
Linux.MulDrop.144

Added to the Dr.Web virus database: 2024-06-20

Virus description added:

  • sha256:ee78829b7057233643abc5fd685b46d3ef040a0347bb4569ac252984760eea2f
  • sha256:94f4eee7f986699699cd38eba68bf8adda1037eafbd0590c0d9b77b3133d0bfa

Description

A trojan dropper for Linux, written in C and packed with UPX. It delivers the Linux.BackDoor.Pam.8/9 PAM backdoors (a patched pam_sftp.so module) to a compromised system.

MITRE matrix

    Tactic (stage)             Technique
    Execution (TA0002)         Unix Shell (T1059.004)
    Defense Evasion (TA0005)   Software Packing (T1027.002)
                               Unix Shell (T1059.004)
                               File Deletion (T1070.004)
                               Timestomp (T1070.006)
                               Linux and Mac File and Directory Permissions Modification (T1222.002)

Operating routine

  1. The dropper accesses the following files and, using the chattr system utility, removes a number of attributes from them:

    Files:
    /etc/pam.d/
    /etc/pam.d/sshd
    /lib/x86_64-linux-gnu/security or /lib64/security/security
    /lib/x86_64-linux-gnu/security/pam_sftp.so or /lib64/security/security/pam_sftp.so

    Attributes removed:
    a – append-only: data can only be appended to the file; existing contents cannot be modified or truncated
    i – immutable: the file cannot be modified, renamed, deleted or hard-linked, even by root
    e – extents: indicates that the file's blocks are mapped with extents*

    *This is an attacker's mistake: the e attribute cannot be removed with chattr, because ext4 does not allow the extents flag to be cleared, so the file system rejects that request.

  2. It computes the hash of the pam_sftp.so file and, if the value does not match the string embedded in the dropper body, replaces the file with the patched pam_sftp.so (Linux.BackDoor.Pam.8/9). It then runs touch with the -r option so that the new file inherits the access and modification times of a legitimate PAM module, hiding the fresh timestamp (timestomping):

    for RHEL:
    touch /lib64/security/pam_sftp.so -r /lib64/security/pam_userdb

    for Debian:
    touch /lib/x86_64-linux-gnu/security/pam_sftp.so -r /lib/x86_64-linux-gnu/security/pam_userdb.so
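As an added example (this is not code from Dr.Web's analysis or from the dropper itself), the following POSIX shell script hunts for the two traces that steps 1 and 2 leave in a PAM module directory: a module the package manager does not know about, and a module whose modification time is an exact copy of another module's, which is precisely what `touch -r` produces. The module allowlist in pam_known_module, the function names, and the sample tree built by build_sample_tree are assumptions for illustration; on a real host the allowlist is replaced by `dpkg -S` / `rpm -qf` and the directory argument is the system's PAM module directory.

```shell
#!/bin/sh
# Added example, not code from Dr.Web or from the dropper: a small hunt for the
# traces the routine above leaves in a PAM module directory.
#
# Assumptions (not from the original page):
#   - pam_known_module() is an illustrative stand-in for "is this file owned by a
#     package"; on a real host replace its list with `dpkg -S` / `rpm -qf` output.
#   - The directory is passed as an argument so the example can run on a scratch
#     tree built by build_sample_tree(); on a real host pass
#     /lib/x86_64-linux-gnu/security or /lib64/security.

# pam_known_module NAME: 0 if NAME is an expected module, 1 otherwise.
pam_known_module() {
    case "$1" in
        pam_unix.so|pam_userdb.so|pam_deny.so|pam_permit.so|pam_env.so) return 0 ;;
        *) return 1 ;;
    esac
}

# find_rogue_pam_modules DIR: print every *.so in DIR that is not an expected module.
find_rogue_pam_modules() {
    for f in "$1"/*.so; do
        [ -e "$f" ] || continue
        pam_known_module "${f##*/}" || printf '%s\n' "${f##*/}"
    done
}

# mtime_clone_of FILE DIR: print the name of another module in DIR whose mtime is
# exactly FILE's. `touch FILE -r REF` gives FILE precisely REF's timestamp, so an
# exact match with a module from a different package is the trace to look for.
mtime_clone_of() {
    target=$1
    for f in "$2"/*.so; do
        [ -e "$f" ] || continue
        [ "$f" = "$target" ] && continue
        # neither newer nor older than the target: identical modification time
        if [ ! "$f" -nt "$target" ] && [ ! "$f" -ot "$target" ]; then
            printf '%s\n' "${f##*/}"
            return 0
        fi
    done
    return 1
}

# hunt_pam_dir DIR: one line per unexpected module, "NAME mtime-cloned-from=REF"
# (REF is "-" when no other module shares its timestamp).
hunt_pam_dir() {
    dir=$1
    find_rogue_pam_modules "$dir" | while read -r name; do
        ref=$(mtime_clone_of "$dir/$name" "$dir") || ref=-
        printf '%s mtime-cloned-from=%s\n' "$name" "$ref"
    done
}

# attr_report FILE: the chattr flags of FILE (empty if lsattr is not installed), for
# re-checking a hardening baseline that set +i/+a on /etc/pam.d/sshd after the
# dropper's chattr step has run.
attr_report() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -d "$1" 2>/dev/null | cut -d' ' -f1
}

# build_sample_tree DIR: constructed sample data reproducing the dropper's trace:
# two legitimate modules with distinct timestamps and a pam_sftp.so whose mtime was
# copied from pam_userdb.so with `touch -r` (same operation as the command in step 2,
# written in POSIX option order).
build_sample_tree() {
    mkdir -p "$1"
    : > "$1/pam_unix.so";   touch -t 202106010000 "$1/pam_unix.so"
    : > "$1/pam_userdb.so"; touch -t 202201010000 "$1/pam_userdb.so"
    : > "$1/pam_sftp.so";   touch -r "$1/pam_userdb.so" "$1/pam_sftp.so"
}

# Stand-alone run: build the sample tree in a temporary directory and hunt it.
demo=$(mktemp -d)
build_sample_tree "$demo"
hunt_pam_dir "$demo"    # pam_sftp.so mtime-cloned-from=pam_userdb.so
rm -rf "$demo"
```

The timestamp comparison relies on a property of the attacker's technique: `touch -r` copies the reference file's access and modification times exactly, down to the nanosecond, but it cannot set the inode change time (ctime). A module whose mtime matches pam_userdb.so while its ctime is days or years later, and which `rpm -qf` / `dpkg -S` cannot attribute to a package, is the combination to escalate. The hash comparison the dropper performs can be turned around as well: compare the SHA-256 of every module in the directory against the package manager's manifest (`rpm -V pam`, `dpkg --verify`) rather than trusting the file's own timestamp.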

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
