 = encodenum(ourKey)
param2 = encodenum(udpPort)
param3 = encodenum(version)
params = template1 % (param1, param2, param3)
request = ("POST /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           "Content-Length: %d\r\n\r\n%s")
actualRequest = request % (page, host, name, len(params), params)
```
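As an added example (not code from the Dr.Web write-up), a small Python detector for the beacon format reconstructed above. It matches on the structure of the request rather than only on the configurable User-Agent and C&C host, so a sample with a different configuration is still flagged; the sample request and its host name `c2.example` are constructed, and the function names are assumptions.

```python
# Added example: detect the Linux.BackDoor.Xudp.1 HTTP beacon by its structure.
# Markers from the write-up: POST to a single .php page, the configurable
# User-Agent (XorUDP in the analysed sample), and a form-encoded body with
# exactly the keys k (key), p (UDP port), v (version) and s=1.
from urllib.parse import parse_qs

# Indicators taken from the configuration shown in the write-up.
KNOWN_USER_AGENT = "XorUDP"
KNOWN_C2_HOST = "dr0id1.xyz"

def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def score_beacon(raw: str):
    """Return the list of matched Xudp beacon indicators (empty = no match)."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and path.endswith(".php"):
        hits.append("post-to-php")
    if headers.get("user-agent") == KNOWN_USER_AGENT:
        hits.append("user-agent")
    if headers.get("host") == KNOWN_C2_HOST:
        hits.append("c2-host")
    if headers.get("content-type") == "application/x-www-form-urlencoded":
        fields = parse_qs(body, keep_blank_values=True)
        # The beacon body is exactly k=<key>&p=<port>&v=<version>&s=1.
        if set(fields) == {"k", "p", "v", "s"} and fields["s"] == ["1"]:
            hits.append("kpvs-body")
    return hits

def is_xudp_beacon(raw: str) -> bool:
    """Flag when the body layout matches plus at least one other marker,
    so a renamed User-Agent or a new C&C host is still caught."""
    hits = score_beacon(raw)
    return "kpvs-body" in hits and len(hits) >= 2

# Constructed sample in the reconstructed format; c2.example is a placeholder host.
SAMPLE_BEACON = ("POST /transfer.php HTTP/1.0\r\nHost: c2.example\r\n"
                 "User-Agent: XorUDP\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 26\r\n\r\nk=AAAAAAAA&p=0x2bc&v=1&s=1")
```

Because the page does not specify encodenum, the detector only checks that the k/p/v values are present, not how they are encoded.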
The server replies with one of 4 messages:
| First 2 bytes | Function |
|---|---|
| 00 | Install client_key + client_port + client_ip |
| 01 | Execute a command |
| 02 | Reset client_key, client_port, client_ip |
All instructions are first decrypted with the key generated by the backdoor (ourKey). The resulting buffer is then decrypted with client_key:
```c
XOR(msg, len, ourKey);        /* first layer: key generated by the backdoor */
XOR(msg, len, &client_key);   /* second layer: key installed by command 00 */
```
In the UDP_Listen thread, datagrams that do not originate from client_ip are ignored. If client_key is not set, nothing happens. An incoming UDP message is decrypted and has the following layout:
| Field | Description |
|---|---|
| msg_id | Message ID. All incoming msg_id values are saved, and a command is executed only if a previously unseen msg_id is received. |
| Handler | An 8-byte command identifier |
The backdoor can execute the following commands:
- Starts a flood (sends repeated requests to a remote server)
- Terminates the flood
- Executes an incoming command with the system() function
- Runs a received command line with popen and returns the command’s output
- Opens a listening UDP socket and logs all requests to this port in a specified file in the <ipaddr> <size> <List Port> format
- Sends the specified file in parts of a given size at a specified time interval
- Scans a specified range of IP addresses
- Sends the list of unprocessed msg_id values that are lower than the msg_id of the current message
- Marks sent msg_id values as processed
- Terminates execution
In the UDP_KeepAlive thread, the malware sends a specific datagram to the server to report that it is still active.