Linux.DDoS.Xor.2

SHA1:

• d0825f79a6e96ae1cb9a458f6f958deabf9b7111

A Trojan for Linux designed to carry out DDoS attacks. Every byte of its configuration file is encrypted with XOR. The key is hard-coded in the Trojan’s body. Some samples can contain the Linux.Rootkit.38 rootkit.

Once launched, it tries to copy itself to the folder specified in the configuration file and to such folders as /usr/bin, /bin/ or /tmp/ under a random 10-character name. Then the Trojan removes its original file. To enable its autorun function, the malware uses the cron scheduler and registers the launch of the /etc/cron.hourly/cron.sh script that contains the following lines:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp/lib/libgcc.so /lib/libgcc.so.bak
/lib/libgcc.so.bak

Then the Trojan creates the “/etc/init.d/<fname>” file, where fname is the name of the Trojan. To do that, it generates 5 symlinks in “/etc/rc%d.d/S90%s”, where %d is numbers from 1 to 5 and %s is the name of the Trojan.

The malicious application also checks the system for the presence of the rootkit by sending a request to “/proc/rs_dev”. If it finds the rootkit, the Trojan uses it to conceal its files, processes, and network activity.

When the Trojan is installed, it can execute the following commands:

chkconfig --add <rclocal_file>
update-rc.d <rclocal_file defaults
sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab

During its operation, the Trojan receives a configuration file from the server. If the file contains the relevant information, Linux.DDoS.60 can terminate any process matching the name or MD5 hash or by sending a request to the certain IP address. It can also remove any file specified in its configuration. The Trojan executes the following commands: