SHA1:
- d24e1970cf29065d3c9ec37ae7fec3e99de08831
- d4fbe3946d0fbbd5632fa2a75cc1dcae9d939e9e
- d3bb1db769a52c23efe439ebbe4a1a4ce055b7a9
- 5ea9d12fb91377a04cbacfe0c5de37442746805a
Malware for Linux systems. It brute-forces login and password combinations using a special dictionary to gain authorized access to various devices.
Once launched, it creates 200 identical threads. The Trojan generates a random IP address that does not match any of the following masks:
0.*.*.*
10.*.*.*
127.*.*.*
(IP & 0xFFC00000) == 0x64400000
It then attempts to connect to the device at each such address on port 22 and to log in using login:password pairs from a dictionary of 10,851 entries. To confirm that the login succeeded, it sends the “id” command to the device.
After a successful login, the Trojan sends the following POST request to the command and control server:
123.***.***.120/stat.asp
POST request data:
data=<ip> <login> <pws>
where <ip>, <login>, and <pws> are the compromised device's data.
The following User-Agent is used:
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3
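As an added example (not part of the original description), the report request above can be hunted for in web proxy logs by matching the method, the /stat.asp path, the exact User-Agent and the three-field body, and then discarding any hit whose reported address falls under the masks the Trojan excludes. The tab-separated log format, the field names and the host c2.example.invalid are assumptions made for this sketch, as is the body arriving as an ordinary form-encoded string.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# User-Agent and URL path exactly as given in the description above.
TROJAN_UA = ("Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) "
             "Gecko/20090913 Firefox/3.5.3")
C2_PATH = "/stat.asp"
C2 = "http://c2.example.invalid" + C2_PATH  # placeholder host (C2 IP is masked)

# Constructed proxy log, assumed format (tab-separated):
# time, client, method, url, user-agent, request body.
SAMPLE_LOG = [
    f"2024-01-01T00:00:01Z\t192.0.2.10\tPOST\t{C2}\t{TROJAN_UA}\tdata=198.51.100.7 root admin",
    f"2024-01-01T00:00:02Z\t192.0.2.11\tPOST\t{C2}\tcurl/8.0\tdata=198.51.100.8 root admin",
    f"2024-01-01T00:00:03Z\t192.0.2.12\tPOST\t{C2}\t{TROJAN_UA}\tdata=10.1.2.3 root admin",
    f"2024-01-01T00:00:04Z\t192.0.2.13\tGET\thttp://www.example.com/\t{TROJAN_UA}\t",
]

def never_scanned(addr):
    """True if addr matches one of the masks the Trojan excludes."""
    ip = int(ipaddress.IPv4Address(addr))
    # 0.*.*.*, 10.*.*.*, 127.*.*.* and (IP & 0xFFC00000) == 0x64400000
    return (ip >> 24) in (0, 10, 127) or (ip & 0xFFC00000) == 0x64400000

def find_reports(log_lines):
    """Return one record per request that fits the Trojan's report format."""
    hits = []
    for line in log_lines:
        ts, src, method, url, ua, body = line.rstrip("\n").split("\t")
        if method != "POST" or urlsplit(url).path != C2_PATH or ua != TROJAN_UA:
            continue
        # Body is "data=<ip> <login> <pws>"; parse_qs also decodes '+'/%20.
        fields = parse_qs(body).get("data", [""])[0].split(" ", 2)
        if len(fields) != 3:
            continue
        victim, login, _password = fields  # password deliberately not kept
        try:
            if never_scanned(victim):
                continue  # does not fit the address selection described
        except ipaddress.AddressValueError:
            continue
        hits.append({"time": ts, "infected_host": src,
                     "compromised_device": victim, "login": login})
    return hits

if __name__ == "__main__":
    for hit in find_reports(SAMPLE_LOG):
        print(hit)
```

Each hit names both the internal host that sent the report (the infected machine) and the device whose SSH credentials should be treated as compromised.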