SHA1:
- dc4229d5fb4ee05ad2f7643e57a5d5796e43e8c8 (unpacked)
- 29d053a4ed228630904538cfb859d7ad54281161 (packed)
A Linux Trojan designed to set up a proxy server on the infected computer. It is distributed in the course of attacks aimed at brute-forcing accounts to get access to an attacked system using the SSH protocol.
It can take the following arguments:
- --lport—local port for the proxy;
- --laddr—local address for the proxy;
- --cport—command and control server port;
- --caddr—command and control server IP address;
- --debug—is not used;
- --timeout—timeout between requests;
- --ident—ident parameter for the standard syslog function;
- --name—same as ident;
- --syslog—enable logging;
- --transproxy—set up a SOCKS proxy on the infected machine;
- --secret—if this parameter is specified, the Trojan deletes its original file and replicates itself to "/etc/tirqd";
- --noweb—disable support for HTTP traffic;
- --anti—enable the “paranoid” mode;
- --pretimeout—same as timeout;
- --udp—command and control server IP address (data will be sent using a method different from caddr);
- --killer—“kill” processes that refer to specific addresses;
- --badcn—list of addresses to block;
- --yaban—is not used.
Once launched, the Trojan removes its own working directory ("/tmp/.../") and clears the list of iptables rules. Then it “kills” processes of a number of running applications—for example, of programs used to log events and analyze traffic:
killall syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump
killall -9 syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump
kill -9 `pidof syslogd rsyslogd syslog syslog-ng named dnscache dnsmasq tcpdump`Using the "/var/log/*" and "/disk/*log*" masks, the Trojan replaces existing directories and system log files with folders under the same names—this makes creation of logs with identical names in future impossible:
mkdir /var/log/all.log /var/log/auth.log /var/log/messages /var/log/secure /var/log/everything.log /var/log/messages.log /disk/all.log /disk/auth.log /disk/messages /disk/secure /disk/everything.log /disk/messages.logThe malicious program modifies the "/etc/coyote/coyote.conf" configuration file by adding the following string:
alias passwd=cat\nThen it removes a number of system tools from /bin/, /sbin/, and /usr/bin/:
- passwd
- chattr
- lsattr
- tcpdump
- wget
- netstat
- pstree
- strace
- curl
- lsof
- reboot
- shutdown
- poweroff
- halt
The Trojan sets up the “immutable” flag for the following files:
- /usr/sbin/iptables
- /sbin/iptables
- /etc/shadow
- /etc/passwd
- /bin/ps
- /bin/grep
If the Trojan receives a list of addresses by means of the “badcn” argument, the malicious program blocks those addresses and also the addresses from three lists stored in the Trojan's body. At that, “blocking” means that after an appropriate iptables rule is created, a specific IP address is not allowed to send or receive packages over a specified port or protocol. For the addresses from the first two lists, TCP and ICMP packages are blocked; for the addresses from the third list, all packages.
For each blocked IP or a range of IP addresses, a corresponding file with the ".filtered" extension is created in the working directory of the Trojan.
To execute its main function—operating as a proxy server—the Trojan opens a specified port and monitors connections at the laddr:lportlocal address or, if laddr is not specified, at 0.0.0.0:lport.
If the "noweb" argument is specified, the malicious program checks all traffic from the client to the server looking for the following strings:
Accept-Language:
User-Agent: Mozilla/The Trojan replaces these strings with the following one:
Client: %08Xwhere %08X is replaced with the command and control server IP in a hex representation. Moreover, the string
?ip=12345678foris replaced with
?ip=%08Xforwhere %08X is also replaced with the command and control server IP in a hex representation.
If the "anti" argument and "lport" with the "80" value are specified in the incoming parameters, the Trojan searches packages for the "Location: http://" string. If successful, the malware creates an empty file with the "/tmp/.../ip.good" name, where ip indicates an IP address generated by the Trojan as follows:
rndnum = Rnd() % 25 + 97;
ip_a ^= rndnum ^ 5;
ip_b ^= rndnum ^ 8;
ip_c ^= rndnum ^ 10;
ip_d ^= rndnum ^ 3;
sscanf(dword_807A728, "%d.%d.%d.%d", &ip_a, &ip_b, &ip_c, &ip_d);Moreover, if the "lport" parameter has the 80 value or the 8080 value, the Trojan searches packages for the "PHP//apsession/" string. If successful, the following string is added to the package:
snprintf(&phpapsession, 10, "%c%02x%02x%02x%02x", rndnum, ip_a, ip_b, ip_c, ip_d);The Trojan encompasses a list of strings for which it searchers network traffic. If any of the strings is detected, the Trojan blocks data transfer to the corresponding remote server at the IP address:
kproxy.com
Mozilla/5.0 (compatible; coccoc/1.0; +http://help.coccoc.com/)
Mozilla/5.0 (compatible; LinkpadBot/1.06; +http://www.linkpad.ru)
Mozilla/5.0 (compatible; Linux x86_64; Mail.RU_Bot/2.0; +http://go.mail.ru/help/robots)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0); 360Spider
Mozilla/5.0 (compatible; oBot/2.3.1; +http://filterdb.iss.net/crawler/)
Mozilla/5.0 (compatible; spbot/4.0.9; +http://OpenLinkProfiler.org/bot )
Mozilla/5.0 (compatible; spbot/4.1.0; +http://OpenLinkProfiler.org/bot )
Mozilla/5.0 (compatible; SputnikBot/2.3)
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1; 360Spider
Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.13) Gecko/2009073022 Firefox/3.5.2 (.NET CLR 3.5.30729) SurveyBot/2.3 (DomainTools)
Mozilla/5.0 (Windows; Crawler; U; Windows NT 6.0; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Hellocoton.fr
nutch-1.4/Nutch-1.4
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Mozilla/4.0 (Windows 98; US) Opera 10.00 [en]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1025 Safari/532.5
Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.16
SurveyBot
DomainTools
SV1; InfoPath.2; .NET CLR 2.0.50727
Chrome/4.1.249.1025
YandexBot
SpeedTestSpeedTest
ooglebot
panscient.com
Yahoo! Slurp;
spamspamspam
slowhttptest
ihatespammers
nospam.html
SpamBlocker
Hendas HTTP
/?stopspamme
/?injection
User-Agent: Java
../../..
djbghklmxtvwtyafzchcm
eghijkacfm.herathle
Wget
SPAMMING
stop_spaming_me
GET /10.php HTTP
GET /20.php HTTP
GET /30.php HTTP
GET /40.php HTTP
odfnh.brahfuwzu
lylvueleb
impulse-m.
dnikoydle
gisro.a
goodcarecard.aMoreover, the contents of the "/etc/badwords". file are added to the list. The list of forbidden words also has a part which changes in accordance with the contents of the incoming package:
- If an HTTP header contains the following string:
the list of forbidden words is appended with the following values:User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)eapmygev. ascuviej. - If the following fields are specified:
or the following string is present:Accept: */*\nAccept-language: en-us\n
the list of forbidden words is appended with the following string:xonfavhowlGET /index.php HTTP - If the following field is specified:
and the "Referer" field is missing, while the GET field contains a string from the following list:Accept-Language: en-US
the list of forbidden words is appended with the following value:GET /products/ HTTP GET /cart/ HTTP GET / HTTPAccept: */* - If a file with either the .gif extension or the .jpg extension is requested, the following strings are added to the “black list”:
_ HTTP spammer CONTACTING_US - If the following field is specified:
the “black list” is appended with the following string:Accept:sssid=
Moreover, the Trojan uses the list of ignored and suspicious words appending them with the contents from the "/etc/ignorewords" file.
Apart from blocking remote nodes from the list, the Trojan checks all network connections and sends the remote server the IP address to which the connection is established. If the server responds with the “kill” command, the Trojan shuts down the application that established the connection and blocks the IP address using iptables. In the home directory, Linux.Ellipsis.1 creates the "ip.filtered" file, where "ip" is replaced with a string representation of the blocked IP address. The same check is applied to processes that contain "sshd" in their names. IP addresses from the lists are blocked forever, while other addresses are blocked just for 2 hours—once every half an hour, a separate malicious process scans the contents of the home directory looking for files that were created more than two hours ago and whose names start with an IP address. After that, these files are deleted and a corresponding rule in iptables is created.