SHA1: bd24972a8e34bbd2e7f3b58d6d7fd1a94efa7355
A backdoor for Linux. Its creators planned to equip the program with a large number of functions typical of SOCKS proxy servers, remote shells, file managers, and so on. However, at the moment, the malicious application ignores the majority of incoming commands. The Trojan's internal name is “DDoS Attacker for Gh0st(sweet version 1.0)”.
Judging by the debugging information, the Trojan's components are written so that the executable could be built for both Linux and Windows. Once launched, Linux.BackDoor.Dklkt.1 checks the folder from which it is run for a configuration file containing the following parameters:
'remote_host'
'remote_port'
'remote_host2'
'remote_port2'
'remote_host3'
'remote_port3'
'ServiceDllName'
'm_enable_http'
'HttpAddress'
'szGroup'
'blDelMe'
'SelfDelete'
'Config'
'PassWord'
'Remark'
'Version'
where 'Config' indicates the path to the configuration file (on Linux) or to the system registry branch where configuration data is stored (on Windows). The configuration file contains the addresses of three command and control servers; one of them is used by the backdoor, while the other two are kept as backups. The file is Base64-encoded. After Linux.BackDoor.Dklkt.1 is activated, it tries to register itself in the system as a daemon (system service). If the attempt fails, the backdoor terminates.
Once the malicious program is successfully running, it sends the server a packet with information on the infected system and the backdoor's parameters (all strings are encoded as Unicode):
<ComputerName>|<OSVersion>|<CpuCores> *
<CpuClock>MHz|Total:<MemTotal>MB,Avail:<MemFree>MB|<sysuptime_days>d
<sysuptime_hours>h <sysuptime_minutes>m <sysuptime_seconds>s|
<self_ip>|<external_ip>|<ConnectionTime>
ms|0|<Remark>|<Group>|<Password>|<Version>|0|0|1|\x00
The Remark, Group, Password, and Version parameters are retrieved from the configuration file; the last three fields are constant values, and the remaining fields are data about the infected system. Traffic is compressed with LZO and encrypted with the Blowfish algorithm. In addition, every packet carries a CRC32 checksum so that the recipient can verify data integrity.
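As an added analysis helper (not part of this description), the following Python parses a decrypted check-in string into typed fields using the layout given above. It assumes the LZO and Blowfish layers have already been removed (for example, from a sandbox or memory dump) and that the string has been decoded to text; the sample payload is constructed, not captured traffic.

```python
import re

# Layout of the decrypted check-in payload described above: 17 '|'-separated
# fields, the last being the NUL terminator; fields 9, 14, 15 and 16 are constant.
_CPU_RE = re.compile(r"^(\d+) \* (\d+)MHz$")
_MEM_RE = re.compile(r"^Total:(\d+)MB,Avail:(\d+)MB$")
_UPTIME_RE = re.compile(r"^(\d+)d (\d+)h (\d+)m (\d+)s$")
_CONN_RE = re.compile(r"^(\d+) ms$")
_CONSTANTS = {8: "0", 13: "0", 14: "0", 15: "1"}  # zero-based field positions


def parse_checkin(payload: str) -> "dict | None":
    """Typed fields of a decrypted check-in string, or None if the layout does not match."""
    fields = payload.split("|")
    if len(fields) != 17 or fields[16] != "\x00":
        return None
    if any(fields[i] != v for i, v in _CONSTANTS.items()):
        return None
    cpu, mem = _CPU_RE.match(fields[2]), _MEM_RE.match(fields[3])
    up, conn = _UPTIME_RE.match(fields[4]), _CONN_RE.match(fields[7])
    if not (cpu and mem and up and conn):
        return None
    d, h, m, s = (int(x) for x in up.groups())
    return {
        "computer_name": fields[0],
        "os_version": fields[1],
        "cpu_cores": int(cpu.group(1)),
        "cpu_mhz": int(cpu.group(2)),
        "mem_total_mb": int(mem.group(1)),
        "mem_free_mb": int(mem.group(2)),
        "uptime_seconds": ((d * 24 + h) * 60 + m) * 60 + s,
        "self_ip": fields[5],
        "external_ip": fields[6],
        "connection_time_ms": int(conn.group(1)),
        "remark": fields[9],
        "group": fields[10],
        "password": fields[11],
        "version": fields[12],
    }


# Constructed sample (not captured traffic), already decompressed and decrypted.
SAMPLE = ("WEBSRV01|Linux 3.13.0|4 * 2400MHz|Total:8192MB,Avail:4096MB|"
          "12d 3h 45m 10s|10.0.0.5|203.0.113.7|120 ms|0|test|default|"
          "pass123|1.0|0|0|1|\x00")

if __name__ == "__main__":
    for key, value in parse_checkin(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

Because the function returns None on any layout mismatch, the same call also serves as a yes/no triage test on strings recovered during analysis.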
Once this packet is sent, the Trojan stands ready to receive incoming commands.
Command | Comments |
---|---|
Welcome packet | Ignored |
Update itself | Ignored |
Change group | Change the Group parameter to the value received in the command |
Change remark | Change the Remark parameter to the value received in the command |
Open shell | Open the command interpreter and redirect input/output streams to the server |
Open file manager | Ignored |
Open DDoS manager | Ignored |
Receive user data | Ignored |
Remove itself | Ignored |
Disconnect from the command and control server | Ignored |
Exit | Execute the "exit" command |
Reboot | Execute the "reboot" command |
Turn off the computer | Execute the "poweroff" command |
Delete logs | Ignored |
Launch a DDoS attack | |
Run an application | The application is specified in the incoming command |
Start proxy | Start SOCKS proxy on the infected computer |
The Trojan can launch the following DDoS attacks:
- SYN Flood
- HTTP Flood (POST/GET requests)
- Drv Flood (not implemented)
- ICMP Flood
- TCP Flood
- UDP Flood