Linux.Siggen.6286
Added to the Dr.Web virus database:
2023-12-24
Virus description added:
2023-12-24
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
Malicious functions:
Manages services:
- ['systemctl', 'list-unit-files', '--full', '--type=socket']
- ['systemctl', 'daemon-reload']
Launches processes:
- basename /usr/sbin/service
- /bin/bash -c /etc/32678&
- /usr/bin/perl /usr/sbin/update-rc.d linux_kill defaults
- <SAMPLE_FULL_PATH> \x0a
- /bin/bash -c cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager
- /bin/sh /usr/sbin/service crond start
- sed -ne s/\x5c.socket\x5cs*[a-z]*\x5cs*$/.socket/p
Performs operations with the file system:
Modifies file access rights:
- /etc/id.services.conf
- /etc/32678
- /boot/System.img.config
Creates or modifies files:
- /etc/id.services.conf
- /etc/32678
- /dev/.old
- /dev/.img
- /dev/watchdog
- /dev/misc/watchdog
- /boot/System.img.config
- /usr/lib/systemd/system/linux.service
Locks files:
Changes time of creation/access/modification of files:
- /etc/id.services.conf
- /boot/System.img.config
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 15#.#.24.87:606
- 15#.#.24.87:5050
Attacks using a special dictionary (brute-force technique) via the SSH protocol
DNS ASK:
Sends data to the following servers:
- 15#.#.24.87:606
- 15#.#.24.87:5050
Receives data from the following servers:
- 15#.#.24.87:606
- 15#.#.24.87:5050
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
このウェブサイトを継続して訪問する場合、訪問者に関する統計データを収集するためのCookieファイルおよび他のテクノロジーを弊社が利用することに同意したものとします。詳細