SHA1:
- d0825f79a6e96ae1cb9a458f6f958deabf9b7111
A Trojan for Linux designed to carry out DDoS attacks. Every byte of its configuration file is encrypted with XOR. The key is hard-coded in the Trojan’s body. Some samples can contain the Linux.Rootkit.38 rootkit.
Once launched, it tries to copy itself to the folder specified in the configuration file and to such folders as /usr/bin, /bin/ or /tmp/ under a random 10-character name. Then the Trojan removes its original file. To enable its autorun function, the malware uses the cron scheduler and registers the launch of the /etc/cron.hourly/cron.sh script that contains the following lines:
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libgcc.so /lib/libgcc.so.bak
/lib/libgcc.so.bak
Then the Trojan creates the “/etc/init.d/<fname>” file, where fname is the name of the Trojan. To register it, the Trojan generates 5 symlinks named “/etc/rc%d.d/S90%s”, where %d is a number from 1 to 5 and %s is the name of the Trojan.
The malicious application also checks the system for the presence of the rootkit by sending a request to “/proc/rs_dev”. If it finds the rootkit, the Trojan uses it to conceal its files, processes, and network activity.
When the Trojan is installed, it can execute the following commands:
chkconfig --add <rclocal_file>
update-rc.d <rclocal_file> defaults
sed -i '/\/etc\/cron.hourly\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab
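A read-only host check for the persistence artifacts described above (the cron script, the crontab line the Trojan appends, the libgcc.so backup, the S90 symlink set in rc1.d–rc5.d and the rootkit's /proc/rs_dev interface), as an added example that is not part of the Dr.Web description. The indicator paths come from the text; the function names and the `root` parameter for scanning a mounted image are assumptions.

```python
import os
import re

# Artifacts named in the description: cron script, crontab line, libgcc.so backup, rootkit node.
CRON_SCRIPT = "/etc/cron.hourly/cron.sh"
LIBGCC_BAK = "/lib/libgcc.so.bak"
ROOTKIT_NODE = "/proc/rs_dev"
CRONTAB_LINE = re.compile(
    r"^\*/3 \* \* \* \* root /etc/cron\.hourly/cron\.sh[ \t]*$", re.M)
RC_LINK = re.compile(r"^/etc/rc[1-5]\.d/S90(.+)$")

def crontab_hits(text):
    """Return every /etc/crontab line equal to the one the Trojan appends."""
    return CRONTAB_LINE.findall(text)

def rc_symlink_hits(links):
    """links: (link_path, target) pairs read from /etc/rc1.d .. /etc/rc5.d.
    A name is reported only when S90<name> is present in all five directories
    and every link points at /etc/init.d/<name>, the set the Trojan creates."""
    seen = {}
    for path, target in links:
        m = RC_LINK.match(path)
        if m and target.endswith("init.d/" + m.group(1)):
            seen.setdefault(m.group(1), set()).add(path)
    return sorted(name for name, paths in seen.items() if len(paths) == 5)

def scan(root="/"):
    """Read-only sweep of a live host or a mounted image; returns findings."""
    p = lambda rel: os.path.join(root, rel.lstrip("/"))
    findings = []
    for label, path in (("cron script", CRON_SCRIPT),
                        ("libgcc.so backup", LIBGCC_BAK),
                        ("rootkit interface", ROOTKIT_NODE)):
        if os.path.lexists(p(path)):
            findings.append("%s present: %s" % (label, path))
    try:
        with open(p("/etc/crontab")) as f:
            findings += ["crontab entry: " + l for l in crontab_hits(f.read())]
    except OSError:
        pass  # no system crontab under this root
    links = []
    for lvl in range(1, 6):
        d = p("/etc/rc%d.d" % lvl)
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            full = os.path.join(d, name)
            if os.path.islink(full):
                links.append(("/etc/rc%d.d/%s" % (lvl, name), os.readlink(full)))
    findings += ["rc symlink set for: " + n for n in rc_symlink_hits(links)]
    return findings
```

Call `scan()` as root on a live host, or `scan("/mnt/image")` on a mounted disk image; a hit on the rc symlink set should be confirmed by inspecting the referenced /etc/init.d script before any cleanup.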
During its operation, the Trojan receives a configuration file from the server. If the file contains the relevant information, Linux.DDoS.60 can terminate any process that matches a listed name or MD5 hash, or that sends requests to a listed IP address. It can also remove any file specified in its configuration. The Trojan executes the following commands:
| cmd | Description |
|---|---|
| 0x02 | Terminate a DDoS attack |
| 0x03 | Launch a DDoS attack |
| 0x06 | Download a file from the command and control server |
| 0x07 | Update the Trojan’s executable file |
| 0x08 | Send the MD5 hash of its file to the server |
| 0x09 | Receive the configuration file with information about processes to terminate |