
Linux.DDoS.Xor.2

Added to the Dr.Web virus database: 2016-09-29

Virus description added:

SHA1:

  • d0825f79a6e96ae1cb9a458f6f958deabf9b7111

A Trojan for Linux designed to carry out DDoS attacks. Every byte of its configuration file is encrypted with XOR. The key is hard-coded in the Trojan’s body. Some samples can contain the Linux.Rootkit.38 rootkit.

Once launched, it tries to copy itself to the folder specified in the configuration file and to such folders as /usr/bin, /bin/ or /tmp/ under a random 10-character name. Then the Trojan removes its original file. To enable its autorun function, the malware uses the cron scheduler and registers the launch of the /etc/cron.hourly/cron.sh script that contains the following lines:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libgcc.so /lib/libgcc.so.bak
/lib/libgcc.so.bak

Then the Trojan creates the “/etc/init.d/<fname>” file, where fname is the name of the Trojan. To make it start at boot, it generates 5 symlinks named “/etc/rc%d.d/S90%s”, where %d is a number from 1 to 5 and %s is the name of the Trojan.

The malicious application also checks the system for the presence of the rootkit by sending a request to “/proc/rs_dev”. If it finds the rootkit, the Trojan uses it to conceal its files, processes, and network activity.

When the Trojan is installed, it can execute the following commands:

chkconfig --add <rclocal_file>
update-rc.d <rclocal_file> defaults
sed -i '/\/etc\/cron.hourly\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab
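As an added example that is not part of the Dr.Web description, the following POSIX shell function looks for the persistence artifacts named above on a host: the /etc/cron.hourly/cron.sh script, the crontab line that launches it, the /lib/libgcc.so.bak copy, the S90 symlinks in /etc/rc1.d through /etc/rc5.d, and the /proc/rs_dev interface the Trojan probes for the rootkit. The function name and its ROOT argument are assumptions made so the same check can be run against a mounted image or a copied tree instead of the live root.

```shell
#!/bin/sh
# Added example (not Dr.Web's code): hunt for the persistence artifacts of
# Linux.DDoS.Xor.2 described in the advisory. ROOT is an assumed prefix so the
# scan works against a mounted image or a constructed tree as well as "/".
# One line is printed per indicator found; nothing is printed on a clean tree.

xor_persistence_scan() {
    root="${1:-/}"
    root="${root%/}"   # "/" becomes "", so "$root/etc" is always well-formed

    # 1. The hourly script the Trojan registers in cron.
    if [ -f "$root/etc/cron.hourly/cron.sh" ]; then
        echo "cron.hourly script present: $root/etc/cron.hourly/cron.sh"
    fi

    # 2. The crontab line appended by the sed/echo command.
    if [ -f "$root/etc/crontab" ] && grep -q '/etc/cron.hourly/cron.sh' "$root/etc/crontab"; then
        echo "crontab entry references /etc/cron.hourly/cron.sh"
    fi

    # 3. The backup copy of libgcc.so that cron.sh creates and then executes.
    if [ -e "$root/lib/libgcc.so.bak" ]; then
        echo "libgcc.so.bak present: $root/lib/libgcc.so.bak"
    fi

    # 4. S90<name> symlinks in rc1.d .. rc5.d (an unmatched glob stays literal,
    #    so the -L test simply fails and the loop moves on).
    for n in 1 2 3 4 5; do
        for link in "$root/etc/rc$n.d"/S90*; do
            [ -L "$link" ] || continue
            echo "rc$n.d start symlink: $link -> $(readlink "$link")"
        done
    done

    # 5. The interface the Trojan queries to detect Linux.Rootkit.38.
    if [ -e "$root/proc/rs_dev" ]; then
        echo "rootkit interface present: $root/proc/rs_dev"
    fi

    return 0
}
```

To use it on a live system, source the file and run `xor_persistence_scan /`; against a mounted disk image, pass the mount point instead. A hit on the crontab line or the S90 symlinks alone is strong evidence, since legitimate packages do not register /etc/cron.hourly/cron.sh or S90 links under a random 10-character name.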

During its operation, the Trojan receives a configuration file from the server. If the file contains the relevant information, Linux.DDoS.60 can terminate any process that matches a given name or MD5 hash, or that sends requests to a specified IP address. It can also remove any file specified in its configuration. The Trojan executes the following commands:

cmd    Description
0x02   Terminate a DDoS attack
0x03   Launch a DDoS attack
0x06   Download a file from the command and control server
0x07   Update the Trojan’s executable file
0x08   Send the MD5 hash of its file to the server
0x09   Receive the configuration file with information about processes to terminate

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
