マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

JSP.BackDoor.8

Added to the Dr.Web virus database: 2023-09-08

Virus description added:

SHA1: 0c6249feee3fef50fc0a5a06299c3e81681cc838

SHA1: 41d2247842151825aa8001a35ee339a0fef2813f

SHA1: 62ea0fce2716006d16a1408cda159cf20f90004e

SHA1: 33c11e7b2b3950a430cf3b40128429d9b723103c

Description

JSP.BackDoor.8 is a trojan backdoor program capable of infecting Windows and Linux devices and executing shell commands sent from a remote host. The trojan is implemented as a JAR file, and it is controlled by HTTP requests.

Operating routine

sha1:41d2247842151825aa8001a35ee339a0fef2813f

During initialization, this sample checks its environment variables, and then receives a GET request containing a “t” parameter with the value “cmd” and a “c” parameter that passes along the command to execute. If the trojan is run on Windows, it executes

cmd /c <value>

otherwise, it executes

/bin/bash -c <value>

When the trojan receives a POST request, it loads additional functionality: the request body contains a base64 encoded plugin that is loaded into the process memory.

sha1:0c6249feee3fef50fc0a5a06299c3e81681cc838

This JAR file is also remotely controlled using HTTP requests, but it only supports the following types of requests: GET, POST, HEAD. The trojan checks the “go” parameter containing the IP address for downloading the script. It then checks the operating system. In the case of Windows, it downloads a script called 1.ps1 and executes it with the following parameters

Set-ExecutionPolicy Bypass -Scope Process -Force

If the trojan is running on Linux, it downloads the ELF file kinsing (Linux.BtcMine.546) and executes it by exporting the SKL=op environment variable.

The 1.ps1 script downloads the miner’s components, namely sysupdate.exe (the miner itself), config.json and the update.ps1 script. If the miner had been previously installed in the system, the script stops it and updates it. After downloading the files, the script creates a job for the system scheduler to run the update.ps1 script every minute, suppressing any warnings. To do this, the following command is executed:

SchTasks.exe /Create /SC MINUTE /TN “Update service for Windows Service” /TR “PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -File $HOME\update.ps1” /MO 30 /F 
sha1:62ea0fce2716006d16a1408cda159cf20f90004e

This sample contains two jsp servlets: updata2_jsp and chakan_jsp. The former connects to the Openfire server SQL database

jdbc:mysql[:]//localhost:3306/openfire root 123456

and takes data from the query parameters:

name0..30 = ; value0..30= ;

The servlet then updates the “name” variable in the “ofproperty” table according to the “value”.

Name Description
cmd Executes a command via cmd.exe or /bin/bash, depending on the OS
copy Creates a page for copying a file
del Deletes a file. The file name is based on path + / + file
down Displays the contents of a file on the screen. The file name is based on path + / + file
edit Creates a page for editing a file
newFile Creates a file/directory.
Contains three query parameters:
fileName — object name
btnNewFile — if this field is not empty, a file will be created
btnNewDir — if this field is not empty, a directory will be created
save Saves the data from the “content” parameter to a file. The file name is based on path + / + file
savecopy Gets the name of the file to copy from the “file2” parameter. If the name received is a directory, the new file name will be formed as follows: <dir>/"cqq_"; + <original file name>
The file is copied from “path + file” to “file2”
sha1:33c11e7b2b3950a430cf3b40128429d9b723103c

The sample processes only HTTP requests with the following methods GET, POST, and HEAD. If the request comes without the “action” parameter, then “action” will equal “main”; otherwise, the “action” parameter contains the name of the form to be interacted with. The main menu of the web shell consists of the following forms: main, filesystem, command, database, config, about, exit. They are described below:

Filesystem

The command is passed to the backdoor in the “fsAction” parameter. If this parameter is empty, it is assigned the “list” value.

List of fsAction commands

Name Description
browse Outputs a list of files in the parent directory
copyto Moves a file from the source directory to the target directory. The value of the source directory is taken from the “deleteFile” parameter; the value of the destination directory is taken from the “dstPath” parameter
createFile Creates a file; the file name is taken from the “filename” parameter
createFolder Creates a folder; the file name is taken from the “folderName” parameter
deleteFile Deletes a file; the file name is taken from the “filesDelete” parameter
list Outputs a list of files in the directory whose name is passed as an argument
open Outputs the contents of the file
rename Renames a file; the old file name is taken from the “fileRename” parameter; the new name is taken from the “newName” parameter
save Saves an open file; the file content comes in the “fileContent” parameter
saveAs Saves the file; the file content comes in the “fileContent” parameter
upload Updates the file; the file comes in the body of the request
Command

Runs the command transmitted in the “command” parameter. The result is displayed on the screen.

Database

The command is transmitted in the “dbAction” parameter. If this parameter is empty, it is assigned the value “main”, and the SQL query builder menu is displayed on the screen. When a query is sent, the “dbAction” parameter is assigned the value “dbContent”.

Method “dbConnect”. The arguments of this method are data for connecting to the database, which are taken from the query parameters: dbServer, dbPort, dbUsername, dbPassword, dbName. The query to be executed is taken from the “sql” parameter. After the command is executed, its result is displayed on the screen.

Config

The command is transmitted in the “cfAction” parameter. If this parameter is empty, it is assigned the value “main”.

List of cfAction commands

Name Description
main Displays: password, encodeType, sessionTime, fileTypes
save Stores password, encode, sessionTime, and textFileTypes. The values are taken from the corresponding parameters
About

This command outputs a blank page.

Exit

After this command is entered, the password will be removed from the session and the user is redirected to the main authorization page.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android